Privacy Sensitive Location Information Systems in Smart Buildings
Jodie P. Boyer, Kaijun Tan, Carl A. Gunter
Illinois Security Lab
Midwest Security Workshop, 2006
In the proceedings of Security in Pervasive Computing, York, UK 2006
Motivating Scenario
• Face to face meetings are important in many work scenarios
• Much time can be wasted looking around the office for people
• How could we facilitate this?
• Many solutions
– Add an expensive location tracking system
– Make use of the information your smart building already gathers
Smart Buildings
• Many new buildings are being built with complex building automation systems
• Sensors and control systems create rich information streams
• Access to these streams is restricted
• This information could be useful to building users as well as administrators
Location Information Systems
• Allows building users to gain and control information about tracked users and objects in a building
• Works by aggregating BAS information, together with other sources of raw data
Case Study: The Siebel Center
• Andover Continuum BAS
• Uses electronic door locks and occupancy sensors
• Case study for a Location Information System
Janus’s Map
• A prototype LIS for the Siebel Center
• Uses e-locks and occupancy sensors for location estimation
• Privacy is enforced using user specified rules
Architecture for Janus’s Map
[Architecture diagram. Components: Location Service (Data Cleaner, Data Aggregator, Access Control Module), Rule Database, Door Rights List, Door Access Database, Occupancy Sensor System, Internet. Data flow for a query "Alice?": Alice's door accesses and Room Occupancy feed the Aggregated Data; the Access Control Module applies the Owner's Rules and returns Alice's Location for Bob.]
Rules in Janus’s Map
• 3 parts
– Targets
– Data Access
– Visibility
• Example:
– Target: Bob, Carol
– Number of past entries: 5
– Event types: Valid Access, DoorAjar, OccupancySensor True
– Event time: Between 9am and 5pm
– Rooms: All
– Granularity: Floor
An Example: System Events
Time   Location  User   Type
07:45  SC3405    Alice  InvalidAccess
10:00  SC4105    Alice  ValidAccessNoEntry
10:01  SC4309    Alice  ValidAccess
10:01  SC4309           DoorAjar
10:03  SC4309           OccupancySensorTrue
• Who owns these events?
• What happens when Bob searches for Alice?
An Example: Enforcing Privacy
• Alice “owns” her events and has to allow Bob access to them to find her
• She allows him access to events that happened after 9am and of type ValidAccess, DoorAjar and OccupancySensorTrue
• After the filtering policy is applied (the 07:45 InvalidAccess and 10:00 ValidAccessNoEntry events match neither the time window nor the allowed types and are withheld from Bob):
Time   Location  User   Type
07:45  SC3405    Alice  InvalidAccess
10:00  SC4105    Alice  ValidAccessNoEntry
10:01  SC4309    Alice  ValidAccess
10:01  SC4309           DoorAjar
10:03  SC4309           OccupancySensorTrue
An Example: Event deduction
Time   Location  User   Type
07:45  SC3405    Alice  InvalidAccess
10:00  SC4105    Alice  ValidAccessNoEntry
10:01  SC4309    Alice  ValidAccess
10:01  SC4309           DoorAjar
10:03  SC4309           OccupancySensorTrue
• We can deduce that Alice is probably in SC4309
An Example: Granularity
• Alice may wish to prevent Bob from knowing too much about her exact location
• Alice can specify a granularity to which Bob can find her, in this case: floor
• Bob is finally returned that Alice was on the 4th floor at 10:01
How to Build an LIS
1. Define an ownership model
2. Determine the environment events of interest and how to deduce them
3. Develop a model for privacy-information sharing for events
Ownership Model
– U, the set of users
– L, the set of locations
– S, the set of system events
– T, a set of values with a linear ordering, signifying time
– time : S → T, which determines the time of an event
– user : S → U ∪ { }, which determines the user(s) associated with an event (the extra element stands for events with no associated user)
– loc : S → L, which determines the location in which an event occurred
– o : L → 2^U, which determines the owner of a location
– an event-ownership function S → 2^U, which determines the owner of an event
Janus’s Map: Ownership
• Events
– Defined as tuples in (U ∪ { }) × L × T × (a set of event types)
– type : S → (the set of event types) returns the type of an event
• o is a static policy that maps room ownership
• The event-ownership function assigns ownership of an event s first to its user(s), and then to o(loc(s))
Environmental Events
• An aggregate event
• Deduced from a set of system events
• E is the set of environment events in an LIS
• induce : 2^S → 2^E determines the set of environment events that can be deduced from a set of system events
• Applies a set of deduction rules of the following form:
s_1, …, s_n such that C  ⇒  e_1, …, e_n
(from system events s_1, …, s_n satisfying the condition C, deduce the environment events e_1, …, e_n)
Janus’s Map: Environment Events
• The main goal of Janus’s Map is to determine location information about users in the building
• E is defined as a set of tuples U × L × T × P
– P = {In, Near} defines a user's proximity to a location
Privacy Policy
• System events are protected to preserve users' privacy
• We define two indexed families of functions:
– filter : U × U → (2^S → 2^S)
– mask : U × U → (2^E → 2^E)
• Each user u is able to define, for each other user v, two functions that establish u's privacy policy towards v:
– filter_u^v : 2^S → 2^S
– mask_u^v : 2^E → 2^E
Janus’s Map: Privacy Policy
• Locations in Siebel Center
– G = {floor, wing, room}, the set of location granularities
– L_floor ⊆ L, L_wing ⊆ L, L_room ⊆ L
– Locations are defined as tuples in L_floor × (L_wing ∪ { }) × (L_room ∪ { })
• Users define rules from which the functions filter_u^v and mask_u^v are derived
– System events are filtered based on time, date, event type, and location
– Environment events are masked to hide detailed location information
Formal Definition
• A Location Information System (LIS), L, between an ownership model and a set E of environment events consists of three functions:
– filter : U × U → (2^S → 2^S)
– mask : U × U → (2^E → 2^E)
– induce : 2^S → 2^E
Reveal
• We also define a family of functions reveal : U × U → (2^S → 2^E) which performs a lookup of environment events in an LIS
• reveal_u^v is the function that v calls when he wishes to learn something about u
reveal_u^v = mask_u^v ∘ induce ∘ filter_u^v
2^S  —filter_u^v→  2^S  —induce→  2^E  —mask_u^v→  2^E
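The whole pipeline, covering both the Alice/Bob walk-through (the System Events, Enforcing Privacy, Event Deduction and Granularity slides) and the formal definitions above, as an added example that is not code from the paper or from Janus's Map. It models reveal_u^v = mask_u^v ∘ induce ∘ filter_u^v in Python and runs it over the five system events on the slides. The rule fields, the event and location tuples, the ownership order (user first, then o(loc(s))) and P = {In, Near} follow the slides; the concrete deduction rules (ValidAccess plus DoorAjar plus OccupancySensorTrue within five minutes gives In; ValidAccessNoEntry gives Near), the room-naming convention that reads floor and wing digits from the room id, the sample room owners and every class and function name are assumptions made for this example.

```python
"""Added example, not code from the paper or Janus's Map: a small model of
reveal_u^v = mask_u^v . induce . filter_u^v run over the Alice/Bob system events
from the slides.  Rule fields, event/location tuples and P = {In, Near} follow
the slides; the deduction rules, room naming, sample room owners and all names
here are assumptions made for this example."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import FrozenSet, Optional, Tuple

# L_floor x (L_wing + {}) x (L_room + {}); None plays the "no value" element.
Location = Tuple[str, Optional[str], Optional[str]]


@dataclass(frozen=True)
class SysEvent:          # element of S: (U + {no user}) x L x T x event type
    time: time
    room: str
    user: Optional[str]  # None for events with no associated user
    type: str


@dataclass(frozen=True)
class EnvEvent:          # element of E: U x L x T x P
    user: str
    loc: Location
    time: time
    prox: str            # "In" or "Near"


def room_to_location(room: str) -> Location:
    """Assumed naming: 'SC' + floor digit + wing digit + room number."""
    return (room[2], room[3], room)


# Constructed sample input: the five system events shown on the slides.
EVENTS: FrozenSet[SysEvent] = frozenset({
    SysEvent(time(7, 45), "SC3405", "Alice", "InvalidAccess"),
    SysEvent(time(10, 0), "SC4105", "Alice", "ValidAccessNoEntry"),
    SysEvent(time(10, 1), "SC4309", "Alice", "ValidAccess"),
    SysEvent(time(10, 1), "SC4309", None, "DoorAjar"),
    SysEvent(time(10, 3), "SC4309", None, "OccupancySensorTrue"),
})

# o : L -> 2^U, the static room-ownership policy (constructed values).
ROOM_OWNERS = {"SC4309": frozenset({"Alice"}), "SC4105": frozenset({"Carol"}),
               "SC3405": frozenset({"Dave"})}


def owners(s: SysEvent) -> FrozenSet[str]:
    """Event ownership: the event's user first, otherwise o(loc(s))."""
    return frozenset({s.user}) if s.user else ROOM_OWNERS.get(s.room, frozenset())


@dataclass(frozen=True)
class Rule:              # a user's rule: targets, data access, visibility
    targets: FrozenSet[str]
    types: FrozenSet[str]
    start: time
    end: time
    rooms: Optional[FrozenSet[str]]   # None means all rooms
    granularity: str                  # "floor", "wing" or "room"


# Alice's rule for Bob and Carol, as on the "Rules in Janus's Map" slide.
RULES = {"Alice": [Rule(frozenset({"Bob", "Carol"}),
                        frozenset({"ValidAccess", "DoorAjar", "OccupancySensorTrue"}),
                        time(9, 0), time(17, 0), None, "floor")]}
GRANULARITY = {"floor": 1, "wing": 2, "room": 3}   # location-tuple prefix kept


def filter_uv(u: str, v: str, events: FrozenSet[SysEvent]) -> FrozenSet[SysEvent]:
    """filter_u^v : 2^S -> 2^S.  Keeps only events u owns that some rule of
    u's naming v allows by type, time window and room."""
    rules = [r for r in RULES.get(u, []) if v in r.targets]
    return frozenset(s for s in events if u in owners(s) and any(
        s.type in r.types and r.start <= s.time <= r.end
        and (r.rooms is None or s.room in r.rooms) for r in rules))


def induce(events: FrozenSet[SysEvent]) -> FrozenSet[EnvEvent]:
    """induce : 2^S -> 2^E with two assumed deduction rules: ValidAccess by u
    at r at t plus DoorAjar and OccupancySensorTrue at r within 5 minutes
    => (u, r, t, In); ValidAccessNoEntry by u at r at t => (u, r, t, Near)."""
    def minutes_after(a: time, b: time) -> float:
        day = date(2006, 1, 1)   # any fixed day; only the time of day matters
        return (datetime.combine(day, b) - datetime.combine(day, a)) / timedelta(minutes=1)

    out = set()
    for s in events:
        if s.user is None:
            continue
        if s.type == "ValidAccessNoEntry":
            out.add(EnvEvent(s.user, room_to_location(s.room), s.time, "Near"))
        elif s.type == "ValidAccess":
            seen = {t.type for t in events if t.room == s.room
                    and 0 <= minutes_after(s.time, t.time) <= 5}
            if {"DoorAjar", "OccupancySensorTrue"} <= seen:
                out.add(EnvEvent(s.user, room_to_location(s.room), s.time, "In"))
    return frozenset(out)


def mask_uv(u: str, v: str, env: FrozenSet[EnvEvent]) -> FrozenSet[EnvEvent]:
    """mask_u^v : 2^E -> 2^E.  Coarsens each location to the coarsest
    granularity among u's rules that name v (full detail if there is none)."""
    keep = min((GRANULARITY[r.granularity] for r in RULES.get(u, [])
                if v in r.targets), default=3)
    return frozenset(EnvEvent(e.user, e.loc[:keep] + (None,) * (3 - keep), e.time, e.prox)
                     for e in env)


def reveal_uv(u: str, v: str, events: FrozenSet[SysEvent]) -> FrozenSet[EnvEvent]:
    """reveal_u^v = mask_u^v . induce . filter_u^v : 2^S -> 2^E."""
    return mask_uv(u, v, induce(filter_uv(u, v, events)))


if __name__ == "__main__":
    for e in reveal_uv("Alice", "Bob", EVENTS):
        print(e)   # Bob learns only that Alice was In floor 4 at 10:01
```

Ownership is enforced inside filter_u^v, so the DoorAjar and OccupancySensorTrue events, which carry no user, are still Alice's because she owns SC4309; without that fallback they could never contribute to the In deduction and Bob would receive nothing. Masking runs after induction on purpose: the deduction needs the full room identifier, and only the result handed to Bob is coarsened to the floor.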
Conclusion
• Developed a location system for smart buildings
– Doesn't require specialized equipment
– Privacy sensitive
• Generalized the scheme to work on any building
• Future Work
– Integrating more systems to improve accuracy
– Policy conflicts
– Policy management schemes