Secure Cluster Formation in BSN using Physiological Values - PowerPoint PPT Presentation

1
Secure Cluster Formation in BSN using
Physiological Values
  • Krishna Venkatasubramanian
  • IMPACT Lab
  • CSE 591 Embedded Networks
  • Final Presentation

2
Overview
  • Pervasive Healthcare
  • Biomedical Sensors and Stimuli
  • Physiological Value-based Security
  • Secure Cluster Formation
  • Security Analysis
  • Prototyping Results

3
Pervasive Computing and Healthcare
Pervasive Computing
Personalized computing power available everywhere, by embedding computing in the user's environment.
  • Features
  • Merger of Physical and Virtual Space
  • Uses computing entities which are
  • - tiny/cheap
  • - specialized
  • - unsupervised
  • - interconnected
Pervasive Healthcare
Use Pervasive Computing for day-to-day healthcare management (monitoring and treatment), made possible by development of biomedical sensors.
  • Features
  • Extends BSN with embedded medical sensors
  • No time and space restrictions for healthcare
  • Better coverage and quality of care to all.
Some Applications
  • Sports Health Management
  • Assisted Living
  • Disaster Relief Management
  • Medical Facility Management
GOAL: Enable independent living, general wellness and disease management.
4
Biomedical Sensors (Biosensors)
[Figure: EKG and PPG signals with Inter-Pulse-Interval values V1 and V2]
  • Physiological Values (PV): Measure stimuli from the body, e.g. EKG, PPG (Photoplethysmograph)
  • PVs are universally collectable, vary with time and can have similar values in one human being
  • Biomedical Sensor Platforms
  • In-vivo sensors
  • - Are primarily at experimental stage
  • - Measure one stimulus
  • Wearable sensors
  • - Groups of sensors packaged together
  • - Products available
  • - Have wireless capability
  • Generic Sensors
  • - Measure environmental stimuli
  • - Can perform wireless communication
  • - Used in medical monitoring projects, Code Blue at Harvard
  • - Mica2, MicaZ, TelosB

[Figures: Nano-scale Blood Glucose level detector developed at UIUC; Mica2 based EKG sensor; AMON Wearable Health Monitor]
  • Properties
  • Small form factor
  • Limited processor, memory, communication
    capabilities
  • Form large networks within body for energy-
    efficiency

Life Shirt Ambulatory Monitoring
5
Biosensor Net Security and Energy-Efficiency
  • Security
  • Healthcare systems collect sensitive medical data from a patient.
  • Patient privacy is a legal requirement (HIPAA).
  • Health information of a person can be taken advantage of.
  • Attacks
  • - Fake emergency warnings
  • - Prevent legitimate emergency warnings
  • - Battery power depletion
  • - Tissue heating
  • Energy-Efficient Topologies
  • Biosensors have limited capabilities
  • Topological formations help in reducing energy consumption
  • Many topologies possible: Cluster, Tree
  • Cluster is one of the most energy-efficient topologies.
  • Security and Topology
  • Topology formation
  • - Not traditionally secured
  • - Opens systems to attacks during topology formation. Example: Sinkholes
  • Securing topology formation is a must

6
PVS: Physiological Value based Security
  • Principal Idea: Use PVs as security primitives in biomedical sensor networks
  • - Hide cryptographic keys
  • - Authenticate and secure biosensor communication
  • Examples
  • - Blood Pressure, Heart Rate, Glucose level
  • - Temporal variations in different PVs
  • - Combination of multiple PVs
  • PV values at two locations are slightly different
  • Use Error Correction Codes like Majority Encoding for correction
  • Easier and safe key generation
  • Cheaper key distribution

[Figure: sensors measuring ECG, Heart/Pulse Rate, Blood Pressure and Blood Glucose]
7
Aspects of Physiological Values
Required Properties of Physiological Values
FOUND: Inter-Pulse-Interval (IPI), Heart Rate Variation (HRV). FUTURE QUEST: Find Others
  • Universal
  • Should be measurable in everyone
  • Distinctive
  • Should be able to differentiate 2 individuals
  • Random
  • To prevent brute-force attacks
  • Time variant
  • If broken, the next set of values should not be
    guessable.

Physiological Certificate
  • Cert = MAC(Key, Data), γ where γ = Key ⊕ PV
  • γ hides the actual Key used for computing the Message Authentication Code (MAC) over the data for integrity protection.

8
PV Based Communication
  • Measure pre-defined PV at Sender (PVs) and Receiver (PVr)
  • Generate random key at sender: RandKey
  • Compute Physiological Certificate with RandKey on Data:
    Cert = MAC(RandKey, Data), γ where γ = PVs ⊕ RandKey
  • Send message: <Data, Cert, γ>
  • Receive message
  • Unhide RandKey using PVr and γ from the Cert:
    RandKey = PVr ⊕ Cert.γ
  • Correct RandKey, verify certificate by computing MAC:
    RandKey = ECC(RandKey)
    Cert = MAC(RandKey, Data), γ
  • Error Correction Code used: Majority Encoding [Juels99, CVG03]
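The exchange on this slide as a runnable sketch, added here as an example and not taken from the presentation or its prototype. It assumes a repetition code with factor 5 as the majority encoding, HMAC-SHA256 as the MAC, a 32-bit RandKey, and that γ hides the majority-encoded RandKey so the receiver's ECC step can vote out the differences between PVs and PVr; the PV bit strings are constructed, not measured.

```python
import hashlib
import hmac
import secrets

REP = 5        # assumed repetition factor of the majority code
KEY_BITS = 32  # assumed RandKey length (demo size); PVs are KEY_BITS * REP bits

def encode(key_bits):
    """Majority (repetition) encoding: repeat each key bit REP times."""
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    """Majority decoding: every block of REP bits votes for one key bit."""
    return [int(sum(code_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(code_bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def mac(key_bits, data):
    # One byte per key bit keeps the demo short; pack the bits in real code.
    return hmac.new(bytes(key_bits), data, hashlib.sha256).digest()

def send(pv_s, data):
    """Sender: draw RandKey, hide its codeword under PVs, MAC the data."""
    rand_key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    gamma = xor(pv_s, encode(rand_key))
    return data, mac(rand_key, data), gamma

def receive(pv_r, message):
    """Receiver: unhide with PVr, correct by majority vote, verify the MAC."""
    data, tag, gamma = message
    rand_key = decode(xor(pv_r, gamma))
    return hmac.compare_digest(tag, mac(rand_key, data))

def flip(bits, positions):
    """Return a copy of bits with the given positions inverted."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

if __name__ == "__main__":
    # Constructed sample values, not real physiological measurements.
    pv_s = [secrets.randbits(1) for _ in range(KEY_BITS * REP)]
    pv_r = flip(pv_s, set(range(0, KEY_BITS * REP, REP)))  # 32 bits differ
    pv_other = [secrets.randbits(1) for _ in range(KEY_BITS * REP)]
    msg = send(pv_s, b"HR=72")
    print("same body accepts:", receive(pv_r, msg))
    print("other body accepts:", receive(pv_other, msg))
```

A receiver whose PV differs in up to two bits per 5-bit block recovers RandKey and accepts; three differing bits in any one block flip a key bit and the MAC check fails.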
9
Communication Scheduling for PVS
  • PVs are unpredictable and vary with time
  • At a given time, PVs measured at co-located sensors are similar
  • At MT, both sender and receiver measure a pre-decided PV
  • At TT, sender and receiver communicate using the PV measured in the MT before
  • Schedule is computed a priori by BS, based on network topology and communication requirements, and distributed to sensors
  • Duration of time-slot is variable, can be chosen based on PV strength and estimated time to compromise it.
  • Once a PV is newly measured, old values are NEVER reused

[Figure: time-slot schedule with Sender Sequence and Receiver Sequence; legend: Transmission Time (TT), Measurement Time (MT), Broadcast (used for solicitations)]

10
Choosing Physiological Values
  • Identified PVs
  • Inter-Pulse-Interval (IPI) [PZ06]
  • Heart Rate Variation (HRV) [BZZ05]
  • PV Distinctiveness Testing
  • Performance evaluation criteria
  • False Rejection Rate (FRR)
  • False Acceptance Rate (FAR)
  • FAR and FRR increased if two PVs lack
    synchronicity.
  • Randomness of PVs verified using Chi-Square Test.
  • Interference possible
  • Drastic difference between PVs of two people will prevent unwanted communication

[Figure: HRV from PV0 and PV1 passes through an Encoder to give 128-bit sequences I0 and I1; Hamming Distance between them: < 22 bits (same person), ? 90 bits (different person)]
[Figure: Radio-range for Intended communication and Interference]
11
Advantage of Using PV Based Security
Traditional Secure Biosensor Network Communication
[Figure: S, R and BS; stages: Topology Formation, Key Distribution, Secure Communication]
  • Unsecured
  • Cluster
  • Linear
  • Use distributed keys
  • Diffie Hellman (ECC)
  • Pre-deployed Keys
  • Master Key based Assignment

PV based Secure Biosensor Network Communication
[Figure: S, R and BS; stages: Secure Topology Formation, Secure Communication]
  • PV based security
  • Centralized Cluster Formation
  • Distributed Cluster Formation
  • Use PV for sensor-sensor secure communication

Key Distribution Completely Eliminated: VERY EFFICIENT
12
Cluster formation Security Flaws
[Figure: Traditional Cluster Formation Technique, with leader nodes LN1 to LN3, sensor nodes SN1 to SN6 and a link marked "Weaker signal"]
Flaws in Traditional Cluster Formation
[Figure: cluster with a Malicious Node]
  • Hello-Flood Attack
  • Leads to the formation of Sinkholes
  • The sinkhole can now mount selective forwarding
    attacks on the sensor in its cluster.
  • Reason
  • All solicitations supposed to be from LN only.
  • Each LN is assumed to be trustworthy.

  • Problem
  • Traditional cluster formation protocol is not
    secure.

13
Secure Cluster Formation
  • PV based inter-sensor communication
  • NO explicit key distribution
  • Assumptions
  • Wireless Medium NOT Trusted
  • Base Station Trustworthy
  • Physical compromise of sensors difficult
    (ambulatory patient)
  • Jamming not considered
  • Leader Nodes identified a priori to cluster formation
  • Clusters are temporary topologies.
  • Leader Nodes rotated at regular intervals.

14
Centralized Cluster Formation
[Figure: Base Station and nodes NA, NB, NC, N1, N2, N3, N4]
  • Solicitation (N3 → ): N3, Cert N3
  • Relay (NC → BS): N3, NC, SS, Cert(N3, NC, SS)
  • Relay (NB → BS): N3, NB, SS, Cert(N3, NC, SS)
  • Reply (BS → N3): NC, Cert(NC)
15
Distributed Cluster Formation
[Figure: nodes NA, NB, NC, N1, N2, N3, N4]
  • Solicitation (NB → ): NB, Cert NB
  • Reply (N3 → NB): N3, Cert N3, NB
  • Reply (N2 → NB): N3, Cert N3, NB
16
Security Analysis
Vulnerability: Spoof LN
  • Centralized Protocol: Relayed messages cannot be authenticated, as there is no Cert: a spoofed LN cannot measure PV
  • Distributed Protocol: Spoofed LN cannot measure PV, so no valid Cert

Vulnerability: Spoof Sensor Nodes
  • Centralized Protocol: Adversary cannot measure PV, illegal Cert appended in solicitation
  • Distributed Protocol: Adversary cannot measure PV, illegal Cert appended to reply

Vulnerability: Compromise Physiological Values
  • Centralized Protocol: Will FAIL to protect
  • Distributed Protocol: Will FAIL to protect

Very Important to Choose good PVs
17
Prototype Implementation
  • Implementation on Mica2 motes.
  • Promiscuous listener used to see workings of the protocol.
  • Attacked the setup:
  • - Spoofed LN
  • - Spoofed SN
  • Attacks Thwarted

[Figures: Logical Setup for the Centralized and Distributed protocols (BS, LN, SN, Spoofed LN, Spoofed SN, Promiscuous Listener); Actual Setup (Base Station, LN, SN, Clusters); File Sizes]
18
Conclusions and Future Work
  • Use of Physiological Values for establishing
    session keys between biosensors, for example
    Inter-Pulse Interval and Heart-Rate Variation.
  • Prototyped protocol using Mica2 motes and tested
    resiliency by actively attacking it.
  • Future Work
  • Expand the set of Physiological Values used for
    securing biosensor communication.
  • Incorporate PVs into the implementation

19
Feasibility
  • Single PV for all sensors?
  • All sensors cannot be expected to measure same PV.
  • Need enough PVs to allow senders and receivers to choose the one they have in common.
  • Multiple stimuli Measurement
  • Multi-modal wearable monitoring devices available
  • - Vivago WristCare (Wrist Wearable): patient activity, skin temperature, skin conductivity (http://www.istsec.fi/eng/Etuotteet.htm)
  • - AMON (Wrist Wearable): EKG, Blood Pressure, SpO2 [LA02]
  • - Life Shirt (Smart Clothes): EKG, perspiration, posture, SpO2 (http://www.vivometric.com)
  • For in-vivo sensors, such capabilities are not yet available to the best of our knowledge.
  • Powering sources
  • - Power-paper cells which can be printed (http://www.powerpaper.com)
  • - Battery made of fiber that can be woven [AGS05]
  • - Body movement and heat [ASG05]
  • - Flexible solar cells, textile coils, even Bike dynamo [ASG05]