Wireless sensor network development for urban environments

Boers, Nicholas M.

11 1900

In this thesis, we focus on topics relevant to developing and deploying large-scale wireless sensor network (WSN) applications within real dynamic urban environments. Given few reported experiences in the literature, we designed our own such network to provide a foundation for our research. The Smart Condo, a well-defined project with the goal of helping people age in place, provided the setting for our WSN that would non-intrusively monitor an occupant and environment. Although we carefully designed, developed, and deployed the network, all of our planning did not prepare us for a key challenge of that environment: significant radio-frequency interference. Most researchers tend to ignore the existence of interference along with its potentially serious implications: beyond impacting network performance, it can lead researchers to misleading or unrealistic conclusions. Interference is a particularly difficult problem to study because it varies in time, space, and intensity. Other researchers have typically approached the problem by investigating only known interferers. Instead, we approach the problem more generally and consider interference of unknown origins. We envision nodes periodically observing their environment, recognizing patterns in those observations, and responding appropriately, so we use only standard WSN nodes for our data collection. Unfortunately, collecting high-resolution data is difficult using these simple devices, and to the best of our knowledge, other researchers have only used them to collect rather coarse data. Within the Smart Condo urban environment, we recorded a transceiver's received power level at 5000 Hz, a higher rate than we encountered elsewhere in the literature, using 16 synchronized nodes. We explored traces from 256 channels and observed a number of recurring patterns; we then investigated classifying traces automatically and obtained rather promising results. We focused on the two patterns most detrimental to packet reception rates and further investigated both sampling and classification techniques tailored to them. As part of our work, we extended our simulator, making it capable of generating impulsive interference, and developed a proof-of-concept pattern-aware medium access control (MAC) protocol. Through experiments using both the simulator and WSN devices, we evaluated the classifier and proof-of-concept MAC. Our results show that impressive gains in the packet reception rates are possible when nodes can recognize and appropriately react to interference. Using our techniques, nodes can communicate more efficiently by reducing the number of failed transmissions and consequently decreasing overall network congestion.

wireless sensor networks

interference

classification

simulation

medium access control

A diagrammatic notation for modeling access control in tree-based data structures

Øslebø, Arne

January 2008

This thesis describe two graphical modeling languages that can be used for specifying the access control setup in most systems that store information in a tree based structure. The Tree-based Access control Modeling Language (TACOMA) is the simplest language that is defined. It is easy to learn and use as it has only 8 symbols and two relations. With this language it is possible to define the exact access control rules for users using a graphical notation. The simplicity of the language do however come at a cost: it is best suited for small or medium sized tasks where the number of users and objects being controlled are limited. To solve the scalability problem a second language is also presented. The Policy Tree-based Access control Modeling Language (PTACOMA) is a policy based version of TACOMA that doubles the number of symbols and relations. While it is harder to learn it scales better to larger tasks. It also allows for distributed specification of access rules where administrators of different domains can be responsible for specifying their own access control rules. Domains can be organized in a hierarchical manner so that administrators on a higher level can create policies that have higher priority and therefor limits what administrators at lower levels can do. The thesis describes the two languages in detail and provides a comparison between them to show the strong and weak points of each language. There is also a detailed case study that shows how the two languages can be used for specifying access control in SNMPv3.

access control

modeling

graphical notation

snmp

Information technology

Informationsteknologi

A Verified Algorithm for Detecting Conflicts in XACML Access Control Rules

St-Martin, Michel

11 January 2012

The goal of this thesis is to find provably correct methods for detecting conflicts between XACML rules. A conflict occurs when one rule permits a request and another denies that same request. As XACML deals with access control, we can help prevent unwanted access by verifying that it contains rules that do not have unintended conflicts. In order to help with this, we propose an algorithm to find these conflicts then use the Coq Proof Assistant to prove correctness of this algorithm. The algorithm takes a rule set specified in XACML and returns a list of pairs of indices denoting which rules conflict. It is then up to the policy writer to see if the conflicts are intended, or if they need modifying. Since we will prove that this algorithm is sound and complete, we can be assured that the list we obtain is complete and only contains true conflicts.

conflict detection

XACML

Coq Proof Assistant

access control rules

algorithm

Replication, Security, and Integrity of Outsourced Data in Cloud Computing Systems

Barsoum, Ayad Fekry

14 February 2013

In the current era of digital world, the amount of sensitive data produced by many organizations is outpacing their storage ability. The management of such huge amount of data is quite expensive due to the requirements of high storage capacity and qualified personnel. Storage-as-a-Service (SaaS) offered by cloud service providers (CSPs) is a paid facility that enables organizations to outsource their data to be stored on remote servers. Thus, SaaS reduces the maintenance cost and mitigates the burden of large local data storage at the organization's end. For an increased level of scalability, availability and durability, some customers may want their data to be replicated on multiple servers across multiple data centers. The more copies the CSP is asked to store, the more fees the customers are charged. Therefore, customers need to have a strong guarantee that the CSP is storing all data copies that are agreed upon in the service contract, and these copies remain intact. In this thesis we address the problem of creating multiple copies of a data file and verifying those copies stored on untrusted cloud servers. We propose a pairing-based provable multi-copy data possession (PB-PMDP) scheme, which provides an evidence that all outsourced copies are actually stored and remain intact. Moreover, it allows authorized users (i.e., those who have the right to access the owner's file) to seamlessly access the file copies stored by the CSP, and supports public verifiability. We then direct our study to the dynamic behavior of outsourced data, where the data owner is capable of not only archiving and accessing the data copies stored by the CSP, but also updating and scaling (using block operations: modification, insertion, deletion, and append) these copies on the remote servers. We propose a new map-based provable multi-copy dynamic data possession (MB-PMDDP) scheme that verifies the intactness and consistency of outsourced dynamic multiple data copies. To the best of our knowledge, the proposed scheme is the first to verify the integrity of multiple copies of dynamic data over untrusted cloud servers. As a complementary line of research, we consider protecting the CSP from a dishonest owner, who attempts to get illegal compensations by falsely claiming data corruption over cloud servers. We propose a new cloud-based storage scheme that allows the data owner to benefit from the facilities offered by the CSP and enables mutual trust between them. In addition, the proposed scheme ensures that authorized users receive the latest version of the outsourced data, and enables the owner to grant or revoke access to the data stored by cloud servers.

Cloud Computing

Data Integrity

Security

Access Control

Electrical and Computer Engineering

Cross-layer adaptive transmission scheduling in wireless networks

Ngo, Minh Hanh

05 1900

A new promising approach for wireless network optimization is from a cross-layer perspective. This thesis focuses on exploiting channel state information (CSI) from the physical layer for optimal transmission scheduling at the medium access control (MAC) layer. The first part of the thesis considers exploiting CSI via a distributed channel-aware MAC protocol. The MAC protocol is analysed using a centralized design approach and a non-cooperative game theoretic approach. Structural results are obtained and provably convergent stochastic approximation algorithms that can estimate the optimal transmission policies are proposed. Especially, in the game theoretic MAC formulation, it is proved that the best response transmission policies are threshold in the channel state and there exists a Nash equilibrium at which every user deploys a threshold transmission policy. This threshold result leads to a particularly efficient stochastic-approximation-based adaptive learning algorithm and a simple distributed implementation of the MAC protocol. Simulations show that the channel-aware MAC protocols result in system throughputs that increase with the number of users. The thesis also considers opportunistic transmission scheduling from the perspective of a single user using Markov Decision Process (MDP) approaches. Both channel state in-formation and channel memory are exploited for opportunistic transmission. First, a finite horizon MDP transmission scheduling problem is considered. The finite horizon formulation is suitable for short-term delay constraints. It is proved for the finite horizon opportunistic transmission scheduling problem that the optimal transmission policy is threshold in the buffer occupancy state and the transmission time. This two-dimensional threshold structure substantially reduces the computational complexity required to compute and implement the optimal policy. Second, the opportunistic transmission scheduling problem is formulated as an infinite horizon average cost MDP with a constraint on the average waiting cost. An advantage of the infinite horizon formulation is that the optimal policy is stationary. Using the Lagrange dynamic programming theory and the super modularity method, it is proved that the stationary optimal transmission scheduling policy is a randomized mixture of two policies that are threshold in the buffer occupancy state. A stochastic approximation algorithm and a Q-learning based algorithm that can adaptively estimate the optimal transmission scheduling policies are then proposed.

"wireless networks"

"medium access control"

A Verified Algorithm for Detecting Conflicts in XACML Access Control Rules

St-Martin, Michel

11 January 2012

The goal of this thesis is to find provably correct methods for detecting conflicts between XACML rules. A conflict occurs when one rule permits a request and another denies that same request. As XACML deals with access control, we can help prevent unwanted access by verifying that it contains rules that do not have unintended conflicts. In order to help with this, we propose an algorithm to find these conflicts then use the Coq Proof Assistant to prove correctness of this algorithm. The algorithm takes a rule set specified in XACML and returns a list of pairs of indices denoting which rules conflict. It is then up to the policy writer to see if the conflicts are intended, or if they need modifying. Since we will prove that this algorithm is sound and complete, we can be assured that the list we obtain is complete and only contains true conflicts.

conflict detection

XACML

Coq Proof Assistant

access control rules

algorithm

On Fine-Grained Access Control for XML

Zhuo, Donghui

January 2003

Fine-grained access control for XML is about controlling access to XML documents at the granularity of individual elements or attributes. This thesis addresses two problems related to XML access controls. The first is efficient, secure evaluation of XPath expressions. We present a technique that secures path expressions by means of query modification, and we show that the query modification algorithm is correct under a language-independent semantics for secure query evaluation. The second problem is to provide a compact, yet useful, representation of the access matrix. Since determining a user's privilege directly from access control policies can be extremely inefficient, materializing the access matrix---the net effect of the access control policies---is a common approach to speed up the authorization decision making. The fine-grained nature of XML access controls, however, makes the space cost of matrix materialization a significant issue. We present a codebook-based technique that records access matrices compactly. Our experimental study shows that the codebook approach exhibits significant space savings over other storage schemes, such as the access control list and the compressed accessibility map. The solutions to the above two problems provide a foundation for the development of an efficient mechanism that enforces fine-grained access controls for XML databases in the cases of query access.

Computer Science

access control

XML

fine-grained

security

access matrix

Design and Analysis of Medium Access Control Protocols for Broadband Wireless Networks

Cai, Lin

17 December 2009

The next-generation wireless networks are expected to integrate diverse network architectures and various wireless access technologies to provide a robust solution for ubiquitous broadband wireless access, such as wireless local area networks (WLANs), Ultra-Wideband (UWB), and millimeter-wave (mmWave) based wireless personal area networks (WPANs), etc. To enhance the spectral efficiency and link reliability, smart antenna systems have been proposed as a promising candidate for future broadband access networks. To effectively exploit the increased capabilities of the emerging wireless networks, the different network characteristics and the underlying physical layer features need to be considered in the medium access control (MAC) design, which plays a critical role in providing efficient and fair resource sharing among multiple users. In this thesis, we comprehensively investigate the MAC design in both single- and multi-hop broadband wireless networks, with and without infrastructure support. We first develop mathematical models to identify the performance bottlenecks and constraints in the design and operation of existing MAC. We then use a cross-layer approach to mitigate the identified bottleneck problems. Finally, by evaluating the performance of the proposed protocols with analytical models and extensive simulations, we determine the optimal protocol parameters to maximize the network performance. In specific, a generic analytical framework is developed for capacity study of an IEEE 802.11 WLAN in support of non-persistent asymmetric traffic flows. The analysis can be applied for effective admission control to guarantee the quality of service (QoS) performance of multimedia applications. As the access point (AP) becomes the bottleneck in an infrastructure based WLAN, we explore the multiple-input multiple-output (MIMO) capability in the future IEEE 802.11n WLANs and propose a MIMO-aware multi-user (MU) MAC. By exploiting the multi-user degree of freedom in a MIMO system to allow the AP to communicate with multiple users in the downlink simultaneously, the proposed MU MAC can minimize the AP-bottleneck effect and significantly improve the network capacity. Other enhanced MAC mechanisms, e.g., frame aggregation and bidirectional transmissions, are also studied. Furthermore, different from a narrowband system where simultaneous transmissions by nearby neighbors collide with each other, wideband system can support multiple concurrent transmissions if the multi-user interference can be properly managed. Taking advantage of the salient features of UWB and mmWave communications, we propose an exclusive region (ER) based MAC protocol to exploit the spatial multiplexing gain of centralized UWB and mmWave based wireless networks. Moreover, instead of studying the asymptotic capacity bounds of arbitrary networks which may be too loose to be useful in realistic networks, we derive the expected capacity or transport capacity of UWB and mmWave based networks with random topology. The analysis reveals the main factors affecting the network (transport) capacity, and how to determine the best protocol parameters to maximize the network capacity. In addition, due to limited transmission range, multi-hop relay is necessary to extend the communication coverage of UWB networks. A simple, scalable, and distributed UWB MAC protocol is crucial for efficiently utilizing the large bandwidth of UWB channels and enabling numerous new applications cost-effectively. To address this issue, we further design a distributed asynchronous ER based MAC for multi-hop UWB networks and derive the optimal ER size towards the maximum network throughput. The proposed MAC can significantly improve both network throughput and fairness performance, while the throughput and fairness are usually treated as a tradeoff in other MAC protocols.

Medium Access Control

Wireless Networks

Electrical and Computer Engineering

Method-Specific Access Control in Java via Proxy Objects using Annotations

Zarnett, Jeffrey

January 2010

Partially restricting access to objects enables system designers to finely control the security of their systems. We propose a novel approach that allows granting partial access at method granularity on arbitrary objects to remote clients, using proxy objects. Our initial approach considers methods to be either safe (may be invoked by anyone) or unsafe (may be invoked only by trusted users). We next generalize this approach by supporting Role-Based Access Control (RBAC) for methods in objects. In our approach, a policy implementer annotates methods, interfaces, and classes with roles. Our system automatically creates proxy objects for each role, which contain only methods to which that role is authorized. This thesis explains the method annotation process, the semantics of annotations, how we derive proxy objects based on annotations, and how clients invoke methods via proxy objects. We present the advantages to our approach, and distinguish it from existing approaches to method-granularity access control. We provide detailed semantics of our system, in First Order Logic, to describe its operation. We have implemented our system in the Java programming language and evaluated its performance and usability. Proxy objects have minimal overhead: creation of a proxy object takes an order of magnitude less time than retrieving a reference to a remote object. Deriving the interface---a one-time cost---is on the same order as retrieval. We present empirical evidence of the effectiveness of our approach by discussing its application to software projects that range from thousands to hundreds of thousands of lines of code; even large software projects can be annotated in less than a day.

Access Control

Java

Proxy Object

Annotation

Security

Electrical and Computer Engineering

An Analysis and Comparison of The Security Features of Firewalls and IDSs

Sulaman, Sardar Muhammad

January 2011

In last few years we have observed a significant increase in the usage of computing devices and their capabilities to communicate with each other. With the increase in usage and communicating capabilities the higher level of network security is also required. Today the main devices used for the network security are the firewalls and IDS/IPS that provide perimeter defense. Both devices provide many overlapping security features but they have different aims, different protection potential and need to be used together. A firewall is an active device that implements ACLs and restricts unauthorized access to protected resources. An IDS only provides information for further necessary actions, not necessarily perimeter related, but some of these needed actions can be automated, such as automatic blocking in the firewall of attacking sites, which creates an IPS. This thesis report analyzed some common firewall and IDS products, and described their security features, functionalities, and limitations in detail. It also contains the comparison of the security features of the both devices. The firewall and IDS perform different functions for the network security, so they should be used in layered defense architecture. The passwords, firewalls, IDSs/IPSs and physical security all together provide a layered defense and complement each other. The firewall and IDS alone cannot offer sufficient network protection against the network attacks, and they should be used together to enhance the defense-in-depth or layered approach.

Firewall

Intrusion Detection

Anomaly

Access Control

Packet Inspection

Signatures

IDS