An embodiment relates generally to security processing of message communications for a real-time tracking system.
A real-time tracking system consists of a number of nodes which process information about one or more time-varying or spatially varying random processes, in order to execute a given task. The nodes sample and track the processes of interest, by mutually exchanging sampled data in the form of messages. These messages are transmitted over channels that may be unreliable and hostile. Messages transmitted over unreliable channels may be lost, so that only a fraction of the transmitted messages may get through to the intended destination node. A hostile channel is one to which a malicious entity may have access, and could insert malicious messages. Nodes in such systems may have limited computational and storage resources. Given such constraints as described above, the nodes in a real-time tracking system need to process the exchanged messages so as to facilitate the execution of the underlying task of the system. Thus, the primary interest is in the satisfactory completion of that task. Performance requirements of the system essentially stem from what constitutes satisfactory completion. Randomness is inherent in these systems due to randomness in the processes being monitored or it could arise due to measurement errors and/or unreliable communication. This means that performance guarantees can only be of a probabilistic nature.
One example is a vehicle-to-vehicle (V2V) communication system that assists the drivers of the vehicles. In vehicle-to-vehicle communications (V2V), vehicles are equipped with wireless radio interfaces which they use to communicate with one another. An objective of a V2V network is to enable driver assistance safety applications such as emergency electronic brake light (EEBL) or blind spot warning (BSW) applications. V2V safety applications rely on wireless communications for exchanging useful information that pertains to driving conditions. Exchanged information relied upon includes kinematic information (i.e., the motion of objects described without reference to the forces or masses that produce that motion), road condition information, and even traffic information. The information is processed to determine whether warnings or advisories should be conveyed to the driver of the vehicle to enable the driver to make appropriate driving maneuvers. Drivers are expected to make use of the warnings/advisories received from the V2V system and act upon them, in a similar manner as reacting to turn signals or brake lights of cars ahead of them, or warning signals displayed on a side of the road. As a result, it is imperative to ensure the integrity/correctness of the information exchanged and provided to the driver by the V2V system.
Another example is that of sensor networking for real-time tracking of a signal of interest. Examples of such a system include remote monitoring of server farms using a sensor network, monitoring and/or controlling industrial automation, and environmental monitoring. In each of these examples, a central monitor or controller receives messages pertaining to several signals of interest. The controller's responsibility is to track the received signals in real-time in order to maintain correct operation of the underlying system and to prevent malfunctions. In systems where wireless sensors are used, messages transmitted among system entities (sensors and controller(s)) need to be authenticated. These systems also need to make judicious use of their resources so that the controller is able to maintain the system performance at an acceptable level.
The traditional network security approach to verifying the transmitted information is to append signatures or authentication tags to each message that is exchanged over the hostile and/or unreliable channel, and to use for further processing only those messages whose signature or authentication tag is valid. A message with a valid authentication tag is called a genuine message, while one with an invalid authentication tag is called a bogus message. Network security algorithms, and specifically authentication schemes, provide a verifying node with multiple ways (“modes”) to handle a received message. Under any authentication scheme, the following three (trivial) modes are available: accepting the message after verification, discarding the message before verification, or accepting the message without verification. Additional modes may arise in multiple-authenticator schemes, where messages may be appended with more than one authentication tag, any one of which can undergo verification. While the use of authentication schemes can ensure the authenticity of the information that safety applications act upon, it leaves open the issue of how an entity is expected to authenticate and process messages given its limited computational resources.
An example of a current approach that addresses the above issue is the first-in-first-out (FIFO) approach. But FIFO fails to account for the urgency of the data being authenticated. Another approach is called “Verify-on-demand”, whereby the tracking application demands verification of specific messages. While this may meet the performance requirements of the system, it is not clear whether all the demanded verifications would be feasible. Further, it is the history of messages rather than the “specific one” that might actually be essential for certain predictive tasks, such as determining whether or not a vehicular collision is imminent. Also, the strategy still leaves open the question of what happens if the specific message that is verified turns out to be bogus (i.e., fails verification of its authentication tag). In other approaches, such as assigning deadlines to messages, it is not clear whether the assigned deadlines are feasible. Deadline assignment likewise focuses on individual messages rather than their history. These approaches may also be exploited by attackers crafting bogus messages that attract urgent deadlines, so that the node's verification capacity is consumed by messages that will fail verification.
Given a node in a real-time tracking system with a limited amount of computational resources, it may not be able to track all its signals-of-interest with equally high accuracy. The processing strategies and the security layer need to work with the limited amount of storage and computational capability that is available. Specifically, it may be necessary for the node to assign priorities to its signals-of-interest depending on how they affect the underlying mission or task of the real-time system. Since messages may be exchanged over unreliable channels, the processing strategies and the security layer need to be sensitive to the availability or lack of information from the respective sending nodes. Finally, the processing strategy and security layer need to be resilient to computational Denial-of-Service (DoS) attacks, whereby the node's resources may be overwhelmed by processing bogus packets.
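The following simulation, added here as an illustration and not part of the original description or of any claimed method, makes the preceding points concrete: messages carry an authentication tag (a truncated HMAC-SHA256 over sender, sequence number and payload), a verifying node has a fixed number of verifications per time slot, and each message is handled in one of the three trivial modes (verified, discarded before verification, or accepted without verification). Running a first-in-first-out policy and an "urgent first" deadline-style policy over a slot in which forged messages are mixed with genuine sensor readings shows the computational DoS effect: when the forged messages come first, or are marked urgent, they consume the budget and the genuine readings are dropped unverified or, worse, accepted unverified. The shared key, sender names, payloads, the clear-text urgent flag and the arrival pattern are all constructed for this example.

```python
"""Verifying node with a per-slot verification budget (added example).

Everything here is constructed for illustration: the shared key, the message
layout, the sender names, the clear-text 'urgent' hint and the arrival pattern.
"""
import hashlib
import hmac
from dataclasses import dataclass

SHARED_KEY = b"constructed-example-key"  # constructed; not a real deployment secret
TAG_LEN = 16                             # truncated HMAC-SHA256 tag appended to each message

# The three trivial authentication modes available to a verifying node.
VERIFY, DISCARD, ACCEPT_UNVERIFIED = "verify", "discard", "accept_unverified"


@dataclass
class Message:
    sender: str
    seq: int
    payload: bytes
    tag: bytes
    urgent: bool = False   # hypothetical deadline hint, carried in the clear
    forged: bool = False   # ground truth for scoring only; a real node cannot see this


def _mac(sender: str, seq: int, payload: bytes) -> bytes:
    """Authentication tag over sender id, sequence number and payload."""
    data = sender.encode() + seq.to_bytes(4, "big") + payload
    return hmac.new(SHARED_KEY, data, hashlib.sha256).digest()[:TAG_LEN]


def genuine(sender, seq, payload, urgent=False) -> Message:
    """A message produced by a node holding the key."""
    return Message(sender, seq, payload, _mac(sender, seq, payload), urgent)


def bogus(sender, seq, payload, urgent=False) -> Message:
    """A message injected without the key: its tag cannot pass verification."""
    return Message(sender, seq, payload, b"\x00" * TAG_LEN, urgent, forged=True)


def verify(msg: Message) -> bool:
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(_mac(msg.sender, msg.seq, msg.payload), msg.tag)


def process_slot(messages, budget, order="fifo", overflow=DISCARD):
    """Process one time slot's messages with at most `budget` verifications.

    Messages within budget are verified (mode VERIFY); the rest are handled by
    `overflow`: DISCARD (dropped before verification) or ACCEPT_UNVERIFIED.
    `order` is "fifo" (arrival order) or "urgent_first" (deadline-style priority).
    Returns a tally of what happened to genuine and forged messages.
    """
    queue = list(messages)
    if order == "urgent_first":
        queue.sort(key=lambda m: 0 if m.urgent else 1)  # stable: FIFO within each class
    tally = {k: 0 for k in ("verified_genuine", "rejected_bogus",
                            "accepted_unverified_genuine", "accepted_unverified_bogus",
                            "dropped_genuine", "dropped_bogus")}
    spent = 0
    for m in queue:
        kind = "bogus" if m.forged else "genuine"   # scoring only, see Message.forged
        if spent < budget:
            spent += 1
            if verify(m):
                tally["verified_genuine"] += 1
            else:
                tally["rejected_bogus"] += 1
        elif overflow == ACCEPT_UNVERIFIED:
            tally[f"accepted_unverified_{kind}"] += 1
        else:
            tally[f"dropped_{kind}"] += 1
    return tally


def flood_scenario(attacker_first=True, attacker_urgent=False, n_genuine=5, n_bogus=10):
    """Constructed slot: n_genuine sensor readings plus n_bogus injected forgeries."""
    real = [genuine(f"sensor-{i}", 1, b"T=21") for i in range(n_genuine)]
    fake = [bogus("sensor-0", i + 2, b"T=99", urgent=attacker_urgent) for i in range(n_bogus)]
    return fake + real if attacker_first else real + fake


if __name__ == "__main__":
    print("FIFO, forgeries arrive first:", process_slot(flood_scenario(True), budget=8))
    print("FIFO, sensors arrive first:  ", process_slot(flood_scenario(False), budget=8))
    print("Urgent-first, forgeries marked urgent:",
          process_slot(flood_scenario(False, attacker_urgent=True), budget=8, order="urgent_first"))
    print("Overflow accepted unverified:",
          process_slot(flood_scenario(True), budget=8, overflow=ACCEPT_UNVERIFIED))
```

With a budget of 8 verifications and 10 forgeries ahead of 5 genuine readings, FIFO spends the whole budget rejecting forgeries and drops every genuine reading; reversing the arrival order lets FIFO verify all 5 readings, but an urgent-first policy that honours a flag the sender controls restores the starvation. Switching the overflow mode to accept-unverified stops the readings from being lost at the price of admitting the two forgeries that did not fit in the budget, which is the trade-off the text above leaves open.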
The processing strategy and the security layer need to balance all of the above-mentioned factors, and while doing so evaluate all the authentication modes available for all the messages pertaining to all the signals that are being tracked. However, crafting strategies that are optimal with respect to the entire domain of selections may be too cumbersome to implement, and may end up with very little robustness to a changing environment.