Secure and highly-available aggregation queries in large-scale sensor networks via set sampling
In ACM/IEEE IPSN, 2009
Cited by 6 (2 self)
Wireless sensor networks are often queried for aggregates such as predicate count, sum, and average. In untrusted environments, sensors may potentially be compromised. Existing approaches for securely answering aggregation queries in untrusted sensor networks can detect whether the aggregation result is corrupted by an attacker. However, the attacker (controlling the compromised sensors) can keep corrupting the result, rendering the system unavailable. This paper aims to enable aggregation queries to tolerate instead of just detecting the adversary. To this end, we propose a novel tree sampling algorithm that directly uses sampling to answer aggregation queries. It leverages a novel set sampling technique to overcome a key and well-known obstacle in sampling — traditional sampling technique is only effective when the predicate count or sum is large. Set sampling can efficiently sample a set of sensors together, and determine whether any sensor in the set satisfies the predicate (but not how many). With set sampling as a building block, tree sampling can provably generate a correct answer despite adversarial interference, while without the drawbacks of traditional sampling techniques.
Randomized Synopses for Query Assurance on Data Streams
Cited by 5 (1 self)
Due to the overwhelming flow of information in many data stream applications, many companies may not be willing to acquire the necessary resources for deploying a Data Stream Management System (DSMS), choosing, alternatively, to outsource the data stream and the desired computations to a third-party. But data outsourcing and remote computations intrinsically raise issues of trust, making outsourced query assurance on data streams a problem with important practical implications. Consider a setting where a continuous “GROUP BY, SUM” query is processed using a remote, untrusted server. A client with limited processing capabilities observing exactly the same stream as the server, registers the query on the server’s DSMS and receives results upon request. The client wants to verify the integrity of the results using significantly fewer resources than evaluating the query locally. Towards that goal, we propose a probabilistic verification algorithm for selection and aggregate/group-by queries, that uses constant space irrespective of the result-set size, has low update cost per stream element, and can have arbitrarily small probability of failure. We generalize this algorithm to allow some tolerance on the number of erroneous groups detected, in order to support semantic load shedding on the server. We also discuss the hardness of supporting random load shedding. Finally, we implement our techniques and perform an empirical evaluation using live network traffic.
A Simple and Efficient Estimation Method for Stream Expression Cardinalities
Cited by 2 (2 self)
Estimating the cardinality (i.e. number of distinct elements) of an arbitrary set expression defined over multiple distributed streams is one of the most fundamental queries of interest. Earlier methods based on probabilistic sketches have focused mostly on the sketching algorithms. However, the estimators do not fully utilize the information in the sketches and thus are not statistically efficient. In this paper, we develop a novel statistical model and an efficient yet simple estimator for the cardinalities based on a continuous variant of the well known Flajolet-Martin sketches. Specifically, we show that, for two streams, our estimator has almost the same statistical efficiency as the Maximum Likelihood Estimator (MLE), which is known to be optimal in the sense of Cramer-Rao lower bounds under regular conditions. Moreover, as the number of streams gets larger, our estimator is still computationally simple, but the MLE becomes intractable due to the complexity of the likelihood. Let $N$ be the cardinality of the union of all streams, and $|S|$ be the cardinality of a set expression $S$ to be estimated. For a given relative standard error $\delta$, the memory requirement of our estimator is $O(\delta^{-2} |S|^{-1} N \log\log N)$, which is superior to state-of-the-art algorithms, especially for large $N$ and small the estimation is most challenging.
Secure Outsourced Aggregation via One-way Chains
Cited by 2 (1 self)
We consider the Outsourced Aggregation model, where sensing services outsource their sensor data collection and aggregation tasks to third-party service providers called aggregators. As aggregators can be untrusted or compromised, it is essential for a sensing service to be able to verify the correctness of aggregation results. This work presents SECOA, a framework with a family of novel and optimally-secure protocols for secure outsourced aggregation. Our framework is based on a unified use of one-way chains. It supports a large and diverse set of aggregate functions, can have multiple hierarchically organized aggregators, can deterministically detect any malicious aggregation behavior without communication with sensors, and incurs a small and workload-independent communication load on sensors. We also present extensive evaluation results to demonstrate the feasibility of our framework.
A Framework for Probabilistic, Authentic Aggregation in Wireless Sensor Networks
Cited by 1 (1 self)
Since then, he has been working as a scientific assistant at the Institute of Telematics in Karlsruhe. His main research interests include security and robustness in wireless sensor networks. Currently, he is working on robust, energy-aware concast communication schemes in wireless sensor networks within the BW-FIT project “ZeuS”. Dr. Erik-Oliver Blass recently joined Eurecom’s Network Security team in Sophia Antipolis, France, as a postdoc. His current work focuses on security and privacy aspects of RFID systems, in particular basic communication protocols between ‘tags’ and ‘readers’. Before joining Eurecom, he received his diploma
Robust Approximate Aggregation in Sensor Data Management Systems
Cited by 1 (1 self)
In the emerging area of sensor-based systems, a significant challenge is to develop scalable, fault-tolerant methods to extract useful information from the data the sensors collect. An approach to this data management problem is the use of sensor database systems, which allow users to perform aggregation queries such as MIN, COUNT and AVG on the readings of a sensor network. In addition, more advanced queries such as frequency counting and quantile estimation can be supported. Due to energy limitations in sensor-based networks, centralized data collection is generally impractical, so most systems use in-network aggregation to reduce network traffic. However, even these aggregation strategies remain bandwidth-intensive when combined with the fault-tolerant, multi-path routing methods often used in these environments. To avoid this expense, we investigate the use of approximate in-network aggregation using small sketches. We present duplicate insensitive sketching techniques that can be implemented efficiently on small sensor devices with limited hardware support and we analyze both their performance and accuracy. Finally, we present an experimental evaluation that validates the effectiveness of our methods.
Small Synopses for Group-By Query Verification on Outsourced Data Streams
Cited by 1 (1 self)
This is a preliminary release of an article accepted by ACM Transactions on Database Systems. The definitive version is currently in production at ACM and, when released, will supersede this version.
Private and verifiable interdomain routing decisions
2012
Cited by 1 (1 self)
Existing secure interdomain routing protocols can verify validity properties about individual routes, such as whether they correspond to a real network path. It is often useful to verify more complex properties relating to the route decision procedure – for example, whether the chosen route was the best one available, or whether it was consistent with the network’s peering agreements. However, this is difficult to do without knowing a network’s routing policy and full routing state, which are not normally disclosed. In this paper, we show how a network can allow its peers to verify a number of nontrivial properties of its interdomain routing decisions without revealing any additional information. If all the properties hold, the peers learn nothing beyond what the interdomain routing protocol already reveals; if a property does not hold, at least one peer can detect this and prove the violation. We present SPIDeR, a practical system that applies this approach to the Border Gateway Protocol, and we report results from an experimental evaluation to demonstrate that SPIDeR has a reasonable overhead.
Secure Aggregation with Malicious Node Revocation in Sensor Networks
Cited by 1 (0 self)
Sensor applications often leverage in-network aggregation to extract aggregates, such as predicate count and average, from the network. With in-network aggregation, a malicious sensor can easily manipulate the intermediate aggregation results and corrupt the final answer. Most existing secure aggregation schemes aim to defend against stealth attacks and can only raise an alarm when the final answer is corrupted, without being able to pinpoint and revoke the malicious sensors. While some recent protocols can pinpoint and revoke malicious sensors, they need to rely on expensive public key cryptography to be robust against certain attacks. Using only symmetric key cryptography, this paper aims to strictly diminish the capability of adversaries whenever they launch a successful attack, so that malicious sensors can only ruin the aggregation result for a small number of times before they are fully revoked. To this end, we propose VMAT (verifiable minimum with audit trail), a novel secure aggregation protocol with malicious sensor revocation capability. VMAT relies on symmetric key cryptography only, and provides provable guarantees that each execution can either produce the correct aggregation result efficiently, or revoke some key held by the adversary.
Towards A New Grand Challenge for Information Management
Business incentives have brought us within a small factor of achieving the database community’s Grand Challenge set out in the Asilomar Report of 1998. This paper makes the case for a new, focused Grand Challenge: Public Health for the Internet. The goal of PHI (or ϕ) is to enable collectives of hosts on the Internet to jointly monitor and promote network health by sharing information on network conditions in a peer-to-peer fashion. We argue that this will be a positive effort for the research community for a variety of reasons, both in terms of its technical reach and its societal impact. This version of the ϕ vision is targeted at readers in the database research community, but the effort is clearly multidisciplinary. A more generalist version of this paper will be maintained at

