
Research On Key Technology Of Security And Privacy Protection For Internet Of Things Services

Posted on: 2017-11-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L Duan
GTID: 1318330518996796
Subject: Computer Science and Technology
Abstract/Summary:
An Internet of Things (IoT) service is the combination of IoT technologies and services. As IoT systems are widely used in fields such as WIT 120 and Smart Grid, achieving certain business goals requires sharing data across multiple organizations and real-time collaboration among distributed, heterogeneous IoT services. In this new environment, security and privacy protection is the key factor restricting the development of IoT services. Compared with traditional services, IoT services are distinctively open and dynamic because of the coupling architecture of the IoT environment. The security and privacy requirements of IoT services focus mainly on three aspects: secure data sharing, secure service collaboration, and the privacy disclosure of service users. Based on these features and security requirements, this thesis first proposes a policy management mechanism for shared data, then proposes two access control mechanisms for protecting data confidentiality and the privacy of service policies, and finally proposes an approach for ensuring the security of composite services and a privacy disclosure recommendation model for protecting users' private information. These contributions provide direction and guidance for building secure IoT demonstration applications. The research and contributions of this thesis are summarized as follows:

(1) To manage access to shared data, this thesis proposes a bottom-up approach to the problem of combining multiple policies. The key idea is to first classify the rules in each policy, which is specified in XACML, according to their condition constraints, and then reduce the rules of each class into one. The reduced rules are then combined into a new global policy by choosing the appropriate XACML rule-combining algorithm. The global policy ensures compliance with each of the local policies at both the syntactic and semantic levels. To validate the approach, we develop a proof-of-concept implementation of the automated policy combination. Compared with existing policy combining methods, this method effectively extends the semantics of policy combination and supports user-defined policy combining algorithms.

(2) To support indirect, anonymous and multicast interactions among IoT services, this thesis proposes two access control frameworks based on publish/subscribe systems. The first is the Data-Centric Access Control Framework (DCACF), which supports real-time control of service interactions and protection of data confidentiality. Data published in DCACF is encrypted with a fully homomorphic encryption scheme, which allows in-grid homomorphic aggregation of the encrypted data. The second is a two-layer access control framework that protects both the published data and the policy privacy of IoT services. The key idea is to use two cooperating layers to match bi-directional privacy control requirements: a data layer for protecting IoT events and an application layer for protecting services. Furthermore, an anonymous-set based principle is adopted to realize the functions of the framework, including policy embedding, policy encoding and policy matching. Our security analysis shows that the policy privacy framework is CPA (Chosen-Plaintext Attack) secure. The performance evaluation results indicate that our approaches can effectively increase the size of the encrypted data and improve the efficiency of policy matching.

(3) To ensure the security of composite services, this thesis presents a separation approach that models the hierarchical process and specifies the authorization policy separately, and then combines them into a secure service process based on task relationships. The expected security compliance properties are modeled by a visual compliance rule graph, which is easy for a business analyst to understand. The model checker NuSMV is applied to verify the security compliance properties of the hierarchical process model. To minimize the disclosure of service users' private information, this thesis also presents a privacy disclosure recommendation approach based on a privacy cost model. The approach selects appropriate credentials or attributes from the user and automatically builds a new credential that fulfills the service's authorization policies. Experimental results demonstrate that our approach is effective in generating a new credential.
Keywords/Search Tags:Internet of Things Services, Publish/Subscribe System, Access Control, Service Security, Data Confidentiality, Service Collaboration