

IEEE Wireless Communications • August 2015 • 1536-1284/15/$25.00 © 2015 IEEE

Kuan Zhang, Kan Yang, and Xuemin (Sherman) Shen are with the University of Waterloo.

Xiaohui Liang is with Dartmouth College.

Zhou Su is with Waseda University.

Henry H. Luo is with Care In Motion (CIM) Technology Inc.

SECURITY AND PRIVACY FOR MOBILE HEALTHCARE NETWORKS: FROM A QUALITY OF PROTECTION PERSPECTIVE

KUAN ZHANG, KAN YANG, XIAOHUI LIANG, ZHOU SU, XUEMIN (SHERMAN) SHEN, AND HENRY H. LUO

ACCEPTED FROM OPEN CALL

ABSTRACT

With the flourishing of multi-functional wearable devices and the widespread use of smartphones, the mobile healthcare network (MHN) becomes a promising paradigm of ubiquitous healthcare to continuously monitor our health conditions, remotely diagnose phenomena, and share health information in real time. However, MHNs raise critical security and privacy issues, since highly sensitive health information is collected, and users have diverse security and privacy requirements about such information. In this article, we investigate security and privacy protection in MHNs from the perspective of quality of protection (QoP), which offers users adjustable security protections at fine-grained levels. Specifically, we first introduce the architecture of MHNs, and point out the security and privacy challenges from the perspective of QoP. We then present some countermeasures for security and privacy protection in MHNs, including privacy-preserving health data aggregation, secure health data processing, and misbehavior detection. Finally, we discuss some open problems and pose future research directions in MHNs.

INTRODUCTION

Healthcare is one of the major social and economic problems around the world, especially in an aging society, where it entails tremendous health expense and labor resources. From a recent national health report in the United States, the average expense per capita was $8895 in 2014, while the annual national healthcare expenditure has skyrocketed to $3.8 trillion. Among the costs, nursing home care, home health care, and personal care contribute about 18 percent of the total expenditure [1]. Moreover, traditional hospital-centric healthcare not only lacks efficiency when dealing with chronic diseases or identifying some serious diseases in the early stages, but also suffers from excessive waiting times in hospitals. Therefore, new healthcare solutions are emerging, including continuous health monitoring as well as health information processing and sharing, to enhance disease diagnosis and relieve the heavy burden of the existing health expenditure.

Recently, wearable devices (e.g., smart wristwatches, bracelets, rings, and hair caps) are widely applied to offer continuous healthcare, such as physiology parameter monitoring for remote healthcare [2], heart rate recording for workout intensity or training, and calorie burn during fitness. Consisting of these ubiquitous wearable devices, heterogeneous mobile networks (e.g., cellular network, WiFi, and device-to-device [D2D] communications), and powerful computational servers (e.g., cloud servers), mobile healthcare networks (MHNs) collect the health information sensed by wearable devices, analyze/process it for health monitoring and diagnosis, and enable users’ social interactions. For example, seniors can wear dedicated wearable devices that continuously measure their physiology information, such as body temperature, heart rate, blood pressure, and oxygen saturation. Meanwhile, doctors and/or their families can use desktops and smartphones to remotely access these health records via MHNs. In case of any emergency, such as falling down or a heart problem, the wearable devices can automatically report the health condition of the patient to his/her doctors and families. In addition, MHNs can also enable promising wearable and social applications, for example, sharing physical condition and activity information measured by wearable devices among social friends [3].

However, MHN applications raise various security and privacy issues. Since health information (e.g., phenomena, health condition, emergency) is relatively sensitive for users, any inappropriate disclosure may violate user privacy and even result in property loss [2]. Users may also worry about their critical health data being tampered with when their health data are stored in untrusted cloud servers [4]. Moreover, some malicious attackers misbehave in MHNs to disrupt the effectiveness or mislead other users’ preferences [5]. Without appropriate security and privacy protections, users may not accept MHN applications.

In addition, the costs of security protections vary with users’ diverse demands, and may impact users’ experiences of MHN applications. For example, complicated encryption techniques may offer users more security guarantees but with higher computational overheads and latency than lightweight ones. To satisfy users’ diverse security requirements and balance the trade-off between performance and security protections, quality of protection (QoP) has become a newly emerging security concept that allows applications to seamlessly integrate adjustable security protection [6, 7]. Therefore, we shine a special spotlight on MHN trends in security and privacy protection from the QoP perspective, which separates security schemes into different levels to ensure suitable security services for the best trade-off between performance demands and security.

In this article, we investigate security and privacy issues in MHNs from the QoP perspective. We first introduce the overall architecture of MHNs, and present some promising MHN applications. Then we discuss the security and privacy challenges in MHNs from the QoP perspective, including privacy leakage, misbehavior, and security in health data collection and processing. We also present some solutions, that is, privacy-preserving health data aggregation, misbehavior detection, and secure health data processing, to address these security and privacy challenges. Finally, we present some open problems and indicate future research directions.

Figure 1. Mobile healthcare network. (Figure labels: wearable device sensing ECG, stress, SpO2, pedometer, body scale, sleep, calories, fall detection, total activity, skin temperature, continuous HR, and blood pressure; heterogeneous mobile network with WLAN/Wi-Fi access point, cellular networks/base station, and device-to-device communications; local server, centralized server, health data center, and the Internet; arrows for data flow, user movement, and emergency.)

MHN ARCHITECTURE AND APPLICATIONS

In this section, we present the heterogeneous MHN architecture and introduce some promising MHN applications.

MHN ARCHITECTURE

MHNs consist of wearable devices, users, servers, and heterogeneous mobile networks, as shown in Fig. 1.

Wearable Devices: Wearable devices, as the bridge connecting the human body and the information world, are integrated with physiology sensors and low-power computation, communication, and storage modules. These devices can sense diverse information from a human, such as physiology parameters, health conditions, motions, and location. Generally, wearable devices can only preprocess the sensed data due to the limitations of size, processing capabilities, and energy. Alternatively, these sensed data are compressed by the embedded low-power computation modules, sent to mobile users’ devices (i.e., smartphones and desktops) via Bluetooth or NFC, or directly delivered to the servers via heterogeneous mobile networks.

Users: Users, such as doctors, patients, and their families, use smartphones to receive sensing data from wearable devices. They can also deliver these health data to servers for further processing and analysis. Furthermore, they can be either sensing objects (e.g., patients and seniors) of wearable devices or monitors who measure and collect health data from the sensing objects.

Servers: The servers (e.g., centralized servers in hospitals and cloud servers) are used to store, process, and analyze the collected health data from the wearable devices or mobile users. Some local servers can perform as authorities to automatically organize the local MHNs and provide local information to facilitate mobile users’ interactions.

Heterogeneous Mobile Networks: Consisting of cellular network, WiFi, and D2D communications, heterogeneous mobile networks support MHNs for health data collection from wearable devices or mobile users, transmission, and sharing. MHNs can be switched seamlessly among different types of mobile networks during health data transmission and sharing. With heterogeneous mobile networks, mobile users can access the Internet through WiFi or cellular networks, interact with surrounding users via Bluetooth or NFC, and browse local information via local servers.

Figure 2. MHN applications. (Figure labels: mobile healthcare networks at the center, surrounded by clinic/remote healthcare; home care; and fitness, training, and social networks.)

MHN APPLICATIONS

There are various MHN applications, including remote healthcare, home care, and fitness, as shown in Fig. 2.

Clinic/Remote Healthcare: Health monitoring is one of the most prestigious MHN applications, offering continuous physiology parameter sensing, health condition monitoring, and so on. The multi-functional wearable devices can measure various physiology and activity parameters, such as heart rate, body temperature, blood pressure, oxygen saturation, blood volume index, respiration, pulse, quality of sleep, location, falls, and posture. Doctors and related family members can remotely and in real time check the health condition of the patients, or diagnose a chronic disease at an early stage.

Home Care: Home care can offer ubiquitous healthcare for seniors and disabled people even while they stay at home, which considerably saves hospital resources and is convenient for patients. Fall detection is a typical emergency response application in MHNs, where the abnormal body position can trigger acceleration sensors to identify the fall, and wearable devices or smartphones can report this emergency to the patient’s family and doctors through MHNs. Furthermore, the real-time physiology parameters can be measured after the fall, offering a guideline for emergency operation.

Fitness and Training: Besides the aforementioned health monitoring related applications, MHNs can also offer a wide range of applications, including fitness and training. The wearable devices (e.g., belt, glove, and bracelet) are able to capture the motion of the human body, arms, or hands, measuring calorie burn and heart or lung conditions during fitness and training. The sensed health data become the main driver of users’ further fitness plans or the coach’s decisions. During workouts, users can also share their physiology parameters with each other for experience sharing or feedback [8]. For example, they can share suitable fitness guidelines with users having similar physical conditions, or recommend health products (e.g., protein and healthy foods).

SECURITY AND PRIVACY ISSUES IN MHNS FROM A QOP PERSPECTIVE

With the main drivers of user experience [9] and security service requirements, QoP is becoming an important security concept to provide different levels of security protection to different levels of users with diverse demands. Specifically, as shown in Fig. 3, MHNs with QoP can achieve access privileges via authentication; guarantee integrity, confidentiality, and non-repudiation via encryption and signature; ensure copyrights via watermarking; and protect privacy via cryptography, anonymity, and obfuscation techniques [9]. Having a set of security protection services, QoP, fueled by artifacts, human intelligence, and involvement, adjusts these tunable protection aspects according to different requirements. Besides these off-the-shelf security protection schemes applied in QoP, several other emerging approaches to dealing with the critical security and privacy issues in MHNs are also essential from the QoP perspective.

PRIVACY LEAKAGE

Privacy is a critical issue in MHNs as sensitive health data are involved in collection, transmission, processing, and sharing. Without appropriate privacy protection, users may not be willing to expose their data to others, which hinders the processing and sharing of health data and users’ experiences. In [4], several general privacy threats in a healthcare system, such as identity privacy, information leakage during transmission, and location privacy, are investigated. In [5], privacy protection is applied between sensors and smartphones to protect against sensing data disclosure. In [6], Ong et al. investigate security services partitioned into various security levels to balance security requirements and performance preferences. A proper QoP construction can be offered by the characterization of QoP with security settings, where it expresses security constraints and attributes to customize protection for different applications. In MHNs, to achieve a higher privacy level of data and users’ profiles (or attributes), for example, personal physiology parameters, the privacy protection should be robust and strong enough to resist potential attacks and leakage, which inevitably increases computational overheads and latency. Therefore, QoP should be applied in MHNs for adjusting the privacy protection at various privacy levels.

Figure 3. QoP in MHNs. (Figure labels: data resources are wearable devices, users, heterogeneous mobile networks, server, and health data center; security and privacy requirements are lightweight and secure health data measurement, misbehavior detection and privacy preservation, privacy-preserving and secure health data transmission, and secure health data access and processing; the QoP loop is requirement collection, selection of security protections, and QoP level adjustment; security protections listed are encryption (AES, IBE), signature (RSA, BLS), anonymity (pseudonymity), access control (ABE), misbehavior detection, privacy preservation, data availability, and so on.)

SECURE DATA ACCESS AND PROCESSING

As MHNs may take advantage of the powerful storage and computation capabilities of outsourced cloud servers, security concerns associated with these untrusted cloud servers are also raised in MHNs. The health data access policy should be clearly defined and used to authenticate the user’s identity with access authority. For example, for a patient’s daily health data (e.g., electrocardiography [ECG]) stored in the cloud server, only the doctors in neurology can access these data and the corresponding analysis results. Meanwhile, the data should be protected from being accessed by an insurance company [10]. Besides the general access control policies, it is also critical to ensure fine-grained access in accordance with users’ attributes. In MHNs, dynamic access management is necessary to address the issues of users’ attributes changing, revocation, a new user’s participation, and so on. In addition, the overheads for different access levels should be balanced to relieve the computation burden for users.

When health data are outsourced to cloud servers for analysis and processing, the raw data should be invisible to the untrusted cloud servers, and the user’s (e.g., data owner’s) identity and associated profiles should be anonymous. Some secure health data processing schemes (e.g., functional encryption, homomorphic encryption) are proposed to guarantee data protection during some basic operations (e.g., aggregation, summation, and comparison). With different QoP requirements, the protection should be enhanced when applying some complicated operations, such as Bayesian learning and data mining, which are essential for health data analysis and diagnosis.

MALICIOUS ATTACKS AND MISBEHAVIOR

MHNs are vulnerable to malicious attacks and misbehavior from mobile users, which may disrupt the effectiveness of MHNs or degrade the performance. In health-related social applications, such as fitness and social gaming, attackers may forge their social attributes to snatch other legitimate users’ health information, which lets them push spam recommendations and violate users’ privacy. Moreover, these attackers may also misbehave, for example, not following the network protocol or spreading spam to launch denial of service (DoS) attacks or consume a large amount of network resources. Although some misbehavior detection schemes [4] can partially resist individual attacks, it is still challenging to adjust the security protection against powerful attacks such as Sybil attacks. The cost of misbehavior detection may increase due to the skyrocketing attacking capabilities of these attackers. To protect MHNs from the QoP perspective, the misbehavior should be categorized into different levels with the corresponding detection or protection schemes.

SECURITY SOLUTIONS IN MHNS

In this section, we present some security solutions for the emerging MHN applications from the perspective of QoP.

PRIVACY-PRESERVING HEALTH DATA AGGREGATION

In MHNs, the data transmission (or forwarding) overheads are exponentially increased due to the large number of health sensing data from wearable devices. Particularly, in a D2D-based smart community as shown in Fig. 4, users continuously upload their physiology parameter records to a health data center via social spots deployed in the community by using short-range communication techniques. Furthermore, the multihop relay is adopted to aggregate the data with a tolerable delay. However, in accordance with different types of health data, the transmission delay may be significantly different. Meanwhile, privacy protection during data transmission is also necessary for MHNs.

In [11], a priority-based privacy-preserving data aggregation scheme is proposed for MHNs, which not only aggregates different types of health data within tunable delay requirements but also protects the data and identity privacy during transmission. According to various types of health data, users select different forwarding strategies, which not only forward data within the given delay but also consume reasonable network resources. Having the health data priority shown in Fig. 4b, users with P1 data can greedily forward their data and make use of the network resources to minimize the delay. Furthermore, doctors may request vital health data from patients in emergencies for continuous monitoring. In addition, the regular health data are not for emergency use, so the delay requirement may be tolerant. Both vital and regular data are labeled as small data (i.e., physiology parameters with small data size) and big data (i.e., ECG or images with large size) [11]. Given the relay selection strategy, the sender selects the optimal relay for different data priorities (or different forwarding schemes). Then the relays store-carry-and-forward the data to social spots connected to cloud servers so that the data can finally be forwarded to the cloud servers.

The security and privacy issues cannot be neglected as the cloud servers are not fully trusted and may maliciously delete or modify the stored data. Moreover, the data owner cannot trust the relays, who are anonymous and even strangers. Since the health data are separated into different categories, the security protection levels should also be adjusted. Therefore, to enhance the health data aggregation from the QoP perspective, privacy-preserving aggregation is desirable.

In [11], a superincreasing sequence is adopted to separate different priorities of health data. If the amount of data and the maximum data value in each priority from $N$ users are smaller than the constants $f$ and $q$, the trusted authority (TA) can generate a superincreasing sequence $\vec{b} = (b_1 = 1, \ldots, b_N)$ with each element denoting a large prime, where $\sum_{j=1}^{i-1} b_j \cdot f \cdot q < b_i$ for $i = 2, \ldots, N$, and $\sum_{j=1}^{N} b_j \cdot f \cdot q < n$. To differentiate the encrypted data for each type, the TA generates the other superincreasing sequence $\vec{a} = (a_1 = 1, a_2, a_3, a_4, a_5)$, where $a_2$, $a_3$, $a_4$, and $a_5$ are all large primes. Here, $\sum_{j=1}^{i-1} a_j \cdot g \cdot q < a_i$ for $i = 2, \ldots, 5$, and $\sum_{j=1}^{5} a_j \cdot g \cdot q < n$, where $\sum_{i=1}^{N} b_i = g$. The TA also has $g_i = g^{a_i}$ for $i = 1, 2, \ldots, 5$ and constructs $(g_1, g_2, \ldots, g_5)$. The secret keys are $\{\lambda, \mu, \vec{a}, \vec{b}\}$, while the public keys are $\{n, g\}$.

During initialization, an individual user $u_i$ receives his/her secret key $b_i$ from the TA. Using pseudonym techniques, $u_i$ is also assigned a set of asymmetric key pairs and generates the pseudonym $PID_i$ during the communications. The unique identity $u_i$ can be protected since only the literally meaningless pseudonyms are visible to others. When the data $(d_1, d_2, d_3, d_4, d_5)$ are monitored and separated into different priorities (from P1 to P5), $u_i$ encrypts the data as $C_{i,j} = g_j^{b_i d_{i,j}} \cdot r_i^{n} \bmod n^2$, where $j \in \{1, 2, 3, 4, 5\}$ is the priority number and $r_i \in \mathbb{Z}_q^*$ is a random number. The aggregated ciphertext is

$$C = \prod_{i=1}^{N} \prod_{j=1}^{5} C_{i,j} = \prod_{j=1}^{5} g_j^{\sum_{i=1}^{N} b_i d_{i,j}} \cdot \Big(\prod_{i=1}^{N} r_i\Big)^{n} \bmod n^2 .$$

Having the secret key $(\lambda, \mu)$, the ciphertext $C$ can be decrypted as $M = \big(a_1 \sum_{i=1}^{N} b_i d_{i,1} + a_2 \sum_{i=1}^{N} b_i d_{i,2} + \cdots + a_5 \sum_{i=1}^{N} b_i d_{i,5}\big) \bmod n$. The raw data $(d_1, d_2, d_3, d_4, d_5)$ can be obtained by using a recursive algorithm based on the features of a superincreasing sequence. Therefore, the data are privately aggregated at different priorities with the corresponding service requirements, where users’ experiences and privacy are balanced with tunable QoP provisioning.
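A runnable toy version of the priority-based aggregation just described, added here as an illustration and not taken from [11] or the article: Paillier with generator $g = n + 1$ supplies the TA's $(n, g, \lambda, \mu)$, two superincreasing prime sequences separate the five priorities and the $N$ users, relays only multiply ciphertexts, and the TA peels every $d_{i,j}$ back out of $M$ by the recursive procedure. The Mersenne primes, the readings, the per-user bound $f \cdot q$ on each $d_{i,j}$ and the choice of $r_i$ from $\mathbb{Z}_n^*$ are constructed for the demonstration and are far too small to be secure.

```python
"""Toy of priority-based privacy-preserving aggregation: Paillier + superincreasing sequences."""
import math
import random

# Constructed toy parameters (NOT secure sizes); Mersenne primes stand in for the TA's primes.
P = 2**89 - 1
Q = 2**107 - 1
N_USERS = 3            # N users u_1..u_N
N_PRIO = 5             # priorities P1..P5
F_MAX = 4              # at most f readings are summed per user and priority
Q_MAX = 256            # every reading is below q, so each d_{i,j} < f*q


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; probabilistic, which is enough for a demonstration."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def superincreasing(length, bound):
    """First element 1; each later element is a prime above bound * (sum of earlier ones)."""
    seq = [1]
    while len(seq) < length:
        candidate = bound * sum(seq) + 1
        while not is_probable_prime(candidate):
            candidate += 1
        seq.append(candidate)
    return seq


def ta_setup():
    """Trusted authority: Paillier keys (n, g=n+1, lambda, mu), a (priorities) and b (users)."""
    n = P * Q
    lam = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)       # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                    # since L(g^lambda mod n^2) = lambda
    b = superincreasing(N_USERS, F_MAX * Q_MAX)             # separates users inside a priority
    g_sum = sum(b)                                          # the article's g = sum_i b_i
    a = superincreasing(N_PRIO, g_sum * F_MAX * Q_MAX)      # separates the five priorities
    assert sum(a) * g_sum * F_MAX * Q_MAX < n, "plaintext sum must stay below n"
    g_j = [pow(n + 1, a_j, n * n) for a_j in a]             # g_j = g^{a_j}, per-priority bases
    return {"n": n, "g_j": g_j, "lam": lam, "mu": mu, "a": a, "b": b}


def encrypt(pk, b_i, readings):
    """User u_i: C_{i,j} = g_j^{b_i d_{i,j}} * r_i^n mod n^2, i.e. Paillier of a_j*b_i*d_{i,j}."""
    n = pk["n"]
    n2 = n * n
    r = random.randrange(2, n)            # blinding factor from Z_n^* (standard Paillier)
    while math.gcd(r, n) != 1:
        r = random.randrange(2, n)
    return [pow(pk["g_j"][j], b_i * d, n2) * pow(r, n, n2) % n2 for j, d in enumerate(readings)]


def aggregate(pk, ciphertexts):
    """Relays and social spots only multiply ciphertexts; nothing is decrypted in transit."""
    n2 = pk["n"] * pk["n"]
    c = 1
    for ct in (ct for user_cts in ciphertexts for ct in user_cts):
        c = c * ct % n2
    return c


def decrypt(sk, c):
    """Paillier: M = L(c^lambda mod n^2) * mu mod n = sum_j a_j * sum_i b_i d_{i,j}."""
    n = sk["n"]
    return (pow(c, sk["lam"], n * n) - 1) // n * sk["mu"] % n


def peel(m, seq):
    """Recover x with m = sum_k seq[k]*x[k] for a superincreasing seq, largest term first."""
    x = [0] * len(seq)
    for k in range(len(seq) - 1, -1, -1):
        x[k], m = divmod(m, seq[k])
    return x


def recover(sk, m):
    """M -> per-priority totals X_j = sum_i b_i d_{i,j} -> each user's d_{i,j}; result[i][j]."""
    per_priority = [peel(x_j, sk["b"]) for x_j in peel(m, sk["a"])]   # indexed [j][i]
    return [list(col) for col in zip(*per_priority)]


def demo():
    """Three users, five priorities; constructed readings (0 = nothing to report)."""
    keys = ta_setup()
    data = [[1, 72, 0, 65, 0],        # u_1: emergency call plus vital and regular parameters
            [0, 0, 200, 80, 0],       # u_2: vital image data plus a regular parameter
            [0, 110, 0, 0, 255]]      # u_3
    cts = [encrypt(keys, keys["b"][i], row) for i, row in enumerate(data)]
    return recover(keys, decrypt(keys, aggregate(keys, cts)))
```

`demo()` returns the original readings table, which the TA obtains from the single aggregated ciphertext while relays and social spots saw only Paillier ciphertexts under fresh blinding factors.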

SECURE HEALTH DATA ACCESS AND PROCESSING

Health data access, processing, and analysis are of utmost importance during healthcare management, health condition analysis, and diagnosis. It is necessary to confine the health data access in the server and prevent raw data disclosure during the processing procedures. In [12], a normalized weighted tree is adopted to describe the security system attributes, where the elements of the security system structure are identified as nodes of the tree. By expanding/shrinking the tree, these security system attributes can be represented to permit the definition, formulation, and evaluation for model-based QoP. Therefore, QoP is an extension of the current QoS model on security protection.

Authentication is the first step to enable legal users (e.g., with a valid signature or certificate) from outside to access the data. But the raw data are still visible to the untrusted cloud servers [13]. Alternatively, the raw data can be encrypted and stored in the cloud servers so that only the users having the decryption keys can access the raw data. As such, the data are selectively visible at a coarse-grained access level, that is, by providing others the decryption keys. Meanwhile, this prevents the cloud servers from processing the data, which hinders the cloud server’s advantages of data processing and limits the flourishing of MHNs. To achieve fine-grained access control, attribute-based encryption (ABE) has evolved in the past decades to improve the flexibility in specifying differential data access [14]. Every user maintains a set of descriptive attributes associated with his secret keys, while the ciphertexts are labeled with the defined access policy. As a result, only authorized users with specific attributes satisfying the access policy can decrypt the raw data.

Figure 4. Priority-based health data aggregation for MHNs: a) cloud-assisted WBAN model; b) priority-based health data aggregation. (Figure labels for a): trusted authority, key distribution, auditing, cloud server 1, cloud server 2, social spot, emergency, health data aggregation, emergency call, wireless communications, the Internet data flow. Figure labels for b): for a user: sense data from WBANs, data priority detection, relay selection, data forwarding, forwarding strategy selection; for the cloud server: aggregation data authentication, data classifier; for doctors: send requests to mobile users, access the data. The data priority table in b) reads as follows, with P1 the highest priority.)

Priority | Data category                | Data size
P1       | Emergency call               | Small
P2       | Vital physiology parameter   | Small
P3       | Vital image data             | Large
P4       | Regular physiology parameter | Small
P5       | Regular image data           | Large

In terms of health data processing, the computational operations in the cloud server pose challenges since the data are generally encrypted without access authorization for the untrusted cloud servers. To this end, some enhanced cryptographic schemes are adopted toward some specific operations, for example, homomorphic encryption for summation and multiplication, searchable encryption for search, predicate encryption, order-preserving encryption, hidden vector encryption for query and comparison, and so on. In addition, the recent functional encryption also achieves similar objectives of data processing. Although these cryptographic schemes allow the cloud servers to perform some basic computational operations over the encrypted data and preserve data privacy, it is still necessary to develop efficient approaches to the complicated and diverse operations for MHNs from the perspective of QoP.

MISBEHAVIOR DETECTION FOR HEALTH-ORIENTED MOBILE SOCIAL NETWORK APPLICATIONS

MHNs offer users a wide range of social network applications, such as fitness experience sharing, health data exchange, and instant interaction among social friends. However, some attackers may not honestly follow the network protocols and even misbehave to not only degrade the MHN performance and users’ experiences but also disrupt MHNs. A Sybil attack is one of these serious threats to MHNs, where Sybil attackers maliciously manipulate a large number of pseudonyms (or identities) to cheat others. For example, during fitness experience sharing in MHNs, Sybil attackers may repeatedly send the same fitness experiences to the same users with multiple identities to mislead other users’ opinions and preferences, as shown in Fig. 5. Furthermore, it is difficult to trace Sybil attackers in MHNs due to the unpredictable trajectories and high mobility, which poses a new set of challenges and requires urgent solutions to detect them.

Generally, Sybil attacks in large-scale networks can be detected with social graph or community detection, or by using cryptography to identify Sybil attackers. However, mobile users cannot easily detect Sybil attackers in mobile environments because of the following limitations:

• Weak social relationships: mobile users often do not have tight social relationships with others in physical proximity.

• Dynamic user mobility results in intermittent social connections.

• Smarter Sybil attackers behave similarly to normal users, so they merge into normal users' social communities and resist traditional detection.

• Individual users have limited knowledge and detection capabilities.

One promising direction is to exploit the cloud server in MHNs for detection. However, since the cloud server itself introduces security concerns (it is untrusted and may even collude with attackers), a thorough Sybil detection approach for MHNs from the perspective of QoP remains tricky to design.

To this end, a social-based mobile Sybil detection scheme is proposed in [15], which exploits mobile users' pseudonym changing behaviors and contact statistics to differentiate Sybil attackers from normal users.

In order of increasing attack capability, Sybil attackers can be classified into four levels.

L-1: General Sybil attackers adopt pseudonyms to hide their real identities (by frequently changing pseudonyms) and repeatedly send similar information or spam to a normal user u_i. From u_i's view, the received information appears to come from different users, so u_i's preference may be biased.

L-2: Sybil attackers with forged contacts fabricate fake contact records (without contact signatures) with other users to confuse Sybil detection. In other words, a large number of fake contact records can be used to justify an L-2 attacker's pseudonym changes.

L-3: Sybil attackers colluding with mobile users obtain nonexistent contact records bearing valid contact signatures, even though the colluding users have never met.

L-4: Sybil attackers colluding with cloud servers either add fake contact records for attackers to help validate their pseudonym changes, or modify and delete normal users' contact records to increase the false detection rate.

In [7], Luo et al. propose a QoP partition model that quantitatively reflects the strength of protection and users' security demands. To provide QoP against these levels of Sybil attacks in MHNs, the corresponding countermeasures are proposed in [15] as follows.

C-1: Each mobile user provides the contact records associated with each of his/her pseudonym changes. If a pseudonym is changed while the number of contacts under it is below a threshold TH, the change is rejected; since L-1 attackers change pseudonyms far more often than normal users, they can be detected this way.

C-2: Mobile users collect the contact signature of each encountered user. As evidence of the contact, the contact signature is generated by each pair of encountered legitimate mobile users. A variant of the aggregate signature technique is proposed to reduce the overall signature size and verification overhead.

Figure 5. Sybil detection for MHNs. [Figure: a trusted authority, a cloud server, and a Sybil attacker holding pseudonyms Pid1, Pid2, Pid3, ..., Pid4, Pid5; wireless communications links between mobile users and wired communications links to the cloud server and trusted authority.]

C-3: If a user has a dramatically high volume of contacts with one specific user while having only a few contacts with other users, this is suspicious and likely indicates collusion. Based on the observed contact rate distribution of normal users, semi-supervised learning with a hidden Markov model (HMM) is proposed to single out abnormal contact rates that are likely to come from colluding users. Combined with social proximity estimation, collusion can then be detected from the learning results. The proposed learning scheme balances the overhead of ground-truth training data against detection accuracy, since it adapts to abnormal states.

C-4: Before uploading contact records to untrusted cloud servers, each mobile user arranges the contact signatures in a specific structure (e.g., a chain or ring) in which no item can be removed or modified by a third party without detection. The contact signatures form a closed ring structure, while bidirectional hash chains fix the order of the contact times. The user keeps a contact order list synchronized with the contact list and uses it to validate the integrity of the contact records stored in the cloud servers.
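The attack levels L-1, L-2 and L-4 and the countermeasures C-1, C-2 and C-4 above, as an added example that is not code from the article or from [15]: contact records are chained with a hash link, each record carries a contact signature, the user keeps the chain head locally, and a verifier rejects chains with forged records, deleted records, rewritten records, or too few contacts before a pseudonym change. Everything here is this example's own simplification: the contact signature is modelled as an HMAC under a key derived from the two devices' trusted-authority-issued secrets (a stand-in for the pairwise/aggregate signatures of C-2, verifiable only by a party that can resolve pseudonyms, as the trusted authority in Fig. 5 can), the ring of C-4 is reduced to a forward hash chain plus a locally kept head, and the C-3 learning step is not covered. Pseudonyms, secrets and times are constructed sample data.

```python
"""Contact-record evidence for mobile Sybil detection (C-1, C-2, C-4, simplified).

Added example, not code from the article or from [15].  Assumptions: the
trusted authority (TA) issued each real device a long-term secret and maps
pseudonyms to devices; a contact signature is an HMAC under a pairwise key
(stand-in for C-2); records form a forward hash chain whose head the user
keeps locally (simplified C-4).  All names and sample data are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass

GENESIS = "0" * 64  # link value of the first record


def pair_key(secret_a: bytes, secret_b: bytes) -> bytes:
    """Order-independent pairwise key for two devices that met."""
    lo, hi = sorted((secret_a, secret_b))
    return hashlib.sha256(b"contact-key|" + lo + b"|" + hi).digest()


def _fields(pid_a: str, pid_b: str, t: int, prev: str) -> bytes:
    return f"{pid_a}|{pid_b}|{t}|{prev}".encode()


def sign_contact(pid_a, pid_b, t, prev, key) -> str:
    """Contact signature over the record fields, chain link included."""
    return hmac.new(key, _fields(pid_a, pid_b, t, prev), hashlib.sha256).hexdigest()


@dataclass
class Contact:
    pid_a: str   # pseudonym of the user storing the record
    pid_b: str   # pseudonym of the encountered user
    t: int       # contact time
    prev: str    # digest of the previous record (hash-chain link)
    sig: str     # contact signature

    def digest(self) -> str:
        return hashlib.sha256(_fields(self.pid_a, self.pid_b, self.t, self.prev)
                              + self.sig.encode()).hexdigest()


def append_contact(chain, pid_a, pid_b, t, key):
    """Append a record signed under the pair key; returns the record."""
    prev = chain[-1].digest() if chain else GENESIS
    rec = Contact(pid_a, pid_b, t, prev, sign_contact(pid_a, pid_b, t, prev, key))
    chain.append(rec)
    return rec


def verify_chain(chain, expected_head, key_for_pair):
    """Validate the copy returned by the cloud against the head the user kept.
    key_for_pair(pid_a, pid_b) returns the pair key or None for an unknown
    pseudonym.  Returns (ok, reason)."""
    prev, last_t = GENESIS, -1
    for i, rec in enumerate(chain):
        if rec.prev != prev:          # deleted, inserted or reordered record
            return False, f"record {i}: broken chain link"
        if rec.t < last_t:            # contact order must be monotone
            return False, f"record {i}: contact time out of order"
        key = key_for_pair(rec.pid_a, rec.pid_b)
        if key is None:
            return False, f"record {i}: unknown pseudonym"
        expected = sign_contact(rec.pid_a, rec.pid_b, rec.t, rec.prev, key)
        if not hmac.compare_digest(rec.sig, expected):  # forged (L-2) or rewritten (L-4)
            return False, f"record {i}: invalid contact signature"
        prev, last_t = rec.digest(), rec.t
    if prev != expected_head:         # tail truncated by the cloud
        return False, "chain head mismatch"
    return True, "ok"


def pseudonym_change_allowed(chain, old_pid, th):
    """C-1: a pseudonym may only be retired after at least TH signed contacts."""
    return sum(1 for r in chain if r.pid_a == old_pid) >= th


def demo():
    """Constructed scenario: one honest chain and three attacks on it."""
    secrets_ = {"alice": b"sA", "bob": b"sB", "carol": b"sC"}      # TA-issued
    registry = {"P1": "alice", "P2": "alice", "P7": "bob", "P9": "carol"}

    def key_for_pair(pa, pb):
        if pa not in registry or pb not in registry:
            return None
        return pair_key(secrets_[registry[pa]], secrets_[registry[pb]])

    chain = []
    for t, peer in ((10, "P7"), (20, "P9"), (30, "P7")):
        append_contact(chain, "P1", peer, t, key_for_pair("P1", peer))
    head = chain[-1].digest()         # the user's locally kept contact order list
    out = {"honest": verify_chain(chain, head, key_for_pair)[0],
           "change_th3": pseudonym_change_allowed(chain, "P1", 3),
           "change_th5": pseudonym_change_allowed(chain, "P1", 5)}
    # L-2: attacker pads its chain with a contact that has no valid signature.
    forged = chain + [Contact("P1", "P9", 40, head, "00" * 32)]
    out["forged"] = verify_chain(forged, forged[-1].digest(), key_for_pair)[1]
    # L-4: cloud deletes the second record.
    out["deleted"] = verify_chain([chain[0], chain[2]], head, key_for_pair)[1]
    # L-4: cloud rewrites a contact time in place.
    r = chain[1]
    tampered = [chain[0], Contact(r.pid_a, r.pid_b, 999, r.prev, r.sig), chain[2]]
    out["tampered"] = verify_chain(tampered, head, key_for_pair)[1]
    return out
```

An L-3 colluder would pass every check here, because its records carry valid signatures; that is why [15] adds the contact-rate learning of C-3 on top of the structural checks.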

We adopt the false negative rate (FNR) and false positive rate (FPR) to evaluate Sybil detection performance, as shown in Fig. 6. Against the different levels of Sybil attack, MHNs can adjust the tunable detection strategies (e.g., the pseudonym change threshold TH) from the perspective of QoP.

CONCLUSION AND OUTLOOK

In this article, we have introduced the MHN architecture and identified the security and privacy requirements from the perspective of QoP. Furthermore, we have provided information on some emerging MHN applications and the challenging security and privacy issues associated with them. From the QoP perspective, we have presented security countermeasures that can be adjusted to satisfy MHN users' diverse requirements for service, experience, and protection.

However, a number of security and privacy solutions for MHNs remain immature and do not yet consider QoP. First, although current wearable devices offer diverse functionalities for sensing multiple physiology parameters, they still lack lightweight security protection. Because of the low power and portability of these devices, traditional cryptographic schemes may considerably increase the computation and communication overheads. Compressive sensing is a promising approach to integrating lightweight data sensing with security (e.g., encryption and signature) from the perspective of QoP. Given a sensing matrix, raw data that are sparse in some domain (e.g., time, frequency, or wavelet) are compressed at different rates. However, constructing a sensing matrix with low coherence between any two columns is difficult, so this remains an open problem that requires more research effort.

Second, during health data processing in MHNs, it is urgent to allow a cloud server to perform complicated operations on encrypted data. For example, machine learning and data mining algorithms can be applied to analyze physiology parameters and diseases. Anonymity techniques should be integrated with the cryptographic schemes to balance privacy against health data usability. However, it is challenging to achieve the trade-off between security and the complexity of data processing, especially from the perspective of QoP.

Figure 6. Performance comparison of mobile Sybil detection (TH is the threshold to change pseudonyms): a) FNR vs. TH; b) FPR vs. TH. [Figure: in both panels TH ranges from 60 to 140 on the x-axis; panel (a) plots FNR (%) on a 1 to 10 scale and panel (b) plots FPR (%) on a 0 to 8 scale; the curves are labelled FFLSMSD and LSMSD, as extracted.]

Finally, as smarter attackers tend to mimic normal users to hide from security solutions, traditional approaches that focus on resisting a specific attacking behavior may not be effective under some circumstances. Misbehavior detection relies on learning procedures in which learning and training are applied alternately. Furthermore, human intelligence is highly desirable during misbehavior modeling and detection to adjust the tunable security and privacy solutions with QoP.

We hope this article sheds more light on security and privacy protection for MHNs from the QoP perspective, which requires further research effort along this emerging line.

ACKNOWLEDGMENT

This research has been supported by a research grant from the Natural Sciences and Engineering Research Council (NSERC) and Care In Motion (CIM) Technology Inc., Canada.

REFERENCES

[1] Forbes; available: http://www.forbes.com/

[2] X. Liang et al., "Enabling Pervasive Healthcare through Continuous Remote Health Monitoring," IEEE Wireless Commun., vol. 19, no. 6, Dec. 2012, pp. 10–18.

[3] A. Toninelli, R. Montanari, and A. Corradi, "Enabling Secure Service Discovery in Mobile Healthcare Enterprise Networks," IEEE Wireless Commun., vol. 16, no. 3, June 2009, pp. 24–32.

[4] J. Zhou et al., "Securing m-Healthcare Social Networks: Challenges, Countermeasures, and Future Directions," IEEE Wireless Commun., vol. 20, no. 4, Aug. 2013, pp. 12–21.

[5] H. Wang et al., "Resource-Aware Secure ECG Healthcare Monitoring Through Body Sensor Networks," IEEE Wireless Commun., vol. 17, no. 1, Feb. 2010, pp. 12–19.

[6] C. Ong, K. Nahrstedt, and W. Yuan, "Quality of Protection for Mobile Multimedia Applications," Proc. IEEE ICME, 2003, pp. 137–40.

[7] A. Luo et al., "Quality of Protection Analysis and Performance Modeling in IP Multimedia Subsystem," Computer Commun., vol. 32, no. 11, July 2009, pp. 1336–45.

[8] G. Cardone et al., "Socio-Technical Awareness to Support Recommendation and Efficient Delivery of LMS-Enabled Mobile Services," IEEE Commun. Mag., vol. 50, no. 6, June 2012, pp. 82–90.

[9] M. Katsarakis et al., "On User-Centric Tools for QoE-Based Recommendation and Real-Time Analysis of Large-Scale Markets," IEEE Commun. Mag., vol. 52, no. 9, Sept. 2014, pp. 37–43.

[10] M. Barni et al., "Privacy-Preserving ECG Classification with Branching Programs and Neural Networks," IEEE Trans. Info. Forensics Security, vol. 6, no. 2, Jan. 2011, pp. 452–68.

[11] K. Zhang et al., "PHDA: A Priority Based Health Data Aggregation with Privacy Preservation for Cloud Assisted WBANs," Elsevier Info. Sciences, vol. 284, Nov. 2014, pp. 130–41.

[12] Y. Sun and A. Kumar, "Quality-of-Protection (QoP): A Quantitative Methodology to Grade Security Services," Proc. IEEE ICDCS, 2008, pp. 394–99.

[13] H. Lin et al., "CAM: Cloud-Assisted Privacy Preserving Mobile Health Monitoring," IEEE Trans. Info. Forensics Security, vol. 8, no. 6, Mar. 2013, pp. 985–97.

[14] V. Goyal et al., "Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data," Proc. SIGSAC, 2006, pp. 1–28.

[15] K. Zhang et al., "Exploiting Mobile Social Behaviors for Sybil Detection," Proc. IEEE INFOCOM, 2015, pp. 271–79.

BIOGRAPHIES

KUAN ZHANG [S'13] received his B.Sc. degree in electrical and computer engineering and his M.Sc. degree in computer science from Northeastern University, China, in 2009 and 2011, respectively. He is currently working toward a Ph.D. degree at the Broadband Communications Research (BBCR) Group, Department of Electrical and Computer Engineering, University of Waterloo, Canada. His research interests include security and privacy for e-healthcare systems, cloud computing, and mobile social networks.

KAN YANG received his B.Eng. degree from the University of Science and Technology of China in 2008 and his Ph.D. degree from City University of Hong Kong in August 2013. He is currently a postdoctoral fellow with the Electrical and Computer Engineering Department of the University of Waterloo, Canada. He was a visiting scholar at the State University of New York at Buffalo in 2012. His research interests include cloud security, big data security, cloud data mining, cryptography, social networks, wireless communication and networks, distributed systems, and so on.

XIAOHUI LIANG [S'10] is currently working as a postdoctoral researcher at the Department of Computer Science, Dartmouth College, New Hampshire. He received his Ph.D. degree from the Department of Electrical and Computer Engineering of the University of Waterloo, and his Master's and Bachelor's degrees from the Computer Science Department of Shanghai Jiao Tong University. His research interests include security and privacy for e-healthcare systems and mobile social networks.

ZHOU SU [S'03, M'06] received his B.E. and M.E. degrees from Xi'an Jiaotong University, Xi'an, China, in 1997 and 2000, and his Ph.D. degree from Waseda University, Tokyo, Japan, in 2003. He was an exchange student between Waseda and Xi'an Jiaotong University from 1999 to 2000. His research interests include multimedia communication, web performance, and network traffic. He received the best paper award of the International Conference Chinacom 2008, and the Funai Information Technology Award for Young Researchers in 2009. He is Chair of an interest group of the IEEE ComSoc Multimedia Communications Technical Committee, MENIG. He has also served as Co-Chair of several international conferences including the IEEE CCNC 2011 WIP track, WICON 2011 Network track, IWCMC 2012 Security track, and so on.

XUEMIN (SHERMAN) SHEN [M'97, SM'02, F'09] is a professor and University Research Chair, Department of Electrical and Computer Engineering, University of Waterloo, Canada. He was the Associate Chair for Graduate Studies from 2004 to 2008. His research focuses on resource management in interconnected wireless/wired networks, wireless network security, social networks, smart grid, and vehicular ad hoc and sensor networks. He served as Technical Program Committee Chair/Co-Chair for IEEE INFOCOM '14 and IEEE VTC-Fall '10, Symposia Chair for IEEE ICC '10, Tutorial Chair for IEEE VTC-Spring '11 and IEEE ICC '08, and Technical Program Committee Chair for IEEE GLOBECOM '07. He also serves or has served as Editor-in-Chief for IEEE Network, Peer-to-Peer Networking and Applications, and IET Communications. He is a registered Professional Engineer of Ontario, Canada, an Engineering Institute of Canada Fellow, a Canadian Academy of Engineering Fellow, and a Distinguished Lecturer of the IEEE Vehicular Technology and Communications Societies.

HENRY H. LUO received his Ph.D. degree in biomedical engineering from the University of Sussex, Brighton, United Kingdom, in 1994. He is currently an expert reviewer with the Canadian Natural Sciences and Engineering Research Council (NSERC). He has been the president and CTO of CIM Technology Inc., Waterloo, Canada, since 2007, and a senior manager on DSP application at Unitron Hearing, Canada, since 1998.
