
Page 1: Context-Aware Computing Network Architectures, NCA/ECA, and a Privacy Protection Technology EMAPP

National Institute of Informatics (NII), Japan
Shigeki Yamada and Eiji Kamioka
{shigeki, kamioka}@nii.ac.jp
http://www.nii.ac.jp/index.html

Page 2

National Institute of Informatics (NII) at a Glance

• Established in April 2000 as one of the inter-university research institutes by the Ministry of Education, Culture, Sports, Science and Technology of the Japanese Government
• Became a new corporate body affiliated with the Research Organization of Information and Systems in April 2004
• Broad range of research in informatics, from basic theory to applications: Foundations of Informatics, Infrastructure Systems, Software, Multimedia Information, Intelligent Systems, Human and Social Information, and Information Research
• Close cooperation with industry and universities to promote the use of research outcomes in society

Page 3

NII at a Glance (Contd.)

• Providing a scientific information infrastructure in Japan
  – SINET (Science Information Network) and Super-SINET
  – Inter-university library-related services such as the catalog information service (NACSIS-CAT) and the electronic library service (NACSIS-ELS)
• Started a PhD graduate school in 2002: currently 50 PhD candidates
• Annual budget of 100 million dollars and 340 members, including 170 researchers

Page 4

Topics in this Presentation

• Our research activities on ubiquitous computing networks
• Context-aware computing network architectures NCA/ECA and their preliminary network performance evaluation
• Privacy-protection technology EMAPP (Encapsulated Mobile Agent-based Privacy Protection)

Page 5

(1) Context-Aware Computing Network Architectures and their Preliminary Network Performance Evaluation

• Definition
• Service scenario examples
• Requirements
• Functional modules
• Network architecture
• Preliminary performance evaluation
• Future work

Page 6

Ubiquitous Computing

• Next-generation mobile computing networks will evolve into ubiquitous computing networks
• Concepts of ubiquitous computing
  – Ubiquity: everywhere
  – Invisibility: computers will disappear below the threshold of our awareness
• Invisibility requires computers to capture and analyze the user's context: context-awareness

Page 7

Context-Aware Application Model

[Figure: context-aware application model; the labelled element is "Implicit Input". Source: http://lieber.www.media.mit.edu/people/lieber/Teaching/Context/Out-of-Context-Paper/Out-of-Context.html]

Page 8

Context-Aware Service Scenario 1: Tour Guide in Paris

• You are walking in Paris
• You ask your wearable computer how to get to the Eiffel Tower: "I want to visit the Eiffel Tower! How can I get there?"
• The context-aware system
  – automatically captures your context: your voice (from the microphone), your location and direction (from GPS)
  – analyzes and interprets the context
  – retrieves the route information
  – displays the information on your HMD (Head Mount Display): nearest subway station, subway fare and walking route on the map of Paris

Page 9

Context-Aware Service Scenario 2: Personal Communication Service

• You are sleeping in an airplane
• Your boss phones you at your office
• The context-aware system
  – detects the call and analyzes your context: your location, your activity status, the available communication devices
  – understands that you cannot answer the call as you are asleep, and that you have a headset-type device near your seat
  – stores the phone message in a voice mail server
  – sends a message to your handset device
• You read the message when you wake up

--- Context ---
Location: on an airplane
Activity status: sleeping
Available device: headset

Page 10

Previous Research on Ubiquitous Computing

• Most research effort on context-aware computing has been devoted to sensor devices, human-computer interaction, and context-aware application software
• Few research works focus on the networking issues

Page 11

Our Approach to Ubiquitous Computing Networks

• To spread context-aware services widely, we need a universal context-aware service network infrastructure
• Context-aware services should be available anywhere, not restricted to local areas
• We should make use of the WAN's capability to cover both small and wide areas and to enable seamless network connection

Page 12

Functional Requirements of Context-Aware Services

• Context-awareness: captures, stores, and updates the user context
• Information binding: interprets the user context and associates it with the appropriate contents and services that the user wants
• Information provision:
  – finds the location of contents and services, accesses them, and converts them to suit the information receiver's communication environment if necessary
  – provides the contents and services to the information receiver at the right time

Page 13

Context-Aware Service Category and Service Model

[Figure: two service categories. Context-aware personal communication services: a communication sender and a communication receiver exchange media and services over the network, with context analysis and conversion applied to the communication context and the user context. Context-aware information delivery services: a content server delivers contents and services to the user over the network, again with context analysis and conversion applied to the user context.]

Page 14

Considerations on Context-Aware Network Architecture

• Context-aware services must be seamlessly available indoor and outdoor, on LANs and WANs, stationary and mobile
• Wide-area coverage and mobility management capabilities must be supported
• Network architecture that integrates a 3G network architecture with a wireless LAN (WLAN)

Page 15

Functional Modules for Context-Aware Services

Four functional modules for context-aware services handle the user context and the relevant content.

(1) UIN (Universal Information delivery Navigator): decision-making module
  – collects user context from user devices
  – executes user authentication
  – analyzes and interprets the context
  – decides the content that the user needs
  – refers to a directory server to obtain the location of the content
  – sends the content itself or the content location information to the user

Page 16

Functional Modules for Context-Aware Services (Contd.)

(2) DA (Directory Agent)
  – manages the location of content servers connected to the Internet
  – processes service discovery queries from the UIN
  – responds to the UIN with service replies including the location of the content server
(3) UMD (User Management Database)
  – manages information about users (e.g., authentication information, preferences and user context information that users have sent in the past)
  – user context information is updated when the user's context changes
(4) MPS (Media Processing Server)
  – converts the contents and services provided by a content server into an appropriate form, if necessary

Page 17

Access Network for Context-Aware Services

Integration of UMTS release 5 (all-IP network architecture) and wireless LAN

[Figure: access network. UMTS Release 5 side: MT, BS and RNC (UTRAN), SGSN and GGSN (PS-CN), and the IMS with P-CSCF, I-CSCF, S-CSCF and HSS, connected to the PSTN/ISDN and the Internet. WLAN side: MT, AP, router and ISP network connected to the Internet.]

Page 18

Disposition of Functional Modules in the Network

• Disposition of the functional modules in a network plays a key part in the context-aware network architecture
• Content servers should be placed on the end-user side, in local area networks connected to the Internet
• Two alternatives for where the four functional modules (UIN, DA, UMD, and MPS) should be placed

Page 19

Two Alternative Network Architectures

• Network-Centric Architecture (NCA): stores, analyzes and interprets the user context in various functional components managed by the network operator, and connects the relevant functional components with SIP.
• End-User-Centric Architecture (ECA): stores and interprets the user context in the end-user's functional components managed by end-users or service providers, and connects the relevant functional components with HTTP.

Page 20

NCA (Network Centric Architecture)

[Figure: NCA placement. UIN, UMD, DA and MPS sit inside the network operator's IMS next to P-CSCF, I-CSCF, S-CSCF and HSS; the content server sits in a LAN on the Internet; the MT reaches the IMS over UTRAN and PS-CN (SGSN, GGSN) or over WLAN, AP and ISP network. Numbered arrows (1)-(16) mark the information flow steps shown on the next slide.]

User information is managed by the UMD through the GGSN

Page 21

NCA Information Flow from Capturing User Context to Displaying the Content

[Sequence diagram, based on the 3GPP specification, with the participants MT, P-CSCF, I-CSCF, S-CSCF, UMD, UIN, DA and Content Server. The MT's REGISTER is relayed over SIP through the P-CSCF and I-CSCF to the S-CSCF (authentication and getting the S-CSCF), and the OK responses return the same way; the UIN refers to the user's preferences and past context in the UMD over SIP and gets the location of the content server from the DA over SLP; finally the MT fetches the content with HTTP GET and receives HTTP OK (download). The steps are numbered (1) to [16], and the bracket labelled "Response time" spans the exchange up to the delivery of the content location.]

Page 22

ECA (End-User Centric Architecture)

[Figure: ECA placement. UIN, UMD, DA and MPS sit on the end-user side in a LAN on the Internet together with the content server; the UMTS network (UTRAN, PS-CN with SGSN and GGSN, IMS with P-CSCF, I-CSCF, S-CSCF and HSS) and the WLAN/ISP network only carry the traffic, and a GW element connects the operator network to the Internet.]

Page 23

ECA Information Flow from Capturing User Context to Displaying the Content

[Sequence diagram with the participants MT, UMD, UIN, DA and Content Server. Each request/reply pair is an HTTP exchange over its own TCP connection: SYN, SYN+ACK, ACK; HTTP PUT, ACK, HTTP OK, ACK; FIN, ACK, FIN, ACK. The flow covers authentication against the UMD and getting the location of the content server from the DA; finally the MT fetches the content with HTTP GET and receives HTTP OK (download). The processing time of each server and the end-to-end response time are marked.]

Page 24

Preliminary Performance Evaluation of NCA and ECA

• Need to evaluate the network architecture from various viewpoints and criteria: ease of deployment of new services, network cost, network flexibility and scalability
• As a first step: comparison of the overall network performance of NCA and ECA
• Purpose:
  – not to obtain precise or absolute network performance values
  – but to reveal the general characteristics of the two architectures and to clarify which design parameters have the most significant influence on performance
• Performance model to measure the response time of the network

Page 25

Network Performance Evaluation

• The response time: the interval between the time when a user generates a user context and the time when the user receives the contents/services location information
• Mean and 95th percentile response times of the two architectures are obtained by queuing theory and simulation

Page 26

Performance Models

The response time can be broken down into three delay elements:
• Processing delay for processing SIP/UDP/IP, HTTP/TCP/IP, and SLP/UDP/IP packets
• IP-network delay, which includes all of the network-layer, data-link-layer and physical-layer delays
• Wireless communication delay generated at the wireless access sections

Page 27

Performance Simulation Parameters

Parameter: traffic distribution; values for calculation and simulation
• Wireless-related delay, either in MT, UTRAN and PS-CN or in MT, WLAN and ISP network: normal distribution; 10 msec average, 3 msec standard deviation
• IP network delay in the IMS: normal distribution; 10 and 20 msec averages, 3 and 4 msec standard deviations
• Network delay in the Internet: normal distribution; 50 and 100 msec averages, 7 and 10 msec standard deviations
• Processing time in application servers: exponential distribution; 10 and 50 msec per IP packet
• Utilization of application servers: constant; from 0.1 to 0.9 in steps of 0.1
• IP packet arrival rate: Poisson distribution; arrival rates are determined so as to satisfy the specified utilizations of the application servers
• Processing time in MT: constant; 10 msec
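The three delay elements and the parameter table can be combined into a small simulator. The following is an added example, not the authors' model or code: it treats each application server as an M/M/1 queue whose utilization is swept as on the slides, and it assumes rough per-request counts of server traversals and IP-network hops for NCA and ECA read off the two information-flow diagrams (those counts, and the M/M/1 treatment, are this example's assumptions, not values from the slides).

```python
"""Monte Carlo model of NCA and ECA response time.

Added example; not the authors' simulator. Delay elements and parameter
values follow the slides. ASSUMPTIONS of this model: each application server
is an M/M/1 queue (Poisson arrivals, exponential service); a request crosses
the wireless section twice (uplink, downlink); the server-traversal and
IP-hop counts per request are rough reads of the two flow diagrams.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Architecture:
    name: str
    server_visits: int   # application-server traversals per request (assumed)
    network_hops: int    # IP-network transits per request (assumed)
    net_mean_ms: float   # mean IP-network delay per hop (slide values)
    net_sd_ms: float     # its standard deviation (slide values)


# NCA: SIP/SLP flow through P-CSCF, I-CSCF, S-CSCF, UMD, UIN, DA inside the
# operator's IMS (small delays). ECA: HTTP flow among UIN, UMD, DA on the
# user side across the Internet (large delays). The counts are assumptions.
NCA_SMALL = Architecture("NCA", 12, 12, net_mean_ms=10, net_sd_ms=3)
ECA_SMALL = Architecture("ECA", 5, 5, net_mean_ms=50, net_sd_ms=7)
NCA_LARGE = Architecture("NCA", 12, 12, net_mean_ms=20, net_sd_ms=4)
ECA_LARGE = Architecture("ECA", 5, 5, net_mean_ms=100, net_sd_ms=10)

WIRELESS_MEAN_MS, WIRELESS_SD_MS = 10.0, 3.0  # normal distribution, from the table
MT_PROCESSING_MS = 10.0                       # constant, from the table


def _positive_gauss(rng, mean, sd):
    """Normally distributed delay truncated at zero (a delay cannot be negative)."""
    return max(0.0, rng.gauss(mean, sd))


def mm1_sojourn_ms(rng, service_mean_ms, utilization):
    """Waiting plus service time in one M/M/1 application server.

    With arrivals tuned to utilization rho and exponential service of mean S,
    the sojourn time is exponential with mean S / (1 - rho)."""
    if not 0.0 <= utilization < 1.0:
        raise ValueError("utilization must lie in [0, 1)")
    return rng.expovariate((1.0 - utilization) / service_mean_ms)


def sample_response_ms(rng, arch, service_mean_ms, utilization):
    """One response time: wireless (up and down) + MT + network hops + server visits."""
    wireless = sum(_positive_gauss(rng, WIRELESS_MEAN_MS, WIRELESS_SD_MS) for _ in range(2))
    network = sum(_positive_gauss(rng, arch.net_mean_ms, arch.net_sd_ms)
                  for _ in range(arch.network_hops))
    servers = sum(mm1_sojourn_ms(rng, service_mean_ms, utilization)
                  for _ in range(arch.server_visits))
    return wireless + MT_PROCESSING_MS + network + servers


def expected_mean_ms(arch, service_mean_ms, utilization):
    """Closed-form mean of the same model, used to cross-check the simulation."""
    return (2 * WIRELESS_MEAN_MS + MT_PROCESSING_MS
            + arch.network_hops * arch.net_mean_ms
            + arch.server_visits * service_mean_ms / (1.0 - utilization))


def evaluate(arch, service_mean_ms, utilization, samples=5000, seed=1):
    """Return (mean, 95th percentile) response time in seconds, as on the slides' plots."""
    rng = random.Random(seed)
    xs = sorted(sample_response_ms(rng, arch, service_mean_ms, utilization)
                for _ in range(samples))
    p95 = xs[int(0.95 * (len(xs) - 1))]
    return statistics.fmean(xs) / 1000.0, p95 / 1000.0


def sweep(nca, eca, service_mean_ms):
    """Mean response times of both architectures for utilization 0.1 .. 0.9."""
    return [(i / 10, evaluate(nca, service_mean_ms, i / 10)[0],
             evaluate(eca, service_mean_ms, i / 10)[0]) for i in range(1, 10)]


if __name__ == "__main__":
    for label, nca, eca, s in (("slow servers (50 ms), small delays", NCA_SMALL, ECA_SMALL, 50),
                               ("fast servers (10 ms), small delays", NCA_SMALL, ECA_SMALL, 10),
                               ("fast servers (10 ms), large delays", NCA_LARGE, ECA_LARGE, 10)):
        print(label)
        for rho, nca_mean, eca_mean in sweep(nca, eca, s):
            print(f"  utilization {rho:.1f}: NCA {nca_mean:.3f} s, ECA {eca_mean:.3f} s")
```

With these assumed hop counts the model reproduces the qualitative pattern of the following slides: ECA wins when server processing dominates (50 ms servers), while with 10 ms servers NCA wins at low utilization and ECA at high utilization.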

Page 28

Server-processing time of 50 ms and network delays of 10 ms for NCA and 50 ms for ECA

[Plot: response time of the NCA and ECA models under a server-processing time of 50 ms and network delays of 10 ms (NCA model) and 50 ms (ECA model). X axis: server utilization, 0 to 1. Y axis: response time [s], 0.0 to 10.0. Series: mean values (NCA: 10 ms), 95th percentiles (NCA: 10 ms), mean values (ECA: 50 ms), 95th percentiles (ECA: 50 ms).]

Page 29

Server-processing time of 50 ms and network delays of 20 ms for NCA and 100 ms for ECA

[Plot: response time of the NCA and ECA models under a server-processing time of 50 ms and network delays of 20 ms (NCA model) and 100 ms (ECA model). X axis: server utilization, 0 to 1. Y axis: response time [s], 0.0 to 10.0. Series: mean values (NCA: 20 ms), 95th percentiles (NCA: 20 ms), mean values (ECA: 100 ms), 95th percentiles (ECA: 100 ms).]

Page 30

Analysis for Low-Performance Application Servers

• For small network delays: ECA has smaller response times than NCA
• For large network delays: ECA has smaller response times than NCA, except for the cases with low application-server utilization
• For low-performance application servers, ECA gives better response times than NCA because server processing time is the dominant factor and NCA requires many traversals of application servers

Page 31

Server-processing time of 10 ms and network delays of 10 ms for NCA and 50 ms for ECA

[Plot: response time of the NCA and ECA models under a server-processing time of 10 ms and network delays of 10 ms (NCA model) and 50 ms (ECA model). X axis: server utilization, 0 to 1. Y axis: response time [s], 0.0 to 2.5. Series: mean values (NCA: 10 ms), 95th percentiles (NCA: 10 ms), mean values (ECA: 50 ms), 95th percentiles (ECA: 50 ms).]

Page 32

Server-processing time of 10 ms and network delays of 20 ms for NCA and 100 ms for ECA

[Plot: response time of the NCA and ECA models under a server-processing time of 10 ms and network delays of 20 ms (NCA model) and 100 ms (ECA model). X axis: server utilization, 0 to 1. Y axis: response time [s], 0.0 to 2.5. Series: mean values (NCA: 20 ms), 95th percentiles (NCA: 20 ms), mean values (ECA: 100 ms), 95th percentiles (ECA: 100 ms).]

Page 33

Analysis for High-Performance Application Servers

• For small network delays
  – for server utilization under 0.7, NCA has smaller response times than ECA
  – for server utilization over 0.7, ECA has smaller response times than NCA
• For large network delays
  – similar results are obtained
  – the ECA response times suffer from much larger delays, while the NCA response times are almost unchanged from the cases with small network delays
• For high-performance application servers
  – when the application servers are busy, NCA gives better response times than ECA
  – when the application servers are not busy, ECA is better than NCA
  – this is because network delay is the dominant factor: ECA suffers from large Internet delays, while NCA has the smaller network delays maintained by the network operator

Page 34

Summary of Performance Evaluation

• Response times of NCA and ECA change greatly depending on the given network parameter values
• Average network delays will increase over time because of continuous network growth and geographical expansion
• Application servers may enjoy higher performance over time, assuming continuous improvement of device technologies
• This implies that NCA will be slightly advantageous in terms of response time, because NCA's response times are mitigated by fast servers

Page 35

Future Work

• Detailed component design
• Comparisons of NCA and ECA from other technical viewpoints such as network scalability and reliability
• Distributed allocation of context-aware functional components over the network
• Incorporation of privacy and security mechanisms
• Performance simulation considering user mobility, frequent context updates and heterogeneous network topology

Page 36

(2) Privacy Protection in Ubiquitous Computing Environments: EMAPP (Encapsulated Mobile Agent-based Privacy Protection)

• Background
• Privacy model
• Features and problems
• Verification by scenarios
• Overall architecture
• Future work

Page 37

Why is Privacy Protection Important in Ubicomp Environments?

• Two major concepts of ubiquitous computing: ubiquity and invisibility
• Invisibility requires context-awareness that captures and interprets user context
• User context includes privacy-sensitive personal data such as the user's location, activity status, and preferences
• New privacy protection technologies are required for ubiquitous environments, where the user's computing and communication environments change dynamically

Page 38

Why Do We Need New Security and Privacy Technologies?

Two major concepts of ubiquitous computing:
1. Ubiquity
  – distributed and ad hoc in nature
  – devices are not always administered by the same entity
  – every device becomes a potential gateway to leak information across network perimeters
2. Invisibility
  – requires context-awareness that captures and interprets user context
  – user context includes privacy-sensitive personal data such as the user's location, activity status, and preferences

New security and privacy protection technologies are required for ubiquitous environments

Page 39

Privacy Invasions in Ubicomp Environments

[Figure: Alice (personal data owner) has little control over how her data will be used. Data collection by Bob (data collector) and data copy to Carol (data user) expose Alice's personal data to improper use and unauthorized use.]

Page 40

Privacy Issues

• Where to store personal data?
  – End-User-Centric Architecture (ECA): in stationary servers and devices, or in wearable servers and devices
  – Network-Centric Architecture (NCA)
• Who manages privacy? The user, the network operator, or the service provider
• How to protect privacy?
  – Existing technologies: P3P and the pawS system
  – Our approach: EMAPP

Page 41

Context Data Storage Management: ECA

[Figure: ECA network diagram (MT, WLAN with AP and ISP network, UTRAN and PS-CN with SGSN and GGSN, Internet, LANs holding the contents/services server, UIN, DA, UMD and MPS); numbered arrows (1)-(20) show the information flow.]

• User context data are stored in user facilities (UMD) and managed by users or service providers
• Users feel at ease
• The user has all the responsibility

Page 42

Context Data Storage Management: NCA (Network Centric Architecture)

[Figure: NCA network diagram (MT, WLAN with AP and ISP network, UTRAN and PS-CN with SGSN and GGSN, IMS with P-CSCF, I-CSCF, S-CSCF, UCN, UMD and MPS, Internet, LAN holding the contents/services server and DA); numbered arrows (1)-(26) show the information flow.]

• User context data are stored inside the 3GPP all-IP network (UMD) managed by network operators
• Secure and uniform management
• Users may feel uneasy

Page 43

Design Space for Privacy Protection

[Figure: a grid with three phases along one axis (data collection, access, second use) and three strategies along the other (prevention, avoidance, detection); the parties involved are the personal data owner, the data collector (service provider or web site) and the data user.]

Page 44

Classification of Privacy Protection Technologies (by X. Jiang (UCB))

[Table: technologies placed in the prevention, avoidance and detection rows and the collection, access and second use columns: RBAC, location support, wearables, anonymization and pseudonymization, P3P, user interfaces for feedback, notification and consent, and Privacy Mirrors.]

Page 45

pawS: a Privacy Protection System (ETH)

[Figure: the user's privacy assistant and privacy proxy interact with the service proxy and privacy beacon: (1) service announcement, (2) personal data and service name, (3) privacy policy download, (4) comparison of the privacy policy with the user's preferences, (5) personal data.]

Page 46

Encapsulated Mobile Agent-based Privacy Protection: EMAPP

• Most existing privacy models: "Outgoing Data" model
  – Once an access is authorized, personal data may flow out or may be copied from the original database
  – This may cause improper use of personal data by service providers and data collectors
• EMAPP privacy model: "Incoming Agent" model
  – does not move personal data from the database, but moves programs (mobile agents) into the location where the personal data are stored
  – personal data are referred to by mobile agents only inside a secure space (privacy capsule)
  – personal data are prohibited from flowing directly out of the privacy capsule: they must be wrapped in a mobile agent that migrates to another location if necessary

Page 47

EMAPP Privacy Model

[Figure: the privacy proxy keeps the user's preferences and personal data inside a privacy capsule; the privacy policy is downloaded, the mobile agent migrates into the capsule, and only its execution results leave it.]

Personal data are referred to by mobile agents only inside the privacy capsule and are prohibited from flowing out of the privacy capsule

Page 48

Features of EMAPP

• Advantages
  – Prevents personal data from being copied and used improperly
  – Provides a preventive mechanism against undesirable use of personal data
  – Provides an avoidance mechanism in the data collection phase, combined with P3P technology
• Problems
  – Can the EMAPP model be applied to a wide variety of applications?
  – How can the EMAPP model be implemented?
  – Performance overhead

Page 49

Our Approach

• Assumes a general secure mobile agent execution environment and a PKI (Public Key Infrastructure)
• Adds privacy-protecting mechanisms to the above secure environment
  – Classifies the patterns of mobile agent behavior
  – Sets the discipline of mobile agent behavior
  – Verifies the discipline against various service scenarios
  – Provides the mechanism to enforce the discipline
  – Builds up a privacy protection architecture

Page 50

Mobile Agent (MA) Behavior Patterns

[Figure: five behavior patterns of a mobile agent (MA) handling personal data (PD1, PD2) in a service provider's or user's privacy capsule: (1) MA erase, (2) migration with personal data, (3) message communication with personal data, (4) personal data takeover to another MA, (5) other device / MA control.]

Page 51

Mobile Agent Behavior Disciplines for Protecting Privacy

• Erase personal data: once a mobile agent takes in personal data, the data should be erased by the erasure or suicide of the mobile agent after the personal data become unnecessary
• Use migration, not message communication: if personal data or the computed results must be referred to in another host, they should be wrapped in the mobile agent, and the mobile agent including the personal data should migrate to the other host. Message communication that includes personal data or the computed results should not be used, to avoid data copying.
• Allow only internal takeover of personal data or computed results: if the personal data themselves must be taken over by another mobile agent, the handover between different mobile agents should be carried out inside the same host. No handover between different hosts is allowed.
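One way to turn the three disciplines into a runtime check, as an added example that is not the authors' implementation (the slides list implementation as an open problem): a small reference monitor in which personal data are tagged with their owner, a privacy capsule hands data only to an agent executing on its own host, a message carrying personal data is refused, takeover is allowed only between agents on one host, and erasing an agent wipes what it carried. The host names and the phone answering scenario are constructed for illustration.

```python
"""Reference-monitor model of the three EMAPP mobile agent behavior disciplines.
Added example, not the authors' implementation. ASSUMPTIONS: one privacy capsule
per host; personal data carry their owner's name so the monitor can spot them in
a message payload; an agent's host name is where it executes. The scenario is constructed."""
from dataclasses import dataclass, field

class DisciplineViolation(Exception):
    """An agent operation would let personal data escape the disciplines."""

@dataclass(frozen=True)
class PersonalData:
    owner: str
    name: str
    value: object

@dataclass
class MobileAgent:
    agent_id: str
    host: str
    carried: dict = field(default_factory=dict)  # personal data wrapped inside the agent
    alive: bool = True

def holds_personal_data(payload) -> bool:
    """True if PersonalData occurs anywhere in a (nested) message payload."""
    if isinstance(payload, PersonalData):
        return True
    if isinstance(payload, dict):
        payload = list(payload.values())
    return isinstance(payload, (list, tuple)) and any(holds_personal_data(v) for v in payload)

class PrivacyCapsule:
    """Secure space on one host: personal data are referenced only here, by agents executing here."""
    def __init__(self, host: str, data: dict):
        self.host = host
        self._data = data  # name -> PersonalData, never handed out raw

    def take_in(self, agent: MobileAgent, name: str) -> None:
        if not agent.alive or agent.host != self.host:
            raise DisciplineViolation(f"{agent.agent_id} is not executing inside capsule {self.host}")
        agent.carried[f"{self._data[name].owner}/{name}"] = self._data[name]

def migrate(agent: MobileAgent, to_host: str) -> None:
    """Discipline 2, allowed path: data leave a host only wrapped in the migrating agent."""
    if not agent.alive:
        raise DisciplineViolation(f"{agent.agent_id} was erased and cannot migrate")
    agent.host = to_host

def send_message(agent: MobileAgent, payload):
    """Discipline 2, forbidden path: a message must not carry personal data (a copy would escape)."""
    if holds_personal_data(payload):
        raise DisciplineViolation(f"{agent.agent_id}: message would copy personal data out of the agent")
    return payload

def internal_takeover(src: MobileAgent, dst: MobileAgent) -> None:
    """Discipline 3: handover of personal data only between live agents on the same host."""
    if src.host != dst.host or not (src.alive and dst.alive):
        raise DisciplineViolation(f"takeover {src.agent_id} -> {dst.agent_id} is not internal to one host")
    dst.carried.update(src.carried)
    src.carried.clear()  # the data move, they are not duplicated

def erase(agent: MobileAgent) -> None:
    """Discipline 1: erase the personal data together with the agent (its 'suicide')."""
    agent.carried.clear()
    agent.alive = False

def phone_answering_scenario() -> dict:
    """MA-1 and MA-2 take in each user's go-out status inside that user's own capsule, migrate to
    the service provider and hand it over internally to the mediating MA-3, which decides locally
    whether to set the answering machine; then all three agents are erased."""
    capsule_a = PrivacyCapsule("alice-proxy", {"location": PersonalData("Alice", "location", "out")})
    capsule_b = PrivacyCapsule("bob-proxy", {"location": PersonalData("Bob", "location", "out")})
    ma1, ma2 = MobileAgent("MA-1", "alice-proxy"), MobileAgent("MA-2", "bob-proxy")
    ma3 = MobileAgent("MA-3", "service-provider")
    capsule_a.take_in(ma1, "location")
    capsule_b.take_in(ma2, "location")
    for ma in (ma1, ma2):
        migrate(ma, "service-provider")
        internal_takeover(ma, ma3)
    both_out = all(pd.value == "out" for pd in ma3.carried.values())  # used here, never messaged
    for ma in (ma1, ma2, ma3):
        erase(ma)
    return {"answering_machine": both_out,
            "data_left_in_agents": sum(len(ma.carried) for ma in (ma1, ma2, ma3)),
            "agents_alive": sum(ma.alive for ma in (ma1, ma2, ma3))}

def _blocked(op) -> bool:
    try:
        op()
    except DisciplineViolation:
        return True
    return False

def blocked_operations() -> dict:
    """Attempt one violation of each discipline (plus one legal message); report what was blocked."""
    capsule = PrivacyCapsule("alice-proxy", {"location": PersonalData("Alice", "location", "out")})
    ma, stranger = MobileAgent("MA-X", "alice-proxy"), MobileAgent("MA-Y", "service-provider")
    capsule.take_in(ma, "location")
    result = {
        "message_with_personal_data": _blocked(lambda: send_message(ma, {"status": ma.carried["Alice/location"]})),
        "message_without_personal_data": _blocked(lambda: send_message(ma, {"status": "done"})),
        "cross_host_takeover": _blocked(lambda: internal_takeover(ma, stranger)),
        "read_from_other_host": _blocked(lambda: capsule.take_in(stranger, "location")),
    }
    erase(ma)
    result["reuse_after_erase"] = _blocked(lambda: migrate(ma, "service-provider"))
    return result
```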

Page 52

EMAPP System for Nearby-Shop Advertisement Service

[Figure: the user's privacy assistant and privacy beacon face the shop's service proxy. The user's privacy proxy keeps the user's preferences and personal data inside a privacy capsule; the service proxy holds the privacy policy and the mobile agent. Steps: (1), (2), (3) policy download, (4) agent migration, (5) execution results, (6).]

Page 53

Nearby-Shop Advertisement Service Control Flow

[Sequence diagram between the shop (service provider), the user's privacy proxy (holding the personal data) and the user PDA. MA: mobile agent. Steps: user detection; policy download; generate MA; MA migration; policy/preference matching; the age is read from the personal data; migration with age information; advertisement information; erase MA.]

Page 54

EMAPP System for a Phone Answering Service

[Figure: Alice's personal assistant and Bob's personal assistant each have a privacy proxy that keeps the user's preferences and personal data in a privacy capsule; the service proxy of the answering machine holds the privacy policy and the mobile agents that migrate into the two capsules.]

Page 55

Phone Answering Service Control Flow

[Sequence diagram between User A, privacy capsule A (personal data A: location info), the service provider, privacy capsule B (personal data B: location info) and User B. The service provider generates three MAs; MA-1 and MA-2 migrate into capsules A and B, where each user's go-out status is taken in; MA-1 and MA-2 return by migration with the go-out information; the mediating MA (MA-3) receives it by internal takeover of the go-out info; the answering phone is set.]

Page 56

Credit Card Accounts Service Control Flow

[Sequence diagram between the e-commerce site, the user's privacy proxy (holding the personal data) and the user. MA: mobile agent. Steps: request accounts; policy download; generate MAs (an authentication MA and a transaction MA); MA migration; policy/preference matching; the credit card number is read inside the capsule; migration with credit card information; internal takeover of credit card information; notice to user; erase MA.]

Page 57

Three Types of Privacy Violation Sources

• Malicious service provider: may send malicious mobile agents to the user
• Malicious user: may employ a malicious host or platform for mobile agents
• Malicious third parties other than the service provider and the user

Page 58

Countermeasures to Malicious Service Providers

Guarantees the correct behavior of mobile agents

• Service provider (sender host)
  – The Agent Analyzer in the Certificate Authority analyzes its mobile agent and generates the Computed Privacy Profile to prove that the mobile agent follows the behavior disciplines
  – The mobile agents and the Computed Privacy Profile are sent with a digital signature to the user host
• User host (receiver host)
  – During the mobile agent execution, the Host Checker monitors the host behaviors

Page 59

Countermeasures to Malicious Service Providers (Contd.)

[Figure: the service provider's mobile agent is (1) analyzed by the Agent Analyzer in the Certificate Authority, which (2) generates the Analyzed Privacy Profile, (3) applies a digital signature and (4) returns the Computed Privacy Profile; (5) the mobile agent then moves to the user host, where the personal data reside.]

Page 60

Countermeasures to Malicious Users

Monitors the mobile agent to detect unauthorized access to the personal data in the mobile agent

• Service provider (sender host)
  – The Agent Analyzer in the Certificate Authority analyzes its mobile agent and generates the Host Checker to detect malicious behaviors of receiver hosts
  – The mobile agents and the Host Checker are sent with a digital signature to the user host
• User host (receiver host)
  – During the mobile agent execution, the Host Checker monitors the host behaviors

Page 61

Countermeasures to Malicious Users (Contd.)

[Figure: the service provider's mobile agent is (1) analyzed by the Agent Analyzer in the Certificate Authority, which (2) generates the Host Checker and (3) applies a digital signature; (5) the mobile agent and the Host Checker move to the user host, where (6) the Host Checker monitors access to the personal data.]

Page 62

Countermeasures to Malicious Third Parties

• May use PKI and cryptography to prevent spoofing, eavesdropping and man-in-the-middle attacks
• For further study

Page 63

Overall Architecture of EMAPP System

[Figure: combined architecture. The Agent Analyzer in the Certificate Authority (1) analyzes the service provider's mobile agent, (2) generates the Analyzed Privacy Profile and the Host Checker, (3) applies a digital signature and (4) returns the Computed Privacy Profile; (5) the mobile agent and the Host Checker are sent to the user host, where (6) the Host Checker monitors the agent's access to the personal data.]

Page 64

Future Work

• Algorithm for the Agent Analyzer to generate the Computed Privacy Profile and the Host Checker
• Algorithm to verify the content of the Computed Privacy Profile
• Algorithm for the Host Checker to detect unauthorized access to personal data
• Prototype implementation and performance evaluation