Tanya Roosta

Quantitative Risk Analyst

Risk Modeling Research and Bank Surveillance

Commercial real estate, Credit risk, Supervisory ratings

Tanya.Roosta (at) sf.frb.org


Tanya Roosta, Quantitative Risk Analyst, Federal Reserve Bank San Francisco

Published Articles (Refereed Journals and Volumes)

Probabilistic Geographic Routing in Ad Hoc and Sensor Networks
Forthcoming in Conference Proceedings, International Workshop on Wireless Ad-hoc Networks (IWWAN) | With Menzo and Sastry

In this paper, we present Probabilistic Geographic Routing (PGR), a novel approach for the problem of power-aware routing in wireless ad hoc and sensor networks. Our protocol uses only local information to probabilistically forward the packet to the next hop. Every node relies on a beaconing process to keep track of the changes in the set of its neighbors. In order to forward a packet, the node selects a set of candidate nodes. These candidate nodes are then assigned a probability proportional to their residual energy and the link reliability. We have implemented PGR in NS-2 and compared the performance to two existing protocols, GPSR and Probabilistic Flooding. Based on the simulation results, PGR improves the throughput by 40%, increases the lifetime of the network by 30%, and decreases the overall end-to-end delay. In addition, we have implemented PGR on a real sensor network test-bed to verify our protocol.

Rethinking Security Properties, Threat Models, and the Design Space in Sensor Networks: A Case Study in SCADA Systems
Ad Hoc Networks 7(8), November 2009, 1434-1447 | With Cardenas and Sastry

In recent years we have witnessed the emergence and establishment of research in sensor network security. The majority of the literature has focused on discovering numerous vulnerabilities and attacks against sensor networks, along with suggestions for corresponding countermeasures. However, there has been little guidance for understanding the holistic nature of sensor network security for practical deployments. In this paper, we discuss these concerns and propose a taxonomy composed of the security properties of the sensor network, the threat model, and the security design space. In particular, we try to understand the application-layer goals of a sensor network, and provide a guide to research challenges that need to be addressed in order to prioritize our defenses against threats to application-layer goals.

Cyber Security Basic Defenses and Attack Trends
In Homeland Security, ed. by Franceschetti, 2008

Time Synchronization Attacks in Sensor Networks
In Advances in Information Security, 30, ed. by Poovendran, Wang, Roy | New York: Springer, 2007 | With Menzo and Sastry

Time synchronization is a critical building block in distributed wireless sensor networks. Because sensor nodes may be severely resource-constrained, traditional time-synchronization protocols cannot be used in sensor networks. Various time-synchronization protocols tailored for such networks have been proposed to solve this problem. However, none of these protocols have been designed with security in mind. If an adversary were able to compromise a node, he might prevent a network from effectively executing certain applications, such as sensing or tracking an object, or he might even disable the network by disrupting a fundamental service such as a TDMA-based channel-sharing scheme. In this paper we give a survey of the most common time synchronization protocols and outline the possible attacks on each protocol. In addition, we discuss how different sensor network applications are affected by time synchronization attacks, and we propose some countermeasures for these attacks.

Convergence Analysis of Reweighted Sum-Product Algorithms
Conference Proceedings, International Conference on Acoustic, Speech, and Signal Processing, 2007 | With Wainwright and Sastry

Many signal processing applications of graphical models require efficient methods for computing (approximate) marginal probabilities over subsets of nodes in the graph. The intractability of this marginalization problem for general graphs with cycles motivates the use of approximate message-passing algorithms, including the sum-product algorithm and variants thereof. This paper studies the convergence and stability properties of the family of reweighted sum-product algorithms, a generalization of the standard updates in which messages are adjusted with graph-dependent weights. For homogeneous models, we provide a complete characterization of the potential settings and message weightings that guarantee uniqueness of fixed points, and convergence of the updates. For more general inhomogeneous models, we derive a set of sufficient conditions that ensure convergence, and provide estimates of rates. These theoretical results are complemented with experimental simulations on various classes of graphs.

Robust Estimation and Detection in Ad Hoc and Sensor Networks
Conference Proceedings, The Third IEEE International Conference on Mobile Ad Hoc and Sensor Systems, October 2006 | With Mishra and Ghazizadeh

Interest in robust detection and estimation in the presence of lying nodes has assumed importance in a number of applications. In this paper we motivate the robust detection and estimation problem using recent results for cooperative sensing in Cognitive Radios and multi-object tracking in sensor networks. As a first step, we formulate an abstract version of the problem that is solved under different assumptions. We use the Expectation Maximization (EM) framework to successfully weed out the lying nodes. We consider different types of lying behavior. In the simplistic case, liars behave the same over all observations. In the more complex cases, the lying behavior of the users changes over time. The solution to the problem of detection in the presence of lying nodes has been developed from two viewpoints. In the first case we consider the binary variable being detected as a latent variable, and in the second case we consider the binary variable as a parameter. The results under the two schemes are presented and compared. In all of the cases considered in this paper, we show that the factors that maximally impact the estimation/decision process are the mean of the liars, the variance of the channel, and the number of observations.

Distributed Reputation System for Tracking Applications in Sensor Networks
Conference Proceedings, International Workshop on Advances in Sensor Networks (IWASN), 2006 | With Meingast and Sastry

Ad-hoc sensor networks are becoming more common, yet security of these networks is still an issue. Node misbehavior due to malicious attacks can impair the overall functioning of the system. Existing approaches mainly rely on cryptography to ensure data authentication and integrity. These approaches only address part of the problem of security in sensor networks. However, cryptography is not sufficient to prevent the attacks in which some of the nodes are overtaken and compromised by a malicious user. Recently, the use of reputation systems has shown positive results as a self-policing mechanism in ad-hoc networks. This scheme can aid in decreasing vulnerabilities which are not solved by cryptography. We look at how a distributed reputation scheme can benefit the object tracking application in sensor networks. Tracking multiple objects is one of the most important applications of the sensor network. In our setup, nodes detect misbehavior locally from observations, and assign a reputation to each of their neighbors. These reputations are used to weight node readings appropriately when performing object tracking. Over time, data from malicious nodes will not be included in the track formation process. We evaluate the reputation system experimentally and demonstrate how it improves object tracking in the presence of malicious nodes.

Probabilistic Geographic Routing Protocol for Ad Hoc and Sensor Networks
Conference Proceedings, Wireless Networks and Emerging Technologies (WNET), 2005 | With Menzo and Sastry

In this paper, we present Probabilistic Geographic Routing (PGR), a novel approach for the problem of power-aware routing in wireless ad hoc and sensor networks. Our protocol uses only local information to probabilistically forward the packet to the next hop. Every node relies on a beaconing process to keep track of the changes in the set of its neighbors. In order to forward a packet, the node selects a set of candidate nodes. These candidate nodes are then assigned a probability proportional to their residual energy and the link reliability. We have implemented PGR in NS-2 and compared the performance to two existing protocols, GPSR and Probabilistic Flooding. Based on the simulation results, PGR improves the throughput by 40%, increases the lifetime of the network by 30%, and decreases the overall end-to-end delay. In addition, we have implemented PGR on a real sensor network test-bed to verify our protocol.

Other Works

Attacks and Defenses of Ubiquitous Sensor Networks
Doctoral dissertation, UC Berkeley EECS Department, May 2008

Convergence Analysis of Reweighted Sum-Product Algorithms
Master’s thesis, UC Berkeley Statistics Department, May 2008

Integrity Checker for Wireless Sensor Networks in Health Care Applications
2nd International Conference on Pervasive Computing Technologies for Healthcare, January 2008 | With Giani and Sastry

Wireless sensor networks (WSN) for health care systems are used to transmit large amounts of data collected from several physiological and environmental sensors. Because the information regarding the health of an individual is highly sensitive, it must be kept private and secure. It is of paramount importance to defend the network against any illegal access, as well as malicious insertion of data that would alter the integrity of the entire system. In this paper, we propose solutions to ensure robustness, integrity, and privacy of sensor networks in health care systems. In addition, we define new metrics for determining the integrity of the sensory data. These metrics are defined based on specific characteristics of the health care systems.

Key Management and Secure Software Updates in Wireless Process Control Environments
ACM Conference on Wireless Network Security (WiSec), 2008 | With Nilsson, Lindqvist, and Valdes

Process control systems using wireless sensor nodes are large and complex environments built to last for a long time. Cryptographic keys are typically preloaded in the wireless nodes prior to deployment and used for the rest of their lifetime. To reduce the risk of successful cryptanalysis, new keys must be established (rekeying). We have designed a rekeying scheme that provides both backward and forward secrecy. Furthermore, since these nodes are used for extensive periods of time, there is a need to update the software on the nodes. Different types of sensors run different types and versions of software. We therefore establish group keys to update the software on groups of nodes. The software binary is split into fragments to construct a hash chain that is then signed by the network manager. The nodes can thus verify the authenticity and the integrity of the new software binary. We extend this protocol by encrypting the packets with the group key such that only the intended receivers can access the new software binary.

An Intrusion Detection System for Wireless Process Control Systems
4th IEEE International Workshop on Wireless and Sensor Networks Security, 2008 | With Nilsson, Lindqvist, and Valdes

A recent trend in the process control system (PCS) is to deploy sensor networks in hard-to-reach areas. Using wireless sensors greatly decreases the wiring costs and increases the volume of data gathered for plant monitoring. However, ensuring the security of the deployed sensor network, which is part of the overall security of PCS, is of crucial importance. In this paper, we design a model-based intrusion detection system (IDS) for sensor networks used for PCS. Given that PCS tends to have regular traffic patterns and a well-defined request-response communication, we can design an IDS that defines the model of normal behavior of the entities and detects attacks when there is a deviation from this model. Model-based IDS can prove useful in detecting unknown attacks.

Inherent Security of Routing Protocols in Ad-Hoc and Sensor Networks
IEEE Global Communications Conference (Globecom), November 2007 | With Pai, Chen, Sastry, and Wicker

Many of the routing protocols that have been designed for wireless ad-hoc networks focus on energy-efficiency and guaranteeing high throughput in a non-adversarial setting. However, given that ad-hoc and sensor networks are deployed and left unattended for long periods of time, it is crucial to design secure routing protocols for these networks. Over the past few years, attacks on the routing protocols have been studied and a number of secure routing protocols have been designed for wireless sensor networks. However, there has not been a comprehensive study of how these protocols compare in terms of achieving security goals and maintaining high throughput. In this paper, we focus on the problem of analyzing the inherent security of routing protocols with respect to two categories: multi-path and single-path routing. Within each category, we focus on deterministic vs. probabilistic mechanisms for setting up the routes. We consider the scenario in which an adversary has subverted a subset of the nodes, and as a result, the paths going through these nodes are compromised. We present our findings through simulation results.

Using Social Network Theory towards Development of Wireless Ad Hoc Network Trust
Third IEEE International Symposium on Security in Networks and Distributed Systems, May 2007 | With Pai, Wicker, and Sastry

The evolution and existence of stable trust relations have been studied extensively in the context of social theory. However, reputation systems or trust schemes have only been recently used in the domain of wireless ad hoc networks. It has been shown that these schemes provide positive results as a self-policing mechanism for the routing of data in wireless ad hoc network security. This paper develops a relationship between the trust concepts in the social network theory and wireless ad hoc networks. In addition, the paper maps existing trust schemes in wireless ad hoc networks to a long-standing theory in social networks. Most importantly, a refined model of trust evaluation in social networks is constructed and mapped to a new trust scheme for ad hoc networks. The new trust scheme is analyzed and shown to outperform existing schemes using scenario and simulation analysis.

Taxonomy of Security Attacks in Sensor Networks and Countermeasures
The First IEEE International Conference on System Integration and Reliability Improvements, December 2006 | With Shieh and Sastry

Ad-hoc sensor networks have become common over the past few years and the domain of their application is increasing widely. However, the security of these networks poses a great challenge due to the fact that they consist of tiny wireless devices which have limited hardware and energy resources. In addition, these networks are generally deployed and then left unattended. These facts coupled together make it impractical to directly apply the traditional security mechanisms to the sensor network paradigm. Therefore, there is a need to analyze and better understand the security requirements of sensor networks. This paper provides a comprehensive taxonomy of security attacks on sensor networks, and gives solutions for each set of attacks. More importantly, it points out the research directions which need to be investigated in the future.

Securing Flooding Time Synchronization Protocol in Sensor Networks
First International Workshop on Embedded Systems Security, October 2006 | With Sastry

Sensor networks have become popular in recent years due to their wide range of applications. A fundamental building block in distributed wireless sensor networks is Time Synchronization. Because sensor nodes may be severely resource-constrained, traditional time-synchronization protocols cannot be used in sensor networks. Various energy efficient time-synchronization protocols tailored for such networks have been proposed in recent years. However, none of these protocols have been designed with security in mind. If an adversary were able to compromise a node, he might prevent a network from effectively executing certain applications, such as sensing or tracking an object, or he might even disable the network by disrupting a fundamental service such as a TDMA-based channel-sharing scheme. In this paper we give a detailed explanation of the Flooding Time Synchronization protocol and outline the possible attacks on this protocol. To motivate our work, we briefly discuss how different sensor network applications are affected by time synchronization attacks. Finally, we propose some statistical countermeasures, as opposed to cryptographic countermeasures, to mitigate the effect of time synchronization attacks.

Security and Privacy Issues with Health Care Information Technology
The 28th Annual International Conference of the IEEE Engineering in Medicine and Biology Society, August 2006 | With Meingast and Sastry

Experiments in Instrumenting Wireless Sensor Networks for Real-Time Surveillance
ICRA video sessions, 2006

A Qualitative Analysis of Wireless Ad Hoc and Sensor Networks
Master’s thesis, UC Berkeley EECS Department, December 2004