FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION
(See Section 10 and Rule 13)
Title of invention: SYSTEM AND METHOD FOR ROBUST PRIVACY PRESERVING DATA
AGGREGATION
Applicant
TATA Consultancy Services Limited A company Incorporated in India under The Companies Act, 1956
Having address:
Nirmal Building, 9th Floor,
Nariman Point, Mumbai 400021,
Maharashtra, India
The following specification particularly describes the invention, and the manner in which it is to be performed.

FIELD OF THE INVENTION
The present invention relates generally to cluster based private data aggregation and more particularly relates to a system and method for enhancing efficiency and robustness of privacy preserving data aggregation.
BACKGROUND OF THE INVENTION
Currently, privacy preserving data aggregation scheme suffer from security vulnerability when one or more than one of the sensor nodes within a cluster becomes malicious. In spite of wide popularity of cluster based private data aggregation, it has been observed that the protocol is not secure. It is vulnerable when one or more number of nodes become malicious, which results in privacy breach. A malicious participant node can easily launch an attack on the privacy protocol so as to get access to the private data of its neighboring sensor nodes and the victim nodes are not able to detect or nullify such attacks. Therefore, the malicious node poses a strong attack on the sensor nodes and easily accesses the private values of the victim nodes without the slightest knowledge of the victim node.
Prior work has been done on Privacy preserving data aggregation in wireless sensor networks for enhancing security features of participating nodes. However, the prior art is weak when one of the participating nodes becomes malicious.
In the light of foregoing problem, there is a need of a system that is capable of plugging the vulnerability of the protocol towards attack from such malicious nodes and enhancing the robustness of the existing privacy preserving data aggregation system.
OBJECTIVES OF THE INVENTION
The principle object of the present invention is to nullify the attack from a malicious node in a cluster based private data aggregation system comprising of plurality of sensor nodes.

Another significant object of the invention is to enhance the robustness and efficiency of data preserving of nodes within a cluster when any of the participating nodes is malicious.
It is another object of the present invention to prevent access to private values of sensor nodes by malicious nodes by preventing nodes with very large or small seed values from participating in the cluster.
SUMMARY
In one of the preferred embodiments of the present invention, a system and method for plugging an attack scenario in a cluster based private data aggregation scheme using a clustering protocol is provided. The system is capable of nullifying the attack from a malicious node that endeavors to access private data from participating neighboring sensor nodes. A computer-readable medium bearing computer-executable instructions is also presented. When executed on a computer system, the computer-executable instructions carry out a method for providing data protection services to content on a clustered server.
In one of the preferred embodiments of the present invention, a method for detecting one or more malicious sensor node in a sensor communicating network of a data aggregation process is provided, wherein the method comprises of the following steps: determining a set of sensor nodes comprising plurality of participating sensor nodes that does not release their private sensor reading to other nodes, and, at least one aggregating node that generates one or more random values known only to the aggregating node; allowing the participating sensor nodes to share their respective seed value; defining a threshold range for comparing the shared seed value against the private sensor reading and the random values; and for the seed value not included within the defined threshold range, transmitting a non participating signal that is embodied on a non transitory computer readable medium, to the corresponding sensor node.
In one of the other preferred embodiments of the present invention, a system for detecting one or more malicious sensor node in a sensor communicating network of a

data aggregation process, the system comprising: one or more processor for hosting a set of sensor nodes; at least one input device; at least one storage device storing program instructions, which when executed by at least one processor, performs a method including: aggregating, by an aggregating node, private sensor reading of participating sensor nodes by:
determining the set of sensor nodes comprising the plurality of participating sensor nodes that does not release their private sensor reading to other nodes, and, the at least one aggregating node that generates one or more random values known only to the aggregating node; allowing the participating sensor nodes to share their respective seed value; defining a threshold range for comparing the shared seed value against the private sensor reading and the random values; and for the seed value not included within the defined threshold range, transmitting a non participating signal that is embodied on a non transitory computer readable medium, to the corresponding sensor node.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. These and other features of the present invention will become more fully apparent from the following description, or may be learned by the practice of the invention as set forth hereinafter.
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing summary, as well as the following detailed description of preferred embodiments, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating the invention, there is shown in the drawings example constructions of the invention; however, the invention is not limited to the specific system and method disclosed in the drawings:

Figure 1 shows system architecture in accordance with one disclosed embodiment of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
Some embodiments of this invention, illustrating ail its features, will now be discussed in detail. The words "comprising," "having," "containing," and "including," and other forms thereof, are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items.
It must also be noted that as used herein and in the appended claims, the singular forms "a," "an," and "the" include plural references unless the context clearly dictates otherwise. Although any systems and methods similar or equivalent to those described herein can be used in the practice or testing of embodiments of the present invention, the preferred, systems and methods are now described.
The present invention provides an attack scenario on Cluster-based Private Data Aggregation (CPDA) that uses a clustering protocol and a well-known key distribution scheme for computing an additive aggregation function in a privacy-preserving manner.
The system of the preferred embodiment of the present invention broadly comprises of plurality of communicating sensor nodes which senses data and sends it to a server; a server or an aggregating node which aggregates data from the sensor node; and a network interface to post the aggregated data to the internet. In order to prevent the attack, the participating sensor nodes holding private values does not allow other nodes participating with very large or small seed values. The exemplary system further includes one or more processors, one or more input/output interface units, one or more storage devices, and one or more system buses and/or networks for facilitating the communication of information among the sensor nodes. One or more input devices and one or more output devices may be coupled with the one or more input/output interfaces.

At least a portion of the computer executable instructions may be stored (temporarily or more permanently) on the one or more storage devices and/or may be received from an external source via one or more input interface units.
The storage devices may include system memory, such as read only memory (ROM) and/or random access memory (RAM). The storage devices may also include a hard disk drive for reading from and writing to a hard disk, a magnetic disk drive for reading from or writing to a (e.g., removable) magnetic disk, and an optical disk drive for reading from or writing to a removable (magneto-) optical disk such as a compact disk or other (magneto-) optical media. The computer-readable medium may be non-transitory and may include, but is not limited to, flash memory, optical disks, CD-ROMs, DVD ROMs, RAMs, EPROMs, EEPROMs, magnetic or optical cards or any other type of machine-readable media suitable for storing electronic instructions. For example, the present invention may be downloaded as a computer program which may be transferred from a remote computer (e.g., a server) to a requesting computer (e.g., a client) by way of a communication link (e.g., a modem or network connection) and stored on a non-transitory storage medium. The machine-readable medium may also be referred to as a processor-readable medium.
Referring now to Figure 1, system architecture of the present invention is provided. For the illustration purposes, three nodes are shown wherein two of them 101 and 102 are participating sensor nodes while the third node is an aggregator node 103 that constitutes the cluster. The sensor nodes 101 and 102 are reporting nodes that are prone towards attack from any malicious node within the cluster network. These reporting nodes hold private values which the malicious node aims to get an access to. The aggregator node 103 can itself be a sensor node, which also senses the data. The objective is that the data (numeric) sent by the nodes 101 and 102 will get aggregated (summed up) by the aggregating node 103 without the aggregating node knowing the content of the data of B and C, which then reports the aggregated result through Internet.
In order to prevent such attacks, the reporting sensor nodes 101 and 102 that hold private values prevent other nodes holding very large or small seed value to participate and become a part of cluster. For this, first the node will compare the sent seed values

from its neighbors and if it finds that they are too high or small, typically 10X or 1X times of its private value and one of the random values (r1B, r2B, r1c, and r2c), it will broadcast the unacceptability message to the other nodes.
The present invention provides a solution for a scheme called Cluster-based Private Data Aggregation (CPDA) that uses a clustering protocol and a well-known key distribution scheme for computing an additive aggregation function in a privacy-preserving manner. In spite of the wide popularity of CPDA, it has been observed that the protocol is not secure and it is also possible to enhance its robustness. This invention describes the possible attack scenario in CPDA and the solution to nullify that attack and to enhance the efficiency.
Attack:
The objective of the attack is to show the vulnerability of the CPDA scheme which can be suitably exploited by a malicious participating sensor node. For understandability purposes, it is assumed that sensor node 101 of Figure 1 is B that holds the private value b, sensor node 102 is C that holds the private value c and the aggregator node 103 is A that holds private value a . The intention of the malicious node is to participate in the scheme in such a way that it can get access to the private values (i.e., a, b and c) of the participating sensor nodes. For describing the attack scenario, a sample cluster consisting of three sensor nodes A, B and C is considered. The node A is the cluster leader or an aggregating node whereas B and C are the cluster members or reporting sensor nodes. Considering CPDA, it is assumed that A is a malicious node. In order to get the values of b and c, node A chooses a large value of x. Once the values of r, and r2 are computed by node A, it can compute the value of (a + b + c), which are the values of nodes A, B and C respectively. Since the computation of the sum (a + b + c) by node A involves two division operations only, the modified CPDA scheme will be extremely light-weight and hence much more energy- and time- efficient as compared with the original CPDA scheme.
Node A chooses a very large value of x. With a suitable choice of x, node A can derive the value of n and r2. This can be proved this way:
FA = a+b+c+n x+r2 x2

Divide FA by xA2: f_A = a+b+c + n +r2 X2 X2 X2

A knows (a+b+c) and x, so A can also deduce after computing . So, in modified form:

Node A can now compute the values of r2B as

Similarly, A can deduce r2c from VCA

Now A can deduce r2B and r1C like:

Some amount of errors introduced by approximation can be averaged out using equation (1)and(2).
By knowing , A can easily deduce the private values b and c.
Similar attack can be launched by B or C also, so that they can deduce the values a, c or a, b respectively.
Modification to enhance robustness:
This modification is based on suitable choice for the value of x (the public seed) done by the aggregator node A. In order to prevent this attack, the nodes B and C, who are holding private values, should not allow other nodes participating with very large or small seed value. First the node will compare the sent seed values from its neighbors and if it finds that they are too high or small, typically 10X or .1X times of its private value and
one of the random values it will broadcast the unacceptability message to

the other nodes. So, by restricting the range of the seed values, this attack can be prevented. However, if two nodes, say A and C collude even this restriction of seed value will not be sufficient to leak the private value of B. But this applicable in general, that if (N-1) nodes collude in total N number of nodes, it is impossible to hide the private value in this kind of collaborating multi-party computation.
The foregoing description has been directed to one or more specific embodiments of this invention. It will be apparent; however, that other variations and modifications may be made to the described embodiments, with the attainment of some or all of their advantages. For instance, it is expressly contemplated that the teachings of this invention can be implemented as software, including a computer-readable medium having program instructions executing on a computer, hardware, firmware, or a combination thereof, in addition, it is understood that the data structures described herein can include additional information while remaining within the scope of the present invention. Accordingly this description is to be taken only by way of example and not to otherwise limit the scope of the invention. Therefore, it is the object of the appended claims to cover all such variations and modifications as come within the true spirit and scope of the invention.

We claim:
1) A computer implemented method for detecting one or more malicious sensor node in a sensor communicating network of a data aggregation process, the method comprising:
determining a set of sensor nodes comprising plurality of participating sensor nodes that does not release their private sensor reading to other nodes, and, at least one aggregating node that generates one or more random values known only to the aggregating node;
allowing the participating sensor nodes to share their respective seed value; defining a threshold range for comparing the shared seed value against the private sensor reading and the random values; and
for the seed value not included within the defined threshold range, transmitting a non participating signal that is embodied on a non transitory computer readable medium, to the corresponding sensor node.
2) The method of claim 1, further comprising aggregating the data from the participating sensor nodes that shares a seed value included within the defined threshold range.
3) The method of claim 1, wherein the aggregating node can alternately function as the participating sensor node.
4) The method of claim 1, wherein upper limit for the threshold value is reached when the seed value is ten times higher than the private sensor reading or one of the random values.
5) The method of claim 1, wherein a lower limit for the threshold value is reached when the seed value is one tenth of the private sensor reading or one of the random values.
6) A system for detecting one or more malicious sensor node in a sensor communicating network of a data aggregation process, the system comprising:
one or more processor for hosting a set of sensor nodes; at least one input device;

at least one storage device storing program instructions, which when executed by at
least one processor, performs a method including:
aggregating, by an aggregating node, private sensor reading of participating sensor
nodes by:
determining the set of sensor nodes comprising the plurality of participating sensor
nodes that does not release their private sensor reading to other nodes, and, the at
least one aggregator node that generates one or more random values known only to
the aggregator node;
allowing the participating sensor nodes to share their respective seed value;
defining a threshold range for comparing the shared seed value against the private
sensor reading and the random values; and
for the seed value not included within the defined threshold range, transmitting a non
participating signal that is embodied on a non transitory computer readable medium,
to the corresponding sensor node.
7) The system of claim 6, further comprising a network interface to post the aggregated data collected from the participating sensor nodes to the internet.
8) The system of claim 6, wherein the aggregating node can alternately function as the participating sensor node.
9) The system of claim 6, wherein upper limit for the threshold value is reached when the seed value is ten times higher than the private sensor reading or one of the random values.
10) The system of claim 6, wherein a lower limit for the threshold value is reached when the seed value is one tenth of the private sensor reading or one of the random values.