sensors

Article

Privacy-Preserving Electrocardiogram Monitoring for Intelligent Arrhythmia Detection †

Junggab Son 1, Juyoung Park 2, Heekuck Oh 3, Md Zakirul Alam Bhuiyan 4, Junbeom Hur 5,* and Kyungtae Kang 3,*

1 Department of Computer Science, Kennesaw State University, Marietta, GA 30060, USA; [email protected]
2 Sustainable Management Strategy, Korea Expressway Corporation, Gimcheon 39660, Korea; [email protected]
3 Department of Computer Science and Engineering, Hanyang University, Ansan 15588, Korea; [email protected]
4 Department of Computer and Information Sciences, Fordham University, Bronx, NY 10458, USA; [email protected]
5 Department of Computer Science and Engineering, Korea University, Seoul 02841, Korea
* Correspondence: [email protected] (J.H.); [email protected] (K.K.); Tel.: +82-31-400-5235 (K.K.)
† This paper is an extended version of our paper published in Park, J.; Lee, K.; Kang, K. Intelligent Electrocardiogram Monitoring System for Early Arrhythmia Detection. In Proceedings of the IEEE International Conference on Advanced Information Networking and Applications (AINA 2014), Victoria, BC, Canada, 13–16 June 2016.

Received: 11 April 2017; Accepted: 7 June 2017; Published: 12 June 2017

Abstract: Long-term electrocardiogram (ECG) monitoring, as a representative application of cyber-physical systems, facilitates the early detection of arrhythmia. A considerable number of previous studies has explored monitoring techniques and the automated analysis of sensing data. However, ensuring patient privacy or confidentiality has not been a primary concern in ECG monitoring. First, we propose an intelligent heart monitoring system, which involves a patient-worn ECG sensor (e.g., a smartphone) and a remote monitoring station, as well as a decision support server that interconnects these components. The decision support server analyzes the heart activity, using the Pan–Tompkins algorithm to detect heartbeats and a decision tree to classify them. Our system protects sensing data and user privacy, which is an essential attribute of dependability, by adopting signal scrambling and anonymous identity schemes.
We also employ a public key cryptosystem to enable secure communication between the entities. Simulations using data from the MIT-BIH arrhythmia database demonstrate that our system achieves a 95.74% success rate in heartbeat detection and almost a 96.63% accuracy in heartbeat classification, while successfully preserving privacy and securing communications among the involved entities.

Keywords: body sensor networks; biomedical computing; electrocardiography; arrhythmia detection; communication system security; privacy of patients

Sensors 2017, 17, 1360; doi:10.3390/s17061360 www.mdpi.com/journal/sensors

1. Introduction

Cyber physical systems have emerged as a promising paradigm for enriching the interactions between physical and cybernetic components. Recent advances in sensing technology and smart devices, which are the most important devices facilitating cyber-physical systems, have drastically altered the shape of the current healthcare environment, while presenting numerous opportunities and challenges in patient monitoring and assistance. This novel paradigm enables patients to monitor their physical conditions using smart devices [1], which has been particularly useful for chronic diseases that can become life threatening, such as high blood pressure, hypernatremia and various heart diseases that are common globally [2]. By monitoring a chronic disease, a patient can deal with this transformation at an early stage. In particular, monitoring arrhythmias is of high importance, because they are an extremely common initial symptom of cardiac arrest or myocardial infarction.

Arrhythmia can be detected by analyzing an electrocardiogram (ECG), which measures the rate and regularity of heartbeats and is characterized by five peaks and valleys labeled P, Q, R, S and T (see Figure 1). The amplitude and duration of the P-Q-R-S-T wave provides information regarding the heart disease. The position and distance of the PR interval and segment, the ST interval and segment and the QT interval and QRS complex can be used in a diagnosis [3].

Figure 1. Structure of ECG. (Diagram labels: RR interval, QRS complex, PR segment, ST segment, PR interval, QT interval; waves P, Q, R, S, T.)
Several successful ECG monitoring systems have been developed [2–6]. These systems possess many advantages, such as allowing for ambulatory patient care, resulting in safer and more affordable healthcare. However, ECGs are primarily interpreted by medical experts, and most patients themselves cannot obtain the information firsthand. Thus, considerable attention has recently been devoted to the computerized automatic analysis of heart activity, which includes both the detection of the heartbeat in an electrocardiogram and the classification of its type. Recent advances in portable devices, such as smartphones and tablet PCs, also make it possible for users to more easily self-monitor their ECG status and classification results [4].

In order to exploit this potential, we propose a novel and intelligent ECG monitoring system (I-ECG) that analyzes and interprets heart activity by automatically detecting and classifying heartbeats based on the Pan–Tompkins [7] and C4.5 algorithms [8–10]. Although this was developed to be effective, simple to use, sustainable and reliable, it cannot be directly applied in real-world applications, owing to the following security and privacy problems. First, individuals close to the patients can illegally obtain the ECG signal during the communication between the sensors and the smartphone. Second, a decision support server (DSS) can manipulate collected ECG signals, as well as the status of a particular user. The health information that can be obtained through these security flaws is sensitive personal data, and thus, it could be abused for monetary purposes. In addition, the privacy of patients could be invaded by the abuse of this information.

It should be noted that many articles treat the privacy of patients as a primary concern in the usage of personal healthcare systems [11–13], and some of these assert that patient privacy should be preserved at all times by law [12]. Therefore, healthcare systems must be designed with consideration given to the security, in order to provide justifiably trusted services. Simultaneously, the system should be designed to safeguard the privacy of patients.
Contributions: The main objective of this study is to develop a privacy-preserving I-ECG that detects arrhythmia in the early stage. The contributions can be summarized as follows:

• We outline the guidelines for an intelligent ECG monitoring system and service model, and propose an algorithm for automatic detection and classification of arrhythmia, which realize intelligent monitoring as a decision support system.
• Additional computations performed by the body sensors to enable encryption of ECG data to protect it from attackers generate heat on the sensors, which can result in discomfort for the patient. To address this problem, we have developed an efficient and effective solution for encryption of ECG data in the body sensors. This solution selects the cipher with minimal overhead among the ciphers considered as candidates for our environment. In addition, our solution protects the patients' privacy against attackers, including protection of data at the DSS, as well as monitoring stations by adopting changeable pseudonyms.
• We simulated our detection and classification algorithm for decision support using the MIT-BIH arrhythmia database [14], and the simulation results demonstrate that the DSS achieved an overall accuracy of 95.74%, with a sensitivity of 97.21% and a specificity of 94.26% for heartbeat detection. The DSS also achieved an overall accuracy of 96.63%, with a sensitivity of 95.44% and a specificity of 97.82% for heartbeat classification including privacy preservation measures.
• We demonstrate that our scheme exhibits a high efficiency compared with conventional cryptographic algorithms and an enhanced robustness against inside attackers who have access to the DSS, as well as against outside attackers who have the ability to eavesdrop on data from wireless communications.

The remainder of this paper is organized as follows. In Section 2, we briefly review related work regarding ECG monitoring systems and applications, with the focus on security and privacy. In Section 3, we describe the system models, threat models and security objectives. We describe our primary contribution, which is the privacy-preserving ECG monitoring system, in Section 4.
In Section 5, we outline our system implementation. In Section 6, we evaluate and simulate our proposed system. Finally, we provide our conclusions in Section 7.

2. Related Work

Since the 1970s, researchers worldwide have been developing diagnostic systems that enable patients to make ECG recordings at home and transfer data to a cardiologist [2–6]. Research regarding remote ECG monitoring systems continues today, with smartphones being employed. Essentially, remote ECG monitoring systems [5,15,16] require only a simple architecture between the sensor device and a smartphone. The system extracts ECG signals through a lead cable, transmits the signal data via Bluetooth and then processes and displays the ECG waveform on a personal computer [15] or smartphone [5,16]. The system displays the ECG waveform on the device for remote monitoring. However, it does not transmit the ECG waveform to a medical expert. Therefore, the patient effectively receives no real-time medical service.

Systems on a healthcare server expand the fundamental remote monitoring system by offering an option to store and access ECG data. With the increasing popularity of Internet access through mobile phones, these systems provide an ideal platform between remote monitoring systems and patients. To display the ECG, many studies have employed a web component through a PC [17,18], single-chip microcomputer [19] or smartphone [2,18,20].

One proposed design for a remote monitoring "tele-medicine" system and web server consists of the client side, a general packet radio service (GPRS) modem and the server side [18]. The client side could be interpreted as the combination of the ECG, collection equipment, user interface and microprocessor. The GPRS modem, which is used to transmit the ECG signals, provides a large geographical mobility coverage range. The server side is divided into the back and front ends. The server front end is used to display the ECG signal on the web for patients and doctors, and the back end is designed to receive data from the GPRS modem and store it in a database.
However, such designs are inadequate for medical experts, because they do not provide the information required to analyze the ECG signals.

In the recent past, many studies have applied QRS detection algorithms to healthcare servers. Such systems can record ECG signals on a web server and facilitate their analysis. One prototype uses a mobile phone as a gateway for transmitting measured ECG data back to the medical cloud using 3G mobile telecommunications or WiFi [6]. The system can also calculate the beats of the heart as RR intervals, which is the time between consecutive R-waves, on the mobile phone. Another system offers not only QRS detection, but also a priority-based alarm messaging service [4].

Although these approaches facilitate the convenient measurement and analysis of body status, they still encounter problems with security and privacy. As a number of healthcare applications deal with physical information, which constitutes sensitive personal information, data leakage and invasions of privacy in health monitoring systems are significant issues [11–13]. In 2012, Ma et al. proposed a simple, but effective security solution for ECG signals based on an ECG compression algorithm [21]. Regarding security and privacy challenges in mobile healthcare, Lu proposed an efficient user-centric privacy access scheme based on attribute-based access control and a novel privacy-preserving scalar product computation [22]. This scheme employs a body sensor node that can monitor various types of health information, and it has sufficient resources to apply a widely-employed symmetric encryption scheme such as AES. On the other hand, in this work, we focus on a body sensing device that only monitors an ECG, and thus, a smaller sensing device can be employed, which is more comfortable for patients. Because patients wear the sensing device for the entire day, it is an advantage to use a smaller device. Regarding this aspect, the scheme described above based on a symmetric key and hash functions requires more circuits and larger devices to handle the required cryptographic functions.
Therefore, it remains a challenge to design a secure and privacy-preserving scheme for resource-constrained remote healthcare monitoring systems that utilize body sensors of a reduced size.

More recently, there have been attempts to deal with the use of ECG for identity recognition and biometric authentication [23,24]. For instance, Peter et al. [23] described the design and implementation steps required to realize an ECG-based authentication system in body area sensor networks and utilized ECG features for this purpose. Tan et al. [24] focused rather on enhancing the effectiveness and robustness of a biometric recognition system using a combination of random forest and wavelet distance measure classifiers. The ECG application investigated in this study is slightly different and has different design objectives. It is more oriented towards the secure transmission of ECG data to remote servers for analysis and to the application of machine learning to arrhythmia recognition. Enhancing the extent to which arrhythmia can be accurately detected is one of the eventual objectives of our study, and the energy is not our primary concern, because decisions are made on a remote server. Regarding networks, we are considerably interested in secure delivery over wide-area networks, rather than data transmission over body-area networks.

3. System Models, Threat Models and Security Objectives

This section describes the system models, threat models and security objectives of our system.

3.1. System Model

We are particularly interested in recording and accumulating ECG data for each patient over a long period of time, performing supervised learning based on the key ECG features and intelligent heartbeat classification for early and automatic detection of arrhythmia (we used a classifier based on a decision tree, which is constructed using the C4.5 learning algorithm). The crucial design consideration is the level of accuracy with which arrhythmia can be recognized. To achieve the desired accuracy, it is imperative that all of the acquired ECG data should be stored in the permanent storage of the DSS (i.e., database) and not on mobile devices with limited storage space.
Our system comprises four components: a revocation authority, an ECG sensing entity, a decision support server (DSS) and a monitoring station, as depicted in Figure 2. The patient is able to lead a normal life while the sensor continuously acquires ECG data and sends them to a Bluetooth-enabled smartphone. The smartphone relays the data to the DSS, which associates incoming data with the records for the patient in a database and analyzes them. The heartbeat is detected using the Pan–Tompkins algorithm, which has been shown to be an effective QRS detection scheme [25], and then classified using a decision tree. If the system identifies congestive heart failure or an irregular heartbeat, then an alarm is sent over the Internet connection to a monitoring station, where medical personnel can carry out appropriate actions.

Figure 2. Overview of the proposed system architecture. AID, anonymous ID.
Components shown: (A) ECG sensing entity: (A.1) User interface, (A.2) Signal measurement, (A.3) Signal encryption, (A.4) Data delivery. (B) Revocation authority: (B.1) Issues AID, (B.2) Revokes user. (C) Decision support server: (C.1) User interface, (C.2) Signal decryption, (C.3) Heartbeat analysis, (C.4) Database. (D) Monitoring station: (D.1) Check status.
Flows shown: (1) Registration and obtaining AID, (2) ECG transmission, (3) Alarm, (4) Care service, (5) User revocation.

3.1.1. Revocation Authority

We assume the existence of a revocation authority (RA) to hide a user's identity, while being able to make it available during an emergency. The RA has three roles in the proposed scheme. First, it manages each user's identity using a related anonymous ID (AID). Second, it reveals a user's identity and contact information in an emergency, following a request by the monitoring station. Third, it issues certification for each entity's public key. As the RA plays an important role in user identity management and public key confirmation, we treat the RA as a trusted third party. A government agency could set up and manage the RA for public welfare purposes.

3.1.2. ECG Sensing Entity

The smartphone of a patient collects ECG signals every day. Figure 3 illustrates the process of signal measurement and delivery. A sensor node is attached to the patient's body. The signal from the sensor node is converted to a digital value using an analog-to-digital (ADC) converter and then sent to a microcontroller unit (MCU) through a serial peripheral interface, which is used primarily to communicate between chips. The signal at the MCU is sent to a Bluetooth module using a universal asynchronous receiver and transmitter. Subjects can view their ECG through a graphical interface designed for their mobile device. Although it is possible to perform self-monitoring, the ECG signal should also be transmitted to a DSS, because a typical layman cannot independently interpret the signal. Accordingly, the signal on the smart device is transmitted over a wireless network.

Figure 3. ECG signal measurement and delivery. (Diagram labels: sensor node, SPI, microcontroller unit, UART, Bluetooth, antenna.)

3.1.3. Decision Support Server

The DSS analyzes multiple aspects of the ECG. As a convenience for medical experts, it acts as a monitoring station for decision support by detecting and classifying the heartbeat. Heartbeat detection in an ECG primarily depends on the QRS complex. However, QRS detection by itself is not sufficient for heartbeat detection, which must precede the recognition of features for detecting arrhythmia. One of the significant contributions of this study is the method of detecting the P-wave using the QRS complex, which is in turn detected by the Pan–Tompkins algorithm [7] (consisting of a band-pass filter, a differentiator and an integrator over a moving window). Eventually, the use of the P-wave with the QRS complex leads to the accurate detection of heartbeats related to arrhythmia.

3.1.4. Monitoring Station

The monitoring station (MS) provides a graphical user interface. Therefore, both the patient and the expert operators can remotely check the signal.
The patient, experts and a few others who have access rights can view the ECG, heart rate and patient profile through the web or a mobile device application. Moreover, experts using the MS can also view and determine the signal conditions of many patients through the web application. If an expert identifies a dangerous condition, then the MS immediately contacts medical services.

3.2. Threat Model

In the scope of this work, we consider normal users, including servers, as potential adversaries. Adversaries have limited capabilities, in that they can only access publicly-available information, including information from wireless communications. This is no more information than can be accessed by normal users of the ECG monitoring system. Thus, we consider that adversaries do not have the ability to distinguish the originator of data eavesdropped from a wireless communication. In the case of servers, we assume an honest-but-curious model that accurately follows a provided protocol, but may attempt to obtain information from the communication session or stored data. In addition, we do not consider that the adversaries can easily compromise other entities in order to obtain the identity of users or other valuable information. Based on these conditions, the following attacks can be carried out by adversaries.

• Eavesdropping: Essentially, we assume that an attacker has the ability of eavesdropping on data during transmissions. Wireless communications, including Bluetooth, which is used to transmit the sensing data, are vulnerable, because the transmitted data can be leaked by the major function hooking scheme of the Windows kernel driver [26,27]. Thus, an attacker close to the sensing system can eavesdrop on the sensing data and the identity of a user via the weak point of our system.
• Leaking: We treat the DSS and service provider as potential attackers. The ECG analysis results and identity of an individual user could be leaked by the service providers or system managers of the DSS and MS, respectively. We only focus on cases where health information is leaked along with the identity of the relevant user.
• Tracking: After obtaining data (raw ECG data or an ECG analysis) by eavesdropping or leaking, an attacker could attempt to determine the relation between the data and the user. In addition, the attacker could attempt to trace a particular user by determining the relations between pseudonyms.

The collected sensing data for detecting arrhythmias is personal information for the user, and it could be used by an attacker in various ways. One possible scenario is selling the collected data for profit. Pharmaceutical companies or clinics could use such data for targeted marketing. In addition, the patient may not want his/her illness to be known to others. Such types of attacks are only possible if the attacker could obtain both the health information and the identity of the user.

3.3. Security Objectives

Depending on the system and threat models described earlier, we define two security objectives.

• Communication security: An attacker close to a user cannot obtain sensing signals from the wireless communication between the MCU and the smart device, nor between the smart device and the DSS.
• Privacy preservation: An attacker cannot establish a link between a particular user and their sensing signal or analysis results from the DSS. In the case of an emergency, the personal information of a user can be disclosed. During this step, an attacker can obtain only a limited amount of data from the server. In other words, from a collection of personal information provided and a pseudonym, the attacker cannot distinguish the ECG information of a particular user.

A simple method of preserving user privacy is to employ a pseudonym as an anonymous identity for communication, because this can easily hide the relation between data and a user's identity. However, an attacker can easily obtain the identity of a certain user through long-term observation. Many previous schemes have mentioned the traceability of a single pseudonym [28–31]. In our system model, the attacker can obtain contact information for the pseudonym in an emergency.
All of the patient's information from before and after the emergency will be leaked if a single pseudonym-based approach is applied, and thus, the security model has to deal with forward and backward privacy. To deal with an emergency, a user's identity should be revealed to receive medical service. Otherwise, an inside attacker can determine the relation between the user's identity and the sensing signal. The forward privacy indicates that the attacker cannot determine a relation between sensing signals after an emergency. The backward privacy indicates that the attacker cannot determine a relation between sensing signals before the emergency.

4. System Architecture for Privacy-Preserving Intelligent ECG Monitoring

In this section, we propose an intelligent ECG monitoring system incorporating privacy preservation. The proposed scheme comprises two stages. First, we design a secure sensing signal encryption scheme using a conventional public key cryptosystem, to protect the sensing data transferred from the sensor to the MS via a smart device. Second, we present an AID scheme to preserve the user privacy during the arrhythmia recognition process. This also hides the user information from experts at the MS, but this can be revealed in an emergency. Before describing the proposed scheme, we present the notations used in this paper in Table 1.

Table 1. Notations.

| Notation | Description |
|---|---|
| $k$ | A symmetric session key |
| $(pk, sk)$ | Public, private key pair |
| $p_\ell$ | A pseudonym |
| $PS$ | A set of pseudonyms, $PS = \{p_1, p_2, \ldots, p_\ell\}$ |
| $a_\ell$ | An anonymous ID |
| $AID$ | A set of anonymous IDs, $AID = \{a_j\}_{1 \le j \le \ell}$ |
| $H(\cdot)$ | A cryptographic hash function |
| $PRG(\cdot)$ | A pseudo-random number generator |
| $E_k\{\}$ | An encryption function using key $k$ |
| $S_k\{\}$ | A signature function using key $k$ |
| $KS$ | A keystream |
| $ES$ | An encrypted ECG signal using key $k$ |

4.1. Setup

Each user generates and uses a key and a pseudonym for each session to ensure privacy. One session is the duration of a pseudonym and the corresponding key. By changing these frequently, the system can provide stronger privacy protection. The length of each session is flexible.
If a user wants a higher level of privacy, he/she can adjust to make the duration shorter. The user also can adjust to make the duration longer in the case that they require efficient operation.

When a user first establishes a connection between the MCU of a body sensor network and a smart device, the MCU and the smart device share a symmetric session key $\{k_s\}$ to deal with the limited storage of the MCU.

The RA, DSS, MS and the smart device of a user use a public key cryptosystem to establish secure communications. The public/private key pairs for the entities are $(pk_{RA}, sk_{RA})$, $(pk_{DSS}, sk_{DSS})$, $(pk_{MS}, sk_{MS})$ and $(pk_U, sk_U)$, respectively.

4.2. Revocation Authority

Each user has a unique $ID$, and the user registers this along with his/her contact information to deal with emergencies. To generate an AID, the user encrypts their $ID$ using a public key of the RA and sends this to the RA. At this point, we employ a set of session pseudonyms such that each user uses one pseudonym for only one session, to deal with forward and backward privacy in the single pseudonym approach [31].

The RA generates a set of unique pseudonyms $PS = \{p_1, p_2, \ldots, p_\ell\}$, and computes the AID $AID = \{a_j\}_{1 \le j \le \ell}$ with its signature as:

$$a_j = E_{pk_U}\{H(ID \,\|\, p_j)\},\quad S_{sk_{RA}}\{a_j\},\quad 1 \le j \le \ell$$

where $\ell$ is a natural number greater than one, which is defined by the user. To address the trade-off between privacy and efficiency, where the privacy is enhanced by changing the pseudonyms more frequently, we allow the user to define the frequency and $\ell$ while using the application. However, each session should be longer than 30 minutes to ensure an accurate analysis result.

The RA stores $(ID, A_{ID})$ pairs, encrypts these using the user's public key and then sends them to the user's smart device. At this point, our system only uses the public key to encrypt the $(ID, A_{ID})$ pairs. Therefore, an attacker cannot obtain the $A_{ID}$ used for an actual communication between the user and the DSS. Thus, using the user's public key does not affect the privacy of the system. Finally, the user sends sensing signals to the DSS, preserving privacy by using one of the AIDs.
As the user cannot receive services when an incorrect AID is used, a legal AID that is generated by the RA should be entered. After receiving the $AID$, the user generates a set of keys $\{k_i\}_{a \le i \le \ell}$.

In case of an emergency, the MS sends the AID to the RA. The RA then determines the patient information from the AID list and performs the step of connecting the patient with a doctor. Our scheme employs the RA as an additional entity to decentralize secret information and increase the effectiveness of privacy preservation.

4.3. ECG Sensing

To transfer the sensing signal securely, we use a stream cipher that consists of a pseudo-random generator (PRG) and a bitwise exclusive OR operator [32]. A sensor installed on the human body typically consists of a resource-constrained and battery-powered device. Moreover, considerable computations result in the production of more heat, which can be problematic in terms of patient safety. Furthermore, a body sensor requires a powerful processor and a large capacity battery to apply cryptography to its various functions, which would increase the size of the body sensing system and interfere with its day-to-day usage. Accordingly, we propose a simple and secure method that minimizes the encryption overhead and protects sensing data during transfer.

The MCU of the user generates the keystream $KS_s$ using the PRG such that $KS_s = PRG(k_s)$. Then, it computes the exclusive OR operation for the ECG signal $SS_i$ as $ES_s = KS_s \oplus SS_i$, where $ES_s$ denotes the encrypted ECG signal. After receiving this, the smart device of the user performs the same operation as the MCU to decrypt the ECG signal, and the user can monitor their own ECG on selected smart devices.

To send the sensing signal safely, the user generates a keystream $KS_i$ using the PRG such that $KS_i = PRG(k_i)$ and encrypts $SS_i$ using $KS_i$ as $ES_i = KS_i \oplus SS_i$. Subsequently, the user selects an $a_i$ randomly and sends the received signal stream to the DSS to detect arrhythmias using the ECG. The first time the user employs a choice of $a_i$, they send $a_i$, $S_{sk_{RA}}\{a_i\}$ and $E_{pk_{DSS}}\{k_i\}$ for validity. Subsequently, the user sends the signal stream to the DSS as $a_i \,\|\, ES_i$.
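The session scheme of Sections 4.2 and 4.3, as an added example that is not code from the paper: per-session AIDs issued by the RA, frames sent as $a_i \| ES_i$ with $ES_i = KS_i \oplus SS_i$, emergency reveal of a single AID, and the failure mode where a keystream is restarted under the same key. Assumptions: SHAKE-256 stands in for the unnamed PRG, the public-key steps ($E_{pk_U}$, $S_{sk_{RA}}$, $E_{pk_{DSS}}$) are replaced by direct calls, and all class names, the user ID and the sample bytes are constructed for illustration.

```python
import hashlib
import secrets

AID_LEN = 32  # SHA-256 output length; stand-in for the RA-issued a_j


def prg(key, start, n):
    """KS = PRG(k): keystream bytes [start, start + n).

    SHAKE-256 is an assumed stand-in; the page does not name the PRG.
    """
    return hashlib.shake_256(key).digest(start + n)[start:]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class RevocationAuthority:
    """Holds the only ID <-> AID table and issues one AID per session."""

    def __init__(self):
        self._table = {}

    def issue(self, user_id, sessions):
        aids = []
        for _ in range(sessions):
            p_j = secrets.token_bytes(16)  # fresh pseudonym p_j
            # H(ID || p_j); encryption under pk_U and the RA signature omitted
            a_j = hashlib.sha256(user_id.encode() + p_j).digest()
            self._table[a_j] = user_id
            aids.append(a_j)
        return aids

    def reveal(self, aid):
        """Emergency path: map one AID back to the registered ID."""
        return self._table[aid]


class Sender:
    """Smart-device side of one session: frame = a_i || ES_i."""

    def __init__(self, aid, key):
        self.aid, self.key, self.pos = aid, key, 0

    def frame(self, samples):
        ks = prg(self.key, self.pos, len(samples))
        self.pos += len(samples)  # never rewind: keystream bytes are single-use
        return self.aid + xor(ks, samples)


class DecisionSupportServer:
    """Knows AIDs and session keys, never the real ID."""

    def __init__(self):
        self.sessions = {}  # a_i -> [k_i, keystream position]

    def register(self, aid, key):
        # Stands in for the first message (a_i, S_skRA{a_i}, E_pkDSS{k_i}).
        self.sessions[aid] = [key, 0]

    def receive(self, frame):
        aid, es = frame[:AID_LEN], frame[AID_LEN:]
        state = self.sessions[aid]
        ks = prg(state[0], state[1], len(es))
        state[1] += len(es)
        return aid, xor(ks, es)  # SS_i = KS_i xor ES_i


def run_demo():
    ra, dss = RevocationAuthority(), DecisionSupportServer()
    aids = ra.issue("patient-0001", sessions=2)     # constructed user ID
    keys = [secrets.token_bytes(32) for _ in aids]  # session keys {k_i}
    # Constructed ECG sample bytes, two chunks per session.
    chunks = [bytes([10, 12, 90, 200, 40, 11]), bytes([9, 13, 95, 190, 38, 10])]

    frames, recovered = [], []
    for aid, key in zip(aids, keys):
        dss.register(aid, key)
        tx = Sender(aid, key)
        for chunk in chunks:
            frames.append(tx.frame(chunk))
            recovered.append(dss.receive(frames[-1])[1])

    # Failure mode: both chunks encrypted from keystream position 0 under one k_i.
    bad1 = xor(prg(keys[0], 0, 6), chunks[0])
    bad2 = xor(prg(keys[0], 0, 6), chunks[1])
    return {
        "roundtrip": recovered == chunks * 2,
        "aids_distinct": aids[0] != aids[1],
        "revealed": ra.reveal(aids[0]),
        "id_on_wire": any(b"patient-0001" in f for f in frames),
        "reuse_leaks": xor(bad1, bad2) == xor(chunks[0], chunks[1]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because $PRG(k_i)$ is deterministic, the sender and the DSS must both advance the keystream position across frames; the `reuse_leaks` check shows that restarting it exposes the XOR of two plaintext chunks without the key.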
For privacy reasons, we use a set of pseudonyms and a set of keys. If a user only uses a single pseudonym or key, then the DSS can easily trace that user. When a user's identity is revealed in an emergency, the DSS can obtain all of the stored ECG signals and analysis results, as well as future information for the user. Therefore, users should periodically change their pseudonyms and keys to minimize leaked data after an emergency. After a received pseudonym is exhausted, the user requests a novel set of pseudonyms from the RA.

The DSS detects arrhythmias using continuous ECG streaming from users, and the pseudonyms transform that stream into a discontinuous signal. Thus, we should consider the effect of pseudonyms on the detection process. Consequently, we describe the simulation results of our scheme in Section 6, based on 30 minutes of ECG signals, and show that we can ensure 96.63% accuracy if the pseudonym changing period is longer than half an hour.

4.4. Analysis of an ECG for Arrhythmia Detection

The DSS should first decrypt the signal stream to analyze the ECG. To achieve this, the DSS decrypts the key signal using its private key and obtains $k_i$. By obtaining $k_i$, the DSS can generate the same $KS_i$ as the MCU and decrypt the ECG signal as $SS_i = KS_i \oplus ES_i$. Using $SS_i$, the DSS analyzes the multiple aspects of the ECG.

4.4.1. Heartbeat Detection and Feature Extraction

First, heartbeats are detected using the determined QRS complexes and P-waves. Figure 4 depicts the process of the Pan–Tompkins algorithm, and Figure 5 [25] illustrates the results of feature extraction, with the step-by-step output of the algorithm performed on Record 200 in the MIT-BIH arrhythmia database. Figure 5a shows the original ECG signal. The original signal is normalized by the mean value, as shown in Figure 5b. The band-pass filter is created by combining a low-pass filter with a high-pass filter. This reduces noise such as muscle noise, 60-Hz interference, baseline wander and T-wave interference in the ECG signal.
The differential equation for the low-pass filter is:

$$y(nT_s) = 2y(nT_s - T_s) - y(nT_s - 2T_s) + x(nT_s) - x(nT_s - 6T_s) + x(nT_s - 12T_s), \quad (1)$$

where $T_s$ denotes the sampling period, $x$ is the amplitude of the $n$-th ECG sample and $y$ is the amplitude after filtering. The difference equation for the high-pass filter is:

$$y(nT_s) = 32x(nT_s - 16T_s) - [y(nT_s - T_s) + x(nT_s) - x(nT_s - 32T_s)]. \quad (2)$$

Figure 4. Process of the Pan–Tompkins algorithm. (Stages shown: band-pass filter, derivative, squaring, moving-window integration.)

Figure 5. Results of feature extraction with step-by-step output of the Pan–Tompkins algorithm.

The DSS sets the low-pass filter with a cutoff frequency of 11 Hz and the high-pass filter with a cutoff frequency of 5 Hz, as shown in Figure 5c,d. After being filtered, the ECG signal is differentiated to provide slope information using the following differential equation:

$$y(nT_s) = \frac{1}{8T_s}[-x(nT_s - 2T_s) - 2x(nT_s - T_s) + 2x(nT_s + T_s) + x(nT_s + 2T_s)], \quad (3)$$

Equation (3) approximates the ideal derivative of frequencies up to 30 Hz, and Figure 5e presents the results of the derivative. This is then squared point by point, making all of the data points in the processed signal positive and emphasizing the higher frequencies, as shown in Figure 5f. The differential equation for this squaring is:

$$y(nT_s) = [x(nT_s)]^2. \quad (4)$$

Integrating the moving window provides waveform feature information, which is added to the slope of the R-wave. This is achieved using the following differential equation:

$$y(nT_s) = \frac{1}{N_s}[x(nT_s - (N_s - 1)T_s) + x(nT_s - (N_s - 2)T_s) + \cdots + x(nT_s)], \quad (5)$$
