Distributed Danger Assessment Model for the Internet of Things Based on Immunology

The Internet of Things (IoT) faces complicated and changing security threats, which harm IoT and expose it to potential danger. However, research results on danger assessment technology for IoT are rare. To calculate the danger value of an IoT with many dispersed sense nodes, this paper explores a theoretical model of distributed danger assessment for IoT. The principles and mechanisms of the Artificial Immune System (AIS) are introduced into the proposed model. Data packets in IoT are captured at each gateway and converted into antigens in the simulated immune environment. Detectors use the self-learning and self-adaptation mechanisms of AIS to evolve, adapt to the local IoT environment and detect security threats. The mechanism of antibody density is simulated to reflect the intensity of the security threats that are occurring. From the detected security threats and their intensity, the values of IoT property and security threats' harm are combined to assess the quantitative danger value for IoT. Theoretical analysis shows that the proposed model has theoretical and practical significance.


INTRODUCTION
With the rapid development of the Internet of Things (IoT) (ITU, 2005), the security threats that seriously harm IoT are receiving close attention. These security threats bring potential danger to IoT. It is necessary to detect which security threats are occurring in IoT and to assess the danger it faces. In research on traditional computer networks, security situation assessment technology has been studied (Chen et al., 2006; Wei et al., 2009). It discovers danger and evaluates the security situation quantitatively or qualitatively according to current and potential security threats. However, danger assessment technology for IoT is rare. Such technology can make administrators aware of the security situation and risk (Feng et al., 2004) of IoT. Furthermore, it may help administrators work out a targeted and reasonable security defense strategy for IoT and change the passive situation of security defense.
The user ends in IoT are not limited to computers. They are expanded to Thing to Thing (T2T), Human to Thing (H2T) and Human to Human (H2H) (ITU, 2005). A massive amount of multi-source data in different styles can access the sense layer of IoT. Although IoT goes beyond and improves on the applications of the Internet, mobile communication and sensor networks, serious potential security hazards exist in IoT because of the way IoT information is accessed, transported and processed. The randomly distributed and ubiquitous access makes it easier and more convenient for attackers to carry out security threats. At the same time, wireless sensor networks are widely used in IoT, which makes the transport networks of IoT unstable. In view of the foregoing, IoT faces many complicated security threats which not only affect the normal applications of IoT but are also bound to cause severe problems such as user privacy leaks, denial of service, system faults and system failure (Juels, 2006; Liu and Hu, 2010; Oleshchuk, 2009; Padmavathi and Shanmugapriya, 2009; Karygiannis et al., 2007; Kavitha and Sridharan, 2010; Karygiannis et al., 2006). Therefore, surveying the security threats in IoT and establishing an effective danger assessment technology for IoT has both theoretical and practical value.
Danger assessment technology for IoT can greatly improve traditional security technology for IoT. At present, research on this technology is still at an early stage and has been covered by few documents in recent years. The key technologies include the surveying of security threats, the computation of security threat intensity, etc. To resolve the first problem, Mirowski and Hartnett (2007) proposed an intrusion detection method based on the last visit frequency of a thing tag. Their detection method can only discover IoT attacks that aim to change the ownership of a tag and cannot do anything against other attacks. Apart from that, most researchers have proposed only basic ideas or simple concepts for IoT intrusion detection, and their attack detection ability is limited. Their approach is based on the traditional intrusion detection technology of the Internet and cannot entirely adapt to the special security requirements of the IoT environment. As for the second problem, research results on the computation of IoT security threat intensity are still lacking, and the literature that introduces it is rare. Many difficulties exist in research on IoT security threat intensity.
To overcome the problems confronting danger assessment for IoT, the mechanisms of the Artificial Immune System (AIS) (Xiao and Wang, 2002; Jiao and Du, 2003; Li, 2004; Mo and Zuo, 2009) are introduced in this paper to explore an effective way to survey IoT security threats and calculate their intensity. AIS has the attributes of distributed and parallel processing, diversity, self-organization, self-adaptation, robustness, etc. It has attracted the attention of many researchers in recent years. Because the problems found in an information security system are quite similar to those encountered in a biological immune system (Li, 2004), AIS is broadly applied to resolve the problems of information system security. In particular, it has proved effective in the fields of intrusion detection (Kim and Bentley, 2002; Dasgupta, 2002; Hofmeyr, 1999) and security risk assessment (Li, 2005; Wang et al., 2005).
This study proposes a Distributed Danger Assessment Model for the Internet of Things Based on AIS (DDAM). It opens up a new, effective way to calculate the danger value for IoT. In the following, the artificial immune principle is introduced into DDAM and the theoretical model of DDAM is established; the mechanisms of AIS are simulated; and the realization of IoT security threat surveying, security threat intensity computation and quantitative danger assessment is derived mathematically.

Architecture of DDAM:
The architecture of DDAM is shown in Fig. 1. DDAM adopts a distributed mechanism. It is made up of Security threat Detection Nodes (SDN) and a Danger Assessment Center (DAC). An SDN is deployed in the local IoT environment and connected to the gateway in bypass mode. In the SDN, the datagram in IoT is captured by the system and is transformed into

The detector is defined to simulate the immune cells in an immune system. Let the detector set be $D = \{(gene, age, count, type, family) \mid gene \in Ag;\ age, count, type, family \in N\}$, where gene is the detector's gene, a binary string which matches antigens; N is the set of natural numbers; count is the number of antigens matched by the detector; age is the number of generations the detector has lived; type denotes the type of the detector, $type \in \{i, m, r\}$, whose three elements denote immature, mature and memory detectors respectively; and family is the serial number of the detector's ethnic group, which corresponds to the ID number of an IoT attack.
The detector set includes immature, mature and memory detectors. Let their sets be $D_I$, $D_M$ and $D_R$, respectively.
The function $f_{match}()$ is constructed to compute whether a detector matches an antigen. At present, feasible matching methods include r-Contiguous, Hamming, Euclidean, etc. Let a detector be d and an antigen be ag. $f_{match}()$ is shown in Eq. (1): ( ) where the return value 1 denotes that d matches ag, and vice versa.
• Dynamical evolution of detector and self: After the immature detectors have passed the process of self-tolerance, they possess the initial ability to detect IoT security threats and will evolve into mature ones. Some of the captured antigens in Ag are proportionally selected and input into the proposed model to train mature detectors. The mature detector set at the moment t is shown in Eq. (2): where $D_{M\_death}(t-1)$ denotes the mature detectors which failed to be activated, $D_{M\_toR}(t-1)$ denotes the mature ones which were activated, and the function ToMatureCell() transforms immature detectors into mature ones; the parameter of ToMatureCell() is the set of immature detectors which passed self-tolerance (Li, 2004).
After mature detectors are activated, they have enough ability to detect security threats. In the proposed model, a message about the activation of a mature detector is sent to the IoT security administrator. The administrator co-stimulates the mature detector and confirms that it is switched to a memory detector. The memory detector is immortal. When it matches a harmful antigen (security threat), it becomes activated and new immature detectors proliferate from it. Through this mechanism, the activated memory detector expands the size of its ethnic group. The memory detector set $D_R(t)$ at the moment t is shown in Eq. (3): where the function ToMemoryCell() transforms $D_{M\_toR}(t-1)$ into memory detectors, and $ToMemoryCell(D_{M\_toR}(t-1))$ returns the newly generated memory detectors.
After detection, the antigen set Ag is classified into IoT attacks and normal antigens. To improve the self-adaptation of the proposed model to the IoT environment, the validated normal antigens are switched into self elements to train the newly generated immature detectors. Let the set of validated normal antigens at the moment t-1 be $Ag_{normal}(t-1)$. The self set S(t) at the moment t is shown in Eq. (4): where the function ToSelfCell transforms the validated normal antigens into self elements.

Synchronization technology of SDN:
In a Security threat Detection Node, detectors detect the input antigens and are trained by them. With the mechanisms of self-adaptation and self-learning, antigens can train detectors that are good enough to recognize mutated and even new, unknown security threats. These detectors, which can accurately recognize harmful antigens and adapt well to the IoT environment, are new memory detectors. In the local SDN, generating new memory detectors costs much resource and time. The other SDNs need not pay the same cost to train the same memory detectors. Therefore, the learning achievements (new memory detectors) of a local SDN need to be shared with the other SDNs to improve the global detection ability of IoT.
The following will describe the process of SDN synchronization whose principle is shown in Fig. 2. The process of SDN synchronization includes two stages: vaccination and self-tolerance in local IoT environment.
• Vaccination: In the biological immune system, vaccination means that a vaccine is injected into a biological body to make it immune to specific pathogens. In this paper, this mechanism is simulated to vaccinate all the SDNs in the global scope of IoT, so that all the SDNs can recognize new security threats.
• Forming mechanism of security threat intensity: The key question of quantitative danger assessment for IoT is how to compute the intensity value of the security threats confronted by IoT. In this paper, the way immune cells build up their intensity in an immune system is simulated to express the security threat intensity in IoT quantitatively. In the biological immune system, when recognizing specific pathogens, the activated immune cells quickly perform the process of clonal expansion. They generate plasmacytes to form a lot of antibodies. The new antibodies expand the scale of the ethnic group of the activated immune cells to eliminate massive numbers of pathogens. Through this mechanism, memory detectors in the proposed model use clonal expansion to form the intensity of the security threats which correspond to them.
Let the memory detector which recognizes a harmful antigen be $r_{detect}$. The proposed model uses $r_{detect}$ to implement the process of clonal expansion. It uses the gene of $r_{detect}$ to generate new immature detectors with the operations of crossover, mutation and recombination. The new immature detectors inherit the serial number of $r_{detect}$. In the process of ethnic group expansion of $r_{detect}$, when $r_{detect}$ recognizes an antigen, the number of new immature detectors cloned by $r_{detect}$ is $\zeta = [\tau \operatorname{arsinh}(d_{detect}.count)]$, where $\tau$ is the coefficient of ethnic group expansion. As the number of harmful antigens detected by $r_{detect}$ keeps growing, the size of the ethnic group increases sharply to form the intensity of security threats in IoT.
If $r_{detect}$ does not detect any harmful antigens in the period $\psi$, the number of new immature detectors cloned by it declines gradually. Let the time span in which $r_{detect}$ did not recognize any harmful antigens be $t_{no\_detect}$. In $t_{no\_detect}$, $r_{detect}$ clones new immature detectors whose amount is: The clone process does not stop until $d_{detect}.count - [t_{no\_detect}/\psi] \le 0$. After this moment, $r_{detect}$ does not clone any new immature detectors. New immature detectors which fail self-tolerance and new mature detectors which are not activated will die off little by little. The size of the ethnic group of $r_{detect}$ will fall to its lowest value.
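The detector mechanics described above (the matching function, self-tolerance and the clone count ζ) are sketched below as an added example that is not code from the paper. It assumes r-contiguous matching with r = 5, τ = 2, 8-bit antigens, the brackets in ζ read as floor, and hypothetical function names; the per-family total counts clones produced and ignores later deaths.

```python
import math

R = 5        # r-contiguous threshold (assumed value)
TAU = 2.0    # ethnic group expansion coefficient tau (assumed value)

def f_match(gene, ag, r=R):
    """Return 1 if gene and ag agree on at least r contiguous bits, else 0."""
    if len(gene) != len(ag):
        raise ValueError("detector gene and antigen must both have length l")
    run = 0
    for g, a in zip(gene, ag):
        run = run + 1 if g == a else 0
        if run >= r:
            return 1
    return 0

def self_tolerance(immature_genes, self_set, r=R):
    """Negative selection: an immature detector that matches any self dies."""
    return [g for g in immature_genes
            if not any(f_match(g, s, r) for s in self_set)]

def clone_count(count, tau=TAU):
    """zeta = [tau * arsinh(count)], reading the brackets as floor (assumption)."""
    return math.floor(tau * math.asinh(count))

def detect(memory, antigens, r=R, tau=TAU):
    """Run antigens past memory detectors; return clones produced per family."""
    clones = {}
    for ag in antigens:
        for det in memory:
            if f_match(det["gene"], ag, r):
                det["count"] += 1            # one more antigen recognised
                zeta = clone_count(det["count"], tau)
                clones[det["family"]] = clones.get(det["family"], 0) + zeta
                break                        # first matching detector handles it
    return clones

# Constructed sample data with l = 8 bits; not taken from the paper.
SELF = ["00001111", "00110011"]
CANDIDATES = ["11110000", "00001110", "10101010"]
ANTIGENS = ["11110001", "11110100", "00001111", "10101011", "01110000"]

def demo():
    survivors = self_tolerance(CANDIDATES, SELF)
    # For brevity the survivors are promoted straight to memory detectors;
    # family is the attack ID each one stands for (constructed).
    memory = [{"gene": g, "count": 0, "family": i + 1}
              for i, g in enumerate(survivors)]
    return survivors, detect(memory, ANTIGENS)

if __name__ == "__main__":
    print(demo())
```

The self string 00001111 passes through unmatched, so only the two attack families accumulate clones, and the family that is hit repeatedly grows faster with each hit.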

Danger assessment center:
The above mechanism of ethnic group change of a memory detector reflects the real-time intensity change of security threats in the IoT environment. The cloned immature detectors which pass self-tolerance will evolve into new mature detectors. Therefore, the size of the ethnic group of $r_{detect}$ is equal to the number of immature and mature detectors whose ethnic group number is $r_{detect}.family$.
The intensity of the security threats confronted by IoT is expressed by the number of members of the ethnic group of $r_{detect}$.
Let the harmfulness value of a security threat be $h_i$ (i is the ID number of the security threat). Let the importance value of an IoT gateway be $v_j$ (j is the ID number of the IoT gateway device). The danger value $R_j$ of the IoT gateway and the danger value R of the global IoT are shown in Eq. (5) and (6), respectively: where n is the total number of IoT gateway devices.

CONCLUSION
To resolve the problems confronting danger assessment technology for IoT, a theoretical Danger Assessment Model (DDAM) is explored in this paper. The principles and mechanisms of the Artificial Immune System are introduced into the proposed model. The realization of IoT security threat surveying, security threat intensity computation and quantitative danger assessment is derived mathematically. The mechanism of antibody density is simulated to reflect the intensity of the security threats that are occurring. From the detected security threats and their intensity, the real-time, quantitative danger of IoT is assessed. The proposed model can provide accurate danger information to IoT administrators and let them know the current security status of IoT clearly. It can help them work out an active security defense strategy for IoT. Taking the initiative in IoT security defense has both theoretical and practical value.

Fig. 1: The architecture of DDAM

the data in immune style. The data is probed by immune elements, using the immune principles and mechanisms, to judge whether it contains security threats which do harm to IoT. At the same time, the immune elements which detect IoT security threats undergo self-adaptation in the local IoT environment. Each SDN works independently to realize distributed and parallel detection of security threats. Then, it sends the information about detected security threats to the DAC. In the DAC, the security threat detection data of all SDNs is gathered and used to calculate the quantitative danger value.

Security threat detection node:
• Information simulation: The signature information in the IoT sense layer is used to simulate the antigens in an immune system. Let the antigen set be $Ag = \{ag \mid ag \in U, |ag| = l\}$, where $Ag \subset U$ and $U = \{0, 1\}^l$. The antigen ag is a binary string of length l (l is a natural number) extracted from the signature information of a datagram. Let the normal datagrams and the abnormal datagrams with security threats in the sensor layer of IoT be S and N, respectively. S and N satisfy $S \cup N = Ag$ and $S \cap N = \emptyset$.

Fig. 2: The synchronization of SDN

• Self-tolerance in local IoT environment: Once a vaccinated SDN accepts a vaccine, it decomposes the vaccine into the information of a new memory detector $r_{new}$, which is saved in the local SDN. The memory detector $r_{new}$ has excellent security threat detection ability. However, it was trained in a local IoT environment different from that of the vaccinated SDN. It may not be adapted to the IoT environment of the vaccinated SDN, and it may recognize self antigens in the local environment. Therefore, $r_{new}$ must undergo the process of self-tolerance in the vaccinated SDN. After $r_{new}$ passes self-tolerance, it is transformed into a memory detector which joins the memory detector set $D_R$ and starts detecting and recognizing security threats in the local IoT.
where m is the sum of the security threats confronted by the IoT gateway, $d_I \in D_I$, $d_M \in D_M$, $d_I.family = d_M.family = i$, and the function Count() counts the detectors that satisfy the condition given as its parameter.