I. INTRODUCTION
Recent advances in ubiquitous computing and mobile networking have enabled IoT-based applications, where "anything" can be connected "anywhere" at "anytime". The IoT has
significant applications in eHealth since it continuously collects, processes,
and transmits healthcare data, thereby reducing
the cost of patient monitoring and improving the quality of
healthcare services. Nevertheless, there are strong privacy
and security concerns associated with the use of IoT in
eHealth. In the frame of the ASSET project (http://asset.nr.no),
we are developing risk-based adaptive security methods and
mechanisms to estimate and predict risk damages and security
solutions benefits related to the use of the IoT in eHealth. In
fact, IoTs are vulnerable to attacks since communications are
mostly wireless and thus eavesdroppable, things are usually
unattended and thus vulnerable to physical attacks, and most
IoT elements are short on both the energy and computing resources necessary for the implementation of complex security-supporting schemes.
In the complex and varying contexts where the smart things
operate, existing security solutions that have been proposed for
wireless sensor networks and ad hoc networks are no longer
tractable. They cannot protect against ever-changing attacks
while taking into account the power, computing, communication, and memory limitations. They mainly lack a granular
view of the context to reliably distinguish between situations
where security-effectiveness should be prioritized and other
cases where energy-efficiency should be privileged.
This paper develops a game-based model for context-aware
adaptive security in the IoT. A mathematical framework is
provided to model the dynamic environment in which the
smart things operate. Our model relies on Markov game theory
A novel mathematical model for a dynamic and composite context that represents the core of the decision-making
process associated to adaptive security,
An extensible adaptive security policy based on probabilistic rules. This policy can be extended depending on
the threat model and the available security modules,
A novel game-theoretic model that allows us to model
the trade-off between the effectiveness of the adaptive
security policy and the power consumption resulting from
the execution of the underlying security controls.
TABLE I
SUMMARY OF GAME-BASED MODELS FOR ADAPTIVE SECURITY.
Reference | Context | Scalability | Opacity
Shen et al. [2]
Chen et al. [3]
Xiaolin et al. [4]
Nielsen et al. [5]
Centry et al. [6]
Bonaci et al. [7]
Proposed approach
Ci,i1
Ci,i
t.i+1
, i = 0, .., N 1
P r(i)
t.i
, i = 1, .., N
P r(i)
i=N
1 CN,N 1 ,
(2)
(3)
(4)
nodes since it requires additional processing and communication. In the following, we introduce four adaptive strategies
to build simple adaptive security policies based on these
simple rules. The first three strategies adapt individually to
the components of the context defined in the previous section.
We suppose that a smart thing can be in the secure mode
or in the passive mode. In the secure mode, it systematically
authenticates the forwarded packets, while no security check
is performed in the passive mode. An adaptive security policy
is defined by the transition probabilities between these two
states. In other words, when the battery state is b, the channel
state is c, the queue state is q, and the security level is s, the
transition probabilities are defined as follows:
P (b, c, p, s)
P (b, c, p, s)
4) Strategy 4 - Adapting to the intruder: Using witness-based detection methods, the smart things can compute the
revocation rate, which is the fraction of compromised nodes
revoked per time slot. We use the technique proposed in [8] to
estimate the revocation rate, denoted by r. We define a high
threshold r and a low threshold r such that.
3 ,
rr
P (b, c, p, s) =
1 3 , otherwise
(9)
4 ,
rr
P (b, c, p, s) =
1 4 , otherwise.
5) Strategy 5 - Hybrid adaptation: This strategy relies
on combining two or more criteria to decide whether to
activate security or not. Many combinations can be thought
of, depending on the priorities of the target application. For
instance, in the following example, we design a strategy where
security activation is triggered by both the channel state and
the residual battery capacity.
1, b/B b and c = 1
P (b, c, p, s) =
0, otherwise
(10)
0, b/B b and c = 0
P (b, c, p, s) =
0, otherwise
Fig. 1.
Context-aware: The decisions are made based on information about the context
Hierarchical: Instead of considering only the attacker and
the defender, our model involves a hierarchy of players
Scalable and lightweight: The aforementioned policies
are lightweight in the sense that they do not require
much storage and computation capabilities. In fact, a
policy is reduced to a set of probabilities related to
elementary actions. Unlike security policies operating
on traffic header fields, our proposed adaptive security
policies are slightly affected by the size of the packet
flow since the key design criteria are extracted from the
context.
B. Utility functions
Based on the analytical models described in the previous
sections, we develop a game-theoretic formulation to set up the
parameters of the adaptive security policy. The utility functions
reflect the ability of a node to authenticate or not the forwarded
traffic and its influence on security policy violation and packet
blocking. We consider a damage function, denoted by ,
which returns the efficiency of the security policy in mitigating
the intrusion, and a function, which represents the impact of
the security mechanisms on the lifetime of the network. We
use the sigmoid function to express the utility functions as
follows.
1
1 + egpv .(Ppv hpv )
,
(Ppv ) =
(11)
1
(Ppb ) = 1 1 + egpb .(Ppb hpb )
,
where Ppv and Ppb are the probabilities of security policy
violation and packet blocking, respectively, gpv and gpb determine the sensitivity of the utility functions, and hpv and hpb
represent the centers of the sigmoid functions.
A security policy violation occurs because the security
queue is full and the incoming packets will not be checked
for their compliance with the security policy. Packet blocking
occurs when the battery of the smart thing is depleted and
it switches to the sleep mode for recharging. The utility
functions defined above express a trade-off between enforcing
the policy (at the risk of depleting the battery) and forwarding
potentially forged packets without security checks (at the risk
of violating the security policy). Based on this trade-off, we
formulate a Nash Bargaining model where the equilibrium
can be determined so that both utilities are maximized. The
players of the game are the adaptive security policy and
the energy decay process. They execute random strategies
to reach an equilibrium where the balance between security-effectiveness and energy-efficiency is achieved. In this game,
the decision variable is the vector = (1 , 2 , 3 , 4 ). Adjusting the components of this vector allows controlling the
policy violation and packet dropping probabilities, thereby
impacting the damage and lifetime functions. In addition, the
disagreement outcome in our case is the point (0, 0). This point
represents the damage and lifetime values when no agreement
can be reached between the players.
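The bargaining step described above, as an added example that is not code from the paper: it maximises the Nash product of the two sigmoid utilities over the disagreement point (0, 0). It narrows the four-component decision vector to one scalar a (the share of time spent in secure mode); toy_probabilities is a constructed stand-in for the paper's Markov model, and the orientation of the sigmoids (utility falls as the probability rises) is an assumption.

```python
import math

def sigmoid_utility(p, g, h):
    # Sigmoid centred at h with sensitivity g. Assumed orientation: utility
    # falls from ~1 to ~0 as the probability p rises past h.
    return 1.0 / (1.0 + math.exp(g * (p - h)))

def toy_probabilities(a):
    # Constructed stand-in for the paper's Markov model (an assumption):
    # a is the long-run share of time the node spends in secure mode.
    p_pv = 1.0 - a   # unchecked traffic -> policy violation more likely
    p_pb = a ** 2    # authentication drains the battery -> blocking more likely
    return p_pv, p_pb

def utilities(a, g_pv=10.0, h_pv=0.5, g_pb=10.0, h_pb=0.5):
    # Damage-mitigation utility and lifetime utility at operating point a.
    p_pv, p_pb = toy_probabilities(a)
    return sigmoid_utility(p_pv, g_pv, h_pv), sigmoid_utility(p_pb, g_pb, h_pb)

def nash_product(a, disagreement=(0.0, 0.0)):
    # Product of each player's gain over the disagreement outcome.
    damage_u, lifetime_u = utilities(a)
    return (damage_u - disagreement[0]) * (lifetime_u - disagreement[1])

def nash_bargaining(steps=1000):
    # Grid search for the operating point that maximises the Nash product.
    best_a = max((k / steps for k in range(steps + 1)), key=nash_product)
    damage_u, lifetime_u = utilities(best_a)
    return best_a, damage_u, lifetime_u

if __name__ == "__main__":
    a, d, l = nash_bargaining()
    print(f"secure-mode share={a:.3f} damage utility={d:.3f} lifetime utility={l:.3f}")
    for extreme in (0.0, 1.0):
        # Always-passive and always-secure both collapse one of the utilities.
        print(f"a={extreme}: Nash product={nash_product(extreme):.4f}")
```

With these constructed parameters the bargaining solution is an interior point: always-passive and always-secure each drive one utility close to zero, so neither extreme maximises the product.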
(12)
B
B(p,0) . . . B(p,0)
B(p,1) B(p,1) . . . B(p,0)
(p) =
(13)
B
,
..
..
..
.
.
...
.
B(p,N )
B(p,c)
(p,c)
b0,0
(p,c)
b1,0
..
.
B(p,N )
...
B(p,N )
(p,c)
b0,1
(p,c)
b1,1
..
.
(p,c)
b1,2
..
.
(p,c)
(p,c)
bb,b1
..
.
(p,c)
bb,b
..
.
bb,b+1
..
.
(p,c)
bB,B
bB,B1
(p,c)
(14)
(p,c)
i=1 j=Xp+1
k=1
E(A)
(15)
(b, c, p, i),
b,c,p,i
Fig. 2.
Fig. 3.