Sage Journals: Discover world-class research

Abstract

Applying an Intrusion Detection System (IDS) to Wireless Body Area Networks (WBANs) becomes a costly task for body sensors due to their limited resources. To solve this problem, a cloud-assisted IDS framework is proposed. We adopt a new distributed-centralized mode, where IDS agents residing in body sensors will be triggered to launch. All IDS agents are only responsible for reporting the monitored events, not intrusion decision that is processed in the cloud platform. We then employ the signaling game to construct an IDS Report Game (IDSRG) depicting interactions between a body sensor and its opponent. The pure- and mixed-strategy Bayesian Nash Equilibriums (BNEs) of the stage IDSRG are achieved, respectively. As two players interact continually, we develop the stage IDSRG into a dynamic multistage game in which the belief can be updated dynamically. Upon the current belief, the Perfect Bayesian Equilibrium (PBE) of the dynamic multistage IDSRG is attained, which helps the IDS-sensor select the optimal report strategy. We afterward design a PBE-based algorithm to make the IDS-sensor decide when to report the monitored events. Experiments show the effectiveness of the dynamic multistage IDSRG in predicting the type and optimal strategy of a malicious body sensor.

1. Introduction

Recently, a specific class of Wireless Sensor Networks, known as Wireless Body Sensor Networks (WBSNs) or Wireless Body Area Networks (WBANs), has been developed as physiological sensors and low power integrated circuits are rapidly evolving. A WBAN is generally composed of some miniaturized and intelligent sensors attached on or implanted in the body, which are able to establish wireless communication links. Such networks have attracted considerable attention since they are capable of allowing for many human-central applications such as health monitoring, sports training, interactive gaming, and personal information sharing [1–5]. However, applying WBANs has to face many issues and challenges due to limited resources of body sensors [6]. One challenge in a common healthcare scenario is how to process, store, and manage the huge amount of data gathered by body sensors. Another challenge is how to meet the strict security requirement of WBANs applications [7, 8]. The openness of the wireless media of WBANs makes a malicious attacker easy to launch various attacks. Moreover, data collected by body sensors are health related and highly sensitive. Security threats may result in a patient in a hazardous situation and even death in the case of medical applications of WBANs. Therefore, Intrusion Detection System (IDS) is required to prevent body sensors from malicious actions. However, employing IDS is a costly task for body sensors due to their limited computation capability and storage capability. Moreover, these body sensors usually hold limited power while approaches to realizing IDS are computationally expensive in general. To solve these problems, cloud computing can be seen as a good remedy.

As infrastructure, cloud computing provides various services in fields of computation, storage, data access, security, and software [9, 10]. This computing model is therefore expected to play a significant role to make up for the deficiencies of body sensors. Combining WBANs with cloud computing will provide an integrated platform that realizes combination of different WBANs, scalability of data storage, and scalability of power for processing various data analyses [11]. The concept of Software as a Service, especially Security as a Service (SECaaS) [12] that represents the provision of security applications and services via the cloud platform to the customers' systems, changes the method of protecting body sensors. Through such a cloud-assisted IDS, we are able to detect misbehavior in WBANs and send back the response commands that isolate malicious body sensors. As a result, computation cost is no longer a critical factor influencing the effectiveness of security for body sensors, since security analyses and decisions are performed in the cloud platform.

Different decisions are then emerging along with the application of a cloud-assisted IDS to body sensors. Generally, IDS agents should be initially deployed in body sensors that are referred to as IDS-sensors. After these IDS-sensors have collected other body sensors' events, a problem exists in optimizing their strategies to decide whether to report events involving malicious or normal behavior. Obviously, this problem is caused by limited resources of body sensors. On the one hand, if an IDS-sensor makes a choice not to report any events, it conserves its power and bandwidth, but no malicious body sensors will be captured. However, if an IDS-sensor reports each event it detects, the probability of capturing malicious body sensors will be increased, but the IDS-sensor will run out of its power much faster. To solve this dilemma, we are motivated to employ game theory to seek the optimal strategies.

By supplying a rich set of mathematical tools for exploring the strategic decision-making, game theory has been widely employed in different fields [13–21]. These typical applications exist in optimizing the strategy of launching IDS [22], seeking autonomously stable adaptation decisions [23], minimizing power resource allocation for interference mitigation [24], optimizing service deployment in cloud computing [25], and predicting malicious behavior of attackers [26]. Among various game types, the signaling game is profitable to depict interactions between a body sensor and its corresponding IDS-sensor. In a signaling game, one player called Sender has private information about its type set while the other called Receiver is public in its type set. Thus, we can relate a body sensor, which attempts to send messages, to Sender since it may be normal or malicious so that its type is unknown to IDS-sensors. On the other hand, the corresponding IDS-sensor is related to Receiver as it only has one type.

Our interest is then to seek the optimal report strategies for body sensors using a cloud-assisted IDS to save their limited power. We deploy IDS agents to each of the body sensors. However, only those body sensors that are chosen as relays will be triggered to launch. Their responsibility is whether to report monitored events and is not to perform intrusion decisions that are analyzed and processed in the cloud platform for utilizing its powerful capabilities of computation and storage. Thus, we address the issue that a body sensor is too limited in its resources to execute the intrusion detection task that is computationally expensive in general. Using the signaling game, we address the other issue: when should an IDS-sensor report the monitored events? We reflect economic interactions between a body sensor and its corresponding IDS-sensor by constructing an IDS Report Game (IDSRG). We gradually explore the pure- and mixed-strategy BNEs (Bayesian Nash Equilibriums) of the stage IDSRG. As two players play the game continually, we develop the stage IDSRG into a dynamic multistage IDSRG and attain the mixed-strategy PBE (Perfect Bayesian Equilibrium) of the dynamic game. Upon the advantage of PBE, we design an algorithm to guide the IDS-sensor with the optimal report strategy. In this manner, the IDS-sensor is able to prolong its battery life while reporting an acceptable amount of monitored events.

Our contributions are summarized as follows: (1)

We propose a cloud-assisted IDS framework for WBANs, in which intrusion analyses and decisions are performed in the cloud platform. Thus, a body sensor is no longer concerned about its limited computation for realizing its security.

(2)

We construct the IDSRG based on the signaling game, which satisfies the actual environment where an IDS-sensor does not know the type of its opponent and is able to properly depict economic interactions between an IDS-sensor and its opponent.

(3)

We attain equilibrium theorems of the stage IDSRG as well as the dynamic multistage IDSRG, which disclose the rational behavior of the IDS-sensor and its opponent.

(4)

We design a report algorithm based on PBE, which provides an IDS-sensor with the optimal strategy to decide whether to take the action Report or not. In other words, an IDS-sensor does not always report monitored events, and thus its energy is saved.

The rest of this paper is organized as follows. In Section 2, we overview related works and highlight our particular aspects. In Section 3, we illustrate our network model and construct the stage and dynamic multistage IDSRG. In Section 4, we present a cloud-assisted IDS framework for WBANs and design a report algorithm based on PBE. In Section 5, we perform experiments to show the characteristics of the dynamic multistage IDSRG. Finally, conclusions are provided in Section 6.

Notations used in this paper are mainly listed in the Notations.

2. Related Work

Integration of cloud computing and WBANs is particularly attractive as it is able to expand the computation paradigm of WBANs. This infrastructure overcomes several shortfalls of WBANs like the storage capacity of data collected by body sensors and the ability to process these data. In spite of the above benefits, their emerging influences could be hindered by various security threats. Body sensors are susceptible to attacks, including node capturing and compromising. Patient's privacy may be lost in the cloud platform or may not be correctly supervised. For solving these issues, a protocol to attain storage and computation security in cloud computing is proposed in [27]. Zhang et al. [28] presented a key agreement scheme that provides neighboring body sensors with a common key generated by electrocardiogram signals, in order to preserve the integrity and privacy of medical data. The authors in [29] proposed a combined framework for reliable and secure data transmission in WBANs. In addition, the method of establishing trust among body sensors has been regarded as efficient implement to improve the security and performance of WBANs, in which trust evaluation [30] and trust management [31] always should be performed.

Different from the above prevention-based mechanisms to guarantee network security, an IDS, as the second line of defense, is regarded as a detection-based approach that is a necessary tool for realizing security of networks [32]. Typical techniques such as the swarm based rough set [33], Kalman filter [34], support vector machine [35], and unsupervised anomaly detection [36] are applied to IDSs in different networks. Since malicious body sensors usually disrupt the normal operation of WBANs and waste limited resources of normal body sensors, an IDS is required for WBANs to detect malicious body sensors that have broken down the prevention-based mechanisms. Using the IDS, WBANs will be capable of reacting with and isolating intruders to ensure body sensors' normal operation. However, there only exist a few studies of intrusion detection towards WBANs although many intrusion detection studies [37, 38] have been done for Wireless Sensor Networks. In [39], the authors gave a security framework of WBANs for monitoring ambulatory health status. They then proposed an IDS, which is inspired by the biological immune system using the negative selection algorithm, to maintain performance of WBANs in the presence of malicious body sensors. Wu et al. [40] proposed an intrusion-tolerant scheme for WBANs, which is able to dynamically detect intrusions and provide an adaptive strategy with passive replication via the combination of threshold-based intrusion detection and replicas classification. Unfortunately, these works [39, 40] do not consider the computation cost incurred by launching IDS agents. The emergence of cloud computing allows us to tackle this burden by applying its powerful computing ability. Through IDS services, IDS-sensors can transfer the cost of analyzing and processing suspicious data into the cloud platform. Thus, the rest of the problem of IDS-sensors is whether or not to report the monitored events.

Up to now, several works have been concerned about the utilities of employing an IDS via game theory. In [41], Otrok et al. proposed a cooperative game model for catching a misbehaving cluster head through checkers, which can analyze interactions among checkers to decrease the false positive rate. Moreover, a noncooperative zero-sum game between the cluster head and malicious node is formulated to maximize the probability of detection for an elected head. They [42] also conducted a noncooperative game between the intruders and IDS to guide the IDS to select an optimal sampling strategy in order to effectively reduce the success chances of intruders. Zhu et al. [43] combined game-theoretic modeling and trust management to design an intrusion detection network. With a noncooperative N-person continuous-kernel game model, each IDS seeks reciprocal incentive-based optimal resource allocation to maximize the aggregated satisfaction levels of its neighbors. Huang et al. [44] proposed a new IDS called Markovian IDS, which is able to select the optimal defense strategy of misuse detection with noncooperative game theory and to determine the weakest nodes representing potential security risks via a Markov decision process. Zonouz et al. [45] proposed a response and recovery engine based on a two-player Stackelberg stochastic game, which applies attack-response trees to analyze undesired system-level security events and to choose optimal response actions by solving a partially observable competitive Markov decision process. Shamshirband et al. [46] introduced a method called cooperative game-based fuzzy Q-learning to implement cooperative defense counterattack scenarios for the sink node and the base station. Using the signaling game, Shen et al. [22] constructed an intrusion detection game, which is able to depict interactions between the sensor node and IDS agent. The PBE attained is applied to obtain the optimal strategy determining when to launch the IDS agent. Thus, the IDS agent is not always in work and the sensor's power required to detect malicious behavior is saved. They [47] also obtain optimal strategies to save IDS agents' power, through Quantal Response Equilibrium (QRE) that is more realistic than Nash Equilibrium. In addition, Liu et al. [48] investigated the security and dependability mechanism when service providers are facing service attacks of software and hardware and proposed a stochastic evolutionary coalition game (SECG) framework for secure and reliable defenses in Sensor-Cloud.

Our work is distinguished in some aspects compared to the related works above. We adopt an IDS to detect malicious body sensors in WBANs so as to protect patients' privacy. We integrate cloud computing into WBANs to extend body sensors' abilities of computation and storage. Thus, plenty of computation cost incurred by IDS agents can be migrated from body sensors to the cloud platform. We construct an IDSRG in which the game type and corresponding equilibriums are different from [41–44], in order to seek the optimal strategy to decide when to report events monitored by IDS-sensors. The signaling game used in our work properly depicts the actual situation in which an IDS-sensor is uncertain about the type of its opponent. Our work is especially motivated by [22]. However, when analyzing the payoffs of two players, we consider the factors, including the channel reliability, attack success rate, detection rate, and false alarm rate, while only the detection rate and the false alarm rate are considered in [22]. Consequently, we attain the optimal strategies that are more adequate than those in [22].

3. A Report Game for WBANs Using a Cloud-Assisted IDS

3.1. Network Model

In [49], Farooqi and Khan have overviewed that there are three different ways of installing IDS agents in Wireless Sensor Networks. These are purely centralized, purely distributed, and mixed. In the purely centralized mode, an IDS agent is installed in the sink or base station. For realizing this way, an additional special routing protocol that collects information from sensor nodes is required so that the IDS agent can evaluate the behavior of sensor nodes according to the collected information. On the contrary, an IDS agent is installed in every sensor node in the purely distributed mode. It checks the data received in its communication range and declares whether a sensor node is compromised or not. Different from the two modes above, in the mixed mode IDS agents are only installed in monitor sensor nodes that are initially assigned. These monitor sensor nodes not only perform activities like normal sensor nodes but also check for intrusion detection.

To exert the powerful storage and computation capability of cloud computing, we adopt a new hybrid mode to realize a cloud-assisted IDS for WBANs, as depicted in Figure 1. In our mode, we deploy IDS agents in each body sensor, unlike the traditional case that the IDS agent is only installed in monitor sensor nodes. However, not all IDS agents work continuously; only IDS agents residing in body sensors that are selected as relays to forward information will be triggered to launch. Another different aspect is that the IDS agent in our network is only responsible for the monitor task, not including intrusion decisions that are made by the IDS in the cloud platform.

Figure 1

Network model of WBANs using a cloud-assisted IDS.

In Figure 1, the IDS-sensor audits data coming from those body sensors that lie inside its radio range or are its neighbors. It produces alert events if any body sensor works abnormally and may report them through the sink to the detection engine that exists in the cloud platform.

Now, a problem that will arise is how to select the optimal report strategy when a cloud-assisted IDS is applied to WBANs. The optimal strategy to be attained should maximize the probability of capturing malicious body sensors but minimize the report cost. To solve this dilemma, we next employ a dynamic multistage signaling game to model interactions between a body sensor and its corresponding IDS agent.

3.2. A Stage IDS Report Game

Definition 1.

The stage IDS Report Game (IDSRG) for WBANs using a cloud-assisted IDS is a 5-tuple $(N, T, A, P, U)$ , where (i)

$N = \{B o d y s e n s o r S, I D S - s e n s o r I\}$ is a set of players;

(ii)

$T = T_{S} \times T_{I}$ , where $T_{S} = {τ_{S}^{0}, τ_{S}^{1}}$ is the type set of player S and $T_{I} = {τ_{I}}$ is the type set of player I;

(iii)

$A = A_{S} \times A_{I}$ , where $A_{S} = {A_{S} (τ_{S}^{0}), A_{S} (τ_{S}^{1})} = {{a_{τ_{S}^{0}} | C o o p e r a t e}, {a_{τ_{S}^{1}} | A t t a c k, C o o p e r a t e}}$ is the action set of player S and $A_{I} = {a_{I} | R e p o r t, N o t - r e p o r t}$ is the action set of player I;

(iv)

P: $T \mapsto [0,1]$ is a prior probability distribution over types drawn by Nature (in game theory, Nature randomly chooses a type for each player according to the probability distribution across each player's type space), and $P = (p, 1 - p)$ , where p is referred to as the probability of a body sensor being malicious and then $1 - p$ is the probability of a body sensor being normal;

(v)

$U = {(u_{S}, u_{I})}$ , where $u_{S} : A \times T \mapsto R$ and $u_{I} : A \times T \mapsto R$ are the payoff functions of players S and I, respectively.

In the stage IDSRG, we consider there are two players, that is, body sensor S and IDS-sensor I. Body sensor S has private information about its type, which may be normal, denoted by $τ_{S}^{0}$ , or malicious, denoted by $τ_{S}^{1}$ . That is, the type of body sensor S is unknown to IDS-sensor I. On the contrary, IDS-sensor I has only one regular type denoted by $τ_{I}$ , and its type information is common knowledge to two players.

At each time slot, each player selects its action from its action space. If body sensor S is normal, it always cooperates. Its action denoted by $a_{τ_{S}^{0}}$ is therefore Cooperate. That is, $τ_{S}^{0}$ has one pure strategy: Cooperate. On the other hand, if body sensor S is malicious, it may attack for attaining potential profits or cooperate for disguising itself so that the IDS will be misled and is unable to distinguish its maliciousness. Therefore, the action of $τ_{S}^{1}$ , denoted by $a_{τ_{S}^{1}}$ , may be Attack or Cooperate. That is, $τ_{S}^{1}$ has two pure strategies: Attack and Cooperate. For IDS-sensor I, it may report the monitored events that come from body sensors in its radio range or not report these events for saving its energy to prolong its lifetime. Therefore, the action of $τ_{I}$ , denoted by $a_{τ_{I}}$ , is either Report or Not-report. That is, $τ_{I}$ has two pure strategies: Report and Not-report.

To express the payoff matrix of the stage IDSRG, we introduce some parameters. A malicious body sensor can select the action Attack to waste the limited resources of WBANs and disrupt normal network operations. Such an attack can result in, for example, a failure of communication between two neighbors. The malicious body sensor, however, gets a gain from the attack while it has to pay the cost of consuming power to launch the attack. We therefore present $g_{A}$ and $c_{A}$ to denote the attack gain and cost, respectively. When a malicious or normal body sensor selects the action Cooperate that means it makes itself available for communication, the packet can be then forwarded successfully through a link including this body sensor. Thus, the normal body sensor benefits from good network operations. In addition, the malicious body sensor gets a gain due to its disguise that helps itself avoid the IDS detection. However, receiving and forwarding packets during the cooperation communication will incur a cost of consuming power. We assume that, for simplicity, both the malicious and normal body sensors get the same gain and pay the same cost when selecting the action Cooperate. We therefore present $g_{C}$ and $c_{C}$ to denote the cooperation gain and cost, respectively. For an IDS-sensor, when it selects the action Report, it gets a gain denoted by $g_{R}$ once the cloud platform detects the malicious body sensor due to its report. At the same time, it suffers a cost $c_{R}$ from energy consumption used to transmit the monitored events. Moreover, like any general IDS, the IDS service in the cloud platform has false positive rate (i.e., false alarm rate) β, $β \in [0,1]$ . The existence of false alarms, meaning that body sensors in normal communication are detected in error as malicious ones, will result in a loss $l_{F}$ to the IDS-sensor due to its report. Besides the false positive rate, there exists the true positive rate (i.e., detection rate) α, $α \in [0,1]$ , during the process of intrusion detection. In addition, we introduce λ, $λ \in [0,1]$ as the channel reliability reflecting the actual communication environments in a cloud-assisted IDS for WBANs. In addition, we present γ, $γ \in [0,1]$ , as the attack success rate satisfying the case that a malicious body sensor does not always attack successfully.

We can next analyze various payoffs under different action profiles of two players, which are shown in Table 1. For the action profile $(a_{τ_{S}^{1}} = A t t a c k, a_{τ_{I}} = R e p o r t)$ , in Table 1(a), the payoff of malicious body sensor $τ_{S}^{1}$ is the gain of failing to be detected minus the loss of being detected minus the attack cost, that is, $(1 - α) λ γ g_{A} - α λ g_{R} - c_{A}$ , where $1 - α$ is the false negative rate in fact. In contrast, the payoff of IDS-sensor $τ_{I}$ is the gain of detecting successfully a malicious body sensor minus the loss of failed detection minus the report cost, that is, $α λ g_{R} - (1 - α) λ γ g_{A} - c_{R}$ . For the action profile $(a_{τ_{S}^{1}} = A t t a c k, a_{τ_{I}} = N o t - R e p o r t)$ , the payoff of $τ_{S}^{1}$ is the attack gain minus the attack cost, that is, $λ γ g_{A} - c_{A}$ , while the payoff of $τ_{I}$ is the loss of being attacked, that is, $- λ γ g_{A}$ . For the action profile $(a_{τ_{S}^{1}} = C o o p e r a t e, a_{τ_{I}} = R e p o r t)$ , the payoff of $τ_{S}^{1}$ is the cooperation gain minus the cooperation cost, that is, $λ g_{C} - c_{C}$ , while the payoff of $τ_{I}$ is the loss of false alarm minus the report cost, that is, $- β λ l_{F} - c_{R}$ . For the action profile $(a_{τ_{S}^{1}} = C o o p e r a t e, a_{τ_{I}} = N o t - R e p o r t)$ , the payoff of $τ_{S}^{1}$ is the same as one in the action profile $(a_{τ_{S}^{1}} = C o o p e r a t e, a_{τ_{I}} = R e p o r t)$ while the payoff of $τ_{I}$ is 0. In Table 1(b), the payoff of normal body sensor $τ_{S}^{0}$ is always $λ g_{C} - c_{C}$ . The payoff of $τ_{I}$ is $- β λ l_{F} - c_{R}$ if it reports and is 0 if it decides not to report.

Table 1

Payoff matrix of the stage IDSRG.

(a) Body sensor S is malicious

	Report	Not-report

Attack	$(1 - α) λ γ g_{A} - α λ g_{R} - c_{A}$ , $α λ g_{R} - (1 - α) λ γ g_{A} - c_{R}$	$λ γ g_{A} - c_{A}$ , $- λ γ g_{A}$
Cooperate	$λ g_{C} - c_{C}$ , $- β λ l_{F} - c_{R}$	$λ g_{C} - c_{C}$ , 0

(b) Body sensor S is normal

	Report	Not-report
Cooperate	$λ g_{C} - c_{C}$ , $- β λ l_{F} - c_{R}$	$λ g_{C} - c_{C}$ , 0

3.3. Equilibrium Analyses of the Stage IDSRG

The stage IDSRG belongs to a game of incomplete information, since an IDS-sensor does not know its opponent's type during interactions. We should therefore change it into a complete but imperfect information game through the Harsanyi transformation to attain the corresponding BNE. During the process of the Harsanyi transformation, a virtual player Nature is introduced and moves first to choose a type of player S. Thus, the extensive form of the stage IDSRG can be constructed in Figure 2, where p chosen by Nature is the probability of a body sensor being malicious.

Figure 2

Extensive form of the stage IDSRG.

Theorem 2.

In the stage IDSRG, there exists a probability threshold of a body sensor being malicious, $p_{0}$ , such that a pure-strategy BNE exists if $p < p_{0}$ .

Proof.

Case 1. Player S chooses the pure strategy $(a_{τ_{S}^{1}} = A t t a c k, a_{τ_{S}^{0}} = C o o p e r a t e)$ meaning that a malicious body sensor always plays the action Attack and a normal body sensor always plays the action Cooperate.

Under Case 1, the expected payoffs of player I selecting actions Report and Not-report are

\begin{matrix} E_{I} (R e p o r t) = p (α λ g_{R} - (1 - α) λ γ g_{A} - c_{R}) + (1 - p) (- β λ l_{F} - c_{\dot{R}}), \end{matrix}

(1)

\begin{matrix} E_{I} (N o t - r e p o r t) = - p λ γ g_{A}, \end{matrix}

(2)

respectively. If

E_{I} (R e p o r t) \geq E_{I} (N o t - r e p o r t)

, that is,

\begin{matrix} p \geq \frac{(β λ l_{F} + c_{R})}{(α λ g_{R} + α λ γ g_{A} + β λ l_{F})}, \end{matrix}

(3)

then the dominant strategy for player I is Report. However, if player I selects the action Report, Attack will not be the dominant strategy for a malicious body sensor since

\begin{matrix} (1 - α) λ γ g_{A} - α λ g_{R} - c_{A} < λ g_{C} - c_{C} \end{matrix}

(4)

is reasonable. Therefore, the pure strategy

(a_{τ_{S}^{1}} = A t t a c k, a_{τ_{S}^{0}} = C o o p e r a t e)

is not a pure-strategy BNE. If

E_{I} (R e p o r t) < E_{I} (N o t - r e p o r t)

, that is,

\begin{matrix} p < \frac{(β λ l_{F} + c_{R})}{(α λ g_{R} + α λ γ g_{A} + β λ l_{F})}, \end{matrix}

(5)

then the dominant strategy for player I is Not-report. Correspondingly, Attack will be the dominant strategy for a malicious body sensor since

\begin{matrix} λ γ g_{A} - c_{A} > (1 - α) λ γ g_{A} - α λ g_{R} - c_{A} \end{matrix}

(6)

is reasonable. Therefore, the action profile

((a_{τ_{S}^{1}} = A t t a c k, a_{τ_{S}^{0}} = C o o p e r a t e), a_{I} = N o t - r e p o r t)

is a pure-strategy BNE.

Case 2. Player S chooses the pure strategy $(a_{τ_{S}^{1}} = C o o p e r a t e, a_{τ_{S}^{0}} = C o o p e r a t e)$ meaning that it always plays the action Cooperate irrespective of its type. For player I, the dominant strategy to response to a normal body sensor's action Cooperate is Not-report, whereas for a malicious body sensor, the dominant strategy to response to the action Not-report is Attack. This leads to a contradictory result. Therefore, there are not any pure-strategy BNEs when player S chooses the pure strategy $(a_{τ_{S}^{1}} = C o o p e r a t e, a_{τ_{S}^{0}} = C o o p e r a t e)$ .

To sum up, a pure-strategy BNE $((a_{τ_{S}^{1}} = A t t a c k, a_{τ_{S}^{0}} = C o o p e r a t e), a_{I} = N o t - r e p o r t)$ exists if and only if (5) is satisfied. In other words, we can find $p_{0} = (β λ l_{F} + c_{R}) / (α λ g_{R} + α λ γ g_{A} + β λ l_{F})$ such that a pure-strategy BNE exists if $p < p_{0}$ .

The pure strategy attained from Theorem 2 means that player S always plays the action Attack for a malicious body sensor or Cooperate for a normal body sensor while player I always plays the action Not-report. This pure strategy is not practical because the equilibrium requires player I to take the action Not-report at all times, and hence malicious body sensors will not be captured forever. In fact, the equilibrium attained from Theorem 2 is referred to as Pooling Equilibrium [50] in which player I has no clue about the type of player S. Therefore, it is essential to find a mixed-strategy BNE for capturing malicious body sensors.

Theorem 3.

In the stage IDSRG, there is a mixed-strategy BNE if $p \geq p_{0}$ .

Proof.

From Theorem 2, obviously, the mixed-strategy BNE to be sought exists only if $p \geq p_{0}$ . Let ρ be the probability with which a malicious body sensor plays the action Attack and let δ be the probability with which player I plays the action Report. We next need to find the optimal values of ρ and δ such that neither player S nor player I can increase the payoff by deviating the mixed-strategy BNE. For the mixed strategy played by player S, the expected payoffs of player I selecting actions Report and Not-report are

\begin{matrix} E_{I} (R e p o r t) = ρ p (α λ g_{R} - (1 - α) λ γ g_{A} - c_{R}) + (1 - ρ) p (- β λ l_{F} - c_{R}) + (1 - p) (- β λ l_{F} - c_{R}), \end{matrix}

(7)

\begin{matrix} E_{I} (N o t - r e p o r t) = - ρ p λ γ g_{A}, \end{matrix}

(8)

respectively. According to the indifference between actions Report and Not-report under the optimal mixed strategy played by player I, we get

\begin{matrix} E_{I} (R e p o r t) = E_{I} (N o t - r e p o r t) . \end{matrix}

(9)

Thus, the optimal probability of a malicious body sensor selecting the action Attack is

\begin{matrix} ρ^{*} = \frac{(β λ l_{F} + c_{R})}{[p λ (α g_{R} + α γ g_{A} + β l_{F})]} . \end{matrix}

(10)

For the mixed strategy played by player I, the expected payoffs of player S selecting actions Attack and Cooperate are

\begin{matrix} E_{S} (A t t a c k) = δ p ((1 - α) λ γ g_{A} - α λ g_{R} - c_{A}) + (1 - δ) p (λ γ g_{A} - c_{A}), \end{matrix}

(11)

\begin{matrix} E_{S} (C o o p e r a t e) = δ p (λ g_{C} - c_{C}) + (1 - δ) p (λ g_{C} - c_{C}) + δ (1 - p) (λ g_{C} - c_{C}) + (1 - δ) (1 - p) (λ g_{C} - c_{C}), \end{matrix}

(12)

respectively. According to the indifference between actions Attack and Cooperate under the optimal mixed strategy played by player S, we get

\begin{matrix} E_{S} (A t t a c k) = E_{S} (C o o p e r a t e) . \end{matrix}

(13)

Thus, the optimal probability of player I selecting the action Report is

\begin{matrix} δ^{*} = \frac{[p (λ γ g_{A} - c_{A}) + c_{C} - λ g_{C}]}{[p α λ (γ g_{A} + g_{R})]} . \end{matrix}

(14)

To sum up, given $p \geq p_{0}$ , we can find a mixed-strategy BNE ((Attack with $ρ^{*}$ for $τ_{S}^{1}$ , Cooperate for $τ_{S}^{0}$ ), Report with $δ^{*}$ for $τ_{I}$ ) that means a malicious body sensor plays the action Attack with probability $ρ^{*}$ and a normal body sensor always plays the action Cooperate while player I plays the action Report with probability $δ^{*}$ .

Theorems 2 and 3 provide the IDS-sensor with the conditions under which the BNE can be achieved. We can obtain the probability threshold of a body sensor being malicious, $p_{0}$ , which is related to the channel reliability λ, cloud-assisted IDS' detection rate α, and false alarm rate β, as well as attack success rate γ. This threshold is extremely low since the gains of actions Report and Attack, compared to the cost of the action Report, are very large as $λ, α, β, γ \in [0,1]$ . However, as the probability of a body sensor being malicious, p, grows and eventually exceeds the threshold, the mixed-strategy BNE suggested in Theorem 3 requires the malicious body sensor to be less offensive in attacking.

The advantage of applying Theorems 2 and 3 is that an IDS-sensor is not always in taking the action Report. As a result, the power consumption of the IDS-sensor can be conserved. However, Theorems 2 and 3 are only concerned with a slot time of interactions between an IDS-sensor and its opponent. As two players continually interact with each other, the belief (i.e., probability of a body sensor being malicious), p, which is used to compute the optimal strategy for an IDS-sensor to determine when to select the action Report, may be updated dynamically. Therefore, we should develop the stage IDSRG into a dynamic multistage IDSRG to dynamically present the belief of player I on the type of player S.

3.4. Dynamic Multistage IDSRG

Following interactions between players S and I, the stage IDSRG is repeatedly played at each continuous time slot $t_{k}$ , where $k = 1,2, \dots, n (n \in Z^{+})$ . For simplicity, we assume the payoffs of players at the $t_{k}$ th stage game are the same as those at the $t_{k - 1}$ th stage game; that is, there is no discount with respect to the payoffs of players in the dynamic multistage IDSRG. Besides the notations defined in the stage IDSRG, we let $h_{S} (t_{k})$ be the historical actions of player S, let $a_{S} (t_{k})$ be the action adopted by player S at the $t_{k}$ th stage game, and let $p (τ_{S}^{1} | a_{S} (t_{k}), h_{S} (t_{k}))$ be the posterior belief meaning the probability of a body sensor being malicious at the end of the $t_{k}$ th stage IDSRG, respectively. Based on the Bayesian rule, this posterior belief can be constructed at the $t_{k}$ th stage IDSRG.

Definition 4.

The posterior belief hold by player I can be computed by

\begin{matrix} p (τ_{S}^{1} | a_{S} (t_{k}), h_{S} (t_{k})) = \frac{p (τ_{S}^{1} | h_{S} (t_{k})) p (a_{S} (t_{k}) | τ_{S}^{1}, h_{S} (t_{k}))}{\sum_{{\hat{τ}}_{S} \in T_{S}} p ({\hat{τ}}_{S} | h_{S} (t_{k})) p (a_{S} (t_{k}) | {\hat{τ}}_{S}, h_{S} (t_{k}))}, \end{matrix}

(15)

where, for any

τ_{S} \in {τ_{S}^{0}, τ_{S}^{1}}

p (τ_{S} | h_{S} (t_{k}))

and

p (a_{S} (t_{k}) | τ_{S}, h_{S} (t_{k}))

denote, with the historical actions of player S, the prior belief hold by player I and the probability of a body sensor selecting action

a_{S} (t_{k})

, respectively.

As described beforehand, the cloud-assisted IDS may inevitably produce detection errors and false alarms. In addition, communicating in WBANs may lose packets. Due to these factors, the actions observed by player I may not always reflect the reality accurately. We integrate these factors into computing the conditional probability $p (a_{S} (t_{k}) | τ_{S}, h_{S} (t_{k}))$ , $τ_{S} \in {τ_{S}^{0}, τ_{S}^{1}}$ , which can be updated as follows:

\begin{matrix} p (A t t a c k | τ_{S}^{1}, h_{S} (t_{k})) = α λ ρ_{k} + β (1 - λ ρ_{k}), \\ p (C o o p e r a t e | τ_{S}^{1}, h_{S} (t_{k})) = (1 - α) λ ρ_{k} + (1 - β) (1 - λ ρ_{k}), \\ p (A t t a c k | τ_{S}^{0}, h_{S} (t_{k})) = β, \\ p (C o o p e r a t e | τ_{S}^{0}, h_{S} (t_{k})) = 1 - β, \end{matrix}

(16)

where

1 - α

1 - λ

1 - β

, and

ρ_{k}

denote the false negative rate, the channel unreliability, the true negative rate, and the probability of player S selecting the action Attack at the

t_{k}

th stage IDSRG, respectively.

So far, a belief system based on (15)-(16) has been presented to describe the belief building and updating process. It is easy to see that each belief to be updated is dependent on a body sensor's action player I observes at the current stage IDSRG and the prior belief it holds. With the belief system, we can define the dynamic multistage IDSRG as follows.

Definition 5.

The dynamic multistage IDSRG is a 5-tuple $(N, T, A, U, P (t_{k}))$ , where (i)

$N$ , $T$ , $A$ , and $U$ are the same as those defined in Definition 1;

(ii)

$P (t_{k}) = (p (τ_{S}^{1} | h_{S} (t_{k})), 1 - p (τ_{S}^{1} | h_{S} (t_{k})))$ , where $p (τ_{S}^{1} | h_{S} (t_{k}))$ denotes the probability of a body sensor being malicious with the historical actions $h_{S} (t_{k})$ at the $t_{k}$ th stage IDSRG, and it will be updated by $p (τ_{S}^{1} | a_{S} (t_{k}), h_{S} (t_{k}))$ computed by (15) at the end of the $t_{k}$ th stage IDSRG.

For the dynamic multistage IDSRG, Perfect Bayesian Equilibrium (PBE) can be applied to seek the optimal strategies of two players. This is because the dynamic multistage IDSRG is essentially regarded as a dynamic Bayesian game. With the aforementioned belief system, the dynamic multistage IDSRG is played in a sequential manner. Players S and I will not always select the same strategies at each stage game to attain the most expected payoffs. Their best response strategies are related to the current belief that may be changed as the dynamic multistage IDSRG evolves. This relation can be disclosed by the concept of PBE. We next illustrate that the dynamic multistage IDSRG satisfies the Bayesian conditions, which guarantee that an incomplete information game has a PBE.

Lemma 6.

The dynamic multistage IDSRG satisfies the following Bayesian conditions B(i)–B(iv) referred to in [50]:

B(i):the posterior beliefs are independent, and all types of player I have the same beliefs.

B(ii):the Bayesian rule is used to update beliefs from $p (τ_{S} | h_{S} (t_{k}))$ to $p (τ_{S} | h_{S} (t_{k + 1}))$ for any $τ_{S} \in {τ_{S}^{0}, τ_{S}^{1}}$ .

B(iii):the players do not signal what they do not know.

B(iv):the posterior beliefs are consistent with a common joint distribution on $T$ given $h_{S} (t_{k})$ .

Proof.

B(i) is satisfied because player I has only one type. B(ii) is satisfied because the beliefs updated in the belief system are derived from the Bayesian rule. B(iii) means $p (τ_{S}^{1} | a_{S} (t_{k}), h_{S} (t_{k})) = p (τ_{S}^{1} | {\hat{a}}_{S} (t_{k}), h_{S} (t_{k}))$ if $a_{S} (t_{k}) = {\hat{a}}_{S} (t_{k})$ , which is satisfied because the signals of player S are the part of actions in the context of the dynamic multistage IDSRG. B(iv) is satisfied because only players S and I are in any stage game where no other players affect the beliefs updated by player I on its opponent.

Theorem 7.

There is a mixed-strategy PBE in the dynamic multistage IDSRG.

Proof.

At the $t_{k}$ th stage IDSRG, let $ρ_{k}$ and $δ_{k}$ denote the probabilities of a body sensor selecting the action Attack and the corresponding IDS-sensor selecting the action Report, respectively. For player I at the $t_{k}$ th stage IDSRG, the expected payoffs of selecting actions Report and Not-report at the $t_{k}$ th stage game are

\begin{matrix} E_{I}^{t_{k}} (R e p o r t) = ρ_{k} p (τ_{S}^{1} | h_{S} (t_{k})) (α λ g_{R} - (1 - α) λ γ g_{A} - c_{R}) + (1 - ρ_{k}) p (τ_{S}^{1} | h_{S} (t_{k})) (- β λ l_{F} - c_{R}) + (1 - p (τ_{S}^{1} | h_{S} (t_{k}))) (- β λ l_{F} - c_{R}), \end{matrix}

(17)

\begin{matrix} E_{I}^{t_{k}} (N o t - r e p o r t) = - ρ_{k} p (τ_{S}^{1} | h_{S} (t_{k})) λ γ g_{A}, \end{matrix}

(18)

respectively. According to the indifference between actions Report and Not-report under the optimal mixed strategy played by player I at the

t_{k}

th stage IDSRG, we get

\begin{matrix} E_{I}^{t_{k}} (R e p o r t) = E_{I}^{t_{k}} (N o t - r e p o r t) . \end{matrix}

(19)

Thus, the optimal probability of a malicious body sensor selecting the action Attack is

\begin{matrix} ρ_{k}^{*} = \frac{(β λ l_{F} + c_{R})}{[p (τ_{S}^{1} | h_{S} (t_{k})) λ (α g_{R} + α γ g_{A} + β l_{F})]} . \end{matrix}

(20)

For a body sensor at the

t_{k}

th stage IDSRG, the expected payoffs of selecting actions Attack and Cooperate are

\begin{matrix} E_{S}^{t_{k}} (A t t a c k) = δ_{k} p (τ_{S}^{1} | h_{S} (t_{k})) ((1 - α) λ γ g_{A} - α λ g_{R} - c_{A}) + (1 - δ_{k}) p (τ_{S}^{1} | h_{S} (t_{k})) (λ γ g_{A} - c_{A}), \end{matrix}

(21)

\begin{matrix} E_{S}^{t_{k}} (C o o p e r a t e) = δ_{k} p (τ_{S}^{1} | h_{S} (t_{k})) (λ g_{C} - c_{C}) + (1 - δ_{k}) p (τ_{S}^{1} | h_{S} (t_{k})) (λ g_{C} - c_{C}) + δ_{k} (1 - p (τ_{S}^{1} | h_{S} (t_{k}))) (λ g_{C} - c_{C}) + (1 - δ_{k}) (1 - p (τ_{S}^{1} | h_{S} (t_{k}))) (λ g_{C} - c_{C}), \end{matrix}

(22)

respectively. According to the indifference between actions Attack and Cooperate under the optimal mixed strategy played by player S at the

t_{k}

th stage IDSRG, we get

\begin{matrix} E_{S}^{t_{k}} (A t t a c k) = E_{S}^{t_{k}} (C o o p e r a t e) . \end{matrix}

(23)

Thus, the optimal probability of player I selecting the action Report is

\begin{matrix} δ_{k}^{*} = \frac{[p (τ_{S}^{1} | h_{S} (t_{k})) (λ γ g_{A} - c_{A}) + c_{C} - λ g_{C}]}{[p (τ_{S}^{1} | h_{S} (t_{k})) α λ (γ g_{A} + g_{R})]} . \end{matrix}

(24)

To sum up, there is a mixed-strategy PBE that can be attained with the strategy profile ((Attack with $ρ_{k}^{*}$ for $τ_{S}^{1}$ , Cooperate for $τ_{S}^{0}$ ), Report with $δ_{k}^{*}$ for $τ_{I}$ ) at the $t_{k}$ th stage IDSRG.

From Theorem 7, the two rational players S and I at the $t_{k}$ th stage IDSRG will play with the strategy profile shown in Theorem 7. This strategy profile exhibits the so-called sequential rationality in game theory [50], which means each player's strategy is optimal whenever it has to be changed, given the belief and each other's actions. The PBE makes the IDS-sensor not always report its opponent's events while minimizing the possible damage caused by an undetected malicious body sensor. Energy that is potentially consumed by the IDS-sensor to continuously report the monitored events is therefore saved.

4. Applying PBE-Based Report Strategies to WBANs Using a Cloud-Assisted IDS

To facilitate the advantage of the above PBE, we propose and design a framework of applying IDSRG to WBANs using a cloud-assisted IDS, as illustrated in Figure 3. The framework consists of three entities: body sensor S, IDS-sensor I, and cloud platform. Body sensor S may be normal or malicious; it therefore signals the action Cooperate or Attack that forms Monitored Events. As the opponent of body sensor S, IDS-sensor I captures those Monitored Events and decides whether to report them to cloud platform through the sink. Once cloud platform receives the Reported Events, the IDS will be immediately triggered as a service and then examine the obtained record. Finally, according to alerts produced by the IDS Administrator may send Control Data to deal with a malicious body sensor.

Figure 3

Framework of applying IDSRG to WBANs using a cloud-assisted IDS.

The heart of the framework is PBE calculation whose results indict IDS-sensor I with the probability of selecting the action Report. This calculation starts with Monitored Events captured by IDS-sensor I. Administrator first configures the IDS agent in IDS-sensor I with Configuration Data for making it more reliable and accurate. He/she also defines the game parameters required, including α, β, γ, λ, $g_{A}$ , $g_{R}$ , $g_{C}$ , $c_{A}$ , $c_{C}$ , $c_{R}$ , $l_{F}$ , and $p (τ_{S}^{1} | h_{S} (t_{k}))$ . Upon these game parameters, a stage IDSRG is built up and the payoff matrix is correspondingly formulated. With the signal included in Monitored Events and the stage IDSRG, the IDS agent computes the probability of selecting the action Report, $δ_{k}^{*}$ , according to (24). It also, according to (15), computes the posterior belief $p (τ_{S}^{1} | a_{S} (t_{k}), h_{S} (t_{k}))$ that is used to update $p (τ_{S}^{1} | h_{S} (t_{k}))$ for the next stage IDSRG. The process above will then be repeatedly done until the end of interactions between players S and I. The algorithm describing the PBE-based strategy to decide whether to report Monitored Events is given as Algorithm 1.

Algorithm 1: PBE-based report algorithm for an IDS-sensor.

(1) $k \leftarrow 1$ ;

(2) Initialize game parameters α, β, γ, λ, $g_{A}$ , $g_{R}$ , $g_{C}$ , $c_{A}$ , $c_{C}$ , $c_{R}$ , $l_{F}$ , and $p (τ_{S}^{1} | h_{S} (t_{k}))$ ;

(3) Select the action Not-report;

(4) Do UNTIL the end of interactions between an IDS-sensor and its opponent

(5) Waked by Monitored Events;

(6) IF the IDSRG is not existed

(7) Construct a game;

(8) ELSE

(9) Get the stored game;

(10) ENDIF

(11) Compute $δ_{k}^{*}$ according to (24);

(12) Compute $p (τ_{S}^{1} | a_{S} (t_{k}), h_{S} (t_{k}))$ according to (15);

(13) Update $p (τ_{S}^{1} | h_{S} (t_{k}))$ with $p (τ_{S}^{1} | a_{S} (t_{k}), h_{S} (t_{k}))$ and store it;

(14) Select the action Report with probability $δ_{k}^{*}$ ;

(15) $k \leftarrow k + 1$ ;

(16) ENDDO

The other important part of the framework is the IDS in cloud platform. It consists of three main components: Detection Engine, Alert Database, and Alert Management. Detection Engine is the core component of the IDS, which decides whether an event sent from IDS-sensors through the sink is normal or abnormal. It may combine two of well-known detection techniques, including misuse and anomaly-based detection. It may compare the event to a predefined rule set or perform the process of multipattern matching. Upon completion, it distinguishes the event as normal or abnormal one and inserts the generated alerts into Alert Database. As a storage unit to maintain all the formatted events created by Detection Engine, Alert Database stores body sensor ID, the timestamp of various events, and packet information with the defined signatures. Some alert groups and statistics produced by Alert Management are also contained in Alert Database. Depending on Alert Analysis, Alert Management is applied to observe the generated alerts and relate them to previously defined attacking cases. This tool provides Administrator with a function to extract events and to produce reports based on source, time, and types of attacks. Finally, Administrator examines these findings and decides whether to send Control Data to those malicious body sensors.

5. Experiments

In this section, we employ MATLAB R2010a to illustrate the characteristics of the dynamic multistage IDSRG. Since we are the first to study the report game in WBANs using a cloud-assisted IDS, we do not compare our work with any prior work. Here, we explore the factors influencing a malicious body sensor to select the action Attack, in order to disclose its optimal attack strategies. We further, through an IDS-sensor's posterior belief computed by Algorithm 1, evaluate the performance of our proposed framework with the probability of a body sensor being malicious in terms of IDSRG parameters at the $t_{k}$ th stage game.

5.1. Analyses on Optimal Attack Probabilities

We show the changeable trend of the optimal probability of a malicious body sensor selecting the action Attack in terms of α, β, and γ, in order to disclose the intension of a malicious body sensor. The rates of higher detection and lower false alarm make a cloud-assisted IDS easy to capture the malicious body sensors. Therefore, the optimal strategy of a malicious body sensor is to reduce the probability of selecting the action Attack to avoid the captured loss. On the other hand, the higher attack success rate helps a malicious body sensor attain its expected payoff more quickly. As the case we expect, the optimal probability of a malicious body sensor selecting the action Attack, from Figure 4, slowly decreases when the detection rate gradually increases from 0.5 to 1. A similar tendency is shown as the false alarm rate decreases from 0.1 to 0. In Figures 5 and 6, the decrement of the optimal attack probability selected by a malicious body sensor is followed with the increments of the attack success rate, detection rate, and false alarm rate. Further, the influence of the attack success rate is lower than that of the other two factors. When $α = 0.9$ in Figure 5, for example, the optimal attack probability decreases from 0.1547 to 0.1239 as γ changes from 0.6 to 1. It reduces by 19.91% or so. However, when $γ = 0.92$ , the optimal attack probability decreases from 0.2316 to 0.1162, producing 49.83% or so decrements. These results indicate we should improve the detection rate and reduce the false alarm rate for lowering the attack probability of a malicious body sensor.

Figure 4

Optimal attack probabilities in terms of α and β.

Figure 5

Optimal attack probabilities in terms of α and γ.

Figure 6

Optimal attack probabilities in terms of β and γ.

5.2. Performance Analyses

At the $t_{k}$ th stage IDSRG, an IDS-sensor updates its belief on the type of its opponent using (15). Without loss of generality, we assume the initial belief of each IDS-sensor is 0.5. That is, the probability of a body sensor being malicious is the same as that of a body sensor being normal. Figure 7 demonstrates the convergence of an IDS-sensor's posterior belief when different detection rates are presented. We see that the higher the detection rate is, the quicker the posterior belief converges to 1. The convergence requires about 12 times of playing the stage IDSRG if $α = 0.9$ , 15 times if $α = 0.7$ , and 20 times if $α = 0.5$ , respectively. When different false alarm rates are considered in Figure 8, we see that the lower the false alarm rate is, the quicker the posterior belief converges to 1. It requires about 6 times of playing the stage IDSRG if $β = 0.01$ , 11 times if $β = 0.05$ , and 21 times if $β = 0.1$ , respectively. From Figures 7 and 8, the convergence speed of an IDS-sensor's posterior belief increases as the detection rate goes up and the false alarm rate goes down. That is, the speed to judge whether a body sensor is malicious depends on the detection accuracy of the cloud-assisted IDS.

Figure 7

Probability of successfully detecting a malicious body sensor under different detection rates.

Figure 8

Probability of successfully detecting a malicious body sensor under different false alarm rates.

Figure 9 compares the convergence of an IDS-sensor's posterior belief when different actual-attack-gains denoted by $g_{A} / c_{A}$ are given. We see that the lower the actual-attain-gain is, the quicker the posterior belief converges to 1. This phenomenon may be explained as follows. With a smaller actual-attack-gain, a malicious body sensor must take the action Attack more frequently to get its expected payoff. This increasing frequency raises the probability that the IDS-sensor successfully observes the action Attack launched by the malicious body sensor. Thus, the posterior belief is updated more successfully and converges to 1 more quickly.

Figure 9

Probability of successfully detecting a malicious body sensor under different actual-attack-gains.

In Figure 10, we let $g_{R} / c_{R}$ be the actual-report-gain. It shows that a smaller actual-report-gain leads the belief system to converge to 1 more quickly. This is because the IDS-sensor should report more often to attain its expected payoff. Thus, quicker convergence of the posterior belief is achieved, leading to quicker detection of a malicious body sensor.

Figure 10

Probability of successfully detecting a malicious body sensor under different actual-report-gains.

In what follows, we analyze how the historical actions taken by a malicious body sensor influence the convergence speed of the posterior belief, as shown in Figure 11. We assume two observation sequences: $[0 0 0 0 0 1 1 1 1 1 0 0 1 0 1 0 1 1 1 0 0 0 0 0 0]$ and $[1 1 1 1 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0]$ , where 1 represents the action Attack and 0 represents the action Cooperate in the corresponding stage IDSRG. If 1 or 0 is continuous, then the malicious body sensor takes the action Attack or Cooperate repeatedly. The other important parameter considered in Figure 11 is $α = 0.9$ , which means a higher detection rate. We see the posterior belief converges to 1 quickly when a malicious body sensor takes continuous action Attack. Once the IDS-sensor considers a body sensor to be malicious, the posterior belief cannot be decreased adaptively to a lower value even if the IDS-sensor observes the action Cooperate taken by the malicious body sensor. This means that the IDS-sensor has to always take the action Report and consume its energy rapidly. To avoid this case, IDS agents in IDS-sensors should initially deploy an association-rule module that can reset the posterior belief.

Figure 11

Probability of successfully detecting a malicious body sensor under historical actions.

6. Conclusion

We have presented an IDS framework with the help of cloud computing, in order to quest for security of WBANs. It extends WBANs to an integrated platform that offers scalability of data storage and computation for launching an IDS. With this framework, IDS-sensors are only responsible for whether or not to report the monitored events, not for performing the costly task of intrusion detection. Thus, the deficiency of limited resources in WBANs is no longer a problem to guarantee security of WBANs. Moreover, to solve the IDS-sensors' dilemma between saving energy and reporting the monitored events to increase the probability of capturing the malicious body sensor, we have proposed a dynamic multistage IDSRG using the signaling game. Our game is able to depict interactions between a malicious/normal body sensor and its opponent IDS-sensor and is able to reflect their payoffs. We have proven that the stage IDSRG has a pure-strategy BNE or mixed-strategy BNE under different conditions of the probability of a body sensor being malicious. As the game evolves, we have extended the stage IDSRG to a dynamic multistage IDSRG, where the belief hold by IDS-sensors can be updated rationally and dynamically according to the current and historical actions of malicious body sensors. We have also proven the existence of the mixed-strategy PBE in the dynamic IDSRG. This mixed-strategy PBE helps IDS-sensors select an optimal strategy that will prolong their lifespan while allowing them to report an acceptable amount of monitored events. A report strategy algorithm is designed to implement the mixed-strategy PBE. Experiments have shown, based on the optimal report strategies computed by the proposed algorithm, that the type and optimal strategy of a malicious body sensor can be predicted. Thus, body sensors are capable of saving their energy while the cloud-assisted IDS is able to actively defend malicious body sensors.

While the proposed approach works in principle, we plan to implement it by developing a cloud-assisted IDS testbed via Castalia 3.2, a simulator based on OMNeT++ 4.3.1. Depending on the future experiment results, a more accurate IDSRG to further enhance its decision-making capability in order to prevent body sensors from malicious attacks maybe will be attained.

Footnotes

Notations

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

This work was supported by the National Natural Science Foundation of China under Grant no. 61272034, by Zhejiang Provincial Natural Science Foundation of China under Grants LY13F030012 and LY13F020035, and by Science Foundation of Shaoxing University under Grant no. 20145021.

References

Chen

Gonzalez

Vasilakos

A. V.

Cao

Leung

V. C. M.

Body area networks: a survey

Mobile Networks and Applications 2011 16 2 171 193

10.1007/s11036-010-0260-8

2-s2.0-79956094375

Ullah

Higgins

Braem

Latre

Blondia

Moerman

Saleem

Rahman

Kwak

K. S.

A comprehensive survey of wireless body area networks on PHY, MAC, and network layers solutions

Journal of Medical Systems 2012 36 3 1065 1094

10.1007/s10916-010-9571-3

2-s2.0-84864035796

Ullah

Mohaisen

Alnuem

M. A.

A review of IEEE 802.15.6 MAC, PHY, and security specifications

International Journal of Distributed Sensor Networks 2013 2013 12

950704

10.1155/2013/950704

2-s2.0-84878305255

Sung

W.-T.

Chang

K.-Y.

Health parameter monitoring via a novel wireless system

Applied Soft Computing 2014 22 667 680

10.1016/j.asoc.2014.04.036

2-s2.0-84903707677

Zhou

Cao

Dong

Lin

Vasilakos

Securing m-healthcare social networks: challenges, countermeasures and future directions

IEEE Wireless Communications 2013 20 4 12 21

10.1109/mwc.2013.6590046

2-s2.0-84884572913

Latré

Braem

Moerman

Blondia

Demeester

A survey on wireless body area networks

Wireless Networks 2011 17 1 1 18

10.1007/s11276-010-0252-4

2-s2.0-79951723271

Saleem

Ullah

Kwak

K. S.

A study of IEEE 802.15.4 security framework for wireless body area networks

Sensors 2011 11 2 1383 1395

10.3390/s110201383

2-s2.0-79952089663

Ali

S. T.

Sivaraman

Ostry

Tsudik

Jha

Securing first-hop data provenance for bodyworn devices using wireless link fingerprints

IEEE Transactions on Information Forensics and Security 2014 9 12 2193 2204

10.1109/tifs.2014.2357998

2-s2.0-84911072446

Xiao

Security and privacy in cloud computing

IEEE Communications Surveys and Tutorials 2013 15 2 843 859

10.1109/SURV.2012.060912.00182

2-s2.0-84877272118

10.

Zhou

Dong

Cao

Vasilakos

A. V.

Secure and privacy preserving protocol for cloud-based vehicular DTNs

IEEE Transactions on Information Forensics and Security 2015 10 6 1299 1314

10.1109/TIFS.2015.2407326

11.

Fortino

Pathan

Di Fatta

BodyCloud: integration of cloud computing and body sensor networks

Proceedings of the 4th IEEE International Conference on Cloud Computing Technology and Science (CloudCom '12)

December 2012

Taipei, Taiwan

851 856

10.1109/cloudcom.2012.6427537

2-s2.0-84874226703

12.

Getov

Security as a service in smart clouds—opportunities and concerns

Proceedings of the 36th IEEE Annual International Computer Software and Applications Conference (COMPSAC '12)

July 2012

Izmir, Turkey

373 379

10.1109/compsac.2012.112

2-s2.0-84870770632

13.

Liang

Xiao

Game theory for network security

IEEE Communications Surveys and Tutorials 2013 15 1 472 486

10.1109/surv.2012.062612.00056

2-s2.0-84873690107

14.

Moretti

Vasilakos

A. V.

An overview of recent applications of game theory to bioinformatics

Information Sciences 2010 180 22 4312 4322

10.1016/j.ins.2010.07.019

MR2684400

2-s2.0-77956393262

15.

Attar

Tang

Vasilakos

A. V.

F. R.

Leung

V. C. M.

A survey of security challenges in cognitive radio networks: solutions and future research directions

Proceedings of the IEEE 2012 100 12 3172 3186

10.1109/jproc.2012.2208211

2-s2.0-84869508857

16.

Shen

Yue

Cao

A survey of game theory in wireless sensor networks security

Journal of Networks 2011 6 3 521 532

10.4304/jnw.6.3.521-532

2-s2.0-79953065997

17.

Manshaei

M. H.

Zhu

Alpcan

Basar

Hubaux

J.-P.

Game theory meets network security and privacy

ACM Computing Surveys 2013 45 3, article 25

10.1145/2480741.2480742

2-s2.0-84874284297

18.

Sampaio

L. D. H.

Abrão

Angélico

B. A.

Lima

M. F.

Proença

M. L.

Jr. Jeszensky

P. J. E.

Hybrid heuristic-waterfilling game theory approach in MC-CDMA resource allocation

Applied Soft Computing 2012 12 7 1902 1912

10.1016/j.asoc.2011.05.028

2-s2.0-84861097211

19.

Moosavi

Bui

F. M.

A game-theoretic framework for robust optimal intrusion detection in wireless sensor networks

IEEE Transactions on Information Forensics and Security 2014 9 9 1367 1379

10.1109/tifs.2014.2332816

2-s2.0-84905736269

20.

Shen

Han

Vasilakos

A. V.

Wang

Cao

Differential game-based strategies for preventing malware propagation in wireless sensor networks

IEEE Transactions on Information Forensics and Security 2014 9 11 1962 1973

10.1109/tifs.2014.2359333

2-s2.0-84908240474

21.

Garnaev

Baykal-Gursoy

Poor

H. V.

Incorporating attack-type uncertainty into network protection

IEEE Transactions on Information Forensics and Security 2014 9 8 1278 1287

10.1109/tifs.2014.2329241

2-s2.0-84904708169

22.

Shen

Cao

Signaling game based strategy of intrusion detection in wireless sensor networks

Computers & Mathematics with Applications 2011 62 6 2404 2416

10.1016/j.camwa.2011.07.027

2-s2.0-80052425981

23.

Champrasert

Suzuki

Lee

Exploring self-optimization and self-stabilization properties in bio-inspired autonomic cloud applications

Concurrency Computation Practice and Experience 2012 24 9 1015 1034

10.1002/cpe.1906

2-s2.0-84862776883

24.

López-Pérez

Chu

Vasilakos

A. V.

Claussen

Power minimization based resource allocation for interference mitigation in OFDMA femtocell networks

IEEE Journal on Selected Areas in Communications 2014 32 2 333 344

10.1109/jsac.2014.141213

2-s2.0-84895057562

25.

Wada

Suzuki

Yamano

Oba

Evolutionary deployment optimization for service-oriented clouds

Software—Practice and Experience 2011 41 5 469 493

10.1002/spe.1032

2-s2.0-79952819488

26.

Shen

Han

Guo

Cao

Survivability evaluation towards attacked WSNs based on stochastic game and continuous-time Markov chain

Applied Soft Computing 2012 12 5 1467 1476

10.1016/j.asoc.2012.01.009

2-s2.0-84862813299

27.

Wei

Zhu

Cao

Dong

Jia

Chen

Vasilakos

A. V.

Security and privacy for storage and computation in cloud computing

Information Sciences 2014 258 371 386

10.1016/j.ins.2013.04.028

2-s2.0-84889087663

28.

Zhang

Wang

Vasilakos

A. V.

Fang

ECG-cryptography and authentication in body area networks

IEEE Transactions on Information Technology in Biomedicine 2012 16 6 1070 1078

10.1109/TITB.2012.2206115

2-s2.0-84870926798

29.

Raja

S. K. S.

Jebarajan

Reliable and secured data transmission in wireless body area networks (WBAN)

European Journal of Scientific Research 2012 82 2 173 184

2-s2.0-84864595772

30.

Chen

Chan

Vasilakos

A. V.

A distributed trust evaluation model and its application scenarios for medical sensor networks

IEEE Transactions on Information Technology in Biomedicine 2012 16 6 1164 1175

10.1109/TITB.2012.2199996

2-s2.0-84870885560

31.

Chen

Chan

Vasilakos

A. V.

ReTrust: attack-resistant and lightweight trust management for medical sensor networks

IEEE Transactions on Information Technology in Biomedicine 2012 16 4 623 632

10.1109/titb.2012.2194788

2-s2.0-84863512174

32.

Corona

Giacinto

Roli

Adversarial attacks against intrusion detection systems: taxonomy, solutions and open issues

Information Sciences 2013 239 201 225

10.1016/j.ins.2013.03.022

2-s2.0-84876939080

33.

Chung

Y. Y.

Wahid

A hybrid network intrusion detection system using simplified swarm optimization (SSO)

Applied Soft Computing 2012 12 9 3014 3022

10.1016/j.asoc.2012.04.020

2-s2.0-84863478979

34.

Sun

Shan

Xiao

Anomaly detection based secure in-network aggregation for wireless sensor networks

IEEE Systems Journal 2013 7 1 13 25

10.1109/JSYST.2012.2223531

2-s2.0-84874644743

35.

Kuang

Zhang

A novel hybrid KPCA and SVM with GA model for intrusion detection

Applied Soft Computing 2014 18 178 184

10.1016/j.asoc.2014.01.028

2-s2.0-84894281761

36.

Song

Takakura

Okabe

Nakao

Toward a more practical unsupervised anomaly detection system

Information Sciences 2013 231 4 14

10.1016/j.ins.2011.08.011

2-s2.0-84874114774

37.

Butun

Morgera

S. D.

Sankar

A survey of intrusion detection systems in wireless sensor networks

IEEE Communications Surveys and Tutorials 2014 16 1 266 282

10.1109/SURV.2013.050113.00191

2-s2.0-84894652457

38.

Rassam

M. A.

Maarof

M. A.

Zainal

A survey of intrusion detection schemes in Wireless Sensor Networks

American Journal of Applied Sciences 2012 9 10 1636 1652

10.3844/ajassp.2012.1636.1652

2-s2.0-84867604390

39.

Sundararajan

T. V. P.

Shanmugam

A novel intrusion detection system for wireless body area network in health care monitoring

Journal of Computer Science 2010 6 11 1355 1361

10.3844/jcssp.2010.1355.1366

2-s2.0-78049507383

40.

Ren

Yao

ITFBS: adaptive intrusion-tolerant scheme for body sensor networks in smart space applications

IET Communications 2011 5 17 2509 2517

10.1049/iet-com.2010.0862

MR2918577

2-s2.0-84863173663

41.

Otrok

Mohammed

Wang

Debbabi

Bhattacharya

A game-theoretic intrusion detection model for mobile ad hoc networks

Computer Communications 2008 31 4 708 721

10.1016/j.comcom.2007.10.024

2-s2.0-39149117050

42.

Otrok

Mehrandish

Assi

Debbabi

Bhattacharya

Game theoretic models for detecting network intrusions

Computer Communications 2008 31 10 1934 1944

10.1016/j.comcom.2007.12.028

2-s2.0-44549084937

43.

Zhu

Fung

Boutaba

Başar

GUIDEX: a game-theoretic incentive-based mechanism for intrusion detection networks

IEEE Journal on Selected Areas in Communications 2012 30 11 2220 2230

10.1109/jsac.2012.121214

2-s2.0-84870268417

44.

Huang

J.-Y.

Liao

I.-E.

Chung

Y.-F.

Chen

K.-T.

Shielding wireless sensor network using Markovian intrusion detection system with attack pattern mining

Information Sciences 2013 231 32 44

10.1016/j.ins.2011.03.014

MR3028811

2-s2.0-84874117071

45.

Zonouz

S. A.

Khurana

Sanders

W. H.

Yardley

T. M.

RRE: a game-theoretic intrusion response and recovery engine

IEEE Transactions on Parallel and Distributed Systems 2014 25 2 395 406

10.1109/tpds.2013.211

2-s2.0-84891815876

46.

Shamshirband

Patel

Anuar

N. B.

Kiah

M. L. M.

Abraham

Cooperative game theoretic approach using fuzzy Q-learning for detecting and preventing intrusions in wireless sensor networks

Engineering Applications of Artificial Intelligence 2014 32 228 241

10.1016/j.engappai.2014.02.001

2-s2.0-84900419562

47.

Shen

Huang

Han

Cao

Quantal response equilibrium-based strategies for intrusion detection in WSNs

Mobile Information Systems 2015 2015 10

179839

10.1155/2015/179839

48.

Liu

Shen

Yue

Han

A stochastic evolutionary coalition game model of secure and dependable virtual service in Sensor-Cloud

Applied Soft Computing 2015 30 123 135

10.1016/j.asoc.2015.01.038

2-s2.0-84922702919

49.

Farooqi

A. H.

Khan

F. A.

A survey of intrusion detection systems for wireless sensor networks

International Journal of Ad Hoc and Ubiquitous Computing 2012 9 2 69 83

10.1504/ijahuc.2012.045549

2-s2.0-84857692970

50.

Fudenberg

Tirole

Game Theory 1991

London, UK

The MIT Press

MR1124618

Optimal Report Strategies for WBANs Using a Cloud-Assisted IDS

Abstract

1. Introduction

2. Related Work

3. A Report Game for WBANs Using a Cloud-Assisted IDS

3.1. Network Model

3.2. A Stage IDS Report Game

Definition 1.

3.3. Equilibrium Analyses of the Stage IDSRG

Theorem 2.

Proof.

Theorem 3.

Proof.

3.4. Dynamic Multistage IDSRG

Definition 4.

Definition 5.

Lemma 6.

Proof.

Theorem 7.

Proof.

4. Applying PBE-Based Report Strategies to WBANs Using a Cloud-Assisted IDS

Algorithm 1: PBE-based report algorithm for an IDS-sensor.

5. Experiments

5.1. Analyses on Optimal Attack Probabilities

5.2. Performance Analyses

6. Conclusion

Footnotes

Notations

Conflict of Interests

Acknowledgments

References