Research Article | Open Access
Y. P. Jiang, C. C. Cao, X. Mei, H. Guo, "A Quantitative Risk Evaluation Model for Network Security Based on Body Temperature", Journal of Computer Networks and Communications, vol. 2016, Article ID 4517019, 10 pages, 2016. https://doi.org/10.1155/2016/4517019
A Quantitative Risk Evaluation Model for Network Security Based on Body Temperature
These days, in allusion to the traditional network security risk evaluation model, which have certain limitations for real-time, accuracy, characterization. This paper proposed a quantitative risk evaluation model for network security based on body temperature (QREM-BT), which refers to the mechanism of biological immune system and the imbalance of immune system which can result in body temperature changes, firstly, through the -contiguous bits nonconstant matching rate algorithm to improve the detection quality of detector and reduce missing rate or false detection rate. Then the dynamic evolution process of the detector was described in detail. And the mechanism of increased antibody concentration, which is made up of activating mature detector and cloning memory detector, is mainly used to assess network risk caused by various species of attacks. Based on these reasons, this paper not only established the equation of antibody concentration increase factor but also put forward the antibody concentration quantitative calculation model. Finally, because the mechanism of antibody concentration change is reasonable and effective, which can effectively reflect the network risk, thus body temperature evaluation model was established in this paper. The simulation results showed that, according to body temperature value, the proposed model has more effective, real time to assess network security risk.
With the continuous expansion of network size and the increasingly complex network structure and the rapid development of information technology, the research of assessment model has become one of the hot topics in network security field. Bass was the first one who proposed the definition of network situation awareness . The boom of the network security situation awareness has been laid out. In the past two decades, the experts and scholars not only use Analytic Hierarchy Process (AHP) [2, 3], attacking graph [4, 5], and Bayesian network [6, 7] to study the risk assessment but also make use of the hidden Markov model [8, 9] to discuss the field. With the advent of Computer Immunology, the researchers began to study the domain based on artificial immune [10, 11], such as that based on antibody concentration  of network risk assessment. In the meantime, from static to dynamic state, it is relatively according with the realistic environment.
Kotenko and Chechulin had proposed a safety assessment framework based on attack graph . The method has higher computational complexity. Taking into consideration the impact of time and environmental factors, Khosravi-Farmad et al. proposed a quantitative risk assessment method by using Bayesian attack graph . Literature  has put forward an architecture based on feed propagation neural, intelligent computing of the probability of occurrence of a network attack. Rezvani et al. proposed a new risk assessment methodology , and the algorithm included two concepts: the first one, the dependence of risk score between the source host and destination host, and, the second one, the risk of transmission between the network flows. Based on these two concepts, they have developed an iterative algorithm to calculate the host of risk scores and network flow, which make the algorithm convergence speed fast. Not only is the study of risk assessment very important for government agency, research institutes, and large-scaled enterprises, but it is also important for risk assessment of military networks. Hemanidhi et al. have put forward a military network risk assessment framework . Using the experiments of Wu et al., it has been proven that the effectiveness of the security threats recognition and analysis method was based on attack graph . Situation assessment method was based on hidden Markov model (HMM), by Li et al. , which can be relatively more accurate to reflect the security situation of the current complex network environment. However, some experiences can affect the objectivity of the results. Xi et al. improved the network security situation assessment method based on the HMM , so that the quantitative result is more reasonable. Nevertheless, the method of collecting the accuracy of the data source needs to be improved. Literature  proposed a network security situation assessment method based on immune danger theory, but the method cannot perceive more situational factors and complex network security situation.
Although the above literature can be accurately used to evaluate network security, the result of evaluating the network environment lacks certain flexibility. And due to people unattended and hostile deployment in wireless sensor networks , it is a critical security issue. In the meantime, some scholars refer to sensors for human activity monitoring [21, 22]. Thus, this paper puts forward a quantitative risk evaluation model for network security based on body temperature (QREM-BT), and the model makes characterization of the network of the immune system more in line with the biological immune system. It can be used to assess network security risk.
2. The Model of Basic Theory and Design Idea
Biological immune system is a highly distributed, self-adaption, and self-learning system. It has a sound mechanism to resist the invasion of foreign pathogens. After the body is infected with a pathogen, it can produce specific antibody and effector T cells to improve the immunity of the pathogen. But when the biological immune system itself is before the recovery of adaptive regulation, it will produce fever and other symptoms; with the increase in virus threats intensity, the biology of temperature also can be increased. Thus, when computer is attacked by outside illegal attacks or internal network illegal activity, according to the mechanism of biological immune system, antibody in computer immune system can quickly recognize these antigens. By increasing the antibody concentration, corresponding to the body temperature of the computer will also increase with a certain rising trend; at the same time, the network of multiple computers can also evaluate body temperature status of the entire network based on the importance of each computer. According to the body temperature evaluating the network risk, the body temperature value size can be more convenient, more directly determine risk levels, and make the corresponding protective measures.
QREM-BT model is composed of three parts, namely, intrusion detection, antibody concentration, and body temperature assessment. Design idea is briefly summarized as follows. (1) These detected attacks are classified by the blood . (2) According to the matching process of antigen and antibody, it could calculate the corresponding attack types of antibody concentration. (3) For body temperature based on antibody concentration, the body temperature range could also be mapped to a defined body temperature area through the body temperature to assess network risk.
3. Risk Analysis and Calculation Based on QREM-BT Model
In order to more accurately and real-time assess network security risk, the model uses -contiguous bits nonconstant matching rate algorithm to improve the detection quality of detector . In order to meet the real network environment, self, various detectors, and the corresponding tolerance all are dynamic changes. For more intuitively obtaining risk assessment, the model determines risk level by temperature change.
Let self/nonself in the domain , is the -set (the normal behavior of the network), and is the -set (network illegal behavior or attack), with . Detector set : (). Antigen () is defined as network intrusion behaviors, identifying antigen of antibody () as detector.
3.1. The Dynamic Evolution Process of Self
In the actual network environment, and are usually unsteady. The dynamic evolution equation of self is defined aswhere is the threshold of -set size, is the change of network environment caused by -variation (-change into ), and show when the -set size is more than the threshold on the basis of LRU principle to eliminate the number of -sets.
3.2. -Contiguous Bits Nonconstant Matching Algorithm
Because the constant -contiguous bits matching algorithm will be unable to more accurately detect illegal network behavior, the matching process of antigen and antibody uses -contiguous bits nonconstant matching rate algorithm .
The algorithm utilizes the segmentation technology and key position according to the importance of each section set different from the matching threshold.
In order to avoid the “black hole” and reduce missing rate or false detection rate, while improving the detection quality of the detector, we have the following matching calculation method, where “1” represents “match” and “0” represents “mismatch”: where the length of the match string , was and they are, respectively, divided into segments, set key position is represented by in key field, the matching threshold of each field is set as , represents the key position of fragment the same as , and is defined as the sum of each fragment of the matching threshold multiplied by 1 or 0.
3.3. The Dynamic Evolution Process of Detector Self-Tolerance
In order to prevent the detector match with , detector will experience -tolerance (if detector and matching succeeds, discard the detector) to improve the effectiveness of the detector. The dynamic evolution equations of detector -tolerance are as follows:where is the updating cycle of detector, is that moment of mature detectors through the process of tolerance, and is randomly generated immature detector.
3.4. The Dynamic Evolution Process of Mature Detectors
In a certain period of time, mature detector accumulates enough matching string (greater than or equal to ), the memory detector will be activated, and, after activation, matching number will reset as zero. When the set size of memory detector reaches the limit, a part of the memory detector will be converted to mature detector (use LRU elimination rule).
Definition 1. Mature detector changes can be divided into two parts: increase and reduction. The increase of mature detector is defined as ; the reduction of mature detector is defined as .
The increase of mature detector is as follows:The reduction of mature detector is as follows:Mature detector overall evolution equation is as follows:where is that moment when the number of initial detector -tolerances changes into mature detectors, is that moment when the number of memory detectors changes into mature detectors when the set size of memory detector reached the limit, shows that moment when the number of mature detectors reaching activation threshold becomes memory detectors, denotes that moment the number of clone mature detectors, shows that, in a certain period of time, mature detector cannot accumulate enough matching string causing the number of dead mature detectors, and is the max value of memory detector scale.
3.5. The Dynamic Evolution Process of Memory Detectors
The size of clone scale and activation threshold can change the number of memory detectors. Under certain conditions, memory detector may mutate. Although memory detector relatively has a long life cycle, this kind of detector size has certain limits. Therefore, the value of more than one predefined threshold will be eliminated in accordance with the LRU rule.
The dynamic evolution equations of memory detector are as follows:where is the number of memory detectors which matches self, shows the amount of memory detectors activated by mature detector, is the number of clone memory detectors, and means the amount of memory detectors mutating into immature detectors.
3.6. The Antibody Concentration Quantitative Calculation Model
Antibody concentration change is due to the illegal intrusion (antigen) computer immune system producing the immune response caused by the imbalance in the immune system; more antigens caused more serious imbalance; that is, the antibody concentration change is more obviously rising, after the antigen disappeared (killed), and gradually tends to be normal, but there is a certain duration; if for a long time there is no matching with antigen, the antibody concentration will be attenuated according to certain rules.
Definition 2. The formula of increasing antibody concentration is defined as where .
The above formula can be converted to , when antibody concentration tends to bewhere the initial of antibody concentration is , is antibody concentration increase factor, and shows the number of immature detectors.
Definition 3. The formula of attenuating antibody concentration is defined as where is antibody concentration decay cycle and is the duration of the antibody concentration decrease to zero.
Definition 4. Without considering the threat of attack types and the importance of equipment in the network, the host under attack of antibody concentration formula is defined as where , is under attack of antibody concentration increase factor, shows the number of activated memory detectors under attack, shows the number of clone memory detectors under attack, is the number of immature detectors under attack, denoted the number of mature detectors under attack, is the number of memory detectors under attack, and before attack the initial of antibody concentration is .
Definition 5. The threat of attack is and ; the host under all of the attacks of antibody concentration formula is defined aswhere is that attack of the number of attacks; the intensity of the attacks about attack is .
Theorem 6. If the threat is constant, the antibody concentration of the host is strengthened with the increase of categories of attacks, that is,where shows types of attacks and .
Proof. When is zero,When is greater than zero and is equal to ,and so on; when is greater than zero and is equal to , Therefore, we only need to prove < + .
Because the immune system according to the rules of the LRU is to weed out all kinds of detectors, but the overall size stays the same, = , with the increase of categories of attacks; from the above formula we can see molecular increases and the denominator remains the same; then .Because , , that is, < .
Thus, with more kinds of attacks increasing, the antibody concentration is also rising.
Theorem 7. The antibody concentration of the host was strengthened with the increase of the number of attacks and the intensity of the attacks; that is, if was increased or increased, then was also increased.
Proof. Because when was increased or increased, according to , was increased and because when was increased or increased, the activated mature detectors and memory detectors were also rising, then was increased and was also increased, so was also increased.
Definition 8. When is the importance of the host in the network, moment, all hosts under attack of antibody concentration formula are defined as where , manifests the price of the host , and refers to the memory of the host .
Definition 9. All hosts (i.e., entire network) under all of the attacks of antibody concentration formula are defined as
3.7. Body Temperature Assessment Model
According to the mechanism of the biological immune system, the body temperature rises in the face of external viruses and other harmful substances (fever phenomenon), indicating that the invasion of harmful substances alters the physiological regulation of equilibrium. Network is subject to risks caused by external attacks with which they have the same purpose. Therefore, in order to more conveniently and intuitively distinguish network degree of risk, using the way of body temperature to assess network risk, the body temperature will be divided into different stages and defined with different colors; depending on the different colors the danger zone can quickly be determined.
The host under attack of body temperature calculation formula is as follows:
Through the fusion of risk for the host of all attacks, the host under all of the attacks of body temperature calculation formula is as follows:
Through the fusion of risk for all hosts with a kind of attack, all hosts under attack of body temperature calculation formula are as follows:
Through the fusion of risk for all hosts and attacks, all hosts under all of the attacks of body temperature calculation formula are as follows:
Because the body temperature range of 0 to 1 and the defined body temperature range are different, the body temperature needs to adopt deviation standardization of the inverse function, standardize to , that is, . The standardized body temperature range is 1 to 6. The function of network body temperature is defined as .
4. Simulation Experiments and Analysis
This model uses -contiguous bits nonconstant matching rate algorithm in the stage of invasion, select artificial immune algorithm (AIA), where . It is proved that the matching algorithm can improve the detection rate of the nonself and reduce the false detection rate of self, which is shown in Figures 1 and 2.
In order to verify the feasibility and effectiveness of the method described in this paper, this paper uses the typical types of attacks (such as SYN Flood, Land, and Smurf attacks) of simulation experiment to test it. The structure of the experimental environment is shown in Figure 3. The experimental network is composed of twenty hosts, and the hosts , , and so on are monitored. In this experiment, the selected parameters are as follows: initial antibody concentration is 0.015; the hosts and prices are, respectively, 0.3 and 0.6 thousand yuan; hosts memory is, respectively, 2 G and 4 G; that is, the importance of hosts is, respectively, 0.56 and 0.77; the intensity of the attacks of SYN Flood, Land, and Smurf attack is, respectively, 0.5, 0.8, and 0.1; the number of attacks is, respectively, 0.2, 0.1, and 0.15; that is, the threat of attack types is, respectively, 0.79, 0.87, and 0.62.
The host of antibody concentration curve is illustrated in Figure 4 as the number of different attack types; as you can see from Figure 3, once the attack occurred, the antibody concentration will be increased. In three different states, in the moments of 24 to 76, the host relatively suffered no significant strengthening attack, so the trend of overall change in antibody concentration is relatively stable. In the moments of 18–24, the host suffered SYN Flood attack; with the increase of attacks, antibody concentration significantly increased. As can be seen from the whole, the antibody concentration of the host was strengthened with the increase of categories of attacks and threat.
The antibody concentration and attack power curve is illustrated in Figure 5. As you can see from Figure 5, in the moments of 32–40, with the significant increase of attack times, antibody concentration is also rapidly increasing; antibody concentration is positively correlated with the attack times. In the moment of 25, antibody concentration reaches the first peak and it has higher vigilance about attack; attacks occur within a short time; in the moment of 40, the antibody concentration reaches the highest value; when attacks are weakened, the antibody concentration decrease delays; in the moments of 40–50, antibody concentration basically remains unchanged; after the moment of 50, it began to fall. In the moments of 50 and 70, the system takes appropriate measures and the falling speed is relatively fast. At other times, it does not take measures, and the magnitude of the threat of attack is relatively small and the antibody concentration change is relatively stable. As can be seen from the whole, due to the presence of IDS, at the beginning, the increase of antibody concentration is slow; IDS orders the firewall to prevent a part of the attacks. The overall increase of antibody concentration is smaller than that of no IDS. The effect of initial different antibody concentration for risk values is shown in Figure 6. As can be seen from the bar chart, when is equal to 0.015, the value of risk is more satisfactory.
The host of attacks and antibody concentration increase factor curve is illustrated in Figure 7. The host of antibody concentration and temperature evaluation is illustrated in Figure 8. As you can see from Figure 7, the antibody concentration increase factor and the number of attacks change trend has good consistency: with the increase of the number of attacks, the corresponding value will rapidly rise and vice versa. As you can see from Figure 8, the antibody concentration and temperature change trend has good consistency. Compared with Figure 7, it shows that if the number of attacks increases, the antibody concentration and temperature will increase, but if the number of attacks decreased, antibody concentration and temperature will slowly decline. Due to recurrence of similar attacks in a short time in the real network environment, the network has higher vigilance. Therefore, in Figure 8, in the moments of 35 to 45 and in the moments of 48 to 57, the change of antibody concentration and temperature is smooth.
The temperature value is divided into five parts, namely, the definition of  is very safe, () is security, [) is low risk, [) is moderate risk, and  is high risk. By the mapping function body temperature is mapped to , (), [), [), and ; those areas are, respectively, represented by green, blue, yellow, orange, and red.
The body temperature evaluation of the entire network is illustrated in Figure 9. In the moments of 0 to 100, the corresponding color of 0–60-moment body temperature characterization is shown in Figure 10. As you can see from Figure 9, in the moment of 40, the body temperature significantly increased, and the body temperature value was at a low risk stage. In the moments of 50 to 60, the body temperature was slowly falling, and it was still at a low risk stage; because the system does not take measures, the decreased body temperature explains the reason why the system did not suffer new attacks in a certain period of time; a part of the mature detectors was death. In the moment of 70, the temperature increased, and the temperature value was at a moderate risk stage. But in the moment of 80, the temperature value was decreased to a low risk stage, during this period, indicating that the system takes the corresponding measures.
The scope of attack power will be mapped to the range of temperature which is defined in this paper and compared with network temperature. As you can see from Figures 11 and 12, the model of literature  and the proposed model in this paper all can represent the real time network risk, experimental result, and the change of attack power that keeps basic consistency. However, the proposed model is more close to the actual attack strength, and the network risk evaluation is more effective and accurate.
This paper references the mechanism of body temperature change caused by biological immune system imbalance, analyzes antibody concentrations change caused by the change process of various types of detectors in computer immune system, and proposes a quantitative risk evaluation model for network security based on body temperature (QREM-BT). The model established the evaluation equation of antibody concentration and body temperature in this paper, and body temperature values are mapped to be more easily convenient and intuitive judgment dangerous levels of body temperature range, making it more in line with the mechanism of biological immune system and more practical significance. Simulation results show that the model can be on the basis of the body temperature value and the color of the corresponding is relatively more effective, in real time, and intuitive to assess network security risk.
The authors declare that they have no competing interests.
The authors are grateful to the National Natural Science Foundation (no. 61272038), Henan Science and Technology Agency-Funded Science and Technology Research Projects (no. 0624220084), Henan Province Department of Education Program (no. 2010A520044), and Henan Science and Technology Department of Basic and Cutting-Edge Technology Projects (no. 122300410255).
- B. Tim, “Intrusion detection systems and multi-sensor data fusion creating cyberspace situational awareness,” Proceedings of the ACM, vol. 43, no. 4, pp. 99–105, 2000.
- M. Li and M. Bardi, “A risk assessment method of cloud computing based on multi-level fuzzy comprehensive evaluation,” in Proceedings of the International Conference on Cyberspace Technology (CCT '14), pp. 1–4, Beijing, China, November 2014.
- A. Sotoodeh Gohar, M. Khanzadi, M. Parchami Jalal, and A. A. Shirzadi Javid, “Construction projects risk assessment based on fuzzy AHP,” in Proceedings of the IEEE Student Conference on Research and Development (SCOReD '09), pp. 570–573, November 2009.
- M. Alhomidi and M. Reed, “Risk assessment and analysis through population-based attack graph modelling,” in Proceedings of the World Congress on Internet Security (WorldCIS '13), pp. 19–24, IEEE, London, UK, December 2013.
- M. Keramati and A. Akbari, “An attack graph based metric for security evaluation of computer networks,” in Proceedings of the 6th International Symposium on Telecommunications (IST '12), pp. 1094–1098, IEEE, Tehran, Iran, November 2012.
- J. J. P. Sipayung and J. Sembiring, “Risk assessment model of application development using Bayesian Network and Boehm's Software Risk Principles,” in Proceedings of the International Conference on Information Technology Systems and Innovation (ICITSI '15), pp. 1–5, IEEE, Bandung, Indonesia, November 2015.
- M. Naderpour, J. Lu, and G. Zhang, “A fuzzy dynamic bayesian network-based situation assessment approach,” in Proceedings of the IEEE International Conference on Fuzzy Systems (FUZZ '13), pp. 1–8, IEEE, Hyderabad, India, July 2013.
- F.-W. Li, S. Sun, J. Zhu, and S.-C. Yang, “Situation assessment method based on hidden Markov model,” Computer Engineering and Design, vol. 36, no. 7, pp. 1706–1711, 2015.
- R. R. Xi, X. C. Yun, Y. Z. Zhang, and Z. Y. Hao, “An improved quantitative evaluation method for network security,” Chinese Journal of Computers, vol. 38, no. 4, pp. 749–758, 2015.
- Y.-F. Wang, T. Li, X.-Q. Hu, and C. Song, “A real-time method of risk evaluation based on artificial immune system for network security,” Chinese Journal of Electronics, vol. 33, no. 5, pp. 945–949, 2005.
- N. Liu, S.-J. Liu, Y. Liu, and H. Zhao, “Method of network security situation awareness based on artificial immunity system,” Journal of Computer Science, vol. 37, no. 1, pp. 126–129, 2010.
- Z. Gao and X. Hu, “Design and implementation of real-time network risk control system based on antibody concentration,” Journal of Computer Applications, vol. 33, no. 10, pp. 2842–2845, 2013.
- I. Kotenko and A. Chechulin, “A cyber attack modeling and impact assessment framework,” in Proceedings of the 5th International Conference on Cyber Conflict, pp. 1–24, Tallinn, Estonia, June 2013.
- M. Khosravi-Farmad, R. Rezaee, and A. G. Bafghi, “Considering temporal and environmental characteristics of vulnerabilities in network security risk assessment,” in Proceedings of the 11th International ISC Conference on Information Security and Cryptology (ISCISC '14), pp. 186–191, IEEE, Tehran, Iran, September 2014.
- M. G. Ionita and V. V. Patriciu, “Biologically inspired risk assessment in cyber security using neural networks,” in Proceedings of the 10th International Conference on Communications (COMM '14), pp. 1–4, Bucharest, Romania, May 2014.
- M. Rezvani, V. Sekulic, A. Ignjatovic, E. Bertino, and S. Jha, “Interdependent security risk analysis of hosts and flows,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 11, pp. 2325–2339, 2015.
- A. Hemanidhi, S. Chimmanee, and C. Kimpan, “Cyber risk evaluation framework based on risk environment of military operation,” in Proceedings of the 1st Asian Conference on Defence Technology (ACDT '15), pp. 42–47, April 2015.
- D. Wu, Y.-F. Lian, K. Chen, and Y. L. Liu, “A security threats identification and analysis method based on attack graph,” Chinese Journal of Computers, vol. 35, no. 9, pp. 1938–1950, 2012.
- Y.-L. Chen, G.-M. Tang, and Y.-F. Sun, “Assessment of network security situation based on immune danger theory,” Journal of Computer Science, vol. 42, no. 6, pp. 167–170, 2015.
- P. Gope and T. Hwang, “A realistic lightweight anonymous authentication protocol for securing real-time application data access in wireless sensor networks,” IEEE Transactions on Industrial Electronics, 2016.
- S. C. Mukhopadhyay, “Wearable sensors for human activity monitoring: a review,” IEEE Sensors Journal, vol. 15, no. 3, pp. 1321–1330, 2015.
- P. Gope and T. Hwang, “BSN-care: a secure IoT-based modern healthcare system using body sensor network,” IEEE Sensors Journal, vol. 16, no. 5, pp. 1368–1376, 2016.
- T. Li, “An immunity based network security risk estimation,” Science in China Series F: Information Sciences, vol. 48, no. 5, pp. 557–578, 2005.
- X. Feng, M.-Y. Ma, T.-L. Zhao, and H.-Q. Yu, “Intrusion detection system based on hybrid immune algorithm,” Journal of Computer Science, vol. 41, no. 12, pp. 43–47, 2014.
Copyright © 2016 Y. P. Jiang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.