Intrusion Detection System for IoE-Based Medical Networks

Internet of everything (IoE) has the power of reforming the healthcare sector - various medical devices, hardware, and software applications that are interconnected, tendering a massive volume of data. The huge interconnected medical-based network is prone to significant malicious attacks that can modify the medical data being communicated and transferred. IoE permits dynamic two-way communication and empowers the network with intellect, sophisticated data handling, caching, and allocation mechanisms. In this paper, an improvement in the conventional variable-sized detector generation for healthcare - IVD-IMT algorithm under Artificial Immune System (AIS) based Intrusion Detection System (IDS) capable of handling enormous data generated by the IoE medical network is proposed. Algorithm efficiency is dependent on two performance metrics - detection rate and false alarm rate. The input parameters were tuned using synthetic datasets and then tested over the NSL-KDD dataset. The research lays emphasis on lowering the false alarm rate without compromising on the detection rate.


INTRODUCTION
The Internet of Everything (IoE) marks a step forward from the Internet of Things (IoT). IoT connects various devices into internet-like networks such as RFID or NFC, to enable end-to-end data transfer from users to the cloud. It is one way of communication with the sole purpose of collecting data from the environments these gadgets are placed in. On the other hand, IoE supports bidirectional communication through intelligent networks which include both gadgets and people. The bottom layer is aware of its environment and does more than mere data collection.
With advancements in IoE, millions of devices over the internet can conduct communication. IoE (Miraz et al., 2018; Patel & Patel, 2016; Ryan & Watson, 2017) has its application in the healthcare sector, providing real-time services with reduced healthcare costs. It has enhanced the performance, precision, and accuracy of medical procedures.
Medical networks (Dong et al., 2016; Dwivedi et al., 2019; Kumar & Bairavi, 2016) comprise Internet of Medical Things (IoMT) devices that record patient information, actuators that display results, processing units to generate reports, and finally data management units such as cloud storage. Such complex systems that include manual operations and automation at higher levels see high traffic influx on a day-to-day basis. Network security in such cases poses a fair challenge for two reasons: latency and accuracy. While any security system needs to be robust, and a breach of medical data may cost a patient their life, data rate cannot be compromised in serious health situations. Security checks are required to be highly optimized to deliver real-time data. If the security system has high sensitivity, any legitimate change in normal state may raise numerous false alarms. The healthcare sector has faced a massive number of cybersecurity attacks in recent decades. The security of a network majorly focuses on authentication, confidentiality, and integrity (Muhammad et al., 2017; Yeole & Kalbande, 2016). Existing Intrusion Detection Systems (IDS) (Foley, 2021; Sunke, 2008; Tiwari et al., 2017; Xu et al., 2013) are prone to stealthy attacks like Man in the Middle attack, where parameters like CPU usage and loop latency see a negligible change and end up undetected. Dynamic networks like IoE require dynamic security systems that can adapt to the new normal seamlessly, without compromising on the detection rate.
Various methods have been proposed for the implementation of IDS, the Artificial Immune System (AIS) (Balthrop et al., 2002; Dasgupta et al., 2004; Read et al., 2012) being one of them. Biological immune systems have antibody cells called lymphocytes that provide immunity to the body from pathogens. These antibody cells are closely modelled as detectors in the AIS and have the same properties as lymphocytes and other antibodies. AIS integrates the principles and fundamentals of the biological immune system (Srivastava & Lin, 2021), incorporating error resistance, dynamic adaptation, real-time self-detection, and computational facilities. Lymphocytes are referred to as negative detectors as they are qualified for binding to non-self-cells.
Like all predictive models, AIS can produce false results in the form of false negatives and false positives. A high false positives value would indicate autoimmunity, while a high false negatives count brings the detection rate down. This paper lays emphasis on optimizing the generation of dynamic detectors, using Negative Selection, that can distinguish between non-self and self-cells. Figure 1 depicts a simplified diagrammatic version of the artificial immune system, where specific detectors are generated to only detect non-self-antigens. This paper attempts to generate detectors in a multidimensional space, with each dimension representing a parameter that categorizes any point in space into self and non-self.
The main contributions to this paper are as follows:
1. Improve the time complexity of the Variable sized detector generation algorithm during detector generation through the proposed IVD-IMT algorithm to handle the enormous data generated by medical networks established by the IoE model.
2. To ensure the security of voluminous and sophisticated data, better coverage around self or non-anomalous data points to better detect stealthy attacks that may pass as normal in physical anomaly detection systems.
3. Draw a comparative study of variable-sized detector generation for the massive statistics
The structure of the paper is as follows: Section 2 enlists the previous work on security in medical networks. Section 3 discusses our motivation for the paper. Section 4 discusses the proposed AIS approach for implementing IDS. Section 5 discusses the results followed by section 6 which concludes the study.

RELATED WORK
AIS has been known to implement Intrusion detection systems for ensuring a secure network in the field of healthcare. There have been several models proposed to address security issues. Yang et al. (2014) have proposed a detailed description of implementing an IDS system based on the AIS. It comprises methods like encoding antibodies, evolution mode, and generation algorithms. A detailed summary regarding the IDS of IoT implemented on the Negative selection algorithm (NSA) and Danger theory was proposed by Pamukov et al. (2017) along with a comparative analysis on the same. The paper also outlined the prerequisites required for the IoT IDS. An amalgamation of AIS and genetic algorithms had been proposed by Barani et al. (2014) detecting instructions that are dynamic in nature and present in mobile networks.
David J. Langley et al. (2021) explore the fundamentals of IoE models, and their value addition to running businesses. They talk about the levels of smartness that the components of a network may be endowed with and their effect on the overall network communication. The devices can now do more than just send the data they receive, turning the communication into bidirectional activity.
Ying Tan et al. (2016) discuss the AIS and human immune system, it further recognizes and studies the concepts related to the computer immune system (CIS). There were several papers presented that were based on anomaly detection. Angelov et al. (2016) discussed the state-of-art of AIS and reviewed various immune established algorithms and functions, further discussed the associated application, and contributed to the establishment of vigorous IS-based algorithms. It also outlines the various AIS approaches that exist. R. Banu et al. (2016) presented a paper that introduced various methods for ensuring security in IoT based on the biological immune system. It establishes that biologically based models for ensuring security provide vigorous defense and decentralized systems. These models provide a more scalable system and are self-organized. Mahdi H. Miraz et al. (2021) talk about the expanding use cases of IoE in corporations and the impact they can have on customer experience in current ecosystems. Bayar et al. (2015) propose biological immune system-inspired methods for fault detection, diagnosis, and recovery (FDDR). It summarizes the essentials for FDDR and highlights biological immune systems and approaches with regard to FDDR issues. It distinguishes the AIS into three divisions such as one-signal, immune network, and two-signal-inspired methods. A probability investigation was carried out to find the association between the number of detectors and the identification probability of a random fault. This was studied by D'haeseleer et al. (1996) and utilized matching probability for assessing the number of detectors. This paper discusses the approaches that are statistical in nature for analyzing the coverage of the detector in NSA, known as an evaluation that is quantitative. V-detectors are known to eliminate the detector coverage issues with effective methods by Z. Ji et al. (2005). V-detectors handle the issue of detector coverage differently with innovative techniques by estimating the area covered by the definite set of detectors. Dipankar et al. (2004) proposed V-detector NSA for addressing the detector coverage problem. The solution focuses on calculating proximate coverage on the generation of detector sets. It also highlights that when detectors of constant size are generated, the detector count needs to be mentioned beforehand.

MOTIVATION
IoE networks have tremendous potential in the medical field. However, in practice, these networks need strong protection against intrusion. They transfer highly sensitive medical information. With increased applications of the medical network in healthcare, the possibilities of malicious attacks on the network have increased. Conventional methods of placing physical intrusion detection nodes in the network make the orchestration less dynamic and pass stealthy attacks as normal network behavior. This served as the motivation to design a secure IoE-based intelligent intrusion detection system for the medical network with minimal overhead and a high detection rate. Multiple false alarms from a highly sensitive algorithm may lead to shutting down the entire alerting system, defeating the very purpose of subtle anomaly detection. AIS presents itself as an innovative solution to maintain this balance. It trains on the set of 'self' data points provided by the user, to prevent autoimmunity.

PROPOSED MODEL
This section contains a detailed analysis of the IVD-IMT algorithm, in terms of time complexity, and detector generation phases and maps them to the AIS principles used. It also talks about the dataset used along with feature extraction implementation to improve model performance.

Negative Selection Algorithm with Detectors of Variable Size
IVD-IMT is based on the Negative Selection Algorithm (NSA) (Bendiab & Kholladi, 2010; Igawa & Ohashi, 2009; Yang et al., 2020), an integral part of AIS. It distinguishes between self and non-self-cells. NSA comprises a detector set that is generated during the training phase using the self-cells and autoimmune detectors are removed. An advantage of using this technique over neural networks comes from the adaptive nature of the generation process. If new types of cells are identified as self in the future, generators surrounding that area can be regenerated to accommodate the changes instead of training the entire model again. Fundamental goals for all negative selection algorithms are: (1) reducing the number of detectors generated, to maintain a lightweight model; (2) ensuring that the set of detectors addresses maximum possible anomalies, in other words, to maximize non-self space coverage; (3) efficient generation of detector sets, in terms of time complexity and computational power required by the generation algorithm. IVD-IMT has been built upon the idea of detectors with variable sizes. Detector generation is considered complete when target coverage, an input parameter to the algorithm, is reached. Variable-sized detectors (Ji & Dasgupta, 2004; Ji & Dasgupta, 2009; Beyer, Shapiro, Lamont et al, 2005) have an associated advantage in which the detectors' geometry is of no relevance. Hence, it does not lead to any difficulties in using various representations for detectors.
In most real-valued NSA algorithms, the detector size is decided according to a predefined threshold. Variable-sized detectors do not work on such constraints, which optimizes the generation algorithm. The radius of each detector depends on the position of the nearest self-point in the space. In areas sparsely populated by self-points, detector size grows to ensure maximum coverage per detector. For estimating the area covered, the algorithm utilizes the point percentage enclosed by the detectors.

Dataset Description
The data set used for training is the NSL-KDD (Meena & Choudhary, 2017) training data set. It comprises the records selected from the complete KDD data set. The training data set does not contain any redundant or duplicate data points. There are 21 attacks present in the training data-set and there exist 37 attacks in the testing data set. The different attacks that are known are contained by the training data set whereas the standard attacks are the extra attacks that the test data set consists of. The attacks have been classified into four major classes: dos, probes, privileges, and access attacks. The below section lays emphasis on the feature extraction method. Figure 2 depicts the distribution of the NSL-KDD data set.

Feature Extraction - Principal Components Analysis (PCA)
Principal component analysis (Hidayat et al., 2011; Lhazmir et al., 2017; Murali, 2015) is a feature extraction method utilized for decreasing the features and dimensions for improving the computational ability of the model. The data set usually comprises several associated variables, signifying possibilities of various redundant variations. PCA ensures the retention of relevant features in the data set by converting to a group of new variables which are linear functions of the original data referred to as principal components (PCs), these are not correlated and are oriented in a specific order such that only the initial contains significant features composed by the original features. Deciding on the new variables boils down the problem to only determining the eigenvalue/vector; this makes PCA an adaptive data analysis technique. This method is successful in maximizing the variance and retaining the variance to a great extent. The section below describes the algorithm. Figure 3

Proposed Algorithm for Detector Generation
This section talks about the acceptance criteria, i.e., when the algorithm has generated enough detectors. It also proves the optimization in terms of time complexity over the traditional V-Detector algorithm, followed by the IVD-IMT algorithm.

Coverage
For a given detector set in a defined region, coverage can be calculated as the ratio of the area of the non-self region (Ji & Dasgupta, 2004; Beyer, Ji, & Dasgupta, 2005) covered by detectors to the total area of the non-self region. If the region is taken as a set of points, it can alternatively be seen as the number of unsuccessful attempts to find an uncovered point in the non-self region to the total number of attempts. Therefore, if the algorithm finds an uncovered point at the nth attempt, by picking one random point at a time, the total number of unsuccessful attempts becomes n-1. Equation 1 provides the total detector coverage. Hence: where C is the total detector coverage in the non-self region. It can be given as a parameter to the algorithm in the form of the minimum coverage required.
The algorithm generates enough detectors such that the coverage is equal to or greater than C.

Detector Generation
The idea is to divide the entire non-self region into groups, to improve the coverage achieved by v detectors (or variable-sized detectors) while reducing the time complexity by saving iterations through the entire self-set for every single detector. The areas near self-points need good coverage to detect stealthy attacks that may otherwise go unnoticed due to minimal changes in network parameters like loop delay or additional computational power (Forrest et al., 1994; Hart, 2005). Figure 4 displays the detector generation in GUI. This algorithm can be divided into two major steps:
1. To identify self-region clusters or groups in the entire space, regions with concentrated densities of self-set points and group them into self-regions, each with a centre as the mean of coordinates of the constituent points. Once all central points have been identified, the detector generation is initiated for every group centre. Detectors are generated in the vicinity sphere, i.e. within a specified radius from the respective centre, to closely cover the boundaries of these groups. The radius should cover the farthest self-point in the group, as measured from the centre of that group. The degree of closeness to the self-set boundary can also be supplied as a parameter. If the self-threshold is too small, the space between self-samples could not be represented. In other words, more samples are needed to train the system properly. On the other hand, if the self-threshold is large, the false self region represented by the boundary samples may be too large to accept.
2. After iterating through every group centre, random points in the non-self region are chosen as detector sphere centres, and their radius is taken as the distance to the centre of the nearest detector found in the current detector set. This would result in a huge improvement over finding the nearest self-set point for every detector in terms of time complexity for large datasets of self-data since the size of the detector set would be of a much smaller order.
The time complexity of the detection generation algorithm can be calculated as follows by equations 2 and 3: where r is the number of groups, S_i is the number of self points in that region, d_i is the number of detectors in the vicinity sphere and D_i denotes the number of detectors generated after the first phase of the algorithm is over, that is detectors lying in the region outside the vicinity sphere, D is the total size of the detector set. This time complexity can be proved to be less than that of the conventional algorithm for detectors of variable size. The algorithm has been built on the assumption that the size of the detector set will always be less than the total number of self-points in the dataset. For the conventional algorithm, every detector is generated with a radius equal to the nearest self point, which would need an iteration over the entire self-set in the worst case, hence for D number of detectors, it can be represented as: A B for A B and 1 1

Design Architecture for IVD-IMT
In the following analysis, it was assumed that both self and non-self points appear in some bounded n-dimensional real space. Some finite numbers of self-samples are provided as input (Ji & Dasgupta, 2009). They are randomly distributed over the self-region. The training data is noise-free, meaning all the self-samples are real self-points. This is not necessary in principle but is used to simplify the discussion. To evaluate the detection performance, the testing data are a finite number of random points over the entire space in the question described above. Each of those points can be verified to be self or non-self. Figure 5 below depicts the proposed architecture for IoE environment. The process begins with capturing data from the patient, preprocessing to make it fit for feeding to the detector generation algorithm, and finally testing the model to report intrusion.

The IVD-IMT Algorithm
Radius of the vicinity sphere is calculated by the given formula in equation 5 as Euclidean distance between the mean of coordinates in the group and the farthest self point: (5) where l_i is the coordinate of the farthest point in the ith dimension and u_i is the coordinate of the mean or the group center in the ith dimension and n is the number of dimensions. The self-space in 2 dimensions (figure 6), as obtained after performing PCA to generate 2 components of the training data-set.
Axes have been inverted in the following GUI implementation, but the same data set has been used to generate circular variable-sized detectors (figure 7), for low and high target coverage respectively:

RESULTS AND ANALYSIS
The effect of the parameters of control and the variations in the strategy has been studied by means of additional experiments. The difference in results was found to be related to the number of sample points or a variety of forms in terms of self-region, including the specific geometric parameters. On the part of the algorithm, the difference was dependent on the target coverage and provided a threshold as the minimum distance from self-points. The following sections lay emphasis on the evaluation criteria and further analysis of the algorithm.

Evaluation Metrics
The NSL KDD data set was divided into training and testing sets, the training set consisting of self-points and the test set as a shuffled set of self and non-self points, in a 20:80 ratio respectively. where TP stands for a number of True Positives, which means the test point belonged to the non-self region and was detected as an anomaly by the algorithm, FP stands for the number of False Positives, which means the test point belonged to the self region and was detected as an anomaly by the algorithm, FN stands for the number of False Negatives, which means the test point belonged to the non-self region and was not detected as an anomaly by the algorithm.

Graphical Analysis
The two performance metrics, as discussed at the beginning of this paper - detection rate and false alarm rate - were plotted against input parameters to IVD-IMT; namely the number of dimensions, target coverage, and the value of the threshold, which is a measure of how tightly bound the detectors must be to the boundaries of the self region. The results have been shown in Figure 8. It was observed that an increase in the dimension results in a fall in the detection rate and an increase in the false alarm rate as depicted in the following graphs. If the threshold is too high it results in decreased detection rate and defeats the purpose of the algorithm to detect stealthy attacks, while a value too low increases the false positive rate and causes unnecessary alerts. Figure 8 below depicts the graphical analysis. Starting from a detection rate of 97.767% and a false alarm rate of 1.88% for 99% target coverage and 0.01 threshold in 2-dimensional space, the deviation in detection rate at 0.56% decline was significantly less than the 36.7% rise in false alarm rate. A steep curve was observed in the 4-dimensional stage, with a relative decrease of 76.95% and 106.22% in detection rate and false alarm rate respectively. Therefore, the application of IVD-IMT should be restricted to three-dimensional data points. Varying the target coverage parameter showed minimal deviation in false alarm rate with an increasing curve since the higher the target coverage, the larger the area covered by detectors. In case the self-points in test sets do not fall under any vicinity spheres created around training self points data, these outliers may increase the false alarm rate. The detection rate shows a significant improvement as it is directly proportional to the target coverage value provided. The graphs were plotted for 2-dimensional data analysis, at a 0.01 threshold. Similar observations were made in the case of the threshold parameter, a high threshold indicates loose boundaries and hence the false alarm rate goes down. The detectors would be at a distance from the self-points and hence not detect any closely outlying self-points near the boundaries. The graphs were plotted for 99%, 95%, and 89% threshold values in yellow, red, and blue color respectively.

Comparative Analysis
Axes have been inverted in the following GUI implementation. Still, the same data-set has been used to generate spherical variable-sized detectors, to draw a comparative study of the conventional V detector algorithm vs the proposed version of the variable detector algorithm.
The self space in 2 dimensions, as obtained after performing PCA to generate 2 components of the training data-set. Figure 9 displays the representation of the self points in the self region. Figure 10 represents the detector generation in GUI for the V-detector and IVD-IMT algorithm.
Figure 10 shows the detector generation in the traditional V-Detector algorithm and IVD-IMT. The generation of detectors around the boundary can be easily distinguished in both cases, due to the formation of vicinity spheres, boundaries are densely populated with smaller-sized detectors which have an impact in increasing the detection rate. This would be especially advantageous in detecting stealthy attacks since the anomalous points would lie in proximity with the self region and would be passed as non-anomalous by physical intrusion detection models. Table 1 compares the detection rate and false alarm rate accuracy of the IVD-IMT algorithm with the conventional V Detector algorithm. The algorithm achieved coverage of 99%, with a threshold value of 0.01, i.e. closely covering the boundary of the self spaces with this limit set at 1000 detectors. Overall, a detection rate of 97.767% and a false alarm rate of 1.88% were achieved for 99% target coverage in 2-dimensional space which proves to be more successful than the conventional V Detector. Table 2 compares the accuracy of IVD-IMT with other Machine Learning algorithms (Thirumalai & Mohan, 2020). ML algorithms are supposed to be computationally heavy and are known to have a greater time complexity. IVD-IMT is at par with other ML algorithms and in addition, provides better computation power with reduced time complexity. Figure 11

Discussion
After running several simulations on the varied datasets, anomaly detection via the IVD-IMT algorithm has delivered comparable detection rate and false alarm rates to neural networks for multi-dimensional data points, with improved time complexity over the conventional variable detector algorithm. This study also analyses the contemporary models regarding flexibility to new normals, computational complexity, and training time required before the systems are functional. The statistical nature of this algorithm gives it an edge over machine learning models that cannot be dynamically tuned without additional resource investment. IoE applications are not restricted to software units (Del Gaudio & Hirmer, 2021; Lata & Kumar, 2021; Some et al., 2021) that can run computationally complex algorithms, and each stage from the edge to the cloud needs to be secured. While the results for 2-dimensional data are in line with the research in Computer Immune systems, the model shows steep deviations when sample space goes beyond 3-dimensions. The concept of vicinity spheres is able to exploit spatial proximity to identify self and non-self entities on the X-Y-Z planes, but it opens the gates to a much deeper investigation when one needs to determine the anomaly based on 4 or more key attributes. Feature extraction through Principal Components Analysis has been pertinent to the dimensional limitation of this algorithm, but it's important to measure how it modifies the original data. The input features are transformations on real data and make it difficult to trace the outlying attribute for detected anomalies that may prove to be essential during mitigation.

Conclusion and Future work
The proposed IoE-based algorithm dynamically allows two-way communication for detectors of variable size. These variable size detectors were tested on real-valued data points in multiple dimensions, for different values of self-threshold and their performance was analyzed. The detection rate was improved by 24.8% and the false alarm rate was found to be decreased by 27.69% when compared with the conventional Variable Detector algorithm. Comparative analysis with other machine learning models proved that the algorithm has comparable accuracy, or detection rate along with the lowest false alarm rate. The algorithm achieved coverage of 99%, with a threshold value of 0.01, i.e., closely covering the boundary of the self-spaces with this limit set at 1000 detectors. For estimating the area covered in the full non-self-region the algorithm V-detector utilizes the point percentage enclosed by the detectors. Overall, a detection rate of about 7.76% and a false alarm rate of 1.88% were achieved for 99% target coverage in the two-dimensional space, 97.22% in the three-dimensional space. From the experimental results, the proposed algorithm shows extremely promising results for handling two-dimensional and three-dimensional spaces and can be modelled for similar anomaly detection models with real-valued, multidimensional data that can be created from multiple features in a data-set. We intend to improve the algorithm accuracy for higher dimension values in the future.
As with increasing dimensions the detection rate tends to fall whereas the false alarm rate is inclined towards the increase thereby reducing the accuracy.

Figure 1. Artificial Immune System generated by multiple dimensions in terms of detection rate and false alarm rate (a): Distribution of NSL KDD data-set for 4 PCA components according to attack flag - anomalous and non-anomalous data points and figure 3 (b): Distribution of NSL KDD data-set for 4 PCA components according to attack map - 4 types of attacks - dos attacks, probe attacks, privilege attacks, access attacks.

Figure 2. Distribution of NSL KDD data-set

Figure 3. Distribution of NSL KDD data-set for 4 PCA components according to attack flag - anomalous and non-anomalous data points

Figure 4. Distribution of NSL KDD data-set for 4 PCA components according to attack map - 4 types of attacks - dos attacks, probe attacks, privilege attacks, access attacks

Figure 5. Architecture of IVD-IMT for IoE network environment

Figure 6. Diagrammatic representation of self-points for NSL-KDD

Figure 8. Graphical Analysis

Figure 9. Diagrammatic representation of Self points in the test set (a) represents the comparative Analysis of Detection rate and False Positive Rate and figure 11 (b) represents the comparative Analysis of time complexity.

Figure 10. Detector generation in GUI for V detector and proposed algorithm

Figure 11a. Comparative Analysis of detection rate and false-positive rate with alternative models to detect intrusion

Algorithm 1. IVD-IMT
Data: target coverage, threshold, self set
Result: Detector set for the supplied self set
/* Phase 1 - detector generation inside vicinity spheres */
Divide the self set into groups or clusters of closely spaced self points
current detector set ← [ ];
for each group do
    local number of covered points ← 0;
    Use equation (4) to calculate the radius of vicinity sphere;
    while True do
        Select a random point P in the vicinity sphere as the centre of the detector;
        if P is a self point then continue
/* Phase 2 - detector generation outside vicinity spheres */
Select a random point in the entire region;
if point is self point then continue; end
if point is non self and point is uncovered then
    X ← nearest detector in the current detector set;
    Radius ← Euclidean distance between the point and X;
    Add the generated detector to the current detector set;
else
    number of covered points += 1
end
if current coverage ≥ target coverage then return current detector set end
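A runnable sketch of the two phases described under Detector Generation and in Algorithm 1, added here as an example and not the authors' implementation. The grouping rule, the unit-hypercube region, the run-based coverage estimate, the standard detection and false alarm rate definitions, and the Phase 2 radius taken as the gap to the nearest detector's surface rather than its centre (so detectors touch instead of overlapping) are assumptions; the sample self set is constructed.

```python
import math
import random

def group_self_points(self_set, link):
    # Assumed grouping rule (the page names none): a point joins the first
    # group whose first member lies within `link`, else it starts a group.
    groups = []
    for p in self_set:
        for g in groups:
            if math.dist(p, g[0]) <= link:
                g.append(p)
                break
        else:
            groups.append([p])
    return groups

def vicinity_sphere(group):
    # Centre = mean of the group's coordinates; radius = Euclidean distance
    # from that centre to the farthest self point in the group.
    dims = len(group[0])
    centre = tuple(sum(p[i] for p in group) / len(group) for i in range(dims))
    return centre, max(math.dist(centre, p) for p in group)

def coverage_reached(run, target):
    # Assumed estimate: `run` consecutive covered samples mean run failures
    # out of run + 1 attempts to find an uncovered point.
    return run / (run + 1) >= target

def generate_detectors(self_set, target, threshold, link, rng,
                       max_detectors=1000, max_tries=5000):
    detectors = []  # each entry: (centre, radius, phase)
    # Phase 1: sample inside each vicinity sphere; radius comes from the
    # nearest self point of that group only, minus the self threshold.
    for group in group_self_points(self_set, link):
        centre, vr = vicinity_sphere(group)
        run = 0
        for _ in range(max_tries):
            if coverage_reached(run, target) or len(detectors) >= max_detectors:
                break
            p = tuple(c + rng.uniform(-vr, vr) for c in centre)
            if math.dist(p, centre) > vr:
                continue  # outside the sphere, resample
            nearest = min(math.dist(p, s) for s in group)
            if nearest <= threshold:
                continue  # self point: skipped, not counted
            if any(math.dist(p, c) <= r for c, r, _ in detectors):
                run += 1
            else:
                detectors.append((p, nearest - threshold, 1))
                run = 0
    # Phase 2: sample the whole region (assumed normalised to [0, 1]^n);
    # radius comes from the detector set, not from the self set.
    dims, run = len(self_set[0]), 0
    for _ in range(max_tries):
        if (not detectors or coverage_reached(run, target)
                or len(detectors) >= max_detectors):
            break
        p = tuple(rng.random() for _ in range(dims))
        if min(math.dist(p, s) for s in self_set) <= threshold:
            continue
        gap = min(math.dist(p, c) - r for c, r, _ in detectors)
        if gap <= 0:
            run += 1  # already covered
        else:
            detectors.append((p, gap, 2))  # touches its nearest neighbour
            run = 0
    return detectors

def rates(detectors, self_pts, nonself_pts):
    # Detection rate = flagged non-self / all non-self;
    # false alarm rate = flagged self / all self.
    def flagged(p):
        return any(math.dist(p, c) <= r for c, r, _ in detectors)
    return (sum(map(flagged, nonself_pts)) / len(nonself_pts),
            sum(map(flagged, self_pts)) / len(self_pts))

def constructed_self(rng, centres=((0.25, 0.25), (0.75, 0.75)), per=40, spread=0.08):
    # Constructed sample data: two tight clusters of "normal" points in 2-D.
    pts = []
    for cx, cy in centres:
        for _ in range(per):
            a, d = rng.uniform(0, 2 * math.pi), spread * math.sqrt(rng.random())
            pts.append((cx + d * math.cos(a), cy + d * math.sin(a)))
    return pts

def demo(seed=7, threshold=0.01):
    rng = random.Random(seed)
    self_set = constructed_self(rng)
    dets = generate_detectors(self_set, 0.95, threshold, 0.3, rng)
    probes = [(rng.random(), rng.random()) for _ in range(500)]
    nonself = [p for p in probes
               if min(math.dist(p, s) for s in self_set) > threshold]
    return self_set, dets, rates(dets, self_set, nonself)

if __name__ == "__main__":
    _, dets, (dr, far) = demo()
    print(len(dets), "detectors, detection rate", dr, "false alarm rate", far)
```

Phase 2 sizes each detector without consulting the self set, so the false alarm rate has to be measured on held-out self points; only Phase 1 detectors are guaranteed by construction to stay clear of the training self points.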