A Quantitative Risk Evaluation Model for Network Security Based on Body Temperature

Traditional network security risk evaluation models have certain limitations in real-time performance, accuracy, and characterization. This paper proposes a quantitative risk evaluation model for network security based on body temperature (QREM-BT), which draws on the mechanism of the biological immune system, in which an imbalance of the immune system can result in body temperature changes. First, the r-contiguous bits nonconstant matching rate algorithm is used to improve the detection quality of the detector and reduce the missing rate or false detection rate. Then the dynamic evolution process of the detector is described in detail. The mechanism of increased antibody concentration, which is made up of activating mature detectors and cloning memory detectors, is mainly used to assess network risk caused by various species of attacks. On this basis, this paper not only establishes the equation of the antibody concentration increase factor but also puts forward the antibody concentration quantitative calculation model. Finally, because the mechanism of antibody concentration change is reasonable and effective and can effectively reflect the network risk, a body temperature evaluation model is established. The simulation results show that, according to the body temperature value, the proposed model assesses network security risk more effectively and in real time.


Introduction
With the continuous expansion of network size, increasingly complex network structures, and the rapid development of information technology, research on assessment models has become one of the hot topics in the network security field. Bass was the first to propose the definition of network situation awareness [1]. The boom in network security situation awareness followed. In the past two decades, experts and scholars have used not only the Analytic Hierarchy Process (AHP) [2,3], attack graphs [4,5], and Bayesian networks [6,7] to study risk assessment but also the hidden Markov model [8,9]. With the advent of Computer Immunology, researchers began to study the domain based on artificial immunity [10,11], such as network risk assessment based on antibody concentration [12]. In the meantime, the shift from a static to a dynamic state accords relatively well with the realistic environment.
Kotenko and Chechulin proposed a safety assessment framework based on attack graphs [13]. The method has higher computational complexity. Taking into consideration the impact of time and environmental factors, Khosravi-Farmad et al. proposed a quantitative risk assessment method using a Bayesian attack graph [14]. Literature [15] put forward an architecture based on a feed propagation neural network for intelligently computing the probability of occurrence of a network attack. Rezvani et al. proposed a new risk assessment methodology [16], whose algorithm includes two concepts: first, the dependence of the risk score between the source host and the destination host, and, second, the transmission of risk between network flows. Based on these two concepts, they developed an iterative algorithm to calculate the risk scores of hosts and network flows, which makes the algorithm converge quickly. The study of risk assessment is very important not only for government agencies, research institutes, and large-scale enterprises but also for military networks. Hemanidhi et al. put forward a military network risk assessment framework [17]. The experiments of Wu et al. demonstrated the effectiveness of a security threat recognition and analysis method based on attack graphs [18]. The situation assessment method of Li et al. [8], based on the hidden Markov model (HMM), can reflect the security situation of the current complex network environment relatively accurately. However, some experiences can affect the objectivity of the results. Xi et al. improved the network security situation assessment method based on the HMM [9], so that the quantitative result is more reasonable. Nevertheless, the accuracy of the collected data sources needs to be improved. Literature [19] proposed a network security situation assessment method based on immune danger theory, but the method cannot perceive more situational factors or complex network security situations.
Although the above literature can be used to evaluate network security accurately, the result of evaluating the network environment lacks a certain flexibility. Moreover, because wireless sensor networks are unattended and deployed in hostile environments [20], security is a critical issue for them. In the meantime, some scholars refer to sensors for human activity monitoring [21,22]. Thus, this paper puts forward a quantitative risk evaluation model for network security based on body temperature (QREM-BT), which makes the characterization of the network immune system more in line with the biological immune system. It can be used to assess network security risk.

The Model of Basic Theory and Design Idea
The biological immune system is a highly distributed, self-adaptive, and self-learning system. It has a sound mechanism to resist the invasion of foreign pathogens. After the body is infected with a pathogen, it can produce specific antibodies and effector T cells to improve immunity to the pathogen. But before the biological immune system recovers through adaptive regulation, the body produces fever and other symptoms; as the intensity of the virus threat increases, the body temperature also rises. Thus, when a computer is attacked by illegal attacks from outside or by illegal activity inside the network, the antibodies in the computer immune system can, following the mechanism of the biological immune system, quickly recognize these antigens. As the antibody concentration increases, the corresponding body temperature of the computer also shows a certain rising trend; at the same time, a network of multiple computers can evaluate the body temperature status of the entire network based on the importance of each computer. By evaluating network risk according to body temperature, the size of the body temperature value makes it more convenient and more direct to determine risk levels and to take the corresponding protective measures.
The QREM-BT model is composed of three parts, namely, intrusion detection, antibody concentration, and body temperature assessment. The design idea is briefly summarized as follows. (1) The detected attacks are classified by the blood [23]. (2) According to the matching process of antigen and antibody, the antibody concentration of the corresponding attack types is calculated. (3) For body temperature based on antibody concentration, the body temperature range is mapped to a defined body temperature area, and network risk is assessed through the body temperature.

Risk Analysis and Calculation Based on QREM-BT Model
In order to assess network security risk more accurately and in real time, the model uses the r-contiguous bits nonconstant matching rate algorithm to improve the detection quality of the detector [24]. To reflect the real network environment, self, the various detectors, and the corresponding tolerance all change dynamically. To obtain a more intuitive risk assessment, the model determines the risk level by temperature change.
3.1. The Dynamic Evolution Process of Self.
In the actual network environment,  and  are usually unsteady. The dynamic evolution equation of self is defined as where  is the threshold of self-set size,  → is the change of network environment caused by self-variation (self-change into nonself), and  dead show when the self-set size is more than the threshold on the basis of LRU principle to eliminate the number of self-sets.

r-Contiguous Bits Nonconstant Matching Algorithm.
Because the constant r-contiguous bits matching algorithm cannot detect illegal network behavior accurately enough, the matching process of antigen and antibody uses the r-contiguous bits nonconstant matching rate algorithm [10].
The algorithm uses segmentation and key positions, setting a different matching threshold for each segment according to its importance.
In order to avoid the "black hole" and reduce missing rate or false detection rate, while improving the detection quality of the detector, we have the following matching calculation method, where "1" represents "match" and "0" represents "mismatch": where the length of the match string  1 ,  2 was  and they are, respectively, divided into  segments, set key position is represented by Key , in key field, the matching threshold of each field is set as   ,  Key , =  Key  represents the key position of fragment  the same as Key , , and  is defined as the sum of each fragment of the matching threshold multiplied by 1 or 0.

The Dynamic Evolution Process of Detector Self-Tolerance.
In order to prevent a detector from matching self, each detector undergoes self-tolerance (if detector and  matching succeeds, discard the detector), which improves the effectiveness of the detector. The dynamic evolution equations of detector self-tolerance are as follows: where  is the updating cycle of detector,  tolerance () is that  moment of mature detectors through the process of tolerance, and  random () is randomly generated immature detector.
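The matching and self-tolerance steps of the two sections above, as an added Python example (not code from the paper): the classic constant r-contiguous rule, a segmented nonconstant variant, and negative selection of detectors against a self set. The paper's matching equation did not survive on this page, so the decision step (every key segment matches and the weighted score reaches `min_score`), the 16-bit strings, the thresholds and the key segment are assumptions constructed for illustration.

```python
import random

def r_contiguous_match(a, b, r):
    """Constant rule: True when a and b agree in at least r contiguous bits."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False

def segmented_match(a, b, seg_len, thresholds, key_segments, min_score):
    """Nonconstant rule, with an ASSUMED decision step.

    Segment i is compared with its own threshold thresholds[i] and yields 1
    (match) or 0 (mismatch). The score is the sum of threshold * (1 or 0),
    as the text describes. Assumption: a match needs every key segment to
    yield 1 and the score to reach min_score (hypothetical parameter)."""
    score = 0
    for i, r_i in enumerate(thresholds):
        lo = i * seg_len
        hit = r_contiguous_match(a[lo:lo + seg_len], b[lo:lo + seg_len], r_i)
        if i in key_segments and not hit:
            return False
        score += r_i * int(hit)
    return score >= min_score

def tolerate(self_set, matcher, length, wanted, rng, max_tries=100_000):
    """Self-tolerance: a random immature detector that matches any self
    string is discarded; survivors are returned as mature detectors."""
    mature = []
    for _ in range(max_tries):
        if len(mature) == wanted:
            break
        cand = "".join(rng.choice("01") for _ in range(length))
        if not any(matcher(cand, s) for s in self_set):
            mature.append(cand)
    return mature

def is_nonself(antigen, detectors, matcher):
    """An antigen is flagged when at least one mature detector matches it."""
    return any(matcher(d, antigen) for d in detectors)

# Constructed sample data: 16-bit strings, four 4-bit segments.
SELF = ["0000000000000000", "0000111100001111"]
THRESHOLDS = [4, 2, 2, 3]   # per-segment thresholds (constructed values)
KEY_SEGMENTS = {0}          # segment 0 is the key position (constructed)

def constant_rule(a, b):
    return r_contiguous_match(a, b, 4)

def segmented_rule(a, b):
    return segmented_match(a, b, 4, THRESHOLDS, KEY_SEGMENTS, min_score=8)

if __name__ == "__main__":
    x = "1111000000000000"
    y = "0111000000000000"   # differs from x only in the first key bit
    print("constant rule :", constant_rule(x, y))    # run spans segments 0-1
    print("segmented rule:", segmented_rule(x, y))   # key segment fails
    for name, rule in (("constant", constant_rule), ("segmented", segmented_rule)):
        dets = tolerate(SELF, rule, 16, 20, random.Random(7))
        leaked = sum(is_nonself(s, dets, rule) for s in SELF)
        print(name, "detectors:", len(dets), "self strings flagged:", leaked)
```

The pair `x`, `y` shows why a single constant threshold can be too permissive: a long run of equal bits elsewhere in the string hides a mismatch in the field that matters, while the segmented rule rejects it.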

The Dynamic Evolution Process of Mature Detectors.
If, within a certain period of time, a mature detector accumulates enough matching strings (greater than or equal to ), the memory detector will be activated, and, after activation, the matching number is reset to zero. When the set size of memory detector reaches the limit, a part of the memory detectors will be converted to mature detectors (using the LRU elimination rule).
Definition 1. Mature detector changes can be divided into two parts: increase and reduction. The increase of mature detector is defined as  increase Ma ; the reduction of mature detector is defined as  reduction Ma . The increase of mature detector is as follows: The reduction of mature detector is as follows: Mature detector overall evolution equation is as follows: where  initial→Ma Ma () is that  moment when the number of initial detector self-tolerances changes into mature detectors,  Mr→Ma Ma () is that  moment when the number of memory detectors changes into mature detectors when the set size of memory detector reached the limit,  Ma→Mr Ma () shows that  moment when the number of mature detectors reaching activation threshold becomes memory detectors,  clone Ma () denotes that  moment the number of clone mature detectors,  dead Ma () shows that, in a certain period of time, mature detector cannot accumulate enough matching string causing the number of dead mature detectors, and  is the max value of memory detector scale.

The Dynamic Evolution Process of Memory Detectors.
The clone scale and the activation threshold can change the number of memory detectors. Under certain conditions, a memory detector may mutate. Although memory detectors have a relatively long life cycle, the size of this kind of detector set has certain limits. Therefore, detectors beyond a predefined threshold are eliminated in accordance with the LRU rule.
The dynamic evolution equations of memory detector are as follows: where  dead Mr () is the number of memory detectors which matches self,  active Ma () shows the amount of memory detectors activated by mature detector,  clone Mr () is the number of clone memory detectors, and  variation Mr () means the amount of memory detectors mutating into immature detectors.

The Antibody Concentration Quantitative Calculation Model.
Antibody concentration changes because an illegal intrusion (antigen) causes the computer immune system to produce an immune response, which unbalances the immune system. More antigens cause a more serious imbalance; that is, the antibody concentration rises more obviously. After the antigen disappears (is killed), the concentration gradually tends to normal, but this takes a certain duration; if there is no match with an antigen for a long time, the antibody concentration is attenuated according to certain rules.
Definition 2. The formula of increasing antibody concentration is defined as where  = ( active Ma ()+ clone Mr ())/( initial ()+ Ma ()+ Mr ()).
Definition 3. The formula of attenuating antibody concentration is defined as where  is antibody concentration decay cycle and Δ is the duration of the antibody concentration decrease to zero.
Definition 4. Without considering the threat of attack types and the importance of equipment in the network, the host  under  attack of antibody concentration formula is defined as where   = ( ; the host  under all of the attacks of antibody concentration formula is defined as where num  attack is that  attack of the number of attacks; the intensity of the attacks about  attack is str  .
Theorem 6. If the threat is constant, the antibody concentration of the host  is strengthened with the increase of categories of attacks, that is, where   shows types of attacks and   ∈  * .
Proof. When  is zero, When  is greater than zero and  is equal to  1 , and so on; when  is greater than zero and  is equal to   , Therefore, we only need to prove Because the immune system according to the rules of the LRU is to weed out all kinds of detectors, but the overall size stays the same,   = ( )/( initial ()+ Ma ()+  Mr ()), with the increase of categories of attacks; from the above formula we can see that the numerator increases and the denominator remains the same; then Thus, as the kinds of attacks increase, the antibody concentration also rises.

Theorem 7. The antibody concentration of the host 𝑠 was strengthened with the increase of the number of attacks and the intensity of the attacks; that is, if num 𝜏 attack was increased or str  increased, then ∑   =     ab () was also increased.
Proof. Because when num  attack was increased or str  increased, according to   = 1 − 2 −√10num  attack +10 str  ,   was increased and because when num  attack was increased or str  increased, the activated mature detectors and memory detectors were also rising, then   ab () was increased and     ab () was also increased, so ∑   =     ab () was also increased.
Definition 8. When   is the importance of the host  in the network,  moment, all hosts   under  attack of antibody concentration formula are defined as where   = 1 − 2 −√  +  ,   manifests the price of the host , and   refers to the memory of the host .
Definition 9. All hosts   (i.e., entire network) under all of the attacks of antibody concentration formula are defined as
3.7. Body Temperature Assessment Model.
According to the mechanism of the biological immune system, the body temperature rises in the face of external viruses and other harmful substances (fever phenomenon), indicating that the invasion of harmful substances alters the physiological regulation of equilibrium. The risk a network faces from external attacks is analogous. Therefore, in order to distinguish the degree of network risk more conveniently and intuitively, body temperature is used to assess network risk: the body temperature is divided into different stages, each defined with a different color, so that the danger zone can quickly be determined from the color.
The host  under  attack of body temperature calculation formula is as follows: Through the fusion of risk for the host of all attacks, the host  under all of the attacks of body temperature calculation formula is as follows: Through the fusion of risk for all hosts with a kind of attack, all hosts under  attack of body temperature calculation formula are as follows: Through the fusion of risk for all hosts and attacks, all hosts under all of the attacks of body temperature calculation formula are as follows: Because the body temperature range of 0 to 1 and the defined body temperature range are different, the body temperature  needs to adopt deviation standardization of the inverse function, standardize to  * [7], that is,  * = (max − min) + min = 5 + 1. The standardized body temperature range is 1 to 6. The function of network body temperature is defined as   = 34 +  * .

Simulation Experiments and Analysis
This model uses the r-contiguous bits nonconstant matching rate algorithm in the stage of invasion, select artificial immune algorithm (AIA), where  ∈ [2,10]. It is proved that the matching algorithm can improve the detection rate of the nonself and reduce the false detection rate of self, which is shown in Figures 1 and 2.
In order to verify the feasibility and effectiveness of the method described in this paper, simulation experiments with typical types of attacks (such as SYN Flood, Land, and Smurf attacks) are used to test it. The structure of the experimental environment is shown in Figure 3. The experimental network is composed of twenty hosts, and the hosts  1 ,  2 , and so on are monitored. In this experiment, the selected parameters are as follows: initial antibody concentration is 0.015; the hosts  1 and  2 prices are, respectively, 0.3 and 0.6 thousand yuan; hosts memory is, respectively, 2 G and 4 G; that is, the importance of hosts is, respectively, 0.56 and 0.77; the intensity of the attacks of SYN Flood, Land, and Smurf attack is, respectively, 0.5, 0.8, and 0.1; the number of attacks is, respectively, 0.2, 0.1, and 0.15; that is, the threat of attack types is, respectively, 0.79, 0.87, and 0.62.
The host  1 of antibody concentration curve is illustrated in Figure 4 as the number of different attack types; as you can see from Figure 3, once an attack occurs, the antibody concentration increases. In three different states, in the moments of 24 to 76, the host  1 suffered no significantly strengthened attack, so the overall trend of change in antibody concentration is relatively stable. In the moments of 18-24, the host suffered a SYN Flood attack; with the increase of attacks, antibody concentration significantly increased. As can be seen from the whole, the antibody concentration of the host  was strengthened with the increase of categories of attacks and threat.
The antibody concentration and attack power curve is illustrated in Figure 5. As you can see from Figure 5, in the moments of 32-40, with the significant increase of attack times, antibody concentration also increases rapidly; antibody concentration is positively correlated with the attack times. In the moment of 25, antibody concentration reaches the first peak and the system has higher vigilance about attacks; attacks occur within a short time; in the moment of 40, the antibody concentration reaches the highest value; when attacks are weakened, the decrease of antibody concentration is delayed; in the moments of 40-50, antibody concentration basically remains unchanged; after the moment of 50, it begins to fall. In the moments of 50 and 70, the system takes appropriate measures and the falling speed is relatively fast. At other times, it does not take measures, the magnitude of the threat of attack is relatively small, and the antibody concentration change is relatively stable. As can be seen from the whole, due to the presence of IDS, at the beginning, the increase of antibody concentration is slow; IDS orders the firewall to prevent a part of the attacks. The overall increase of antibody concentration is smaller than that with no IDS. The effect of different initial antibody concentrations on risk values is shown in Figure 6.
As can be seen from the bar chart, when  is equal to 0.015, the value of risk is more satisfactory. The host  1 of attacks and antibody concentration increase factor curve is illustrated in Figure 7. The host  1 of antibody concentration and temperature evaluation is illustrated in Figure 8. As you can see from Figure 7, the antibody concentration increase factor  and the number of attacks change trend has good consistency: with the increase of the number of attacks, the corresponding  value will rapidly rise and vice versa. As you can see from Figure 8, the antibody concentration and temperature change trend has good consistency. Compared with Figure 7, it shows that if the number of attacks increases, the antibody concentration and temperature will increase, but if the number of attacks decreases, antibody concentration and temperature will slowly decline. Due to recurrence of similar attacks in a short time in the real network environment, the network has higher vigilance. Therefore, in Figure 8, in the moments of 35 to 45 and in the moments of 48 to 57, the change of antibody concentration and temperature is smooth. The temperature value is divided into five parts, namely, the definition of [0, 0.2] is very safe, (0.
The body temperature evaluation of the entire network is illustrated in Figure 9. In the moments of 0 to 100, the corresponding color of 0-60-moment body temperature characterization is shown in Figure 10. As you can see from Figure 9, in the moment of 40, the body temperature significantly increased, and the body temperature value was at a low risk stage. In the moments of 50 to 60, the body temperature was slowly falling, and it was still at a low risk stage; because the system does not take measures, the decrease in body temperature is explained by the system not suffering new attacks for a certain period of time, during which a part of the mature detectors died. In the moment of 70, the temperature increased, and the temperature value was at a moderate risk stage. But in the moment of 80, the temperature value decreased to a low risk stage, indicating that the system took the corresponding measures during this period. The scope of attack power is mapped to the range of temperature defined in this paper and compared with the network temperature. As you can see from Figures 11 and 12, both the model of literature [14] and the model proposed in this paper can represent the real-time network risk, and the experimental results remain basically consistent with the change of attack power. However, the proposed model is closer to the actual attack strength, and its network risk evaluation is more effective and accurate.

Conclusion
This paper draws on the mechanism of body temperature change caused by imbalance of the biological immune system, analyzes the change in antibody concentration caused by the change process of the various types of detectors in the computer immune system, and proposes a quantitative risk evaluation model for network security based on body temperature (QREM-BT). The model establishes the evaluation equations of antibody concentration and body temperature, and body temperature values are mapped to a body temperature range from which danger levels can be judged more conveniently and intuitively, making the model more in line with the mechanism of the biological immune system and of more practical significance. Simulation results show that, on the basis of the body temperature value and the corresponding color, the model assesses network security risk relatively more effectively, in real time, and intuitively.

Figure 1: The nonself detection rate of two matching algorithms.

Figure 3: The experimental environment structure diagram.

Figure 4: Host  1 antibody concentration on the condition of the number of different attack types.

Figure 5: Under conditions with IDS and without IDS, the host  2 of antibody concentration and attack times diagram.

Figure 6: The effect of different initial antibody concentrations for risk values.

Figure 7: Host  1 of attacks and antibody concentration increase factor.

Figure 8: Host  1 of antibody concentration and temperature evaluation factor.

Figure 9: The temperature evaluation of the entire network.

Figure 11: The change curve of the measured body temperature and the actual attack intensity with the model of literature [14].