Intrusion Detection Analysis of Internet of Things considering Practical Byzantine Fault Tolerance (PBFT) Algorithm

In order to improve the security performance and accuracy of the Internet of things in the use process, it is necessary to use the Internet of things intrusion detection method. At present, the problem of inconsistency between the accuracy of detection results and nodes is more prominent when the Internet of things intrusion detection methods are running. This paper proposes a practical Byzantine fault-tolerant intrusion detection method for the use process of the Internet of things. This method introduces the intrusion detection method and the operation function of foreign attackers on the basis of practical Byzantine fault tolerance; using the expected utility function to the corresponding benefit function of practical Byzantine fault tolerance, the results of Internet of things intrusion detection model can be effectively calculated. Finally, the experimental results show that compared with the existing intrusion detection methods, the proposed method can effectively reduce the energy consumption of the Internet of things in the operation process, can effectively reduce 14.3% and 7.8%, and can effectively reduce the energy consumption of the Internet of things in the operation process.


Introduction
The Internet of things is a separate network established in the form of self-organization. The traditional Internet of things data can not meet people's monitoring needs compared with simple ushering in the era of Internet of things intrusion detection and analysis network [1][2][3]. Internet of things intrusion detection analysis is to add CMOS microcameras, microphones, and other facilities on the premise of using traditional Internet of things nodes to realize the performance of image acquisition, audio, video, and other data. Realize the application of the Internet of things intrusion detection and analysis network in the monitoring field, adopt the combination of the advantages of the traditional Internet of things and the Internet of things intrusion detection and analysis network, and use the coordination function of the combination to achieve the purpose of long-term, effective, and accurate monitoring in the environment. The system can realize the effect of real-time monitoring of a wireless multimedia network. When there are problems in the Internet of things or equipment on the network, the Internet of things intrusion detection system will receive early warning information, and the system will locate the fault information and inform the next level system [4][5][6][7].
In order to improve the efficiency of Internet of things intrusion detection and reduce the energy consumption in the use of Internet of things, this paper proposes an Internet of things intrusion detection method based on the practical Byzantine fault-tolerant algorithm. By giving priority to identifying nodes with high reliability for intrusion detection, all nodes in the network can be published at the end of detection, so as to realize the analysis of Internet of things intrusion detection. mobile network. The fuzzy c-means method is used to reduce the data aggregation in the mobile network, and the principal component method is used to reduce the data information after the cluster. The component aggregation of the data after dimension reduction needs to be compared with the corresponding dimension number and set the value. If the set value is the same as the comparison result, an alarm will be triggered to detect the mobile network.
Using the calculation method of principal component, the variable X of the sample is changed and substituted into the low-dimensional space Y [8,9]. The formula is as follows: In the formula, the number of samples in the mobile network is represented by X, which is composed of the number of M observation objects and the number of N columns, and represents a value in the coordinates of M. The orthogonal photographic data combined by the sample covariance matrix is represented by W and calculated in the form of sample matrix. T stands for transpose matrix. C represents the covariance value of the sample.
where u i is the average value and the following formula exists: In the formula, i = 1, 2, ⋯, N and W i represent the i-th column sample covariance matrix existing in W in the orthogonal matrix, λ i represents the special values occurring in matrix C, and W i represents the special values represented by and special values. Arrange the data in order according to the size of the data, and combine the value λ i corresponding to the first l special values to obtain the L -dimensional data after dimension reduction.
Set the random correlation matrix after u initialization to take value in the interval [0, 1], and meet the constraints of the following formula: Let v i represent c cluster centers i = 1, 2, ⋯, c, and the calculation formula of cluster centerv i is Calculate the cluster center and the second from the formula. The Euclidean distance between this sample is d ij .
The fuzzy optimal solution is obtained by the objective function J.
In the formula, M represents the fuzzy weighting factor, and the objective function J represents the sum of squares of distances between each cluster center and each sample. Set the threshold ζ. When the target relationship value J is greater than the threshold ζ, prove that the sample data set is intrusion data, alarm, and complete the intrusion detection of mobile network.

Optimized Deployment of IoT Nodes and Information Fusion Processing
3.1. Optimized Deployment Design of IoT Nodes. In order to realize real-time feedback control of online learning and monitoring of things, firstly, the optimal structure design of single-networked nodes requires the use of balanced sensor node control methods for single-network node link distribution model structure, assuming that there are k ðk ≥ 2Þ nodes in single network disjoint paths. Betweenvandv ðvÞ, why the aggregate distribution of E, SN, RN nodes isV = fv 0 , v 1 , v 2 ,⋯,v n , inv n+1 , v n+m g, the redundancy capacity of a single-layer relay node is described as RCðv j Þ = Cð v j Þ − wðv i Þ, and in Figure 1 in the defined multimedia monitoring area, the tree structure and cross structure are used to periodically forward data packets to the sensor node and cluster head node. The node dispersive link design that divides the time window between the sensor node and the cluster head node is presented. As shown in Figure 1, the Internet of things is initialized through the monitoring node link model under multimedia, and the cluster head vector group D n of the multimedia 2 Wireless Communications and Mobile Computing sensing data node is constructed, and the data set is divided into multiple two-dimensional subregions A k according to the width of the time window. A k is mainly a twodimensional information entropy group jd n−max − d n−min j ⋅ ð 1/KÞ, which satisfies A k = A. According to Figure 2, there is channel allocation layout of two relay nodes under the multimedia monitor.
If there is a certain space between the SN and sink of the Internet of things, k = 1 is initialized, and the position distribution set of multimedia sensor nodes under monitoring is S = fs 1 , s 2 ,⋯,s n g, and the double-layer relay nodes are uniformly distributed. The layout method is constituted, using the obtained configuration feature distribution equation. The formula can be expressed by the following formula: 〠f 3.2. Information Fusion Processing of Sensor Nodes in the Cluster. Based on the detailed design of the corresponding configuration design of the Internet of things nodes, the data is extracted for the two-dimensional entropy feature corresponding to the sensor nodes in the cluster to alleviate the computational overhead information of monitoring multimedia [8]. The processing steps are as follows: (Step 1) Enter the geographic coordinates of the Internet of things SN, sink, and initialize the operation of the scope of the Internet of things monitor. ( Step 2) Determine the sleep time. In the information data center, the distance d = fd 1 , d 2 ,⋯,d n g between SN and sink is sorted. The group corresponding to the cluster location distribution of multimedia sensor nodes in the monitoring area is S = fs 1 , s 2 ,⋯,s n g. ( Step 3) k = 1 is initialized, the pseudorandom number adaptive sorting of the multimedia sensor sequence is determined from the current position, and Tag = 1 is placed.
(Step 4) When d k ≥ d 0 and TagðkÞ = 1, obtain the best position of the data cluster fusion center and move to step 5. Otherwise, the algorithm ends.
(Step 5) Setting the maximum number of hops for the learning factor s k of the Internet of things. count max ðs, vÞχ k is associated with the sensing IoT route itself and TagðkÞ = 0.
(Step 6) Select nodes randomly arranged on the connection line of s k and sink under the sensing Internet of things, and adjust the energy and resources of a network node calculated by RN in the monitoring area ðχ k − 1Þ under the sensing Internet of things, and set s k . The next hop is marked as k, and the multimedia detection information output by the sink node in the range of d0 is quantified, fused, tracked, and identified.

Wireless Communications and Mobile Computing
The threshold for selecting data is fxmax, xming. By defining the connection line between each node SN and sink in the cluster, the maximum number of hops can be obtained and the node dimension entropy of IoT learning can be obtained. Meet the following formula: The average value of data near the monitoring node learned through the Internet of things has the spatial characteristics of the distribution of monitoring feedback data The information probabilities l and g of the unit data subset are integers, assuming that the probability weighted distance of each node determines the threshold group. After dðv i ′ , v j Þ > ð1/2Þdðv i+1 , v j Þ, the channel allocation control function used for data transmission in a single node i has been described.
3.3.2. IOT Transmission Delay Control. The linear shift channel allocation method is used, and the intelligent search algorithm for the transmission delay control of the Internet of things is used to perform the processing of the Internet of things learning monitoring feedback link equalization.
When the distance from the SN to the sink is arranged in descending order and the load of the object's network cluster head n i is constant, the global balanced scheduling method is used to perform real-time feedback control of monitoring information. The fuzzy adaptive weighted control processing of multimedia sensor nodes describes the critical thresholds related to physical network learning to monitor real-time feedback.
In the formula, E elect represents the global energy equalization coefficient. Through the above processing, the global equalization control of the transmission link of the Internet of things is realized, and the real-time feedback capability of multimedia information learning and monitoring is improved through the optimal configuration of the smart phone node.

IoT Performance Monitoring
Model. RTFM is a working group established by IETF. We have proposed a general framework for describing and measuring single network services. And based on this framework, based on RTFM, the Internet of things intrusion detection and real-time risk based on the real-time monitoring platform of the Internet of Thousands of Things are proposed. The early warning and real-time risk early warning system model is shown in Figure 3. The model is classified into four modules: rule input system, flow collection system, data analysis system, and database system.
In this model, the traffic collection system is based on the rules set by the rule input system. Thousands of real-time Internet of things traffic filter and aggregate the Internet of things traffic, save the effective data in the database system, and provide it for data analysis. The system handles it. The data analysis system processes valid data to obtain the changes and distribution information of the Internet of things intrusion to predict, adjust, and manage the actions of the Internet of things.
The flow of the system model is shown in Figure 4.
In the shared media Internet of things, any packet that flows through the Internet of things is higher than the grouping required by the hardware configuration of the Internet of things segment business, making it impossible to process the intercepted packets in time. As long as the server used for IoT intrusion analysis is installed in the network segment interconnected with the outside world and the network card of the machine is set to "hybrid" mode, all IP data packets entering and leaving the Internet of things can be captured, and if the IP packets are analyzed and then compiled if successful, you can get the necessary information such as the source address, destination address, data volume, and application protocol. Its advantage is that it does not change the structure of the Internet of things, does not increase the load of the Internet of things, and does not occupy the resources of the Internet of things. It has nothing to do with the waiting time of the Internet of things and does not affect the network usage of user items.
This article uses Raw Socket to implement the Sniffer method is relatively simple but only cuts the packet above the IP layer and does not contain frame information. It can not meet some special requirements. From the analysis In the formula, attender has intrusion detection system and intruder. The attacker is replaced by a and the intrusion detection system is represented by B. The intrusion detection system is different from the attacker's attack space: attacker a's attack space. A a = ðN, A, M, PÞ includes normal, attack, abnormal, and preattack. Formula A d = ðC, R, W, DÞ represents the action space of intrusion detection system. It includes continuous execution, execution, early warning, and protection.
Set the respective representatives of U a ðA a Þ and U d ðA d Þ as the revenue function of attacker and intrusion detection system, T represents the total number of games, and equation (21) was converted into the following equation: Make attack strategy suit and defense strategy suit according to formula (22). The expressions are as follows.
In the formula, S N , S N , S P , and S A represent normal, attack, abnormal, and preattack action strategies, respectively. S C , S R , S W , and S D , respectively, indicate continued execution, recommended execution, alarm, and protective action. S ad = ðs a , s d js a ∈ S a , s d ∈ S d Þ expressed the action strategy of both sides of the bureau.
In the case of action strategy S ad = ðS A , S C Þ, the attacker obtains the highest benefit in the mobile network. In action strategy S ad = ðS P , S D Þ, the intrusion detection system is beneficial to the attacker when the attacker attacks the moving body [10,11]. If an attacker wants to attack a moving body on the network, the intrusion detection system will take preventive measures. Through the above analysis, the intrusion detection system and the attacker's action strategy are converted into the corresponding preference set, and the expected utility function is used to set the preference set in the interval ½0, 1. UðXÞ represents the effective function of both sides of the game. The behavior of U ðXÞ is as follows: The equation represents the probability of intrusion detection system or attacker adopting different strategies in mobile network each time and represents the benefits of various strategies. Under ideal conditions, the probability of different action processing by attacker and intrusion detection system is 0.25. uðx i Þ can calculate the income matrix of the game model and get the balance of the game model.

Optimization Method of Practical Byzantine Fault-Tolerant Intrusion Detection
Method. The adjustment value of the balance calculation method can be fed back randomly, the practical performance of the mobile network is increased by the adjusted probability of P i , the profit factor P i is substituted into the function formula, and the intrusion detection method is actually optimized. The setting of P * = ðP * 1 , P * 2 ,⋯,P * i Þ represents the random optimal equilibrium value that occurs in the real Byzantine calculation method. P * i = ðP * 1 , P * 2 ,⋯,P * k Þ represents the situation of intrusion detection system and tactics used by attackers in a game. P * i represents the tactical hybrid probability set by the intrusion detection system and the attacker. Δ i represents a collection of hybrid tactics.
The mixed strategic space Δ = Q Δ i of the intrusion detection system and the attacker is obtained by equation (26). Through the strategy space Δ, the probability function π * i of the intrusion detection system and the attacker's choice of action strategy is obtained.
In the formula, λ denotes the weighting coefficient. When λ approaches infinity, the stochastic optimization reflects that the equilibrium is close to nanometer equilibrium, and the final result can be obtained by equation (26).
The ideal probability in a normal mobile network is almost zero, and attackers use different attack methods and strategies to attack the mobile network. Formulas (1) and (14) are optimized consistently to improve the detection accuracy of the actual Byzantine intrusion detection method. Suppose δ ∈ ½0, 1 is representative of the profit factor. The 5 Wireless Communications and Mobile Computing profit of both parties during the game is determined by the profit factor. The larger the value of δ, the more important the intrusion detection system or the attacker attaches to the overall profit and the higher the rate of return. The smaller value ofδ indicates that the intrusion detection system or the attacker pays less attention to the overall income. If the efficiency function is imported, the following formula can be obtained: Formula (28) belongs to the revenue function. Players in each game need to actively change their action tactics to maximize the revenue value, check malicious attacks in the mobile network according to the revenue function, and delete the combination of malicious nodes to improve the security performance of the mobile network [12][13][14].
3.6. Disciplinary Mechanisms. The use of disciplinary agencies poses a threat to malicious nodes in the mobile network. The purpose of the retribution mechanism is to have one node representing the attack, but the other nodes are not represented by the malicious node transmitted from the next timeslot. There are three levels of punishment.
(1) If no malicious node is detected in the previous mobile network game, all nodes remain in the current state in the network, and if the malicious node is detected in the mobile network, it will move to the next step (2) Punishment agencies punish malicious nodes and keep other nodes in the mobile network in their original state during punishment (3) After malicious node operation, the real data ðU 1 , ⋯,U N Þ of mobile network is shown below. If there is malicious behavior in the third step, it needs to go back to the second step according to the punishment malicious node If the malicious node ϑ becomes normal, the maximum profit of node ϑ in the departure time slot is v k , the profit of node ϑ in the punishment T k time is _ v k , and the profit of node ϑ in the normal state is v k ′. The average discounted utility valueÛ k of node ϑ in mobile Internet of things can be obtained: The utility value of the average discount of the node ϑ in the game when the node ϑ is in the normal state is According to Formulas (29) and (30), the deviation profit ΔU k of node ϑ in mobile network can be obtained. Δ U k is calculated by the following formula: In formula (31), the deviation gain must be below zero, and the deviation gain of node ϑ is smaller than the cooperation gain. At this point, no rational node in the mobile network deviates from the normal state.  The network cluster structure adopted in this paper is mainly composed of cluster head node and general node, which is a general topology structure in practical application. The common nodes, namely, sensor nodes, are terminal nodes in single network. The cluster head node (that is, the gateway device in a single network) manages the nodes in the cluster and reports data to the outside world. IDS operates at the cluster head node, and each cluster head node performs intrusion detection between it and other cluster head nodes based on PBFT [15]. The specific network topology is shown in Figure 5.

Data Set Preprocessing.
The KDD Train of the NSL-JDD data set was tested experimentally. The training model of 20 percent training set allows nodes to randomly select one from the test subset of KDD test-21 to record and perform intrusion detection operations as the node at this time (Table 1). indicates the number of samples whose sample error is judged to be negative. Then, Detection Rate (DR) is defined as

Experimental Evaluation
The other mode of intrusion detection is energy consumption, which has the characteristics of the following: (1) EV is the energy consumption in node election, (2) EDI is the energy consumption of node intrusion detection, (3) EP is the energy consumption of node to publish detection results, and (4) EC is the statistical energy consumption of node measurement results.
Energy consumption of all nodes in the network is 4.4. Experimental Scheme Design. In order to test the effectiveness of the practical Byzantine fault tolerance algorithm proposed by ontology, the SVM algorithm is used to detect the NSL-KDD data set to obtain the detection rules. In the experimental process of this paper, the relevant rules of flow control and intrusion detection can be realized by using the microcontroller, and the Active Message layer can be used to effectively control the RF module, so as to realize the mutual communication between the communication nodes. Based on the previous single network intrusion detection methods, this paper presents a comparative experimental study. Detailed simulation environment parameters are shown in Table 2.
4.5. Analysis of Results. In this paper, simulation experiments are conducted on different types of network nodes and abnormal proportion nodes in the initial state, as shown in Figure 6. Experimental results obtained in different types of network states can be seen. As can be seen from the experimental results in Figure 6, due to the impact of dimensionality reduction, the accuracy of the training data set will also be affected to a certain extent. Therefore, the twodimensional reduction detection method is used to optimize the model used by the algorithm in this paper to ensure that the detection rate of colleges and universities can be achieved under the condition of a large number of network nodes. Figure 7 shows the error rate in a single network with different proportions of the three methods attacking nodes. As can be seen from Figure 7, PBFT can modify the detection errors of a single node, and the introduced matching protocol has the lowest error rate. However, false positives occur on the network only when detection errors occur on nodes above M + 1. On the other hand, IIDS and TDTC methods only rely on the detection results of a single node, especially the TDTC method which has the highest false  By evaluating the network intrusion detection method, the network energy consumption can be obtained. Under the same experimental conditions, the algorithm proposed in this paper can complete the algorithm test under the environment of as little energy consumption as possible. As shown in Figure 8, after setting 15% and 20% of the total number of different nodes for different attackers, the energy consumption of all nodes in the experimental system is      Wireless Communications and Mobile Computing compared and analyzed to ensure that the energy consumption of IPBFT on network nodes is as low as possible. Compared with the IDS algorithm, the energy consumed by IPBFT algorithm can be reduced to 13.5% when the attacking node process takes up 25%, and the network attacking node can also be reduced from 20% to 12.5%. Compared with the TDTC algorithm, IPBFT algorithm can reduce energy consumption by 6.9% when attack nodes account for 15% of network usage. Compared with the other two methods, the IPBFT algorithm in this paper consumes less energy.

Conclusions
The Internet of things has been widely used in many fields such as life service, machinery manufacturing, medical treatment, economy, and business, but it will lead to the loss of data and information and lead to serious losses when it is invaded by external hackers, viruses, and viruses. In existing mobile Internet of things in the intrusion detection, test results are not accurate, and node inconsistent problem, through the practical Byzantine fault tolerance in the mobile Internet of intrusion detection method, can effectively solve the serious problems that exist in the existing methods, through the experimental results which show that the method can effectively improve the safety and accuracy of the mobile Internet of things.

Data Availability
Data sharing is not applicable to this article as no data sets were generated or analyzed during the current study.

Conflicts of Interest
The authors declare no conflicts of interest.