A Bayesian inference-based detection mechanism to defend medical smartphone networks against insider attacks

https://doi.org/10.1016/j.jnca.2016.11.012

Abstract

With the increasing digitization of the healthcare industry, a wide range of devices (including traditionally non-networked medical devices) are Internet- and inter-connected. Mobile devices (e.g. smartphones) are one common device used in the healthcare industry to improve the quality of service and experience for both patients and healthcare workers, and the underlying network architecture to support such devices is also referred to as medical smartphone networks (MSNs). MSNs, similar to other networks, are subject to a wide range of attacks (e.g. leakage of sensitive patient information by a malicious insider). In this work, we focus on MSNs and present a compact but efficient trust-based approach using Bayesian inference to identify malicious nodes in such an environment. We then demonstrate the effectiveness of our approach in detecting malicious nodes by evaluating the deployment of our proposed approach in a real-world environment with two healthcare organizations.

Introduction

With the rapid advancements and interconnectivity of information and communications technologies (ICT), it is no surprise that ICT form the backbone of many aspects of the healthcare and medical industry. For example, it has been estimated that ICT could save 63 billion dollars in healthcare costs over the next fifteen years, with a 15–30% reduction in hospital equipment costs (Evans and Annunziata, 2012).

However, healthcare or medical networks are subject to more stringent scrutiny, in comparison to traditional networks (Symantec, 2015), due to the sensitivity of information (e.g. patient data and medical history) and the number and diversity of devices that could potentially be exploited to target the system (Williams and Woodward, 2015). According to a survey by Harries (2014), for example, the number of information security breaches reported by healthcare providers soared 60% from 2013 to 2014, which is almost double the increase in other industries. A more recent McAfee report explained that vulnerabilities affecting networked medical devices are not different from other operational technologies (e.g. medical devices), consumer technologies (e.g. smartphones) and other forms of ICT (e.g. hospital networks) (Healey et al., 2015). The networked medical devices may be vulnerable to accidental failures, privacy violations, intentional disruption, and widespread disruption.

It is no surprise that medical and mobile devices are targeted by cybercriminals due to the use of such devices to store and/or access sensitive information such as patient's personally identifiable information (PII) and medical history. In addition, with the widespread adoption of mobile technologies and the decreasing costs of mobile devices (e.g. Android and iOS devices), mobile devices are increasingly integrated in MSNs (e.g. recording patient's medical conditions and accessing patient's records in real-time during ward visits). These devices are generally connected to the organization's wireless network; thus, each device can be considered a node. Although such networks are private, they can be compromised by exploiting vulnerabilities in process, people and technology (Choo et al., 2014, Williams and Woodward, 2015). For example, an attacker may seek to infect a mobile device with malware with the aim of stealing sensitive information and compromising other devices in the network (Choo, 2011). Recent studies demonstrated that air-gapped devices and wearable devices (e.g. smartwatch) can also be compromised to covertly exfiltrate data using inaudible sound waves (Do et al., 2015, Do et al., 2016, O'Malley and Choo, 2014).

Thus, the capability to identify malicious devices in MSNs is crucial in ensuring the security of the network and the privacy of the data. This is the problem we address in this paper. Specifically, we first introduce the background of MSNs and describe the operational requirements (see Section 2). We observe that while a centralized security mechanism with dynamic traffic monitoring is desirable in MSNs, trust-based approaches are often used to defend against insider attacks in the literature (Bao et al., 2012, Duma et al., 2016, Shaikh et al., 2009). Therefore, to satisfy the requirements in the healthcare and medical industry, we apply and evaluate a trust-based detection approach based on Bayesian inference (Meng et al., 2013) to identify malicious nodes within the networks. In particular, our mechanism employs a hierarchical infrastructure in order to facilitate trust computation and management. To investigate the performance, we evaluate the proposed mechanism in real-world medical environments under different scenarios. The experimental results demonstrate that our approach is more effective in detecting malicious nodes with an acceptable workload, in comparison to other similar trust models.

The remainder of this paper is organized as follows. In Section 2, we introduce medical smartphone networks. Section 3 describes the practical requirements and proposes a security mechanism for securing medical networks from insider attacks. Section 4 presents our evaluation and discusses some challenges. Section 5 describes related work. Finally, we conclude the work in Section 6.

Section snippets

Medical smartphone networks and practical defense requirements

Medical smartphone networks (MSNs) are increasingly being implemented in hospitals, clinics and other healthcare centers. Healthcare providers consider MSNs as an emerging wireless network, specific for healthcare and medical purposes. An example of such networks is illustrated in Fig. 1, where mobile devices (e.g. smartphones) connect with each other and form an internal network to facilitate information exchange and management.

Despite the benefits afforded by having networked devices in MSNs

Trust-based intrusion detection mechanism

According to the requirements outlined in the preceding section, intrusion detection systems (IDSs) can be used to secure MSNs, due to the capability to inspect traffic and apply security policies. Thus, in this work, we apply a hierarchical trust-based intrusion detection mechanism for MSNs, which utilizes Bayesian inference to identify malicious nodes. Specifically, the mechanism provides a number of features that are suitable for healthcare settings:

  • Our mechanism can inspect MSN traffic in
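As an added illustration of Bayesian trust scoring with a central aggregation point (not code from the paper or its authors), the sketch below scores each node by the posterior mean of a Beta(1, 1) prior over "the next packet is normal". The formula choice, the 0.8 threshold, the 50-packet window, the class name `TrustServer` and the node names are all assumptions made for this example; the page does not give the paper's own parameters.

```python
from collections import defaultdict, deque

THRESHOLD = 0.8  # assumed cut-off; the page does not state one
WINDOW = 50      # assumed: only the most recent verdicts are counted


class TrustServer:
    """Hypothetical central node that aggregates per-phone packet verdicts."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        # node id -> recent verdicts, True = packet judged normal by the IDS.
        # window=None keeps the full history (deque without a bound).
        self.verdicts = defaultdict(lambda: deque(maxlen=window))

    def report(self, node_id, packet_verdicts):
        """Record verdicts forwarded by a monitoring node, oldest first."""
        self.verdicts[node_id].extend(packet_verdicts)

    def trust(self, node_id):
        """Posterior mean of P(next packet is normal) under a uniform prior."""
        seen = self.verdicts.get(node_id, ())
        k, n = sum(seen), len(seen)
        return (k + 1) / (n + 2)  # 0.5 for a node with no history

    def malicious_nodes(self):
        """Nodes whose trust value has dropped below the threshold."""
        return sorted(n for n in self.verdicts if self.trust(n) < self.threshold)


def demo(window=WINDOW):
    """Constructed sample reports; node names and counts are made up."""
    server = TrustServer(window=window)
    server.report("phone-A", [True] * 40)
    # Insider that behaves well for a long time, then turns malicious.
    server.report("phone-B", [True] * 200 + [False] * 30)
    server.report("phone-C", [True] * 9 + [False])
    return server


if __name__ == "__main__":
    for label, win in (("windowed", WINDOW), ("full history", None)):
        s = demo(win)
        scores = {n: round(s.trust(n), 3) for n in sorted(s.verdicts)}
        print(label, scores, "flagged:", s.malicious_nodes())
```

With the full history, the late-turning node keeps a trust value above the threshold because its earlier good behaviour dominates; the bounded window is what lets the score react.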

Performance evaluation

We implement our detection mechanism in two healthcare environments (H1 and H2) in collaboration with the IT administrators in these two healthcare organizations, both located in China. Due to privacy restrictions (e.g. local privacy legislation), our detection mechanism can only be deployed on 10 phone nodes in H1 and 18 phone nodes in H2. Specifically, we develop a lightweight IDS version in Java for these 18 Android phones,

Related work

Medical smartphone networks are an emerging architecture in healthcare organizations. There are few studies that focus specifically on MSNs, although a lot of research efforts have been dedicated to wireless sensor networks (WSNs). MSNs have their own characteristics, but also share some similarities with WSNs in terms of infrastructure. In this section, we briefly introduce IDS and trust-based intrusion detection for WSNs.

IDS. These systems have been widely implemented in current computer

Conclusion

Due to the potential benefits that can be realized by the digitalization of information and the increasing popularity of mobile devices, the trend of medical smartphone networks (MSNs) is unlikely to fade anytime soon. MSNs, an emerging architecture in healthcare organizations, facilitate communication and management within the organizations (e.g. between medical practitioners and patients). However, there are underlying security risks that need to be considered, which could have real-world


References (36)

  • Do, Q., et al., 2016. Is the data on your wearable device secure? An android wear smartwatch case study. Softw.: Pract. Exp.
  • D'Orazio, C.J., et al., 2016. Data exfiltration from internet of things devices: ios devices as case studies. IEEE Internet Things J.
  • Duma, C., Karresand, M., Shahmehri, N., Caronni, G., 2016. A trust-aware, p2p-based overlay for intrusion detection....
  • Evans, P.C., Annunziata, M., 2012. Industrial Internet, Pushing the Boundary of Mind and Machines. (November 26)...
  • Fung, C.J., Baysal, O., Zhang, J., Aib, I., Boutaba, R., 2008. Trust Management for Host-Based Collaborative Intrusion...
  • Ghosh, A.K., Wanken, J., Charron, F., 1998. Detecting Anomalous and Unknown Intrusions Against Programs. In:...
  • Gonzalez, J.M., Anwar, M., Joshi, J.B.D., 2011. A Trust-based Approach against IP-Spoofing Attacks. In: Proceedings of...
  • Guo, J., Marshall, A., Zhou, B., 2011. A New Trust Management Framework for Detecting Malicious and Selfish Behaviour...

Weizhi Meng is currently an assistant professor in the Department of Applied Mathematics and Computer Science, Technical University of Denmark (DTU), Kongens Lyngby, Denmark. He received his B. Eng. degree in Computer Science from the Nanjing University of Posts and Telecommunications, China and obtained his Ph.D. degree in Computer Science from the City University of Hong Kong (CityU), Hong Kong in 2013. He was known as Yuxin Meng and prior to joining DTU, he worked as a research scientist in Infocomm Security (ICS) Department, Institute for Infocomm Research, Singapore, and as a senior research associate in CityU after graduation. He won the Outstanding Academic Performance Award during his doctoral study, and is a recipient of The HKIE Outstanding Paper Award for Young Engineers/Researchers in 2014 and the Best Student Paper Award from the 10th International Conference on Network and System Security (NSS) in 2016. He is a member of Association for Computing Machinery (ACM) and IEEE. His primary research interests are cyber security and intelligent technology in security including intrusion detection, mobile security and authentication, HCI security, cloud security, trust computation, web security, malware and vulnerability analysis. He also shows a strong interest in applied cryptography.

Wenjuan Li is currently a Ph.D. student in the Department of Computer Science, City University of Hong Kong. Prior to this, she worked as Research Assistant in CityU HK and was previously a Lecturer in the Department of Computer Science, Zhaoqing Foreign Language College, China. Her research interests include network management and security, collaborative intrusion detection, spam detection, trust computing, web technology and E-commerce technology.

Yang Xiang received his PhD in Computer Science from Deakin University, Australia. He is the Director of Centre for Cyber Security Research, Deakin University. His research interests include network and system security, data analytics, distributed systems, and networking. In particular, he is currently leading his team developing active defense systems against large-scale distributed network attacks. He is the Chief Investigator of several projects in network and system security, funded by the Australian Research Council (ARC). He has published more than 200 research papers in many international journals and conferences, such as IEEE Transactions on Computers, IEEE Transactions on Parallel and Distributed Systems, IEEE Transactions on Information Security and Forensics, and IEEE Journal on Selected Areas in Communications. He has served as the Program/General Chair for many international conferences such as SocialSec 15, IEEE DASC 15/14, IEEE UbiSafe 15/14, IEEE TrustCom 13, ICA3PP 12/11, IEEE/IFIP EUC 11, IEEE TrustCom 13/11, IEEE HPCC 10/09, IEEE ICPADS 08, NSS 11/10/09/08/07. He has been the PC member for more than 60 international conferences in distributed systems, networking, and security. He serves as the Associate Editor of IEEE Transactions on Computers, IEEE Transactions on Parallel and Distributed Systems, Security and Communication Networks (Wiley), and the Editor of Journal of Network and Computer Applications. He is the Coordinator, Asia for IEEE Computer Society Technical Committee on Distributed Processing (TCDP). He is a Senior Member of IEEE.

Kim-Kwang Raymond Choo received the Ph.D. in Information Security from Queensland University of Technology, Australia. He currently holds the cloud technology endowed professorship at the University of Texas at San Antonio, and is an associate professor at University of South Australia. He was named one of 10 Emerging Leaders in the Innovation category of The Weekend Australian Magazine / Microsoft's Next 100 series in 2009, and is the recipient of various awards including ESORICS 2015 Best Research Paper Award, Highly Commended Award from Australia New Zealand Policing Advisory Agency, British Computer Society's Wilkes Award, Fulbright Scholarship, and 2008 Australia Day Achievement Medallion. He is a Fellow of the Australian Computer Society, and a Senior Member of IEEE.
