Optimal Report Strategies for WBANs Using a Cloud-Assisted IDS

Applying an Intrusion Detection System (IDS) to Wireless Body Area Networks (WBANs) becomes a costly task for body sensors due to their limited resources. To solve this problem, a cloud-assisted IDS framework is proposed. We adopt a new distributed-centralized mode, where IDS agents residing in body sensors will be triggered to launch. All IDS agents are only responsible for reporting the monitored events, not for intrusion decisions, which are processed in the cloud platform. We then employ the signaling game to construct an IDS Report Game (IDSRG) depicting interactions between a body sensor and its opponent. The pure- and mixed-strategy Bayesian Nash Equilibriums (BNEs) of the stage IDSRG are achieved, respectively. As two players interact continually, we develop the stage IDSRG into a dynamic multistage game in which the belief can be updated dynamically. Upon the current belief, the Perfect Bayesian Equilibrium (PBE) of the dynamic multistage IDSRG is attained, which helps the IDS-sensor select the optimal report strategy. We afterward design a PBE-based algorithm to make the IDS-sensor decide when to report the monitored events. Experiments show the effectiveness of the dynamic multistage IDSRG in predicting the type and optimal strategy of a malicious body sensor.


Introduction
Recently, a specific class of Wireless Sensor Networks, known as Wireless Body Sensor Networks (WBSNs) or Wireless Body Area Networks (WBANs), has been developed as physiological sensors and low power integrated circuits are rapidly evolving. A WBAN is generally composed of some miniaturized and intelligent sensors attached on or implanted in the body, which are able to establish wireless communication links. Such networks have attracted considerable attention since they are capable of allowing for many human-central applications such as health monitoring, sports training, interactive gaming, and personal information sharing [1][2][3][4][5]. However, applying WBANs has to face many issues and challenges due to limited resources of body sensors [6]. One challenge in a common healthcare scenario is how to process, store, and manage the huge amount of data gathered by body sensors.
Another challenge is how to meet the strict security requirement of WBANs applications [7,8]. The openness of the wireless media of WBANs makes it easy for a malicious attacker to launch various attacks. Moreover, data collected by body sensors are health related and highly sensitive. Security threats may put a patient in a hazardous situation and even cause death in the case of medical applications of WBANs. Therefore, an Intrusion Detection System (IDS) is required to protect body sensors from malicious actions. However, employing an IDS is a costly task for body sensors due to their limited computation capability and storage capability. Moreover, these body sensors usually hold limited power while approaches to realizing IDS are computationally expensive in general. To solve these problems, cloud computing can be seen as a good remedy.
As infrastructure, cloud computing provides various services in fields of computation, storage, data access, security, and software [9,10]. This computing model is therefore expected to play a significant role to make up for the deficiencies of body sensors. Combining WBANs with cloud computing will provide an integrated platform that realizes combination of different WBANs, scalability of data storage, and scalability of power for processing various data analyses [11]. The concept of Software as a Service, especially Security as a Service (SECaaS) [12] that represents the provision of security applications and services via the cloud platform to the customers' systems, changes the method of protecting body sensors. Through such a cloud-assisted IDS, we are able to detect misbehavior in WBANs and send back the response commands that isolate malicious body sensors. As a result, computation cost is no longer a critical factor influencing the effectiveness of security for body sensors, since security analyses and decisions are performed in the cloud platform.
International Journal of Distributed Sensor Networks
Different decisions are then emerging along with the application of a cloud-assisted IDS to body sensors. Generally, IDS agents should be initially deployed in body sensors that are referred to as IDS-sensors. After these IDS-sensors have collected other body sensors' events, a problem exists in optimizing their strategies to decide whether to report events involving malicious or normal behavior. Obviously, this problem is caused by limited resources of body sensors. On the one hand, if an IDS-sensor makes a choice not to report any events, it conserves its power and bandwidth, but no malicious body sensors will be captured. However, if an IDS-sensor reports each event it detects, the probability of capturing malicious body sensors will be increased, but the IDS-sensor will run out of its power much faster. To solve this dilemma, we are motivated to employ game theory to seek the optimal strategies.
By supplying a rich set of mathematical tools for exploring the strategic decision-making, game theory has been widely employed in different fields [13][14][15][16][17][18][19][20][21]. These typical applications exist in optimizing the strategy of launching IDS [22], seeking autonomously stable adaptation decisions [23], minimizing power resource allocation for interference mitigation [24], optimizing service deployment in cloud computing [25], and predicting malicious behavior of attackers [26]. Among various game types, the signaling game is profitable to depict interactions between a body sensor and its corresponding IDS-sensor. In a signaling game, one player called Sender has private information about its type set while the other called Receiver is public in its type set. Thus, we can relate a body sensor, which attempts to send messages, to Sender since it may be normal or malicious so that its type is unknown to IDS-sensors. On the other hand, the corresponding IDS-sensor is related to Receiver as it only has one type.
Our interest is then to seek the optimal report strategies for body sensors using a cloud-assisted IDS to save their limited power. We deploy IDS agents to each of the body sensors. However, only those body sensors that are chosen as relays will be triggered to launch. Their responsibility is to decide whether to report monitored events, not to perform intrusion decisions, which are analyzed and processed in the cloud platform to utilize its powerful capabilities of computation and storage. Thus, we address the issue that a body sensor is too limited in its resources to execute the intrusion detection task that is computationally expensive in general. Using the signaling game, we address the other issue: when should an IDS-sensor report the monitored events? We reflect economic interactions between a body sensor and its corresponding IDS-sensor by constructing an IDS Report Game (IDSRG). We gradually explore the pure- and mixed-strategy BNEs (Bayesian Nash Equilibriums) of the stage IDSRG. As two players play the game continually, we develop the stage IDSRG into a dynamic multistage IDSRG and attain the mixed-strategy PBE (Perfect Bayesian Equilibrium) of the dynamic game. Upon the advantage of PBE, we design an algorithm to guide the IDS-sensor with the optimal report strategy. In this manner, the IDS-sensor is able to prolong its battery life while reporting an acceptable amount of monitored events.
Our contributions are summarized as follows:
(1) We propose a cloud-assisted IDS framework for WBANs, in which intrusion analyses and decisions are performed in the cloud platform. Thus, a body sensor is no longer concerned about its limited computation for realizing its security.
(2) We construct the IDSRG based on the signaling game, which satisfies the actual environment where an IDS-sensor does not know the type of its opponent and is able to properly depict economic interactions between an IDS-sensor and its opponent.
(3) We attain equilibrium theorems of the stage IDSRG as well as the dynamic multistage IDSRG, which disclose the rational behavior of the IDS-sensor and its opponent.
(4) We design a report algorithm based on PBE, which provides an IDS-sensor with the optimal strategy to decide whether to take the action Report or not. In other words, an IDS-sensor does not always report monitored events, and thus its energy is saved.
The rest of this paper is organized as follows. In Section 2, we overview related works and highlight our particular aspects. In Section 3, we illustrate our network model and construct the stage and dynamic multistage IDSRG. In Section 4, we present a cloud-assisted IDS framework for WBANs and design a report algorithm based on PBE. In Section 5, we perform experiments to show the characteristics of the dynamic multistage IDSRG. Finally, conclusions are provided in Section 6.
Notations used in this paper are mainly listed in the Notations.

Related Work
Integration of cloud computing and WBANs is particularly attractive as it is able to expand the computation paradigm of WBANs. This infrastructure overcomes several shortfalls of WBANs like the storage capacity of data collected by body sensors and the ability to process these data. In spite of the above benefits, their emerging influences could be hindered by various security threats. Body sensors are susceptible to attacks, including node capturing and compromising. Patient's privacy may be lost in the cloud platform or may not be correctly supervised. For solving these issues, a protocol to attain storage and computation security in cloud computing is proposed in [27]. Zhang et al. [28] presented a key agreement scheme that provides neighboring body sensors with a common key generated by electrocardiogram signals, in order to preserve the integrity and privacy of medical data. The authors in [29] proposed a combined framework for reliable and secure data transmission in WBANs. In addition, the method of establishing trust among body sensors has been regarded as an efficient means to improve the security and performance of WBANs, in which trust evaluation [30] and trust management [31] always should be performed. Different from the above prevention-based mechanisms to guarantee network security, an IDS, as the second line of defense, is regarded as a detection-based approach that is a necessary tool for realizing security of networks [32]. Typical techniques such as the swarm based rough set [33], Kalman filter [34], support vector machine [35], and unsupervised anomaly detection [36] are applied to IDSs in different networks. Since malicious body sensors usually disrupt the normal operation of WBANs and waste limited resources of normal body sensors, an IDS is required for WBANs to detect malicious body sensors that have broken down the prevention-based mechanisms.
Using the IDS, WBANs will be capable of reacting with and isolating intruders to ensure body sensors' normal operation. However, there only exist a few studies of intrusion detection towards WBANs although many intrusion detection studies [37,38] have been done for Wireless Sensor Networks. In [39], the authors gave a security framework of WBANs for monitoring ambulatory health status. They then proposed an IDS, which is inspired by the biological immune system using the negative selection algorithm, to maintain performance of WBANs in the presence of malicious body sensors. Wu et al. [40] proposed an intrusion-tolerant scheme for WBANs, which is able to dynamically detect intrusions and provide an adaptive strategy with passive replication via the combination of threshold-based intrusion detection and replicas classification. Unfortunately, these works [39,40] do not consider the computation cost incurred by launching IDS agents. The emergence of cloud computing allows us to tackle this burden by applying its powerful computing ability. Through IDS services, IDS-sensors can transfer the cost of analyzing and processing suspicious data into the cloud platform. Thus, the rest of the problem of IDS-sensors is whether or not to report the monitored events.
Up to now, several works have been concerned about the utilities of employing an IDS via game theory. In [41], Otrok et al. proposed a cooperative game model for catching a misbehaving cluster head through checkers, which can analyze interactions among checkers to decrease the false positive rate. Moreover, a noncooperative zero-sum game between the cluster head and malicious node is formulated to maximize the probability of detection for an elected head. They [42] also conducted a noncooperative game between the intruders and IDS to guide the IDS to select an optimal sampling strategy in order to effectively reduce the success chances of intruders. Zhu et al. [43] combined game-theoretic modeling and trust management to design an intrusion detection network. With a noncooperative -person continuous-kernel game model, each IDS seeks reciprocal incentive-based optimal resource allocation to maximize the aggregated satisfaction levels of its neighbors. Huang et al. [44] proposed a new IDS called Markovian IDS, which is able to select the optimal defense strategy of misuse detection with noncooperative game theory and to determine the weakest nodes representing potential security risks via a Markov decision process. Zonouz et al. [45] proposed a response and recovery engine based on a two-player Stackelberg stochastic game, which applies attack-response trees to analyze undesired system-level security events and to choose optimal response actions by solving a partially observable competitive Markov decision process. Shamshirband et al. [46] introduced a method called cooperative game-based fuzzy Q-learning to implement cooperative defense counterattack scenarios for the sink node and the base station. Using the signaling game, Shen et al. [22] constructed an intrusion detection game, which is able to depict interactions between the sensor node and IDS agent. The PBE attained is applied to obtain the optimal strategy determining when to launch the IDS agent.
Thus, the IDS agent is not always in work and the sensor's power required to detect malicious behavior is saved. They [47] also obtain optimal strategies to save IDS agents' power, through Quantal Response Equilibrium (QRE) that is more realistic than Nash Equilibrium. In addition, Liu et al. [48] investigated the security and dependability mechanism when service providers are facing service attacks of software and hardware and proposed a stochastic evolutionary coalition game (SECG) framework for secure and reliable defenses in Sensor-Cloud.
Our work is distinguished in some aspects compared to the related works above. We adopt an IDS to detect malicious body sensors in WBANs so as to protect patients' privacy. We integrate cloud computing into WBANs to extend body sensors' abilities of computation and storage. Thus, plenty of computation cost incurred by IDS agents can be migrated from body sensors to the cloud platform. We construct an IDSRG in which the game type and corresponding equilibriums are different from [41][42][43][44], in order to seek the optimal strategy to decide when to report events monitored by IDS-sensors. The signaling game used in our work properly depicts the actual situation in which an IDS-sensor is uncertain about the type of its opponent. Our work is especially motivated by [22]. However, when analyzing the payoffs of two players, we consider the factors, including the channel reliability, attack success rate, detection rate, and false alarm rate, while only the detection rate and the false alarm rate are considered in [22]. Consequently, we attain the optimal strategies that are more adequate than those in [22].

Network Model.
In [49], Farooqi and Khan have overviewed that there are three different ways of installing IDS agents in Wireless Sensor Networks. These are purely centralized, purely distributed, and mixed. In the purely centralized mode, an IDS agent is installed in the sink or base station. For realizing this way, an additional special routing protocol that collects information from sensor nodes is required so that the IDS agent can evaluate the behavior of sensor nodes according to the collected information. On the contrary, an IDS agent is installed in every sensor node in the purely distributed mode. It checks the data received in its communication range and declares whether a sensor node is compromised or not. Different from the two modes above, in the mixed mode IDS agents are only installed in monitor sensor nodes that are initially assigned. These monitor sensor nodes not only perform activities like normal sensor nodes but also check for intrusion detection.
To exert the powerful storage and computation capability of cloud computing, we adopt a new hybrid mode to realize a cloud-assisted IDS for WBANs, as depicted in Figure 1. In our mode, we deploy IDS agents in each body sensor, unlike the traditional case that the IDS agent is only installed in monitor sensor nodes. However, not all IDS agents work continuously; only IDS agents residing in body sensors that are selected as relays to forward information will be triggered to launch. Another different aspect is that the IDS agent in our network is only responsible for the monitor task, not including intrusion decisions that are made by the IDS in the cloud platform.
In Figure 1, the IDS-sensor audits data coming from those body sensors that lie inside its radio range or are its neighbors. It produces alert events if any body sensor works abnormally and may report them through the sink to the detection engine that exists in the cloud platform. Now, a problem that will arise is how to select the optimal report strategy when a cloud-assisted IDS is applied to WBANs. The optimal strategy to be attained should maximize the probability of capturing malicious body sensors but minimize the report cost. To solve this dilemma, we next employ a dynamic multistage signaling game to model interactions between a body sensor and its corresponding IDS agent.

A Stage IDS Report Game
}} is the action set of player and A = { | , -} is the action set of player ; (iv) : T → [0, 1] is a prior probability distribution over types drawn by Nature (in game theory, Nature randomly chooses a type for each player according to the probability distribution across each player's type space), and = ( , 1 − ), where is referred to as the probability of a body sensor being malicious and then 1 − is the probability of a body sensor being normal; (v) U = {( , )}, where : A × T → R and : A × T → R are the payoff functions of players and , respectively.
In the stage IDSRG, we consider there are two players, that is, body sensor and IDS-sensor . Body sensor has private information about its type, which may be normal, denoted by 0 , or malicious, denoted by 1 . That is, the type of body sensor is unknown to IDS-sensor . On the contrary, IDS-sensor has only one regular type denoted by , and its type information is common knowledge to two players.
At each time slot, each player selects its action from its action space. If body sensor is normal, it always cooperates. Its action denoted by 0 is therefore Cooperate. That is, 0 has one pure strategy: Cooperate. On the other hand, if body sensor is malicious, it may attack for attaining potential profits or cooperate for disguising itself so that the IDS will be misled and is unable to distinguish its maliciousness. Therefore, the action of 1 , denoted by 1 , may be Attack or Cooperate. That is, 1 has two pure strategies: Attack and Cooperate. For IDS-sensor , it may report the monitored events that come from body sensors in its radio range or not report these events for saving its energy to prolong its lifetime. Therefore, the action of , denoted by , is either Report or Not-report. That is, has two pure strategies: Report and Not-report.
To express the payoff matrix of the stage IDSRG, we introduce some parameters. A malicious body sensor can select the action Attack to waste the limited resources of WBANs and disrupt normal network operations. Such an attack can result in, for example, a failure of communication between two neighbors. The malicious body sensor, however, gets a gain from the attack while it has to pay the cost of consuming power to launch the attack. We therefore present and to denote the attack gain and cost, respectively. When a malicious or normal body sensor selects the action Cooperate that means it makes itself available for communication, the packet can be then forwarded successfully through a link including this body sensor. Thus, the normal body sensor benefits from good network operations. In addition, the malicious body sensor gets a gain due to its disguise that helps itself avoid the IDS detection. However, receiving and forwarding packets during the cooperation communication will incur a cost of consuming power. We assume that, for simplicity, both the malicious and normal body sensors get the same gain and pay the same cost when selecting the action Cooperate. We therefore present and to denote the cooperation gain and cost, respectively. For an IDS-sensor, when it selects the action Report, it gets a gain denoted by once the cloud platform detects the malicious body sensor due to its report. At the same time, it suffers a cost from energy consumption used to transmit the monitored events. Moreover, like any general IDS, the IDS service in the cloud platform has false positive rate (i.e., false alarm rate) , ∈ [0, 1]. The existence of false alarms, meaning that body sensors in normal communication are detected in error as malicious ones, will result in a loss to the IDS-sensor due to its report. Besides the false positive rate, there exists the true positive rate (i.e., detection rate) , ∈ [0, 1], during the process of intrusion detection. In addition, we introduce , ∈ [0, 1] as the channel reliability reflecting the actual communication environments in a cloud-assisted IDS for WBANs. In addition, we present , ∈ [0, 1], as the attack success rate satisfying the case that a malicious body sensor does not always attack successfully.
We can next analyze various payoffs under different action profiles of two players, which are shown in Table 1.

Equilibrium Analyses of the Stage IDSRG.
The stage IDSRG belongs to a game of incomplete information, since an IDS-sensor does not know its opponent's type during interactions. We should therefore change it into a complete but imperfect information game through the Harsanyi transformation to attain the corresponding BNE. During the process of the Harsanyi transformation, a virtual player Nature is introduced and moves first to choose a type of player . Thus, the extensive form of the stage IDSRG can be constructed in Figure 2, where chosen by Nature is the probability of a body sensor being malicious. Under Case 1, the expected payoffs of player selecting actions Report and Not-report are respectively. If ( ) ≥ ( -), that is, then the dominant strategy for player is Report. However, if player selects the action Report, Attack will not be the dominant strategy for a malicious body sensor since is reasonable. Therefore, the pure strategy ( 1 = , , that is, then the dominant strategy for player is Not-report. Correspondingly, Attack will be the dominant strategy for a malicious body sensor since is reasonable. Therefore, the action profile (( 1 = ,  Cooperate is Not-report, whereas for a malicious body sensor, the dominant strategy to respond to the action Not-report is Attack. This leads to a contradictory result. Therefore, there are not any pure-strategy BNEs when player chooses the pure strategy ( 1 = , 0 = ).
The pure strategy attained from Theorem 2 means that player always plays the action Attack for a malicious body sensor or Cooperate for a normal body sensor while player always plays the action Not-report. This pure strategy is not practical because the equilibrium requires player to take the action Not-report at all times, and hence malicious body sensors will not be captured forever. In fact, the equilibrium attained from Theorem 2 is referred to as Pooling Equilibrium [50] in which player has no clue about the type of player . Therefore, it is essential to find a mixed-strategy BNE for capturing malicious body sensors.

Theorem 3. In the stage IDSRG, there is a mixed-strategy BNE
Proof. From Theorem 2, obviously, the mixed-strategy BNE to be sought exists only if ≥ 0 . Let be the probability with which a malicious body sensor plays the action Attack and let be the probability with which player plays the action Report. We next need to find the optimal values of and such that neither player nor player can increase the payoff by deviating from the mixed-strategy BNE. For the mixed strategy played by player , the expected payoffs of player selecting actions Report and Not-report are respectively. According to the indifference between actions Report and Not-report under the optimal mixed strategy played by player , we get Thus, the optimal probability of a malicious body sensor selecting the action Attack is * = ( For the mixed strategy played by player , the expected payoffs of player selecting actions Attack and Cooperate are respectively. According to the indifference between actions Attack and Cooperate under the optimal mixed strategy played by player , we get Thus, the optimal probability of player selecting the action To sum up, given ≥ 0 , we can find a mixed-strategy BNE ((Attack with * for 1 , Cooperate for 0 ), Report with * for ) that means a malicious body sensor plays the action Attack with probability * and a normal body sensor always plays the action Cooperate while player plays the action Report with probability * . Theorems 2 and 3 provide the IDS-sensor with the conditions under which the BNE can be achieved. We can obtain the probability threshold of a body sensor being malicious, 0 , which is related to the channel reliability , cloud-assisted IDS' detection rate , and false alarm rate , as well as attack success rate . This threshold is extremely low since the gains of actions Report and Attack, compared to the cost of the action Report, are very large as , , , ∈ [0, 1].
However, as the probability of a body sensor being malicious, , grows and eventually exceeds the threshold, the mixed-strategy BNE suggested in Theorem 3 requires the malicious body sensor to be less offensive in attacking.
The advantage of applying Theorems 2 and 3 is that an IDS-sensor does not always take the action Report. As a result, the power consumption of the IDS-sensor can be conserved. However, Theorems 2 and 3 are only concerned with a single time slot of interactions between an IDS-sensor and its opponent. As two players continually interact with each other, the belief (i.e., probability of a body sensor being malicious), , which is used to compute the optimal strategy for an IDS-sensor to determine when to select the action Report, may be updated dynamically. Therefore, we should develop the stage IDSRG into a dynamic multistage IDSRG to dynamically present the belief of player on the type of player .

Dynamic Multistage IDSRG.
Following interactions between players and , the stage IDSRG is repeatedly played at each continuous time slot , where = 1, 2, . . . , ( ∈ + ). For simplicity, we assume the payoffs of players at the th stage game are the same as those at the −1 th stage game; that is, there is no discount with respect to the payoffs of players in the dynamic multistage IDSRG. Besides the notations defined in the stage IDSRG, we let ℎ ( ) be the historical actions of player , let ( ) be the action adopted by player at the th stage game, and let ( 1 | ( ), ℎ ( )) be the posterior belief meaning the probability of a body sensor being malicious at the end of the th stage IDSRG, respectively. Based on the Bayesian rule, this posterior belief can be constructed at the th stage IDSRG.
As described beforehand, the cloud-assisted IDS may inevitably produce detection errors and false alarms. In addition, communicating in WBANs may lose packets. Due to these factors, the actions observed by player may not always reflect the reality accurately. We integrate these factors into computing the conditional probability ( ( ) | , ℎ ( )), ∈ { 0 , 1 }, which can be updated as follows: where 1 − , 1 − , 1 − , and denote the false negative rate, the channel unreliability, the true negative rate, and the probability of player selecting the action Attack at the th stage IDSRG, respectively.
So far, a belief system based on (15)-(16) has been presented to describe the belief building and updating process. It is easy to see that each belief to be updated is dependent on a body sensor's action player observes at the current stage IDSRG and the prior belief it holds. With the belief system, we can define the dynamic multistage IDSRG as follows. (ii) ( ) = ( ( 1 | ℎ ( )), 1 − ( 1 | ℎ ( ))), where ( 1 | ℎ ( )) denotes the probability of a body sensor being malicious with the historical actions ℎ ( ) at the th stage IDSRG, and it will be updated by ( 1 | ( ), ℎ ( )) computed by (15) at the end of the th stage IDSRG.
For the dynamic multistage IDSRG, Perfect Bayesian Equilibrium (PBE) can be applied to seek the optimal strategies of two players. This is because the dynamic multistage IDSRG is essentially regarded as a dynamic Bayesian game. With the aforementioned belief system, the dynamic multistage IDSRG is played in a sequential manner. Players and will not always select the same strategies at each stage game to attain the most expected payoffs. Their best response strategies are related to the current belief that may be changed as the dynamic multistage IDSRG evolves. This relation can be disclosed by the concept of PBE. We next illustrate that the dynamic multistage IDSRG satisfies the Bayesian conditions, which guarantee that an incomplete information game has a PBE. [50]: Proof. B(i) is satisfied because player has only one type. B(ii) is satisfied because the beliefs updated in the belief system are derived from the Bayesian rule. B(iii) means ( 1 | ( ), ℎ ( )) = ( 1 |̂( ), ℎ ( )) if ( ) =̂( ), which is satisfied because the signals of player are the part of actions in the context of the dynamic multistage IDSRG. B(iv) is satisfied because only players and are in any stage game where no other players affect the beliefs updated by player on its opponent.

Theorem 7.
There is a mixed-strategy PBE in the dynamic multistage IDSRG.
Proof. At the th stage IDSRG, let and denote the probabilities of a body sensor selecting the action Attack and the corresponding IDS-sensor selecting the action Report, respectively. For player at the th stage IDSRG, the expected payoffs of selecting actions Report and Not-report at the th stage game are respectively. According to the indifference between actions Report and Not-report under the optimal mixed strategy played by player at the th stage IDSRG, we get Thus, the optimal probability of a malicious body sensor selecting the action Attack is * = ( For a body sensor at the th stage IDSRG, the expected payoffs of selecting actions Attack and Cooperate are respectively. According to the indifference between actions Attack and Cooperate under the optimal mixed strategy played by player at the th stage IDSRG, we get Thus, the optimal probability of player selecting the action To sum up, there is a mixed-strategy PBE that can be attained with the strategy profile ((Attack with * for 1 , Cooperate for 0 ), Report with * for ) at the th stage IDSRG. From Theorem 7, the two rational players and at the th stage IDSRG will play with the strategy profile shown in Theorem 7. This strategy profile exhibits the so-called sequential rationality in game theory [50], which means each player's strategy is optimal whenever it has to be changed, given the belief and each other's actions. The PBE makes the IDS-sensor not always report its opponent's events while minimizing the possible damage caused by an undetected malicious body sensor. Energy that is potentially consumed by the IDS-sensor to continuously report the monitored events is therefore saved.

Applying PBE-Based Report Strategies to WBANs Using a Cloud-Assisted IDS
To exploit the advantage of the above PBE, we propose and design a framework for applying IDSRG to WBANs using a cloud-assisted IDS, as illustrated in Figure 3. The framework consists of three entities: body sensor , IDS-sensor , and cloud platform. Body sensor may be normal or malicious; it therefore signals the action Cooperate or Attack that forms Monitored Events. As the opponent of body sensor , IDS-sensor captures those Monitored Events and decides whether to report them to cloud platform through the sink. Once cloud platform receives the Reported Events, the IDS will be immediately triggered as a service and then examine the obtained record. Finally, according to alerts produced by the IDS, Administrator may send Control Data to deal with a malicious body sensor. The heart of the framework is PBE calculation, whose results indicate to IDS-sensor the probability of selecting the action Report. This calculation starts with Monitored Events captured by IDS-sensor . Administrator first configures the IDS agent in IDS-sensor with Configuration Data to make it more reliable and accurate. He/she also defines the game parameters required, including , , , , , , , , , , , and ( 1 | ℎ ( )). Based on these game parameters, a stage IDSRG is built up and the payoff matrix is correspondingly formulated. With the signal included in Monitored Events and the stage IDSRG, the IDS agent computes the probability of selecting the action Report, * , according to (24). It also, according to (15), computes the posterior belief ( 1 | ( ), ℎ ( )) that is used to update ( 1 | ℎ ( )) for the next stage IDSRG. The process above is then repeated until the end of interactions between players and . The algorithm describing the PBE-based strategy to decide whether to report Monitored Events is given as Algorithm 1.

Figure 3: Framework of applying IDSRG to WBANs using a cloud-assisted IDS.
The other important part of the framework is the IDS in cloud platform. It consists of three main components: Detection Engine, Alert Database, and Alert Management. Detection Engine is the core component of the IDS, which decides whether an event sent from IDS-sensors through the sink is normal or abnormal. It may combine two well-known detection techniques, misuse detection and anomaly-based detection. It may compare the event to a predefined rule set or perform the process of multipattern matching. Upon completion, it classifies the event as normal or abnormal and inserts the generated alerts into Alert Database. As a storage unit to maintain all the formatted events created by Detection Engine, Alert Database stores body sensor ID, the timestamp of various events, and packet information with the defined signatures. Some alert groups and statistics produced by Alert Management are also contained in Alert Database. Depending on Alert Analysis, Alert Management is applied to observe the generated alerts and relate them to previously defined attacking cases. This tool provides Administrator with a function to extract events and to produce reports based on source, time, and types of attacks. Finally, Administrator examines these findings and decides whether to send Control Data to those malicious body sensors.

Experiments
In this section, we employ MATLAB R2010a to illustrate the characteristics of the dynamic multistage IDSRG. Since we are the first to study the report game in WBANs using a cloud-assisted IDS, we do not compare our work with any prior work. Here, we explore the factors influencing a malicious body sensor to select the action Attack, in order to disclose its optimal attack strategies. We further, through an IDS-sensor's posterior belief computed by Algorithm 1, evaluate the performance of our proposed framework with the probability of a body sensor being malicious in terms of IDSRG parameters at the th stage game.

Analyses on Optimal Attack Probabilities.
We show how the optimal probability of a malicious body sensor selecting the action Attack changes in terms of , , and , in order to disclose the intention of a malicious body sensor. A higher detection rate and a lower false alarm rate make it easier for a cloud-assisted IDS to capture the malicious body sensors. Therefore, the optimal strategy of a malicious body sensor is to reduce the probability of selecting the action Attack to avoid the loss incurred by being captured. On the other hand, a higher attack success rate helps a malicious body sensor attain its expected payoff more quickly. As we expect, the optimal probability of a malicious body sensor selecting the action Attack, from Figure 4, slowly decreases when the detection rate gradually increases from 0.5 to 1. A similar tendency is shown as the false alarm rate decreases from 0.1 to 0. In Figures 5 and 6, the decrement of the optimal attack probability selected by a malicious body sensor accompanies the increments of the attack success rate, detection rate, and false alarm rate. Further, the influence of the attack success rate is lower than that of the other two factors. When = 0.9 in Figure 5, for example, the optimal attack probability decreases from 0.1547 to 0.1239 as changes from 0.6 to 1, a reduction of about 19.91%. However, when = 0.92, the optimal attack probability decreases from 0.2316 to 0.1162, a reduction of about 49.83%. These results indicate that we should improve the detection rate and reduce the false alarm rate to lower the attack probability of a malicious body sensor.

Performance Analyses.
At the th stage IDSRG, an IDS-sensor updates its belief on the type of its opponent using (15). Without loss of generality, we assume the initial belief of each IDS-sensor is 0.5. That is, the probability of a body sensor being malicious is the same as that of a body sensor being normal. Figure 7 demonstrates the convergence of an IDS-sensor's posterior belief when different detection rates are presented. We see that the higher the detection rate is, the quicker the posterior belief converges to 1. The convergence requires about 12 plays of the stage IDSRG if = 0.9, 15 if = 0.7, and 20 if = 0.5, respectively. When different false alarm rates are considered in Figure 8, we see that the lower the false alarm rate is, the quicker the posterior belief converges to 1. It requires about 6 plays of the stage IDSRG if = 0.01, 11 if = 0.05, and 21 if = 0.1, respectively. From Figures 7 and 8, the convergence speed of an IDS-sensor's posterior belief increases as the detection rate goes up and the false alarm rate goes down. That is, the speed to judge whether a body sensor is malicious depends on the detection accuracy of the cloud-assisted IDS. Figure 9 compares the convergence of an IDS-sensor's posterior belief when different actual-attack-gains denoted by / are given. We see that the lower the actual-attack-gain is, the quicker the posterior belief converges to 1. This phenomenon may be explained as follows. With a smaller actual-attack-gain, a malicious body sensor must take the action Attack more frequently to get its expected payoff. This increasing frequency raises the probability that the IDS-sensor successfully observes the action Attack launched by the malicious body sensor. Thus, the posterior belief is updated more successfully and converges to 1 more quickly.

Algorithm 1: PBE-based strategy to decide whether to report Monitored Events.
    ← 1;
    Initialize game parameters , , , , , , , , , , , and ( 1 | ℎ ( ));
    Select the action Not-report;
    Do UNTIL the end of interactions between an IDS-sensor and its opponent
        Waked by Monitored Events;
        IF the IDSRG does not exist
            Construct a game;
        ELSE
            Get the stored game;
        ENDIF
        Compute * according to (24);
        Compute ( 1 | ( ), ℎ ( )) according to (15);
        Update ( 1 | ℎ ( )) with ( 1 | ( ), ℎ ( )) and store it;
        Select the action Report with probability * ;
        ← + 1;
In Figure 10, we let / be the actual-report-gain. It shows that a smaller actual-report-gain leads the belief system to converge to 1 more quickly. This is because the IDS-sensor should report more often to attain its expected payoff. Thus, quicker convergence of the posterior belief is achieved, leading to quicker detection of a malicious body sensor.
In what follows, we analyze how the historical actions taken by a malicious body sensor influence the convergence speed of the posterior belief, as shown in Figure 11. We assume two observation sequences:  to 1 quickly when a malicious body sensor takes continuous action Attack. Once the IDS-sensor considers a body sensor to be malicious, the posterior belief cannot be decreased adaptively to a lower value even if the IDS-sensor observes the action Cooperate taken by the malicious body sensor. This means that the IDS-sensor has to always take the action Report and consume its energy rapidly. To avoid this case, IDS agents in IDS-sensors should initially deploy an association-rule module that can reset the posterior belief.
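The belief dynamics discussed in this section, as an added Python example that is not the paper's code: it shows how the detection rate and false alarm rate set the convergence speed of the posterior belief, and how a belief near 1 stays there through later Cooperate observations unless it is reset. Equations (15) and (24) are not reproduced on this page, so the update is a generic Bayes rule; the likelihood model, the parameter values, the function names and the consecutive-Cooperate reset rule (a stand-in for the association-rule module) are all assumptions.

```python
def posterior(belief, observed_attack, p_attack, det, fa):
    """One Bayes step on P(sensor is malicious) after one classified event.

    Assumed likelihoods (not the paper's equation (15)): a malicious sensor
    attacks with probability p_attack; the cloud IDS flags an attack with
    probability det and a cooperative event with probability fa.
    """
    like_mal = det * p_attack + fa * (1 - p_attack)   # P(flag | malicious)
    like_norm = fa                                    # P(flag | normal)
    if not observed_attack:
        like_mal, like_norm = 1 - like_mal, 1 - like_norm
    num = belief * like_mal
    den = num + (1 - belief) * like_norm
    return belief if den == 0 else num / den


def run(observations, p_attack, det, fa, prior=0.5, reset_after=None):
    """Belief after each stage; observations are True (Attack) or False.

    reset_after is a hypothetical reset rule: after that many consecutive
    Cooperate observations the belief returns to the prior.
    """
    belief, quiet, trace = prior, 0, []
    for seen_attack in observations:
        belief = posterior(belief, seen_attack, p_attack, det, fa)
        quiet = 0 if seen_attack else quiet + 1
        if reset_after is not None and quiet >= reset_after:
            belief, quiet = prior, 0
        trace.append(belief)
    return trace


def stages_to_converge(det, fa, p_attack=0.5, threshold=0.99, limit=1000):
    """Stages of consecutive Attack observations until belief >= threshold."""
    trace = run([True] * limit, p_attack, det, fa)
    return next(i + 1 for i, b in enumerate(trace) if b >= threshold)


if __name__ == "__main__":
    # Constructed parameters, not the paper's experiment settings.
    for det, fa in [(0.9, 0.1), (0.5, 0.1), (0.9, 0.01)]:
        print(f"det={det} fa={fa}: {stages_to_converge(det, fa)} stages")
    seq = [True] * 10 + [False] * 7           # attack burst, then cooperation
    print("no reset:", round(run(seq, 0.5, 0.9, 0.1)[-1], 4))
    print("reset@5 :", round(run(seq, 0.5, 0.9, 0.1, reset_after=5)[-1], 4))
```

A belief of exactly 1 is absorbing under Bayes' rule, so without some reset rule a sensor once labeled malicious keeps triggering Report and draining the IDS-sensor's energy.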

Conclusion
We have presented an IDS framework with the help of cloud computing, in pursuit of security for WBANs. It extends WBANs to an integrated platform that offers scalability of data storage and computation for launching an IDS. With this framework, IDS-sensors are only responsible for whether or not to report the monitored events, not for performing the costly task of intrusion detection. Thus, the limited resources of WBANs are no longer an obstacle to guaranteeing their security. Moreover, to solve the IDS-sensors' dilemma between saving energy and reporting the monitored events to increase the probability of capturing the malicious body sensor, we have proposed a dynamic multistage IDSRG using the signaling game. Our game is able to depict interactions between a malicious/normal body sensor and its opponent IDS-sensor and is able to reflect their payoffs. We have proven that the stage IDSRG has a pure-strategy BNE or mixed-strategy BNE under different conditions of the probability of a body sensor being malicious. As the game evolves, we have extended the stage IDSRG to a dynamic multistage IDSRG, where the belief held by IDS-sensors can be updated rationally and dynamically according to the current and historical actions of malicious body sensors. We have also proven the existence of the mixed-strategy PBE in the dynamic IDSRG. This mixed-strategy PBE helps IDS-sensors select an optimal strategy that will prolong their lifespan while allowing them to report an acceptable amount of monitored events. A report strategy algorithm is designed to implement the mixed-strategy PBE. Experiments have shown, based on the optimal report strategies computed by the proposed algorithm, that the type and optimal strategy of a malicious body sensor can be predicted. Thus, body sensors are capable of saving their energy while the cloud-assisted IDS is able to actively defend against malicious body sensors.
While the proposed approach works in principle, we plan to implement it by developing a cloud-assisted IDS testbed via Castalia 3.2, a simulator based on OMNeT++ 4.3.1. Depending on the future experiment results, a more accurate IDSRG may be attained, further enhancing its decision-making capability in order to protect body sensors from malicious attacks.

Notations
: Body sensor that is normal or malicious, namely, player
: Body sensor that involves an IDS agent and is chosen as a relay, namely, IDS-sensor (player )
0 : One type of player ; a body sensor belonging to this type is normal
1 : One type of player ; a body sensor belonging to this type is malicious
T : Type set of player
: Type of player
T : Type set of player
0 : Action taken by a normal body sensor
1 : Action taken by a malicious body sensor
A ( 0 ): Action space of a normal body sensor
A ( 1 ): Action space of a malicious body sensor
: Action taken by an IDS-sensor
A : Action space of an IDS-sensor
: Probability of a body sensor being malicious
: Attack gain of a malicious body sensor
: Attack cost for a malicious body sensor
: Cooperation gain of a malicious/normal body sensor
: Cooperation cost for a malicious/normal body sensor
: Report gain of an IDS-sensor
: Report cost for an IDS-sensor
: False alarm loss of an IDS-sensor
: Detection rate of the IDS residing in the cloud platform
: False alarm rate of the IDS residing in the cloud platform
: Attack success rate
: Channel reliability
: Probability of a malicious body sensor selecting the action
* : Optimal probability of a malicious body sensor selecting the action
: Probability of an IDS-sensor selecting the action