A Privacy-Preserving Personalized Service Framework through Bayesian Game in Social IoT

It is enormously challenging to achieve a satisfactory balance between quality of service (QoS) and users’ privacy protection along with measuring privacy disclosure in social Internet of Things (IoT). We propose a privacy-preserving personalized service framework (Persian) based on static Bayesian game to provide privacy protection according to users’ individual security requirements in social IoT. Our approach quantifies users’ individual privacy preferences and uses fuzzy uncertainty reasoning to classify users. These classification results facilitate trustworthy cloud service providers (CSPs) in providing users with corresponding levels of services. Furthermore, the CSP makes a strategic choice with the goal of maximizing reputation through playing a decision-making game with potential adversaries. Our approach uses Shannon information entropy to measure the degree of privacy disclosure according to the probability of game mixed strategy equilibrium. Experimental results show that Persian guarantees QoS and effectively protects user privacy despite the existence of adversaries.


Introduction
The rapid development of cloud computing and big data technologies has greatly promoted work productivity and life quality. Along with such advancement, there come frequent user privacy disclosures that have attracted wide attention from academia and the industry [1]. In recent years, thanks to the marriage of wireless technologies [2] and mobile communications, social networks (SNs) have become an indispensable part of life [3]. Social networks enable communications and services far beyond instant messaging compared to traditional messaging services and applications [4]. The content of transmission has also become more diverse, including text, voice, image, video, and other multimedia data [5]. Data owners (e.g., mobile and smart device users) enjoy personalized services by gaining various application privileges while data collectors (e.g., service providers and application developers) obtain vast amounts of personal sensitive and security-critical data through privileged interfaces [6]. Such user data become attractive targets of attacks and are subject to serious privacy disclosures [7,8].
According to the "China Privacy Risk Index Analysis Report" published by the trusted institutions in 2018, mobile Internet applications in the social category have an average of 11,014 users per App, and the average amount of data acquired can reach up to 21.24 pieces/user, which is the most among all categories of Apps. At present, the number of user data leakages increased by 15.46% from 2018, and the privacy risk index increased by 26.66% [9]. Users inevitably leave a trail of footprints in the real world while accessing online services from a mobile device [10]. For example, people share various information on Twitter, and even when the original blog is deleted, relevant comments remain on the web [11]. Additionally, 267 million Facebook users' information, including names, gender, email addresses, and social identity, are stolen in April 2020 and sold on the dark web [12]. Thus, protecting user's privacy and security is critically important yet challenging in social networks.
Social networking aspects, in recent years, have been extended to the Internet of Things (IoT) that autonomously build social relationships for smart devices to discover new objects and their services [13,14]. The marriage of IoT and social network enables advanced and deep interactions among people and between people and the environment. Such advancement leads to the emergence of social IoT [13], where social approaches are employed for managing large volumes of user data with connected IoT devices [6,15]. This can result in a greater challenge for user privacy in social IoT. Efficient and effective IoT nodal interactions rely on the establishment of trustworthy relationship among nodes [15,16]. This is particularly important in helping overcome the perceptions of uncertainty and privacy risk [17,18].
Two main reasons contribute to vast amounts of user privacy disclosure in social IoT [19]: technical deficiencies and economic interest conflicts among all participants. Therefore, the privacy protection of social IoT users should also be analyzed from these two aspects. At present, from the technical perspective, user privacy is protected mainly through anonymity [20,21], differential privacy [22,23], network access control [24,25], and ecosystem [26] in social IoT.
Anonymity protection [20] hides private data in a data block so that other users are incapable of associating a user's real identity information with the collected data blocks. This is also a common problem of anonymous protection schemes, and it is difficult to defend against background knowledge attacks. Differential privacy protection [22,27] adds small amounts of Laplace noise into the original data prior to publishing the data for added fuzziness where other users are incapable of distinguishing between the real data and the fuzzy data. Zhang et al. [27] attach importance to the social connection of users, consider the existence of untrusted service providers and malicious attackers, and propose and implement an effective IoT service with differential privacy protection. Despite the high data utility, it is difficult to implement personalized privacy at the user level according to the user's security requirements using differential privacy [23]. Network access control [24,28] decides whether to grant authorized access by analyzing the credibility and closeness among visitors. While it implements privacy protection according to the wishes of data owners, it lacks an effective privacy measurement scheme.
Among the notable research works on the security and privacy of social IoT [19], Frustaci et al. addressed that security and privacy issues are a great challenge for IoT and yet they are also enabling factors to create a "trust ecosystem" [26]. Particularly, in their discussions of the importance of trust, excellent flexibility is considered as a critical factor to deal with changeable security conditions and personalized security requests. Users or nodes having defined personalized security and privacy policies should be facilitated to help in decision-making [26].
Considering big data privacy protection from the perspective of users' interests and economics, the existing literatures [29] mainly describe the benefits and costs of participants by employing game theory, simulate the rational selection process, and formulate the optimal privacy protection scheme through Nash equilibrium [21]. To some extent, these methods make up for the defects of technical schemes; yet how to balance the data utility and efficiency of privacy protection is still a difficult open issue.
In order to tackle this problem, this paper proposes the Persian framework, aiming at providing personalized services to social IoT users on the basis of protecting user privacy. Particularly, in order to resist against adversaries with background knowledge, static Bayesian game theory is applied to the strategic struggle between CSP and adversaries. The contributions in this paper are summarized as follows: (i) Implementing User Classification. Aiming at the difficult problem of users' discrete attribute classification, we adopt the fuzzy uncertainty reasoning method to classify users according to the membership function and expert rules (ii) Defining Trust and Security Responsibilities of the CSP. We construct a trust management center (TMC) that supervises the CSP's behavior and evaluates each service. TMC employs the incremental update strategy to manage the reputation of the CSP, so as to avoid CSP from proactively disclosing user privacy (iii) Achieving a Satisfactory Balance between Quality of Service (QoS) and Privacy Protection. We use the mixed strategy equilibrium to explain the correctness of the CSP making services strategies against different types of adversaries. Moreover, we utilize Shannon information entropy to measure the privacy disclosure, thereby providing a theoretical basis for users' privacy protection in social IoT. Experimental results show that the Persian framework achieves the correct user privacy classification and trust assessment, while privacy disclosure is limited to a low degree The rest of this paper is organized as follows: The related work is overviewed in Section 2. We illustrate the preliminaries, including fuzzy uncertainty reasoning and Bayesian game theory in Section 3. The system model and security model are introduced in Section 4. In Section 5, we present the modules of the Persian framework in detail, including user classification, trust management, Bayesian game, and privacy measurement. Experiments and evaluation are described in Section 6, and the study is concluded in Section 7.

Related Work
In social IoT, protecting user privacy has been a research hotspot due to frequent user privacy disclosures. Existing literatures mainly present from the two aspects of technology and economic interests. Anonymity, differential privacy, access control, and trust management are often adopted to protect users' privacy in social IoT.
Liu et al. [30] proposed a k-anonymous algorithm, which generates an initial weighted social network and reduces the adjustment of relation weight through the sorting process. It improves anonymity efficiency and resists against 2 Wireless Communications and Mobile Computing 1neighborhood attacks. However, this approach does not significantly improve the utility of anonymous data. Xie and Zheng [31] proposed a differential social network anonymous algorithm satisfying k-anonymity and l-diversity. For the key nodes and general nodes, the proposed algorithm uses different types of anonymous operations to transfer anonymous objects from privacy attributes to anonymized sensitive attributes. Based on implementing privacy protection, the proposed algorithm improves the utility of anonymous data. Furthermore, an indicator (UL) is constructed to measure the data utility loss. Chen et al. [32] proposed a classification data clustering scheme based on rough entropy and DBSCAN clustering algorithm, which effectively balances data utility and anonymity performance of mobile social networks. Nonetheless, it falls short on formal security analysis against the attacker. Li et al. [33] proposed an MB-CI strategy for protecting the edge weights of social networks, which retains most of the shortest paths under the premise of satisfying differential privacy, effectively reducing the error caused by noise and improving the accuracy of published data. At the same time, it effectively resists against the consistent reasoning attacks on data records without user-level privacy protection.
Wang et al. [34] proposed a data publishing algorithm (RescueDP) satisfying differential privacy to protect realtime and spatiotemporal crowd-sourced data in social networks. They also proposed an enhanced neural network algorithm, which accurately predicts statistical data with added noise, thereby improving the utility of published data. Huang et al. [35] proposed a differential privacy protection method (PBCN) based on clustering and noise, aiming at achieving a "trade-off" between data availability and privacy protection level. Jahid et al. [36] proposed an encryptionbased access control architecture (EASiER) to address privacy disclosure in online social networks. It transfers access control from the social network provider to users and implements fine-grained access control for dynamic social contacts using attribute-based encryption. Hu et al. [24] constructed a multiparty access control (MPAC) model and proposed a specific multiparty strategy specification scheme and strategy evaluation mechanism to protect the shared data associated with multiple users in online social networks against collusion attacks.
The existing literature also proposed a number of personalized privacy protection schemes. Cai et al. [37] proposed a data disinfection method for centralized processing of user configuration files and relationships among users. By controlling the set of user attributes and the relationship among users to hide sensitive information, the proposed method resists against the set inference attack in the process of data publishing in social networks. Cai et al. [38] proposed a privacy-preserving scheme for interactive messaging by leveraging user credibility and social behaviors, which guarantees the privacy protection in the process of information exchange through information confusion and sensitive attribute substitution. In order to solve the trust difficulties, Sharma et al. [39] proposed a novel solution in the form of fission computing. The proposed solution relies on the edge-crowd integration for maintenance of trust and preser-vation of privacy rules in Social IoT, using crowdsources as mini-edge servers and entropy modeling for defining trust between the entities.
Additional literature also considers privacy protection from the perspective of interests and puts forward a number of effective schemes and models utilizing game theory. Jin et al. [40] applied game theory to trajectory privacy protection. For any two sensing nodes in the network, this method selects the best strategy through the Bayesian game analysis to resist against the dishonest attacks of internal nodes, thus protecting the trajectory privacy of users. Hu et al. [41] proposed a multiparty control game, which extends the research on strategy selection among rational controllers in multiparty access control. The Nash equilibrium is used to explain the optimal strategy selection state, and no controller has any valid reason or authority to change its settings to deviate from the equilibrium, which solves the privacy conflict of collaborative data sharing in online social networks from the perspective of interests. Wu et al. [29] proposed an extended game model to solve the problem of privacy and utility equilibrium in the publishing of multicorrelated privacy data, which solves the differential privacy parameters according to Nash equilibrium, thereby improving data utility. Shan et al. [42] proposed a forwarding control mechanism for social networks based on game theory. By calculating the game revenue matrix of the publisher and forwarder and comparing the probability of dishonest forwarding with the threshold set by the publisher, this approach protects the privacy of publishing content according to the personalized privacy requirements of the publisher. Xiong et al. [21,23] also actively applied game theory to the privacy protection of the application environment.
Xiong et al. [43] conducted a comprehensive survey on the privacy measurement and quantification of big data. Serjantov and Danezis [44] used the Shannon entropy to describe the effective size of anonymous sets. Lin et al. [45] employed mutual information to measure privacy disclosure under the data protection mechanism. Diaz et al. [46] utilized conditional entropy to describe adversaries' observation ability and indirectly measured the level of protection mechanism. Additionally, Chen et al. [47] proposed an information surprise indicator to measure the surprise degree that still exists after an adversary acquires user attributes.

Preliminaries
3.1. Fuzzy Uncertainty Reasoning. Fuzzy reasoning [48] is a method of uncertainty reasoning, which is suitable for any situation where the input fluctuates in a specific range. Also, the output is also fuzzy, rather than precise. The fuzzy concept is regarded as a membership degree [49], reflecting the closeness of input or output with a fuzzy set in the universe. If the membership degree equals 1, it means that the variable values belong to the fuzzy set completely; if the membership degree equals 0, it means that no elements belong to the fuzzy set absolutely. A membership value in (0, 1) means that some elements, but not all, belong to the fuzzy level to some extent. The membership function replaces the positive or negative results with the fuzzy evaluation results, which is helpful for 3 Wireless Communications and Mobile Computing considering the influence of multiple factors. Generally, the membership function of the gradient type is widely accepted, as shown in Figure 1. Upon finding the membership, the rule activation is performed. The fuzzy output is generated by the activation of finite rules.
3.2. Bayesian Game Theory. The static Bayesian game (SBG) model [50] is also known as static incomplete information game. The type set of all participants is known. Any participant can only infer the probability that other participants belong to a certain type at a certain time, but cannot determine other participants' type and cannot determine the relevant action strategies or benefit. Furthermore, all participants choose action strategies simultaneously in the game. Even if there are differences in the order of choosing, the participants who choose the strategy posterior do not have the knowledge of the selected strategy. SBG model [50] can be represented by a quintuple, SBG = ðΓ, T, P, S, UÞ, which is described as follows: because it is meaningless to discuss a game with only one participant. Any participant iði ∈ ΓÞ is a rational decision-maker with the ability of independent selection, whose goal is to maximize their expected benefit and choose action strategies If each participant has only one candidate type (i.e., ∀i ∈ Γ and jT i j = 1), at the point, the static incomplete information game will become the static complete information game (3) The probability set of participants' inference about the types of other participants is P = fP 1 < t −1 jt 1 > , ⋯ , P n < t −n jt n > g, where P i < t −i |t i > represents the probability of participant i's inference about the types of other participants. Meanwhile, t i represents participant i's type, and t −i (i.e., ft 1 , ⋯, t i−1 , t i+1 , ⋯, t n g) represents all participants' type other than participant i s benefit is related to its own type and the strategy chosen by other participants

System Model and Security Model
We introduce important notations and descriptions in this paper, as shown in Table 1.

System Model.
In social IoT, we mainly focus on how a CSP provides personalized services for users. The system model includes four entities: Users, CSP, TMC, and adversaries (A), as shown in Figure 2.
(i) Users own multiattribute data, and obtain personalized services in exchange of providing private data and individual preferences to CSP (ii) CSP is the back-end server of various applications in social IoT, which obtains user data through the application privilege interface and provides personalized services according to users' individual preference. Meanwhile, CSP plays static Bayesian game with adversaries and makes strategies (iii) TMC is responsible for supervising CSP's behaviors, including managing and updating CSP's reputation.  We consider that the proposed Persian framework is implemented in a semitrusted security model [51][52][53]. CSP is considered as an honest-but-greedy entity.
On the one hand, it is supervised by the TMC and strictly implements protocols. On the other hand, it also hopes to obtain tremendous benefits through one-off privacy trafficking. TMC is regarded as a fully-trusted entity, which is in charge of managing the reputation of CSP without possessing any private information. A use rational judgment to attack adaptively. Their owned background knowledge can increase the probability of obtaining privacy. If A believes that there is no benefits from launching an attack, or if the CSP's strategy choices are indistinguishable, the Persian framework is considered secure.

The Construction Modules of Persian Framework
In this section, we illustrate the construction of the Persian framework in detail, including user classification, trust management, Bayesian game, and privacy measurement module.

Overview of Persian
Framework. Above all, we explain the basic principles of the Persian framework, as illustrated in Figure 3. On the user side, users in social IoT score for each attribute according to their subjective security requirements. Having received the normalized multiattribute scores, the user classification module obtains individual privacy preferences based on fuzzy uncertainty reasoning. Before CSP provides personalized services to users, it is necessary to establish trust relationship, which is the responsibility of TMC with notarization.  as references. Anonymous users give a score (0-10 points) according to their subjective privacy requirements. We randomly selected five questions, as shown in Table 2.
Definition 1. Degree of privacy preference (DP) is used to measure users' attention to private data. The lower DP is, the lower the users' attention to data will be; otherwise, the higher the users' attention to data will be.
Since fuzzy reasoning requires the input to be numerical data within the interval [0,1], we adopt linear function to normalize DP. Taking the j-th attribute as an example, the normalization process is shown in Formula (1). After the same treatment, the normalized DP (NDP) is shown in Table 3.

Fuzzy Uncertainty
Reasoning. Here, we use fuzzy reasoning of Mamdani [55] type to classify users. The advanced expert rules are shown in Table 4. The input fuzzy sets (Name, Age, Occu, Marr, and Shop) are composed of "high" and "low," which are represented by symbols "H" and "L," The output fuzzy sets (NDP) are composed of "high," "medium," and "low," which are represented by symbols "H," "M," and "L." We use u 3 's attribute vector in Table 3 ([0.43, 0.71, 0.75, 0.5, 0]) as the fuzzy input. We can then obtain the membership degree of each input attribute to the fuzzy level through calculating the membership function, as illustrated in Table 5 The more satisfied the preceding part is, the stronger the rule will be, and the more instructive output will be. Since logic "and" is the link among the conditions in the preceding part, the strength of the four rules is determined by the "minimum value" method. Finally, we employ the central average defuzzy method to calculate the fuzzy output, and obtain the NDP's approximation result equaling 0.462 through computing Formula (2). Therefore, u 3 obviously belongs to the M level.
In Formula (2), y represents the maximum of fuzzy level interval, and μð yÞ represents NDP's membership value about the fuzzy level.

Trust Management. Users in social
IoT submit data to CSP for personalized service, resulting in losing control of their personal data. In order to provide users with a satisfactory service experience, the trust for CSP needs to be clarified. Trust management [56] is to evaluate the target entity by referring to its historical behavior and reputation in social IoT. When social IoT users request to interact with a CSP, the service policy adopted by the CSP corresponds to a specific reputation value. CSP improves its reputation by providing good QoS. In turn, the reputation provides the basis for users to choose a CSP. We consider service behavior for J times and the reputation function of CSP as shown in the Formula.
In (3), j = f0, 1,⋯,Jg, and l ∈ f−1, 0, L, M, Hg. If l = −1, CSP actively discloses user privacy; if l = 0, CSP denies service. Other conditions indicate that CSP provides low, medium, and high QoS, respectively. Specially, we introduce a trust penalty factor λ, which represents the reputation penalty that CSP suffers from betraying trust. The construction function of λ is as below: where |λ | ≤m is satisfied in any case, and If·g is a two-value function. If the logic is true, then If·g = 1; otherwise, If·g = 0.
Obviously, the deeper the trust relationship of the CSP betrayal is, the greater the reputation penalty will be. Combined with the above reputation function, it makes sense to think of trust as a threshold. When the CSP's reputation value is greater than the threshold, the user considers the CSP to be credible. To be more realistic, we consider When j = 1, we initialize σ j to a small positive number. If σ j > θ, user will trust the CSP. In this way, CSP will not be willing to take the initiative to disclose user privacy for reputation. Moreover, TMC also needs to store and update the reputation of CSP for the next service. If the reputation is updated according to Formula (5), we need to calculate and store the average of m reputations. In order to reduce computation and storage overhead, we propose an incremental update strategy as shown in Formula (6). We only need to store two reputations (i.e., σ j−1 and δ j−1 l ). Another advantage is that users can only check the last time's service reputation of CSP, preventing users from completely rejecting the CSP because of occasional disclosure behaviors.
5.4. Static Bayesian Game. In addition to preventing CSP from voluntarily disclosing users' privacy, it is also necessary to resist theft attacks by potential adversaries (A). Therefore, we consider constructing a two-party static Bayesian game (SBG) [50] between the CSP and A to protect user privacy from the perspective of interests.
(1) We consider a strategic game between the CSP and A. Participants set can be formalized as Γ = fCSP, Ag (2) We consider two types of adversaries, denoted as T A = fA yk , A nk g, where A yk represents the adversary with background knowledge, and A nk represents the adversary without background knowledge. A ' s types set is public knowledge while CSP has only one type (3) We mainly consider the probability of CSP inferring A's type, then use P yk hA yk | CSPi and P nk hA nk | CSPi to represent the probability that CSP infers A to be A yk and A nk , respectively. In this game, A ' s type is known only by him/herself. Thus, it is private knowledge, while joint probability PhCSP, A yk i and PhCSP, A nk i are public knowledge (4) The strategy set of CSP denotes S CSP = fs YP , s NP g, where s YP represents CSP providing services and s NP represents CSP denying services. Note that Y P ∈ fLP, MP, HPg, indicating that the CSP provides low, medium, and high QoS, respectively. Meanwhile, the strategy set of A denotes S A = fs YA , s NA g, where s YA represents A choosing to attack and s NA represents A choosing not to attack. The strategy set of participants is determined before the game, regarded as public knowledge, while the strategy chosen in the game is private knowledge  Upon received user's NDP level, the CSP provides the corresponding QoS. If NDP is H, then the CSP provides low-level services with low service quality, which comes with a low risk of user privacy disclosure, thereby meeting the high-security requirements of users. If NDP is M, then the CSP provides middle-level services. If NDP is L, then the CSP provides high-level services with high quality of service, yet with an increased possibility of user privacy disclosure. Next, we construct a game benefit matrix as shown in Table 6.
Since the CSP provides different QoS according to users' individual preferences, it will gain different reputation benefits, as shown in the Formula.
Particularly, the benefit of the CSP due to denial of service is u NP = 0, and the loss of the CSP due to attack from adversary is u −1 = −3. On the other hand, A ' s benefit consists of three parts: basic benefit, attack cost, and extra incentive. Thus, we can determine that A's benefit is shown in the Formula.
In (8), u A b represents A ' s basic benefit, u A c represents A ' s attack cost, and the other represents extra incentive refer to benefit factor μ. This means that the higher the QoS provided by CSP, the higher the data quality submitted by users, and the greater the benefits gained from A successfully attacking. When A chooses not to attack, u NA = 0. Additionally, k is regarded as background factor, and is used to increase A ' s benefit.
In order to facilitate the analysis of the incomplete information game, we use the Harsanyi transformation to introduce a virtual participant "nature" ðNÞ. N randomly selects both participants' types. PhCSP, A yk i and PhCSP, A nk i are public knowledge, where PhCSP, A yk i + PhCSP, A nk i = 1: P yk hA yk | CSPi and P nk hA nk | CSPi represent the probabilities of the CSP inferring type A, respectively, which can be obtained by Bayesian formula: For simplicity, we use P yk and P nk to replace P yk hA yk | CSPi and P nk hA nk | CSPi, respectively. Then, we use P YP and P NP to represent the probability of CSP choosing YP strategy and NP strategy (i.e., P YP + P NP = 1), respectively. Furthermore, we use P YA and P NA to represent the probability of A choosing YA strategy and NA strategy, respectively, (i.e., P YA + P NA = 1). Next, we calculate the benefits of the CSP choosing YP and NP strategies, as shown in the Formula.
Wireless Communications and Mobile Computing Therefore, we can obtain the mixed strategy Bayesian equilibrium ðP * YA , P * YP Þ, as shown in the Formula.
5.5. Privacy Disclosure Measurement. In social IoT, users exchange personalized services from the CSP by providing private data, which will inevitably have the risk of being leaked over communication links. Shannon information entropy [57] is used to measure privacy disclosure, as shown in the Formula below.
where 0 ≤ P i ≤ 1, ∑ n i=1 P i = 1. From A's point of view, the probability P Y P and P NP can be inferred. As described in Formula (16), the greater HðAÞ is, the closer P Y P and P NP are, the higher the indistinguishability of A to CSP's strategy, and the lower degree of privacy disclosure. Otherwise, the higher is the degree of privacy disclosure. For instance, if P Y P = 0:5, the information entropy is 1, indicating that A is completely confused about the service decision of the CSP.
In social IoT, a single game obviously cannot satisfy the user requirement. Therefore, we consider the finite static Bayesian game for J times. Similarly, the privacy disclosure measurement in a long term can be described by Formula (17). It can be used to evaluate the privacy disclosure status of J times of service.

Experiment and Evaluation
In order to better illustrate the feasibility of the Persian framework, we consider that its performance is influenced by three factors: user classification, trust assessment, and privacy disclosure measurement. The experiments were carried out on a workstation with a 3.30 GHz quad-core processor, 8GB memory, and Windows 7 64-bit operating system to simulate and analyze on the Matlab R2016a platform.
6.1. User Classification. In the user classification module, Fuzzy Toolbox [58] is used to conduct fuzzy uncertainty reasoning for users, and the result is used to verify the theoretical calculation. Assuming that the input user is u 3 in Table 2, we synthesize the rule constraints of all input attributes. As shown in Figure 4, rules (13) Only when CSP's reputation is greater than the trust threshold (i.e., θ = 0), users are willing to trust the CSP and share their privacy. Based on the individual preferences of 30 users (i.e., J = 30), we quantified the CSP's active disclosure behavior and indirectly clarified the trust of the CSP. Figure 5(a) shows that the CSP provides three levels of QoS according to users' individual privacy preferences, and then obtains three ratings of reputation, namely, 1, 2, and 3. It is worth noting that the CSP will be subject to severe reputational penalties if it voluntarily discloses users' privacy in the process of providing services. The CSP chooses to disclose privacy when j = 3, and it loses the reputation of 12 units. The attendant consequences are disastrous for the CSP, resulting in a significant decline in service delivery rates. On the other hand, we consider the impact of trust depth on the reputation of the CSP. Figure 5(b) shows that dishonest behaviors of the CSP will lead to the decline of the visible reputation of multiround services. As the depth of trust relationship (i.e., m) increases, the spread of the reputation penalty becomes more serious. Regardless of the situation, there is no reason for the curve in SBG for J times. The CSP is used to actively disclose user privacy in order to maintain visible reputation with users.
6.3. Privacy Disclosure Measurement. It is certain that the CSP provides different levels of QoS according to individual preferences. As a result, the behavioral strategy of A and the CSP may change driven by interests. Figure 6(a) shows the relationship between Nash equilibrium and QoS levels. With the improvement of service quality, the probability of attack is gradually increased because of the temptation of  9 Wireless Communications and Mobile Computing high data quality, and the CSP tends to choose denying service due to potential attacks. Despite the fact that the CSP provides high QoS, the result of information entropy has declined slightly, just below 1. This suggests that A is still confused about the decision-making of the CSP, and the risk of user privacy disclosure remains at a relatively low level. Further, we explain the relationship between Nash equilibrium and two internal incentive factors μ and k. From Figure 6(b), the attack benefit u YA of adversaries increases with μ, and the probability P YP * of CSP to provide the service   Figure 6: Nash equilibrium results. (a) The relationship between Nash equilibrium and QoS levels; (b) the relationship between Nash equilibrium and benefit factor; (c) the relationship between Nash equilibrium and background factor; (d) Nash equilibrium. gradually decreases. When P YP * is close to 0.5, the service information entropy H (CSP) reaches the maximum, and the privacy protection level reaches its peak. Figure 6(c) shows a similar trend in relationships. The probability of a successful attack by adversaries increases with k, and as a result, CSP tends to refuse to provide services. Likewise, the intensity of privacy protection reaches maximum while k gets close to 0.5.
Additionally, we observe the Nash equilibrium change in the CSP service delivery for J times. Figure 6(d) shows that the information entropy is maintained at a high level. According to Formula (17), we can calculate the average privacy disclosure of 0.9509. As long as the CSP does not actively disclose the user's privacy, the confusion of A about the CSP's decision will not be decreased. Also, we have clarified the trust in the CSP in Section 5.3. Based on the above, the Persian framework can effectively provide personalized services while keeping privacy disclosure to a minimum level.

Conclusion
There are frequent occurrences of user privacy disclosure in social IoT, drawing wide attention in academia and the industry. A few achievements have been acquired, but a number of key techniques are still in need. On the one hand, users have to share their privacy to the CSP to exchange application privileges, so as to enjoy personalized services. On the other hand, users are reluctant to disclose their privacy. Find a satisfactory balance between QoS and privacy protection under the premise of ensuring personalized services is the main contribution of this paper. We proposed a privacy-preserving personalized service framework (Persian) through a static Bayesian game. In this framework, users independently infer their privacy preferences combined with offline fuzzy reasoning. The trust of the CSP is supervised by TMC to ensure normal service operations. The CSP provides users with personalized service according to users' individual preferences. Furthermore, we employ the game mixing strategy equilibrium to achieve privacy protection from the perspective of interests. Meanwhile, we measure privacy disclosure by using information entropy under the proposed framework.
The future work is to further expand the fuzzy reasoning with neural network and consider additional user attributes. We will also consider more types of adversaries and constantly optimize the proposed model to achieve better comprehensiveness and efficiency for privacy protection.

Data Availability
The data used in this paper comes from the comprehensive questionnaire investigation.

Conflicts of Interest
The authors declare that they have no conflicts of interest.