Service Level Management in Emerging Environments E-Book

Table of Contents

Cover

Title Page

Copyright

Preface

1 Service Level Management in the Internet of Things (IoT)

1.1. Introduction

1.2. IoT: definitions

1.3. IoT: an overview

1.4. Security management and privacy protection in the IoT

1.5. QoS management for IoT services

1.6. QBAIoT: QoS-based access method for IoT environments

1.7. Conclusion

1.8. References

2 Service Level Management in the Cloud

2.1. Introduction

2.2. The Cloud environment

2.3. Service level and self-management in the Cloud

2.4. QoS guarantee in Cloud Networking

2.5. Conclusion

2.6. References

3 Managing Energy Demand as a Service in a Smart Grid Environment

3.1. Introduction

3.2. The Smart Grid environment

3.3. Demand management: fundamental concepts

3.4. Demand-side management

3.5. Techniques and methods for demand scheduling

3.6. Conclusion

3.7. References

4 Managing Quality of Service and Security in an e-Health Environment

4.1. Introduction

4.2. e-health systems

4.3. QoS in e-health systems

4.4. Security of e-health systems

4.5. Conclusion

4.6. References

5 Quality of Service Management in Wireless Mesh Networks

5.1. Introduction

5.2. WMNs: an overview

5.3. QoS in WMNs

5.4. QoS-based routing for WMNs

5.5. HQMR: QoS-based hybrid routing protocol for mesh radio networks

5.6. Conclusion

5.7. References

6 Blockchain Based Authentication and Trust Management in Decentralized Networks

6.1. Introduction

6.2. The Blockchain Authentication and Trust Module (BATM) architecture

6.3. Evaluating BATM

6.4. Conclusion

6.5. References

7 How Machine Learning Can Help Resolve Mobility Constraints in D2D Communications

7.1. Introduction

7.2. D2D communication and the evolution of networks

7.3. The context for machine learning and deep learning

7.4. Dynamic discovery

7.5. Experimental results

7.6. Conclusion

7.7. References

8 The Impact of Cognitive Radio on Green Networking: The Learning-through-reinforcement Approach

8.1. Introduction

8.2. Green networking

8.3. Green strategies

8.4. Green wireless networks

8.5. How CR contributes to green networking

8.6. Learning through reinforcement by taking into account energy efficiency during opportunistic access to the spectrum

8.7. Conclusion

8.8. References

List of Authors

Index

End User License Agreement

List of Illustrations

Chapter 1

Figure 1.1. The ITU-T architecture of the Internet of Things (ITU-T 2012). For a...

Figure 1.2. Architecture of the Internet of Things (Lin et al. 2015). For a colo...

Figure 1.3.

Architecture of the Internet of Things (Khalil

et al.

2018)

Figure 1.4. Comparison of the structure of the IEEE 802.15.4 and the QBAIoT supe...

Figure 1.5.

Algorithm for the QBAIoT access method at the gateway level

Figure 1.6.

Algorithm for the QBAIoT access method at the loT object level

Figure 1.7.

Average real-time mission critical delays for different scenarios

Figure 1.8. Average real-time non-mission critical delays for different scenario...

Figure 1.9. Packet Delivery Ratio for all QoS classe. For a color version of thi...

Chapter 2

Figure 2.1. Standardization bodies for the Cloud (Sakai 2011). For a color versi...

Figure 2.2. Depiction of an Autonomic Manager (IBM 2005). For a color version of...

Figure 2.3. Inter Cloud broker-based Cloud Networking architecture. For a color ...

Figure 2.4.

Depiction of the XML diagram for an iSLA

Figure 2.5.

Interactions in a broker-type architecture

Figure 2.6. Federation Cloud Networking architecture. For a color version of thi...

Figure 2.7.

Interactions in a federation-type architecture

Figure 2.8. Evaluation of the average global end-to-end delay. For a color versi...

Figure 2.9. Evaluation of the jitter. For a color version of this figure, see ww...

Figure 2.10. Evaluation of the bandwidth cost. For a color version of this figur...

Figure 2.11. Evaluation of the global VMs cost. For a color version of this figu...

Figure 2.12. Evaluation of latency and response time. For a color version of thi...

Figure 2.13. Evaluation of the global bandwidth cost. For a color version of thi...

Figure 2.14. Evaluation of the global VM cost. For a color version of this figur...

Chapter 3

Figure 3.1. Architecture of a microgrid. For a color version of this figure, see...

Figure 3.2. Architecture of a DSM platform. For a color version of this figure, ...

Figure 3.3.

Classification of DSM approaches

Figure 3.4.

Architecture of a smart agent

Chapter 4

Figure 4.1.

The architecture of e-health systems (Hamdi

et al.

2014)

Chapter 5

Figure 5.1.

The different architectures of a wireless mesh network

Figure 5.2. General architecture of the framework. For a color version of this f...

Figure 5.3. Evaluating (a) average end-to-end delay and (b) jitter for a VoIP ap...

Figure 5.4. Performances of the IMRR protocol versus MARIA and IDAR. Evaluation ...

Figure 5.5. Evaluation of (a) average end-to-end delay and (b) average jitter fo...

Chapter 6

Figure 6.1.

Example of the protocol stack for the IoT

Figure 6.2.

Identity structure and secondary key

Figure 6.3.

Peering process

Figure 6.4.

The processing window

Figure 6.5.

Trust calculation – smart contracts

Figure 6.6. Complete calculation window. For a color version of this figure, see...

Figure 6.7. Simulation of failure of a node. For a color version of this figure,...

Chapter 7

Figure 7.1. Device-to-Device communication between UE1 and UE2 as a sublayer in ...

Figure 7.2.

The machine learning flowchart

Figure 7.3. Example of node positions for a morning traffic scenario with low us...

Figure 7.4. Example of the node positions for a morning traffic scenario with hi...

Figure 7.5. Number of periods required for complete discovery. For a color versi...

Figure 7.6. Percentage of energy consumed for the two cases considered: low and ...

Chapter 8

Figure 8.1. The contribution of different devices to the network’s energy consum...

Figure 8.2.

Energy consumption based on use (Barroso and Holzle 2007)

Figure 8.3.

The op

ti

mized carbo

n

footprint for

s

pecific operational

l

oads (Bianz...

Figure 8.4.

The Mitola cognition cycle (Mitola 1998)

Figure 8.5. Compromise: The bandwidth, transmission power, distance and flow rat...

Figure 8.6. State and condition of the channel for the SU. For a color version o...

Figure 8.7.

New machine learning algorithm

Figure 8.8. CR versus CR with Q_learning. For a color version of this figure, se...

List of Tables

Chapter 1

Table 1.1.

Parameters for the QBAIoT simulation scenarios

Chapter 2

Table 2.1.

Platforms for implementing Cloud Computing

Table 2.2.

Simulation software in Cloud Computing

Table 2.3.

Tools for implementing and simulating Cloud Networking

Table 2.4.

Inter-Cloud implementation and simulation tools

Table 2.5.

Standardization of QoS in the Cloud

Table 2.6.

Standardization of security in the Cloud

Table 2.7.

Standardization of security in the Cloud

Chapter 3

Table 3.1.

Table summarizing DSM approaches

Chapter 4

Table 4.1. Importance of QoS for e-health procedures/services (Skorin-Kapov and ...

Table 4.2.

Medical images: characteristics and QoS required (Vouyioukas

et al. 2...

Table 4.3.

QoS required for the constrained e-health flows (Gállego

et al.

2005)

Table 4.4.

Security required by WBANs and possible solutions (Ng

et al.

2006)

Chapter 6

Table 6.1.

Global parameters for BATM

Table 6.2.

BATM simulation parameters

Chapter 7

Table 7.1.

Examples of SVR kernel functions

Table 7.2.

Simulation parameters and values

Guide

Cover

Table of Contents

Title Page

Copyright

Preface

Begin Reading

List of Authors

Index

End User License Agreement

Pages

v

iii

iv

xi

xii

xiii

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

259

SCIENCES

Networks and Communications, Field Director – Guy Pujolle

Network Management and Control, Subject Head – Francine Krief

Service Level Management in Emerging Environments

Coordinated by

First published 2020 in Great Britain and the United States by ISTE Ltd and John Wiley & Sons, Inc.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:

ISTE Ltd27-37 St George’s RoadLondon SW19 4EUUK

www.iste.co.uk

John Wiley & Sons, Inc.111 River StreetHoboken, NJ 07030USA

www.wiley.com

© ISTE Ltd 2020

The rights of Nader Mbarek to be identified as the author of this work have been asserted by him in accordance with the Copyright, Designs and Patents Act 1988.

Library of Congress Control Number: 2020933380

British Library Cataloguing-in-Publication Data

A CIP record for this book is available from the British Library ISBN 978-1-78945-002-6

ERC code:

PE7 Systems and Communication Engineering

PE7_1 Control engineering

PE7_8 Networks (communication networks, sensor networks, networks of robots, etc.)

Preface

Nader MBAREK

LIB, University of Bourgogne Franche-Comté, Dijon, France

Communication technology has changed so much in our time that networks are omnipresent, with a variety of access equipment that allow people to constantly communicate with the network in order to produce or benefit from services provided by the network using ever-increasing and ever-more dynamic applications and operating environments. Networks have become an embedded part of daily life. This has been possible thanks to components that are constantly becoming smaller, cheaper and more powerful with higher processing speeds. Most important, perhaps, is that these components are able to form more and more connections between themselves using different technologies, thereby forming ambient networks on a large scale. In parallel with this quantitative explosion in communication networks, there is a complexification of technology. This rise in the number of networks and their complexity is accompanied by challenges in terms of management and control. Further, the increased competitiveness between service providers and the constant change in user needs requires genuine “dynamism” in service offerings, which is moving more toward Quality of Service (QoS), mobility and security as access networks and the technologies used develop further, while also trying to offer different service levels, thus responding to the needs of different types of applications. In this context, it becomes necessary to manage the service level demanded by the client and that the service provider must commit to offering. This service level is then used to efficiently parametrize the resources managed by the service provider based on customer needs.

It is from this point of view that different approaches for managing one or more service level components (QoS, security and mobility) are described in this book for different emerging environments such as the Internet of Things (IoT), the Cloud, smart grids, e-health, mesh networking, device to device (D2D), smart cities and green networking.

In Chapter 1, Ahmad Khalil, Nader Mbarek and Olivier Togni introduce the IoT environment through architectures proposed by different standardization bodies. They describe the importance of managing security and the protection of privacy in this kind of environment. Further, the authors highlight the needs and requirements of each layer in the IoT architecture in terms of QoS as well as in terms of the proposed QoS mechanisms that can respond to these requirements. Finally, a framework that uses a three-layer IoT architecture and a QoS-based access mechanism concerning the lowest level in this architecture are described.

In Chapter 2, Nader Mbarek describes the Cloud environment in terms of Cloud Computing, Cloud Networking and inter-Cloud. The author specifies the context and motives around guaranteeing service level in the Cloud in terms of QoS and security. A framework for guaranteeing the QoS in the Cloud Networking environment is introduced.

In Chapter 3, Samira Chouikhi, Leila Merghem-Boulahia and Moez Esseghir explore demand management as a service offered to consumers in a smart grid environment. They describe this environment and its essential components and also explain fundamental concepts of demand management. They focus on demand-side management, more specifically on energy consumption planning.

In Chapter 4, Mohamed-Aymen Chalouf introduces e-health systems, offering an overview of their architecture and characteristics. The author then describes the security and QoS challenges in this kind of environment and discusses several research papers and projects aimed at providing appropriate management solutions.

In Chapter 5, Hajer Bargaoui, Nader Mbarek and Olivier Togni introduce characteristics of wireless mesh networking, highlighting QoS management. The authors define routing concepts based on QoS in wireless mesh networks and describe Hybrid QoS Mesh Routing (HQMR) as an example of a routing protocol based on the defined QoS for this kind of environment.

In Chapter 6, Axel Moinet and Benoît Darties introduce the concept of blockchain through its basic characteristics and operating principle. The authors then describe how blockchain can fit into a model dedicated to the IoT in order to respond to authentication and trust challenges in this kind of environment. Blockchain Authentication and Trust Module (BATM) architecture is introduced as a solution that can respond to these challenges.

In Chapter 7, Chérifa Boucetta, Hassine Moungla and Hossam Afifi describe the emergence of D2D communications, focusing on the discovery of terminals in this kind of environment. It is essential, in this context, to optimize neighbor discovery in order to provide users with a high QoS while also ensuring the economizing of resources. The authors evaluate how an automatic learning strategy may contribute to a D2D environment.

In Chapter 8, Mohammed Salih Bendella and Badr Benmammar introduce not only green networking but also cognitive radio. They then study the impact of cognitive radio on green networking based on learning through reinforcement in order to extend the life of a network and reduce its energy footprint.

We hope that this book will help readers gain a greater understanding of the challenges and important issues related to service level management in emerging environments, as well as in their current works that focus on managing QoS, security and mobility in this kind of environment.

1Service Level Management in the Internet of Things (IoT)

Ahmad KHALIL, Nader MBAREK and Olivier TOGNI

LIB, University of Bourgogne Franche-Comté, Dijon, France

1.1. Introduction

The Internet of Things (IoT) is now an integral part of our daily life. By 2020, there will be over 20 billion connected digital and electronic devices, which works out to about two devices per human being on Earth (Nordrum 2016). The IoT will thus have a significant impact on human life and will improve quality of life. The future growth of the IoT will lead to advanced use of technology in order to facilitate accomplishing daily human tasks. Consequently, improving corresponding services is an important challenge that must be faced in order to allow the expansion of this environment. In this context, it is expected that there will be a better user experience that will make up for the limitations experienced when using IoT services. User experience may translate to a service level that includes the expected Quality of Service (QoS) and also the expected level of security and privacy offered by the IoT environment. The objects connected to the IoT have certain restrictions in terms of memory, computing capacity and energy consumption. However, existing QoS security and privacy protection mechanisms do not take these constraints into consideration. Thus, it is primordial that we design and develop new QoS and security mechanisms or adapt and improve existing mechanisms in the context of the IoT.

In this chapter, we will first introduce, in section 1.2, definitions related to the IoT environment. We will then describe, in section 1.3, the architectures proposed by different standardization bodies and the fields of application of the IoT. section 1.4 introduces security management as well as the management of privacy protection in the IoT through the motivations, challenges and different security services that must be considered in this kind of environment. section 1.5 describes QoS management by highlighting the needs and requirements of every layer of the IoT architecture in terms of QoS as well as the proposed QoS mechanisms that will respond to these. section 1.6 defines our framework using a three-layer IoT architecture and a QoS-based access mechanism concerning the lowest level of this architecture. Finally, section 1.7 presents conclusions and perspectives related to service level management in an IoT environment.

1.2. IoT: definitions

Various standardization bodies have worked on the IoT in order to specify the definitions, architecture, recommendations and the fields of application for this new paradigm. The ITU–T (International Telecommunication Union– Telecommunication Standardization Sector) is a standardization body that works on the IoT environment and its different fields of applications through the SG20 work group. According to the ITU-T document Y.2060, the IoT is a ubiquitous network that is available everywhere, anytime and to anyone (ITU-T 2012). The IoT is a global infrastructure for the information society that makes it possible to offer advanced services by interconnecting objects using various communication technologies (Minerva et al. 2015). Further, in ISO/IEC (2015a), the ISO/IEC (International Organization for Standardization/International Electrotechnical Commission) provides a definition and specification for the vocabulary used within the IoT environment. According to this, the IoT is a network of physical objects that collect and transmit data. It is an infrastructure made up of interconnected objects, humans and information resources that make it possible to process data collected by the objects and then react as a consequence (ISO/IEC 2015a; International Electrotechnical Commission 2017b). According to the Internet Engineering Task Force (IETF), the general idea behind the IoT is to connect objects in order to provide contextual services across different technologies, thereby offering a service available anywhere and at any time (Minerva et al. 2015). The IETF considers the IoT to be a network of interconnected objects that can be addressed uniquely and that use standardized protocols for communication between the objects (Lee et al. 2012). Further, the IETF and ISO/IEC take different requirements into consideration in the IoT environment, such as auto-configuration, unique identification, interfaces standardization, connectivity, reliability and mobility.

We propose a definition that brings together information from all the definitions discussed above: the IoT is a global infrastructure that interconnects objects (which are identified uniquely) and humans to offer advanced, autonomous services via smart interfaces. It must be noted that the unique identification allows the identity of the objects to be verified and enables data processing based on the source of the data.

1.3. IoT: an overview

1.3.1. IoT architectures

Standardization bodies and research projects have introduced various architectures for the IoT. In the following sections, we describe two examples of proposed architectures for the IoT.

1.3.1.1. The ITU-T reference model

The ITU-T proposed a reference model for the IoT that is based on multiple layers (ITU-T 2012). This reference model (see Figure 1.1) defines four horizontal layers (application, support, network and devices) and two vertical layers (management and security). The application layer includes IoT applications and services. Next, the Service Support and Application Support Layer defines the capacities for generic support that are common to all applications, such as data processing and storage. This also includes specific support capacities that respond to the needs of a particular application. The Network Layer offers two services. First there are network capacities, which ensure that connectivity, mobility management, authentication, authorization and accounting functions are all monitored. Second, there are transport capacities that control the routing of data coming from applications or information from the monitoring and management of the environment. The Device Layer defines the capacities of each connected object and device as well as the capacities of the communication gateways.

The vertical layers define the generic management capacities (management of objects, network, traffic and congestion) as well as the security capacities (authorization, authentication, integrity and privacy protection). Further, these vertical layers introduce specific capacities that are dependent on the type of IoT application being considered.

Figure 1.1.The ITU-T architecture of the Internet of Things (ITU-T 2012). For a color version of this figure, see www.iste.co.uk/mbarek/service.zip

1.3.1.2. The IIC architecture

The Industrial Internet Consortium is a consortium of several well-known industrial groups in the IT world, such as IBM, HUAWEI and Intel. Through the Industrial Internet Reference Architecture report, this consortium puts forth a system architecture that is applicable to the IoT. This three-tiered architecture is based on three vertical layers or three levels (see Figure 1.2) (Lin et al. 2015).

The Edge Tier corresponds to all the nodes that collect data from proximity networks. This layer makes it possible to implement all control functions. Then comes the Platform Tier, which receives, processes and transmits control commands to the Edge Tier. This layer also enables the processing, analysis and running of operations on data collected from objects, before transmitting them in the opposite direction, toward the Enterprise Tier. The Enterprise Tier takes decisions and carries out the role of an interface with the end-user. It thus includes applications that allow control commands to be generated and to be sent to the Platform Tier. The different layers in this architecture are interconnected via access networks and service networks.

Figure 1.2.Architecture of the Internet of Things (Lin et al. 2015). For a color version of this figure, see www.iste.co.uk/mbarek/service.zip

1.3.2. Application fields of the IoT

The IoT improves the quality of life in different areas of daily life. Examples include the field of health, smart cities, vehicular networks and so on. The ISO/IEC focuses on the standardization of the underlying technology used in different fields of application of the IoT. Working Group 9 under Technical Committee 1 (JTC 1/WG9) of ISO/IEC studies the normalization of Big Data technologies in IoT domains (International Electrotechnical Commission 2017). Further, various providers offer solutions for IoT service offerings and implementation in different fields of application. For example, the Kaa1 project offers a range of features allowing us to create advanced applications for smart devices, to flexibly manage ecosystems and their peripherals, to orchestrate end-to-end data processing, etc.

1.3.2.1. E-health

An aging population requires monitoring of old people through a decentralized healthcare system based on a set of connected sensors. Each patient possesses a surveillance system that allows them to be monitored and surveilled without the need of visiting the medical center. The medical data collected in this way improve healthcare by customizing treatments and creating an easier everyday life for patients. Thus, automated systems can perform a major part of a doctor’s work (tests, diagnosis, prescriptions, behavior modification) by collecting and analyzing patient data both passively and actively. As a result, a comprehensive and rich database becomes available and can alert doctors to any need that arises, while also providing them with a general overview of the patient’s health up to that point. This application field of the IoT has attracted the attention of several international organizations that have attempted to standardize the technologies used in order to effectively respond to the requirements of this field (International Electrotechnical Commission 2017). International organizations aim to promote the use of e-health technologies around the world. The World Health Organization (WHO) and the Program for Appropriate Technology in Health (PATH) have entered into a partnership to accelerate the development of digital health around the world (World Health Organization 2018). This field of application has attracted a large number of industrial organizations that try to offer different products that would be useful for e-health. Indeed, Ericsson and its partners offer portable prototypes for the field of e-health with long battery lives (Ericsson 2018).

1.3.2.2. Smart cities

In the context of smart buildings, the IoT offers management systems that can automate control functions through intelligent devices while providing real-time data analysis. Because of the data collected from the IoT objects, it is possible to anticipate needs and preferences in terms of lighting, heating or ventilation. Similarly, this information may relate to security systems, electricity meters or the removal of waste and sewage. Reactivity with respect to these data that are collected through IoT objects allow buildings to adapt to changes and to implement the required modifications in real time, for increased efficiency, and to reduce operational costs. Putting in place smart buildings makes it possible to create smart cities by integrating other IoT devices into different services offered by the city such as transport, water and air quality. Various standardization organizations have focused on this field through working groups that study the standardization of the technologies used. For example, ISO and IEC, through the technical subcommittee JTC1/SC25, have established norms for microprocessor systems and interconnection supports associated with equipment for commercial and residential environments (International Electrotechnical Commission 2018). Further, the IEC white paper (2017a) describes smart buildings and smart cities as being fields of application of the IoT. This paper specifies how to orchestrate the infrastructure required for smart and sustainable cities. Even as these groups establish norms, Nokia (2018) has launched several services and technologies on the market to manage video surveillance, the sensor networks for the IoT, parking and the environment within a smart city. In this context, infrastructure has been proposed with applications that make it possible to transform any contemporary city into a smart city.

1.3.2.3. Vehicular networks

All types of transportation systems may benefit from the advantages offered by the IoT. IoT solutions promise to make transportation systems more intelligent and better performing by improving safety, the efficiency of their journeys, the maintenance of vehicles and by offering more strategic traffic-management (Alcatel Lucent Enterprise 2018). Communication systems between vehicles and infrastructure (V2I) and communication systems between vehicles (V2V) enhance safety, efficiency and the performance of public and private transport. They also contribute to reducing congestion and improving space management. Drivers of connected cars can benefit from a large number of services such as navigation, real-time traffic and parking information, as well as the integration of smartphones with the dashboard and portable devices (International Electrotechnical Commission 2017). The revolutionizing of the transportation world by applying the IoT in the field of vehicular networks has been possible because of the use of sensor networks and applications for parking management, traffic management, etc. For example, smart roads use sensors to determine the number of cars in each lane and then manage traffic lights based on this information so as to minimize congestion. The effectiveness of this field of application of the IoT can be seen in the implementation of this transformative technology in different projects. For example, the ParkDC project, implemented by the Washington D.C. transport department, uses a surveillance system based on the IoT to alert drivers to parking spots that are available and to calculate the appropriate parking charges based on real-time demand (Njit 2018).

1.4. Security management and privacy protection in the IoT

1.4.1. Motivations and challenges

The security of information systems is made up of all technical, organizational, legal and human resources required to prevent the unauthorized use, misuse, modification or hijacking of the information system. At present, security is a major challenge in the information world and the goal of security in this context is to maintain the trust of the users and the consistency of the entire information system. Several norms have arisen around concepts related to security, for example the X800 recommendation by ITU-T (1991), which emphasizes the role played by different security services and their applicability.

The IoT is characterized by an environment that is subject to constraints across several levels, which makes it difficult to adopt security mechanisms that were designed for conventional systems. An IoT environment includes objects with low memory resources and limited computational power. Further, the techniques normally used in conventional networks were designed for systems that contained powerful microprocessors and had high storage capacities (Hanna 2015). Existing security techniques must thus be adapted. Further, the large number of objects in an IoT environment makes it a difficult and onerous task to adapt existing security algorithms. For example, methods and algorithms for identification and controlling access to objects become more and more complex as the number of objects in the environment keeps increasing.

Before a device or a user can access IoT services, mutual authentication and authorization between the device/user and the IoT system must be established in accordance with predefined security policies. Security policies must be drawn up with great precision in order to comprehensively cover all possible use cases and must also follow standardized models in order to respond to the requirements of the IoT. It is, therefore, important to standardize security policies for the IoT environment. Further, access to data or services must be entirely transparent, traceable and reproducible. This results in an enormous volume of trace files created in the IoT environment given the large number of connected objects. Thus, the mechanisms to optimize traceability must be designed for the context of the IoT. In this kind of an IoT environment, a variety of operating systems with different architectures are available for IoT objects. We can cite here, among others, the example of Google’s Android Things (formerly called Brillo) (Google’s Internet of Things Solutions 2018), Huawei’s LiteOS (2018) and Windows 10’s IoT Core (2018). This diversity can make it even more difficult to standardize security mechanisms and measures.

As concerns user privacy, data can be collected in IoT systems without involving the users. In this context, this data feedback must be secured and the user’s privacy must be ensured during the collection, transmission, aggregation, storage, extraction and processing of the data. In order to meet these requirements, the appropriate mechanisms for data confidentiality, data authentication and data integrity must be included within the IoT, while respecting the needs of this kind of environment (ITU-T 2012).

A number of international organizations have worked on concepts related to security and privacy in the IoT, either by offering appropriate security mechanisms or by offering methodologies that can be applied across the layers of their IoT architectures. We thus have the ITU-T Y.2060 recommendation (ITU-T, 2012) that aims to secure the IoT environment by starting with an analysis of the threats that are specific to the IoT application. Then, specific security services and mechanisms will be supported at every layer of the IoT architecture to ensure global security within this environment. In terms of the application layer of the ITU-T reference model, different security services will be considered, such as authorization, authentication, privacy and integrity of application data, and also the protection of privacy. As concerns the network layer, the security services include authentication, confidentiality of the application data and the signaling data (configurations and commands) and the protection of the integrity of the network management techniques. For the lowest level of ITU-T IoT architecture, namely the device layer, the main services and mechanisms offered to guarantee security are authentication, authorization, validation of the device integrity, access control, confidentiality of data and the protection of integrity. Following the recommendation (ITU-T, 2014), several specific security abilities must be considered in the IoT environment: the ability to ensure secured communications to guarantee the confidentiality and integrity of the data during transmission and during storage. Further, the recommendation specifies an ability to provide a secure service that guarantees that fraudulent services will be forbidden and an ability for authentication and mutual authorization between objects and users in accordance with predefined policies to guarantee the security of information access. They are closely tied to the specific needs of IoT applications and depend on their field of application. Recommendation Y.2060 (ITU-T 2012) also emphasizes the need for security functions and mechanisms to be supported by IoT gateways interconnecting the different components of the different layers of the IoT architecture specified by ITU-T. In the following section, we will describe the different security services that must be considered in the IoT environment.

1.4.2. Security services in the IoT environment

In order to ensure security in the IoT environment, various security services must be provided by applying mechanisms that are specific and adapted to the characteristics of this kind of environment.

1.4.2.1. Identification and authentication in the IoT

1.4.2.1.1. Definition

Identification refers to establishing the identity of the user of a service. It is based on the principle of each user being individually assigned an identifier. Authentication follows identification and enables the user to prove their identity. The user should use an authenticator or a secret code, which only they know. Authentication does not give the right of access. It is the access control that guarantees this privilege if authentication has been successful (ITU-T 1991). Authentication mechanisms can offer several advantages to the IoT environment. Thus, through the identification and authentication mechanisms, the IoT environment takes into account robust devices that are able to reduce the risk of intrusion and avoid violations (Li 2017).

Further, conventional identification and authentication methods must be adapted to meet the requirements of the IoT environment in terms of scalability, the large number of entities, etc. Several organizations use digital certificates based on public key infrastructure (PKI) for device identification and authentication operations (Allerin 2018). However, certain adaptations must be carried out in order to consider this solution in the IoT context. First of all, the PKI infrastructure must be able to effectively support the process of issuing digital certificates in large numbers and at high speeds. For example, a cloud-based PKI is a more economical and realistic method for the scale required by an IoT environment. Second, digital certificates have a limited lifespan, which means they have an expiry date. In the context of an IoT environment, some use cases may require short-term certificates while many others require certificates with a longer lifetime. A certificate with a longer lifetime is required when a device needs to be authenticated on the basis of a long-term certificate. IoT project managers must then carefully determine the lifespan required for digital certificates and determine the associated advantages and disadvantages. On the other hand, the certificates, which are considered critical elements with their own life cycle, must be managed in an efficient manner. The manual tracking of these certificates is not feasible in an IoT environment. Thus, PKI must be associated with certificate management providers along with a scalable platform. These platforms must then be capable of managing specific IoT use cases (Allerin 2018).

1.4.2.1.2. Research projects

Various research studies and projects have dealt with identification and authentication security services. BUTLER (uBiquitous, secUre inTernet-of-things with Location and contExt-awaReness) (CORDIS 2018), a European project funded by FP7 (October 2011–October 2014), studied the mechanisms of identification and authentication in the IoT environment. This project proposed a mechanism for managing the ownership of objects by the users. In this case, users possess connected objects. A user (the owner of an object) has an account with the Trust Manager, which is implemented on an authorization server. The user connects to the authorization server and registers a new resource (a new connected object). The resource must have a unique identifier (generally a URL) and identification information (resource security credentials). The user must then configure the resource with the resource security credentials and, thus, the identity of the user who possesses the object may be verified. Similarly, BUTLER offers a mechanism that makes it possible to identify objects to gateways using digital certificates that are managed by authorization servers (Sottile et al. 2014). There is also academic research that has studied identification and authentication in the IoT. According to the work described in Li (2017), the author highlights the importance of proposing an authentication protocol that makes it possible to relieve nodes (which are constrained in terms of their storage and computing capabilities) of the management of authentication and authorization.

1.4.2.2. Access control in the IoT

1.4.2.2.1. Definition

Access control makes it possible to fight against the unauthorized use of a resource. In order to implement this control, a list of entities authorized to access a resource with their access authorizations is defined in accordance with a security policy. This security service is offered to implement different types of access to resources (reading, writing, modification, information deletion and task execution). Access control is based on one or more elements, using an information database that is maintained by authorization centers or the entity itself and this may take the form of an access control list or a hierarchical or distributed matrix. These databases include authentication information (passwords, security tags, etc.) (ITU-T 1991). Two entities are used for access control in the IoT: the data holders (users of IoT services) and objects (data collectors) that send data or receive commands. These two entities must be mutually authenticated (Balte et al. 2015).

1.4.2.2.2. Research projects

Several European research projects have studied the adaptation of access control mechanisms for the IoT environment. ARMOUR (2018) is a European project funded by H2020 (February 2016–February 2018) that addressed some of the challenges surrounding security and trust in the IoT. The work carried out in the framework of this project makes it possible to define a set of components that interact with each other to authorize or block secure data queries in an IoT environment. ARMOUR defines several entities in this environment in order to do this. First, we have the Policy Decision Point (PDP), which is a component that includes the access policies and, by evaluating the access control policies, can authorize or deny authorization to an IoT device (sensor) to carry out an action on a resource (data registration server). For example, a “PERMIT” decision from the PDP allows the Capability Manager (the server communicating with the PDP) to generate and send a token to the sensor to publish the data on the IoT platform. The data publication server (Pub/Sub Server) saves the data and thus allows the data query to be updated and executed if the sensor token received by the Capability Manager allows this action (ARMOUR 2016).

SMARTIE (Secure and SMArter ciTIes data management) (Pokric et al. 2015) is another European project funded by FP7 (September 2013–December 2016) focused on access control in the IoT. SMARTIE’s goal was to develop new mechanisms to establish trust and security in the different IoT layers. The results of the project indicate that Attribute-Based Access Control (ABAC) is an appropriate solution to specify finer access control policies. In ABAC, the identity of an IoT service user is no longer limited to a single attribute but is based on multiple attributes (i.e. user ID, role, etc.) that make up this identity. This is why ABAC provides substantial improvements in authorization and access control within the IoT. ABAC-based solutions make it possible to overcome the disadvantages of centralized access control solutions. Each query requires two steps: an authorization check (identity control and authentication) and, consequently, an access control decision (authorization or prohibition). For each access request, the IoT service user is authenticated with the domain and the access authorization request is obtained for the user. The user’s access authorization request is signed by a trusted domain authority. Thus, the user may send the query to the IoT devices that verify the signature. If the signature is successfully verified, the required information is sent to the user (SMARTIE 2014a, 2014b; Pokric et al. 2015).

1.4.2.3. Confidentiality in the IoT

1.4.2.3.1. Definition

The confidentiality service offers protection against non-authorized entities analyzing traffic and against data flows being divulged. Data encryption is the most appropriate mechanism to ensure this security service. Encryption can be carried out using a symmetric system (with a secret key) or an asymmetric system (public key). Symmetric encryption involves knowing the secret key that allows encryption and decryption. For asymmetric encryption, the knowledge of the public encryption key by all entities does not imply knowledge of the private key for decryption. Apart from encryption mechanisms, there must be a key management mechanism in order to exchange keys between the communicating entities (ITU-T 1991).

In an IoT environment, there are several points that must be taken into consideration when using the confidentiality service, especially during the key exchange process for encryption. First of all, extensibility is an important characteristic that must be considered, as there is a high number of connected objects. In fact, the number of entities that can be involved in the key exchange process may be limited by using conventional systems. Second, new entities may be involved after the initial key exchange. Thus, new objects may be integrated into the IoT environment after the initiation of the services. Scalability is another important characteristic that must be taken into consideration. Indeed, when new entities are involved in the key exchange process in the IoT, the volume of cryptographic data to be stored on the objects becomes greater, while IoT objects are subject to restrictions in terms of data storage and processing abilities (Abdemeziem 2016).

1.4.2.3.2. Research projects

One of the challenges in implementing an encryption system for a connected object in the IoT environment is the availability of appropriate software libraries that respect the constraints governing IoT objects in terms of memory, computation ability and energy consumption. In this context, certain research projects have been carried out to address this problem, which still poses a challenge and requires more advanced studies that are better adapted to the needs of the IoT in order to provide optimal security services. An example of an existing library that can be used in an IoT environment is the “AVR-Crypto-Lib” (Cantora 2013), which provides special implementations that respect the limited resources of microcontrollers. This library offers symmetric key encryption such as AES, RC5, RC6 and DES. Another library, “Relic-Toolkit” (2018), offers a large variety of asymmetric encryption algorithms such as RSA and Rabin crypto system. “Relic-Toolkit” is used in the TinyPBC project implemented on the TOSSIM simulator (2018) on the TinyOS operating system. The libraries we have just described provide, among other things, a confidentiality service in an IoT environment, which allows secure communications, so that unauthorized access to the content of the data is prohibited and that content is protected during its transfer between two entities in the IoT environment.

European research projects have also focused on data confidentiality on the IoT. The SMARTIE project (Pokric et al. 2015), for example, uses CP-ABE (Ciphertext Policy Attribute-Based Encryption), a technique that allows the IoT user to decrypt the message from objects with a secret key if the policy attributes match the attributes of the key. CP-ABE makes it possible to encrypt data for a group of users, instead of encrypting it individually, in accordance with access policies. This technique links access control and encryption and is used when data from an object must be received by several users of that IoT service. Data are thus encrypted only once (SMARTIE 2014a; Pokric et al. 2015). The European project BUTLER (CORDIS 2018) is focused on the protection of the communication channel in the IoT. This channel is vulnerable because of its wireless feature and information dissemination. BUTLER proposes improvements to security standards used in IoT communication technologies. For ZigBee, it offers a security system based on the use of symmetric keys to complement and enhance the security features provided by the ZigBee standard, which uses two mandatory keys and one optional key. The Master Key and the Network Key are mandatory, while the Link Key is optional. The Master Key is used in the initialization phase and implemented at the nodes through an out-of-band channel. The Network Key guarantees the security of the network layer and is shared by all nodes. It is derived from the Master Key. The optional Link Key is derived from the Master key and guarantees the security of the link between two peers at the application level. In this context, the BUTLER project put in place mechanisms to manage the deployment, maintenance and revocation of the Master key. It also proposed implementing an additional symmetric key (called the Global Key) at the node, at the time of manufacture. This key is used by the Medium Access Control (MAC) layer and is shared by all nodes. The Global Key guarantees security for the lower layers. The Network Key provided by the ZigBee standard will thus be used as a Group Key, which will be shared between the nodes and managed by the ZigBee Network layer. This makes it possible to securely address a group of nodes sharing a common feature. As a result, objects communicating via ZigBee will be guaranteed greater security as well as additional security when using the optional Link Key (Sottile et al. 2014).

1.4.2.4. Integrity in the IoT

1.4.2.4.1. Definition

Integrity is a security service that covers two significant concepts in the IoT: the integrity of data and the integrity of objects. The integrity of data aims to ensure that the data exchanged in an IoT environment is not modified or destroyed in an unauthorized manner during transfer. This is necessary in order to provide a reliable service and ensure that the information collected and commands received by the objects are legitimate. Verifying the integrity of data involves two processes, one involving the sender and the other the recipient. The entity that is transmitting the data adds verification information (like the Block Check Character or a cryptographic check value such as a hash value) based on the data transmitted. The recipient generates the same verification information based on the data received and compares this information with the information received in order to determine whether or not the data were modified during transmission in the IoT environment (ITU-T 1991).

The integrity of objects is necessary as the nodes in the IoT may be deployed in an unreliable environment and may be physically attacked to modify the software codes in the objects, for example. This second integrity service in the IoT enables the detection and prevention of any modification to the operating system and the configuration of the objects. The integrity of objects also makes it possible to lock and eliminate non-compliant devices. To implement this type of integrity, a digital fingerprint for the object in question is used to compare data effectively available on the object with the data that should be available.

1.4.2.4.2. Research projects

Various European research projects have studied the security service ensuring both types of integrity, that of data as well as of objects, in an IoT environment. SMARTIE, for instance, takes into account several architectures for the implementation of the integrity service in an IoT environment. It uses Linux’s kernel integrity measurement architecture (Pokric et al. 2015) to verify the integrity of objects. It additionally takes the support of integrity verification mechanisms present on smart cards, while taking inspiration from the Integrity Measurement Architecture (IMA). SMARTIE thus offers a node-attestation component that makes it possible to verify the integrity of the node by testing the hashing for the list of software and files that have been executed on that node. The node attestation component consists of a Remote Attestation mechanism between IoT objects and the remote central unit that is responsible for measuring the integrity of the objects. Remote attestation allows the remote party – the gateway or server responsible for verifying the integrity of the objects – to inspect the state of a device or an IoT object at any given moment. The remote party may request the hashing of the list of software or files and is able to verify whether the records provided by the device have been falsified by comparing the hashing received with the hashing that was calculated. The node-attestation component developed in SMARTIE makes it possible to provide a practical solution, which is a compromise between the hardware solution and the software-based approaches by using the IMA module and the architecture for integrity measurement that is present in the Linux kernel (SMARTIE 2014a; Pokric et al. 2015). The IMA module measures the integrity of the binary code before the kernel proceeds to loading the code into memory to be run. The measurement result is recorded and sent to the IMASC service (Integrity Management Architecture using a Smart Card). The IMASC system transmits the result to the smart card, where it is timestamped and signed so that there can be no subsequent manipulation of the entry. In addition, the smart card preserves a record with the hash value. For remote attestation, the verifying party can inspect the state of a remote device at any time by requesting the hashing and verifying the signatures. During a remote attestation request, the IMASC service interacts with the smart card and with the remote party in order to provide the proof of attestation. Further, various libraries have been designed for IoT objects in order to carry out the hash functions. For example, we have “Cryptosuite” (Knight 2010), which is a library for Arduino that supports different hashing algorithms such as SHA-1, SHA-256, HMAC-SHA-1 and HMAC-SHA-256.

1.4.2.5. Non-repudiation in the IoT

1.4.2.5.1. Definition

The non-repudiation service ensures that one party cannot deny its involvement in exchanges. This service can take one or two of the forms described below: the first form is non-repudiation with proof of origin, where the recipient receives proof of the origin of the data. This proof may be a digital signature using asymmetric encryption applied to the result of the hashing of the data exchanged. The second form is non-repudiation with proof of the data delivery, where the sender receives this proof in the form of an acknowledgment, for example (ITU-T 1991). The non-repudiation security service is necessary in the IoT to provide proof of data transmission through objects and also as a proof of the dispatch of any order by users of IoT services. This may fit into the framework of an audit that will allow the tracking and recording in trace files of all events that took place in an IoT environment.

1.4.2.5.2. Research projects

The first form of non-repudiation (i.e. with proof of origin) is based on mechanisms that are used to guarantee integrity, such as the data signature.

Consequently, the adaptation of non-repudiation mechanisms to an IoT environment may borrow from the adaptation of integrity services in the IoT. Non-repudiation was guaranteed in SMARTIE by the implementation of a signature for the list of software and operating systems of objects in order to verify the identity of the hashing issuer (see section 1.4.2.4.2