**3. Preliminaries**

This section defines the terms used in this paper.

### **3.1 Distributed denial of service attacks (DDoS)**

DDoS is one of the potential attacks in IoT, in which attackers coordinate many machines connected to the network to send an overwhelming number of unwanted requests to a targeted server [16], disrupting the server's traffic with a flood of requests. A DDoS attack achieves its effectiveness by using various compromised devices as the sources of attack traffic: the more hacked devices, the more damage is caused to the servers. Thus, the attacker examines remote machines for security gaps, using tools such as worms to find their vulnerabilities and inject them with the attack code. These compromised machines then become zombies, which the attacker uses to send malicious packets to the targeted victim. DDoS may also cause long-term memory consumption in the relaying nodes of IoT environments because of the nodes' restricted resources.

*An Effective Method for Secure Data Delivery in IoT DOI: http://dx.doi.org/10.5772/intechopen.104663*

There are various DDoS attack types used to degrade the performance or availability of targeted services on the Internet. Some of these attacks are Botnet attacks, Spoof-packet flood attacks, Multi-Vector Attacks, and Misused Application Attacks. There are also various schemes used to defend against DDoS attacks, which fall into three categories: policy-based schemes, application-based schemes, and machine learning-based schemes. A policy-based defense scheme is placed in the switch to define the traffic that is allowed to be forwarded; all other traffic is treated as malicious. It requires analyzing collected data samples of the network to classify malicious traffic. Numerous policy algorithms use measurements such as the standard deviation or the chi-square statistic of the sample to classify packets as malicious or legitimate. Secondly, application-based schemes handle and control packets in the network through the user interface layer. Finally, machine learning-based defense schemes deploy machine learning algorithms to investigate and classify the traffic in order to detect DDoS attacks.
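The chi-square policy check described above can be sketched as follows. This is an added example, not code from the chapter: the traffic bins, the add-one smoothing, the significance level, and all sample windows are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed feature: packets per sample window, counted by class (constructed bins).
BINS = ("tcp_syn", "tcp_other", "udp", "icmp")
# Chi-square critical value for 3 degrees of freedom (4 bins - 1) at p = 0.001.
CHI2_CRITICAL = 16.266

def learn_baseline(windows):
    """Estimate the expected share of each bin from known-good windows."""
    totals = Counter()
    for w in windows:
        totals.update(w)
    # Add-one smoothing so that no bin ends up with an expected count of zero.
    grand = sum(totals[b] + 1 for b in BINS)
    return {b: (totals[b] + 1) / grand for b in BINS}

def chi_square(window, baseline):
    """Pearson statistic: sum over bins of (observed - expected)^2 / expected."""
    n = sum(window.get(b, 0) for b in BINS)
    return sum((window.get(b, 0) - n * baseline[b]) ** 2 / (n * baseline[b])
               for b in BINS)

def classify(window, baseline):
    """Policy decision for one sample window of traffic."""
    if sum(window.get(b, 0) for b in BINS) == 0:
        return "legitimate"  # empty window: nothing to classify
    stat = chi_square(window, baseline)
    return "malicious" if stat > CHI2_CRITICAL else "legitimate"

# Constructed sample data, not taken from the chapter.
TRAINING = [
    {"tcp_syn": 10, "tcp_other": 61, "udp": 24, "icmp": 5},
    {"tcp_syn": 12, "tcp_other": 58, "udp": 26, "icmp": 4},
    {"tcp_syn": 9, "tcp_other": 60, "udp": 25, "icmp": 6},
]
NORMAL_WINDOW = {"tcp_syn": 11, "tcp_other": 57, "udp": 27, "icmp": 5}
FLOOD_WINDOW = {"tcp_syn": 900, "tcp_other": 60, "udp": 30, "icmp": 10}

if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    for name, w in (("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW)):
        print(name, round(chi_square(w, base), 2), classify(w, base))
```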

### **3.2 Hierarchical hidden Markov model (HHMM)**

The hierarchical hidden Markov model (HHMM) is a multi-level stochastic process derived from the hidden Markov model (HMM) by making each of the hidden states a self-contained, autonomous probabilistic model. It is a statistical framework for modeling a sequence of observations, in which each observation is emitted from a hidden state within the system by recursive activation. The basic idea of the HHMM is that the upper-level states, called "abstract" states, produce sequences of states [17], while the lower-level states, called "concrete" states, produce single observations [17]. The observations are governed by each of the sub-states (sub-HMMs). The process of recursive activation ends on reaching a state that produces output symbols like an HMM [17].

For estimating HHMM parameters, we define the generalized forward (*α*) and backward (*β*) probabilities as follows:

$$\begin{aligned} \alpha(i) &= P(O, q_i^l \mid \lambda) \\ P(O \mid \lambda) &= \sum \alpha_T(i) \end{aligned}$$

where $q_i^l$ is the number of sub-states of an abstract state.

$$\beta(j) = P\left(O \mid q_j^l, \lambda\right)$$

We also define the generalized horizontal (*ξ*) and vertical (*χ*) transitions as follows:

$$\begin{aligned} \xi\left(T, q_j^l, q^{l-1}\right) &= P\left(i_t = q_i^l, i_{t+1} = q_j^l \mid O, \lambda\right) \\ \chi\left(T, q_i^l, q^{l-1}\right) &= P\left(i_t = q_i^{l-1}, i_{t+1} = q^l \mid O, \lambda\right) \end{aligned}$$

The model is represented as $\lambda_{PHHMM} = \langle A^{q^l}, B^{q^l}, \pi^{q^l} \rangle$. The states of an HHMM are denoted by $Q^l = q_i^l$, where $l \in \{1, 2, \ldots, L\}$, $i$ is the state index, $L$ is the output state, and $l$ is the hierarchy index. It performs the following computation:

• A probability transition matrix ($A^{q^l} = a_{ij}^{q^l}$) is generated, in which the conditional probability of the future traffic state is independent of the past states given the present state:

$$\begin{aligned} a_{ij}^{q^l} &= P\left(q_{t+1}^{l+1} = S_j \mid q_t^{l+1} = S_i\right), \quad 1 \le i, j \le N, \\ a_{ij}^{q^l} &\ge 0, \\ \sum a_{ij}^{q^l} &= 1 \end{aligned}$$

where $a_{ij}$ is the horizontal transition probability from state $i$ to state $j$, both of which are sub-states of $q^l$, and $N$ is the number of hidden states.

• An emission matrix ($B^{q^l} = b_{jh}^{q^l}$) for the observation probabilities given the hidden traffic state is generated by:

$$b_{jh}^{q^l} = P\left(O_{h(t)} \mid q_t^l = S_j\right), \quad 1 \le i, j \le N, \quad 1 \le k \le M$$

where $b_{jh}$ is the observation probability in state $j$, and $M$ is the number of observable states.

• An initial state distribution ($\pi^{q^l}$) is generated by:

$$
\pi^{q^l} = \pi^{q^l}(q_i^{l+1}) = P(q_t) = s_1.
$$
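As an added example (not the chapter's own implementation), the code below applies the definitions above to a single level of the hierarchy: it checks the stochastic constraints on $A$, $B$ and $\pi$, computes $\log P(O \mid \lambda)$ with the forward recursion by summing $\alpha_T(i)$ over the states, and labels a traffic window with the sub-model that explains it best. The two sub-models, their parameter values and the three-symbol packet-rate alphabet are constructed assumptions.

```python
import math

def check_stochastic(rows, name):
    """Enforce the constraints above: entries >= 0 and every row sums to 1."""
    for row in rows:
        if min(row) < 0 or not math.isclose(sum(row), 1.0, abs_tol=1e-9):
            raise ValueError(f"{name} row is not a probability distribution: {row}")

def log_likelihood(model, obs):
    """log P(O | lambda) by the forward recursion, rescaled at every step."""
    A, B, pi = model["A"], model["B"], model["pi"]
    check_stochastic(A, "A")
    check_stochastic(B, "B")
    check_stochastic([pi], "pi")
    n = len(pi)
    log_p, alpha = 0.0, []
    for t, o in enumerate(obs):
        if t == 0:
            alpha = [pi[j] * B[j][o] for j in range(n)]
        else:
            alpha = [sum(alpha[i] * A[i][j] for i in range(n)) * B[j][o]
                     for j in range(n)]
        scale = sum(alpha)  # probability of o_t given the earlier observations
        if scale == 0.0:
            return float("-inf")  # the sequence cannot occur under this model
        log_p += math.log(scale)
        alpha = [a / scale for a in alpha]  # rescale to avoid underflow
    return log_p

def classify(obs, models):
    """Name of the sub-model under which the observation window is most likely."""
    return max(models, key=lambda name: log_likelihood(models[name], obs))

# Constructed parameters. Symbols: 0 = low, 1 = medium, 2 = high packet rate.
MODELS = {
    "normal": {"pi": [0.8, 0.2],
               "A": [[0.9, 0.1], [0.3, 0.7]],
               "B": [[0.7, 0.25, 0.05], [0.2, 0.6, 0.2]]},
    "flood": {"pi": [0.5, 0.5],
              "A": [[0.6, 0.4], [0.1, 0.9]],
              "B": [[0.2, 0.5, 0.3], [0.02, 0.18, 0.8]]},
}

if __name__ == "__main__":
    for window in ([0, 0, 1, 0, 0, 0], [2, 2, 2, 2, 2, 1, 2]):
        print(window, classify(window, MODELS))
```

The rescaling keeps $\alpha$ from underflowing on long windows; the product of the per-step scale factors equals the unscaled sum of $\alpha_T(i)$.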
