Accepted Manuscript

Wearable IoT data stream traceability in a distributed health information

system

Richard K. Lomotey, Joseph Pry, Sumanth Sriramoju

PII: S1574-1192(17)30327-9
DOI: http://dx.doi.org/10.1016/j.pmcj.2017.06.020
Reference: PMCJ 860

To appear in: Pervasive and Mobile Computing

Please cite this article as: R.K. Lomotey, J. Pry, S. Sriramoju, Wearable IoT data stream traceability
in a distributed health information system, Pervasive and Mobile Computing (2017),
http://dx.doi.org/10.1016/j.pmcj.2017.06.020

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to
our customers we are providing this early version of the manuscript. The manuscript will undergo
copyediting, typesetting, and review of the resulting proof before it is published in its final form.
Please note that during the production process errors may be discovered which could affect the
content, and all legal disclaimers that apply to the journal pertain.
 PERVASIVE AND MOBILE COMPUTING - SPECIAL ISSUE ON INTERNET OF THINGS FOR PERSONALISED HEALTHCARE SYSTEM 1

Wearable IoT Data Stream Traceability in a

Distributed Health Information System
Richard K. Lomotey, Joseph Pry, Sumanth Sriramoju
Pennsylvania State University, Department of Information Sciences and Technology (IST), Monaca, PA 15061, USA

Abstract—With the soaring interest in the Internet of Things (IoT), some healthcare providers are facilitating remote care
delivery through the use of wearable devices. These devices are employed for continuous streaming of personal medical data
(e.g., vitals, medications, allergies, etc.) into healthcare information systems for the purposes of health monitoring and efficient
diagnosis. However, a challenge from the perspective of the physicians is the inability to reliably determine which data belongs
to who in real-time. This challenge emanates from the fact that healthcare facilities have numerous users who own multiple
devices; thereby creating an N x M data source heterogeneity and complexities for the streaming process. As part of this
research, we seek to streamline the process by proposing a wearable IoT data streaming architecture that offers traceability of
data routes from the originating source to the health information system. To overcome the complexities of mapping and
matching device data to users, we put forward an enhanced Petri Nets service model that aids with a transparent data trace
route generation, tracking and the possible detection of medical data compromises. The results from several empirical
evaluations conducted in a real-world wearable IoT ecosystem prove that: 1) the proposed system’s choice of Petri Net is best
suited for linkability, unlinkability, and transparency of the medical IoT data traceability, 2) under peak load conditions, the IoT
architecture exhibits high scalability, and 3) distributed health information system threats such as denial of service, man-in-the-
middle, spoofing, and masking can be effectively detected.

Index Terms—Internet of Things (IoT), Sensors, Mobile devices, Middleware, Wearables, Petri Nets, Privacy, Health
Information System

——————————  ——————————

1 INTRODUCTION

T HE huge galaxy of interconnected “things” around us

today is leading to the creation of new use cases and
applications across several domains [1] [3]. Through net-
working capabilities, these devices are facilitated to sense,
collect heterogeneous data types from different places,
and deliver the collected data to other nodes (e.g., cloud
facilities) for analytical transactions.
There are several use cases and applications of IoT and
especially in healthcare, the list includes: Telehealth: re-
mote or real-time pervasive monitoring of patients, diag-
nosis, and drug delivery. With wearable IoT for fitness
tracking, sensors are able to read users’ vitals and the in-
formation can be pushed to healthcare facilities.
However, the quest for sensor data streaming in an at-
tempt to offer health monitoring services for instance, can
be challenging for the physicians. Taking wearable IoT for
example, smart watches and other sensors such as blood
oxygen readers, gamma ray radiation detectors, and fit-
ness trackers are facilitated to generate and/or collect
personal records (including vitals, location, and dosage
levels) which should be delivered to the healthcare in-
formation system. These devices therefore are constantly
running to enable the data streaming process which can
create certain problems at the physicians’ end.
————————————————
 R.K. Lomotey, Department of Information Sciences and Technology (IST),
Pennsylvania State University, Beaver Campus Monaca, PA 15061, USA.
E-mail: rkl5137@psu.edu., Corresponding Author
Firstly, medical facilities have several “users”, say N,
who may subscribe to real-time monitoring through
wearable IoT services. But, a user can own more than one
IoT device, say M, where device heterogeneity is due to
varied conditions; and some devices can only sense and
deliver specific data. This means the healthcare systems
have to stream the IoT data in an N x M transactional
view. Since the physicians mostly do not control what
devices users purchase (because it’s personal), the task is
for the former to determine who owns what data — a
requirement that can be tedious and limiting real-time
diagnosis.
Moreover, the medical data streaming process can also
be demanding on features such reliability, transparency,
and user privacy preservation. This means the care facili-
ties are not only dealing with the N x M data streaming
sources but, must be able to track devices, maintain data
source origination record, and data read points. This of-
ten leads to unbearable complexities.
Some researchers identified the aforementioned issues
as well. For instance, Kang et al. [32] studied RFID-based
traceability and its implication to IoT data storage sys-
tems. Also, there are some reported works that focus on
application and process traceability within IoT [33] [34].
Our goal is to research and develop a wearable IoT ar-
chitecture for healthcare use with the capability of gener-
ating trace routes while preserving privacy and reliabil-
ity. With traceability facilitated, the healthcare facilities
can transparently audit the streamed medical data for
possible compromises, and eventually automate the mon-

***************************
2 PERVASIVE AND MOBILE COMPUTING - SPECIAL ISSUE ON INTERNET OF THINGS FOR PERSONALISED HEALTHCARE SYSTEM
itoring process to enhance real-time diagnosis.
To achieve our goal, the paper discussed the proposed
solution which is an implementation of a distributed ar-
chitecture that comprises users, IoT devices, a lightweight
middleware, and the healthcare information system. In
order to coordinate the process flow of the medical data
streaming, we put forward a Petri Net service model. This
aids the healthcare information system to support itera-
tions in the streaming data flow, device choice usage
tracking, and the monitoring of concurrent streams from
the users. The model further aids the proposed system to
track the IoT data from an originating user to the various
wearable devices being used and highlight areas where
compromises are suspected for further inquiry.
Secondly, the work is able to maintain medical data
trace route detection and formulation. As will be seen
further in the paper, the traceability routes are studied
with visual analytics.
Overall, the work made the following research contri-
butions:
 Proposed a wearable IoT architecture for healthcare
adoption with the ability to offer traceability of
streamed data from source, the devices engaged with,
and the current state of the medical data. This is
achieved through the adoption of Petri Net service
modelling where users, devices, and medical data
matching is achieved in the M x N system.
 The choice of service modelling facilitates the architec-
ture to overcome complexities of iterations, IoT device
choice adoption, and concurrency with regards to the
management of the streaming medical data. Also, digi-
tal audit trail is achieved for transparency.
The above contributions are highlighted based on the
experimental results that show superiority of our system
compared to existing service modelling methodologies
such as the Tuple of Input and the Büchi automaton which are
reported by Wing et al. [28].
The remaining sections of the paper are arranged as fol-
lows. Section 2 underscores the importance of IoT in the
current dispensation as well as reviews of works on IoT
and privacy. Section 3 describes the architectural design of
our proposed wearable IoT system and the design justifica-
tions of Petri Net in Section 4. The evaluation of the im-
plementated work is carried out in Section 5. The paper
concludes in Section 6 with our contributions and future
research direction.
2 BACKGROUND WORKS
2.1 IoT Applications
With the Internet of Things (IoT), addressable machines (or
objects) such as smart sensors and other physical devices
that are ideally not seen as computers, can interact with
less human intervention [1] [2] [4] [5]. This has given rise to
new use cases in the management and sharing of personal
data with physicians where sensors and smartwatches can
stream personal vitals; an area known as wearable IoT.
This is commonly seen in fitness and health monitoring
applications.
However, in wearable IoT for instance, users who are
streaming their personal vitals to backend services (e.g.,
health information systems in the cloud) or across multiple
personal devices (e.g., streaming between sensors and
smartphones for fitness tracking) are not only at risk from
hackers. But, there are emerging healthcare information
system issues with proper management of the varied data
streams; where the variety stems from multiple patients
using N-devices. This creates the need to offer research
solutions on how to reliably trace, track, and match pa-
tients to their device data in distributed architectures. Since
the IoT is still in its infancy, the field does not boast of ex-
tensive works on data traceability, privacy, and monitor-
ing. However, we studied some methodologies that have
been proposed to achieve the aforementioned require-
ments in distributed systems.
2.2 Data Tracking and Security
In order to ensure quality, reliability and to a very large
extent transparency, in enterprise systems, most works
proposed the provenance (i.e., the record of the lineage of
data) technique. In the electronic health system, data prov-
enance tracking is necessary for rights protection, regulato-
ry compliance, management of intelligence, privacy and
medical data, and verifying of information as it flows
through various stages [6] [7] [8]. As a result, some re-
searchers have looked into the employment of provenance
to answer the what, when, and how questions on IoT data.
Eduardo et al. [9] proposed a lightweight semantic
model and a prototypic mobile-enabled software for cap-
turing information about IoT devices and their generated
data. Other researchers focused on the privacy preserva-
tion of IoT provenenace data which can be breached
through contextual data inference [10] [11] [12] [14].
Yet, little has been done regarding security, privacy and
personal safety risks that arise beyond subsystems; that is,
cross platform openness perception that comes with cloud
services in relation to IoT [13].
2.3 Wearable IoT Security and Data Validation
Security in wearable IoT is treated as an afterthought [15]
[19] [21] [24]. In situations where that is not the case, Arias
et al [15] opined that methods which are engaged in high
powered computing are employed such as software-based
encryptions, firmware signing, and encoding techniques.
And sometimes, these techniques prove inefficient due to
the delicate nature of IoT ecosystems.
This is the reason Ometov et al [16] focused on crypto-
graphic primitives for wearable IoT devices in an at-
tempt to provide IoT domain specific solutions for encryp-
tions in constraint wearable systems. Consequently, Hosse-
inzadeh et al [17] explored the security options at the OS
and API levels on the wearable IoT devices. In another
platform called SecuWear [18], vulnerabilities are detected
on wearable devices within the hardware and software.
Other works related to healthcare discuss the building
blocks of wearable IoT architectures and further opined
that wearable IoT data should be secured from the point of
generation, through transmission, to the final resting place
in the database of the care facility [20]. As a result, IoT ar-
chitecture are proposed based on Gateways that aggregate
health sensor data and resolve security issues through digi-
AUTHOR ET AL.: TITLE
tal certificates, and public key encryption (PKI) data en-
cryption [22] [23].
Furthermore, wearable IoT devices together with
smartphones support lifelogging personalized health data
such as physical activity, weight, sleep quality, heart rate,
blood pressure, etc. However, lifelogging physical activi-
ties (LPA) data in IoT comes with several uncertainties due
to mobility and lifestyle changes [35]. Thus, Yang et al. [35]
studied how to enhance the validity of LPA data in an IoT
architecture using a rule-based adaptive LPA validation
model. Another research addressing the same LPA valida-
tion issues proposed LPA intensity pattern decision mak-
ing methodology [36] [37].
2.4 Graphs and Security Networks
Apart from the security complexities at the data and
system levels, there is also the need to understand how to
track device specific data. In addition to the provenance
technique which is earlier discussed, some techniques
prove to be valuable in other fields but under-utilized in
IoT implementations.
For instance, Petri Nets [25] model has been proposed
for the description of distributed services in a directed bi-
partite graph. However, the applicability of the model in
IoT is limited to only a handful of works from our current
findings. First, Yamaguchi et al [26] classified an IoT ser-
vice as a multi-agent environment, and model it as an
agent-oriented Petri net in order to analyze IoT services
through simulation. Likewise, Yang et al. [27] employed
the Petri net model to perform IoT services composition in
an attempt to find the most optimal composition way.
Also, network scenario graphs have been presented to
model network security. Examples of such include the Tu-
ple of Input and the Büchi automaton [28]. Both algorithms
are explained as algorithm 1 and algorithm 2 respectively.
Input:
set of states
⊆ – transition relation
⊆ – set of initial states
∶ → 2 states with propositional formulars
a safety property
Output:
Scenario graph 〈 , , ,
Algorithm: GenerateScenarioGraph , , , ,
1. , , ,
(* Use model checking to find the set of states
that violate the safety property . *)
2. , , , ,
(* Restrict the transition relation R to states in the set
*)
3. ∩ . the focus is on wearable IoT data traceability scenarios, we
.
| ∈ ⋀ ∈
4. Return 〈 , , , 〉 ver, the architecture took into consideration areas where
Algorithm 1. The tuple of inputs model.
In Algorithm 1, a network model scenario graph is
3
proposed for the detection of attacks using the tuple of
inputs 〈 , , , 〉. The algorithm considered set of states,
transitions, and the determination of reachable states
from another state. The properties of the algorithm fur-
ther enhances the determination of safe versus unsafe
transitions. The Algorithm 2 is an attack detection scenar-
io graph using the Büchi automata. This represents finite
states that accept infinite executions. For detail discussion
of the algorithms, the reader is referred to [28].
Input:
– the Büchi automaton
– a Linear Temporal Logic (LTL) property
Output:
Scenario graph ∩
Algorithm: GenerateScenarioGraph ,
1. Convert LTL formula to equivalent Büchi automa-
ton
2. Construct the intersection automaton ∩ .I
accepts the language ∖ , which is precisely
the set of executions of forbidden by .
3. Compute SCC, the set of strongly-connected compo-
nents of I that include at least one acceptance state.
4. Return , which consists of SCC plus all the paths to
any component in SCC from any initial state of I.
Algorithm 2. The Büchi automaton model.
2.5 The Open Issues
From the various literature, it is evident that most of the
works on medical data security and privacy in IoT ecosys-
tems focus on preventing unauthorized access or protec-
tion against damage. However, the current nature of
streaming data from heterogeneous wearable IoT devices
without any trace routes is an equal security concern. Un-
fortunately, medical data traceability has been overlooked
by current research studies and this makes it difficult to
answer critical questions about what data matches who.
This issue is futher complicated if dump IoT terminals are
used to generate the data. In that case another device (e.g.,
smartphone) is required to transmit the data to the physi-
cians. Example is using the heart rate monitor by Texas
Instrument Inc.
〉 It is our expectation that we can fill this research gap
with the design of a wearable IoT architecture with the
capability of medical data traceability.
3 THE DESIGNED IOT ARCHITECTURE
The overall designed wearable IoT architecture for accom-
plishing our research goal is shown in Figure 1. Although
put forward a multi-tier architecture that comprises IoT
devices, middleware, and the cloud-hosted medical servers
.
which form part of the health information system. Moreo-
personal user devices are likely to interact with other de-
vices, which are listed as: Home, Wearables, Work, and
Vehicular IoT.
A middleware is proposed to enable the data collection
4 PERVASIVE AND
A MOBILE COM
MPUTING - SPEC
CIAL ISSUE ON IN
NTERNET OF THINGS FOR PERS
SONALISED HEAL
LTHCARE SYSTE
EM

Fig. 1. The generic IoT architecture

e showing majorr segments whe
ere interactions can occur.

processs, manage seecurity and privacy,

p and ensure
e complli- It is th
his integration
n scenario th
hat can lead to o complica-
ance. tions witth data originn authenticatioon in wearablle IoT espe-
Thee analytics laayer is where the final com
mposed data iis cially, when
w personal data such aas vitals can n be shared
stored
d in a well forrmatted fashiion. This data
a resides in th
he across many
m devices. And this is thhe typical usee case when
mediccal servers and d are used by
y the physician
ns, physicianss, people area performin ng fitness acttivities and area sharing
and annalysts. their datta between se ensors, smarttphones, and d healthcare
facilities. This is why data traceabillity is require
ed to ensure
3.1 Some IoT Dev
vices Emplo
oyed for Tes
sting the y.
reliability
Proposed
P Sy
ystem
In ordder to exploree the vast typpes of wearablle IoT devicess, 3.2 Broa
adcast-Subs
scriber IoT S
Streaming Service
S
the work
w considerss the limited range comm munication sen n- In most wearable IoT T systems, thee broadcast technique is
sors as
a well as thee long range sensors. The limited rang ge employed. This mean ns the IoT devvices just broa adcast their
sensorrs are those that commu unicate prima arily via shorrt status so that they can n be discoveraable by other devices.
d For
span protocols
p succh as Bluetootth, BLE, NFC, and RFID. IIn most pra actical use cases, the conccept of broadcast cannot
this reegard, the maain sensor useed in this wo ork is the Bluee- change because
b that is
i the only wway to discove er a device.
tooth Smart SensorrTag, specificcally, the CC2 2650 SensorTaag Howeverr, this is also o the reason w why data po ollution and
[29] manufactured
m d by Texas In nstruments. This
T device iis stealing can
c occur.
versattile and has ffeatures for various
v data reads
r such ass: Thus, we propose ed the broadccast-subscriberr streaming
LED, GPS location n, digital miccrophone, ma agnetic sensorr, technique in the wea arable IoT arrchitecture too enable us
humid dity, pressuree, accelerometter, gyroscopee, magnetomee- enforce the
t medical data traceabilitty at the appllication lev-
ter, obbject temperaature, and am mbient temperrature. The dee- el. Essen
ntially, every device
d has too subscribe to
o receive in-
vice also
a commun nicates with Smartphones
S via Bluetoothh, formation n from an Io oT device beefore streamin ng into the
Blueto ooth Low Eneergy, and dev velopers can enable ZigBeee healthcarre informatio on system ca can take placce. This is
or 6Lo oWPAN through a firmwaare upgrade. This is a goo od achievedd through the e deploymentt of two techn niques out-
fit forr testing mach hine-to-machiine communiications. Otheer lined as – (1) a device e meta-data llevel encryptiion, and (2)
smart sensors emp ployed in thee work include the Opticaal Petri Neets modelling g. Both techn niques are inncorporated
Heart Rate Monitor with BLE. Also,A the Raspbberry Pi 3 witth into the IoT data flow w process as shown in Fig gure 2. The
an inttegrated 802.111n wireless LAN and Blu uetooth is emm- entire strreaming proccess is categor orized into three compo-
ployed d. nents wh hich are: the device level security, the e broadcast-
Mo oreover, we put forward mobile devices (e.g g., subscribeer shared serrvices, and th he centralizedd back-end
smartphones, tableets, and smartwatches) as th he main accesss services (i.e.,
( the healthhcare informaation system).
point of data betw ween the senso or devices an
nd the medicaal IoT Deviice Level Secu urity
serverrs. Also, somee mobile deviices have theiir own sensorrs Some off the sensors under conssideration in this paper
that can be used to o retrieve con
ntextual inforrmation. Thesse comes with
w the hard
dware and sooftware level encryption
contex xt informatioon can includ de: geolocatio
on data, direcc- capabilitiies. This secu
ure environm
ment creates the oppor-
tions, camera info ormation, acccelerometer readings,
r an
nd tunity to
o employ diffferent encod ding techniqu
ues such as
timesttamps. This ccreates the neeed for device e data integraa- RNG, SH HA, MD5, DE ES/3DES, AESS, and PKA. For
F most of
tion on the medicall servers. these enccoding algoriithms, root p
public keys arre required
 AUTHOR ET AL.: TITLE 5

Application Layer
Visual Analytics
Open Application Environment
QoS Policy
Subscriber Annotations Data Formatting Data Presentations
User Application
Dissemination
Secure Middleware Read
Component API Operation
File IoT Data Context Gateway
System
Storage Manager
Data
Broadcast Subscriber External Cloud IoT Device
Secure Object
Storage Text Multimedia APIs APIs

Secure Middleware Write Read

Component Root Public Key Secure State Operation Operation
Random Key Machine
M2M Connection Interface Network Layer
Secure ROM Code
RNG Secure Bluetooth Low  Communication Protocols
Bluetooth
SHA/MDS DMA Energy (BLE)
Secure RAM DES/3DES
AES Secure Chip M2I Connection Interface
PKA
RFID  HTTP
Protected  Interconnect
Application HTTP/S DDS MQTT CoAP
Other Security
Secret Data Features
Provenance Service

OS
Security Technology at the Hardware and Software System Level Shared Servicesbetween the IoT Devices and the Back-end
Back-end Middleware Services

Fig. 2. The proposed secure inter-device data flow in the architecture.

and can be generated randomly. These encoding tech-
niques can be applied at the hardware level to ensure se-
cure state machine, ROM security, RAM security, DMA
security, and middleware security.
These hardware level frameworks can be interacted
with through a device-level middleware component API.
All communications with the devices are facilitated
through a user application interface. Also, the IoT devices
have their own file system and secure storage components.
Shared Services
This segment of the IoT data streaming process is shared
between the devices and the back-end component. This is
where the broadcast-subscriber services are managed in-
cluding the provenance record tracking. The shared ser-
vices segment is a pure data-centric exchange medium
which has been designed as a typical data distribution ser-
vice (DDS) that describes a data-centric publish-subscribe
(DCPS) model [30]. This means the IoT data delivery is
based on subscriptions where the users will have to regis-
ter their devices in a subscription pool to which dissemina-
tion can take place.
Every intended IoT device is either a broadcaster or a sub-
scriber. This is based on the actions of the device. Any de-
vice that is publishing data or performing a write operation
(i.e., generating data) is considered a broadcaster. Conse-
quently, any device that is retrieving the IoT data or per-
forming a read operation (i.e., access IoT data) is a sub-
scriber. The data being generated by the devices is broadly
described in this architecture as the IoT Data Context. The
Data Object is the actual data value published or to be dis-
seminated to the subscribers. QoS (Quality of Service) is the
benchmark used to specify the behavior of the middleware.
The QoS Policy module helps the middleware to control
its behavior towards activities such as load balancing, topic
of interest dissemination, and subscriptions. Moreover,
there are several communication protocols for inter-device
communication, also known as machine-to-machine
(M2M). To accommodate these communication protocols,
a helper class is built called the M2M Connection Interface
which supports: Bluetooth, Bluetooth Low Energy (BLE),
RFID, and HTTP.
The Provenance Service layer is where all activities re-
garding the IoT data sharing process is monitored. This
layer also directly links the application interface of the IoT
devices, the storage manager of the back-end services, and
the network layer of the back-end.
Back-end Middleware Services
The middleware is proposed for the provenance data stor-
age and audit trail analysis but does not control the M2M
communication. A storage manager is proposed which is a
controller class that is responsible for storing the sensor
data plus meta-data of the device. The data stored is orga-
nized as text or multimedia based on the nature of the data
being generated by the sensor device. The storage facility
employed is CouchDB [31] (See Figure D at the end of pa-
per).
The gateway serves as the point of access enabler for in-
tegration into other external IoT environments as well as
enterprise applications. This is where the External Cloud
APIs are employed to integrate into third party cloud ser-
vices as discussed earlier. There is also an interface called,
IoT Device APIs, to integrate other external smart and
powerful nodes such as the Raspberry Pi device. In prac-
tice, this interface may require modification to fit the com-
munication requirements of the IoT device.
At the Network Layer, an independent controller class is
designed called, Communication Protocols, with the re-
sponsibility of checking two-way communications between
the infrastructure communication, and the gateway com-
munication. The backend services also have different
communication protocols so a helper class called, M2I
Connection Interface, is tasked to determine the communi-
cation protocol for the back-end server based on its pub-
lished acceptable connection. This type of communication
is called machine-to-infrastructure (M2I) and currently the
following protocols are supported: MQTT, CoAP, HTTP,
and DDS.
The Application layer is where the analysis of the data is
carried out to perform tasks such as annotations, format-
ting and visual presentations.
6 PERVASIVE AND MOBILE COMPUTING - SPECIAL ISSUE ON INTERNET OF THINGS FOR PERSONALISED HEALTHCARE SYSTEM

4 THE PETRI NET SCHEME FOR TRACEABILITY TABLE 1

FORMAL EXPLANATION OF THE PETRI NETS PARAMETERS
The designed wearable IoT system for healthcare data
traceability is a highly dynamic environment which re- Property Definition
quires a robust scheme to manage distributed characteris-
A Petri net is a 5-tuple, , , , ,
tics such as concurrency, synchronization, and event-based
where:
processes. Thus, we adapted the Petri Net (PN) [38]
scheme, which in our estimation is more suitable to the , ,…, finite set of places
work than existing distributed system models. In Table 1, a , ,…, finite set of transactions,
formal explanation of the various parameters used is given. ⊆ ∪ set of arcs (flow relation)
The behavior of the proposed wearable IoT architecture : → 1, 2, 3, … weight function
is modelled as system states and their changes. The overall : → 0, 1, 2, 3, … initial marking
outlook of the model is graphically shown in Figure 3. We ∩ ∅ ∪ ∅.
modelled four different sources where the IoT data is orig- The Petri net structure , , , without any spe-
inated or collected as places. These places, cific initial marking is denoted by .
, ,…, , are the human users (H), IoT devices The Petri net with the given initial marking is denoted
(IoT), personal servers (e.g., smartphones as PS), and medi- by , .
cal servers (HS). We decided to employ a Petri net of 5-
tuple, i.e., , , , , since we want to enforce , tokens to each output place of , where
that all data originate from the wearable devices. That , is the weight of the arc from to .
means we know the initial marking, . As a result of the Strictly, all conditions of a self-loop are avoided in our
system level dynamism, a state in the Petri net is changed model. A self-loop occurs when a pair of place and a
according to the following transition (firing) rule: transition are such that is both an input and output
1. A transition is enabled if each input place of place of . This means our Petri net is pure since it has no
is marked with at least , tokens, where self-loops.
, is the weight of the arc from to . Also, our system does not follow the infinite capacity net
2. An enabled transition may or may not fire (de- model where it is assumed that each place, , can handle
pending on whether or not the event actually unlimited number of tokens. Rather, we considered a finite
takes place). Events include new medical data capacity net where an upper limit to the number of tokens
readings such as vitals from the wearable IoT de- that each place, , can hold is set. This is paramount be-
vice. cause when we consider the four places in this work, each
3. A firing of an enabled transition removes , has a limitation on what to do. For instance, the wearable
tokens from each input place of , and adds devices are reading specific IoT data so it is unnatural to
model the , , , as infinite tokens. With the
Human Users IoT Devices Personal Servers Hospital Facilit
P2 P5

IoT PS
t1 t4

P1 P3 P6

H t2 IoT t5 PS t7

P4 P7
t3 t6
IoT PS

P10 P13

IoT P8
PS
t8 t11 HS

P9 P11 P14

H t9 IoT t12 PS t14

P12 P15
t10 t13
IoT PS
.    .    .    .

.    .    .    .
.    .    .    .

.    .    .    .

.    .    .    .

.    .    .    .

Pn‐1 tn‐2
Pn‐2 Pn
tn
tn‐3 IoT PS
H

tn‐1

Fig. 3. The overall services flow of the Petri Net scheme.

AUTHOR ET AL.: TITLE 7

finite capacity net , , the maximum number of tokens finding if ∈ , for a given marking in the
that can hold at anytime is defined as . This means net , .
for the transition to fire, the number of tokens in each Boundedness: The proposed Petri net , is bounded
output place of cannot exceed its capacity after since the number of tokens in each place does not exceed a
firing . The proposed capacity constraint however follows finite number k for any marking reachable from , . .,
the weak transition rule, where the given net , , is for every place p and every marking ∈
transformed to , . The transformation of , fol- , . Synchronic Distance: We proposed the synchron-
lows the following steps. ic distance to determine the degree of mutual dependence
 Step 1: Add a complementary place p’ for each between two events; mostly the IoT data flow from the
place p, where the initial marking of p’ is given wearable to the personal servers, or the middleware, or the
by . medical servers. The synchronic distance between two
 Step 2: Between each transition t and some transitions and in a Petri net , is defined by
complementary places p’, draw new arcs , ′
or , where , , max | | eqn(2)
and ′, , , so that the sum of to-
kens in place and its complementary place where is a firing sequence starting at any marking M in
equals its capacity for each place , before , and is the number of times that transition , i
and after firing the transition . = 1, 2 fires in .
Managing Parallel Activities: Parallel activities within the Controllability: Our Petri net N is completely controllable
wearable IoT ecosystem are events that are taking place since any marking is reachable from any other marking.
concurrently. For example, in the Petri net shown in Figure This means if there are m places, then we have
3, the parallel or concurrent activities represented by transi- . eqn(3)
tions and begin at the firing of transition . This sce-
nario of transition parallelization is modeled as a binary This is because we must have a solution x for any
relation (denoted by on the set of events , ,∙∙∙ ) such that
which is 1) reflexive and 2) ∶ ∆ eqn(4)
ric , 3) but not
tive but not necessarily . Which implies that the rank of an m x n matrix AT must
In our system, practical scenarios that can result into be of its full rank equal to m.
parallel activities are: having more than one wearable IoT Furthermore, our Petri net is structurally bounded since it
device reading vitals of the user at the same time, or is bounded for any finite initial marking . Formally,
streaming the wearable IoT data from multiple devices into structural boundedness will occur iff there exists an m-
the personal servers. vector y of positive integers such that 0.
Proof: Suppose
Synchronization Control: The middleware and the medi-
cal servers need to know the order data arrival since these ∋ 0, 0.
facilities are shared. This requires synchronization to ensu- Let ∈ , . Then we have
re the trace routes are correctly generated. The proposed , 0. eqn(5)

net uses the readers-writers synchronization technique
Consider the inner product of M and y
where k tokens in a place say represent k events which
may read and write in a shared represented by place . eqn(6)
. Up to k wearable devices may be Reading concu- Since 0 and 0, we have
rrently, but when one process is writing, no other process . eqn(7)
can be Reading or writing.
Thus, M(p), the number of tokens in each place p, is
Reachability: In the proposed scheme, a sequence of tran- bounded by
sitions will result in a sequence of markings. Thus, the
/ eqn(8)
marking is reachable from a marking if there exists a
sequence of firings that transforms to . That means Where y(p) is the pth entry of y.
the reachable marking, is a set that can be represent-
ed as: 5 EVALUATION
|
∗
eqn(1) In this section, empirical evaluations are provided to vali-
, ,
date the proposed privacy enhanced wearable IoT architec-
The occurrence sequence of a firing is denoted by ture. Three broad evaluations are conducted to determine:
… . In this case, is reachable from 1) the robustness of the proposed scheme through perfor-
by and we write . The set of all possible mance evaluations such as scalability and system data
markings reachable from in the net , is denoted propagation rates, 2) the effectiveness of the wearable IoT
by , . The set of all possible firing sequences from data traceability through visual analytics, and 3) compro-
in a net , is denoted by , . The reachabil- mise detection analysis to guarantee reliability in the dis-
ity problem for the Petri net however is the problem of tributed healthcare information system.
Different client devices are employed in conducting the
 8 PERVASIVE AND
A MOBILE COM
MPUTING - SPEC
CIAL ISSUE ON IN
NTERNET OF THINGS FOR PERS
SONALISED HEAL
LTHCARE SYSTE
EM

Fig. 4. The
T scalability plots – Medium Load
L (L) and Ma
aximum Load (R
R).

experiiments and thhe list includees: wearable fiitness trackerss, the prop posed scheme e and the dattabase can su upport high
smartphones acting g as personall servers, andd the back-en nd scale IoT T data streamming. That is because not many care
servicces. The back--end servicess are exposed d via HTTP o on facilities, including ouur partners oon this project, have this
cloud machines w with the follow wing specs: 100
1 Mbps, Miic numberss in terms of wearable
w IoT d data streamin
ng subscrip-
Windo ows 10 Pro, 88GB RAM, an nd Quad Corre 2.0 GHz. IIn tions. Thherefore in the
e present statee of the propoosed design,
additiion, the BLE SensorTag is used
u due to its
i support fo or the expeerimental outtcomes confirrm the resilie ence of the
variedd data generattion. system in n-line with ouur clinical traansactional go
oals regard-
ing wearrable IoT datta traceabilityy generation and visual
5.1 Scalability off the Distributed IoT Scheme analyticss.
The sccalability of th
he proposed distributed medical
m wearaa-
ble arrchitecture is evaluated to determine ho
ow the systemm 5.2 Wea
arable IoT Da
ata Propagaation Rate
can suupport higherr throughput as the systemm load increass- One of th he complexities of wearablle IoT data tra aceability is
es upp to peak po oints. The th
hroughput is evaluated ass: dealing with
w M x N he eterogeneouss data sources. And more


importan ntly, whether the data is being propagated from
the clientts in soft-real time. Thus, th he data propaagation rate
The ca apacity of thee entire archittecture is evalluated for loaad
analysis is conducted and the resu ults are discussed in this
balanccing includin ng the ability of the choice of databasee,
section. To
T perform th his experimen nt, 58 users of IoT devices
Couch hDB, in handiing the user generated
g req
quests. Overalll,
are recru uited from the Pennsylvan nia State Univ versity and
the go oal is to hav ve enough caapacity to pro ocess requestts
the evalu uation is carrieed out in a coontrolled enviironment to
within n soft-real tim
me. The outcom me of the scaalability testin
ng
avoid immprecision. Th he evaluation iis considered under four
is grapphed in Figurre 4.
broad sp pectrums of request generration/propag gation rates
Sin
nce this experriment requirres large scale user-base iin
of, 1) isolation of userrs, 2) contactss enabled betw ween users,
the deetermination of the system m behavior, we w configureed
3) controolled contacts, and 4) peak rrequests with h no control.
severa al nodes of lo oad generatorrs designed in i Erlang witth
The data a being propagated repreesent the perssonal vitals
the ca apability of p pushing requ uests over HTTP.
H Overalll,
from useer’s devices an nd the speed at which the ey reach the
1200 nodes are eemployed for sending th hese requestss.
medical servers.
s The results
r are plootted in Figuree 5.
Moreo over, the entirre system is evvaluated und der two states –
Moreo over, we conssidered the daata propagation speed at
mediu um load and m maximum/peeak load. The e medium loaad
various user
u points in
n a group from m 2 to 58, and d each user
meanss the system usage is conffined to only our testing acc-
grouping g has the experiment repea eated six (6) tiimes. Thus,
tivities, but the m maximum load d means whiile our experri-
the plotss of the minim mum, averagee, and maxim mum points
mentss are going on n, other system m activities outside our tesst
are the data points gen nerated for eaach grouping.
enviro onments are aalso going on n concurrently y and this putts
In thee first setup, we
w considered d the wearabble IoT data
the prroposed arch hitecture at peeak load. A request
r in thiis
propagattion cost for the least usagge scenario where w users
enviro onment can be anything including Io oT data push h,
are isolatted and each user has to seend only data a from their
databa ase query forr visual analy ytics, data tracce route deterr-
devices. From
F the observations with thin the avera
age plots for
minattion, generatiing linkability y and unlink kability in Io oT
instance, the propagattion speed att minimum is 7.61 ms, at
devicees, and consttructing a maatch between n a device an nd
average is i 567.89 ms, and
a at maxim mum is 1288.90 0 ms.
data.
In the second setup p, we considerred the weara able IoT da-
A number
n of co
oncurrent requests are sent from 1000 tto
ta propa agation cost forf scenarios where users have their
1341000 requests d during the tessting for both system statess.
devices in i a discoverrable mode sso that conta acts can be
This upper
u bound request is du ue to the fact that the maxxi-
made, but not accep pting any intter-device sh haring. This
mum number of requests by y each clientt is estimateed
means users’
u devices can be discoovered but content
c and
aroun nd 1117. In Fig gure 4, the miinimum, averrage, and maxx-
IoT data sharing is to otally disableed. Users can only share
imum m points for eeach block of requests con nsidered wheen
data direectly with the e medical serrvers. It is observed that
the exxperiment is reepeated multiple times are e graphed.
the avera age plot poin nts record at minimum 17 7.81 ms, on
Thee system thro oughput undeer medium loa ad is averageed
average 1328.85
1 ms, an
nd at maximu um 3016.03 ms.
m
at 109992 requests/ssecond. Undeer maximum (or ( peak) load d,
In thee third setup, we considerred the propa agation cost
the thhroughput is aaveraged 171772 requests/se econd.
where ussers have the eir devices diiscoverable an nd are per-
At these throug ghput rates, itt is within exxpectation thaat
mitted to o do inter-de evice sharingg activities. This
T means
AUTH
HOR ET AL.: TITL
LE 9

Fig. 5. The we
earable IoT data
a propagation ra
ate under four (4
4) different cond
ditions.

aparrt from pushiing the wearaable IoT data a to the mediical between n the various wearable IoT T devices and
d the medical
serveers, the devicces can also do
d object-to-o object commu uni- servers.. In the visuallization, SENSS xxxxx, iPhonne xxxxx, and
catio
on. We then o observed for the average points that tthe Android d xxxxx repressents a sensorr with serial number,
n iPh-
proppagation speed at minimum m reads 36.777 ms, on averaage one nam me, and Andrroid name resspectively. Allso, there are
27522.78 ms, and aat maximum 6366.17
6 ms. some in nstances where we have ssome devices as Unknown
In
n the fourth ssetup, we con nsidered the propagation
p co ost which means
m these devices did n not share the
eir UUIDs or
where users havee their devicees in an object-to-object co om- failed too subscribe with
w a unique identifier or name. These
mun nication modee, are able to o send data to the mediical devicess are for our research recrruits who are e mainly stu-
serveers, and are aallowed to usse their device es for any othher dents frrom the Penn nsylvania Staate University y with back-
activ
vity. This givees us the peaak points in thet propagatiion ground ds in Security y and Risk A Analysis, Disttributed Sys-
speeed with all othher activities happening
h co
oncurrently. Itt is tems, an nd Usability Engineering.
E
obseerved that thee average plo ot points of the
t propagatiion In Fiigure 6, the Fo
orce Directed d Static network shows the
speeed at minimum m is 59.08 mss, on average 4407.81
4 ms, aand intercon nnectedness between
b the u
users’ devices. Some of the
at maximum
m 100004.18 ms. devicess also show th he degree of coonnectivity to
o others.
Even though w we highlight only the averrage plot poin nts Takiing the iPhonee D2LF for exaample, connecctions are es-
in thhe discussion n for brevity y, the resultss are consisteent tablisheed with the following deevices: SENS 4733, SENS
across all four seetups with reegards to the minimum aand 3311, SEENS 33214, an nd iPhone 3ZAZALFJ. What this
t tells us is
maximum point p plots as can be
b inferred frrom the plotss in that, th
he user of the e iPhone D2L LF also ownss the various
ure 5. A criticcal lesson from
Figu m this evalua ation is the fa
fact sensorss plus the oth her phones aand is able to o stream her
that there is an in ncrement in the propagattion speed fro om vitals to
o the medicall servers from m these heteroogeneous de-
the first
f setup to tthe next. An increment
i in the
t propagatiion
speeed translates innto latency so
o the ideal situ
uation will bee to
reduuce the propaagation speed d. However, the t various sset-
ups offered us th he ability to determine
d the worst case scce-
narioo.
Frrom the work k, the highest read is from the
t fourth settup
at maximum
m plott point of 22898.37 ms. Thiis in the estim ma-
tion of our mediical partners is tolerable considering
c tthe
fact that
t in most ddeployed systtems, the variious IoT devicces
will not be using g their full reesources to se end data; as w we
meassured in our w work.

5.3 Traceability
T y and Visual Analytics

The traceability y and visual analytics

a of th
he wearable IIoT
a is offered to investigatee the intercon
data nnectedness bbe-
tweeen the IoT deevices and th he associated data owners in
the heterogeneou us ecosystem m. The interco onnectedness is Fig. 6. Using
U Force Directed Static Graaph to present the
t traceability of
o
builtt from the Pettri Net structu
ure regarding the interactio
ons the wearrable IoT device
e.
 10 PERVASIVE AND
A MOBILE COM
MPUTING - SPEC
CIAL ISSUE ON IN
NTERNET OF THINGS FOR PERS
SONALISED HEAL
LTHCARE SYSTE
EM

TAABLE 2
ANALYSIS OFF THE TRACE DATA

Linkaability Unlinkability T
Transparency
P
PN FSM ToI BA
A PN FSM To
oI BA PN FFSM ToI BA
True Posittive 99.223% 92.62% 86.33% 89.4
44% 99.28% 90.04% 85.2
22% 86.11% 96.33% 85.2
.23% 82.43% 88.65%
False Posittive 3.211% 12.13% 15.23% 11.7
77% 7.23% 18.73% 28.4
44% 25.71% 13.47% 27..88% 22.31% 17.66%
True Negaative 97.554% 87.33% 84.65% 86.2
22% 99.23% 91.69% 87.2
22% 91.84% 95.14% 91.3
.33% 89.96% 92.33%
False Negaative 5.411% 18.58% 21.34% 17.2
22% 6.91% 16.59% 23.6
66% 14.71% 3.22% 8.43
43% 11.31% 5.71%
Precision 96.887% 88.42% 85.00% 88.3
37% 93.21% 82.78% 74.9
98% 77.01% 87.73% 75.3
.35% 78.70% 83.39%
Recall (Sen
nsitivity) 94.883% 83.29% 80.18% 83.8
86% 93.49% 84.44% 78.2
27% 85.41% 96.77% 91..00% 87.93% 93.95%
Specificity 96.881% 87.80% 84.75% 87.9
99% 93.21% 83.04% 75.4
41% 78.13% 87.60% 76..61% 80.13% 83.94%
Accuracy 95.880% 85.42% 82.38% 85.8
83% 93.35% 83.73% 76.8
80% 81.49% 91.98% 82..94% 83.68% 88.56%
F1 Score 95.884% 85.78% 82.52% 86.0
05% 93.35% 83.60% 76.5
59% 80.99% 92.03% 82.4
.44% 83.06% 88.35%
**PN – Petr
tri Net, FSM – Fin
nite State Machin
ne, ToI - Tuple off Input, BA - Büchi Automaton

Fig. 7. Th
he analysis plot of the traced da
ata from top left – Accuracy, Se
ensitivity, Precisiion, and Specificity.
vices. The sensors could be for the vitals strreaming whille True Neegative (TN) is when no links are pre esented be-
the phhones could b be the person nal servers. The
T visual anaa- tween IoT nodes because no activitty took place. False Neg-
lytics provides tracceability routees that transparently aids iin ative (FNN) is when th he system sh hows that the ere has not
identiifying who ow wns which data
d from the wearable IoT T. been any y communica ation between n nodes but in practice
In thiss case, the identification of
o privacy bre eaches is mad
de commun nication took place. Based on the above e attributes,
easierr since users caan easily iden
ntify suspiciou
us nodes. five elem
ments are stud died which arre: Precision, Sensitivity,
Specificitty, Accuracy,, and F1 scorre. These beh haviors are
5.4 Analyzing the
e Traceabilitty and Visua
al Structure
e calculated based on th he formulas exxpressed belo ow. Overall,
This section
s providdes the assuraance evaluatio on of the tracee- the study y of the faulty data propaagation in the e data route
ability
y paths from the visual an nalytics. Prima arily, we focuus trace is reported in Ta able 2. The Acccuracy, Senssitivity, Pre-
on thee completeneess of the weearable IoT da ata trace from
m cision, an
nd Specificity results are pllotted in Figurre 7.
point of generatio on to the point of rest (on n the medicaal Then the fourth element is the comparison of our pro-
serverr). This requirred us to pressent a multi-m modal analysiis posed Peetri Net inspirred wearable IoT architectu ure to exist-
of a dimensional
d ex xpression of 3 x 5 x 4 elem ments. The firsst ing distrributed netw work graph approaches earlier de-
elemeent being an eevaluation of faulty medical data propaa- scribed inn Section 2 su
uch as the Finnite State Mach hine (FSM),
gationn in the linkab bility, unlinkaability, and trransparency o of Tuple of Input (ToI), and
a the Büchi Automaton (BA). (
the vissualization sttructure. In vieew of the acccuracy, the Pe Petri net has better
b trace
To perform thiss evaluation, certain attrib butes are con n- routes foor linkability, unlinkabilityy, and transpa arency. The
sidereed. True Posiitive (TP) reffers to the co orrect linkagees transpareency feature means
m the en
ntire lifecycle of a weara-
betweeen the IoT no odes and thee streamed da ata, False Possi- ble IoT data
d is traced from the poiint of generattion. This is
tive (F
FP) refers to tthe perceived d to be conne ection betweeen paramou unt because it i leads to bbetter digital audit trail
IoT devices
d but in
n reality, thosse connection ns never exisst. analysis.
AUTH
HOR ET AL.: TITL
LE 11

Fig. 8. Daily ussage overview Fig. 9.

9 Attack detectiion analysis
Considering
C liinkability for instance, thee percentage in- our dettected attack log. The outccome of the wearable
w IoT
creasse in accuracy y between th he Petri net an
nd the next b
best data commpromise stu udies is plotteed in Figure 9..
optioon (i.e., the B
Büchi Automaaton [28]) is 11.62%.
1 This ssu- It can
n be inferred that the mosst prevalent ty ype of attack
perioority of the P Petri net scheme is obserrved to be co on- is spoofing where users u try to mmasquerade data
d between
sistent with link kability, unlin nkability, andd transparenc
ncy. ownerss and devices. This type oof attack is alsso consistent
One main practiical explanatiion for the superiors perfoor- with ou ur primary go oal of generatting traceabillity in such a
man nce of the Pettri net is the high true po ositive and loow complex environmen nt. What it m means is if spooofing for in-
falsee negative retturns. This iss as a result of the fact th hat stance is
i not checked, then theree could be po otential prob-
comp pared to the other implem mented algorithms, the Peetri lems with
w the tracea ability where linkages can n be built be-
net has
h controls ssuch as concu urrency/parallelization maan- tween unintended
u noodes.
agem ment, synchrronization measures,
m an
nd reachabillity Not only were th he attacks deetected but th hey were all
checcks. These con ntrols significcantly reduce
e the margin of preventted and the log l data mattches the doccumented at-
errorr. tacks from the test grroup. This prooves to be an incredible fit
In
n the case of the other sch hemes (aside from Petri neet), bility is facilitated within th
as reliab he proposed system.
s
the high
h FN returrns will typiccally lead to the
t reduction n in
the sensitivity
s rattio as evidenced in Table 2. The sensitivvity
of thhe Petri net iss higher becaause the algorrithm is able to
6 CONCLUSION
use the
t aforemen ntioned contro ols to enhance the formatiion The hea althcare secto or is an early adopter of th he Internet of
of th
he linkability, unlinkability,, and transparrency. Things (IoT). And with w the rise oof wearable technologies,
t
care providers are facilitated to offer life and d cost saving
5.5 System
S Usa
age and Data
a Comprom
mise Analysis
s servicess such as real-time monitooring, vital re eads, recom-
In evaluating thee overall sysstem usage, consideration
c n is mendattion-based he ealthy lifestyl
yle, and so on n. These ser-
given n to the stud dy of the timee frames with hin which peeak vices on n the other hand
h require continuous streaming
s of
poinnts are reacheed versus low w points. In the study, tw wo health data
d (e.g., vittals) and conttextualized data
d from the
typees of usage paatterns are sttudied which we describe as wearab ble IoT devices to the health thcare systemms.
Usag ge 1 and Usage 2. The obserrvation and data
d collection
n is This creates two major
m problemms. Firstly, th
he healthcare
donee between 9 A AM to 5 PM. The system usage
u outlookk is informa ation systems have to deeal with both h the device
plottted in Figure 88. and datta heterogene eity within thhe IoT system m. This is be-
In
n the case of uusage 1, we co onsidered the log normal d dis- cause with
w multiple e users ownin ng more than n one weara-
tribuution while u usage 2 is the study of the e data followiing ble devvice each, the transaction ccan be diverge ent in an N x
the exponential
e d
distribution. The
T activity rate
r shows th hat M view ws. Secondly, such heteroggeneity can lead l to chal-
for the
t most timee, there is mo ore system ussage during tthe lenges with reliabillity, transparrency, and user u privacy
earlyy parts of the day. One parrticular reasonn why this is tthe preservvation. Especiially with thee difficulty off data origin
case is because of our test grou up compositioon. Since mostt of authenttication, it can be challengging to determine who is
the recruits
r are aat the Pennsyllvania State University,
U th
hey sending g what data.
will leave campu us after 5 PM and for the most
m part be on This work propo osed a wearaable IoT arch hitecture for
camp pus in the earrly parts of thee day. healthccare services with emphaasis on data traceability.
A fault injectioon analysis is conducted too detect possib ble This caan then lead to privacy p preservation, compromise
scennarios of data compromisees. In conductting the evalu ua- detectioon, and the ab bility to geneerate audit traails. The goal
tion,, users are reequired to usse the propossed system aand is achieeved by deve eloping a Petrri Net service e model with
attemmpt some of the well-expeected compro omise scenariios. detail discussion
d in the paper. Th he service allo ows the pro-
Thesse scenarios aare: spoofing g, masking, denial
d of servvice posed architecture
a to
t support iteerations in th he streaming
(DoS S) attack, andd man-in-the-m middle attack
ks. Since the ttest data floow, device ch hoice usage trracking, and the monitor-
is fo
or a controlled d group, the activities are
e monitored b be- ing of concurrent
c streams from tthe users. Also, the work
tweeen 9 AM and 5 PM. providees medical da ata traceabilitty detection and
a formula-
This user grou up is informed d to documennt their intendded tion th
hrough visuall analytics. T This aids with graphical
attaccks during, aand upon com mpletion. In which case tthe presenttations of wh here the weara rable data is coming
c from
docu umented actio ons can be compared
c an
nd studied w with and wh ho owns them m.
12 PERVASIVE AND MOBILE COMPUTING - SPECIAL ISSUE ON INTERNET OF THINGS FOR PERSONALISED HEALTHCARE SYSTEM
Thorough evaluations are conducted in real world set-
tings and test results show that the adaptation of Petri
Net proves to be superior to other distributed network
models in terms of linkability, unlinkability, and trans-
parency within the trace routes. Another test shows high-
er throughput support for scalability under peak load
conditions. Also, fault injection analysis is employed to
determine possible areas of compromises where the eval-
uated types of attack include denial of service, man-in-
the-middle, spoofing, and masking. The choice of service
modelling facilitates the architecture to overcome complex-
ities of iterations, IoT device choice adoption, and concur-
rency with regards to the management of medical data
streaming.
The future direction of this work is to explore proactive
diagnosis techniques through the employment of autonom-
ic computing techniques. This will further increase the
support base for real-time decision making at the system
level with little human intervention.
ACKNOWLEDGMENT
The authors wish to thank all our participants from the
Security and Risk Analysis, Usability Engineering, and
Distributed System courses at the Pennsylvania State
University. This work was supported in part by a grant
from the Pennsylvania State University.
REFERENCES
[1] NXP, "What the Internet of Things (IoT) Needs to Become a Reality"
White Paper, Document Number: INTOTHNGSWP REV 2, May 2014,
Available Online:
http://www.nxp.com/files/32bit/doc/white_paper/INTOTHNGS
WP.pdf, Last accessed date: April 02 2016.
[2] Karen Rose, Scott Eldridge, Lyman Chapin, "The Internet of Things
(IoT): An Overview", Internet Society, White Paper, Date: 15 Oct 2015,
Available Online:
http://www.internetsociety.org/sites/default/files/ISOC-IoT-
Overview-20151221-en.pdf, Last accessed date: April 04 2016
[3] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari and M. Ay-
yash, "Internet of Things: A Survey on Enabling Technologies, Proto-
cols, and Applications," in IEEE Communications Surveys & Tutorials,
vol. 17, no. 4, pp. 2347-2376, Fourthquarter 2015, doi:
10.1109/COMST.2015.2444095
[4] Luigi Atzori, Antonio Iera, and Giacomo Morabito. 2010. The Internet
of Things: A survey. Comput. Netw. 54, 15 (October 2010), 2787-2805.
DOI=10.1016/j.comnet.2010.05.010
[5] Yi Ge, Xiaoxing Liang, Yu Chen Zhou, Zhaotai Pan, Guo Tao Zhao, and
Yu Ling Zheng, “Adaptive Analytic Service for Real-Time Internet of
Things Applications”, 2016 IEEE International Conference on Web Ser-
vices, pp 484- 491, DOI 10.1109/ICWS.2016.69
[6] Hasan, R., Sion, R., & Winslett, M. (2009). Preventing history forgery
with secure provenance. ACM Transactions on Storage (TOS), 5(4), 12
[7] Manu Namboodiri, “M2M and IoT - Security and privacy thoughts for
2015”, https://www.linkedin.com/pulse/m2m-iot-security-privacy-
thoughts-2015-manu-namboodiri, Last accessed: August 01 2016
[8] S. Krishnan, K. Z. Snow and F. Monrose, "Trail of Bytes: New Tech-
niques for Supporting Data Provenance and Limiting Privacy Breach-
es," in IEEE Transactions on Information Forensics and Security, vol. 7,
no. 6, pp. 1876-1889, Dec. 2012, doi: 10.1109/TIFS.2012.2210217
[9] E. Pignotti and P. Edwards, “Trusted tiny things: making the internet of
things more transparent to users,” ASPI ’13 Proc. Int. Work. Adapt. Se-
cur., 2013
[10] Ziegeldorf, J. H., Morchon, O. G., & Wehrle, K. (2014). Privacy in the
Internet of Things: threats and challenges. Security and Communication
Networks, 7(12), 2728-2742.
[11] E. Bertino, Data Security and Privacy in the IoT, Proceedings of 19th
International Conference on Extending Database Technology (EDBT),
March 15-18, 2016 - Bordeaux, France.
[12] B. Shebaro, O. Oluwatimi, D. Midi, and E. Bertino. Identidroid: An-
droid can finally wear its anonymous suit. Transactions on Data Priva-
cy, 7(1):27–50, 2014.
[13] Singh, J., Pasquier, T., Bacon, J., Ko, H., & Eyers, D. (2016). Twenty secu-
rity considerations for cloud-supported Internet of Things. IEEE Inter-
net of Things Journal, 3(3), 269-284.
[14] Devi, K. N., & Muthuselvi, R. Secret Sharing of IoT Healthcare Data
Using cryptographic algorithm.
[15] O. Arias, J. Wurm, K. Hoang and Y. Jin, "Privacy and Security in Inter-
net of Things and Wearable Devices," in IEEE Transactions on Multi-
Scale Computing Systems, vol. 1, no. 2, pp. 99-109, April-June 1 2015.
doi: 10.1109/TMSCS.2015.2498605
[16] A. Ometov et al., "Feasibility characterization of cryptographic primi-
tives for constrained (wearable) IoT devices," 2016 IEEE International
Conference on Pervasive Computing and Communication Workshops
(PerCom Workshops), Sydney, NSW, 2016, pp. 1-6., doi:
10.1109/PERCOMW.2016.7457161
[17] S. Hosseinzadeh, S. Rauti, S. Hyrynsalmi and V. Leppänen, "Security in
the Internet of Things through obfuscation and diversification," Com-
puting, Communication and Security (ICCCS), 2015 International Con-
ference on, Pamplemousses, 2015, pp. 1-5, doi:
10.1109/CCCS.2015.7374189
[18] M. L. Hale, D. Ellis, R. Gamble, C. Waler and J. Lin, "Secu Wear: An
Open Source, Multi-component Hardware/Software Platform for Ex-
ploring Wearable Security," 2015 IEEE International Conference on
Mobile Services, New York, NY, 2015, pp. 97-104, doi:
10.1109/MobServ.2015.23
[19] W. Zhou and S. Piramuthu, "Security/privacy of wearable fitness track-
ing IoT devices," 2014 9th Iberian Conference on Information Systems
and Technologies (CISTI), Barcelona, 2014, pp. 1-5, doi:
10.1109/CISTI.2014.6877073
[20] S. Hiremath, G. Yang and K. Mankodiya, "Wearable Internet of Things:
Concept, architectural components and promises for person-centered
healthcare," Wireless Mobile Communication and Healthcare (Mobi-
health), 2014 EAI 4th International Conference on, Athens, 2014, pp.
304-307, doi: 10.1109/MOBIHEALTH.2014.7015971
[21] J. Wei, "How Wearables Intersect with the Cloud and the Internet of
Things : Considerations for the developers of wearables.," in IEEE Con-
sumer Electronics Magazine, vol. 3, no. 3, pp. 53-56, July 2014, doi:
10.1109/MCE.2014.2317895
[22] C. Doukas, I. Maglogiannis, V. Koufi, F. Malamateniou and G. Vassila-
copoulos, "Enabling data protection through PKI encryption in IoT m-
Health devices," Bioinformatics & Bioengineering (BIBE), 2012 IEEE
12th International Conference on, Larnaca, 2012, pp. 25-29, doi:
10.1109/BIBE.2012.6399701
[23] R. Snader, R. Kravets, and A. F. Harris, III. CryptoCoP: Lightweight,
Energy-efficient Encryption and Privacy for Wearable Devices. In Pro-
ceedings of the 2016 Workshop on Wearable Systems and Applications
(WearSys '16). ACM, New York, NY, USA, 7-12. DOI:
http://dx.doi.org/10.1145/2935643.2935647
AUTH
HOR ET AL.: TITL
LE 13

[24] P. A. Laplante annd N. L. Laplantee, "A Structured approach

a for desccrib- [33] Yan n, J., Feng, Z., Jian
n-Gang, D., & Fei,, Y. (2013). Wireleess sensor tracea-
ing healthcare aapplications for the t Internet of Things,"
T Internett of bilitty algorithm base ed on internet of things in the are ea of agriculture.
Things (WF-IoT),, 2015 IEEE 2nd World
W Forum on, Milan, 2015, pp. 6621- Senssors & Transduce ers, 151(4), 101-1066.
625, doi: 10.1109/
/WF-IoT.2015.73889125 [34] U. Barchetti,
B A. Buc cciero, M. De Bllasi, L. Mainetti and L. Patrono,
[25] Loïg Jezequel, Erric Fabre, and Vicctor Khomenko. 2015. Factored Pl Plan- "RFIID, EPC and B2B B convergence tow wards an item-lev vel traceability in
ning: From Autom mata to Petri Netts. ACM Trans. Emmbed. Comput. SSyst. the pharmaceutical supplys chain," 201
010 IEEE Internatiional Conference
14, 2, Artticle 26 (F
February 2015), 25 pagges. on RFID-Technology
R y and Applicationns, Guangzhou, China, 2010, pp.
DOI=http://dx.d doi.org/10.1145/22656215 194--199., doi: 10.1109/ /RFID-TA.2010.55529939.
[26] S. Yamaguchi, S. Tsugawa and K. Nakahori, "An an nalysis system of IoT [35] P. Yang;
Y D. Stankevic cius; V. Marozas;; Z. Deng; E. Liu; A. Lukosevicius;
services based onn agent-oriented Petri
P net PN2," 201 16 IEEE Internatioonal F. Dong;
D L. Xu; G. Min, "Lifelogging D Data Validation Model
M for Internet
Conference on Consumer Electtronics-Taiwan (IICCE-TW), Nanttou, of Things
T Enabled Personalized
P Healalthcare," in IEEE Transactions on
2016, pp. 1-2, doi:: 10.1109/ICCE-TTW.2016.7521031 Systtems, Man, and Cybernetics:
C Systtems , vol.PP, no
o.99, pp.1-15, doi:
[27] R. Yang, B. Li annd C. Cheng, "A Petri Net-Based Approach
A to Serv
vice 10.11109/TSMC.2016.2586075.
Composition and d Monitoring in th he IOT," Services Computing Con nfer- [36] Jun Qi, Po Yang, Ma artin Hanneghan, n, Stephen Tang, Multiple density
ence (APSCC), 2014 Asia-Paciffic, Fuzhou, 201 14, pp. 16-22, d doi: map ps information fu usion for effective
vely assessing inteensity pattern of
10.1109/APSCC..2014.11 lifeloogging physical activity,
a Neurocom mputing, Volume e 220, 12 January
[28] Wing JM. Scenarrio graphs applieed to network security. In: Tipperr D, 2017 7, Pages 199-209, ISSN 0925-2312,
Krishnamurthy P P, Quian Yi, Josshi J, editors. Info
ormation assuran nce: httpp://dx.doi.org/10 0.1016/j.neucom.22016.06.073.
survivability andd security in netwworked systems. LosL Altos, CA: M Mor- [37] Qi J,J Yang P, Hanne eghan M, Fan D, Deng Z, Dong F. Ellipse fitting
gan Kaufmann P Publishers. mod del for improving g the effectivenesss of life-logging physical activity
[29] SensorTag, http:///www.ti.com/to ool/cc2650stk#0 mea asures in an Interrnet of Things ennvironment. IET Networks. 2016
[30] Object Managem ment Group (OM MG), Data Distribu ution Service (DD DS), Sep 1;5(5):107-13.
Version 1.4, http:///www.omg.org g/ spec/DDS/1.4 4 [38] Murrata, T., 1989. Pettri nets: Propertiees, analysis and applications.
a Pro-
[31] CouchDB, http://www.couchdb..com ceeddings of the IEEE, 777(4), pp.541-580.
[32] Y. S. Kang, I. H. PPark, J. Rhee and
d Y. H. Lee, "MongoDB-Based Rep posi-
tory Design for IooT-Generated RF FID/Sensor Big Data," in IEEE Senssors
Journal, vol. 16, no. 2, pp. p 485-497, Jan.15,
J 2016. d doi:
10.1109/JSEN.20115.2483499.
     
     
     
                                          
   
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 14 PERVASIVE AND
A MOBILE COM
MPUTING - SPEC
CIAL ISSUE ON IN
NTERNET OF THINGS FOR PERS
SONALISED HEAL
LTHCARE SYSTE
EM

 
 
   { 
   ʺ_idʺ: ʺ23493 374K0811ʺ, 
   ʺ_revʺ: ʺ13‐7 75e5e09e7ce5c4591 184d7b0057b3a0622ʺ, 
   ʺConnection n Typeʺ: ʺBluetooth ʺ, 
   ʺBluetooth A Addressʺ: ʺe0:75:7d:33:8f:2eʺ, 
   ʺWi‐Fi MAC C Addressʺ: ʺe0:75:7d:33:93:2eʺ, 
   ʺDevice Typ peʺ: ʺcc2540ʺ, 
   ʺMagnetic S Sensorʺ: null, 
   ʺHumidityʺ: 63, 
   ʺLocationʺ: ʺʺ40.6781970, ‐80.29963830ʺ, 
   ʺTimestamp pʺ: ʺMonday June 13 206 10:14:12 AM Mʺ, 
   ʺPressureʺ: 2 29.89, 
   ʺGyroscopeʺʺ: ʺ‐22.78, ‐22.31ʺ,
   ʺMagnetometerʺ: null, 
   ʺObject Tem mperatureʺ: 71, 
   ʺAmbient Teemperatureʺ: 73,
   ʺDevices Intteracted Withʺ: { 
       ʺAndroid Phone 1ʺ: ʺTA093 30K93Dʺ, 
       ʺiPhone 1ʺ: ʺ54TRʺ, 
       ʺAndroid Phone 2ʺ: ʺ024E05 58Dʺ, 
       ʺAndroid Phone 3ʺ: ʺ0E0090 012ʺ, 
       ʺiPhone 2ʺ: ʺCCQKM2GHF4K3ʺ, 
       ʺiPad 1ʺ: ʺʺDMQPGQX6FK11ʺ 
   }, 
   ʺAcceleromeeter (X, Y, Z)ʺ: ʺ‐0..16741, ‐0.17645, 00.12643ʺ, 
   ʺCapabilitiesʺ: [ 
       ʺSTEP_CO OUNTʺ, 
       ʺWALK_D DISTANCEʺ 
   ] 
} 

Fig. D. Sample IoT provvenance data sto

ored in our CouchDB database
e - Fields View (Left)
( and Sourc
ce View (Right).