- Research
- Open access
- Published:

# RETRACTED ARTICLE: The design of network security protection trust management system based on an improved hidden Markov model

*EURASIP Journal on Information Security*
**volume 2023**, Article number: 10 (2023)

## Abstract

With the growth of the Internet, network security issues have become increasingly complex, and the importance of node interaction security is also gradually becoming prominent. At present, research on network security protection mainly starts from the overall perspective, and some studies also start from the interaction between nodes. However, the trust management mechanisms in these studies do not have a predictive function. Therefore, to predict trust levels and protect network security, this paper innovatively proposes a trust management system for network security protection based on the improved hidden Markov model. The research divides the trust level of inter-node interactions by calculating the threat level of inter-node interactions and predicts the trust level of inter-node interactions through an optimized hidden Markov model. In addition, the study designs an estimation of the types of interactive threats between nodes based on alarm data. The research results show that when inactive interaction tuples are not excluded, the average prediction accuracy of the combined model is 95.5%. In response time, the maximum values of the active and passive cluster management pages are 38 ms and 33 ms, respectively, while the minimum values are 16 ms and 14 ms, with an average of 26.2 ms and 24 ms, respectively. The trust management system designed by the research institute has good performance and can provide systematic support for network security protection, which has good practical significance.

## 1 Introduction

In the context of the popularization of the internet, emerging concepts are emerging frequently, and the convenience of people’s lives is gradually increasing. In this context, network security issues are also becoming increasingly complex. The complexity of network security issues requires continuous improvement and progress in the network security protection (NSP) system, and traditional passive protection should also be transformed into active protection. Computer NSP can be divided into three stages: pre-event, mid-event, and post-event. The pre-event stage is the focus of NSP, and network security situational awareness technology is an important method in the pre-event stage protection. The object of network security situational awareness technology is the entire network or a cluster composed of multiple nodes, so this technology mainly focuses on the macro level, with less involvement in the micro level [1]. The security research between nodes is mainly completed through trust management mechanisms, which have a high demand for indicators. However, excessive indicators can lead to ineffective prediction of trust relationships, and the reliability of the evaluated results will gradually decrease [2]. At present, network security trust management systems also face challenges. Firstly, most trust management mechanisms are mainly used to evaluate trust levels, which also leads to a relatively complex selection of indicators for this mechanism and makes it difficult to predict through this mechanism. The second issue is the difficulty in establishing the current node category relationship framework. Based on these problems, the research innovatively proposes an NSPTM (NSPTM) system based on the improved hidden Markov model (HMM), constructs a model for the prediction of the interaction trust level between nodes, and also designs a method for the prediction of the interaction threat types between nodes. The research aims to construct a new NSPTM system to address network security issues. The research content is divided into four parts. The first part is an overview of research related to network security system design; the second and the third parts are respectively the specific design and the design results of the NSPTM system; the fourth part is the research conclusion.

## 2 Related works

As the popularization of the internet and its development, the importance of network security issues is becoming increasingly prominent, and research related to system design of network security issues is also gradually increasing. Researchers such as Thabit S proposed a model based on trust management and data protection to address phishing attacks in online social networks. This model can identify the accuracy of trust factors and avoid data breaches and other problems. The experiment outcomes expressed that the proposed model had good performance and computational efficiency [3]. Alemneh and other experts have proposed a subjective logic-based trust management system for bidirectional fog computing to ensure the security and privacy of fog computing. This system can verify the reliability and security of services provided by service providers, as well as the credibility of service requesters. The research outcomes denoted that the system had high accuracy and a fast rate of convergence [4]. Xia and other scholars proposed a cloud service security access scheme for trusted mobile terminals to study the access scheme of mobile terminals on a trusted cloud architecture. This scheme not only used hardware isolation technology but also used trusted computing technology. The research findings showed that this scheme had strong scalability and high controllability [5]. Hassan and other researchers proposed a semi-supervised model based on deep learning feature extraction to prevent network risks in the industrial field and protect the adaptive trust boundary of the industrial Internet of Things (IoTs) network through this model. In addition, the model was compatible with the multi-level protocols of the industrial IoTs and did not require manual operation. The experiment outcomes indicated that the model had high attack recognition efficiency [6]. Meryem and other experts proposed a hybrid intrusion detection system based on machine learning to solve the problem of data breaches when requesting services. In addition, the system adopted a cloud architecture, which could solve difficulties related to information technology. The experimental outcomes indicated that the detection system proposed by the research improved the detection efficiency of data breaches and other issues to a certain extent, and avoided large-scale information leakage events [7].

To study trust management in the IoTs, scholars such as Jabee proposed a trust and reputation management protocol that combines context awareness. In addition, the protocol mainly targeted the requirements of adaptability and scalability for IoT systems. The research findings expressed that this protocol could improve the adaptability of IoT systems to a certain extent and enhance their own scalability [8]. Otari and other researchers proposed a trust management model based on a multi-objective genetic algorithm to study the identification of trusted nodes in mobile grid systems. This model used different evaluation indicators and attributes to evaluate the trust index of nodes and obtained the set of non-dominated trusted nodes. The research outcomes indicated that the model had good recognition speed and accuracy [9]. Tu scholar proposed an operation control method based on a distributed data quality management system to improve the operation control capability of the distribution network. This method adopted a small disturbance steady-state suppression method and a hybrid doubly fed DC transmission configuration method. The experimental outcomes expressed that this method had good output stability and strong anti-interference ability [10]. Zhang and other experts proposed a data protection model based on linear encryption and statistical mapping to protect the data information of a certain tourism virtual experience system. This model required the extraction of fuzzy correlation feature quantities of data information and adopted line space reconstruction methods and nonlinear vector quantization coding methods. The research findings indicated that the model had good data information protection ability and strong attack resistance [11]. To study the security defense of sensors, researchers such as Xin N proposed an Openflow-based security defense scheme for mobile IoT systems. This method used the Openflow structure to perform double random number conversion and had strong deployability. The experimental structure showed that this method could improve the security of system data transmission to a certain extent [12].

In summary, there is currently a wealth of research related to the design of network security systems, and the methods involved are also diverse. However, these studies also have certain problems, such as a lack of predictive ability in the micro field of node interaction, redundant evaluation indicators, and an inability to make effective predictions. Based on these problems, the research innovatively proposes an NSPTM system based on the improved HMM. In addition, the study also constructs a model for predicting the trust level of interaction between nodes and designs a method for predicting the types of interaction threats between nodes.

## 3 Design of interaction security method between network nodes based on improved HMM

To calculate the trust level between nodes, research is conducted to divide the trust level by calculating the degree of threat caused by node interaction. To predict the trust level of interaction between nodes, the traditional HMM is optimized, and the prediction of trust level in long short-term memory (LSTM) networks is explained. In addition, the study calculates the node distance based on alarm data and estimates the probability interval of threat types using Dempster-Shafer evidence theory.

### 3.1 Calculation and prediction method construction of interaction level between network nodes based on improved HMM

The traditional calculation of trust is based on traffic data, and due to the numerical variation of the threat level between network nodes, research has divided the trust level between nodes through threat level [13]. With the advancement of network security technology, current monitoring systems can directly generate network security alarm data. The calculation and prediction of trust levels for interaction between nodes are shown in Fig. 1.

In Fig. 1, the calculation and prediction of trust levels between nodes can be mainly divided into five steps. Among them, the first step is to input the initial data, and the second step is to preprocess the data. The third step is to calculate the threat level of node interaction and divide the trust level based on the numerical variation pattern of the threat level. The fourth step is to train the trust level prediction model. The fifth step is to use the trust level prediction model to make predictions, and finally end the process. Data preprocessing mainly involves interpolating missing data, and there are three traditional interpolation methods, namely elimination, single interpolation, and multiple interpolation [14]. Due to the uneven distribution of missing data, the processing of missing data is achieved through single and multiple interpolation methods. In addition, the mode interpolation method can also be used for processing missing data. Because there is an attack and defense game when nodes interact, an interpolation method based on the Markov chain is proposed. The discrete value calculation of the duration of the node state *s* is denoted in Eq. (1).

In Eq. (1), *et* expresses the end time; *st* denotes the start time, and *t*_{1} and *t*_{2} are both set values. The state-transition matrix is shown in Eq. (2).

In Eq. (2), *n* + 1 indicates the total number of states; *p*_{nm} represents the transition state; *m* expresses the number of columns in the matrix; *n* refers to the number of rows in the matrix. After obtaining the state-transition matrix, the missing data can be processed. The calculation of trust level between nodes mainly involves factors such as alarm data and the threat level of interaction between nodes, and the trust level of interaction between nodes is divided based on the threat level of interaction between nodes. The calculation of the threat level of interaction between network nodes is shown in Eq. (3).

In Eq. (3), *A* and *B* represents two different nodes; *i* stands for the number of alarm types; *level*_{i} means the threat level corresponding to the *i* alarm type generated by node *A* after attacking node *B*; *U* denotes the numbers of all alarm types; *sumTime*_{i} represents the total duration of the *i* alarm type generated by node *A* after attacking node *B*. HMM is a statistical model, and its structure is shown in Fig. 2.

From Fig. 2, HMM is mainly divided into two states, namely hidden and observable states. All hidden and observable states contain their own sequences, sets, and generator matrices. In addition, the hidden state also involves the initial probability distribution and only involves one Markov chain. HMM can predict the threat level of interaction between nodes. Due to the fact that the hidden state sequence only has one Markov chain, there needs to be a relative explanation in the hidden state set for all threat types and disposal methods of any interaction tuple on any given day. However, due to the large number of hidden states, predicting the trust level between nodes through HMM can lead to a memory explosion. Based on this issue, research has optimized and improved HMM to have multiple Markov chains. The specific improvement measure is to modify the hidden state sequence and increase the number of Markov chains, that is, no longer a separate Markov chain. The number of Markov chains corresponds to the number of calculated states, and then the hidden states are designed as binary. The improved HMM is called multiple HMM, and the specific structure of the model is shown in Fig. 3.

In Fig. 3, the multiple HMMs are composed of multiple Markov chains in their overall structure, involving hidden and observable states at different times. In addition, multiple HMMs also include influence factors, and observable states are mainly achieved through the calculation of influence factors based on hidden states. There are different methods for calculating the influence factor under different *sumTime*_{i} values. When the *sumTime*_{i} value is greater than 0, the calculation of the influence factor is shown in Eq. (4).

In Eq. (4), *h*_{t + 1}(*k*) refers to the impact factor; *t* means the serial number of days; *sumTime*_{t} stands for the duration of all relevant alarm entries in the interaction tuple on day *t*; *q*_{k} represents the hidden state in the interaction tuple; *k* refers to the serial number of the hidden state; \({sumTime}_{t,{q}_k}\) stands for the total duration of all corresponding alarm entries on day *t*. When the value is equal to 0, the calculation of the influence factor is denoted in Eq. (5).

LSTM solves the problem that recurrent neural networks make it easy to lose information through the gate mechanism [15]. When predicting the trust level of interaction between nodes through LSTM, the degree of interaction threat between nodes needs to be predicted first, followed by the transformation of the trust level. In addition, LSTM-based prediction is considered a many-to-one prediction, and its prediction steps are mainly divided into four steps. Among them, the first step is to process the data, and the second step is to train the model. The third step is to predict the level of interaction threat, and the fourth step is to calculate the trust level based on the already predicted level of interaction threat.

### 3.2 Design of network node clustering and threat type estimation method for node interaction based on alarm data

In terms of order, node clustering occurs before the estimation of the threat type of interaction between nodes. To cluster nodes, a hierarchical clustering (HC) method is adopted based on alarm data. The steps of the HC method can be divided into two steps as a whole, namely, the calculation of the distance between nodes and the HC from bottom to top [16]. In the calculation of distance between nodes, the Jaccard similarity coefficient is used to compare the similarity between sample sets. The expression of the Jaccard similarity coefficient is shown in Eq. (6).

In Eq. (6), *G*_{A} and *G*_{B} are the given sets. When *G*_{A} and *G*_{B} are both empty sets, the value of *J*(*G*_{A}, *G*_{B}) is 1. The Jaccard distance in the Jaccard similarity coefficient can describe the dissimilarity between sets, and the calculation of the Jaccard distance is shown in Eq. (7).

Node clustering can be divided into active and passive clustering, and in active clustering, the distance *d*_{Z} between nodes *A* and *B* is calculated as shown in Eq. (8).

In Eq. (8), *G*_{A}∩_{Asim}*G*_{B} denotes the active party similarity set of *G*_{A} and *G*_{B}. The calculation of the distance *d*_{V} between nodes *A* and *B* in the passive clustering class is shown in Eq. (9).

In Eq. (9), *G*_{A}∩_{Bsim}*G*_{B} refers to passive similarity set of *G*_{A} and *G*_{B}. If no alarm data has appeared at nodes *A* and *B*, then *d*_{Z} and *d*_{V} are expressed as in Eq. (10).

HC can be divided into two types: HC from top to bottom and one from bottom to top. And different HC methods will obtain a cluster tree after clustering [17]. The research uses HC from bottom to top, and the steps of this clustering method can be divided into five steps on the whole. The first step is to treat all objects as clusters and place them in the cluster collection. The second step is to determine the number of clusters in the cluster set. If the number of clusters is equal to 1 or 0, the construction of the cluster tree is completed. If the number of clusters is greater than 1, it will proceed to the third step. The third step is to calculate the distance between clusters in the cluster set and merge the two closest clusters into a new cluster. The fourth step is to return to the second step and continue to judge the number of clusters in the cluster set. The fifth step is to complete the construction of the clustering tree. When using HC, research will regard nodes as clusters, and calculate the distance between nodes, that is, the distance between clusters. After the first round of calculation, the distance between clusters is calculated as shown in equation (11).

In Eq. (11), *clu*_{i} and *clu*_{j} are both clusters; *H*_{i} means the set of *clu*_{i} sub-clusters; *j* represents the *j*th cluster; *H*_{j} expresses the set of *clu*_{j} sub clusters. To ensure the timeliness of clustering results, HC needs to restart after a certain interval. To obtain the threat types of interaction between nodes, the study adopts the Dempster-Shafer (D-S) evidence theory. D-S evidence theory is a mathematical theory based on evidence, which involves different concepts such as identification frameworks, trust functions, and trust intervals. The specific framework of D-S evidence theory is shown in Fig. 4.

From Fig. 4, the D-S evidence theory mainly consists of four steps. The first step is to conduct statistics based on the clustering results and alarm data, and the second step is to divide it into three different pieces of evidence. The third step is to aggregate three different pieces of evidence into a D-S evidence theory, and the fourth step is to estimate the types of interactive threats between nodes. Among the three pieces of evidence in D-S evidence theory, one is a characteristic of the interaction itself, while the others are all category characteristics. The calculation of the frequency of threat types is shown in Eq. (12).

In Eq. (12), *type*_{i} means the threat type; *sumC* denotes the total number of alarm entries; \({pro}_{type_i}\) refers to the frequency of *type*_{i} occurrence; \({C}_{type_i}\) denotes the total number of *type*_{i} entries in the alarm entries. The premise requirement of conventional D-S evidence theory is the independence of evidence, but in practical applications, there are few cases where all evidence is independent of each other. Therefore, research has optimized the conventional D-S evidence theory. The optimized D-S evidence theory mainly consists of three steps: calculation of different evidence correction coefficients, adjustment of basic probability allocation functions, and evidence fusion. The calculation of correction coefficients is shown in Eq. (13).

In Eq. (13), *ξ*_{i} is the estimated value of the correction coefficient; *E*_{i} expresses evidence, and *F* stands for the true situation. The expression of new evidence *E*^{'} is shown in Eq. (14).

In Eq. (14), \({pro}_{\left\{{type}_i\right\}}^{\hbox{'}}\) represents the probability of alarm occurrence. The probability interval of threat types appearing on the *t* day is expressed in Eq. (15).

In Eq. (15), *Bel*({*type*_{i}}) stands for the lower probability limit of the threat type appearing, and \({pe}_{\left\{{type}_i\right\}}\) and \({pe}_{\left\{{type}_1,{type}_2,\dots, {type}_i\right\}}\) are both vector elements after evidence fusion. The architecture design of the NSPTM system can be mainly divided into four layers, and the specific design architecture of the system is shown in Fig. 5.

In Fig. 5, the specific architecture of the NSPTM system mainly includes the data, service, communication, and display layers. The data layer involves files and My Structured Query Language, while the communication layer mainly includes HTTP and TCP. The service layer is divided into three parts, namely data preprocessing, prediction of trust level in interactive tuples, node clustering, and prediction of threat types in interactive tuples. The display layer also includes three parts, namely the display of trust level prediction results for interactive tuples, the display of probability estimation intervals for threat types of interactive tuples, and display category management. The scalability of the system mainly reflects the scalability of the system technology itself. In terms of system framework construction, the Spring Boot framework is used for research. This framework is an open-source framework based on Java and does not require template configuration. The specific functional design of the NSPTM system is shown in Fig. 6.

From Fig. 6, the specific functions of the NSPTM system can be divided into four modules as a whole, namely the unified login module, data preprocessing module, interaction tuple trust level prediction module, and node clustering and interaction tuple threat type prediction module. Among them, the unified login module includes four aspects, namely user login, user account information modification, user account deletion, and user login. The data preprocessing module involves three aspects, namely Markov chain-based interpolation, mode interpolation, and removing items that cannot be interpolated. The interactive tuple trust level prediction module mainly includes the calculation of trust level and the training and prediction of trust level prediction models. The node clustering and interactive tuple threat type estimation module mainly involves estimating the probability interval of node clustering and interactive tuple threat types.

## 4 Result analysis of the NSPTM system based on improved HMM

To verify the performance of the trust level prediction model, the study compared and analyzed the prediction accuracy of the model under different circumstances, and also compared the accuracy of the model prediction under different degrees of change in trust level. In addition, the study analyzed the combined trust level and threat type prediction models and also tested the performance of the NSPTM system.

### 4.1 Analysis of prediction results of interaction trust level between nodes based on improved HMM

To verify the effectiveness of the prediction model based on multiple HMMs, the study selected partial node data of a large company’s NSP trust system as the experimental dataset and selected accuracy indicators as the evaluation indicators of model performance. In addition, the study compared the prediction models under multiple HMMs with those under LSTM, and the comparison mainly involved inactive interaction tuples and other interaction tuples. In interactive tuples, inactive interactive tuples had a higher proportion. The accuracy comparison between multiple HMM and LSTM prediction models under different processing conditions of inactive interactive tuples is shown in Fig. 7.

From Fig. 7a, when inactive interaction tuples were not excluded, the prediction model based on multiple HMMs had a max accuracy of 96.6%, a mini accuracy of 94.2%, and an average accuracy of 95.2%. In addition, the average training time for interactive tuples in this prediction model was 0.75 s. The max accuracy of the LSTM-based prediction model was 96.7%, the mini was 96.1%, and the average was 96.4%. The average training time for interactive tuples in this prediction model was 41.5 s. From Fig. 7b, when excluding inactive interaction tuples, the prediction model based on multiple HMMs had a maxi accuracy of 82.7%, a mini accuracy of 82.3%, and an average accuracy of 82.5%. In addition, the average training time of interactive tuples in this prediction model was 0.85 s. The maxi accuracy of the LSTM-based prediction model was 88.9%, the mini accuracy was 88.7%, and the average accuracy was 88.8%. The average training time for interactive tuples in this prediction model was 56.95 s. In summary, due to the high trust level of inactive interaction tuples and the obvious patterns, when inactive interaction tuples were not excluded, the prediction accuracy of the model could be improved to a certain extent. The comparison between the two predictive models and the true values when the change in trust level did not exceed 3 is shown in Fig. 8.

From Fig. 8a, in the prediction model of multiple HMMs, the max and mini values of the true and predicted trust levels were consistent, with levels 4 and 1, respectively. The max value of the change in trust level was 2, and the mini value was 1. In addition, the coincidence rate between the predicted and true values was 90%, which also indicated that the accuracy of the prediction model could reach 90% under various HMMs. From Fig. 8b, under the LSTM prediction model, the coincidence rate between the true and predicted values of the trust level was also as high as 90%. In addition, the max value of the change in trust level was 2, and the mini value was 1. The accuracy of the two models was basically the same when the change in trust level did not exceed 3. The comparison between the two predictive models and the true values when the change in trust level was equal to 3 is shown in Fig. 9.

From Fig. 9a, the number of times when the trust level changed by 3 was 3. In addition, under the HMM-based prediction model, the repetition rate between the predicted and true values of the trust level was 76.6%, which also indicated that the prediction accuracy of the model was 76.6% at this time. Under the LSTM-based prediction model, if the repetition rate between the predicted and true values of the trust level was 90%, the prediction accuracy of the model was also 90%. According to Fig. 9b, the number of times when the trust level changed by 3 was 6. In addition, under the HMM-based prediction model, if the repetition rate between the predicted and true values of the trust level was 53.3%, the prediction accuracy of the model was 53.3%. Under the LSTM-based prediction model, the repetition rate between the predicted and true values of the trust level was 86.6%, and the prediction accuracy of the model was also 86.6%. To better validate the performance of multiple HMM-based prediction models, the study selected relatively advanced methods in network security trust management for comparison, including a support vector machine (SVM) model and a Simulated Annealing Back Propagation (SA-BP) model optimized based on a simulated annealing algorithm. The comparison of recall rates among the three models is shown in Table 1.

From Table 1, the maximum recall rate of the multiple HMM model was 97.7%, the minimum value was 96.7%, and the average value was 97.12%. The maximum recall rate of the SVM model was 91.6%, the minimum value was 90.3%, and the average value was 90.9%. The maximum recall rate of the SA-BP model was 95.2%, the minimum value was 93.1%, and the average value was 94.44%. From this, the performance of various HMM models was superior to SVM and SA-BP models.

### 4.2 Performance analysis of the NSPTM system based on improved HMM

To fully utilize the functions of multiple HMMs, the study combined them with LSTM-based models. To verify the performance of the combined model, the prediction accuracy and average training time of the combined model under different processing conditions of inactive interactive tuples were studied and analyzed. In addition, the study validated the effectiveness of the threat type prediction model and tested different pages of the NSPTM system. The accuracy comparison of the combined trust level prediction model in different situations is shown in Fig. 10.

As shown in Fig. 10a, without excluding inactive interaction tuples, the maximum prediction accuracy of the combined model was 96.1%, the minimum was 94.2%, and the average was 95.5%. In addition, the average training time for interactive tuples at this time was 1.45 s. From Fig. 10b, when excluding inactive interaction tuples, the maximum prediction accuracy of the combined model was 88.2%, the minimum value was 86.8%, and the average value was 87.4%. In addition, the average training time for interactive tuples at this time was 9.17 s. The overall distribution and average accuracy of interaction tuples for the average interval of threat-type probability estimation under D-S evidence theory are shown in Fig. 11.

From Fig. 11a, the average probability estimation interval for threat types was mainly concentrated between 0.1 and 0.3, accounting for approximately 82% of the total. The proportion of the average value in the estimated interval of threat-type probability was generally less than 7%, and the proportion of the average value outside the range of 0.1 to 0.3 was basically less than 1%. From Fig. 11b, the max and mini average accuracy of interactive tuples were 99.7% and 88.7%, respectively, and the overall trend showed continuous upward and downward fluctuations. To apply the design method of the research institute to the real environment, the research would install the system in the real environment. Among them, the hardware memory of the server was 32 GB, the graphics card was NVIDIA GeForce GTX 1080, the operating system was Windows 10, and it was 64-bit. The integrated development environment was PyCharm 2020. To verify whether the system met the practical application requirements, the response time between the system and user interaction was tested. The response time when the system interacts with users could have a significant impact on the user experience, thereby affecting the system's practical application. In response time testing, the most important pages in the system were selected for research, namely interactive tuple security prediction and estimation pages, and active and passive cluster management pages, and each page needed to undergo 50 tests. The test results of different pages of the NSPTM system in the experimental environment constructed by the research institute are shown in Fig. 12.

From Fig. 12a, the maximum response time for predicting and estimating the security situation of interactive tuples was 80 ms, the minimum was 31 ms, and the average was 59.2 ms. From Fig. 12b, the maximum response time of the active cluster management page was 38 ms, the minimum value was 16 ms, and the average value was 26.2 ms. As shown in Fig. 12c, the maximum response time of the passive cluster management page was 33 ms, the minimum value was 14 ms, and the average value was 24 ms. From this, the system had good performance. To better validate the performance of the trust management system for network security protection, the robustness and scalability of the system were analyzed. The analysis of system scalability was mainly conducted from two perspectives: latency and throughput. The comparison of latency and throughput for different pages under different node numbers is shown in Table 2.

From Table 2, when the number of nodes was 20, 30, and 40, the latency of the interaction tuple security prediction and estimation page was 60 ms, 72 ms, and 86 ms, while the latency of the active and passive cluster management pages was 32 ms and 30 ms, 43 ms, 37 ms, and 55 ms and 46 ms, respectively. The throughput of interactive tuple security prediction and estimation pages was 375, 326, and 271 while the throughput of active and passive cluster management pages was 550 and 672, 482 and 551, and 413 and 498, respectively. Based on the above analysis, the NSPTM system designed by the research institute had good scalability. Robustness refers to the ability of a system to maintain its own stability under abnormal conditions. To verify the robustness of the system designed by the research institute, it was subjected to destructive testing and network attacks on the system. The latency of different pages in the NSPTM system under different network attack methods is shown in Table 3.

From Table 3, when the system was subjected to a distributed denial of service attack, the latency of the interaction tuple security prediction and estimation page, the active cluster management page, and the passive cluster management page were 167 ms, 131 ms, and 120 ms, respectively. When systems 413 and 498 were attacked by malicious software, the latency of interaction tuple security prediction and estimation pages, active cluster management pages, and passive cluster management pages were 185 ms, 152 ms, and 164 ms, respectively. When the system was attacked by network worms, the latency of interaction tuple security prediction and estimation pages, active cluster management pages, and passive cluster management pages were 175 ms, 130 ms, and 143 ms, respectively. In summary, when the system is subjected to network attacks, the page delay will increase, but the system is also running normally without any crashes or crashes, indicating that the system has good robustness.

The NSPTM system researched and designed integrates trust level prediction, threat type prediction, and node clustering. In the increasingly complex network security context, the system can predict the trust level and threat type of interaction between nodes, effectively protect the security of interaction between nodes, and assist network security operation and maintenance personnel in their work.

## 5 Conclusion

To predict trust levels and protect network security, the research innovatively proposed an NSPTM system based on the improved HMM and designed the prediction of the interaction trust level and threat type between nodes. The research findings indicated that without excluding inactive interaction tuples, the maximum prediction accuracy of the combined model was 96.1%, the minimum value was 94.2%, and the average value was 95.5%. When excluding inactive interaction tuples, the maximum prediction accuracy of the combined model was 88.2%, the minimum value was 86.8%, and the average value was 87.4%. The average probability estimation interval for threat types was mainly concentrated between 0.1 and 0.3, accounting for approximately 82% of the total. The maximum and minimum average accuracy of interactive tuples were 99.7% and 88.7%, respectively. The maximum response time for predicting and estimating the security situation of interactive tuples was 80 ms, the minimum was 31 ms, and the average was 59.2 ms. The maximum response time of the active cluster management page was 38 ms, the minimum value was 16 ms, and the average value was 26.2 ms. The maximum response time of the passive cluster management page was 33 ms, the minimum was 14 ms, and the average was 24 ms. The NSPTM system designed by the research institute had good performance. However, there are also certain shortcomings in the research, such as the improvement of the processing methods for missing data and the optimization of the computational efficiency of the model, which is also an area for further research to improve.

## 6 Discussion

To better understand the shortcomings of the research, this section will provide an explanation. Firstly, the model designed by the research institute can be further improved, and there is still room for optimization in terms of time and spatial complexity. Secondly, in terms of missing data filling, a Markov chain-based interpolation method was used in the study. Although this method has high accuracy and efficiency, it can still be deepened. Thirdly, for the threat types of interaction between nodes, the improved D-S evidence theory was adopted in the study. This method can continue to be improved, improve the accuracy of estimation, and shorten the length of the probability interval of threat types. Fourthly, when the time span is large and the network is deep, LSTM will face huge computational complexity and time consumption, which can be avoided by improving the algorithm. These shortcomings are also areas that research can improve in the future.

## Availability of data and materials

The data for this study are available from the corresponding author.

## Change history

### 13 May 2024

This article has been retracted. Please see the Retraction Notice for more detail: https://doi.org/10.1186/s13635-024-00167-2

## References

Z. Chen, Research on internet security situation awareness prediction technology based on improved RBF neural network algorithm. J Comput Cogn Eng.

**1**(3), 103–108 (2022)R. Islambouli, Z. Sweidan, A. Mourad, C. Abou-Rjeily, Towards trust-aware IoT hashing offloading in mobile edge computing., International Wireless Communications and Mobile Computing (IWCMC). IEEE.

**2020**, 2216–2221 (2020)S. Thabit, Y. Lianshan, Y. Tao, A.B. Abdullah, Trust management and data protection for online social networks. IET Commun

**16**(12), 1355–1368 (2022)E. Alemneh, S.M. Senouci, P. Brunet, T. Tegegne, A two-way trust management system for fog computing. Futur Gener Comput Syst.

**106**(6), 206–220 (2020)H. Xia, W. Yang, Security access solution of cloud services for trusted mobile terminals based on trust zone. Int J Netw Secur.

**22**(2), 201–211 (2020)M.M. Hassan, S. Huda, S. Sharmeen, J. Abawajy, G. Fortino, An adaptive trust boundary protection for IIoT networks using deep-learning feature-extraction-based semisupervised model. IEEE Trans Industr Inform.

**17**(4), 2860–2870 (2020)A. Meryem, B.E. Ouahidi, Hybrid intrusion detection system using machine learning. Netw Secur.

**2020**(5), 8–19 (2020)F. Jabeen, Z.U.R. Khan, Z. Hamid, A. Khan, Adaptive and survivable trust management for Internet of Things systems. IET Inf Secur.

**15**(5), 375–394 (2021)G.V. Otari, V.R. Ghorpade, A trust management model based on NSGA-II in mobile grid system. Int J Knowl-Based Intell Eng Syst.

**24**(3), 235–242 (2020)Y. Tu, Distribution network operation control algorithm for distributed data quality management system. Int J Performability Eng.

**16**(5), 766–774 (2020)M. Zhang, H. Fu, P. Yu, Data information protection quality management of the characteristic tourism virtual experience system in Changbai Mountain. Int J Performability Eng.

**16**(3), 401–410 (2020)N. Xin, Z.L. Jiang, Moving target defense controller of mobile system based on Openflow sensor security scheme - ScienceDirect. Comput Commun.

**161**(9), 142–149 (2020)G.N. Nguyen, N.H.L. Viet, M. Elhoseny, K. Shankar, A. El-Latif, Secure blockchain enabled Cyber-physical systems in healthcare using deep belief network with ResNet model. J Parallel Distrib Comput.

**153**(2), 150–160 (2021)R.C. Mittal, S. Kumar, R. Jiwari, A cubic B-spline quasi-interpolation method for solving two-dimensional unsteady advection diffusion equations. Int J Numer Methods Heat Fluid Flow.

**30**(9), 4281–4306 (2020)B. Geng, Text segmentation for patent claim simplification via Bidirectional Long-Short Term Memory and Conditional Random Field. Comput Intell.

**38**(1), 205–215 (2022)A. Kigerl, Behind the Scenes of the Underworld: Hierarchical Clustering of Two Leaked Carding Forum Databases. Soc Sci Comput Rev.

**40**(3), 618–640 (2022)C.H. Tseng, J.R. Lin, A semi-hierarchical clustering method for constructing knowledge trees from stackoverflow. J Inf Sci.

**48**(3), 393–405 (2022)

## Acknowledgements

None.

## Funding

Not applicable.

## Author information

### Authors and Affiliations

### Contributions

All authors have contributed equally. The authors read and approved the final manuscript.

### Corresponding author

## Ethics declarations

### Competing interests

The authors declare that they have no competing interests.

## Additional information

### Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article has been retracted. Please see the retraction notice for more detail: https://doi.org/10.1186/s13635-024-00167-2"

## Rights and permissions

**Open Access** This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

## About this article

### Cite this article

Chen, S. RETRACTED ARTICLE: The design of network security protection trust management system based on an improved hidden Markov model.
*EURASIP J. on Info. Security* **2023**, 10 (2023). https://doi.org/10.1186/s13635-023-00146-z

Received:

Accepted:

Published:

DOI: https://doi.org/10.1186/s13635-023-00146-z