2.1. The Basic Principles of CPCSIS
The proposal of CPCSIS has a solid theoretical foundation. Research in the biomedical field indicates that the human immune system is generally composed of three lines of defense. CPCSIS draws on this hierarchical structure, focusing on the elements of citizens, enterprises, and government affairs, and constructs three lines of defense that are similar to human immunity in terms of immune methods, immune functions, and immune components, as shown in Table 1. CPCSIS combines cyber security with biomedical research for interdisciplinary innovation, which is a fundamental research method for solving complex technical problems. As Tache et al. (2023) point out in their research paper, the scientific basis of this approach is transdisciplinarity, wherein the aim is to highlight the nature and characteristics of the flow of information that circulates between the different branches of knowledge [22].
The basic principle of CPCSIS is shown in Figure 2.
CPCSIS has a three-line defense architecture. HWolf-Ostermann (2021) described in his paper the basic concepts of the three-lines-of-defense structure of the human immune system [23]. Correspondingly, CPCSIS is first able to achieve network and public environment perception and scene cognition. Secondly, it has basic access control capabilities, which can defend against attacks of moderate intensity in the network environment. In the paper by Robert et al. (2023), it was mentioned that bactericidal substances and phagocytic cells form the second line of defense, which has the functions of phagocytosis and digestion. They phagocytose and process antigens and transmit antigen-specific information to T lymphocytes and B lymphocytes [24]. This is analogous to the information fusion, threat discovery, and factor authentication mechanisms in the CPCSIS system: the fusion of public safety and cybersecurity information is similar to the phagocytic and digestive functions of phagocytic cells. Antigen specificity is similar to distinguishing "self" from "non-self" among abnormal behaviors that already exist, thus identifying and blocking illegal access, illegal acquisition, and illegal leakage behaviors and presenting the identified information to higher-level analysis, response, and processing systems, which confirm the ownership of key data and its circulation for risk fusion analysis and response strategy generation across the entire network. In the paper by Chiara et al. (2023), it was mentioned that the third line of defense is composed of immune organs and immune cells, which constitutes an acquired defense function gradually established by the human body after birth and only works against a specific pathogen or foreign object [25]. The characteristic of specific immunity is immune memory: the ability to resist infection that the human body acquires through prior infection or artificial vaccination, retaining a memory of the antigen.
In the field of cybersecurity, protective systems constructed based on algorithms such as artificial intelligence and machine learning can also achieve similar learning, recognition, memory, and feature extraction capabilities. When facing specific types of risks (such as abnormal behavior) and new threats (APT), these protective measures can establish highly specialized detection strategies, defense strategies, and isolation mechanisms, thereby making the entire immune system exhibit typical self-learning habits. This confers adaptability to achieve specific immunity for cybersecurity.
2.2. The Basic Components of CPCSIS
2.2.1. Functional Module Composition of the Three Lines of Defense
The three lines of defense of the CPCSIS system include cybersecurity and public safety protection functional components in multiple key information infrastructure areas of smart cities, such as the Internet of Things, IP Internet, and Industrial Internet, as shown in Figure 3.
Among them, the following modules form the first line of defense, with environmental awareness, scene awareness, and access control capabilities: the public safety monitoring platform module based on video surveillance, the public safety and cybersecurity strategy visualization module, the cybersecurity monitoring data collection module, the intelligent public safety gateway module, the multisource heterogeneous data collection module, the network asset mapping module, the cybersecurity vulnerability scanning module, and the public safety multirisk linkage analysis and accurate warning module (including network public opinion monitoring and content security monitoring).
The second line of defense consists of a distributed public key infrastructure module, a fine-grained permission management module, an urban data sharing and exchange module, a multidimensional data authorization module, a multidimensional simulation module for virtual and real integration of smart cities, and a comprehensive threat detection module for smart cities. It will provide information fusion, threat discovery, and element authorization mechanisms for public safety and cybersecurity in smart cities at the level of virtual and real space.
In the third line of defense, the smart city cybersecurity and public safety situation analysis module, the smart city ultralarge capacity data flow monitoring module, the cybersecurity and public safety linkage disposal and control module, the cybersecurity and public safety threat warning and disposal module, and the smart city cybersecurity and public safety comprehensive prevention and control platform module are combined to output security isolation, linkage disposal, and learning modeling mechanisms.
2.2.2. Analysis of the Working Principle of the First Line of Defense
The smart city cybersecurity and public safety comprehensive prevention and control platform module is the fusion processing center unit of CPCSIS. The first line of defense is displayed in the smart city cybersecurity comprehensive prevention and control platform. The display covers the perception and detection of the smart city network environment, including the distribution of smart city network assets, asset attributes, and asset risk vulnerabilities. This involves understanding the operational status of smart city business systems and application scenarios, displaying the execution results of network control operations triggered by public safety incidents, etc. The first line of defense is achieved through a combination of middleware (the public safety and cybersecurity strategy visualization module, the intelligent public safety gateway module, and the public safety monitoring platform module for video surveillance) to handle public safety events under collaborative control conditions.
In terms of interfaces for collaborative disposal, in the first line of defense, the smart city intelligent security gateway module collects data from smart city IoT sensors, reports the detected environmental data to the smart city security strategy visualization module, and disposes of IoT sensors based on the disposal actions issued by the smart city security strategy visualization module. The public safety monitoring module based on video surveillance monitors public safety event information through video capture and reports real-time information on possible personnel intrusion. The multirisk linkage analysis and precise warning module for public safety issues real-time alarm information based on the reported public safety event information and reports it to the smart city security strategy visualization module, which then receives and integrates alarm event data from the public safety multirisk linkage analysis and accurate warning system, as well as from the smart city intelligent security gateway. The smart city security strategy visualization module reports the execution results of the security response strategy to the smart city cybersecurity comprehensive prevention and control platform module; this module processes the received alarm information and issues disposal commands and actions layer by layer. The communication interfaces between the various devices in the first line of defense, and the interface with the smart city cybersecurity comprehensive prevention and control platform, are shown in Figure 4.
2.2.3. Analysis of the Working Principle of the Second Line of Defense
The second line of defense mainly completes the dynamic display of the protection process in the smart city cybersecurity comprehensive prevention and control platform. Therefore, the system interaction design in the second line of defense is implemented in the form of web page URL redirection. The second line of defense displays the protection status of important business data in the smart city cybersecurity comprehensive prevention and control platform module, including the operation status of element authorization, threat detection of data flow, and dynamic operation process information of multimodal data information fusion. Among these, element rights are achieved mainly on the basis of blockchain technology.
2.2.4. Analysis of the Working Principle of the Third Line of Defense
The third line of defense is mainly aimed at protecting against high-level sustained attacks and other high-energy level attack activities. Through the ability to learn and model unknown attacks, it intelligently executes security isolation and linkage disposal measures. The interface and communication relationships of the various components of the third line of defense are shown in Figure 5. The third line of defense in the smart city cybersecurity comprehensive prevention and control platform module mainly displays monitoring and early warning information of unknown attack threats in smart city government information networks, multisensor networks, the Internet of Things, and corresponding cybersecurity control strategies, as well as security isolation measures and their results, against high-level attack threats.
2.3. The Collaborative Protection Method of CPCSIS
The human immune system has an adaptive regulatory mechanism to maintain immune balance. CPCSIS adopts an elastic protection mechanism for attacks and invasions of different intensities, which is achieved by adjusting the operating status of the three lines of defense. The defense of the human immune system is a limited defense, and the immune process of its three lines of defense is a hierarchical and evolutionary process rather than a simultaneous initiation process. Therefore, given the wide variety and distribution of smart city Internet and IoT devices, as well as the complex and diverse attack and intrusion pathways, CPCSIS needs an elastic adjustment algorithm to dynamically control the operation process of the three lines of defense and so prevent situations where they are "under protected" or "over reinforced". Regarding the dynamic arrangement of security resources, Shao et al. (2020) proposed a resource optimization allocation strategy based on particle swarm optimization [26]. Mahfouzi et al. (2019) proposed a security-aware methodology for routing and scheduling for control applications in Ethernet networks [27]. Based on the protection characteristics of smart city network security and public safety, CPCSIS has designed a dynamic allocation method of security resources based on a threat index; the protection control process based on the CPCSIS elastic adjustment defense algorithm is divided into four steps:
Step 1: Calculation of Smart City Cyberthreat Index Based on Information Entropy:
Jing et al. (2024) proposed a resilience-oriented planning strategy for the cyberphysical active distribution network (ADN) under malicious attacks [28]. Ibrahim et al. (2022) proposed an efficient protection mechanism against entropy deception, which is based on the analysis of changes in different entropy types, namely Shannon, Renyi, and Tsallis entropies, and monitoring the number of distinct elements in a feature distribution as a new detection metric [29]. Yang et al. (2021) proposed a dynamic spatiotemporal causality modeling approach to analyze traffic causal relationships for the large-scale road network [30]. Numerous studies have shown that Shannon entropy can be used to discover changes in the normal distribution of network traffic, thereby identifying security anomalies. By monitoring the flow entropy of the smart city network through the functional modules of the first and second lines of defense of CPCSIS, the network status and security status of the smart city can be detected. For traffic samples in cyberspace, the probability distribution of public safety and cybersecurity attributes of traffic packets can reflect the characteristics of traffic, and information entropy, as a feature quantification method, can measure any variable.
Real-time detection of malicious attack threats is implemented with the smart city cybersecurity situation awareness method based on scan traffic entropy. The specific method is as follows. Assuming that the cyberspace of smart cities is represented by a random variable
s, we define its set of values as
. The probability distribution of values is defined as
. Therein,
,
indicate the probability of 1 to
n network anomalies occurring, where
. The information entropy of variable can be expressed as follows:
The H value determines the degree of attack on the system network. The lower the value, the more stable the system is; the higher the value, the more chaotic the system is. Chen et al. (2022) proposed an improved Technique for Order Preference by Similarity to Ideal Solution, called CPR-TOPSIS, which is based on information Communication Probability and Relative Entropy (CPR) and presented for identifying influential nodes in complex networks from the view of global, local, and location information dimensions [31]. In the CPCSIS, relative entropy is equivalent to the information entropy of two probability distributions, which can characterize the similarity between the two probability distributions. For the distribution of two discrete probabilities, we have
and
, where
Overall, the formula for calculating relative entropy for P and Q is
where D represents the difference in probability distribution between P and Q; when D is 0, this indicates that P and Q belong to the same distribution, because
. In order to accurately and stably depict the distribution of P and Q, we expand relative entropy to scan flow entropy:
Based on the above, it can be concluded that when the cyberspace domain of the smart city that needs to be protected is divided into
blocks within the
t time cycle, the summary of failed application messages is
, and the number of failed network space application messages in the
i block is
. We use Equation (5) to obtain
, which is the probability distribution of failed application source addresses within a time cycle. Therein, the probability distribution of destinations can be expressed as
, thus setting
.
The above methods can better grasp the current operation status and environment of protected networks in smart cities and perceive various attackers and their attack activities, such as zombie networks, malicious websites, and denial of service.
From a mathematical perspective, based on the completion of information entropy calculation, the average number of scans of each partitioned address space in a specified time period is
. But in reality within a divided time period, the likelihood of completing a random scan is relatively low. In a failed application message within a time period, it is easier to directly calculate the probability distribution of the obtained IP address and the
scan traffic entropy in engineering. Therefore, this situation can be adjusted through the criterion of Formula (6):
Step 2—Classification of Cybersecurity Threats in Smart Cities Based on the Threat Level: Formula (7) is used to calculate the probability distribution of IP addresses in failed application packets within the time period and the corrected average probability distribution of the scan traffic entropy. By comparing it with the set threshold, the degree of attack threat can be determined.
represents the cyberspace security threat index. The overall algorithm process can be found in Algorithm 1.
Algorithm 1 Part of the Smart City Cybersecurity Threat Level
Input: Probability of IP address segment distribution
Output: The degree of attack threat
← Average probability distribution
for do
    Relative entropy
end for
for do
    Scan traffic entropy
end for
if checkentropyverity(A,B) then
    calculatethreatlevel()
else
    return Unreasonable scanning flow entropy
end if
Step 3—The Classification of Security Threat Levels for Smart Cities using CPCSIS: This should include both public safety and cybersecurity factors. In the third step, the cybersecurity threat level index is calculated using information entropy. According to the research of Guo et al. (2020), the level of public safety threat is generally divided according to the regulations of government management departments for various types of public threats [32]. For the convenience of research, this article only focuses on threats related to smart city video surveillance and network public opinion content security and divides them into four levels:
represents the public safety threat index,
. We calculate the threat level of smart cities using weighted processing algorithms, as shown in Formula (8):
In the formula, is the public safety factor, is the cybersecurity factor, and . According to the requirements of CPCSIS application scenarios, it can be divided into three situations:
- (a)
> : Public safety disposal or scenarios with high attention, such as natural disasters;
- (b)
= : Scenarios where public safety factors are of equal concern to cybersecurity factors, such as handling public health incidents, among others;
- (c)
< : Scenarios with high cybersecurity disposal or attention, such as being subjected to organized large-scale network attacks, among others.
In theory, the values of relative entropy and flow entropy can be infinitely large, and the value of
is infinite. However, the actual situation is not like this. According to the research of Imanbayeva et al. (2020), when the system becomes chaotic to a certain extent, it will become unusable as a whole [33]. As a result, the value of
will never be infinite: there always exists an upper limit value
. The range of values for
is 0
. By dividing the interval of
into 5 segments, 5 threat levels can be formed. The classification of attack threat levels can be calculated, as shown in Table 2.
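The following added example (not code from the paper, and not a reproduction of its Formulas (6) to (8)) computes the Shannon entropy and relative entropy of failed application messages per address block for one time cycle, caps the result at an upper limit, and grades it into five levels as described in Steps 1 to 3. Its assumptions are the constructed address blocks and sample addresses, the use of relative entropy against a smoothed baseline cycle as the threat index, the 2-bit upper limit, and equal-width segments.

```python
import math
from collections import Counter
from ipaddress import ip_address, ip_network

def block_counts(addresses, blocks):
    """Count failed application messages per address block (unmatched ones are ignored)."""
    counts = Counter()
    for addr in addresses:
        ip = ip_address(addr)
        idx = next((i for i, net in enumerate(blocks) if ip in net), None)
        if idx is not None:
            counts[idx] += 1
    return [counts[i] for i in range(len(blocks))]

def distribution(counts, alpha=0.0):
    """Turn counts into probabilities; alpha > 0 applies additive smoothing."""
    total = sum(counts) + alpha * len(counts)
    if total == 0:
        raise ValueError("no failed messages in this time cycle")
    return [(c + alpha) / total for c in counts]

def shannon_entropy(p):
    """H(P) in bits, with the convention 0 * log 0 = 0."""
    return -sum(x * math.log2(x) for x in p if x > 0)

def relative_entropy(p, q):
    """D(P || Q) in bits; infinite if Q gives zero probability to something P observed."""
    if any(x > 0 and y == 0 for x, y in zip(p, q)):
        return math.inf
    return sum(x * math.log2(x / y) for x, y in zip(p, q) if x > 0)

def threat_level(index, upper, levels=5):
    """Cap the index at `upper`, split [0, upper] into equal segments, return 1..levels."""
    capped = min(max(index, 0.0), upper)
    return min(int(capped / upper * levels) + 1, levels)

# Constructed sample data: four /26 blocks of a documentation range (RFC 5737).
BLOCKS = [ip_network(f"192.0.2.{i * 64}/26") for i in range(4)]
# Baseline cycle: failed messages spread evenly over the blocks.
BASELINE = [f"192.0.2.{h}" for h in (3, 70, 130, 200, 10, 90, 150, 250)]
# Scan-like cycle: failed messages concentrated in the first block.
SUSPECT = [f"192.0.2.{h}" for h in (*range(1, 15), 200)]
UPPER = 2.0  # assumed upper limit of the index, in bits

def assess(addresses, baseline=BASELINE, blocks=BLOCKS, upper=UPPER):
    """Grade one time cycle against the baseline cycle."""
    q = distribution(block_counts(baseline, blocks), alpha=1.0)  # smoothed reference
    p = distribution(block_counts(addresses, blocks))
    d = relative_entropy(p, q)
    return {"entropy": shannon_entropy(p), "divergence": d,
            "level": threat_level(d, upper)}

if __name__ == "__main__":
    print("baseline:", assess(BASELINE))
    print("suspect: ", assess(SUSPECT))
```

Smoothing only the reference distribution keeps the divergence finite for blocks that were silent in the baseline cycle, and the cap in `threat_level` handles the unsmoothed case where the divergence is infinite.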
Step 4—Three Lines of Defense Operation Control Based on Threat Level Classification: According to the attack threat level of protected objects in smart cities, the activation status design of the functional components of the three lines of defense of CPCSIS is shown in Table 3, Table 4 and Table 5.
The collaborative protection principle of CPCSIS proposed by this innovative research work is in line with the current trend of smart city information infrastructure development and the common research practice of researchers in this field. Kaššaj et al. (2024) highlighted the importance of cooperation between city authorities, local communities, and European institutions to achieve successful digital urban development [34]. Rizwan et al. (2023) have proposed safety and security as examples of issues and obstacles that smart cities confront [35]. Sha et al. (2022) suggested that the key to urban security lies in the construction of a relatively stable system that brings together the various urban elements [36]. Accordingly, CPCSIS will promote cooperation between public safety management departments and cybersecurity management departments in smart cities.