A noise-based privacy preserving model for Internet of Things

With the ever-increasing number of devices, the Internet of Things facilitates the connection between the devices in the hyper-connected world. As the number of interconnected devices increases, sensitive data disclosure becomes an important issue that needs to be addressed. In order to prevent the disclosure of sensitive data, effective and feasible privacy preservation strategies are necessary. A noise-based privacy-preserving model has been proposed in this article. The components of the noise-based privacy-preserving model include Multilevel Noise Treatment for data collection; user preferences-based data classifier to classify sensitive and non-sensitive data; Noise Removal and Fuzzification Mechanism for data access and user-customized privacy preservation mechanism. Experiments have been conducted to evaluate the performance and feasibility of the proposed model. The results have been compared with existing approaches. The experimental results show an improvement in the proposed noise-based privacy-preserving model in terms of computational overhead. The comparative analysis indicates that the proposed model without the fuzzifier has around 52–77% less computational overhead than the Data access control scheme and 46–70% less computational overhead compared to the Dynamic Privacy Protection model. The proposed model with the fuzzifier has around 48–73% less computational overhead compared to the Data access control scheme and 31–63% less computational overhead compared to the Dynamic Privacy Protection model. Furthermore, the privacy analysis has been done with the relevant approaches. The results indicate that the proposed model can customize privacy as per the users’ preferences and at the same time takes less execution time which reduces the overhead on the resource constraint IoT devices.


Introduction
The amalgamation of various technologies like sensor communications, cloud computing, Internet of Things (IoT), artificial intelligence, machine and deep learning plays a vital role in the smart world [1]. IoT is a prevailing technology capable of morphing human lives by providing ease and smartness in varied conventional application domains. As shown in Figs. 1, 2, and 3, IoT is a hybrid environment that is a combination of many technologies such as sensing, data storage, data analytics, and connectivity of things. Further, IoT extends the capabilities of the physical things [2].
IoT applications like smart city, smart healthcare systems, smart building, smart transport and smart environment [3], industrial, agriculture, supply chain management [4], smart retail, location-based services, etc. may deal with sensitive data such as health information, financial information [5], location footprints, Personally Identifiable Information (PII) [6], data of personal life, etc. Data deluge from billions of entities producing information is a significant threat to privacy [7] (Fig. 4).
Shelendra Kumar Jain (shelendra23@hotmail.com), Department of Computer Science, Central University of Rajasthan, NH-8, Bandar Sindri, Dist-Ajmer, Rajasthan 305817, India
Privacy is the right of individuals, which helps them keep their information secret and have control over their information [8]. Privacy preservation is an important aspect that must be considered in every existing logical and physical system to reduce the possibilities of privacy breaches. Ensuring Information privacy is an increasing concern for government, business, consumer, and likewise [9]. In IoT-based networks, personal information is collected from smart devices, and weak privacy measures can misuse sensitive information. If this personal information is stolen, then results can be detrimental [10].
Some of the significant privacy challenges in IoT are as follows: (1) What private data are sensed, where is this data stored, how and who uses the data? [10] (2) Automate the process of identification of sensitive and non-sensitive data. (3) How to allow users to control and manage their data, maintain user's anonymity, and preserve the data integrity in each phase of the data's life cycle? [5] (4) Implementation of efficient mechanism that is suitable for pervasive infrastructure and resource-constrained IoT devices [11].
Many researchers have emphasized that privacy and security are the most challenging problems in IoT because of the risk associated with leakage of the user's private information from several IoT services [12]. Data protection by design and by default (or privacy by design) is crucial to address privacy and protection of data [13]. Users will accept IoT-based systems only if they are secure, trustworthy, and privacy is preserved [8]. Users must be equipped with tools to retain their anonymity in an IoT-based connected world [7]. Thereby, in an IoT environment, an efficient and well-planned strategy is necessary to preserve privacy. The novelties and contributions of this paper are as follows: (1) A Multilevel Noise Mechanism has been proposed for data collection to ensure privacy preservation in the Internet of Things environment. (2) A user preferences-based data classifier has been proposed to classify sensitive and non-sensitive data in the Internet of Things environment. (3) A Noise Removal and Fuzzification Mechanism has been proposed for data access to ensure privacy preservation in the Internet of Things environment.
The remainder of this paper is organized as follows: "Related work and motivation" describes related work and motivation. "Adversary model and design objectives" presents the adversary model and design objectives. The noise-based privacy-preserving model is described in "Noise Based Privacy Preserving model". The experiments and results are given in "Experiments and results", and "Limitations and future scope" concludes the paper.

Related work and motivation
The consumer's trust can be enhanced by privacy preservation in IoT, and it can be achieved by fulfilling the privacy requirements at data generation, storage, usage, and sharing [10]. Ziegeldorf et al. [14] analyzed the privacy issues, discussed the evolving features and trends in IoT, and classified privacy threats. According to the survey [15], more research needs to be done to ensure security and privacy for the IoT paradigm's success. With the miniature power sources, small memory, limited processing capability, and incredibly resource-constrained IoT devices [16], User privacy and data protection, authentication and identity management, trust management, policy integration, authorization and access control, end-to-end security, etc. are security and privacy challenges in the IoT that need to be addressed (Tables 1  and 2).
The personal data collection and usage of these data are challenges to individual privacy in the IoT [17]. Corcoran [18] has introduced different privacy classes and outlined some ideas for an improved privacy framework for IoT, such as that data should be protected at the data source. To mitigate the heavy computation constraints due to cryptographic operations in the sensors used in medical applications, Moosavi et al. [19] proposed a Secure and Efficient Authentication and Authorization (SEA) Architecture in which distributed smart e-health gateways perform authentication and authorization on behalf of the medical sensors. SEA architecture is based on the fact that various heavy-weight security protocols and certificate validation can be handled efficiently by the smart e-health gateway and the remote end-user because both have sufficient resources.
Appavoo et al. [20] proposed a privacy-preserving model to prevent service providers from revealing sensed values, sensor types, and user preferences. The proposed work can be considered as a simple form of functional encryption. A case of a semi-trusted service provider has been considered. In this work, the author represented privacy loss (Eq. 1) in the form of mutual information [21].
S, V, and δ are the random variables for the set of sensors that can be utilized, the set of sensed values, and the set of outcomes for the trigger conditions, respectively. H(S, V) represents the maximum information that can be predicted for sensors and their values. Turgut and Boloni [22] have concentrated on the value and cost of data exchange in IoT with the other types of cost. They described an exciting relationship between the value of information and the cost of privacy (customer's benefit from Eq. 2 and business benefit from Eq. 3) for the IoT paradigm's success. The definition of the notations used in these equations is given in Table 4.
As a notion that trust can be directly related to privacy [23], Butun [24] mapped privacy and trust relation by integrating multi-dimensional relationship of the sensitivity level of PII items, privacy, and trust (Eq. 4).
Jayaraman et al. [25] introduced privacy-preserving IoT architecture and data ingestion scheme in which produced IoT data are split into R parts, where R is the number of servers. If a jth datum produced by an IoT device is D and the number of servers is three (R = 3), then it will be split into data addends, namely α 1 j , α 2 j and α 3 j , where Along with privacy-preserving IoT architecture, Jayaraman et al. also proposed a privacy-preserving data access scheme based on the Paillier cryptosystem's homomorphic properties (Tables 1, 2).
The Dynamic Privacy Protection (DPP) model [26] is designed to ensure mobile device user privacy. The DPP model generates a privacy protection plan to determine the security mode for each data or data package. In this model, privacy protection levels are classified based on privacy weight. Total privacy weight P is calculated using Eq. (6). In this equation, N_e(D_i) is the number of data or data packages (D_i) that use higher-level security mode, and N_n(D_i) is the number of data or data packages that use lower-level security mode. If the value of the binary function s(i) = 1, then encryption will be used, and if s(i) = 0, then non-encryption will be used.
Many researchers have tried to address security and privacy issues in the Internet of Things. Several privacy preservation techniques for IoT have been proposed, but to the best of our knowledge, only a little research work has been carried out to ensure end-to-end privacy, i.e., privacy preservation in all the layers in the IoT ecosystem, along with implementation and detailed results analysis. Also, many proposed privacy-preserving frameworks are based on cryptographic operations. Many of the existing frameworks have not included data classifier mechanisms and user customization-based privacy preservation. Much of the existing work on IoT privacy has not considered the tradeoff between privacy and quality-of-service in the practical scenario. This paper addresses these issues, presents a systematic flow of IoT data, and implements and analyzes the Noise-Based Privacy-Preserving model (NBPPM model). The proposed model's novelty is that it ensures data privacy with fair efficiency at all the layers (edge layer, middleware, and application layer) of the IoT ecosystem.

Privacy-preserving IoT architecture: Encryption/decryption [25]
DPP model: Selectively encrypt data [26]
EPIC: Differentially Private (DP) obfuscation mechanism [28]
Privacy-preserving model: Trust evaluation [29]
Privacy-preserving trust model: Functional encryption/decryption [20]
Information relevance model: Contextual privacy perception framework [30]
Interaction-based privacy protection management framework: Restricting the non-authorized operations and neutralizing the execution of non-authorized operations [31]
Privacy monitoring framework: Informative event, access log analyzer, obfuscation [32]
Privacy preserving communication protocol: Chaos-based cryptographic scheme and message authentication codes [33]
Balance privacy-preserving data aggregation model: Slicing and mixing technology [34]
Privacy preserving scheme: Identity-based Encryption (IBE) and symmetric encryption [35]

Adversary model and design objectives
This section is focused on various privacy threats associated with IoT. In the adversary model, it has been assumed that an adversary is well equipped to monitor communication channels. Any malicious insider at the data storage level (such as a rogue administrator) can access sensitive and non-sensitive data, analyze data and make inferences to gain advantages. An unauthorized user can access sensitive data at the application level, and a service provider can access user data to provide services to the user.
As an example of inference threat in IoT based healthcare application, let us assume a universal set of sensors in IoT is X = {s_1, s_2, s_3, ..., s_n}, where n is the number of sensors in the IoT based system, and a universal set of locations of these sensors is L = {l_1, l_2, l_3, ..., l_n}. A set for data produced by the sensors in set X is D = {d_1, d_2, d_3, ..., d_n}, and a set of m different kinds of diseases is Y = {y_1, y_2, y_3, ..., y_m}. An adversary well equipped with tools and malicious intention can draw fruitful inferences by employing following inference rules in the inference attack: where a_1, ..., a_n, b_1, ..., b_n, c_1, ..., c_n and k_1, ..., k_n are constants used to form specific ranges for the derivation of a useful inference rule. For example, through the above inference rules, an eavesdropper can infer patient disease, which may be private information for the patient, and through location set L, linkage-based attack can be performed, i.e., It can result in physical, mental, economic, and social exploitation of the victim.

Security and privacy threats in IoT
An overview of the major security and privacy threats [14, 38-40] in the IoT environment is mentioned in Table 3.

Problem definition and design objectives
The critical research problem is defined as developing a systematic model to ensure end-to-end privacy against various threats for resource-constrained IoT environments. Our objective was to plan and develop a model against privacy threats and incorporate privacy preservation characteristics such as to safeguard sensitive information, data access control, query privacy, and user-based privacy customization. Along with privacy preservation, our main objective was to reduce the computational overhead for resource-constrained IoT environments.

Uses the content-oriented approach to selectively encrypt data for privacy protection [26]
EPIC: Utility optimal differential privacy mechanism; Protecting from the traffic analysis attacks due to resources constrain; A privacy-preserving traffic obfuscation framework; Adversaries cannot link any traffic flow to a particular smart home [28]
Privacy-preserving trust model: Trust and uniformization models; Minimizing the privacy-loss in the presence of untrusted service providers; A lightweight approach to functional encryption [20]
Privacy-preserving model: Based on simple threshold detection; Direct interactive trust, friend recommendation trust and historical trust; Dynamic self-adjusting trust evaluation approach; How to build a trust model that can prevent non trusted objects from accessing private data; A lightweight strategy to access control for privacy-preservation; Privacy protection problem is transformed into a simple judgment problem [29]
Information relevance model: Consumer's privacy sensitivity as the summation of their privacy concerns; Population privacy sensitivity; To treat privacy uniformly is unfair and socially inefficient by which a substantial proportion of the population remains unsatisfied by a common-policy; Acknowledged the existence of individual differences with respect to unique security and privacy protection needs; Contribute to quantifiable means to measure and evaluate the customized privacy [30]
For the broader adoption of cloud computing, the necessity of proper privacy and security mechanisms to control the sensitive information committed to cloud service providers by users; The framework provides a mechanism that enables cloud customers to track details, such as what happens to their data, where data is stored, and who accesses their data [32]
Privacy preserving communication protocol [33]

Noise based privacy preserving model
This section presents the proposed noise-based privacy-preserving model. The methodology with the structural diagram and detailed functioning of all modules involved in the NBPPM model have been described.

Overview
Let us assume a typical IoT environment consists of IoT devices, middleware, data storage, and user devices with apps that consume service providers' services. The components of the NBPPM model are shown in Fig. 5. Data produced from a source device must be protected in-transit, in-process, and at rest from an intruder that may exist between a source device and a legitimate user device. This goal is achieved in the proposed NBPPM model by incorporating noise while data move from the data source to data storage and denoising the noise at the user device. The proposed model also incorporates the fuzzification mechanism for privacy customization. Thus, the proposed NBPPM uses twofold privacy preservation using noise and fuzzification.

Methodology
The proposed NBPPM model's fundamental modules are the data classification module, multilevel noise treatment module, and noise removal and fuzzification module. In this subsection, each module has been described comprehensively. The overall layout of the proposed model is shown in Fig. 6. As shown in the proposed methodology's flowchart (Fig. 7), level 1 noise is added to all types of data (i.e., sensitive and non-sensitive data). After the level 1 noise addition, data splitting is performed on each data. A data classifier synchronized with the user customization setting performs data classification according to the user preferences. If the data attribute is sensitive, then data addends proceed for level 2 and level 3 noise addition. If the data attribute is non-sensitive, then data addends proceed for level 3 noise addition (Algorithm 1). All of these noised data addends are stored in the data repository (i.e., Cloud Storage). An authenticated user can access noised data addends using valid credentials. At the user end, data addends are de-noised using the noise removal process (Algorithm 2). Further, if a service provider requests users' data to provide services, the service user can supply fuzzified data (based on the user privacy preferences) to the service provider (Fig. 9).

Fig. 6 Overall layout of the proposed model

Data classification module
A data classification mechanism is a necessary step before incorporating a privacy protection mechanism. The data classification mechanism acts as a classifier to categorize data into two classes: sensitive and non-sensitive data class. One of the major issues for data classification is who and how it is decided which data attribute is sensitive and non-sensitive. The data owner is the best entity that can decide the sensitivity of his/her data for an IoT environment. In our proposed data classification mechanism, a data owner can customize his/her data privacy by setting attribute sensitivity to sensitive and non-sensitive mode at the application level, and from the application level, it will be synchronized with the data classifier module. Depending upon the sensitivity of the data, it is treated to multiple levels of noise. Further, at this point, an alternative policy can also be adopted for the data classification by considering an application-specific scenario, i.e., an IoT environment in which some of the data owners cannot judge data sensitivity correctly or may not have any knowledge about the data sensitivity. In this case, a predefined data sensitivity can be added. This predefined data sensitivity can be decided according to specific IoT applications and the General Data Protection Rules and Regulations of the particular country. For instance, in the IoT healthcare system, blood glucose level, heart rate, respiration rate, blood pres-sure, body temperature can be put in the sensitive category of data, and room temperature and humidity can be considered under the non-sensitive data category. A hybrid policy can also be deployed, combining predefined data classification and user-defined privacy preferences. Therefore, a user can change predefined settings according to his/her personal privacy preferences in the IoT ecosystem.

Multilevel noise treatment
In the multilevel noise treatment module of the NBPPM model, noise acts as a private key for the user. A random number generation algorithm is used to generate and divide noise into sub-noises. Let P be the generated noise; then P will be divided into three sub-noises P_1, P_2, and P_3 through a random number generation algorithm at the user end. The sub-noises P_1, P_2, and P_3 are privately shared with the Data-Source, middleware, and data storage server, respectively.
Data splitting and multilevel noise treatment are two critical steps of the NBPPM model, as shown in Fig. 7. Each datum D sensed in the IoT environment is treated with sub-noise P_1 at level 1 using an operator picked from the operator table for the sensed data of the particular attribute type F_i (Table 5). Operator selection for level 1 sub-noise is based on modulo operation with the Data Identifier, i.e., from Qth position, where N=9 for Table 5. After the treatment of level 1 noise, the resultant data is split into three data addends, namely X, Y, and Z. The data classifier module checks data addends X, Y, and Z for sensitivity. If these data addends are part of a sensitive attribute type data, then each of the data addends will be treated with level 2 and level 3 sub-noises. If the data addends are parts of a non-sensitive attribute, then each data addend will pass through level 3 sub-noise treatment only. For instance, as shown in Fig. 7, the sensed data D are treated with noise P_1 at level 1, and then the resultant data are split into three data addends, namely (X, Y, Z)_{F_i}. Then the data classifier checks the sensitivity of attribute type F_i. If F_i is a sensitive attribute type, then (X, Y, Z)_{F_i} will be treated with noise P_2 and P_3, resulting in (A, B, C)_{F_i} and (K, L, M)_{F_i} (Fig. 8).

Noise removal and fuzzification
Noise removal at the user device is a reverse mechanism of the Multilevel Noise treatment mechanism. In an IoT environment, the user requests a service from the service provider. In order to provide the service, user data are requested from the service provider. As shown in Fig. 9, the user accesses the requested data from long-term data storage through valid user credentials. In the proposed NBPPM model, the authentication mechanism is incorporated to verify user validity through username and password. A valid user can access noisy data through a secure channel, and then the noise removal process is initiated through sub-keys, which act as the private key for the user. The process of Noise removal and fuzzification is shown in Algorithm 2.

Algorithm 1 (surviving lines):
A ← X ⊕_2 P_2
B ← Y ⊕_2 P_2
C ← Z ⊕_2 P_2
Forward A, B, C to level 3 through secure channel
Non-sensitive Data
Forward X, Y, Z to level 3 through secure channel
M ← Z ⊕_3 P_3
end if
Stop

Privacy is ensured through the fuzzification process when data are transferred between the user and the service provider. A sub-module, termed the privacy manager and shown in Fig. 9, plays a vital role in user privacy customization. A fuzzifier sub-module is synchronized with user privacy preferences. A user can set his/her privacy preferences for a particular service, and accordingly, the fuzzifier decides the quality of the data to be sent to access a service.

Algorithm 2 (surviving lines):
if Sensitivity(F_i) == True then
User receives K, L, M
Y ← B 2 P 2
Z ← C 2 P 2
S ← X + Y + Z
Q ← DID mod N
Pick operator ⊕ from Qth position from operator

Notation: System trust coefficient; (t_j)_{F_i}: Execution time to access jth content of F_i attribute type; ω: Computational time

Table 5 An example of an operator table (column headers: Attribute, 0, 1, 2, 3, 4, 5, 6, 7, 8)

A comprehensive overview of the functioning of the fuzzifier is as follows. As already defined, the universal set over the sensor domain is X = {s_1, s_2, s_3, ..., s_n}. A user can set the sensitivity level for the data attribute of a sensor node (s_i) that senses the specific parameter value. Two fuzzy sets Ã and λ are defined as follows: Ã = 'Sensitive data' and λ = 'Obfuscation quantity'.
The membership functions of Ã and λ are μ_Ã and μ_λ, respectively, where μ_Ã ∈ [0, 1] and μ_λ ∈ [0, 1]. The value of the membership function μ_Ã may be provided through an interface for the user. The value of μ_Ã indicates the level of the data sensitivity. The value of μ_λ indicates the level of obfuscation. The membership value of μ_λ will be decided through the value of μ_Ã, i.e., μ_λ depends on μ_Ã, and an illustrative example of the relationship between μ_Ã and μ_λ may be as follows (Eq. 7 and Table 6): where x ∈ X and c_1 and c_2 can be fixed within a range and used to add the required quantity of the noise.
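The data classification, multilevel noise treatment and noise removal steps described in the sections above, written out as an added example; this is not the authors' implementation. The operator table contents, the level 2 and level 3 operators, the split P = P_1 + P_2 + P_3, the addend range and the attribute names are assumptions, since the page does not reproduce Table 5 or the full algorithm listings.

```python
import secrets
from dataclasses import dataclass

N = 9  # operator-table width given on the page for Table 5

# ASSUMPTION: the page does not reproduce Table 5, so these invertible integer
# operators and per-attribute rows are constructed for illustration.
# Each entry is (apply, invert) with invert(apply(d, p), p) == d.
ADD = (lambda d, p: d + p, lambda s, p: s - p)
SUB = (lambda d, p: d - p, lambda s, p: s + p)
XOR = (lambda d, p: d ^ p, lambda s, p: s ^ p)
OPERATOR_TABLE = {
    "heart_rate":       [ADD, SUB, XOR, SUB, ADD, XOR, XOR, ADD, SUB],
    "blood_glucose":    [XOR, ADD, SUB, ADD, XOR, SUB, SUB, XOR, ADD],
    "room_temperature": [SUB, XOR, ADD, XOR, SUB, ADD, ADD, SUB, XOR],
}
LEVEL2, LEVEL3 = ADD, XOR  # ASSUMPTION: level 2/3 operators are not given on the page

# Predefined sensitivity (the page's healthcare example); user settings override it.
PREDEFINED = {"heart_rate": True, "blood_glucose": True, "room_temperature": False}
SPAN = 1 << 32  # range of the random addends (assumed)


@dataclass(frozen=True)
class SubNoises:
    p1: int  # shared with the data source
    p2: int  # shared with the middleware
    p3: int  # shared with the data storage server


def split_noise(p: int) -> SubNoises:
    """Divide noise P into three non-zero sub-noises (assumed: P = P1 + P2 + P3).

    The noise acts as the user's private key, so it is drawn from a CSPRNG.
    """
    if p < 3:
        raise ValueError("P must be at least 3 to yield three non-zero sub-noises")
    p1 = 1 + secrets.randbelow(p - 2)
    p2 = 1 + secrets.randbelow(p - p1 - 1)
    return SubNoises(p1, p2, p - p1 - p2)


def is_sensitive(attr: str, user_prefs: dict) -> bool:
    """Hybrid policy: the user's preference if set, else the predefined class."""
    return user_prefs.get(attr, PREDEFINED[attr])


def add_noise(d: int, did: int, attr: str, sensitive: bool, k: SubNoises):
    """Algorithm 1 sketch: level 1, split, level 2 (sensitive only), level 3."""
    apply1, _ = OPERATOR_TABLE[attr][did % N]       # Q = DID mod N
    s = apply1(d, k.p1)                             # level 1 at the data source
    x = secrets.randbelow(2 * SPAN) - SPAN
    y = secrets.randbelow(2 * SPAN) - SPAN
    addends = (x, y, s - x - y)                     # X + Y + Z == S
    if sensitive:                                   # level 2 at the middleware
        addends = tuple(LEVEL2[0](v, k.p2) for v in addends)
    return tuple(LEVEL3[0](v, k.p3) for v in addends)  # level 3 before storage


def remove_noise(stored, did: int, attr: str, sensitive: bool, k: SubNoises) -> int:
    """Algorithm 2 sketch: undo level 3, then level 2, sum, then undo level 1."""
    addends = tuple(LEVEL3[1](v, k.p3) for v in stored)
    if sensitive:
        addends = tuple(LEVEL2[1](v, k.p2) for v in addends)
    s = sum(addends)                                # S = X + Y + Z
    _, invert1 = OPERATOR_TABLE[attr][did % N]      # same Q-th operator as level 1
    return invert1(s, k.p1)


if __name__ == "__main__":
    keys = split_noise(secrets.randbelow(10**6) + 3)
    prefs = {"room_temperature": True}              # constructed user preference
    for did, attr, value in [(41, "heart_rate", 72), (42, "room_temperature", 23)]:
        flag = is_sensitive(attr, prefs)
        stored = add_noise(value, did, attr, flag, keys)
        print(attr, "stored:", stored,
              "recovered:", remove_noise(stored, did, attr, flag, keys))
```

In this sketch, removing noise with a wrong sub-noise or the wrong sensitivity flag returns a different number rather than an error, so the user device must keep the classifier setting and the sub-noises in sync with what was used at collection time.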

Experiments and results
The Noise-Based Privacy-Preserving Model has been presented comprehensively in "Noise Based Privacy Preserving Model". This section presents the experimental setup, findings of the experiment, performance evaluation, security, and privacy analysis to show how privacy can be protected through the proposed model.

Experimental configurations
The proposed multilevel noise function mechanism, data classification mechanism, and noise removal and fuzzification mechanism are implemented in NetBeans IDE 8.2 [45]

Results and discussion
The execution time is the time to access all the contents of a sample dataset. As shown in Eq. 8, the average execution time is the average of the total time to access the N_c number of contents of a specific attribute F_i. (t_j)_{F_i} is the execution time to access jth content of F_i attribute type.
A sample from the activity tracker dataset was taken and its execution time calculated. Figure 12 shows the comparative execution time of the noise removal without fuzzification and with the fuzzification mechanism in the proposed model. It can be observed from the figure that noise removal with the fuzzification mechanism requires more execution time than noise removal without fuzzification. Sample sizes of 1000-5000 records (data points) were taken from the Single Chest-Mounted Accelerometer dataset and the average data execution time calculated. The snapshots of the different data are shown in Figs. 10 and 11. Figure 13 presents the comparative average execution time of the noise removal without fuzzification and with the fuzzification mechanism in the proposed model for each data attribute F_1, F_2, and F_3. A sample of the data before and after the noise treatment is shown in Table 7, and a sample of the data without fuzzification and with the fuzzification after the noise removal is shown in Table 8. As shown in Table 8, all the data of a specific attribute type are treated with a fixed amount of noise. It gives a fixed amount of difference with all data of a particular attribute type, but it is not necessary to treat data with the fixed amount of noise. Every datum of the particular attribute type may be treated with different random noises, and the resultant varying difference may enhance privacy.
Table 8 A sample of the data without fuzzification and with the fuzzification after the noise removal (column headers: Data after noise removal and without fuzzification; Data after noise removal and with fuzzification)

Figure 14 presents the findings of the comparative average execution time of the noise removal without fuzzification in the proposed model, and data access control scheme [25] for each data attribute F_1, F_2, and F_3 of the Single Chest-Mounted Accelerometer dataset. Figure 15 presents the findings of the comparative average execution time of the noise removal with fuzzification in the proposed model and data access control scheme [25] for each data attribute F_1, F_2, and F_3 of the Single Chest-Mounted Accelerometer dataset. It is clear from both of these figures that our proposed noise removal mechanism requires less execution time than the data access control scheme [25].
The findings presented in Fig. 16 are the comparative execution time of the noise removal without fuzzification in the proposed model, data access control scheme [25] and data access time of the DPP model [26]. Next, Fig. 17 presents the comparative execution time of the noise removal with fuzzification in the proposed model; data access control scheme [25] and data access time of the DPP model [26].

Algorithmic behavior and performance evaluation
IoT components, such as sensors, actuators, etc., have limited computing capabilities and are not suitable for performing complex computing operations. The comparative analysis shown in Table 9 indicates that the proposed model without fuzzifier has around 52-77% and 46-70% less computational overhead than the data access controls scheme and DPP model, respectively. The proposed model with the fuzzifier has around 48-73% and 31-63% less computational overhead than the data access controls scheme and DPP model, respectively. Given the critical research problem of developing a systematic model to ensure end-to-end privacy against various threats for resource-constrained IoT environments, which is the main objective of the proposed NBPPM model, this analysis of the computational overhead for resource-constrained IoT environments shows the efficiency of the NBPPM model. As an IoT environment deals with a massive amount of data, it is crucial to consider computational time for performance measurement. The integrated multi-dimensional relationship of sensitivity levels of personally identifiable information items, privacy, and trust (Eq. (4)) allowed the author to devise Eq. (9). It is believed that the efficiency of a privacy-preserving algorithm increases as there is a decrement in the computational time (ω) of that algorithm, and trust value will increase with the increment in the effectiveness of the privacy-preserving algorithm. In terms of computational time, the Noise Removal and Fuzzification Mechanism's efficacy can be seen in the comparative analysis with the given existing mechanism.

Fig. 16 Comparative analyses of the execution time of the proposed model without fuzzifier, data access control scheme [25] and DPP model [26]
Fig. 17 Comparative analyses of the execution time of the proposed model with fuzzifier, data access control scheme [25] and DPP model [26]
In particular, the findings presented show that computational time is less in our noise removal mechanism compared to the encryption-based mechanisms. A privacy customization feature has been incorporated for the user, and comparative analysis with this feature also shows better performance. The experimental results presented in "Results and discussion" validate the feasibility and applicability of the novel NBPPM model for privacy preservation in the real-world and resource-constrained environment of the Internet of Things.

Security and privacy analysis
The proposed NBPPM model ensures security and privacy through Multilevel Noise Treatment and Fuzzification. The privacy of the data is ensured by adding noise. The noise is sub-divided into three sub-keys as described in "Multilevel noise treatment". Sub-noises P_1, P_2 and P_3 are privately shared with the Data-Source, middleware and data storage server, respectively. The proposed Multilevel Noise Treatment Mechanism stores sensed IoT parameter D as noisy data addends. At the data-source, every sensed parameter is converted into noisy data and then split into meaningless noisy data addends, so it is difficult to know the original data without the sub-key P_1 and the operator used to treat the source data with the noise P_1. Further, in the proposed model, a user-customized data classifier is employed to protect sensitive data with a higher level of privacy preservation. At middleware, complexity increases for an eavesdropper to know the original sensed parameter due to the requirement of sub-noises P_1 and P_2 and the operators used to treat the source data with the noise P_1 and P_2. At long-term data storage (such as cloud), it is extremely complex due to the requirement of all three sub-noises and the operators used to treat the source data with the noise P_1, P_2 and P_3. A comprehensive status of an instance of data at different levels within the NBPPM model, i.e., data before and after privacy preservation, is shown in Table 10. Furthermore, an attacker could use vulnerabilities such as a weak credential mechanism to gain access to the data. If a user requests data by sending a data request for IoT parameter (D) (containing data field identifier (F_i), timestamp, and unique username), the authentication mechanism is used in our proposed model to authenticate the user, and thereby the non-legitimate user cannot access the sensitive data. An access control list (ACL) is maintained for usernames and their credentials.
Even if, at this level, an eavesdropper succeeds in accessing noisy data addend, then privacy will still be preserved since noisy data addends are meaningless. After the successful authentication, only a legitimate user will be able to access noisy data addends. Our proposed Noise Removal and Fuzzification Mechanism also provides flexible and dynamic ways to preserve privacy through the privacy manager module. A user can customize his/her sensitive attributes and level of the sensitivity of their data. Based on the privacy customization, a user-specific privacy preservation environment will be created by the fuzzifier module. A comparative analysis of different frameworks for privacy preservation in IoT is presented in Table 11.
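The three-tier flow described above can be sketched as follows. This is an added illustration, not the authors' implementation: modular addition as the treatment operator, the value space M, treating every addend at the middleware and storage tiers, and all function names and sample values are assumptions made here, since the operators themselves are defined in "Multilevel noise treatment".

```python
import secrets

M = 2**32  # assumed value space for a sensed parameter (not from the paper)

def treat(value, sub_noise):
    """Assumed operator: modular addition of a tier's sub-noise."""
    return (value + sub_noise) % M

def untreat(value, sub_noise):
    """Inverse of the assumed operator."""
    return (value - sub_noise) % M

def split_addends(noisy, count=3):
    """Split a noisy value into `count` random addends that sum to it mod M."""
    parts = [secrets.randbelow(M) for _ in range(count - 1)]
    parts.append((noisy - sum(parts)) % M)
    return parts

def data_source(d, p1):
    """Tier 1: treat D with P1, then split into noisy data addends."""
    return split_addends(treat(d, p1))

def middleware(addends, p2):
    """Tier 2 (assumed): treat every addend with P2."""
    return [treat(a, p2) for a in addends]

def storage(addends, p3):
    """Tier 3 (assumed): treat every addend with P3 before long-term storage."""
    return [treat(a, p3) for a in addends]

def remove_noise(stored, p1, p2, p3):
    """Undo the tiers in reverse order; needs all three sub-noises."""
    at_middleware = [untreat(a, p3) for a in stored]
    at_source = [untreat(a, p2) for a in at_middleware]
    return untreat(sum(at_source) % M, p1)

def demo():
    d = 98  # constructed reading, e.g. a heart rate
    p1, p2, p3 = 0x1111, 0x2222, 0x3333  # constructed sub-noises
    stored = storage(middleware(data_source(d, p1), p2), p3)
    full = remove_noise(stored, p1, p2, p3)
    partial = remove_noise(stored, p1, p2, 0)  # P3 unknown to this party
    return d, stored, full, partial

if __name__ == "__main__":
    d, stored, full, partial = demo()
    print("stored addends:", stored)
    print("all sub-noises:", full, "| without P3:", partial)
```
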

Applicability in real life applications
The proposed NBPPM model can be used in all real-life IoT applications, especially in application domains where data sensitivity is high. This subsection illustrates a real-life example of the NBPPM model in an IoT-based healthcare system. A typical IoT-based healthcare system involves patient(s), doctor(s), hospital(s), and IoT-based service(s). In this IoT ecosystem, a patient is the user of the IoT-based healthcare system. A patient can be equipped with sensors that sense the patient's health parameters, and a mobile app enables the patient to use IoT-based healthcare services. The doctor and hospital act as service providers. A hospital may use third-party services such as cloud services to store the massive amount of IoT data produced. In this scenario, the patient's data are sensitive because health-related parameters are being sensed. The sensitivity of these health-related parameters may vary from patient to patient: some patients may want to keep their data private because, for them, the sensed health parameters are highly sensitive, while for other patients the sensed health parameters are less sensitive. In this situation, the proposed NBPPM model may play a significant role in preserving privacy. An NBPPM model-based IoT healthcare system preserves user privacy at different levels of the IoT ecosystem, as described in "Security and privacy analysis".

Limitations and future scope
Several different modifications, experiments, and analyses have been left for the future due to the study's broad research scope. Future work may focus on in-depth analysis of the particular mechanisms with new proposals to try different enhanced strategies. The following subsection emphasizes the potential future scope for improvement and research directions.

Applicability and scope of the proposed solution with emerging domains
Evolutionary computation, i.e., a Genetic Algorithm (GA) based obfuscation mechanism, could be applied in the proposed model. The crossover and mutation phases can play a significant role in suppressing sensitive information in the IoT ecosystem, and managing the mutation phase to regenerate information can be a challenging step. Still, it will be interesting to develop and analyze the behavior of these kinds of optimization techniques. Machine Learning has the potential for real-time automation, intelligent processing, and analysis of high volumes of data. The data classification mechanism of the proposed Noise-Based Privacy-Preserving Model can exploit this predictive power of Machine Learning. This predictive power may assist in identifying sensitive information in the IoT ecosystem and will reduce human intervention. In the future, Machine Learning-based mechanisms may be incorporated in the proposed model and their behavior analyzed.
Accountability is an important feature that can enhance every privacy preservation mechanism by rendering control over sensitive personal information. A procedure that keeps the history of all logs (such as a chain of all paths along which sensitive data have traveled and the details of the data-accessing entity) can be incorporated with the proposed model but will increase computational and space overhead. A future study can be conducted to incorporate this aspect.
There is a tradeoff between the Quality of Service (QoS) provided to the user and the user data consumed by the service provider. In the Noise-Based Privacy-Preserving Model, a sub-module (Privacy Manager) plays a crucial role in customizing user privacy, and privacy is ensured through the fuzzification process when data are transferred between the user and the service provider. There is scope to further optimize the membership function for the specific application and case study.
Along with the study's future scope, the following are emerging domains where proposed solutions can be employed:

Edge computing and fog computing
Edge computing and fog computing both move computational capabilities closer to the data source, so these paradigms may move data intelligence and data analytics near the IoT ecosystem's data sources. In future work, such approaches may be adopted in our proposed privacy-preserving model to distribute trust with enhanced privacy protection in the IoT ecosystem.
It will be interesting to develop and study the architectural integration of edge and fog computing in the privacy-preserving IoT ecosystem, privacy-preserving edge and fog data processing, and management of edge and fog nodes in the frameworks.

Blockchain
An adversary can infer significant information about users from blockchain-based IoT networks. These systems need specific privacy-protection plans to preserve personal and device privacy. A critical factor that causes privacy leakage in a blockchain network is address reuse. Public addresses of blockchain users are open to anyone in the network, and an adversary can easily access these addresses through internet access. A perfectly anonymous transaction in the blockchain is unlikely without a particular privacy-preservation plan. Also, linking attacks can be performed over the distributed ledger, which contains a copy of the transactions [49]. The proposed model can be applied to preserve privacy in this scenario, and these use cases are a further future scope of the study.

Fifth Generation technology
The recently emerging Fifth Generation (5G) technology is expected to transform every area of life by connecting everything, everywhere, by employing IoT devices. However, massively interconnected devices and high-speed data communication will bring the challenges of privacy and energy insufficiency. 5G industries and organizations require privacy preservation for their endurance and competency. Moreover, the billions of devices expected to communicate using the 5G network will spend a considerable amount of energy despite having confined energy resources. Hence, energy optimization is a future challenge confronting 5G industries that needs to be addressed [50]. In this case, our proposed privacy-preserving model can be integrated with 5G technology, and it will be interesting to study improved privacy together with energy resource optimization in this specific use case.

Autonomous vehicles
Emerging complex cyber-physical systems (CPS) such as autonomous vehicles are equipped with different sensors and intelligent logic to provide advanced auxiliary services. Due to their sensors and onboard intelligence, such vehicles gather, analyze, and capitalize upon an unprecedented quantity of fine-grained data and cooperate in real time with various stakeholders. However, such valuable data can significantly impact data-driven economies of scale, which raises questions concerning privacy and integrity-dependent situations [51]. The future scope of our proposed study is the measurement of real-time performance with autonomous vehicles, and it should cover a study of the balance between privacy preservation and quality of service in this specific use case.

Conclusion
The NBPPM model has been presented to address critical issues of privacy preservation in the IoT ecosystem. The proposed model ensures end-to-end privacy preservation in the IoT environment. The NBPPM is a robust and flexible model that ensures privacy preservation according to the user's preferences. The performance of the proposed NBPPM model has been evaluated in terms of computation overheads. Our experimental results show that the computational cost of NBPPM is reasonably low in practical scenarios. In this article, the feasibility of the proposed model has been demonstrated for the IoT's resource-constrained environment. An exciting direction for future work on the NBPPM model may be incorporating accountability procedures at the appropriate levels to enhance control over personal information in the IoT environment. The outcomes of this work may have a significant effect on IoT-based industries.

Conflicts of interest
The authors declare that they have no conflict of interest.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.