INTRUSION DETECTION AND SELF-RECOVERY

SYSTEM Namita Singh

Uday Singh

Computer Science & Engineering Department A.I.E.T, LUCKNOW

namitasingh02@gmail.com

Abstract

Wireless Sensor Networks (WSNs) are the collection

of self – organizing sensor nodes deployed in various

physical environments statically or dynamically

depend upon the application. In wireless environment

these sensor nodes are defenseless or vulnerable

against attacks. Wireless sensor networks (WSNs)

have become one of the most promising and

interesting areas over the past few years. But the

properties of constrained resources make WSNs

vulnerable to different types of intrusions such as

Denial of Service (DoS) attacks which result in a

large number of compromised nodes. For success

application of ubiquitous WSN it is important to

maintain the basic security. However, there is not an

effective intrusion detection and self-recovery system to eliminate the harm of DoS attacks. To solve the

problem, an agent-based intrusion detection and self-

recovery system for WSNs is proposed, which adopts

the distributed architecture to monitor intrusion

activities and realize abnormal events processing in

local nodes. Finally, the system is analyzed and

verified. The simulation results indicate that the

compromised nodes can self-recover effectively and

network total energy consumption also is reduced

effectively.

Keywords:DoS attacks; Self-recovery; Intrusion

detection; Wireless sensor network

1. Introduction

Wireless sensor network (WSN) is a network

consisting of geographically distributed autonomous

devices with sensors to attentively monitor physical

or environmental conditions, such as temperature,

sound, vibration, pressure, motion, at different

geographical locations. Wireless Sensor Networks

(WSNs) are ideal candidates for monitoring

environments in a wide variety of applications such

as military surveillance and forest fire monitor,

animal identification etc. Wireless sensor networks

(WSNs) are developing rapidly and have become a

promising technology recently. Wireless sensor

networks are deployed in target area for monitoring

different events and environment in cooperative by

use of many small sensors, which are small size, limited battery power, low memory and

computational capability [1-3].

Currently, wireless sensor networks are widely

applied in military surveillance and target tracking,

disaster detection and relief, industry, agriculture,

intelligent buildings and so on [4-5]. WSNs are

different from conventional wired and wireless

networks. WSNs are usually deployed in

unsupervised and hostile environments. WSNS are

vulnerable to various attacks such as denial of service

(DoS) attacks, eavesdropping and signal jamming.

Therefore, such networks need to be secured than

other networks. Currently, many intrusion detection

techniques are proposed to identify intruders and

existing intrusion detection systems (IDS) are not

adequate to protect wireless sensor networks from all

kinds of inside and outside attackers. However, none

of them are complete. For example, they cannot

avoid compromised nodes produced by DoS attacks

[7-9].

Namita Singh et al , International Journal of Computer Science & Communication Networks,Vol 4(3),111-118

111

ISSN:2249-5789

2. Intrusion Detection System

Intrusion detection system is the system or tool or

any intelligent computing algorithm that has been

designed to monitor and detect unauthorized

activities or malicious activities (attacks) in wired or wireless networks (Wireless Sensor Networks/Mobile

Ad-hoc Networks). Wireless sensor networks are

distributed in nature, so here the intrusion detection

system is called as Distributed intrusion detection

system (DIDS).

Figure1: Network Models: Hierarchical and

Distributed Wireless Sensor Networks.

The sinkhole attack was implemented on the compromisednodes as follows.

Ensure: sinkhole attack performed

ifcurrentTime ∈sinkholeAttackWindow then

dest←baseStationAddress

RequestRoute(dest)

forgedRoute← SetHQRoute(routingProtocol)

ForceHighQualityRoute(dest, forgedRoute)

end if

On the compromised node, during routing activities

no malicious behavior is performed until the attack time window is reached. In the sinkhole attack time

window the attacker requests nodes in the network to

advertise their route to the WSN base station. After

sending this request, the compromised node answers

by sending a message where it claims itself to be

long a high quality route in term of metrics of the

routing protocol being used, e.g. low hop count and

high sequence number for AODV routing protocol

[16].Distributed intrusion detection system workson

individual wireless sensor nodes as an intrusion

detection agent module to detect the vulnerabilities,

attacks and decisions will be taken in distributed

manner with the help of local and global agents. [12].

3. Attacks and Compromised nodes

Normally wireless networks are more vulnerable

against the attacks like Denial of Service (DOS)

which causes for Black hole attack, Sybil attack,

Wormhole attack, Selective forwarding attacks,

Jamming attacks etc. This is the serious problem in

wireless sensor networks. A packet drop attack or

black hole attack is a type of denial-of service attack

in which a node supposed to relay packets discards

them instead. This usually occurs from a node

becoming compromised from a number of different

causes. Because packets are routinely dropped from a

lossy network,the packet drop attack is very hard to

detect and prevent. The adversary can make multiple

compromised nodes in its Black hole intercepted

region. Also the intruder can sense or read the secret

data from compromised wireless sensor node

(Compromised Node-CN) easily. [8]

The two main categories that we use for classifying

physical attacks are (1) the degree of control over the

sensor node the attacker gains; and (2) the time span

during which regular operation of a node is

interrupted.

.

Figure 2: Design space for physical attacks on sensor

nodes

Namita Singh et al , International Journal of Computer Science & Communication Networks,Vol 4(3),111-118

112

ISSN:2249-5789

4. Agent-based intrusion detection and self-

recovery

When sensor nodes are attacked, the agent-based

intrusion detection and self-recovery system will

monitor the compromised nodes and do self-recovery. The intrusion detection and self-recovery

algorithm is illustrated in Figure 6. The algorithm

includes three steps: anomaly detection, anomaly

decision and anomaly recovery. Anomaly based

compares the systems normal profile with the current

activity. In this paper, we have described several

existing approaches based on anomaly intrusion

detection technique.

4.1 Anomaly Intrusion Detection based on OSI Layer

In [9] there is description of intrusion detection based

on anomaly in multiple layers. The paper tried to

detect intrusion based on multiple OSI layers to

reduce the false alarm rates.

Figure 3: Sensor nodes scattered in a sensor field.

Data are routed back to the end user by a

multihopinfrastructureless architecture through the

sink as shown in Fig. 4. The sink may communicate

with the task manager node via Internet or Satellite.

The protocol stack used by the sink and all sensor

nodes is given in Fig. 4. This protocol stack

combines power and routing awareness, integrates

data with networking protocols, communicates power

efficiently through the wireless medium, and

promotes cooperative efforts of sensor nodes.

The protocol stack consists of the application layer,

transport layer, network layer, data link layer,

physical layer, power management plane, mobility

management plane, and task management plane.

Depending on the sensing tasks, different types of

application software can be built and used on the

application layer.

The transport layer helps to maintain the flow of data

if the sensor networks application requires it. The

network layer takes care of routing the data supplied by the transport layer. Since the environment is noisy

and sensor nodes can be mobile, the MAC protocol

must be power aware and able to minimize collision

with neighbors’ broadcast.

The physical layer addresses the needs of a simple

but robust modulation, transmission and receiving

techniques. In addition, the power, mobility, and task

management planes monitor the power, movement,

and task distribution among the sensor nodes. These

planes help the sensor nodes coordinate the sensing

task and lower the overall power consumption.

Figure 4: The sensor networks protocol stack.

The power management plane manages how asensor

node uses its power.The mobilitymanagement plane

detects and registers themovement of sensor nodes,

so a route back to theuser is always maintained, and

the sensor nodescan keep track of who are their

neighbor sensornodes. By knowing who the neighbor

sensor nodes are, the sensor nodes can balance their

powerand task usage. The task management plane

balancesand schedules the sensing tasks given to

aspecific region. Not all sensor nodes in that

regionare required to perform the sensing task at the

same time. As a result, some sensor nodes perform

the task more than the others depending on

theirpower level. These management planes are needed, so that sensor nodes can work together in a

power efficient way, route data in a mobile sensor

network, and share resources between sensor nodes.

Without them, each sensor node will just

workindividually.[18]

4.1.1 Physical Layer: Received Signal Strength

Indicator (RSSI) value is used at the physical layer.

Namita Singh et al , International Journal of Computer Science & Communication Networks,Vol 4(3),111-118

113

ISSN:2249-5789

During the neighbor discovery, each node records the

RSSI value received from its neighbor. Therefore,

any node receiving packet with unexpected RSSI

value will generate an alarm. However, there is a

chance of high positive false alarm because RSSI

value is affected with the background noise.

4.1.2 Mac Layer: At Mac layer, the authors

proposed to use time scheduling algorithm such as

TDMA to allocate the time slot to each node and

SMAC to allocate wake and sleep schedule. If node

A received packets from node B at the time when B

is supposed to sleep then alarm will be raised.

4.1.3 Routing Layer: At the routing layer, they have

used forwarding tables generated by the routing

protocol. And they have also proposed a protocol

named information authentication for sensor network

(IASN). The protocol works on authenticating

information rather than authenticating nodes. That

means, a node keeps track on its neighbors and knows what kind of information it expects from its

neighbors. As an example, if a node receives a packet

from node B but it is expecting the packet from node

C then an anomaly is detected. In the paper, they

have also shown how IASN works with routing

protocols like DSR, DSDV and directed diffusion.

The networking layer of sensor networksis usually

designed according to the followingprinciples:

• Power efficiency is always an important consideration.

• Sensor networks are mostly data centric.

• Data aggregation is useful only when it does

nothinder the collaborative effort of the sensornodes.

• An ideal sensor network has attribute-based

addressingand location awareness.

One of the following approaches can be used toselect

an energy efficient route. [17]

Figure 5: The power efficiency of the routes.

We use Fig. 5 to describe each of these approaches,

where node T is the source node that senses the

phenomena. It has the following four possible routes

to communicatewith the sink:

• Route 1: Sink-A-B-T, total PA= 4, total ɑ = 3,

• Route 2: Sink-A-B-C-T, total PA=6, total ɑ=6,

• Route 3: Sink-D-T, total PA=3, total ɑ= 4,

• Route 4: Sink-E-F-T, total PA=5, total ɑ= 6,

Where PA is the available power and ɑi, the energy

required to transmit a data packet through therelated

link.

4.1.4 Application Layer: At application layer, they

have proposed mutual guarding techniques. In the

mutual guarding technique, the author described

about nodes guarding each other and also mentioned

about four nodes guarding each other.

4.2 Anomaly Intrusion Detection based on Sliding

Window

In [10], the authors have introduced an intrusion

detection algorithm to consider the node

impersonation attack and route depletion attack.

Their detection algorithm is based on the sliding

window approach where N packets are buffered. If

the comparison of the rate of the N received packets

and rate of the previous N received packet is greater

Namita Singh et al , International Journal of Computer Science & Communication Networks,Vol 4(3),111-118

114

ISSN:2249-5789

than a threshold value then the alarm is triggered. But

the algorithm fails to mitigate all the security threats.

4.3 Anomaly Intrusion Detection based on rules

In [11], the authors have proposed several rules to

detect anomaly. The rules are:

Interval Rule: A failure is detected if two

consecutive message receptions are smaller or

greater than the allocated time.

Retransmission Rule: A failure is detected if

the node is not forwarding the message. This rule

can detect black hole and selective forwarding attack.

Integrity Rule: A failure is raised if an attacker

modifies the message payload.

Delay Rule: A failure is detected if the message

is not delivered on due time.

International Journal of Advanced Repetition Rule:

This rule detects denial of service attack where a

failure is detected if the same message is sent by

node several times than expected.

Radio Transmission Range: A failure is raised

if the message is received from the other node

except from one of its neighbor. All the message

listened by monitor node must be originated by

one its neighbor.

Jamming Rule: The number of collisions associated with a message must be lower than

the expected number of collisions.

They have implemented IDS in some of the nodes

called monitor node. Monitor node will act as an

ordinary node and also it will detect intrusion in three

phases. Phase 1 will collect data and send it to the

phase 2 to check the data by predefined rules and

then intrusion alarm is raised at phase 3.

4.4 Anomaly Intrusion Detection based on Delta

Grouping Algorithm

Li, He and Fu in [12] proposed a group based IDS

which is based on anomaly detection technique. They

have used delta grouping algorithm to partition the

network into groups and then run the detection

algorithm on each groups. At first, the whole sensor

nodes are deployed in the network and then the delta

algorithm is applied to partition the network and then

IDS is applied on each group.

4.5 Anomaly Intrusion Detection for Black Hole

Attack

In [13], the authors have proposed their own IDS

algorithm to detect black hole and selective

forwarding attack and they have proposed two rules

to detect anomaly:

Rule 1: If the node A send a packet to node B than it

stores the packet in its buffer and watch whether B forwards it or not. If B doesn’t then increment then

counter by one or delete the message. If the failure

count is more than the threshold value, an alarm will

be raised.

Rule 2: If the majority of the monitor nodes have

raised an alert then the target node is compromised

and should be revoked or should be notified by the

base station. Based on their rules, they have proposed

an IDS block that is implemented in all the sensor

nodes.

They proposed an IDS agent in each sensor node and

their IDS agent consists of following:

Local responses

Cooperative detection engine.

Communication

Local packet monitoring

Local detection engine

Local responses send the response to the base station

if any anomaly is found. In cooperative detection

engine phase, if any of the node detects the intrusion then it shares information with the other nodes to

reduce the false alarm rates. However, the local

packet monitoring phase monitors the packet and

sends the data to the detection engine phase to detect

the intrusion to detect the anomaly based on their

unexpected behavior.

By the characters of wireless sensor networks and the

differences between common nodes and cluster

headers, each agent has different tasks and its

strategy of detection is also different. These agents’

carries the new detection method can cooperate with

each other, which would make our system have the

Namita Singh et al , International Journal of Computer Science & Communication Networks,Vol 4(3),111-118

115

ISSN:2249-5789

advantages of high detection rate, good expansibility

and lower cost.

Figure 6: Flow chart of intrusion detection and self-

recovery algorithm

5. Anomaly detection

When the sensor nodes in wireless sensor networks

are compromised by DoS attack, the number of data

packets sent will increase obviously in order to

exhaust the nodes’ energy quickly and lose the ability

to monitor targets. It is a serious problem, especially

when wireless sensor network is deployed in a hostile

area. Thus recovered to normal as soon as possible.

The model includes sink node agent (SNA), cluster

head agent (CHA) and member node agent (MNA).

Each agent is a set of functionality and predefined

processing u each node has been assigned a unique

identifier. Therefore using D (i) represents each node.

MNA in member node continuously monitors the packets from sensors and sends these packets to CHA

in cluster head in a certain time interval. The packets

detected from node i are message (i) = {ID(i),

Message}. At the same time, MNA will count the

number of message (i) sent by itself and CHA will

count the number of message (i) sent by MNA. CHA

know how many messages each node in its cluster

should send. It is expressed by count (i). Therefore,

when the node in its cluster sends excessive

messages, CHA will be able to know whether the

node is anomaly attacked. In CHA, athreshold is set

for judging and distinguishing the nodes between

normal and compromised. M (i) is the maximum

number that cluster head can receive messages from

node i. That is, when the number of messages

received from node i is larger than M (i), the node i is

doubt to be compromised and will be anomaly

decided by CHA in its cluster head.

6. Anomaly decision

After anomaly detection, CHA will be monitoring

and analyzing the node in order to confirm whether

the node is not truly compromised. Anomaly decision

mechanism is the average of count (i) in the T time

intervals. When the node continuously sends

excessive messages, the average of count (i) in the T

time intervals will be larger than normal the average.

Therefore, normal average threshold is set as A(i).

When the average of count (i) in the T time intervals

exceeds A(i), the node i is considered compromised truly and need to recover itself based on recovering

instructions given by CHA.

7. Anomaly recovery

Recovering instructions based on the knowledge base

in cluster head. In the knowledge base, initial

metadata for sensor nodes are stored and maintained.

These initial metadata describe the attributes,

configuration information and restart parameters of

each node. The CHA will use these initial metadata to enforce the compromised node to recover.

Recovery methods in this paper include micro-reboot

and reboot: 1) When nodes are compromised

commonly, micro-reboot will be implemented based

the configuration information provided by CHA in its

cluster head. The micro-reboot is a fast reboot

method and reduces the energy consumption

comparing with reboot. 2) When nodes are

compromised seriously, reboot will be carried out

based the restart parameters provided by CHA in its

cluster head.

8. Experiments and results

Currently the existing agent-based intrusion detection

and self-recovery system for WSN are lack of

abilities of formal reasoning and verification. Based

on our proposed network model and intrusion

detection model, the performance of the intrusion

detection and self-recovery algorithm was evaluated

and analyzed to check the rationality.

In the experiments, the wireless sensor networks

consist of 1 sink node, 5 cluster head and 20 member

nodes. Each cluster includes 4 member nodes. We

Namita Singh et al , International Journal of Computer Science & Communication Networks,Vol 4(3),111-118

116

ISSN:2249-5789

will investigate the total energy consumption of our

proposed agent-based intrusion detection and self-

recovery system and nonuse of intrusion detection

system when the number of compromised nodes

increases from 1 to 8. The total energy consumption

based on different method is illustrated in Figure 3.

Figure 7: The total energy consumption based on

different method

From Figure 7, it is obvious that our proposed agent-

based intrusion detection and self-recovery system

can reduce the energy consumption obviously as the

number of compromised nodes increases. It is due to

our proposed agent-based intrusion detection and

self-recovery system finding the compromised nodes

and recovering them, consequently the rate of data

transmitted between cluster head and member nodes is normal. However, the rate of data transmitted in

compromised nodes is high and the node consumes a

great deal of energy. If the compromised nodes

cannot be discovered and recovered as fast as

possible, the compromised nodes will exhaust the

energy of wireless sensor networks.

The relationship of processing time delay using

agent-based intrusion detection and self-recovery

system and the number of compromised nodes is

presented in Figure 8. It is obvious that processing

time delay of our proposed agent-based intrusion

detection and self-recovery system increases as the

number of compromised nodes increases. However,

when the number of compromised nodes keeps on increasing, the increasingrate of the processing time

delay becomes slower. It is due to our proposed

method overcoming network latency by means of

carry out operations directly at the target sensor

nodes.

Figure 8: Relationship of processing time delay & the

number of compromised nodes

9. Conclusion

In this paper, we have proposed an agent-based

intrusion detection and self-recovery system in order

to eliminate the DoS attacks and make the

compromised nodes self-recover. At the same time,

its performance of the total energy consumption and

processing time delay is analysed. Simulation results

shows than the proposed agent-based intrusion

detection and self-recovery system can reduce the

energy consumption obviously and achieve effective

network recovery performance.

The proposed system in this paper is also a comprehensive model which has some main

properties such as robustness, scalability and

extensibility along with environment changes and its

new conditions. Wireless sensor networks are

vulnerable to several attacks because of their

deployment in an open and unprotected environment.

This paper describes the major security threats in

WSN and also describes different intrusion detection

techniques. Moreover, the paper also describes

several existing approaches to find out how they have

implemented their intrusion detection system.

References

[1]. I. F. Akyildiz, Su Weilian, Y. Sankarasubramaniam, “A survey on sensor networks,” IEEE Communications

Magazine, 2002, 40(8):102-114.

[2].Xiaojiang Du Hsiao-Hwa Chen, “Security in wireless sensor networks”. Wireless Communications, 2008,

15(4):60- 66.

[3]..R.Nakkeeran, T. Aruldoss Albert and R.Ezumalai,“Agent Based Efficient Anomaly

Namita Singh et al , International Journal of Computer Science & Communication Networks,Vol 4(3),111-118

117

ISSN:2249-5789

IntrusionDetection System in Ad hoc networks”. IACSIT

International Journal of Engineering and Technology,2010, 2(1):1793-8236.

[4]. GuoBin,LiZhe, “United voting dynamic cluster routing

algorithm based on residual-energy in wireless sensor

networks”. Journal of Electronics & Information Technology. 2007, 29(12):3006-3010.

[5] J. Yick, B. Mukherjee and D. Ghosal, “Wireless Sensor

Network Survey,” Elsevier’s Computer Networks Journal, 2008, 52(12):2292-2330..

[6]. S. Mohammadi, R. A. Ebrahimi and H.

Jadidoleslamy,“A Comparison of Link Layer Attacks on Wireless Sensor Networks,” Journal of Information

Security, 2011, 2(2): 69-84.

[7] S. Mohammadi, R. A. Ebrahimi and H. Jadidoleslamy,“A Comparison of Routing Attacks on

Wireless Sensor Networks,” Journal of Information

Assurance .

[8] Tao Shu, Marwan Krunz, and Sisi Liu, “Secure Data

Collection in Wireless Sensor Networks Using

Randomized Dispersive Routes”, IEEE transactions on

mobile computing. July. 2010.

[9] Shanshan Chen, Geng Yang and Shengshou Chen, “A

Security Routing Mechanism against Sybil Attack for

Wireless Sensor Networks”, IEEE int. conf, 2010.

[10]Kemal Akkaya and Mohamed Younis,” A survey on

routing protocols for wireless sensor networks”, Elsevier

Feb.2003.

[11]Ali Modirkhazeni, NorafidaIthnin and Othman

Ibrahim, “Secure Multipath Routing Protocols in Wireless

Sensor Networks: A Security Survey Analysis”, IEEE int. conf.2010.

[12] www.wikipedia.org/ wireless sensor networks,

intrusion detection system.

[13] V. Bhuse, A. Gupta, “Anomaly intrusion detection in

wireless sensor network” Journal of High Speed Networks,

Volume 15, Issue 1, pp 33-51, Jan 2006.

[14]. An intrusion detection system for wireless sensor

networks Onat, I.; Miri, A. Wireless And Mobile

Computing, Networking And Communications, 2005. (WiMobapos;2005), IEEE International Conference on

Volume 3, Issue , 22-24 Aug. 2005

[15] A. da Silva, M. Martins, B. Rocha, A. Loureiro, L. Ruiz, and H. Wong, “Decentralized intrusion detection in

wireless sensor networks”, Proceedings of the 1st ACM

international workshop on Quality of service & security in

wireless and mobile networks- 2005.

[16] C. Perkins, E. Royer, and S. Das, “RFC 3561 Ad

hocOn-Demand Distance Vector (AODV) Routing,” Tech.

Rep.,2003.[Online].Available:http://tools.ietf.org/html/rfc3

561.

[17] Y.H. Nam et al., Development of remote diagnosis

systemintegrating digital telemetry for medicine,

InternationalConference IEEE-EMBS, Hong Kong, 1998,

pp. 1170–1173.

[18] E. Shih, S. Cho, N. Ickes, R. Min, A. Sinha, A. Wang,

A.Chandrakasan, Physical layer driven protocol and

algorithmdesign for energy-efficient wireless sensor networks,Proceedings of ACM MobiCom’01, Rome, Italy,

July2001, pp. 272–286.

Namita Singh et al , International Journal of Computer Science & Communication Networks,Vol 4(3),111-118

118

ISSN:2249-5789