INTRUSION DETECTION AND SELF-RECOVERY SYSTEM
Namita Singh
Uday Singh
Computer Science & Engineering Department, A.I.E.T, Lucknow
Abstract
Wireless Sensor Networks (WSNs) are collections of self-organizing sensor nodes deployed statically or dynamically in various physical environments, depending on the application. In a wireless environment these sensor nodes are defenseless and vulnerable to attacks. WSNs have become one of the most promising and interesting areas over the past few years, but their constrained resources make them vulnerable to different types of intrusions, such as Denial of Service (DoS) attacks, which result in a large number of compromised nodes. For the successful application of ubiquitous WSNs it is important to maintain basic security. However, there is no effective intrusion detection and self-recovery system to eliminate the harm of DoS attacks. To solve this problem, an agent-based intrusion detection and self-recovery system for WSNs is proposed, which adopts a distributed architecture to monitor intrusion activities and process abnormal events in local nodes. Finally, the system is analyzed and verified. The simulation results indicate that the compromised nodes can self-recover effectively and that the network's total energy consumption is also reduced effectively.
Keywords: DoS attacks; Self-recovery; Intrusion detection; Wireless sensor network
1. Introduction
A wireless sensor network (WSN) is a network consisting of geographically distributed autonomous devices with sensors that attentively monitor physical or environmental conditions, such as temperature, sound, vibration, pressure and motion, at different geographical locations. WSNs are ideal candidates for monitoring environments in a wide variety of applications such as military surveillance, forest fire monitoring, animal identification etc. WSNs are developing rapidly and have recently become a promising technology. They are deployed in a target area to monitor different events and the environment cooperatively, using many small sensors that have small size, limited battery power, low memory and limited computational capability [1-3].
Currently, wireless sensor networks are widely applied in military surveillance and target tracking, disaster detection and relief, industry, agriculture, intelligent buildings and so on [4-5]. WSNs are different from conventional wired and wireless networks: they are usually deployed in unsupervised and hostile environments and are vulnerable to various attacks such as denial of service (DoS) attacks, eavesdropping and signal jamming. Therefore, such networks need to be secured more carefully than other networks. Currently, many intrusion detection techniques have been proposed to identify intruders, but existing intrusion detection systems (IDS) are not adequate to protect wireless sensor networks from all kinds of inside and outside attackers; none of them is complete. For example, they cannot avoid the compromised nodes produced by DoS attacks [7-9].
Namita Singh et al , International Journal of Computer Science & Communication Networks,Vol 4(3),111-118
111
ISSN:2249-5789
2. Intrusion Detection System
An intrusion detection system is a system, tool or intelligent computing algorithm designed to monitor and detect unauthorized or malicious activities (attacks) in wired or wireless networks (Wireless Sensor Networks/Mobile Ad-hoc Networks). Wireless sensor networks are distributed in nature, so here the intrusion detection system is called a Distributed Intrusion Detection System (DIDS).
Figure 1: Network Models: Hierarchical and Distributed Wireless Sensor Networks.
The sinkhole attack was implemented on the compromised nodes as follows.
Ensure: sinkhole attack performed
  if currentTime ∈ sinkholeAttackWindow then
    dest ← baseStationAddress
    RequestRoute(dest)
    forgedRoute ← SetHQRoute(routingProtocol)
    ForceHighQualityRoute(dest, forgedRoute)
  end if
On the compromised node, no malicious behavior is performed during routing activities until the attack time window is reached. In the sinkhole attack time window the attacker requests nodes in the network to advertise their route to the WSN base station. After sending this request, the compromised node answers by sending a message in which it claims to lie along a high quality route in terms of the metrics of the routing protocol being used, e.g. low hop count and high sequence number for the AODV routing protocol [16]. A distributed intrusion detection system works on individual wireless sensor nodes as an intrusion detection agent module to detect vulnerabilities and attacks, and decisions are taken in a distributed manner with the help of local and global agents [12].
3. Attacks and Compromised nodes
Normally wireless networks are more vulnerable to attacks like Denial of Service (DoS), which gives rise to the black hole attack, Sybil attack, wormhole attack, selective forwarding attack, jamming attack etc. This is a serious problem in wireless sensor networks. A packet drop attack or black hole attack is a type of denial-of-service attack in which a node that is supposed to relay packets discards them instead. This usually results from a node becoming compromised for any of a number of different causes. Because packets are routinely dropped in a lossy network, the packet drop attack is very hard to detect and prevent. The adversary can create multiple compromised nodes in the region intercepted by its black hole. The intruder can also easily sense or read the secret data from a compromised wireless sensor node (Compromised Node, CN) [8].
The two main categories that we use for classifying physical attacks are (1) the degree of control over the sensor node that the attacker gains; and (2) the time span during which regular operation of a node is interrupted.
Figure 2: Design space for physical attacks on sensor nodes
4. Agent-based intrusion detection and self-recovery
When sensor nodes are attacked, the agent-based intrusion detection and self-recovery system will monitor the compromised nodes and perform self-recovery. The intrusion detection and self-recovery algorithm is illustrated in Figure 6. The algorithm includes three steps: anomaly detection, anomaly decision and anomaly recovery. Anomaly-based detection compares the system's normal profile with the current activity. In this paper, we have described several existing approaches based on the anomaly intrusion detection technique.
4.1 Anomaly Intrusion Detection based on OSI Layer
In [9] there is a description of intrusion detection based on anomalies in multiple layers. The paper tried to detect intrusion based on multiple OSI layers in order to reduce the false alarm rate.
Figure 3: Sensor nodes scattered in a sensor field.
Data are routed back to the end user by a multihop infrastructureless architecture through the sink as shown in Fig. 4. The sink may communicate with the task manager node via Internet or satellite. The protocol stack used by the sink and all sensor nodes is given in Fig. 4. This protocol stack combines power and routing awareness, integrates data with networking protocols, communicates power efficiently through the wireless medium, and promotes cooperative efforts of sensor nodes.
The protocol stack consists of the application layer, transport layer, network layer, data link layer, physical layer, power management plane, mobility management plane, and task management plane. Depending on the sensing tasks, different types of application software can be built and used on the application layer.
The transport layer helps to maintain the flow of data if the sensor network application requires it. The network layer takes care of routing the data supplied by the transport layer. Since the environment is noisy and sensor nodes can be mobile, the MAC protocol must be power aware and able to minimize collisions with neighbors' broadcasts.
The physical layer addresses the need for simple but robust modulation, transmission and receiving techniques. In addition, the power, mobility, and task management planes monitor the power, movement, and task distribution among the sensor nodes. These planes help the sensor nodes coordinate the sensing task and lower the overall power consumption.
Figure 4: The sensor networks protocol stack.
The power management plane manages how a sensor node uses its power. The mobility management plane detects and registers the movement of sensor nodes, so that a route back to the user is always maintained and the sensor nodes can keep track of who their neighbor sensor nodes are. By knowing who the neighbor sensor nodes are, the sensor nodes can balance their power and task usage. The task management plane balances and schedules the sensing tasks given to a specific region. Not all sensor nodes in that region are required to perform the sensing task at the same time. As a result, some sensor nodes perform the task more than others depending on their power level. These management planes are needed so that sensor nodes can work together in a power efficient way, route data in a mobile sensor network, and share resources between sensor nodes. Without them, each sensor node will just work individually [18].
4.1.1 Physical Layer: The Received Signal Strength Indicator (RSSI) value is used at the physical layer. During neighbor discovery, each node records the RSSI value received from its neighbor. Therefore, any node receiving a packet with an unexpected RSSI value will generate an alarm. However, there is a high chance of false positive alarms because the RSSI value is affected by background noise.
4.1.2 MAC Layer: At the MAC layer, the authors proposed to use a time scheduling algorithm such as TDMA to allocate a time slot to each node and SMAC to allocate the wake and sleep schedule. If node A receives packets from node B at a time when B is supposed to be asleep, an alarm will be raised.
4.1.3 Routing Layer: At the routing layer, they have used the forwarding tables generated by the routing protocol. They have also proposed a protocol named Information Authentication for Sensor Networks (IASN). The protocol works on authenticating information rather than authenticating nodes. That is, a node keeps track of its neighbors and knows what kind of information it expects from them. As an example, if a node receives a packet from node B but is expecting the packet from node C, an anomaly is detected. In the paper, they have also shown how IASN works with routing protocols like DSR, DSDV and directed diffusion.
The networking layer of sensor networks is usually designed according to the following principles:
• Power efficiency is always an important consideration.
• Sensor networks are mostly data centric.
• Data aggregation is useful only when it does not hinder the collaborative effort of the sensor nodes.
• An ideal sensor network has attribute-based addressing and location awareness.
One of the following approaches can be used to select an energy efficient route [17].
Figure 5: The power efficiency of the routes.
We use Fig. 5 to describe each of these approaches, where node T is the source node that senses the phenomena. It has the following four possible routes to communicate with the sink:
• Route 1: Sink-A-B-T, total PA = 4, total ɑ = 3,
• Route 2: Sink-A-B-C-T, total PA = 6, total ɑ = 6,
• Route 3: Sink-D-T, total PA = 3, total ɑ = 4,
• Route 4: Sink-E-F-T, total PA = 5, total ɑ = 6,
where PA is the available power and ɑi is the energy required to transmit a data packet through the related link.
4.1.4 Application Layer: At the application layer, they have proposed mutual guarding techniques. In the mutual guarding technique, the author describes nodes guarding each other and also mentions four nodes guarding each other.
4.2 Anomaly Intrusion Detection based on Sliding Window
In [10], the authors have introduced an intrusion detection algorithm to consider the node impersonation attack and the route depletion attack. Their detection algorithm is based on the sliding window approach, where N packets are buffered. If the comparison of the rate of the N received packets with the rate of the previous N received packets is greater than a threshold value, then the alarm is triggered. But the algorithm fails to mitigate all the security threats.
4.3 Anomaly Intrusion Detection based on rules
In [11], the authors have proposed several rules to detect anomalies. The rules are:
Interval Rule: A failure is detected if the time between two consecutive message receptions is smaller or greater than the allocated time.
Retransmission Rule: A failure is detected if the node is not forwarding the message. This rule can detect black hole and selective forwarding attacks.
Integrity Rule: A failure is raised if an attacker modifies the message payload.
Delay Rule: A failure is detected if the message is not delivered on time.
Repetition Rule: This rule detects denial of service attacks, where a failure is detected if the same message is sent by a node more times than expected.
Radio Transmission Range Rule: A failure is raised if a message is received from a node other than one of its neighbors. All messages overheard by a monitor node must originate from one of its neighbors.
Jamming Rule: The number of collisions associated with a message must be lower than the expected number of collisions.
They have implemented the IDS in some of the nodes, called monitor nodes. A monitor node acts as an ordinary node and also detects intrusions in three phases. Phase 1 collects data and sends it to phase 2, which checks the data against the predefined rules, and then an intrusion alarm is raised in phase 3.
4.4 Anomaly Intrusion Detection based on Delta Grouping Algorithm
Li, He and Fu in [12] proposed a group-based IDS built on the anomaly detection technique. They used the delta grouping algorithm to partition the network into groups and then run the detection algorithm on each group. At first, all the sensor nodes are deployed in the network, then the delta algorithm is applied to partition the network, and then the IDS is applied to each group.
4.5 Anomaly Intrusion Detection for Black Hole Attack
In [13], the authors have proposed their own IDS algorithm to detect black hole and selective forwarding attacks, and they have proposed two rules to detect anomalies:
Rule 1: If node A sends a packet to node B, it stores the packet in its buffer and watches whether B forwards it or not. If B does not, the counter is incremented by one; otherwise the message is deleted. If the failure count is more than the threshold value, an alarm will be raised.
Rule 2: If the majority of the monitor nodes have raised an alert, then the target node is compromised and should be revoked, or the base station should be notified. Based on their rules, they have proposed an IDS block that is implemented in all the sensor nodes.
They proposed an IDS agent in each sensor node, and their IDS agent consists of the following:
Local responses
Cooperative detection engine
Communication
Local packet monitoring
Local detection engine
Local responses send the response to the base station if any anomaly is found. In the cooperative detection engine phase, if any node detects an intrusion it shares the information with the other nodes to reduce the false alarm rate. The local packet monitoring phase monitors the packets and sends the data to the local detection engine phase, which detects anomalies based on unexpected behavior.
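A monitor node applying the seven rules of section 4.3 to an overheard trace, with the forwarding-failure counter and threshold of Rule 1 from section 4.5 layered on the retransmission failures; this is an added Python example written for this page, not code from [11], [13] or this paper. The neighbour set, the allocated interval, the delay limit, the expected repeat and collision counts and the trace itself are constructed values.

```python
from collections import defaultdict

# Monitor node configuration (constructed values, not taken from the paper)
NEIGHBORS = {"A", "B", "C"}       # nodes inside the monitor's radio range
MIN_GAP, MAX_GAP = 0.5, 10.0      # allocated time between two consecutive messages from a node
MAX_DELAY = 2.0                   # seconds within which a relay must forward a message
EXPECTED_REPEATS = 1              # how many times one node may send the same message
EXPECTED_COLLISIONS = 2           # collisions per message above which jamming is assumed

# Phase 1 data: constructed trace of transmissions overheard by the monitor.
# Each entry: time, sender, next hop, message id, payload, collisions seen.
TRACE = [
    {"t": 0.0, "src": "A", "dst": "B", "msg": "m1", "payload": "temp=21", "collisions": 0},
    {"t": 1.0, "src": "B", "dst": "SINK", "msg": "m1", "payload": "temp=21", "collisions": 1},  # B relays m1 correctly
    {"t": 3.0, "src": "A", "dst": "B", "msg": "m2", "payload": "temp=22", "collisions": 0},
    {"t": 6.5, "src": "B", "dst": "SINK", "msg": "m2", "payload": "temp=99", "collisions": 0},  # tampered and late
    {"t": 7.0, "src": "A", "dst": "C", "msg": "m3", "payload": "temp=22", "collisions": 0},     # C never forwards m3
    {"t": 7.1, "src": "A", "dst": "C", "msg": "m3", "payload": "temp=22", "collisions": 0},     # repeated, too soon
    {"t": 8.0, "src": "A", "dst": "C", "msg": "m5", "payload": "temp=23", "collisions": 0},     # C never forwards m5
    {"t": 9.0, "src": "Z", "dst": "SINK", "msg": "m4", "payload": "x", "collisions": 5},        # out of range, jammed
]


def check_rules(trace, sink="SINK"):
    """Phase 2: apply the rules of [11] to the trace; returns (rule, node, detail) failures."""
    failures = []
    last_seen = {}               # sender -> time of its previous transmission
    sent = defaultdict(int)      # (sender, msg) -> times sent
    pending = {}                 # (relay, msg) -> (time relay received it, payload it received)
    for p in trace:
        src, msg, t = p["src"], p["msg"], p["t"]
        if src not in NEIGHBORS:                       # Radio Transmission Range rule
            failures.append(("range", src, msg))
        if src in last_seen:                           # Interval rule
            gap = t - last_seen[src]
            if gap < MIN_GAP or gap > MAX_GAP:
                failures.append(("interval", src, round(gap, 3)))
        last_seen[src] = t
        sent[(src, msg)] += 1                          # Repetition rule
        if sent[(src, msg)] > EXPECTED_REPEATS:
            failures.append(("repetition", src, msg))
        if p["collisions"] > EXPECTED_COLLISIONS:      # Jamming rule
            failures.append(("jamming", src, p["collisions"]))
        if (src, msg) in pending:                      # src is forwarding a message it received
            received_at, payload = pending.pop((src, msg))
            if p["payload"] != payload:                # Integrity rule
                failures.append(("integrity", src, msg))
            if t - received_at > MAX_DELAY:            # Delay rule
                failures.append(("delay", src, round(t - received_at, 3)))
        if p["dst"] != sink:                           # the next hop now owes a forward
            pending[(p["dst"], msg)] = (t, p["payload"])
    for relay, msg in sorted(pending):                 # Retransmission rule: never forwarded
        failures.append(("retransmission", relay, msg))
    return failures


def black_hole_alarms(failures, threshold):
    """Phase 3 / Rule 1 of [13]: alarm on relays whose forwarding-failure count exceeds threshold."""
    counts = defaultdict(int)
    for rule, node, _ in failures:
        if rule == "retransmission":
            counts[node] += 1
    return sorted(node for node, c in counts.items() if c > threshold)
```

On the constructed trace every rule fires exactly where the comments say, and with a threshold of 1 only C, which swallowed two messages, is reported by the Rule 1 counter.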
Owing to the characteristics of wireless sensor networks and the differences between common nodes and cluster heads, each agent has different tasks and its detection strategy is also different. These agents carry the new detection method and can cooperate with each other, which gives our system the advantages of a high detection rate, good expansibility and lower cost.
Figure 6: Flow chart of intrusion detection and self-recovery algorithm
5. Anomaly detection
When sensor nodes in a wireless sensor network are compromised by a DoS attack, the number of data packets sent increases markedly in order to exhaust the nodes' energy quickly and make them lose the ability to monitor targets. This is a serious problem, especially when the wireless sensor network is deployed in a hostile area. Thus the compromised nodes should be recovered to normal as soon as possible.
The model includes the sink node agent (SNA), cluster head agent (CHA) and member node agent (MNA). Each agent is a set of functionality and predefined processing. Each node has been assigned a unique identifier; therefore D(i) is used to represent each node. The MNA in a member node continuously monitors the packets from sensors and sends these packets to the CHA in the cluster head at a certain time interval. The packets detected from node i are message(i) = {ID(i), Message}. At the same time, the MNA counts the number of message(i) packets sent by itself and the CHA counts the number of message(i) packets sent by the MNA. The CHA knows how many messages each node in its cluster should send; this is expressed by count(i). Therefore, when a node in its cluster sends excessive messages, the CHA is able to know whether the node is under anomalous attack. In the CHA, a threshold is set for judging and distinguishing normal nodes from compromised ones. M(i) is the maximum number of messages that the cluster head can receive from node i. That is, when the number of messages received from node i is larger than M(i), node i is suspected to be compromised and will be subjected to anomaly decision by the CHA in its cluster head.
6. Anomaly decision
After anomaly detection, the CHA monitors and analyzes the node in order to confirm whether or not the node is truly compromised. The anomaly decision mechanism is the average of count(i) over T time intervals. When the node continuously sends excessive messages, the average of count(i) over the T time intervals will be larger than the normal average. Therefore, the normal average threshold is set as A(i). When the average of count(i) over the T time intervals exceeds A(i), node i is considered truly compromised and needs to recover itself based on the recovery instructions given by the CHA.
7. Anomaly recovery
Recovery instructions are based on the knowledge base in the cluster head. In the knowledge base, initial metadata for the sensor nodes are stored and maintained. These initial metadata describe the attributes, configuration information and restart parameters of each node. The CHA uses these initial metadata to force the compromised node to recover. The recovery methods in this paper include micro-reboot and reboot: 1) When nodes are commonly compromised, a micro-reboot is performed based on the configuration information provided by the CHA in its cluster head. The micro-reboot is a fast reboot method and reduces energy consumption compared with a reboot. 2) When nodes are seriously compromised, a reboot is carried out based on the restart parameters provided by the CHA in its cluster head.
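The three steps of sections 5, 6 and 7 carried out by one cluster head agent, as an added Python example written for this page (it is not the authors' simulation code). M(i), A(i) and T are the page's own thresholds; the member node ids, the per-interval counts, the knowledge-base metadata and the serious_factor that separates a "commonly" from a "seriously" compromised node are assumptions, because the page does not define that severity test.

```python
class ClusterHeadAgent:
    """CHA logic of sections 5-7 as summarised on the page.

    m_max[i] is M(i), the maximum messages the cluster head accepts from node i
    per interval; a_avg[i] is A(i), the normal average threshold; t_intervals is T.
    The severity criterion choosing micro-reboot over reboot is an assumption:
    the page only distinguishes 'commonly' from 'seriously' compromised nodes.
    """

    def __init__(self, m_max, a_avg, t_intervals, serious_factor=2.0):
        self.m_max, self.a_avg, self.T = m_max, a_avg, t_intervals
        self.serious_factor = serious_factor
        self.knowledge_base = {}   # node -> initial metadata (configuration, restart parameters)
        self.decision = {}         # node -> counts collected since the node became doubtful

    def register(self, node, config, restart_params):
        """Store the initial metadata the knowledge base keeps for each member node."""
        self.knowledge_base[node] = {"config": config, "restart": restart_params}

    def end_of_interval(self, received):
        """received maps node id -> number of message(i) packets the CHA counted this interval.
        Returns {node: 'suspect' | 'cleared' | (method, metadata)} for nodes needing attention."""
        actions = {}
        for node in self.m_max:
            count = received.get(node, 0)
            window = self.decision.get(node)
            if window is None:
                # Step 1, anomaly detection: more than M(i) messages makes node i doubtful
                if count > self.m_max[node]:
                    self.decision[node] = [count]
                    actions[node] = "suspect"
                continue
            # Step 2, anomaly decision: average count(i) over T intervals against A(i)
            window.append(count)
            if len(window) < self.T:
                actions[node] = "suspect"
                continue
            avg = sum(window) / self.T
            del self.decision[node]
            if avg <= self.a_avg[node]:
                actions[node] = "cleared"          # a short burst, not a sustained DoS
                continue
            # Step 3, anomaly recovery: instruction built from the knowledge base
            actions[node] = self.recovery_instruction(node, avg)
        return actions

    def recovery_instruction(self, node, avg):
        """Micro-reboot with configuration info, or full reboot with restart parameters."""
        meta = self.knowledge_base[node]
        if avg > self.serious_factor * self.a_avg[node]:   # assumed 'seriously compromised' test
            return ("reboot", meta["restart"])
        return ("micro-reboot", meta["config"])


def run_demo():
    """Constructed scenario: one cluster head, three member nodes, five intervals, T = 3."""
    cha = ClusterHeadAgent(m_max={"n1": 10, "n2": 10, "n3": 10},
                           a_avg={"n1": 8, "n2": 8, "n3": 8}, t_intervals=3)
    for n in ("n1", "n2", "n3"):
        cha.register(n, config={"sample_rate": 1}, restart_params={"boot_image": "v1"})
    intervals = [
        {"n1": 5, "n2": 5, "n3": 5},      # all normal
        {"n1": 30, "n2": 12, "n3": 11},   # all three exceed M(i) = 10
        {"n1": 30, "n2": 4, "n3": 11},
        {"n1": 30, "n2": 4, "n3": 11},    # third interval: decision is made
        {"n1": 5, "n2": 5, "n3": 5},      # back to normal after recovery
    ]
    return [cha.end_of_interval(r) for r in intervals]
```

In the demo n1 floods continuously and is rebooted, n3 stays only moderately above A(i) and gets a micro-reboot, and n2's single burst averages below A(i) over T intervals and is cleared without any recovery action.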
8. Experiments and results
Currently the existing agent-based intrusion detection and self-recovery systems for WSNs lack the ability for formal reasoning and verification. Based on our proposed network model and intrusion detection model, the performance of the intrusion detection and self-recovery algorithm was evaluated and analyzed to check its rationality.
In the experiments, the wireless sensor network consists of 1 sink node, 5 cluster heads and 20 member nodes. Each cluster includes 4 member nodes. We investigate the total energy consumption of our proposed agent-based intrusion detection and self-recovery system and of a network without an intrusion detection system when the number of compromised nodes increases from 1 to 8. The total energy consumption based on the different methods is illustrated in Figure 3.
Figure 7: The total energy consumption based on different methods
From Figure 7, it is obvious that our proposed agent-based intrusion detection and self-recovery system reduces the energy consumption markedly as the number of compromised nodes increases. This is because our proposed system finds the compromised nodes and recovers them, so that the rate of data transmitted between the cluster head and member nodes stays normal. In contrast, the rate of data transmitted by compromised nodes is high and such a node consumes a great deal of energy. If the compromised nodes cannot be discovered and recovered as fast as possible, they will exhaust the energy of the wireless sensor network.
The relationship between the processing time delay of the agent-based intrusion detection and self-recovery system and the number of compromised nodes is presented in Figure 8. It is obvious that the processing time delay of our proposed system increases as the number of compromised nodes increases. However, as the number of compromised nodes keeps increasing, the growth rate of the processing time delay becomes slower. This is because our proposed method overcomes network latency by carrying out operations directly at the target sensor nodes.
Figure 8: Relationship of processing time delay & the number of compromised nodes
9. Conclusion
In this paper, we have proposed an agent-based intrusion detection and self-recovery system in order to eliminate DoS attacks and make the compromised nodes self-recover. At the same time, its performance in terms of total energy consumption and processing time delay is analysed. Simulation results show that the proposed agent-based intrusion detection and self-recovery system can reduce the energy consumption markedly and achieve effective network recovery performance.
The proposed system in this paper is also a comprehensive model which has some main properties such as robustness, scalability and extensibility along with environment changes and its new conditions. Wireless sensor networks are vulnerable to several attacks because of their deployment in an open and unprotected environment. This paper describes the major security threats in WSNs and also describes different intrusion detection techniques. Moreover, the paper also describes several existing approaches to find out how they have implemented their intrusion detection systems.
References
[1] I. F. Akyildiz, Su Weilian, Y. Sankarasubramaniam, “A survey on sensor networks,” IEEE Communications Magazine, 2002, 40(8):102-114.
[2] Xiaojiang Du, Hsiao-Hwa Chen, “Security in wireless sensor networks,” Wireless Communications, 2008, 15(4):60-66.
[3] R. Nakkeeran, T. Aruldoss Albert and R. Ezumalai, “Agent Based Efficient Anomaly Intrusion Detection System in Ad hoc networks,” IACSIT International Journal of Engineering and Technology, 2010, 2(1):1793-8236.
[4] Guo Bin, Li Zhe, “United voting dynamic cluster routing algorithm based on residual-energy in wireless sensor networks,” Journal of Electronics & Information Technology, 2007, 29(12):3006-3010.
[5] J. Yick, B. Mukherjee and D. Ghosal, “Wireless Sensor Network Survey,” Elsevier’s Computer Networks Journal, 2008, 52(12):2292-2330.
[6] S. Mohammadi, R. A. Ebrahimi and H. Jadidoleslamy, “A Comparison of Link Layer Attacks on Wireless Sensor Networks,” Journal of Information Security, 2011, 2(2):69-84.
[7] S. Mohammadi, R. A. Ebrahimi and H. Jadidoleslamy, “A Comparison of Routing Attacks on Wireless Sensor Networks,” Journal of Information Assurance.
[8] Tao Shu, Marwan Krunz, and Sisi Liu, “Secure Data Collection in Wireless Sensor Networks Using Randomized Dispersive Routes,” IEEE Transactions on Mobile Computing, July 2010.
[9] Shanshan Chen, Geng Yang and Shengshou Chen, “A Security Routing Mechanism against Sybil Attack for Wireless Sensor Networks,” IEEE Int. Conf., 2010.
[10] Kemal Akkaya and Mohamed Younis, “A survey on routing protocols for wireless sensor networks,” Elsevier, Feb. 2003.
[11] Ali Modirkhazeni, Norafida Ithnin and Othman Ibrahim, “Secure Multipath Routing Protocols in Wireless Sensor Networks: A Security Survey Analysis,” IEEE Int. Conf., 2010.
[12] www.wikipedia.org: wireless sensor networks, intrusion detection system.
[13] V. Bhuse, A. Gupta, “Anomaly intrusion detection in wireless sensor network,” Journal of High Speed Networks, Volume 15, Issue 1, pp. 33-51, Jan. 2006.
[14] I. Onat, A. Miri, “An intrusion detection system for wireless sensor networks,” IEEE International Conference on Wireless And Mobile Computing, Networking And Communications (WiMob’2005), Volume 3, 22-24 Aug. 2005.
[15] A. da Silva, M. Martins, B. Rocha, A. Loureiro, L. Ruiz, and H. Wong, “Decentralized intrusion detection in wireless sensor networks,” Proceedings of the 1st ACM International Workshop on Quality of Service & Security in Wireless and Mobile Networks, 2005.
[16] C. Perkins, E. Royer, and S. Das, “RFC 3561 Ad hoc On-Demand Distance Vector (AODV) Routing,” Tech. Rep., 2003. [Online]. Available: http://tools.ietf.org/html/rfc3561.
[17] Y. H. Nam et al., “Development of remote diagnosis system integrating digital telemetry for medicine,” International Conference IEEE-EMBS, Hong Kong, 1998, pp. 1170-1173.
[18] E. Shih, S. Cho, N. Ickes, R. Min, A. Sinha, A. Wang, A. Chandrakasan, “Physical layer driven protocol and algorithm design for energy-efficient wireless sensor networks,” Proceedings of ACM MobiCom’01, Rome, Italy, July 2001, pp. 272-286.