Wireless Communications, IEEE Volume 14, Issue 5, October 2007. Presented by Yu-Shun Wang (王猷順). BO SUN, LAWRENCE OSBORNE, YANG XIAO, SGHAIER GUIZANI. OP LAB, IM NTU

Intrusion detection techniques in mobile ad hoc and wireless sensor networks


Page 1: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Wireless Communications, IEEE Volume 14, Issue 5, October 2007

Presented by Yu-Shun Wang( 王猷順 )

BO SUN, LAWRENCE OSBORNE, YANG XIAO, SGHAIER GUIZANI

1 OP LAB, IM NTU

Page 2: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

BO SUN [M] received his Ph.D. degree in computer science from Texas A&M University, College Station, in 2004.

He is now an assistant professor in the Department of Computer Science at Lamar University.

His research interests include the security issues of wireless ad hoc networks, wireless sensor networks, cellular mobile networks, and other communications systems.


Page 3: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

LAWRENCE OSBORNE received a Ph.D. in computer science from the University of Missouri Rolla in 1989.

He is now a professor of computer science at Lamar University.

His research interests include algorithms for routing and localization in MANETs and wireless sensor networks, databases in sensor networks, satellite networks, and distributed systems.


Page 4: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

YANG XIAO [SM] is currently with the Department of Computer Science at the University of Alabama.

He was a voting member of the IEEE 802.11 Working Group from 2001 to 2004.

His research areas are security, telemedicine, and wireless networks.

He currently serves as Editor-in-Chief for International Journal of Security and Networks, International Journal of Sensor Networks, and International Journal of Telemedicine and Applications.


Page 5: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

SGHAIER GUIZANI obtained a Ph.D. in telecommunication from the University of Quebec Trois-Rivières, Canada.

He is currently working as an assistant professor at Qatar University in the Mathematics and Computer Department.

His research interests are in the areas of optical fiber communication systems, radio over fiber, wireless network architectures, and wireless communication.


Page 6: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

1. Introduction
2. Intrusion Detection Techniques
3. Intrusion Detection in a MANET
   — Attack Models
   — Existing Research
4. Intrusion Detection in a WSN
   — Challenges
   — Secure Localization in WSNs
   — Secure Aggregation in WSNs
   — Extended Kalman Filter-Based Secure Aggregation for a WSN
5. Conclusion

Page 8: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

MANET and WSN compared:

• Communication: through wireless mechanism (both)
• Deployment environment: often in adverse or even hostile environments (both)
• Component: mobile nodes (MANET); sensor nodes (WSN)
• Application: military application (MANET); wide range application (WSN)

Page 10: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

• Reasons that make MANETs and WSNs more vulnerable to malicious attacks

– For MANET
  • The features of an open medium
  • Dynamic topology
  • The absence of a central management point

– For WSN
  • The lack of physical security combined with unattended operations makes sensor nodes prone to a high risk of being captured and compromised.

Page 11: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

• So far, research to find security solutions for MANETs and WSNs has originated from the prevention point of view.

• However, prevention-based solutions cannot totally eliminate intrusions.

• Therefore, intrusion detection systems (IDSs), serving as the second line of defense, are indispensable in providing a highly secured information system.

Page 13: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Misuse-based detection encodes known attack signatures and system vulnerabilities. If it finds a match between current activities and signatures, an alarm is generated.

But it is not effective at detecting novel attacks.

Page 14: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Anomaly-based detection creates normal profiles of system states or user behaviors and compares them with current activities.

If a significant deviation is observed, the IDS raises an alarm.

Anomaly detection can detect unknown attacks.

However, normal profiles are usually very difficult to build.

Page 15: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Specification-based detection combines the advantages of misuse detection and anomaly detection, using manually developed specifications to characterize legitimate system behaviors.

However, the development of detailed specifications can be time-consuming.

Page 17: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Attack Model

• Routing Logic Compromise: a typical attack scenario is the modification of various fields in routing control packets.

• Traffic Distortion: attacks such as packet dropping, packet corruption, and data flooding.

• A combination of the attacks mentioned previously.

Page 18: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Attack model | Routing Logic Compromise | Traffic Distortion
Purpose | Disarrange routing | Save power or prevent others from receiving data
Attack method | Modify routing control packets | Randomly, periodically, or selectively drop received packets
Attack target | Route request, reply, or error messages | Every packet that the attacker receives might be an attack target
Example | Black hole, routing update storm | Packet corruption, data flooding

Page 20: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Existing Research

• Feature selection: a learning-based method that utilizes cross-feature analysis to capture inter-feature correlation patterns.

• Pattern classification: based on an identified feature set, and with a decision-tree equivalent classifier for rule induction, the system can classify observed activities as normal or intrusive.

Page 21: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Existing Research (cont.)

Watchdog and pathrater

Page 22: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Existing Research (cont.)

Zone-based intrusion detection system (ZBIDS)

Page 24: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Challenges

Similar to security research in a MANET, many approaches in a WSN have been proposed.

But due to many features, prevention-based schemes are inadequate after sensor nodes have been compromised.

Page 25: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Challenges (cont.)

A WSN has a limited power supply, thus requiring energy-efficient protocols and applications to maximize the lifetime of sensor networks.

Besides, sensor nodes are prone to failure. This results in frequent network topology changes.

Also, a WSN usually is densely deployed, causing serious radio channel contention and scalability problems.

Page 27: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Secure Localization

Due to cost considerations, it is still not practical to equip every sensor node with a global positioning system (GPS) receiver.

To utilize localization protocols, some special nodes, called beacon nodes, often are used.

However, beacon nodes may be compromised, thus providing incorrect information to non-beacon nodes.

Page 28: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Secure Localization (cont.)

Utilizing deployment knowledge of a WSN, and based on the fact that probability distribution functions of sensor locations usually can be modeled prior to deployment, W. Du, L. Fang, and P. Ning [11] (“LAD: Localization Anomaly Detection for Wireless Sensor Networks”) propose that each non-beacon node can efficiently detect location anomalies.

Page 29: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Assume that sensor nodes are static once they are deployed.

Define the deployment point of a sensor as the point location where the sensor is to be deployed.

Also define the resident point of a sensor as the point location where the sensor finally resides.

Page 31: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

After deployment, each node can estimate its neighbors based on deployment knowledge.

Then, it compares the estimated result with its actual observation.

If the inconsistent rate is higher than a threshold, we conclude that there is an anomaly.

Page 32: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Process overview

After deployment -> compare the actual observation with the estimation based on deployment knowledge -> inconsistent rate > threshold?

• Yes: there exists an anomaly
• No: no anomaly

Page 33: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Three metrics for anomaly detection:

• The difference metric
• The add-all metric
• The probability metric

Among these, the Diff metric performs the best.

Page 34: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

The difference metric

• The probability that a node belonging to group i becomes a neighbor of the node located at Le
• The total number of nodes in group i
• The coordinates of Le
• The deployment point of group i
• The actual observation of the node

Page 35: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Obtaining the Thresholds Using Training

We are targeting a specific localization application in sensor networks.

Thus, it is likely to observe most (if not all) of the normal behaviors during the training process.
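
Added example (not part of the original slides and not the LAD authors' code): the localization check described above, from estimating neighbors out of deployment knowledge to a trained threshold. It assumes the Diff metric is the sum over groups of |observed neighbors − m·g_i(Le)|, which is what the slide's annotations describe (the slide's own equation did not survive); the grid of deployment points, the Gaussian placement, the radio range R, σ, m and the training procedure are assumptions chosen for illustration.

```python
import math
import random

R = 50.0       # radio range in metres (assumed)
SIGMA = 50.0   # spread of resident points around a deployment point (assumed)
M = 100        # total number of nodes in each group (assumed)
# Deployment points of the groups: a 5 x 5 grid, 100 m apart (assumed layout).
DEPLOY = [(x, y) for x in range(0, 500, 100) for y in range(0, 500, 100)]


def g(le, dp, nr=16, nt=24):
    """Probability that a node of the group deployed at dp is a neighbour of a
    node located at le: the Gaussian placement density integrated over the
    radio disc around le (midpoint rule in polar coordinates)."""
    dr, dt = R / nr, 2 * math.pi / nt
    total = 0.0
    for j in range(nr):
        r = (j + 0.5) * dr
        for k in range(nt):
            t = (k + 0.5) * dt
            dx = le[0] + r * math.cos(t) - dp[0]
            dy = le[1] + r * math.sin(t) - dp[1]
            total += math.exp(-(dx * dx + dy * dy) / (2 * SIGMA ** 2)) * r
    return total * dr * dt / (2 * math.pi * SIGMA ** 2)


def expected(le):
    """Expected number of neighbours from each group for a node at le."""
    return [M * g(le, dp) for dp in DEPLOY]


def diff_metric(observed, le):
    """Sum over groups of |observed - expected| for the estimated location le."""
    return sum(abs(o - mu) for o, mu in zip(observed, expected(le)))


def observe(actual, rng):
    """Constructed observation: place every node, count neighbours per group."""
    obs = []
    for dp in DEPLOY:
        count = 0
        for _ in range(M):
            x, y = rng.gauss(dp[0], SIGMA), rng.gauss(dp[1], SIGMA)
            if math.hypot(x - actual[0], y - actual[1]) <= R:
                count += 1
        obs.append(count)
    return obs


def train_threshold(trials=40, tau=0.99, seed=7):
    """Threshold from attack-free training runs: the tau-quantile of the metric
    when the estimated location equals the real one."""
    rng = random.Random(seed)
    scores = []
    for _ in range(trials):
        loc = (rng.uniform(50, 350), rng.uniform(50, 350))
        scores.append(diff_metric(observe(loc, rng), loc))
    scores.sort()
    return scores[min(len(scores) - 1, int(tau * len(scores)))]


def is_anomalous(observed, le, threshold):
    return diff_metric(observed, le) > threshold


if __name__ == "__main__":
    thr = train_threshold()
    real = (200.0, 200.0)
    obs = observe(real, random.Random(1))
    print("threshold:", round(thr, 1))
    print("honest estimate flagged:", is_anomalous(obs, real, thr))
    print("estimate moved by bad beacons flagged:",
          is_anomalous(obs, (400.0, 400.0), thr))
```

The node needs only its own neighbor observation and the deployment model, so the check runs without trusting any beacon node.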

Page 38: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Secure Aggregation in WSNs

Aggregation has become one of the required operations for a WSN to save energy.

The aggregation function may be: average, sum, maximum, minimum, count, etc.

If one node is compromised, it can send false reports to other nodes.

High-level nodes (i.e., nodes closer to the root) have a higher influence on the aggregation result than low-level nodes.

Page 39: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Secure Aggregation in WSNs (cont.)

Page 40: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Secure Aggregation in WSNs (cont.)

Using robust statistics for resilient aggregation.

Truncation and trimming techniques help improve the resilience of aggregation functions.

RANSAC (random sample consensus) is an outlier elimination technique.

• It uses maximum likelihood estimation (MLE) as an estimating method.
• Outlier measurements can be filtered out, even if a large quantity of sensor nodes is compromised.

But what if some anomaly does indeed occur?

Page 41: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Secure Aggregation in WSNs (cont.)

Secure Hop-by-Hop Data Aggregation Protocol: [14] Y. Yang et al., “SDAP: A Secure Hop-by-Hop Data Aggregation Protocol for Sensor Networks,” ACM Mobihoc ’06, Florence, Italy, 2006, pp. 356–67.

Different from the approaches mentioned before, this one does not simply eliminate the “outliers”.

In this way, it can avoid removing “real” data.

Page 42: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Assume the BS cannot be compromised. Also, it has a secure mechanism to authenticate its broadcast messages to all the nodes.

Assume every node can verify the received broadcast messages, and has an individual secret key shared with the BS.

Further, there is a unique pairwise key shared between each pair of neighboring nodes.

Page 43: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

We do not consider the attack where a compromised node forges a false reading of its own as a value changing attack.

• The impact of such an attack is usually limited.
• Such a compromised node is very much like a faulty sensor node.
• In this case, we have to rely on an outlier detection algorithm or the content-based attestation scheme.

Page 44: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Process overview

Tree Construction -> Node grouping & data aggregation -> Exist suspicious value?

• no: Trust the value
• yes: Start verification -> Any abnormal node detected?
  – yes: Discard the suspicious value
  – no: Trust the value

Process end

Page 45: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Tree Construction

Initially, the root broadcasts a tree construction message that includes its own id and its depth, which is set to 0.

After receiving a broadcast message, each node increases the depth value by one and sets its parent to be the broadcasting node.

This process continues until all nodes have received this message.

Page 46: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Tree Construction (cont.)

After constructing the aggregation tree, the BS can disseminate the aggregation query message through this tree.

A random number (Sg), which is added to the query, is used for the probabilistic grouping in the next phase.

Page 47: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Node grouping & data aggregation

In this phase, SDAP randomly groups all the nodes into multiple logical groups and performs aggregation in each group.

Grouping is conducted through the selection of a leader node for each group.

Leader nodes are selected by a probabilistic method using the count values and the grouping seed Sg received in the last phase.

Page 48: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Node grouping & data aggregation (cont.)

With the random number (Sg), the BS can rotate the leaders among nodes instead of fixing their roles.

Once a node becomes the leader, all the nodes in its subtree that have not been grouped yet become members of its group.

The resulting group sizes are roughly even with a small deviation, since the grouping function is uniformly distributed.

Page 49: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Node grouping & data aggregation (cont.)

Page 50: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Node grouping & data aggregation (cont.)

During aggregation, each aggregation packet contains the sender’s id, an aggregated data value, and a count value.

In addition, a flag field is contained in each packet to show whether the aggregate needs to be aggregated further or not.

Three types of aggregation are performed:

• Leaf node aggregation
• Intermediate node aggregation
• Leader node aggregation

Page 51: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Node grouping & data aggregation (cont.)

Leaf node aggregation

A leaf node just sends its id, data and count value to its parent (it also keeps a local copy until the attestation phase is completed).

Packet form: Node id, Aggregation flag, Count value, The reading of node u

Page 52: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Node grouping & data aggregation (cont.)

Intermediate node aggregation

When an intermediate node receives an aggregate from its child node, it first checks the flag.

For a received packet with flag 0, a node first keeps a local copy of the aggregates (until the attestation phase is done), and then decrypts the data and performs some simple checking on the validity of the count.

If the aggregate packet does not pass this checking, it will discard the packet. Otherwise, it will further aggregate its own reading with all the aggregates received.

Page 53: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Node grouping & data aggregation (cont.)

Intermediate node aggregation

Packet form: Node id, Aggregation flag, Count value, The aggregated value

Page 54: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Node grouping & data aggregation (cont.)

Leader node aggregation

The leader node encrypts the new aggregate with its individual key and sets the flag to ‘1’ in its aggregation packet.

This means the packet may be transferred through more than one hop.

Aggregation flag is set to 1

Page 55: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Node grouping & data aggregation (cont.)

When a sensor node receives an aggregation packet with flag ‘1’, it records the id of the group leader and the incoming link into its forwarding table.

In this way, when the BS sends out an attestation request later regarding this group, the node knows where to forward this request.

Page 56: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Exist suspicious value?

First, the BS verifies whether this packet is from a legitimate group leader.

Then, it uses Grubbs’ test to detect outliers, since we expect the attacker to forge aggregated data that has a non-trivial influence on the final result.

Those groups which contain outliers become suspicious ones.
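
Added example (not from the slides and not the SDAP authors' code): the base station's screening step with a two-sided Grubbs' test, returning the group leaders to attest instead of dropping their values. Applying the test to each group's per-node average (aggregate divided by count), the significance level 0.05, the leader ids and the sample aggregates are assumptions made for this illustration.

```python
import math


def t_cdf(t, nu):
    """Student-t CDF for t >= 0, by Simpson's rule on the density."""
    c = math.gamma((nu + 1) / 2) / (math.sqrt(nu * math.pi) * math.gamma(nu / 2))
    n = 2 * max(100, int(40 * t))          # even number of intervals
    h = t / n

    def pdf(x):
        return c * (1 + x * x / nu) ** (-(nu + 1) / 2)

    s = pdf(0.0) + pdf(t)
    s += sum((4 if i % 2 else 2) * pdf(i * h) for i in range(1, n))
    return 0.5 + s * h / 3


def t_upper(p, nu):
    """Value t with P(T > t) = p for nu degrees of freedom (bisection)."""
    lo, hi = 0.0, 200.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if 1.0 - t_cdf(mid, nu) > p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def grubbs_critical(n, alpha=0.05):
    """Two-sided critical value of Grubbs' statistic for n samples."""
    t = t_upper(alpha / (2 * n), n - 2)
    return (n - 1) / math.sqrt(n) * math.sqrt(t * t / (n - 2 + t * t))


def suspicious_groups(aggregates, alpha=0.05):
    """aggregates maps leader id -> (aggregated sum, count).

    Returns the leaders whose per-node average is an outlier. These groups
    are handed to attestation; nothing is discarded at this point."""
    values = {gid: total / count for gid, (total, count) in aggregates.items()}
    flagged = []
    while len(values) >= 3:                # the test needs at least 3 samples
        mean = sum(values.values()) / len(values)
        var = sum((v - mean) ** 2 for v in values.values()) / (len(values) - 1)
        if var == 0:
            break                          # all groups agree exactly
        gid = max(values, key=lambda k: abs(values[k] - mean))
        stat = abs(values[gid] - mean) / math.sqrt(var)
        if stat <= grubbs_critical(len(values), alpha):
            break
        flagged.append(gid)                # most extreme group is suspicious
        del values[gid]                    # re-test the remaining groups
    return flagged


# Constructed group aggregates (sum of readings, count) as received by the BS.
GROUPS = {
    "x1": (180.9, 9), "x2": (217.8, 11), "x3": (204.0, 10), "x4": (240.0, 12),
    "x5": (199.0, 10), "x6": (161.6, 8), "x7": (203.0, 10), "x8": (350.0, 10),
}

if __name__ == "__main__":
    print("groups to attest:", suspicious_groups(GROUPS))
```

A group flagged here may still carry real data, which is why the protocol continues with verification rather than elimination.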

Page 57: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Verification

The BS broadcasts an attestation message to the group leader which needs to be attested.

The leader node dynamically decides the next hop on the attestation path based on probability.

A selected child runs the same process to select one of its own children to form the path.

Each node on the path sends back its count value and its own reading. Besides, its parent also asks its siblings to send back their count values, aggregation data, and their MACs.

Page 58: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Verification (cont.)

Assume that the BS wants to attest the group with leader node x and the attestation path in this group is x−w−v−u.

Page 59: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Verification (cont.)

After the BS decrypts the received data, it first verifies whether w, v and u are really the nodes on the attestation path.

Then, it verifies whether the count value of every node is correct.

Page 60: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Verification (cont.)

If those checks succeed, the BS aggregates the data by itself and reconstructs the aggregation result.

It can also reconstruct MACx using these data.

Page 61: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Any abnormal node detected?

The BS compares the reconstructed aggregation result with the previously received one.

Then, the BS checks whether the MAC value is consistent.

Only when both values match the previously received ones does the BS accept the data.

Otherwise, the BS knows that some node in this group has been compromised and it discards this group aggregate.

Page 63: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

EKF-Based Secure Aggregation

In a WSN, consecutive observations of sensor nodes usually are highly correlated in the time domain.

This correlation, along with the collaborative nature of WSNs, makes it possible to predict future observed values based on previous values.

B. Sun et al. [16] (“Integration of Secure In-Network Aggregation and System Monitoring for Wireless Sensor Networks,” IEEE ICC ’07, Glasgow, U.K., June 2007) proposed a viable approach to estimate aggregated in-network values.

Page 64: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Assumptions

• The majority of nodes around some unusual events are not compromised.
• Falsified data transmitted by the compromised node is significantly different from the real value.

Page 65: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Process overview

Node broadcasts its reading/aggregation -> Near nodes overhear this reading/aggregation -> Apply EKF and compare these values

• Inconsistent rate under a threshold: System normal
• Inconsistent rate over a threshold: Awake other nodes residing around -> Apply EKF and compare these values (may be processed many times)
  – Inconsistent rate under a threshold: System normal
  – Inconsistent rate over a threshold: System abnormal

Page 66: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

EKF-Based Secure Aggregation for a WSN

By setting a proper process model and measurement model for a WSN, we can use EKF to obtain an accurate estimate.

Time update and measurement update equations are also required.

Page 67: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Notations


Page 68: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Process model

• The real value at time $t_{k+1}$
• Represents the change from $x_k$ to $x_{k+1}$
• Process noise at time $t_k$

Measurement model

• Measured value at time $t_k$
• Represents the function relating $x_k$ and $z_k$
• Measurement noise at time $t_k$

Page 69: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Time update equation

State Estimate Equation

• a priori estimate of $x_{k+1}$ at time $t_{k+1}$
• function relating $x_k$ to $x_{k+1}$

Error Project Equation

• a priori estimate error at time $t_{k+1}$
• variance of $w_k$ (process noise at time $t_k$) at time $t_k$

Applying a first order Taylor series approximation to F(x)

Page 70: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Measurement update equation

Kalman Gain

• Kalman gain at time $t_{k+1}$
• a priori estimate error at time $t_{k+1}$
• variance of $v_k$ (measurement noise) at time $t_k$

Error covariance update

• a posterior estimate error at time $t_{k+1}$
• a priori estimate error at time $t_{k+1}$

Estimate update with the measurement $z_{k+1}$

• a posterior estimate error at time $t_{k+1}$
• Difference between measured value and posterior estimate at time $t_{k+1}$

Page 71: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

The time update equations are responsible for predicting the real value ($\hat{x}^-_{k+1}$) and the estimate error ($P^-_{k+1}$) in order to obtain an a priori estimate at the next time step ($t_{k+1}$).

The measurement update equations are responsible for incorporating the measurement ($z_{k+1}$) into the a priori estimate to obtain a statistically optimal a posteriori estimate ($\hat{x}^+_{k+1}$).

Page 72: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

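Verification

Nodes: A, B

1. Receive $z_{k+1}$ sent by B.
2. Use $\hat{x}^+_k$ obtained at time $t_k$ to compute $\hat{x}^-_{k+1}$.
3. Compute $|\hat{x}^-_{k+1} - z_{k+1}|$.
4. If this value is smaller than the preset threshold, there is no anomaly.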
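
Added example (not from the slides or the cited paper): the four verification steps above as code, with node A keeping a scalar filter over the values it overhears from B, plus the inconsistent-rate vote of awakened neighbors from the process overview. It assumes F(x) = x and a direct measurement (H = 1), in which case the EKF reduces to a linear Kalman filter; Q, R, the threshold, the policy of not updating on a flagged value, and the readings are assumed or constructed.

```python
class EKFMonitor:
    """State that node A keeps while it overhears node B's broadcasts."""

    def __init__(self, x0, p0=1.0, q=0.01, r=0.04, threshold=1.0,
                 f=lambda x: x, df=lambda x: 1.0):
        self.x_post = x0            # a posteriori estimate at time t_k
        self.p_post = p0            # a posteriori estimate error at time t_k
        self.q = q                  # variance of process noise w_k (assumed)
        self.r = r                  # variance of measurement noise v_k (assumed)
        self.threshold = threshold  # preset threshold (assumed)
        self.f = f                  # F(x), relates x_k to x_{k+1}
        self.df = df                # dF/dx, the first-order Taylor term

    def predict(self):
        """Time update: a priori estimate and a priori estimate error."""
        a = self.df(self.x_post)
        return self.f(self.x_post), a * self.p_post * a + self.q

    def deviation(self, z):
        """|a priori estimate - z| without changing the filter state."""
        return abs(self.predict()[0] - z)

    def step(self, z):
        """Steps 1-4: check z against the prediction, then update if plausible."""
        x_prior, p_prior = self.predict()
        alarm = abs(x_prior - z) >= self.threshold
        if alarm:
            # Example policy (assumption): a flagged value is not folded into
            # the estimate, so falsified data cannot drag the filter along.
            self.x_post, self.p_post = x_prior, p_prior
        else:
            k = p_prior / (p_prior + self.r)           # Kalman gain with H = 1
            self.x_post = x_prior + k * (z - x_prior)  # estimate update
            self.p_post = (1.0 - k) * p_prior          # error covariance update
        return alarm


def flag_readings(readings, **params):
    """Indices of readings that A flags; readings[0] initialises the filter."""
    monitor = EKFMonitor(x0=readings[0], **params)
    flagged = []
    for k, z in enumerate(readings[1:], start=1):
        if monitor.step(z):
            flagged.append(k)
    return flagged


def inconsistent_rate(monitors, z):
    """Fraction of awakened neighbours whose own prediction disagrees with z."""
    votes = [m.deviation(z) >= m.threshold for m in monitors]
    return sum(votes) / len(votes)


# Constructed sample: temperature values broadcast by B; index 6 is falsified.
B_READINGS = [20.0, 20.1, 20.2, 20.1, 20.3, 20.2, 35.0, 20.3, 20.4]

if __name__ == "__main__":
    print("flagged indices:", flag_readings(B_READINGS))
    neighbours = [EKFMonitor(x0=v) for v in (20.1, 20.2, 19.9)]
    print("inconsistent rate for 35.0:", inconsistent_rate(neighbours, 35.0))
```

A nonlinear process model can be supplied through `f` and `df`; the check itself is unchanged.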

Page 73: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Simulation


Page 75: Intrusion detection techniques in mobile ad hoc and wireless sensor networks

Intrusion detection systems, if well designed, can effectively identify malicious activities and help to offer adequate protection.

IDS for both MANETs and WSNs requires a distributed architecture and the collaboration of nodes to make accurate decisions.

Solutions must consider resource constraints in terms of computation, energy, memory, and communication.
