Concordia University
Submitted to:
Professor Ayda Basyouni
Submitted By:
Intrusion Detection in Wireless Sensor Networks

Abstract:

A wireless sensor network (WSN) consists of a large number of tiny sensing devices that can perform computations and communicate with the other sensor nodes in the network. These sensors are battery powered, so reducing the energy consumed is always a major design criterion. The nodes are deployed in large numbers, scattered across the network, and can interact directly with the physical environment. Such devices are used heavily for security and defense purposes, so they are critical and must be secure enough to withstand attacks. To achieve this they use security mechanisms such as authentication and the AES-128 encryption scheme, but the devices remain vulnerable to attacks. Because the devices are easily accessible, advanced security methodologies are needed. To address this problem, intrusion detection systems are deployed that monitor the activities of the entire system, raise an alarm on any malicious activity, and act as a second layer of defense for the whole network.
I. INTRODUCTION

Wireless sensor networks (WSN) are geographically distributed sensor machines whose applications and usage range from monitoring physical and environmental conditions outward. They were developed mainly to meet advancing requirements in the military and medical fields, but they are not limited to these: such networks are also used in various industrial and consumer machines. A WSN consists of sinks and sensor nodes. The devices are mainly battery operated and are capable of self-healing, self-organizing and decentralized operation. They consume very little energy for their communication. The main traits of a WSN are:
I. Low power consumption
II. Resilience: coping with node failures
III. Scalability: the ability to perform large-scale deployment
IV. Portability: withstanding severe climatic conditions
V. Ease of access.
WSNs are built from nodes, of which there may be one to many. Each node is connected to a sensor. Sensor nodes are nothing but sinks, capable of sensing the devices and delivering the data. One major difference between a WSN and other wireless networks is that sensor networks are deployed in the physical environment and are not under the direct supervision of the users. Also, these networks use a multi-hop wireless medium to communicate, which makes the devices vulnerable to attacks. These attacks include passive attacks, where the attacker eavesdrops on the data, thereby violating confidentiality, and active attacks, which include modification or deletion of data, thereby violating the CIA triad (Confidentiality, Integrity and Availability).

Even though there are many security mechanisms, such as key establishment and trust set-up, secrecy and authentication, and secure routing, intended to ensure that these networks are secure enough, these mechanisms can protect the data only from outsider attacks; insider attacks remain an open threat to WSNs.

The failure of these prevention-based approaches to protect the WSN paved the way for detection-based mechanisms, which act as a second layer of defense. This paper presents a comprehensive analysis of the existing intrusion detection systems (IDS) and compares different IDS based on their detection techniques.

II. WSN ARCHITECTURE

A WSN is comprised of sensor nodes, gateways, the internet and satellites. Sensor nodes are placed in the physical environment and are responsible for processing information, gathering data and communicating with other nodes. Gateways allow the system managers to connect to a personal device
or PDA. These are nothing but proxies for the sensor network on the internet. Gateways can be classified as active, passive and hybrid. The signals received from the nodes are accumulated in the gateway and forwarded to the applications [1].

Fig: WSN Architecture [8]

Each node consists of five components: a central controller capable of performing all the tasks; a communication device for sending and receiving signals; a sensor, used to control the physical device; a memory unit, where the programs are stored; and a power supply, which produces the required energy. Communication takes place when both the transmitter and the receiver receive a radio wave from the controller, which is converted to a bit stream. Communication is then established via MAC protocols with the help of a transceiver, using multi-hop communication.

III. SECURITY GOALS IN WSN

The security goals of a WSN differ from those of other wireless networks, as a WSN does not have a traditional architecture and its devices have restricted memory, processing power and energy. The primary goals, which ensure that the system remains available, are Confidentiality, Integrity, Authentication and Availability. Secondary goals include data freshness, self-organization, time synchronization and secure localization [1].

IV. ATTACKS ON WSN

WSNs use a wireless medium to broadcast messages and are often placed in the physical environment, which makes them vulnerable to attacks. A few specific attacks, such as node capture, target only WSNs, but most attacks are common to all predominant wireless networks. Attacks have mainly targeted the exploitation of vulnerabilities present in the protocols employed in the WSN. Attackers having physical access to the network is always a major security concern. Most attacks target the communication channel and try to eliminate the link between the sensor nodes, or feed a large amount of traffic to consume the limited computational resources [6].

Layer              Attacks
Application Layer  Data corruption, Repudiation
Transport Layer    Session hijacking, SYN flooding
Network Layer      Black-hole, Wormhole, Resource consumption, Location disclosure attacks, Flooding, Byzantine
Data Link Layer    Traffic analysis, WEP weakness
Physical Layer     Jamming, Interception, Eavesdropping
Multi-Layer        Denial of Service (DoS), Man-in-the-middle (MIM), Impersonation
Table: Attack classification based on layers

Attacker Model: Taxonomy of attacks

The attacker model is classified as internal and external. In an internal or insider attack, the sensor nodes contain some cryptographic keys used to validate the encryption of the network; when such a node is compromised, the attacker takes full control of it and performs malicious activity, and after gaining full control can possibly read the cryptographic keys as well. The other model is the external or outsider attack, where no cryptographic keys are needed to perform the attack.

authentication. It also continuously monitors the network, thereby providing availability, and provides integrity and confidentiality by preventing attempts to compromise the system. The IDS maintains a log which helps in discovering malicious activities.
by which it alerts the administrator that the network has been attacked, so that the necessary actions can be taken to eradicate the attack. Based on architecture, intrusion detection can be classified as follows.

Standalone IDS: As the name signifies, it works on each node individually without sharing any information with other nodes; it monitors the network activities and detects malicious activities based on the system logs.

Distributed IDS: Each node monitors and controls the activities of its neighboring nodes in the network, detects attacks by analyzing the traffic patterns, and reports the information to the cluster head.

Hierarchical IDS: These are usually employed for multilayer networks. Nodes are grouped into clusters and each cluster has a cluster-head. The IDS is deployed in the cluster-heads, which monitor the network for malicious activity by verifying how each node behaves; if a node drops or alters a packet, that node is tagged as vulnerable.

Fig: Challenges in designing IDS

Requirements for IDS for WSN

From the above mentioned challenges, it is straightforward that, in order to meet the special features of the sensor network, the IDS should meet the following requirements.
Analysis & Detection phase:
1. This phase depends on the modeling algorithms.
2. It analyzes the traffic patterns and event logs and compares them with the predefined standards, i.e. the standards describing how the system works normally without any malicious activity.
3. If there is any deviation from the standards defined in the algorithm, an intrusion is detected.

Alarm:
1. Once an intrusion is detected it should be notified, and hence a response is generated to alert the system.

Signature-based Intrusion Detection System

A signature-based intrusion detection system has a set of predefined rules that describe previous security attacks. The system monitors the network activities, and any deviation from the predefined rules is referred to as an attack. Since it depends on rules for detecting an attack, it is also known as a rule-based intrusion detection system.

Fig: Signature Based IDS

A decentralized signature-based intrusion detection system works in three phases [7].

Data acquisition phase: In this phase all the messages transmitted and received in the network are monitored. A filter is applied to these messages so that only the important messages, with certain message fields, are retained and stored in the database. This reduces memory consumption and processing time, as unwanted messages are not processed, and also reduces the energy used, hence meeting the constraints of the WSN. The data filtered from the messages is stored in an array data structure. It should also be noted that this data is cleared either when the whole storage has been occupied or after a period of time.

Rule application phase: This phase evaluates the data in the array against the predefined rules for each message type. When a record fails a particular rule, that record is discarded and the failure count is incremented by one. This also reduces processing time, since the record is not evaluated against the remaining rules, and reduces the memory consumed. It should be noted that the rules are stored in increasing order of complexity; a failure to meet a rule already indicates that there is an issue, so the intrusion can be detected at a faster rate. If a particular message does not fail any of the rules, the message is discarded, as there is no chance of an intrusion.

Intrusion detection phase: The major issue for an intrusion detection system is to differentiate a network failure from an attack. If a false alarm is triggered for a network failure, deploying the IDS would not be feasible. In order to differentiate network failures from attacks, the following technique is implemented. In this model the alarm is triggered without considering the network failures. A monitor node is used to detect the failures during the transmission of messages in that particular sensor network and to calculate the transmission failures of all the nodes. It also stores the average failure count of each node and updates it based on the current failures; hence the history of the failure count of each node is maintained, and this is referred to as the deviation
tolerance. The failure count for the node is then calculated by subtracting the deviation tolerance, and the alarm is triggered if the frequency is higher than expected.

This system is able to detect all the known attacks but is incapable of detecting any new attacks.

Anomaly-based Intrusion Detection System

An anomaly-based intrusion detection system is able to classify the behavior of the system as malicious or normal. It classifies the behavior based on heuristics or rules. In this approach the system continuously monitors the traffic, then stores and analyzes it. An anomaly-based IDS learns the normal behavior of the system, either by artificial intelligence or by a neural network, and this acts as the baseline. The IDS then evaluates the current traffic pattern by comparing it with the normal system behavior, computing the difference, i.e. how much the current traffic pattern differs from the standard behavior. The difference computed by this comparison is then checked against a threshold. The threshold specifies the value within which the system behaves legitimately, and it is calculated for a particular network during the training phase. If the computed difference is greater than the threshold, the sensor node is referred to as malicious [4].

Fig: Anomaly based IDS

This method is capable of finding new attacks, but its main disadvantage is that there is a high possibility of missing well-known attacks.

Since anomaly detection is based on the host network, many distinctive process models are used, depending on the behavior.

One such method is the operational or threshold model. The count of the number of events that occur over a period of time determines whether the event falls in the normal or the attack category [3].

Another model in anomaly IDS is the statistical moment model, where statistics such as the mean and standard deviation are considered as moments. If an event falls outside the interval, or below the moments, that particular event is considered anomalous. The main difference from the operational model is that prior knowledge is required to determine normal activity and abnormal activity. The main drawback of the first model is that it lacks a way of determining the intervals, which depend on the user [3].

Specification-based Intrusion Detection System

The normal functioning of the system can be described by a set of specifications and constraints. This technique is employed in an IDS that continuously monitors both the specifications and the constraints of the system. This helps the system find even unknown attacks with very few false alarms. It should be noted that a signature-based intrusion detection system is capable of finding all the well-known attacks, and anomaly-based intrusion detection is capable of finding new attacks. Combining the positive aspects of both, a specification-based intrusion detection system is built with manually created specifications and constraints to differentiate legitimate system behavior from malicious system behavior. Hence this is also known as a hybrid intrusion detection system. It has two modules: the first is a signature-based module capable of finding attacks with well-known signature patterns, and the second is an anomaly-based module used to distinguish the normal behavior of the system from malicious behavior, from which new attacks can be detected. As it uses two modules, it requires more memory and computational capability to perform the task, which makes this technique impossible to deploy on the sensor nodes, as they have low resources.

inclusion of a new attack is a complex task, as it uses data mining or pattern matching techniques. This technique is good enough to discover well-known attacks. It should also be noted that it uses more resources and performs more computation compared to anomaly detection.
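To make the three phases of the decentralized signature-based scheme described above concrete, here is an added Python example; it is not code from the paper or from [7], and the message fields, the hop-count rule, the replay rule, the array capacity and the traffic are all constructed for the illustration:

```python
from collections import defaultdict
from statistics import mean
# Constructed traffic seen by one monitor node: n3 inflates a hop count and
# replays a sequence number; n1 and n2 behave; HELLO has no rules and is dropped.
SAMPLE_MESSAGES = [
    {"type": "DATA", "src": "n1", "hops": 2, "seq": 1},
    {"type": "HELLO", "src": "n2", "hops": 1, "seq": 9},
    {"type": "DATA", "src": "n3", "hops": 9, "seq": 5},
    {"type": "DATA", "src": "n2", "hops": 3, "seq": 1},
    {"type": "DATA", "src": "n3", "hops": 2, "seq": 5},
    {"type": "DATA", "src": "n3", "hops": 2, "seq": 4},
    {"type": "DATA", "src": "n1", "hops": 2, "seq": 2},
]

# Rules per message type, cheapest first: (record, per-source state) -> passes?
def rule_hops(m, st): return m["hops"] <= 4  # assumed hop bound of the topology
def rule_seq(m, st):  # stateful replay check, so it is evaluated last
    ok = m["seq"] > st.get("last_seq", 0)
    st["last_seq"] = max(st.get("last_seq", 0), m["seq"])
    return ok
RULES = {"DATA": [rule_hops, rule_seq]}

def acquire(messages, capacity=3):
    """Data acquisition phase: keep only types that have rules and only the
    fields the rules read; the bounded array is handed over (cleared) when full."""
    kept = [{k: m[k] for k in ("type", "src", "hops", "seq")}
            for m in messages if m["type"] in RULES]
    return [kept[i:i + capacity] for i in range(0, len(kept), capacity)]

def apply_rules(batch, state, failures):
    """Rule application phase: stop at the first failed rule, discard the
    record and count one failure for its source; passing records are dropped."""
    for m in batch:
        for rule in RULES[m["type"]]:
            if not rule(m, state[m["src"]]):
                failures[m["src"]] += 1
                break

def detect(failures, history, expected=1):
    """Intrusion detection phase: subtract each node's deviation tolerance (its
    average past failure count, i.e. ordinary link failures) before alarming."""
    alarms = []
    for node, count in failures.items():
        past = history.setdefault(node, [])
        if count - (mean(past) if past else 0.0) > expected:
            alarms.append(node)
        past.append(count)  # the monitor node keeps the per-node history
    return sorted(alarms)

def run(messages, history):  # one monitoring round; reuse history across rounds
    state, failures = defaultdict(dict), defaultdict(int)
    for batch in acquire(messages):
        apply_rules(batch, state, failures)
    return dict(failures), detect(failures, history)
```

Running the same round twice with a shared history shows the deviation tolerance at work: the first round alarms on n3, while a node whose past average already equals its current count is treated as ordinary link failure.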
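The operational (threshold) model and the statistical-moment model of the anomaly-based IDS described above, as an added Python example that is not part of the original paper or of [3]; the training rates, the event times, the choice of k and the per-window rate feature are assumptions made for the illustration:

```python
from statistics import mean, pstdev

# Constructed training traffic: packets per 10-second window sent by one node
# while the network is assumed clean (the training phase).
TRAINING_RATES = [10, 12, 11, 9, 10, 13, 11, 10, 12, 11]

def train_baseline(rates, k=3.0):
    """Training phase of the statistical-moment model: the moments are the mean
    and standard deviation of the normal rate, and the legitimate interval
    (the threshold) is mean +/- k standard deviations."""
    mu, sigma = mean(rates), pstdev(rates)
    return {"mean": mu, "sd": sigma, "low": mu - k * sigma, "high": mu + k * sigma}

def moment_model(baseline, rate):
    """Statistical-moment model: anomalous when the observed rate falls outside
    the learned interval. Returns (is_anomalous, distance in std deviations)."""
    z = (rate - baseline["mean"]) / (baseline["sd"] or 1e-9)
    return not (baseline["low"] <= rate <= baseline["high"]), round(z, 2)

def threshold_model(event_times, period, limit):
    """Operational (threshold) model: count events per fixed period and flag the
    periods whose count exceeds the user-chosen limit; no training involved."""
    counts = {}
    for t in event_times:
        slot = int(t // period)
        counts[slot] = counts.get(slot, 0) + 1
    return sorted(slot for slot, c in counts.items() if c > limit)

def evaluate_node(baseline, observed_rates):
    """Anomaly IDS evaluation: compare each observed window with the baseline and
    tag the node malicious if any window lies outside the legitimate interval."""
    flagged = [r for r in observed_rates if moment_model(baseline, r)[0]]
    return {"malicious": bool(flagged), "flagged_rates": flagged}

def false_alarm_rate(baseline, clean_rates):
    """Fraction of known-clean windows the interval would wrongly flag; used to
    tune k during training so that ordinary variation does not raise alarms."""
    hits = sum(moment_model(baseline, r)[0] for r in clean_rates)
    return hits / len(clean_rates)
```

Recomputing the baseline with a smaller k shows the trade-off the training phase settles: a tight interval flags most of the clean training windows, a wide one misses small deviations.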
Fig: IDS for Sink
Fig: Proposed solution for IDS [1]

Intrusion detection for the sink:

Due to the high availability of resources in the sink nodes compared to the cluster heads and sensor nodes, an intelligent host-based intrusion detection system (IHIDS) is developed. This system combines anomaly detection and signature-based intrusion detection for better computing. By this it can not only achieve a high detection rate but also low false positives. It also solves the problem of unknown attacks by using a learning mechanism through which it can learn and add new classes. The proposed model consists of four modules: anomaly detection, where the behaviour of the packets is observed and any packets that do not match the usual behaviour are considered attacks; signature-based detection, where the abnormal packets are filtered for type detection; a decision-making module, to which the result of these two modules is passed to show the intrusion type; and the learning mechanism mentioned above.

Intrusion detection for the CH:

Compared to the sink, the availability of resources is limited in the cluster head (CH), hence a host-based intrusion detection system (HIDS) is deployed. This system has three modules: anomaly detection, which filters the packets based on their behaviour; signature-based detection, where the packets are analysed based on their type; and a decision-making module, where the intrusion type and the follow-up are decided. HIDS and IHIDS are similar; the only difference is that IHIDS has a learning mechanism. The presence of the learning mechanism can be correlated with the availability of resources: since fewer resources are available in the cluster heads, the possibility of unknown attacks is cut down compared to the sink nodes. Another stated reason is that if the CH uses too much energy, the lifespan of the network is shorter, hence the necessity for a learning phase is not met. Though the learning mechanism is omitted, the classes are updated through a feedback mechanism between the sink and the CH. The mechanism works by feeding into the signature-based detection module the data learnt in the learning phase of the IHIDS. By this the HIDS saves the resources needed to learn new attacks. The HIDS is retrained about the new attack every time the signature-based detection module in the HIDS receives
feedback from the IHIDS. This is possible because of the similarity between the IHIDS and the HIDS.

4) Another influence is that the rule-based method does not need to perform any complex computation, hence its speed is maintained.
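The IHIDS at the sink and the HIDS at the CH with the feedback mechanism between them, as an added Python sketch that is not code from the paper or from [1]; the packet features, the signature names and patterns, and the behaviour thresholds are constructed for the illustration:

```python
# Constructed packet records: 'rate' and 'size' are the behaviour features the
# anomaly module looks at; 'pattern' is the protocol-level feature a signature
# matches on. Signature names and patterns are made up for this example.
KNOWN_SIGNATURES = {"flooding": "burst", "blackhole": "drop_all"}

def anomaly_module(pkt, usual_rate=20, usual_size=64):
    """Anomaly detection: a packet whose behaviour departs far from the usual
    behaviour is treated as an attack candidate."""
    return pkt["rate"] > 2 * usual_rate or pkt["size"] > 2 * usual_size

def signature_module(pkt, signatures):
    """Signature-based detection: name the known attack type the packet matches."""
    for name, pattern in signatures.items():
        if pkt["pattern"] == pattern:
            return name
    return None

class HIDS:
    """Cluster-head IDS: anomaly -> signature -> decision, without learning."""
    def __init__(self, signatures):
        self.signatures = dict(signatures)
    def decide(self, pkt):
        """Decision-making module: the intrusion type and the follow-up."""
        if not anomaly_module(pkt):
            return ("normal", None)
        kind = signature_module(pkt, self.signatures)
        return ("known_attack", kind) if kind else ("unknown_attack", None)
    def receive_feedback(self, new_signatures):
        """Retraining from the sink: new classes enter the signature module."""
        self.signatures.update(new_signatures)

class IHIDS(HIDS):
    """Sink IDS: the same modules plus a learning mechanism that adds a class
    for every abnormal packet no signature explains."""
    def __init__(self, signatures):
        super().__init__(signatures)
        self.learned = {}  # classes learnt since the last feedback
    def decide(self, pkt):
        verdict, kind = super().decide(pkt)
        if verdict == "unknown_attack":
            kind = "learned_" + pkt["pattern"]
            self.signatures[kind] = self.learned[kind] = pkt["pattern"]
            verdict = "new_attack"
        return (verdict, kind)
    def feedback(self, ch):
        """Push the learnt classes down to a cluster head and forget them here."""
        ch.receive_feedback(self.learned)
        self.learned = {}
```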
VII. CONCLUSION
[5] Joseph Rish Simenthy CEng, AMIE, and K. Vijayan, "Advanced Intrusion Detection System for Wireless Sensor Networks", Dept. of Telecommunication and Networks, SRM University, Kattankulathur, Tamil Nadu, India. http://www.ijareeie.com/upload/2014/apr14-specialissue3/33_R33_Joseph.pdf
[8] https://en.wikipedia.org/wiki/Wireless_sensor_network
CONTRIBUTION