
Int. J. Ad Hoc and Ubiquitous Computing, Vol. x, No. x, 200x 1

Copyright © 200x Inderscience Enterprises Ltd.

A survey of Intrusion Detection Systems for Wireless Sensor Networks

Ashfaq Hussain Farooqi and Farrukh Aslam Khan* Department of Computer Science, FAST National University of Computer and Emerging Sciences, A.K. Brohi Road, H-11/4, Islamabad, Pakistan E-mail: [email protected] E-mail: [email protected] *Corresponding author

Abstract: Wireless Sensor Networks (WSNs) are vulnerable to various kinds of security threats that can degrade the performance of the network and may cause the sensors to send wrong information to the sink. Key management, authentication and secure routing protocols cannot guarantee the required security for WSNs. Intrusion Detection System (IDS) provides a solution to this problem by analysing the network in order to detect abnormal behaviour of the sensor node(s). Researchers have proposed various approaches for detecting intrusions in WSNs during the past few years. In this survey, we classify these approaches into three categories and discuss them in detail.

Keywords: WSNs; wireless sensor networks; IDS; intrusion detection system; IDS agent installation; misuse detection; anomaly-based detection; specification-based detection; denial of service; black-hole attack; Sybil attack.

Reference to this paper should be made as follows: Farooqi, A.H. and Khan, F.A. (xxxx) ‘A survey of Intrusion Detection Systems for Wireless Sensor Networks’, Int. J. Ad Hoc and Ubiquitous Computing, Vol. x, No. x, pp.xxx–xxx.

Biographical notes: Ashfaq Hussain Farooqi received his BS in Information Technology from Allama Iqbal Open University (AIOU), Islamabad, Pakistan, in 2007, and his MS in Computer Sciences from FAST National University of Computer and Emerging Sciences (NUCES), Islamabad, Pakistan, in June 2009. Since August 2009, he has been working towards his PhD in the Department of Computer Science, FAST-NUCES, Islamabad, Pakistan.

Farrukh Aslam Khan is currently an Assistant Professor in the Department of Computer Science, FAST National University of Computer and Emerging Sciences (NUCES), Islamabad, Pakistan. He did his BSc and MSc in Computer Science from University of Peshawar, Pakistan. He did his MS in Computer System Engineering from GIK Institute of Engineering Sciences and Technology, Topi, Pakistan, and PhD in Computer Engineering from Cheju National University, Jeju, South Korea, in 2003 and 2007 respectively. His areas of interest are wireless ad hoc and sensor networks as well as network security and cryptography.

1 Introduction

Wireless Sensor Networks (WSNs) are distributed, infrastructureless, fault-tolerant, scalable and dynamic in nature (Akyildiz et al., 2002). These networks are low cost and easy to install in an area. They are built upon small-sized, low-power and self-controlled nodes called sensor nodes. These nodes have small memory, limited computation capacity and a short lifetime (dependent on battery life). Sensor nodes gather useful information from their surroundings and transmit it to the user-controlled system called Base Station (BS) or sink for analysis. Such networks might be used for battlefield surveillance, judging volcanic behaviour, monitoring animal movement, predicting tsunamis, etc. Sensor nodes are densely deployed in the sensor field (the area under consideration). They maintain a topology and start sensing the environment. Data gathered from the surroundings is processed and transmitted to the BS or sink using a routing protocol. Their topology is dynamic and changes frequently owing to the limitations of the sensor nodes. Sensor nodes may get damaged owing to heavy wind, rain, sunshine, animals, etc., or their batteries may run out. Here, the routing protocol plays an important role because nodes leave or join the sensor network at irregular intervals. A number of routing protocols have been proposed for WSNs. Akkaya and Younis (2005) classify them into three major categories: hierarchical, data-centric and location-based routing protocols.

Security is a major concern for all types of network paradigms, whether they are wired networks, mobile ad hoc networks or the newly emerging IP Multimedia Subsystems (IMSs). The vision for the security of a network is secure transmission and reliable delivery of packets from a source to the destination. In WSNs, key management, authentication (Liu et al., 2005) and secure routing protocols provide secure transmission but do not ensure reliable delivery of messages. In other words, these mechanisms can protect the network from outside attacks but fail against inside attacks. These mechanisms aim to provide data confidentiality, data authentication and data integrity. In an outside attack, when an intruder tries to get access to the data, these mechanisms protect the secret information. During an inside attack, a sensor node that is part of the sensor network starts behaving maliciously without trying to access the data in the messages. Such attacks aim to affect the throughput of the network (e.g., by dropping received packets without forwarding them). Hence, critical information that is important for making decisions about the sensor field will not reach the sink or BS.

WSNs are vulnerable to several types of security threats that can degrade the overall performance of these networks. According to Wood and Stankovic (2002), various attacks are possible on different layers of the sensor node that may cause DoS in WSNs. In Karlof and Wagner (2003), the authors discuss various routing protocol attacks that affect the throughput of the sensor network. The possibility of the Sybil attack in WSNs is briefly discussed in Newsome et al. (2004), where some countermeasures for these attacks are also presented. According to that work, the Sybil attack can affect different protocols in distributed storage, data aggregation, routing, voting, etc. A thorough treatment is presented in Roosta et al. (2006), which covers a number of possible attacks that can be launched with malicious intent and provides a comprehensive taxonomy of security threats on sensor networks. In Bojkovic et al. (2008), the authors conduct a survey on security issues of WSNs. They focus on various attack scenarios in WSNs and key distribution mechanisms. According to them, IDS is an underdeveloped service for sensor networks that should be explored.

IDS (Innella and McMillan, 2001) is a security mechanism used to detect the abnormal behaviour of mobile nodes in ad hoc networks (Wang, 2006) and of clients in IMS (Farooqi and Munir, 2008). It is thought that ‘IDS is not fit’ for securing WSNs. This seems plausible because IDS approaches are computationally expensive. However, technology is changing rapidly and, looking to the future, the capabilities of a sensor node will increase. Sensors will have more memory and a longer survival time, and might be used for transmitting multimedia information (Akyildiz et al., 2007). Furthermore, these devices will be used for underwater applications in future (Heidemann et al., 2006). Recent research in Radio Frequency Identification (RFID) has given birth to Radio Frequency Identification Sensor Networks (RSNs) (Buettner et al., 2009), which combine the advantages of RFID and WSNs. These networks will become widespread and may be used in our daily lives, as much research into their applications is in progress. On the other hand, if we consider a WSN that is tracking the movement of an enemy, it can provide very critical information for making a strategy to beat the enemy in that area. Hence, a secure WSN is required that ensures secure transmission and reliable delivery of packets in the network.

IDS-based mechanisms can be very effective. They can detect abnormal behaviour of the sensor nodes such as DoS attacks. In an IDS, the unit that analyses the network and detects the abnormal behaviour of node(s) is called an IDS agent. It works in three phases: collection, processing and action. Initially, network data is collected for a specified interval of time. Processing depends on the detection mechanism. There are three types of detection techniques: misuse detection, anomaly-based detection and specification-based detection. In misuse detection, the system searches for specific patterns or signatures to detect the intruder, while in anomaly-based detection the system learns the normal behaviour of the network and then declares as intrusive anything that deviates from the pattern it has learnt. In specification-based detection, rules are defined for particular attacks and used to analyse the behaviour of the nodes; if a node violates n rules, it is declared abnormal. After detection, an alert is generated so that appropriate action can be taken. Misuse detection is also known as signature-based detection. It detects only known attacks and does not perform well for unknown attacks. On the other hand, both anomaly- and specification-based techniques detect known and unknown attacks efficiently and achieve a low false positive rate.1 That is why researchers are focusing on improving the existing mechanisms or coming up with innovations in these two kinds of detection techniques.

In recent years, researchers have proposed a number of IDS-based security mechanisms that analyse the working of sensor node(s) and efficiently detect abnormal activities. They mostly focus on routing protocol attacks to explain their detection methodologies. Their works differ from each other in two ways: the installation of the IDS agent and the detection policy. There are three possibilities for installing an IDS agent: purely centralised, purely distributed and distributed-centralised. In the first approach, it is installed only at the sink or BS, whereas in the second approach an IDS agent is present in every sensor node. In the third approach, only monitor nodes are used for intrusion detection.

IDS is a mature research field in wired networks as well as in ad hoc networks. In sensor networks, it is still a new area that can be explored further. Researchers have proposed a number of IDS-based methodologies for wired or ad hoc networks, but these cannot be applied directly to WSNs owing to the limitations of sensor networks (traffic is directed towards the sink or BS) and the capabilities of sensor nodes. Standard intrusion detection that works well for wired networks is not appropriate for WSNs because it is computationally expensive for the sensor nodes. Energy-efficient IDS is more favourable for these networks (Techateerawat and Jennings, 2006).


A number of attacks that influence the overall working of WSNs are briefly discussed in Bojkovic et al. (2008). According to them, “IDS is an interesting, underdeveloped service, useful for scenarios where there is a possibility for a node being subverted and controlled by an adversary”. They propose a detection technique that uses Hidden Markov Model (HMM). HMM predicts intrusion state sequence by correlating state transitions and system observation.

A survey of anomaly detection mechanisms is conducted in Rajasegarar et al. (2008), which classifies them into two categories (according to their model): parametric or non-parametric techniques (see Table 1).

Table 1 Parametric vs. non-parametric

                    Parametric        Non-parametric
Data distribution   Known             Not known
Usage               App. dependent    Resource constrained
Data changes        Not frequently    Frequently
Sensor nodes        Static            Static or mobile
Approach            Multivariate      Rule or density based, clustering, CUSUM

Their work focuses only on anomaly-based techniques, and they discuss and compare five different approaches. The paper does not provide a complete picture of the IDS approaches proposed for WSNs. Our work differs from others in various aspects. We discuss various security threats to WSNs; our aim is not to give solutions for these threats but to provide a detailed survey and compare the different IDS-based security mechanisms that have been proposed in recent years.

In this survey, we classify the various methodologies on the basis of the installation of IDS agents and further explore the way they apply the detection policy. We assign names to the proposed approaches according to the detection algorithm or IDS architecture used in the respective papers. We also note that the approaches differ in how they decide whether to declare a sensor node malicious.

The rest of the paper is organised as follows: Section 2 provides a brief description of security issues in WSNs. Section 3 contains an introduction to the IDSs. We classify IDS-based security mechanisms in Section 4 and explain each methodology. Finally, Section 5 concludes the paper.

2 Security issues in Wireless Sensor Networks

Security is one of the major challenges for wireless networks, particularly wireless ad hoc and sensor networks. These networks are more vulnerable to attacks than wired networks because they are infrastructureless and dynamic in nature. According to Cordeiro and Agrawal (2006), “WSNs can be considered as a special case of ad hoc networks with reduced or no mobility”. Ad hoc networks have several similarities with sensor networks, such as no infrastructure, distributed nodes and dynamic topology, while sensor networks differ in various aspects too, i.e.,

• sensor nodes are densely deployed in an area to check the surrounding activities

• sensor nodes transmit the information to the BS or sink

• nodes are self-organising in WSNs.

WSNs inherit a number of security threats of ad hoc networks while several others are new. In this section, we briefly discuss the DoS attack, Sybil attack, routing attacks and some other possible attacks in WSNs.

Denial of Service attack

Sometimes a legitimate user cannot communicate with other users in the network or with the server even though the network administrator has granted the necessary rights. This may be due to a DoS attack. In such attacks, legitimate users are unable to communicate properly with the server or with other nodes. They affect various layers of the protocol stack of the node, whether it is a laptop, mobile host or any other device. Security mechanisms are modelled for different networks keeping in view the possibility of these attacks.

Our discussion of security issues is incomplete without a proper definition of a compromised node, because these attacks are launched by an adversary through a compromised sensor node. When an adversary gains control over a node after its deployment, it becomes a compromised node. The adversary can launch various types of attacks by altering the node’s configuration, i.e., adding malicious data to messages, selective forwarding, black-hole attack, etc. A compromised node otherwise appears normal and performs the activities of a legitimate node. DoS attacks may be launched in a number of ways in WSNs. There are several possible attacks on the protocol stack or different layers of the sensor node that may cause DoS (Wood and Stankovic, 2002). These are discussed here:

• Physical layer: Jamming and tampering attacks are possible. Against these, nodes should change their mode of transmission (jamming) or hide information (tampering).

• Link layer: Collisions may cause exhaustion or unfairness. Error-correcting codes or any other mechanism might be used to avoid such attacks.

• Network or routing layer: Black-hole, misdirection, etc., can be launched at the network layer. More sophisticated mechanisms are required to stop these attacks.

• Transport layer: The attacks that can be launched at this layer are flooding and de-synchronisation. These relate to the actual data packet flow and can be minimised by a client-puzzle mechanism or authorisation.

Attacks on routing layer

IDS-based security mechanisms have mainly focused on the network or routing protocol attacks. In Karlof and Wagner (2003), the authors provide detailed information about various routing attacks. In this section, we discuss several attacks that target the routing protocol or network layer, such as selective forwarding, black-hole, sink-hole, worm-hole, homing and HELLO flood attacks.

HELLO flood attack: It is a common attack in networks, whether wired or wireless. In WSNs, it is launched by a compromised node, which sends HELLO messages to its neighbours to exhaust their batteries and create congestion; hence, they do not work properly. A sensor node that malfunctions owing to some physical damage may also cause this behaviour.

Homing attack: A compromised node can be configured such that when it receives rebroadcast messages, it does not forward them because it thinks that these messages are destined to it.

Selective forwarding: In this type of attack, the compromised node selectively forwards messages to other nodes and drops a fraction of the messages. The fraction of packets dropped depends on the adversary’s configuration; sometimes it is even configured which nodes’ messages should be forwarded or dropped.

Consider the sensor network shown in Figure 1. Let node C selectively forward the received packets. It drops a fraction t of the packets and forwards the rest. This attack is difficult to detect because the node still forwards packets.

Figure 1 24 Sensor nodes communicating with sink in a sensor network

Black-hole attack: A compromised node sends wrong routing information to its neighbours and mentions that it has a low-cost route to the sink or BS. Neighbour nodes may start sending packets through this node. It is up to the configuration of that node whether it drops all the packets or does something else.

Let node C be compromised by an adversary and start sending wrong routing information to its neighbours A, D, F, I and J, as shown in Figure 2(a). A and D will not change their routes because they are very near to the sink, but node J will start sending data to node C to route to the sink because it appears to be the shortest route. Here, the target node J is in the main stream or flow of data to the BS, and now more than half of the network nodes send data through node C. This means that the sink receives far fewer updates about the sensor field.

Figure 2 (a) Node J sending data through node C, which is compromised, and (b) a scenario for the sink-hole attack where node D is compromised

Sink-hole attack: In the Sink-hole attack, the compromised node tries to gain more attention from its surroundings and tries to become the parent node of its neighbours. In MintRoute routing protocol (see Appendix A), the compromised node sends wrong information in route update message and becomes the parent (Krontiris et al., 2008). If it succeeds, then more traffic moves to that node like messages from its neighbour and the neighbour’s children. It usually drops all the packets it receives, so the BS receives less information from the sensor network.

Consider the topology shown in Figure 1. Let node D be compromised by an adversary. It sends messages to its neighbours and tries to become the parent (in the case of MintRoute) or appears as the sink. The neighbours of node D update their routes. The affected nodes are C, E and J, as shown in Figure 2(b). These nodes start communicating with D, and packets might be dropped there. Node D receives the majority of the data packets that should be routed to the sink, so the sink or BS gets incomplete information about the sensor field.

Worm-hole attack: A compromised node tunnels messages received in one part of the network over a low-latency link and replays them in a different part (Tun and Maw, 2008). This attack works in a cooperative manner: two or more compromised nodes take part in degrading the performance by tunnelling as many messages as possible between each other. Sensor nodes can overhear messages in promiscuous mode that are not destined to them. In WSNs, this attack can be easily launched in different ways, such as by high-powered transmission. Under this attack, nodes think that by using the tunnel they can route their messages in a smaller number of hops, because the two end points of the tunnel appear near to each other. An attacker can affect the normal operation of the routing protocol by using the tunnelling mechanism and can control various routes.

Sybil attack: Sybil attack is caused by a Sybil node placed in the range of the wireless network. The Sybil node appears in the network with multiple identities. It acts as if multiple nodes are functioning. Once it gets into the network, it can overhear the communications of neighbour nodes or can act maliciously (i.e., causing DoS). It may control network activities and can damage the network performance. It can play a major role in providing malicious information by attacking different protocols of WSNs too.

Initially, the Sybil attack was considered an attack on peer-to-peer networks. In Newsome et al. (2004), the authors describe its occurrence in sensor networks. According to them, it can affect different protocols and can play a major role in degrading the performance of the wireless network. These protocols are:

• Distributed storage: When a node dies, it shares its information with its neighbours. The neighbour may be a Sybil node, which then gains access to the secret data.

• Routing: A Sybil node may advertise multiple routes to a single destination and can perform other malicious activities too.

• Data aggregation: If a packet passes through a Sybil node, it can add information or alter it while aggregating the packet.

• Voting: If a Sybil node gets into the network with different identities, it can vote against a legitimate node and have it classified as malicious by majority.

• Fair resource allocation: It is the function of a sensor node to share resources, as some nodes remain active for a particular time interval while others sleep for that time. When the time is up, the others become active and the previous ones sleep, and so on. A Sybil node can give wrong information to its neighbours by sending them an activation call before their turn, so that they remain active for too long and exhaust their batteries earlier.

• Misbehaviour detection: Here the Sybil node generates an alert against a legitimate node, claiming that the node is acting maliciously.

Miscellaneous other attacks

A sensor network works in wireless environment using self-controlling sensor nodes. There are a number of security issues and countermeasures discussed by Roosta et al. (2006) and Bojkovic et al. (2008). We just highlight them here to provide an overall picture of the security requirements for WSNs. These are:

• traffic analysis attacks

• key management protocols

• attacks on reputation assignment schemes

• attacks on in-network processing

• target location problem

• security in group communication

• software updating in WSNs

3 Intrusion Detection System

IDS is a system that checks the network behaviour and finds the nodes that are not working normally. IDS-based security mechanisms are proposed for other network paradigms too. It is a mature research field for wired networks or ad hoc networks while it is an emerging area of research in IMS and WSNs. IDS is an additional unit installed at the clients or server or both. This unit is called IDS agent. IDS agent works in three essential sequential steps (Innella and McMillan, 2001): monitor network behaviour, detect the intrusion and respond to the abnormal activity. In other words, we say that the IDS agent works in three phases and each phase has a unit such as:

• Collection unit: It collects the network data.

• Detection unit: It applies the detection policy to find intrusions.

• Response unit: It generates alert in case of abnormal node detection.

Various approaches are used to develop these systems depending on the nature of the network architecture. In this section, we explain various ways of installation of the IDS agent and also define various detection policies.

3.1 IDS agent installation

The IDS agent performs an important task in securing the network from intrusive attacks. Researchers use three different ways of installing the IDS agent in WSNs: purely centralised, purely distributed and distributed-centralised.

Purely centralised IDS agent installation mechanism

In WSNs, sensor nodes sense the environment and transmit processed information to the sink or BS. All the sensor nodes scattered in the sensor area communicate with the sink and the analysis of the field is done by users or human beings. In purely centralised IDS approach, IDS agent is installed in the sink or BS. It requires an additional special routing protocol that gathers or collects information from nodes to analyse the behaviour of the sensor nodes collectively.

Purely distributed IDS agent installation mechanism

Sensor nodes work in a distributed manner. In the purely distributed IDS approach, an IDS agent is installed in every node. It checks for abnormal behaviour of neighbouring nodes locally, analysing the data that it receives from nodes in its radio range. Sensor nodes audit that data and generate alerts for abnormal activity. There are two further ways of declaring a node compromised or not. In individualised decision-making, the node that detects the anomalous behaviour of another node sends that information to the sink or BS. In cooperative decision-making, the node that detects the anomalous behaviour of a node communicates with the other nodes, and the suspected node is declared compromised after voting. If the majority of the nodes validate it, proper action is taken to secure the network according to the configuration.
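The two decision modes described above, as an added example written for this survey (not code from the paper or from any of the surveyed systems). Every IDS agent audits the neighbours it can overhear and forms a local verdict from a forwarding ratio; in the individualised mode each alert goes straight to the sink, while in the cooperative mode the suspect's neighbours vote and a strict majority is required. The node names, the neighbourhood table, the audit counts and the 0.5 ratio are all constructed.

```python
"""Decision-making in a purely distributed IDS: every node runs an IDS agent
that watches its radio neighbours; a suspect is either reported straight to
the sink (individualised) or put to a vote among the suspect's neighbours
(cooperative).

Added example written for this survey, not code from the paper. The node
names, neighbourhood table, observations and the 0.5 ratio are constructed.
"""

# Constructed topology: which neighbours each node can overhear.
NEIGHBOURS = {
    "A": {"B", "C", "E"},
    "B": {"A", "C", "D"},
    "C": {"A", "B", "D", "E"},
    "D": {"B", "C", "E"},
    "E": {"A", "C", "D"},
}

# Constructed audit data for one interval:
# (monitoring node, observed node) -> (packets seen received, packets seen forwarded)
# C drops almost everything (black-hole behaviour). E is healthy, but A overhears
# E through a lossy link and therefore under-counts E's forwarded packets.
OBSERVATIONS = {
    ("A", "C"): (20, 2), ("B", "C"): (18, 1), ("D", "C"): (21, 3), ("E", "C"): (19, 0),
    ("A", "E"): (20, 6), ("D", "E"): (20, 19), ("C", "E"): (20, 18),
    ("A", "B"): (20, 20), ("B", "A"): (20, 19), ("B", "D"): (20, 20),
    ("D", "B"): (20, 20), ("E", "A"): (20, 20), ("E", "D"): (20, 19),
    ("C", "A"): (20, 20), ("C", "B"): (20, 20), ("C", "D"): (20, 20),
}

SUSPICIOUS_RATIO = 0.5  # constructed: below this forwarding ratio a monitor raises an alert


def local_verdict(received, forwarded):
    """One IDS agent's opinion about one neighbour, from its own audit data."""
    ratio = forwarded / received if received else 1.0
    return ratio < SUSPICIOUS_RATIO


def individualised_decision(observations=OBSERVATIONS):
    """Each detecting node reports to the sink on its own. Returns the alerts
    the sink receives as sorted (reporter, suspect) pairs."""
    return sorted((monitor, suspect)
                  for (monitor, suspect), (rx, fwd) in observations.items()
                  if local_verdict(rx, fwd))


def cooperative_decision(observations=OBSERVATIONS, neighbours=NEIGHBOURS):
    """A detecting node asks the suspect's other neighbours for their verdicts;
    the suspect is declared compromised only on a strict majority of the
    neighbours that actually observed it. Returns {suspect: (votes_against, voters)}."""
    suspects = {suspect for (_, suspect) in individualised_decision(observations)}
    declared = {}
    for suspect in suspects:
        votes_against = voters = 0
        for monitor in neighbours[suspect]:
            if (monitor, suspect) not in observations:
                continue  # no audit data for this pair, so this neighbour abstains
            voters += 1
            votes_against += local_verdict(*observations[(monitor, suspect)])
        if votes_against * 2 > voters:
            declared[suspect] = (votes_against, voters)
    return declared


if __name__ == "__main__":
    print("alerts sent to sink:", individualised_decision())
    print("declared after vote:", cooperative_decision())
```

With this data the sink receives five individual alerts, one of which (A's report on E) is a false positive caused by A's poor link; the cooperative vote declares only C, because E's other neighbours saw it forwarding normally. The vote counts one ballot per identity, so the Sybil voting scenario of Section 2 would defeat it unless identities are authenticated.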

Distributed-centralised IDS agent installation mechanism

Cluster-Head (CH) approach lowers the power consumption and efficiently reduces the control overhead. This approach is used in hierarchical routing protocols. CHs have more capabilities than other ordinary nodes. The concept of monitor node is derived from this philosophy. In distributed-centralised approach, IDS agent is installed in monitor nodes only. This node performs two types of functions simultaneously. First, it performs the activities of the normal nodes and, second, it checks for intrusion detection. The logic behind that approach is to minimise the detection overhead faced by purely distributed approaches.

3.2 Detection policy

In an IDS, the detection of intrusions is the major phase. There are three different policies of detection: misuse detection, anomaly-based detection and specification-based detection.

Misuse detection system

Various attacks follow the same sequence of steps to launch their effect. In a misuse detection system, these sequences of steps are used to detect such attacks. This detection mechanism is also called signature-based detection. It is like pattern matching: it works well for known attacks only and cannot cater for unknown attacks.

In this approach, abnormal behaviour is defined for the network, e.g., by making a log file of signatures of known attacks. The network is then simulated to evaluate the performance of the designed technique. Every instance is matched against the entries of the log file to detect the attack scenario. That is why this approach is quite expensive, especially for sensor nodes.

Anomaly-based detection system

A signature-based approach cannot detect attacks for which no signature (known pattern) is present. A number of attacks change their signatures frequently and are hard to detect using such mechanisms. Anomaly-based systems provide a security environment in which anything that deviates from the normal behaviour is declared anomalous or malicious.

In this approach, the normal behaviour of the network is defined and any other behaviour is declared intrusive. An anomaly detection algorithm learns the normal behaviour of the targeted network during normal simulation of the network and sets thresholds, etc., during this period. These help in detecting intrusions in attack scenarios.

Specification-based detection system

A specification-based detection system works by defining rules for attacks. A sensor node’s behaviour is checked against each rule sequentially. There is a failure counter associated with each node; if the sensor node violates any rule, its failure counter is incremented. If the number of failures of a particular node exceeds a threshold (adjusted for the normal situation) after a time interval ‘t’, an alert about that node is generated.

4 IDS-based security mechanisms for Wireless Sensor Networks

In recent years, various IDSs have been proposed for detecting compromised node(s) in WSNs. We categorise these methodologies into three major classes depending on the way they install the IDS agent in the network.

4.1 Purely distributed approach

A sensor node has its own memory unit, processing unit, sensing unit and communication unit. It senses the environment using its sensing unit and stores that data in the memory unit for some particular interval of time. It processes the data with the help of the processing unit. Finally, it communicates this data to the sink in a hop-by-hop manner. Hence, the sensor node works independently. In purely distributed mechanisms, the IDS agent is installed in each sensor node to analyse the working of the other node(s). In this section, we discuss several approaches that focus on this idea.

Spontaneous watchdog approach

In Roman et al. (2006), the authors claim to be the first to propose an IDS architecture for WSNs. They introduce a neighbour monitoring technique known as the spontaneous watchdog. According to them, the IDS agent is installed in every sensor node. It has a data structure containing two types of information: knowledge about previously declared malicious nodes and a list of legitimate neighbours.

The IDS agent also has two detection bodies: a local agent and a global agent. The local agent audits data that comes from the nodes inside its radio range, i.e., its neighbours. It generates an alert if any node works abnormally, such as flooding, or if it receives a message from a node that is not present in the neighbour list. On the other hand, a node activates its global agent if, in promiscuous mode, it senses any communication concerning one of its neighbouring nodes. Here, the global agent acts like a spontaneous watchdog. This agent then discovers how many neighbouring nodes have activated their global agents. If there are n global agents in the same situation, then the particular node works as a spontaneous watchdog with probability 1/n. It checks whether nodes rebroadcast received message(s) or not.


Consider the sensor network shown in Figure 3. Let node I sense some movement and, after processing, broadcast to node C for further rebroadcast. Now, according to the proposed methodology, one of the common neighbours of nodes C and I, such as node F or J in Figure 3, activates its global agent. It senses the network in promiscuous mode until it receives the rebroadcast message from node C within the time interval ‘t’. If it does not receive it, it generates an alert about the abnormality of node C. In this approach, the activation of the global agent is an important issue that should be handled carefully because sensor nodes are independent.

Figure 3 Common neighbours of node C and node I

Cooperative local auditing

Key management protocols, authentication protocols and secure routing protect WSNs against outside attacks but fail to protect against strong insider attacks. A specification-based cooperative local auditing mechanism for the detection of selective forwarding and black-hole attacks is proposed in Krontiris and Dimitriou (2007). The authors further extend their work to the sink-hole attack in Krontiris et al. (2007). According to their approach, the IDS agent is installed in each sensor node. Here, the IDS agent is composed of five main components, as shown in Figure 4: local packet monitoring, local detection engine, cooperative detection engine, communication and local response.

Figure 4 Major components of IDS agent in cooperative local auditing

The local packet monitoring component gathers packets from the radio frequency range of the node and passes them to the local detection engine, where a specification-based detection mechanism is applied to find intrusions. The authors present four rules in their papers, of which two are for detecting black-hole, selective forwarding and sink-hole attacks and the other two relate to an action. The local detection engine checks whether the messages of a particular node obey the rules or not. If a node violates the specifications, an alert is sent to the cooperative detection engine. This component then communicates with other nodes to check the status of that node there. If the majority of the nodes validate the maliciousness of that node, an alert is passed to the local response. There may be different types of responses to secure the network from compromised nodes, depending on the configuration.

In Krontiris and Dimitriou (2007), the authors give the specification, i.e., the rules, for detecting selective forwarding or black-hole attacks. An example helps in understanding the phenomenon. Consider the black-hole scenario discussed before for the network topology shown in Figure 1. Let node J send a data packet to node C after sensing the environment. According to the proposed rule, node J buffers that packet for some time t and waits for node C to rebroadcast it. If node C does not rebroadcast, node J increments a failure counter corresponding to node C; if node C forwards the packet, node J removes it from the buffer. Once the failure counter for node C reaches a certain limit, node J generates an alert. It communicates with its neighbours about the maliciousness of node C and voting takes place.

In another paper (Krontiris et al., 2007), the authors discuss the possibility of the sink-hole attack in the MintRoute routing protocol (see Appendix A). They extend their previous work and add rules for the sink-hole attack. According to these, a sensor node generates an alert whenever a malicious node tries to impersonate another node: the node checks the ID of the sender, and for each route_update packet the sender ID should be different from its own ID and should belong to one of its neighbours. It generates an alert in any other situation. When an intrusion such as a sink-hole attack is detected, the sensor nodes start sharing their neighbour lists to identify the malicious node. In a sink-hole attack, it is observed that the compromised node lies in the intersection of the neighbour lists of different nodes. The following is a scenario after information sharing by the neighbours:

Node C: {A, D, F, I, J} ∩ {C, D, I, M} ∩ {C, D} = {D}

Node B: {D, E} ∩ {B, D, G, J} = {D}

Node J: {C, D, I, M} ∩ {A, D, F, I, J} ∩ {B, D, G, J} = {D}

After analysing this, a collective result is maintained, and in the above-mentioned scenario it identifies node D as the abnormal node. A comprehensive alert is generated for the BS or sink to take immediate steps to avoid the influence of the compromised node.
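The retransmission rule, the neighbour vote and the neighbour-list intersection just described, worked through as an added Python example (not the authors' code); the packet trace, the buffer time t and the failure limit are constructed values, and the shared neighbour lists are those of the scenario above.

```python
"""Cooperative local auditing, as an added illustration: the retransmission rule
with a per-neighbour failure counter, majority voting among neighbours, and the
neighbour-list intersection used to localise the sink-hole node."""

# Constructed packet trace overheard by node J: (time, node, packet_id, action, next_hop).
# "send" means the node hands a packet to next_hop; "fwd" means the node rebroadcasts it.
# Node C forwards packets 1 and 2, drops 3-5 and forwards 6 only after a long delay.
TRACE = [
    (0.0, "J", 1, "send", "C"), (0.5, "C", 1, "fwd", "A"),
    (2.0, "J", 2, "send", "C"), (2.6, "C", 2, "fwd", "A"),
    (4.0, "J", 3, "send", "C"),
    (6.0, "J", 4, "send", "C"),
    (8.0, "J", 5, "send", "C"),
    (10.0, "J", 6, "send", "C"), (12.5, "C", 6, "fwd", "A"),
]

# Neighbour lists shared after the impersonation alert (the scenario in the text).
SHARED_LISTS = {
    "C": [{"A", "D", "F", "I", "J"}, {"C", "D", "I", "M"}, {"C", "D"}],
    "B": [{"D", "E"}, {"B", "D", "G", "J"}],
    "J": [{"C", "D", "I", "M"}, {"A", "D", "F", "I", "J"}, {"B", "D", "G", "J"}],
}


def retransmission_failures(trace, watcher, next_hop, t):
    """Retransmission rule: the watcher buffers every packet it sends to next_hop
    and counts one failure for each packet next_hop does not rebroadcast within t."""
    forwarded = {}  # packet_id -> time of the first rebroadcast by next_hop
    for time, node, pid, action, _ in trace:
        if node == next_hop and action == "fwd" and pid not in forwarded:
            forwarded[pid] = time
    failures = 0
    for time, node, pid, action, nh in trace:
        if node == watcher and action == "send" and nh == next_hop:
            if pid not in forwarded or forwarded[pid] - time > t:
                failures += 1  # buffer timer expired without a rebroadcast
    return failures


def local_alert(trace, watcher, next_hop, t, limit):
    """Local detection engine: raise an alert once the failure counter reaches limit."""
    return retransmission_failures(trace, watcher, next_hop, t) >= limit


def majority_vote(votes):
    """Cooperative detection engine: the accused node is declared compromised only
    if a strict majority of the consulted neighbours confirm the alert."""
    agree = sum(1 for confirms in votes.values() if confirms)
    return agree * 2 > len(votes)


def locate_sink_hole(neighbour_lists):
    """Intersect the neighbour lists exchanged by one node's neighbours; in a
    sink-hole attack the compromised node is the one common to all of them."""
    return set.intersection(*(set(nl) for nl in neighbour_lists))


def collective_result(shared):
    """Combine the per-node intersections into one collective verdict."""
    return set.intersection(*(locate_sink_hole(lists) for lists in shared.values()))


if __name__ == "__main__":
    print("node J alerts on C:", local_alert(TRACE, "J", "C", t=1.0, limit=3))
    print("voting result:", majority_vote({"F": True, "I": True, "A": False}))
    print("collective sink-hole verdict:", collective_result(SHARED_LISTS))
```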

Fixed-width clustering algorithm

A well-known distributed anomaly detection mechanism is discussed in Loo et al. (2006). In this approach, 12 features, such as the number of packets received, sent or broadcast and the number of route requests sent, forwarded or received, are loaded. These features are used to determine the mean and standard deviation for each neighbouring node under normal messaging. These values are normalised to get a single value, which is used to form fixed-width clusters. If it is close to the central value of an existing cluster, it is placed in that cluster. Otherwise, it forms another cluster and becomes the central value of that cluster. A range is also calculated for it. These values are also calculated by simulating various attack scenarios and are placed in the clusters. After analysing these clusters, the compromised nodes are detected. It is assumed that clusters with fewer points indicate abnormal activity.

According to the algorithm, the IDS agent is installed in every node and all the nodes act as monitor nodes. Two challenges are faced in presenting this model. The first challenge is the identification of the features used to identify a particular attack; an appropriate anomaly detection mechanism is the second challenge. Twelve features are identified to analyse the behaviour of the network. Nine features relate to non-traffic properties while the other three are related to traffic. A network simulation is created to discover the mean values and standard deviations of these features under normal messaging. These values are then utilised to detect abnormal behaviour of the network in attack scenarios. The features are as follows:

• Feature 1 relates to the number of messages received from a particular node in some particular interval of time t. It is useful in detecting flood attacks.

• Ad hoc On-demand Distance Vector (AODV) is a well-known reactive routing protocol. In WSNs, sensor nodes create a route to the sink by broadcasting a Route Request (RREQ) message when they require a route. This message is transmitted hop-by-hop until the route is discovered or the Time to Live (TTL) expires. Once a node has an active route to the sink, or the sink is its next hop, it replies with a Route Reply (RREP) message. Features 2, 3 and 4 are the numbers of RREQs received, sent or dropped, respectively. These features can be helpful in detecting the sink-hole attack, because in a sink-hole attack a compromised node broadcasts wrong route information to affect the routes.

• The next three features are also related to the AODV routing protocol: the numbers of RREPs received, forwarded or sent are the 5th, 6th and 7th features, respectively. These are mainly affected by a compromised node in routing attacks. Features 8 and 9 are the numbers of errors received or sent, respectively, about the route request messages.

• The last three (10, 11 and 12) traffic-related features are the changes that occur to the route of a particular node for delivering messages to the BS, and the mean and standard deviation of the number of hops to the BS, respectively.

The next challenge is the anomaly detection mechanism. Data is collected from the surrounding or neighbour nodes for some particular interval of time and is used to detect malicious activity and nodes that are acting abnormally. Here, the sensor nodes work in two phases after collecting the data, i.e., training and testing. The training phase involves three sequential processes. Data is collected for a specified time and each data set contains data items. Each data item is a vector of attributes or features, containing values about a particular node. In the first step, data items are normalised to a possible range using a formula based on the mean and standard deviation. Second, each normalised data item is checked for how much it differs from the previous centroids of the clusters, which have a fixed radius. If the value is within the defined degree, it is kept in that cluster; otherwise it forms another centroid and a radius is calculated for it, so that any other data item lying in this range becomes part of that cluster. Finally, a label is assigned to the clusters. Abnormal nodes are fewer than normal nodes, so the cluster(s) with less activity than a threshold (set for normal behaviour) are labelled as malicious and the others as normal. After training, the testing phase enquires whether these nodes efficiently detect the anomalies or not. According to the authors, their proposed methodology can detect the simulated routing attacks efficiently while achieving a low false positive rate.
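The training and testing phases just described, as an added Python example that is not from Loo et al.; the observations, the cluster width and the minimum cluster size are constructed, and only three of the twelve features are used.

```python
"""Fixed-width clustering, as an added illustration: per-neighbour feature vectors
are normalised with the training mean and standard deviation, each vector joins the
first cluster whose centroid lies within a fixed radius (else it becomes a new
centroid), and clusters with fewer members than a threshold are labelled malicious."""
import math

# Constructed observations per neighbour (one tuple per time window). Only three of
# the paper's twelve features are used: messages received, RREQs received, RREPs sent.
SAMPLES = {
    "A": [(10, 3, 1), (11, 2, 1), (9, 3, 2), (10, 4, 1)],
    "B": [(12, 2, 1), (11, 3, 1), (10, 2, 2), (12, 3, 1)],
    "C": [(60, 20, 9), (65, 22, 10)],  # flooding-like routing behaviour
}


def column_stats(rows):
    """Mean and population standard deviation of every feature."""
    n, dims = len(rows), len(rows[0])
    means = [sum(r[i] for r in rows) / n for i in range(dims)]
    stds = [math.sqrt(sum((r[i] - means[i]) ** 2 for r in rows) / n) or 1.0
            for i in range(dims)]  # a constant feature gets std 1 to avoid division by zero
    return means, stds


def normalise(row, means, stds):
    """Step 1: z-score normalisation so that all features share one scale."""
    return tuple((row[i] - means[i]) / stds[i] for i in range(len(row)))


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fixed_width_clusters(labelled_points, width):
    """Step 2: single-pass clustering. A point joins the first cluster whose centroid
    is within `width`; otherwise it becomes the centroid of a new cluster."""
    clusters = []
    for node, point in labelled_points:
        for cluster in clusters:
            if distance(point, cluster["centroid"]) <= width:
                cluster["members"].append((node, point))
                break
        else:
            clusters.append({"centroid": point, "members": [(node, point)]})
    return clusters


def label_clusters(clusters, min_points):
    """Step 3: sparse clusters are labelled malicious, the rest normal."""
    for cluster in clusters:
        cluster["label"] = "malicious" if len(cluster["members"]) < min_points else "normal"
    return clusters


def train(samples, width=1.0, min_points=3):
    """Training phase: returns the labelled clusters plus the normalisation constants
    needed to classify new observations in the testing phase."""
    rows = [r for obs in samples.values() for r in obs]
    means, stds = column_stats(rows)
    points = [(node, normalise(r, means, stds)) for node, obs in samples.items() for r in obs]
    clusters = label_clusters(fixed_width_clusters(points, width), min_points)
    return {"clusters": clusters, "means": means, "stds": stds, "width": width}


def malicious_nodes(model):
    """Nodes whose observations fell into a malicious cluster during training."""
    return {node for c in model["clusters"] if c["label"] == "malicious"
            for node, _ in c["members"]}


def classify(row, model):
    """Testing phase: a new observation takes the label of the cluster it falls in,
    or is treated as malicious if it lies outside every cluster."""
    point = normalise(row, model["means"], model["stds"])
    for cluster in model["clusters"]:
        if distance(point, cluster["centroid"]) <= model["width"]:
            return cluster["label"]
    return "malicious"


if __name__ == "__main__":
    model = train(SAMPLES)
    print("clusters:", [(c["label"], len(c["members"])) for c in model["clusters"]])
    print("malicious neighbours:", malicious_nodes(model))
    print("new observation (11, 3, 1):", classify((11, 3, 1), model))
```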

Artificial Immune System

Artificial Immune System (AIS) is used as an anomaly detection mechanism in wired networks as well as in ad hoc networks (Drozda and Szczerbicka, 2006). It works like the Human Immune System (HIS), which safeguards the human body from various viral or bacterial attacks. In Drozda et al. (2007), the authors introduce an AIS-based detection mechanism for WSNs because it is computationally less expensive and provides better detection performance. They explain the design principles of their proposed methodology and also perform experiments in the NS-2 simulator to show the effectiveness of their approach. They focus on MAC layer and network layer attacks and call them misbehaviour attacks. Mostly, these attacks are launched by compromised nodes in the sensor network, e.g., medium access selfishness (a node holds the medium), flooding, wormhole, Sybil, etc.

In AIS, the system maintains a list of self-strings (normal behaviour) and non-self strings (misbehaviour).

The system learns normal behaviour by maintaining strings, called self-strings, taken from the header of each received message. After that, a random generate-and-test process is used to form the detector set, as shown in Figure 5. Self-strings are compared with randomly generated strings. If a newly produced string matches a self-string, it is rejected; otherwise, it is stored in the detector set. Then new strings are again randomly produced and compared with the detector set entries. If a match appears, it confirms the positive nature of a non-self string and it is stored in the list of non-self strings. This process is called negative selection because it determines those behaviours (strings) that are used for identifying abnormal activity. When this process completes, attacks are launched to analyse the false positive rate.
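Negative selection as described above, worked through as an added Python example that is not from Drozda et al.; the 8-bit header format, the self set and the r-contiguous-bits matching rule with r = 4 are assumptions for the illustration.

```python
"""Negative selection, as an added illustration: self-strings are built from the
headers of normal traffic, candidate detectors are generated and rejected when they
match a self-string under the r-contiguous-bits rule, and the surviving detectors
flag any header that matches one of them as non-self."""
import random
from itertools import product

L = 8  # bits per string: 3-bit source ID, 3-bit destination ID, 2-bit message type
R = 4  # contiguous matching bits needed for two strings to "match"


def encode_header(src, dst, msg_type):
    """Constructed toy header format; a real AIS would take the string from the
    MAC/routing header fields of each received message."""
    return f"{src:03b}{dst:03b}{msg_type:02b}"


# Self set: headers observed on the link during the normal (attack-free) period.
SELF_STRINGS = [encode_header(s, d, t)
                for s, d, t in [(1, 2, 0), (2, 3, 0), (3, 4, 0), (1, 2, 1), (2, 3, 1)]]


def r_contiguous_match(a, b, r=R):
    """True if a and b agree in at least r consecutive bit positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def matches_self(candidate, self_strings):
    return any(r_contiguous_match(candidate, s) for s in self_strings)


def negative_selection(self_strings, seed=7):
    """Generate-and-test: candidates are drawn in random order (here over the whole
    8-bit space, so the toy run is exhaustive and deterministic) and kept as
    detectors only if they match no self-string."""
    rng = random.Random(seed)
    candidates = ["".join(bits) for bits in product("01", repeat=L)]
    rng.shuffle(candidates)
    return [c for c in candidates if not matches_self(c, self_strings)]


def is_non_self(string, detectors):
    """Detection: a header matched by any detector is classified as non-self."""
    return any(r_contiguous_match(string, d) for d in detectors)


if __name__ == "__main__":
    detectors = negative_selection(SELF_STRINGS)
    print(len(detectors), "detectors survived negative selection")
    for hdr in SELF_STRINGS:
        print(hdr, "self  ->", is_non_self(hdr, detectors))
    spoofed = encode_header(6, 5, 2)  # header never seen during training
    print(spoofed, "spoof ->", is_non_self(spoofed, detectors))
```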


Figure 5 Negative selection for generating non-self string. Input: random generated string and output: non-self string

Intrusion-aware validation algorithm

An algorithm is proposed in Shaikh et al. (2008) for identifying compromised nodes that generate alerts against normal nodes to give the impression that those nodes are malicious. It enhances those distributed cooperative IDSs that lack confirmation about the source of an alert, since compromised nodes can generate false alarms about normal node(s). It works in two phases. In the consensus phase, after receiving an alert about the occurrence of malicious activity, a node checks whether the accused node is an already declared (listed) abnormal node or not. If the information is not available, it checks the anomaly type and the threat level. It randomly selects n neighbours, according to the threat level, for consensus and sends confirmation request packet(s). When a node receives a confirmation request packet, the decision phase activates. A neighbour node replies with one of three responses: 1 (agrees with the claim), 0 (does not know) and –1 (does not agree with the claim). The sensor node takes its decision on the basis of the responses received from the randomly selected nodes. There are three possible decisions: validate (the node is abnormal), no consensus (not identified) and invalidate (the node that sent the alert is compromised).

It is clear from the above discussion that the intrusion-aware validation algorithm helps those methodologies that lack confirmation about the source of an alert, since compromised nodes can generate false alarms about normal nodes. On the other hand, it also increases energy consumption and the computational and control overhead.

Pair-based abnormal node detection

A novel distributed abnormal node detection technique is proposed in Ahmed et al. (2008). It uses both signature-based and anomaly-based techniques to identify compromised nodes. In this technique, the sensor network is divided into pairs that further form groups. These groups communicate with each other in a hierarchical way. They are controlled by central pairs or Cluster-Heads (CHs).

There are two challenges: the creation of pair(s), which further leads to the formation of group(s), and the detection mechanism for abnormal activity. The important points for making pairs are as follows:

• A pair is made between adjacent nodes according to some attribute such as distance from the adjacent node, energy of the node and response time.

• If a new node enters the network, it initially searches for an available unpaired node in its neighbourhood. If no such node is available, it broadcasts a request to make a pair.

• The first pair formed after the deployment of the nodes in the sensor field is known as the central pair. There might be several central pairs in the sensor field. These central pairs further form groups of nodes, and the groups communicate with each other in a hierarchical way. They are controlled by the central pairs, which act as CHs.

Every sensor node audits the behaviour of its pairing node. It has a local detection engine and a local knowledge-base, while there are two central containers, the central knowledge-base and the central signature key management engine, as shown in Figure 6. These help in the detection of abnormal nodes in the network. Of the two, the central signature key management engine is responsible for the secure transmission of messages between the pairs and groups. It always communicates with the local detection engine to verify the particular node.

Figure 6 Two nodes work in a pair to check the behaviour of each other

Data about the pairing node is collected by the local knowledge-base, based on some predefined features, and is used by the local detection engine to detect anomalies. The central knowledge-base collects and stores information about all the nodes present inside or outside the group. This information is updated when anomalous behaviour is detected inside or outside the group, and the relevant information about the nodes is shared with the local knowledge-base of individual nodes to clarify the true picture of the pairing node. Similarly, when an individual node finds an anomaly, it updates the central database too. A node performs anomaly detection by consulting the local database and, if it does not find any maliciousness there, it contacts the central database to detect the abnormality.

Group-based detection scheme

A group-based detection mechanism is proposed in Li et al. (2008) that works in two phases. The sensor network is partitioned into n groups. The authors assume that all the nodes of a particular group perform the same task, such as sensing some particular attribute of the environment, and that their sensed information differs from each other by at most a certain threshold th. In the first phase, each node generates a random number T_Rnd. If it does not receive any group joining request during this time, it makes itself the root of a new group and broadcasts this information to its neighbourhood, inviting nodes to join its group. Once a node receives a group joining request:

• It determines the Euclidean distance between its own sensed data and that of the root node of the particular group. This should be less than or equal to th/2.

• It calculates the number of hops to that particular root, which should be less than or equal to a predefined maximum number of hops within a group.

If a node satisfies the above two conditions, it joins the group. After grouping the sensor field, the second phase starts, i.e., intrusion detection.

Initially, sensor nodes are grouped together on the basis of the similarity between their sensed data. This information can be utilised to detect the abnormal activity of a particular node during attack scenarios. When malicious activity is detected, the root or monitor node broadcasts a message containing four attributes, i.e., alert, charged node, monitor node and timestamp, where alert is the type of attack, charged node is the compromised node, monitor node is the one that performed the intrusion detection, and the timestamp assures that the message is fresh. Now, if a neighbouring node receives N alert messages from the same monitor node about the same charged node, it starts monitoring the activities of both the charged node and the monitor node in promiscuous mode. If it finds that the particular node is malfunctioning, it removes it from its routing table.

The monitor node collects various types of data about the sensor nodes for auditing their behaviour. Sensed data can be utilised to find fabricated information attacks. Packet sending and receiving rates are used to detect energy exhausting and sink-hole attacks, respectively, whereas packet dropping rate and sending power can be helpful for analysing the behaviour for black-hole attacks and worm-hole attacks, respectively.

The authors find a low false alarm rate after applying the proposed methodology to real data acquired from 54 nodes situated in the Intel Berkeley Research Lab in 2004.

4.2 Purely centralised approach

In several schemes, the sink or BS collects some specific information from the sensor nodes using a routing protocol and analyses it to detect intrusions.

ANDES

A centralised anomaly detection mechanism for detecting fail-stop failures and several routing protocol attacks is presented in Gupta et al. (2007). It works in two main phases, i.e., collection of information and detection. ANDES gathers information from the sensor network using two sources: the data plane (normal or regular collection of data in the sensor network) and the management plane (specific information from sensor nodes using a specialised routing protocol).

The sink or BS collects sufficient information before applying anomaly detection. This approach consists of three main components. In the collection of application data, the sink or BS collects regular data, with a few assumptions about that data: a node sends its ID with each packet and, after a certain time, each node generates a packet. When the data arrives at the sink, it records the sequence numbers of the last n messages received from a particular node, updates the time-stamp of the last data packet received from that node and updates the total number of application packets received from each node. Collection of management information is the second component: an additional management routing protocol collects attributes such as address, parent, hops, send_cnt, receive_cnt and fwd_cnt from each node after an interval of time. The detection policy analyses the gathered information to find anomalous behaviour of the sensor node(s) or intrusions. It works in three phases: analysis of application data, analysis of management data and cross-checking to determine the root cause of the attack.

The ANDES algorithm analyses the application data to maintain a list of active and connected nodes and to declare the current state of each node. The states are normal, abnormal and unattached or replicate. It performs three operations on the management data: set up active sets, create routes and self-learning. Nodes’ responses to the queries of the management routing protocol are kept in the active set. ANDES creates routes to each node to find whether it is reachable or not. Self-learning is a machine learning algorithm like a decision tree (Mitchell, 1997). It is applied to four attributes, namely fwd_cnt, send_cnt, receive_cnt and failure_cnt. At the start, normal operation is assumed and ANDES calculates the baseline values during the first k epochs. These values change at the end of subsequent updates and are compared with their moving averages.

ANDES utilises the information gathered from the application plane and the management plane to identify abnormal node(s). Cross-checking helps in the taxonomy of the attacks.

Fail-stop failure: If the analysis of application data of a particular node shows that it is not available and that node is not in the active set (maintained from management data), ANDES considers it a failed node and eliminates it from the network.

Selective forwarding, black-hole and sink-hole attack: Consider node C, a compromised node that launches a black-hole, sink-hole or selective forwarding attack (network topology shown in Figure 1).

Node F: Sink A C F

Node H: Sink A C F H

Node I: Sink A C I

Node O: Sink A C I O

Node J: Sink A C J


According to ANDES, initially all nodes are considered white, or normal. After applying the create route operation (constructing paths towards the sink), nodes are marked as white or black. This shows that F, H, I, O and J are not available although they are active, and they are not children of any failed node either. A depth-first search finds the normal node that has a black child. This node is declared malicious, like node C in this example.
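The create-routes colouring and the depth-first search just described, as an added Python example that is not from Gupta et al.; the routes, the availability set and the active set are constructed to reproduce the example above, with an extra fail-stop node E on a branch via B.

```python
"""ANDES cross-check, as an added illustration: management-plane routes form a tree
rooted at the sink, each node is coloured from application-plane availability and
the management active set, and a depth-first search from the sink returns the
white (normal) node whose children are black, i.e. the suspected black-hole,
sink-hole or selective-forwarding node, together with the fail-stop nodes."""

# Constructed routes produced by the "create routes" operation (sink -> ... -> node),
# following the Figure 1 example in the text plus a branch via B.
ROUTES = {
    "A": ["Sink", "A"],
    "B": ["Sink", "B"],
    "C": ["Sink", "A", "C"],
    "F": ["Sink", "A", "C", "F"],
    "H": ["Sink", "A", "C", "F", "H"],
    "I": ["Sink", "A", "C", "I"],
    "O": ["Sink", "A", "C", "I", "O"],
    "J": ["Sink", "A", "C", "J"],
    "E": ["Sink", "B", "E"],
}
# Application plane: nodes whose data packets reached the sink in the last epoch.
AVAILABLE = {"A", "B", "C"}
# Management plane: nodes that answered the management routing protocol's queries.
ACTIVE = {"A", "B", "C", "F", "H", "I", "O", "J"}  # E answers nothing: fail-stop candidate


def build_tree(routes):
    """Parent -> children adjacency from the sink-rooted routes."""
    children = {}
    for path in routes.values():
        for parent, child in zip(path, path[1:]):
            children.setdefault(parent, set()).add(child)
            children.setdefault(child, set())
    return children


def colour_nodes(routes, available, active):
    """white: application data arrives; black: silent on the data plane but active
    on the management plane; failed: silent on both (fail-stop)."""
    colours = {"Sink": "white"}
    for node in routes:
        if node in available:
            colours[node] = "white"
        elif node in active:
            colours[node] = "black"
        else:
            colours[node] = "failed"
    return colours


def find_suspects(children, colours, root="Sink"):
    """Depth-first search from the sink. A white node with a black child is the
    suspect; the subtree of a failed node is skipped because its descendants are
    unreachable for an innocent reason."""
    suspects, stack = set(), [root]
    while stack:
        node = stack.pop()
        if colours[node] == "failed":
            continue
        for child in children.get(node, ()):
            if colours[node] == "white" and colours[child] == "black":
                suspects.add(node)
            stack.append(child)
    return suspects


def andes_cross_check(routes, available, active):
    """Returns (suspected attackers, fail-stop nodes)."""
    colours = colour_nodes(routes, available, active)
    failed = {n for n, c in colours.items() if c == "failed"}
    return find_suspects(build_tree(routes), colours), failed


if __name__ == "__main__":
    suspects, failed = andes_cross_check(ROUTES, AVAILABLE, ACTIVE)
    print("suspected attacker(s):", suspects)
    print("fail-stop node(s):", failed)
```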

Flooding: It is identified from careful analysis of the receive_cnt of each node, which causes a change in the average. If this is above a certain limit or threshold, the sensor node is declared abnormal.

Application-independent framework

In Zhang et al. (2008), the authors present a simple graph-theory-based approach that efficiently detects compromised beacon nodes. Beacon nodes provide location information to the sensor nodes. It is assumed that the IDS agent is installed at the beacon nodes, which produce alerts about the maliciousness of the sensor nodes. A compromised beacon node transmits false information about other nodes and degrades the performance of the routing protocol. This is not a purely centralised IDS methodology because the nodes also play a role in detection; it is classified in this category because the proposed detection framework works at the sink or BS only. The beacon nodes generate alerts about malicious activity, and the sink or BS receives these alerts over a secure transmission protocol. Once a sufficient amount of data is gathered, it applies the proposed graph-theory-based detection mechanism to find whether the information has been received from a reliable source or not.

The authors propose an application-independent framework. Their focus is on identifying whether the source of information is a reliable one or compromised. A Global Positioning System (GPS) receiver is expensive if installed in each sensor node, so the concept of a beacon node is resource-efficient for networks that use location-based routing. The major components of the proposed framework are the observability graph, alerts, sensor behaviour model, observer model, security estimation and identification function.

4.3 Distributed-centralised approach

Generally, a hybrid technique combines the best features of two or more different approaches to achieve better performance. Distributed-centralised is a hybrid approach that combines the purely centralised and purely distributed approaches. In this approach, the IDS agent is installed in some nodes called monitor nodes. A monitor node listens in two modes: normal and promiscuous. In normal listening, the monitor node interprets, and forwards after (application-dependent) processing, those messages that are destined to it; this is the same operation that regular sensor nodes perform on messages destined to them. In promiscuous listening, the monitor node interprets all the messages, whether they are destined to it or not.

In Atakli et al. (2008), the authors favour approaches that work on the distributed-centralised principle over purely distributed ones. They avoid the complexity of using an additional specialised routing protocol (purely centralised approach) and limit the overall energy consumption of the sensor nodes (purely distributed approach).

Decentralised intrusion detection model

A specification-based distributed-centralised IDS mechanism that is well known in the field of IDS for WSNs is proposed in Da Silva et al. (2005). They simulate it in C++ to analyse the detection rate. In this mechanism, the authors test each specification by changing the configuration of an abnormal or compromised node that is located at the same position in the sensor field. There are 100 common nodes and 28 monitor nodes. These are distributed randomly in the sensor field such that two monitor nodes surround the abnormal node and other common nodes are present around it. Results show that their approach works well and detects abnormal behaviour effectively while achieving a low false positive rate.

The IDS agent is installed in the monitor node. It works in three phases, as shown in Figure 7. These are:

Data acquisition: Here, the monitor node listens in promiscuous mode. It maintains an array data structure for each node, containing information about the nodes that lie in its neighbourhood.

Rules application: In this phase, after collecting a sufficient amount of data in the first phase, the monitor node checks whether any node violates any rule or not. There is a failure counter for each node. If a node's data structure violates any rule, its respective counter is incremented. The monitor node applies rules for various attacks in the following way:

• Exhaustion attack: An interval rule detects the exhaustion attack. Here, the monitor node checks the time interval between two consecutive messages sent by a node. If the node sends messages more frequently than others or beyond a certain limit, failure information for that node is updated in the history table (which stores failure information).

• Selective forwarding or black-hole attacks: The retransmission rule detects these types of attacks. The monitor node interprets the collected data and finds whether the next hop of message m has retransmitted or forwarded the received message within time t or not. Consider the black-hole or selective forwarding attack scenario depicted in Section 2. If node C does not retransmit messages, the monitor node updates the number of failures for it.

• Flooding attack: This type of attack is detected using the repetition rule. According to this rule, the monitor node audits the messages a node transmits to see whether it sends the same message again and again. If it broadcasts the same data message n times, where n is greater than a certain retransmission range, the number of failures is updated in the history table.

• Similarly, other rules such as the integrity rule, delay rule and jamming rule are used for detecting message modification, delay and jamming attacks, respectively.

Figure 7 Monitor node

Intrusion detection: In this phase, the monitor node evaluates the failure history table of each node. If the counter value exceeds a certain threshold ‘th’ within time interval ‘t’, an alert is generated about that particular node. The authors simulate the decentralised intrusion detection model in their own simulator (Martins et al., 2005), which is implemented in C++. Results show that their methodology is energy-efficient and achieves a detection rate of 100% for black-hole, selective forwarding and worm-hole attacks.
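The three phases described above (promiscuous data acquisition, rule application against per-node failure counters, and alerting once a counter exceeds th within t), as an added example written for this survey rather than the authors' C++ simulator: a monitor node applies the interval, retransmission and repetition rules to a constructed trace of overheard frames. The message format, the rule parameters and the convention that "SINK" marks a final destination are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    time: float    # time at which the monitor overheard the frame
    src: str       # transmitting node
    nxt: str       # intended next hop ("SINK" = final destination, assumption)
    payload: str   # message identity, used to recognise forwards and repeats

class MonitorNode:
    """Interval, retransmission and repetition rules over a per-node failure
    history table; the parameter values are assumptions."""
    def __init__(self, min_interval=1.0, fwd_deadline=2.0, max_repeats=3,
                 th=3, t=20.0):
        self.min_interval, self.fwd_deadline = min_interval, fwd_deadline
        self.max_repeats, self.th, self.t = max_repeats, th, t
        self.failures = defaultdict(list)  # history table: node -> failure times
        self.last_tx = {}                  # node -> time of its last message
        self.pending = {}                  # (next hop, payload) -> forward deadline
        self.repeats = defaultdict(int)    # (src, payload) -> times overheard

    def observe(self, m):
        self.expire(m.time)
        # Interval rule: consecutive messages from m.src closer than min_interval
        last = self.last_tx.get(m.src)
        if last is not None and m.time - last < self.min_interval:
            self.failures[m.src].append(m.time)
        self.last_tx[m.src] = m.time
        # Repetition rule: the same message sent more than max_repeats times
        self.repeats[(m.src, m.payload)] += 1
        if self.repeats[(m.src, m.payload)] > self.max_repeats:
            self.failures[m.src].append(m.time)
        # Retransmission rule: this frame settles any forward m.src owed for the
        # payload, and its next hop now owes a forward within fwd_deadline
        self.pending.pop((m.src, m.payload), None)
        if m.nxt != "SINK":
            self.pending[(m.nxt, m.payload)] = m.time + self.fwd_deadline

    def expire(self, now):
        """Charge a failure to every next hop whose forwarding deadline passed."""
        for key, deadline in list(self.pending.items()):
            if now > deadline:
                self.failures[key[0]].append(deadline)
                del self.pending[key]

    def alerts(self, now):
        """Nodes with more than th failures within the last t time units."""
        self.expire(now)
        return sorted(n for n, ts in self.failures.items()
                      if sum(1 for x in ts if now - x <= self.t) > self.th)

# Constructed trace: B behaves, C forwards p1 but drops p2..p5 (black-hole),
# E repeats the same "hello" five times in two seconds (flooding/exhaustion).
TRACE = ([Msg(0.0, "B", "C", "p1"), Msg(0.5, "C", "SINK", "p1")]
         + [Msg(1.0 + 0.2 * i, "E", "SINK", "hello") for i in range(5)]
         + [Msg(2.0 * i, "B", "C", f"p{i + 1}") for i in range(1, 5)])

def simulate(trace, now):
    """Run the monitor over a trace; return alerts and failure counts at `now`."""
    mon = MonitorNode()
    for m in sorted(trace, key=lambda m: m.time):
        mon.observe(m)
    return {"alerts": mon.alerts(now),
            "failures": {n: len(ts) for n, ts in mon.failures.items()}}
```

Node B never accumulates a failure, so only C (four unforwarded messages) and E (four interval violations plus two repetitions) cross the threshold.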

Hybrid intrusion detection system

A cluster-based detection mechanism is presented in Hai et al. (2007) that finds intrusions using a hybrid detection policy, which unites the benefits of misuse and anomaly-based detection techniques. The authors acknowledge and use the knowledge of two previous approaches discussed in this paper and one other for deciding the clustering methodology. These are summarised here:

Clustering algorithm: The sensor network is organised into clusters as discussed by Heinzelman et al. (2000). There is a CH in each cluster, and each sensor node belongs to exactly one cluster. Sensor nodes sense the environment according to their configuration and communicate with the CH. The Cluster-Head aggregates the gathered data and further communicates with the sink or BS through other CHs. This reduces the overall control overhead.

IDS agent architecture: The spontaneous watchdog approach is applied (discussed in Section 4.1.1). Every node contains the IDS agent. Whenever a sensor node detects any malicious activity, whether through the local agent or the global agent, it sends an alert to the CH. Here, the CH acts like a local BS. It takes a decision about a node when it receives a number of alerts about that node greater than or equal to some threshold X. It communicates this information to the other nodes of the cluster, and they update their malicious node database.

Detection policy: The local agent keeps the signatures of nodes detected as malicious in its database, so it discards the packets it receives from such nodes. The global agent, if activated, works in promiscuous mode and applies the rules discussed under the Decentralised intrusion detection model to find intrusions.

Routing attacks such as selective forwarding, sink-hole, hello flood and worm-hole can be detected using this proposed IDS mechanism. Results obtained from mathematical analysis show that the probability of detecting an attack increases with the number of monitor nodes.

Cumulative Summation

An anomaly-based distributed-centralised detection mechanism that analyses the behaviour of nodes is discussed in Phuong et al. (2006). It secures a WSN from three categories of attacks using an anomaly detection algorithm called Cumulative Summation (CUSUM). The three categories are:

• compromised nodes attract the attention of other nodes, as in black-hole, sink-hole or worm-hole attacks

• attacks that affect the packets’ data, such as collision

• a compromised node floods packets to exhaust the resources of other nodes.

The IDS agent is installed in the monitor nodes only. The architecture of the monitor node is almost the same as shown in Figure 7, but here the monitor node performs two operations for detecting abnormal behaviour of neighbouring nodes: data acquisition and anomaly detection. In data acquisition, the monitor node listens in promiscuous mode. It maintains a table containing the total number of incoming and outgoing packets for each neighbour n (1, 2, 3, …, N), as shown in Table 2. CUSUM then works on this statistical data to find intrusions. The authors analyse the network behaviour under the three categories of attacks mentioned above and identify three changes that occur due to these attacks. These are:

• amount of messages received by a node

• amount of collisions occurring with the packets

• amount of packets emerging from a particular node.

In anomaly detection, CUSUM detects these three changes to find abnormal behaviour of the nodes (see Appendix B). Consider an adversary-compromised node C (sensor network topology in Figure 1) that launches a black-hole attack. Let any one or more of the neighbours of node C (see Figure 2(a)), A, D, J, I and F, be monitor nodes. They observe that node C receives a lot of messages during some particular time interval, and an alert of type one (a compromised node attracting the attention of other nodes) is generated.

Table 2 Data acquisition in CUSUM

                 Incoming packets    Outgoing packets
Neighbour # 1           X                   X
Neighbour # 2           X                   X
…                       …                   …

The CUSUM algorithm is widely used in different networks for detecting an abnormal transition in the mean of a random sequence.

The CUSUM algorithm is not simulated by the authors in Phuong et al. (2006), so it is difficult to assess the effectiveness of this algorithm in WSNs.

Table 3 categorises the IDS-based security mechanisms on the basis of detection policy, decision making and attacks encountered. It indicates that researchers have mostly targeted routing protocol attacks. In the detection policy column, ‘Any’ shows that the authors do not specify any particular way, while ‘Both’ means that the proposed approach uses the benefits of signature-based as well as anomaly-based detection techniques.

Table 3 IDS-based security mechanisms

Proposed approach | IDS agent installation | Detection policy | Decision making | Attacks
Spontaneous watchdog (Roman et al., 2006) | Purely distributed | Any | Sensor node after cooperating |
Cooperative local auditing (Krontiris and Dimitriou, 2007) | Purely distributed | Specification-based | Sensor node after cooperating | Routing
Fixed-width clustering (Loo et al., 2006) | Purely distributed | Anomaly-based | Sensor node by its individual knowledge | Routing
Artificial Immune System (Drozda et al., 2007) | Purely distributed | Anomaly-based | Sensor node by its individual knowledge | MAC/routing
Intrusion aware validation algorithm (Shaikh et al., 2008) | Purely distributed | Anomaly-based | Sensor node after cooperating |
Pair-based approach (Ahmed et al., 2008) | Purely distributed | Both | Pairing node | –
Group based detection scheme (Li et al., 2008) | Purely distributed | Anomaly-based | Root node | Routing
ANDES algorithm (Gupta et al., 2007) | Purely centralised | Anomaly-based | Base Station | Phy./routing
Application independent framework (Zhang et al., 2008) | Purely centralised | Anomaly-based | Sink or Base Station | –
Decentralised intrusion detection model (Da Silva et al., 2005) | Distributed-centralised | Specification-based | Monitor node | Trans./routing
Hybrid intrusion detection system (Hai et al., 2007) | Distributed-centralised | Both | Cluster-Head | Routing
Cumulative Summation (Phuong et al., 2006) | Distributed-centralised | Anomaly-based | Monitor node | Trans./routing

5 Conclusion

In this paper, a detailed discussion and analysis of the existing IDSs for WSNs is presented. An IDS is an essential component of security for every network. Energy-efficient IDSs are suitable for WSNs. Purely centralised IDS approaches are power-efficient because the most powerful part of the network (sink or BS) detects intrusions. However, these techniques are complex and require some specialised routing protocol that gathers data from each sensor node to the BS or sink for anomaly detection. On the other hand, purely distributed IDS techniques are not energy-efficient because the IDS agent is installed in every node, which adds extra computation and power consumption at the node level. The distributed-centralised IDS approach suits WSNs in terms of energy consumption and complexity, but it has its own constraints. WSNs are vulnerable to a number of inside attacks that affect the overall performance of the network. These attacks result in a wrong interpretation of the sensor field. There is a requirement for an energy-efficient IDS that works in a distributed manner and cooperates with other nodes to identify the abnormal behaviour of the nodes in a sensor network.

Acknowledgements

The authors would like to thank the Higher Education Commission (HEC), Pakistan, for supporting this research under the indigenous PhD Fellowship program.


References

Ahmed, K.R., Ahmed, K., Munir, S. and Asad, A. (2008) ‘Abnormal node detection in wireless sensor network by pair based approach using IDS secure routing methodology’, International Journal of Computer Science and Network Security, Vol. 8, No. 12, pp.339–342.

Akkaya, K. and Younis, M. (2005) ‘A survey on routing protocols for wireless sensor networks’, Elsevier Ad Hoc Networks, Vol. 3, No. 3, pp.325–349.

Akyildiz, I.F., Melodia, T. and Chowdhury, K.R. (2007) ‘A survey on wireless multimedia sensor networks’, Computer Networks: The International Journal of Computer and Telecommunications Networking, Vol. 51, No. 4, pp.921–960.

Akyildiz, I.F., Su, W., Sankarasubramaniam, Y. and Cayirci, E. (2002) ‘A survey on sensor networks’, IEEE Communications Magazine, Vol. 40, No. 8, pp.102–114.

Atakli, I.M., Hu, H., Chen, Y., Ku, W.S. and Su, Z. (2008) ‘Malicious node detection in wireless sensor networks using weighted trust evaluation’, The Symposium on Simulation of Systems Security, Society for Computer Simulation International, Ottawa, Canada.

Bojkovic, Z.S., Bakmaz, B.M. and Bakmaz, M.R. (2008) ‘Security issues in wireless sensor networks’, International Journal of Communications, Vol. 2, No. 1, pp.106–115.

Buettner, M., Greenstein, B., Sample, A., Smith, J.R. and Wetherall, D. (2009) ‘Revisiting smart dust with RFID sensor networks’, 11th ACM International Conference on Ubiquitous Computing, Orlando, Florida, USA.

Cordeiro, C.M. and Agrawal, D.P. (2006) Ad Hoc and Sensor Networks: Theory and Applications, World Scientific, Singapore.

Da Silva, A.P.R., Martins, M.H.T., Rocha, B.P.S., Loureiro, A.A.F., Ruiz, L.B. and Wong, W.C. (2005) ‘Decentralized intrusion detection in wireless sensor networks’, Proceedings of the 1st ACM International Workshop on Quality of Service and Security in Wireless and Mobile Networks, Quebec, Canada.

Drozda, M. and Szczerbicka, H. (2006) ‘Artificial immune systems: survey and applications in ad hoc wireless networks’, International Symposium on Performance Evaluation of Computer and Telecommunication Systems, Calgary, Canada.

Drozda, M., Schaust, S. and Szczerbicka, H. (2007) ‘AIS for misbehaviour detection in wireless sensor networks: performance and design principles’, IEEE Congress on Evolutionary Computation, Singapore.

Farooqi, A.H. and Munir, A. (2008) ‘Intrusion detection system for IP multimedia subsystem using K-Nearest neighbor classifier’, 12th IEEE International Multi-topic Conference, Karachi, Pakistan.

Gupta, S., Zheng, R. and Cheng, A.M.K. (2007) ‘ANDES: an anomaly detection system for wireless sensor networks’, International Conference on Mobile Ad hoc and Sensor Systems, Pisa, Italy, pp.1–8.

Hai, T.H., Khan, F. and Huh, E.N. (2007) ‘Hybrid intrusion detection system for wireless sensor networks’, Computational Science and Its Applications, Lecture Notes in Computer Science, Vol. 4706, Springer, pp.383–396.

Heidemann, J., Li, Y., Syed, A., Wills, J. and Ye, W. (2006) ‘Underwater sensor networking: research challenges and potential applications’, IEEE Wireless Communications and Networking Conference, Las Vegas, USA.

Heinzelman, W., Chandrakasan, A. and Balakrishnan, H. (2000) ‘Energy-efficient communication protocol for wireless microsensor networks’, Proceedings of the 33rd Hawaii Conference on System Sciences, Vol. 8, pp.3005–3014.

Innella, P. and McMillan, O. (2001) An Introduction to Intrusion Detection Systems, Tetrad Digital Integrity, LLC.

Karlof, C. and Wagner, D. (2003) ‘Secure routing in wireless sensor networks: attacks and countermeasures’, The first IEEE International Workshop on Sensor Network Protocols and Applications, Anchorage, AK, USA, pp.113–127.

Krontiris, I. and Dimitriou, T. (2007) ‘Towards intrusion detection in wireless sensor networks’, 13th European Wireless Conference, ENSTA and SEE, Paris.

Krontiris, I., Dimitriou, T., Giannetsos, T. and Mpasoukos, M. (2007) ‘Intrusion detection of sinkhole attacks in wireless sensor networks’, 3rd International Workshop on Algorithmic Aspects of Wireless Sensor Networks, LNCS 4837, Wroclaw, Poland.

Krontiris, I., Giannetsos, T. and Dimitriou, T. (2008) ‘Launching a sinkhole attack in wireless sensor networks: the intruder side’, International Conference on Wireless and Mobile Computing Networking and Communications, Avignon, France, pp.526–531.

Li, G., He, J. and Fu, Y. (2008) ‘A group based intrusion detection scheme in wireless sensor networks’, Computer Communications, Vol. 31, No. 18, pp.4324–4332.

Liu, D., Ning, P., Zhu, S. and Jajodia, S. (2005) ‘Practical broadcast authentication in sensor networks’, The Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services, California, USA, pp.118–132.

Loo, C.E., Ng, M.Y., Leckie, C. and Palaniswami, M. (2006) ‘Intrusion detection for routing attacks in sensor networks’, International Journal of Distributed Sensor Networks, Vol. 2, No. 4, pp.313–332.

Martins, M.H.T., Da Silva, A.R.P., Loureiro, A.A.F. and Ruiz, L.B. (2005) An IDS Simulator for Wireless Sensor Networks, Sensornet Technical Report, Federal University of Minas Gerais, Computer Science Department.

Mitchell, T.M. (1997) Machine Learning, McGraw-Hill Science/Engineering/Math.

Newsome, J., Shi, E., Song, D. and Perrig, A. (2004) ‘The Sybil attack in sensor networks: analysis and defences’, The 3rd ACM/IEEE International Symposium on Information Processing in Sensor Networks, Berkeley, California, USA.

Phuong, T.V., Hung, L.X., Cho, S.J., Lee, Y.K. and Lee, S. (2006) ‘An anomaly detection algorithm for detecting attacks in wireless sensor networks’, Intelligence and Security Informatics, Lecture Notes in Computer Science, Vol. 3975, Springer, pp.735–736.

Rajasegarar, S., Leckie, C. and Palaniswami, M. (2008) ‘Anomaly detection in wireless sensor networks’, IEEE Wireless Communications, Vol. 15, No. 4, pp.34–40.

Roman, R., Zhou, J. and Lopez, J. (2006) ‘Applying intrusion detection systems to wireless sensor networks’, 3rd IEEE Consumer Communications and Networking Conference, Las Vegas, Nevada, USA, pp.640–644.

Roosta, T., Shieh, S. and Sastry, S. (2006) ‘Taxonomy of security attacks in sensor networks and countermeasures’, First IEEE International Conference on System Integration and Reliability Improvements, Hanoi, Vietnam.


Shaikh, R.A., Jameel, H., Auriol, B.J., Lee, S. and Song, Y.J. (2008) ‘Trusting anomaly and intrusion claims for cooperative distributed intrusion detection schemes of wireless sensor networks’, The 9th International Conference for Young Computer Scientists, Hunan, China, pp.2038–2043.

Techateerawat, P. and Jennings, A. (2006) ‘Energy efficiency of intrusion detection systems in wireless sensor networks’, IEEE/WIC/ACM International Conference on Web Intelligence and Intelligent Agent Technology, Hong Kong.

Tun, Z. and Maw, A.H. (2008) ‘Wormhole attack detection in wireless sensor networks’, World Academy of Science, Engineering and Technology, Vol. 36, pp.549–554.

Wang, X. (2006) ‘Intrusion detection techniques in wireless ad hoc networks’, 30th IEEE Annual International Computer Software and Applications Conference, Chicago, USA.

Wood, A.D. and Stankovic, J.A. (2002) ‘Denial of service in sensor networks’, IEEE Computer, Vol. 35, No. 10, pp.54–62.

Zhang, Q., Yu, T. and Ning, P. (2008) ‘A framework for identifying compromised nodes in wireless sensor networks’, ACM Transactions on Information and System Security, Vol. 11, No. 3, pp.1–37.

Appendix

1 MintRoute and sink-hole attack

MintRoute is a routing protocol that builds the routing tree on the basis of link quality estimates. Each node estimates the link quality of its neighbouring nodes on the basis of packet loss. After a fixed interval of time, each node broadcasts a route packet that contains the link estimates of its neighbouring nodes. Nodes update their neighbour table after receiving route update message(s). The neighbour table contains neighbour-node IDs and their link quality estimates. After finalising this table, a node selects as its parent the neighbour with the best link quality.

An adversary can launch a sink-hole attack on the MintRoute routing protocol. If a compromised node listens to the neighbouring nodes’ route update message(s), it alters the original messages and replays them after impersonating the original sender.

2 Thresholds for detecting changes (CUSUM approach)

Detecting changes in the amount of incoming packets

n: Amount of incoming packets of node X in sampling period s.

nT: Average of the amount of incoming packets to the monitor node from its neighbouring nodes in a sampling period.

If the mean Z of {n/nT} is close to 1, then it is in normal condition.

Threshold = Z – β

where β is acquired during normal condition to be greater than Z.

Detecting changes in the amount of outgoing packets

n: Amount of outgoing packets of node X in sampling period s.

nT: Average of the amount of outgoing packets to the monitor node from its neighbouring nodes in a sampling period.

If the mean Z of {nT/n} is close to 1, then it is in normal condition.

Threshold = Z – β

where β is acquired during normal condition to be greater than Z.

Detecting changes in the amount of collision

nS: Amount of successful packets of node X in sampling period s.

nF: Amount of unsuccessful packets of node X in sampling period s.

The mean of {nS/nF} is equal to Z.

Threshold = Z – β

where β is acquired during normal condition to be greater than Z.
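The incoming-packet statistic defined above, run over the per-neighbour counts of Table 2 (Section on Cumulative Summation), as an added example that is not the authors' code: the survey does not give the exact change-detection rule, so the block uses the standard one-sided CUSUM form S_k = max(0, S_(k-1) + (x_k − Z − β)) with an alarm when S_k exceeds a decision threshold h. The reference mean Z learned from a normal window, the allowance β, the threshold h and the per-period counts are constructed assumptions; the same routine applies unchanged to the outgoing ratio nT/n and the collision ratio nS/nF.

```python
def incoming_ratios(table):
    """Per-neighbour sequence of n/nT from a list of sampling periods, each a
    dict neighbour -> (incoming, outgoing) as in Table 2. nT is the average
    incoming count over the monitor node's neighbours in that period."""
    ratios = {}
    for period in table:
        nT = sum(n_in for n_in, _ in period.values()) / len(period)
        for node, (n_in, _) in period.items():
            ratios.setdefault(node, []).append(n_in / nT if nT else 0.0)
    return ratios

def cusum_alarm(xs, Z, beta, h):
    """One-sided CUSUM for an upward shift in the mean of xs:
    S_k = max(0, S_(k-1) + (x_k - Z - beta)); alarm when S_k > h.
    Returns (index of the first alarm or None, list of S_k)."""
    S, sums, alarm = 0.0, [], None
    for k, x in enumerate(xs):
        S = max(0.0, S + (x - Z - beta))
        sums.append(S)
        if alarm is None and S > h:
            alarm = k
    return alarm, sums

def detect_attractors(table, train_periods, beta=0.2, h=2.0):
    """Learn each neighbour's normal mean Z from the first train_periods
    (normal condition, assumed attack-free), then run CUSUM on the rest.
    Returns neighbour -> index of the sampling period that raised the alarm."""
    alarms = {}
    for node, xs in incoming_ratios(table).items():
        Z = sum(xs[:train_periods]) / train_periods
        k, _ = cusum_alarm(xs[train_periods:], Z, beta, h)
        if k is not None:
            alarms[node] = train_periods + k
    return alarms

# Constructed Table 2 snapshots from one monitor node: four normal periods,
# then neighbour C starts attracting traffic (the type-one change).
TABLE = [
    {"A": (10, 9),  "C": (10, 10), "D": (10, 10), "F": (10, 9)},
    {"A": (9, 9),   "C": (11, 10), "D": (10, 9),  "F": (10, 10)},
    {"A": (11, 10), "C": (9, 9),   "D": (10, 10), "F": (10, 9)},
    {"A": (10, 10), "C": (10, 9),  "D": (9, 9),   "F": (11, 10)},
    {"A": (8, 8),   "C": (30, 2),  "D": (8, 8),   "F": (8, 7)},
    {"A": (6, 6),   "C": (40, 1),  "D": (6, 5),   "F": (6, 6)},
    {"A": (5, 5),   "C": (45, 0),  "D": (5, 5),   "F": (5, 5)},
]
```

With these counts the ratio for C rises from about 1.0 to 2.2 and then 2.8, so the cumulative sum crosses h in the second attack period (index 5) while the other neighbours, whose ratios fall, never leave zero.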

Note 1: X is negative but falsely detected as positive, i.e., the node is compromised but is declared as normal.