Intrusion Detection Systems for Wireless Sensor Networks: A Survey
Ashfaq Hussain Farooqi
FAST-NUCES, Islamabad, Pakistan.
Agenda
- Wireless Sensor Networks (WSNs)
- Security issues in WSNs
- Intrusion Detection System (IDS)
- IDS proposed for WSNs
  - IDS architectures
  - Anomaly detection algorithms
  - Compromised node detection
- Future work
- Conclusion
April 19, 2023 FAST-NUCES, Islamabad. 2
Wireless Sensor Networks (WSNs)
- Sensor nodes are densely deployed [1], for example dropped from an aircraft over an area to observe the surrounding activity and transmit the information to the base station.
- The sensor network is infrastructure-less.
- Sensor nodes work using TinyOS.
- Transmission is dependent on the routing protocol.
Components of Sensor Node [1]
Sensor Networks vs. Ad Hoc Networks
- The number of nodes in a sensor network can be several orders of magnitude higher than the number of nodes in an ad hoc network.
- Sensor nodes are densely deployed.
- Sensor nodes are prone to failures.
- The topology of a sensor network changes very frequently.
- Sensor nodes mainly use broadcast; most ad hoc networks are based on point-to-point (p2p) communication.
- Sensor nodes are limited in power, computational capacity and memory.
- Sensor nodes may not have a global ID.
Working environment
Sensor nodes may be working:
- in busy intersections
- in the interior of large machinery
- at the bottom of an ocean
- inside a twister
- in a battlefield beyond the enemy lines
- in a home or a large building
Data aggregation [1]
Applications of WSNs
- Battleground surveillance: enemy movement (tanks, soldiers, etc.)
- Environmental monitoring: habitat monitoring, forest fire monitoring
- Hospital tracking systems: tracking patients, doctors, drug administrators
Need for Security
- Availability: accessible throughout the lifetime
- Authorization: a malicious node can't transmit to legal ones
- Authentication: a malicious node should not obtain authenticity
- Confidentiality: an attacker can't affect the normal communication
- Integrity: no modification to the transmitted data
- Non-repudiation: redundancy is allowed
- Freshness: data should be fresh, and nodes should respond to fresh data
Solution: Cryptography
μTESLA
The sender broadcasts a message with a Message Authentication Code (MAC) generated with a secret key, which is disclosed only after a certain period of time. The receiver, which does not yet know the key, has to buffer the packet and authenticate it in a later time interval, when the sender discloses the key.
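The following Python sketch is an added illustration (not code from the slides or from any μTESLA implementation) of the delayed-key-disclosure scheme just described: a one-way key chain whose commitment K_0 is known to receivers, MACs keyed with the current interval's key, disclosure of each key two intervals later, and the receiver-side check that a packet is only buffered while its key could not yet have been disclosed. The chain length, the delay, the SHA-256/HMAC choice and every packet in the scenario are constructed assumptions.

```python
import hashlib
import hmac

N, D = 8, 2  # constructed: an 8-key chain and a disclosure delay of two intervals


def derive_chain(seed: bytes, n: int) -> list:
    """One-way key chain: K_n = seed, K_i = H(K_{i+1}); K_0 is the commitment."""
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain[::-1]


def broadcast(keys: list, i: int, payload: bytes) -> dict:
    """Sender in interval i: MAC with K_i and piggyback K_{i-D}, now safe to reveal."""
    j = i - D
    return {"interval": i, "payload": payload,
            "mac": hmac.new(keys[i], payload, hashlib.sha256).digest(),
            "key_index": j if j >= 1 else None,
            "key": keys[j] if j >= 1 else None}


class Receiver:
    def __init__(self, commitment: bytes):
        self.last_index, self.last_key = 0, commitment  # only K_0 is trusted so far
        self.buffer, self.accepted, self.rejected = {}, [], []

    def key_is_authentic(self, key: bytes, index: int) -> bool:
        """Hash the disclosed key forward; it must land on the last authentic key."""
        if index <= self.last_index:
            return False
        for _ in range(index - self.last_index):
            key = hashlib.sha256(key).digest()
        return hmac.compare_digest(key, self.last_key)

    def receive(self, pkt: dict, now: int) -> None:
        i = pkt["interval"]
        # Security condition: buffer only while K_i cannot have been disclosed yet.
        if now >= i + D:
            self.rejected.append(pkt["payload"])  # could be forged with a public key
        else:
            self.buffer.setdefault(i, []).append((pkt["payload"], pkt["mac"]))
        j, key = pkt["key_index"], pkt["key"]
        if key is not None and self.key_is_authentic(key, j):
            self.last_index, self.last_key = j, key
            for payload, mac in self.buffer.pop(j, []):  # verify interval j now
                ok = hmac.compare_digest(mac, hmac.new(key, payload, hashlib.sha256).digest())
                (self.accepted if ok else self.rejected).append(payload)


def run_scenario() -> tuple:
    """Constructed exchange: timely broadcasts, a late forgery, a tampered packet."""
    keys = derive_chain(b"constructed-seed", N)
    rx = Receiver(keys[0])                                   # K_0 handed over at setup
    for t in range(1, 6):                                    # intervals 1..5, on time
        rx.receive(broadcast(keys, t, b"reading-%d" % t), now=t)
    forged = {"interval": 1, "payload": b"forged", "key_index": None, "key": None,
              "mac": hmac.new(keys[1], b"forged", hashlib.sha256).digest()}
    rx.receive(forged, now=3)                                # K_1 is public since t=3
    tampered = broadcast(keys, 6, b"reading-6")
    tampered["payload"] = b"tampered"                        # modified in flight
    rx.receive(tampered, now=6)
    rx.receive(broadcast(keys, 8, b"reading-8"), now=8)      # discloses K_6
    return rx.accepted, rx.rejected
```

Readings 1 to 4 are accepted once their keys are disclosed, the packet forged with an already public key fails the security condition, and the tampered packet fails its MAC check two intervals after it was buffered.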
Security issues in WSNs
Attacks are possible because of:
- Self control
- Infrastructure-less operation
- Less computation
- Topology change
Several types of attacks:
- Denial of service attacks [5]
- Sybil attacks [7, 8]
- Others [9]
Security map
Denial of Service (DoS) attack
When legitimate nodes can't communicate with each other.
A. D. Wood et al. [5] described various attacks that lead to DoS on the different network layers of a sensor node.
A. D. Wood and J. A. Stankovic, “Denial of service in sensor networks,” IEEE Computer, pp. 48-56, October 2002.
Physical Layer
Jamming: an adversary keeps sending useless signals, making other nodes unable to communicate.
Defence: 1. Reroute traffic 2. Mode change
Physical Layer
Tampering: an attacker can tamper with nodes physically.
Defence:
1. React to tampering in a fail-complete manner, e.g. erase memory
2. Hide the nodes
Link Layer
Collision: the attacker only needs to disrupt part of the transmission. Defense: error-correcting codes.
Exhaustion: repeated retransmission causes battery exhaustion; in an IEEE 802.11-based MAC, continuous RTS requests cause battery exhaustion at the targeted neighbor. Defense: make MAC admission control rate-limiting.
Unfairness: the above attacks could cause unfairness. Defense: use small frames.
Network and Routing Layer
Misdirection: forwards messages along wrong paths; provides wrong route information. Defense:
- Egress filtering: in hierarchical routing, a parent can verify the source of the packets and make sure that all packets are from its children.
- Authorization: only authorized nodes can exchange routing information.
- Monitoring: every node monitors whether its neighbors are behaving correctly.
Network and Routing Layer (cont.)
Neglect and greed: malicious and selfish nodes. Defense: redundancy (multiple paths, or multiple packets along the same route).
Homing: nodes that have special responsibilities are vulnerable. Defense: hiding the important nodes (e.g. encryption).
Black holes: attackers make neighbors route traffic to them, but don't relay the traffic. Defense: authorization, monitoring, redundancy.
Transport Layer
Flooding: an attacker sends many connection establishment requests to the victim, making the victim run out of resources. Defense:
- Limit the number of connections
- Make the flow connectionless
- Client puzzle: challenging the client
De-synchronization: an attacker forges messages carrying wrong sequence numbers to one or both endpoints. Defense: authenticate all packets, including the transport protocol header.
What is a Sybil attack?
A malicious node behaves as if it were a larger number of nodes, for example by impersonating (1) other nodes or simply by claiming false identities. In the worst case, an attacker may generate an arbitrary number of additional node identities using only one physical device.
(1) to pretend to be another person, especially in order to deceive. Encarta® World English Dictionary (P) 1999 Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.
Taxonomy of Sybil Attacks
Communication
- Direct: Sybil nodes communicate directly with legitimate nodes.
- Indirect: Sybil nodes communicate through some other malicious node.
Identities
- Fabricated: simply create an arbitrary new 32-bit Sybil identity.
- Stolen: given a mechanism to identify legitimate node identities, the attacker cannot fabricate new ones and instead uses identities stolen from legitimate nodes.
Simultaneity
- Simultaneous: presenting all Sybil identities at once.
- Non-simultaneous: presenting a large number of identities over a period of time, but acting as a smaller number of identities at any one time.
Sybil attacks [8]
Known attacks
- Distributed storage: replication and fragmentation are performed, so a node's data is stored in several nodes.
- Routing: multipath routing, geographic routing
New attacks
- Data aggregation
- Voting
- Fair resource allocation
- Misbehavior
Other attacks [9]
- Attacks on the mote
- Traffic analysis
- System attacks on reputation-assignment schemes
- Attacks on in-network processing (data aggregation)
- Attacks on time synchronization protocols
Routing protocol attacks [6]
- Homing
- Selective forwarding
- Black-hole attack
- Sink-hole attack
- Worm-hole attack
- Flooding
- Misdirection
An example of WSNs: Deployment (figure: a sink/base station and sensor nodes labelled AA to XX; the diagram itself is not reproduced in this transcript)
An example of WSNs: Routing (figure)
An example of WSNs: Messaging (figure, shown on three consecutive slides)
Compromised node
When a legitimate node is attacked by an adversary, it becomes a malicious node and is known as a compromised node.
It performs the same activities as a legitimate node, plus whatever the adversary has configured.
Remember that the node still appears to be a normal node.
Black-hole or Selective forwarding attacks
Selective forwarding: in this type of attack the compromised node selectively forwards packets to other nodes and drops a fraction of the packets. In sensor networks, one type of such attack is the denial-of-message attack.
Black hole: a compromised node sends wrong routing information to its neighbors, claiming to be a low-cost route node, and the other nodes start sending their packets to this node.
Black-hole or Selective forwarding attacks (figure: example topology with sink and nodes AA to XX; not reproduced in this transcript)
Sink-hole Attack
In this type of attack the compromised node tries to gain more attention from its surroundings and tries to become the parent node of its neighbors.
In the MintRoute routing protocol, the compromised node sends wrong information in the route update message and becomes the parent.
If it succeeds, more traffic moves to that node: the messages from its neighbors and the messages from the neighbors' children. It usually drops all the packets it receives, so the base station receives less information from the sensor network.
Sink-hole Attack (figure: example topology with sink and nodes AA to XX; not reproduced in this transcript)
Intrusion Detection System (IDS)
An IDS consists of:
- Collection unit
- Detection unit
- Response unit
Types:
- Host-based IDS
- Network-based IDS
IDS (continued)
Detection mechanisms:
- Misuse detection
- Anomaly detection
- Specification-based detection
Installation of the IDS agent:
- Centralized
- Distributed
  - Individualized
  - Cooperative
- Hybrid
IDS proposed for WSNs
IDS architectures
- Spontaneous Watchdog approach [12] (2006)
- Cooperative local auditing [13, 14] (2007)
- Monitoring node detection approach [15] (2005)
- Pair based abnormal node detection [16] (2008)
Anomaly detection algorithms
- ANDES [17] (2007)
- Cumulative Summation [18] (2006)
- Fixed width clustering algorithm [19] (2006)
- Artificial Immune System [20] (2007)
Compromised node detection
- Application Independent Framework [21] (2008)
- Intrusion-aware Validation algorithm [22] (2008)
Spontaneous watchdog [12]
A distributed intrusion detection system. Basic components:
- Local agent: audits the data that comes from the nodes inside its radio range, and generates an alert if the data is found to come from a malicious node or from a node not present in its neighbor list.
- Global agent: if activated, it acts as a spontaneous watchdog, checking whether the node that received a message forwards that message or not.
Cooperative local auditing [13, 14]
IDS client
- Present in each sensor node.
- Composed of five components:
  - Local packet monitoring
  - Local detection engine
  - Cooperative detection engine
  - Communication
  - Local response
(Figure: flow of the IDS client. Send/Receive packets -> Check rules -> No violation: regular task; Violation: Communicate -> Voting -> Not malicious, or Malicious -> Alert to sink.)
Cooperative local auditing: rules for the black-hole attack [12]
- Node J sends a data packet to node C and buffers that packet for some time.
- It then waits to see whether node C forwards the packet or not.
- If C does not forward it, J increments a counter corresponding to node C; otherwise the packet is removed from the buffer.
- If, over a certain number of time units, node C drops t percent of the packets, J generates an alert.
Rules for the sink-hole attack [13]
- Assumption: MintRoute routing protocol.
- A node checks that the ID carried in a packet relates to that packet's sender, and that the sender is one of its neighbors.
- In any other situation it generates an alert.
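As an added example (not code from [13, 14] or the slides), the Python model below has node J apply both rule sets above: it holds a copy of each packet handed to a next hop until that hop is overheard relaying it, counts expired copies as drops, raises a black-hole alert when the drop rate for a neighbor reaches t percent at the end of an evaluation window, and raises a sink-hole alert when a packet claims a sender that is not in J's neighbor list. The hold time, window length, threshold and the trace (neighbor C relaying only two of six packets, an unknown node Z) are constructed values.

```python
from collections import defaultdict

# Constructed parameters (not taken from [13, 14]): a forwarded packet is held for
# HOLD ticks before it counts as dropped, per-neighbour drop rates are evaluated
# every WINDOW ticks, and an alert is raised at T_PERCENT dropped.
HOLD, WINDOW, T_PERCENT = 3, 10, 50


class LocalAuditor:
    """Hypothetical IDS client on node `me` implementing both rules above."""

    def __init__(self, me: str, neighbors: set):
        self.me, self.neighbors = me, set(neighbors)
        self.buffer = {}                  # pkt_id -> (next_hop, sent_at)
        self.sent = defaultdict(int)      # next_hop -> packets handed to it
        self.dropped = defaultdict(int)   # next_hop -> packets never relayed
        self.alerts = []                  # (rule, suspect, tick)

    def on_send(self, pkt_id: str, next_hop: str, now: int) -> None:
        """Black-hole rule, step 1: keep a copy until the neighbour relays it."""
        self.buffer[pkt_id] = (next_hop, now)
        self.sent[next_hop] += 1

    def on_overhear(self, pkt_id: str, forwarder: str) -> None:
        """Black-hole rule, step 2: the next hop relayed it, release the copy."""
        if self.buffer.get(pkt_id, (None,))[0] == forwarder:
            del self.buffer[pkt_id]

    def on_receive(self, claimed_sender: str, now: int) -> None:
        """Sink-hole rule: the sender ID must be one of our neighbours."""
        if claimed_sender not in self.neighbors:
            self.alerts.append(("sinkhole", claimed_sender, now))

    def tick(self, now: int) -> None:
        """Expire held copies as drops and, at window end, apply the t% rule."""
        for pkt_id, (hop, sent_at) in list(self.buffer.items()):
            if now - sent_at >= HOLD:
                self.dropped[hop] += 1
                del self.buffer[pkt_id]
        if now % WINDOW == 0:
            for hop, n in self.sent.items():
                if n and 100 * self.dropped[hop] / n >= T_PERCENT:
                    self.alerts.append(("blackhole", hop, now))
            self.sent.clear()
            self.dropped.clear()


def run_scenario() -> list:
    """Constructed trace: C relays only 2 of 6 packets from J; Z is no neighbour."""
    j = LocalAuditor("J", {"B", "C", "K"})
    for now in range(1, 11):
        if now <= 6:
            j.on_send("p%d" % now, "C", now)
        if now in (2, 3):                         # C relays p1 at t=2, p2 at t=3
            j.on_overhear("p%d" % (now - 1), "C")
        if now == 7:
            j.on_receive("Z", now)                # Z is not in J's neighbour list
        j.tick(now)
    return j.alerts
```

The trace yields a sink-hole alert for Z at tick 7 and a black-hole alert for C at tick 10, when four of the six packets handed to C have expired unrelayed.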
Comparison of IDS architectures

| | Spontaneous Watchdog [12] | Cooperative local auditing [13, 14] | Monitoring node detection approach [15] | Pair based abnormal node detection [16] |
|---|---|---|---|---|
| Approach | Distributed | Distributed / Cooperative | Distributed | Distributed / Novel approach |
| Detection technique | Anomaly based | Specification based | Specification based | Both signature and anomaly based |
| Monitor node(s) | One | More than half | More than one | Pairing node |
| IDS agent installation | Every node | Every node | Monitor node | Every node |
| Complexity | Activating global agent | Cooperation | Placing monitor node | Making pairs |
| Attack detection | Not specified | Selective forwarding, black-hole or sink-hole | Jamming, black-hole, delay, sel. forwarding, repetition | Not specified |
ANDES [17]
A centralized anomaly detection mechanism. Main components:
- Collection and analysis of application data: regular data is collected at the sink.
  - Records the sequence numbers of the last n messages
  - Records the time-stamp of the last received data packet
  - Updates the total number of application packets
  - Analyzes the application data
  - Maintains a list of active and connected nodes
- Collection and analysis of management information: an additional management routing protocol collects address, parent, hops, send_cnt, receive_cnt, fwd_cnt, failure_cnt, etc.
ANDES (continued)
(Figures: an example where F, H, I, O, and J are unavailable, and one where C, F, J, M, and E are unavailable.)
CUSUM [18]
A distributed anomaly detection mechanism. Monitor nodes analyze the behavior of the nodes as normal or malicious.
Categories of attack:
- Compromising the node to attract the attention of other nodes.
- Affecting the packet data, as in a collision.
- Flooding the nodes to exhaust their resources.
Analysis:
- Amount of messages received by a node.
- Amount of collisions occurring with the packets.
- Amount of packets emerging from a particular node.
CUSUM (continued)
Monitor node
- The IDS agent is installed in the monitor nodes.
- Two tasks: normal listening and promiscuous listening.
- The anomaly detection module uses the statistics collected from the analysis of the packet headers to generate the type of alert.
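Added example, not the algorithm's code from [18] (whose parameters the slides do not give): a monitor node that tallies overheard packet headers per interval and runs a one-sided CUSUM on the "packets emerging from a particular node" statistic, so that a sustained rise in one node's sending rate accumulates past a threshold while normal variation is absorbed by the allowance. The reference mean mu, the allowance k, the threshold h and the overheard headers are constructed values.

```python
from collections import defaultdict

# Constructed CUSUM parameters (the values used in [18] are not given on the slide):
# MU is the expected per-interval count of the monitored statistic, K_ALLOW the
# allowance absorbing normal variation, and H the decision threshold.
MU, K_ALLOW, H = 5.0, 1.0, 8.0


class CusumMonitor:
    """Hypothetical anomaly-detection module of a monitor node: one one-sided
    CUSUM per (node, statistic), fed from overheard packet headers."""

    def __init__(self, mu: float = MU, k: float = K_ALLOW, h: float = H):
        self.mu, self.k, self.h = mu, k, h
        self.stat = defaultdict(float)    # (node, statistic) -> running S_t
        self.alerts = []                  # (statistic, node, interval)

    def update(self, node: str, statistic: str, x: float, t: int) -> float:
        """S_t = max(0, S_{t-1} + x_t - mu - k); alert and restart when S_t > h."""
        key = (node, statistic)
        self.stat[key] = max(0.0, self.stat[key] + x - self.mu - self.k)
        if self.stat[key] > self.h:
            self.alerts.append((statistic, node, t))
            self.stat[key] = 0.0
        return self.stat[key]


def count_packets_from(headers: list) -> dict:
    """Promiscuous listening: per interval, tally packets by source address
    (the 'packets emerging from a particular node' statistic above)."""
    counts = defaultdict(lambda: defaultdict(int))
    for t, src, _dst in headers:
        counts[t][src] += 1
    return counts


def run_scenario() -> list:
    """Constructed trace: K sends 5 packets per interval, then floods with 12."""
    headers = []                          # overheard (interval, src, dst) headers
    for t in range(1, 11):
        headers += [(t, "K", "M")] * (5 if t <= 6 else 12)
        headers += [(t, "N", "M")] * 5    # N stays within its normal rate
    counts = count_packets_from(headers)
    monitor = CusumMonitor()
    for t in sorted(counts):
        for node in ("K", "N"):
            monitor.update(node, "packets_from", counts[t].get(node, 0), t)
    return monitor.alerts
```

With these values K's statistic stays at zero for six normal intervals, reaches 6 after the first flooded interval and crosses h in the second, producing alerts at intervals 8 and 10 while N never triggers.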
Comparison of Anomaly Detection Algorithms

| | ANDES [17] | Cumulative Summation [18] | Fixed width clustering algorithm [19] | Artificial Immune System [20] |
|---|---|---|---|---|
| Approach | Centralized | Distributed | Distributed | Distributed |
| Detection technique | ANDES algorithm | CUSUM algorithm | Fixed width clustering | Artificial immune system |
| Monitoring node | Sink or base station | Monitor node | Every node | Every node |
| IDS agent installation | Central location or sink | Only monitor node | All the nodes | All the nodes |
| Complexity | Routing protocol | Placing monitor node | Detection policy | Detecting non-self string |
| Computational overhead | At sink | At monitor nodes | At every node | At every node |
| Attack detection | Sel. forwarding, flooding, black-hole or sink-hole | Worm-hole, black-hole, collision, flooding | Periodic route error, active and passive sink-hole | Misbehavior detection |
Comparison of Compromised node detection

| | Application Independent Framework [21] | Intrusion-aware Validation algorithm [22] |
|---|---|---|
| Approach | Simple graph based | Consensus based validation |
| Detection technique | Application specific | Distributed / Cooperative |
| Decision makers | Central point | Multiple neighbors |
| IDS agent installation | Sink or central point | Every node |
| Computational overhead | At sink or central point | At node level |
| Complexity | Graph based | Cooperation with neighbors |
Future work
- The increasing deployment of WSNs makes them vulnerable to different types of security threats.
- Requirement: a complete, reliable security system.
- Future approach: a distributed / cooperative anomaly-based IDS approach that also covers the details of the secure transmission mechanism.
Conclusion
- Secure routing and key management protocols cannot provide security against strong adversary attacks. IDS is a solution.
- It is still a new area. Researchers have proposed IDS models for WSNs, but a reliable solution is still unavailable.
- A reliable distributed / cooperative anomaly-based IDS approach is a future demand.
References
1. I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communications Magazine, pp. 102-114, August 2002.
2. D. Liu, P. Ning, S. Zhu, S. Jajodia, “Practical Broadcast Authentication in Sensor Networks,” The Second Annual IEEE International Conference on Mobile and Ubiquitous Systems: Networking and Services, pp. 118-132, July 2005.
3. S. Rajasegarar, C. Leckie, and M. Palaniswami, “Anomaly detection in Wireless Sensor Networks,” Security in Ad hoc and Sensor Networks, IEEE Wireless Communications, pp. 34-40, August 2008.
4. K. Akkaya and M. Younis, “A survey on routing protocols for wireless sensor networks,” Elsevier Ad Hoc Networks 3, pp. 325-349, 2005.
5. A. D. Wood and J. A. Stankovic, “Denial of service in sensor networks,” IEEE Computer, pp. 48-56, October 2002.
6. C. Karlof and D. Wagner, “Secure routing in wireless sensor networks: Attacks and countermeasures,” In Proc. of the First IEEE International Workshop on Sensor Network Protocols and Applications, pp. 113-127, May 2003.
7. J. R. Douceur, “The Sybil Attack,” In Proc. of the First International Workshop on Peer-to-Peer Systems, pp. 251-260, London, UK, March 2002.
8. J. Newsome, E. Shi, D. Song and A. Perrig, “The Sybil attack in sensor networks: Analysis and Defenses,” In Proc. of the 3rd ACM Int. Symposium on Information Processing in Sensor Networks, California, USA, April 2004.
9. T. Roosta, S. P. Shieh, and S. Sastry, “Taxonomy of Security Attacks in Sensor Networks and Countermeasures,” In Proc. of the 1st IEEE Int. Conference on System Integration and Reliability Improvements, 2006.
10. P. Innella and O. McMillan, “An Introduction to Intrusion Detection Systems,” Article by Tetrad Digital Integrity, LLC, December 2001.
11. J. P. Walters, Z. Liang, W. Shi and V. Chaudhary, “Wireless sensor networks security: A survey,” Security in Distributed, Grid, and Pervasive Computing, Auerbach Publications, CRC Press, 2006.
12. R. Roman, J. Zhou and J. Lopez, “Applying Intrusion Detection Systems to wireless sensor networks,” IEEE Consumer Communications and Networking Conference, vol. 1, pp. 640-644, January 2006.
13. I. Krontiris and T. Dimitriou, “Towards intrusion detection in wireless sensor networks,” In Proc. of the 13th European Wireless Conference, Paris, France, April 2007.
14. I. Krontiris, T. Dimitriou, T. Giannetsos and M. Mpasoukos, “Intrusion Detection of Sinkhole Attacks in Wireless Sensor Networks,” 3rd International Workshop on Algorithmic Aspects of Wireless Sensor Networks, Wroclaw, Poland, July 2007.
15. A. P. R. da Silva, M. H. T. Martins, B. P. S. Rocha, A. A. F. Loureiro, L. B. Ruiz and H. C. Wong, “Decentralized intrusion detection in wireless sensor networks,” In Proc. of the 1st ACM Int. Workshop on Quality of Service & Security in Wireless and Mobile Networks, pp. 16-23, Canada, October 2005.
16. K. R. Ahmed, K. Ahmed, S. Munir and A. Asad, “Abnormal Node Detection in Wireless Sensor Network by Pair Based Approach using IDS Secure Routing Methodology,” International Journal of Computer Science and Network Security, vol. 8, no. 12, pp. 339-342, December 2008.
17. S. Gupta, R. Zheng and A. M. K. Cheng, “ANDES: an Anomaly Detection System for Wireless Sensor Networks,” IEEE International Conference on Mobile Adhoc and Sensor Systems, pp. 1-9, October 2007.
18. T. V. Phuong, L. X. Hung, S. J. Cho, Y. K. Lee and S. Lee, “An Anomaly Detection Algorithm for Detecting Attacks in Wireless Sensor Networks,” Intelligence and Security Informatics, vol. 3975, pp. 735-736, Springer Berlin, Heidelberg, 2006.
19. C. E. Loo, M. Y. Ng, C. Leckie and M. Palaniswami, “Intrusion Detection for Routing Attacks in Sensor Networks,” International Journal of Distributed Sensor Networks, vol. 2, no. 4, pp. 313-332, December 2006.
20. M. Drozda, S. Schaust and H. Szczerbicka, “AIS for Misbehavior Detection in Wireless Sensor Networks: Performance and Design Principles,” In Proc. of IEEE Congress on Evolutionary Computation, pp. 3719-3726, Singapore, 2007.
21. Q. Zhang, T. Yu and P. Ning, “A framework for identifying compromised nodes in wireless sensor networks,” ACM Transactions on Information and System Security, vol. 11, Article No. 12, 2008.
22. R. A. Shaikh, H. Jameel, B. J. d'Auriol, S. Lee and Y. J. Song, “Trusting anomaly and intrusion claims for cooperative distributed intrusion detection schemes of wireless sensor networks,” In Proc. of the 2008 International Symposium on Trust Computing, pp. 2038-2043, China, November 2008.
Questions