Optimal Activation of Intrusion Detection Agents for Wireless Sensor Networks. Yulia Ponomarchuk and Dae-Wha Seo, Kyungpook National University, Republic of Korea, Dept. of Electrical Engineering and Computer Science, Mobile Computing and Embedded Systems Laboratory, 2010.10.26


Page 1: Optimal Activation of Intrusion Detection Agents for Wireless Sensor Networks

Optimal Activation of Intrusion Detection Agents for Wireless Sensor Networks

Yulia Ponomarchuk and Dae-Wha Seo
Kyungpook National University, Republic of Korea

Dept. of Electrical Engineering and Computer Science
Mobile Computing and Embedded Systems Laboratory,

2010.10.26

Page 2

Outline

- Introduction
- Related work: attacks against wireless sensor networks (WSNs) and obstacles to their security; Intrusion Detection Systems (IDSs)
- Ising model formulation for the global IDS agent activation
- Self-organization of the IDS agents
- Conclusions

Page 3

Introduction: Comparison of the WSNs and Wireless Ad Hoc Networks

| Wireless sensor network | Wireless ad hoc network |
|---|---|
| Nodes function in an unattended manner | Nodes are controlled by users |
| High specialization of nodes | No specialization of nodes |
| The batteries may be nonrechargeable | Power resources are not constrained |
| Memory and processing power resources are very constrained | Memory and processing power resources are satisfactory |
| Dense and random deployment | Sparse deployment of nodes |
| The exact location is unknown | Each node can be supplied with GPS |
| The location is fixed after deployment | Nodes can be mobile |
| Nodes often fail or can be compromised | Nodes rarely fail or get compromised |
| No node can be trusted | An authenticated node can be trusted |
| Paths for transmissions are fixed within a given time interval | Paths for transmissions are random and change over time |

[Figure: a wireless ad hoc network (source node, routing nodes, destination node) beside a wireless sensor network (a sensor field of sensor nodes reporting to a base station, which connects over the Internet to the task manager node and the user)]

Page 4

Related Work: Some Attacks against the WSNs

- Physical layer jamming: producing sufficient levels of radio interference to provoke collisions
- MAC layer jamming: preventing legitimate nodes from accessing the channel or exhausting their resources
- Routing layer attacks:
  - Spoofing, altering, or replaying routing information
  - Selective forwarding of packets
  - Black hole attack: dropping all packets passing through the node
  - Sinkhole attack: luring traffic from the targeted area
  - Wormhole attack: inserting an out-of-band link to lure traffic
  - Sybil attack: presenting several identities to its neighbors

[Figure: wormhole and selective forwarding attacks on nodes a to f reporting to the base station BS; (a) a single malicious node; (b) two collaborating nodes m1 and m2. Legend: transmission along the normal route, eavesdropping, transmission by an out-of-band channel, replaying a packet]

Page 5

Obstacles to Wireless Sensor Network Security

- The nodes in the WSNs can be easily compromised
- Attack prevention schemes alone cannot ensure perfect security of the networks
- An attacker can eavesdrop on packets and analyze the protocols and topology of the target network
- An attacker may inject false information through the compromised nodes
- All keying material may be obtained from a compromised node, and a complex attack can then be launched
- Resource constraints
- Unreliable communication
- Unattended operation

Therefore, intrusion detection systems (IDSs) are proposed as a second line of defense:
- To detect anomalies and inform the base station (BS)
- To trigger the network reaction to the intrusion
- To minimize the attacker's influence on the network performance

Assumption: the behavior of the intruder and of a legitimate node can be discriminated

Page 6

Intrusion Detection Systems (IDSs)

An IDS is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems.
- A network IDS (NIDS) is an independent platform which identifies intrusions by examining network traffic and monitors multiple nodes
- A host-based IDS (HIDS) consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications, and other host activities and state

It is assumed that the behavior patterns of an intruder and of a legitimate user in the network are noticeably different

While data encryption and data integrity protection are used as preventive measures, an IDS acts only in reaction to the occurrence of an attack (second line of defense)

Page 7

Classification of the IDSs according to the Detection Techniques

- A signature-based (or misuse detection based) IDS: compares the traffic features with predefined signatures of attacks or malicious actions; allows detection of the majority of known attacks; has a low false positive rate; when a new type of attack is launched, a new signature must be created and broadcast to every node
- An anomaly-based IDS: checks the traffic for any behavior different from the predefined or accepted normal patterns; can detect novel attacks; has a high false positive rate
- A specification-based IDS: uses a set of manually defined rules, specific to the application or the protocols running in the WSN; it is recommended for WSNs, since the specification database requires less memory

[Figure: general architecture of the IDSs for WSNs. The monitoring node runs sensing, application and routing; the IDS agent performs data gathering and data analysis against its rules/specifications; intrusion response: alert broadcast, change of RF channel, network reorganization, key renewal]

Page 8

Previously Proposed Approaches to the IDS Design

A significant number of IDS design approaches rely on analysis of the incoming and outgoing traffic of a node and on monitoring the neighbors' behavior (the watchdog technique)

Besemann et al. (2004), Roman et al. (2006), Hai et al. (2007): suggested using a local IDS (LIDS) agent for traffic analysis and a global IDS (GIDS) agent for monitoring of and cooperation with other nodes

While the analysis of incoming and outgoing traffic does not require much energy, an active GIDS agent may quickly exhaust the battery of a node. Therefore, algorithms for the optimal deployment and activation of the GIDS agents were proposed:

Anjum et al. (2004): proposed activating the IDS agents only at the cluster heads (CHs) that belong to a minimum cut-set (a set of nodes through which most of the traffic is transferred). The CHs were assumed to be trustworthy

Techateerawat and Jennings (2006): analyzed three adaptive strategies of IDS deployment: 1) core defense protects the CH; 2) boundary defense protects the boundary of each cluster; 3) distributed defense is the uniform activation of IDS agents in the WSN. As soon as an intrusion is detected, alarms are broadcast to activate the IDS agents in the vicinity of the attacker

Chatzigiannakis and Strikos (2007): suggested activating the GIDS agents at the CHs that are members of a cut-set; in addition, a few nodes in each cluster have active GIDS agents which monitor the CHs' behavior

Hai et al. (2007): proposed activating GIDS agents at all CHs in order to monitor the cluster members' behavior. All monitoring nodes were assumed to be trustworthy
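An added example, not code from the paper or from any of the works cited above: a watchdog-style check, in Python, that a monitoring node can run over frames it overhears on the channel to rate each neighbor's forwarding behavior. The frame format (seq,sender,next_hop,destination), the sample frames and the thresholds are constructed for this example; the resulting drop ratio per neighbor is the kind of scalar anomaly measure a LIDS traffic analysis produces and that a GIDS activation scheme can consume.

```python
from collections import defaultdict

# Constructed sample of what a monitoring node overheard on the radio channel
# (not data from the paper). One line per frame: seq,sender,next_hop,destination.
# Watched neighbours: A forwards everything, B drops some of the frames it is
# handed (selective forwarding), C drops every frame it is handed (black hole).
OVERHEARD = """\
1,S,A,BS
1,A,R,BS
2,S,A,BS
2,A,R,BS
3,S,B,BS
3,B,R,BS
4,S,B,BS
5,S,B,BS
5,B,R,BS
6,S,B,BS
7,S,C,BS
8,S,C,BS
9,S,C,BS
"""


def parse_frame(line):
    """Split one overheard frame into (seq, sender, next_hop, destination)."""
    seq, sender, next_hop, dest = line.strip().split(",")
    return int(seq), sender, next_hop, dest


def watchdog_drop_ratios(lines, watched, min_samples=2):
    """Watchdog check of the neighbours' forwarding behaviour.

    A frame handed to a watched neighbour (it is the next hop but not the final
    destination) is expected to be overheard again later with that neighbour as
    sender and the same seq. The drop ratio per neighbour, dropped/handed, is the
    scalar anomaly measure this node would feed into a GIDS activation step.
    Neighbours with fewer than min_samples handed frames are not rated (None).
    """
    handed = defaultdict(int)
    forwarded = defaultdict(int)
    pending = set()  # (seq, neighbour) pairs still waiting to be forwarded
    for line in lines:
        if not line.strip():
            continue
        seq, sender, next_hop, dest = parse_frame(line)
        # A retransmission by the watched neighbour settles one pending frame;
        # a second copy of the same seq (a replay) is not credited again.
        if sender in watched and (seq, sender) in pending:
            pending.remove((seq, sender))
            forwarded[sender] += 1
        if next_hop in watched and next_hop != dest:
            handed[next_hop] += 1
            pending.add((seq, next_hop))
    ratios = {}
    for nb in sorted(watched):
        if handed[nb] < min_samples:
            ratios[nb] = None
        else:
            ratios[nb] = (handed[nb] - forwarded[nb]) / handed[nb]
    return ratios


def classify(ratios, threshold=0.3):
    """Map drop ratios to the routing-layer attacks listed on the Related Work slide."""
    verdict = {}
    for nb, r in ratios.items():
        if r is None:
            verdict[nb] = "insufficient data"
        elif r >= 1.0:
            verdict[nb] = "black hole"
        elif r > threshold:
            verdict[nb] = "selective forwarding"
        else:
            verdict[nb] = "ok"
    return verdict


if __name__ == "__main__":
    ratios = watchdog_drop_ratios(OVERHEARD.splitlines(), watched={"A", "B", "C"})
    print(ratios)
    print(classify(ratios))
```

The watchdog only works while the monitoring node can actually overhear the neighbor's retransmission; a neighbor that forwards over an out-of-band link (the wormhole case) or that is outside radio range of the monitor will look like a dropper, which is why the ratio is treated as an anomaly measure rather than as proof of an attack.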

Page 9

Ising Model Formulation for the Activation of GIDS Agents

The WSN is represented as a weighted (directed) graph $G = (V, E, W)$:
- $V = \{v_1, v_2, \ldots, v_N\}$ is the set of individual components (the WSN nodes)
- $E = \{(v_i, v_j) \mid v_i, v_j \in V,\ i, j = 1, \ldots, N,\ i \neq j\}$ is the set of edges (links) between components
- $W = \{w_{ij} \mid w_{ij} \ge 0,\ i, j = 1, \ldots, N,\ i \neq j\}$ is the set of weights assigned to the edges, representing the strength of interaction between the components
- Self loops are absent
- Each node $v_i$ is assigned a spin $\sigma_i \in \{-1, +1\}$ to represent the state of its GIDS agent
- $B_t$ is a time-dependent external field, where $B_k^t$ is the magnitude of the local field at node $v_k$ and $\alpha_k$ is a scalar (anomaly) measure at the sensor node

A time-dependent Hamiltonian $H_t$:

$$H_t = -\sum_{(v_i, v_j) \in E} w_{ij}\,\sigma_i \sigma_j \;-\; \sum_{i=1}^{N} B_i^t\,\sigma_i$$

Given the spin states of the nodes and the anomaly measures at a given time instant, the problem of self-organization of the IDS agents is reduced to estimating the probabilities of the possible subsequent states of the Ising system

Page 10

Optimal Activation of the IDS Agents in the WSN

The goal:
- To estimate the probabilities of the future states of the system
- To determine the distribution of active GIDS agents in the sensor network
- To provide adaptability of the IDS agents' activation

The model was simplified by the following assumptions:
- Markov dynamics: the future state depends only on the present state
- Quasi-static equilibria at all time instants: the system follows the single-flip dynamics, large changes in the system's state are impossible
- The system satisfies the condition of detailed balance. Let $P_I$, $P_J$ be the probabilities of the system being in states $I$ and $J$ respectively, and $p_{IJ}$ the probability of transition from state $I$ to state $J$; then

$$P_I\,p_{IJ} = P_J\,p_{JI}$$

Other denotations: $\lambda$ is the weighting coefficient for the distance measure; $\beta$ is the coefficient proportional to the "inverse temperature"
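Worked derivation, added here and not part of the original slides, of the energy change a single spin flip causes under $H_t$ and of why the Metropolis acceptance rule satisfies the detailed balance condition above. It uses the deck's own symbols, takes $W$ symmetric ($w_{kj} = w_{jk}$, each pair counted once in $H_t$; for a directed graph the coefficient of $\sigma_j$ below becomes $w_{kj} + w_{jk}$), and writes $\beta$ for the inverse-temperature coefficient.

Collecting the terms of $H_t$ that contain $\sigma_k$:

$$H_t = -\sigma_k \Big( \sum_{j \neq k} w_{kj}\,\sigma_j + B_k^t \Big) + (\text{terms without } \sigma_k)$$

so flipping $\sigma_k \to -\sigma_k$ changes the energy by

$$\Delta E_k = H_t(\ldots, -\sigma_k, \ldots) - H_t(\ldots, \sigma_k, \ldots) = 2\sigma_k \Big( \sum_{j \neq k} w_{kj}\,\sigma_j + B_k^t \Big)$$

With the equilibrium distribution $P_I \propto e^{-\beta E_I}$ and the Metropolis transition probability $p_{IJ} = \min\!\big(1, e^{-\beta (E_J - E_I)}\big)$ between two states $I$, $J$ that differ in one spin,

$$\frac{p_{IJ}}{p_{JI}} = \frac{\min\!\big(1, e^{-\beta (E_J - E_I)}\big)}{\min\!\big(1, e^{-\beta (E_I - E_J)}\big)} = e^{-\beta (E_J - E_I)} = \frac{P_J}{P_I}$$

which is exactly $P_I\,p_{IJ} = P_J\,p_{JI}$. A positive $B_k^t$ (a high anomaly measure around $v_k$) lowers the energy of $\sigma_k = +1$, so the flip toward the active state is accepted with probability 1 as soon as the field outweighs the coupling to the neighbors' spins.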

Page 11

Algorithm: Self-Organization of the IDS Agents

While (1) do
  Collect traffic data from the neighboring devices
  Compute the local anomaly measure $\alpha_k$ at the current time instant and broadcast it to the one-hop neighbors
  Compute the external field $B_k^t$ from $\alpha_k$ and the anomaly measures received from the one-hop neighbors
  Compute the change in energy caused by flipping the spin of $v_k$ and calculate the probability of flipping the state:

  $$\Delta E_k = 2\sigma_k \Big( \sum_{j \neq k} w_{kj}\,\sigma_j + B_k^t \Big)$$

  $$p_k^{\mathrm{flip}} = \begin{cases} e^{-\beta \Delta E_k} & \text{if } \Delta E_k > 0 \\ 1 & \text{otherwise} \end{cases}$$

  Change the spin state $\sigma_k \to -\sigma_k$ with probability $p_k^{\mathrm{flip}}$ for the next time period
End
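A runnable Python model of this loop, added as an illustration and not code from the paper. It builds a constructed six-node grid WSN, uses the Ising convention $H = -\sum w_{ij}\sigma_i\sigma_j - \sum B_i\sigma_i$ with spin $+1$ read as "GIDS agent active", a symmetric weight set, and the Metropolis flip rule above. The slides do not give the full form of the external field, so the form used here is an assumption: the node's own anomaly measure plus its neighbors' measures decayed with distance (coefficient lam, standing in for $\lambda$), minus a constant bias standing for the battery cost of an active agent so that an idle network stays inactive. The names external_field, delta_energy, flip_probability, sweep and simulate, and the parameter values, are the example's own.

```python
import math
import random

# Constructed toy WSN for this example (not from the paper): six sensor nodes on a
# 2 x 3 grid with unit spacing. Edges are one-hop radio links, the weights w_ij >= 0
# give the interaction strength; the graph is kept symmetric and has no self loops.
POSITIONS = {0: (0.0, 0.0), 1: (1.0, 0.0), 2: (2.0, 0.0),
             3: (0.0, 1.0), 4: (1.0, 1.0), 5: (2.0, 1.0)}
LINKS = {(0, 1): 1.0, (1, 2): 1.0, (3, 4): 1.0, (4, 5): 1.0,
         (0, 3): 1.0, (1, 4): 1.0, (2, 5): 1.0}


def build_weights(links):
    """Expand the undirected link list into the weight set W = {w_ij}, both directions."""
    w = {}
    for (i, j), wij in links.items():
        w[(i, j)] = wij
        w[(j, i)] = wij
    return w


def neighbors(w, k):
    """One-hop neighbours of v_k: every j with an edge (k, j)."""
    return sorted(j for (i, j) in w if i == k)


def external_field(k, alpha, w, positions, lam, bias):
    """Local field B_k at v_k (assumed form; the slides do not give it in full):
    the node's own anomaly measure alpha_k, plus each neighbour's alpha_j decayed
    with distance (lam = distance weighting coefficient), minus a constant bias
    standing for the battery cost of keeping a GIDS agent active."""
    b_k = alpha[k]
    for j in neighbors(w, k):
        d_kj = math.dist(positions[k], positions[j])
        b_k += alpha[j] * math.exp(-lam * d_kj)
    return b_k - bias


def delta_energy(k, spins, w, b_k):
    """Energy change of H = -sum w_ij s_i s_j - sum B_i s_i when spin k flips:
    dE_k = 2 s_k (sum_j w_kj s_j + B_k)."""
    local = sum(w[(k, j)] * spins[j] for j in neighbors(w, k))
    return 2.0 * spins[k] * (local + b_k)


def flip_probability(delta_e, beta):
    """Metropolis rule: flip for sure when the energy does not increase,
    otherwise with probability exp(-beta * dE)."""
    return 1.0 if delta_e <= 0 else math.exp(-beta * delta_e)


def sweep(spins, alpha, w, positions, beta, lam, bias, rng):
    """One round of the self-organization loop: each node recomputes its field,
    its dE and flip probability, and flips its agent state accordingly.
    Nodes are updated one at a time (single-flip dynamics)."""
    for k in sorted(spins):
        b_k = external_field(k, alpha, w, positions, lam, bias)
        p_flip = flip_probability(delta_energy(k, spins, w, b_k), beta)
        if p_flip >= 1.0 or rng.random() < p_flip:
            spins[k] = -spins[k]
    return spins


def active_agents(spins):
    """Nodes whose spin is +1, read here as 'GIDS agent active'."""
    return sorted(k for k, s in spins.items() if s == +1)


def simulate(anomalous_node=4, anomaly=8.0, rounds=5, beta=100.0, lam=1.0,
             bias=2.5, seed=7):
    """Constructed scenario: every agent starts inactive (spin -1) and a single
    node reports a high anomaly measure. Returns the nodes left active."""
    w = build_weights(LINKS)
    spins = {k: -1 for k in POSITIONS}
    alpha = {k: 0.0 for k in POSITIONS}
    alpha[anomalous_node] = anomaly
    rng = random.Random(seed)
    for _ in range(rounds):
        sweep(spins, alpha, w, POSITIONS, beta, lam, bias, rng)
    return active_agents(spins)


if __name__ == "__main__":
    print("active GIDS agents:", simulate())
```

With the constructed anomaly at node 4 and beta = 100 (practically zero temperature) the loop settles with agents 3, 4 and 5 active: the anomalous node and the two neighbors whose field outweighs the pull of their idle neighbors, while node 1, which has two idle neighbors, stays off and nodes 0 and 2, whose field is only the negative bias, never activate. With the anomaly removed the network stays entirely inactive, which is the "activate only when necessary" behavior the conclusions describe; lowering beta lets nodes flip against the field and trades battery for faster reaction.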

Page 12

Conclusions

- The paper proposes a model for adaptive optimal activation of the GIDS agents for intrusion detection in WSNs, based on weighted graphs and the Ising model of statistical mechanics
- Given the estimates of traffic anomalies, a small fraction of the nodes is activated to watch their neighbors' behavior, and only when it is necessary
- The proposed scheme is distributed and lightweight in terms of computation and communication overhead
- It can be applied in large WSNs, since the BSs do not collect and store the traffic information from all nodes
- Further research will be devoted to performance evaluation using simulations and to comparison with other approaches to GIDS agent deployment and activation