intrusion detection based on traffic analysis in wireless sensor networks

Intrusion Detection Based on Traffic Analysis in Wireless Sensor Networks. Yulia Ponomarchuk and Dae-Wha Seo, Department of Electrical Engineering and Computer Science, Kyungpook National University, Daegu, Republic of Korea


Page 1: Intrusion Detection Based on Traffic Analysis in Wireless Sensor Networks

Intrusion Detection Based on Traffic Analysis in Wireless Sensor Networks

Yulia Ponomarchuk and Dae-Wha Seo

Department of Electrical Engineering and Computer Science, Kyungpook National University

Daegu, Republic of Korea

Page 2

Outline

Introduction
Related Work
Network and Attacker Models
Proposed Intrusion Detection Method
Simulation Results
Conclusions

Page 3

Introduction: Specific Features of WSNs

Wireless sensor network                                        | Wireless ad hoc network
---------------------------------------------------------------|-------------------------------------------------------
Nodes function in an unattended manner                         | Nodes are controlled by users
High specialization of nodes                                   | No specialization of nodes
The batteries may be non-rechargeable                          | Power resources are not constrained
Memory and processing power resources are very constrained     | Memory and processing power resources are satisfactory
Dense and random deployment                                    | Sparse deployment of nodes
The exact location is unknown                                  | Each node can be supplied with GPS
The location is fixed after deployment                         | Nodes can be mobile
Nodes often fail or can be compromised                         | Nodes rarely fail or get compromised
No node can be trusted                                         | An authenticated node can be trusted
Paths for transmissions are fixed within a given time interval | Paths for transmissions are random and change over time

[Figure: a wireless ad hoc network (source node, routing nodes, destination node) beside a wireless sensor network (sensor field with sensor nodes, base station, Internet, task manager node, user)]

Page 4

Introduction: Motivation of Research

WSN nodes can be easily compromised
All keying material can be obtained from a compromised node
An attacker may target data transmitted within the network
No security scheme can guarantee that an attacker will not eventually succeed
An intrusion detection scheme – second line of defense:
  Detects anomalies and informs a base station (BS)
  Triggers the network's reaction to an intrusion
  Minimizes an attacker's effect on network performance

Assumption: the behavior of an intruder and of a legal node can be discriminated

The proposed distributed intrusion detection method:
  Is based on traffic monitoring and statistical methods
  Can be used in flat or hierarchical networks
  Does not require any additional hardware or extra communication costs
  Has minimal computational overhead and short detection delay
  Demonstrates better efficiency than common approaches

Page 5

Related Work: Some Attacks against WSNs

Physical layer jamming: producing sufficient levels of radio interference to provoke collisions
MAC layer jamming: preventing legal nodes from accessing the channel or exhausting their resources
Routing layer attacks:
  Spoofing, altering, or replaying routing information
  Selective forwarding of packets
  Black hole attack: dropping all traffic passing through the node
  Sinkhole attack: luring traffic from the targeted area
  Wormhole attack: inserting an out-of-band link to lure traffic
  Sybil attack: presenting several identities to its neighbors

[Figure: (a) a single malicious node performing a selective forwarding attack; (b) two collaborating nodes m1 and m2 performing a wormhole attack by eavesdropping on a packet, transmitting it over an out-of-band channel and replaying it; transmissions along the normal route to the BS are shown for comparison]

Page 6

Related Work: Detection Techniques of Traffic Manipulation

Misic and Begum (2007): proposed a test for the ratio of short- and long-term EWMAs of packet inter-arrival time. Smoothing coefficients and the threshold are chosen manually

Xiao, et al. (2007): suggested CHEckpoint-based Multi-hop Acknowledgement Scheme (CHEMAS), where nodes monitor the number of ACKs. CHEMAS incurs extra communication costs and has problems with scalability

Kaplantzis, et al. (2007): designed a centralized IDS based on SVMs. An SVM must be carefully trained and its kernel functions must be chosen beforehand. The scheme is not scalable

Gupta, et al. (2007): suggested a centralized framework ANDES, incurring small communication overheads. The BS detects anomalies by correlating data and routing traffic

Liu, et al. (2007): proposed to use spatial and temporal correlation of neighboring devices. Calculation of Mahalanobis distances, used as the degree of extremity, requires significant computation overheads and delay. The scheme may not detect colluding devices

Hai and Huh (2008): based their detection technique on 2-hop neighborhood information and overhearing. Nodes may cooperate using voting. Overhearing requires significant power costs

Cakiroglu and Ozcerit (2008): based jamming detection on the combined analysis of PDR, BPR, and energy consumption amount (ECA) using a set of 6 rules

Other IDS approaches (2005-2009): suggest applying thresholds to various traffic parameters. However, there are no clear recommendations on the choice of thresholds

Page 7

Network Model

A WSN includes one BS and a large number of resource-constrained static sensor nodes
The WSN has a tree-type topology
Each node monitors the environment and sends sensed data periodically
Nodes' sending rate is constant
Nodes perform CCA before sending a packet
No retransmission in case of a lost packet
There is no attacker during the initialization phase

Attacker Model

A single malicious device has joined the network
The attacker drops 30%, 50%, or 100% of the traffic passing through it, or injects meaningless packets in the uplink direction
The attacker is not able to inject or modify a packet on behalf of legal nodes
The attacker is able to compromise any device except the BS

Page 8

The Proposed Intrusion Detection Scheme

Nodes are capable of monitoring their child nodes' behavior
The BS may monitor behavior patterns from all nodes
Traffic parameters for monitoring:
  Average packet reception rate (PRR) in a time window
  Packet inter-arrival time (IAT): time interval between arrivals of two consecutive packets from the same source node

Initialization phase
  Nodes acquire samples of parameters' values from their child nodes
  Nodes compute the threshold for average PRR according to the binomial distribution (k: the number of lost packets; Tw: the length of the time window)
  Nodes compute the threshold for IAT according to the exponential distribution (parameter: the average IAT during Tw)

Intrusion detection phase
  Newly acquired data are compared to the thresholds
  In case of inconsistency, an alert is raised

[Threshold equations (garbled in the transcript): the PRR threshold in terms of PRR_k, k and Tw; the IAT bounds t_low and t_high in terms of n and the average IAT]
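As an added illustration of the two phases above (not the authors' code; their threshold formulas did not survive extraction, so the binomial quantile on the lost-packet count k and the two-sided exponential quantile on the IAT at significance level 10% are assumed constructions), the following Python computes the thresholds from initialization samples and then checks newly acquired values against them:

```python
import math
from typing import List, Tuple

ALPHA = 0.10  # significance level from the simulation settings


def prr_threshold(lost_per_window: List[int], window_pkts: int,
                  alpha: float = ALPHA) -> int:
    """Initialization phase, PRR rule: estimate the loss probability p from
    the lost-packet counts k observed per time window Tw, then take the
    smallest k_max with P(K <= k_max) >= 1 - alpha under
    Binomial(window_pkts, p).  Assumed construction; window_pkts is the number
    of packets expected in Tw at the constant sending rate."""
    p = sum(lost_per_window) / (window_pkts * len(lost_per_window))
    cdf = 0.0
    for k in range(window_pkts + 1):
        cdf += math.comb(window_pkts, k) * p ** k * (1 - p) ** (window_pkts - k)
        if cdf >= 1 - alpha:
            return k
    return window_pkts


def iat_bounds(iat_samples: List[float],
               alpha: float = ALPHA) -> Tuple[float, float]:
    """Initialization phase, IAT rule: model the inter-arrival time as
    Exponential with mean equal to the sample average and accept the central
    1 - alpha of its mass (assumed two-sided quantile construction)."""
    mean = sum(iat_samples) / len(iat_samples)
    return -mean * math.log(1 - alpha / 2), -mean * math.log(alpha / 2)


def monitor_child(lost_per_window: List[int], iats: List[float], k_max: int,
                  bounds: Tuple[float, float]) -> List[Tuple[str, int, float]]:
    """Intrusion detection phase: compare newly acquired values with the
    thresholds and return the alerts raised as (parameter, index, value)."""
    low, high = bounds
    alerts = [("PRR", i, k) for i, k in enumerate(lost_per_window) if k > k_max]
    alerts += [("IAT", i, t) for i, t in enumerate(iats) if not low <= t <= high]
    return alerts


# Constructed initialization samples for one child node: 15 windows of 15
# expected packets (a 23 s window at 1 packet per 1.5 s) and 15 inter-arrival times.
LOST_SAMPLES = [1, 0, 2, 1, 0, 1, 1, 0, 1, 2, 0, 1, 1, 0, 1]
IAT_SAMPLES = [1.4, 1.6, 1.5, 1.5, 1.45, 1.55, 1.5, 1.5, 1.6, 1.4, 1.5, 1.5, 1.5, 1.5, 1.5]

if __name__ == "__main__":
    k_max = prr_threshold(LOST_SAMPLES, 15)
    bounds = iat_bounds(IAT_SAMPLES)
    # Constructed detection-phase data: window 2 loses 9 packets, one IAT of
    # 6 s (packets dropped) and one of 0.05 s (an injected packet).
    print(k_max, bounds, monitor_child([1, 2, 9, 0], [1.5, 6.0, 0.05, 1.5], k_max, bounds))
```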

Page 9

Simulation Environment

Simulations were done in the Castalia simulator for WSNs (http://castalia.npc.nicta.com.au)
Area: 50x50 m2, 200x200 m2
One base station (in the upper-left corner of the area)
Number of nodes: 100
Uniform grid deployment of nodes
Tree-type topology
Sending rate: 1 packet per 1.5 s (in the dense network) or 15 s (in the sparse network)
Packets are transmitted according to the schedule without retransmission
Packet size: 10 B-100 B
Data rate: 100 kbps, 250 kbps (used for figures)
Sample size for threshold computation: 15 values
Significance level: 10%
There is one attacking device
The attacking device drops or injects 30%, 50%, or 100% of traffic
Path loss exponent: 1.5-3; standard deviation of the Gaussian noise: 2.5-7

All figures were obtained under conditions where the path loss exponent was equal to 2.4 and the standard deviation of the noise was 4

Page 10

Simulation Results: False Positive Rate

Compared criteria:
  PRR: according to the binomial distribution (proposed)
  IAT: according to the normal distribution
  IAT: compared to minimum and maximum values
  IAT: EWMA-based rule
  IAT: according to the exponential distribution (proposed)

False positive rate grows with the increase of packet size and density of the network
The proposed scheme shows a low false positive rate even in a dense WSN prone to congestion

[Figure: false positive rate (0 to 0.2) versus packet size (10B to 100B) for PRR, IAT-3S, IAT-6S, IAT-MinMax, IAT-EWMA and IAT-exponential; (a) WSN area 50x50m2, 1 packet per 1.5s; (b) WSN area 200x200m2, 1 packet per 15s]

Threshold rules reconstructed from the slide's equations:
  IAT-3S: $\bar{T} - 3S_T \le T \le \bar{T} + 3S_T$; IAT-6S: $\bar{T} - 6S_T \le T \le \bar{T} + 6S_T$
  IAT-MinMax: $T_{min} \le T \le T_{max}$
  IAT-EWMA: short- and long-term EWMAs of the inter-arrival times $T_i$ compared against a threshold thr (equation garbled in the transcript)

Page 11

Simulation Results: Detection Rate

Time window for PRR estimation: 23 s in the dense network with intensive traffic; 4 minutes in the sparse network with traffic of lower intensity

The "worst case" scenario is demonstrated: the attacker changes its sending rate in a regular manner
In general, the detection rate decreases with increasing packet size or density of the WSN
The proposed IAT rule poorly detects an intrusion if less than 30% of traffic is dropped or injected
The EWMA rule has a high detection rate for short attacks, but quickly adapts and stops detecting an anomaly of long duration
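As an added illustration of the EWMA adaptation effect described above (not the authors' code; the page describes the EWMA rule only as a ratio test of short- and long-term EWMAs with manually chosen coefficients and threshold, so the ratio interval [1/thr, thr], the coefficients 0.5 and 0.05, thr = 1.5 and the two-sided exponential bound of the proposed rule are all assumptions), the following Python runs both rules over a constructed IAT trace with a long-lasting drop attack:

```python
import math
from typing import List


def ewma_ratio_alerts(iats: List[float], a_short: float = 0.5,
                      a_long: float = 0.05, thr: float = 1.5) -> List[int]:
    """EWMA rule (assumed form of Misic and Begum's test): keep a short-term
    and a long-term EWMA of the inter-arrival time and alert at sample i when
    their ratio leaves [1/thr, thr].  Because the long-term EWMA also follows
    the anomalous values, the ratio drifts back inside the interval during a
    long attack and the alerts stop."""
    short = long = iats[0]
    alerts = []
    for i, t in enumerate(iats):
        short = a_short * t + (1 - a_short) * short
        long = a_long * t + (1 - a_long) * long
        if not 1 / thr <= short / long <= thr:
            alerts.append(i)
    return alerts


def exponential_alerts(iats: List[float], mean_iat: float,
                       alpha: float = 0.10) -> List[int]:
    """Proposed IAT rule: fixed two-sided bounds from the exponential model
    with the initialization-phase average IAT (assumed quantile construction);
    the bounds do not move while the attack is under way."""
    low = -mean_iat * math.log(1 - alpha / 2)
    high = -mean_iat * math.log(alpha / 2)
    return [i for i, t in enumerate(iats) if not low <= t <= high]


# Constructed trace: 20 normal inter-arrival times at a 1.5 s sending rate,
# then 40 samples at 6.0 s, i.e. three of every four packets dropped for a
# long period (initialization average IAT is 1.5 s).
TRACE = [1.5] * 20 + [6.0] * 40

if __name__ == "__main__":
    print("EWMA alerts:", ewma_ratio_alerts(TRACE))
    print("exponential alerts:", exponential_alerts(TRACE, 1.5))
```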

[Figure: average detection rate (0 to 1) for PRR, IAT-3S, IAT-6S, IAT-MinMax, IAT-EWMA and IAT-exponential under 10B and 100B packets with 30%, 50% and 100% of traffic dropped or injected. Left: the average detection rate in dependence on packet size in a 50x50m2 area at a rate of 1 packet per 1.5s; right: the average detection rate in dependence on packet size in a 200x200m2 area at a rate of 1 packet per 15s]

Page 12

Conclusions

The proposed technique is lightweight and efficient, and has a short time delay
It can be used in large networks, since it is distributed and requires no communication costs
The proposed method considers PRR and IAT in combination
Recommendations for threshold computation are provided
Thresholds may be quickly adapted in the course of the network's operation
The results of simulations show high detection delay and low false positive rate even in a dense WSN prone to congestion
The result of intrusion detection does not depend on the number of malicious devices

Future Work

Design and evaluation of an intrusion detection scheme producing a conclusion on the basis of combined PRR and IAT monitoring
Incorporating the proposed scheme into an intrusion detection system for WSNs capable of detecting various types of attacks