Intrusion Detection Systems for Wireless Sensor Networks: A Survey
Ashfaq Hussain Farooqi
FAST-NUCES, Islamabad, Pakistan.


Agenda
Wireless Sensor Networks (WSNs)
Security issues in WSNs
Intrusion Detection System (IDS)
IDS proposed for WSNs
  IDS architectures
  Anomaly detection algorithms
  Compromised node detection
Future work
Conclusion

April 19, 2023. FAST-NUCES, Islamabad.

Wireless Sensor Networks (WSNs)
Sensor nodes are densely deployed [1]
  from an aircraft in an area
  to check the surrounding activities
  and transmit the information to the base station.
The sensor network is infrastructure-less.
Sensor nodes work using TinyOS.
Transmission is dependent on the routing protocol.

Components of Sensor Node [1]
[Figure]

Sensor Networks vs. Ad Hoc Networks
The number of nodes in a sensor network can be several orders of magnitude higher than the nodes in an ad hoc network.
Sensor nodes are densely deployed.
Sensor nodes are prone to failures.
The topology of a sensor network changes very frequently.
Sensor nodes mainly use broadcast; most ad hoc networks are based on p2p.
Sensor nodes are limited in power, computational capacity and memory.
Sensor nodes may not have a global ID.

Working environment
Sensor nodes may be working
  in busy intersections
  in the interior of a large machinery
  at the bottom of an ocean
  inside a twister
  in a battlefield beyond the enemy lines
  in a home or a large building

Data aggregation [1]
[Figure]

Applications of WSNs
Battleground surveillance
  Enemy movement (tanks, soldiers, etc.)
Environmental monitoring
  Habitat monitoring
  Forest fire monitoring
Hospital tracking systems
  Tracking patients, doctors, drug administrators.

Need for Security
Availability
  Accessible throughout the lifetime
Authorization
  Malicious nodes can't transmit to legitimate ones
Authentication
  Malicious nodes should not get authenticity
Confidentiality
  Attacker can't affect the normal communication
Integrity
  No modification to the transmitted data
Non-repudiation
  Redundancy is allowed
Freshness
  Data should be fresh, and nodes should respond to fresh data

Solution: Cryptography

μTESLA
The sender broadcasts a message with a Message Authentication Code (MAC) generated with a secret key, which will be disclosed after a certain period of time. The receiver, which does not know the key, has to buffer this packet and authenticate it at a later time interval, when the sender discloses the key.
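The delayed-disclosure exchange described on the μTESLA slide, as an added Python example that is not part of the original slides. It goes beyond the slide by including the one-way key chain and the "key not yet disclosed" arrival check that μTESLA relies on; the class names, SHA-256/HMAC primitives, the two-interval disclosure delay and all sample packets are assumptions constructed for illustration (real μTESLA also derives the MAC key from the chain key, which is skipped here).

```python
import hashlib
import hmac

def one_way(key):
    """One-way function of the key chain: K[i-1] = one_way(K[i])."""
    return hashlib.sha256(b"chain|" + key).digest()

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class Sender:
    def __init__(self, seed, intervals, delay):
        chain = [seed]                          # last key of the chain
        for _ in range(intervals):
            chain.append(one_way(chain[-1]))
        self.keys = chain[::-1]                 # keys[i] is K_i, keys[0] is the commitment
        self.delay = delay                      # intervals before a key is disclosed

    def packet(self, interval, msg):
        return {"interval": interval, "msg": msg, "mac": mac(self.keys[interval], msg)}

    def disclosure(self, now):
        i = now - self.delay
        return (i, self.keys[i]) if i >= 1 else None

class Receiver:
    def __init__(self, commitment, delay):
        self.index, self.key = 0, commitment    # last authenticated chain key
        self.delay = delay
        self.buffer = []

    def on_packet(self, pkt, now):
        # Reject if the interval key may already be public: anyone could
        # have computed a valid MAC with it.
        if now >= pkt["interval"] + self.delay or pkt["interval"] <= self.index:
            return False
        self.buffer.append(pkt)                 # cannot verify yet, so buffer
        return True

    def on_key(self, index, key):
        """Authenticate a disclosed key, then the packets buffered for it."""
        if index <= self.index:
            return []
        derived, k = {index: key}, key
        for j in range(index - 1, self.index, -1):
            k = one_way(k)                      # recover keys of lost disclosures
            derived[j] = k
        if not hmac.compare_digest(one_way(k), self.key):
            return []                           # key is not on the committed chain
        self.index, self.key = index, key
        accepted, keep = [], []
        for p in self.buffer:
            k = derived.get(p["interval"])
            if k is None:
                keep.append(p)                  # key for that interval still secret
            elif hmac.compare_digest(mac(k, p["msg"]), p["mac"]):
                accepted.append(p["msg"])
        self.buffer = keep
        return accepted

def demo():
    """Constructed scenario: one genuine packet, one forgery, one late forgery."""
    sender = Sender(b"constructed-seed", intervals=5, delay=2)
    rx = Receiver(sender.keys[0], delay=2)
    good = sender.packet(1, b"temp=21")
    forged = {"interval": 1, "msg": b"temp=99", "mac": mac(b"guess", b"temp=99")}
    buffered = [rx.on_packet(good, now=1), rx.on_packet(forged, now=1)]
    bogus_key = rx.on_key(1, b"\x00" * 32)      # attacker-supplied "disclosure"
    index, k1 = sender.disclosure(now=3)
    accepted = rx.on_key(index, k1)
    late = {"interval": 1, "msg": b"temp=99", "mac": mac(k1, b"temp=99")}
    return buffered, bogus_key, accepted, rx.on_packet(late, now=3)

if __name__ == "__main__":
    print(demo())
```

The late forgery carries a valid MAC under the disclosed key and is rejected only because it arrives after the key could be public, which is why the receiver needs loosely synchronized time.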

Security issues in WSNs
Attacks are possible
  Self control
  Infrastructure-less
  Less computation
  Topology change
Several types of attacks
  Denial of service attacks [5]
  Sybil attacks [7,8]
  Others [9]

Security map
[Figure]

Denial of Service (DoS) attack
When legitimate nodes can't communicate with each other.
A. D. Wood et al. [5] mentioned various attacks that lead to DoS on different network layers of the sensor node.

A. D. Wood and J. A. Stankovic, “Denial of service in sensor networks,” IEEE Computer, pp. 48-56, October 2002.

Physical Layer
Jamming: An adversary keeps sending useless signals, making other nodes unable to communicate.
Defence:
  1. Reroute traffic
  2. Mode change

Physical Layer
Tampering: An attacker can tamper with nodes physically.
Defence:
  1. React to tampering in a fail-complete manner, e.g. erase memory
  2. Hiding the nodes

Link Layer
Collision: The attacker only needs to disrupt part of the transmission.
  Defense: Error-correcting codes
Exhaustion: Repeated retransmission will cause battery exhaustion; in an IEEE 802.11-based MAC, continuous RTS requests cause battery exhaustion at the targeted neighbor.
  Defense: Make MAC admission control rate limiting
Unfairness: The above attacks could cause unfairness.
  Defense: Use small frames

Network and Routing Layer
Misdirection: Forwards messages along wrong paths; provides wrong route information.
Defense:
  Egress filtering: In hierarchical routing, a parent can verify the source of the packets and make sure that all packets are from its children.
  Authorization: Only authorized nodes can exchange routing information.
  Monitoring: Every node monitors whether its neighbors are behaving correctly.

Network and Routing Layer (cont.)
Neglect and greed: Malicious and selfish nodes.
  Defense: Redundancy (multiple paths or multiple packets along the same route)
Homing: Nodes that have special responsibilities are vulnerable.
  Defense: Hiding the important nodes (e.g. encryption)
Black holes: Attackers make neighbors route traffic to them, but don't relay the traffic.
  Defense: Authorization, Monitoring, Redundancy

Transport Layer
Flooding: An attacker sends many connection establishment requests to the victim, making the victim run out of resources.
Defense:
  Limit the number of connections
  Make the flow connectionless
  Client puzzle: challenging the client
De-synchronization: An attacker forges messages carrying wrong sequence numbers to one or both endpoints.
  Defense: Authenticate all packets, including the transport protocol header.

What is a Sybil attack?
A malicious node behaves as if it were a larger number of nodes, for example by impersonating (1) other nodes or simply by claiming false identities. In the worst case, an attacker may generate an arbitrary number of additional node identities, using only one physical device.

(1) to pretend to be another person, especially in order to deceive.
Encarta® World English Dictionary (P) 1999 Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.

Taxonomy of Sybil Attacks
Communication
  Direct: Sybil nodes communicate directly with legitimate nodes.
  Indirect: Sybil nodes communicate through some other malicious nodes.
Identities
  Fabricated: Simply create an arbitrary new 32-bit Sybil identity.
  Stolen: Given a mechanism to identify legitimate node identities.
Simultaneity
  Simultaneous: Having Sybil identities at once.
  Non-simultaneous: Presenting a large number of identities over a period of time, but acting as a smaller number of identities.

Sybil attacks [8]
Known attacks
  Distributed storage
    Replication and fragmentation are performed; a node stores the data in several nodes.
  Routing
    Multipath
    Geographic routing
New attacks
  Data aggregation
  Voting
  Fair resource allocation
  Misbehavior

Other attacks [9]
Attacks on the Mote
Traffic Analysis System
Attacks on Reputation-Assignment Schemes
Attacks on In-Network Processing (Data Aggregation)
Attack on Time Synchronization Protocols

Routing protocol attacks [6]
Homing
Selective forwarding
Black-hole attack
Sink-hole attack
Worm-hole attack
Flooding
Misdirection

An example of WSNs: Deployment
[Figure: sensor nodes A to X deployed around the sink/base station.]

April 19, 2023 National University of Computer and Emerging Sciences

An example of WSNs: Routing
[Figure: network of nodes A to X and the sink.]

An example of WSNs: Messaging
[Figure, shown over three slides: network of nodes A to X and the sink.]

Compromised node
When a legitimate node is attacked by an adversary, it becomes a malicious node and is known as a compromised node.
It performs the same activities as a legitimate node, plus those configured by the adversary.
Remember, the node still appears as a normal node.

Black-hole or Selective forwarding attacks
Selective forwarding: In this type of attack the compromised node selectively forwards packets to other nodes and drops a fraction of the packets.
  In sensor networks, one type of such attack is the denial-of-message attack.
Black hole: A compromised node sends wrong routing information to its neighbors, telling them that it is a low-cost route node, and other nodes start sending packets to this node.

Black-hole or Selective forwarding attacks
[Figure: network of sensor nodes and the sink.]

Sink-hole Attack
Sink hole
  In this type of attack the compromised node tries to gain more attention from its surroundings and tries to become the parent node of its neighbors.
  In the MintRoute routing protocol, the compromised node sends wrong information in the route update message and becomes the parent.
  If it succeeds, more traffic moves to that node: messages from its neighbors and messages from the neighbors' children. It usually drops all the packets it receives, so the base station receives less information from the sensor network.

Sink-hole Attack
[Figure: network of sensor nodes and the sink.]

Intrusion Detection System (IDS)
An IDS consists of
  Collection unit
  Detection unit
  Response unit
Types
  Host-based IDS
  Network-based IDS

IDS (continued)
Detection mechanisms
  Misuse detection
  Anomaly detection
  Specification-based detection
Installation of IDS agent
  Centralized
  Distributed
    Individualized
    Cooperative
  Hybrid

IDS proposed for WSNs
IDS architectures
  Spontaneous Watchdog approach [12] (2006)
  Cooperative local auditing [13, 14] (2007)
  Monitoring node detection approach [15] (2005)
  Pair based abnormal node detection [16] (2008)
Anomaly detection algorithms
  ANDES [17] (2007)
  Cumulative Summation [18] (2006)
  Fixed width clustering algorithm [19] (2006)
  Artificial Immune System [20] (2007)
Compromised node detection
  Application Independent Framework [21] (2008)
  Intrusion-aware Validation algorithm [22] (2008)

Spontaneous watchdog [12]
Distributed intrusion detection system.
Basic components
  Local agent
    Audits the data that comes from the nodes inside its radio frequency range and generates an alert if it comes from a malicious node or from a node not present in its neighbor list.
  Global agent
    If activated, it acts as a spontaneous watchdog.
    Checks whether the node that received the message forwards that message or not.

Cooperative local auditing [13,14]
IDS client
  Present in each sensor node.
  Composed of five components:
    Local packet monitoring
    Local detection engine
    Cooperative detection engine
    Communication
    Local response
[Flowchart; box and edge labels: Send/Receive packets, Check rules, Communicate, Voting, Regular task, Alert to Sink; No violation, Violation, Not malicious, Malicious.]

Cooperative local auditing
Rules for Black-hole attack [12]
  Node J sends a data packet to node C and buffers that packet for some time.
  It then waits to see whether node C forwards that packet or not.
  If it doesn't, node J increments a counter corresponding to node C; otherwise the packet is removed from the buffer.
  If, over a certain number of time units, node C drops t percent of the packets, node J generates an alert.
Rules for Sink-hole attack [13]
  Assumption: MintRoute routing protocol
  A node checks the ID of the packet sender.
  It should be one of its neighbors.
  It generates an alert in any other situation.
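The two rule sets above, together with the voting step of the cooperative local auditing flowchart, as an added Python example that is not code from the slides or from the cited papers. The names LocalAuditor and majority_vote, the timeout and the value t = 30 are hypothetical, and the packet trace for nodes J, K, L watching node C is constructed.

```python
from collections import defaultdict

class LocalAuditor:
    """IDS client on one sensor node (hypothetical structure)."""

    def __init__(self, node_id, neighbors, t_percent, timeout):
        self.node_id = node_id
        self.neighbors = set(neighbors)
        self.t_percent = t_percent          # alert when drops reach t percent
        self.timeout = timeout              # how long a sent packet stays buffered
        self.pending = {}                   # pkt_id -> (next_hop, deadline)
        self.sent = defaultdict(int)
        self.dropped = defaultdict(int)

    # Black-hole / selective forwarding rule
    def sent_packet(self, pkt_id, next_hop, now):
        self.pending[pkt_id] = (next_hop, now + self.timeout)
        self.sent[next_hop] += 1

    def overheard_forward(self, pkt_id, forwarder):
        entry = self.pending.get(pkt_id)
        if entry and entry[0] == forwarder:
            del self.pending[pkt_id]        # forwarded: remove from buffer

    def tick(self, now):
        for pkt_id, (hop, deadline) in list(self.pending.items()):
            if now > deadline:              # never overheard: count as dropped
                self.dropped[hop] += 1
                del self.pending[pkt_id]

    def blackhole_alerts(self):
        return sorted(h for h in self.sent
                      if self.sent[h]
                      and 100 * self.dropped[h] >= self.t_percent * self.sent[h])

    # Sink-hole rule: the sender ID of a packet must belong to a neighbor
    def sinkhole_alert(self, sender_id):
        return sender_id not in self.neighbors

def majority_vote(suspect, auditors):
    """Cooperative step: malicious if more than half of the watchers alert."""
    watchers = [a for a in auditors if suspect in a.neighbors]
    votes = sum(1 for a in watchers if suspect in a.blackhole_alerts())
    return votes * 2 > len(watchers)

def demo():
    # Constructed trace: each watcher sends 10 packets through C;
    # C relays only the first `relayed[name]` of them.
    relayed = {"J": 4, "K": 5, "L": 9}
    auditors = {n: LocalAuditor(n, {"C"}, t_percent=30, timeout=2) for n in relayed}
    for name, auditor in auditors.items():
        for seq in range(10):
            pkt_id = f"{name}-{seq}"
            auditor.sent_packet(pkt_id, "C", now=seq)
            if seq < relayed[name]:
                auditor.overheard_forward(pkt_id, "C")
        auditor.tick(now=100)
    alerts = {n: a.blackhole_alerts() for n, a in auditors.items()}
    verdict = majority_vote("C", list(auditors.values()))
    sinkhole = {s: auditors["J"].sinkhole_alert(s) for s in ("C", "Z")}
    return alerts, verdict, sinkhole

if __name__ == "__main__":
    print(demo())
```

Node L sees only 10 percent loss and stays silent, so the alert reaches the sink only because J and K form a majority of C's watchers.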

Comparison of IDS architectures

| | Spontaneous Watchdog [12] | Cooperative local auditing [13, 14] | Monitoring node detection approach [15] | Pair based abnormal node detection [16] |
|---|---|---|---|---|
| Approach | Distributed | Distributed/Cooperative | Distributed | Distributed/Novel approach |
| Detection technique | Anomaly based | Specification based | Specification based | Both signature and anomaly based |
| Monitor node(s) | One | More than half | More than one | Pairing node |
| IDS agent installation | Every node | Every node | Monitor node | Every node |
| Complexity | Activating global agent | Cooperation | Placing monitor node | Making pairs |
| Attack detection | Not specified | Selective forwarding, black-hole or sink-hole | Jamming, black-hole, delay, sel. forwarding, repetition | Not specified |

ANDES [17]
Centralized anomaly detection mechanism
Main components
  Collection and analysis of application data
    Regular data is collected at sink.
      Record the sequence number of the last n messages
      Time-stamp of the last received data packet
      Updates the total number of application packets
    Analyzes the application data
      Maintain a list of active and connective nodes.
  Collection and analysis of management information
    Additional management routing protocol to collect address, parent, hops, send_cnt, receive_cnt, fwd_cnt, failure_cnt etc.

ANDES (continued)
[Two figures, captioned:]
F, H, I, O, and J are unavailable
C, F, J, M, and E are unavailable

CUSUM [18]
Distributed anomaly detection mechanism
Monitor nodes analyze the nodes' behavior as normal or malicious.
Categories of attack
  Compromising the node to attract the attention of other nodes.
  Affecting the packets' data, as in a collision.
  Flooding the nodes to exhaust their resources.
Analysis
  Number of messages received by a node.
  Number of collisions occurring with the packets.
  Number of packets emerging from a particular node.

CUSUM (continued)
Monitor node
  The IDS agent is installed in the monitor nodes.
  Two tasks
    Normal listening
    Promiscuous listening
  The anomaly detection module uses the statistics collected from the analysis of the packet headers to generate the type of alert.
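How a monitor node could turn the three header statistics listed on the CUSUM slides into alerts, as an added Python example that is not code from the slides or from [18]. It uses the standard one-sided CUSUM recursion; the function names, the per-statistic baseline, slack and threshold values, and the overheard headers are all constructed assumptions.

```python
def cusum_alarms(counts, baseline, slack, threshold):
    """One-sided CUSUM: S = max(0, S + x - baseline - slack); alarm when S > threshold.

    Small fluctuations around the baseline are absorbed by `slack`, while a
    sustained shift accumulates until it crosses `threshold`.
    """
    s, alarms = 0, []
    for interval, x in enumerate(counts):
        s = max(0, s + x - baseline - slack)
        if s > threshold:
            alarms.append(interval)
            s = 0                           # restart after raising the alarm
    return alarms

def header_stats(headers, node, n_intervals):
    """Per-interval counters for `node`, taken from overheard packet headers.

    Each header is (interval, src, dst, collided), as a monitor node in
    promiscuous listening would record it (constructed format).
    """
    stats = {name: [0] * n_intervals
             for name in ("received", "collisions", "originated")}
    for interval, src, dst, collided in headers:
        if dst == node:
            stats["received"][interval] += 1
        if src == node:
            stats["originated"][interval] += 1
        if collided and node in (src, dst):
            stats["collisions"][interval] += 1
    return stats

# Constructed detection profile: (baseline, slack, threshold) per statistic.
PROFILE = {
    "received": (5, 2, 10),     # a node attracting traffic
    "collisions": (1, 1, 4),    # collision attack
    "originated": (3, 1, 6),    # flooding
}

def monitor(headers, node, n_intervals, profile=PROFILE):
    stats = header_stats(headers, node, n_intervals)
    return {name: cusum_alarms(stats[name], *profile[name]) for name in profile}

def constructed_headers():
    """Node C normally receives 5 packets per interval; from interval 6 on, 12."""
    headers = []
    for t in range(10):
        for i in range(5 if t < 6 else 12):
            headers.append((t, f"N{i}", "C", False))
        for i in range(3):                  # C's own traffic, one collision each interval
            headers.append((t, "C", "S", i == 0))
    return headers

def demo():
    return monitor(constructed_headers(), "C", 10)

if __name__ == "__main__":
    print(demo())
```

The received-message statistic fires two intervals after the shift begins, once the accumulated excess passes the threshold, while the unchanged collision and origination counters stay quiet.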

Comparison of Anomaly Detection Algorithms

| | ANDES [17] | Cumulative Summation [18] | Fixed width clustering algorithm [19] | Artificial Immune System [20] |
|---|---|---|---|---|
| Approach | Centralized | Distributed | Distributed | Distributed |
| Detection technique | ANDES algorithm | CUSUM algorithm | Fixed width clustering | Artificial immune system |
| Monitoring node | Sink or base station | Monitor node | Every node | Every node |
| IDS agent installation | Central location or sink | Only monitor node | All the nodes | All the nodes |
| Complexity | Routing protocol | Placing monitor node | Detection policy | Detecting non-self string |
| Computational overhead | At sink | At monitor nodes | At every node | At every node |
| Attack detection | Sel. forwarding, flooding, black-hole or sink-hole | Worm-hole, black-hole, collision, flooding | Periodic Route Error, Active and Passive Sink-hole | Misbehavior detection |

Comparison of Compromised node detection

| | Application Independent Framework [21] | Intrusion-aware Validation algorithm [22] |
|---|---|---|
| Approach | Simple graph based | Consensus based validation |
| Detection technique | Application specific | Distributed / Cooperative |
| Decision makers | Central point | Multiple neighbors |
| IDS agent installation | Sink or central point | Every node |
| Computational overhead | At sink or central point | At node level |
| Complexity | Graph based | Cooperation with neighbors |

Future work
The increasing demand for WSNs makes them vulnerable to different types of security threats.
Requirement
  A complete security system
  A reliable one.
Future approach
  A distributed / cooperative anomaly-based IDS approach that also covers details of the secure transmission mechanism.

Conclusion
Secure routing or key management protocols cannot provide security against strong adversary attacks.
  IDS is a solution.
Still a new area.
  Researchers have proposed IDS models for WSNs.
  A reliable solution is still unavailable.
A reliable distributed / cooperative anomaly-based IDS approach is a future demand.

References
1. I. F. Akyildiz, W. Su, Y. Sankarsubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communication Magazine, pp. 102-114, August 2002.
2. D. Liu, P. Ning, S. Zhu, S. Jajodia, “Practical Broadcast Authentication in Sensor Networks,” The Second Annual IEEE International Conference on Mobile and Ubiquitous Systems: Networking and Services, pp. 118-132, July 2005.
3. S. Rajasegarar, C. Leckie, and M. Palaniswami, “Anomaly detection in Wireless Sensor Networks,” Security in Ad hoc and sensor networks, IEEE Wireless Communications, pp. 34-40, August 2008.
4. K. Akkaya and M. Younis, “A survey on routing protocols for wireless sensor networks,” ELSEVIER Ad Hoc Networks 3, pp. 325-349, 2005.
5. A. D. Wood and J. A. Stankovic, “Denial of service in sensor networks,” IEEE Computer, pp. 48-56, October 2002.
6. C. Karlof and D. Wagner, “Secure routing in wireless sensor networks: Attacks and countermeasures,” In Proc. of the First IEEE International Workshop on Sensor Network Protocols and Applications, pp. 113-127, May 2003.
7. J. R. Douceur, “The Sybil Attack,” In Proc. of the First International Workshop on Peer-to-Peer Systems, pp. 251-260, London, UK, March 2002.
8. J. Newsome, E. Shi, D. Song and A. Perrig, “The Sybil attack in sensor networks: Analysis and Defenses,” In Proc. of the 3rd ACM Int. Symposium on Information Processing in Sensor Networks, California, USA, April 2004.
9. T. Roosta, S. P. Shieh, and S. Sastry, “Taxonomy of Security Attacks in Sensor Networks and Countermeasures,” In Proc. of the 1st IEEE Int. Conference on System Integration and Reliability Improvements, 2006.
10. P. Innella and O. McMillan, “An Introduction to Intrusion Detection Systems,” Article by Tetrad Digital Integrity, LLC, December 2001.
11. J. P. Walters, Z. Liang, W. Shi and V. Chaudhary, “Wireless sensor networks security: A survey,” Security in Distributed, Grid, and Pervasive Computing, Auerbach Publications, CRC Press, 2006.
12. R. Roman, J. Zhou and J. Lopez, “Applying Intrusion Detection Systems to wireless sensor networks,” IEEE Consumer Communications and Networking Conference, vol. 1, pp. 640-644, January 2006.
13. I. Krontiris and T. Dimitriou, “Towards intrusion detection in wireless sensor networks,” In Proc. of the 13th European Wireless Conference, Paris, France, April 2007.
14. I. Krontiris, T. Dimitriou, T. Giannetsos and M. Mpasoukos, “Intrusion Detection of Sinkhole Attacks in Wireless Sensor Networks,” 3rd International Workshop on Algorithmic Aspects of Wireless Sensor Networks, Wroclaw, Poland, July 2007.
15. A. P. R. da Silva, M. H. T. Martins, B. P. S. Rocha, A. A. F. Loureiro, L. B. Ruiz and H. C. Wong, “Decentralized intrusion detection in wireless sensor networks,” In Proc. of the 1st ACM Int. workshop on Quality of service & security in wireless and mobile networks, pp. 16-23, Canada, October 2005.
16. K. R. Ahmed, K. Ahmed, S. Munir and A. Asad, “Abnormal Node Detection in Wireless Sensor Network by Pair Based Approach using IDS Secure Routing Methodology,” International Journal of Computer Science and Network Security, vol. 8, no. 12, pp. 339-342, December 2008.
17. S. Gupta, R. Zheng and A. M. K. Cheng, “ANDES: an Anomaly Detection System for Wireless Sensor Networks,” IEEE International Conference on Mobile Adhoc and Sensor Systems, pp. 1-9, October 2007.
18. T. V. Phuong, L. X. Hung, S. J. Cho, Y. K. Lee and S. Lee, “An Anomaly Detection Algorithm for Detecting Attacks in Wireless Sensor Networks,” Intelligence and Security Informatics, vol. 3975, pp. 735-736, Springer Berlin, Heidelberg, 2006.
19. C. E. Loo, M. Y. Ng, C. Leckie and M. Palaniswami, “Intrusion Detection for Routing Attacks in Sensor Networks,” International Journal of Distributed Sensor Networks, vol. 2, no. 4, pp. 313-332, December 2006.
20. M. Drozda, S. Schaust and H. Szczerbicka, “AIS for Misbehavior Detection in Wireless Sensor Networks: Performance and Design Principles,” In Proc. of IEEE Congress on Evolutionary Computation, pp. 3719-3726, Singapore, 2007.
21. Q. Zhang, T. Yu and P. Ning, “A framework for identifying compromised nodes in wireless sensor networks,” ACM Transaction Information System Security, vol. 11, Article No. 12, 2008.
22. R. A. Shaikh, H. Jameel, B. J. Auriol, S. Lee and Y. J. Song, “Trusting anomaly and intrusion claims for cooperative distributed intrusion detection schemes of wireless sensor networks,” In Proc. of the 2008 International Symposium on Trust Computing, pp. 2038-2043, China, November 2008.


Questions