Presentation transcript: "Intrusion Detection Systems for Wireless Sensor Networks: A Survey"

1 Intrusion Detection Systems for Wireless Sensor Networks: A Survey
Ashfaq Hussain Farooqi, FAST-NUCES, Islamabad, Pakistan.
2 Agenda
- Wireless Sensor Networks (WSNs)
- Security issues in WSNs
- Intrusion Detection System (IDS)
- IDS proposed for WSNs
- IDS architectures
- Anomaly detection algorithms
- Compromised node detection
- Future work
- Conclusion
April 21, 2017, FAST-NUCES, Islamabad.
3 Wireless Sensor Networks (WSNs)
- Sensor nodes are densely deployed over an area (for example dropped from an aircraft) to monitor the surrounding activity and transmit the information to the base station.
- The sensor network is infrastructure-less.
- Sensor nodes run TinyOS.
- Transmission depends on the routing protocol.
4 Components of Sensor Node
[Figure: components of a sensor node]
5 Sensor Networks vs. Ad Hoc Networks
- The number of nodes in a sensor network can be several orders of magnitude higher than in an ad hoc network.
- Sensor nodes are densely deployed.
- Sensor nodes are prone to failures.
- The topology of a sensor network changes very frequently.
- Sensor nodes mainly use broadcast; most ad hoc networks are based on point-to-point communication.
- Sensor nodes are limited in power, computational capacity and memory.
- Sensor nodes may not have a global ID.
6 Working environment
Sensor nodes may be working:
- in busy intersections
- in the interior of large machinery
- at the bottom of an ocean
- inside a twister
- in a battlefield beyond the enemy lines
- in a home or a large building
7 Data aggregation
[Figure: data aggregation in a WSN]
8 Applications of WSNs
- Battleground surveillance: enemy movement (tanks, soldiers, etc.)
- Environmental monitoring: habitat monitoring, forest fire monitoring
- Hospital tracking systems: tracking patients, doctors and drug administrators
9 Need for Security
- Availability: the network is accessible throughout its lifetime.
- Authorization: malicious nodes cannot transmit to legitimate ones.
- Authentication: malicious nodes should not be able to prove authenticity.
- Confidentiality: an attacker cannot affect the normal communication.
- Integrity: no modification of the transmitted data.
- Non-repudiation: redundancy is allowed.
- Freshness: data should be fresh, and nodes respond to fresh data.
Solution: Cryptography
10 μTESLA
The sender broadcasts a message with a Message Authentication Code (MAC) generated with a secret key, which is disclosed only after a certain period of time. The receiver, which does not know the key yet, has to buffer the packet and authenticate it in a later time interval, when the sender discloses the key.
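The delayed key disclosure just described, as an added worked example (constructed here, not code from the presentation or from the μTESLA authors): the sender's keys form a one-way chain, each packet is MACed with the key of its interval, and the receiver buffers packets until the key is revealed, rejects packets that arrive once their key could already be public, and verifies each disclosed key against the chain before trusting it. Assumptions: SHA-256 as the one-way function, HMAC-SHA256 as the MAC, and a shared interval clock.

```python
import hashlib, hmac
from collections import defaultdict

# Constructed illustration of delayed key disclosure (assumptions: F is SHA-256, the MAC
# is HMAC-SHA256, and sender and receiver share a synced interval clock).
def F(key):                      # one-way function that builds the key chain
    return hashlib.sha256(key).digest()

def make_key_chain(seed, n):     # K_n = seed, K_i = F(K_{i+1}); returns [K_0 .. K_n]
    chain = [seed]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class Sender:
    def __init__(self, seed, n, delay):
        self.chain, self.delay = make_key_chain(seed, n), delay
    def send(self, i, payload):  # packet of interval i is authenticated with K_i
        return (i, payload, mac(self.chain[i], payload))
    def disclose(self, i):       # in interval i the sender reveals K_{i-delay}
        j = i - self.delay
        return (j, self.chain[j]) if j >= 0 else None

class Receiver:
    def __init__(self, k0, delay):    # k0 is the authenticated commitment K_0
        self.last_index, self.last_key, self.delay = 0, k0, delay
        self.buffer = defaultdict(list)
    def receive(self, pkt, now):
        i, payload, tag = pkt
        if now >= i + self.delay:     # K_i may already be public: MAC proves nothing, drop
            return False
        self.buffer[i].append((payload, tag))   # cannot verify yet, so buffer
        return True
    def on_disclosure(self, j, key_j):
        if j <= self.last_index:
            return []
        keys, k = {j: key_j}, key_j   # derive the keys of any missed intervals
        for m in range(j - 1, self.last_index, -1):
            k = F(k); keys[m] = k
        if F(keys[self.last_index + 1]) != self.last_key:
            return []                 # does not chain to the last trusted key: forged
        self.last_index, self.last_key = j, key_j
        ok = []
        for m, km in keys.items():
            for payload, tag in self.buffer.pop(m, []):
                if hmac.compare_digest(mac(km, payload), tag):
                    ok.append(payload)
        return ok

def demo():
    delay = 2
    tx = Sender(b"constructed-seed", n=8, delay=delay)
    rx = Receiver(tx.chain[0], delay)
    rx.receive(tx.send(1, b"temp=21"), now=1)                        # genuine
    rx.receive((1, b"temp=99", mac(b"guess", b"temp=99")), now=1)     # forged MAC
    late = rx.receive(tx.send(1, b"late"), now=3)                    # K_1 already public
    auth2 = rx.on_disclosure(*tx.disclose(2))                        # reveals K_0: nothing new
    auth3 = rx.on_disclosure(*tx.disclose(3))                        # reveals K_1
    return {"late_accepted": late, "auth_at_2": auth2, "auth_at_3": auth3}
```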
11 Security issues in WSNs
Attacks are possible because of:
- Self control
- Infrastructure-less operation
- Limited computation
- Topology change
Several types of attacks:
- Denial of service attacks
- Sybil attacks [7,8]
- Others
13 Denial of Service (DoS) attack
- Legitimate nodes can no longer communicate with each other.
- A. D. Wood et al. describe various attacks that lead to DoS at the different network layers of a sensor node.
A. D. Wood and J. A. Stankovic, "Denial of service in sensor networks," IEEE Computer, pp , October 2002.
14 Physical Layer
Jamming: an adversary keeps sending useless signals, making other nodes unable to communicate.
Defence:
- Reroute traffic
- Mode change
15 Physical Layer
Tampering: an attacker can tamper with nodes physically.
Defence:
- React to tampering in a fail-complete manner, e.g. erase memory
- Hide the nodes
16 Link Layer
Collision: the attacker only needs to disrupt part of a transmission.
Defense: error-correcting codes
Exhaustion: repeated retransmission causes battery exhaustion; in an IEEE based MAC, continuous RTS requests cause battery exhaustion at the targeted neighbor.
Defense: rate-limiting MAC admission control
Unfairness: the above attacks can cause unfairness.
Defense: use small frames
17 Network and Routing Layer
Misdirection: forwards messages along wrong paths; provides wrong route information.
Defense:
- Egress filtering: in hierarchical routing, a parent can verify the source of the packets and make sure that all packets come from its children.
- Authorization: only authorized nodes can exchange routing information.
- Monitoring: every node monitors whether its neighbors are behaving correctly.
18 Network and Routing Layer (cont.)
Neglect and greed: malicious and selfish nodes.
Defense: redundancy (multiple paths, or multiple packets along the same route)
Homing: nodes that have special responsibilities are vulnerable.
Defense: hiding the important nodes (e.g. encryption)
Black holes: attackers make neighbors route traffic to them, but do not relay the traffic.
Defense: authorization, monitoring, redundancy
19 Transport Layer
Flooding: an attacker sends many connection establishment requests to the victim, making the victim run out of resources.
Defense:
- Limit the number of connections
- Make the flow connectionless
- Client puzzle: challenge the client
De-synchronization: an attacker forges messages carrying wrong sequence numbers to one or both endpoints.
Defense: authenticate all packets, including the transport protocol header.
20 What is a Sybil attack?
A malicious node behaves as if it were a larger number of nodes, for example by impersonating[1] other nodes or simply by claiming false identities. In the worst case, an attacker may generate an arbitrary number of additional node identities using only one physical device.
[1] impersonate: to pretend to be another person, especially in order to deceive. Encarta World English Dictionary (P) 1999 Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.
21 Taxonomy of Sybil Attacks
Communication
- Direct: the Sybil node communicates directly with legitimate nodes.
- Indirect: the Sybil node communicates through some other malicious nodes.
Identities
- Fabricated: simply create an arbitrary new 32-bit Sybil identity.
- Stolen: given a mechanism to identify legitimate node identities, identities of legitimate nodes are stolen.
Simultaneity
- Simultaneous: having all Sybil identities at once.
- Non-simultaneous: presenting a large number of identities over a period of time, but acting as a smaller number of identities at any one time.
22 Sybil attacks
Known attacks:
- Distributed storage: replication and fragmentation are performed, i.e. a node stores its data in several nodes.
- Routing: multipath routing, geographic routing.
New attacks:
- Data aggregation
- Voting
- Fair resource allocation
- Misbehavior
23 Other attacks
- Attacks on the mote
- Traffic analysis
- System attacks on reputation-assignment schemes
- Attacks on in-network processing (data aggregation)
- Attacks on time synchronization protocols
25 An example of WSNs: Deployment
[Figure: sensor nodes A to X deployed around the Sink/Base Station]
21 April 2017, National University of Computer and Emerging Sciences
27 An example of WSNs: Routing
[Figure: routing tree from nodes A to X toward the Sink]
28 An example of WSNs: Messaging
[Figure: messages travelling along the routing tree toward the Sink]
31 Compromised node
- When a legitimate node is attacked by an adversary, it becomes a malicious node, known as a compromised node.
- It performs the same activities as a legitimate node, plus whatever the adversary has configured.
- Remember: the node still appears to be a normal node.
32 Black-hole or Selective forwarding attacks
- Selective forwarding: the compromised node selectively forwards packets to other nodes and drops a fraction of the packets. In sensor networks, one attack of this type is the denial-of-message attack.
- Black hole: a compromised node sends wrong routing information to its neighbors, claiming to be a low-cost route, and the other nodes start sending their packets to this node.
33 Black-hole or Selective forwarding attacks
[Figure: compromised node dropping packets in the routing tree]
34 Sink-hole Attack
- In this type of attack the compromised node tries to gain more attention from its surroundings and tries to become the parent node of its neighbors.
- In the MintRoute routing protocol, the compromised node sends wrong information in its route update message and becomes the parent.
- If it succeeds, more traffic moves to that node: the messages from its neighbors as well as the messages from the neighbors' children.
- It usually drops all the packets it receives, so the base station receives less information from the sensor network.
35 Sink-hole Attack
[Figure: compromised node attracting its neighbors' traffic]
36 Intrusion Detection System (IDS)
An IDS consists of:
- Collection unit
- Detection unit
- Response unit
Types:
- Host based IDS
- Network based IDS
37 IDS (continued)
Detection mechanisms:
- Misuse detection
- Anomaly detection
- Specification based detection
- Hybrid
Installation of the IDS agent:
- Centralized
- Distributed: individualized or cooperative
- Hybrid
39 Spontaneous watchdog
Distributed intrusion detection system. Basic components:
- Local agent: audits the data that comes from the nodes inside its radio range and generates an alert if a message is found to come from a malicious node, or from a node not present in its neighbor list.
- Global agent: if activated, it acts as the spontaneous watchdog, checking whether the node that received a message forwards that message or not.
40 Cooperative local auditing [13,14]
IDS client:
- Present in each sensor node.
- Composed of five components: local packet monitoring, local detection engine, cooperative detection engine, communication, local response.
Flow of the IDS client: send/receive packets -> check rules; no violation -> regular task; violation -> communicate with neighbors -> voting; not malicious -> regular task; malicious -> alert to sink.
41 Cooperative local auditing
Rules for the black-hole attack:
- Node J sends a data packet to node C and buffers that packet for some time.
- It then waits and watches whether node C forwards that packet or not.
- If it does not, J increments a counter corresponding to node C; otherwise the packet is removed from the buffer.
- If, over a certain number of time units, node C drops t percent of the packets, J generates an alert.
Rules for the sink-hole attack (assumption: MintRoute routing protocol):
- The node checks the ID of the packet's sender.
- It should be one of its neighbors.
- It generates an alert in any other situation.
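Both rule sets on this slide, as an added worked example (constructed here, not code from the presentation or from the cited papers): node J's IDS client buffers each packet it hands to a next hop, counts the ones the hop never forwards, and raises an alert when the drop share reaches t percent; a second rule flags route updates from any sender outside J's neighbor table. Assumption: "certain units of time" is modelled as a sliding window over the last `window` packets given to each hop, and the packet ids, node names and thresholds are made up.

```python
from collections import defaultdict, deque

# Constructed model of the slide's two rule sets, running as the IDS client on node J.
# Assumption: the observation period is a sliding window of the last `window` packets
# handed to each next hop; an alert fires when the share of unforwarded packets >= t percent.
class LocalAuditor:
    def __init__(self, node_id, neighbors, window=10, t_percent=30):
        self.node_id, self.neighbors = node_id, set(neighbors)
        self.window, self.t_percent = window, t_percent
        self.pending = {}                                          # packet id -> next hop
        self.history = defaultdict(lambda: deque(maxlen=window))   # hop -> 1 dropped / 0 forwarded
        self.alerts = []

    # --- black-hole / selective forwarding rules ---
    def sent(self, pkt_id, next_hop):
        self.pending[pkt_id] = next_hop                  # buffer the packet we handed over

    def overheard_forward(self, pkt_id, by):
        if self.pending.get(pkt_id) == by:               # hop forwarded it: remove from buffer
            del self.pending[pkt_id]
            self.history[by].append(0)

    def timeout(self, pkt_id):
        hop = self.pending.pop(pkt_id, None)
        if hop is None:                                  # already seen forwarded, nothing to do
            return
        self.history[hop].append(1)                      # increment the hop's drop counter
        h = self.history[hop]
        if len(h) == self.window and 100 * sum(h) / len(h) >= self.t_percent:
            self.alerts.append(("black-hole/selective-forwarding", hop))
            h.clear()                                    # start a fresh observation window

    # --- sink-hole rule ---
    def route_update(self, sender):
        if sender not in self.neighbors:                 # updates must come from a known neighbor
            self.alerts.append(("sink-hole", sender))
            return False
        return True

def demo():
    j = LocalAuditor("J", neighbors=["C", "D", "Q"], window=10, t_percent=30)
    for i in range(10):                 # C forwards 6 of 10 packets and drops 4 (40% >= 30%)
        j.sent(i, "C")
        if i % 5 in (0, 1, 2):
            j.overheard_forward(i, "C")
        else:
            j.timeout(i)
    for i in range(10, 20):             # D forwards everything: no alert
        j.sent(i, "D")
        j.overheard_forward(i, "D")
    j.route_update("X")                 # X is not in J's neighbor table
    j.route_update("C")
    return j.alerts
```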
42 Comparison of IDS architectures
Columns (in order): Spontaneous Watchdog; Cooperative local auditing [13, 14]; Monitoring node detection approach; Pair based abnormal node detection. Each row lists its cells in column order; cells that spanned several columns were lost in extraction.
- Approach: Distributed; Distributed/Cooperative; Distributed; Novel approach
- Detection technique: Anomaly based; Specification based; Both signature and anomaly based
- Monitor node(s): One; More than half; More than one; Pairing node
- IDS agent installation: Every node; Monitor node
- Complexity: Activating global agent; Cooperation; Placing monitor node; Making pairs
- Attack detection: Not specified; Selective forwarding, black-hole or sink-hole; Jamming, black-hole, delay, sel. forwarding, repetition
43 ANDES
Centralized anomaly detection mechanism. Main components:
- Collection and analysis of application data: regular data is collected at the sink, which records the sequence numbers of the last n messages and the time-stamp of the last received data packet, updates the total number of application packets, analyzes the application data and maintains a list of active and connected nodes.
- Collection and analysis of management information: an additional management routing protocol collects address, parent, hops, send_cnt, receive_cnt, fwd_cnt, failure_cnt, etc.
44 ANDES (continued)
[Figure: two network snapshots; in the first F, H, I, O and J are unavailable, in the second C, F, J, M and E are unavailable]
45 CUSUM
Distributed anomaly detection mechanism: monitor nodes analyze the behavior of nodes and classify it as normal or malicious.
Categories of attack:
- Compromising a node to attract the attention of other nodes.
- Affecting the packet data, e.g. through collisions.
- Flooding the nodes to exhaust their resources.
Analysis:
- Amount of messages received by a node.
- Amount of collisions occurring with the packets.
- Amount of packets emerging from a particular node.
46 CUSUM (continued)
Monitor node:
- The IDS agent is installed in the monitor nodes.
- Two tasks: normal listening and promiscuous listening.
- The anomaly detection module uses the statistics collected from the analysis of the packet headers to generate the type of alert.
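The monitor-node detection described on slides 45 and 46, as an added worked example (constructed here, not code from the presentation or from the CUSUM paper it surveys): a one-sided cumulative sum is kept per monitored node and per statistic (messages received, collisions, packets emitted), and the statistic that crosses the threshold decides the alert type. Assumptions: per-interval counts have already been extracted from overheard headers, and the baseline means, drift k and threshold h are operator-tuned values made up for the example.

```python
from collections import defaultdict

# Constructed illustration of the CUSUM monitor node. Assumptions: per-interval counts of the
# three statistics are already extracted from overheard packet headers; baseline means,
# drift k and threshold h are tuned by the operator (the values below are made up).
ALERT_TYPE = {
    "received": "attention attack (sink-hole)",   # node attracts more traffic than usual
    "collisions": "collision attack",
    "emitted": "flooding",
}

def cusum_step(s_prev, x, mean, k):
    """One-sided CUSUM update: S_n = max(0, S_{n-1} + (x_n - mean - k))."""
    return max(0.0, s_prev + (x - mean - k))

def cusum(samples, mean, k, h):
    """Run CUSUM over a series; return (index of the first alarm or None, trace of S_n)."""
    s, trace = 0.0, []
    for n, x in enumerate(samples):
        s = cusum_step(s, x, mean, k)
        trace.append(s)
        if s > h:
            return n, trace
    return None, trace

class MonitorNode:
    def __init__(self, baseline, k=2.0, h=15.0):
        self.baseline, self.k, self.h = baseline, k, h
        self.s = defaultdict(lambda: {stat: 0.0 for stat in baseline})
        self.alerts = []

    def observe(self, node, counts):
        """Feed one interval of header statistics for `node`; returns alerts raised now."""
        raised = []
        for stat, x in counts.items():
            s = cusum_step(self.s[node][stat], x, self.baseline[stat], self.k)
            if s > self.h:
                raised.append((node, ALERT_TYPE[stat]))
                s = 0.0                                    # reset after an alarm
            self.s[node][stat] = s
        self.alerts.extend(raised)
        return raised

def demo():
    mon = MonitorNode(baseline={"received": 5, "collisions": 1, "emitted": 5})
    normal = {"received": 5, "collisions": 1, "emitted": 5}
    spike = {"received": 5, "collisions": 1, "emitted": 10}   # one burst: tolerated
    flood = {"received": 5, "collisions": 1, "emitted": 15}   # sustained flooding by node M
    for counts in [normal] * 5 + [spike] + [normal] * 3 + [flood] * 3:
        mon.observe("M", counts)
    for _ in range(12):                                       # node C stays normal
        mon.observe("C", normal)
    return mon.alerts
```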
47 Comparison of Anomaly Detection Algorithms
Columns (in order): ANDES; Cumulative Summation; Fixed width clustering algorithm; Artificial Immune System. Each row lists its cells in column order; cells that spanned several columns were lost in extraction.
- Approach: Centralized; Distributed
- Detection technique: ANDES algorithm; CUSUM algorithm; Fixed width clustering; Artificial immune system
- Monitoring node: Sink or base station; Monitor node; Every node
- IDS agent installation: Central location or sink; Only monitor node; All the nodes
- Complexity: Routing protocol; Placing monitor node; Detection policy; Detecting non-self string
- Computational overhead: At sink; At monitor nodes; At every node
- Attack detection: Sel. forwarding, flooding, black-hole or sink-hole; Worm-hole, black-hole, collision, flooding; Periodic route error, active and passive sink-hole; Misbehavior detection
48 Comparison of Compromised node detection
                       | Application Independent Framework | Intrusion-aware Validation algorithm
Approach               | Simple graph based                | Consensus based validation
Detection technique    | Application specific              | Distributed / Cooperative
Decision makers        | Central point                     | Multiple neighbors
IDS agent installation | Sink or central point             | Every node
Computational overhead | At sink or central point          | At node level
Complexity             | Graph based                       | Cooperation with neighbors
49 Future work
- The increasing demand for WSNs makes them vulnerable to different types of security threats.
- Requirement: a complete and reliable security system.
- Future approach: a distributed/cooperative anomaly based IDS approach that also covers the secure transmission mechanism in detail.
50 Conclusion
- Secure routing or key management protocols cannot provide security against strong adversary attacks.
- IDS is a solution, but it is still a new area.
- Researchers have proposed IDS models for WSNs, but a reliable solution is still unavailable.
- A reliable distributed/cooperative anomaly based IDS approach is a future demand.
51 References
[1] I. F. Akyildiz, W. Su, Y. Sankarsubramaniam, and E. Cayirci, "A survey on sensor networks," IEEE Communication Magazine, pp , August 2002.
[2] D. Liu, P. Ning, S. Zhu, and S. Jajodia, "Practical Broadcast Authentication in Sensor Networks," The Second Annual IEEE International Conference on Mobile and Ubiquitous Systems: Networking and Services, pp , July 2005.
[3] S. Rajasegarar, C. Leckie, and M. Palaniswami, "Anomaly detection in Wireless Sensor Networks," Security in Ad hoc and sensor networks, IEEE Wireless Communications, pp , August 2008.
[4] K. Akkaya and M. Younis, "A survey on routing protocols for wireless sensor networks," Elsevier Ad Hoc Networks 3, pp , 2005.
[5] A. D. Wood and J. A. Stankovic, "Denial of service in sensor networks," IEEE Computer, pp , October 2002.
[6] C. Karlof and D. Wagner, "Secure routing in wireless sensor networks: Attacks and countermeasures," In Proc. of the First IEEE International Workshop on Sensor Network Protocols and Applications, pp , May 2003.
[7] J. R. Douceur, "The Sybil Attack," In Proc. of the First International Workshop on Peer-to-Peer Systems, pp , London, UK, March 2002.
[8] J. Newsome, E. Shi, D. Song, and A. Perrig, "The Sybil attack in sensor networks: Analysis and Defenses," In Proc. of the 3rd ACM Int. Symposium on Information Processing in Sensor Networks, California, USA, April 2004.
[9] T. Roosta, S. P. Shieh, and S. Sastry, "Taxonomy of Security Attacks in Sensor Networks and Countermeasures," In Proc. of the 1st IEEE Int. Conference on System Integration and Reliability Improvements, 2006.
[10] P. Innella and O. McMillan, "An Introduction to Intrusion Detection Systems," Article by Tetrad Digital Integrity, LLC, December 2001.
[11] J. P. Walters, Z. Liang, W. Shi, and V. Chaudhary, "Wireless sensor networks security: A survey," Security in Distributed, Grid, and Pervasive Computing, Auerbach Publications, CRC Press, 2006.
[12] R. Roman, J. Zhou, and J. Lopez, "Applying Intrusion Detection Systems to wireless sensor networks," IEEE Consumer Communications and Networking Conference, vol. 1, pp , January 2006.

52 References (continued)
[13] I. Krontiris and T. Dimitriou, "Towards intrusion detection in wireless sensor networks," In Proc. of the 13th European Wireless Conference, Paris, France, April 2007.
[14] I. Krontiris, T. Dimitriou, T. Giannetsos, and M. Mpasoukos, "Intrusion Detection of Sinkhole Attacks in Wireless Sensor Networks," 3rd International Workshop on Algorithmic Aspects of Wireless Sensor Networks, Wroclaw, Poland, July 2007.
[15] A. P. R. da Silva, M. H. T. Martins, B. P. S. Rocha, A. A. F. Loureiro, L. B. Ruiz, and H. C. Wong, "Decentralized intrusion detection in wireless sensor networks," In Proc. of the 1st ACM Int. Workshop on Quality of Service & Security in Wireless and Mobile Networks, pp , Canada, October 2005.
[16] K. R. Ahmed, K. Ahmed, S. Munir, and A. Asad, "Abnormal Node Detection in Wireless Sensor Network by Pair Based Approach using IDS Secure Routing Methodology," International Journal of Computer Science and Network Security, vol. 8, no. 12, pp , December 2008.
[17] S. Gupta, R. Zheng, and A. M. K. Cheng, "ANDES: an Anomaly Detection System for Wireless Sensor Networks," IEEE International Conference on Mobile Adhoc and Sensor Systems, pp. 1-9, October 2007.
[18] T. V. Phuong, L. X. Hung, S. J. Cho, Y. K. Lee, and S. Lee, "An Anomaly Detection Algorithm for Detecting Attacks in Wireless Sensor Networks," Intelligence and Security Informatics, vol. 3975, pp , Springer, Berlin, Heidelberg, 2006.
[19] C. E. Loo, M. Y. Ng, C. Leckie, and M. Palaniswami, "Intrusion Detection for Routing Attacks in Sensor Networks," International Journal of Distributed Sensor Networks, vol. 2, no. 4, pp , December 2006.
[20] M. Drozda, S. Schaust, and H. Szczerbicka, "AIS for Misbehavior Detection in Wireless Sensor Networks: Performance and Design Principles," In Proc. of IEEE Congress on Evolutionary Computation, pp , Singapore, 2007.
[21] Q. Zhang, T. Yu, and P. Ning, "A framework for identifying compromised nodes in wireless sensor networks," ACM Transactions on Information and System Security, vol. 11, Article No. 12, 2008.
[22] R. A. Shaikh, H. Jameel, B. J. Auriol, S. Lee, and Y. J. Song, "Trusting anomaly and intrusion claims for cooperative distributed intrusion detection schemes of wireless sensor networks," In Proc. of the 2008 International Symposium on Trust Computing, pp , China, November 2008.