A Study of Intrusion Detection Techniques for Energy Efficient and Early Detection in Wireless Senso

1
A Study of Intrusion Detection Techniques for
Energy Efficient and Early Detection in Wireless
Sensor Networks

• Åke Olbert
• Chalmers University of Technology
• 2007-04-26

2
Research Goal

• The aim of my research is the detection and
  localization of intruders in the sensor network,
  when the first line of security has failed

Part I Background WSN Characteristics and
Security
Intrusion Detection System
ltArchitectural problemsgt Energy-Efficient
Selection of Detection Entities
ltDetection and Localization of an Attackergt Early
and High Accuracy
Part II
Part III
A Distributed Solution for Selection of
Detectors in Wireless Sensor Networks
Collaborative and Distributed Detection
for Wireless Sensor Networks
Part IV
Intrusion Detection using Mobile Detectors
3
Part I Background

• Wireless Sensor Networks
• A network of small sensor devices deployed in an
  ad-hoc fashion and cooperating to sense a
  physical phenomenon
• Sensing abilities include light, temperature,
  pollution, motion etc.
• Small and cheap lt 1 Euro
• Applications
• Pollution monitoring
• Military tracking system
• Disaster management
• Health care
• Traffic conditions
• Keeping track of cows

LEO??????????? (Generated by SaVi)
WSN for disaster management (Source 1)
The secure operation of these applications is
paramount
4
Wireless Sensor Networks - Constraints

• Sensor nodes' constraints
• Limited battery power and size results in
  reduced
• Processing power
• Storage capacity
• Communication bandwidth
• Power consumption determines network lifetime
• Energy for sensing the environment
• Energy for wireless communication (gt50 of energy
  used)
• Energy for microprocessor computations
• Energy for idle listening

Traditional security solutions are not practical
for WSNs
How can this differences be overcome?
5
Sensor Networks vs Mobile Ad Hoc NETworks

• However, some researchers argue that public key
  systems are possible with special hardware...

6
Security in Wireless Sensor Networks

• Requirements
• First line of defense Authorization,
  Confidentiality etc.
• Second line of defense Intrusion detection and
  recovery
• Threat Model
• Attackers know the security scheme of the network
  a priori
• An attacker may compromise or capture a node and
  gain total access to the network
• Outsider vs Insider attacks
• Passive vs Active attacks
• Sensor-class vs Laptop-class attacks

This work considers insider attacks originating
from compromised sensor nodes
7
Attacks on Sensor Network Security

• Attack Categories
• Attacks on secrecy and authentication
• Attacks on network availability DoS
• Stealthy attacks against service integrity
• Attacks covered in this work

• Sinkhole
• The malicious node forges routing updates so that
  nearby nodes chose it as its next hop
• When all traffic is routed through the malicious
  node, the attacker has total control of the
  information flow

• Selective Forwarding
• The sinkhole node drops packets selectively or at
  random
• Black Hole
• All packets are dropped

Sinkhole attack
A scheme for detecting these attacks is needed
8
Intrusion Detection Systems - IDS

• Traditional IDS
• Passive systems that only log events or reactive
  systems that take action upon an intrusion
• The two most common models for intrusion
  detection are misuse detection and anomaly
  detection
• Misuse Detection (a.k.a. Pattern matching)
• Observed behavior matched against stored patterns
• Simple and high accuracy - cannot detect new
  attacks
• Anomaly Detection
• Searches for events that differ from normal
  behavior
• Requires large amounts of subject data can
  detect new attacks
• Impractical for WSNs

9
Challenges in Intrusion Detection for WSNs

• Challenges
• Selection of detection entities Energy
  consumption coverage
• Detection and localization of malicious nodes /
  attackers
• Detection entities
• Sensor nodes
• Keep track of neighbors and nearby detectors
• Periodically checks if it should become a
  detector
• Detectors
• Normal or specialized sensor nodes
• Monitors nearby traffic flows
• Initiates a judgment phase when suspicious action
  is observed
• Periodically checks if it should withdraw
• Base Station
• Functions as a IDS manager receiving reports from
  all detectors

10
Part II A Distributed Solution for Selection of
Detectors in Wireless Sensor Networks

• Previous Work
• Watchdogs (detectors)
• The nature of wireless communications makes it
  possible for neighbors to watch eachothers actions

• Random Watchdogs Roman et. al
• Nodes that can become watchdogs roll a die to see
  if they should become detectors less energy
  consumption

• Problem statement
• Watchdog scheme
• Excellent coverage
• High energy consumption gt50 nodes active as
  watchdogs
• Random scheme
• Low energy consumption fewer nodes elected as
  watchdogs
• Optimal coverage not possible

Node C and D can become detectors
How to minimize the energy consumption while
keeping the coverage?
11
Solution Approach

• Detector election
• Nodes elect to become detectors according to
  certain criteria
• Nodes that become detectors inform their
  neighbors
• Avoids redundant detectors
• Ensures near optimal coverage
• Goals
• Monitor all packets traversing the network at
  least once
• Distribute energy consumption over all nodes
• Minimize the number of selected detectors
• Selection based only on local information
  decentralized
• Avoid selecting high profile nodes
• Methods
• Randomized back off timer avoids redundant
  detectors.
• Detectors denounce detector role periodically to
  distribute energy cost evenly in the network.

12
Node Roles

• Sensor nodes
• Elect to become detectors (if they find an
  unmonitored flow)
• (May chose to sleep to preserve energy if they
  deem that there is nothing useful for them to do
  presently.)
• To solve contention nodes wait a variable time
  depending on certain criteria
• Detectors
• Observe neighboring nodes (communication)
• Withdrawal (based on remaining energy, neighbors
  willingness to become detectors, etc.)
• Base Station
• (Handles reports about suspicious behavior,
  orders monitoring of such nodes)

13
Performance Evaluation

• Simulation Setup
• NS2
• 100 sensor nodes in 100 x 100m
• Energy consumption based on the MICA2 mote
• Each simulation was performed a multitude of
  times and the average outcome is presented
• Each simulation lasted 600 seconds
• Traffic Scenarios
• Scenario 1
• 10 randomly selected nodes send traffic
  continuously
• These 10 nodes are periodically rotated in the
  network
• Scenario 2
• 10 randomly selected nodes send traffic for 300
  seconds
• The rest of the time they are silent

14
Number of Detectors

• The proposed method performs close to the random
  method with respect to the number of detectors
• Increasing the transmission range results in
  almost equal decrease in the number of detectors
  for both methods
• The two methods perform well in both scenarios in
  response to different traffic flows

15
Coverage

• The proposed method achieves near total coverage
  at all times
• The random method achieves on average 80
  coverage
• Both methods suffers from decreased coverage as
  detectors run out of energy proposed method
  degrades more gracefully

16
Energy Consumption Number of Live Nodes

• Both methods distribute the energy costs fairly
  equal over the network
• Longer transmission range -gt fewer detectors -gt
  live longer
• Nodes live longer in scenario 2 as detectors are
  active for a shorter time

17
Part III Collaborative and Distributed Detection
for Wireless Sensor Networks

• Previous Work
• Silva et al. propose a system where some nodes
  watch the other nodes for suspicious activity
• The size of the buffer window for monitored
  packets is highlighted as a key problem
• Ioannis et al. propose an system that elects
  roughly half of the sensor network to become
  detectors
• Detectors collaborate in finding malicious nodes
  resulting in much better performance compared to
  the previous method
• High accuracy achieved for detection of selective
  forwarding attack
• No energy analysis made
• Problem Statement
• Previous methods fail to combine
  energy-efficiency with high detection accuracy

18
Problem Statement and Solution Approach

• Importance of collaboration
• Hidden terminal problem
• Low frequency attacks
• Importance of energy efficiency
• Sensor networks severely constrained
• Avoid static solutions

Benefits of collaboration

• Solution approach
• On demand activation co-detector scheme
• Based on the architecture proposed in Part II
• A detector identifies a suspicious node
• Nearby nodes are activated as co-detectors
• Judgment is passed based on all detectors reports
• Co-detectors go back to slumber -gt energy savings

19
Early Detection by Collaboration

• Detectors
• Observe neighbors
• Initiates judgment if a suspicious node is
  identified
• Co-detectors
• Active for a short time
• Collects information and sends to the initiating
  detector

20
Collaborative Detection of Selective Forwarding

• Assumptions
• Attacker drops packets with a probability t
• Aggregation window
• Rule 1 For each packet that a node A send to
  node B, temporarily buffer this packet and check
  if node B forwards it. If not, increment a
  counter for node B. Else remove the packet from
  the buffer. If after w units of time the node has
  dropped more than n packets, initiate judgment or
  produce a report.
• The size of the aggregation window determines how
  long time passes before rule 1 is applied
• A small size gives faster detection but lower
  accuracy
• Collaborative Detection
• Rule 2 If the majority of the detectors have
  sent reports of the suspects guiltiness to the
  initiator, the suspect is judged to be malicious
  and should be revoked, or notify the base
  station.

21
Time line of proposed method

• For a network setup similar to Part II each node
  has on the average 10 neighbors
• On average 5 of these 10 can act as detectors -
  co-detectors

Timeline for the proposed cooperative detection
mechanism
22
Performance Evaluation

• Simulation setup
• 100 nodes, 100 x 100 m
• Each node has on average 10 neighbors
• A random link A -gt B was chosen for each
  simulation
• B launches a selective forwarding attack,
  dropping packets with a probability Pb
• Detector threshold for generating a report over a
  period of w units was set to t 20
• When this threshold was reached, co-detectors
  were activated and judgment was performed
  according to rule 2
• 1000 iterations of each simulation was performed
  to get good average values

23
Accuracy False Negative Rate

• The size of the aggregation window w has a
  significant influence on the accuracy
• For a low value of Pd the false negative rate is
  quite high so I tried a modified version of rule
  2 the average drop rate of all detectors decided
  the outcome of the judgment.
• I set w to 30 units in subsequent simulations

24
Probability of Detecting an Attack

• Two thresholds 10 and 20 assumed for detection
• Drop probabilities below the threshold produced a
  small number of reports false positives
• Method 2 gives fewer false positives but also
  misses a bit more attacks
• However, a missed attack can be detected in the
  next window

25
Time to Detection

• Time to detection depends almost exclusively on
  the size of the window w (RTT between detectors
  ignored)
• For a low Pd a detector might miss an attack
  resulting in longer detection times

26
Energy Efficiency

• Detectors consume more energy than non-detectors
• Proposed method compared to the method by Ioannis
  et al. using a static number of detectors
• For a low frequency of attacks the proposed
  method clearly outperforms the previous method

27
Chapter IV Intrusion Detection using Mobile
Detectors

• Mobile Detectors
• Sensor network mobility a hot topic in recent
  literature
• What if the detectors where mobile
• Compare to a Police Car
• Patrol neighborhood
• Random movement or
• Directed by anonymous tips
• If suspicious activity is found, the police car
  can stop and conduct further investigation

28
Motivation for a Mobile Detector Scheme
Homogeneous network
Specialized network
Mobile detector network
Characteristics of intrusion detection systems
based on different network architectures
29
Design of a Mobile Detector

• One mobile detector equals multiple stationary
  detectors
• Communication Strategy
• All communication is through the base station -
  stealth
• Detection Strategy
• Aggregation window of size w
• Apply rule 1 from part III
• Movement Strategy
• Predefined Easier communication
• Random Attacker cannot predict where mobile
  detector is
• Shortcomings
• The velocity of the mobile detector has a great
  influence on detection accuracy as well as time
  to detection

30
Influence from Detector Mobility

• Detector-Link Meeting Delay

Illustration of computing the distribution of
detector-link meeting delay

• To reduce Detector-Link Meeting Delay
• Increase the number of detectors
• Increase the transmission range not practical
• Increase the velocity

31
Detector-Link Delay

• Increased velocity and number of detectors
  results in reduced detector-link meeting delay
• However, increased speed means less time to
  monitor each node

What are the effects on time to detection?
32
Time to Detection

• Increased speed results in more attacks being
  missed, but more chances to detect them net
  result still positive
• Another concern is for false negatives if
  mobile detectors stop to investigate a suspect
  further, these can almost be eliminated

33
Discussion

• One mobile detector equals multiple stationary
  detectors Achieved! However...
• Still unrealistic
• Movement of detectors expensive
• Extending the Idea of Mobile Detectors
• Neighborhood watch, deputies...
• Future Directions
• Merge mobile detectors and mobile base
  stations/sinks

34
Summary

• Part I
• Introduction to WSN
• WSN Security
• IDS
• Part II
• Detection Entities
• Selection of Detectors Low Energy High
  Coverage
• Part III
• Collaborative Detection of Selective Forwarding
• Part IV
• Mobile intrusion detection

35
Conclusions

• Questions?