Slide 1: A Study of Intrusion Detection Techniques for Energy Efficient and Early Detection in Wireless Sensor Networks
- Åke Olbert
- Chalmers University of Technology
- 2007-04-26
Slide 2: Research Goal
- The aim of my research is the detection and localization of intruders in the sensor network when the first line of security has failed
Outline
- Part I: Background: WSN characteristics and security; intrusion detection systems
- Architectural problems: energy-efficient selection of detection entities
  - Part II: A Distributed Solution for Selection of Detectors in Wireless Sensor Networks
- Detection and localization of an attacker: early and high accuracy
  - Part III: Collaborative and Distributed Detection for Wireless Sensor Networks
  - Part IV: Intrusion Detection using Mobile Detectors
Slide 3: Part I: Background
- Wireless Sensor Networks
  - A network of small sensor devices deployed in an ad-hoc fashion and cooperating to sense a physical phenomenon
  - Sensing abilities include light, temperature, pollution, motion etc.
  - Small and cheap (< 1 Euro)
- Applications
  - Pollution monitoring
  - Military tracking system
  - Disaster management
  - Health care
  - Traffic conditions
  - Keeping track of cows
[Figure: LEO (generated by SaVi)]
[Figure: WSN for disaster management (Source 1)]
The secure operation of these applications is paramount
Slide 4: Wireless Sensor Networks - Constraints
- Sensor nodes' constraints
  - Limited battery power and size result in reduced
    - Processing power
    - Storage capacity
    - Communication bandwidth
- Power consumption determines network lifetime
  - Energy for sensing the environment
  - Energy for wireless communication (>50% of the energy used)
  - Energy for microprocessor computations
  - Energy for idle listening
Traditional security solutions are not practical for WSNs
How can these differences be overcome?
Slide 5: Sensor Networks vs Mobile Ad Hoc NETworks
- However, some researchers argue that public key systems are possible with special hardware...
Slide 6: Security in Wireless Sensor Networks
- Requirements
  - First line of defense: authorization, confidentiality etc.
  - Second line of defense: intrusion detection and recovery
- Threat model
  - Attackers know the security scheme of the network a priori
  - An attacker may compromise or capture a node and gain total access to the network
  - Outsider vs insider attacks
  - Passive vs active attacks
  - Sensor-class vs laptop-class attacks
This work considers insider attacks originating from compromised sensor nodes
Slide 7: Attacks on Sensor Network Security
- Attack categories
  - Attacks on secrecy and authentication
  - Attacks on network availability (DoS)
  - Stealthy attacks against service integrity
- Attacks covered in this work
  - Sinkhole
    - The malicious node forges routing updates so that nearby nodes choose it as their next hop
    - When all traffic is routed through the malicious node, the attacker has total control of the information flow
  - Selective forwarding
    - The sinkhole node drops packets selectively or at random
  - Black hole
    - All packets are dropped
[Figure: Sinkhole attack]
A scheme for detecting these attacks is needed
Slide 8: Intrusion Detection Systems - IDS
- Traditional IDS
  - Passive systems that only log events, or reactive systems that take action upon an intrusion
  - The two most common models for intrusion detection are misuse detection and anomaly detection
- Misuse detection (a.k.a. pattern matching)
  - Observed behavior is matched against stored patterns
  - Simple and highly accurate, but cannot detect new attacks
- Anomaly detection
  - Searches for events that differ from normal behavior
  - Requires large amounts of subject data; can detect new attacks
  - Impractical for WSNs
Slide 9: Challenges in Intrusion Detection for WSNs
- Challenges
  - Selection of detection entities: energy consumption and coverage
  - Detection and localization of malicious nodes / attackers
- Detection entities
  - Sensor nodes
    - Keep track of neighbors and nearby detectors
    - Periodically check if they should become a detector
  - Detectors
    - Normal or specialized sensor nodes
    - Monitor nearby traffic flows
    - Initiate a judgment phase when suspicious action is observed
    - Periodically check if they should withdraw
  - Base station
    - Functions as an IDS manager receiving reports from all detectors
Slide 10: Part II: A Distributed Solution for Selection of Detectors in Wireless Sensor Networks
- Previous work
  - Watchdogs (detectors)
    - The nature of wireless communications makes it possible for neighbors to watch each other's actions
  - Random watchdogs (Roman et al.)
    - Nodes that can become watchdogs roll a die to see if they should become detectors: less energy consumption
- Problem statement
  - Watchdog scheme
    - Excellent coverage
    - High energy consumption: >50% of nodes active as watchdogs
  - Random scheme
    - Low energy consumption: fewer nodes elected as watchdogs
    - Optimal coverage not possible
[Figure: Nodes C and D can become detectors]
How to minimize the energy consumption while keeping the coverage?
Slide 11: Solution Approach
- Detector election
  - Nodes elect to become detectors according to certain criteria
  - Nodes that become detectors inform their neighbors
  - Avoids redundant detectors
  - Ensures near optimal coverage
- Goals
  - Monitor all packets traversing the network at least once
  - Distribute energy consumption over all nodes
  - Minimize the number of selected detectors
  - Selection based only on local information (decentralized)
  - Avoid selecting high profile nodes
- Methods
  - Randomized back-off timer avoids redundant detectors.
  - Detectors denounce the detector role periodically to distribute energy cost evenly in the network.
Slide 12: Node Roles
- Sensor nodes
  - Elect to become detectors (if they find an unmonitored flow)
  - (May choose to sleep to preserve energy if they deem that there is nothing useful for them to do presently.)
  - To resolve contention, nodes wait a variable time depending on certain criteria
- Detectors
  - Observe neighboring nodes (communication)
  - Withdrawal (based on remaining energy, neighbors' willingness to become detectors, etc.)
- Base station
  - (Handles reports about suspicious behavior, orders monitoring of such nodes)
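The election described on slides 11 and 12, as an added Python example that is not code from the thesis: the six-node topology, the energy values and the back-off criterion (less remaining energy means a longer wait, plus random jitter) are constructed assumptions.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Node:
    nid: str
    energy: float            # remaining battery fraction 0..1 (constructed values)
    neighbors: set
    is_detector: bool = False
    monitored: set = field(default_factory=set)  # flows (src, dst) this node watches


def candidates(nodes, src, dst):
    """Nodes that overhear the link src->dst, i.e. neighbours of both endpoints."""
    return [n for n in nodes.values()
            if n.nid not in (src, dst) and {src, dst} <= n.neighbors]


def backoff(node, rng, base=1.0, jitter=0.5):
    """Assumed election criterion: the less energy a node has left, the longer
    it waits; random jitter breaks ties so two nodes rarely fire together."""
    return base * (1.0 - node.energy) + rng.uniform(0.0, jitter)


def elect(nodes, flows, rng):
    """Local election per flow: an existing detector in range simply adds the
    flow; otherwise the candidate whose timer fires first becomes detector and
    announces it, which cancels the timers of the other candidates."""
    for flow in flows:
        cands = candidates(nodes, *flow)
        if not cands:
            continue                                # nobody can watch this link
        active = [n for n in cands if n.is_detector]
        if active:                                  # already covered: no new detector
            active[0].monitored.add(flow)
            continue
        winner = min(cands, key=lambda n: backoff(n, rng))
        winner.is_detector = True
        winner.monitored.add(flow)
    return sorted(n.nid for n in nodes.values() if n.is_detector)


def coverage(nodes, flows):
    """Fraction of flows watched by at least one detector."""
    watched = set().union(*(n.monitored for n in nodes.values()))
    return len(watched & set(flows)) / len(flows)


def run_demo(seed=1):
    # Constructed topology: C (0.9) has far more energy left than D (0.3), so C
    # always wins the election for A->B and then also covers B->E for free.
    adj = {"A": "BCD", "B": "ACDE", "C": "ABDE", "D": "ABC", "E": "BCF", "F": "E"}
    energy = {"A": .8, "B": .8, "C": .9, "D": .3, "E": .8, "F": .8}
    net = {k: Node(k, energy[k], set(v)) for k, v in adj.items()}
    flows = [("A", "B"), ("B", "E")]
    return elect(net, flows, random.Random(seed)), coverage(net, flows)
```

Running `run_demo()` yields a single detector (C) with full coverage of both flows, which is the "fewer detectors, same coverage" effect the slide claims over the random scheme.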
Slide 13: Performance Evaluation
- Simulation setup
  - NS2
  - 100 sensor nodes in 100 x 100 m
  - Energy consumption based on the MICA2 mote
  - Each simulation was performed a multitude of times and the average outcome is presented
  - Each simulation lasted 600 seconds
- Traffic scenarios
  - Scenario 1
    - 10 randomly selected nodes send traffic continuously
    - These 10 nodes are periodically rotated in the network
  - Scenario 2
    - 10 randomly selected nodes send traffic for 300 seconds
    - The rest of the time they are silent
Slide 14: Number of Detectors
- The proposed method performs close to the random method with respect to the number of detectors
- Increasing the transmission range results in an almost equal decrease in the number of detectors for both methods
- The two methods perform well in both scenarios in response to different traffic flows
Slide 15: Coverage
- The proposed method achieves near total coverage at all times
- The random method achieves on average 80% coverage
- Both methods suffer from decreased coverage as detectors run out of energy; the proposed method degrades more gracefully
Slide 16: Energy Consumption / Number of Live Nodes
- Both methods distribute the energy costs fairly equally over the network
- Longer transmission range -> fewer detectors -> nodes live longer
- Nodes live longer in scenario 2 as detectors are active for a shorter time
Slide 17: Part III: Collaborative and Distributed Detection for Wireless Sensor Networks
- Previous work
  - Silva et al. propose a system where some nodes watch the other nodes for suspicious activity
    - The size of the buffer window for monitored packets is highlighted as a key problem
  - Ioannis et al. propose a system that elects roughly half of the sensor network to become detectors
    - Detectors collaborate in finding malicious nodes, resulting in much better performance compared to the previous method
    - High accuracy achieved for detection of the selective forwarding attack
    - No energy analysis made
- Problem statement
  - Previous methods fail to combine energy efficiency with high detection accuracy
Slide 18: Problem Statement and Solution Approach
- Importance of collaboration
  - Hidden terminal problem
  - Low frequency attacks
- Importance of energy efficiency
  - Sensor networks severely constrained
  - Avoid static solutions
[Figure: Benefits of collaboration]
- Solution approach
  - On-demand activation: co-detector scheme
  - Based on the architecture proposed in Part II
  - A detector identifies a suspicious node
  - Nearby nodes are activated as co-detectors
  - Judgment is passed based on all detectors' reports
  - Co-detectors go back to slumber -> energy savings
Slide 19: Early Detection by Collaboration
- Detectors
  - Observe neighbors
  - Initiate judgment if a suspicious node is identified
- Co-detectors
  - Active for a short time
  - Collect information and send it to the initiating detector
Slide 20: Collaborative Detection of Selective Forwarding
- Assumptions
  - Attacker drops packets with a probability t
- Aggregation window
  - Rule 1: For each packet that a node A sends to node B, temporarily buffer this packet and check if node B forwards it. If not, increment a counter for node B; else remove the packet from the buffer. If after w units of time the node has dropped more than n packets, initiate judgment or produce a report.
  - The size of the aggregation window determines how much time passes before rule 1 is applied
  - A small size gives faster detection but lower accuracy
- Collaborative detection
  - Rule 2: If the majority of the detectors have sent reports of the suspect's guilt to the initiator, the suspect is judged to be malicious and should be revoked, or the base station is notified.
Slide 21: Timeline of Proposed Method
- For a network setup similar to Part II, each node has on average 10 neighbors
- On average 5 of these 10 can act as detectors / co-detectors
[Figure: Timeline for the proposed cooperative detection mechanism]
Slide 22: Performance Evaluation
- Simulation setup
  - 100 nodes, 100 x 100 m
  - Each node has on average 10 neighbors
  - A random link A -> B was chosen for each simulation
  - B launches a selective forwarding attack, dropping packets with a probability Pb
  - The detector threshold for generating a report over a period of w units was set to t = 20
  - When this threshold was reached, co-detectors were activated and judgment was performed according to rule 2
  - 1000 iterations of each simulation were performed to get good average values
Slide 23: Accuracy: False Negative Rate
- The size of the aggregation window w has a significant influence on the accuracy
- For a low value of Pd the false negative rate is quite high, so I tried a modified version of rule 2: the average drop rate over all detectors decides the outcome of the judgment.
- I set w to 30 units in subsequent simulations
Slide 24: Probability of Detecting an Attack
- Two thresholds, 10 and 20, assumed for detection
- Drop probabilities below the threshold produced a small number of reports (false positives)
- Method 2 gives fewer false positives but also misses a few more attacks
- However, a missed attack can be detected in the next window
Slide 25: Time to Detection
- Time to detection depends almost exclusively on the size of the window w (RTT between detectors ignored)
- For a low Pd a detector might miss an attack, resulting in longer detection times
Slide 26: Energy Efficiency
- Detectors consume more energy than non-detectors
- Proposed method compared to the method by Ioannis et al., which uses a static number of detectors
- For a low frequency of attacks the proposed method clearly outperforms the previous method
Slide 27: Chapter IV: Intrusion Detection using Mobile Detectors
- Mobile detectors
  - Sensor network mobility is a hot topic in recent literature
  - What if the detectors were mobile?
  - Compare with a police car
    - Patrols the neighborhood
    - Random movement, or
    - Directed by anonymous tips
    - If suspicious activity is found, the police car can stop and conduct further investigation
Slide 28: Motivation for a Mobile Detector Scheme
[Figure: Characteristics of intrusion detection systems based on different network architectures: homogeneous network, specialized network, mobile detector network]
Slide 29: Design of a Mobile Detector
- One mobile detector equals multiple stationary detectors
- Communication strategy
  - All communication is through the base station (stealth)
- Detection strategy
  - Aggregation window of size w
  - Apply rule 1 from Part III
- Movement strategy
  - Predefined: easier communication
  - Random: attacker cannot predict where the mobile detector is
- Shortcomings
  - The velocity of the mobile detector has a great influence on detection accuracy as well as time to detection
Slide 30: Influence from Detector Mobility
- Detector-link meeting delay
[Figure: Illustration of computing the distribution of detector-link meeting delay]
- To reduce detector-link meeting delay
  - Increase the number of detectors
  - Increase the transmission range (not practical)
  - Increase the velocity
Slide 31: Detector-Link Delay
- Increased velocity and number of detectors result in reduced detector-link meeting delay
- However, increased speed means less time to monitor each node
What are the effects on time to detection?
Slide 32: Time to Detection
- Increased speed results in more attacks being missed, but more chances to detect them; the net result is still positive
- Another concern is false negatives: if mobile detectors stop to investigate a suspect further, these can almost be eliminated
Slide 33: Discussion
- One mobile detector equals multiple stationary detectors: achieved! However...
  - Still unrealistic
  - Movement of detectors is expensive
- Extending the idea of mobile detectors
  - Neighborhood watch, deputies...
- Future directions
  - Merge mobile detectors and mobile base stations/sinks
Slide 34: Summary
- Part I
  - Introduction to WSN
  - WSN security
  - IDS
- Part II
  - Detection entities
  - Selection of detectors: low energy, high coverage
- Part III
  - Collaborative detection of selective forwarding
- Part IV
  - Mobile intrusion detection
Slide 35: Conclusions