Optimal Activation of Intrusion Detection Agents for Wireless Sensor Networks - PowerPoint PPT Presentation


PPT – Optimal Activation of Intrusion Detection Agents for Wireless Sensor Networks PowerPoint presentation | free to download - id: 3e6c5a-OTYzM


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Optimal Activation of Intrusion Detection Agents for Wireless Sensor Networks


Optimal Activation of Intrusion Detection Agents for Wireless Sensor Networks Yulia Ponomarchuk and Dae-Wha Seo Kyungpook National University, Republic of Korea – PowerPoint PPT presentation

Number of Views:33
Avg rating:3.0/5.0
Slides: 13
Provided by: YUL164
Learn more at: http://www.wsn-security.info


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Optimal Activation of Intrusion Detection Agents for Wireless Sensor Networks

Optimal Activation of Intrusion Detection Agents
for Wireless Sensor Networks
  • Yulia Ponomarchuk and Dae-Wha Seo
  • Kyungpook National University, Republic of Korea
  • Dept. of Electrical Engineering and Computer
  • Mobile Computing and Embedded Systems Laboratory,
  • 2010.10.26

  • Introduction
  • Related Work
  • Attacks against the wireless sensor networks
    (WSN) and obstacles the security
  • Intrusion Detection Systems (IDSs)
  • Ising model formulation for the global IDS agents
  • Self-organization of the IDS agents
  • Conclusions

Introduction Comparison of the WSNs and Wireless
Ad Hoc Networks
Wireless sensor network
Wireless ad hoc network
  • Nodes function in unattended manner
  • High specialization of nodes
  • The batteries may be nonrechargeable
  • Memory and processing power resources are very
  • Dense and random deployment
  • The exact location is unknown
  • The location is fixed after deployment
  • Nodes often fail or can be compromised
  • Any node can not be trusted
  • Paths for transmissions are fixed within a given
    time interval
  • Nodes are controlled by users
  • No specialization of nodes
  • Power resources are not constrained
  • Memory and processing power resources are
  • Sparse deployment of nodes
  • Each node can be supplied with GPS
  • Nodes can be mobile
  • Nodes rarely fail or get compromised
  • Authenticated node can be trusted
  • Paths for transmissions are random and change in
    time course

Related Work Some Attacks against the WSNs
  • Physical layer jamming producing sufficient
    levels of radio interference to provoke
  • MAC layer jamming preventing legal nodes from
    accessing the channel or exhausting their
  • Routing layer attacks
  • Spoofing, altering, or replaying routing
  • Selective forwarding of packets
  • Black hole attack dropping all trespassing
  • Sinkhole attack luring traffic from the targeted
  • Wormhole attack inserting an out-of-band link to
    lure traffic
  • Sybil attack representing several identities to
    its neighbors

Wormhole attack
Obstacles to the Wireless Sensor Networks Security
  • The nodes in the WSNs can be easily compromised
  • Attack prevention schemes alone cannot ensure
    perfect security of the networks
  • An attacker can eavesdrop packets and analyze the
    protocols and topology of the target network
  • An attacker may inject false information through
    the compromised nodes
  • All keying material may be obtained from a
    compromised node and a complex attack can be
  • Resource constraints
  • Unreliable communication
  • Unattended operation
  • Therefore, intrusion detection systems (IDSs) are
    proposed as a second line of defense
  • To detect anomalies and inform the base station
  • To trigger the network reaction to the intrusion
  • To minimize the attackers influence on the
    network performance
  • Assumption the behavior of the intruder and the
    legal node can be discriminated

Intrusion Detection Systems (IDSs)
  • An IDS is software and/or hardware designed to
    detect unwanted attempts at accessing,
    manipulating, and/or disabling of computer
  • A network IDS (NIDS) is an independent platform
    which identifies intrusions by examining network
    traffic and monitors multiple nodes
  • A host-based IDS (HIDS) consists of an agent on a
    host which identifies intrusions by analyzing
    system calls, application logs, file-system
    modifications, and other host activities and
  • It is assumed that the behavior patterns of an
    intruder and a legitimate user in the network are
    different (noticeably)
  • While data encryption and data integrity
    protection are used as preventive measures, an
    IDS acts only in reaction to the occurrence of an
    attack second line of defense

Classification of the IDSs according to the
Detection Techniques
  • A signature-based (or misuse detection based)
  • compares the traffic features with the predefined
    signatures of attacks or malicious actions
  • allows detection of the majority of known
  • has a low false positive rate
  • when a new type of assault is launched, a new
    signature should be created and broadcast to
    every node
  • An anomaly-based IDS
  • checks the traffic on occurrence of any behavior
    different from the predefined or accepted normal
  • can detect novel attacks
  • has a high false positive rate.
  • A specification-based IDS
  • uses a set of manually defined rules,
  • specific for the application or running
  • protocols in the WSN
  • it is recommended for the WSNs, since the
  • specification database requires less memory

General architecture of the IDSs for WSNs
Previously Proposed Approaches to the IDS Design
  • A significant number of IDS design approaches
    rely on
  • analysis of incoming and outgoing traffic from a
    node and
  • monitoring the neighbors behaviors (watchdogs
  • Besemann, et al. (2004), Roman, et al. (2006),
    Hai, et al. (2007) suggested to use a local IDS
    (LIDS) agent and a global IDS (GIDS) agent for
    traffic analysis and nodes monitoring and
    cooperation respectively
  • While the analysis of incoming and outgoing
    traffic does not require much energy resources,
    an active GIDS agent may quickly exhaust the
    battery of a node. Therefore, the algorithms for
    optimal deployment and activation of the GIDS
    agents were proposed
  • Anjum, et al. (2004) proposed to activate the
    IDS agents only at CHs, which belong to a minimum
    cut-set (a set of nodes, through which the most
    of the traffic is transferred). The CHs were
    assumed to be trustworthy
  • Techateerawat and Jennings (2006) analyzed the
    three adaptive strategies of IDS deployment 1)
    core defense protects the CH 2) boundary
    defense protects the boundary of each cluster
    3) distributed defense the uniform activation
    of IDS agents in the WSN. As soon as an intrusion
    is detected, alarms are broadcast to activate the
    IDS agents in the vicinity of the attacker
  • Chatzigiannakis and Strikos (2007) suggested to
    activate the GIDS agents at the cluster heads
    (CHs), which are the members of a cut-set also
    there are a few nodes in each cluster with active
    GIDS agents, which monitor the CHs behavior
  • Hai, et al. (2007) proposed to activate GIDS
    agents at all CHs in order to monitor cluster
    members behaviors. All monitoring nodes were
    assumed to be trustworthy

Ising Model Formulation for the Activation of
GIDS Agents
  • The WSN is represented as a weighted (directed)
    graph G(V, E, W)
  • Vv1, v2, , vN the set of individual
    components (the WSN nodes)

  • - the set of edges (links) between

  • - the set of weights assigned to edges and
    representing the strength of interaction between
    the components
  • Self loops are absent
  • Each node is assigned a spin to
    represent the state of its GIDS agent
  • Bt is a time-dependent external field
  • is the magnitude
    of the local field at node vk
  • is a scalar (anomaly) measure at the
    sensor node
  • A time-dependent Hamiltonian H t
  • Given the spin states of nodes and anomaly
    measures at a given time instant, the problem of
    self-organization of IDS agents is reduced to
    estimation of the state probabilities of the
    possible subsequent states of the Ising system

Optimal Activation of the IDS Agents in the WSN
  • The goal
  • To estimate probabilities of the future states of
    the system
  • To determine the distribution of active GIDS
    agents in the sensor network
  • To provide adaptability to the IDS agents
  • The model was simplified by the following
  • Markov dynamics the future state depends only on
    the present state
  • Quasi-static equilibria at all time instants the
    system follows the single-flip dynamics, large
    changes in systems states are impossible
  • The system follows the condition of the detailed
  • PI ,PJ the probabilities of the system being
    in states I and J respectively
  • pIJ the probability of transition from state I
    to state J, then
  • Other denotations
  • - the weighting coefficient for the distance
  • - the coefficient, proportional to the
    inverse temperature

Algorithm Self-Organization of the IDS Agents
  • While (1) do
  • Collect traffic data from the neighboring devices
  • Compute local anomaly measure at the
    current time instant and broadcast it to the
    one-hop neighbors
  • Compute the external field
  • Compute change in energy and calculate
    the probability of flipping the state
  • Change the spin state with probability
    for the next time period
  • End

  • The paper proposes a model for adaptive optimal
    activation of the GIDS agents for intrusion
    detection in the WSNs, which is based on
  • the weighted graphs and
  • the Ising model based on the principles of
    Statistical Mechanics
  • Given the estimations of traffic anomalies, a
    small fraction of nodes is activated in order to
    watch their neighbors behaviors only when it is
  • The proposed scheme is distributed and
    lightweight in terms of computation and
    communication overheads
  • It can be applied in large WSNs, since the BSs do
    not collect and store the traffic information
    from all nodes
  • Further research will be devoted to
  • the performance evaluation using simulations and
  • comparison to other approaches for GIDS agents
    deployment and activation
About PowerShow.com