A Study of Intrusion Detection Techniques for Energy Efficient and Early Detection in Wireless Senso - PowerPoint PPT Presentation


A Study of Intrusion Detection Techniques for
Energy Efficient and Early Detection in Wireless
Sensor Networks
  • Åke Olbert
  • Chalmers University of Technology
  • 2007-04-26

Research Goal
  • The aim of my research is the detection and
    localization of intruders in the sensor network,
    when the first line of security has failed

Part I Background: WSN Characteristics and Intrusion Detection System
<Architectural problems> Energy-Efficient Selection of Detection Entities
Part II A Distributed Solution for Selection of Detectors in Wireless Sensor Networks
<Detection and Localization of an Attacker> Early and High Accuracy
Part III Collaborative and Distributed Detection for Wireless Sensor Networks
Part IV Intrusion Detection using Mobile Detectors
Part I Background
  • Wireless Sensor Networks
  • A network of small sensor devices deployed in an
    ad-hoc fashion and cooperating to sense a
    physical phenomenon
  • Sensing abilities include light, temperature,
    pollution, motion etc.
  • Small and cheap: < 1 Euro
  • Applications
  • Pollution monitoring
  • Military tracking system
  • Disaster management
  • Health care
  • Traffic conditions
  • Keeping track of cows

LEO (Generated by SaVi)
WSN for disaster management (Source 1)
The secure operation of these applications is
Wireless Sensor Networks - Constraints
  • Sensor nodes' constraints
  • Limited battery power and size results in
  • Processing power
  • Storage capacity
  • Communication bandwidth
  • Power consumption determines network lifetime
  • Energy for sensing the environment
  • Energy for wireless communication (>50% of energy
  • Energy for microprocessor computations
  • Energy for idle listening

Traditional security solutions are not practical
for WSNs
How can these differences be overcome?
Sensor Networks vs Mobile Ad Hoc NETworks
  • However, some researchers argue that public key
    systems are possible with special hardware...

Security in Wireless Sensor Networks
  • Requirements
  • First line of defense: Authorization,
    Confidentiality etc.
  • Second line of defense: Intrusion detection and
  • Threat Model
  • Attackers know the security scheme of the network
    a priori
  • An attacker may compromise or capture a node and
    gain total access to the network
  • Outsider vs Insider attacks
  • Passive vs Active attacks
  • Sensor-class vs Laptop-class attacks

This work considers insider attacks originating
from compromised sensor nodes
Attacks on Sensor Network Security
  • Attack Categories
  • Attacks on secrecy and authentication
  • Attacks on network availability (DoS)
  • Stealthy attacks against service integrity
  • Attacks covered in this work
  • Sinkhole
  • The malicious node forges routing updates so that
    nearby nodes choose it as their next hop
  • When all traffic is routed through the malicious
    node, the attacker has total control of the
    information flow
  • Selective Forwarding
  • The sinkhole node drops packets selectively or at
  • Black Hole
  • All packets are dropped

Sinkhole attack
A scheme for detecting these attacks is needed
Intrusion Detection Systems - IDS
  • Traditional IDS
  • Passive systems that only log events or reactive
    systems that take action upon an intrusion
  • The two most common models for intrusion
    detection are misuse detection and anomaly
  • Misuse Detection (a.k.a. Pattern matching)
  • Observed behavior matched against stored patterns
  • Simple and high accuracy - cannot detect new
  • Anomaly Detection
  • Searches for events that differ from normal
  • Requires large amounts of subject data can
    detect new attacks
  • Impractical for WSNs

Challenges in Intrusion Detection for WSNs
  • Challenges
  • Selection of detection entities: energy
    consumption, coverage
  • Detection and localization of malicious nodes /
  • Detection entities
  • Sensor nodes
  • Keep track of neighbors and nearby detectors
  • Periodically checks if it should become a
  • Detectors
  • Normal or specialized sensor nodes
  • Monitors nearby traffic flows
  • Initiates a judgment phase when suspicious action
    is observed
  • Periodically checks if it should withdraw
  • Base Station
  • Functions as an IDS manager receiving reports from
    all detectors

Part II A Distributed Solution for Selection of
Detectors in Wireless Sensor Networks
  • Previous Work
  • Watchdogs (detectors)
  • The nature of wireless communications makes it
    possible for neighbors to watch each other's actions
  • Random Watchdogs (Roman et al.)
  • Nodes that can become watchdogs roll a die to see
    if they should become detectors; less energy
  • Problem statement
  • Watchdog scheme
  • Excellent coverage
  • High energy consumption: >50% of nodes active as
  • Random scheme
  • Low energy consumption: fewer nodes elected as
  • Optimal coverage not possible

Node C and D can become detectors
How to minimize the energy consumption while
keeping the coverage?
Solution Approach
  • Detector election
  • Nodes elect to become detectors according to
    certain criteria
  • Nodes that become detectors inform their
  • Avoids redundant detectors
  • Ensures near optimal coverage
  • Goals
  • Monitor all packets traversing the network at
    least once
  • Distribute energy consumption over all nodes
  • Minimize the number of selected detectors
  • Selection based only on local information
  • Avoid selecting high profile nodes
  • Methods
  • Randomized back-off timer avoids redundant
  • Detectors relinquish the detector role periodically to
    distribute energy cost evenly in the network.

Node Roles
  • Sensor nodes
  • Elect to become detectors (if they find an
    unmonitored flow)
  • (May choose to sleep to preserve energy if they
    deem that there is nothing useful for them to do)
  • To solve contention nodes wait a variable time
    depending on certain criteria
  • Detectors
  • Observe neighboring nodes (communication)
  • Withdrawal (based on remaining energy, neighbors'
    willingness to become detectors, etc.)
  • Base Station
  • (Handles reports about suspicious behavior,
    orders monitoring of such nodes)
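The detector election of Part II as an added simulation (not the thesis's own code): a constructed random deployment, the watchdog and random (Roman et al.) baselines, and the back-off election. The back-off criterion (scaled by residual energy), the announcement model and the rule that a third node watches a link only when it hears both endpoints are assumptions.

```python
import random

def build_neighbours(n, size, tx_range, rng):
    """Uniform random deployment (constructed); nodes within tx_range of each other are neighbours."""
    pos = [(rng.uniform(0, size), rng.uniform(0, size)) for _ in range(n)]
    nbrs = [set() for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            if (pos[i][0] - pos[j][0]) ** 2 + (pos[i][1] - pos[j][1]) ** 2 <= tx_range ** 2:
                nbrs[i].add(j)
                nbrs[j].add(i)
    return nbrs

def can_watch(node, link, nbrs):
    """A third node monitors link (a, b) only if it overhears both a's transmission and b's forwarding."""
    a, b = link
    return node != a and node != b and a in nbrs[node] and b in nbrs[node]

def covered(detectors, flows, nbrs):
    """Number of flows watched by at least one detector."""
    return sum(1 for f in flows if any(can_watch(d, f, nbrs) for d in detectors))

def elect_detectors(nbrs, flows, energy, rng):
    """Proposed scheme: a node that sees an unmonitored flow arms a randomised back-off timer, longer
    on average for low-energy nodes (assumed criterion). The node whose timer fires first becomes a
    detector and announces it, so candidates whose flows are now covered stand down. Simplification:
    the announcement reaches every node able to watch the same link; expiry order = sort on back-off."""
    unmonitored, timers = set(flows), []
    for node in range(len(nbrs)):
        watchable = frozenset(f for f in flows if can_watch(node, f, nbrs))
        if watchable:
            timers.append((rng.random() * (2.0 - energy[node]), node, watchable))
    detectors = set()
    for _, node, watchable in sorted(timers):
        if watchable & unmonitored:          # still an unmonitored flow when the timer fires
            detectors.add(node)
            unmonitored -= watchable
    return detectors

def compare(n=100, size=100, tx_range=20, n_flows=10, p=0.5, seed=1):
    rng = random.Random(seed)
    nbrs = build_neighbours(n, size, tx_range, rng)
    flows = [(a, min(nbrs[a])) for a in range(n) if nbrs[a]][:n_flows]   # one-hop links A -> B
    energy = [rng.uniform(0.2, 1.0) for _ in range(n)]
    watchdog = {x for x in range(n) if any(can_watch(x, f, nbrs) for f in flows)}  # all able nodes
    randomised = {x for x in watchdog if rng.random() < p}                          # Roman et al.
    proposed = elect_detectors(nbrs, flows, energy, rng)
    return {s: (len(d), covered(d, flows, nbrs))                # (detector count, flows covered)
            for s, d in (("watchdog", watchdog), ("random", randomised), ("proposed", proposed))}
```

Calling `compare()` shows the trade-off the slides describe: the election covers the same flows as the full watchdog set with at most one detector per covered flow, while the random scheme uses few detectors but leaves flows unwatched.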

Performance Evaluation
  • Simulation Setup
  • NS2
  • 100 sensor nodes in 100 x 100m
  • Energy consumption based on the MICA2 mote
  • Each simulation was performed a multitude of
    times and the average outcome is presented
  • Each simulation lasted 600 seconds
  • Traffic Scenarios
  • Scenario 1
  • 10 randomly selected nodes send traffic
  • These 10 nodes are periodically rotated in the
  • Scenario 2
  • 10 randomly selected nodes send traffic for 300
  • The rest of the time they are silent

Number of Detectors
  • The proposed method performs close to the random
    method with respect to the number of detectors
  • Increasing the transmission range results in
    almost equal decrease in the number of detectors
    for both methods
  • The two methods perform well in both scenarios in
    response to different traffic flows

  • The proposed method achieves near total coverage
    at all times
  • The random method achieves on average 80% coverage
  • Both methods suffer from decreased coverage as
    detectors run out of energy; the proposed method
    degrades more gracefully

Energy Consumption Number of Live Nodes
  • Both methods distribute the energy costs fairly
    equal over the network
  • Longer transmission range -> fewer detectors ->
    live longer
  • Nodes live longer in scenario 2 as detectors are
    active for a shorter time

Part III Collaborative and Distributed Detection
for Wireless Sensor Networks
  • Previous Work
  • Silva et al. propose a system where some nodes
    watch the other nodes for suspicious activity
  • The size of the buffer window for monitored
    packets is highlighted as a key problem
  • Ioannis et al. propose a system that elects
    roughly half of the sensor network to become
  • Detectors collaborate in finding malicious nodes
    resulting in much better performance compared to
    the previous method
  • High accuracy achieved for detection of selective
    forwarding attack
  • No energy analysis made
  • Problem Statement
  • Previous methods fail to combine
    energy-efficiency with high detection accuracy

Problem Statement and Solution Approach
  • Importance of collaboration
  • Hidden terminal problem
  • Low frequency attacks
  • Importance of energy efficiency
  • Sensor networks severely constrained
  • Avoid static solutions

Benefits of collaboration
  • Solution approach
  • On-demand activation: co-detector scheme
  • Based on the architecture proposed in Part II
  • A detector identifies a suspicious node
  • Nearby nodes are activated as co-detectors
  • Judgment is passed based on all detectors reports
  • Co-detectors go back to slumber -> energy savings

Early Detection by Collaboration
  • Detectors
  • Observe neighbors
  • Initiate judgment if a suspicious node is
  • Co-detectors
  • Active for a short time
  • Collect information and send to the initiating

Collaborative Detection of Selective Forwarding
  • Assumptions
  • Attacker drops packets with a probability t
  • Aggregation window
  • Rule 1: For each packet that a node A sends to
    node B, temporarily buffer this packet and check
    if node B forwards it. If not, increment a
    counter for node B; else remove the packet from
    the buffer. If after w units of time the node has
    dropped more than n packets, initiate judgment or
    produce a report.
  • The size of the aggregation window determines how
    long time passes before rule 1 is applied
  • A small size gives faster detection but lower
  • Collaborative Detection
  • Rule 2: If the majority of the detectors have
    sent reports of the suspect's guilt to the
    initiator, the suspect is judged to be malicious
    and should be revoked, or notify the base

Time line of proposed method
  • For a network setup similar to Part II each node
    has on the average 10 neighbors
  • On average 5 of these 10 can act as detectors -

Timeline for the proposed cooperative detection
Performance Evaluation
  • Simulation setup
  • 100 nodes, 100 x 100 m
  • Each node has on average 10 neighbors
  • A random link A -> B was chosen for each
  • B launches a selective forwarding attack,
    dropping packets with a probability Pb
  • Detector threshold for generating a report over a
    period of w units was set to t = 20
  • When this threshold was reached, co-detectors
    were activated and judgment was performed
    according to rule 2
  • 1000 iterations of each simulation were performed
    to get good average values

Accuracy False Negative Rate
  • The size of the aggregation window w has a
    significant influence on the accuracy
  • For a low value of Pd the false negative rate is
    quite high, so I tried a modified version of rule
    2: the average drop rate of all detectors decided
    the outcome of the judgment.
  • I set w to 30 units in subsequent simulations
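Rules 1 and 2 of Part III together with the simulation setup above, as an added Monte Carlo model that is not the thesis's own code. Detectors overhear only a fraction of the A -> B packets (p_hear is a constructed parameter standing in for hidden-terminal effects), apply rule 1 per aggregation window, and the initiator judges with both the majority rule and the average-drop-rate variant; treating the threshold t as a drop fraction and w as a number of packets are assumptions.

```python
import random

def observe_window(rng, pb, w, p_hear):
    """Rule 1 at one detector over one aggregation window of w packets from A to B (constructed model):
    each overheard A -> B packet is buffered; if B's forwarding of it is not heard, B's drop counter is
    incremented. B drops with probability pb; the detector overhears an exchange with probability
    p_hear (hidden-terminal effects), so different detectors see different samples of the flow."""
    seen = drops = 0
    for _ in range(w):
        if rng.random() < p_hear:
            seen += 1
            if rng.random() < pb:
                drops += 1
    return seen, drops

def judge(observations, t):
    """Rule 2 (majority of guilty reports) beside the modified rule 2 (average observed drop rate).
    A detector's report is 'guilty' when its observed drop fraction exceeds the threshold t."""
    rates = [d / s for s, d in observations if s > 0]
    if not rates:
        return False, False
    majority = sum(r > t for r in rates) > len(rates) / 2
    average = sum(rates) / len(rates) > t
    return majority, average

def detection_probability(pb, t=0.2, w=30, detectors=5, p_hear=0.8, iterations=1000, seed=7):
    """Monte Carlo estimate of P(judged malicious) under both rules. For pb > t this is one minus
    the false-negative rate; for pb <= t it is the false-positive rate."""
    rng = random.Random(seed)
    hits = [0, 0]
    for _ in range(iterations):
        obs = [observe_window(rng, pb, w, p_hear) for _ in range(detectors)]
        for i, verdict in enumerate(judge(obs, t)):
            hits[i] += verdict
    return hits[0] / iterations, hits[1] / iterations

def windows_to_detection(pb, t=0.2, w=30, detectors=5, p_hear=0.8, rule="majority", seed=7, limit=100):
    """A missed attack can still be caught in a later window: number of windows until the verdict
    is malicious, or None if it never is within the limit."""
    rng = random.Random(seed)
    for k in range(1, limit + 1):
        majority, average = judge([observe_window(rng, pb, w, p_hear) for _ in range(detectors)], t)
        if (majority if rule == "majority" else average):
            return k
    return None
```

Sweeping pb from just below to well above t with both thresholds (0.1 and 0.2) reproduces the shape of the slides' curves: a small false-positive rate below the threshold and a false-negative rate that falls as pb or w grows.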

Probability of Detecting an Attack
  • Two thresholds (10 and 20) assumed for detection
  • Drop probabilities below the threshold produced a
    small number of reports (false positives)
  • Method 2 gives fewer false positives but also
    misses a bit more attacks
  • However, a missed attack can be detected in the
    next window

Time to Detection
  • Time to detection depends almost exclusively on
    the size of the window w (RTT between detectors
  • For a low Pd a detector might miss an attack
    resulting in longer detection times

Energy Efficiency
  • Detectors consume more energy than non-detectors
  • Proposed method compared to the method by Ioannis
    et al. using a static number of detectors
  • For a low frequency of attacks the proposed
    method clearly outperforms the previous method

Part IV Intrusion Detection using Mobile
  • Mobile Detectors
  • Sensor network mobility is a hot topic in recent
  • What if the detectors were mobile?
  • Compare to a Police Car
  • Patrol neighborhood
  • Random movement or
  • Directed by anonymous tips
  • If suspicious activity is found, the police car
    can stop and conduct further investigation

Motivation for a Mobile Detector Scheme
Homogeneous network
Specialized network
Mobile detector network
Characteristics of intrusion detection systems
based on different network architectures
Design of a Mobile Detector
  • One mobile detector equals multiple stationary
  • Communication Strategy
  • All communication is through the base station -
  • Detection Strategy
  • Aggregation window of size w
  • Apply rule 1 from part III
  • Movement Strategy
  • Predefined: easier communication
  • Random: attacker cannot predict where the mobile
    detector is
  • Shortcomings
  • The velocity of the mobile detector has a great
    influence on detection accuracy as well as time
    to detection

Influence from Detector Mobility
  • Detector-Link Meeting Delay

Illustration of computing the distribution of
detector-link meeting delay
  • To reduce Detector-Link Meeting Delay
  • Increase the number of detectors
  • Increase the transmission range (not practical)
  • Increase the velocity

Detector-Link Delay
  • Increased velocity and number of detectors
    results in reduced detector-link meeting delay
  • However, increased speed means less time to
    monitor each node

What are the effects on time to detection?
Time to Detection
  • Increased speed results in more attacks being
    missed, but more chances to detect them; the net
    result is still positive
  • Another concern is false negatives: if mobile
    detectors stop to investigate a suspect further,
    these can almost be eliminated

  • One mobile detector equals multiple stationary
    detectors: achieved! However...
  • Still unrealistic
  • Movement of detectors expensive
  • Extending the Idea of Mobile Detectors
  • Neighborhood watch, deputies...
  • Future Directions
  • Merge mobile detectors and mobile base

  • Part I
  • Introduction to WSN
  • WSN Security
  • IDS
  • Part II
  • Detection Entities
  • Selection of Detectors Low Energy High
  • Part III
  • Collaborative Detection of Selective Forwarding
  • Part IV
  • Mobile intrusion detection

  • Questions?