
Optimal Activation of Intrusion Detection Agents for Wireless Sensor Networks

Optimal Activation of Intrusion Detection Agents for Wireless Sensor Networks. Yulia Ponomarchuk and Dae-Wha Seo Kyungpook National University, Republic of Korea Dept. of Electrical Engineering and Computer Science Mobile Computing and Embedded Systems Laboratory, 2010.10.26. Outline.





Presentation Transcript


  1. Optimal Activation of Intrusion Detection Agents for Wireless Sensor Networks
  Yulia Ponomarchuk and Dae-Wha Seo
  Kyungpook National University, Republic of Korea
  Dept. of Electrical Engineering and Computer Science
  Mobile Computing and Embedded Systems Laboratory, 2010.10.26

  2. Outline
  • Introduction
  • Related Work
  • Attacks against the wireless sensor networks (WSN) and obstacles to their security
  • Intrusion Detection Systems (IDSs)
  • Ising model formulation for the global IDS agents activation
  • Self-organization of the IDS agents
  • Conclusions

  3. Introduction: Comparison of the WSNs and Wireless Ad Hoc Networks
  Wireless sensor network:
  • Nodes function in an unattended manner
  • High specialization of nodes
  • The batteries may be non-rechargeable
  • Memory and processing power resources are very constrained
  • Dense and random deployment
  • The exact location is unknown
  • The location is fixed after deployment
  • Nodes often fail or can be compromised
  • No node can be trusted
  • Paths for transmissions are fixed within a given time interval
  Wireless ad hoc network:
  • Nodes are controlled by users
  • No specialization of nodes
  • Power resources are not constrained
  • Memory and processing power resources are satisfactory
  • Sparse deployment of nodes
  • Each node can be supplied with GPS
  • Nodes can be mobile
  • Nodes rarely fail or get compromised
  • An authenticated node can be trusted
  • Paths for transmissions are random and change over time

  4. Related Work: Some Attacks against the WSNs
  • Physical layer jamming: producing sufficient levels of radio interference to provoke collisions
  • MAC layer jamming: preventing legal nodes from accessing the channel or exhausting their resources
  • Routing layer attacks:
    • Spoofing, altering, or replaying routing information
    • Selective forwarding of packets
    • Black hole attack: dropping all trespassing packets
    • Sinkhole attack: luring traffic from the targeted area
    • Wormhole attack: inserting an out-of-band link to lure traffic
    • Sybil attack: representing several identities to its neighbors
  [Figure: Selective forwarding attack – (a) single malicious node, (b) two collaborating nodes]
  [Figure: Wormhole attack]

  5. Obstacles to the Wireless Sensor Networks Security
  • The nodes in the WSNs can be easily compromised
  • Attack prevention schemes alone cannot ensure perfect security of the networks
  • An attacker can eavesdrop packets and analyze the protocols and topology of the target network
  • An attacker may inject false information through the compromised nodes
  • All keying material may be obtained from a compromised node and a complex attack can be launched
  • Resource constraints
  • Unreliable communication
  • Unattended operation
  • Therefore, intrusion detection systems (IDSs) are proposed – as a second line of defense
    • To detect anomalies and inform the base station (BS)
    • To trigger the network reaction to the intrusion
    • To minimize the attacker’s influence on the network performance
  • Assumption: the behavior of the intruder and the legal node can be discriminated

  6. Intrusion Detection Systems (IDSs)
  • An IDS is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems
  • A network IDS (NIDS) is an independent platform which identifies intrusions by examining network traffic and monitors multiple nodes
  • A host-based IDS (HIDS) consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications, and other host activities and state
  • It is assumed that the behavior patterns of an intruder and a legitimate user in the network are (noticeably) different
  • While data encryption and data integrity protection are used as preventive measures, an IDS acts only in reaction to the occurrence of an attack – second line of defense

  7. Classification of the IDSs according to the Detection Techniques
  • A signature-based (or misuse detection based) IDS: compares the traffic features with the predefined signatures of attacks or malicious actions; allows detection of the majority of known attacks; has a low false positive rate; when a new type of assault is launched, a new signature should be created and broadcast to every node
  • An anomaly-based IDS: checks the traffic for the occurrence of any behavior different from the predefined or accepted normal patterns; can detect novel attacks; has a high false positive rate
  • A specification-based IDS: uses a set of manually defined rules, specific for the application or running protocols in the WSN; it is recommended for the WSNs, since the specification database requires less memory
  [Figure: General architecture of the IDSs for WSNs]

  8. Previously Proposed Approaches to the IDS Design
  • A significant number of IDS design approaches rely on
    • analysis of incoming and outgoing traffic from a node and
    • monitoring the neighbors’ behaviors (watchdog technique)
  • Besemann, et al. (2004), Roman, et al. (2006), Hai, et al. (2007): suggested to use a local IDS (LIDS) agent and a global IDS (GIDS) agent for traffic analysis and for nodes’ monitoring and cooperation respectively
  While the analysis of incoming and outgoing traffic does not require much energy, an active GIDS agent may quickly exhaust the battery of a node. Therefore, algorithms for optimal deployment and activation of the GIDS agents were proposed:
  • Anjum, et al. (2004): proposed to activate the IDS agents only at cluster heads (CHs) which belong to a minimum cut-set (a set of nodes through which most of the traffic is transferred). The CHs were assumed to be trustworthy
  • Techateerawat and Jennings (2006): analyzed three adaptive strategies of IDS deployment: 1) core defense – protects the CH; 2) boundary defense – protects the boundary of each cluster; 3) distributed defense – the uniform activation of IDS agents in the WSN. As soon as an intrusion is detected, alarms are broadcast to activate the IDS agents in the vicinity of the attacker
  • Chatzigiannakis and Strikos (2007): suggested to activate the GIDS agents at the CHs which are members of a cut-set; in addition, a few nodes in each cluster run active GIDS agents which monitor the CH’s behavior
  • Hai, et al. (2007): proposed to activate GIDS agents at all CHs in order to monitor cluster members’ behaviors. All monitoring nodes were assumed to be trustworthy

  9. Ising Model Formulation for the Activation of GIDS Agents
  The WSN is represented as a weighted (directed) graph G = (V, E, W):
  V = {v1, v2, …, vN} – the set of individual components (the WSN nodes)
  E – the set of edges (links) between components
  W – the set of weights assigned to edges and representing the strength of interaction between the components
  Self loops are absent.
  Each node is assigned a spin to represent the state of its GIDS agent.
  B_t is a time-dependent external field:
  – the magnitude of the local field at node v_k
  – a scalar (anomaly) measure at the sensor node
  A time-dependent Hamiltonian H_t:
  Given the spin states of nodes and anomaly measures at a given time instant, the problem of self-organization of IDS agents is reduced to estimation of the state probabilities of the possible subsequent states of the Ising system.

  10. Optimal Activation of the IDS Agents in the WSN
  The goal:
  • To estimate probabilities of the future states of the system
  • To determine the distribution of active GIDS agents in the sensor network
  • To provide adaptability to the IDS agents activation
  The model was simplified by the following assumptions:
  • Markov dynamics: the future state depends only on the present state
  • Quasi-static equilibria at all time instants: the system follows the single-flip dynamics, large changes in the system’s states are impossible
  • The system follows the condition of the detailed balance: with P_I, P_J the probabilities of the system being in states I and J respectively, and p_IJ the probability of transition from state I to state J, then:
  Other denotations:
  – the weighting coefficient for the distance measure
  – the coefficient proportional to the “inverse temperature”

  11. Algorithm: Self-Organization of the IDS Agents
  While (1) do
      Collect traffic data from the neighboring devices
      Compute local anomaly measure at the current time instant and broadcast it to the one-hop neighbors
      Compute the external field:
      Compute change in energy and calculate the probability of flipping the state
      Change the spin state with probability for the next time period
  End
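  The loop above on a constructed 4-node line topology, as an added simulation that is not code from the paper: spin +1 means the node's GIDS agent is active, and the Hamiltonian H = -Σ w_ij s_i s_j - Σ B_k s_k, the local-field form B_k = λ(a_k + Σ_j w_kj a_j) - θ (θ an assumed activation cost so agents idle when nothing is anomalous), and the Metropolis single-flip rule (which satisfies detailed balance) are all assumptions, since the slides do not reproduce the formulas.

```python
import math
import random

# Constructed topology: nodes 0-1-2-3 in a line, unit link weights, no self loops
# (assumed symmetric weights; the paper's graph may be directed).
EDGES = {(0, 1): 1.0, (1, 2): 1.0, (2, 3): 1.0}

def neighbors(k, edges=EDGES):
    """Return {j: w_kj} for the one-hop neighbours of node k."""
    out = {}
    for (i, j), w in edges.items():
        if i == k:
            out[j] = w
        elif j == k:
            out[i] = w
    return out

def external_field(k, anomaly, lam=1.0, theta=0.5):
    """Assumed local field B_k: own anomaly plus link-weighted anomalies
    broadcast by one-hop neighbours, minus a constant activation cost theta."""
    nb = neighbors(k)
    return lam * (anomaly[k] + sum(w * anomaly[j] for j, w in nb.items())) - theta

def delta_energy(k, spins, anomaly, lam=1.0, theta=0.5):
    """Energy change for flipping s_k under the assumed Hamiltonian
    H = -sum_ij w_ij s_i s_j - sum_k B_k s_k (spin +1 = GIDS agent active)."""
    local = sum(w * spins[j] for j, w in neighbors(k).items())
    return 2.0 * spins[k] * (local + external_field(k, anomaly, lam, theta))

def flip_probability(d_energy, beta=1.0):
    """Metropolis acceptance: flip for sure if energy drops, else exp(-beta*dE)."""
    return min(1.0, math.exp(-beta * d_energy))

def step(spins, anomaly, beta=1.0, rng=random):
    """One time period of the slide-11 loop, evaluated synchronously on the
    states and anomaly measures the nodes broadcast in the previous period."""
    new = list(spins)
    for k in range(len(spins)):
        p = flip_probability(delta_energy(k, spins, anomaly), beta)
        if rng.random() < p:
            new[k] = -spins[k]
    return new

if __name__ == "__main__":
    spins = [-1, -1, -1, -1]          # all GIDS agents idle at t = 0
    anomaly = [0.0, 5.0, 0.0, 0.0]    # constructed: anomaly observed at node 1
    rng = random.Random(7)
    for t in range(3):
        spins = step(spins, anomaly, rng=rng)
        print(t, spins)               # node 1 and its neighbours switch to +1
```

With the anomaly at node 1, the energy change for nodes 0, 1 and 2 is negative, so they activate with probability 1 in the first period, while node 3 (two hops away) flips only with probability e^-3 and stays idle, which is the "small fraction of nodes near the anomaly" behaviour the conclusions describe.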

  12. Conclusions
  • The paper proposes a model for adaptive optimal activation of the GIDS agents for intrusion detection in the WSNs, which is based on
    • the weighted graphs and
    • the Ising model, based on the principles of Statistical Mechanics
  • Given the estimations of traffic anomalies, a small fraction of nodes is activated in order to watch their neighbors’ behaviors only when it is necessary
  • The proposed scheme is distributed and lightweight in terms of computation and communication overheads
  • It can be applied in large WSNs, since the BSs do not collect and store the traffic information from all nodes
  • Further research will be devoted to:
    • the performance evaluation using simulations and
    • comparison to other approaches for GIDS agents deployment and activation
