
Intrusion Detection Systems for Wireless Sensor Networks: A Survey

Intrusion Detection Systems for Wireless Sensor Networks: A Survey. Ashfaq Hussain Farooqi, FAST-NUCES, Islamabad, Pakistan. Agenda: Wireless Sensor Networks (WSNs); Security issues in WSNs; Intrusion Detection System (IDS); IDS proposed for WSNs; IDS architectures; Anomaly detection algorithms.



Presentation Transcript


  1. Intrusion Detection Systems for Wireless Sensor Networks: A Survey Ashfaq Hussain Farooqi FAST-NUCES, Islamabad, Pakistan.

  2. Agenda
  • Wireless Sensor Networks (WSNs)
  • Security issues in WSNs
  • Intrusion Detection System (IDS)
  • IDS proposed for WSNs
  • IDS architectures
  • Anomaly detection algorithms
  • Compromised node detection
  • Future work
  • Conclusion

  3. Wireless Sensor Networks (WSNs)
  • Sensor nodes are densely deployed [1]
    • e.g. dropped from an aircraft over an area
    • to monitor the surrounding activity
    • and transmit the information to the base station
  • The sensor network is infrastructure-less.
  • Sensor nodes run TinyOS.
  • Transmission depends on the routing protocol.

  4. Components of a Sensor Node [1]

  5. Sensor Networks vs. Ad Hoc Networks
  • The number of nodes in a sensor network can be several orders of magnitude higher than in an ad hoc network.
  • Sensor nodes are densely deployed.
  • Sensor nodes are prone to failures.
  • The topology of a sensor network changes very frequently.
  • Sensor nodes mainly use broadcast; most ad hoc networks are based on point-to-point communication.
  • Sensor nodes are limited in power, computational capacity and memory.
  • Sensor nodes may not have a global ID.

  6. Working environment
  • Sensor nodes may be working
    • in busy intersections
    • in the interior of large machinery
    • at the bottom of an ocean
    • inside a twister
    • in a battlefield beyond the enemy lines
    • in a home or a large building

  7. Data aggregation [1]

  8. Applications of WSNs
  • Battleground surveillance
    • Enemy movement (tanks, soldiers, etc.)
  • Environmental monitoring
    • Habitat monitoring
    • Forest fire monitoring
  • Hospital tracking systems
    • Tracking patients, doctors, drug administrators

  9. Need for Security
  • Availability
    • The network is accessible throughout its lifetime
  • Authorization
    • Malicious nodes cannot transmit to legitimate ones
  • Authentication
    • Malicious nodes should not be able to obtain authenticity
  • Confidentiality
    • An attacker cannot affect normal communication
  • Integrity
    • No modification to the transmitted data
  • Non-repudiation
    • Redundancy is allowed
  • Freshness
    • Data should be fresh, and nodes should respond to fresh data
  Solution: Cryptography

  10. mu TESLA
  • The sender broadcasts a message with a Message Authentication Code (MAC) generated with a secret key that is disclosed only after a certain period of time. The receiver, which does not yet know the key, has to buffer the packet and authenticate it in a later time interval, when the sender discloses the key.
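To make the delayed key disclosure on this slide concrete, the following Python sketch is an added example written for this page (it is not code from the slides or from the mu TESLA authors). Each interval i has its own key K[i]; a packet sent in interval i carries an HMAC under K[i] and discloses K[i-1]. The receiver holds the chain commitment K[0], checks every disclosed key by hashing it back to a key it already trusts (mu TESLA uses such a one-way key chain), buffers packets until their key is disclosed, and refuses any packet whose key is already public, since anyone could have computed that MAC. SHA-256, HMAC-SHA256, the chain length, the one-interval disclosure delay and the sample messages are this example's assumptions.

```python
import hashlib
import hmac

CHAIN_LEN = 8  # assumption: number of intervals covered by one key chain


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_key_chain(seed: bytes, n: int = CHAIN_LEN) -> list:
    """One-way key chain: K[n] = seed, K[i] = H(K[i+1]).
    Keys are used in the order K[1], K[2], ..., so a disclosed K[i]
    reveals nothing about any later key."""
    chain = [b""] * (n + 1)
    chain[n] = seed
    for i in range(n - 1, -1, -1):
        chain[i] = H(chain[i + 1])
    return chain


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_packet(chain: list, i: int, msg: bytes) -> dict:
    """Sender side: MAC under this interval's key, disclose the previous key."""
    return {"interval": i, "msg": msg, "mac": mac(chain[i], msg),
            "disclosed": chain[i - 1]}


class Receiver:
    def __init__(self, commitment: bytes):
        self.known = {0: commitment}  # interval -> key the receiver trusts
        self.buffer = []              # packets waiting for their key
        self.accepted = []
        self.rejected = []

    def _learn_key(self, j: int, key: bytes) -> bool:
        """Accept K[j] only if hashing it repeatedly reaches a trusted key."""
        top = max(self.known)
        if j <= top:
            return hmac.compare_digest(self.known[j], key)
        h, newly = key, {}
        for k in range(j, top, -1):
            newly[k] = h
            h = H(h)
        if not hmac.compare_digest(h, self.known[top]):
            return False
        self.known.update(newly)  # intermediate keys become trusted too
        return True

    def _drain(self):
        """Verify every buffered packet whose key is now trusted."""
        top = max(self.known)
        still_waiting = []
        for p in self.buffer:
            if p["interval"] <= top:
                expected = mac(self.known[p["interval"]], p["msg"])
                ok = hmac.compare_digest(expected, p["mac"])
                (self.accepted if ok else self.rejected).append(p["msg"])
            else:
                still_waiting.append(p)
        self.buffer = still_waiting

    def receive(self, pkt: dict) -> str:
        i = pkt["interval"]
        # Safety condition: a key that is already disclosed cannot authenticate anything.
        if i <= max(self.known):
            self.rejected.append(pkt["msg"])
            return "rejected-late"
        if not self._learn_key(i - 1, pkt["disclosed"]):
            self.rejected.append(pkt["msg"])
            return "rejected-badkey"
        self.buffer.append(pkt)
        self._drain()
        return "buffered"


def demo():
    """Constructed run: three genuine packets, a replay under a disclosed key,
    and a forged MAC that is caught once the real key for its interval arrives."""
    chain = make_key_chain(b"constructed-seed")
    rx = Receiver(chain[0])
    for i, m in ((1, b"m1"), (2, b"m2"), (3, b"m3")):
        rx.receive(make_packet(chain, i, m))
    late = {"interval": 1, "msg": b"forged-late",
            "mac": mac(chain[1], b"forged-late"), "disclosed": chain[0]}
    r1 = rx.receive(late)
    fake = {"interval": 4, "msg": b"forged-mac",
            "mac": mac(b"guess", b"forged-mac"), "disclosed": chain[3]}
    r2 = rx.receive(fake)
    rx.receive(make_packet(chain, 5, b"m5"))  # discloses K[4], exposing the forgery
    return rx.accepted, rx.rejected, (r1, r2)
```

The receiver only ever accepts a packet one interval after it was sent, which is the buffering cost the slide mentions; the check that K[i] is not yet public is what stops an attacker who has just learned a disclosed key from reusing it.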

  11. Security issues in WSNs
  • Attacks are possible because of
    • Self control
    • Infrastructure-less operation
    • Limited computation
    • Topology change
  • Several types of attacks
    • Denial of service attacks [5]
    • Sybil attacks [7,8]
    • Others [9]

  12. Security map

  13. Denial of Service (DoS) attack
  • Legitimate nodes can't communicate with each other.
  • A. D. Wood et al. [5] described various attacks that lead to DoS at the different network layers of a sensor node.
  A. D. Wood and J. A. Stankovic, "Denial of service in sensor networks," IEEE Computer, pp. 48-56, October 2002.

  14. Physical Layer
  • Jamming: an adversary keeps sending useless signals, making other nodes unable to communicate
  • Defense:
    • Reroute traffic
    • Mode change

  15. Physical Layer
  • Tampering: an attacker can tamper with nodes physically
  • Defense:
    • React to tampering in a fail-complete manner, e.g. erase memory
    • Hide the nodes

  16. Link Layer
  • Collision: the attacker only needs to disrupt part of a transmission.
    • Defense: error-correcting codes
  • Exhaustion: repeated retransmission causes battery exhaustion; in IEEE 802.11 based MAC, continuous RTS requests exhaust the battery of the targeted neighbor
    • Defense: rate limiting in MAC admission control
  • Unfairness: the above attacks can cause unfairness
    • Defense: use small frames

  17. Network and Routing Layer
  • Misdirection: forwards messages along wrong paths; provides wrong route information
  • Defense:
    • Egress filtering: in hierarchical routing, a parent can verify the source of the packets and make sure that all packets come from its children.
    • Authorization: only authorized nodes can exchange routing information.
    • Monitoring: every node monitors whether its neighbors behave correctly.

  18. Network and Routing Layer (cont.)
  • Neglect and greed: malicious and selfish nodes
    • Defense: redundancy (multiple paths, or multiple packets along the same route)
  • Homing: nodes that have special responsibilities are vulnerable
    • Defense: hiding the important nodes (e.g. encryption)
  • Black holes: attackers make neighbors route traffic to them, but don't relay the traffic
    • Defense: authorization, monitoring, redundancy

  19. Transportation Layer
  • Flooding: an attacker sends many connection establishment requests to the victim, making the victim run out of resources
  • Defense:
    • Limit the number of connections
    • Make the flow connectionless
    • Client puzzle: challenge the client
  • De-synchronization: an attacker forges messages carrying wrong sequence numbers to one or both endpoints
  • Defense: authenticate all packets, including the transport protocol header.

  20. What is a Sybil attack?
  • A malicious node behaves as if it were a larger number of nodes, for example by impersonating¹ other nodes or simply by claiming false identities. In the worst case, an attacker may generate an arbitrary number of additional node identities using only one physical device.
  1. impersonate: to pretend to be another person, especially in order to deceive. Encarta® World English Dictionary (P) 1999 Microsoft Corporation. All rights reserved. Developed for Microsoft by Bloomsbury Publishing Plc.

  21. Taxonomy of Sybil Attacks
  • Communication
    • Direct: the Sybil node communicates directly with legitimate nodes.
    • Indirect: the Sybil node communicates through some other malicious nodes.
  • Identities
    • Fabricated: simply create an arbitrary new 32-bit Sybil identity.
    • Stolen: given a mechanism to identify legitimate node identities, the attacker uses a legitimate node's identity.
  • Simultaneity
    • Simultaneous: all Sybil identities are present at once.
    • Non-simultaneous: a large number of identities is presented over a period of time, while only a smaller number acts at any one time.

  22. Sybil attacks [8]
  • Known attacks
    • Distributed storage
      • Replication and fragmentation are performed; a node stores the data in several nodes.
    • Routing
      • Multipath
      • Geographic routing
  • New attacks
    • Data aggregation
    • Voting
    • Fair resource allocation
    • Misbehavior

  23. Other attacks [9]
  • Attacks on the mote
  • Traffic analysis
  • Attacks on reputation-assignment schemes
  • Attacks on in-network processing (data aggregation)
  • Attacks on time synchronization protocols

  24. Routing protocol attacks [6]
  • Homing
  • Selective forwarding
  • Black-hole attack
  • Sink-hole attack
  • Worm-hole attack
  • Flooding
  • Misdirection

  25. An example of WSNs: Deployment [figure: a sink/base station and sensor nodes A to X scattered over the field]

  26. An example of WSNs: Deployment [figure: the same deployment]

  27. An example of WSNs: Routing [figure: the same nodes with routing paths toward the sink]

  28. An example of WSNs: Messaging [figure: messages travelling along the routing paths to the sink]

  29. An example of WSNs: Messaging [figure: continued]

  30. An example of WSNs: Messaging [figure: continued]

  31. Compromised node
  • When a legitimate node is attacked by an adversary it becomes a malicious node, known as a compromised node.
  • It performs the same activities as a legitimate node, plus whatever the adversary has configured.
  • Remember that the node still appears to be a normal node.

  32. Black-hole or Selective forwarding attacks
  • Selective forwarding: in this type of attack the compromised node selectively forwards packets to other nodes and drops a fraction of the packets.
    • In sensor networks one such attack is the denial-of-message attack.
  • Black hole: a compromised node sends wrong routing information to its neighbors, claiming that it is a low-cost route, and the other nodes start sending their packets to this node.

  33. Black-hole or Selective forwarding attacks [figure: the example deployment (sink and nodes A to X) under a black-hole / selective forwarding attack]

  34. Sink-hole Attack
  • Sink hole
    • In this type of attack the compromised node tries to gain more attention from its surroundings and tries to become the parent node of its neighbors.
    • In the MintRoute routing protocol, the compromised node sends wrong information in the route update message and becomes the parent.
    • If it succeeds, more traffic moves to that node: the messages from its neighbors and the messages from the neighbors' children. It usually drops all the packets it receives, so the base station receives less information from the sensor network.

  35. Sink-hole Attack [figure: the example deployment (sink and nodes A to X) under a sink-hole attack]

  36. Intrusion Detection System (IDS)
  • An IDS consists of
    • Collection unit
    • Detection unit
    • Response unit
  • Types
    • Host based IDS
    • Network based IDS

  37. IDS (continued)
  • Detection mechanisms
    • Misuse detection
    • Anomaly detection
    • Specification based detection
  • Installation of the IDS agent
    • Centralized
    • Distributed
      • Individualized
      • Cooperative
    • Hybrid

  38. IDS proposed for WSNs
  • IDS architectures
    • Spontaneous Watchdog approach [12] (2006)
    • Cooperative local auditing [13, 14] (2007)
    • Monitoring node detection approach [15] (2005)
    • Pair based abnormal node detection [16] (2008)
  • Anomaly detection algorithms
    • ANDES [17] (2007)
    • Cumulative Summation [18] (2006)
    • Fixed width clustering algorithm [19] (2006)
    • Artificial Immune System [20] (2007)
  • Compromised node detection
    • Application Independent Framework [21] (2008)
    • Intrusion-aware Validation algorithm [22] (2008)

  39. Spontaneous watchdog [12]
  • Distributed intrusion detection system.
  • Basic components
    • Local agent
      • Audits the data that comes from the nodes inside its radio range and generates an alert if it is found to come from a malicious node or from a node not present in its neighbor list.
    • Global agent
      • If activated, it acts as a spontaneous watchdog.
      • Checks whether the node that received a message forwards that message or not.

  40. Cooperative local auditing [13,14]
  • IDS client
    • Present in each sensor node.
    • Composed of five components:
      • Local packet monitoring
      • Local detection engine
      • Cooperative detection engine
      • Communication
      • Local response
  [flowchart: send/receive packets -> check rules; no violation -> regular task; violation -> communicate / voting; not malicious -> regular task; malicious -> alert to sink]

  41. Cooperative local auditing
  Assumption: MintRoute routing protocol
  Rules for Sink-hole attack [13]
  • A node checks the ID of the packet sender, which should be one of its neighbors. It generates an alert in any other situation.
  Rules for Black-hole attack [12]
  • Node J sends a data packet to node C and buffers that packet for some time.
  • It then waits and watches whether node C forwards that packet or not.
  • If it doesn't, J increments a counter corresponding to node C; otherwise the packet is removed from the buffer.
  • If, over a certain number of time units, node C drops t percent of the packets, J generates an alert.
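The two rule sets on this slide can be simulated in a few dozen lines. The following Python class is an added example written for this page, not the IDS client from [13,14]: it plays the role of node J, keeps sent packets in a buffer, counts a packet as dropped when its forwarded copy is not overheard within a timeout, and raises an alert once the drop rate over a sliding window reaches the threshold t; it also applies the neighbor-ID check. The window size, the timeout, the value of t and the packet trace are constructed assumptions.

```python
from collections import defaultdict, deque


class LocalAuditor:
    """Audit logic of one sensor node (node J on the slide), constructed example."""

    def __init__(self, neighbors, drop_threshold=0.5, window=10, timeout=3):
        self.neighbors = set(neighbors)   # IDs this node accepts packets from
        self.t = drop_threshold           # the slide's "t percent", as a fraction
        self.window = window              # observations per node to judge over
        self.timeout = timeout            # how long a packet stays buffered
        self.pending = {}                 # pkt_id -> (next_hop, sent_at)
        self.history = defaultdict(lambda: deque(maxlen=window))  # node -> 1 dropped / 0 forwarded
        self.alerts = []

    def check_sender(self, sender):
        """Sink-hole rule: the packet sender must be in the neighbor list."""
        if sender in self.neighbors:
            return True
        self.alerts.append(("unknown-sender", sender))
        return False

    def on_send(self, pkt_id, next_hop, now):
        """Black-hole rule, step 1: send the packet and keep a copy in the buffer."""
        self.pending[pkt_id] = (next_hop, now)

    def on_overhear(self, pkt_id, forwarder):
        """Step 2: the forwarded copy was overheard, so release the buffered packet."""
        entry = self.pending.get(pkt_id)
        if entry and entry[0] == forwarder:
            del self.pending[pkt_id]
            self._record(forwarder, 0)

    def expire(self, now):
        """Step 3: packets not forwarded within the timeout count as dropped."""
        for pkt_id, (hop, sent_at) in list(self.pending.items()):
            if now - sent_at >= self.timeout:
                del self.pending[pkt_id]
                self._record(hop, 1)

    def _record(self, node, dropped):
        """Step 4: alert once the drop rate over the window reaches t."""
        h = self.history[node]
        h.append(dropped)
        if len(h) == self.window and sum(h) / self.window >= self.t:
            if ("drop-rate", node) not in self.alerts:
                self.alerts.append(("drop-rate", node))

    def drop_ratio(self, node):
        h = self.history[node]
        return sum(h) / len(h) if h else 0.0


def demo():
    """Constructed trace: C forwards only every third packet, D forwards everything,
    and a packet later arrives from an unknown node Z."""
    j = LocalAuditor(neighbors={"C", "D"}, drop_threshold=0.5, window=10, timeout=3)
    now = 0
    for k in range(10):
        j.on_send(f"c{k}", "C", now)
        j.on_send(f"d{k}", "D", now)
        if k % 3 == 0:
            j.on_overhear(f"c{k}", "C")
        j.on_overhear(f"d{k}", "D")
        now += 1
        j.expire(now)
    j.expire(now + j.timeout)  # flush whatever is still buffered
    j.check_sender("Z")
    return {"alerts": j.alerts,
            "drop_ratio": {"C": j.drop_ratio("C"), "D": j.drop_ratio("D")}}
```

Judging over a full window rather than on the first drop is what keeps an ordinary lossy link from being reported as a black hole; the threshold t is the knob that trades false alarms against detection delay.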

  42. Comparison of IDS architectures

  43. ANDES [17]
  • Centralized anomaly detection mechanism
  • Main components
    • Collection and analysis of application data
      • Regular data is collected at the sink.
      • Record the sequence numbers of the last n messages
      • Time-stamp of the last received data packet
      • Update the total number of application packets
      • Analyze the application data
      • Maintain a list of active and connected nodes.
    • Collection and analysis of management information
      • An additional management routing protocol collects address, parent, hops, send_cnt, receive_cnt, fwd_cnt, failure_cnt, etc.

  44. ANDES (continued) [figure: F, H, I, O, and J are unavailable] [figure: C, F, J, M, and E are unavailable]
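The sink-side bookkeeping that slides 43 and 44 describe (last n sequence numbers, last time-stamp, total packet count, list of active nodes) is enough to produce the "unavailable" lists shown in the figures. The following Python class is an added example written for this page, not the ANDES implementation from [17]: it tracks each node's reports, declares a deployed node unavailable when nothing has arrived from it within a timeout, and uses sequence-number gaps to estimate per-node loss. The timeout, the deployed node set and the packet trace are constructed assumptions.

```python
from collections import defaultdict, deque


class SinkAnalyzer:
    """Centralized application-data analysis at the sink, constructed example."""

    def __init__(self, n_last=5, timeout=30):
        self.n_last = n_last
        self.timeout = timeout                              # silence before "unavailable"
        self.seqs = defaultdict(lambda: deque(maxlen=n_last))  # last n sequence numbers
        self.last_ts = {}                                   # time-stamp of last packet
        self.total = defaultdict(int)                       # total application packets
        self.expected_next = {}                             # next sequence number expected
        self.missed = defaultdict(int)                      # gaps seen in sequence numbers

    def on_packet(self, node, seq, ts):
        """Update the per-node records for one application packet."""
        if node in self.expected_next and seq > self.expected_next[node]:
            self.missed[node] += seq - self.expected_next[node]
        self.expected_next[node] = seq + 1
        self.seqs[node].append(seq)
        self.last_ts[node] = ts
        self.total[node] += 1

    def active_nodes(self, now):
        """Nodes heard from within the timeout."""
        return sorted(n for n, ts in self.last_ts.items() if now - ts <= self.timeout)

    def unavailable_nodes(self, now, deployed):
        """Deployed nodes that are silent or were never heard from (as in the figures)."""
        return sorted(set(deployed) - set(self.active_nodes(now)))

    def loss_ratio(self, node):
        """Fraction of a node's packets that never reached the sink, from sequence gaps."""
        sent = self.total[node] + self.missed[node]
        return self.missed[node] / sent if sent else 0.0


def demo():
    """Constructed deployment: A reports regularly, B loses one packet,
    C goes silent after two reports, F and H never report at all."""
    deployed = {"A", "B", "C", "F", "H"}
    sink = SinkAnalyzer(n_last=5, timeout=30)
    packets = [  # (node, sequence number, time-stamp)
        ("A", 1, 0), ("B", 1, 0), ("C", 1, 0),
        ("A", 2, 10), ("B", 2, 10), ("C", 2, 10),
        ("A", 3, 20),
        ("A", 4, 30), ("B", 4, 30),
        ("A", 5, 40), ("B", 5, 40),
    ]
    for node, seq, ts in packets:
        sink.on_packet(node, seq, ts)
    now = 60
    return sink.active_nodes(now), sink.unavailable_nodes(now, deployed), sink.loss_ratio("B")
```

Because the analysis is centralized, an attack that only reshapes routing (a sink hole that still forwards) shows up here as nothing more than changed loss ratios and a shorter active list; the management statistics (parent, hops, fwd_cnt) from slide 43 are what would separate that case from plain node failure.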

  45. CUSUM [18]
  • Distributed anomaly detection mechanism
  • Monitor nodes analyze the behavior of nodes as normal or malicious.
  • Categories of attack
    • Compromising a node to attract the attention of other nodes.
    • Affecting the packets' data, as in collisions.
    • Flooding the nodes to exhaust their resources.
  • Analysis
    • Number of messages received by a node.
    • Number of collisions occurring with its packets.
    • Number of packets emerging from a particular node.

  46. CUSUM (continued)
  • Monitor node
    • The IDS agent is installed in the monitor nodes.
    • Two tasks
      • Normal listening
      • Promiscuous listening
    • The anomaly detection module uses the statistics collected from the analysis of packet headers to generate the type of alert.
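Slides 45 and 46 name the three statistics a monitor node collects but not how cumulative summation turns them into alerts. The following Python code is an added example written for this page, not the detector from [18]: it runs a one-sided CUSUM (S_t = max(0, S_{t-1} + x_t - mu - k), alarm when S_t > h) on each per-node count series and maps the statistic that fired to the attack category on slide 45. The allowance k, the threshold h, the baseline counts and the observed counts are constructed assumptions; in the example they are small integers so the arithmetic can be followed by hand.

```python
import statistics

# Which monitored statistic points at which category of attack (slide 45).
STAT_TO_ALERT = {
    "received": "attention-attraction",   # messages received by a node
    "collisions": "collision",            # collisions seen on the node's packets
    "sent": "flooding",                   # packets emerging from the node
}


class CusumDetector:
    """One-sided CUSUM on a count series: S_t = max(0, S_{t-1} + x_t - mu - k);
    an alarm is raised when S_t exceeds h, after which S_t restarts at 0."""

    def __init__(self, baseline, k, h):
        self.mu = statistics.fmean(baseline)  # mean of the normal (training) counts
        self.k = k                            # allowance: small shifts are tolerated
        self.h = h                            # decision threshold
        self.s = 0.0

    def update(self, x):
        self.s = max(0.0, self.s + (x - self.mu - self.k))
        if self.s > self.h:
            self.s = 0.0
            return True
        return False


class MonitorNode:
    """One detector per (monitored node, statistic), fed per-interval counts."""

    def __init__(self, baselines, k=1.0, h=8.0):
        self.det = {(node, stat): CusumDetector(counts, k, h)
                    for node, stats in baselines.items()
                    for stat, counts in stats.items()}
        self.alerts = []

    def observe(self, interval, node, stat, count):
        if self.det[(node, stat)].update(count):
            self.alerts.append((interval, node, STAT_TO_ALERT[stat]))


def demo():
    """Constructed run: nodes C and D behave normally, then C starts flooding."""
    normal = [5, 6, 4, 5, 5, 6, 4, 5]  # training counts per interval
    baselines = {n: {s: normal for s in STAT_TO_ALERT} for n in ("C", "D")}
    mon = MonitorNode(baselines)
    observed = {  # per-interval counts obtained from promiscuous listening
        ("C", "received"):   [5, 6, 4, 5, 5],
        ("C", "collisions"): [5, 4, 6, 5, 5],
        ("C", "sent"):       [5, 6, 5, 20, 22],  # C floods from interval 3 on
        ("D", "received"):   [5, 5, 6, 5, 6],
        ("D", "collisions"): [4, 5, 5, 6, 5],
        ("D", "sent"):       [6, 5, 5, 4, 5],
    }
    for interval in range(5):
        for (node, stat), series in observed.items():
            mon.observe(interval, node, stat, series[interval])
    return mon.alerts
```

The allowance k is what makes the ordinary jitter in the counts (4 to 6 around a mean of 5) decay back to zero instead of accumulating, while a sustained shift of the size a flood produces crosses h within one interval.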

  47. Comparison of Anomaly Detection Algorithms

  48. Comparison of Compromised node detection

  49. Future work
  • The increasing demand for WSNs makes them vulnerable to different types of security threats.
  • Requirement
    • A complete security system
    • A reliable one.
  • Future approach
    • A distributed / cooperative anomaly based IDS approach that also covers the secure transmission mechanism in detail.

  50. Conclusion
  • Secure routing or key management protocols cannot provide security against strong adversary attacks.
  • IDS is a solution.
  • It is still a new area.
  • Researchers have proposed IDS models for WSNs.
  • A reliable solution is still unavailable.
  • A reliable distributed / cooperative anomaly based IDS approach is a future demand.
