Intrusion Detection in Sensor Networks Based on Measurements

Leon Reznik, Bakytzhan K. Bitemirov
Department of Computer Science, Rochester Institute of Technology, Rochester NY, USA

Michael Negnevitsky
School of Engineering, University of Tasmania, Hobart TAS, Australia

Abstract—The paper presents the results of an empirical study of intrusion detection methods in wireless sensor networks (WSN). It intends to verify whether networking of heterogeneous sensors in a WSN improves the system reliability and security. Unlike many other reported approaches, which employ conventional networking intrusion detection techniques in a WSN environment, this paper presents methods specific to sensor networks. They are designed to take advantage of receiving sensor signals from networked sensors by building models of the sensor signals and, on the higher network levels, of the objects under measurement. The methods are based on statistical processing of the measurement results coming from sensors and employ those models to detect anomalies caused either by equipment malfunction or by malicious human activities and mistakes. Three algorithms are examined and implemented with SunSpot sensor kits produced by Sun Corp. Their performance in two intrusion activities executed on real sensor networks is analyzed.

I. INTRODUCTION

Over the past decade Wireless Sensor Networks (WSN) have increasingly become the subject of intense scientific interest. These networks are mostly used to monitor physical and environmental conditions by measuring temperature, humidity, illumination, sound, vibration, pressure, motion or pollutants at different locations. A typical sensor network architecture involves the sensor nodes forwarding all gathered data to a collection point called an aggregation node or the base station. Wireless sensor networks are mostly unguarded. This means that an attacker may find it easy to capture a node physically, alter its code and obtain private information such as a cryptographic key. Like any other network, WSNs are vulnerable to different kinds of attacks. For example, intruders might deploy new sensor nodes or compromise existing ones and then use them to send malicious information targeting the base station or the server. These nodes can also try to overwhelm the network with unnecessary updates, data and other traffic so as to deplete resources such as bandwidth and power, which are typically limited.

Preventive mechanisms can be applied to protect WSNs against certain attack types. However, there exist some attacks for which there are no effective known prevention methods, such as a wormhole attack [1]. Another example of an attack that can be launched against a WSN is the masquerade attack [2]. These attacks can be very dangerous because adversaries can run other attacks while hiding and presenting themselves as a legitimate node. Moreover, there is no guarantee that the preventive methods will be able to hold the intruders off. In these cases, it is not sufficient to protect the information sent out by the sensor nodes by encrypting it; it is also necessary to detect malicious events in the system by using some mechanism of intrusion detection. Besides preventing the intruder from causing damage to the network, an intrusion detection system (IDS) can acquire information related to the attack techniques, assisting in the development and execution of preventive techniques.

Intrusion detection design in WSNs poses many challenges, mainly due to the lack of resources. Besides, WSNs are typically application-oriented, which means they are designed to have very specific characteristics according to the target application. Intrusion detection assumes that the normal system behavior is different from the behavior of a system under attack. The several possible WSN configurations make it difficult to define the "normal" or "expected" system behavior. Since common nodes are designed to be cheap and small, they do not have enough hardware resources. Thus available memory may not be sufficient to create a detection log file. Moreover, a sensor node is designed to be disposed of after being used by the application, and a log file is difficult to recover because of the possibly dangerous environment in which the network was deployed.

978-1-4244-5335-1/09/$26.00 ©2009 IEEE
IEEE SENSORS 2009 Conference

The software stored on the node must be designed to save as much energy as possible in order to extend the network lifetime [3]. Another challenge to the design of an IDS is the more frequent failures of sensor nodes when compared to processing entities found in wired networks. Because resources at a single node are scarce, distributed systems have been tried. A distributed method for anomaly detection that complies with the storage and computation capacity of a sensor node has been developed [4]. The algorithm is based on a sliding window approach. At every node, only the last N packets (the main packet buffer length) received from each neighbor are used to calculate the statistics for that neighbor, and each arriving packet is compared against these values. If the packet conforms to the statistics of the neighbor, it is accepted as normal and is used for new calculations. The oldest packet's values are removed from the list. The arrival time and receive power of each incoming packet are recorded and used for detecting anomalies.

In this work, we studied the feasibility of using measurement results to detect attacks violating data integrity in WSNs. The goal of the paper is to describe the results of an empirical study of statistical intrusion detection mechanisms that were applied in a network composed of SunSPOT sensor network kits to detect attacks modifying data on the nodes by analyzing the measurement results received at the base station. Section II provides more information about the hardware and software used in the study. Section III describes the study, while Section IV comments on its results.

II. STUDY TESTBED

A. Hardware Platform

Sun Microsystems, Inc. Small Programmable Object Technologies (SPOT) are battery-powered sensor devices running the Squawk JVM [5]. The SPOT comes equipped with a 32-bit 180 MHz ARM920T processor with 512K of RAM and 4MB of Flash memory [6], and supports radio communication over the 802.15.4 protocol within a range of 80 meters. In addition to the main processor, the eDEMO board [7] also features I/O interfaces for USB, SPI and programmable I/O based communication. The SPOT is powered by an internal 3.7V 720mAh rechargeable lithium-ion prismatic cell, which can be charged either using the USB type mini-B device or from an external source with a 5V±10% supply [7]. The eDEMO board contains a row of 8 tri-color LEDs and two push buttons that operate in parallel. Another device of primary importance is the Analog to Digital Converter (ADC) embedded in the eDEMO board. The analog inputs accept a voltage of 0-3V, with a resolution of 1.024mV/count, and produce the output according to the formula ADC = Vin × 1024/Vref [7]. In other words, the digitized output of each of the sensors is in the range 0-1024. These values are normalized using default and reference values of the corresponding inputs. The accelerometer reading in terms of g-force is calculated using the formula (ADC - zeroOffset)/gain = (ADC - 465.5)/186.2 [7]. The output range of the Luminosity sensor is 0.1V to 4.3V, with the former indicating dark and the latter indicating light. The use of raw digitized output in the range of 0-1.024 mV for each of the sensor readings enables us to build a sensor-independent anomaly detection technique. Operating on quantized sensor measurements significantly reduces the eventual cost of storing and transmitting data across the network.

B. Testbed Functionality

The host application server makes use of the Sun SPOT library API, written in Java, to implement a data collection engine and store the data values received from the sensor nodes in a remote database. It also applies the Sensor Network Anomaly Detection (SNADS) framework, specifically developed to facilitate fast prototyping of intrusion detection applications in distributed sensor networks [8]. The Spot message listener on the host application collects the data from the Sun SPOT devices once the queue on the Sun SPOT client is ready and sent across the network. Based on the type of data packet received from the sensor nodes, the corresponding request is handled by the collection engine. The host application server initiates a connection with the sensor nodes, where the framework indicates its presence and sends the sensor readings in the form of radiogram data packets. These samples are then queued at the SPOT end and transmitted to the base station once the queue is full. Two LEDs on the SPOT are green to indicate that the sensor readings are being sent across the network and the data are being read by the base station. When the SPOT is discovered, only one green LED is on to indicate that the SPOT has been discovered; otherwise, in the undiscovered state, only one red LED is on. The data samples in the packet are then decoded by the SPOT listener component in the data collection engine and stored in the database. Each type of packet registered to be handled by the Spot listener is decoded by the base station and stored in the database in the specified format. The data readings collected from the Sun SPOT devices are raw readings extracted from an ADC.
The raw values collected from the Sun SPOT nodes are acceleration along the X, Y and Z axes, the temperature reading, the light reading and the battery power currently remaining on the SPOT node. The strength of the received signal is also extracted from the received data packet and stored in the central database. The SpotID and the MAC address of the Sun SPOT device are retrieved from the data packet and logged to the database. The scale used for measurement of acceleration and the time when the reading was taken are also recorded in the database. The data from the sensor devices are recorded continuously, which makes it possible to execute intrusion detection off-line later on as well as in real time, and to analyze the detection performance based on the models created by the anomaly detection engine.

III. EMPIRICAL STUDY

In this empirical study two attacks were implemented and their results investigated:

1) The first attack represented malicious data modifications and involved multiplication of all sensor readings by a random number in the [0,10] range.

2) Unlike the first, the second attack did not change the actual readings of the sensors. Instead it changed the order in which readings appeared in the packet to be sent to the base station. For example, the Luminosity reading was put at X acceleration's place, X acceleration at Temperature's place and so forth.

Both attacks could represent either a malicious action of the intruder performed on the sensor node or on the signal transmission via a communication channel, or a processing error, e.g. due to wrong calibration or programming.

The paper analyzes an application of three anomaly detection algorithms in SunSpot sensor networks:

1) The Normal Range (NR) approach detects anomalies in a temporal distribution of samples coming from the same sensor. It is applied on the separate sensor nodes, as it works with the measurements coming from one sensor only. First, it creates and fills a window of N samples. All initial samples in the window are considered to represent normal measurement results. The window size could be chosen based on the available resources on the sensor node and the properties of the signal coming from a particular sensor, if known. The approach determines the range of sensor signal values that will be considered normal for the next measurement by calculating the mean and the standard deviation estimate from the samples currently in the window and taking the normality range as the mean value plus/minus a few standard deviation estimates. When the next measurement arrives, it is compared against the normality range; if within it, it is declared normal, inserted in the window and used to recalculate the normality range. If it is outside the normality range, it indicates an attack.

2) The Vector Norm (VN) approach is designed to detect anomalies in the temporal and spatial distributions of samples coming from different sensors. It is applied on an aggregate node to signals originating from homogeneous sensors. The measurement results taken at the same time at an aggregation node compose a vector, for which a characteristic, called herein the norm, is calculated. Note that at this stage all measurement samples are normalized to the same scale. Besides averaging, other functions for calculating the norm from the samples could be tried, for example the square root of the sample squares. If the norm calculated for the samples taken at the next time moment deviates from the previous one beyond the threshold level, an anomaly is signaled.

3) The Regression (R) approach is designed to detect temporal anomalies in signals coming from heterogeneous sensors, for example temperature and humidity. It is applied on a sensor or aggregate node to signals coming from heterogeneous sensors having a strong correlation. Here a regression function is built between two or more sensor signals based on the window samples. This regression is used to obtain estimates that are compared against the samples received at the next time moment. A considerable difference indicates a detected anomaly.

Applying three different algorithms on various network levels allows for improving intrusion detection reliability and performance. All three methods require a number of parameters to be chosen, which is done either by expert estimates or by statistical processing of the results received during the training phase.
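The Vector Norm and Regression checks described above, run against both attack types, as an added Python example (not the Java code used in the study). The thresholds, window size and sample values are assumptions, as is keeping a flagged sample out of the reference; `l2` is one reading of the alternative norm the text mentions.

```python
from statistics import mean

def l2(vec):
    """Euclidean norm, read here as the text's 'square root of the sample squares'."""
    return sum(v * v for v in vec) ** 0.5

def vn_detect(vectors, threshold, norm=mean):
    """Vector Norm: each vector holds same-type, normalized readings taken at
    one time by several nodes; flag a step whose norm jumps past threshold."""
    flags, prev = [], None
    for vec in vectors:
        n = norm(vec)
        bad = prev is not None and abs(n - prev) > threshold
        flags.append(bad)
        if not bad:            # assumption: a flagged norm is not the next reference
            prev = n
    return flags

def fit_line(pairs):
    """Least-squares line y = a*x + b through the window samples."""
    xs, ys = zip(*pairs)
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    a = sum((x - mx) * (y - my) for x, y in pairs) / sxx if sxx else 0.0
    return a, my - a * mx

def regression_detect(pairs, window, tolerance):
    """Regression: estimate sensor y from correlated sensor x with a line fitted
    to the last `window` accepted pairs; flag a sample with a large residual."""
    win = list(pairs[:window])            # initial window is taken as normal
    flags = [False] * len(win)
    for x, y in pairs[window:]:
        a, b = fit_line(win)
        bad = abs(y - (a * x + b)) > tolerance
        flags.append(bad)
        if not bad:
            win = win[1:] + [(x, y)]
    return flags

# Constructed, normalized 0..1 (not data from the paper): temperature slot of four nodes.
TEMPS = [[0.50, 0.52, 0.49, 0.51], [0.51, 0.52, 0.50, 0.51],
         [0.51, 0.53, 0.50, 0.52],
         [0.51, 0.53, 0.05, 0.52],    # Attack 1: third node's reading scaled by 0.1
         [0.52, 0.53, 0.51, 0.52],
         [0.90, 0.53, 0.51, 0.53]]    # Attack 2: first node's slot carries luminosity
# Constructed (temperature, humidity) pairs, humidity near 0.2 + 0.5 * temperature.
PAIRS = [(0.40, 0.41), (0.44, 0.41), (0.48, 0.44), (0.52, 0.47), (0.56, 0.47),
         (0.50, 0.60),                # Attack 2: clean (0.60, 0.50) with fields swapped
         (0.64, 0.53),
         (0.34, 0.27)]                # Attack 1: clean (0.68, 0.54) scaled by 0.5

if __name__ == "__main__":
    print(vn_detect(TEMPS, 0.05), vn_detect(TEMPS, 0.05, norm=l2))
    print(regression_detect(PAIRS, 4, 0.05))
```

Scaling both correlated readings by the same factor is still caught by the regression check because the fitted line has a non-zero intercept.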

IV. RESULTS AND CONCLUSION

In order to conduct the experiments, specialized Java code was designed and applied, both on the sensor nodes and on the base station. The experiments have demonstrated the possibility of employing simple statistical analysis and data processing algorithms on the sensor network node kits available on the market. The analysis included calculating the false positive and false negative rates for different cases of both types of attacks. These rates varied significantly in different experiments because of natural fluctuations and differences in the various sensor signals, and also depending on the choice of the threshold values and other algorithm parameters. As usual, a change in threshold values decreased the false negative rates but increased the false positive rates, and vice versa. Fig. 2 illustrates this dependence. It puts on the agenda an application of machine learning and intelligent techniques, such as the clustering methods that were investigated in [8-10]. The performed analyses have shown better performance of the R and VN methods (Fig. 1), which apply multi-sensor readings, in comparison to the NR method (Fig. 1, 2), which employs readings from only one sensor. The average detection accuracy rate in the conducted experiments was 73.59% for the NR approach, 91.71% for the VN approach (Fig. 3), and 94% for the R method.

REFERENCES

[1] A. P. R. da Silva, et al., "Decentralized intrusion detection in wireless sensor networks," in 1st ACM International Workshop on Quality of service & security in wireless and mobile networks, Montreal, Quebec, Canada, 2005, pp. 16-23.

[2] V. Bhuse, et al., "Detection of Masquerade Attacks on Wireless Sensor Networks," in Communications, 2007. ICC '07. IEEE International Conference on, 2007, pp. 1142-1147.

[3] J. Podpora, et al., "Intelligent Real-Time Adaptation for Power Efficiency in Sensor Networks," Sensors Journal, IEEE, vol. 8, pp. 2066-2073, 2008.

[4] I. Onat and A. Miri, "An intrusion detection system for wireless sensor networks," in Wireless And Mobile Computing, Networking And Communications, 2005. (WiMob'2005), IEEE International Conference on, 2005, pp. 253-259 Vol. 3.

[5] D. Simon, et al., "Java™ on the bare metal of wireless sensor devices: the squawk Java virtual machine," in ACM/Usenix International Conference On Virtual Execution Environments, Ottawa, Ontario, Canada, 2006, pp. 78-88.

[6] R. B. Smith, et al., "Programming the world with sun SPOTs," in Dynamic Languages Symposium, Companion to the 21st ACM SIGPLAN symposium on Object-oriented programming systems, languages, and applications, Portland, OR, USA, 2006.

[7] (2009, June 8). Sun Spot World. Available: http://www.sunspotworld.com/

[8] L. Reznik and K. Nathan, "A framework for measurement anomaly detection in sensor networks," in 2009 IEEE Sensors Conference, Christchurch, New Zealand, 2009, in press in these proceedings.

[9] J. F. Chamberland and V. V. Veeravalli, "Wireless Sensors in Distributed Detection Applications," Signal Processing Magazine, IEEE, vol. 24, pp. 16-25, 2007.

[10] R. Sutharshan, et al., "Distributed Anomaly Detection in Wireless Sensor Networks," in Communication systems, 2006. ICCS 2006. 10th IEEE Singapore International Conference on, 2006, pp. 1-5.


Figure 1 compares the rates of correct detections of malicious changes in sensor signals representing X, Y, Z accelerations, Luminosity, and Temperature signals received from SunSpot sensor nodes

Figure 2 illustrates the difficulty of choosing the correct range of possible sensor values to minimize both false negative and false positive rates while working with real Luminosity and Temperature sensor signals received from SunSpot sensor nodes subject to Attack 1 study
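The Normal Range approach from Section III and the threshold trade-off this figure describes, as an added Python example that is not the study's Java code. The trace, the window of 4, the multipliers k and the `min_sd` floor are assumptions made for illustration.

```python
from statistics import mean, stdev

def nr_detect(samples, window, k, min_sd=0.5):
    """Normal Range: a sample is normal if it lies within mean +/- k*sd of
    the last `window` accepted samples; only accepted samples slide in."""
    win = list(samples[:window])            # initial window is taken as normal
    flags = [False] * len(win)
    for s in samples[window:]:
        # min_sd is an added safeguard (not from the paper): quantized ADC
        # counts can fill the window with identical values, giving sd == 0.
        sd = max(stdev(win), min_sd)
        bad = abs(s - mean(win)) > k * sd
        flags.append(bad)
        if not bad:
            win = win[1:] + [s]
    return flags

def rates(flags, truth, window):
    """(false positive rate, false negative rate) over the scored samples."""
    scored = list(zip(flags[window:], truth[window:]))
    fp = sum(f and not t for f, t in scored)
    fn = sum(t and not f for f, t in scored)
    pos = sum(t for _, t in scored)
    return fp / (len(scored) - pos), fn / pos

def sweep(samples, truth, window, ks):
    """Rates for each multiplier k of the standard deviation estimate."""
    return {k: rates(nr_detect(samples, window, k), truth, window) for k in ks}

# Constructed luminosity trace in raw ADC counts (not data from the paper).
# Marked samples are a clean value near 500 multiplied as in Attack 1.
LIGHT = [500, 504, 496, 500, 502, 492, 1000, 501, 507, 499, 0, 502]
TAMPERED = [False] * 6 + [True, False, True, False, True, False]

if __name__ == "__main__":
    for k, (fpr, fnr) in sweep(LIGHT, TAMPERED, 4, [1, 2, 3]).items():
        print(f"k={k}: false positive rate {fpr:.2f}, false negative rate {fnr:.2f}")
```

On this trace k=1 flags natural fluctuation as tampering, while k=3 raises no false alarms but accepts the reading scaled by about 1.014, which then widens the window's range.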

Figure 3 demonstrates the performance of the Vector Norm method while working with real sensor signals received from SunSpot sensor nodes subject to Attack 1 study
