Intrusion Detection for Wireless Sensor Networks

1
Intrusion Detection for Wireless Sensor Networks

• Qualifying Exam
• 28th April 2005
• Presented by Edith Ngai
• Supervised by Prof. Michael R. Lyu

2
Outline

• Background
• Research direction
• Intrusion detection for WSN
• Tracing network attacks
• Conclusion Proposed future work

3
Technology trend

• Small integrated devices
• Smaller, cheaper, more powerful
• PDAs, mobile phones
• Many opportunities, and research areas
• Power management
• Distributed algorithms

4
Wireless sensor networks

• Wireless sensor node
• power supply
• sensors
• embedded processor
• wireless link
• Many, cheap sensors
• wireless ? easy to install
• intelligent ? collaboration
• low-power ? long lifetime

5
Possible applications

• Military
• Asset monitoring and management, battlefield
  surveillance, biological attack detection
• Ecological
• fire detection, flood detection, agricultural
  uses
• Health related
• Medical sensing, microsurgery
• General engineering
• car theft detection, inventory control,
  residential security

6
Requirements

• Low energy use
• Efficient use of small memory
• In-network data processing
• large amounts of raw data
• limited power and bandwidth
• Efficient data routing
• Node localization

7
WSN vs MANET
WSN MANET
Goal Detection / estimation of some events of interest Simply communications
Communication pattern Specialized to Many-to-one One-to-many Local communications Typically support routing between any pair of nodes
Energy/resources constrained More Less
Mobility Mostly not mobile Mostly mobile
Cooperation among nodes More cooperative, exhibit trust relationships Less cooperative
Security mechanism Authentication and routing based on public key cryptography is too expensive Both public key or asymmetric cryptography can be applied
Routing Distance vector and source routing protocols are generally too expensive Support different types of routing protocols
8
Security in WSN

• Main security threats in WSN are
• Radio links are insecure eavesdropping /
  injecting faulty information is possible
• Sensor nodes are not temper resistant if it is
  compromised the attacker obtains all security
  information
• Protecting confidentiality, integrity, and
  availability of the communications and
  computations

9
Why security is different?

• Sensor Node Constraint
• Battery
• CPU power
• Memory
• Networking Constraints and Features
• Wireless
• Ad hoc
• Unattended

10
Network defense
React - Response - Terminate Connections
- Block IP Addresses - Containment
- Fishbowl - Recovery - Reconstitute
Protect - Encryption - Firewalls -
Authentication - Biometrics
Detect - Intrusions - Attacks - Misuse of
Resources - Data Correlation - Data
Visualization - Malicious S/W - Network
Status/ Topology
11
What is intrusion detection?

• Intrusion detection is the process of
  discovering, analyzing, and reporting
  unauthorized or damaging network or computer
  activities
• Intrusion detection discovers violations of
  confidentiality, integrity, and availability of
  information and resources

12
What is intrusion detection?

• Intrusion detection demands
• As much information as the computing resources
  can possibly collect and store
• Experienced personnel who can interpret network
  traffic and computer processes
• Constant improvement of technologies and
  processes to match pace of Internet innovation

13
How useful is intrusion detection?

• Provide digital forensic data to support
  post-compromise law enforcement actions
• Identify host and network misconfigurations
• Improve management and customer understanding of
  the Internet's inherent hostility
• Learn how hosts and networks operate at the
  operating system and protocol levels

14
Intrusion detection models

• All computer activity and network traffic falls
  in one of three categories
• Normal
• Abnormal but not malicious
• Malicious
• Properly classifying these events are the single
  most difficult problem -- even more difficult
  than evidence collection

15
Intrusion detection models

• Two primary intrusion detection models
• Network-based intrusion detection monitors
  network traffic for signs of misuse
• Host-based intrusion detection monitors computer
  processes for signs of misuse
• So-called "hybrid" systems may do both
• A hybrid IDS on a host may examine network
  traffic to or from the host, as well as processes
  on that host

16
Network-based intrusion

• Network-based intrusion detection pros
• Highest return on investment, as one sensor can
  potentially monitor dozens to hundreds of targets
• Recognize attacks upon infrastructure and
  provides a larger field-of-view
• Network-based intrusion detection cons
• Encryption may degrade network visibility
• IDS may not interpret traffic as target would

17
Host-based intrusion

• Host-based intrusion detection pros
• Offers greater ability to understand processes on
  hosts, including success or failure of attacks
• A single event log can effectively replace
  interpretation of hundreds of network packets
• Host-based intrusion detection cons
• Difficult to manage more than a few systems
• Host owners blame HIDS for problems

18
IDS paradigms

• Anomaly Detection look for abnormal
• Misuse Detection pattern matching
• Burglar Alarms - policy based detection
• Honey Pots - lure the hackers in
• Hybrids - a bit of this and that

19
Anomaly detection

• Goals
• Analyze the network or system and infer what is
  normal
• Apply statistical or heuristic measures to
  subsequent events and determine if they match the
  model/statistic of normal
• If events are outside of a probability window of
  normal, it generates an alert

20
Anomaly detection (cont)

• Typical anomaly detection approaches
• Neural networks - probability-based pattern
  recognition
• Statistical analysis - modeling behavior of
  users and looking for deviations from the norm
• State change analysis - modeling systems state
  and looking for deviations from the norm

21
Misuse detection

• Goals
• Know what constitutes an attack
• Detect it
• A database of known attack signatures should be
  maintained

22
Misuse detection (cont)

• Typical misuse detection approaches
• Network grep - look for strings in network
  connections which might indicate an attack in
  progress
• Pattern matching - encode series of states that
  are passed through during the course of an attack
• e.g. change ownership of /etc/passwd -gt open
  /etc/passwd for write -gt alert

23
Research DirectionIntrusion Detection for WSN
24
Types of attack

• Physical attack
• Physical damage, destroy, tamper
• MAC layer attack
• Jamming
• Network layer attack
• Misdirection on routing
• Selective forwarding
• Sinkhole attack
• Wormhole attack
• Sybil attack
• Rushing attack
• Hello flood attack
• Application layer attack
• Denial of service

25
Research proposal
26
Audit data

• Application data from sensors
• Routing information
• Node behavior record
• Network topology

27
Data collection

• Localization
• Data fusion
• Routing
• Behavior monitoring
• History recording

28
Procedures

• Intrusion Detection
• Discover suspicious activity from audit data
• Detect the intrusions
• Classify the type of intrusions
• Intrusion Tracing
• Trace of source of intrusions
• Identify and locate the intruders
• Intrusion Reaction
• Resist to the intrusions
• Defend against further intrusions

29
Intrusion Detection in WSN
30
Network model

• BSj base station at location (Xj, Yj)
• Si sensor node at location (xi, yi)
• R transmission range of the base station
• r transmission range of the sensor node
• k-coverage a node covers by k BSs

31
Definitions

• Coverage of a base station
• Number of coverage from base stations
• p sends data to q successfully (in 1-hop)
• p sends data to q successfully via k hops
• p fails in sending data from p to q

32
Types of intrusions

• Sinkhole SH(q), HelloFlood HF(q)
• A region of nodes will forward packets destined
  for a BS through an adversary
• Wormhole WH(q)
• An adversary tunnels messages received in one
  part of the network over a low latency link and
  replays them in a different part

33
Types of intrusions

• Missing Data MD(Ci)
• Missing data from p to BSi
• Wrong Data (local) WDL(p)
• Inconsistent data
• Selective Forwarding / Interference
• Sensor p does not forward data to its neighboring
  nodes

34
Architecture
35
Intrusion detection components

• Data fusion
• Local neighboring nodes
• Global overlapping areas
• Topology discovery
• Route tracing
• History
• Neighbor monitoring
• Watchdog

36
Intrusion detection
Components\Attack Types Components\Attack Types I II III IV V
Neighbor Monitoring BS Dominating intermediate node Dominating intermediate node Selective forwarding N/A N/A
Neighbor Monitoring Sensor N/A N/A Selective forwarding N/A Interference (jamming with neighbors)
Data Fusion Global (may have missing or inconsistent data) (may have missing or inconsistent data) Missing data Inconsistent data (IVa malicious sensor or intermediate nodes) Missing data
Data Fusion Local (may have missing or inconsistent data) (may have missing or inconsistent data) Missing data Inconsistent data (IVb sensor failure or being compromised) Missing data
Routing (with topology info.) BS a region of nodes forward packet through the same adversary An adversary tunnels messages and replays them in a different part N/A N/A N/A
Attack Types I - Sinkhole, Hello Flood II
Wormhole III Missing Data IV Wrong
Data V - Interference
37
Intrusion Tracing in WSN
38
Related work

• IP Traceback in traditional network
• Packet marking
• ICMP traceback message

39
Related work

• dead node
• cases sending or routing measurement as died
• silent node
• Ceases sending but status not determined

40
Tracing sinkhole attack

• Adversary lures nearly all traffic from a
  particular area through a compromised node
• Attracts network traffic by advertising a high
  quality path to the BS
• Common kind of violation is
• selective forwarding

1
41
Attack region detection

• The BS can detect the list of nodes affected by
  the intrusions
• Missing data
• Inconsistent data
• Circle the attack area

42
Probing

• Collect the next hop, hop counts from the nodes
  in the affected area
• At the beginning of a suspicious sinkhole attack
  occurs
• BS -gt N(x) ltprobing, BSigt
• When a probing message is received from N(x)
• x -gt y (neighbors of x) ltprobing, x, BSigt
• When node y receives a probing message
• y -gt x lty, shortest_next_hop,
  shortest_hop_countgt
• (routing information to BS)
• y -gt y (neighbors of y) ltprobing, y, BSigt
• The processes (3) repeats until the request
  messages reach the boundary of the attack area

43
Identify the sinkhole

• Sinkhole does not have outgoing edges
• Incoming edges to sinkhole should provide minimum
  no. of hop counts to BS

Search from the leaf nodes to the root (Sinkhole)
44
With colluding nodes
Missing information
Routing loop
Wrong routing information
Misleading Sinkhole
Attack area with colluding nodes (a) missing
information (b) cycles (c) misleading sinkhole
(d) identification sinkhole using hop counts
45
Enhanced algorithm

• Finding array on hop counts

Call method checkRootByCount for each roots
for each root r initialize a new array
count checkRootByCount(r, count, 1) if
(count0 gt numNode(r)/2) r is a correct
root. end if end for checkRootByCount (Node
r, Array count, int depth) depth depth 1 for
each precedent node p of r increase count
w(p,r) depth by 1 checkRootByCount (p,
count, depth) end for end checkRootByCount
Calculate the array Count
h -2 -1 0 1 2
Counth 0 0 n 0 0
46
Enhanced algorithm
for each root r initialize a new Array
count initialize a new Path correctPath checkRo
otByCount(r, count, 1) S xgt0 forall ygt0,
countxcount-xgtcountycount-y x min
(S) correctRoot(r, r, x, 0, correctPath ,
count0) apply correctPath on Network G end for
correctRoot (Node r, Path p, int totalLevel,
int currentLevel, Path correctPath, int
bestCount) if (currentLevel gt
totalLevel) return end if currentLevel
currentLevel1 for each precedent node c of
r initialize a new Array count reverse edge
(c,r) checkRootByCount (c, count, 1) if
(count0gt bestCount) correctPath
p-gtc end if correctRoot(c, p-gtc,
totalLevel, currentLevel, correctPath ,
bestCount) reverse edge(c,r) end for end
correctRoot
Calculate no. of hop counts for correction
Correct the root by specifying another suspicious
Sinkhole
Calculate the array Count again
Select the best result
47
Example Before correction
Value provided by node Y 3 Deduced value from Y
to SH 4 Count of node Y 3 4 -1 (gtSH
should be 1 hop closer than SH)
Value provided by node X 4 Deduced value from
X to SH 3 Count of node X 4 3 1 (gtSH
should be 1 hop farther away than SH)
Y
X
1
i -2 -1 0 1 2
Counti 0 14 8 6 0
48
Example After correction
Value provided by node Y 3 Deduced value from Y
to SH 3 Count of node Y 3 3 0 (gthop
count agrees with SH)
Value provided by node X 4 Deduced value from
X to SH 4 Count of node X 4 4 0
(gthop count agrees with SH)
Y
X
i -2 -1 0 1 2
Counti 0 1 21 6 0
49
Conclusion Proposed Work
50
Required technologies

• Collection of the audit data
• Localization
• Data fusion
• Routing
• Analysis on the audited data
• Identifying the intrusion characteristics
• Detecting the intrusions
• Locating the intrusions
• Intrusion reaction

51
Proposed work

• Study how to collect the audit data effectively
  and complete the intrusion detection architecture
• Investigate the methods to analyze the audited
  data for intrusion detection
• Propose new methods to identify and locate the
  intruders (for various attacks)
• Study and explore reactive measures to defend
  against the detected intrusions
• Formulate and evaluate our intrusion detection
  framework which is expected to be effective in
  detecting and resisting to the many types of
  intrusions

52
Conclusion

• We discussed the characteristics of WSN and its
  security issues
• We studied traditional intrusion detection
  technologies
• We introduced our intrusion detection framework
  in our research proposal
• We proposed an intrusion detection architecture
  and analyzed some kinds of intrusions can be
  detected
• We proposed an algorithm for tracing Sinkhole
  attack for WSN
• We presented our proposed future work

53
Q A