International Journal of Computational Intelligence and Information Security, April 2012 Vol. 3, No. 4 ISSN: 1837-7823

Analysis of Intrusion Detection & Emergence in Intermittently Connected Networks


Abstract

Wireless sensor networks make it possible to route large amounts of data. Applied to network monitoring data recorded on a host or along a route, they can be used to detect intrusions, attacks and/or anomalies. In this paper, we present a sensing method that detects intruders by classifying activities as anomalous or normal. Our work studies which algorithm is best at classifying anomalous and normal activities in a sensor network, using single-sensing and multi-sensing algorithms that have not been used before. We analyze which algorithm has the best efficiency.

Keywords: Sensing, Wireless sensor networks, Intrusion, misuse, false positive rate.

I. INTRODUCTION

The explosive increase in the number of networked machines and the widespread use of the Internet in organizations have led to an increase in the number of unauthorized activities, not only by external attackers but also by internal sources, such as fraudulent employees or people abusing their privileges for personal gain or revenge. As a result, intrusion detection systems (IDSs), as originally introduced by Anderson [4] and later formalized by Denning [5], have received increasing attention in recent years. By definition, intrusion detection is the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. When intrusion detection takes a preventive measure without direct human intervention, it becomes an intrusion prevention system. A system that performs automated intrusion detection is called an intrusion detection system (IDS).

Another important distinction is between systems that identify patterns of traffic or application data presumed to be malicious (misuse detection systems) and systems that compare activities against a 'normal' baseline (anomaly detection systems). An anomaly detection system (ADS) monitors the behavior of a system and flags significant deviations from normal activity as anomalies. Anomaly detection is used for identifying attacks in computer networks, malicious activities in computer systems and misuse in Web-based systems. A network anomaly caused by malicious or unauthorized users [6] can cause severe disruption to networks. Therefore the development of a robust and reliable network anomaly detection system is increasingly important.

Traditionally, signature-based automatic detection methods are widely used in intrusion detection systems. When an attack is discovered, the associated traffic pattern is recorded and coded as a signature by human experts, and then used to detect malicious traffic.
However, signature-based methods suffer from their inability to detect new types of attack. Furthermore, the database of signatures grows as new types of attack are detected, which may affect the efficiency of the detection.

A wireless sensor network (WSN) is a network of cheap and simple processing devices (sensor nodes) that are equipped with environmental sensors for temperature, humidity, etc. and can communicate with each other using a wireless radio device. Most applications of WSNs require the unattended operation of a large number of sensor nodes. This raises immediate problems for administration and utilization. Even worse, sometimes [1] it is not possible to approach the deployment area at all, for example in hostile, dangerous environments or
military applications. So, sensor networks need to become autonomous and exhibit responsiveness and adaptability to evolutionary changes in real time, without explicit user or administrator action. This need is even more imperative when it comes to security threats [2]. The unattended nature of WSNs and the limited resources of their nodes make them susceptible to attacks. Any defensive mechanism that could protect and guarantee their normal operation should be based on autonomous mechanisms within the network itself.

SECTION II

2. Intrusion Detection System

An intrusion detection system is a piece of installed software or a physical appliance that monitors network traffic in order to detect unwanted activity and events, such as illegal and malicious traffic that violates acceptable use policies.

2.1. Technologies used to detect intrusion

2.1.1. Network Intrusion Detection: A network intrusion detection system (NIDS) is one common type of IDS that analyzes network traffic at all layers of the Open Systems Interconnection (OSI) model and makes decisions about the purpose of the traffic, analyzing it for suspicious activity. The term Wireless Intrusion Prevention System (WIPS) describes a network device that monitors and analyzes the wireless radio spectrum in a network for intrusions and performs countermeasures.

2.1.2. Wireless: A wireless local area network (WLAN) IDS is similar to a NIDS in that it can analyze network traffic. However, it will also analyze wireless-specific traffic, including scanning for external users trying to connect to access points (APs), rogue APs, users outside the physical area of the company, and WLAN IDSs built into APs. As networks increasingly support wireless technologies at various points of a topology, WLAN IDSs will play larger roles in security. Many previous NIDS tools will include enhancements to support wireless traffic analysis.

2.1.3.
Detection Types for Intrusion:

Signature-Based Detection: An IDS can use signature-based detection, relying on known traffic data to analyze potentially unwanted traffic. This type of detection is very fast and easy to configure. However, an attacker can slightly modify an attack to render it undetectable by a signature-based IDS. Still, signature-based detection, although limited in its detection capability, can be very accurate.

Anomaly-Based Detection: An IDS that looks at network traffic and detects data that is incorrect, not valid, or generally abnormal is said to use anomaly-based detection. This method is useful for detecting unwanted traffic that is not specifically known. For instance, an anomaly-based IDS will detect that an Internet Protocol (IP) packet is malformed. It does not detect that it is malformed in a specific way, but indicates that it is anomalous.

Stateful Protocol Inspection: Stateful protocol inspection is similar to anomaly-based detection, but it can also analyze traffic at the network and transport layers and vendor-specific traffic at the application layer, which anomaly-based detection cannot do.

2.1.4. Intrusion False Positive Rates: It is impossible for an IDS to be perfect, primarily because network traffic is so complicated. The erroneous results in an IDS are divided into two types: false positives and false negatives. False positives occur when the IDS erroneously detects a problem with benign traffic. False negatives occur when unwanted traffic is undetected by the IDS. Both create problems for security administrators and may require that the system be calibrated. A greater number of false positives is generally more acceptable but can burden a security administrator with cumbersome amounts of data to sift through. However, because they are
undetected, false negatives do not afford a security administrator an opportunity to review the data.

2.2. Intrusion Detection Related Work in Wireless Sensor Networks: Intrusion detection is an important aspect within the broader area of computer security, in particular network security, so an attempt to apply the idea in WSNs makes a lot of sense. However, there are currently only a few studies in this area. Da Silva et al. and Onat and Miri [8] propose similar IDSs, where certain monitor nodes in the network are responsible for monitoring their neighbors, looking for intruders. They listen to messages in their radio range and store in a buffer specific message fields that might be useful to an IDS running within a sensor node, but no details are given on how this system works. In these architectures, there is no collaboration among the monitor nodes. It is concluded from both papers that the buffer size is an important factor that greatly affects the rate of false alarms.

Currently, research on providing security solutions for WSNs has focused mainly on three categories:

1) Key management: A lot of work has been done [1] in establishing cryptographic keys between nodes to enable encryption and authentication.
2) Authentication and Secure Routing: Several protocols [2] have been proposed to protect information from being revealed to an unauthorized party and guarantee its integral delivery to the base station.
3) Secure services: Certain progress has been made in providing specialized secure services, like secure localization.

Loo et al. [9] and Bhuse and Gupta [9] describe two more IDSs for routing attacks in sensor networks. Both assume that routing protocols for ad hoc networks can also be applied to WSNs: Loo et al. [8] assume the AODV (Ad hoc On-Demand Distance Vector) protocol while Bhuse and Gupta [9] use the DSDV and DSR protocols. Then, specific characteristics of these protocols, like the number of route requests received, are used to detect intruders.
However, to our knowledge, these routing protocols are not attractive for sensor networks and they have not been applied to any implementation that we are aware of.

More extensive work has been done in intrusion detection for ad hoc networks [10]. In such networks, distributed and cooperative IDS architectures are also preferable. Detailed distributed designs, actual detection techniques and their performance have been studied in more depth. While also being ad hoc networks, WSNs are much more resource constrained. We are unaware of any work that has investigated the issue of intrusion detection in a general way for WSNs.

SECTION III

3. Problem Definition: Information security concerns are rising every day along with the availability of anomaly or attack assessment tools that are widely available on the sensor network, for free as well as commercial use. The intruders to be identified use tools such as SubSeven, L0phtCrack and Back Orifice to penetrate systems.

Figure 2: Setup of wireless sensor networks

3.1. Types of intrusion in our general activities: Imagine that you have just purchased a state-of-the-art home theater system. Everyone who knows anything about electronics has an idea of how much it may cost. After installing it, you decide that you might need to install new locks on all the doors in your house, because the old ones do not use up-to-date secure mechanisms. You call the locksmith, and in about 2 months (if you are lucky) you have new locks on your doors, and you are the only one who has the keys (well, maybe your mother has another pair). With that in mind you pack your things and, with whatever money you have left from your recent purchases, you go on vacation. When you come back a week later, you find that the entertainment room looks different. After careful examination, you realize that your home theater system, which you had been dwelling over for the last year, is missing. What is worse, your wife tells you that the window in the kitchen is broken and there are boot stains on the carpet all over the house. That leads you to believe that someone broke into your house, and stole and vandalized a lot of your prized possessions. After you wipe the tears from your eyes, you suddenly begin to vaguely remember the brochure that you got about a burglar alarm installation in your neighborhood.

3.1.1. Using an Intrusion Detection System will provide the following activities:

- Provides a degree of integrity to the rest of the infrastructure.
- Traces user activity from point of entry to point of impact, and recognizes and reports alterations to data.
- Automates the task of monitoring the Internet in search of the latest attacks.
- Detects when our system is under attack and detects errors in our system configuration.
- Makes the security management of your system possible for non-expert staff.

3.1.2. Effects of Intrusion Detection System: Compensates for weak identification and authentication mechanisms. Conducts investigation of attacks without human intervention.
Analyzes all the traffic on a busy network and always deals with problems involving packet-level attacks.

3.2. Where we need to place the IDS: We will try to identify the most common places where intrusion detection mechanisms are installed. Please look at the following illustration taken from and try to imagine your own environment and where you would place the sensors.

Figure 2: Representations of sensor nodes

- Between your network and the extranet
- In the DMZ before the firewall, to identify attacks on your servers in the DMZ
- Between the firewall and your network, to identify a threat in case of firewall penetration
- In the remote access environment
- If possible, between your servers and user community, to identify attacks from the inside
- On the intranet, FTP, and database environment

Establish a network perimeter and identify all possible points of entry to your network. Once these are found, IDS sensors can be put in place and must be configured to report to a central management console. The dedicated administrators would log on to the console and manage the sensors, providing them with newly updated signatures and reviewing logs.

SECTION IV

4. Algorithms applied for IDS: Algorithms help the WSN detect the intruder with energy efficiency, thereby increasing the lifetime of the network.

4.1. Single Sensing Detection Model: The intruder is detected as soon as it enters the sensing range of any one sensor node. When the intruder enters the area through the boundary and the boundary is covered by the sensors, the intruder will be detected as soon as it enters the WSN area.

4.2. Multi Sensing Detection Model: Multi sensing in a heterogeneous WSN is explained in Figure 3. Here multiple sensors have to detect an intruder at the same time. Three sensors are considered, and the intruder is within the sensing range of all three. In the k-sensing detection model of a heterogeneous WSN with two types of sensors, at least k sensors are required to detect an intruder. These k sensors can be any combination of any type of sensors.
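The single-sensing and k-sensing models of Sections 4.1 and 4.2, as an added Python simulation that is not part of the original paper. The square field, the uniform random deployment, the straight-line intruder path and all parameter values are assumptions made for illustration.

```python
import math
import random

def deploy(n, sensing_range, side, rng):
    """Place n sensors of one type uniformly at random in a side x side field."""
    return [(rng.uniform(0, side), rng.uniform(0, side), sensing_range)
            for _ in range(n)]

def coverage(sensors, x, y):
    """Count sensors, of any type, whose sensing range contains (x, y)."""
    return sum(1 for sx, sy, r in sensors if math.hypot(sx - x, sy - y) <= r)

def first_detection(sensors, path, k):
    """Index of the first path point sensed by at least k sensors at once.

    k = 1 is the single-sensing model; k > 1 is the k-sensing model.
    Returns None if the intruder follows the whole path undetected.
    """
    for i, (x, y) in enumerate(path):
        if coverage(sensors, x, y) >= k:
            return i
    return None

def crossing_path(side, rng, step=1.0):
    """Assumed movement: straight line from the left boundary to the right one."""
    y0, y1 = rng.uniform(0, side), rng.uniform(0, side)
    n = max(1, int(math.hypot(side, y1 - y0) / step))
    return [(side * t / n, y0 + (y1 - y0) * t / n) for t in range(n + 1)]

def detection_probability(k, n1, r1, n2, r2, side=100.0, trials=300, seed=7):
    """Monte Carlo estimate of P(intruder is detected before leaving the field)
    for a heterogeneous WSN with n1 sensors of range r1 and n2 of range r2."""
    rng = random.Random(seed)
    detected = 0
    for _ in range(trials):
        sensors = deploy(n1, r1, side, rng) + deploy(n2, r2, side, rng)
        path = crossing_path(side, rng)
        if first_detection(sensors, path, k) is not None:
            detected += 1
    return detected / trials

if __name__ == "__main__":
    # Constructed deployment: 20 short-range and 10 long-range sensors.
    for k in (1, 2, 3):
        p = detection_probability(k, n1=20, r1=5.0, n2=10, r2=10.0)
        print(f"k={k}: estimated detection probability {p:.2f}")
```

Because the same seed yields the same deployments and paths for every k, the estimates can only fall as k grows, which makes the cost of requiring simultaneous sensing directly comparable.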

Figure 3: Multi Sensing Detection

4.3. Comparative study: In wireless sensor networks, intrusion detection provides security when routing data from source to destination under normal activity. Intrusions are of two types, anomaly and misuse. Anomaly detection refers to detecting patterns in a given data set that do not conform to an established normal behavior. The patterns thus detected are called anomalies and translate to critical and actionable information in several application domains. Anomalies are also referred to as outliers, surprises, deviations, etc. Misuse detection uses well-defined patterns of attack that exploit weaknesses in system and application software to identify intrusions (Kumar and Spafford 1995). These patterns are encoded in advance and matched against user behavior to detect intrusions. Anomaly detection identifies deviations from normal usage behavior patterns to identify the intrusion. The normal usage patterns are constructed from statistical measures of the system features, for example the CPU and I/O activities of a particular user or program. The behavior of the user is observed and any deviation from the constructed normal behavior is detected as an intrusion.

To detect the types of intruders in a WSN we analyze two techniques, single-sensing and multi-sensing detection, which keep the system secure. In single sensing, only one intruder is detected by the WSN at a time; there is no guarantee that our information has been sent securely, and data will not be routed if the primary detector fails. In comparison with single sensing, we introduce a heterogeneous wireless sensor network in which an intruder is detected anywhere in the network. By finding the intruders we can send our information in a secured manner, and even if the primary detector fails another detector detects the intruder.
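The trade-off between misuse (signature) detection and anomaly detection from Sections 2.1.3 and 4.3, measured with the false positive and false negative rates of Section 2.1.4, as an added Python example that is not part of the original paper. The observation records, the pattern names, the signature set and the 3-sigma threshold are all constructed for illustration; the route-request count follows the feature mentioned in Section 2.2.

```python
import statistics

# Constructed observations, one per monitored neighbor per interval:
# (node, route_requests_seen, traffic_pattern, is_attack). All values invented.
OBSERVATIONS = [
    ("n1", 5, "normal", False),
    ("n2", 6, "normal", False),
    ("n3", 40, "attack-A", True),          # known attack, coded as a signature
    ("n4", 38, "attack-A-variant", True),  # same attack, slightly modified
    ("n5", 9, "normal", False),            # benign burst of route requests
    ("n6", 4, "normal", False),
    ("n7", 6, "attack-A", True),           # known attack at a normal-looking rate
]
SIGNATURES = {"attack-A"}                  # hypothetical signature database
NORMAL_TRAINING = [4, 5, 6, 5, 4, 6, 5, 5, 4, 6]  # constructed normal profile

def signature_detect(obs, signatures=SIGNATURES):
    """Misuse detection: alert only on an exact match with a known pattern."""
    return obs[2] in signatures

def make_anomaly_detector(training, n_sigma=3.0):
    """Anomaly detection: alert when the count deviates from the normal profile."""
    mean = statistics.mean(training)
    sigma = statistics.pstdev(training)
    return lambda obs: abs(obs[1] - mean) > n_sigma * sigma

def error_rates(detector, observations):
    """Return (false_positive_rate, false_negative_rate) for a detector."""
    fp = sum(1 for o in observations if detector(o) and not o[3])
    fn = sum(1 for o in observations if not detector(o) and o[3])
    benign = sum(1 for o in observations if not o[3])
    attacks = sum(1 for o in observations if o[3])
    return fp / benign, fn / attacks

def missed(detector, observations):
    """Nodes whose attack traffic raised no alert (the false negatives)."""
    return [o[0] for o in observations if o[3] and not detector(o)]

if __name__ == "__main__":
    anomaly_detect = make_anomaly_detector(NORMAL_TRAINING)
    for name, det in (("signature", signature_detect),
                      ("anomaly", anomaly_detect)):
        fpr, fnr = error_rates(det, OBSERVATIONS)
        print(f"{name}: FPR={fpr:.2f} FNR={fnr:.2f} "
              f"missed={missed(det, OBSERVATIONS)}")
```

On this constructed data the signature detector raises no false alarms but misses the modified attack, while the anomaly detector catches the variant, misses the attack that stays inside the normal profile, and flags one benign burst.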

V. CONCLUSION

This work is an analysis of the minimization of external intrusion detection in an energy-efficient way and of the probability of intrusion detection in a deployed heterogeneous WSN. It considers the number of sensors required in a given deployment, and their sensing and transmission ranges, to efficiently detect an intruder in a WSN. We have analyzed an analytical model for intrusion detection and applied it to single-sensing detection and multiple-sensing detection scenarios for heterogeneous WSNs. The correctness of the analytical model is proved by comparative study.

References

[1] S. Camtepe and B. Yener, Key distribution mechanisms for wireless sensor networks: a survey, Rensselaer Polytechnic Institute, Troy, New York, Technical Report 05-07, March 2005.
[2] E. Shi and A. Perrig, Designing secure sensor networks, IEEE Wireless Communications, vol. 11, no. 6, pp. 38-43, December 2004.
[3] L. Lazos and R. Poovendran, Serloc: Robust localization for wireless sensor networks, ACM Transactions on Sensor Networks, vol. 1, no. 1, pp. 73-100, 2005.
[4] Christos Douligeris, Aikaterini Mitrokotsa, DDoS attacks and defense mechanisms: classification and state-of-the-art, Computer Networks: The International Journal of Computer and Telecommunications Networking, vol. 44, issue 5, pp. 643-666, 2004.
[5] Ghosh, A. K., A. Schwartzbard, and M. Schatz, Learning program behavior profiles for intrusion detection, In Proc. 1st USENIX, 9-12 April, 1999.
[6] Lee, W. and S. J. Stolfo, Data mining approaches for intrusion detection, In Proc. of the 7th USENIX Security Symp., San Antonio, TX. USENIX, 1998.
[7] W. Lee, S. J. Stolfo et al., A data mining and CIDF based approach for detecting novel and distributed intrusions, Proc. of Third International Workshop on Recent Advances in Intrusion Detection (RAID 2000), Toulouse, France.
[8] I. Onat and A. Miri, An intrusion detection system for wireless sensor networks, in Proceeding of the IEEE International Conference on Wireless and Mobile Computing, Networking and Communications, vol. 3, Montreal, Canada, August 2005, pp. 253-259.
[9] C. E. Loo, M. Y. Ng, C. Leckie, and M. Palaniswami, Intrusion detection for routing attacks in sensor networks, International Journal of Distributed Sensor Networks, 2005.
[10] V. Bhuse and A. Gupta, Anomaly intrusion detection in wireless sensor networks, Journal of High Speed Networks, vol. 15, no. 1, pp. 33-51, 2006.
[11] Introduction to Intrusion Detection, ICSA Publications, prepared by Rebecca Bace. URL: http://www.icsa.net/html/communities/ids/White%20paper/Intrusion1.pdf
[12] Intrusion Detection and Response, Lawrence Livermore National Laboratory, Sandia National Laboratories, December 1996. URL: http://all.net/journal/ntb/ids.html

Usha is pursuing an M.Tech in Computer Science Engineering at TKR College of Engineering and has academic experience in reputed engineering colleges. Her areas of interest include Data Mining, Computer Organization and Network Security, and she is currently focusing on Routing.

Mr. K. Venkatesh Sharma, Prof., holds a B.E. in Electronics from Shivaji University, Maharashtra, and has completed an M.Tech in Information Technology from Punjabi University, an M.Tech in CSE from JNT University and a PGDCA; he is pursuing a Ph.D. in computer science at JNTU Kakinada. He has 10 years of teaching experience in various engineering colleges. Currently he is heading the CSE department at TKR College of Engineering. He is a Life Member of MISTE. He has presented papers at international and national conferences on various domains. His areas of interest are Databases, Information Security and Embedded Systems.

Ravi Kumar V holds an M.Tech in Computer Science & Engineering from JTUH, an MSc in Electronics from Andhra University and a BSc from Kakatiya University. He is currently working as Head of Department at Balaji Institute of Science & Technology, Warangal, and has 8 years of academic experience. His research areas include Cloud Computing & Parallel Computing, Cryptography, Network Security, Computer Organization, Image Processing, Embedded Systems & Bio-Metrics.

Syed Abdul Moeed holds an M.Tech from JNTUH and a B.Tech from JNTUH and has academic experience. His areas of interest include Software Engineering, Computer Networks, Project Management, Data Mining and Data Warehousing.
