
International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)

Volume 2, Issue 6, November-December 2013, ISSN 2278-6856

Incremental Intrusion Detection System for Wireless Sensor Networks

Priyanka Shah, Dr. Atul Patel
Smt. Chandaben Mohanbhai Patel Institute of Computer Applications, Faculty of Computer Science and Applications, CHARUSAT, CHANGA.

Abstract: Security is the most important area of concern for the rapidly developing Wireless Sensor Network (WSN), which is vulnerable to a proliferation of security attacks. The hostile environment of a WSN gives rise to a variety of threats that can damage low-powered sensor nodes. Mission-critical wireless sensor networks require an efficient, lightweight and flexible intrusion detection methodology to identify abnormal nodes or malicious attackers. An Intrusion Detection System (IDS) is a second line of defense that is very efficient and effective against a range of attacks. In this paper, the existing Intrusion Detection System models are discussed in brief. Finally, a novel framework, the Incremental Intrusion Detection System (INIDS), is proposed, which takes countermeasures against malicious nodes based on a clustering algorithm and a layered approach. The proposed scheme forms clusters. The Cluster Head and specialized IDS agents, i.e. Function Points (FP), are responsible for detecting attacks by incrementally observing and reporting node Feature Values (FV). The algorithm is based on both known attack patterns and anomaly detection.

Keywords: Clusters, Cluster Head, Function Point, Intrusion Detection System, Node Feature Value, Wireless Sensor Network.

1. INTRODUCTION

The wireless sensor network (WSN) is one of the most interesting and promising wireless technologies; it has a wide variety of applications and offers unlimited potential. A wireless sensor network comprises a large number of small, low-power, inexpensive and resource-constrained sensor devices that communicate over radio frequency. Each sensor node senses some physical phenomenon (e.g., temperature, pressure, light) inside the deployment area. The collected data are sent to a base station. The sensor nodes cannot communicate with the base station directly; therefore, data pass through multiple layers of the hierarchy before ultimately reaching the base station. Figure 1 depicts a wireless sensor network with one base station, drawn as the black outlined circle, and sensor nodes, drawn as blue circles. The star boundary marks the range of communication. Many of the operations of sensor nodes remain unattended, and the sensor nodes must work in a hostile environment. That raises the important issue of security. There is always a possibility that a node is compromised, which results in the reception of anomalous data from the compromised or malicious node. A vast variety of security threats can arise in a wireless sensor network because of its nature. The current security solutions can be classified into the following categories:
1) Key management: many schemes have been developed for establishing cryptographic keys, which provide encryption and authentication [1].
2) Authentication and Secure Routing: several protocols [2] have been implemented that protect data from being revealed to unauthorized parties.
3) Secure services: certain progress has been made in providing specialized secure services, like secure localization [3], secure aggregation [4] and secure time synchronization [5].
The above solutions basically fall under the primary line of defense, i.e. prevention-based techniques. The main problem with these solutions is that only a few predefined security attacks can be handled. On the contrary, the wireless sensor network is vulnerable to a bounty of attacks. Therefore, we always need a second line of defense which provides a detection-based solution, i.e. an Intrusion Detection System.

Figure 1. A wireless sensor network with one base station.

In this paper, an effort has been made to define a powerful yet trouble-free solution for developing an intrusion detection system which may protect the wireless sensor network from the primary security threats. The rest of the paper is organized as follows: the foundation of the intrusion detection system and the related work are discussed in section 2. Section 3 describes the network model for the incremental intrusion detection system. The main algorithm for detecting malicious nodes is explored in section 4, and section 5 concludes the paper and suggests the research thrust areas for defining a more commanding intrusion detection system for wireless sensor networks.

2. INTRUSION DETECTION SYSTEM IN WSN AND RELATED WORK
Intrusion detection is an important concept within the broader area of computer network security. An intrusion detection system (IDS) must be able to differentiate between normal activities and malicious activities in order to detect a compromised or malicious node within a network. Intrusion detection techniques can identify misuse of a network in any of the following three ways, alone or in combination:
i) Misuse Detection: also known as signature-based detection. The network maintains a knowledge base of known attack patterns (signatures). Observed behavior is matched against the patterns; if there is a match, malicious activity is detected. It is restricted to known patterns and cannot detect a new kind of attack on the network.
ii) Anomaly Detection: as opposed to misuse detection, anomaly detection focuses on normal behavior. It defines what constitutes the routine behavior of a node, and any deviation from the defined behavior is flagged as an intrusion attempt.
iii) Specification-Based Detection: these techniques are also based on deviations from normal behavior, but they rely on manually defined specifications that describe what correct operation is, and monitor behavior with respect to these constraints.
Currently, various approaches to intrusion detection are emerging. Every intrusion detection system can operate under a distributed, hierarchical or centralized approach, depending on the network model formed. The possible network structure for the IDS can be tree-based, cluster-based or hierarchical. The following is a comprehensive report of ongoing activities in this area:
a. Watchdog approach: based on misuse detection tactics. All neighboring nodes within the same radio range overhear every packet even though they are not the intended receiver of that packet. The neighboring nodes provide much useful audit data by activating their IDS agents, which helps to detect the compromised node [6].
b. Spontaneous watchdog: [7] improves on the watchdog mechanism by assigning local agents that are responsible only for analyzing the local activities of the node and not all the neighboring nodes. That reduces the overhead of the nodes within a network.
c. Statistical model based approach: an anomaly detection scheme has been proposed in [8]. Each sensor node maintains a statistical model of its neighbors' behavior, which is used to detect node impersonation. The system features used to detect anomalies are the average received power and the packet arrival rate. Many other schemes are based on the same basic idea of maintaining statistics of neighboring nodes, differing only in the statistical models or methods used to detect malicious activity.
d. Clustering algorithm based approach: this approach works in two phases, training and testing, and maintains certain traffic patterns. In the training phase it generates clusters of nodes according to certain common features of the nodes. In the testing phase, each sample is tested for whether it is anomalous or not [7].
e. Centralized approach: a centralized, active anomaly detection system called ANDES was proposed by Gupta et al. in [9]. The detection agent resides at the base station, collecting application data, management information (e.g. node IDs, hops towards the sink, total transmitted packets, total number of failures to route a packet) and node status information (e.g. normal, unavailable, duplicated and abnormal state), among others. All the gathered information is then used to identify anomalies.
f. Isolation table: [10] proposes a three-level hierarchical architecture (base station, cluster head, secondary cluster head) which uses an isolation table for detecting anomalies. The isolation table records the anomalous data and the list of nodes which may be compromised and are considered isolated from the network.
g. Machine learning based approach: many techniques exist that rely on various machine learning methods as the anomaly detection tool. The support vector machine is the most powerful among them.
h. Game theory based approaches: many researchers have also adopted the game theory approach [11] for intrusion detection. The approach performs excellently for wired networks.
i. Decentralized approach, predefined watchdog, and hybrid system approach: these are specification-based IDSs, which use predefined rules or manually specified situations to define compromised nodes [12].
j. Trust based approach: this approach detects the malicious node based on trust data collected from the nodes within range. The trust factor is built up by the neighboring nodes based on certain features (number of packets received successfully, number of failures, etc.).


3. NETWORK MODEL FOR THE INCREMENTAL INTRUSION DETECTION SYSTEM

The objective is chiefly to detect data forwarding attacks, such as the selective forwarding attack, where a node transmits only some of the packets it receives, and the denial of service attack, where a node refuses to transmit packets to other nodes within range. Along with these, the model also tries to detect the sleep deprivation attack, which causes a compromised node to remain idle for a long period of time. The proposed system uses a cluster-based hierarchical layered architecture that can handle scalability, flexibility and energy issues. Since the WSN works in a heterogeneous, unpredictable environment with low-powered sensor devices, the model proves to be very effective. The model works with a four-layer hierarchy. It comprises one base station, depicted as the black outlined circle on the top layer; clusters, depicted as dashed circles; the function point layer, depicted as red squares; and the sensor nodes on the leaf node layer, depicted in blue (Figure 2). The following is the list of its primary building blocks:
i) Top Layer: this layer consists basically of the base station (BS), which is the final destination for transmitted data, with all the formed clusters of nodes connected to it.
ii) Cluster Layer: this layer comprises a number of clusters of sensor nodes. A cluster is formed based on the values sensed by the sensor nodes: if two nodes are sensing almost the same value, they form a cluster. Such a cluster can also be formed by defining a radio range; nodes within the same range become part of one cluster. The main benefit of forming clusters in this way is that it is easy to identify any deviation that occurs within the network, because the sensor nodes of the same cluster sense almost the same values. In each cluster, a cluster head (CH) is nominated that is responsible for all the activities taking place within the cluster.
iii) Function Point Layer: the second most responsible node after the CH is the Function Point (FP) node. FPs work as IDS agents. The decision about malicious nodes is taken primarily based on the data reported by the Function Point. An odd number of sensor nodes is assigned to each Function Point, so at any time an FP has an odd number of nodes attached to it for which it is chiefly responsible. The FP maintains data about the sensor nodes attached to it, from which any deviation among them is identified. It maintains data such as the number of packets dropped, the number of packets received successfully, the number of packets received within time, and the amount of time the node is idle. The FP can also participate in detecting a malicious node when it is detected by another FP within the same cluster.
iv) Leaf node layer: the lowest layer in the model, consisting of all the sensor nodes, which are ultimately responsible for sensing various physical phenomena and transmitting the data to the base station through the hops.

Figure 2. The proposed model

4. INCREMENTAL INTRUSION DETECTION ALGORITHM

The Incremental Intrusion Detection System (INIDS) works with a combination of signature-based detection and anomaly-based detection. Therefore, it also helps to detect unknown patterns of anomaly. In this approach, it is assumed that the sensor nodes are already deployed in the network; the process then passes through the following phases: cluster formation, cluster head and function point nomination, sensor node grouping, intrusion detection configuration, data transmission and anomaly detection, and decision making (Figure 3).
i) Cluster formation phase: various cluster formation techniques have been researched that provide energy-efficient solutions for forming clusters within a network. In this approach, sensor nodes work in the same cluster if they are sensing the same value or lie in the same radio range. The clusters are formed once all the sensor nodes are deployed.
ii) Cluster head and Function point nomination phase: next, the coordinator or head responsible for all the activities of the respective cluster is chosen. The BS broadcasts a message asking all nodes to reply with their respective residual energy level. The node with the highest residual energy within a cluster is chosen as the Cluster Head (CH), and the node with the second highest residual energy is chosen as the Function Point (FP) of the cluster. Within one cluster there can be more than one FP; further FPs are chosen in descending order of their residual energy within the cluster. After the selection, a message is broadcast notifying the nodes of the CH and their respective FP.
iii) Sensor node grouping phase: within a cluster, sensor nodes are grouped in odd numbers. Some researchers form pairs of sensor nodes; in that case, whenever a new node is deployed, it cannot start working without forming a pair with another node. Odd-numbered grouping solves this issue, and a new node can immediately start transmitting data. The sensor nodes closest to each other form a group. After a group is formed, an acknowledgment message is sent to the cluster head. Once the cluster head has received all the acknowledgments, it nominates the function point, which basically works as an IDS agent within the network.
iv) Intrusion Detection Configuration phase: this phase consists of a number of sub-modules. It configures the nodes to make it possible to detect security threats. The modules run in the following sequence:
Signature Set-up Module: since the approach also relies on known attack patterns, the attack patterns and the normal behavior of the node are defined, and a table of these is maintained by both the cluster head and the function point.
Node Features Definition Module: this module defines the features of the sensor nodes that the FP has to take note of continuously. In this approach, the Feature Values (FV) selected for a node are: the number of packets dropped, the number of packets received successfully, the number of packets received within time, and the amount of time the node is idle. Each feature can be assigned a weight according to the network's characteristics. If the probability of data forwarding attacks is higher, then features like the number of packets dropped, the number of packets received successfully and the number of packets received within time are assigned more weight. The weight assignment is thus flexible depending on network requirements.
Rule-base Definition Module: this module defines the rules used to take a decision when some malicious activity happens in the network. Rules are defined for both purposes: the rules to detect a node as a compromised node, and the rules to confirm the maliciousness of the node and isolate it from the network. The rule base for detecting compromised nodes is maintained at the FP, while the rules to isolate a node from the network are available at the CH and BS only.
v) Data Transmission and Anomaly Detection phase: in this phase, data are transmitted among sensor nodes, and the FP continuously observes the transmission and maintains the feature table of its attached nodes as well as of the nodes within the same cluster that are attached to other FPs. Misuse is detected whenever some activity matches an attack pattern or any Feature Value (FV) of some node crosses a threshold value according to the rule base; the FP identifies it as an anomaly and reports it to the CH with the sensor identity, the attack pattern type, the Feature Value (FV) and the weight of the feature. The misuse can be reported by an FP of the respective cluster that is connected either directly or indirectly to the sensor node. According to the network's requirements or characteristics, the degree of maliciousness is determined and the next step of decision making is carried out.
vi) Decision making phase: whenever misuse is reported to the CH, it requests a report on the suspicious node's activity from the other FPs within the same cluster. The count indicating the maliciousness of the suspicious node is incremented for every positive report generated by the other FPs. If 90% of the FPs agree with the misuse detection, the misuse is approved and a report is sent to the BS. The BS then designates the suspicious node as a malicious node, broadcasts this within the network and marks it as isolated from the network.

Figure 3. The Incremental Intrusion Detection Algorithm Flowchart.

5. CONCLUSION

The paper discusses the existing approaches to IDS and also defines the concept of detecting a malicious node based on the opinions of more than one IDS agent within a cluster. It detects suspicious activities based on a poll of more than one node in the network. There are still many open areas and implementation strategies that should be taken into account for future development. Among many, an energy-efficient solution for intrusion detection and a dynamic IDS are the main ones. Maintaining data about the sensor nodes and continuously analyzing the nodes' activities still absorbs a lot of the network's energy, which is always the critical issue in WSNs. Little work has been done on IDSs for mobile WSNs. In fact, applying an IDS to mobile nodes or in the presence of dynamic changes in network topology is a very challenging task.
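The FP feature table, rule base and CH polling of the detection and decision-making phases of section 4, as an added Python illustration that is not the paper's own code. The four Feature Values and the 90% agreement rule come from the paper; the thresholds, weights, the MIN_PACKETS guard and the mapping of each rule to an attack pattern are assumed.

```python
from dataclasses import dataclass

AGREEMENT = 0.90   # fraction of the cluster's FPs that must agree (from the paper)
MIN_PACKETS = 5    # assumed: observe at least this many packets before judging a node
# Constructed rule base (thresholds and weights are assumed; the paper gives none),
# checked top-down: a node is reported on the first feature exceeding its threshold.
RULE_BASE = [  # (feature, threshold, attack pattern, weight)
    ("drop_ratio", 0.99, "denial of service", 3),    # forwards nothing at all
    ("drop_ratio", 0.30, "selective forwarding", 3),
    ("late_ratio", 0.50, "selective forwarding", 2),
    ("idle_time", 50, "sleep deprivation", 1),       # idle ticks
]

@dataclass
class FeatureTable:
    """Raw counters an FP keeps for one observed node (the paper's Feature Values)."""
    dropped: int = 0
    received_ok: int = 0
    received_in_time: int = 0
    idle_time: int = 0

    def values(self):
        total = self.dropped + self.received_ok
        return {
            "drop_ratio": self.dropped / total if total else 0.0,
            "late_ratio": 1 - self.received_in_time / self.received_ok if self.received_ok else 0.0,
            "idle_time": self.idle_time,
        }

class FunctionPoint:
    """IDS agent: incrementally records FVs of nodes it overhears and applies the rule base."""
    def __init__(self, fp_id):
        self.fp_id = fp_id
        self.tables = {}

    def observe(self, node, dropped=0, received_ok=0, received_in_time=0, idle=0):
        t = self.tables.setdefault(node, FeatureTable())
        t.dropped += dropped
        t.received_ok += received_ok
        t.received_in_time += received_in_time
        t.idle_time += idle

    def check(self, node):
        # Misuse report (node id, attack type, FV, weight) as sent to the CH, or None.
        t = self.tables.get(node, FeatureTable())
        if t.dropped + t.received_ok < MIN_PACKETS and t.idle_time == 0:
            return None  # too little evidence yet
        fv = t.values()
        for feature, threshold, attack, weight in RULE_BASE:
            if fv[feature] > threshold:
                return {"fp": self.fp_id, "node": node, "attack": attack,
                        "feature": feature, "value": fv[feature], "weight": weight}
        return None

class ClusterHead:
    """Polls every FP in the cluster about a suspicious node; approves at 90% agreement."""
    def __init__(self, fps):
        self.fps = fps
        self.reports_to_bs = []  # approved reports forwarded to the base station
        self.isolated = set()    # nodes the BS then broadcasts as isolated

    def handle_misuse(self, report):
        node = report["node"]
        positive = sum(1 for fp in self.fps if fp.check(node) is not None)
        agreement = positive / len(self.fps)
        if agreement < AGREEMENT:
            return False  # suspicion not confirmed by enough FPs
        self.reports_to_bs.append({**report, "agreement": agreement})
        self.isolated.add(node)
        return True
```

With three FPs, a single dissenting FP already drops agreement to 67%, so a node is only isolated when the whole cluster's FPs confirm it.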

References

[1] S. Camtepe and B. Yener, Key distribution mechanisms for wireless sensor networks: a survey, Rensselaer Polytechnic Institute, Troy, New York, Technical Report 05-07, March 2005.
[2] E. Shi and A. Perrig, Designing secure sensor networks, IEEE Wireless Communications, vol. 11, no. 6, pp. 38-43, December 2004.
[3] L. Lazos and R. Poovendran, SeRLoc: Robust localization for wireless sensor networks, ACM Transactions on Sensor Networks, vol. 1, no. 1, pp. 73-100, 2005.
[4] D. HevinRajesh and B. Paramasivan, Fuzzy Based Secure Data Aggregation Technique in Wireless Sensor Networks, Science Publications, Journal of Computer Science, 2012, pp. 899-907.
[5] S. Ganeriwal, S. Capkun, C.-C. Han, and M. Srivastava, Secure time synchronization service for sensor networks, in Proceedings of the 4th ACM workshop on Wireless security (WiSe 05), 2005, pp. 97-106.
[6] S. Nishanthi, Intrusion Detection in Wireless Sensor Networks Using Watchdog Based Clonal Selection Algorithm, in IJREAT, 2013, pp. 1-5.
[7] R. Roman, J. Zhou, and J. Lopez, Applying intrusion detection systems to wireless sensor networks, in Consumer Communications and Networking Conference, 2006, pp. 640-644.
[8] I. Onat and A. Miri, An intrusion detection system for wireless sensor networks, Wireless and Mobile Computing, Networking and Communications, vol. 3, 2005, pp. 253-259.
[9] S. Gupta, R. Zheng, and A. Cheng, ANDES: an Anomaly Detection System for Wireless Sensor networks, in MASS 2007, pp. 1-9, 2007.
[10] R. Chen, Ch. Hsieh, and Y. Huang, A New Method for Intrusion Detection on Hierarchical Wireless Sensor Networks, in ICUIMC-09, Suwon, Korea, January 2009, pp. 238-245.
[11] H. Shi, W. Wang, N. M. Kwok, and S. Y. Chen, Game theory for wireless sensor networks: a survey, Sensors, vol. 12, no. 7, pp. 9055-9097, 2012.
[12] T. Bhattasali and R. Chaki, A Survey of Recent Intrusion Detection Systems for Wireless Sensor Network, in 4th International Conference on Network Security and Applications (CNSA-2011), Springer, 2011, pp. 268-280.

AUTHORS

Priyanka Shah received a Bachelor's degree in Computer Applications and an M.C.A. degree from Gujarat University, India. At present she is an Assistant Professor at Smt. Chandaben Mohanbhai Patel Institute of Computer Applications, CHARUSAT, Changa, India. Her main research areas are Wireless Communication and Network Security.

Dr. Atul Patel received a Bachelor's degree in Science (Electronics), an M.C.A. degree from Gujarat University and an M.Phil. (Computer Science) degree from Madurai Kamraj University, India. He is Dean of the Faculty of Computer Science & Applications, CHARUSAT, Changa, India. He has completed a Ph.D. in Wireless Networks. His main research areas are Wireless Communication, Network Security and Cloud Computing.
