Research Article
Abstract: This study deals with the design and implementation of an Embedded Cooperative-Hybrid Intrusion Detection System (ECHIDS) for a solar energy harvested Road Side Unit (RSU). In order to offer a high level of defense against the various attacks and to cope with the limited processing and energy resources of the RSU, we suggest a cooperative IDS approach. In this approach, the RSUs do not depend only on their local view to make conclusions about the security status of their network, but also cooperate with their VANET server by exchanging security reports to create a more global and precise idea about the security situation of the whole network, the possible attacks and their origins. The other main contribution in this paper is the attempt to insert a Hybrid Intrusion Detection System functionality (combining all three IDS techniques: signature based IDS, anomaly based IDS and behavioral based IDS) into the RSU itself. Each one of these IDSs has its own resistance strategy against certain classes of attacks, which enhances the RSUs’ immunity. The suggested IDS was prototyped using an experimental model based on the Ubicom IP2022 network processor development kit and different practical tests were performed to evaluate the effectiveness of the suggested solutions.
1 Introduction

Many research works suggest that there is an actual need for a VANET infrastructure, which consists of various types of fixed nodes performing different actions according to the demands of VANET applications. An important class of these nodes is the road-side unit (RSU) [1, 2]. Due to power supply requirements, it was recommended to locate RSUs near wired electricity sources, such as traffic lights [1, 2]. However, such placement limits the area covered by the RSUs and thus their services. To overcome this restriction, it is required to establish self-powered RSUs. In our previous work [3], we suggest that an RSU can harvest the energy needed for its work from the surrounding environment, especially solar energy. Such a suggestion permits installing RSUs in any place without considering the power supply availability and hence an extensive area can be covered by the VANET infrastructure. We also suggest that these RSUs would create an ad hoc network in order to assist each other in delivering data packets to their destinations, which is why an ad hoc infrastructure is needed. Each RSU is responsible for providing different VANET services to the vehicles in a certain area of the city, ranging from traffic safety and road monitoring services to Internet access and entertainment services. RSUs, as a part of the VANET infrastructure, receive different packets from vehicles (vehicle status or Internet access request), then forward them to the VANET server via the ad hoc network. As a member of the ad hoc network, an RSU also behaves as a router which delivers other RSUs’ traffic to their destinations; see Fig. 1.

To implement a functional and efficient solar energy powered RSU, the embedded UBICOM IP2022 platform was chosen. The heart of the harvesting module is the harvesting circuit, which draws power from the solar panels (4-4.0-100 solar panels from Solar World Inc.), handles energy storage (2800 mAh, AA battery pairs), and routes the power to the intended system; see Fig. 1. A DC–DC converter is used to provide a constant supply voltage to the embedded system, and we used the Texas Instruments TPS63000 low-power boost–buck DC–DC converter to achieve this goal [3].

From the above discussion, it is clear that the RSU plays a major role in the proposed green VANET infrastructure and hence the security of this device must be a priority [4, 5]. The RSUs are subjected to a plethora of network traffic conditions and security attacks, which can seriously affect their integrity, performance and power consumption and hence their availability. So our efforts in this paper focus on the definition of a multitude of security methods to protect the RSUs (in particular) and the VANET (in general) against these threats.

2 Literature review

This section presents a survey of the existing research on intrusion detection system (IDS) functionality in ad hoc wireless networks, which has covered a wide research area. Since the nature of ad hoc networks is distributed and requires the cooperation of other nodes, many previous works [6–13] have proposed that intrusion detection in such networks should also be both distributed and cooperative. Every node contributes to intrusion detection and response by having an IDS agent running on it. An IDS agent is in charge of detecting and gathering the local events and data to identify probable intrusions, as well as initiating a response independently. However, the neighbouring IDS agents cooperatively take part in the global intrusion detection actions when the evidence is uncertain. On the other hand, some papers [14, 15] suggest enhancing the ability of an IDS to detect the various types of attacks, under different conditions, by modifying its internal architecture. By combining more than one type of IDS strategy, which is widely called the hybrid IDS (HIDS), the intrusion detection task would be more efficient and precise. Many papers dealt with the building of different IDS approaches against specific types of ad hoc network attacks [16–24]. These behavioural-based IDSs try to identify the activities of certain types of attacks by comparing their behaviour against previously defined models (an in-depth comparison among the different IDS methods can be seen in Table 1). Finally, some research works focus on employing reputation- and trust-based verification methods in order to categorise the different nodes in the VANET [25–28].

Although the majority of the mentioned references give various IDS solutions for the ad hoc networking environment, they do not take into consideration the issues of realising their ideas on real platforms, especially embedded systems. Even though our previous works in [29, 30] study the implementation challenges of inserting an IDS functionality into an embedded platform, the
IET Inf. Secur. 1
© The Institution of Engineering and Technology 2016
Fig. 1 Suggested solar energy-harvested RSU
contribution was limited to a cooperative IDS energised by the traditional wired power resources. Our efforts in this paper focus on answering some questions regarding the implementation of a cooperative HIDS in a renewable energy-dependent embedded system, questions such as:

i. Is it possible to implement such a sophisticated system on a resource-limited platform?
ii. What do we need to ensure the successful combination of the different security methods, algorithms and techniques with a solar energy powered system?
iii. What is the assessment of the whole system in terms of its network performance, practicability, power consumption and immunity against the different threats?

3 Threats model

In this paper, we are concentrating on the attacks perpetrated against the RSU itself rather than the VANET infrastructure or its users and applications. As shown in Fig. 2, the security threats against an RSU can take different forms and may originate from different sources. These sources can be insider attackers (attacks (1) & (2) in Fig. 2), which are either a ‘VANET user’ (e.g. the vehicles) or a forged RSU. In other words, the insider attacker is an authentic user of the network who has some knowledge of the network and makes use of it for understanding the design and configuration of the RSUs and the whole network. On the other hand, the outsider attackers (attack (3) in Fig. 2) make use of the VANET’s Internet connection to launch their attacks from a remote location outside the VANET coverage area [19].

On the other side, when investigating the possible types of attacks, the RSUs are susceptible to a variety of attacks that differ in their nature, goals and catastrophic effects [20]. We have made a survey of the possible attacks against the RSUs, according to their origins, as summarised in Table 2.

4 Embedded cooperative-hybrid intrusion detection system (ECHIDS)

Service availability is an important security issue, which means that authorised access to the data and other VANET resources is made ready when requested or demanded. This feature could be obtained by protecting the system against the different types of attacks using an IDS. To offer a high level of defence against the various attacks and to cope with the limited processing and energy resources in the RSU, we suggest a cooperative IDS approach. In this approach, the RSUs do not depend only on their local view to make conclusions about the security status of their network, but also cooperate with their VANET server by exchanging security reports to create a more global and accurate idea about the security situation of the whole network, the possible attacks and their origins (the term ‘VANET server’ used in this paper stands for the control centre of a VANET cluster. It was assumed that it consists of powerful, cooperative, reliable and secured servers in order to undertake the different VANET services and to serve its associated clients. It was also assumed that this centre was armed with the different strategies to avoid becoming a single point of failure). The implementation of the suggested cooperative IDS is shown in Fig. 3a. In such systems, the RSUs play the role of an IDS sensor: they ‘periodically’ generate their security status reports, and then forward them to the VANET server. These reports contain the necessary data about the number, types and sources of attacks against this RSU at that time. On receiving these reports, the VANET server accumulates them, and then performs the necessary processing to obtain the final report about the security status of this part of the network. Also, the VANET server suggests the necessary IDS reactions against these attacks and announces them to the RSUs and to the VANET administrator.
survey on the possible attacks against the RSUs, according to their IDSs must be able to distinguish between the normal and the
origins, as abstracted in Table 2. abnormal activities in order to discover the malicious attempts in
real time. There are three main techniques that an IDS can use to and finally the behavioural-based IDS is used to defend against the
classify the actions; a signature-based IDS, an anomaly based IDSs VANET-specific attacks [21, 22]. As shown in Fig. 3b, the input
and a behavioural-based IDS [19]. One of the main contributions in traffic to the HIDS is firstly sampled and processed (in the data-
this paper is the attempt to insert an HIDS functionality (combines processing unit) in order to extract its main features, such as the
all the three techniques together) into the RSU itself; see Fig. 3b. average data rate, the maximum data rate and the maximum burst
Each one of these IDSs has its own defence strategy against certain size and many others. This input traffic is then converted into a
classes of attacks. For example, the signature-based IDS is the best more proper format to be processed by the three different IDSs.
solution against the well-known Internet attacks, while the anomaly The final decision of the suggested that HIDS is taken based on the
based is very effective against the denial of service (DoS) attacks sub-decisions made by the three IDSs. This decision includes the
platform. Due to the huge amount of data, a reduction of data is compulsory, and a set of sample values was extracted and averaged from the available data. The sample sets were divided into training sets and test sets. The model performance can be assessed by the mean square error, calculated as the difference between the forecasted and the actual values [31]. It is noted that the average error values for the forecasting increased as the time scales increase because more variation is expected over a longer time period, due to the changed environmental, seasonal and circumstantial conditions, which affect the road traffic behaviour. Also, the measured false-positive and false-negative ratios (in which the predicted values are more or less than the real values [31]) show that our system tends to generate higher false-positive predictions. However, the error values are considered satisfactory and fall within the acceptable range of such systems [31].
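The RSU functionality check set out in steps ii to iv below is shown here in runnable form. This is an added example, not code from the paper: HMAC-SHA256 over a counter stands in for the PRNG routine, which the paper does not name, the sequence length and time-stamp window are assumed values, and encryption of the challenge packet is left out so that the sequence and time-stamp checks stay visible.

```python
import hashlib
import hmac

SEQ_LEN = 4       # numbers per sequence (assumed; the paper gives no length)
MAX_AGE_S = 30    # accepted time-stamp age in seconds (assumed)


class SyncedPrng:
    """Stand-in for one of the paired PRNG routines: two instances fed the
    same seed produce the same sequences from the same position."""

    def __init__(self, seed):
        self.seed = seed
        self.position = 0      # sequences consumed since the initialisation point

    def sequence(self, ahead=0):
        """Return sequence number position+ahead without consuming it."""
        first = (self.position + ahead) * SEQ_LEN
        return [int.from_bytes(hmac.new(self.seed, (first + i).to_bytes(8, "big"),
                                        hashlib.sha256).digest()[:4], "big")
                for i in range(SEQ_LEN)]


def same(seq_a, seq_b):
    """Compare two number sequences without an early exit on the first mismatch."""
    return hmac.compare_digest(repr(seq_a).encode(), repr(seq_b).encode())


def make_challenge(server, now):
    """Server side: the current sequence plus a time stamp."""
    return {"seq": server.sequence(0), "ts": now}


def rsu_reply(rsu, challenge, now):
    """RSU side: identity check on the challenge, then answer with the next sequence."""
    fresh = abs(now - challenge["ts"]) <= MAX_AGE_S
    if not (fresh and same(challenge["seq"], rsu.sequence(0))):
        return None                       # rejected; generator position unchanged
    reply = {"seq": rsu.sequence(1), "ts": now}
    rsu.position += 2                     # challenge and reply sequences are used up
    return reply


def server_check(server, reply, now):
    """Server side: True only for a fresh reply that carries the next sequence."""
    if reply is None or abs(now - reply["ts"]) > MAX_AGE_S:
        return False
    if not same(reply["seq"], server.sequence(1)):
        return False                      # this RSU would be reported to the others
    server.position += 2
    return True


def demo():
    seed = b"constructed-factory-seed"    # constructed sample seed
    server, rsu = SyncedPrng(seed), SyncedPrng(seed)
    forged = SyncedPrng(b"constructed-wrong-seed")   # RSU that never held the seed
    first = make_challenge(server, now=1000.0)
    genuine = server_check(server, rsu_reply(rsu, first, now=1001.0), now=1002.0)
    second = make_challenge(server, now=2000.0)
    forged_ok = server_check(server, {"seq": forged.sequence(1), "ts": 2001.0}, now=2002.0)
    # An old challenge replayed with a fresh time stamp fails the sequence check.
    replayed = rsu_reply(rsu, {"seq": first["seq"], "ts": 2001.0}, now=2001.0)
    in_step = server_check(server, rsu_reply(rsu, second, now=2001.0), now=2002.0)
    return {"genuine_rsu_passes": genuine, "forged_rsu_passes": forged_ok,
            "replayed_challenge_answered": replayed is not None,
            "genuine_rsu_still_in_step": in_step}


if __name__ == "__main__":
    print(demo())
```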
ii. Each pair of these PRNGs is first synchronised off-line prior to installing the RSU in the field. The synchronisation procedure includes feeding the two routines with the same seed values, then starting the random numbers generation procedure until they produce the same sequences. This initialisation point is saved in the RSU and the server and can be added to the Factory Default Settings in order to be used later when resetting the RSU.
iii. At this point, the two PRNGs are ready to generate the synchronised random numbers, which will be used for different purposes such as generating the random numbers used in the authentication procedure or checking the functionality of a certain RSU.
iv. To check an RSU’s functionality, the VANET server and its associated RSUs perform synchronisation tests periodically (or in response to a security report about a misbehaving or malicious RSU). These tests are initiated from the server side and involve sending an encrypted challenge packet to the RSU. This packet contains a sequence of random numbers generated by the PRNG routine on the server side and a time stamp. On receiving this packet, the RSU performs the identity check procedure, generates the next sequence of numbers and sends them (together with a time stamp) back to the VANET server.

If the receiver was a malicious or faulty RSU, then it will neither be able to decrypt the challenge packet, nor be able to generate the next correct sequence of random numbers. In this case, the VANET server broadcasts an encrypted security report to all RSUs about the discovery of a malicious RSU with the necessary details.

6 Experimental investigation of the suggested ECHIDS

To validate the convenience of the suggested ECHIDS from the power consumption point of view, several practical tests must be performed using an experimental network; see Fig. 9. The experimental network consists of ordinary PCs supplied with WLAN NICs working at different data rates, the IP2022 Ubicom platform, which was also supplied with the same WLAN NIC, the energy-harvesting module and a real-time storage oscilloscope. The purpose of performing these experiments is to emulate the real VANET environment in which the ECHIDS will be installed.

The objective of the first experiment is to record the electrical current drained by the RSU according to the different modes of operation: Transmission, Reception, IDLE, CPU full load and SLEEP. The traffic generator PC was programmed to send and receive 1 Mbps streamed UDP traffic to and from the IP2022 Ubicom platform. The real-time oscilloscope (Tektronix224) was used to measure the current drained from the batteries (according to the different network traffic conditions) by measuring the voltage across a (0.1 Ω) resistor, which is proportional to the drained current. Table 7 summarises the settings of this experiment and lists the average values obtained for different data rates.

The goal of the second experiment is to discover the network activities of a typical VANET infrastructure and hence the power consumption of the proposed RSU under realistic road traffic conditions. To feed the experimental test bed with truthful values, a simulation model was built using the Network Simulation package. The goal of building this model is to generate traffic patterns as close as possible to the real situations. Our network represents a VANET cluster of 40 RSUs covering a (25 km²) area of a typical city. It was assumed that the vehicles broadcast their 100 byte status packets every 1 s [3], while the RSUs generate their 1000 byte traffic report ten times per minute and forward them to the VANET server [3]. According to our earlier analysis in [38], the optimised link state routing (OLSR) protocol gives the best performance compared with the other ad hoc routing protocols when working in a non-stationary ad hoc topology, so it was adopted in our simulation model. The OLSR mechanisms are regulated by a set of parameters predefined in the OLSR RFC 3626 [4] standard and it was adopted in our simulation model; see Table 8. To simplify the simulation model, the RSUs were assumed to be identical and subjected to the same road traffic conditions. The different network traffic patterns generated from running the previous simulation model (listed in Table 8) represent the baseline VANET model, i.e. without the intervention of any attack or the functionality of the suggested ECHIDS.

The aim of the next experiment is to measure the effect of the cooperative signature (SNORT)-based IDS functionality on the network traffic and hence the RSU power consumption. The test bed was fed with the simulation model outcomes (the RSU In/Out network traffic) while changing both the rules update file size (number of rules) and the signatures update interval. The results obtained from performing these tests are shown in Figs. 10a and b. Increasing the file size while decreasing the update interval creates more network load and hence more power is consumed due to the increase in the transmission/reception operations. It is worth mentioning that when using a fully charged 2800 mAh AA battery, an RSU can work for 27 h under the VANET baseline traffic pattern; however, the battery life decreased to 26.5 h when the update file size was chosen to be (40 kbyte) with a (10 min) update interval (highest extra traffic case). In the real world implementation, we recommend the file size to be (20 kbyte) with a (30 min) update interval, which is a good compromise between an RSU’s invulnerability and its power consumption. Finally, it is worth mentioning that the additional RSU CPU utilisation (due to the additional IDSs’ tasks) was observed to range between (5 and 15%) according to the update file size.

The effect of the black hole attack on the RSU power consumption and hence its battery life is described in this experiment. At this point, two variables were changed: the percentage of an RSU’s traffic dropped by its neighbours (due to the black hole attack) and the number of retransmission attempts made by the RSU to compensate for this dropping. Fig. 10c shows the destructive effect of such an attack on the drained current and hence the battery life of the RSU, as listed in Table 9. These measurements confirm the importance of our earlier procedure to cope with this type of attack using the suggested behavioural-based IDS.

In this context, we also investigated the degradation in the battery life caused by the energy intensive ‘promiscuous packet capturing’ task which is needed to perform the suggested defence against the black hole attack. Fig. 10d shows that as this mode of operation includes the reception of additional network traffic from the neighbouring RSUs, more energy is consumed to achieve this mission. However, including this task in the power budget planning procedure puts its consumed power within the predetermined energy utilisation limits and guarantees a longer battery life.

The purpose of the last experiment is to examine the ability of the suggested power management method to adapt to the different working conditions (wherein different AE levels were assumed) and to defend against unmanaged network traffic conditions (such as those resulting from the energy exhaustive attack). Fig. 10e shows that the suggested power management
8 Conclusion

In this paper, different intrusion detection methods were suggested to protect solar energy-harvested RSUs against various types of internal and external threats. The proposed defence strategies took into account the embedded nature of an RSU and hence the recommended solutions make a compromise between a highly

and green ad hoc routing protocol, so that the power management and the security techniques will be taken into consideration in the earlier design stages.

9 References

[1] Wu, T., Liao, W., Chang, C.: ‘A cost-effective strategy for road-side unit placement in vehicular networks’, IEEE Trans. Commun., 2012, 60, (8), pp. 2295–2303
[2] Barrachina, J., Garrido, P., Fogue, M., et al.: ‘Road side unit deployment: a density-based approach’, IEEE Intell. Transp. Syst. Mag., 2013, 5, pp. 30–39
[3] Ali, Q.I.: ‘Design, implementation & optimization of an energy harvesting system for VANETS’ road side units (RSU)’, IET Intell. Transp. Syst., 2014, 8, (3), pp. 298–307
[4] Ali, Q.I.: ‘Security issues of solar energy harvesting road side unit (RSU)’, IJEEE J., 2015, 11 (1), pp. 18–31
[5] Filippini, I., Malandrino, F., Cesana, M., et al.: ‘Non-cooperative RSU deployment in vehicular networks’. WONS Conf., 2012
[6] Buchgger, S., Le Boudec, J.: ‘Performance analysis of the CONFIDANT protocol’. Proc. IEEE/ACM Workshop on Mobile Ad Hoc Networking and Computing (MobiHoc'02), Lausanne, Switzerland, June 2002, pp. 226–336
[7] Zhang, Y., Lee, W.: ‘Intrusion detection in wireless ad hoc networks’. Sixth Int. Conf. on Mobile Computing and Networking, August 2000, pp. 275–283
[8] Michiardi, P., Molva, R.: ‘Core A collaborative reputation mechanism to enforce node cooperation in MANET’. Communication and Multimedia Security Conf. (CMCS'02), September 2002
[9] Nasser, N., Chen, Y.: ‘Enhanced intrusion detection system for discovering malicious nodes in mobile ad hoc networks’. ICC 2007 Conf., 2007
[10] Huang, Y., Lee, W.: ‘A cooperative intrusion detection system for ad hoc networks’. First ACM Workshop Security of Ad Hoc and Sensor Networks, Fairfax, VA, 2003
[11] Kachirski, O., Guha, R.: ‘Effective intrusion detection using multiple sensors in wireless ad hoc networks’. 36th Annual Hawaii Int. Conf. on System Sciences, 2003
[12] Krügel, C., Toth, T.: ‘Flexible, mobile agent based intrusion detection for dynamic networks’ (European Wireless, 2002)
[13] Xiao, K., Zheng, J., Wang, X., et al.: ‘A novel peer-to-peer intrusion detection system using mobile agents in MANETs’. Sixth Int. Conf. on Parallel and Distributed Computing, Applications and Technologies, 2005
[14] Gómez, J., Gil, C., Padilla, N., et al.: ‘Design of a snort-based hybrid intrusion detection system’. IWANN 2009, 2009
[15] Aydın, M.A., Zaim, A.H., Ceylan, K.G.: ‘A hybrid intrusion detection system design for computer network security’, Comput. Electr. Eng. J., 2009, 35, pp. 517–526
[16] Marti, S., Giuli, T.J., Lai, K., et al.: ‘Mitigating routing misbehavior in mobile ad hoc networks’. Proc. Sixth Annual ACM/IEEE Int. Conf. on Mobile Computing and Networking, 2000, pp. 255–265