Cross –Layer Intrusion Detection System for Wireless Sensor Networks

Cross –Layer Intrusion Detection System for Wireless Sensor Networks

D Sathya¹* and K Krishneswari²

*1Kumaraguru College of Technology, Coimbatore, Tamil Nadu, India.

2Tamilnadu College of Engineering, Coimbatore, Tamil Nadu, India.

Received 25 August 2014; revised 29 September 2015; accepted 22 December 2015

In Wireless Sensor Network, the sensor nodes monitor any abnormal events occurring around the business environment to report the emergency alert whenever it detects any abnormality in an environment or report the monitored data continuously or periodically to the base station. These emergency alerts can be stolen or modified by the attackers or in some cases, the sensor nodes can be physically compromised by the attackers, which lead to an unsafe environment. To avoid these problems, Intrusion Detection System is implemented at the base station to filter the abnormal data mostly related to the attacks of network layer. But this paper proposes a novel cross layer rule based intrusion detection system to detect the attacks coming from different layers in Wireless Sensor Networks. The method analyzed several detection rules for Physical, MAC, Network and Application layer attacks. The implementation is done using the rules identified from the IDS techniques available for Wireless Sensor Network. The experimental result shows the detection rate of different attacks on different layers. The performance of cross layer IDS are shown in the graph by making the comparison between the detection rates of various IDS techniques.

Keywords: Cross –layer Intrusion Detection System, PIR sensor, Ultrasonic sensor.

Introduction

Wireless Sensor Networks (WSN)¹ is a special category of ad hoc wireless networks that are used to provide a wireless communication infrastructure among the sensors deployed in an application domain.

The sensor node is deployed in an open and unattended environment and transmits the sensed data to the sink node or the base station. The sensor nodes are very cheap and it is easy to deploy in large number for monitoring applications. At the same time, due to the resource constraint nature of sensor nodes, the sensor nodes can be easily captured by the attackers physically. On the other hand, the base station stores the repository of data collected from the sensor nodes process and transmit to the users,so the data need to be checked before processing by the base station. The WSN is needed in business environment to guarantee the safety and security of the servers, storage devices and networking hardware. Nowadays, sensor nodes are cheaper to deploy in small to medium size business, remote offices, server rooms, meeting rooms, bank locker rooms etc. The sensor nodes are used to detect the unauthorized access, smokes and leaks, airflow and vibrations, temperature

and humidity fluctuations etc. The sensor network provides increased availability with real time notifications to the managers or administrators that prevent the business environment from the hazards and theft. These emergency alarms can be compromised by the attackers, so the information has to be securely transferred to the base station or users.

Several Intrusion Prevention Systems like cryptography, authentication, and key management was proposed to secure the data, but all these security mechanisms cannot be able to prevent all types of attacks², so the Intrusion Detection System (IDS) need to be implemented in Wireless Sensor Networks as a second line of defence. Intrusion Detection System monitors the data collected from sensor nodes and raises an alarm when it detects any abnormality in data. Most of the IDS concentrates on the attacks of Network layer and leaves the Physical, MAC, Application layer anomalies³.

In this work, the sensor nodes are deployed to monitor the business environment. The sensor nodes used in the surveillance system, reports the sensed message continuously to the base station and the system is setup in such a way that it raises an alarm in two situations:

 When the sensor node senses any object movement inside the target area and

——————

*Author for correspondence E-mail: Sathy.spj@gmail.com

 The object distance is very nearer to attack the target area. These emergency alerts may be stolen or modified by the intruder which leads to a large problem in the business environment.

 The attacks from different layers are summarized below⁴.

 Attacks on Physical layer – Node outage, Eavesdropping, Jamming attacks.

 Attacks on MAC layer – Collision, Sybil attack.

 Attacks on Network layer – Black hole attack, Sinkhole attack, Selective forwarding, replicating data packet attack.

 Attacks on Application layer – Selective message forwarding, Attacks on Data aggregation.

The attack in one layer may extend the attack to other layers for example: the node compromise attack from the physical layer may drop the packet or modify the packet that occurs in network layer⁵. These attacks are called cross –layer attacks and hence this paper focused on detecting attacks in all the layers. At the base station, the Cross layer Rule based Intrusion Detection System (CIDS) is invoked to overcome the attacks coming from distinct layers.

The security mechanism in WSN is divided into two levels:

 Intrusion Prevention mechanism like cryptography, authentication acts as the first level of defence, which prevents the network from known outsider attacks but fails to prevent some outsider and insider attacks caused by a compromised node.

 Intrusion Detection mechanism acts as a second level of defence, that catches all the insider attacks and also the undetected outsider attacks.

Also by filtering out the attacks the vulnerabilities in a system can be easily identified and to overcome those vulnerabilities IDS enables a programmer to develop a new prevention system⁶.

 Several IDS techniques proposed were fall under one of the three categories⁸.

 Misuse Detection: It is also called as rule-based or signature based detection scheme, where the attack patterns are defined and given to the system. The incoming data are compared to the attack patterns and if it finds a match then the particular data will be discarded.

 Anomaly Detection: It is also called as outlier based detection scheme where the normal behaviour of data is modelled and if the data deviates from the normal behaviour then it will be marked as intrusion.

 Specification Detection in which an automated training based anomaly detection and human made rule-based misuse detection techniques are combined to form a hybrid system.

In⁷, the Intrusion prevention and detection for Industrial applications was proposed. IPS provides data, node authentication and prevents eavesdropping.

As a second level the IDS is designed to secure the network against the attacks which is not detected by the IPS. Further the significance of the one-hop clustering was shown with real motes and a hierarchical framework is proposed for detecting other attacks. In⁶, the algorithm for IDS is implemented in the monitor node and it has three phases: Data acquisition, Rule application and Intrusion Detection. The advantage of this scheme is that the rule definitions are specified clearly to detect attacks like jamming, blackhole, wormhole and selective message forwarding in a faster manner. In⁸, the Hybrid IDS combines three models:

 Rule based anomaly detection model filter the data that deviates from the normal behaviour,

 The filtered abnormal data is passed to Misuse detection model, where the known attacks are filtered,

 Rule based decision making model combines the output from anomaly and misuse detection model to determine the attacks and type of attack.

The advantage of the scheme is it reduces the energy wastage because only the filtered data is passed to the misuse detection model and rules in the decision making model makes the decision faster.

In⁹, three different IDS are proposed for sink, cluster head and sensor node. The rule based misuse detection model is implemented at the sensor node.

Hybrid IDS (HIDS) is implemented at the cluster head to combine Anomaly and Misuse detection model. The output is passed to the decision making model to decide the attack and the type of attack. An Intelligent Hybrid IDS (IHIDS) is implemented at the sink node which combines Anomaly detection, Misuse Detection, Decision Making Model and finally the learning mechanism to detect unknown attacks. The advantage of this scheme is that the learning mechanism used in the IHIDS increases the detection rate and also gives better performance. In the proposed system the IDS rules are selected from the papers studied for Intrusion Detection techniques in WSN and the threshold values are setup for the

related parameters of the layers. The IDS filters the data when the data fails in any one of the rule and reports to the base station about their abnormality, type of attack and its layer of attack. In the experimental results, the comparison is made with the existing schemes and also shows the high detection rate of proposed scheme.

Materials and Methods

Data collection phase

The data are collected in real time using PIR sensor and Ultrasonic sensor. Details and the purpose of the sensor are described below:

The Pyroelectric Infrared (PIR) motion sensor is used to detect the object movement (animals, people or other objects). It is also called as PID –Passive Infrared Detector. The passive detector do not generate any energy for detection instead PIR uses the heat energy emitted from the object for detection. The sensing region is divided into two halves, if one half has higher or lower IR radiation than the other then output will change to high or low. The PIR detects the movement of objects up to a distance of 2 meters.

HC-SR501 PIR uses operating voltage range –DC voltage 3.6 ~ 20V, operates at

 Temperature -15 to +70 degrees, and outputs high 3.3 V/Low 0V and uses the connection VCC, GND, Output.

 The Ultrasonic sensor – The sensor is used to detect the distance to an object and senses up to a distance of 2cm – 300 cm. The Ultrasonic sensor generates a sound or radar and receives back an

echo signal when it is interrupted by any object or obstacles. The sensor calculates the time interval between sending the radar and receiving the echo which is used to determine the distance to an object. HC –SR04 Ultrasonic mote consists of transmitter, receiver and a control circuit. It operates at DC 5V, and senses in angle less than 15 degree and uses the connection VCC, trig (control), echo (receiver), GND.

Both the sensors are connected to an Arduino Uno (microcontroller board) to receive the input from sensors. Microcontroller ATmega328 operates at 5V, and have 6 analog input pins, 14 digital I/O pins, 32 KB flash memory, 2 KB SRAM, 1 KB EEPROM, 16 MHZ clock speed. Fig. 1 shows the experimental setup of the sensors and arduino board. The data generated using the PIR sensors are in the form of 0’s and 1’s. The data ‘0’ is generated when no object inside the target area otherwise it generates ‘1’ when PIR detects any object movement and it continues to generate ‘1’ until the object moves out of the target area. The Ultrasonic sensor detects the distance to an object inside the target area. The distance are collected in the form of millimeters, using our setup 3000 mm is taken as the maximum distance and 500 mm is taken as the nearer distance to attack the target place. Arduino software is used to set the delay between the readings, initialize an input pin, input pin for trigger and echo. The sensor data received by arduino are connected to the computer through USB cable. Fig. 2 shows the connection of two sensors with a system.

Fig. 1—Experimental setup

Proposed system- Intrusion Detection System phase

The PIR (sensor 1) and Ultrasonic sensor (sensor 2) act as two member nodes which detect the movement of object inside the target area and also sense the speed of the object to attack the target area. The sensed data is forwarded through one –hop clustering to the base station. For both sensor node 1 and 2, node 1 is assumed as cluster head and no specific routing protocol is used. Fig. 3 shows the proposed system model in which the base station collects all the data send by the sensors and triggers an IDS routine to detect the abnormal data. The data is checked against the various Cross layer rules and when it finds any deviation from the normal threshold value then the data is discarded and informed to base station about the type of attack and layer of attack. The collected data are stored and the PHP language is used for creating an interface and detecting abnormality from normal data.

Cross layer attacks and Detection System

The layered approach mostly detects the attacks of network layer and does not detect the attacks of other layer¹⁰. The Cross layer IDS is implemented to detect the injection of attacks in Physical layer, Data link layer, Network layer and Application layers.

Physical layer

Sensor nodes are mostly deployed in remote areas.

Due to this, the sensor nodes are highly vulnerable to theft and capturing¹¹.

Jamming Attack

The Jammer device continuously or randomly transmits the radio transmission signal to interfere

the network channel¹². The impact of the jamming attack results in packet dropping, due to this unacknowledged packets will be retransmitted again which results in delay, throughput drops and finally it slows down the application. The jamming attack can be detected by the deviation in received signal strength (RSS) value and angle of arrival measurements. It is also detected by the deviation in Packet Arrival Rate (PAR) threshold⁷ and number of collisions in the channel⁶. In CIDS, the deviation in RSS value is chosen as the best parameter to detect the attack.

Node Failure Attack and Node Malfunction

The sensor node failure is caused by the hardware, software, battery failure or environmental effects. The data generation will be completely stopped or there may be delay in receiving the data is the impact of sensor node failure. In¹³, the failure or malfunctioning node is detected by the Round trip delay time (RTD) of Round trip path. If the delay time is infinity then the node is detected as malfunctioning and if the delay time is greater than threshold value then the node is detected as failure one. In CIDS, the attack is identified by the interval rule⁸ ie, the time difference between the two consecutive packets is greater or lower than the allowed limits.

MAC layer

MAC layer focuses on the radio channel access and error control and it is highly vulnerable to collision and other exhaustion attacks¹¹.

Traffic Manipulation

The traffic manipulation is an attack where the intruder suppresses all the data or sends the meaningless data to the base station, therefore it leads to the deviation in packet reception rate¹⁴.It also leads to DoS attack or data aggregation distortion. In CIDS the traffic manipulation is detected by the deviation in Packet Arrival Rate (PAR) threshold value¹⁴.

Fig. 2—The connection with real sensor motes

Fig. 3—The System Model

False Node

In¹⁵, the false node is inserted by the attacker inside the network. The false identity (id) attack will insert false data or stops the transmission of original data in the network. In this work, the node id which carries the data to the base station is compared against the registered id, if mismatch is found then it is marked as false id attack.

Sybil attack

The Sybil attack duplicates the node ids in the network and present in same or different location¹⁵. The duplicate node id can be identified by verifying the changes in RSS values, because a node can have only one radio channel to send or receive¹⁶. The radio transmission rule is followed to detect the spoofed attack^7,6 and the same technique is followed in the proposed work, where the duplicate node id is identified by different RSS values.

Network Layer

Network layer uses multihop for routing the data towards the destination. The existing routing protocol used for wireless network is not suitable or does not provide high security in WSN. So it is vulnerable to routing attacks^{17, 18}.

Replicating Data Packet Attack

Similar to id spoofing the data may also replicate several times in the network and it leads to energy consumption and traffic manipulation in the network.

In CIDS, the same data replicating from same node id for a particular period of time is designated as replicated data packet.

Altered Packet Attack or False Data

In¹⁹ the packet content will be altered by the attackers. But in CIDS, the attack is detected by the Integrity rule as in^6,7.

Packet dropping attack or selective forwarding attack

The packet content from the sensors will be completely or selectively dropped by the attackers. In CIDS, the attack is identified by the packet dropping¹¹. Routing Attack

The routing attack is the one which takes false routing path. The routing attack leads to false data or in some cases the data goes around an infinite loop. In CIDS, the attack is identified by the change in the source address of the packet.

Hello flood Attack

In²⁰, the attacker node sends or floods a hello packet into the network to convey the node is a neighboring node. The attack causes the legitimate node to send the original packet to the attacker believing that is a neighbor. In CIDS, the attack is identified by the addition of new node identity in the network⁷.

Application Layer

Application layer is responsible for data aggregation and sending the queries. This layer is vulnerable to data aggregation distortion and message alteration²¹.

Selective Message Forwarding

In⁴, the attacker selectively forwards the message by learning the semantics of the message. The attack will change the data aggregation value and CIDS identifies the attack using the Integrity rule⁶.

Results & Discussion

The Detection Rate (DR) of various attacks between WISN⁷, Decentralized IDS⁶, and the Cross Layer IDS are compared. Number of attacks and the DR (%) are given for 80,100,200,400,500 datasets.

The detection techniques from the experimental test of WISN⁷ are tested with the dataset collected and the results obtained are shown in Table 1. The detection techniques are as follows:

Table 1—Attack Detection Rate according to WISN techniques

Attacks WISN

80 100 200 400 500

No. of

attacks DR (%) No. of

attacks DR (%) No. of

attacks DR (%) No. of

attacks DR (%) No. of

attacks DR (%)

Jamming attack 2 50 2 50 4 75 8 62.5 10 60

ID Spoofing attack 1 100 1 100 2 100 6 100 8 75

Spoofed or Altered

Packet attack 2 100 2 100 4 50 8 75 10 70

Selective forwarding or

Packet Dropping attack 1 100 2 100 5 40 9 55.5 11 54.5

Hello flood attack 1 100 2 50 4 100 8 100 10 100

 Packet Jamming attack: Detection using the predetermined packet arrival rate.

 ID Spoofing attack: Detection using radio transmission rule.

 Spoofed or Altered Packet attack: Detection using the integrity rule.

 Selective forwarding or Packet Dropping attack:

Detection using packet dropping.

Hello flood attack: Dection using new nod In WISN⁷ in order to detect a single attack many techniques are implemented and from the results obtained the best among them are chosen here. The Detection Rate (DR) of the jamming attack is calculated by the formula

attacks 100 of . No Total

ected det attacks of . (%) No Rate

Detection 







 … (1)

Similarly the detection rate is calculated for all other attacks.

Using the dataset collected, various attacks are tested with the rules defined in Decentralized IDS⁶ and illustrated in Table 2. The rules are as follows:

 Jamming rule: Jamming attack is detected when the collisions in the network is greater than the number expected.

 Interval rule: Negligence attack and exhaustion attack can be detected if the time interval between the two consecutive packets is higher or lower than the expected value.

 Integrity rule: By detecting the changes in the message payload, altered packet attack can be detected.

 Retransmission rule: Black hole and Selective forwarding attack can be detected when

the intruder suppresses some or all of its messages.

 Radio transmission rule: Attacks like Hello flood and Worm hole can be detected by receiving a packet with high radio transmission range from the farther node.

In CIDS, the rules are taken from both Decentralized IDS⁶ and WISN techniques⁷ for detecting attacks like Jamming attack, Altered Packet attack, Selective forwarding attack, Hello flood attack. In addition to these attacks, false id attack, Routing attack, Replicating data packet attack, and Selective Message forwarding are detected in the proposed work.

Few attacks were injected in the dataset in real time to test the proposed idea. For example for Node failure attack, the sensor nodes are disconnected from the arduino board and the data reported to the base station is nil for disconnected period of time. Table 3 shows the detection rate of various attacks in Cross layer IDS. Among 80 data 2 are jamming attacks, from that 1 attack is detected so detection rate is 50%. Similarly replicating packet attack is 3 among that 2 attack is detected so detection rate is 66.67%.Totally 16 are attacked data among that 2 are undetected so total detection rate is 87.5%.

Using the below formula total detection rate for CIDS is calculated as

Layers 100 four the all in attacks of . No

Total MAC,Network,ApplicationLayer) Physical,

( No.ofattacksdetectedinfour layers (%)

Rate Detection

Total  





























… (2) The high detection rate is obtained in CIDS by detecting the attacks in four layers.

Table 2—Attack Detection Rate according to Decentralized IDS

Attacks WISN

80 100 200 400 500

No. of

attacks DR (%) No. of

attacks DR (%) No. of

attacks DR (%) No. of

attacks DR (%) No. of

attacks DR (%)

Jamming attack 2 50 2 50 4 75 8 62.5 10 60

ID Spoofing attack 1 100 1 100 2 100 6 100 8 75

Spoofed or Altered

Packet attack 2 100 2 100 4 50 8 75 10 70

Selective forwarding or

Packet Dropping attack 1 100 2 100 5 40 9 55.5 11 54.5

Hello flood attack 1 100 2 50 4 100 8 100 10 100

Conclusion

We proposed a Cross Layer Rule based IDS which provides the detection against various attacks from almost all layers. The Intrusion Detection rates are compared with the two previous detection techniques and a high detection rate was obtained from Cross layer rule based IDS. In the future work, Genetic optimized neural network have to be used to increase the accuracy and speed of detection rate for complex dataset.

References

1 Jha M K & Sharma T P, Secure Data Aggregation in Wireless Sensor Network: A Survey, Int J Eng Sci Techno, 3 (2011) 407-412.

2 Abduvaliyev A, Al-Sakib K P, Jianying Z, Roman R &

Wai-Choong W, On the Vital Areas of Intrusion Detection System in Wireless Sensor Networks, IEEE Commun Surveys and Tutorials, 15 (2013) 1223-1237.

3 Nabil Ali A, Khan S & Shams B, Intrusion Detection System in Wireless Sensor Networks, Int J Distributed Sensor Networks, (2013) Article ID 167575.

4 Xing K, Shyaam Sundhar R S, Rivera M, Jiang L & Xiuzhen C, Attacks and Countermeasures in Sensor Networks: A Survey, (2005).

5 Wang C, Feng T, Kim J, Guiling W & Wensheng Z, Catching Packet Droppers and Modifiers in Wireless Sensor Networks, IEEE Tran on Par & Dist Sys, 23 (2012) 835-843.

6 Da Silva A P R, Martins M H T & Rocha B P S, Decentralized Intrusion Detection in Wireless Sensor Networks, Proc Int Workshop on Qual of Service Security in Wire and Mob Networks, (2005) 16-23.

7 Sooyeon S, Taekyoung K, Gil-Yong J, Youngman P &

Rhy H, An Experimental Study of Hierarchical Intrusion

Detection for Wireless Industrial Sensor Networks, IEEE Trans Industrial Informatics, 6 (2010) 744-757.

8 Yan K Q, Wang S C & Liu C W, A Hybrid Intrusion Detection System of Cluster-based Wireless Sensor Networks, Proc Int Multiconf of Eng and Comp Scientists, 1 (2009) 18-20.

9 Shun-Sheng W, Kuo-Qin Y, Shu-Ching W & Chia-Wei L, An Integrated Intrusion Detection System for Cluster-based Wireless Sensor Networks, Expert Sys with Appl, 38 (2011) 15234-15243.

10 Boubiche D E& Bilami A, Cross Layer Intrusion Detection System for Wireless Sensor Network, Int J Network Security and its Appl (IJNSA), 4 (2012) 35-52.

11 Usham Robinchandra S, Sudipta R & Mutum H, A Survey on Wireless Sensor Network Security and its Countermeasures: An Overview, Int J Eng Sci Invention, 2 (2013) 19-37.

12 Proano A & Loukas L, Packet-Hiding Methods for Preventing Selective Jamming Attacks, IEEE Trans Dependable and Secure Computing, 9 (2012) 101-114.

13 Duche R N & Nisha P S, Sensor Node Failure Detection Based on Round Trip Delay and Paths in WSNs, IEEE Sensors J, 4 (2014).

14 Ponomarchuk Y & Dae-Wha S, Intrusion Detection based on Traffic Analysis and Fuzzy Inference System in Wireless Sensor Networks, J Convergence, 1 (2010) 35-42.

15 Padmavathi G & Shanmugapriya D, A Survey of Attacks, Security Mechanisms and Challenges in Wireless Sensor Networks, Int J Comp Sci and Inform Security, 4 (2009).

16 Newsome J, Shi E, Dawn S & Adrian Perrig, The Sybil Attack in Sensor Networks: Analysis and Defenses, proc Int symp Inform processing in sensor Network sys, (2004) 259-268.

Table 3—Attack Detection Rate according to Cross layer IDS

Attacks Cross layer IDS

80 100 200 400 500

No. of

attacks DR (%) No. of

attacks DR (%) No. of

attacks DR (%) No. of

attacks DR (%) No. of

attacks DR (%)

Jamming attack 2 50 2 50 4 25 8 62.5 10 70

Node malfunction or

Node failure 1 100 3 100 6 83.3 12 91.7 15 93.3

Traffic Manipulation

Attack 1 100 3 100 6 83.3 12 83.3 15 93.3

False id attack 1 100 2 100 4 100 8 100 10 100

Sybil attack 1 100 1 100 2 100 6 100 8 75

Replicating Packet

attack 3 66.7 3 100 8 87.5 10 90 13 92.3

Altered Packet attack 2 100 2 100 4 50 8 75 10 70

Packet Dropping 1 100 2 50 5 40 9 55.5 11 54.5

Routing attack 2 100 2 100 4 75 8 87.5 10 80

Hello flooding attack 1 100 2 50 4 100 8 100 10 100

Selective Message

Forwarding 1 100 2 50 4 25 8 75 10 70

17 Su C C, Chang K M, Kuo Y H & Horng M F, The new intrusion prevention and detection approaches for clustering based sensor networks, Proc IEEE WCNC, 4 (2005) 1927-1932.

18 Shio Kumar S, Singh M P & Singh D K, Routing Protocols in Wireless Sensor Networks – A Survey, Int J Comp Sci &

Eng Survey, 1 (2010) 63-83.

19 Lupu T G, Main Types of Attacks in Wireless Sensor Networks, Proc Int conf signal, speech and image

processing, and Int conf Multimedia, internet & video technol, (2009) 180-185.

20 Virendra P S, Sweta J & Jyoti Singhai, Hello Flood Attack and its Countermeasures in Wireless Sensor Networks, Int J Comp Sci Issues, 7 (2010) 23-27.

21 Alhameed Alkhatib A A & Singh Baicher G, Wireless Sensor Network Architecture, Int Conf Comp Net and Commun Sys, , 35 (2012) 11-15.