A Global Hybrid Intrusion Detection System for Wireless Sensor Networks

Available online at www.sciencedirect.com

ScienceDirect Procedia Computer Science 52 (2015) 1047 – 1052

The 5th International Symposium on Frontiers in Ambient and Mobile Systems (FAMS 2015)

A Global Hybrid Intrusion Detection System for Wireless Sensor Networks Yassine Maleh*a, Abdellah Ezzatib , Youssef Qasmaouic, Mohamed Mbidac Faculty of Sciences and Techniques – Department of Mathematics and Computer, LAVETE Laboratory, Settat 26000, Morocco Hassan 1st University – Faculty of Sciences and Techniques, IR2M Laboratory, Settat 26000, Morocco

Abstract

Many researchers are currently focusing on the security of wireless sensor networks (WSNs). This type of network is associated with vulnerable characteristics such as open-air transmission and self-organizing without a fixed infrastructure. Intrusion Detection Systems (IDSs) can play an important role in detecting and preventing security attacks. In this paper, we propose a hybrid, lightweight intrusion detection system for sensor networks. Our intrusion detection model takes advantage of cluster-based architecture to reduce energy consumption. This model uses anomaly detection based on support vector machine (SVM) algorithm and a set of signature rules to detect malicious behaviors and provide global lightweight IDS. Simulation results show that the proposed model can detect abnormal events efficiently and has a high detection rate with lower false alarm. © © 2015 2015 The The Authors. Authors.Published Publishedby byElsevier ElsevierB.V. B.V.This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of the Conference Program Chairs. Peer-review under responsibility of the Conference Program Chairs Keywords: Wireless Sensor Network, Hybrid Intrusion Detection System, Support vector machine, Signature attacks, false alarm, detection rate;

1. Introduction Wireless sensor networks (WSNs) have become increasingly one of the most interesting research areas over the past few years. The different characteristics of wireless sensor networks (energy limited, low-power computing, use of radio waves, etc...) expose them to many security threats 1. Cryptography defined as a first line of defense is

*

Corresponding author. Tel.: +212-608-86-75-68; fax +212-522-78-64-03. E-mail address: [email protected]

1877-0509 © 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of the Conference Program Chairs doi:10.1016/j.procs.2015.05.108

1048

Yassine Maleh et al. / Procedia Computer Science 52 (2015) 1047 – 1052

ineffective when the attacker is located inside the network. Intrusion detection system (IDS) defined as the second line of defense, allows detection and prevention of internal and external attacks. The IDSs designed for wired or ad hoc networks cannot be implemented directly in the WSN. Therefore, there is a need to design a specific detection system for wireless sensor network, which takes in consideration the limitations of WSNs 2. The paper is organized as follows. In the next section, we present in related work. Section 3 proposes security architecture for WSNs. Section 4 describes the algorithms and the defense methods against routing attacks. In the Section 5, we present performance analyses and discussion of our scheme. Finally, the paper ends with a conclusion and future works. 2. Related Work In literature, there are a few works that aim to combine between anomaly-based approach and signature based approach (hybrid model) to benefit from the advantages of both detection techniques. Yan et al. 3 proposed hierarchical IDS based on clusters. The authors took advantage of this approach and install on each cluster-head an IDS agent (core defense). This agent has three modules: a supervised learning module, an anomaly detection module based on the rules and decision-making module. The simulation results show that this model has a high detection rate and lower false positive rate. However, the main disadvantages of this scheme is: The IDS node is static (runs only in the cluster-head), in this case the intruder uses all his strength to attack this hot spot (hot point) and subsequently disrupts the network. The implementation of this detection mechanism requires many calculations in cluster-heads, which can decrease the network lifetime. Hai et al. 4 proposed a hybrid, lightweight intrusion detection system integrated for sensor networks, based on the model proposed by Roman et al. 5. Intrusion detection scheme takes advantage of cluster-based protocol to build a hierarchical network and provide an intrusion framework based on both anomaly model and misuse techniques. In their scheme, IDS agent consists of two detection modules, local agent and global agent. The authors apply their model in a process of cooperation between the two agents to detect attacks with greater accuracy (both agents are in the same node). However, the disadvantage of this scheme is the sharp increase in signatures, which can lead to an overload of the node memory. In recent work, Coppolino and al. 6 presented a hybrid, lightweight, distributed IDS for wireless sensor networks. This IDS uses both misuse-based and anomaly-based detection techniques. It is composed of a Central Agent (CA), which performs highly accurate intrusion detection by using data mining techniques, and a number of Local Agents (LA) running lighter anomaly-based detection techniques on the motes. Based on these hybrid models. Our contribution in this paper is to propose an efficient and lightweight intrusion detection system for sensor network. Our goal in this research is to study and implement a new model of intrusion detection that combines the advantages of both techniques anomaly based model and signature based model in cluster wireless sensor environment, and surpassing other hybrid models proposed in the literature. 3. The proposed hybrid model The Hybrid Intrusion Detection System (HIDS) achieves the goals of high detection rate and low false positive rate. The proposed model uses anomaly detection based on SVM technique and a set of attacks represented by fixed rules signatures, which are designed to validate the malicious behavior of a target identified by anomaly detection technique. The detection approach is integrated into a cluster-based topology to increase the network lifetime. This is achieved by designating one known node as a leader of the group (cluster-head), that forwards nodes packets (data aggregated) to the base station (BS) instead of sending their (nodes) collected data to a remote location (base station). Cluster head acts like a local base station sensor, then clusters elect themselves to be a CH at any given time with a certain probability, more details can be found in 7. We propose a cluster-based architecture that divides the array of sensors into a plurality of groups, each of which comprises a cluster-head (CH). In this architecture, every node belongs to only one of the clusters which are distributed geographically across the whole network. Cluster head is used to reduce network energy consumption and to increase its lifetime. As shown in Fig. 1, the architecture of proposed hybrid IDS.

Yassine Maleh et al. / Procedia Computer Science 52 (2015) 1047 – 1052

1049

Fig. 1. IDS architecture.

3.1. Cluster election and strategy location of IDS CH is elected dynamically according to his energy. The BS announces the process of CH election, the CHs calculate residual energy by equation Vi(t) = [Initial – Ei(t)] / r, where Initial is the initial energy, Ei(t) is the residual energy and r is the current round of CH selection 8. BS calculates the average value and average deviation, according to obtained values. CH announces the CH election procedure for nodes. Old CH broadcasts a message about the withdrawal of authority. New CH sends alert messages to the sensors nodes. CH is responsible for authentication of the other members of the cluster, and the base station (BS) is responsible for CH authentication. Because of limited battery life and resources, each agent is only active when needed. x Local agent: Local agent module is responsible to monitor the information sent and received by the sensor. The node stores in his internal database specific malicious network nodes attacks. When the network first organized, the sensor nodes don’t have any knowledge about malicious nodes. After the deployment of WSNs, the signature database is constructed gradually. The entry in the malicious node database is created and propagated to every node by a CH. x Global agent: Global agent monitor the communication of its neighbor nodes. Because the broadcast nature of wireless network, every node can receive all the packets going through its radio range. Global agent must have the information of its neighbor nodes to monitor the packets. We use local monitoring mechanism and pre-defined rules to monitor the packets 9. If the monitor nodes discover a possible breach of security in of their neighbor nodes, they create and send an alert to the CHs. The CHs receive the alert and make the decision of a suspicious node through the threshold X. Both agents are built on application layer. Fig. 2 below describes the strategy location of IDS in network.

Fig. 2. Strategy location of IDS.

1050

Yassine Maleh et al. / Procedia Computer Science 52 (2015) 1047 – 1052

3.2 Anomaly detection using SVM Support vector machines (SVMs) are a class of machine learning algorithms, due originally to Vapnik 10, which is sorter design method based on the small sample study, which is suitable to the classification of small sample data. Therefore, the SVM method is suited to classify the high-dimension data in IDS. During the training phase, which takes place offline at a system with abundant resources, data are collected from the physical, medium access control (MAC) and network layers. Then the collected training data are pre-processed using a data reduction process, which aims at reducing their size in order to be processed by SVM. Classification hyperplane of training data which may be divided by linear classification plane or not via mapping the training data vector to higher dimensional space with some function and transferring the problem to an linear classification problem in that space. After the mapping procedure, SVM finds out a linear separating hyperplane with the maximum margin in the space. In 11, 12, Vapnik et al. described the problem as finding a solution of convex optimization problem. Suppose the linearly separability sample set (xi , yi)Ǥ Given the training datasets: ݅ ൌ ͳǡ ǥ ǡ ݊ǡ ‫ܴ א ݔ‬ௗ ǡ ‫ א ݕ‬ሼ൅ͳǡ െͳሽ. In our case {1} is normal, and {-1} normal is abnormal. The classify hyperplane equation is: (1) ‫ݓ‬Ǥ ‫ ݔ‬൅ ܾ ൌ Ͳ Where w is a normal vector and the parameter b is offset. The training samples on the hyperplane are called Support Vectors, because they support the optimal classify hyperplane. So our problem can be formulated as follow: ଵ

ଵ

ଶ

ଶ

݉݅݊‫׎‬ሺ‫ݓ‬ሻ ൌ ȁȁ‫ݓ‬ȁȁଶ ൌ ሺ‫ݓ‬Ǥ ‫ݓ‬ሻ

(2)

‫݅ݕ݋ݐݐ݆ܾܿ݁ݑݏ‬ሾሺ‫݅ݔ ڄ ݓ‬ሻ ൅ ܾሿ െ ͳ ൒ Ͳ݅ ൌ ͳǡʹǡ ǥ ǡ ݊ T he classify function can be described as follow: ௡

݂ሺ‫ݔ‬ሻ ൌ ‫݊݃ݏ‬ሼሺ‫ כ ݓ‬Ǥ ‫ݔ‬ሻ ൅ ܾ ‫ כ‬ሽ ൌ ‫݊݃ݏ‬ሼ෌௜ୀଵ ߙ௜‫ݕ כ‬௜ ሺ‫ݔ‬௜ ή ‫ݔ‬ሻ ൅ ܾ ‫ כ‬ሽ

(3)

T he optimal classify function as follow: ௡

݂ሺ‫ݔ‬ሻ ൌ •‰ሺ෌௜ୀଵ ߙ௜‫ݕ כ‬௜ ݇ሺ‫ݔ‬௜ ή ‫ݔ‬ሻ ൅ ܾ ‫ כ‬ሻ

(4)

݇ሺ‫݅ݔ‬ǡ ‫ )ݔ‬Here is the kernel function and Di are the Lagrange multipliers. According to the condition of KuhnTucker (KKT), the xi that corresponding to Di > 0 are called support vectors (SVs). In our context, each node communicates its vectors with its neighbor in one hope (one-hop neighbor), once this process is complete, the final hyperplane is calculated and all nodes have the same discriminant plan to separate the data into two classes (normal, abnormal). Therefore, the SVM method is suited to classify the high-dimension data in IDS. Maintaining the Integrity of the Specifications. SVM method provides very good results with less training time compared to neural networks. Another advantage of SVM is the low expected probability of generalization errors. 3.3 Signature based model This module uses a discovery protocol based on signatures to detect malicious nodes and prevent network disruptions by these nodes. The purpose of this protocol is to classify the behavior of a target as normal or abnormal based on a set of rules. In our case, there is four rules for each attack. The rule for detecting the Selective forwarding attack is defined by the number of packets dropped (PDR) and a node that is above a certain threshold δ sf). The rule for detecting the Hello flood attack is the received signal strength (ISSR) at the IDS agent, if it is greater than a certain threshold (δissrh). The rule for detecting the Black hole attack is defined by the number of RDP (greater than threshold δissrbh) and excess of the signal power (above the threshold δissrbh). Finally, the rule for detecting the wormholes attack is the power signal (above the threshold δissrhwh) and none of the neighboring nodes malicious node makes the retransmission of packets received from this opponent (PDR bypass the threshold δwh). 3.4 Decision making model

Yassine Maleh et al. / Procedia Computer Science 52 (2015) 1047 – 1052

1051

In the collaborative process, the cluster-head applies a simple rules mechanism. In case there is no correspondence between intrusions detected by the anomaly detection technique and predefined signatures attackers, the IDS agent sends a report to CH, then it uses a fast rules mechanism to take a final decision about the suspect node. The CH report the results to the administrator to help them manage the network and make further corrections. Finally, CH sends a message to all IDSs, so they proceed to update their table of signatures. Fig. 3 illustrates the rules used in decisionmaking model

If anomaly detection (SVM) detects an attack and signature model does not detect attack then it is not an attack and it is erroneous classification.

If anomaly detection (SVM) detects an attack and signature model detects attack then it is an attack and determine the class of attack.

Fig .3. Rules for decision-making model.

4. Performance of the hybrid detection model In this section, we evaluate the performance of our intrusion detection model using KDDcup'99 database 13. We study the variations in detection rate and false positive, when the number of IDS increases in the network. Finally, we compare the performance of our model with other hybrid models. To evaluate the effectiveness of the proposed model, a set of metrics have been adopted to determine the most efficient intrusion detection model. x x

Detection Rate: Represents the percentage of attacks detected on the total number of attacks. False positive rate (false alarms): This is the ratio between the number classified as an anomaly on the total number of normal connections. The combination of anomaly detection based on SVM and detection based on attack signatures allows the intrusion detection model to achieve a high rate of intrusion detection (almost 98%) with a number very reduces false alarms (near 2%) as shown in Table 1 below. Table 1. Detection and false positive rate under four attacks. Attack

Detection rate

False positive

Selective forwarding attack

98,40%

5,13%

Hello flood attack

97,20%

2,24%

Black Hole attack

96,80%

3,50%

Worm Hole attack

98,20%

4,54%

To determine the effectiveness of our approach, we compared our model with others hybrids models proposed by authors Bin et al. 14, Khanum et al. 15, Yuan et al. 16 and Hai et al. 4, analyzing in particular the detection rate and false alarms and generated by IDS agents. Fig. 4 below present a performance comparison of some existing intrusion detection models for WSN.

1052

Yassine Maleh et al. / Procedia Computer Science 52 (2015) 1047 – 1052

a

b

Fig. 4. (a) Detection rate; (b) False positive rate.

From Fig. 4, the proposed hybrid model has a better efficiency in terms of detecting attacks and false positives rates compared to other models. 5. Conclusion and future works In this article, we proposed a hybrid intrusion detection model for WSN. Our IDS uses a learning algorithm based on the SVM and a detection technique based on the attack signatures. Indeed, the combination of these two techniques to offers an intrusion detection system with a high detection rate and low false positive rate. Our detection approach is integrated in a cluster-based topology, to reduce communication costs, which leads to improving the lifetime of the network. For our future work, more research on this topic needs to be undertaken with detail simulation of different attack scenarios to test the performance of proposed IDS. We expect the result to be available soon in the future. References 1. Y. Maleh, A. Ezzati, “A review of security attacks and intrusion detection schemes in wireless sensor network”, International Journal of Wireless & Mobile Networks (IJWMN) Vol. 5, No. 6, December 2013. 2. H. Sedjelmaci, S.M Senouci“A Lightweight Hybrid Security Framework for Wireless Sensor Networks”, IEEE ICC, Sydney, 2014. 3. K. Q. Yan, S. C. Wang, S. S. Wang, C. W. Liu, “Hybrid intrusion detection system for enhancing the security of a cluster-based wireless sensor network”, Proceedings of 3rd IEEE International Conference on Computer Science and Information Technology, China, pp. 114-118, 2010. 4. T. H. Hai, E. N. Huh and M. Jo, “A lightweight intrusion detection framework for wireless sensor networks”, Wireless Communications and Mobile Computing, 10(4): 559-572, 2010. 5. R. Roman, J. Zhou, J. Lopez, “Applying intrusion detection systems to wireless sensor networks “, in: 3rd IEEE Consumer Communications and Networking Conference, pp.640-644, 2006. 6. L. Coppolino, S. D’Antonio, A. Gafalo, L. Romano, “Applying Data Mining Techniques to Intrusion Detection in Wireless Sensor Networks”, Eighth IEEE International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), 2013. 7. A. Abduvaliyev, S. Lee, Y.K Lee, “Energy Efficient Hybrid Intrusion Detection System for Wireless Sensor Networks”, IEEE International Conference on Electronics and Information Engineering, 2010. 8. C. Haiguang, W. Huafeng, X. Zhou , G. Chuanshan, “Key Feature and Rule-based Intrusion Detection for Wireless Sensor Networks”, IFIP International Conference on Network and Parallel Computing – Workshops, 2007. 9. Da Silva, A. Loureiro, M.H.T Martins, L.B Ruiz, H.Wong, “Decentralized Intrusion Detection in Wireless Sensor Networks”. International Workshop on Modeling Analysis and Simulation of Wireless and Mobile Systems, October 2005. 10. Vapnik, “Statistical study theory essential”, Qinghua University publishing press, Beijing 1995. 11. B. Boser and V. Vapnik, “A training algorithm for optimal margin classifiers”, 4th Annual Workshop on Computational Learning Theory, 1992. 12. C. Cortes and V. Vapnik, “Support-vector network, Machine Learning 20”, pp. 273–297, 1995. 13. KDD Cup 1999 Data, http://kdd.ics.uci.edu/databases/kddcup99/task.html; 1999. 14. W. H. Bin, Y. Zheng, W. C. Dong, “Intrusion detection for wireless sensor networks based on multi-agent and refined clustering”, International Conference on Communications and Mobile Computing, IEEE, Yunnan, China, pp. 450-454, 2009. 15. S. Khanum, M. Usman, K. Hussain. “Energy-efficient intrusion detection system for wireless sensor network based on MUSK architecture”, Second International Conference on High Performance Computing and Applications, Springer, Shanghai, China, pp.212-217, 2009. 16. L. Yuan, L.E Parker, “Intruder detection using a wireless sensor network with an intelligent mobile robot response”, IEEE Southeastcon, 2008.