Available online at www.sciencedirect.com
ScienceDirect Procedia Computer Science 94 (2016) 429 – 434
The 3rd International Symposium on Emerging Inter-networks, Communication and Mobility (EICM-2016)
A Novel Detection Intrusion Approach for Ubiquitous and Pervasive Environments

Lynda Sellami (a,*), Djilali Idoughi (a,b), Abderrahman Baadache (a,c), Pierre Tiako (d)

a Department of Computer Science, A/Mira University of Bejaia, Algeria
b Applied Mathematics Laboratory, A/Mira University of Bejaia, Algeria
c Modeling and Optimization Systems Laboratory, University of Bejaia, Algeria
d CITDR, Tiako University, Oklahoma, USA
Abstract

A ubiquitous system brings pervasive computing into everyday life: the objects of our environments become intelligent and communicate without anyone being aware of their communication processes. Ubiquitous computing adds the concept of mobility to the notion of omnipresence; therefore, it refers to moving intelligent objects (from mobile computing) that can communicate with other ubiquitous objects in our daily lives. These advantages expose the network to malicious and unauthorized activities. The security of these networks, targeted by attackers, is an important issue. For this reason, Intrusion Detection Systems (IDSs) have been widely discussed for solving network intrusion problems. Several solutions have been adopted to overcome these kinds of intrusion. These IDS solutions are insufficient and/or incomplete because they are based on centralized devices and do not consider the heterogeneity and mobility of the devices, which is the case in ubiquitous environments. We developed a new IDS approach to address security problems in ubiquitous networks. The proposed approach is based on the authentication abilities of nodes for preventing intrusions from inside and outside the ubiquitous network.

© 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of the Conference Program Chairs.

Keywords: Ubiquitous computing; Intrusion detection system (IDS); Security; Trust;
* Corresponding author. Tel.: +213666164723; fax: +21334221624.
1877-0509 © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). Peer-review under responsibility of the Conference Program Chairs doi:10.1016/j.procs.2016.08.066
1. Introduction

Ubiquitous computing is applicable to all areas and has the capacity to deal with context sensitivity, invisibility and mobility. One of the characteristics of ubiquitous computing systems is their availability at all times, which makes them easily vulnerable to attacks [1]. Security is one of the most important challenges for ubiquitous computing. Security in ubiquitous environments is very hard to achieve due to the use of wireless communications and low-power devices (equipment) [1]. Individuals and organizations express the need to protect their property and/or systems against theft, or to protect their privacy (confidentiality) against intrusions (attacks) [2]. An intrusion is an abuse by hackers in order to obtain information, services or other forms of profit. Attacks against information systems may come from outside or inside sources. For technical and economic reasons, it is not possible to find and fix all these defects (abuses/attacks).

Many tools and resources are available today for intrusion detection problems, either hardware (firewalls) or software such as audit systems [2,3]. However, these solutions are limited because they are based on monitoring intrusions or attacks. In contrast, a new technique based on monitoring the intruders or attackers themselves has been developed to better protect and manage the system, supported by IDS mechanisms [4]. Intrusion Detection Systems (IDSs) provide the ability to quickly implement new security policies to detect and respond as soon as possible to attacks occurring in the network. They may be based on logs or on system audit records, which are managed by a system controller or an administrator [5,6].

To deal with ubiquitous computing vulnerabilities, and with security and privacy safeguards in ubiquitous computing environments, we propose a new IDS for such environments. In this article, we propose an Intrusion Detection System that overcomes network intrusion problems in ubiquitous computing.
Our goal is to explore the possibilities to detect intrusions (attacks) occurring in cloud computing. The rest of the paper is organized as follows: Section 2 outlines some background on ubiquitous systems and intrusion detection systems, and presents related work on intrusion detection in ubiquitous environments. In Section 3, we expose open research problems in the subject. Section 4 details our proposal. In Section 5 we show some experimental results and evaluate our solution. A conclusion and perspectives are presented in Section 6.

2. Background and related work

2.1. Ubiquitous computing

Ubiquitous computing is a set of technologies (hardware and/or software) present in our daily lives and activities [1]. In the ubiquitous computing era, the user is taken into account through his physical context in order to have mobile access to data and processing tools, and to offer the conditions for the best service. In a ubiquitous computing environment, the user may have several devices. These devices need to communicate and interact with their environments in order to be able to cooperate and to access remote information. The users can then easily, quickly and effortlessly exchange data, regardless of their geographic position. This ubiquity of information access has a strong impact on society, work habits, and privacy.

2.2. Intrusion Detection System

Security mechanisms such as Intrusion Detection Systems (IDSs) can be implemented in order to detect any attempted security violation. An Intrusion Detection System is a surveillance, monitoring, detection and correction tool, and even in some cases a preventive tool [7]. An intrusion is any set of actions that compromise the confidentiality, the integrity of data and the availability of services or resources. Intrusion detection is the ability of a computer system to automatically detect security breaches, based on security-relevant events [3].
Intrusion Detection Systems (IDSs) allow one to quickly implement new security policies to detect and react as quickly as possible against attacks occurring in a network [3]. They help to gain knowledge about successful and unsuccessful intrusion attempts.

2.3. Related Work in Ubiquitous Networks

To face the security problem and the new requirements of Ubicomp (ubiquitous computing) [6], which is the goal of our work, we introduce and describe the main research works in this area.

Zhou et al. [8] presented a distributed and dynamically deployed IDS that is service-oriented and user-responsive (SUIDS). SUIDS is applied to the smart home/office [8,9]. It checks and lists a user's activities and protects the various network devices against intrusions. SUIDS is based on events of user behavior. The system is organized hierarchically in several levels. The first level is the domain of the manager node (e.g., a PC on the network kernel); the second level contains the principal nodes (e.g., intelligent refrigerator, surveillance camera and electronic doors); and the third level is dedicated to the service nodes, the users and user behavior (such as a user's PDA or smartphone). The detection algorithm uses a chi-squared test to determine abnormalities; the chi-squared test is applied to each specific setting.

Another IDS developed for IP (Internet Protocol) based ubiquitous sensor networks is RIDES [10]. Amin et al. [10] developed this IDS to overcome intrusion problems at the USN (Ubiquitous Sensor Networks) level. For that, they implemented distributed pattern matching algorithms for intrusion detection based on attack signatures; in order to detect intrusions based on anomalies, RIDES employs a graphical technique called the CUSUM (cumulative sum control chart) chart, a classification technique based on Statistical Process Control (SPC). RIDES is a hybrid intrusion detection system.
The authors introduced dynamic creation of attack-signature identifiers so that signature-based IDS can be implemented on IP-USN, and designed an anomaly-based IDS for IP-USN environments. In [11], an intrusion detection policy is proposed for ubiquitous sensor networks. The objective of Xu et al. [11] in this approach is to monitor the communication between neighboring nodes and find abnormal (compromised) nodes. The streamed packets are transmitted to the data processing unit, where the packet headers are interpreted and analyzed in order to detect attacks from the transport and routing layers in each sensor. A data collection unit listens to the communication between neighboring nodes. The current activity of the sensor node is compared with the threshold value; if the behavior violates these values, the node is identified as compromised.

2.4. Limits of IDS-Ubicomp

The majority of IDSs developed for ubiquitous environments are designed for specific areas of application or for application scenarios, which limits their generalization to all areas of Ubicomp. We also have to deal with several problems: (1) centralization of detection, (2) capacity limitation of the hardware, (3) the need to update the normal profile, and (4) overloaded sensor nodes. A learning phase is required to construct the normal profile, and to update the database of profiles and signatures.

Table 1. Limits of IDS-Ubicomp.

IDS | Drawbacks
14  | - The principal nodes are far from the service nodes; they need more energy.
    | - The network connections are consumed in communication with the service nodes.
    | - Intrusions that occur during transmission may go unnoticed.
    | - Existence of the concept of centralized detection, which cannot be applied to larger areas (e.g., an administrative building).
    | - This solution is not applicable to other areas of application of ubiquitous computing where a mass of information has to be conveyed and processed.
    | - Risk of false positives, which generates too many alarms and treatments.
    | - Sensor nodes are overloaded through the detection, collection, analysis, and transmission of data.
17  |

The IDSs developed for Ubicomp are insufficient or incomplete, and they need improvements and/or adaptation.
3. Proposal

In this section, we present the IDS we have developed to detect malicious and unauthorized behaviors of nodes in ubiquitous networks. We first introduce the network architecture in which our IDS operates, and then describe our proposed security scheme.

3.1. Network architecture

Consider a ubiquitous network consisting of a large number of nodes, each node communicating with its neighbors. Each node of the network has permissions and privileges allowing it to perform a number of processes and communications with other nodes in the network. We focus on node authentication; each node has knowledge of the neighbors surrounding it. The network we consider is a set of nodes grouped in clusters. Each cluster is orchestrated by a cluster manager (or cluster head). This clustering architecture is suitable for ubiquitous networks because these networks connect together an enormous number of users, which are usually difficult to manage. Furthermore, this architecture eases the cooperation among different cluster managers.

3.2. Proposed security scheme

We recall that our objective is to detect intrusions that can occur in a ubiquitous network. The key idea is to compare a predefined normal profile with the actual behavior of the user. To do so, we have decomposed our security scheme into three phases: an initialization phase, a detection phase and an isolation phase (see Fig. 1). In the following, we present these phases.
Fig. 1. Phases of the proposed security scheme
• Initialization phase: this phase defines the normal profile of users. We note that the user profile is determined based on the login and the password provided by the user when accessing the network. The user profile is a set of attributes such as: IP address, port, processor use rate, memory occupation, number of opened files, number of running processes, number of incoming TCP packets, etc. The user profile can be considered as a combination of privileges and restrictions. A privilege is an authorized action, while a restriction is the prohibition of an action. In order to implement the user profile, we use the attribute vector $V_i$, where $i$ is the user identifier and $V_i[k]$ represents the value of attribute $k$ of user $i$. We note that restrictions are indicated by the value zero, and privileges by a value different from zero. Let $V_i(0) = (v_{i,1}, v_{i,2}, \dots, v_{i,n})^t$ be the attribute vector at the initial time 0.

• Detection phase: in this phase, two tasks are mainly performed. First, we collect information about the user behavior in order to construct the current behavior CB of the user; then we compare the current behavior with the corresponding normal profile of the user as defined in the initialization phase. Each node $i$ detects the defective attribute vectors using its normal profile prepared beforehand. Such defective attribute vectors are found using the following distance between $V_i(0)$ and $V_i(t)$:

$$D\bigl(V_i(0), V_i(t)\bigr) = \sum_{k=1}^{n} \bigl| v_i(0)[k] - v_i(t)[k] \bigr| \qquad (1)$$

where the sum runs over the $n$ features (attributes) of node $i$. For each node, we calculate the projection distance between each feature vector $V_i(t)$ and $V_i(0)$. We then mark $V_i(t)$ as defective if the calculated projection distance is greater than 0.
$$\begin{cases} d\bigl(v_i(t), v_i(0)\bigr) = 0, & \text{Normal} \\ d\bigl(v_i(t), v_i(0)\bigr) \ge 1, & \text{Anomaly} \end{cases} \qquad (2)$$
This calculation allows us to detect any intrusion and its source (the node that caused the attack).

Fig. 2. IDS-Activity (flowchart: the user's current behavior and the user's normal profile feed an "Analyse and control" step; "Any deviation?" No: process normally; Yes: action; End).
• Isolation phase: if an intrusion (attack) is detected, the isolation phase (1) informs the neighboring nodes of the intruder; (2) cuts all connections with the incriminated node; (3) removes the faulty node from the network; and (4) keeps track of the intruder and of the nature of the intrusion.

4. Experimental results

To prove the feasibility and applicability of our approach, we created a simulation environment using the Georgia Tech Network Simulator (GTNetS) [12]. In this simulation, every node is connected to and communicates with the other nodes through wireless connections. We first launched the system with random access to the ubiquitous network: the nodes make an access request; once authentication is verified through the database, the normal profile of the nodes is built based on the result of their authentication. The current behavior of the processed nodes is collected, and a comparison of the current behavior of the nodes with their normal profiles is performed. In the case of a deviation (change) in a node's behavior, the procedures against intrusions are started. To exercise our IDS model in a ubiquitous network, we carried out a number of intrusion attacks. For testing purposes, bad packets along with legitimate data packets were sent to the simulated system. During the test phase, it was observed that the analysis module efficiently identified and discarded the bad data packets.
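As an added illustration (not code from the paper), the three phases of Section 3.2 in Python: the attribute vector V_i(0) fixed at authentication, the distance of Eq. (1) with the decision rule of Eq. (2) for the detection phase, and steps (1) to (4) of the isolation phase. The class and attribute names, the six-attribute sample profile and the modelling of the cluster manager as a single object are assumptions.

```python
class Node:
    def __init__(self, node_id, neighbors=()):
        self.node_id, self.neighbors = node_id, set(neighbors)
        self.profile, self.isolated = (), False  # V_i(0) is fixed at authentication

def distance(v0, vt):
    """Eq. (1): D = sum over the n attributes of |v_i(0)[k] - v_i(t)[k]|."""
    if len(v0) != len(vt):
        raise ValueError("attribute vectors must have the same length")
    return sum(abs(a - b) for a, b in zip(v0, vt))

def classify(v0, vt):
    """Eq. (2): distance 0 is Normal, distance >= 1 is an Anomaly."""
    return "Normal" if distance(v0, vt) == 0 else "Anomaly"

class Cluster:
    """Cluster manager (assumed name): runs the three phases for its nodes."""
    def __init__(self):
        self.nodes = {}
        self.alerts = {}  # node_id -> set of intruders it has been warned about
        self.log = []     # (intruder, indices of the deviating attributes)

    def add_node(self, node_id, neighbors=()):
        self.nodes[node_id] = Node(node_id, neighbors)
        for n in neighbors:  # links are symmetric
            self.nodes[n].neighbors.add(node_id)

    def authenticate(self, node_id, credentials_ok, profile):
        """Initialization phase: V_i(0) is built only after a successful login."""
        if credentials_ok:
            self.nodes[node_id].profile = tuple(profile)
        return credentials_ok

    def observe(self, node_id, current):
        """Detection phase: compare the current behavior CB with V_i(0)."""
        node = self.nodes[node_id]
        if not node.profile:
            return "Unauthenticated"
        verdict = classify(node.profile, current)
        if verdict == "Anomaly":
            deviated = [k for k, (a, b) in enumerate(zip(node.profile, current)) if a != b]
            self.isolate(node_id, deviated)
        return verdict

    def isolate(self, intruder, deviated):
        """Isolation phase, steps (1) to (4) of Section 3.2."""
        node = self.nodes[intruder]
        for n in node.neighbors:
            self.alerts.setdefault(n, set()).add(intruder)  # (1) inform the neighbors
            self.nodes[n].neighbors.discard(intruder)       # (2) cut the connections
        node.neighbors.clear()
        node.isolated = True                                # (3) remove from the network
        self.log.append((intruder, deviated))               # (4) keep track of it

def demo():
    """Constructed scenario: node B sets restricted attribute 3 from 0 to 1."""
    c = Cluster()
    c.add_node("A"); c.add_node("B", ["A"]); c.add_node("C", ["A", "B"])
    c.authenticate("B", True, (80, 20, 512, 0, 5, 100))  # assumed attribute order
    return c.observe("B", (80, 20, 512, 1, 5, 100)), c
```

The threshold of Eq. (2) is exactly the paper's: any non-zero distance, even a change of one unit in a single attribute, is reported as an anomaly and triggers isolation.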
Table 2. Detection result.

Normal data size (KB) | Intrusion data size (KB) | Normal behavior | Intrusion detection | False alarm
50  | 40  | 50  | 100%   | 0.50%
150 | 80  | 150 | 100%   | 4.00%
200 | 100 | 200 | 99.83% | 5.50%
Table 2 shows the anomalies detected in our experiment. The table shows the normal behavior (NB), intrusion detection (ID), and false alarm (FA) rates. The rate of users' normal behavior equals 100%; the FA rate is very small, due to the types of attacks that are still poorly detected. The proposed IDS model gives good results: it detects new attacks, detects unidentified intruders and any intruders identified by the authentication. The hit rate should be kept as high as possible, since any ignored attack can cause serious damage to the whole system.

5. Conclusion and perspectives

Our main objective in this work was to guarantee the security of ubiquitous networks. We developed an IDS to detect intrusions and correct anomalies in ubiquitous environments. Our approach controls the security of the nodes and of the network. It searches for anomalies that could lead to possible attacks, and takes action against such attacks. To build the user profile, we introduced a new authentication-based approach allowing more flexible analysis and detection, which avoids updating the normal profile database. As future work, we will secure communications (channels, connections) and deal with device overload in order to complete the proposed intrusion detection architecture. We will also investigate methods to analyze audit data for intrusion detection.

References

1. Weiser M. The computer for the 21st century. Scientific American (International Edition), vol. 265, no. 3, Sept. 1991, p. 66-75.
2. Sellami K, Chelouah R, Sellami L, Ahmed-Nacer. Intrusion detection based on swarm intelligence using mobile agent. International Conference on Swarm Intelligence: Theoretical Advances and Real World Applications (ICSI 2011), Cergy, France, June 2011, p. 1-3.
3. Mé L, Michel C. La détection d'intrusion : bref aperçu et derniers développements. March 1999.
4. Philippe B. Architecture expérimentale pour la détection d'intrusions dans un système informatique. April 2001.
5. Lancia J. Infrastructure orientée service pour le développement d'application ubiquitaire. PhD thesis, order no. 3745, 2008.
6. Sellami L, Idoughi D, Baadache A. Intrusions Detection System Based on Ubiquitous Network Nodes. INFOCOMP 2014: The Fourth International Conference on Advanced Communications and Computation, Paris, July 2014, ISBN 978-1-61208-365-0, p. 138-143.
7. Snapp SR, Brentano J, Dias GV, Goan TL, Heberlein LT, Ho C, Levitt KN, Mukherjee B, Smaha SE, Grance T, Teal DM, Mansur D. DIDS (Distributed Intrusion Detection System): Motivation, Architecture, and an Early Prototype. In Proceedings of the 14th National Computer Security Conference, Oct. 1991, p. 167-176.
8. Zhou B, Shi Q, Merabti M. A novel service-oriented and user-centric intrusion detection system for ubiquitous networks. Proceedings of the IASTED International Conference on Communication, Network and Information Security (CNIS'05), Phoenix, Arizona, USA, Nov. 2005, p. 76-81.
9. Zhou B, Shi Q, Merabti M. A Framework for Intrusion Detection in Heterogeneous Environments. Proc. IEEE Consumer Communications and Networking Conference (CCNC 06), vol. 2, Las Vegas, Nevada, USA, Jan. 2006, p. 1244-1248.
10. Amin SO, Siddiqui MS, Hong CS, Lee S. RIDES: Robust Intrusion Detection System for IP-Based Ubiquitous Sensor Networks. Journal of Sensors, vol. 9, no. 6, May 2009, p. 3447-3468, doi:10.3390/s90503447.
11. Xu J, Wang J, Xie S, Chen W, Kim JU. Study on intrusion detection policy for wireless sensor networks. International Journal of Security and Its Applications, vol. 7, no. 1, Jan. 2013, p. 1-6.
12. GTNetS homepage, http://www2.ece.gatech.edu/research/labs/MANIACS/GTNetS/ [accessed January 2016].