1. Intrusion Detection Based on Traffic Analysis in Wireless Sensor Networks Yulia Ponomarchuk and Dae-Wha Seo Department of Electrical Engineering and Computer Science, Kyungpook National University Daegu, Republic of Korea

2. 2 Outline Introduction Related Work Network and Attacker Models Proposed Intrusion Detection Method Simulation Results Conclusions

3. 3 Introduction: Specific Features of WSNs Nodes function in unattended manner High specialization of nodes The batteries may be nonrechargeable Memory and processing power resources are very constrained Dense and random deployment The exact location is unknown The location is fixed after deployment Nodes often fail or can be compromised Any node can not be trusted Paths for transmissions are fixed within a given time interval Nodes are controlled by users No specialization of nodes Power resources are not constrained Memory and processing power resources are satisfactory Sparse deployment of nodes Each node can be supplied with GPS Nodes can be mobile Nodes rarely fail or get compromised Authenticated node can be trusted Paths for transmissions are random and change in time course Wireless ad hoc network Wireless sensor network

4. 4 Introduction: Motivation of Research WSN nodes can be easily compromised All keying material can be obtained from a compromised node An attacker may target data, transmitted within the network No security scheme can guarantee that an attacker may not succeed eventually An intrusion detection scheme – second line of defense  Detects anomalies and informs a base station (BS)  Triggers network reaction to an intrusion  Minimizes an attacker’s effect on the network performance Assumption: the behavior of an intruder and a legal node can be discriminated The proposed distributed intrusion detection method:  Based on traffic monitoring and statistical methods  Can be used in flat or hierarchical networks  Does not require any additional hardware or extra communication costs  Has minimal computational overheads and short detection delay  Demonstrates better efficiency than common approaches

5. 5 Related Work: Some Attacks against WSNs Physical layer jamming: producing sufficient levels of radio interference to provoke collisions MAC layer jamming: preventing legal nodes from accessing the channel or exhausting their resources Routing layer attacks:  Spoofing, altering, or replaying routing information  Selective forwarding of packets  Black hole attack: dropping all trespassing packets  Sinkhole attack: luring traffic from the targeted area  Wormhole attack: inserting an out-of-band link to lure traffic  Sybil attack: representing several identities to its neighbors Wormhole attack Selective forwarding attack (a) Single malicious node (b) Two collaborating nodes

6. 6 Related Work: Detection Techniques of Traffic Manipulation Misic and Begum (2007): proposed a test for the ratio of short- and long-term EWMAs of packet inter-arrival time. Smoothing coefficients and the threshold are chosen manually Xiao, et al. (2007): suggested CHEckpoint-based Multi-hop Acknowledgement Scheme (CHEMAS), where nodes monitor the number of ACKs. CHEMAS incurs extra communication costs and has problems with scalability Kaplantzis, et al. (2007): designed a centralized IDS based on SVMs. An SVM must be carefully trained and its kernel functions must be chosen beforehand. The scheme is not scalable Gupta, et al. (2007): suggested a centralized framework ANDES, incurring small communication overheads. The BS detects anomalies by correlating data and routing traffic Liu, et al. (2007): proposed to use spatial and temporal correlation of neighboring devices. Calculation of Mahalanobis distances, used as the degree of extremity, requires significant computation overheads and delay. The scheme may not detect colluding devices Hai and Huh (2008): based their detection technique to 2-hops neighborhood information and overhearing. Nodes may cooperate using voting. Overhearing requires significant power costs Cakiroglu and Ozcerit (2008): based jamming detection on analysis of PDR, BPR, and energy consumption amount (ECA) in combination using 6  -rule IDS concerning approaches (2005-2009): suggest to apply thresholds to various traffic parameters. However, there are no clear recommendations on threshold’s choice

7. 7 Network Model A WSN includes one BS and a large number of resource-constrained static sensor nodes The WSN has tree-type topology Each node monitors the environment and sends sensed data periodically Nodes’ sending rate is constant Nodes perform CCA before sending a packet No retransmission in case of losing a packet There is no attacker during initialization phase Attacker Model A single malicious device joined the network The attacker drops 30%, 50%, or 100% of trespassing traffic or injects meaningless packets in the uplink direction The attacker is not able to inject or modify a packet on behalf of legal nodes The attacker is able to compromise any device except the BS

8. 8 The Proposed Intrusion Detection Scheme Nodes are capable of monitoring their child nodes behavior The BS may monitor behavior patterns from all nodes Traffic parameters for monitoring:  Average packet reception rate (PRR) in a time window  Packet inter-arrival time (IAT): time interval between arrivals of two consecutive packets from the same source node Initialization phase  Nodes acquire samples of parameters’ values from their child nodes  Nodes compute threshold for average PRR according to binomial distribution (k –the number of lost packets; T w – the length of the time window)  Nodes compute the threshold for IAT according to exponential distribution ( - the average IAT during T w ) Intrusion detection phase  Newly acquired data are compared to the thresholds  In case of inconsistency, an alert is raised

9. 9 Simulation Environment Simulations were done in Castalia simulator for WSNs (http://castalia.npc.nicta.com.au)http://castalia.npc.nicta.com.au Area: 50x50m 2, 200x200m 2 One base station (in the upper-left corner of the area) Number of nodes: 100 Uniform grid deployment of nodes Tree-type topology Sending rate: 1 packet per 1.5s (in dense network) or 15s (in sparse network) Packets are transmitted according to the schedule without retransmission Packet size: 10B-100B Data rate: 100kbps, 250kbps (used for figures) Sample size for threshold computation: 15 values Significance level: 10% There is one attacking device The attacker device drops or injects 30%, 50%, or 100% of traffic Path loss exponent: 1.5-3, the standard deviation of the Gaussian noise: 2.5-7  All figures were obtained under conditions, when path loss exponent was equal 2.4 and the standard deviation of the noise was 4

10. 10 Simulation Results: False Positive Rate Compared criteria:  PRR: according to binomial distribution (proposed)  IAT: according to normal distribution  IAT: compared to minimum and maximum values  IAT: EWMA-based rule  IAT: according to exponential distribution (proposed) False positive rate grows with the increase of packet size and density of the network The proposed scheme shows low false positive rate even in dense WSN, prone to congestion (a) WSN area: 50x50m 2, 1 packet per 1.5s (b) WSN area: 200x200m 2, 1 packet per 15s

11. 11 Simulation Results: Detection rate Time window for PRR estimation:  23s in dense network with intensive traffic  4 minutes in sparse network with traffic of lower intensity The “worst case” scenario is demonstrated: an attacker changes his sending rate in regular manner In general, detection rate decreases with increasing of packet size or density of a WSN The proposed IAT rule poorly detects an intrusion if less than 30% of traffic is dropped or injected EWMA rule has high detection rate of short attacks, but quickly adapts and stops detecting an anomaly of long duration The average detection rate in dependence on packet size in 50x50m 2 area and rate of 1 packet per 1.5s The average detection rate in dependence on packet size in 200x200m 2 area and rate of 1 packet per 15s

12. 12 Conclusions The proposed technique is lightweight and efficient, has short time delay It can be used in large networks, since it is distributed and requires no communication costs The proposed method considers PRR and IAT in combination Recommendations to threshold computations are provided Thresholds may be quickly adapted in time course of network’s operation The results of simulations show high detection delay and low false positive rate even in dense WSN, prone to congestion The result of intrusion detection does not depend on the number of malicious devices Future Work Design and evaluation of an intrusion detection scheme, producing a conclusion on the basis of PRR and IAT combined monitoring Incorporating of the proposed scheme into an intrusion detection system for WSNs, capable of detecting various types of attacks