25-08-2017, 09:32 PM
Analysis of an Anomaly-based Intrusion Detection System for Wireless Sensor Networks
ABSTRACT
Wireless Sensor Networks (WSNs) are becoming more popular in recent times, and are very useful in military applications and environmental monitoring. However, security is a major challenge for WSNs because they are usually set up in unprotected environments. Hence, our goal in this study is to simulate an Intrusion Detection System (IDS) that monitors the WSN and reports intrusions accurately and effectively. This approach starts from the assumption that, since sensor networks use wireless communications, the radio links are insecure and very prone to attacks, whereby an attacker can very possibly bypass intrusion prevention mechanisms that must have been adapted to the network. IDSs implemented for fixed wired networks are not applicable in WSNs, and a number of the ones implemented for WSNs suffer from a high False Positive Rate (FPR). Therefore, adequately securing a WSN poses a very challenging research problem. We have thus simulated an IDS that uses an anomaly-based technique to monitor the traffic pattern on the network following a fixed-width clustering algorithm.
INTRODUCTION
Wireless Sensor Networks (WSNs), often considered as a self-organised network of low cost, power and complex sensor nodes, have been typically designed to monitor the environment for physical and chemical changes, disaster regions and climatic conditions. The sensor nodes are light and portable, with sensing abilities and a communication and processing board, and are used for sensing in critical applications. These provide an avenue to monitor and respond to phenomena and chemical compounds in the environment such as light, temperature and noise.
RELATED WORKS
With the increasing growth in technology, many researchers have proposed several IDSs to secure WSNs. The vulnerabilities associated with wireless networks make it imperative to incorporate an IDS in WSNs. [2] defined IDS as an act of monitoring and detecting unwanted actions or traffic on a network or a device. This is achieved by monitoring the traffic flow on the network. Examples of published work on anomaly detection systems are IDES [3], HAYSTACK [5], and the statistical model used in NIDES/STATS [4], which is a more recent approach and presents a better anomaly detection system compared to the others aforementioned. A process of developing intrusion detection capabilities for MANET was described in [6]. The authors discussed how to provide detailed information about intrusions from anomaly detection by showing that, for attacks, a simple rule can be applied to identify the type of attack and the location of the attacking node. Furthermore, they introduced a cluster-based detection scheme, where a cluster of nodes can elect a monitoring node for the entire neighbourhood of MANET nodes, which will be referred to as the cluster head. This cluster head performs the intrusion detection functions for all the nodes within its cluster. Our approach produces a wider solution where every node monitors and detects locally.
ANOMALY-BASED IDS
Anomaly detection describes a process of detecting abnormal activities on a network. The major requirements on an anomaly-based intrusion detection model are a low FPR and a high true positive rate. The performance parameters for these requirements are True Positive, True Negative, False Positive and False Negative, which are defined as follows.
SENSOR NETWORK SIMULATION
To start the analysis of the accuracy of our IDS, we ran preliminary tests to investigate the performance of a WSN under a real-life situation by investigating the network performance in the presence of a phenomenon. We used a sensor network simulation based on the simulation package by the Naval Research Laboratory (NRL) [9] running on the NS2 tool. The package included a new routing protocol for the phenomenon broadcast packets, called the PHENOM routing protocol. Our simulation scenarios consist of a total of 20 nodes. We configured 18 nodes as sensor nodes, one node as a phenomenon node moving through the network and emitting carbon monoxide (CO), and one sink node, which is the data collection point where all the sensor nodes periodically send their sensor report when they sense the phenomenon. The movement of the phenomenon node was randomly generated with a maximum speed of 20 m/s and an average pause time of 1.0 seconds. Each simulation was carried out over a time period of 120 seconds. We assumed in our analysis that each sensor node has enough power to operate intrusion detection functions.
SIMULATION RESULTS
The results collected from Scenario 1 show the average of ten simulation runs with varying seed. The sensor network performs optimally under normal conditions. Scenario 2 (No attack-STL) was simulated such that five instances were considered, with the five pulse rates described in the corresponding sub-section in Section 4. Each instance was repeated ten times with ten seed values to produce a more accurate result. We observed that the higher the pulse rate, the lower the network performance. This is because the rate at which the phenomena are emanated increases with higher pulse rates, leading to more collisions, which then cause the nodes to drop packets. However, from a general view, the network depicts an average performance.
CONCLUSIONS
In this paper, we described ways to simulate a sensor network in a real-life scenario by introducing the presence of a phenomenon, and we extended this simulated network to perform a denial of service attack, which we used to test the efficiency of the anomaly-based intrusion detection system. From our results, we have reached the following conclusions. As expected, the results obtained show that the higher the pulse rate, the lower the performance of the network, because a phenomenon emanating at a very high pulse rate can cause collisions at the receiving node, leading to packet drops. We used the phenomenon node contribution to generate a realistic traffic pattern for accurate evaluations of protocols. We further investigated the network under an attack condition and tested the performance of the anomaly-based IDS in this instance.
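The following is an added example, not code from the paper: a general fixed-width clustering detector scored with the True/False Positive counts named in the ANOMALY-BASED IDS section. The two traffic features, the sample windows, the cluster width and the sparse-cluster threshold are all constructed assumptions, and cluster centres are fixed at the first point that opens them.

```python
import math

# Constructed sample: one (packets_received_per_s, packets_dropped_per_s) vector
# per observation window, with ground truth (True = window inside the attack).
WINDOWS = [
    ((20, 1), False), ((22, 2), False), ((19, 1), False), ((21, 1), False),
    ((23, 2), False), ((20, 2), False), ((90, 30), True), ((18, 1), False),
    ((22, 1), False), ((95, 34), True), ((21, 2), False), ((38, 6), False),
    ((19, 2), False), ((88, 28), True), ((24, 1), False), ((20, 1), False),
]

def fixed_width_clusters(points, width):
    """One pass: join the nearest centre within `width`, else open a new cluster."""
    clusters = []
    for idx, p in enumerate(points):
        best, best_d = None, width
        for c in clusters:
            d = math.dist(p, c["centre"])
            if d <= best_d:
                best, best_d = c, d
        if best is None:
            clusters.append({"centre": p, "members": [idx]})
        else:
            best["members"].append(idx)
    return clusters

def flag_anomalies(points, width, min_fraction):
    """Flag every point in a cluster holding less than min_fraction of all points."""
    flagged = [False] * len(points)
    for c in fixed_width_clusters(points, width):
        if len(c["members"]) < min_fraction * len(points):
            for idx in c["members"]:
                flagged[idx] = True
    return flagged

def detection_rates(flagged, truth):
    """Confusion counts plus true positive rate and false positive rate."""
    tp = sum(f and t for f, t in zip(flagged, truth))
    fp = sum(f and not t for f, t in zip(flagged, truth))
    fn = sum(t and not f for f, t in zip(flagged, truth))
    tn = sum(not f and not t for f, t in zip(flagged, truth))
    return {"TP": tp, "FP": fp, "FN": fn, "TN": tn,
            "TPR": tp / (tp + fn), "FPR": fp / (fp + tn)}

def evaluate(width=8.0, min_fraction=0.25):
    points = [p for p, _ in WINDOWS]
    truth = [t for _, t in WINDOWS]
    return detection_rates(flag_anomalies(points, width, min_fraction), truth)

if __name__ == "__main__":
    print(evaluate())
```

With the narrow width, the benign burst window (38, 6) forms its own sparse cluster and is reported as a false positive; widening the clusters removes it, and widening them too far absorbs the attack windows into the normal cluster.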