Abstract:
Wireless Sensor Networks (WSNs) have great potential to assist in storing and processing data collected from tiny sensors placed in various environments such as smart homes, vehicles, hospitals, enemy surveillance areas, volcanoes, oceans, etc. The sensors may be deployed to inspect physical aspects of the external environment, such as temperature, moisture, humidity, pressure, motion, magnetic fields, light, sound, gravity, vibration, electrical fields, and others, or to inspect physical aspects of internal environments, such as motion of the organism, glucose level, oxygen level, and others. The data recorded by these sensors can further be used for several applications as well as services. Here, the data is acquired from sensors through the wireless medium. Recent studies show that WSNs are vulnerable to various kinds of security threats, and a security solution is required that can safeguard them from lethal attacks.
Several security schemes have been proposed in the recent past to counter the attacks launched at different layers of WSNs. Intrusion detection systems (IDS) focus on the detection of malicious activity at the network layer. Most of the proposed IDS-based security approaches for WSNs lack completeness with respect to data acquisition, detection policy, and the way actions should be taken once malicious behavior is detected. Further, they lack proper testing of the proposed schemes with respect to performance metrics such as energy consumption, throughput, false positive rate, intrusion detection rate, and accuracy. Hence, there is a requirement for a purely distributed security scheme that works independently and communicates the anomalous behavior of sensor nodes to the base station (BS). The scheme should be lightweight and able to perform efficiently with respect to energy efficiency and throughput. Moreover, it should be able to achieve a low false positive rate and a high detection rate.
In this thesis, a novel intrusion detection framework is proposed for securing WSNs from routing attacks. The proposed system works in a distributed environment to detect intrusions by collaborating with the neighboring nodes. It works in two modes: online prevention safeguards against those abnormal nodes that are already declared as malicious, while offline detection finds those nodes that are being compromised by an adversary during the next epoch of time. The proposed framework is a specification-based detection framework that works for a flat WSN scenario. To test the performance of the proposed framework, a simulator is implemented, and results are produced. The results show that a centralized distributed approach cannot properly figure out the actual condition of the network. Therefore, a purely distributed security system is more appropriate for WSNs. The results also show that the specification-based detection scheme achieves a higher detection rate and a low false positive rate. These results also indicate that each node should be treated independently in WSNs, and that centralized distributed detection schemes may fail to identify whether the network is behaving normally or is under attack.
As a second contribution, the low-energy adaptive clustering hierarchy (LEACH) protocol for WSNs is modified by adding the functionality of the proposed intrusion detection framework to secure it from sink-hole, black-hole, and selective forwarding attacks. The modified protocol is called LEACH++. We performed two types of analyses: (1) numerical analysis to check the effect on throughput and energy, and (2) simulations in Network Simulator-2 (NS-2) to prove the results found from the numerical analysis. The results are quite promising and favor LEACH++ over LEACH under attack with respect to throughput and energy consumption.
The third contribution is a security analysis of the LEACH++ protocol to validate the proposed specification-based detection scheme with respect to accuracy, false positive rate, and detection rate. For this purpose, we simulate LEACH++ by launching various numbers of attacks in different patterns for different configurations. The experiments are carried out against the LEACH++ protocol for black hole and sinkhole attacks in different patterns. The results show that the proposed scheme achieves high accuracy and a high detection rate for LEACH++ and shows a very low false positive rate.