The Model - Dynamic and Flexible Intrusion Detection Protocol for High Error Rate Wireless Sensor Networks Based on Data Flow

S.Janakiraman, Dept. of CSE, Anna University of Technology Chennai, Tamil Nadu, India, jana3376@yahoo.co.in
S.Rajasoundaran, Dept. of CSE, Anna University of Technology Chennai, Tamil Nadu, India, rajasoundarans@gmail.com
P.Narayanasamy, Dept. of CSE, Anna University, Chennai, Tamil Nadu, India

Abstract- Wireless Sensor Networks (WSNs) are collections of self-organizing sensor nodes deployed in various physical environments, statically or dynamically depending upon the application. In a wireless environment these sensor nodes are defenseless or vulnerable against attacks. To solve this problem the Intrusion Detection System (IDS) has been used, and for wireless networks the Distributed Intrusion Detection System (DIDS) has been used. But this is not sufficient to achieve maximum resiliency against attacks. Considering these issues, a new Dynamic Intrusion Detection Protocol model (DYDOG) has been designed based on data flow for High Error Rate Wireless Sensor Networks (WSNs). Here the Dynamic Intrusion Detection nodes are deployed based on the proposed protocol model and act as forwarding nodes as well as Intrusion Monitoring Nodes with respect to the data flow through the sensor nodes. The Dynamic Intrusion Detection Nodes are selected from the one-hop or two-hop neighbors' non-forwarding node list by using a Secure Session Key Management approach, without deploying separate Intrusion Monitoring Nodes. This makes the network more flexible and dynamic against various attacks and provides maximum monitoring node availability with better resiliency in high error rate Wireless Sensor Networks (WSNs). The monitoring nodes change their behavior dynamically within the session itself, depending on mobility and on the proposed conditions. For an attacker it is a problem to identify and attack the Dynamic Intrusion Detection Nodes within the limited session.
By this protocol the attacks and compromised nodes can be effectively identified at runtime in high data rate static or dynamic Wireless Sensor Networks (WSNs). Research is now going on into On-Line Updates for local agents and global agents individually in high data rate Wireless Sensor Networks (WSNs), when the network has maximum mobility and maximum data rate.

Keywords: Wireless Sensor Networks, Intrusion Detection, Dynamic Intrusion Detection Nodes, Key management.

I INTRODUCTION

A. Wireless Sensor Networks

A wireless sensor network (WSN) is a network consisting of geographically distributed autonomous devices with sensors to attentively monitor physical or environmental conditions, such as temperature, sound, vibration, pressure and motion, at different geographical locations. Wireless Sensor Networks (WSNs) are ideal candidates for monitoring environments in a wide variety of applications such as military surveillance, forest fire monitoring, animal identification etc. The field of wireless sensor networks offers an affluent, multi-disciplinary area of research, in which a variety of tools and concepts can be employed to ponder on a diverse set of applications. Research in the field of wireless sensor networks is going on mainly on routing, energy consumption and security. Here the main focus is on intrusion detection systems (IDS) to secure wireless sensor networks with energy optimization, even in high error prone and crowded situations, by using DIDNs. Unlike mobile ad-hoc networks or other wireless networks, wireless sensor networks have a larger number of nodes, deployed in a dense manner. So the essential point here is to reduce the cost of deployment as well as the energy consumption even in a large scale network. Moreover, in most cases wireless sensor networks are considered to be of a motionless nature, but this is not feasible for many applications. Here the model analysis goes with these concerns [11].
Figure 1.1 Wireless Sensor Networks

B. Intrusion Detection System

An intrusion detection system is a system, tool or any intelligent computing algorithm that has been designed to monitor and detect unauthorized or malicious activities (attacks) in wired or wireless networks (Wireless Sensor Networks/Mobile Ad-hoc Networks). Wireless sensor networks are distributed in nature, so here the intrusion detection system is called a Distributed Intrusion Detection System (DIDS). A distributed intrusion detection system runs on individual wireless sensor nodes as an intrusion detection agent module to detect vulnerabilities and attacks, and decisions are taken in a distributed manner with the help of local and global agents [11].

C. Attacks and Compromised Nodes

Normally wireless networks are more vulnerable against attacks like Denial of Service (DOS), which covers the Blackhole attack, Sybil attack, Wormhole attack, Selective forwarding attack, Jamming attack etc. This is a serious problem in wireless sensor networks. A packet drop attack or blackhole attack is a type of denial-of-service attack in which a node supposed to relay packets discards them instead. This usually occurs from a node becoming compromised from a number of different causes. Because packets are routinely dropped in a lossy network, the packet drop attack is very hard to detect and prevent. The adversary can create multiple compromised nodes in its Blackhole intercepted region. Also the intruder can sense or read the secret data from a compromised wireless sensor node (Compromised Node, CN) easily [5]. Likewise, a wormhole attack records and uses the secret data in an unauthorized manner, a Sybil attack causes faulty identification, and a selective forwarding attack causes starvation and data loss in wireless sensor networks [7][9].
Against these various types of attacks our proposed model provides a flexible and resilient solution with the help of Dynamic Intrusion Detection Nodes for high data rate Wireless Sensor Networks, based on data flow at runtime.

II RELATED WORKS

In Wireless Sensor Networks (WSNs), nowadays, a multipath routing scheme is used for static path routing, which provides flexibility in routing. Due to the deterministic nature of multipath routing, the sensor nodes are vulnerable to DOS and CN attacks. To avoid this, randomized diffusion can be used at the time of data transmission [5]. By that, protection is provided against these attacks (DOS and CN). But paths must be created every time, and every node in these paths needs to monitor events to detect attacks using a Distributed Intrusion Detection System as well as forward the data to the next neighbor node. This increases the computing overhead and the power consumption of the nodes.

In further research, to reduce the nodes' overhead, some nodes act as monitoring nodes called Watchdogs, which carry an intrusion detection module, together with a cluster head. Apart from these nodes, the others are forwarding nodes, sender and sink. Based on the results from these intrusion detection nodes the cluster head takes action [3]. If the intrusion detection nodes are static within a session or at all times, the intruder can easily attack these detecting nodes, which creates a very serious problem in sensor networks; in the cluster head approach the cluster head itself might also be vulnerable. More than that, the cluster head election process consumes more energy, which is not optimal. In a further approach, intrusion detection has been performed without a cluster head, but in this method the wireless sensor nodes have to maintain information about their two-hop neighbors, which increases overhead and power consumption, and the intrusion detection nodes may also lie in the forwarding path.
This lets the intruder track these monitoring nodes easily [11]. In another approach, Mu-DOG describes an intrusion monitoring scheme based on the IEEE 802.15.4 MAC with a beacon approach. But there is less security over the monitoring node selection process and no dynamic approach on those nodes, which makes attacks on the monitoring nodes easy. Also, it deals only with the first three layers, whereas our approach is designed to achieve flexibility in more than three layers [2]. The previous works deal only with intrusion detection using monitoring nodes. They have not provided a solution for secure monitoring node selection and did not provide flexibility in that process. With these constraints, the Dynamic Intrusion Detection Protocol for wireless sensor networks is designed; it works effectively in high error level conditions and in maximum mobility situations, also with an optimized energy level in the sensor nodes.
III. PROPOSED METHOD - DY-DOG

A. Selection of Intrusion Detection Nodes

In this proposed scheme, dynamic intrusion detection nodes are created to detect various attacks like DOS (Blackhole, Wormhole, Sybil and Selective forwarding attacks etc.) and Compromised nodes (CN) in wireless sensor networks. In the previous related work only a single blackhole can be identified. But here, by using more selected Dynamic Intrusion Detection Nodes, multiple Blackholes can be identified with the help of any suitable intelligent computing algorithm. Here every node is monitored by more than one Intrusion Detection/Monitoring Node. In this scheme a node acts both as intrusion detection node and as forwarding node dynamically. Also, without a cluster head, the node itself takes action against these attacks and informs the other neighbors with limited updates. The nodes in the forwarding list act as forwarding nodes for a moment only, and then change their nature to idle dynamically, unless a node is a one-hop neighbor of a forwarding node in another forwarding path on which data transmission is going on. Only the neighbor nodes which are not in that forwarding path monitor their forwarding nodes for intrusion detection at the time of data transmission; the others are stable in functionality. At any time every single node can be monitored by more than one Dynamic Intrusion Detection Node (DIDN). If one is traced by the adversary, another can detect the attack and action will be taken. This provides better resiliency in intrusion detection and flexibility in DIDN availability with the help of the designed algorithm, which is discussed later. This method makes it very difficult for intruders to identify or attack the intrusion detection nodes. Here only idle nodes which are at one-hop distance from the forwarding node are selected as DIDNs, when they are not in its forwarding path.
By that, the utilization of monitoring nodes is increased and the data transmission is not affected in any way. Any node that does not satisfy the above condition goes to the idle state to reduce power consumption. In the worst case scenario, if the forwarding node is not monitored by at least two intrusion detection nodes, or the data rate over the nodes increases the overhead due to maximum mobility, then the intrusion detection node at one hop selects its next-hop neighbor node as the Dynamic Intrusion Detection Node (DIDN) for the actual forwarding node, provided that monitoring node is within the transmission range of the forwarding node, by the designed algorithm discussed later. Now the monitoring node (DIDN) is at two-hop distance from the forwarding node. But this happens only when high-level data transmission occurs, and the forwarding nodes need not maintain two-hop neighbor information all the time. In a critical situation or high data rate condition, the one-hop monitoring nodes share their one-hop node information with the forwarding node as its two-hop monitoring nodes dynamically, with a predefined shared session key (see the next section). By that we can increase the availability of intrusion detection nodes even in dense situations of sensor data transmission and also in highly dynamic situations. These Dynamic Intrusion Detection Nodes are selected using a secure key management approach to avoid malicious nodes acting as monitoring nodes. We discuss this later.

Figure 3.1 DIDNs and Forwarding Nodes

In figure 3.1 the nodes are separated into three types: Sender/Destination; Forwarding node, only for the time of data forwarding, after which it changes to DIDN or idle node as seen before; and the Dynamic Intrusion Detection Nodes for forwarding node 1, which are the one-hop neighbors of forwarding node 1 that are not in the forwarding path.
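The selection rule of section III.A, as an added example that is not part of the paper: given a forwarding node N_F, its one-hop neighbors that are idle and not on any forwarding path become DIDNs; when fewer than two are available, or the data rate is above threshold, a one-hop DIDN's own neighbors are offered as two-hop DIDNs, restricted to those within N_F's coverage area. The topology, forwarding paths, coverage sets and the threshold of two monitors are constructed for the example.

```python
# Added example (not from the paper): DIDN candidate selection for one
# forwarding node on a constructed toy topology, following section III.A.
from typing import Dict, List, Set

# Constructed one-hop adjacency (symmetric). "S" is the sender, "D" the sink.
NEIGHBORS: Dict[str, Set[str]] = {
    "S":  {"F1", "A"},
    "F1": {"S", "F2", "A", "B", "C"},
    "F2": {"F1", "D", "B", "E"},
    "D":  {"F2"},
    "A":  {"S", "F1"},
    "B":  {"F1", "F2", "G"},
    "C":  {"F1", "H"},
    "E":  {"F2", "G"},
    "G":  {"B", "E"},
    "H":  {"C"},
}

# Constructed radio coverage area A_NF of each forwarding node. H is two
# routing hops from F1 but inside its radio range, G is not.
COVERAGE: Dict[str, Set[str]] = {
    "F1": {"S", "F2", "A", "B", "C", "H"},
    "F2": {"F1", "D", "B", "E", "G"},
}

CURRENT_PATH = ["S", "F1", "F2", "D"]   # path whose forwarders need monitors
OTHER_PATHS = [["G", "E"]]               # constructed: traffic on another path
OTHER_DIDNS = {"B"}                      # constructed: B already monitors it
MIN_DIDNS = 2   # paper: every forwarding node watched by at least two DIDNs


def busy_nodes(other_paths: List[List[str]], other_didns: Set[str]) -> Set[str]:
    """Nodes forwarding on some other path, or serving as DIDN for another path."""
    busy = set(other_didns)
    for path in other_paths:
        busy.update(path)
    return busy


def one_hop_didns(nf: str, current_path: List[str], busy: Set[str]) -> List[str]:
    """Idle one-hop neighbours of N_F that are not on the current forwarding path."""
    return sorted(n for n in NEIGHBORS[nf]
                  if n not in current_path and n not in busy)


def select_didns(nf: str, current_path: List[str], other_paths: List[List[str]],
                 other_didns: Set[str], high_data_rate: bool = False) -> Dict[str, List[str]]:
    """Return one-hop DIDNs and, when too few exist or the data rate is high,
    two-hop DIDNs reached through a one-hop DIDN (N_F1 -> N_F2). A two-hop
    candidate is only valid if it lies in the coverage area of N_F."""
    busy = busy_nodes(other_paths, other_didns)
    hop1 = one_hop_didns(nf, current_path, busy)
    hop2: List[str] = []
    if len(hop1) < MIN_DIDNS or high_data_rate:
        for nf1 in hop1:
            # N_F1 shares its own one-hop list with N_F; candidates must be
            # idle, off the current path, not already chosen, and in range.
            for nf2 in sorted(NEIGHBORS[nf1]):
                if (nf2 != nf and nf2 not in current_path and nf2 not in busy
                        and nf2 not in hop1 and nf2 not in hop2
                        and nf2 in COVERAGE.get(nf, set())):
                    hop2.append(nf2)
    return {"hop1": hop1, "hop2": hop2}


if __name__ == "__main__":
    for node in ("F1", "F2"):
        print(node, select_didns(node, CURRENT_PATH, OTHER_PATHS, OTHER_DIDNS))
        print(node, "high rate", select_didns(node, CURRENT_PATH, OTHER_PATHS,
                                              OTHER_DIDNS, high_data_rate=True))
```

F2 in this topology ends up with no eligible monitor at all, because its only off-path neighbors are busy elsewhere; that is exactly the worst case the paper describes, and the empty result is the signal to fall back to the two-hop escalation once a one-hop DIDN becomes free.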
For this mechanism we propose a framework of an efficient dynamic intrusion detection protocol to detect multiple attacks in wireless sensor networks, and this can be used to send any type of data (multimedia) in a secured manner. The proposed scheme is planned to enhance security against various attacks like DOS (Blackhole, Wormhole, Sybil and Selective forwarding attacks etc.) and Compromised nodes (CN) with securely selected dynamic intrusion detection nodes, even in dynamic conditions of wireless sensor networks. This is suitable for both fixed wireless sensor networks and ad-hoc wireless sensors. By this flexible DIDN deployment we can significantly reduce the overhead and power consumption of the individual nodes and increase security against attacks. In the next section we discuss the secured key management needed for DIDN selection and for DMDIDN selection.

B. Secured Key Management for DY-DOG

To select a DIDN we need a secure way to distinguish malicious nodes from DIDNs. The intrusion detection node maintains two secret shared session keys here to prove the identity of that node against other, possibly malicious, nodes.

* Secret shared session key for unique intrusion detection node. This key is generated from the forwarding node's partial data bits, the sender's ID and the monitoring node's ID (the node to become DIDN). The entities are concatenated in the forwarding node, EX-ORed in the intrusion detection node, and the resulting key is sent back to the forwarding node. From this key the monitoring node's identity is checked with the reverse EX-OR operation. This increases security against intruder nodes. Within the particular session these keys are hard to identify. This authentication scheme is used to prevent malicious nodes from monitoring the sensor nodes as if they were DIDNs during data transmission.
* Decision making key for unique intrusion detection node. This is generated after attacks are identified by the intrusion detection nodes, as discussed in the next section.

C. Decision Key for Decision Making Dynamic Intrusion Detection Node Selection (DMDIDN)

In the previous section we discussed the Dynamic Intrusion Detection Node (DIDN) selection process. Now we discuss the decision taken when attacks are identified. At the time of an intruder attack, based on this proposed system, more than one intrusion detection node monitors the forwarding nodes which are at one-hop distance from those monitoring nodes. Every monitoring node can identify attacks as far as possible, but when action is taken against these attacks the data needs to be rerouted through another forwarding path after healing the infected node or infected packets. These alternative paths are dynamically selected by the intrusion detection node itself. But multiple monitoring nodes are available here to monitor the forwarding nodes. Although there is more than one intrusion detection node, only one takes the decision on the route change during the intrusion time. Here the forwarding node sends another key, called the decision making key, to its monitoring nodes and waits for replies from those nodes. The nodes reply with the decision making key they received and a TTL field to the forwarding node. The node with the lowest TTL value is selected as the decision making intrusion detection node. In the next step the forwarding node sends only the initial portion of the data to the selected intrusion detection node and waits for an acknowledgement to ensure authentication. After that the remaining data is forwarded to the corresponding node to make the secured route selection. This decision making node selection changes depending on node mobility. In the next section the algorithms used for the proposed design are explained.

D. Proposed Algorithms for DY-DOG, Dynamic Energy Efficient Intrusion Detection Protocol Model

Here we discuss the various algorithms used to design the DY-DOG protocol for dynamic intrusion detection based on data flow with maximum network data rate.

I) Algorithm - Secured DIDN Selection

If D_R > D_TH, DIDN_1 = 1
{
  Conditions on selection:
    N ∈ N_F1L of N_F1(S);
    N ∉ N_FL of N_F(S);
    N ∉ N_FO of N_FO(S) || DIDN_O;
  Let N (node taken for selection process) = N_F2 here;
    N ∈ N_F1L of N_F1(S), N_F2L of N_F2(S);
  Then,
    N_F  → N_F1 : ID_XF || S_DSF
    N_F1 → N_F2 : ID_NF1 XOR (ID_XF || S_DSF)
    N_F1 → N_F  : ID_NF2
    N_F2 → N_F  : (ID_XF || S_DSF) XOR ID_NF1 XOR ID_NF2, via N_F1

  Here,
    Key_1 = (ID_XF || S_DSF) XOR ID_NF1;
    Key_2 = (ID_XF || S_DSF) XOR ID_NF1 XOR ID_NF2;

  In Key_1, N_F checks
    If (ID_XFR == ID_XF && S_DSFR == S_DSF && ID_NF1R == ID_NF1)
    {
      and N_F has ID_NF1;
      Then in Key_2, N_F checks
        If (ID_NF1R == ID_NF1 && ID_NF2R == ID_NF2)
        {
          and N_F has ID_NF2;
          N becomes DIDN (N_F2 becomes DIDN) and this node is ready to monitor;
        }
        Else { N becomes Malicious Node (N_F2 is a malicious node); }
    }
  It is valid if and only if (N = N_F2 ∈ A_NF);
  Else do the process from the initial stage;
}

Here,
  N_F - Forwarding node in the current forwarding path;
  N_F1L & N_F2L - Forwarding list of the one-hop and two-hop neighbor node respectively for N;
  N_FL - Current forwarding path node list;
  N_FO - Forwarding node for another path;
  DIDN_O - DIDN for a forwarding node in another path;
  ID_XF & ID_XFR - ID of the sender for the forwarding node, and the received ID_XF in N_F, respectively;
  S_DSF & S_DSFR - Sample data bits from the forwarding node, and the received S_DSF in N_F;
  ID_NF1 & ID_NF2 - ID of the node taken for the selection process from one hop and two hops respectively;
  N_F1 & N_F2 - Node taken for the selection process from one hop and two hops respectively;
  ID_NF1R & ID_NF2R - received ID_NF1 & ID_NF2 in N_F;
  A_NF - Coverage area of N_F.

This is common for the other nodes also which have satisfied the above initial conditions in a high error rate wireless sensor network. The above algorithm describes the steps to select the DIDNs that monitor the forwarding nodes for detecting intrusions, and the nodes being monitored, in high error rate conditions.

Figure 3.2 Secure DIDN Selection (Hop-2) with Shared Secret Session Key (Key2).

Figure 3.2 shows how the secure DIDN is selected from the second hop in a high data rate situation. In this situation, apart from only one one-hop DIDN, the other nodes are busy forwarding data in other forwarding paths and the nodes have maximum mobility. Also the data rate exceeds the normal threshold level.
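The Key_1 / Key_2 exchange of Algorithm I, as an added example that is not the paper's code: N_F concatenates ID_XF || S_DSF, N_F1 XORs in ID_NF1, N_F2 XORs in ID_NF2, and N_F reverses the XORs with the IDs it already holds and compares the recovered values with what it sent. Field widths (two-byte sender ID and sample, four-byte node IDs), the sample values and the idea of modelling a malicious candidate as one that does not hold the registered ID are all constructed for the example.

```python
# Added example (not the paper's code): simulation of the two shared-session-
# key checks of Algorithm I with fixed-width byte strings. All IDs and the
# sample data bits below are constructed values.

SENDER_LEN = 2   # constructed: ID_XF is 2 bytes
SAMPLE_LEN = 2   # constructed: S_DSF is 2 bytes, so ID_XF||S_DSF is 4 bytes
ID_LEN = 4       # constructed: node IDs (ID_NF1, ID_NF2) are 4 bytes

# Constructed session values.
ID_XF = b"\x01\x02"
S_DSF = b"\xaa\xbb"
ID_NF1 = b"\x10\x20\x30\x40"
ID_NF2 = b"\x05\x06\x07\x08"


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must be equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def forwarding_node_challenge(id_xf: bytes, s_dsf: bytes) -> bytes:
    """N_F concatenates the sender ID and sample data bits: ID_XF || S_DSF."""
    return id_xf + s_dsf


def make_key1(challenge: bytes, id_nf1: bytes) -> bytes:
    """N_F1 computes Key_1 = (ID_XF || S_DSF) XOR ID_NF1."""
    return xor(challenge, id_nf1)


def make_key2(key1: bytes, id_nf2: bytes) -> bytes:
    """N_F2 computes Key_2 = Key_1 XOR ID_NF2 and returns it via N_F1."""
    return xor(key1, id_nf2)


def verify_key1(key1: bytes, id_xf: bytes, s_dsf: bytes, id_nf1: bytes) -> bool:
    """N_F reverses the XOR with the ID_NF1 it holds and checks that the
    recovered ID_XFR and S_DSFR equal what it sent."""
    recovered = xor(key1, id_nf1)
    return recovered[:SENDER_LEN] == id_xf and recovered[SENDER_LEN:] == s_dsf


def verify_key2(key2: bytes, id_xf: bytes, s_dsf: bytes,
                id_nf1: bytes, id_nf2: bytes) -> bool:
    """N_F reverses both XORs (ID_NF2 was passed up by N_F1) and compares."""
    recovered = xor(xor(key2, id_nf2), id_nf1)
    return recovered == id_xf + s_dsf


def run_selection(id_xf: bytes, s_dsf: bytes, id_nf1: bytes, id_nf2: bytes,
                  nf1_uses: bytes, nf2_uses: bytes) -> str:
    """Whole exchange from N_F's point of view. nf1_uses / nf2_uses are the
    IDs the candidates actually XOR in; a candidate that does not hold the
    registered ID produces a key that fails the reverse-XOR check."""
    challenge = forwarding_node_challenge(id_xf, s_dsf)
    key1 = make_key1(challenge, nf1_uses)
    if not verify_key1(key1, id_xf, s_dsf, id_nf1):
        return "N_F1 malicious"
    key2 = make_key2(key1, nf2_uses)
    if not verify_key2(key2, id_xf, s_dsf, id_nf1, id_nf2):
        return "N_F2 malicious"
    return "N_F2 selected as DIDN"


if __name__ == "__main__":
    print(run_selection(ID_XF, S_DSF, ID_NF1, ID_NF2, ID_NF1, ID_NF2))
    print(run_selection(ID_XF, S_DSF, ID_NF1, ID_NF2, ID_NF1, b"\xff" * ID_LEN))
```

Because XOR is linear, what N_F actually verifies is that the responder holds the pre-registered ID for this session; the paper's statement that the keys are hard to identify within a session rests on ID_XF, S_DSF and the node IDs not being known to outsiders during that session, so a deployment should rotate the sample bits per session as the paper intends rather than reuse them.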
II) Algorithm - Decision Making Dynamic Intrusion Detection Node Selection (DMDIDN)

Among multiple DIDNs only one DIDN is selected as DMDIDN when an attack has been identified. That Decision Making DIDN reroutes the data packets through a secured path to the destination after the attacked node is identified. Among the multiple DIDNs, if any one detects an intrusion in the node or packets being sensed, then that node is marked as attacked node or that packet as infected packet.

DMDIDN Selection, Reinforced Path Selection and Limited Update:

  Condition: DMDIDN ∈ DIDN(S);
  N_F → DIDN(S) : Dkey + TTL;
  DIDN(S) → N_F : REQ, Dkey + TTL;
  DIDN → DMDIDN if and only if TTL = TTL_S;
  Then N_F → DMDIDN : D_i; ACK_i; i = initial data packet;
  N_F → DMDIDN : D_n for route selection; n = 1, 2, ...;

Limited Update against Attacks:

  Attacks A(S) = A_1, A_2, A_3, ..., A_k;
  P_n - data packets;
  DIDN_1 : P_n(N_F) | A_k → DIDN_n; n = 1, 2, ...; k = 1, 2, ...;
  If DIDN_1 | A_k ∉ DIDN_n | A_k, DIDN_n updates A_k;

Here the DIDNs do not share all of their attack or intruder information with other DIDNs periodically, because multiple monitoring nodes are available most of the time; instead, each DIDN marks the data packet or node in its packet field with the identified attack details at the time of attack or intruder detection. The other DIDNs search the intrusion detection field and update the attack details if they are not in their database, which avoids redundancy. This is the limited update. This limited update scheme reduces redundant updates of attack information between nodes, which saves memory, energy and delay during data transmission. By using these proposed algorithms we can increase DIDN availability to monitor other forwarding nodes, and with multiple monitoring nodes the number of detected attacks can be increased with limited updates in a distributed and dynamic manner.

Figure 3.3 Secure DMDIDN Selection Process with Decision Key (Dkey)

Figure 3.4 Secure DMDIDN Selection Process with Selected DMDIDN.

Figures 3.3 and 3.4 show the selection of the Decision Making DIDN.
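Algorithm II and the limited-update rule, as an added example that is not the paper's code: the forwarding node sends the decision key to every DIDN, keeps only replies that echo the key, picks the lowest TTL as DMDIDN, sends the initial packet and waits for its ACK before handing over the remaining packets; separately, the first DIDN to detect an attack writes the attack label into the packet's intrusion-detection field and other DIDNs add that label to their database only if it is new. Node names, TTL values, the attack labels, the field layout ("ids" as a semicolon-separated list) and the way a misbehaving DIDN is modelled (it fails to echo the key) are constructed.

```python
# Added example (not the paper's code): DMDIDN selection by lowest TTL with
# decision-key echo and initial-packet ACK, plus the limited update of attack
# marks carried in a packet field. All names and values are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DidnReply:
    node: str
    dkey_echo: bytes
    ttl: int


@dataclass
class Didn:
    name: str
    ttl: int                        # constructed TTL as seen from N_F
    attack_db: Set[str] = field(default_factory=set)
    honest: bool = True             # constructed: a dishonest DIDN does not echo Dkey

    def reply(self, dkey: bytes) -> DidnReply:
        echo = dkey if self.honest else b"\x00" * len(dkey)
        return DidnReply(self.name, echo, self.ttl)

    def ack_initial(self, packet: bytes) -> bool:
        """ACK_i for the initial data packet D_i."""
        return self.honest and len(packet) > 0


def select_dmdidn(dkey: bytes, didns: List[Didn]) -> Optional[Didn]:
    """N_F sends Dkey + TTL to DIDN(S); replies whose Dkey does not match are
    discarded; the lowest TTL (TTL = TTL_S) wins, ties broken by name so the
    result is deterministic in this model."""
    replies = [(d.reply(dkey), d) for d in didns]
    valid = [(r, d) for r, d in replies if r.dkey_echo == dkey]
    if not valid:
        return None
    valid.sort(key=lambda rd: (rd[0].ttl, rd[0].node))
    return valid[0][1]


def handshake_and_reroute(dkey: bytes, didns: List[Didn], initial_packet: bytes,
                          data_packets: List[bytes]) -> Tuple[Optional[str], List[bytes]]:
    """Send D_i to the DMDIDN and only hand over D_n (n = 1, 2, ...) after ACK_i."""
    dm = select_dmdidn(dkey, didns)
    if dm is None or not dm.ack_initial(initial_packet):
        return None, []
    return dm.name, list(data_packets)


def mark_packet(packet_fields: Dict[str, str], attack: str, by: str) -> Dict[str, str]:
    """DIDN 'by' records attack A_k in the packet's intrusion-detection field."""
    fields = dict(packet_fields)
    marks = fields.get("ids", "")
    entry = f"{by}:{attack}"
    fields["ids"] = f"{marks};{entry}" if marks else entry
    return fields


def limited_update(didn: Didn, packet_fields: Dict[str, str]) -> int:
    """Other DIDNs read the field and add only attacks they do not already
    hold. Returns the number of new entries learned."""
    added = 0
    for mark in packet_fields.get("ids", "").split(";"):
        if not mark:
            continue
        _, attack = mark.split(":", 1)
        if attack not in didn.attack_db:
            didn.attack_db.add(attack)
            added += 1
    return added


if __name__ == "__main__":
    monitors = [Didn("A", 4), Didn("C", 2), Didn("H", 1, honest=False)]
    print(handshake_and_reroute(b"dkey", monitors, b"init", [b"p1", b"p2"]))
    pkt = mark_packet({"seq": "7"}, "blackhole", "C")
    print(pkt, limited_update(monitors[0], pkt), monitors[0].attack_db)
```

Note that the dishonest node H has the lowest TTL but is never chosen, because the decision-key echo is checked before TTL ordering; a selection that ordered by TTL first would let an attacker that replies fastest capture the rerouting decision.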
The next figure, Figure 3.5, shows the data re-routing process after detecting attacks in wireless sensor nodes.

Figure 3.5 Data Packet Re-Routing Process through Selected DMDIDN

E. Route Update/Mobility

In Wireless Sensor Networks each and every node's mobility should be updated periodically or on an on-demand basis. When the TTL value or transmission delay of any Dynamic Intrusion Detection Node (DIDN) or DMDIDN exceeds the predefined threshold value, that is considered a link break or the node being out of covered range. Then the forwarding node needs to rebuild its neighbor table for routing updates. Here this (on-demand) update is performed in situations such as a DIDN having been attacked or being in an uncovered area of the forwarding node.

F. Performance Analysis of DY-DOG

Normally other monitoring mechanisms based on watchdogs consider only network layer functions, and Mu-Dog has functions on three layers only. But in our mechanism we can improve the performance in more than three layers with various functions like DIDN selection (Topology Maintenance), Intrusion Monitoring (Carrier Sensing, CSMA/CA), Routing (Multipath Routing and Reinforced Routing) and Transport Layer activities (ACK/NACK between Forwarding Node and DMDIDN). Various performance metrics, like availability of DIDNs vs normal nodes, intrusion monitoring level vs data rate, route updates vs nodes, time vs number of attacks detected, attacks detected vs DIDNs and attacks updated vs nodes, will be used to show that our proposed scheme improves intrusion detection against various attacks by the securely selected DIDNs with the help of any intelligent algorithms.

IV CONCLUSION

Here the Dynamic and Flexible Intrusion Detection Protocol (algorithms) model has been proposed for secure data transmission in high error rate Wireless Sensor Networks. Here every single wireless sensor node acts as intrusion detection node as well as forwarding node dynamically.
These algorithms are used to deploy flexible Dynamic Intrusion Detection Nodes (DIDNs), with a unique key management approach, from the neighbor nodes of non-forwarding paths, to identify attacks in individual wireless sensor nodes and reroute the packets to the destination in a secured manner. This reduces the deployment cost for small scale and large scale wireless sensor networks. Our design makes those wireless sensor nodes effective and flexible Dynamic Intrusion Detection Nodes (DIDNs), which makes it troublesome for intruders to detect these monitoring nodes. There is no need for a cluster head election process; the nodes' memory is used efficiently and the processes of the sensor nodes have low overhead because of the dynamic distributed nature. With multiple DIDNs the nodes in the transmission path can be monitored for detecting intrusions efficiently and dynamically, which increases security against various attacks at node level with low energy consumption, and this DY-DOG approach deals with more than three layers in its security vision. The design-based implementation is being carried out with the different performance metrics mentioned above. In our future work, with internal updates, the process is in progress for runtime on-line updates of new knowledge according to various attacks in wireless sensor nodes.

REFERENCES

[1] Yun Wang, Xiaodong Wang, Bin Xie, Demin Wang, and Dharma P. Agrawal, "Intrusion Detection in Homogeneous and Heterogeneous Wireless Sensor Networks," IEEE Transactions on Mobile Computing, June 2008.
[2] Abderrezak Rachedi and Hend Baklouti, "MuDog: Smart Monitoring Mechanism for Wireless Sensor Networks based on IEEE 802.15.4 MAC," IEEE Int. Conf., 2011.
[3] Noman Mohammed, Hadi Otrok, Lingyu Wang, Mourad Debbabi, and Prabir Bhattacharya, "Mechanism Design-Based Secure Leader Election Model for Intrusion Detection in MANET," IEEE Transactions on Dependable and Secure Computing, Feb. 2011.
[4] Xiao Zhenghong and Chen Zhigang, "A Secure Routing Protocol with Intrusion Detection for Clustering Wireless Sensor Networks," IEEE Int. Conf., 2010.
[5] Tao Shu, Marwan Krunz, and Sisi Liu, "Secure Data Collection in Wireless Sensor Networks Using Randomized Dispersive Routes," IEEE Transactions on Mobile Computing, July 2010.
[6] Shanshan Chen, Geng Yang and Shengshou Chen, "A Security Routing Mechanism against Sybil Attack for Wireless Sensor Networks," IEEE Int. Conf., 2010.
[7] Kemal Akkaya and Mohamed Younis, "A survey on routing protocols for wireless sensor networks," Elsevier, Feb. 2003.
[8] Rodrigo Roman, Jianying Zhou and Javier Lopez, "Applying Intrusion Detection Systems to Wireless Sensor Networks," 2006.
[9] Ali Modirkhazeni, Norafida Ithnin and Othman Ibrahim, "Secure Multipath Routing Protocols in Wireless Sensor Networks: A Security Survey Analysis," IEEE Int. Conf., 2010.
[10] Krontiris Ioannis and Tassos Dimitriou, "Towards Intrusion Detection In Wireless Sensor Networks," IEEE, 2007.
[11] www.wikipedia.org/ wireless sensor networks, intrusion detection system.