
The Model - Dynamic and Flexible Intrusion Detection Protocol for High Error Rate Wireless Sensor Networks Based on Data Flow
S. Janakiraman, Dept. of CSE, Anna University of Technology Chennai, Tamil Nadu, India (jana3376@yahoo.co.in)
S. Rajasoundaran, Dept. of CSE, Anna University of Technology Chennai, Tamil Nadu, India (rajasoundarans@gmail.com)
P. Narayanasamy, Dept. of CSE, Anna University, Chennai, Tamil Nadu, India
Abstract- Wireless Sensor Networks (WSNs) are collections of self-organizing sensor nodes deployed in various physical environments, statically or dynamically depending upon the application. In a wireless environment these sensor nodes are defenseless or vulnerable against attacks. To solve this problem the Intrusion Detection System (IDS) has been used, and for wireless networks the Distributed Intrusion Detection System (DIDS) has been used. But this is not sufficient to achieve maximum resiliency against attacks. Considering these issues, a new Dynamic Intrusion Detection Protocol model (DYDOG) has been designed, based on data flow, for High Error Rate Wireless Sensor Networks (WSNs). Here the Dynamic Intrusion Detection Nodes are deployed based on the proposed protocol model and act as forwarding nodes as well as Intrusion Monitoring Nodes with respect to the data flow through the sensor nodes. The Dynamic Intrusion Detection Nodes are selected from the non-forwarding node list of the one-hop or two-hop neighbors by using a Secure Session Key Management approach, without deploying separate Intrusion Monitoring Nodes. This makes the network more flexible and dynamic against various attacks and provides maximum monitoring node availability with better resiliency in high error rate Wireless Sensor Networks (WSNs). The monitoring nodes change their behavior dynamically within the session itself, depending on mobility and on the proposed conditions. This makes it difficult for an attacker to identify and attack the Dynamic Intrusion Detection Nodes within the limited session. With this protocol the attacks and compromised nodes can be effectively identified at runtime in high data rate static or dynamic Wireless Sensor Networks (WSNs). Research is now under way on On-Line Updates for local agents and global agents individually in high data rate Wireless Sensor Networks (WSNs), when the network has maximum mobility and maximum data rate.
Keywords: Wireless Sensor Networks, Intrusion Detection,
Dynamic Intrusion Detection Nodes, Key management.
I INTRODUCTION
A. Wireless Sensor Networks
A wireless sensor network (WSN) is a network consisting of geographically distributed autonomous devices with sensors that monitor physical or environmental conditions, such as temperature, sound, vibration, pressure and motion, at different geographical locations. Wireless Sensor Networks (WSNs) are ideal candidates for monitoring environments in a wide variety of applications such as military surveillance, forest fire monitoring and animal identification. The field of wireless sensor networks offers a rich, multi-disciplinary area of research, in which a variety of tools and concepts can be applied to a diverse set of applications. Research in wireless sensor networks focuses mainly on routing, energy consumption and security. The main focus here is on intrusion detection systems (IDS) that secure wireless sensor networks with energy optimization, even in highly error-prone and crowded situations, by using DIDN.
Unlike mobile ad-hoc networks or other wireless networks, wireless sensor networks have a larger number of nodes, densely deployed. So it is essential to reduce the cost of deployment as well as energy consumption, even in a large-scale network. Moreover, in most cases wireless sensor networks are considered to be motionless, but this is not feasible for many applications. The model analysis here addresses these concerns. [11].

Figure 1.1 Wireless Sensor Networks
B. Intrusion Detection System
An intrusion detection system is a system, tool or intelligent computing algorithm designed to monitor and detect unauthorized or malicious activities (attacks) in wired or wireless networks (Wireless Sensor Networks/Mobile Ad-hoc Networks). Wireless sensor networks are distributed in nature, so here the intrusion detection system is called a Distributed Intrusion Detection System (DIDS). A distributed intrusion detection system runs on individual wireless sensor nodes as an intrusion detection agent module to detect vulnerabilities and attacks, and decisions are taken in a distributed manner with the help of local and global agents. [11].
C. Attacks and Compromised nodes
Normally wireless networks are more vulnerable to attacks like Denial of Service (DOS), which causes Blackhole attacks, Sybil attacks, Wormhole attacks, Selective forwarding attacks, Jamming attacks etc. This is a serious problem in wireless sensor networks.
A packet drop attack or blackhole attack is a type of denial-of-service attack in which a node supposed to relay packets discards them instead. This usually occurs when a node becomes compromised, which can have a number of different causes. Because packets are routinely dropped from a lossy network, the packet drop attack is very hard to detect and prevent. The adversary can create multiple compromised nodes in its Blackhole intercepted region. The intruder can also easily sense or read the secret data from a compromised wireless sensor node (Compromised Node - CN). [5]
Likewise, the wormhole attack records and uses the secret data in an unauthorized manner, the Sybil attack causes faulty identification, and the Selective forwarding attack causes starvation and data loss in wireless sensor networks. [7][9].
Against these various types of attacks our proposed model provides a flexible and resilient solution with the help of Dynamic Intrusion Detection Nodes for high data rate Wireless Sensor Networks, based on data flow at runtime.
II RELATED WORKS
In Wireless Sensor Networks (WSNs), multipath routing schemes are nowadays used for static path routing, which provides flexibility in routing. Due to the deterministic nature of multipath routing, the sensor nodes are vulnerable to DOS and CN attacks. To avoid this, randomized diffusion can be used at the time of data transmission [5], which provides protection against the attacks (DOS and CN). But paths must be created every time, and every node in these paths needs to monitor events to detect attacks using the Distributed Intrusion Detection System as well as forward the data to the next neighbor node. This increases the computing overhead and the power consumption of the nodes.
In further research, to reduce the node overhead, some nodes act as monitoring nodes called Watchdogs, which have an intrusion detection module, together with a cluster head. Apart from these nodes the others are forwarding nodes, sender and sink. Based on the results from these intrusion detection nodes the cluster head takes action. [3]. If the intrusion detection nodes are static in that session or all the time, the intruder can easily attack these detecting nodes, which creates a very serious problem in sensor networks; in the cluster head approach the cluster head might also be vulnerable. Moreover, the cluster head election process consumes more energy, which is not optimal.
In a further approach, intrusion detection is performed without a cluster head, but in this method the wireless sensor nodes have to maintain information about their two-hop neighbors, which increases overhead and power consumption, and the intrusion detection nodes may also be in the forwarding path. This lets the intruder track these monitoring nodes easily. [11]
In another approach, Mu-DOG describes an intrusion monitoring scheme based on IEEE 802.15.4 MAC with a beacon approach. But there is less security over the monitoring node selection process and no dynamic approach for those nodes, which makes attacks on the monitoring nodes easy. It also deals with only the first three layers, whereas our approach is designed to achieve flexibility in more than three layers. [2]
The previous works deal only with intrusion detection using monitoring nodes. They have not provided a solution for secure monitoring node selection and did not provide flexibility in that process. With these constraints in mind, the Dynamic Intrusion Detection Protocol for wireless sensor networks is designed to work effectively in high error level conditions and in maximum mobility situations, with optimized energy levels in the sensor nodes.

III. PROPOSED METHOD-DY-DOG
A. Selection of Intrusion Detection Nodes
In this proposed scheme dynamic intrusion detection nodes are created to detect various attacks like DOS (Blackhole, Wormhole, Sybil and Selective forwarding attacks etc.) and Compromised Nodes (CN) in wireless sensor networks. In previous related work only a single blackhole can be identified. But here, by using more selected Dynamic Intrusion Detection Nodes, multiple Blackholes can be identified with the help of any suitable intelligent computing algorithm. Here every node is monitored by more than one Intrusion Detection/Monitoring Node. In this scheme a node acts as both intrusion detection node and forwarding node dynamically. Also, without a cluster head, the node itself takes action against these attacks and informs the other neighbors with limited updates. The nodes in the forwarding list act as forwarding nodes only for a moment and then change to idle dynamically, until they become the one-hop neighbor of a forwarding node in another forwarding path on which data transmission is going on.
Only the neighbor nodes that are not in the forwarding path monitor their forwarding nodes for intrusion detection at the time of data transmission; the others remain stable in functionality. At any time every single node can be monitored by more than one Dynamic Intrusion Detection Node (DIDN). If any one of them is traced by the adversary, the others can detect the attack and action will be taken. This provides better resiliency in intrusion detection and flexibility in DIDN availability, with the help of the designed algorithm discussed later.
This method makes it very difficult for intruders to identify or attack the intrusion detection nodes. Here only idle nodes that are at one-hop distance from a forwarding node are selected as DIDNs, when they are not in its forwarding path. This increases the utilization of monitoring nodes without affecting the data transmission in any way. Any node that does not satisfy the above condition goes to the idle state to reduce power consumption.
In the worst case scenario, if the forwarding node is not monitored by at least two intrusion detection nodes, or the data rate over the nodes increases the overhead due to maximum mobility, then the intrusion detection node at one hop selects its next-hop neighbor node as the Dynamic Intrusion Detection Node (DIDN) for the actual forwarding node, provided that monitoring node is within the transmission range of the forwarding node, by the designed algorithm discussed later.
Now the monitoring node (DIDN) is at two-hop distance from the forwarding node. But this happens only when high-level data transmission occurs, and the forwarding nodes need not maintain two-hop neighbor information all the time. In a critical situation or high data rate condition, the one-hop monitoring nodes share their one-hop node information with the forwarding node, as its two-hop monitoring nodes, dynamically with a predefined shared session key (see the next section). This increases the availability of intrusion detection nodes even in dense sensor data transmission and in highly dynamic situations.
These Dynamic Intrusion Detection Nodes are selected using a secure key management approach to prevent malicious nodes from acting as monitoring nodes. We will discuss this later.
Figure 3.1 DIDNs and Forwarding Nodes
In Figure 3.1 the nodes are separated into three types: Sender/Destination; Forwarding node, which forwards only for the time of data forwarding and then changes to DIDN or idle node as seen before; and the Dynamic Intrusion Detection Nodes for forwarding node 1 (the one-hop neighbors of forwarding node 1 that are not in the forwarding path).
For this mechanism we propose a framework for an efficient dynamic intrusion detection protocol to detect multiple attacks in wireless sensor networks, which can be used to send any type of data (multimedia) in a secured manner. The proposed scheme is planned to enhance security against various attacks like DOS (Blackhole, Wormhole, Sybil and Selective forwarding attacks etc.) and Compromised Nodes (CN), with secured dynamic intrusion detection nodes, even in dynamic conditions of wireless sensor networks. It is suitable for both fixed wireless sensor networks and ad-hoc wireless sensors.
With this flexible DIDN deployment we can significantly reduce the overhead and power consumption of the individual nodes and increase the security against attacks. In the next section we discuss the secured key management needed for DIDN selection and for DMDIDN selection.
B. Secured Key Management for DY-DOG
To select a DIDN we need a secure method that distinguishes malicious nodes from DIDNs. The intrusion detection node should maintain two secret shared session keys to establish the identity of that node against other malicious nodes.
*Secret shared session key for unique intrusion detection node
This key is generated from the forwarding node's partial data bits, the sender's ID and the monitoring node's ID (the node to be DIDN). The entities are concatenated in the forwarding node and EX-ORed in the intrusion detection node, which sends that key to the forwarding node. From this key the monitoring node's identity is checked with the reverse EX-OR operation. This increases the security against intruder nodes. Within the particular session these keys are hard to identify. This authentication scheme prevents malicious nodes from monitoring the sensor nodes as DIDNs during data transmission.
*Decision making key for unique intrusion detection node
This is generated after attacks are identified by the intrusion detection nodes, and is discussed in the next section.
C. Decision Key for Decision Making Dynamic Intrusion
Detection Node Selection (DMDIDN)
In the previous section we discussed the Dynamic Intrusion Detection Node (DIDN) selection process. Here we discuss the decision taken when attacks are identified. At the time of an intruder attack, under the proposed system more than one intrusion detection node monitors the forwarding nodes that are at one-hop distance from those monitoring nodes. Every monitoring node can identify as many attacks as possible, but when action is taken against these attacks the data needs to be rerouted through another forwarding path after healing the infected node or infected packets. These alternative paths are dynamically selected by the intrusion detection node itself. But multiple monitoring nodes are available here to monitor the forwarding nodes. Although there is more than one intrusion detection node, only one takes the decision on route change during intrusion time.
Here the forwarding node sends another key, called the decision making key, to its monitoring nodes and waits for replies from those nodes. The nodes reply to the forwarding node with the decision making key they received and a TTL field. The node with the lowest TTL value is selected as the decision making intrusion detection node. In the next step the forwarding node sends only the initial portion of the data to the selected intrusion detection node and waits for an acknowledgement to ensure authentication. After that the remaining data is forwarded to the correspondent node to make a secured route selection. This decision making node selection changes depending on the nodes' mobility. The algorithms used for the proposed design are explained in the next section.
D. Proposed Algorithms for DY-DOG, Dynamic Energy
Efficient Intrusion Detection Protocol Model
Here we discuss the various algorithms used to design the DY-DOG protocol for dynamic intrusion detection based on data flow with maximum network data rate.
I) Algorithm- Secured DIDN Selection
If D_R > D_TH DIDN_1 1
{
Conditions on selection:-
N N_F1L of N_F1(S):
N N_FL of N_F(S);
N N_FO of N_FO(S) || DIDN_O;
Let N (Node taken for selection process) = N_F2 here;
N N_11L of N_F1(S) N_F2L of N_F2(S);
Then,
N_F ID_XF || S_DSF N_F1 ID_NF1 XOR (ID_XF || S_DSF) N_F2;
N_F1 ID_NF2 N_F;
N_F2 ID_XF || S_DSF XOR ID_NF1 XOR ID_NF2 via N_F1 N_F

Here, Key_1 = ID_XF || S_DSF XOR ID_NF1;
Key_2 = ID_XF || S_DSF XOR ID_NF1 XOR ID_NF2;
In Key_1 N_F checks If (ID_XFR == ID_XF && S_DSFR == S_DSF && ID_NF1R == ID_NF1)
{
And have the ID_NF1
Then in Key_2 N_F checks If (ID_NF1R == ID_NF1 && ID_NF2R == ID_NF2)
{
And have the ID_NF2
NDIDN = N_F2 DIDN and this node ready to monitor;
}
Else
{
NMalicious Node (N_F2 Malicious Node)}
It is valid If and only if (N = N_F2 A_NF)
{
Else
Do the process from initial stage;
}}
Here,
N_F - Forwarding node in current forwarding path;
N_F1L & N_F2L - Forwarding List of one-hop and two-hop neighbor node respectively for N;
N_FL - Current Forwarding path node list;
N_FO - Forwarding node for other path;
DIDN_O - DIDN for Forwarding node in other path;
ID_XF & ID_XFR - ID of the sender for Forwarding node and received ID_XF in N_F respectively;
S_DSF & S_DSFR - Sample data bit from Forwarding node and received S_DSF in N_F;
ID_NF1 & ID_NF2 - ID of the Node taken for selection process from one-hop and two-hop respectively;
N_F1 & N_F2 - Node taken for selection process from one-hop and two-hop respectively;
ID_NF1R & ID_NF2R - received ID_NF1 & ID_NF2 in N_F;
A_NF - Coverage area of N_F.
This is common to the other nodes that satisfy the above initial conditions in a high error rate wireless sensor network.
The above algorithm describes the steps to select the DIDNs that monitor the forwarding nodes for detecting intrusions, and the nodes being monitored, in high error rate conditions.
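The session-key check from Section III.B and Algorithm I can be traced with concrete bytes. The following is an added example, not code from the paper: it assumes the concatenation ID_XF || S_DSF is formed first and the node ID is then XORed into it after zero-padding on the left, and the byte widths, class and function names and sample values are all constructed for illustration.

```python
# Added illustration of the Key_1 / Key_2 checks. Byte widths, zero-padding,
# "concatenate first, then XOR", and every name below are assumptions.
from dataclasses import dataclass


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_id(node_id: bytes, width: int) -> bytes:
    """Left-pad a node ID with zero bytes to the width of ID_XF || S_DSF."""
    if len(node_id) > width:
        raise ValueError("node ID longer than key material")
    return node_id.rjust(width, b"\x00")


def make_key1(base: bytes, id_nf1: bytes) -> bytes:
    """At the one-hop candidate N_F1: Key_1 = (ID_XF || S_DSF) XOR ID_NF1."""
    return xor_bytes(base, pad_id(id_nf1, len(base)))


def make_key2(key1: bytes, id_nf2: bytes) -> bytes:
    """At the two-hop candidate N_F2: Key_2 = Key_1 XOR ID_NF2."""
    return xor_bytes(key1, pad_id(id_nf2, len(key1)))


@dataclass(frozen=True)
class ForwardingNode:
    sender_id: bytes             # ID_XF
    sample_bits: bytes           # S_DSF for this session
    one_hop: frozenset           # one-hop neighbour IDs of N_F
    forwarding_path: frozenset   # N_FL, nodes on the current path
    coverage: frozenset          # node IDs inside A_NF

    @property
    def base(self) -> bytes:
        return self.sender_id + self.sample_bits   # ID_XF || S_DSF

    def verify_key1(self, key1: bytes, claimed_id: bytes) -> bool:
        """Reverse XOR: Key_1 XOR base must give back the claimed ID_NF1."""
        if claimed_id not in self.one_hop or claimed_id in self.forwarding_path:
            return False
        if len(key1) != len(self.base):
            return False
        return xor_bytes(key1, self.base) == pad_id(claimed_id, len(self.base))

    def verify_key2(self, key2: bytes, id_nf1: bytes, relayed_id_nf2: bytes) -> str:
        """Classify a two-hop candidate: 'DIDN', 'malicious' or 'restart'."""
        width = len(self.base)
        if len(key2) != width or len(relayed_id_nf2) > width:
            return "malicious"
        recovered = xor_bytes(key2, make_key1(self.base, id_nf1))
        if recovered != pad_id(relayed_id_nf2, width):
            return "malicious"   # ID bound into Key_2 differs from the ID N_F1 relayed
        if relayed_id_nf2 in self.forwarding_path or relayed_id_nf2 not in self.coverage:
            return "restart"     # not eligible: run the selection again
        return "DIDN"


# Constructed sample session (all values invented for the example).
N_F = ForwardingNode(
    sender_id=b"\x00\x07",
    sample_bits=bytes.fromhex("a55a3cc3"),
    one_hop=frozenset({b"\x00\x11", b"\x00\x12"}),
    forwarding_path=frozenset({b"\x00\x12"}),
    coverage=frozenset({b"\x00\x11", b"\x00\x21"}),
)

if __name__ == "__main__":
    k1 = make_key1(N_F.base, b"\x00\x11")
    k2 = make_key2(k1, b"\x00\x21")
    print(k1.hex(), N_F.verify_key1(k1, b"\x00\x11"))
    print(k2.hex(), N_F.verify_key2(k2, b"\x00\x11", b"\x00\x21"))
```

The check passes only for a node that holds this session's ID_XF || S_DSF, which is why the sample data bits are part of the key material.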
Figure 3.2 Secure DIDN Selection (Hop-2) with Shared Secret Session Key (Key2).
Figure 3.2 shows how the secure DIDN is selected from the second hop in a high data rate situation. In this situation all but one of the one-hop DIDN nodes are busy forwarding data in other forwarding paths, and the nodes have maximum mobility. The data rate also exceeds the normal threshold level.
II) Algorithm- Decision Making Dynamic Intrusion Detection
Node Selection (DMDIDN)
Among multiple DIDNs only one DIDN should be selected as DMDIDN when an attack has been identified. That Decision Making DIDN reroutes the data packets through a secured path to the destination after the attacked node is identified. Among multiple DIDNs, if any one detects an intrusion in the node or packets being sensed, then that node is marked as an attacked node or the packet as an infected packet.
DMDIDN Selection and Reinforced Path Selection and Limited Update:-
Condition:
DMDIDN DIDN(S);
N_F D_Key + TTL DIDN(S);
DIDN(S) REQ N_F;
Dkey+TTL
DIDNDMDIDN; If and only if TTL = TTL_S;
Then N_F D_i DMDIDN;
ACK_i
i = Initial Data Packet;
N_F D_n DMDIDN for route selection; n=1, 2, ;
Limited Update against Attacks:
Attacks A(S) = A_1, A_2, A_3 A_k;
P_n - Data Packets
DIDN_1 P_n(N_F)|A_k DIDN_n; n=1, 2,.; k=1, 2 ;
If DIDN_1|A_k DIDN_n|A_k
Here the DIDNs do not share all of their attack or intruder information with other DIDNs periodically, because multiple monitoring nodes are available much of the time and mark the data packet or node, in their packet field, with the identified attack details at the time of attack or intruder detection. The other DIDNs search the intrusion detection field and update the attack details if they are not in their database, which avoids redundancy. This is the limited update. The limited update scheme reduces the redundant updates of attack information between nodes, which saves memory, energy and delay during data transmission. By using these proposed algorithms we can increase DIDN availability to monitor other forwarding nodes, and with multiple monitoring nodes the number of detected attacks can be increased with limited updates in a distributed and dynamic manner.
Figure 3.3 Secure DMDIDN Selection Process with Decision Key (Dkey)
Figure 3.4 Secure DMDIDN Selection Process with Selected DMDIDN.
Figures 3.3 and 3.4 show the selection of the Decision Making DIDN, and Figure 3.5 shows the data re-routing process after detecting attacks in wireless sensor nodes.
Figure 3.5 Data Packet Re-Routing Process through Selected DMDIDN
E. Route Update/Mobility:
In Wireless Sensor Networks each node's mobility should be updated periodically or on demand. When the TTL value or transmission delay of any Dynamic Intrusion Detection Node (DIDN) or DMDIDN exceeds the predefined threshold value, this is considered a link break or the node being out of coverage range. Then the forwarding node needs to rebuild its neighbor table for routing updates. This (on-demand) update is performed in situations such as when any DIDN has been attacked or is outside the coverage area of the forwarding node.
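The DMDIDN choice from Section III.C, the TTL threshold rule of Section III.E and the limited update of Algorithm II fit together as follows. This is an added example, not code from the paper; the threshold value, the tie-break on node ID, the packet field layout and all names are assumptions, and the sample replies are constructed.

```python
# Added illustration of DMDIDN selection and the limited update; the TTL
# threshold value, field names and classes are assumptions, not from the paper.
import hmac
from dataclasses import dataclass, field

TTL_THRESHOLD = 8  # assumed value for the "predefined threshold"


@dataclass(frozen=True)
class Reply:
    didn_id: str
    dkey: bytes   # decision making key echoed back by the DIDN
    ttl: int


def select_dmdidn(dkey, replies, verified_didns, ttl_threshold=TTL_THRESHOLD):
    """Return (dmdidn_id, link_breaks); dmdidn_id is None if nobody qualifies."""
    link_breaks, candidates = [], []
    for r in replies:
        if r.didn_id not in verified_didns:
            continue  # never passed the session-key check, so not a DIDN
        if not hmac.compare_digest(r.dkey, dkey):
            continue  # did not echo the decision key that was sent
        if r.ttl > ttl_threshold:
            link_breaks.append(r.didn_id)  # treated as link break: rebuild neighbour table
            continue
        candidates.append(r)
    if not candidates:
        return None, link_breaks
    # Lowest TTL wins; the node ID only makes ties deterministic (assumption).
    best = min(candidates, key=lambda r: (r.ttl, r.didn_id))
    return best.didn_id, link_breaks


@dataclass
class Packet:
    payload: bytes
    ids_field: set = field(default_factory=set)  # (node, attack) marks


@dataclass
class Didn:
    node_id: str
    attack_db: set = field(default_factory=set)

    def mark(self, packet: Packet, node: str, attack: str) -> None:
        """On detection, record locally and mark the packet's intrusion field."""
        self.attack_db.add((node, attack))
        packet.ids_field.add((node, attack))

    def limited_update(self, packet: Packet) -> set:
        """Learn only the entries that are not already in the local database."""
        new = packet.ids_field - self.attack_db
        self.attack_db |= new
        return new


# Constructed sample replies to one decision-key request.
DKEY = b"\x5a\x01"
VERIFIED = {"D1", "D2", "D3", "D4"}
SAMPLE_REPLIES = [
    Reply("D1", DKEY, 5),
    Reply("D2", DKEY, 3),
    Reply("D3", b"\x00\x00", 1),   # wrong key echoed
    Reply("D4", DKEY, 12),         # TTL above threshold
    Reply("X9", DKEY, 0),          # not a verified DIDN
]

if __name__ == "__main__":
    print(select_dmdidn(DKEY, SAMPLE_REPLIES, VERIFIED))
```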
F. Performance Analysis of DY-DOG:
Normally other monitoring mechanisms based on watchdogs consider only network layer functions, and Mu-Dog has functions on three layers only. But our mechanism can improve performance in more than three layers with various functions such as DIDN selection (Topology Maintenance), Intrusion Monitoring (Carrier Sensing - CSMA/CA), Routing (Multipath Routing and Reinforced Routing) and Transport Layer activities (ACK/NACK between Forwarding Node and DMDIDN). Various performance metrics, such as availability of DIDNs vs. normal nodes, intrusion monitoring level vs. data rate, route update vs. nodes, time vs. number of attacks detected, attacks detected vs. DIDNs and attacks updated vs. nodes, will be used to show that our proposed scheme improves intrusion detection against various attacks through the securely selected DIDNs with the help of any intelligent algorithm.
IV CONCLUSION
Here the Dynamic and Flexible Intrusion Detection Protocol (algorithms) model has been proposed for secure data transmission in high error rate Wireless Sensor Networks. Every single wireless sensor node acts as intrusion detection node as well as forwarding node dynamically. These algorithms are used to deploy flexible Dynamic Intrusion Detection Nodes (DIDNs), with a unique key management approach, from the neighbor nodes of non-forwarding paths, to identify attacks in individual wireless sensor nodes and reroute the packets to the destination in a secured manner. This will reduce the deployment cost for small-scale and large-scale wireless sensor networks. Our design makes those wireless sensor nodes effective and flexible Dynamic Intrusion Detection Nodes (DIDNs), which makes it hard for intruders to detect these monitoring nodes. There is no need for a cluster head election process, the nodes' memory is used efficiently, and the processes of the sensor nodes have low overhead because of the dynamic distributed nature. With multiple DIDNs the nodes in the transmission path can be monitored for intrusions efficiently and dynamically, which increases security against various attacks at node level with low energy consumption, and the DY-DOG approach deals with more than three layers from a security perspective. The design-based implementation is being carried out with the different performance metrics mentioned above. In our future work with internal updates, work is in progress on runtime on-line updates for new knowledge according to various attacks in wireless sensor nodes.
REFERENCES
[1] Yun Wang, Xiaodong Wang, Bin Xie, Demin Wang, and Dharma P. Agrawal, "Intrusion Detection in Homogeneous and Heterogeneous Wireless Sensor Networks," IEEE Transactions on Mobile Computing, June 2008.
[2] Abderrezak Rachedi and Hend Baklouti, "MuDog: Smart Monitoring Mechanism for Wireless Sensor Networks based on IEEE 802.15.4 MAC," IEEE Int. Conf., 2011.
[3] Noman Mohammed, Hadi Otrok, Lingyu Wang, Mourad Debbabi, and Prabir Bhattacharya, "Mechanism Design-Based Secure Leader Election Model for Intrusion Detection in MANET," IEEE Transactions on Dependable and Secure Computing, Feb. 2011.
[4] Xiao Zhenghong and Chen Zhigang, "A Secure Routing Protocol with Intrusion Detection for Clustering Wireless Sensor Networks," IEEE Int. Conf., 2010.
[5] Tao Shu, Marwan Krunz, and Sisi Liu, "Secure Data Collection in Wireless Sensor Networks Using Randomized Dispersive Routes," IEEE Transactions on Mobile Computing, July 2010.
[6] Shanshan Chen, Geng Yang and Shengshou Chen, "A Security Routing Mechanism against Sybil Attack for Wireless Sensor Networks," IEEE Int. Conf., 2010.
[7] Kemal Akkaya and Mohamed Younis, "A survey on routing protocols for wireless sensor networks," Elsevier, Feb. 2003.
[8] Rodrigo Roman, Jianying Zhou and Javier Lopez, "Applying Intrusion Detection Systems to Wireless Sensor Networks," 2006.
[9] Ali Modirkhazeni, Norafida Ithnin and Othman Ibrahim, "Secure Multipath Routing Protocols in Wireless Sensor Networks: A Security Survey Analysis," IEEE Int. Conf., 2010.
[10] Krontiris Ioannis and Tassos Dimitriou, "Towards Intrusion Detection In Wireless Sensor Networks," IEEE, 2007.
[11] www.wikipedia.org/ wireless sensor networks, intrusion detection system.
