One Size Does Not Fit All – How to Approach Intrusion Detection in Wireless Sensor Networks
Andriy Stetsko and Václav Matyáš
Department of Computer Systems and Communications
Faculty of Informatics, Masaryk University
{xstetsko, matyas}@fi.muni.cz
Abstract. A wireless sensor network (WSN) is a highly distributed network of resource-constrained wireless devices called sensor nodes. In this work we consider intrusion detection systems, as they are appropriate mechanisms to defend against internal attacks on WSNs. The wide diversity of WSN applications on one side and the limited resources of sensor nodes on the other imply that a “one-fit-all” intrusion detection system is not optimal. We present a conceptual proposal for a suite of tools that enable the automatic design of an intrusion detection system that will be (near) optimal for a given network topology, capabilities of sensor nodes and anticipated attacks.
1 Introduction
A wireless sensor network (WSN) consists of sensor nodes – devices that are equipped with sensor(s), a microcontroller, a wireless transceiver and a battery. Each sensor node monitors some physical phenomena (e.g., humidity, temperature, pressure, light, etc.) inside an area of deployment. The collected measurements are then sent to a base station – a gateway between the WSN and the external world (in most cases the Internet).
In this work we consider WSNs that contain hundreds of thousands of nodes distributed over an area of hundreds of square kilometers. The communication range of sensor nodes is limited to tens of meters and hence not all of them can directly communicate with the base station. Therefore, data are sent hop-by-hop from one sensor node to another until they reach the base station (see Figure 1).
Sensor nodes are constrained in processing power and energy, whereas the base station is assumed to have laptop capabilities and unlimited energy resources. The Crossbow MICAz¹ is an example of a typical sensor node. It contains an Atmel Atmega128L microcontroller, an 802.15.4-compliant (250 kbps) Texas Instruments CC2420 transceiver and two AA batteries. The microcontroller features an 8-bit processor (operating at 8 MHz), 128 kB FLASH, 4 kB EEPROM and 4 kB SRAM. Currently the sensor node is available at a price of €110. That precludes deployment of a large number of sensor nodes. However, it is believed that recent advances in micro-electro-mechanical systems will decrease the cost significantly.
¹ See the manufacturer’s website http://www.xbow.com/.
Mathematical and Engineering Methods in Computer Science (MEMICS), Znojmo, Czech Republic, 2009.
Petr Hliněný, Vashek Matyáš, Tomáš Vojnar (Eds.)
Schloss Dagstuhl - Leibniz-Zentrum für Informatik, Germany
Digital Object Identifier: 10.4230/DROPS.MEMICS.2009.2347
It is expected that WSNs will have many applications in the military, ecology, building and industrial automation, energy management, agriculture and even wildlife monitoring. Security thus becomes an important issue for WSNs and brings new challenges for security engineers.
Fig. 1: Wireless sensor network. The base station is depicted as the black filled circle and sensor nodes are depicted as gray ones. We assume that the communication ranges (represented by dotted circles) of neighboring sensor nodes are symmetric.
Cryptographic techniques can be used to prevent an external attacker (outsider) [9] from eavesdropping on or altering the ongoing communication². Encryption does not solve the problem of jamming attacks, where a malicious node (or other device) purposefully tries to interfere with the physical transmission and reception of wireless communication.
The area of deployment is most often not physically protected, and an attacker can easily access the area and capture some nodes³. Being a legitimate participant of the network, the attacker (insider) can launch a variety of internal attacks. In this work we consider: a selective forwarding attack, in which an attacker selectively drops packets [5]; a sinkhole attack, in which an attacker attracts all traffic from a particular area towards itself, typically by making a compromised node look attractive to neighboring nodes with respect to the routing algorithm [5]; and a packet alteration attack, in which a malicious node modifies the packets that it forwards for its neighbors.
Sensor nodes are not tamper-resistant, and an attacker can extract cryptographic keys from captured nodes. The attacker can replicate the nodes (also known as a clone attack) [6], deploy them into the network and then launch the attacks described above. The attacker can also create nodes with several identities, also known as Sybil nodes [5]. These nodes may have an impact on multipath routing, voting, data aggregation, fair resource allocation and misbehavior detection.
In this work we consider intrusion detection systems (IDSs) since they are, in comparison to cryptographic techniques, better mechanisms to defend against internal attacks on WSNs. In Section 2 we describe the basics of intrusion detection systems for wireless sensor networks – what kinds of audit data can be gathered and what types of attack they can be used to detect. A “one-fit-all” IDS is not optimal because of the wide range of WSN applications and the limited resources of sensor nodes. In Section 3 we propose a conceptual architecture of a suite of tools that will provide administrators with an IDS that best fits their purposes.
² A survey on the performance of symmetric/asymmetric cryptographic primitives and hash functions implemented for WSNs is available in [8].
³ We assume that the number of such nodes is significantly smaller than the total number of sensor nodes in the network.
2 Intrusion detection in wireless sensor networks
In this work we consider a distributed IDS that consists of IDS agents. We assume that every sensor node runs an IDS agent which monitors its neighbors using both local and watchdog monitoring techniques [1]. In the local monitoring technique, sensor nodes collect and analyze only the data forwarded by themselves (see Figure 2a). In the watchdog technique, sensor nodes collect and analyze data overheard in their neighborhood (see Figure 2b). We assume that sensor nodes employ single-channel transceivers. However, if multi-channel transceivers are used, it might happen (in the worst case) that the watchdog technique will be useless and the IDS will have to rely only on the local monitoring technique.
Fig. 2: Traffic monitoring techniques. (a) The sensor node B monitors traffic that it forwards from the node A to the node C. (b) The sensor node B monitors in promiscuous mode traffic from the node A to the node C.
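As an added example (not code from the paper or its authors), the following Python sketch shows how an IDS agent at node B could combine the local and watchdog monitoring techniques just described to gather evidence of the selective forwarding and packet alteration attacks listed in Section 1. The node names (A, B, C, base station S), the frame layout, the thresholds and the trace of overheard frames are all constructed assumptions for this illustration; a real agent would also age out pending entries with a timeout, which is omitted here.

```python
# Added example (not from the paper): a watchdog-style IDS agent for the
# monitoring techniques of Section 2, run over a constructed trace in which a
# neighbour drops and alters packets.  Node names, thresholds, frame layout
# and the trace are assumptions made for this illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One overheard link-layer transmission (constructed, not a real 802.15.4 frame)."""
    seq: int        # end-to-end sequence number chosen by the originator
    origin: str     # node that produced the measurement
    dst: str        # final destination (the base station)
    sender: str     # node that transmitted this particular frame
    next_hop: str   # node expected to retransmit it
    payload: bytes


@dataclass
class NeighborStats:
    expected: int = 0    # frames the neighbour was supposed to forward
    forwarded: int = 0   # frames we later overheard it retransmit
    altered: int = 0     # retransmissions whose payload did not match


class WatchdogAgent:
    """IDS agent at one node combining local and watchdog monitoring."""

    def __init__(self, node_id, neighbors, drop_threshold=0.25, min_samples=5):
        self.node_id = node_id
        self.neighbors = set(neighbors)
        self.drop_threshold = drop_threshold   # tolerated fraction of lost frames (assumed)
        self.min_samples = min_samples         # evidence needed before a verdict (assumed)
        self.pending = {}                      # (next_hop, seq) -> Frame awaiting retransmission
        self.stats = defaultdict(NeighborStats)

    def observe(self, frame):
        """Feed every frame this node sends itself (local monitoring) or overhears
        in promiscuous mode (watchdog monitoring)."""
        # 1. A neighbour we are watching retransmitted something: credit it and
        #    compare the payload with what it was given (packet alteration check).
        original = self.pending.pop((frame.sender, frame.seq), None)
        if original is not None:
            stats = self.stats[frame.sender]
            stats.forwarded += 1
            if frame.payload != original.payload:
                stats.altered += 1
        # 2. The frame is addressed to a neighbour that is not the final
        #    destination, so that neighbour now owes us a retransmission.
        if frame.next_hop in self.neighbors and frame.next_hop != frame.dst:
            self.pending[(frame.next_hop, frame.seq)] = frame
            self.stats[frame.next_hop].expected += 1

    def verdicts(self):
        """Return {neighbour: [suspected attacks]} for neighbours with enough evidence."""
        result = {}
        for node, s in self.stats.items():
            if s.expected < self.min_samples:
                continue
            findings = []
            dropped = s.expected - s.forwarded
            if dropped > self.drop_threshold * s.expected:
                findings.append("selective forwarding")
            if s.altered > 0:
                findings.append("packet alteration")
            if findings:
                result[node] = findings
        return result


def constructed_trace():
    """Ten measurements from A travel A -> B -> C -> S; C misbehaves (constructed)."""
    frames = []
    for seq in range(1, 11):
        payload = bytes([0x10, seq])                            # constructed sensor reading
        frames.append(Frame(seq, "A", "S", "A", "B", payload))  # A hands the packet to B
        frames.append(Frame(seq, "A", "S", "B", "C", payload))  # B forwards it to C
        if seq % 3 == 0:
            continue                                            # C silently drops every third packet
        forwarded = payload if seq != 7 else b"\x10\xff"        # C tampers with packet 7
        frames.append(Frame(seq, "A", "S", "C", "S", forwarded))
    return frames


def run_agent(frames=None):
    """Run B's agent over a trace and return it for inspection."""
    agent = WatchdogAgent("B", neighbors={"A", "C"})
    for f in frames or constructed_trace():
        agent.observe(f)
    return agent


if __name__ == "__main__":
    agent = run_agent()
    for node, s in agent.stats.items():
        print(node, s)
    print(agent.verdicts())   # {'C': ['selective forwarding', 'packet alteration']}
```

Node B records an expectation whenever a frame it sent or overheard is addressed to a neighbour that must forward it further, and credits that neighbour when it overhears the retransmission; frames that never reappear count as dropped, and retransmissions whose payload differs from the original count as altered. The `min_samples` guard keeps the agent from accusing a neighbour on a handful of frames, since ordinary collisions and radio loss also produce unforwarded packets.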
A conceptual model of an IDS agent is presented in [10]. Audit data gathered by a local audit data collection module are subsequently analyzed by local detection module(s). A cooperative detection module is used to propagate intrusion detection state information and/or audit data among neighboring nodes. In case the local detection evidence is weak or inconclusive, the cooperative detection module can use information (...truncated)