Ant Colony based Approach for Intrusion Detection on Cluster Heads in WSN
Dr. Harshal A. Arolkar, Ms. Shraddha P. Sheth, Ms. Vaidehi P. Tamhane
GLS Institute of Computer Technology, Ellisbridge, Ahmedabad, Gujarat, India
ABSTRACT
Wireless Sensor Networks are widely used in various domains like military, habitat monitoring, medical monitoring for humans, and environment monitoring in industries. Some applications of WSN are critical in nature and would have adverse effects as a result of intrusion. In this paper, we propose a four stage ant colony based architecture for intrusion detection in cluster heads of a Wireless Sensor Network.
Categories and Subject Descriptors
C.2.0 [COMPUTER-COMMUNICATION NETWORKS]: General – Security and protection. C.2.1 [COMPUTER-COMMUNICATION NETWORKS]: Network Architecture and Design – Network communications, Network topology, Wireless communication. C.2.3 [COMPUTER-COMMUNICATION NETWORKS]: Network Operations – Network management, Network monitoring.
General Terms
Design, Security.
Keywords
WSN, IDS, ANT, NIDS, HIDS, CIDS.
1. INTRODUCTION
The technological advances in micro-electro mechanical systems technology, wireless communication and digital electronics have given rise to a new paradigm called Wireless Sensor Networks. A wireless sensor network (WSN) consists of spatially distributed autonomous sensors that cooperatively monitor physical or environmental conditions, such as temperature, sound, vibration, pressure, motion or any other such activity. A WSN is made up of a collection of sensor nodes, also known as motes [1]. The nodes are capable of processing, gathering sensory information and communicating with other connected nodes within the network. However, due to the insecure nature of wireless communication channels, these networks are vulnerable to internal and external attacks.
Due to the absence of predefined infrastructure in WSN, most of the nodes have to perform the task of a router. As each node plays a major role in routing data from source to destination, security threats in routing become an important issue. Researchers have identified vulnerabilities like manipulated routing information [7], selective forwarding [7], sinkhole attack, Sybil attack [4], [10], wormhole attack [15], acknowledgement spoofing, and HELLO flood attack [3] in WSN.
An Intrusion Detection System (IDS) forms a base to detect any anomaly happening within such networks. Deploying an IDS allows us to secure the network from internal as well as external attacks.
ICCCS’11, February 12–14, 2011, Rourkela, Odisha, India. Copyright 2011 ACM 978-1-4503-0464-1/11/02…$10.00.
2. INTRUSION DETECTION SYSTEM
An Intrusion Detection System performs the task of detecting internal and external anomalies within a network. Along with cryptographic techniques, an IDS guarantees better security of the network. Intrusion detection is an important activity for improving security in modern networks. IDS are complementary to firewall and antivirus software and are considered the last line of defense. An IDS does not only detect malicious activity, but also performs appropriate actions to prevent the activity.
2.1 IDS Architecture for Wired Networks
Different IDS architectures have been proposed by researchers. The architectures are based either on the way the IDS is deployed or on the way anomalies are detected. IDS architecture based on deployment has two basic categories: host based architecture (HIDS) and network based architecture (NIDS) [8]. A HIDS consists of a host that identifies intrusions by analyzing system calls, application logs, file system modifications and other host activities and state. A NIDS is designed to monitor network traffic and packets, and assesses the packet information to identify any suspicious behavior. IDS architecture based on the detection technique also has two categories: signature based IDS and anomaly based IDS [9]. In signature based architecture, a knowledgebase is maintained which stores all the known attack profiles; suspicious behaviors are matched against it to detect inconsistencies. On the other hand, in anomaly based IDS, the knowledgebase stores all the normal profiles, and inconsistencies are detected by comparing suspicious behaviors with the knowledgebase.
2.2 IDS Architecture for Wireless Sensor Networks
Similar to the IDS architecture for wired networks, researchers have also proposed IDS architectures for Wireless Sensor Networks. Portilla et al. in [13] and Strikos in [14] have suggested a modular architecture for nodes in wireless networks. They categorize the IDS for WSN into three types, namely the centralized approach, the distributed approach, and the hierarchical approach.
2.2.1 Centralized Approach
Centralized IDS (CIDS) use an anomaly based detection technique to detect DoS attacks. In CIDS, one of the nodes acts as a master node and the others act as slaves. The master node gathers information from the slaves, processes it and acts accordingly if any anomaly is detected.
2.2.2 Distributed Approach
In the distributed approach, all the nodes run their own IDS. Each IDS handles malicious activities locally, and this in turn reduces the network traffic.
2.2.3 Hierarchical Approach
In the hierarchical approach, the network is divided into clusters, each having a cluster head. The IDS is deployed on these cluster heads and handles malicious activities of its own cluster and of other cluster heads.
3. RELATED WORK
Researchers have proposed various IDS for wireless sensor networks in recent years. In this paper we discuss some of them, namely Self Organized Criticality & Stochastic Learning Based IDS [5], a cluster based model [14], the Intrusion Detection based on Emotional Ants for Sensors (IDEAS) algorithm [2], and the EAR algorithm for detecting routing attacks in WSN [6]. Sections 3.1 to 3.4 describe these IDS in brief.
3.1 Self-Organized Criticality and Stochastic Learning Based IDS
Doumit et al. in [5] have proposed a light-weight Intrusion Detection System. It uses a host based data collection mechanism and an anomaly based intrusion detection technique. This approach stores all the normal behavior profiles of a node in a knowledgebase and handles an inconsistent node by comparing the suspicious activities with the knowledgebase. The IDS uses a Hidden Markov model [11], [12], which states that the probability of a node being in a certain state depends only on the previous state. The Hidden Markov model is applied to the sensor readings acquired based on the self organized criticality of the deployment region. This model is advantageous as it accommodates the addition of new sensor nodes easily. The main drawback of this model is its focus on individual sensor nodes rather than on the sensor network infrastructure. The other drawback is that no guideline is given for the attacks it can or cannot resist.
3.2 Cluster Based Model
Strikos A. A. in [14] presented a cluster based intrusion detection model. In this model, the entire network is divided into clusters. The clusters and cluster heads are formed using the cluster-first protocol, which states that first the clusters are formed and then the cluster heads are selected. Once the cluster head is selected, it monitors all other nodes within the cluster. This model also concentrates on monitoring the cluster head. For this purpose, clusters are further divided into teams which monitor the cluster head in round-robin fashion. In addition it uses a centralized routing mechanism, which means every packet will always be forwarded to the cluster head and then to the base station. To deploy the IDS, the author considered the set of all cluster heads to determine the cluster-set. IDS are deployed on all those cluster nodes which are part of the cluster-set. The main drawback of this model is that it detects a malicious node by requesting retransmission of all previous messages that it has sent to the suspicious node. This further increases the congestion and also consumes the battery of the nodes. The lifetime of the node as well as of the WSN thus decreases, and there is a possibility of a DoS attack.
3.3 Intrusion Detection Based on Emotional Ants for Sensors (IDEAS) Algorithm
Banerjee et al. in [2] have suggested an IDS based on emotional ants for sensor networks. The proposed algorithm is known as IDEAS. It is a parallel search algorithm which uses multiple ant agents to deploy pheromone values on nodes. Malicious activities within the network are detected using these pheromone values. The model initially identifies direct and indirect paths amongst its neighbors. Once the path among nodes is detected by an emotional ant, it communicates the characteristics of the path through pheromone balancing to the other ants. If any imbalance is found in the pheromone values, the network administrator is alerted. An important advantage of the IDEAS framework is its ability to identify behavioral patterns, deliberate and act based on a self organizational principle initiated with probability values. One of the drawbacks of this algorithm is that congestion in the network increases as ant packets are sent through all possible paths from a source node. Also, a very large list has to be stored at every node for the pheromone values, which consumes memory to a large extent.
3.4 EAR Algorithm for Detecting Routing Attacks in WSN
Juneja et al. in [6] have proposed the EAR algorithm for detecting routing attacks in WSN. The main factors addressed in this algorithm are energy, age and reliability. Ant packets are categorized into two types: forward ants and backward ants. A forward ant is generated at the source node and proceeds towards a destination node, gathering information about the state of the network on its way. A backward ant makes use of the collected information to update the routing tables of the nodes on its path and analyzes the collected information to detect attacks. Every node maintains a log table that stores information about its remaining energy, the age of the ant, and the ratio of packets sent to packets delivered. The backward ant checks the values stored for a selected node and compares them with predefined threshold values to verify the path's reliability. The different types of attacks identified are sinkhole attack, black hole attack, and congestion. In this model the consumption of processing power and memory is very high, as ant based processing has to be carried out in both directions at every node in the network. This also adds to the congestion in the network.
4. PROPOSED IDS MODEL
The models discussed in this paper address only external attacks, except for the cluster based model for IDS. Hence in case of internal attacks, the rest of the IDS tend to fail. In addition, the resource consumption in terms of processing power and memory is also very high. Most of the above models do not specify where the IDS should be deployed. To overcome the above listed problems, we have proposed a cluster based hierarchical model which uses an ant colony based approach for intrusion detection. The proposed model has two phases. The first phase is the initial configuration of the network, and the second phase performs identification of attacks and routing of data. The model proposed here takes into account the resource constraints as well as internal attacks of WSN. Hence instead of deploying an IDS on individual nodes within the network, a hierarchical approach has been used. The network is divided into clusters and cluster heads are then selected. The IDS is deployed on the cluster heads to minimize the resource consumption. The two phases of the model are further divided into the following four stages:
I. Formation of cluster without malicious node.
II. Identification of cluster head within the cluster.
III. Deployment of ant pheromone on cluster heads.
IV. Routing and detecting malicious activities based on pheromone values.
The four stages are elaborated in sections 4.1 to 4.4.
4.1 Formation of Cluster without Malicious Node
To form clusters, the WSN is divided into different geographical regions G. Within each geographical region G, a node N is chosen randomly and a parameter L that indicates the level of neighbors in the cluster is decided. Further, to avoid HELLO flood attack, only M neighbors are sent the Hello message. The neighbor list exchange process starts from the node N and goes up to L levels. After cluster creation, a node conformity check is carried out if any inconsistency is identified. This ensures that no node in the cluster is malicious. To perform the node conformity check on node J, the neighbor node sends a checksum request for the data previously sent to J. In case no reply is available, the node J is dropped from the cluster and added to the ignored node list. If a reply is obtained, then the checksum received is compared with the checksum calculated by the neighbor node. If these two checksums do not match, the suspicious node J is dropped from the cluster and is added to the ignored node list. Otherwise, it remains part of the cluster.
4.2 Identification of Cluster Head within Clusters
Once the cluster is formed, the cluster head selection process starts. Three random nodes H1, H2, and H3 are chosen within the cluster. The resources of H1, H2, and H3 are then computed and compared with a predefined threshold value of resource. The node with the highest resources is then selected as the cluster head. This process is applied to select the cluster heads of all available clusters.
4.3 Deployment of Ant Pheromones on Cluster Heads
Once cluster heads are finalized, the process of pheromone distribution starts. Cluster head CH deploys the initial pheromone value using ant agents on the neighbor cluster heads. The deployed pheromone values are refreshed based on a time interval T. The time interval T is application specific. Figure 1 shows the scenario of pheromone distribution.
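As an added worked example (not code from the paper or its authors), the following Python simulation runs stages 4.1 and 4.2 of the first phase over one constructed region: a neighbor-list exchange limited to M neighbors per node and L levels, the checksum based node conformity check with one node that never replies and one node whose stored copy of the data was altered, and cluster head selection among three random candidates. The topology, the node ids n0 to n7, the use of CRC-32 as the checksum, the resource figures, the threshold, and the choice to return None when no candidate meets the threshold are all assumptions made for this example; the paper fixes none of them.

```python
import random
import zlib

# Constructed topology of one geographical region G (adjacency lists).
TOPOLOGY = {
    "n0": ["n1", "n2", "n3"],
    "n1": ["n0", "n4", "n5"],
    "n2": ["n0", "n6"],
    "n3": ["n0", "n7"],
    "n4": ["n1"],
    "n5": ["n1"],
    "n6": ["n2"],
    "n7": ["n3"],
}
SILENT = {"n7"}      # constructed: drops the checksum request, never replies
TAMPERING = {"n4"}   # constructed: holds an altered copy of the data it received
# Constructed resource figures (e.g. remaining energy) for the clean nodes.
RESOURCES = {"n0": 70, "n1": 55, "n2": 90, "n3": 40, "n5": 65, "n6": 80}


def form_cluster(topology, start, levels, max_neighbors):
    """Stage 4.1: neighbor-list exchange starting at node N (`start`) and going
    up to L (`levels`) hops deep. Each node sends Hello to at most M
    (`max_neighbors`) of its neighbors, the paper's guard against HELLO flooding."""
    cluster = {start}
    frontier = [start]
    for _ in range(levels):
        next_frontier = []
        for node in frontier:
            for neighbor in topology[node][:max_neighbors]:
                if neighbor not in cluster:
                    cluster.add(neighbor)
                    next_frontier.append(neighbor)
        frontier = next_frontier
    return cluster


def payload_for(node):
    """Data a neighbor previously sent to `node` (constructed)."""
    return f"reading-for-{node}".encode()


def checksum(data):
    return zlib.crc32(data)


def checksum_reply(node):
    """Node J's answer to a checksum request; None models 'no reply'."""
    if node in SILENT:
        return None
    held = payload_for(node)
    if node in TAMPERING:
        held = held + b"!"   # stored copy no longer matches what was sent
    return checksum(held)


def conformity_check(cluster):
    """Stage 4.1 node conformity check: the neighbor recomputes the checksum of
    the data it sent to J and drops J on no reply or on a mismatch."""
    ignored = set()
    for j in sorted(cluster):
        reply = checksum_reply(j)
        if reply is None or reply != checksum(payload_for(j)):
            ignored.add(j)
    return cluster - ignored, ignored


def select_cluster_head(cluster, resources, threshold, rng=random):
    """Stage 4.2: pick three random candidates H1..H3, keep those whose
    resources meet the threshold and return the one with the most resources."""
    candidates = rng.sample(sorted(cluster), min(3, len(cluster)))
    eligible = [n for n in candidates if resources[n] >= threshold]
    if not eligible:
        return None   # assumption: the paper does not say what happens here
    return max(eligible, key=lambda n: resources[n])


def initial_configuration(levels=2, max_neighbors=3, threshold=50, seed=1):
    """Run stages 4.1 and 4.2 once for region G, starting at n0."""
    cluster = form_cluster(TOPOLOGY, "n0", levels, max_neighbors)
    clean, ignored = conformity_check(cluster)
    head = select_cluster_head(clean, RESOURCES, threshold, random.Random(seed))
    return clean, ignored, head


if __name__ == "__main__":
    clean, ignored, head = initial_configuration()
    print("cluster:", sorted(clean), "ignored:", sorted(ignored), "head:", head)
```

With the constructed region, n7 is dropped for not replying and n4 for the checksum mismatch, so the cluster that enters head selection is n0, n1, n2, n3, n5, n6. Lowering `max_neighbors` to 2 shows the effect of the M limit: n3, n5 and n7 never receive a Hello and stay outside the cluster.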
Figure 1. Deployment of ant pheromones
4.4 Routing and Detecting Malicious Activities based on Pheromone Values
Once the pheromone is deployed over all the cluster heads, the routing process can begin. The routing process is now a two stage process. In the first stage, data is sent to the respective cluster head by the source node. The cluster head then sends a Hello message along with a pheromone request to its neighbor cluster heads. All the neighbor cluster heads reply with their current pheromone value. This process is repeated until an optimal path from the source cluster head CH to the destination is found. Figure 2 shows the scenario of pheromone value exchange.
Figure 2. Pheromone value exchange
In the second stage, the source cluster head CH, based on the pheromone value, analyses possible threats like sinkhole attack, misdirection and passive information gathering. A sinkhole attack is detected if any cluster head responds with a very high pheromone value before the completion of the pheromone refresh time interval. Misdirection is detected if the received pheromone value is very low even though it was recently refreshed. Passive information gathering is said to be taking place if the energy and the received pheromone value do not decrease proportionally.
If any of the above mentioned attacks is identified, the cluster head that generated the values is identified as malicious and is added to the ignored node list. While the data is routed using different routes, the cluster whose cluster head was declared malicious goes into the CH identification phase. For routing the data packet, the cluster head with the highest pheromone value is selected. If two cluster heads respond with the same highest value, random selection of a cluster head is performed. This process is continued until the data packet reaches the destination cluster head. Figure 3 shows the routing of data using the optimal path.
Figure 3. Routing of data packets on optimal path
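As an added worked example (not code from the paper or its authors), the following Python simulation covers the second phase, stages 4.3 and 4.4: pheromone deployment with a refresh interval T, the three detection rules of section 4.4 applied to each neighbor's reply, and routing on the highest pheromone value with random tie-breaking. The paper gives no numeric thresholds, so INITIAL_PHEROMONE, REFRESH_T, the "very high" and "very low" factors, what counts as "recently refreshed", the proportionality tolerance, the ClusterHead class with its constructed behaviour labels, and the six cluster heads in build_network are all assumptions made for this example.

```python
import random
from dataclasses import dataclass

INITIAL_PHEROMONE = 100.0   # value the ant agents deploy (assumed)
INITIAL_ENERGY = 100.0      # energy every cluster head starts with (assumed)
REFRESH_T = 60.0            # refresh interval T, in seconds (assumed)
HIGH_FACTOR = 2.0           # "very high" = more than 2x the deployed value (assumed)
LOW_FACTOR = 0.2            # "very low"  = less than 0.2x the deployed value (assumed)
RECENT = REFRESH_T / 4      # "recently refreshed" = within T/4 of a refresh (assumed)
PROPORTION_TOL = 0.25       # allowed gap between energy drop and pheromone drop (assumed)


@dataclass
class ClusterHead:
    name: str
    neighbors: list
    energy: float = INITIAL_ENERGY
    pheromone: float = INITIAL_PHEROMONE
    last_refresh: float = 0.0
    behaviour: str = "honest"   # constructed misbehaviour, only used by reply()

    def reply(self, now):
        """(pheromone, energy) this head sends back to a Hello + pheromone request."""
        if self.behaviour == "sinkhole":       # lures traffic with an inflated value
            return 10 * INITIAL_PHEROMONE, self.energy
        if self.behaviour == "misdirection":   # advertises a near-useless path
            return 0.05 * INITIAL_PHEROMONE, self.energy
        if self.behaviour == "passive":        # energy spent listening, pheromone unchanged
            return self.pheromone, self.energy * 0.5
        return self.pheromone, self.energy


def deploy_pheromones(heads, now):
    """Stage 4.3: each head receives the initial value and a refresh timestamp."""
    for head in heads.values():
        head.pheromone = INITIAL_PHEROMONE
        head.last_refresh = now


def refresh_if_due(head, now):
    """Pheromone values are refreshed once the interval T has elapsed."""
    if now - head.last_refresh >= REFRESH_T:
        head.pheromone = INITIAL_PHEROMONE
        head.last_refresh = now


def classify_reply(head, pheromone, energy, now):
    """Section 4.4 rules on one neighbor's reply; returns the suspected attack or None."""
    since_refresh = now - head.last_refresh
    if pheromone > HIGH_FACTOR * INITIAL_PHEROMONE and since_refresh < REFRESH_T:
        return "sinkhole"
    if pheromone < LOW_FACTOR * INITIAL_PHEROMONE and since_refresh < RECENT:
        return "misdirection"
    energy_drop = 1 - energy / INITIAL_ENERGY
    pheromone_drop = 1 - pheromone / INITIAL_PHEROMONE
    if abs(energy_drop - pheromone_drop) > PROPORTION_TOL:
        return "passive information gathering"
    return None


def route(heads, source, destination, now, rng=random):
    """Stage 4.4 routing: at every hop ask the neighbor heads for their pheromone,
    move flagged heads to the ignored list and forward to the highest value
    (random choice on a tie). Returns (path, ignored); path is None if stuck."""
    ignored = set()
    path = [source]
    current = source
    while current != destination:
        replies = []
        for name in heads[current].neighbors:
            if name in ignored or name in path:
                continue
            pheromone, energy = heads[name].reply(now)
            if classify_reply(heads[name], pheromone, energy, now):
                ignored.add(name)   # its cluster re-enters the CH identification phase
            else:
                replies.append((pheromone, name))
        if not replies:
            return None, ignored
        best = max(p for p, _ in replies)
        current = rng.choice([n for p, n in replies if p == best])
        path.append(current)
    return path, ignored


def build_network():
    """Constructed cluster heads, pheromones deployed at t=0 (CH1 is the source)."""
    heads = {
        "CH1": ClusterHead("CH1", ["CH2", "CH3", "CH4"]),
        "CH2": ClusterHead("CH2", ["CH1", "CH5"], behaviour="sinkhole"),
        "CH3": ClusterHead("CH3", ["CH1", "CH5", "CH6"]),
        "CH4": ClusterHead("CH4", ["CH1", "CH5"], behaviour="misdirection"),
        "CH5": ClusterHead("CH5", ["CH2", "CH3", "CH4", "CH6"], behaviour="passive"),
        "CH6": ClusterHead("CH6", ["CH3", "CH5"]),
    }
    deploy_pheromones(heads, now=0.0)
    heads["CH3"].energy = 80.0      # CH3 forwarded honestly: energy and
    heads["CH3"].pheromone = 80.0   # pheromone fell together
    return heads


if __name__ == "__main__":
    print(route(build_network(), "CH1", "CH6", now=10.0))
```

At t=10 the source CH1 flags CH2 (ten times the deployed value before T has elapsed) and CH4 (a near-zero value within T/4 of the refresh) and forwards to CH3; CH3 then flags CH5 (energy halved while the pheromone did not move) and reaches CH6, so the data travels CH1, CH3, CH6 with CH2, CH4 and CH5 on the ignored list. Note that the misdirection rule only fires close to a refresh: the same low value reported late in the interval is judged by the proportionality rule instead, which is why the choice of T matters for this scheme.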
5. CONCLUSION
The constraint of limited resources in wireless sensor networks becomes a major bottleneck while designing an IDS. The limited energy and memory constraints need to be considered as a design aspect of routing or of detecting anomalies within a WSN. The IDS proposed in this paper takes into account the resource constraints of WSN. It is capable of taking care of internal as well as external attacks. Further, the conformity check after the formation of the cluster makes sure that no malicious node becomes part of the WSN.
6. REFERENCES
[1] Akyildiz I.F., Weilian Su, Sankarasubramaniam Y., Cayirci E., A Survey on Sensor Networks. IEEE Communications Magazine, 40(8), 102-114. DOI=http://dx.doi.org/10.1109/MCOM.2002.1024422.
[2] Banerjee S., Grosan C., Abraham A., IDEAS: Intrusion Detection Based on Emotional Ants for Sensors. 5th International Conference on Intelligent Systems, Design and Applications, (Wroclaw, Poland, 2005), IEEE Computer Society, 344-349. DOI=http://dx.doi.org/10.1109/ISDA.2005.53.
[3] Chakeres I.D. and Belding-Royer E.M., The utility of hello messages for determining link connectivity. 5th International Symposium on Wireless Personal Multimedia Communications, (Honolulu, Hawaii, 2002), 504-508. DOI=http://dx.doi.org/10.1109/WPMC.2002.1088225.
[4] Douceur J.R., The Sybil attack. 1st International Workshop on Peer-to-Peer Systems, (Cambridge, MA, 2002), Springer, 251-260.
[5] Doumit S. and Agrawal D.P., Self-organized criticality & stochastic learning based intrusion detection system for wireless sensor network. IEEE Military Communications Conference, (Boston, MA, 2003), IEEE Press, Piscataway, 609-614. DOI=http://dx.doi.org/10.1109/MILCOM.2003.1290173.
[6] Juneja D., Bansal S., Gurpreet Kaur, Arora N., Design and Implementation of EAR Algorithm for Detecting Routing Attacks in WSN. International Journal of Engineering Science and Technology, 2(6), 1677-1683.
[7] Karlof C., Wagner D., Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures. 1st IEEE International Workshop on Sensor Network Protocols and Applications, (2003), IEEE Press, Piscataway, 113-127. DOI=http://dx.doi.org/10.1109/SNPA.2003.1203362.
[8] Kaur K. and Singh B., Wireless Sensor Network based: Design Principles & measuring performance of IDS. International Journal of Computer Application, 1(28), 81-85.
[9] Khandakar R.A., A.S.M. Shihavuddin, Kabir Ahmed, Md. Shirajum Munir and Md. Anwar Asad, Abnormal Node Detection in Wireless Sensor Network by Pair Based Approach using IDS Secure Routing Methodology. International Journal of Computer Science and Network Security, 8(12), 339-342.
[10] Newsome J., Shi E., Song D. and Perrig A., The Sybil Attack in Sensor Networks: Analysis and Defense. 3rd International Symposium on Information Processing in Sensor Networks, (Berkeley, California, 2004), ACM, New York, 259-268.
[11] Ourston D., Matzner S., Stump W., Hopkins B., and Richards K., Identifying Coordinated Internet Attacks. Second SSGRR Conference, (Rome, Italy, 2001).
[12] Park H.J. and Cho S.B., An Effective HMM-Based Intrusion Detection System with Privilege Change Event Modeling. Springer Lecture Notes in Computer Science, 2417/2002, 617-618. DOI=http://dx.doi.org/10.1007/3-540-45683-X_86.
[13] Portilla J., Angel de Castro, Eduardo de la Torre, Riesgo T., A Modular Architecture for Nodes in Wireless Sensor Networks. Journal of Universal Computer Science, 12(3), 328-339.
[14] Strikos A.A., A full approach for intrusion detection in wireless sensor networks. http://www.ict.kth.se/courses/IK2555/ExamplePapers/Andreas_Strikos-paper20070301.pdf
[15] Hu Y.C., Perrig A. and Johnson D.B., Wormhole Detection in wireless ad-hoc networks. Technical Report TR01-384, Department of Computer Science, Rice University.