Reactive Security Scheme using Behavioral Aspects of Attacks for Wireless Sensor Networks
Roshan Zameer Ahmed
Anusha Anigol
R. C. Biradar
Electronics and Communication, Reva Institute of Technology and Management, Bangalore
Electronics and Communication, Reva Institute of Technology and Management, Bangalore
Information Science, Reva Institute of Technology and Management, Bangalore
Abstract—Wireless Sensor Networks (WSN) are vulnerable to many types of hackers who might get into the network with the intent of fetching its significant data and destroying the network. The sink node in a WSN, which maintains the database of the entire network, is also prone to security violations, and there is no such security mechanism devised for communicating the data to other nodes. Hence, there is a need to design a security scheme with the capabilities to protect the network and the sink node on the occurrence of an attack. In this paper, we aim to provide security with a reactive security scheme that includes studying the behavioral aspects of attacks and gathering the security demands. This scheme successively combines the security and the network rescue mechanisms to keep the network free from attacks and their impacts. The simulation results, such as Packet Delivery Ratio (PDR), malicious node activity, delay and transmission power, depict various attack behaviours in WSN, along with the reception power rate observed by the sink node and the packet loss.
Key words: Wireless Sensor Network, Security, Sink Node, Reactive Mechanism.
I. INTRODUCTION
A Wireless Sensor Network (WSN) is a collection of densely deployed autonomous devices, called sensor nodes, that gather environmental data with the help of sensors. The sensor nodes use radio communication to transmit sensor measurements to a terminal node, called the sink node. The sink node is the access point of the observer, who is able to process the distributed measurements and obtain useful information about the monitored environment. Sensor nodes communicate over a wireless medium by using a multi-hop communication protocol that allows data packets to be forwarded by neighboring nodes to the sink [1]. Sensor nodes are susceptible to various types of attacks. These attacks aim at one or more of the following security violations: (1) disturb the network service; (2) create and feed bad data, or prevent the movement of actual data, leading to bad decisions or computation; (3) gain access to forbidden information and/or restricted services by an unauthorized entity.
A. Security and Intrusion Detection in WSN
WSNs are vulnerable to several types of attacks. Attacks can be performed in a variety of ways, including traffic analysis, privacy violation, physical attacks, and so on. Threats, vulnerabilities and attacks are three closely related entities that usually cause havoc to the security of the information owned by others. A threat is basically an ability or intention of any agent to adversely affect the operation, system or facility offered by that network, and can be categorized as an amateur, professional or well-funded adversary. Amateur types of attacks include denial-of-service or eavesdropping through wireless sniffing. A professional adversary, on the other hand, usually launches more sophisticated attacks such as hijacking, man-in-the-middle or Sybil attacks. Finally, a well-organized adversary with highly sophisticated tools will launch attacks such as node capture, wormhole or rushing attacks [2]. Due to the potential asymmetry in power and computational constraints, guarding against a well-orchestrated attack on a WSN can be nearly impossible. The requirements of a WSN, encompassing both the typical network requirements and the unique security requirements suited solely to wireless sensor networks, are Data Confidentiality, Data Integrity, Data Freshness, Availability, Self-organization, Time Synchronization, Secure Localization and Authentication [3][4][5]. Intrusion Detection Systems (IDS) in WSN are classified into two categories: host-based and network-based. IDS are further classified as signature-based, anomaly-based and specification-based. A host-based IDS operates on operating system audit trails, system call audit trails, logs, and so on. A network-based IDS, on the other hand, operates entirely on packets that have been captured from the network. A signature-based IDS simply monitors the network for specific pre-determined signatures that are indicative of an intrusion. In an anomaly-based scheme, a standard behavior is defined and any deviation from that behavior triggers the intrusion detection system [6][7].
B. Related works
Most of the work is motivated to protect the integrity and confidentiality of transmitted data by using encryption and authentication mechanisms. Other works focus on protecting sensor nodes against attacks initiated to break or alter the sensors' normal functionalities [8][9].
Some of the related works are as follows. An intrusion detection scheme based on traffic prediction is proposed in [10], in which a WSN traffic prediction model is designed using Markov, which lowers computational complexity and improves the forecast accuracy. The authors in [11] applied game theory to IDS. The intrusion detection game has two players: the service provider, striving for the greatest reward on the network; and the intruder, trying to minimize the profit of the service provider. The authors in [12] improved the learning ability of the IDS through the application of a Markov chain and Q-learning algorithm. The authors in [13] proposed IHIDS, which not only efficiently detects attacks but also avoids the waste of resources.
978-1-4673-6217-7/13/$31.00 © 2013 IEEE
C. Our Contributions
Our contributions in this work are as follows. We design an efficient reactive security scheme which sporadically monitors the network for any sort of security attack. In this scheme, we use guard nodes deployed around the sink node of the WSN system. Guard nodes identify an intruder for the following attacks: (a) hello flood, (b) wormhole, (c) Sybil and (d) node replication. The attack prediction algorithm efficiently predicts the attack based on the attack behavior probable on the network or the sink. Guard nodes use data rescue mechanisms to protect the network once they confirm the predicted attack.
D. Proposed work
We use guard nodes to identify security attacks in WSN. In WSN terminology, guard nodes are considered a threat to the attacker (adversary): a network manager places these nodes in very close proximity to the sink, as shown in Figure 1. Unlike other sensor nodes, they are equipped with a special capability of protecting the sink node during an attack. This assures the sink node as well as the network that, even when affected by an attack, these nodes provide an effective rescue system, and that at any time during an attack they act as a protective shield to safeguard the network and the data. An IDS is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station, while Intrusion Detection and Prevention Systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. Here we design an IDPS for WSN. A guard node, being a protective shield to a WSN system, prevents an adversary from directly intruding into the system. We employ the guard nodes as our reactive monitoring system around the sink node a foreign network or computer. The sensor network is a self-organized network by nature; we deploy these guard nodes around the sink node at the network organization state. We describe in detail the intrusion detection scheme employed by guard nodes in Section II.
II. IDENTIFICATION OF ATTACK BEHAVIOR USING REACTIVE APPROACH
The intrusion detection mechanism, based on reactive security monitoring by the guard nodes, is explained with the help of the reactive security monitoring algorithm and its flowchart, shown in Figure 2. The reactive security scheme involves a Reactive Monitoring Algorithm. Firstly, the guard nodes that are deployed around the sink node are initially in the deactivated state. On reception of the signal from the sink node, the guard nodes get activated only on corroboration of the source and checksum verification. The corroboration method involves attack prediction and packet format verification. If the guard nodes encounter any sort of discrepancy in the format of the received packet, they discard the packet and continue in their initial state. The predicted attack sent by the sink is certified by these guard nodes through the Network Monitoring Mechanism. If the predicted attack is proved to match the actual attack, then the Attack Rescue() system is launched for the predicted attack P Attack; else, the network is monitored for the exact actual attack A Attack() based on the behavior of the attack, i.e. signal power, node ID, etc. are a few of the parameters which classify the behavioural aspect of an attack. Depending on the type of attack that has occurred, the attack rescue is launched. Every attack rescue is managed by acknowledging the rescue mechanism to the sink using Send Rescue Event(Sa) as a system routine function. Once the attack is rescued entirely from the network, we check for the incurred data loss either at the network or at the sink by sending the Send NTWMonitoring Event(Sm). This routine monitors the entire network and checks for data loss or the probable effects on the network due to the attack. We estimate the normal operation of the network based on the parameters: packet delivery ratio, acknowledgement time delays, traffic congestion rate, collision rate, and number of nodes operating in the network, along with the number of active nodes including cluster heads and the number of deactivated nodes including cluster heads; the signal returns the current status of the network. We compare the current status of the network with the previous normal operation status and acknowledge the guard nodes; if it is found without any change in its operation, or if there is a minute data loss or normal operational variations, then a data rescue system Send DataRescue Event(Sm) is initiated. If there is a status change which is not detected by the Send NTWMonitoring Event(Sm) event, then we return to the attack prediction stage. When the sink node is assured that there is no impact of the attack on the network, the sink node signals the guard nodes along with the acknowledgement of the network operating in safe mode; hence they return to their initial state.
Fig. 1. Guard nodes deployed near the Sink node in a WSN grid
[Figure: WSN grid; legend: cluster head, network, sink node, guard nodes, guard nodes in activated state, guard nodes in deactivated state]
Fig. 2. Reactive security mechanism flowchart representation
[Figure: flowchart; boxes: START, Guard nodes deactivated, Change in Network operation, Activate guard nodes, Change in Signal Power, Change in Node ID, Change in Packet Density, Discard Signal, Delete the node, Increase the RTT, Send Rescue Event, Network normal, Send DataRescue Event, STOP]
2013 International Conference on Advances in Computing, Communications and Informatics (ICACCI)
III. SIMULATION RESULTS
The reactive-approach-based monitoring system is simulated on the QualNet 5.2 Network Simulator to assess the performance and effectiveness of the approach. The simulation environment for the proposed work consists of three models: network model, propagation model and traffic model. In the network model, sensor nodes are placed in an area of 'l x b' square meters. It consists of 'N' nodes that are assumed to be connected to a base station at the boundary of the network. The propagation model uses the free space model with propagation constant β. The transmission range of a node is 'r' for a one-hop distance. In the traffic model, the constant bit rate model is used to transmit fixed-size packets, Trpkts. The coverage area around each node has a bandwidth, BWsinglehop, which includes the noise factor and channel frequency and is shared among its neighbors.
Algorithm 1 Reactive Security Monitoring Algorithm
1: Begin
2: Initially, guard nodes in deactivated state;
3: Guardnodes = Status Deactivated();
4: WHILE(EVENT e(SR)!=0);
5: Rg(Pkt Header, Pkt Format, Predicted attack());
6: Rs(Pkt Header, Pkt Format, Predicted attack()) = SR;
7: if (Rg = Rs) then
8:   Hello flood attack prediction and rescue;
9:   Receive the packet and get activated;
10: else
11:   Discard packet, continue initial status;
12: end if
13: if (Rpwr > Spwr || Rpwr < Spwr) then
14:   Sa = Discard Packet signal Send Rescue Event(Sa);
15:   Goto Line 25
16: else
17:   (Node Id != (fopen(fd, Node Id, RD Only)))
18:   Malicious node attack prediction and rescue;
19:   Sa = Destroy or delete the node Send Rescue Event(Sa);
20:   Goto Line 25
21: else
22:   (pkt density > Min no pktdelay > time t)
23:   Traffic congestion and rescue;
24:   Sa = Wait for the time or Increase the RTT Send Rescue Event(Sa);
25:   Goto Line 25
26: else
27:   Goto Line 27
28:   Send Rescue Event(Sa);
29:   Receive Acknowledge attack rescue scheme;
30:   Send NTWMonitoring Event(Sm);
31:   return entire network status;
32:   monitor network for the data loss;
33: end if
34: if (Send NTWMonitoring Event(SR) == Send NTWMonitoring Event(SM)) then
35:   Acknowledge guard nodes network is safe;
36:   Send NTWMonitoring Event(Sm);
37:   Send DataRescue Event(Sm);
38: else
39:   Goto Line 3
40: end if
41: Re-Initialize the guard nodes
42: Status = Deactivated();
43: End
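The guard-node decision path of Algorithm 1 and the Figure 2 flowchart, written out as an added Python example; it is not the authors' QualNet code. The class names, thresholds, the CRC-32 checksum, the `SINK` header and the PDR-only status comparison are assumptions made for illustration, and the sample data is constructed.

```python
import zlib
from dataclasses import dataclass
from enum import Enum


class Rescue(Enum):
    NONE = "none"
    DISCARD_SIGNAL = "discard signal"      # signal power changed
    DELETE_NODE = "delete the node"        # node ID not registered
    INCREASE_RTT = "increase the RTT"      # packet density or delay too high


@dataclass(frozen=True)
class Baseline:            # normal-operation reference; fields are assumptions
    known_ids: frozenset
    power_uw: float        # expected received power (S pwr)
    power_tol_uw: float    # assumed tolerance around S pwr
    max_density: int       # packets per monitoring window
    max_delay_s: float
    pdr: float             # packet delivery ratio during normal operation
    pdr_tol: float         # "minute" variation still treated as normal


@dataclass(frozen=True)
class Observation:
    node_id: int
    power_uw: float        # power measured by the guard node (R pwr)
    density: int
    delay_s: float


class GuardNode:
    def __init__(self, baseline: Baseline):
        self.baseline = baseline
        self.active = False                # guard nodes start deactivated

    def activate(self, alert: bytes, checksum: int, header: bytes = b"SINK") -> bool:
        """Activate only on a well-formed sink alert (CRC-32 and header assumed)."""
        self.active = alert.startswith(header) and zlib.crc32(alert) == checksum
        return self.active

    def classify(self, obs: Observation) -> Rescue:
        """Apply the behavioural checks in the flowchart's order."""
        b = self.baseline
        if abs(obs.power_uw - b.power_uw) > b.power_tol_uw:
            return Rescue.DISCARD_SIGNAL
        if obs.node_id not in b.known_ids:
            return Rescue.DELETE_NODE
        if obs.density > b.max_density or obs.delay_s > b.max_delay_s:
            return Rescue.INCREASE_RTT
        return Rescue.NONE

    def react(self, observations, pdr_after: float):
        """One cycle: collect rescue events, then compare network status."""
        if not self.active:
            return [], False
        events = [(o.node_id, r) for o in observations
                  if (r := self.classify(o)) is not Rescue.NONE]
        normal = abs(pdr_after - self.baseline.pdr) <= self.baseline.pdr_tol
        if normal:
            self.active = False            # network safe: return to initial state
        return events, normal


# Constructed sample data, not taken from the paper's simulation.
BASE = Baseline(frozenset({1, 2, 3}), 20.0, 3.0, 100, 20.0, 0.90, 0.05)
ALERT = b"SINK|predicted=hello_flood"
SAMPLE = [
    Observation(1, 21.0, 50, 5.0),         # within every threshold
    Observation(2, 32.0, 50, 5.0),         # power far from the baseline
    Observation(9, 20.5, 50, 5.0),         # unregistered node ID
    Observation(3, 19.0, 400, 30.0),       # congestion
]
```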
A. Simulation procedure
The proposed scheme is simulated using the following simulation inputs: l = 100 mtrs., b = 100 mtrs., N = [5 to 25], r = 50 mtrs., Trpkts = multiples of (50), channel frequency = 2.4 GHz, noise factor = 10. The simulation procedure involves the following steps.
1. Generate the sensor network environment. The nodes are randomly deployed in a fixed area and the topology changes for every instant defined by the simulation inputs. Within certain intervals, the performance evaluation is carried out.
2. Guard nodes ensure trustworthiness of channel and node using the MAC model.
3. Compute performance parameters of the system: performance parameters are assessed and plotted with different variables.
The results obtained with the proposed reactive security monitoring scheme include four categories of results that are analyzed: (1) PDR - the ratio of the number of packets received at destinations to the number of packets sent from a source; (2) Malicious nodes - deployed in a hostile environment, they try compromising the other nodes by an attack influential strategy; (3) Variations in transmission power - on establishment of the attack by the adversary, variations are observed in the transmission power of each node at different instances; (4) Packet delay - the variation in time taken for a packet to be transmitted across a network from source to destination; (5) Reception rate - the received power at the sink node from any node, and also the power received by each cluster head node in a network at various instants of time; (6) Packet loss - the variation observed during the reception of packets at the receiver end to the number of packets sent by the sender, before identifying an attacker.
Fig. 4. PDR v/s Cluster-2
[Plot: PDR(%) vs. number of nodes (Cluster-2); series: packets transmitted = 50 pkt and 100 pkt]
B. Analysis of PDR
PDR is plotted in Figures 3 and 4 with varying number of nodes for different numbers of packets transmitted, for cluster1 and cluster2 respectively. In these results we observe that PDR decreases with an increase in the number of nodes. This is because, as the number of nodes in the network increases, some of the packets may be lost due to bandwidth limitation.
Fig. 3. PDR v/s Cluster1
[Plot: PDR(%) vs. number of nodes (Cluster-1); series: packets transmitted = 50 pkt and 100 pkt]
Fig. 5. Average PDR v/s Clusters
[Plot: average PDR(%) vs. number of clusters; series: packets transmitted = 50 pkt and 100 pkt]
We also observe that the PDR for 100 packets transmission is better than for 50 packets transmission. Figure 5 shows the average PDR plotted against the number of clusters for 50 and 100 packets transmission. We observe that the average PDR decreases with an increase in the number of clusters. This is because the increased packets create a bandwidth bottleneck.
C. Analysis of Malicious node
A malicious node is classified as the attacker node through which the intruder attacks the system. Figure 6 shows the malicious node activity in the communicating network. We observe that the attacker nodes try to implicate the network as the simulation time increases. The results give a clear picture of the increase in attacker nodes over the network communication time. The simulation time is considered in multiples of 20 seconds; the malicious nodes multiply to increase the effect of the network attack and completely annex the network.
Fig. 6. Malicious node v/s Time
[Plot: number of malicious nodes detected vs. time (sec), Tx. power = 2mW; series: 10 nodes scenario and 20 nodes scenario]
D. Analysis of Variations in Transmission power
The transmission power is the security factor considered here as an integrity feature. The results show the variation observed in the transmission power before the attack, during the attack and after the attack is rescued from the network by the reactive approach. The results show the comparison of transmission power with the number of nodes in each cluster. As we can see in Figure 7, the transmission power is extremely low during an attack compared to the normal network status; once the network is successfully rescued, the transmission power slowly approaches the normal network transmission power. It is observed that once the network is re-established after the attack occurrence, the transmission power of each individual node tries to remain at the same level as it was before the attack.
Fig. 7. Variation in transmission power v/s number of nodes
[Plot: power (milliwatt) vs. number of nodes, Tx. power = 2mW; series: before attack, during attack, after attack rescued]
Fig. 8. Packet delay v/s Number of nodes
[Plot: delay (sec) vs. number of nodes; series: Cluster-1, Cluster-1 & Cluster-2]
Fig. 9. Reception power v/s Time
[Plot: received power (microwatt) vs. time (sec); series: attacker signal, Signal 1, Signal 2, Signal 3, Signal 4]
E. Analysis of Packet delay
End-to-end delay versus number of nodes is shown in Figure 8. We see that the delay increases when nodes from multiple clusters are sending data to the sink. The delay for a single cluster (cluster1) is restricted to within 20 seconds, whereas it shoots up to 45 seconds when cluster1 and cluster2 nodes are transmitting packets simultaneously. The delay increases with an increase in the number of nodes.
F. Analysis of Reception rate
Figure 9 shows the signal received at the sink node from each cluster head and the signal from attacker nodes for different simulation times. We observe that the attacker node's signal shows large variation (either too low or too high) compared to the authenticated clusters in the network. Based on this large variation in received signal strength, we are able to identify the attackers, and necessary measures can be taken to disrupt the attacker. For example, the signal from the attacker is shown as 32 microwatt at 30 sec, 15 microwatt at 60 sec, 25 microwatt at 90 sec, 27 microwatt at 120 sec, and 20 microwatt at 150 sec.
G. Analysis of Packet loss
Figures 10 and 11 show the packets lost, in percentage, at the sink node from every node in a cluster for different numbers of packets sent (50 and 100). We observe that the percentage packet loss is lower when fewer packets are sent and higher when more packets are sent.
Fig. 10. Packet loss v/s Number of nodes (Cluster1)
[Plot: packet loss(%) vs. number of nodes (Cluster-1); series: loss for 50 pkt and loss for 100 pkt]
Fig. 11. Packet loss v/s Number of nodes (Cluster2)
[Plot: packet loss(%) vs. number of nodes (Cluster-2); series: loss for 50 pkt and loss for 100 pkt]
IV. CONCLUSION
This scheme employs an effective reactive attack handling mechanism based on prediction of the attack on the sink or the network by the behavioral approach. The network is sporadically monitored to save energy, and this scheme also gives an extra edge to WSN security by comparing the network status during an attack and after the attack. This method also enables a data rescue system in case of an impact of an attack.
ACKNOWLEDGMENT
The authors wish to thank Visvesvaraya Technological University (VTU), Karnataka, INDIA, for funding the part of the project under VTU Research Scheme (Grant No. VTU/Aca./2011-12/A-9/753, Dated: 5 May 2012).
REFERENCES
[1] Mihail Mihaylov, Karl Tuyls and Ann Nowé, Decentralized Learning in Wireless Sensor Networks, Proc. of the Adaptive and Learning Agents Workshop (ALA 2009), Taylor and Tuyls (eds.), May 12, 2009, Budapest, Hungary.
[2] Yusnani Mohd Yussoff, Habibah Hashim, Roszainiza Rosli, Mohd Dani Baba, A Review of Physical Attacks and Trusted Platforms in Wireless Sensor Networks, International Symposium on Robotics and Intelligent Sensors 2012 (IRIS 2012), Proceedings Engineering 41 (2012), pp. 580-587.
[3] Lopez J, Roman R, Alcaraz C., Analysis of security threats, requirements, technologies and standards in wireless sensor networks, On Foundations of Security Analysis and Design, LNCS 5705, Springer, August 2009, pp. 289-338.
[4] Rajeshwar Singh, Singh D.K. and Lalan Kumar, A review on security issues in wireless sensor network, Journal of Information Systems and Communication, Vol. 1, 2010, pp. 01-07.
[5] Chen X, Makki K, Yen K, Pissinou N., Sensor network security: a survey, IEEE Communications Surveys and Tutorials 2009b; 11(2), pp. 52-73.
[6] Law YW, Havinga PJ., How to secure a wireless sensor network, Proceedings of the international conference on intelligent sensors, sensor networks and information processing conference, 2005, pp. 89-95.
[7] Kyriazanos DM, Prasad NR, Patrikakis CZ., A security, privacy and trust architecture for wireless sensor networks, In 50th international symposium ELMAR-2008, Zadar, Croatia, 2008, pp. 523-529.
[8] I. Akyildiz, W. Su, Sankarasubramaniam, and E. Cayirci, A survey on sensor networks, IEEE Communications Magazine, Vol. 40, No. 8, 2002, pp. 102-114.
[9] K. Akkaya and M. Younis, A survey of Routing Protocols in Wireless Sensor Networks, Elsevier Ad Hoc Network Journal, 2005, pp. 325-349.
[10] Han Zhijie, Wang Ruchuang, Intrusion Detection for Wireless Sensor Network Based on Traffic Prediction Model, International Conference on Solid State Devices and Materials Science, Physics Proceedings 25, 2012, pp. 2071-2079.
[11] M. Kodialam, T.V. Lakshman, Detecting network intrusions via sampling: a game theoretic approach, IEEE INFOCOM 2003, Vol. 3, pp. 1880-1889.
[12] A. Agah, S.K. Das, K. Basu, Intrusion detection in sensor networks: a non-cooperative game approach, In 3rd IEEE International Symposium on Network Computing and Applications (IEEE NCA04), Cambridge, 2004, pp. 1-4.
[13] Shun-Sheng Wang, Kuo-Qin Yan, Shu-Ching Wang, Chia-Wei Liu, An Integrated Intrusion Detection System for Cluster-based Wireless Sensor Networks, Expert Systems with Applications, Vol. 38, 2011, pp. 15234-15243.