Evaluation of Detecting Malicious Nodes Using Bayesian Model in Wireless Intrusion Detection

Yuxin Meng¹, Wenjuan Li², and Lam-for Kwok¹

¹ Department of Computer Science, College of Science and Engineering, City University of Hong Kong, Hong Kong, China, [email protected]
² Computer Science Division, Zhaoqing Foreign Language College, Guangdong, China, [email protected]
Abstract. A wireless sensor network (WSN) is vulnerable to a wide range of attacks due to its natural environment and inherently unreliable transmission. To protect its security, intrusion detection systems (IDSs) have been widely deployed in such a wireless environment. In addition, a trust-based mechanism is a promising method for detecting insider attacks (e.g., malicious nodes) in a WSN. In this paper, we thus attempt to develop a trust-based intrusion detection mechanism by means of a Bayesian model and evaluate it in the aspect of detecting malicious nodes in a WSN. This Bayesian model enables a hierarchical wireless sensor network to establish a map of trust values among different sensor nodes. The hierarchical structure can reduce network traffic caused by node-to-node communications. To evaluate the performance of the trust-based mechanism, we analyze the impact of a fixed and a dynamic trust threshold on identifying malicious nodes respectively and further conduct an evaluation in a wireless sensor environment. The experimental results indicate that the Bayesian model is encouraging in detecting malicious sensor nodes, and that the trust threshold in a wireless sensor network is more dynamic than that in a wired network.

Keywords: Intrusion Detection, Network Security, Wireless Sensor Network, Trust Computation, Bayesian Model.
1 Introduction
A wireless sensor network (WSN) is usually composed of a number of small, resource-limited, autonomous sensor nodes (SNs) that transmit data to a main location and provide access points for human interface. Such networks are nowadays widely used in many fields such as agriculture [4], transportation [7] and homeland security [13]. Due to its natural environments (i.e., deployed in a hostile environment) and inherent unreliability of transmission, a WSN is vulnerable to a wide range of attacks (e.g., DoS) [5]. Attackers can exploit rogue access points within an organization or poorly configured hotspots to launch attacks [16]. For example, an attacker can gain access to a wireless user’s data by placing an unauthorized access point. To mitigate the above problems, intrusion detection systems (IDSs) [16] have been widely implemented aiming to protect a WSN. Generally, an IDS can be classified as:
misuse-based IDS and anomaly-based IDS. Misuse-based detection [20] (also called signature-based detection) looks for network attack sequences or events by matching them with its stored signatures³. The detection capability is as good as the available signatures. Anomaly-based detection [12], on the other hand, detects anomalies by comparing current network events with pre-defined normal traffic behavior on the network. In this case, sensor nodes can monitor their deployed network for deviations and produce alerts when anomalies are discovered. However, an IDS suffers from some inherent issues (i.e., generating a lot of false alarms [1, 24]).

³ A signature is a description of a known attack or exploit.

In a wireless environment, due to resource constraints of an SN such as computational power and memory, traditional complex security mechanisms are difficult to implement in a WSN [19]. Specifically, attacks in a WSN can be categorized into outsider attacks and insider attacks. Authentication is used as a defense mechanism against the outsider attacks (e.g., spoofing), while the insider attacks (e.g., malicious nodes) are more difficult to identify [2]. In this paper, we develop a trust-based intrusion detection mechanism by using a Bayesian model to compute trust values for each node in a hierarchical WSN, and this mechanism can then detect malicious nodes by selecting an appropriate trust threshold. The hierarchical structure can be used to reduce network traffic caused by node-to-node communications. The contributions of our work can be summarized as below:

– We develop a trust-based intrusion detection mechanism by means of a Bayesian model to compute trust values and detect malicious nodes in a WSN, which relies on a scalable hierarchical structure including sensor nodes (SNs) and cluster heads (CHs). The SNs can initially record trust information during the node-to-node communication, and a CH collects trust reports from all SNs and calculates comprehensive trust values for all nodes in its effective range (e.g., clusters). Malicious nodes can be identified by selecting an appropriate trust threshold.
– We further conduct a simulation in a WSN to identify an appropriate trust threshold for detecting a malicious node. By computing and analyzing the trust values of 10 clusters, we point out that the trust threshold in a wireless network is more dynamic than that in a wired network.
– In the experiment, we evaluate the performance of the Bayesian model in a WSN with a fixed trust threshold and a dynamic threshold respectively. The results illustrate that this model is encouraging in detecting malicious nodes by selecting an appropriate trust threshold, with an acceptable false positive rate and false negative rate. Additionally, we compare and analyze the current findings with our previous results obtained in a wired network [18], and present possible overhead with respect to our developed trust-based intrusion detection mechanism.

The remaining parts of this paper are organized as follows. In Section 2, we review some related work about trust calculation and trust management in a WSN. We describe the details of calculating trust values using the Bayesian model in Section 3. In Section 4, we conduct a simulation to choose an appropriate (initial) trust threshold. We perform an evaluation and present the experimental results in Section 5. Finally, we conclude our work with future directions in Section 6.
2 Related Work
In computer science, the notion of trust has been extensively studied, which is borrowed from the social science literature attempting to evaluate and predict the behavior of target objects [11]. In a WSN, a lot of trust-based mechanisms regarding trust computation and trust management have been developed [8]. Probst and Kasera [21] presented a distributed approach that established reputation-based trust among sensor nodes to identify malfunctioning, malicious sensor nodes and minimize their impact on applications. Their proposed method could compute statistical trust values and a confidence interval around the trust, based on sensor node behavior. Wang et al. [22] presented a novel intrusion detection mechanism based on the Trust Model (called IDMTM) for mobile Ad hoc networks. To judge whether a node is malicious, they evaluated the trust values using two concepts: Evidence Chain (EC) and Trust Fluctuation (TF). They further indicated that the IDMTM could greatly decrease the false alarm rate by efficiently utilizing the information collected from the local node and the neighboring nodes. Later, Chen et al. [6] proposed an event-based trust framework model for WSNs, which used a watchdog scheme to observe the behavior in different events of these nodes and broadcast their trust ratings. In their work, different events of a sensor node have different trust-rating values, that is, a sensor node could have several trust-rating values stored in its neighbor nodes. Zahariadis et al. [28] proposed a secure routing protocol (ATSR) by adopting the geographical routing principle to cope with the network dimensions, and the ATSR could detect malicious neighbors based on a distributed trust model incorporating both direct and indirect trust information. For trust management, Shaikh et al. [23] proposed a new lightweight Group-based Trust Management Scheme (GTMS) employing clusters for wireless sensor networks. 
The GTMS evaluated the trust of a group of SNs and worked on two topologies: intragroup topology where distributed trust management approach was used and intergroup topology where centralized trust management approach was adopted. Then, Zhang et al. [29] proposed a dynamic trust establishment and management framework for hierarchical wireless sensor networks. Their framework takes into account direct and indirect (group) trust in trust evaluation as well as the energy associated with sensor nodes in service selection. Their approach also considers the dynamic aspect of trust by developing a trust varying function which can be used to give greater weight to the most recently obtained trust values during the trust calculation. In addition, their approach has the capability of considering movement of nodes from one cluster to another. The hierarchical structure (e.g., base station, clusters, sensor nodes) used in our work is very similar to their work. Later, Guo et al. [14] presented a trust management framework to generate trust values by using Grey theory and Fuzzy sets. The total trust value in their work was calculated by using relation factors and weights of neighbor nodes, not just by simply taking an average value. Bao et al. [2] proposed a trust-based IDS scheme by utilizing a hierarchical trust management protocol for clustered wireless sensor networks. They considered a trust metric including both quality of service (QoS) trust and social trust for detecting malicious nodes. They further developed an analytical model based on stochastic Petri nets for performance evaluation and a statistical method for calculating the false alarm probability. Their experimental results showed that an optimal trust
threshold for minimizing false positives and false negatives existed, and that this optimal trust threshold could differ based on the anticipated WSN lifetime. Their extended work [3] showed that their trust-based IDS algorithm outperformed traditional anomaly-based IDS techniques (e.g., weighted summation-based IDS and fixed width data clustering-based IDS) in the detection probability while maintaining sufficiently low false positives (i.e., less than 5%). Several other works on trust management protocols can be found in [9], [10], [17] and [25].

Different from the above articles, in this work, we mainly attempt to compute trust values of sensor nodes by means of a Bayesian model and further develop a trust-based intrusion detection mechanism in a hierarchical WSN. This mechanism can compute trust values for each node and detect malicious nodes by means of a trust threshold. To the best of our knowledge, the Bayesian model used in our work has not been explored in a WSN. Based on the results in our previous work [18], we additionally compare the effect of this Bayesian model with its applications in a wired network.
3 Our Proposed Method
In this section, we introduce the architecture of hierarchical (clustered) wireless sensor networks, describe the calculation of trust values using Bayesian model for sensor nodes and present our developed trust-based intrusion detection mechanism.

3.1 Hierarchical Wireless Sensor Network
A hierarchical (clustered) WSN is usually composed of multiple clusters, in which each cluster contains a cluster head (CH) and a number of sensor nodes (SNs). In this network, a cluster head is assumed to have more computational power and energy resources than a sensor node. We present the typical architecture of a hierarchical WSN in Fig. 1. In this model, a WSN consists of a base station, several cluster heads and a number of clusters (e.g., Cluster 1, Cluster 2,..., Cluster N) grouped by multiple sensor nodes. The cluster head in each cluster can be selected by using election protocols [27]. The clusters can be grouped based on various criteria [29] such as location and communication range or using several cluster algorithms [15]. Generally, a sensor node forwards its data (or information) to its corresponding cluster head and the cluster head then forwards the data to the base station. The basic assumptions for a clustered WSN are described as below:

– All sensor nodes and cluster heads are stationary, and the physical location and communication range of all nodes in the hierarchical WSN are known.
– All the sensor nodes and cluster heads have unique identities and all SNs are organized into clusters.
– The base station is a central control authority and virtually has no resource constraints. In addition, the base station is fully trusted by all nodes.
– Cluster heads have more computational power and more memory compared to other sensor nodes in the WSN.
– The base station communicates with the cluster head and each cluster head manages all the sensor nodes in its own group.
[Figure 1: diagram of a base station, cluster heads (CH) and sensor nodes (SN) grouped into Cluster 1 … Cluster N]
Fig. 1. The typical architecture of hierarchical wireless sensor network.
In this work, our mechanism implements a misuse-based IDS in each node and calculates their trust values by means of Bayesian model. With the rapid development of computer networks, we further assume that all sensor nodes can be deployed with a misuse-based IDS (i.e., constructing a wireless misuse-based detection sensor) and have the basic capability of launching the process of signature matching.

3.2 Bayesian Model
In statistics, the Bayesian model (also called Bayesian inference) is a method of inference in which Bayes’ rule is used to update the probability estimate for a hypothesis as additional evidence becomes available [26]. The objective of using the Bayesian model in our work is to calculate the trust values for sensor nodes (and cluster heads) in a clustered WSN. This model is based on a major assumption described as follows:

– Assumption. We assume that all packets sent from a node are independent from each other. That is, if one packet is found to be a malicious packet, the probability of the following packet being a malicious packet is still 1/2. This probability assumption indicates that the attacks can appear in various forms, either in one packet or in a number of packets.

To derive the calculation of trust values, we assume that N packets are sent from a node, of which k packets are proven to be normal. Next, we provide some terms as described in our previous work [18].

$P(n_i : \text{normal}) = p$ (the probability that the i-th packet is normal)
$V_i$ (means that the i-th packet is normal)
$n(N)$ (the number of normal packets)

In terms of the analysis in [11, 26] and the above assumption, we can assume that the distribution of observing n(N) = k is governed by a Binomial distribution⁴, which can be described as below.

$$P(n(N) = k \mid p) = \binom{N}{k} p^{k} (1 - p)^{N-k} \tag{1}$$

In this case, our final objective is to estimate the probability $P(V_{N+1} = 1 \mid n(N) = k)$ (determining whether packet N + 1 is normal or not). We can use the approach of Bayesian inference to calculate this probability. Based on the Bayesian theorem, we have the following probability distribution.

$$P(V_{N+1} = 1 \mid n(N) = k) = \frac{P(V_{N+1} = 1,\, n(N) = k)}{P(n(N) = k)} \tag{2}$$

For the above equation, we apply the marginal probability distribution⁵ and then have two equations:

$$P(n(N) = k) = \int_0^1 P(n(N) = k \mid p)\, f(p)\, dp \tag{3}$$

$$P(V_{N+1} = 1,\, n(N) = k) = \int_0^1 P(n(N) = k \mid p)\, f(p)\, p\, dp \tag{4}$$

There is no prior information about p, so we assume that p is determined by a uniform prior distribution f(p) = 1 where p ∈ [0, 1]. Therefore, using equations (1), (2), (3) and (4), we have the following equation:

$$P(V_{N+1} = 1 \mid n(N) = k) = \frac{\int_0^1 P(n(N) = k \mid p)\, f(p)\, p\, dp}{\int_0^1 P(n(N) = k \mid p)\, f(p)\, dp} = \frac{k+1}{N+2} \tag{5}$$
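The step from the two integrals to the closed form in equation (5) is a Beta-function identity. It is written out here as an added derivation, not part of the original paper, using the uniform prior f(p) = 1 and B(·,·) for the Beta function:

$$\int_0^1 \binom{N}{k} p^{k}(1-p)^{N-k}\, dp = \binom{N}{k} B(k+1,\, N-k+1) = \binom{N}{k} \frac{k!\,(N-k)!}{(N+1)!}$$

$$\int_0^1 \binom{N}{k} p^{k+1}(1-p)^{N-k}\, dp = \binom{N}{k} B(k+2,\, N-k+1) = \binom{N}{k} \frac{(k+1)!\,(N-k)!}{(N+2)!}$$

$$\frac{(k+1)!\,(N-k)!\,/\,(N+2)!}{k!\,(N-k)!\,/\,(N+1)!} = \frac{k+1}{N+2}$$

With no observations (N = k = 0) the estimate is 1/2, and it approaches k/N as the number of observed packets grows.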
Therefore, trust values (denoted $t_{value}$) can be calculated based on equation (5) for all nodes in a WSN (i.e., obtaining the number of normal packets k and the total number of packets N). In terms of the trust values calculated for each node (i.e., constructing a map of trust values), a potential malicious node can be identified by giving an appropriate trust threshold. Note that a node can be regarded as a malicious node by only sending one malicious packet, but our approach has the capability of evaluating the trust of a node based on its long-term performance.

⁴ The Binomial distribution is the discrete probability distribution that represents the number of successes in a sequence of n independent trials, each of which succeeds with the same probability p.
⁵ The marginal distribution of a subset of random variables is the probability distribution of the variables contained in the subset.
3.3 Trust-based Intrusion Detection Mechanism
As described above, trust values can be calculated based on equation (5). To obtain the trust value for a certain node, we therefore should record the total number of its sent packets and the number of normal packets. In the current mechanism, we use a misuse-based IDS (e.g., Snort) to identify malicious packets (i.e., the number of malicious packets is m) so that the number of normal packets can be computed as k = N − m. By the nature of misuse-based detection, malicious packets are detected by means of signature matching between incoming payloads and stored IDS signatures.

Maliciousness. Based on equation (5), we can determine a malicious node by using a trust threshold. If we set the trust threshold to T ∈ [a, b] (the selection of the threshold will be discussed later), then we can judge a malicious node as follows:

– If $t_{value}$ ∈ T, then the corresponding node is regarded as a normal node.
– If $t_{value}$ is not in T, then the corresponding node is regarded as a malicious (or untrusted) node.

Trust Value of a Node. In a hierarchical WSN, each sensor could have two main functions: sensing and relaying. Sensors collect and gather data and then transmit the collected information to the cluster head directly in one hop or by relaying via a multi-hop path. Sensors transmit or relay data only via short-haul radio communication. It is also assumed that each cluster head (CH) has the capability of reaching and controlling all the sensor nodes in its cluster. Each cluster head can receive the data from different sensor nodes, and it then processes, extracts and sends the data to the base station.⁶
[Figure 2: diagram of a base station, cluster heads (CH) and sensor nodes (SN) in Cluster 1 … Cluster N, with "Require data" and "Send data" exchanges around a target node]
Fig. 2. Trust calculation in a hierarchical wireless sensor network.
In Fig. 2, we give an example of calculating trust values for a target node in a hierarchical WSN. Each sensor node will deploy a misuse-based IDS to examine incoming packets. The calculation of a node’s trust values is based on a time window t. The time window usually consists of several time units. The sensor nodes in a cluster record the information (e.g., the number of sent packets, the number of malicious packets) about other nodes in each time unit and then send the information to their cluster head. After several time units elapse, the time window slides to the right (e.g., one time unit), and the sensor nodes can drop the data collected during the earliest unit to reduce storage consumption. The cluster head receives the data and then calculates the trust values for the target node during a selected time period, as shown in Fig. 2, based on equation (5). Later, the cluster head sends data to the base station.

⁶ In this structure, the trust of a cluster head (CH) can be evaluated by the base station.

Specifically, the cluster head will periodically request the trust state for a target node and thus can establish a map of trust values. In response, all sensor nodes in the cluster forward the recorded information to the cluster head. Suppose there are n sensor nodes; the cluster head can then establish a map of trust values as follows:

$$T_{map} = [t_{value,i}] \quad (i = 1, 2, \ldots, n)$$

where $T_{map}$ represents the matrix (or map) of trust values in the cluster, and $t_{value,i}$ represents the trust value for sensor node i. If a trust threshold is given, then the cluster head can quickly identify malicious nodes based on the matrix. In the mechanism, bad behavior of a node (i.e., sending malicious packets) can reduce its trust value greatly. For a sensor node, its trust value can be computed by its cluster head, while for a cluster head, its trust value can be computed by the base station.
4 Trust Threshold
To efficiently detect a malicious node using the Bayesian model, a trust threshold should be identified in advance. According to equation (5), if k becomes bigger, then $t_{value}$ becomes larger. Because k (the number of normal packets) is always smaller than N (the total number of incoming packets), $t_{value}$ lies in the interval [0,1]. In this case, the best scenario for $t_{value}$ is a value infinitely close to 1, which means that a node is more credible because it sends mostly normal packets. On the other hand, if $t_{value}$ declines, it means that malicious packets are detected for that node during the node-to-node communications. We define a as the lower limit of the threshold; thus, the trust threshold can be initially presented as [a,1].

In order to determine the lower limit a, we simulate a clustered WSN with the purpose of identifying an appropriate trust threshold. The simulated WSN consists of 100 sensor nodes (SNs) and 10 cluster heads (CHs) uniformly distributed in a 110m×110m area. The duration of a time unit for calculating the trust values is initially set to 10 minutes. To evaluate the trust threshold, we performed the experiment for a day by randomly selecting 5 clusters. The average trust values for each cluster are presented in Fig. 3. The average trust values are calculated by using the trust values of all sensor nodes in a cluster within an hour⁷. In the figure, it is visible that each cluster has a different range of trust values. Take Cluster 1 as an example: its trust values range from 0.856 to 0.937, whereas for Cluster 2, the trust values range from 0.742 to 0.912.

⁷ In this simulation, we consider an hour to be an appropriate time unit for our mechanism to collect trust information, whereas the time duration can be configured based on real settings.
[Figure 3: trust value (y-axis) versus time in hours (x-axis) for Cluster 1 to Cluster 5]
Fig. 3. The average trust values for 5 clusters in the simulated WSN.
For Cluster 3, Cluster 4 and Cluster 5, the corresponding trust values range from 0.785 to 0.904, from 0.765 to 0.931, and from 0.731 to 0.893 respectively. As shown in Fig. 3, the trust values are very dynamic in different clusters. For the other 5 remaining clusters, we conduct the same simulation and find that their trust values mainly range from 0.724 to 0.916. In [18], we evaluated the trust values calculated by means of the Bayesian model in a wired network and found that the corresponding trust values range from 0.75 to 0.92. In this scenario, the results show that the trust values in a wireless sensor network are more dynamic than in a wired network. Based on the simulation results, we set the lower limit a to 0.72 so that the (initial) trust threshold for the simulated WSN is [0.72,1]. If the trust value of a node is below this threshold, then this node can be regarded as a malicious node. Note that the lower limit a may vary across network deployments (i.e., the characteristics of traffic may be distinct). In this work, we can only say that a = 0.72 is an appropriate value for our simulated WSN. Whether it is suitable for other WSNs needs to be verified in our future experiments.
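The cluster-head procedure of Section 3.3 with the initial threshold [0.72, 1] can be sketched as follows. This is an added example, not code from the paper: the class and function names, the summing of counts from several reporters, and the sample reports are assumptions made for illustration.

```python
from collections import defaultdict, deque


def trust_value(total, malicious):
    """Equation (5): t = (k + 1) / (N + 2), where k = N - m packets were normal."""
    if total < 0 or not 0 <= malicious <= total:
        raise ValueError("need 0 <= malicious <= total")
    return (total - malicious + 1) / (total + 2)


class ClusterHead:
    """Cluster-head side of the mechanism: windowed counts -> trust map -> verdict."""

    def __init__(self, window_units, lower_limit=0.72):
        self.lower_limit = lower_limit  # a in the threshold [a, 1]
        # maxlen makes the window slide: appending a unit drops the earliest one.
        self.window = deque(maxlen=window_units)

    def close_time_unit(self, reports):
        """Store one time unit of (reporter, target, sent, malicious) reports."""
        unit = defaultdict(lambda: [0, 0])
        for reporter, target, sent, malicious in reports:
            if reporter == target:
                continue  # assumption: a node's report about itself is ignored
            if sent < 0 or not 0 <= malicious <= sent:
                raise ValueError(f"inconsistent report {reporter}->{target}")
            # Assumption: counts from different reporters are simply summed.
            unit[target][0] += sent
            unit[target][1] += malicious
        self.window.append(dict(unit))

    def trust_map(self):
        """T_map: trust value per target over every unit still in the window."""
        totals = defaultdict(lambda: [0, 0])
        for unit in self.window:
            for target, (sent, malicious) in unit.items():
                totals[target][0] += sent
                totals[target][1] += malicious
        return {t: trust_value(n, m) for t, (n, m) in totals.items()}

    def untrusted(self):
        """Nodes whose trust value falls outside [lower_limit, 1]."""
        return sorted(t for t, v in self.trust_map().items() if v < self.lower_limit)


# Constructed sample input: three time units of reports in one small cluster.
# sn3 sends only normal packets in unit 1; afterwards 60% of its packets
# match IDS signatures.
CONSTRUCTED_UNITS = [
    [("sn1", "sn3", 40, 0), ("sn2", "sn3", 20, 0),
     ("sn1", "sn2", 30, 0), ("sn3", "sn1", 25, 1)],
    [("sn1", "sn3", 30, 18), ("sn2", "sn3", 10, 6),
     ("sn3", "sn2", 20, 0), ("sn2", "sn1", 25, 0)],
    [("sn1", "sn3", 20, 12), ("sn2", "sn1", 30, 0), ("sn3", "sn2", 10, 0)],
]


def run_demo(window_units=2):
    """Return the list of untrusted nodes after each time unit closes."""
    head = ClusterHead(window_units)
    verdicts = []
    for reports in CONSTRUCTED_UNITS:
        head.close_time_unit(reports)
        verdicts.append(head.untrusted())
    return verdicts


if __name__ == "__main__":
    for unit_no, verdict in enumerate(run_demo(), start=1):
        print(f"after unit {unit_no}: untrusted = {verdict}")
```

With a two-unit window the clean history from unit 1 keeps sn3 at 77/102 ≈ 0.755 after unit 2, so it is flagged only once unit 1 slides out; a one-unit window flags it a unit earlier. Under equation (5) a node with a single observed packet scores at most 2/3, so the lower limit 0.72 flags it until two normal packets have been seen.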
5 Evaluation
In this section, we evaluate the performance of our proposed trust-based intrusion detection mechanism on the simulated WSN. In particular, we mainly conducted two experiments by using a fixed and a dynamic trust threshold respectively:

– Experiment1. This experiment evaluated the performance of our proposed method by using a fixed trust threshold of [0.72,1]. During the experiment, we launched some wireless attacks and malicious packets by means of testing tools⁸ (i.e., flooding the WSN with deauthentication packets, WVE-2005-0045).

⁸ http://code.google.com/p/wireless-intrusion-detection-systemtesting-tool/.
[Figure 4: false positive and false negative curves versus time (h), panels (a) and (b)]
Fig. 4. The false positive rates and the false negative rates for (a) the Experiment1 and (b) the Experiment2.
– Experiment2. This experiment evaluated the performance of our proposed method by implementing a dynamic trust threshold, which would be updated in every time unit. The dynamic trust threshold for each cluster is an average trust value computed by all nodes in that cluster during the latest time unit.

As both are deployed in the same WSN, we attempt to compare the performance of the fixed trust threshold and the dynamic trust threshold.

5.1 Experiment1
In this experiment, a fixed trust threshold of [0.72,1] is used. The sensor nodes may randomly send malicious packets by using the wireless IDS testing tools. Therefore, a sensor node in a cluster may become a malicious node by sending a number of malicious packets. The experiment was conducted for 2 days. The false positive rates and the false negative rates are described in Fig. 4 (a). In the figure, the false positive rates range from 0.31 to 0.68 while the false negative rates range from 0.11 to 0.28. The results show that the false alarm rate fluctuates strongly and is a bit high with the fixed trust threshold. The main reason is that the traffic in a WSN is very dynamic whereas the fixed trust threshold cannot reflect the traffic changes in the WSN.

5.2 Experiment2
In this experiment, we used a dynamic trust threshold for each cluster. The dynamic trust threshold is an average trust value computed by all nodes in its cluster during the latest time unit. Through analyzing the same WSN data, the false positive rates and the false negative rates are described in Fig. 4 (b). In the figure, it is visible that the false positive rates and the false negative rates are greatly reduced. The false positive rate stays between 0.2 and 0.3, excluding the first several hours. The range for the false negative rate is from 0.05 to 0.15. These experimental results indicate that the use of dynamic trust thresholds can significantly reduce the false alarm rate and keep the rate at a relatively stable level. The reason is that the dynamic trust threshold can vary with the latest traffic changes in a cluster and can more accurately reflect the current network traffic. In Fig. 5, we illustrate an example of computing dynamic trust thresholds for cluster 1 and cluster 2 during the experiment. It is easily visible that the trust thresholds for these two clusters vary. For cluster 1, the trust threshold ranges from 0.705 to 0.812, while for cluster 2, the trust threshold ranges from 0.713 to 0.82. This situation is similar for other clusters.

[Figure 5: trust threshold (y-axis) versus time in hours (x-axis) for Cluster 1 and Cluster 2]
Fig. 5. The trust threshold for cluster 1 and cluster 2 in the Experiment2.

5.3 Discussion
The above experimental results indicate that, by employing the mechanism of computing the trust threshold in an adaptive way, the false positive rates and false negative rates for detecting malicious nodes can be greatly reduced and maintained at a stable level. However, as compared to our previous results obtained in a wired network environment [18] (where the false positive rate is about 0.084 and the false negative rate is about 0.068), the false alarm rate achieved in this work is still a bit higher. This comparison reflects that the traffic in a wireless network is more dynamic than that in a wired network. In other words, it is more difficult to model the traffic by means of the Bayesian model in a wireless sensor network than in a wired network environment.
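The comparison between the fixed and the dynamic threshold can be replayed on a small scale as below. This is an added example, not the paper's evaluation code: it assumes that the dynamic lower limit applied in a time unit is the cluster average of the previous unit (0.72 before any unit has completed), that the false positive rate is taken over benign nodes and the false negative rate over malicious nodes, and the per-node counts and ground truth are constructed.

```python
from statistics import mean

INITIAL_LOWER_LIMIT = 0.72  # the initial threshold [0.72, 1] from Section 4


def trust_value(total, malicious):
    """Equation (5) with k = total - malicious normal packets."""
    return (total - malicious + 1) / (total + 2)


def flag(trust, lower_limit):
    """Nodes whose trust value lies below the lower limit a of [a, 1]."""
    return {node for node, value in trust.items() if value < lower_limit}


def error_rates(flagged, malicious, nodes):
    """(false positive rate, false negative rate); a rate with no cases is 0."""
    benign = nodes - malicious
    fp = len(flagged & benign) / len(benign) if benign else 0.0
    fn = len(malicious - flagged) / len(malicious) if malicious else 0.0
    return fp, fn


def evaluate(units, truth):
    """Replay per-unit counts under the fixed and the dynamic threshold."""
    fixed, dynamic = [], []
    lower_limit = INITIAL_LOWER_LIMIT  # used until one unit has completed
    for counts, malicious in zip(units, truth):
        trust = {node: trust_value(n, m) for node, (n, m) in counts.items()}
        nodes = set(trust)
        fixed.append(error_rates(flag(trust, INITIAL_LOWER_LIMIT), malicious, nodes))
        dynamic.append(error_rates(flag(trust, lower_limit), malicious, nodes))
        # Dynamic threshold: cluster average over the unit that just ended.
        lower_limit = mean(trust.values())
    return fixed, dynamic


# Constructed data for one cluster of five nodes: {node: (N, m)} per time unit.
# N = 98 everywhere, so each trust value is simply (99 - m) / 100.
CONSTRUCTED_UNITS = [
    {"n1": (98, 5), "n2": (98, 8), "n3": (98, 10), "n4": (98, 12), "n5": (98, 15)},
    {"n1": (98, 5), "n2": (98, 8), "n3": (98, 9), "n4": (98, 9), "n5": (98, 25)},
    {"n1": (98, 5), "n2": (98, 8), "n3": (98, 9), "n4": (98, 13), "n5": (98, 30)},
]
# Constructed ground truth: n5 is malicious from the second unit on.
CONSTRUCTED_TRUTH = [set(), {"n5"}, {"n5"}]


if __name__ == "__main__":
    fixed, dynamic = evaluate(CONSTRUCTED_UNITS, CONSTRUCTED_TRUTH)
    for unit_no, (f, d) in enumerate(zip(fixed, dynamic), start=1):
        print(f"unit {unit_no}: fixed (FP, FN) = {f}, dynamic (FP, FN) = {d}")
```

In this constructed run the dynamic limit (0.89) catches n5 at trust 0.74 one unit before the fixed limit does, and in the following unit it also flags the benign but noisy n4, because every node below the cluster average is treated as untrusted.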
To enhance the detection performance of our proposed trust-based intrusion detection mechanism, several additional measures (e.g., energy consumption, cooperativeness) could be used to compute a weighted trust value. During the experiments, we also find that the implementation of a misuse-based IDS brings less burden on a sensor node since all nodes can perform the process of signature matching well. Next, we briefly analyze possible overhead with respect to our developed mechanism.

Communication Overhead. We assume the worst-case scenario: every sensor node wants to communicate with every other node in the cluster and every cluster wants to communicate with the other clusters in the WSN. If there are N_ct clusters and the average size of a cluster is S, then the maximum communication overhead within a cluster is 2S(S − 1)(S − 2) (since a node sends S − 2 and receives S − 2 packets by communicating with other S − 1 nodes), while the maximum communication overhead between clusters is 2N_ct(N_ct − 1) (i.e., a cluster should send a request to the base station when it communicates with another cluster). Thus, the maximum communication overhead in the WSN is: N_ct[2S(S − 1)(S − 2)] + 2N_ct(N_ct − 1).

Storage Overhead. Each sensor node needs to store a 2 ∗ (S − 1) matrix to record the information (i.e., the number of malicious packets and the total number of packets) of other nodes. The cluster head needs to store a (S − 1) ∗ (S − 1) matrix (i.e., recording information sent from other nodes) and a 1 ∗ (S − 1) matrix.

Computation Overhead. In the current mechanism, the trust calculation is conducted in the cluster head. To compute the trust values, the cluster head begins by establishing a (S − 1) ∗ (S − 1) matrix to record collected information sent from sensor nodes, and then computes one 1 ∗ (S − 1) matrix of trust values.

Note that in this work, our goal is to compute and evaluate the trust values of WSN nodes by using the Bayesian model. A detailed comparison of our proposed mechanism with other existing solutions in the aspect of CPU cycle, memory consumption and communication overhead will be investigated in our future work.
6 Conclusion and Future Work
In this paper, we proposed a trust-based intrusion detection mechanism by means of a Bayesian model to detect malicious nodes in a hierarchical wireless sensor network. The Bayesian model enables a hierarchical wireless sensor network to establish a map of trust values among different sensor nodes. In particular, the sensor nodes collect and send data about other nodes to their corresponding cluster head. The cluster head can calculate the trust values for all nodes in its cluster, and the base station can calculate the trust values for all cluster heads. We then evaluated the trust mechanism in a simulated WSN and identified an initial trust threshold that can be used at the beginning of detecting malicious nodes. In the evaluation, we conducted two experiments to explore the effect of a fixed trust threshold and a dynamic trust threshold. The experimental results show that dynamically computing trust thresholds can greatly reduce both the false positive rates and the false negative rates, and maintain the false alarm rate at a lower and more stable level. We also find that the traffic in a wireless sensor network is more dynamic than that in a wired network by comparing our current results with our previous work in a wired network environment.
Our work is at an early stage and there are many possible topics for our future work. One is to implement our approach in a larger wireless sensor network and validate the results obtained in this work. Future work could also include exploring how to effectively identify a trust threshold, and applying other measures (e.g., energy consumption) in calculating a weighted trust threshold. In addition, future work could include investigating the impact of the number of clusters and the time unit on the calculation of trust values, and conducting a comparative performance analysis of existing trust-based IDS mechanisms.
References
1. Axelsson, S.: The Base-rate Fallacy and The Difficulty of Intrusion Detection. ACM Transactions on Information and System Security 3(3), 186–205 (August 2000)
2. Bao, F., Chen, I.-R., Chang, M., Cho, J.-H.: Trust-Based Intrusion Detection in Wireless Sensor Networks. In: Proceedings of the 2011 IEEE International Conference on Communications (ICC), pp. 1–6 (2011)
3. Bao, F., Chen, I.-R., Chang, M., Cho, J.-H.: Hierarchical Trust Management for Wireless Sensor Networks and its Applications to Trust-Based Routing and Intrusion Detection. IEEE Transactions on Network and Service Management 9(2), 169–183 (2012)
4. Beckwith, R., Teibel, D., Bowen, P.: Report from the Field: Results from an Agricultural Wireless Sensor Network. In: Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks, pp. 471–478 (2004)
5. Chen, X., Makki, K., Yen, K., Pissinou, N.: Sensor Network Security: A Survey. IEEE Communication Surveys & Tutorials 11(2), 52–73 (2009)
6. Chen, H., Wu, H., Hu, J., Gao, C.: Event-based Trust Framework Model in Wireless Sensor Networks. In: Proceedings of the 2008 International Conference on Networking, Architecture, and Storage (NAS), pp. 359–364 (2008)
7. Cheung, S.-Y., Varaiya, P.: Traffic Surveillance by Wireless Sensor Networks: Final Report. California PATH Research Report, UCB-ITS-PRR-2007-4. Institute of Transportation Studies, University of California, Berkeley (2007) http://www.its.berkeley.edu/publications/UCB/2007/PRR/UCB-ITS-PRR-2007-4.pdf
8. Cho, J.-H., Swami, A., Chen, I.-R.: A Survey on Trust Management for Mobile Ad Hoc Networks. IEEE Communications Surveys & Tutorials 13(4), 562–583 (2011)
9. Daabaj, K., Dixon, M., Koziniec, T., Lee, K.: Trusted Routing for Resource-Constrained Wireless Sensor Networks. In: Proceedings of the 2010 IEEE/IFIP International Conference on Embedded and Ubiquitous Computing (EUC), pp. 666–671 (2010)
10. Ganeriwal, S., Balzano, L.K., Srivastava, M.B.: Reputation-based Framework for High Integrity Sensor Networks. ACM Transitions on Sensor Network 4(3), 1–37 (May 2008)
11. Gonzalez, J.M., Anwar, M., Joshi, J.B.D.: A Trust-based Approach against IP-Spoofing Attacks. In: Proceedings of the 9th International Conference on Privacy, Security and Trust (PST 2011), pp. 63–70 (2011)
12. Ghosh, A.K., Wanken, J., Charron, F.: Detecting Anomalous and Unknown Intrusions Against Programs. In: Proceedings of the 1998 Annual Computer Security Applications Conference (ACSAC), pp. 259–267 (1998)
13. Grilo, A., Piotrowski, K., Langendoerfer, P., Casaca, A.: A Wireless Sensor Network Architecture for Homeland Security Application. In: Proceedings of the 8th International Conference on Ad-Hoc, Mobile and Wireless Networks (ADHOC-NOW), pp. 397–402 (2009)
14. Guo, J., Marshall, A., Zhou, B.: A New Trust Management Framework for Detecting Malicious and Selfish Behaviour for Mobile Ad Hoc Networks. In: Proceedings of the 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 142–149 (2011)
15. Gupta, G., Younis, M.: Performance Evaluation of Load-Balanced Clustering of Wireless Sensor Networks. In: Proceedings of the 10th International Conference on Telecommunications (ICT), pp. 1577–1583 (2003)
16. Hutchison, K.: Wireless Intrusion Detection Systems. SANS GSEC Whitepaper, pp. 1–18 (2005) http://www.sans.org/reading_room/whitepapers/wireless/wireless-intrusion-detection-systems_1543
17. Liu, K., Abu-Ghazaleh, N., Kang, K.-D.: Location Verification and Trust Management for Resilient Geographic Routing. Journal of Parallel and Distributed Computing 67(2), 215–228 (2007)
18. Meng, Y., Kwok, L.F., Li, W.: Towards Designing Packet Filter with A Trust-based Approach using Bayesian Inference in Network Intrusion Detection. In: Proceedings of the 8th International Conference on Security and Privacy in Communication Networks (SECURECOMM), Lecture Notes in ICST, Springer, pp. 203–221 (2012)
19. Mishra, A., Nadkarni, K., Patcha, A.: Intrusion Detection in Wireless Ad-Hoc Networks. IEEE Wireless Communications 11(1), 48–60 (2004)
20. Porras, P.A., Kemmerer, R.A.: Penetration State Transition Analysis: A Rule-based Intrusion Detection Approach. In: Proceedings of the 8th Annual Computer Security Applications Conference (ACSAC), pp. 220–229 (1992)
21. Probst, M.J., Kasera, S.K.: Statistical Trust Establishment in Wireless Sensor Networks. In: Proceedings of the 2007 International Conference on Parallel and Distributed Systems (ICPADS), pp. 1–8 (2007)
22. Wang, F., Huang, C., Zhang, J., Rong, C.: IDMTM: A Novel Intrusion Detection Mechanism based on Trust Model for Ad-Hoc Networks. In: Proceedings of the 22nd IEEE International Conference on Advanced Information Networking and Applications (AINA), pp. 978–984 (2008)
23. Shaikh, R.A., Jameel, H., d’Auriol, B.J., Lee, H., Lee, S., Song, Y.J.: Group-based Trust Management Scheme for Clustered Wireless Sensor Networks. IEEE Transactions on Parallel and Distributed Systems 20(11), 1698–1712 (2009)
24. Sommer, R., Paxson, V.: Outside the Closed World: On Using Machine Learning for Network Intrusion Detection. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, pp. 305–316 (2010)
25. Sun, Y., Luo, H., Das, S.K.: A Trust-Based Framework for Fault-Tolerant Data Aggregation in Wireless Multimedia Sensor Networks. IEEE Transactions on Dependable and Secure Computing 9(6), 785–797 (2012)
26. Sun, Y., Yu, W., Han, Z., Liu, K.: Information Theoretic Framework of Trust Modeling and Evaluation for Ad Hoc Networks. IEEE Journal on Selected Areas in Communications 24(2), 305–317 (2006)
27. Younis, O., Fahmy, S.: HEED: A Hybrid Energy Efficient, Distributed Clustering Approach for Ad Hoc Sensor Network. IEEE Transaction on Mobile Computing 3(3), 366–379 (2004)
28. Zahariadis, T., Trakadas, P., Leligou, H.C., Maniatis, S., Karkazis, P.: A Novel Trust-Aware Geographical Routing Scheme for Wireless Sensor Networks. Wireless Personal Communications, 1–22 (2012)
29. Zhang, J., Shankaran, R., Orgun, M.A., Varadharajan, V., Sattar, A.: A Dynamic Trust Establishment and Management Framework for Wireless Sensor Networks. In: Proceedings of the 2010 IEEE/IFIP International Conference on Embedded and Ubiquitous Computing (EUC), pp. 484–491 (2010)