Intrusion Detection System in Wireless Sensor Network Based on Mobile Agent

Yousef EL Mourabit*, Ahmed Toumanari, Anouar Bouirden, Hicham Zougagh, Rachid Latif

Laboratory ESSI, ENSA Agadir, Ibn Zohr University AGADIR, MOROCCO

Abstract- A wireless sensor network is a network of simple sensing devices that are capable of communicating with other devices and of sensing changes in incidents or parameters. However, a wireless sensor network is easy to attack because of its features, so protecting networks against intrusions or attacks is one of the principal issues in the network and information security domains. For Wireless Sensor Networks (WSNs), given their special properties, this problem has even more importance. This work describes a new Intrusion Detection System architecture that uses a multi-agent system and a classification algorithm to detect intrusions. We use the Weka tool to implement the intrusion detection algorithms and to measure the classification rate.

Keywords- Intrusion Detection System; Multi-Agent System; Wireless Sensor Network; Mobile Agent.

I. INTRODUCTION

The development of wireless sensor networks (WSNs) offers promise for monitoring, building monitoring, and critical infrastructure; they have been proposed for applications such as traffic monitoring, health care and battlefield surveillance [1]. In any application using critical infrastructure, there is a risk of malicious attacks on this infrastructure; such attacks can be used for a terrorist act or for financial gain. Security is a vital requirement in these networks, and it must be established according to their constraints in order to address the weaknesses and vulnerabilities of these networks. In this paper, we investigate how to incorporate intrusion detection into wireless sensor networks, and present a new approach based on mobile agents to detect intrusions in WSNs.

A key attraction of sensor networks is their ease of installation and operation. However, security is one of the key challenges to creating a robust and reliable sensor network [2]. Security faces additional challenges due to complexities such as unreliable node operation, unpredictable node movement and a wireless access medium. These challenges create a very important potential to exploit weaknesses in the WSN. Consequently, Intrusion Detection Systems (IDSs) are required to detect both known security exploits and novel attacks or intrusions that have yet to be experienced. Intrusion detection is the problem of identifying misuse of networks and terminals [3]. Most IDSs apply signature-based techniques. In general, signature-based techniques test for features of known network attacks. Consequently, the question is how to learn these features for known attacks, and how to detect new attacks. This has motivated research into learning algorithms and techniques.

Nowadays, the modern agent is a research field of vitality and influence. An agent may be regarded as an entity that exists in some environment, can sense the environment and receive information about it, and then reacts to that information, thereby acting on the environment. An agent can be software, or hardware controlled by software [4]. A multi-agent system is concerned with coordinating the behavior of a set of autonomous or semi-autonomous agents; in a multi-agent system, agents coordinate with each other their knowledge, objectives and strategic planning for solving their own problems or taking joint action.

The intelligent and mobile characteristics of the agent, and the solution to the false positive rate of traditional intrusion detection systems, are the principal reasons to propose a new IDS based on mobile agents for wireless sensor networks.

II. SURVEY OF WIRELESS SENSOR NETWORKS SECURITY AND MOBILE AGENT

A. Wireless Sensor Network Security

A wireless sensor network is a distributed autonomous system consisting of many small devices, called sensor nodes, that monitor different environments. They can operate autonomously, and they cooperate with each other and combine their local data to reach a global view of the operational environment. This collection of sensor nodes is densely deployed through the environmental phenomenon, which has simply sensing and communicating analysis by properties.

Among the most important features of a sensor network, we cite:

Limited life cycle: The sensor nodes are very limited by the energy constraint, and they usually run unattended in geographically remote areas. Recharging or replacing their batteries therefore becomes almost impossible [12].

Limited Resources: Sensor nodes usually have a very small size, and the form factor limits the amount of resources that can be placed in these nodes. Accordingly, processing capacity and memory are limited [12].

978-1-4799-4647-1/14/$31.00 ©2014 IEEE

Dynamic Topology: The topology of sensor networks changes frequently and quickly. Because the sensor nodes can be deployed in hostile environments (e.g. a battlefield), the failure of a sensor node can be very likely. Furthermore, the sensor nodes and the end points to which they should send the captured information can be mobile [12].

Data Aggregation: In sensor networks, the data produced by sensor nodes are connected, which implies the existence of redundant data. A common approach is to aggregate data at the intermediate nodes to reduce power consumption during transmission of these data [12].

Scalability: Sensor networks comprise a very large number of sensors; they can reach thousands or even millions of sensors. The challenge for WSNs is being able to maintain their performance with that many sensors [12].

Bandwidth Limited: Due to their limited power, sensor nodes cannot withstand high flow rates.

Limited physical security: This is justified by the physical constraints and limitations that minimize the transmitted control data [12].

B. Intrusion detection system in WSNs

An intrusion detection system can be defined as the automatic detection of, and generation of an alarm to report, an intrusion that has occurred or is in progress. There are two approaches to intrusion detection.

Behavioral Approach: The observed behavior of the target system is compared to normal and expected behavior. If the behavior of the system is significantly different from the normal or expected behavior, we say that the target system has deficiencies and is subject to an intrusion [5].

Scenarios Approach: In this approach we analyze the audit data in search of predefined attack scenarios held in a database of attack signatures [5].

In wireless sensor networks, IDSs must satisfy the following properties:

Local Auditing (Localize auditing): IDSs for wireless sensor networks work with local and partial audit data, because in wireless sensor networks there are no centralized points that can collect the audit data.

Minimum Resources (Minimize resources): IDSs in sensor networks must use a minimum of resources, because wireless networks do not have stable connections. Moreover, physical resources of the network and nodes, such as power, energy and bandwidth, are limited. Disconnection can occur at any time. Communication between nodes for detecting intrusions should therefore not take up the available bandwidth.

No node trust (Trust no node): IDSs in sensor networks cannot trust any node because, unlike in wired networks, sensor nodes can be easily compromised.

Distributed (Be truly distributed): The collection and analysis of data must be done in different locations. Moreover, the distributed approach also applies to the execution of the detection algorithm and the correlation of alerts.

Safe (Be secure): An intrusion detection system in a sensor network should be able to withstand attacks.

C. Mobile Agent

A mobile agent is an autonomous entity that performs different tasks in order to achieve some goals. In the domain of networking, an agent can run even if the user disconnects from the network. Mobile agents are thus programs that move between nodes of a network, autonomously trying to achieve specific goals given by users. Agents are different from other applications in that they are goal-oriented: they represent users and act on their behalf to achieve some set goals autonomously. We can say they control themselves, as in the decision of where and when they will move to the next node. Mobile agents provide an adequate means of performing analysis efficiently and effectively. A mobile agent neither brings a new detection method to the IDS nor increases detection speed for some kinds of attacks. Nevertheless, it clearly improves the design, construction and execution of the IDS [6].

Mobile agents offer very important advantages that may overcome limitations that exist in wireless sensor networks [6]:

Reducing Network Load: Instead of sending a huge amount of data to the data processing unit, it might be simpler to move the processing algorithm (i.e. the agent) to the data.

Overcoming Network Latency: When agents operate directly on the host where an action has to be initiated, they can respond faster than tree-based systems that have to communicate with a central coordinator located elsewhere on the network.

Autonomous Execution: When portions of tree-based systems get destroyed or separated, it is important for the other components to remain functional. Independent mobile agents can still act and do useful work when their creating platform is unreachable, which increases the fault tolerance of the overall system.

Heterogeneous Environment: The agent platform allows agents to travel in a heterogeneous environment and inserts an OS-independent layer.

Dynamic Adaptation: The mobility of the agents can be used to reconfigure the system at run-time by having special agents move to a location where an attack currently takes place to collect additional data.

Scalability: When distributed mobile agents replace a central processing unit, the computational load is divided between different machines and the network load is reduced. This enhances scalability and additionally supports fault-resistant behavior [7].

III. PROPOSED WORK

Different intrusion detection systems for sensor networks have been proposed. Some of them have been criticized for many reasons; others are used in collaboration with routing protocols. In this paper we propose a new Intrusion Detection System based on mobile agents which employs classification algorithms in order to perform intrusion detection in WSNs. Such algorithms have the advantages that they are largely automated, that they can be quite accurate, and that they are rooted in statistics, which explains why they are prime candidates for use in cost-sensitive classification problems. After training, they can be used for detection with matrices. They have extended applications including intrusion detection in wired networks [8]. In standard classification problems the classification decision is selected in order to minimize the probability of error. However, to detect intrusions, we perform a thorough comparison of three well-known algorithms for intrusion detection in Wireless Sensor Networks (WSNs): K-Means, Naive Bayes, and SVM.

A. System Architecture

In this section we present our new IDS based on three main mobile agents:

[Figure: system architecture diagram not recovered; surviving label: "Update Database"]

Collector Agent: The Collector Agent is the first agent to work in the system. It collects the data from the wireless environment, stores it in a file, and gives it as input to the misuse detection agent.

Misuse Detection Agent: The Misuse Detection Agent analyses the data collected and captured by the collector agent. It detects the known attacks in the network using the «misuse detection technique», by a pattern matching algorithm, and then reports to the alert agent if there is a similarity between the captured packets and the attack signatures in the database. If not, the data are given as input to the anomaly detection agent.

Anomaly Detection Agent: The Anomaly Detection Agent is used to detect unknown attacks or intrusions by using the classification algorithm SVM. If the incoming data is detected as an attack, it reports the attack to the alert agent and updates the database with the detected attack.

Alert Agent: The alert agent is used to alert the system if an attack or intrusion occurs in the network.

IV. SIMULATION AND PLATFORM OF IMPLEMENTATION

A. Simulation

In this simulation we justify the choice of SVM as the classification algorithm to detect intrusions in the anomaly detection agent. We compare the best-performing algorithms used in the anomaly technique to detect unknown attacks or intrusions. The dataset used in this experiment is the NSL-KDD dataset [9], which is a new dataset for the evaluation of research in network intrusion detection systems. It consists of selected records of the complete KDD 99 dataset [9]. The NSL-KDD dataset solves the issues of the KDD 99 benchmark, and each connection record contains 41 features. We use the Weka [10] tool to implement the algorithms and to measure the classification rate.

Figure 2. K-Means cluster assignments

Figure 3. Naive-Bayes Classifier errors

Figure 3. SVM Classifier errors
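The agent flow of Section III.A, as an added example that is not the paper's code: a misuse stage that matches signatures, an SVM anomaly stage for unmatched records, and the database update that turns an anomaly verdict into a signature. The NSL-KDD field names are real; the records, the seeded signature, the three-field signature format and the hand-written linear SVM trainer (standing in for Weka's) are assumptions made for this example.

```python
# Added illustration of the agent flow; not the paper's MAPS/Weka code.
# Field names follow NSL-KDD; every record and signature below is constructed.

def train_linear_svm(X, y, lr=0.1, lam=0.001, epochs=200):
    """Linear SVM: sub-gradient descent on the L2-regularised hinge loss."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        for xi, yi in zip(X, y):
            violated = yi * (sum(wj * xj for wj, xj in zip(w, xi)) + b) < 1
            w = [wj * (1 - lr * lam) for wj in w]      # regulariser shrink
            if violated:                               # hinge sub-gradient step
                w = [wj + lr * yi * xj for wj, xj in zip(w, xi)]
                b += lr * yi
    return w, b

def signature(rec):
    # Simplified signature: categorical fields only (an assumption of this sketch).
    return (rec["protocol_type"], rec["service"], rec["flag"])

def run_ids(stream, signatures, model):
    """Route each collected record through the agents; return the alerts raised."""
    w, b = model
    alerts = []
    for rec in stream:                                 # output of the collector agent
        sig = signature(rec)
        score = w[0] * rec["count"] + w[1] * rec["serror_rate"] + b
        if sig in signatures:                          # misuse detection agent
            alerts.append((rec["id"], "misuse"))       # -> alert agent
        elif score > 0:                                # anomaly detection agent (SVM)
            alerts.append((rec["id"], "anomaly"))      # -> alert agent
            signatures.add(sig)                        # update the signature database
    return alerts

# Constructed training vectors [count scaled to 0..1, serror_rate]; -1 normal, +1 attack.
TRAIN_X = [[0.05, 0.00], [0.10, 0.00], [0.20, 0.05], [0.15, 0.10],
           [0.90, 0.95], [0.80, 1.00], [0.95, 0.90], [0.85, 0.85]]
TRAIN_Y = [-1, -1, -1, -1, 1, 1, 1, 1]

def record(i, proto, service, flag, count, serror_rate):
    return {"id": i, "protocol_type": proto, "service": service, "flag": flag,
            "count": count, "serror_rate": serror_rate}

STREAM = [  # constructed records, in arrival order
    record(1, "tcp", "http", "SF", 0.125, 0.0375),     # normal
    record(2, "icmp", "ecr_i", "SF", 0.900, 0.0000),   # matches the seeded signature
    record(3, "tcp", "private", "S0", 0.875, 0.9250),  # no signature yet, anomalous
    record(4, "tcp", "private", "S0", 0.875, 0.9250),  # caught by the new signature
    record(5, "udp", "domain_u", "SF", 0.100, 0.0000), # normal
]

def demo():
    signatures = {("icmp", "ecr_i", "SF")}             # seeded signature database
    model = train_linear_svm(TRAIN_X, TRAIN_Y)
    return run_ids(STREAM, signatures, model), signatures

if __name__ == "__main__":
    alerts, db = demo()
    print(alerts)
    print(sorted(db))
```

Record 4 shows the effect of the database update: the pattern that needed the SVM for record 3 is caught by signature matching alone. Because signatures written this way inherit any false positive of the anomaly stage, a deployment would want to review them before they are trusted.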

A simple way to perform intrusion detection is to use a classifier in order to decide whether some observed traffic data is normal or abnormal (in the graphs above, the normal system is shown in blue and the abnormal system in red). The classification objective is to minimize the probability of error.

Table 1: Rate of classification

Algorithm      Correctly Classified Instances
K-Means        91,5%
Naive Bayes    92,2%
SVM            97,4%

According to the results obtained, we show that the SVM classifier algorithm is more efficient than the K-Means and Naive Bayes classifiers, with a classification rate reaching 97.4%.

B. Platform of Implementation

Programming WSN applications is a complex task that requires suitable programming paradigms and frameworks to cope with the WSN-specific characteristics. Many technologies were examined, such as the Agent Development Kit (ADK), JADE [11] and the Aglet Software Development Kit (IBM). These are well-known available platforms, and they provide a platform for agent development. Several kinds of micro- and macro-programming techniques have been proposed to date. Among them, mobile agent-based programming, which was formerly introduced for conventional distributed systems, can be more effectively exploited in the context of WSNs. So we choose MAPS [13], a Java-based framework for the development of agent-based applications for Sun SPOT sensor platforms, as a platform of implementation [13]. By using MAPS, a WSN application can be structured as a set of stationary and mobile agents distributed on sensor nodes, supported by a component-based agent execution engine that provides basic services such as agent creation, message transmission, agent cloning, agent migration, easy access to the sensor node resources, and timer handling. MAPS programming has been exemplified through a simple yet effective example that shows how to program the dynamic behavior of agents in terms of state machines on the basis of the MAPS library. It is emblematic of the effectiveness and suitability of MAPS to deal with the programming of complex applications [13].

V. CONCLUSION AND FUTURE WORK

The proposed IDS exploits the benefits of employing mobile agents, such as flexibility, increased scalability, the ability to operate in heterogeneous environments, and reduced WSN bandwidth usage. Consequently, we show that mobile agents do provide a viable means of performing wireless sensor network security analysis as well as some other complex tasks. Also, according to the results obtained, we show that the SVM classifier algorithm is more efficient and better performing than the K-Means and Naive Bayes classifiers, with a classification rate reaching 97.4%. So we advise using it in IDSs as an algorithm for the detection of new attacks, especially for the anomaly detection technique.

As opportunities for future work, the following could be identified: the deployment of more complex detection with mobile agents, using statistical anomaly detection identified by mobile agents and enabling the creation of attack signatures; the development of a more complex detection ontology, with more parameters to characterize the attacks; the study of the impact of the use of the proposed architecture on wireless sensor network traffic; and the implementation and testing of the architecture with a redundant and fault-tolerant main container.

REFERENCES

[1] C. Y. Chong and S. Kumar, "Sensor Networks: Evolution, Opportunities, and Challenges." In Proceedings of the IEEE, Vol. 39, No. 8, August 2003, pp. 1247-1256.

[2] J. Clerk Maxwell, A. Perrig, J. Stankovic and D. Wagner, "Security in Wireless Sensor Networks." In Communications of the ACM, Vol. 47, No. 6, June 2004, pp. 53-57.

[3] A Treatise on S. Snapp, J. Brentano, G. Dias, T. Goan, L. Heberlein, C. Ho, K. Levitt, B. Mukherjee, S. Smahal, T. Grance, D. Teal, and D. Mansur, "DIDS (Distributed Intrusion Detection System) Motivation, Architecture, and An Early Prototype." In Internet besieged: countering cyberspace scofflaws, ACM Press, 1998.

[4] Guoxing Zhan, Weisong Shi, Deng J., "Design and Implementation of TARF: A Trust-Aware Routing Framework for WSNs." IEEE Transactions on Dependable and Secure Computing, 2012; 9(2): 184-197.

[5] Peng Ning, Yun Cui, and Douglas S. Reeves, "Constructing attacks scenarios through correlation of intrusion alerts." In ACM Conference on Computer and Communication Security, pages 245-254, 2002.

[6] Y. EL MOURABIT et al., "A Mobile Agent Approach for IDS in Mobile Ad Hoc Network." IJCSI International Journal of Computer Science Issues, Vol. 11, Issue 1, No 1, January 2014, pp. 148-152.

[7] Blakley, B.: "The Emperors Old Armor." Proc. New Security Paradigms Wksp., 1996.

[8] K. Lee, W., Stolfo, S.J., Mok, K.W.: "A data mining framework for building intrusion detection models." Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, CA, USA, 1999, pp. 120-132.

[9] NSL-KDD Data set for Network-based Intrusion Detection Systems. Available at: nsl.cs.unb.ca/NSL-KDD/ [accessed: July 15, 2014].

[10] WEKA (2008): Data Mining Machine Learning Software. Available online at: cs.waikato.ac.nz/ml/weka/.

[11] Mosqueira-Rey, E., Alonso-Betanzos, A., Guijarro-Berdinas, B., Alonso-Rios, D., Lago-Pineiro, J.: "A Snort-based agent for a JADE multi-agent intrusion detection system." Int. J. of Intelligent Information and Database Systems, 2009, Vol. 3, No. 1, pp. 107-121.

[12] A. Delye, V. Gauthier, M. Marot, and M. Becker, "State of the art networks sensors." Research Report INT 0500IRST N-GET-TNT, UMR5157AMOVAR, National Institute of Telecommunications, Evry, France, 2005.

[13] F. AIELLO et al., "A Java-Based Platform for Programming Wireless Sensor Network." Published by Oxford University Press on behalf of The British Computer Society. The Computer Journal, Vol. 54, No. 3, 2011.
