Wireless Sensor Network, 2011, 3, 241-261 doi:10.4236/wsn.2011.37026 Published Online July 2011 (http://www.SciRP.org/journal/wsn) Copyright © 2011 SciRes. WSN A High-Level Architecture for Intrusion Detection on Heterogeneous Wireless Sensor Networks: Hierarchical, Scalable and Dynamic Reconfigurable Hossein Jadidoleslamy Department of Information Technolo gy, Anza li International Branch , The University of Guilan, Ra sht, Iran E-mail: tanha.hossein@gmail.com Received May 23, 2011; revised June 2, 2011; accepted June 22, 2009 Abstract Networks protection against different types of attacks is one of most important posed issue into the network and information security domains. This problem on Wireless Sensor Networks (WSNs), in attention to their special properties, has more importance. Now, there are some of proposed solutions to protect Wireless Sen- sor Networks (WSNs) against different types of intrusions; but no one of them has a comprehensive view to this problem and they are usually designed in single-purpose; but, the proposed design in this paper has been a comprehensive view to this issue by presenting a complete Intrusion Detection Architecture (IDA). The main contribution of this architecture is its hierarchical structure; i.e. it is designed and applicable, in one, two or three levels, consistent to the application domain and its required security level. Focus of this paper is on the clustering WSNs, designing and deploying Sensor-based Intrusion Detection System (SIDS) on sensor nodes, Cluster-based Intrusion Detection System (CIDS) on cluster-heads and Wireless Sensor Network wide level Intrusion Detection System (WSNIDS) on the central server. Suppositions of the WSN and Intru- sion Detection Architecture (IDA) are: static and heterogeneous network, hierarchical, distributed and clus- tering structure along with clusters’ overlapping. Finally, this paper has been designed a questionnaire to ver- ify the proposed idea; then it analyzed and evaluated the acquired results from the questionnaires. Keywords: Wireless Sensor Network (WSN), Security, Intrusion Detection System (IDS), Hierarchical, Distributed, Scalable, Dynamic Reconfigurable, Attack, Detection 1. Introduction Wireless Sensor Networks (WSNs) are homogeneous or heterogeneous systems consist of many small devices, called sensor nodes, that monitoring different environ- ments in cooperative [1,2], i.e. sensor nodes cooperate to each other and combine their local data to reach a global view of the operational environment; they also can oper- ate autonomously. In WSNs there are two other compo- nents, called “aggregation points” (i.e. cluster-heads and CIDSs’ deployment locations) and “base station” (i.e. the central server and the WSNIDS’s deployment location), which have more powerful resources and capabilities than normal sensor nodes [1,3]. As shown in Figure 1, aggregation points collect information from their nearby sensor nodes, aggregate and forward them to the base station to process gathered data [4]. Factors such as wireless, unsafe, unprotected and shared nature of com- munication channel, untrusted and broadcast transmis- sion media, deployment in hostile and open environ- ments, automated and unattended nature and limited re- sources, make WSNs vulnerable and susceptible to many types of attacks [1]; therefore, in attending to the WSNs’ constraints, their requirements and unusable traditional network security techniques on WSNs, security is a vital and complex requirement for these networks [2,5]. Also, the defensive-security mechanism that can guarantee the normal functionalities of these networks must be consis- tent to the WSNs’ autonomous mechanisms. This paper is following a complete security mechanism to cover and establish different basic security dimensions of WSNs, like confidentiality, integrity, availability and authentic- ity. Our proposal is adding an another defensive line, called Intrusion Detection System (IDS), as a new defen- sive-security layer to the WSNs’ security infrastructure; which it can
H. JADIDOLESLAMY 242 Figure 1. WSNs’ communication architecture. detects unsafe activities and unauthorized access; also, when attacks occurred, even new attacks such as anoma- lies, it can get notify by different warnings and perform required actions (mainly predefined actions). Therefore, the main purpose of this paper is presenting, discussing and solving the intrusion detection problem in WSNs. This paper is including: An overview of WSNs and their security; Discussing Intrusion Detection System (IDS) as a new aggressive-defensive security layer for WSNs (consider the basic architecture of IDSs and IDS’s requirements for WSNs); Suggestion a comprehensive, hierarchical and uncen- tralized Intrusion Detection Architecture (IDA) and IDS architecture for WSNs (SIDS, CIDS and WSNIDS architectures); This paper makes us enable to identify the existent security challenges in WSNs and we can almost solve the intrusion detection problem on these networks; besides, we also can detect and manage WSNs’ attacks and react to them, appropriate to attacks’ type and their nature. The rest of this paper is organized as follows: in Section 2 an overview of WSNs and their different security dimen- sions are presented; Section 3 is mainly focused on IDS, it’s importance and different dimensions, and IDS’s re- quired properties for WSNs; Section 4 considers the in- trusion detection issue on WSNs, including design chal- lenges and IDS requirements in these networks; Section 5 will describe the proposed Intrusion Detection Archi- tecture (IDA) and suggested IDSs for WSNs; Section 6 prepares a questionnaire to verifying the IDA; it also expressed the reached results from analyzing question- naires; Section 7 presented conclusion; and finally future works, are drawn in Section 8. 2. An Overview of WSNs Sensor is a tiny device which detects and measures amount of physical parameters, or an event occurrence, or an object existence; then, it converts that value to elec- trical signal; finally, if necessary, it actuates a special operation by using electrical actuators [1,6]. WSN is a computer network with following major features: Infrastructure-less [1,2,3]; No public address, often (data-centric network, thus sensor nodes do not have identification code) [2,7]; Consists of many (hundreds or even thousands) tiny sensor nodes [2,8,9] (small size, low-cost and low-power); High-density of nodes distribution [3,10]; Insecure radio links; Application-oriented; Central or distributed management; Different communication models [1,2,11], including: hierarchical/distributed WSNs or homogenous/heter- ogeneous WSNs; Limited resources of sensor nodes [2,3,12] (radio communication, bandwidth, energy, memory and pro- cessing capabilities) [7,10,13]; Having decision making capability to react to the events, including: automated structure (local decision making), semi-automated (decision making by base- station) and combinational (clustering structure); Main application domains of WSNs are: monitoring and tracking (as shown in following figure, Figure 2(a)); therefore, some of the most common applica- Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY243 (a) (b) Figure 2. WSN’s applications. tions of these networks are: military, medical, environ- mental monitoring, industrial, infrastructure protection, disaster detection and recovery, agriculture, intelligent buildings, law enforcement, transportation and space discovery (as shown in Figure 2(b)). The taken approach into the WSN is a combinational model; i.e. hierarchical, distributed and heterogeneous; since, sensor nodes, cluster-heads and the central server are different than each other and each one of them have special and different capabilities, hardware and software specifications than others. In continue of this section, it will be presented an out- line of different aspects of WSNs, such as their charac- teristics, vulnerabilities and different security dimen- sions. 2.1. Vulnerabilities and Challenges of WSNs WSNs are vulnerable against many kinds of attacks; some of the most common reasons are: Theft [1] (reengineering and replicating) [3,5]; Limited capabilities and resources [2,5]; Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY 244 Random deployment [7]; Deployment on dynamic/hostile environments [2,10]; Insider attackers; Inapplicable traditional network’s common security techniques [2,5] (due to limited devices and their re- sources and interaction to physical environment); Requirement to redesigning security architectures and protocols (distributed and self-organized); Unreliable communications [2] (connectionless pac- ket-based routing unreliable transfer, channel’s broadcast nature conflicts, multi-hop routing and network congestion and node processing Latency); Vulnerability against eavesdropping (since using unique communication frequency into the WSN); Unattended nature and operation [1,2]; Dynamic structure, unpredictable topology and self- organization [1,3]; Sensor nodes’ selfishness [2,12]; Requiring to forwarding and routing sensed informa- tion to a shared destination, called sink; Existence redundancy in gathered traffic; Fault tolerant [1,12]; Cost of sensor nodes’ development and their produc- tion [2,6]; Size and precision of sensor nodes; 2.2. Security in WSNs As WSNs’ application areas are growing, intrusion tech- niques in these networks also are increasing; there are many methods to disrupt these networks and every day, new techniques are representing to destruct WSNs [1,2]. Besides, in attending to the vital WSNs’ vulnerability against many types of attacks [5,11] and necessity of data accuracy and network health and fault tolerant, con- fidential and sensitive applications of WSNs, security is a vital requirement in these networks and it must be es- tablished according to their constraints to can solve secu- rity problems and weaknesses of these networks. Also, there are three security key points on WSNs, including system (integrity, availability), source (authentication, authorization) and data (integrity, confidentiality). Thus, security in WSNs is an important, critical issue, necessity and vital requirement, due to: Correctness of network functionality [1,2]; Unusable typical networks protocols [2,7]; Limited resources and untrusted sensor nodes [1,8]; Requiring trusted center for key management, to au- thenticate nodes to each others, preventing from ex- istent attacks and selfishness [1,10,13] and extending collaboration [2]; Broadcast and wireless nature of transmission media [1,5]; Sensor nodes deploy on hostile environments [1,6,12] (unsafe physically); Unattended nature and operation of WSNs [1,2,9]; Some of most important dimensions of WSNs have been shown in following figure (Figures 3(a) and (b)) by star spangled. As Figure 3(a) shows, in this paper we have emphasize on goals, obstacles and constraints of WSNs’ security aspects. Also, Figure 3(b) is showing which this paper has been emphasized on intrusion de- tection approach from security mechanisms (by star spangled). 3. Intrusion Detection System (IDS) Intrusion, i.e. unauthorized access or login (to the system, or the network or other resources) [14]; intrusion is a set of actions from internal or external of the network, which violate security aspects (including integrity, confidential- ity, availability and authenticity) of a network’s resource [15,16]. Intrusion detection is a process which detecting contradictory activities with security policies to unau- thorized access or performance reduction of a system or network [14]; the purpose of intrusion detection process is reviewing, controlling, analyzing and representing reports from the system and network activities. Intrusion Detection System (IDS), i.e.: A hardware or software or combinational system, with aggressive-defensive approach to protect infor- mation, systems and networks [17,18]; Usable on host, network [19] and application levels; For analyzing traffic, controlling communications and ports, detecting attacks and occurrence vandalism, by internal users or external attackers; Concluding by using deterministic methods (based on patterns of known attacks) or non-deterministic [18, 19] (to detecting new attacks and anomalies such as determining thresholds); Informing and warning to the security manager [16, 17,20] (sometimes disconnect suspicious communi- cations and block malicious traffic); Determining identity of attacker and tracking him/ her/it; There are three main functionalities for IDS, including: monitoring (evaluation), analyzing (detection) and react- ing (reporting) [15,17] to the occurring attacks on com- puter systems and networks. If IDS be configured, cor- rectly; it can represent three types of events: primary identification events (like stealthy scan and file content manipulation), attacks (automatic/manual or local/remote) and suspicious events. 3.1. IDS Categorization Based on Their Architecture According to the Figure 4, Intrusion Detection Systems Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY245 Security in WSNs Goals** Obstacles** Constraints** Very limited resources Unattended operation Untrusted communica- (a) (b) Figure 3. Security in WSNs. (IDSs) attending to the information gathering source and input data supplier, divide into three categories, as fol- lows. 3.1.1. Host-Based Intrusion Detection System (HIDS) HIDS installs on a computer system [15,18]; it uses proc- essor and memory of that system and protects only the hosting system [15,21]. It has an abnormal detector part which using statistical methods to detect abnormal be- havior of users in comparison to their behavioral records [21,22]; also, it has an expert system part that detects the security threats and describes the vulnerabilities of the system, but independent from behavioral records of users; of course, it uses a rules-base, too. Standard Unique Confidentiality Integrity Authenticity Availability Data freshness Self-organization or self-healing Time synchronization Secure localization Wide applications Cost-effective Node constraints Physical constraints Network constraints Energy Unattended after deployment Memor Stora e Remotely managed Processin Unreliable, ad-hoc and wireless communications Collisions/latency Lack of physical infra- structure Security in WSNs Security threats Security classes Security mechanisms Interruption Data inte rit Authentication Confidentiality Availability Interception Modifica- Forgery Deletion Modification High-level Low-level Fabrication Secure group management Key establishment and trust setu Replay Intrusion detection Secrecy and authentica- tion Secure data aggregation Privacy Secure broadcasting and multi- casting Robustness to commu- nication DoS Secure routing Resilience to node capture Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY 246 Figure 4. Different categorizations of IDSs. 3.1.2. Network-Based Intrusion Detection System (NIDS) NIDS is a software process which installs on a special hardware system [16,20]; in many cases, it operates as a sniffer and controls passing packets and active commu- nications, then it analyzes network traffic in sophisti- cated, to find attacks [18,19,22,]. NIDS can identify at- tacks, on network level; thus, it includes following steps: Setting up the Network Interface Card (NIC) on pro- miscuous mode and eavesdropping total network traf- fic [16]; Capturing the transmitting network packets [19]; Extracting requirement information and properties from them (the packets); Analyzing properties and detecting statistical devia- tion from normal behavior and known patterns (using pattern matching); Producing and logging proper events; 3.1.3. Distributed Intrusion Detection System (DIDS) Most important characteristics of DIDS are: Combination of HIDS, NIDS and central manage- ment system [23]; Sending the reports of distributed IDSs (HIDSs and NIDSs) to the central management system; Based on distributed and heterogeneous resources [14,15,20]; High complexity, variable specifications and agent- based. In WSNs, most attackers are targeting routing layer, since they can control passing information into the net- work. Besides, WSNs mainly are based on sensor nodes’ reporting to the base station; so, disrupting and violating from this process leads to success attacks. As a result, for such networks, most proper architecture for IDS will be NIDS. A NIDS using network raw data packets as data source; it eavesdrops and listens to the network traffic, captures packets in real-time, then controls and tests them to detect attacks. There is a SIDS on each sensor node to detect attacks on sensor-level wide; mainly, physical attacks. Also, in the proposed architecture, sensor nodes are partitioned as some clusters; each cluster has a cluster-head and any cluster-head (CIDS) should monitor the traffic of its as- sociated cluster nodes. But, in some cases (about bound- ary nodes), a single cluster-head can not solve the “trust no node” requirement; thus, neighboring and corre- sponding cluster-heads have to cooperate to each others to complete the intrusion detection process. They can use the simple majority vote rule to make an appropriate de- cision. In other cases, a human agent or the WSNIDS (deployed IDS on the central server) is completing the intrusion detection process. Intrusion Detection Sys- tem (IDS) Architecture Detection Methods Decision making Response or Reaction Approaches HIDS NIDS DIDS Cooperative Anom- aly-Based Sys-Log Traffic Anal zer File-Finger- Printing Signa- ture-Based or Traffic Accountin Active Misuse Passive System Integrity Checks Virtual - Sys-trace 3.2. IDS Classification Based on Detection Method IDSs must be able to differentiate between normal and abnormal activities, to detect malicious efforts, in real- time. As Figure 4 shows, IDSs be partitioned into two categories, based on data analysis and detection method [15,17]. In following sections, they will be considered. 3.2.1. Anomaly Detection Systems Anomaly Detection Systems are focused on normal be- havioral patterns [18,20]. According to the expert sys- tems are not able to timous update patterns, we will need automatic devices to extract new attacks’ patterns [14, 15,20]. It is possible to using some techniques such as threshold detection (fully heuristic and static), statistical criteria, act/rule-oriented criteria, clustering methods, neural networks, expert systems, machine learning and data mining, to detecting abnormal behaviors [12,24]; for example, measuring the changes in volume, direction and pattern of communication traffic, can indicate and dif- ferentiate attack traffic, easily. In this approach, it is pos- sible to detecting new attacks and also internal attackers; including following steps: Identifying normal behaviors [20,22] (they have de- terministic properties) and finding especial rules for them (describing normal behaviors by automated learning, usually); Forming some views from normal behaviors of the system, network, users and user groups; o Behaviors that following these patterns normal behaviors; o Activities which have excessive deviation from de- fined statistical values of these patterns abnor- mal behaviors and intrusion efforts; Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY247 The main key to detect abnormal behavior: comparing current traffic and predefined normal behaviors patterns; Problem: how gathering a set of static criteria of nor- mal behaviors? 3.2.2. Signature-based Detection Systems This method is using deterministic scenarios, rules and patterns of known attacks, which be defined by security expert systems, to detect security threats and attacks [17, 24]; in this model, IDS gathers the properties of attacks and abnormal behaviors and then, make an information base by them [18,20,22]. Therefore, to using such sys- tems, user should define and store the templates and re- quirements actions for security threats. After pattern and properties matching, IDS can report the type of attack, in precise. Thus, the main operation of these systems is comparing observed behavior and known attacks’ pat- terns to each other. Some of characteristics of this ap- proach are: Inability to identifying new attacks [15,20]; Requiring to a set of predefined patterns [17,24] (in- cluding properties, rules and behaviors) of known at- tacks into the IDS; Necessity of adding new patterns of attacks to the patterns’ set, manually and repeatedly; The main key to detect misuse behavior: comparing current traffic to predefined and pre-known attacks’ pat- terns; Problem: how detecting intrusions’ properties and dis- playing them? In attending to the surveys conducted, severe restric- tions of resources on WSNs, especially memory, using of such IDSs which requiring storing the patterns of attacks, they are not usable or rather difficult to using on WSNs. Proposed detection approach on the WSN is combina- tional method (specifications-based); i.e., based on sig- nature and based on anomaly. In this approach, at first, defining manually some of deterministic properties and thresholds of normal behavior for the system; thus, de- viation of them, is anomaly. This system can be had two types of policy-bases, including: Misuse-detection pol- icy-base and Anomaly-detection policy-base. Proposed detection method is uncentralized; because IDSs are distributed and installed on different levels of the network: the WSNIDS on the central server (highest level), CIDSs on cluster-heads (medium level) and SIDSs on sensor nodes (low level). Distributed systems are more scalable and more robust; since they have dif- ferent views of the network. Besides, IDS can inform the occurrence of attacks, in fast; because the network is clustering, SIDSs and CIDSs are distributed as cover total nodes of the network; then, SIDSs and correspond- ing CIDSs are near to the attackers (on single hop dis- tance). It is possible to detect in 1, 2 or 3 levels; i.e. if SIDS can not detect attack or make decision about attack oc- currence or its policy-base does not have the pattern of the type of a special attack, the SIDS is tagging that packet and then, send it to the high-level IDS (i.e. corre- sponding CIDS); if the CIDS can not detect attack or make decision about attack occurrence or its policy-base does not have the pattern of the type of a special attack; the CIDS is labeling that packet and then, send it to the high-level IDS (i.e. WSNIDS); now, WSNIDS should make final decision if the current traffic is malicious or not. 3.3. IDS Categorization Based on Decision Making Techniques In this section, the paper discusses about who should make final decision if occurring intrusion or not, or if a node is an intruder, really? Is an attack accrued? If ok, what actions must be doing? According to the Figure 4, there are two approaches for this purpose, as follows. 3.3.1. Cooperative Mechanism In a cooperative IDS, if a node detects an anomaly, or the existent evidences be inconclusive, a cooperative mecha- nism triggers to produce a global intrusion detection ac- tion along with neighboring nodes; even if a node be sure about the crime of another node, decision making also should be cooperative (again) [17,20]; because the node which take the decision, maybe be malicious, itself. Be- sides, for decision making about boundary nodes be- tween neighboring clusters in the network wide level, corresponding cluster-heads (using collector and major- ity rule), and if necessary, the central server (WSNIDS), should take proper decisions by participate to each other. 3.3.2. Autonomous Mechanism In this method, sensor nodes and cluster-heads take deci- sions, autonomously [15,21]; they gather evidences and criteria of anomaly and intrusion activities from co-clu- ster nodes and then, make decision on sensor-level or cluster-level intrusions. Other nodes, clusters and the WSNIDS, do not have cooperated in this decision mak- ing process. The main weaknesses of this approach are: Security of sensor nodes and cluster-heads is low [17,25] (of course, in homogenous WSNs); attackers can compromise them soon and easy; therefore, this leads to loss of the network control. Enforcing excessive processing overhead on clus- ter-heads; therefore, in attending to limited resources and being few key nodes, on homogenous WSNs, leads to their lifetime reduction (energy loss/waste Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY 248 and cluster-heads destruction). Processing the infor- mation of other nodes and then, taking appropriate decision on results of intrusion efforts (if leads to an attack or not), enforcing excessive processing over- head and finally, can be leading to energy loss/waste and exhaustion of decision maker nodes (clus- ter-heads). The proposed IDA for WSNs, can take combinational decision making approach (autonomously, but often co- operative) by using clustering manner; thus, SIDSs make decision about intrusion occurrence on sensor node level; if necessary they referenced to the corresponding CIDSs; also, cluster-heads make decision about intrusion occur- rence and proportional actions on cluster level; if neces- sary, they cooperate to each others (for example, about boundary nodes). i.e. , the WSN’s nodes be clustering and forming clusters; in each cluster, sensor nodes collect data from environment, cluster-heads gather data from corresponding cluster’s nodes, then form and mainte- nance a machine state for any one of them; then, clus- ter-head (CIDS) can take proper decision if the node be compromised or not; or if any node disclosure informa- tion or not; of course, by attention to the nodes’ reports. Therefore, in each cluster, SIDSs make decision on in- trusion to the local host nodes; also, corresponding clus- ter-head make decision on intrusion to its co-cluster nodes. So, in some cases (about boundary nodes), neighboring cluster-heads cooperate to each other to de- tect intrusions. Besides, in cases of anomaly detection, special attacks or inapplicability majority rule, the cen- tral server (WSNIDS) or human agents make final deci- sions about attack occurrence and proper reactions. In suggestion approach, at first level, sensor nodes make decision on attack occurrence to local host sensor node; at second level, cluster-heads make decision on attack occurrence to associated clusters’ sensor nodes and then, cluster-heads of boundary nodes cooperate to each other about intrusion occurrence and proportional actions (cooperative decision making); finally, the WSNIDS take decision on anomalies and difference cases between cluster-heads. We can establish a combinational decision making mechanism by using this actual that whole sensor nodes deploy in associated cluster-heads and the WSNIDS ra- dio range; also, cluster-heads deploy in each other and the central server (WSNIDS) radio communication range; it means that cluster-heads (to each other) and WSNIDS have communicate to each others; thus, each cluster-head can listen to the transmitted messages of its neighboring cluster-heads and the WSNIDS. Therefore, these nodes can advertise their warnings to each other, easily; through produce and broadcast a single message. In sus- picious cases of boundary nodes can have a safer and more reliable conclusion by using the majority rule: “If more than half of a node’s corresponding clus- ter-heads warn, then that node is a compromised node and it should be turning off or the central server must be notified and take proper decision about it”. It means, if a boundary node has been n corresponding cluster-heads, if the collector receives at least ((n/2) + 1)) warnings, also include the warning of the collector (it- self), it can conclude which that node is a compromised node. Therefore, in cooperative approach, we have to select one of associated cluster-heads as collector, to gather warnings and ideas of other associated clus- ter-heads and enforce the majority rule; then, the final conclusion and decision making do by collector. For enforcing the majority rule, we have to determine a cluster-head as collector, to gather warnings from other cluster-heads analyze them and take the final decision. Problem 1: compromising collector: attacker can con- trol intrusion result, easily. To avoid from this scenario, other cluster-heads must impose the majority rule on the received warnings, too; then, they have to check, con- sider and compare reached result to the collector’s report. Problem 2: compromising a few cluster-heads: in at- tending to majority rule, if a cluster-head compromised and broadcasts a false warning, and tries to cancel an authorized node or does not broadcast a warning for a malicious node; this is almost ineffective; because most of cluster-heads are win and non-compromised, yet. 3.4. IDS Categorization Based on Response Method IDSs using events’ information and patterns analysis of attacks to react them; including: 3.4.1. Active Response These responses prevent from the attackers’ activities, directly [13,16]; for example, session disconnection [19], dynamic reconfiguration of the network, using Honeypot and setting thresholds again (in attention to the user skill, network speed, expected network connections, work load of security manager, sensor sensitivity, security policy, vulnerabilities, information and system sensitivity and fault importance). 3.4.2. Passive Response These kinds of responses do not prevent from the attack- ers’ activities, directly [15,17,18]; like: shunning, log- ging, notifying [15] through cell phone, email and mes- sage to SNMP console [18,20]. The proposed response approach for the WSN: using combinational method; i.e. active and passive responses by each others, depending on conditions, type and nature Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY249 of attacks; thus, the type of response be determining based on attacks’ severity and their damages level. Also, responses can be as a part of policies; i.e. we can define and store responses into the info-bases such as Pol- icy-base, manually. 4. Intrusion Detection on Wireless Sensor Networks (WSNs) Intrusion detection in WSNs has many challenges, mainly due to lack or weak of resources [7,17]. Besides, the existent methods and protocols of traditional net- works can not be enforced to the WSN, directly; because they need to the resources which attending to the WSNs’ limitations and constraints are inaccessible. In general, WSNs are application-oriented [9,25]; i.e. they are de- signed as cover the very special properties according to the target application domain. Intrusion detection process is supposing that the behavior of normal system is dif- ferentiating than the behavior of attacked system. There are several possible and different configurations for WSNs; so, it is difficult to define normal and expected behavior; since the proposed IDS should have been dif- ferent characteristics on different application domains. Non-existence the unique structure for WSNs Non-existence unique IDS different and variety IDSs requirement requiring to a modular and comprehen- sive IDS. For example, one of intrusion detection meth- ods is checking, considering and distinguishing the run- ning code on the sensor node; then, if it be differentiate than the normal code, it means which an attack is oc- curred or occurring [14,16]. 4.1. Main Challenges in Designing IDS for WSNs There are a lot of challenges in designing IDS for WSNs; as follows described: Designing efficient software to store and install on the sensor nodes, cluster-heads and the central server, to saving existent energy consumption; as a result, leading to increase the network lifetime; Limited resources [1,7,13,17]; Repeated failures and unreliable sensor nodes; Application-oriented networks [11]; Requiring to the monitoring, detecting, decision making and responding to the intrusions, in real-time and fast; then leading to minimum damages; It is difficult to time synchronizing nodes into the WSNs; so, it is difficult to using protocols that are rely on time synchronization; Databases challenges: the volume of sensed data in the dynamic and mobile WSNs; proper storage me- dium; supporting different queries from sensor nodes, cluster-heads and the central server in network wide level; data indexing and local queries to perform que- ries faster; indexing the mobile data; enforcing very costs by fast and real-time changes and communica- tions and weak of data freshness (high-frequency of data freshness); 4.2. The basis Requirements of IDS on WSNs In this section, the paper be described the basis require- ments of IDS for WSNs; i.e. it wants to discuss the basis requirements of an IDS, which it has to provide for WSNs. Attacker can load the malicious software to trig- ger an internal attack, in attending to the special proper- ties of these networks such as limited communication and processing resources, low radio range and other weakness of sensor nodes [11,25]. Therefore, an optimal and appropriate solution to solving this problem is archi- tecture by following properties: Distributed; Based on cooperation of nodes, cluster-heads and the central server; Then, a distributed and cooperative architecture is an optimal and proper solution. So, it is necessary which a WSNs’ IDS has been following features: Localize auditing: IDS of WSNs should operate by using local and minor auditing data (such as SIDS, in the same sensor node level or CIDS, in the same cluster level); thus, distributed approach for these networks is appropriate and consistent (an accurate and comprehensive monitoring in sensor node level or cluster wide level, preprocessing, analyzing and processing). Accurate management of resources: IDS for WSNs has to consume minimum dose of nodes’ and other network’s resources (light-weight IDS). Besides, wireless networks do not have stable connections; also, the WSN’s equipments and resources such as bandwidth and power, are limited. For example, the inter-nodes communications for intrusion detection purposes should not consume and occupy the acces- sible bandwidth, excessively. Some of necessities are: non-enforcing extra load to the WSN, efficiency and monitoring the health state of IDSs. Error management, health state monitoring and secu- rity management: an IDS can not suppose that any single node is fully secure (supposition: no node is secure); because sensor nodes are compromising eas- ily and disclosure information. Thus, in cooperative approaches, we have to attend that no nodes can be fully trusted. Accurate and comprehensive monitoring: data gath- Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY 250 ering and analyzing them doing at some of specific location (such as cluster-heads). Some of necessities are: non-enforcing extra load to the special components such as sensor nodes or clus- ter-heads into the WSN, using detection mechanism, audit trial, warning dependence, distributed and collec- tive response at the level of the whole WSN. Robustness and fault tolerant: IDS must be robust and resistant against attacks [17,20]. Compromising one or more sensor node (their associated SIDSs) or even a cluster-head and controlling the behavior of its em- bedded CIDS, should not able attackers to remove an authorized node from the WSN or prevent from de- tecting another attacker or malicious node. Some of necessities are: error management, keeping configuration information and security management. Secure and under-control inter-modules (internal parts of IDSs) and inter-components (between the WSN’s components on different levels) data communications; Scalability; Reaction and tracking capabilities; Ease of use; 4.3. Intrusion Detection Approaches on WSNs There are two major approaches for intrusion detection in this domain, as follows: Centralized approach: for applications with accessible nodes and possible to manage them, in centralize [15, 18]; but, this kind of architecture threats the entire system security. Distributed approach: in this approach, it is possible to have one IDS per each sensor node (SIDS); so, sensor node usually makes decision autonomously about sensor node level’s attacks (mainly, physical attacks); also, there is one IDS per each cluster of nodes (CIDS); in this case, cluster-heads usually make decisions autonomously and independently about their associated and co-cluster sensor nodes; in some cases about boundary nodes, they cooperate to each others for intrusion detection; so, they take deci- sions, cooperatively. Thus, they using a cooperative mechanism to take proper decisions and then, they combine the local view of neighboring cluster-heads to each other. In clustering method, all cluster-heads that place in the radio range of a node, can surveil- lance on that node, to identify malicious nodes accu- rately by using the majority rule; even though chain- ing destruction. The proposed approach is combinational; i.e. at first, the existent sensor nodes be classified in subsets, called cluster; then, a cluster-head be selected per each cluster. Now, in low level, a series of distributed IDS, called SIDS, be installed on sensor nodes; in medium level, a series of distributed IDS, called CIDS, be installed on cluster-heads; these IDSs have communicate to each other and corresponding cluster nodes; also, they have commu- nicate to the central server (high level IDS: WSNIDS). Besides, there is a centralized and comprehensive IDS on highest level of the WSN intrusion detection architecture which has been installed and deployed on the powerful central server, calling the WSNIDS. 5. The proposed Intrusion Detection Architecture (IDA) for WSNs As Figure 5 is showing, the suggested architecture has a combinational (distributed, in two low levels and cen- tralized, in highest level) and hierarchical structure; thus, the proposed approach can be used in 1, 2 or 3 levels of IDSs, including SIDSs (on sensor nodes), CIDSs (on cluster-heads) and the WSNIDS (on the central server). 5.1. Sensor-Based Intrusion Detection System (SIDS: Sensor Node Level IDS) In low level of the proposed architecture (sensor nodes), there is a simple IDS or Sensor-based IDS (SIDS/HIDS) per each sensor node. In each sensor node, there is a small policy-base that is including most common attacks in this domain along with special and limited preproc- essing capabilities such as extracting the required data fields from the network packet. This IDS is signa- ture-based; if an attack be detected, according to the de- termined response into the corresponding policy and se- curity rule, it be responded (autonomous and independ- ent decision making). If the traffic was not on intrusion or there is not a matched policy in the sensor-based pol- Figure 5. The proposed Intrusion Detection Architecture (IDA) for WSNs. Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY Copyright © 2011 SciRes. WSN 251 icy-base (SBPB), it be labeled and it will be send to the high-levels of the IDA (other IDSs) (cooperative deci- -sion making), to considers more. Some of most impor- tant features of SIDS are: There is a SIDS on each typical sensor node; so, in this case, nodes besides performing the common functions of typical sensor nodes like sensing and gathering information, routing packets into the WSN and retransmission, doing also intrusion detection functionalities (operating as IDS, too). Architecture: HIDS; Detection method: signature-based; Response approach: hybrid; Decision making: almost independent and autono- mous; Some of common operations of each SIDS are: pre- processing, extracting the properties and fields of packets, processing, enforcing rules and comparing policies to the current traffic by attending to the ap- plication area, type and nature of the WSN and possi- ble attacks, decision making and finally, reacting by proper actions; Fields of data packets must be selected as be inte- grated, unique and low-size and low volume; besides, they should be optimal on processing, energy con- sumption, response time and delay; to leading to high performance. Some of most important fields are: Source: node-id, Next hop, Previous hop, Data type, Destination (CIDS/WSNIDS-id), Data and Sequence number (optional). SIDSs mainly are focused on detecting physical at- tacks of WSNs; Gathering data in intervals times, comparing them to the predefined thresholds and assigning a state label to them such as notification, warning or normal; In this approach, in attending to the distributed design for intrusion detection on WSNs, each sensor node only operates by using accessible local and partial information on the sensor node level; of course, it also using a distributed design for intrusion detection. In homogenous WSNs, SIDSs are same exactly on entire sensor nodes; they can broadcast, eavesdrop and listen to the messages (for example, messages that come from other neighboring sensor nodes). The communication between nodes, cluster-heads and the central server, provide possibility of using a distrib- uted mechanism to take the final decision about in- trusion threat. In heterogeneous WSNs, SIDSs are different than each others (since the systems and data types are dif- ferent). The main properties of SIDSs are: o Using local and minor information for intrusion de- tection (localize auditing); o Low error rates; Each sensor node in the WSN should have been a SIDS by following functionalities (according to Figure 6): Network monitoring: each sensor node monitors its immediate neighboring and nearby nodes to gathering audit data; Decision making: sensor node using gathered audit data (on previous step) to make decision on intrusion threat level based on node and appropriate responses; if necessary, it shares its findings with associated cluster-head (s) to take proper decision, in collective. Reaction: each sensor node has responding mecha- nisms which allow it to react to the intrusion situa- tions. Internal components and modules which are existing into the SIDS’s architecture are (as shown in Figure 6): local packet monitoring: gathering, auditing and fil- tering raw data for local detection engine module; these data usually are gathering by listening to the op- erating environment and transmissions of neighboring nodes (in promiscuous); Figure 6. High-level architecture of the SIDS.
H. JADIDOLESLAMY 252 Independent and local detection engine: analyzing and comparing audit data, in attending and consider- ing to the properties, given limitations and predefined rules and enforcing detection techniques; this com- ponent stores, imposes and operates rely on signa- ture-based detection method which describes attacks’ patterns; Local decision making; local response module: it is possible to divide re- sponses into two categories, according to the attacks’ nature; i.e.: direct response and indirect response; once an intrusion occurred, compromised node will be detected and this module will trigger proper ac- tions; including: disconnecting session, isolating in- truder and compromised node, preventing the mali- cious/suspicious node from entire network’s routes, network recovery, improving the used routing proto- col, producing and using new cryptography keys, no- tifying to the associated cluster-head (s), reducing the quality estimation of the link to that node. According to the independent and autonomous behavior of WSNs, these functions must be doing without human agent intervention and in finite time. Communication mechanism: this module is using to establish communication between sensor node (SIDS), cluster-heads (CIDSs) and the central server (the WSNIDS). 5.2. Cluster-Based Intrusion Detection System (CIDS: Cluster-Level IDS) CIDSs place on the medium level of the proposed archi- tecture (according to the Figure 7); i.e. they install and deploy on the heterogeneous cluster-heads. There is a cluster-head per each cluster of sensor nodes which it covers its radio range sensor nodes; so, the intrusion de- tection process does by cluster-heads. There is a small and low-size policy-base (Cluster-Based Policy Base: CBPB) on each cluster-head that includes the most common patterns of attacks on this domain, along with some preprocessing capabilities such as requirement data field extraction from the network packets and packets filtering. If an attack detects, according to the predefined actions into the policy-base and the corresponding secu- rity rule-base, the IDS is responding to it. In this level, decision is making in combinational; so, if the current traffic be from the internal of the cluster, the proper de- cision takes autonomously and independently; also, if the current traffic be from the boundary nodes (between dif- ferent neighboring clusters), the collector be selected and then, the collector enforces the majority rule to takes the final decision; finally, if the current traffic not be about an intrusion or the collector can not take a decision (if the majority rule be inefficient), for more consideration, that traffic labeled (for example, rely on the attack esti- Figure 7. High-level architecture of the CIDS. Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY253 mation severity by current node) and will forward to the central server (centralized-cooperative decision making by CIDSs and the WSNIDS). Some of most common properties of CIDS are: A cluster-head node, besides performing the common functions of typical sensor nodes like sensing and gathering information, routing packets into the WSN and retransmission, doing also intrusion detection functionalities. Some of common operations of each CIDS are: pre- processing, filtering, reducing unsuitable data, extract- ing the properties and fields of packets, processing, enforcing rules and comparing policies to the current traffic by attending to the application area, type and nature of the WSN and possible attacks, decision making and finally, reacting by appropriate actions; Gathering events in intervals time, comparing them to the predefined thresholds and assigning a state label to them such as notification, warning or normal; In this approach, each cluster-head can operate only by using accessible local information on the cluster-wide level; in other words, it can make decision about intru- sion occurrence of its cluster nodes, autonomously; of course, it also using a distributed design for decision making on intrusion detection between sensor nodes, cluster-heads and the central server, provide possibility of using a distributed mechanism to take the final deci- sion about intrusion threat. In homogenous WSNs, CIDSs are same exactly on entire cluster-heads or sensor nodes and other WSN’s components; they can broadcast, eavesdrop and listen to the messages (for example, messages that come from other cluster-heads). In heterogeneous WSNs, CIDSs are different than each others and other WSN’s components (since the hosting systems and data types are different). The main properties of CIDS are: o Using local information for intrusion detection (lo- calize auditing); o Low error rates (due to existing comprehensive Info- bases); Each cluster-head in the WSN should has been a CIDS by following functionalities (according to the Figure 7): Cluster-based monitoring: each cluster-head monitors its immediate neighboring and nearby nodes (mem- bers of its associated cluster) to gather auditing data; Decision making: cluster-head using audit data that gathered on previous stage, to make decision on in- trusion threat level based on node, based on cluster and appropriate responses; if necessary, it shares its findings with other neighboring cluster-heads to take proper decision, in collective. Reaction: each sensor node and cluster-head has re- sponding mechanisms which allow it to react to the intrusion situations. Internal components and modules which are existing into the CIDS’s architecture are (as shown in Figure 7): Cooperative and local monitoring: gathering, auditing and filtering primary data for detection engine mod- ule; audit data of a CIDS is communication activities into its radio range; these data usually are gathering by listening to the transmissions of corresponding cluster nodes and neighboring cluster-heads (CIDSs); Independent and local detection engine (cluster-head level): analyzing and comparing audit data, in at- tending and considering to the properties, given limi- tations and predefined rules and enforcing detection techniques; this component stores, imposes and oper- ates rely on specification-based detection method which describes correct operations; Collective detection engine: collector and the major- ity rule enforcement; if there was a document rely on intrusion; this module broadcast the information of local detection process state to the neighboring nodes. The same module in any cluster-head is gathering this information from entire neighboring cluster-heads and enforcing the majority rule to concluding if an intrusion is occurred or not (for taking requirement decisions on boundary nodes). Decision making module: including local decision making and cooperative decision making; Response module: it is possible to divide responses into two categories, according to the attack nature; i.e.: direct response and indirect response; once an intru- sion occurred, node or compromised area will be de- tected and this module will does proper actions; in- cluding: disconnecting session, isolating intruder and malicious area (compromised nodes), preventing the malicious/suspicious node from entire WSN’s routes, network recovery, improving the used routing proto- col, producing and using new secret keys, notifying to the WSNIDS and associated node by corresponding cluster-head (s), reducing the quality estimation of the link to that node. According to the independent and autonomous behavior of WSNs, these functions must be doing without human agent intervention and in limited time. Communication mechanism: this module is using to establish communication between inter-cluster sensor nodes, neighboring cluster-heads and the central server. 5.3. Wireless Sensor Network-Based Intrusion Detection System (WSNIDS: WSN Wide Level IDS) The WSNIDS place on the highest level of the proposed architecture; i.e. it installs and deploys on the heterogene- Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY Copyright © 2011 SciRes. WSN 254 ous central server and management part. As Figure 8 shows, this is a comprehensive IDS which has some of complete info-bases including a series of comprehensive and integrated policy-bases along with some agents to distinguishing anomalies. Also, the hosting system and deployment location of this IDS is a powerful system which has high software and hardware equipments and capabilities. Figure 8 represents the basic architecture of the WSNIDS in form of existent main modules and proce- dures into the system (WSNIDS); this system is doing many activities, such as: distinguishing the referral traffic from cluster-heads, full processing, analyzing and detect- ing, logging, performing associated and appropriate re- sponses, and then, tracking and forensic analysis (ac- cording to Figures 8 and 9). Following figure (Figure 10) is showing the data flow into the WSNIDS, in more detailed. As shown Figures 8-10, the WSNIDS is based on analyzing audit data, detected events by cluster-heads and inference the WSN’s behaviors. The taken approach in the WSNIDS has following features: Figure 8. The basis architecture of the WSNIDS. Figure 9. The WSNIDS work flow.
H. JADIDOLESLAMY255 Figure 10. The WSNIDS data flow. Using an agent and policy-based platform; There are four different layers, including: acquisition and preprocessing traffic layer, processing and analyzing layer, decision making and response layer and tracking and forensic analysis layer; also, it has a user interface in different layers. 5.4. The Major Properties of the Proposed Architecture The suggested system has following features: Distributed, hierarchical and cooperation-based struc- ture (based on participation of sensor nodes, cluster- heads and the central system to each others); Efficiency, high performance, optimal energy con- sumption and increase the WSN lifetime and its sta- bility; Independent and autonomous SIDSs; Independence and autonomous CIDSs; they do not have any dependency to each other, or they have minimum dependency (else about decision making on boundary sensor nodes); however, each CIDS does its functions independently, almost entirely. Most of times, it also takes decisions, itself/alone (else about boundary nodes). Ease of extensibility, too much scalability and high flexibility; Powerful detection process (since there are SIDSs on sensor nodes, CIDSs on the cluster-heads, WSNIDS on the central server, appropriate policies and rules and comprehensive info-bases); IDSs based on agent and policy; It allows to use authentication and authorization me- chanisms for different levels of the proposed archi- tecture; for example, SIDSs to the associated CIDSs and CIDSs to the WSNIDS, to establishing secure communications between different existent IDSs and preventing from intrusion of unauthorized systems; Providing information to tracking attackers (support- ing forensic analysis, detecting and finding attackers Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY 256 on cyber space for preventing from electronic crimes); The performance of the proposed model is depending on response time (time consumed to search and find- ing appropriate pattern for query matching into the info-bases like policy-base); Fault tolerant and dynamic reconfiguration: o Using backup network equipments, such as sensor nodes in low level and cluster-heads in medium level of the proposed architecture; i.e. there are some backup sensor nodes and backup cluster-heads; o Using backup agents into the IDSs; o Clusters overlapping (increased stability); o Existing dynamic reconfiguration agents for each SIDS, CIDS, and the WSNIDS; o Updating resources and info-bases in manual or automatic; for example, by using new patterns of at- tacks, or dynamic and manual/automatic change of thresholds, but in attending to the current conditions of the WSN; or changing the response type once an event occurred; Security considerations: o IDS protection (monitoring the health state of IDSs and their hosting systems, continuously); o The architecture is dependence to the network data flow; o Existence logging capabilities; o Using cryptography and secret key to exchange in- formation between sensor nodes and associated clus- ter-heads, and between cluster-heads and the central server (WSNIDS), to preventing from intrusion and avoiding from establishing unauthorized direct com- munication to IDSs through unauthorized systems. 6. Results This paper has been designed a questionnaire to verify the proposed system. The prepared questionnaire is in- cluding some questions about different aspects and prop- erties of the IDA; it also discusses the high-level and general requirements of IDSs, which focused on IDSs’ performance and functionality. The properties and their associated questions are classified into 6 categories, in- cluding: processing and managing properties, operational, output, technical and finally, special and high-level properties. The questionnaire is presented to some ex- perts in WSN and IDS areas (almost 50 people). Then, the acquired result has been analyzed and evaluated in form of following tables and figure. 6.1. Preprocessing and Processing Properties As Table 1 is showing, the proposed architecture sup- ports different dimensions of IDSs’ processing properties. For example, the IDA’s monitoring level is almost 98.7 percent; i.e. it covers the WSN’s components such as sensor nodes, cluster-heads and the central server, almost completely. Also, the extendibility capability of the IDA is about 84.9 percent. Besides, the IDA has dynamic re-configurability capability about 75.6 percent. The suggested system is supporting local/remote control and distributed databases capabilities. It is evaluated the IDA is including the properties of processing and managing category of IDSs’ requirements about 86.4 percent, in average. 6.2. Operational Properties Table 2 is representing the different aspects of the IDA’s operational requirements. According to the following table, the IDA supports real-time detection property al- most 82.3 percent. Also, it has the content-based (body of a packet) detection and context-based (header of a packet) detection capabilities about 94.5 and 66.8 percent, in order. The proposed system is independent of used platform and Operating System (OS); in other words, it is supporting multiple platforms and multiple OS. The suggested system supports hierarchical reporting struc- ture and it reacts to the attacks, automatically; i.e. into the IDA, sensor nodes report and communicate to the cluster-heads and cluster-heads report and communicate to the central server. Finally, the IDA is included the properties of this IDSs’ requirement category about 81.2 percent, in total. Table 1. Processing properties of the IDA. Functional properties Non-Functional properties No. Question Yes No In percentage (0 - 100) : Total average 1 Monitoring level ― 98.7 2 Extendibility and flexibility ― 84.9 3 Dynamic re-configurability capability ― 75.6 4 Local and remote control capabilities Yes ― 5 Distributed databases capabilities Yes ― Average (percentage) ― 86.4 Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY257 Table 2. Operational properties of the IDA. Functional propertiesNon-Functional properties No. Question Yes No In percentage (0 - 100) : Total average 1 Gathering intrusion detection and vulnerability data in real-time and non real-time ― 82.3 2 Content-based detection capability ― 94.5 3 Context-based detection capability ― 66.8 4 Supporting multiple platforms and multiple OS Yes ― 5 Hierarchical reporting structure Yes ― 6 Automatic reaction to the intrusions Yes ― Average (percentage) ― 81.2 6.3. Output Requirements Following table (Table 3) shows the IDA has different characteristics in output requirement area, including: it can make attackers profile, security profile and system profile; of course, by attending and using the logged in- formation and data flow into the WSN. 6.4. Technical Requirements Table4 is representing and questioning the IDA’s tech- nical properties. For example, ease of implementation of the proposed system is evaluated about 91.2 percent; the IDA has fault tolerant, scalability, robustness and safety capabilities, each one almost 83.4, 95.1, 72.5 and 78.6 percent, in order. Also, the suggested system can using cryptography and digital signature, key management, authentication and authorization mechanisms to estab- lishing secure connections between different levels of the WSN’s components. Besides, the IDA is an efficient system; since it does not enforce extra load to the WSN resources and its normal functionalities. As a result, the proposed architecture supports different properties of this IDSs’ requirement category about 84.2 percent, in aver- age. 6.5. Special and High-Level Properties of the IDA Following table (Table 5) represents and considers the required especial and high-level properties of the IDA. As the acquired result of the questionnaires shows, the proposed system has distributed and hierarchical archi- tecture, based on cooperation of sensor nodes, cluster- heads and the central server to each others; also, the CIDSs are independent than each others (about 84.5 per- cent). The IDA is included centralized management on the WSN resources (such as info-bases) and its compo- nents. The proposed system supports localize auditing capability; i.e. SIDSs and CIDSs can operate by using partial and local auditing data, in sensor-level and clus- ter-head level (almost 94.7 percent). This system is in- cluded minimize resources property; i.e. It has attention to the minimize resources property, in the design phase and it tries to consume energy, in appropriate (90.3 per- cent). This architecture supports accurate management of resources, non-enforcing extra load to the WSN and monitoring the health state of IDSs and the WSN com- ponents. The IDA is including truly distributed property; i.e. it is gathering and analyzing data in some determined locations, such as cluster-heads; also, it does not enforce extra load to the some determined nodes (it is using dis- tributed approach about 82.2 percent). The proposed system is a secure architecture; i.e. it is resistant and ro- bust against attacks (almost 79.8 percent); so, if one or more sensor node (their SIDSs) or a cluster-head and associated CIDS be compromised, it should not be leads to missing the control on the WSN; for example, re- moving an authorized node from the network or non-detection of an attacker node. The IDA has central- ized control on inter-components data communications and interactions from the central server, by user. The level of interaction between different network compo- nents in its different levels to each others in the same or different levels of the network (between sensor nodes and CIDSs, between CIDSs to each others, between CIDSs and the WSNIDS) is almost 93.5 percent. This system can detect chaining attacks by using powerful detection process and audit trial mechanisms (about 65.8 percent). The IDA is evaluated as an optimal system in energy consumption; since, it is attending to the energy consumption in designing step (almost 81.4 percent). The strength of detection process on the proposed system is evaluated about 96.9 percent (because there is strong and big info-bases and hierarchical detection process). The IDA has attention to taking back-up designs; i.e. it sup- ports the back-up components and performs operations such as buffering. The IDA’s efficiency and its func- tionality are depending on to the network data flow; its dependability is evaluated almost 86.5 percent. The sug- gested architecture is consistent to the centralized and autonomous operations in different levels of WSNs; its consistency is evaluated about 89.3 percent. The pro- posed system is providing the possibility of updating and configuring network components from different con- trol locations; i.e . it is possible to configure sensor nodes Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY 258 Table 3. Output properties of the IDA. Functional properties Non-Functional properties No. Question Yes No In percentage (0 - 100) : Total average 1 Making attackers profile Yes ― 2 Providing security profile Yes ― 3 representing the system profile Yes ― Average (percentage) ― ― Table 4. Technical properties of the IDA. Functional propertiesNon-Functional properties No. Question Yes No In percentage (0 - 100) : Total average 1 Ease of implementation ― 91.2 2 Fault tolerant capability ― 83.4 3 Scalability ― 95.1 4 Robustness ― 72.5 5 Safety (against unauthorized access) ― 78.6 6 Possibility of using key management and authentication mechanisms Yes ― 7 Enforcing extra load to the WSN No ― Average (percentage) ― 84.2 Table 5. Special and high-level properties of the IDA. Functional propertiesNon-Functional properties No. Question Yes No In percentage (0 - 100) : Total average 1 Distributed and hierarchical architecture, based on cooperation Yes ― 2 Undependability of CIDSs ― 84.5 3 Centralized management on the WSN Yes ― 4 Localize auditing capability ― 94.7 5 Minimize resources property ― 90.3 6 Accurate management of resources and monitoring the health state of IDSs and the WSN components Yes ― 7 Truly distributed ― 82.2 8 The IDA security ― 79.8 9 Centralized control on inter-components data communications Yes ― 10 Interaction level between different network components ― 93.5 11 Ability to detecting chaining attacks ― 65.8 12 Attending to the energy consumption ― 81.4 13 Strength of detection process ― 96.9 14 Possibility to taking back-up designs Yes ― 15 Data flow dependability ― 86.5 16 Consistency to the centralized and autonomous operations of the WSN ― 89.3 17 Existing different control locations Yes ― 18 Ease of updating ― 84.9 19 Possibility to updating the IDSs (SIDSs, CIDSs and the WSNIDS)and operational using of them, simultaneously Yes ― 20 Combinational decision making technique Yes ― Average (percentage) 85.8 from cluster-heads and the central server; or configuring cluster-heads from the central server. Ease of updating and integrating new capabilities and new functionalities to the proposed system is almost 84.9 percent. It is also possible to update the IDSs (SIDSs, CIDSs and the WSNIDS) and operational using of them, simultaneously. The proposed system supports combinational decision making technique; i.e. it is possible to making decisions autonomously (by SIDSs and CIDSs) and if necessary, taking cooperative decisions (by CIDSs, collector and the WSNIDS). As a result, the IDA is included different properties of this IDSs’ requirement category almost 85.8 percent, in total. 7. Conclusions The purpose of this paper is discussing the intrusion de- tection problem on WSNs and designing an Intrusion Detection Architecture (IDA) for these networks, of course by attending to their constraints. The suggested Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY259 system depends on situations, the WSN’s application area, the requirement security level and other things such as its cost, can be used and implemented in 1, 2 or 3 lev- els; including: SIDSs (monitoring the local host) on the sensor nodes, CIDSs (surveillance, monitoring and con- trol in cluster-level) on cluster-heads and the WSNIDS (monitoring and control in the WSN-wide level) on the central management system. The main attributions of the suggested architecture are as following: The IDA properties: hierarchical, distributed, scalable fault tolerant, robustness and clustering; o Distributed systems are more scalable and more robust; The proposed IDSs (SIDS, CIDS and WSNIDS) properties: based on agent and policy, independent and autonomous agents, strong and comprehensive info-bases, dynamically reconfigurable, scalable, component-based and modular, fault tolerant and ro- bustness, high-flexibility, host-based (SIDS) and network-based (CIDS and WSNIDS) architectures; Detection method: o Combinational (specification-based); o Uncentralized (detection in 1, 2 or 3 levels); be- cause these networks are application-oriented; Decision making approach: combinational; o About each sensor node, the associated SIDS makes decision, independent and autonomously; o About each cluster, the corresponding cluster-head (CIDS) makes decision, independently and autonomously; o About anomaly occurrence or boundary nodes, as- sociated SIDSs and CIDSs, collector and the WSNIDS make final decision, cooperatively; o About some cases of anomalies, existent informa- tion is presented to the human agent; Response method: combinational; i.e. active response and passive response, depending on to the conditions and the attack’s nature; Fast and real-time detection process and response: reducing the response time by using caching and buffering techniques to preventing from scrolling the entire file for a repeated event or using better mecha- nisms for query in policy-bases; besides, SIDSs and CIDSs are very near to attackers; Comparative and multi-agent detection process to detecting attacks along with low error rate; The heterogeneous WSN and IDSs; Consistent with automatic, autonomous and inde- pendent mechanisms of WSNs; Possibility of centralized management on systems and resources by using the WSNIDS; Focused on routing layer, mainly; According to the Tables 1, 2, 4 and 5, the following table (Table 6) is representing integrated average values of different IDSs’ requirement classes. According to the Table 6, following figure (Figure 11) is formed. Figure 1 is showing the sum average values of different IDSs’ properties categories; in other words, the IDA supports different categories of IDSs’ required properties (as Figure 11 shows). As above figure shows, the processing and managing properties of the suggested system has been assessed almost 86.4 percent, in average; i.e. the IDA supports different aspects of this requirement category about 86.4 percent. Also, the supported operational and technical properties by the proposed architecture have been evaluated about 81.2 and 84.2 percent, in order. The proposed system is included especial and high- level required properties of IDSs almost 85.8 percent, in general. As a result, the proposed system is in- cluded different IDSs’ requirement categories almost 84.3 percent, in total average. In summarize, the posed model in this paper is a com- prehensive model which has some main properties such as robustness, scalability, responsively, extensibility and incremental matching along with environment changes and its new conditions. Also, the IDA is focused on inte- grating the accessible tools in security area of computer networks (like IDSs, logging, tracking and forensic analysis systems). This model is a distributed model for intrusion detection on WSNs, which it is designed as even it can operates by only using minor and local acces- sible information in each sensor node, cluster and clus- ter-head; i.e. it can uses from the local sensor-level and cluster-wide information to detects intrusions by SIDSs or CIDSs. Also, if necessary, sensor nodes, cluster-heads and the central server cooperate to each others to take an appropriate decisions about if an attack occurred, or not; in other words, they share their information to each oth- ers, with associated CIDSs, collector and if necessary, with the WSNIDS, to detect and make final decision on detected anomaly. It is hoped to this research able us to Table 6. Total average value of different properties category. No. Properties class Total average value (in percentage) 1 Preprocessing, processing, assessing and managing properties86.4 2 Operational properties 81.2 3 Technical properties 84.2 4 Special and high-level properties 85.8 Average value (in percentage) 84.3 Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY 260 86.4 81.2 84.2 85.8 84.3 78 79 80 81 82 83 84 85 86 87 Total average value Category of properties Sum average values of different IDSs' properties categories Processing category86.4 Operational category81.2 Technical category84.2 Special and High-level85.8 Total Average84.3 Processing OperationalTechnicalHigh-levelTotal Average Figure 11. The sum average values of different IDSs’ properties categories. improving the security level of WSNs. 8. Future Works Some of research areas in this domain to improve and extend the proposed model capabilities are: Improving response scheduling, priority responses and having more control on response production mechanism; Providing higher level of security, fault tolerant and robustness for suggested architecture; Centralizing more detailed information about system activities for forensic analysis; Efficient data management; Developing user friendly interfaces which allow dy- namic reconfiguration of systems (the SIDSs, CIDSs and the WSNIDS) and representing the activities of these systems, in graphical; Approaches for data aggregation in WSNs’ different protocols; Techniques for using of mobile nodes in WSNs; Work in this area always is growing and as the WSNs are changing, and their utility, performance and applica- tion are increasing, the security threats also are increas- ing; so, architectures and IDSs to protecting WSNs against different types of attacks will be required, more and more. 9. References [1] S. Mohammadi, R. A. Ebrahimi and H. Jadidoleslamy, “A Comparison of Routing Attacks on Wireless Sensor Networks,” International Journal of Information Assur- ance and Security, Vol. 6, No. 3, 2011, pp. 195-215. [2] S. Mohammadi and H. Jadidoleslamy, “A Comparison of Link Layer Attacks on Wireless Sensor Networks,” In- ternational Journal of Information Security, Vol. 2, No. 2, 2011, pp. 69-84. Copyright © 2011 SciRes. WSN
H. JADIDOLESLAMY261 [3] S. Mohammadi and H. Jadidoleslamy, “A Comparison of Transport and Application Layers Attacks on Wireless Sensor Networks,” International Journal of Information Assurance and Security, Vol. 6, 2011, pp. 331-345. [4] B. Krishnamachari, D. Estrin and S. Wicker, “The Im- pact of Data Aggregation in Wireless Sensor Networks,” International Workshop on Distributed Event-Based Sys- tems, Vienna, July 2002, pp. 457-458. [5] K. Sharma and M. K. Ghose, “Wireless Sensor Networks: An Overview on Its Security Threats,” International Journal of Computers and Their Applications, Vol. 1, Special Issue on “Mobile Ad-hoc Networks”, 2010, pp. 42-45. [6] S. Mohammadi and H. Jadidoleslamy, “A Comparison of Physical Attacks on Wireless Sensor Networks,” Interna- tional Journal of Peer to Peer Networks, Vol. 2, No. 2, 2011, pp. 24-42. doi:10.5121/ijp2p.2011.2203 [7] M. Saxena, “Security in Wireless Sensor Networks: A Layer-based Classification,” Department of Computer Science, Purdue University, 2011. https://www.cerias.purdue.edu/apps/reports_and_papers/v iew/3106 [8] T. A. Zia, “A Security Framework for Wireless Sensor Networks,” Doctor of Philosophy (PhD) Thesis, The School of Information Technologies, University of Syd- ney, 2008. [9] A. Perrig, R. Szewczyk, V. Wen, D. Culler and D. Tygar, “SPINS: Security Protocols for Sensor Networks,” Pro- ceedings of 7th Annual International Conference on Mo- bile Computing and Networks, Rome, July 2001. [10] Z. Li and G. Gong, “A Survey on Security in Wireless Sensor Networks,” Department of Electrical and Com- puter Engineering, University of Waterloo, Canada, 2011. http://www.cacr.math.uwaterloo.ca/techreports/2008/cacr 2008-20.pdf [11] J. Yick, B. Mukherjee and D. Ghosal, “Wireless Sensor Network Survey,” Elsevier’s Computer Networks, Vol. 52, No. 12, 2008, pp. 2292-2330. doi:10.1016/j.comnet.2008.04.002 [12] A. Dimitrievski, V. Pejovska and D. Davcev, “Security Issues and Approaches in WSN, Department of computer science,” Faculty of Electrical Engineering and Informa- tion Technology, Skopje, 2011. http://ict-act.org/ICTInntions.../ictinnovations2009_subm ission_21.pdf [13] C. Karlof and D. Wagner, “Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures,” Pro- ceedings of the 1st IEEE International Workshop on Sen- sor Network Protocols and Applications, Alaska, 11 May 2003, pp. 113-127. [14] R. A. Kemmerer and G. Vigna, “Intrusion Detection: A Brief History and Overview,” Computer Society, Vol. 35, No. 4, 2002, pp. 27-30. doi:ieeecomputersociety.org/10.1109/MC.2002.10036 [15] Ch. Krügel and Th. Toth, “A Survey on Intrusion Detec- tion Systems,” TU Vienna, Austria, 2000. [16] A. K. Jones and R. S. Sielken, “Computer System Intru- sion Detection: A Survey,” University of Virginia, 1999. [17] K. Scarfone and P. Mell, “Guide to Intrusion Detection and Prevention Systems (IDPS),” NIST 800-94, Feb 2007. [18] G. Maselli, L. Deri and S. Suin, “Design and Implemen- tation of an Anomaly Detection System: an Empirical Approach,” University of Pisa, Italy, 2002. [19] S. Northcutt and J. Novak, “Network Intrusion Detection: An Analyst’s Handbook,” New Riders Publishing, Thou- sand Oaks, 2002. [20] V. Chandala, A. Banerjee and V. Kumar, “Anomaly De- tection: A Survey, ACM Computing Surveys,” University of Minnesota, September 2009. [21] J. Molina and M. Cukier, “Evaluating Attack Resiliency for Host Intrusion Detection Systems,” Information As- surance and Security Journal, Vol. 4, 2009. pp. 1-9. [22] S. Zanero and S. M. Savaresi, “Unsupervised Learning Techniques for an Intrusion Detection System,” Proceed- ings of ACM Symposium on Applied Computing, New York, 2004, pp. 412-419. doi:10.1145/967900.967988 [23] S. Selliah, “Mobile Agent-Based Attack Resistant Archi- tecture for Distributed Intrusion Detection System,” MSc Thesis, College of Engineering and Mineral Resources at West Virginia University, 2001. [24] O. Depren, M. Topallar, E. narim and M. K. Ciliz, “An Intelligent Intrusion Detection System (IDS) for Anomaly and Misuse Detection in Computer Networks,” Expert Systems with Applications, Vol. 29, No. 3, 2005, pp. 713- 722. [25] V. Handziski, A. K’opke, H. Karl, C. Frank and W. Dryt- kiewicz, “Improving the Energy Efficiency of Directed Diffusion Using Passive Clustering,” Proceedings of 1st European Workshop on Wireless Sensor Networks, Ber- lin, 2004, pp. 172-187. Copyright © 2011 SciRes. WSN
|