State of the Art and Challenges

ANOMALY BASED DETECTION

Anomaly based detection (Callegari, Giordano, & Pagano, 2009) analyzes the network activity in order to identify possible threats. The activity profiles are constructed by analyzing the characteristics of the network components, e.g., nodes, users or applications. The major advantage of anomaly-based methods is that they can efficiently detect unknown threats. However, these methods produce numerous false positives (i.e., legitimate activity identified as malicious), especially in dynamic systems where allowable activities can easily be misclassified.

Distributed and Cooperative Techniques

Shrestha et al. (2009) devised an intrusion detection solution with authentication capability in MANET. In their embodiment, which is similar to (Zhang & Lee, 2000), each node is equipped with an IDS module which collects, analyzes and detects local events (e.g., the network packets). Additionally, the nodes communicate with each other in order to detect intrusions cooperatively. To increase the security of the transmitted data, an authentication scheme based on hash chains is devised. However, executing an IDS in each node consumes memory (Chen & Leneutre, 2009). Furthermore, the experimental tests are not sufficient to prove the effectiveness of the proposed solution.

Krontiris et al. (2009) devised the first general framework for intrusion detection in WSNs that is focused on the collaboration between sensors. The scheme considers only the case where the IDS attempts to identify a single malicious node, since this situation is already very complex. Another important assumption is that each node “sees” its 2-hop neighbors. The intrusion detection proceeds in three steps:

Alerting. Each node is installed with an alert module whose aim is to locally detect attacks. Whenever the alert module of a node (called the alerted node) detects a suspicious activity in its vicinity, it outputs the set of suspected nodes (i.e., the suspected set). There may be more than one suspected set, since many nodes are alerted if a suspicious activity is present.

Voting. The suspected sets, which are cryptographically signed, are exchanged among all the alerted nodes with the aid of a broadcast message-suppression protocol similar to SPIN (Kulik, Heinzelman, & Balakrishnan, 2002). Since the nodes are not synchronized, an attacker can delay and forge its vote during this phase. The algorithm resolves this issue by relying on the alternative paths that may exist between the sensor nodes.

Revealing. Each alerted node, which knows the suspected sets of all other alerted nodes, identifies the node that appears most frequently and then exposes it. If the alerted nodes cannot reach agreement regarding the attacker, an additional step, called external ring enforcement, is applied, which consists in also taking into consideration the results of the neighbors of the alerted nodes. Hence, this procedure tries to break the uncertain situation by extending the result set.

The ROM and RAM requirements of the proposed solution are relatively low, taking as reference the Tmote Sky sensor architecture, which has 10KB of RAM and 48KB of program memory. The communication overhead is between 12 and 19 packets, and depends mainly on the topology of the network and the number of alerted nodes. Several variants of this scheme, which deal with the detection of specific attacks such as blackhole and sinkhole attacks, can be found in (Krontiris, Dimitriou, & Freiling, 2007; Giannetsos, Krontiris, & Dimitriou, 2009). In addition, Krontiris, Giannetsos, and Dimitriou (2008) give a lightweight implementation of this intrusion detection method based on mobile agents.
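The three steps above (alerting, voting, revealing, with external ring enforcement on a tie), as an added worked example in Python that is not code from Krontiris et al.: the topology, the local-alert observations and the pre-shared key are constructed, and an HMAC tag stands in for the signature on each suspected set. The SPIN-style broadcast suppression and the delayed-vote problem are not modelled; what the example does show is that a forged vote fails verification and is dropped before the count, and how a tie is broken by folding in the neighbours' results.

```python
"""Alert / vote / reveal over a small sensor topology.

Added example (not from the paper): the topology, the local-alert observations
and the pre-shared key are constructed, and an HMAC tag stands in for the
cryptographic signature on each suspected set.
"""
import hashlib
import hmac
from collections import Counter

KEY = b"constructed-group-key"  # assumption: key shared by the honest sensors

# Constructed undirected topology (node -> 1-hop neighbours).
TOPOLOGY = {
    "A": {"B", "C"},
    "B": {"A", "C", "D"},
    "C": {"A", "B", "D", "E"},
    "D": {"B", "C", "E", "F"},
    "E": {"C", "D", "F"},
    "F": {"D", "E"},
}


def two_hop_neighbors(node, topo=TOPOLOGY):
    """Nodes a sensor 'sees': its 1-hop and 2-hop neighbours, itself excluded."""
    one = set(topo[node])
    seen = one.union(*(topo[n] for n in one))
    seen.discard(node)
    return seen


def sign_vote(voter, suspected, key=KEY):
    msg = f"{voter}|{','.join(sorted(suspected))}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_vote(voter, suspected, tag, key=KEY):
    return hmac.compare_digest(sign_vote(voter, suspected, key), tag)


def alerting(observations, topo=TOPOLOGY):
    """Step 1. observations maps each node to the set its local alert module
    flagged. A node with a non-empty flagged set is an alerted node; its
    suspected set is clipped to what it can actually see (2-hop range) and
    signed. Returns {alerted_node: (suspected_set, tag)}."""
    votes = {}
    for node, flagged in observations.items():
        suspected = frozenset(flagged) & two_hop_neighbors(node, topo)
        if suspected:
            votes[node] = (suspected, sign_vote(node, suspected))
    return votes


def voting(votes, key=KEY):
    """Step 2. Alerted nodes exchange their signed suspected sets. A receiver
    keeps a vote only if its tag verifies, so a forged or altered vote is
    dropped instead of biasing the count."""
    return {v: s for v, (s, tag) in votes.items() if verify_vote(v, s, tag, key)}


def revealing(accepted, external_ring=None):
    """Step 3. Expose the node that appears in most suspected sets. On a tie,
    external ring enforcement folds in the neighbours' suspected sets
    (external_ring: {neighbour: suspected_set}) and recounts."""
    counts = Counter(n for s in accepted.values() for n in s)
    if not counts:
        return None
    ranked = counts.most_common()
    if len(ranked) == 1 or ranked[0][1] > ranked[1][1]:
        return ranked[0][0]
    if external_ring:
        counts.update(n for s in external_ring.values() for n in s)
        ranked = counts.most_common()
        if ranked[0][1] > ranked[1][1]:
            return ranked[0][0]
    return None  # still undecided


if __name__ == "__main__":
    # Constructed scenario: D is a blackhole; B, C and E notice dropped traffic
    # nearby but can each only narrow it down to a few candidates.
    observed = {"B": {"C", "D"}, "C": {"D", "E"}, "E": {"D", "F"}}
    print(revealing(voting(alerting(observed))))  # D
```

The clipping to the 2-hop neighbourhood in `alerting` is what makes the voting meaningful: every alerted node contributes a small candidate set, and only the real attacker sits in all of them. Replace the HMAC with the signature scheme the deployment actually uses; `compare_digest` keeps the tag check constant-time.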

Komninos and Douligeris (2009) proposed a multilayered intrusion detection framework for ad hoc networks. This type of intrusion detection is termed low-level IDS by Lauf et al. (2009), since it collects and analyzes data at the link and network layers. Due to the untrustworthy and distributed environment, the authors state that each node needs to have its own intrusion detection module. To perform the local detection, the IDS module of a node first collects the network data by means of a binary tree structure. Secondly, with the aid of the collected data, treated as data points, a unique polynomial is generated through Lagrange interpolation. Finally, an attacker is detected if the polynomial generated within the node converges in a predefined interval given by a secret function.

In addition, when more information is necessary to improve the detection, information from the neighboring nodes is used. This assumes that a secure connection between the nodes participating in the collaborative detection can be established. The cooperative detection is realized with the help of a linear threshold scheme, i.e., the shares of a secret are distributed to a set of nodes such that the shares form the secret through a linear combination. In the experimental setup, the anomaly detection solution, implemented for various proactive routing protocols, showed satisfactory results. However, the detection accuracy depends on the secret function, while the distribution of subshares causes a communication overhead for the cooperative intrusion detection.
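Lagrange interpolation over a prime field, and the linear threshold scheme built on it, as an added Python example (not the authors' implementation) covering both the local interpolation step and the cooperative share-combination step above. The prime, the secret and the sample points are constructed. The page does not specify the secret function or the convergence interval of the local detector, so that criterion is not reproduced; the threshold scheme is implemented as Shamir's construction, the standard linear threshold scheme, in which the Lagrange coefficients at x = 0 are exactly the weights of the linear combination through which the shares form the secret.

```python
"""Lagrange interpolation mod p and a (t, n) linear threshold scheme.

Added example, not the authors' code: prime, secret and sample points are
constructed; the paper's convergence-interval criterion is not specified on
the page and is therefore not reproduced.
"""
import secrets

P = 2**127 - 1  # assumption: any prime larger than the secret works


def interpolate_at(points, x, p=P):
    """Evaluate at x the unique polynomial of degree < len(points) that passes
    through the given (x_j, y_j) pairs, all arithmetic mod p."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % p
                den = den * (xj - xm) % p
        total = (total + yj * num * pow(den, -1, p)) % p
    return total


def lagrange_coefficients(xs, p=P):
    """Weights lambda_j with f(0) = sum_j lambda_j * f(x_j): the linear
    combination through which the shares form the secret."""
    coeffs = []
    for j, xj in enumerate(xs):
        num, den = 1, 1
        for m, xm in enumerate(xs):
            if m != j:
                num = num * (-xm) % p
                den = den * (xj - xm) % p
        coeffs.append(num * pow(den, -1, p) % p)
    return coeffs


def make_shares(secret, threshold, n, p=P):
    """Dealer side: hide the secret as f(0) of a random polynomial of degree
    threshold-1 and hand node i the point (i, f(i))."""
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(threshold - 1)]

    def f(x):
        return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p

    return [(i, f(i)) for i in range(1, n + 1)]


def reconstruct(shares, p=P):
    """Any `threshold` shares recover the secret as a linear combination;
    fewer shares yield a value unrelated to it."""
    lam = lagrange_coefficients([x for x, _ in shares], p)
    return sum(l * y for l, (_, y) in zip(lam, shares)) % p


if __name__ == "__main__":
    shares = make_shares(0xC0FFEE, threshold=3, n=5)
    print(reconstruct(shares[:3]) == 0xC0FFEE)                         # True
    print(reconstruct(shares[2:]) == interpolate_at(shares[2:], 0))    # True
```

`reconstruct` and `interpolate_at(shares, 0)` compute the same value; the first is written out as the explicit weighted sum to show the "linear combination" the passage refers to. Note that the secrecy argument depends on the polynomial coefficients being drawn uniformly from the field, hence `secrets.randbelow` rather than the `random` module.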

In (Creti et al., 2009) a multigrade monitoring (MGM) approach for wireless ad hoc networks is introduced. The main idea is to employ sequentially two different intrusion detection approaches: a lightweight method that detects evidence of attacks and a heavyweight technique that has a low false negative rate and no false positives. For the lightweight method, the authors use local monitoring (Zhang & Lee, 2000), which is energy efficient but suffers from a high false positive rate. To mitigate this drawback, a second technique with high detection performance, called Route Verification (RV), is applied. However, the RV protocol consumes significant energy due to its communication overhead. In essence, the MGM approach provides a way to balance the security goals against the network resources.

Hierarchical Techniques

Hierarchical IDS techniques were proposed for those ad hoc networks that can be separated into clusters, i.e., sets of nodes that share common characteristics such as links, neighbors, affinities, etc. This type of network is composed of cluster heads, which are similar to switches, routers, or gateways, and monitored nodes. According to the node type, the intrusion detection operates locally in each monitored node and globally within the cluster heads.

Recently, Chen et al. (2010) proposed an isolation table intrusion detection technique (ITIDS) for hierarchical ad hoc networks. Briefly, this IDS merges two hierarchical intrusion detection methods: Collaboration-based Intrusion Detection (CBID) (Bhuse & Gupta, 2006) and Routing Tables Intrusion Detection (RTID) (Su, Chang, & Kuo, 2006). CBID uses the cluster heads to monitor and detect intrusions among the monitored nodes. In RTID, instead, intrusions are detected with the aid of the routing table. Unlike CBID, this scheme partitions the network into primary cluster heads, secondary cluster heads and monitored nodes (see Figure 5).

Furthermore, to reduce energy consumption, each malicious node that is detected is isolated and recorded in the isolation table. However, two aspects are not clear: firstly, the recovery procedure for the isolated nodes and, secondly, the memory and communication overhead induced by employing this detection approach.

Mobile agents have been used in IDS due to their capacity to move in large networks. Generally, several mobile agents are attached to each node, allowing the execution of the intrusion detection operations. Recently, several intrusion detection techniques that use agents have been devised. For instance, MUSK (Khanum et al.) is an architecture for hierarchical WSNs. Locally, each MUSK agent that detects an intrusion sends an intrusion report to the cluster head (CH) node. Afterwards, the CH applies, within the cluster for which it is responsible, a voting scheme to assess whether the intrusion occurred. If a real intrusion is detected, then the CH sends a message to the sink node, which gives the suitable response. The advantages of the proposed scheme are elimination of duplicate data, reduction of communication overhead and robustness against attacks carried out by nodes belonging to different clusters.

Figure 5. Cluster-based hierarchical ad hoc network: red nodes are the primary cluster heads (PCHs), green nodes are the secondary cluster heads (SCHs) and blue nodes are the member nodes (MNs) for the SCHs. Note that all the green and blue nodes are MNs for the PCHs.

Pugliese et al. (2009) proposed a novel IDS in clustered WSNs based on mobile agents and a non-parametric version of Hidden Markov Models (HMMs). An HMM is a stochastic finite state machine (FSM) that is generated by a stochastic process (the real state of the system). The real state of the system (i.e., the sensor network) is hidden but indirectly observable through another system that generates observable events. HMMs and the more general Markov chains have been applied to sensor networks (Cheng, 2009; Pugliese et al., 2009). To detect intrusions, the devised system correlates the hidden states with the sequences of observable events by applying a set of anomaly rules. The observable events are used to predict the hidden state of the system and assess whether an intrusion occurred. To improve the detection accuracy and reduce energy consumption, the authors replace the HMMs with weak process models (WPMs), which are “a non-parametric version of HMMs wherein state transition probabilities are reduced to rules of reachability” (p. 34, Pugliese et al. 2009). The estimation of the threats is reduced to the problem of finding the most probable state sequence of the HMM. In addition, the attacks are classified according to an attack score into low- and high-potential attacks. However, the scheme assumes that a secure routing protocol (Du & Peng, 2009) is in place, and that the control messages are encrypted and authenticated. Furthermore, the experimental tests show that the scheme has a high false positive rate and that the detection ability is restricted to flooding, sinkhole, and wormhole attacks.
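Finding the most probable hidden state sequence, the problem the threat estimation is reduced to, as an added Python example that is not Pugliese et al.'s code: a Viterbi decoder over a three-state intrusion HMM, the same decoder driven by reachability rules in the spirit of a WPM (every reachable successor equally likely, unreachable ones impossible), and a simple attack score. The states, the observation alphabet, all probabilities, the reachability rules and the high/low threshold are constructed assumptions, chosen only to make the decoding visible.

```python
"""Viterbi decoding of an intrusion HMM, plus a reachability-rule variant.

Added example, not Pugliese et al.'s code: states, observations,
probabilities, reachability rules and the score threshold are constructed.
"""
import math

ATTACK_STATES = {"flooding", "sinkhole"}

START = {"normal": 0.9, "flooding": 0.05, "sinkhole": 0.05}
TRANS = {
    "normal":   {"normal": 0.9, "flooding": 0.05, "sinkhole": 0.05},
    "flooding": {"normal": 0.2, "flooding": 0.8,  "sinkhole": 0.0},
    "sinkhole": {"normal": 0.1, "flooding": 0.0,  "sinkhole": 0.9},
}
# Observable events a monitoring agent can report for one time slot.
EMIT = {
    "normal":   {"rate_ok": 0.80, "rate_high": 0.10, "route_change": 0.05, "drop_high": 0.05},
    "flooding": {"rate_ok": 0.05, "rate_high": 0.85, "route_change": 0.05, "drop_high": 0.05},
    "sinkhole": {"rate_ok": 0.10, "rate_high": 0.05, "route_change": 0.45, "drop_high": 0.40},
}
# Weak-process style rules: which hidden states are reachable from which.
REACH = {
    "normal":   {"normal", "flooding", "sinkhole"},
    "flooding": {"flooding", "normal"},
    "sinkhole": {"sinkhole", "normal"},
}


def _lg(p):
    """Log-probability; impossible transitions/emissions become -inf."""
    return math.log(p) if p > 0 else float("-inf")


def viterbi(observations, start=START, trans=TRANS, emit=EMIT):
    """Return the hidden state path maximising P(states, observations)."""
    states = list(start)
    score = [{s: _lg(start[s]) + _lg(emit[s][observations[0]]) for s in states}]
    back = [{}]
    for t in range(1, len(observations)):
        score.append({})
        back.append({})
        for s in states:
            prev, best = max(((q, score[t - 1][q] + _lg(trans[q][s])) for q in states),
                             key=lambda qs: qs[1])
            score[t][s] = best + _lg(emit[s][observations[t]])
            back[t][s] = prev
    last = max(states, key=lambda s: score[-1][s])
    path = [last]
    for t in range(len(observations) - 1, 0, -1):
        path.append(back[t][path[-1]])
    return path[::-1]


def reachability_transitions(reach, states=tuple(START)):
    """Replace transition probabilities by rules: every reachable successor
    is equally likely, every unreachable one impossible."""
    return {q: {s: (1.0 / len(reach[q]) if s in reach[q] else 0.0) for s in states}
            for q in states}


def attack_score(path):
    """Fraction of decoded slots spent in an attack state, labelled high/low
    at 0.5 (the threshold is an assumption)."""
    score = sum(s in ATTACK_STATES for s in path) / len(path)
    return score, ("high" if score >= 0.5 else "low")


if __name__ == "__main__":
    events = ["rate_ok", "rate_ok", "rate_high", "rate_high", "rate_high", "rate_ok"]
    print(viterbi(events))
    print(viterbi(events, trans=reachability_transitions(REACH)))
    print(attack_score(viterbi(events)))
```

The decoder runs in O(T · |S|²) with log-probabilities to avoid underflow on long event sequences. The WPM variant keeps the emission model and only collapses the transition matrix to reachability, which is what removes the need to estimate (and store) transition probabilities on the sensor; on the constructed burst of `rate_high` events both variants decode the same flooding interval.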

The nature of ad hoc networks imposes the adoption of IDS that are dynamic and cooperative. Nevertheless, cooperative intrusion detection is a hard problem since the reputation of the nodes cannot be assessed in advance. A possible solution is to devise a trust model for the ad hoc network and then to employ it when aggregating multiple detection results. Following this idea, Wang et al. (2009) designed an IDS based on a trust model, called IDMTM. The interesting idea is the association of a trust value with each node of the network, computed as a function of its behavior. IDMTM runs on each node and consists of two modules: the interior and the exterior module. The former monitors several nodes through “evidence chains” and evaluates their trust values, while the latter carries out the trust recommendations and data aggregation. In order to lower the false positive rate, the trust value is categorized into several levels: compromised, minimum, medium, high, and highest. The experimental results show good detection performance, better than the algorithm proposed by Zhang and Lee (2000).
