International Journal of Engineering Science Invention Research & Development; Vol. III, Issue II, August 2016 www.ijesird.com, e-ISSN: 2349-6185
S.Kiruthika, L.Clenton, B.Balakumaran and V.jaiganesh ijesird, Vol. III, Issue II, August 2016/91
ANOMALY DETECTION IN WIRELESS SENSOR NETWORK
AND KEY RECOVERY ATTACKS
1S.Kiruthika, 2L.Clenton, 3B.Balakumaran, 4V.jaiganesh
1,2,3,4 UG Student, Dept. of CSE, IFET College of Engineering, Villupuram.
Email:[email protected]
Abstract: Anomaly and keyed intrusion detection in a Wireless Sensor Network (WSN) is of practical use in many applications, such as detecting an intruder in a sensor network. Intrusion detection is a mechanism by which a WSN detects the appearance of incorrect or anomalous moving attackers. Anomaly intrusion detection in wireless sensor networks has been one of the developing research areas in intruder detection in recent years. Wireless sensor networks (WSN) consist of small, useful devices. A fundamental issue is to characterize WSN parameters such as node density and node sensing range in terms of a desirable intrusion detection probability. Network parameters such as sensing, transmission, and node density have to be carefully considered at the network design stage. In this project, we derive the expected intrusion distance and calculate the detection probability in various applications of WSN. One such scheme is Anomaly KIDS (Keyed Intrusion Detection System), which is completely dependent on the secrecy of its key and provides storage allocation for the different key-generating mechanisms and the method used to generate the key for security purposes. In this scheme, an attacker can easily recover the key, on both WSN and cloud, by interacting with the Keyed Intrusion Detection System and observing the outcome. Hence, in this scenario, using both anomaly detection and KIDS cannot provide the required security standards.
Based on this survey, we need a scheme that gives more security in the cloud and on a personal computer, so that cloud storage can be used to protect our WSN. The proposed scheme is more secure and will be used to protect sensitive data in different domains, for example patient data registers in the healthcare domain such as personal details and history, and is used with both WSN and KIDS to provide more cloud storage on a system.
Keywords: KIDS, WSN, Anomaly, Security, Threats, Sensor Network, ADS
I. INTRODUCTION
Wireless ad hoc networks (WAHNs) consist of autonomous nodes that communicate with each other in a non-centralized manner via multi-hop routing. There are two main types of WAHNs, namely mobile ad hoc networks (MANET) and wireless sensor networks (WSN). WSNs support various potential applications such as environment monitoring, health monitoring, personal details monitoring, and military applications. A WSN consists of low-cost, small devices. Because they are generally deployed in unprotected environments, wireless sensor networks are vulnerable to various attacks. Security design is one of the most important factors for a WSN. There are two main techniques for security: prevention-based and detection-based solutions. Prevention-based techniques include encryption, valid authentication, etc.
Prevention-based techniques can't be applied to the WSN because of its limited resources and broadcast medium [1].
Detection-based techniques help to identify attacks from the system's functional behavior. There are various kinds of detection technique: anomaly based and signature based. This paper focuses on both anomaly-based detection and advanced intrusion detection systems. Most WSN research has been based on homogeneous and heterogeneous networks.
In a homogeneous WSN all the sensor nodes have the same capability, while in a heterogeneous WSN the sensor nodes may have differing capabilities.
Wireless networks can reduce the complexity of current networks. Although they reduce the current environment infrastructure, they are not adopted for all applications because of security concerns. An enormous amount of work has been done to solve these security issues. Anomalous node detection is the most critical security issue in wireless sensor networks.
II. RELATED WORK
An anomaly detection system (ADS) is software that helps detect unwanted attempts at accessing, manipulating, or disabling computers, mainly through a network.
These attempts may take the form of attacks by, for example, crackers, malware, and disgruntled employees. An ADS cannot directly detect attacks within properly encrypted traffic. An anomaly detection system is used to detect several types of malicious intruder-node behavior that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and viruses. Anomaly detection is one of the critical applications in WSNs, and recently several approaches for intrusion detection in homogeneous WSNs have been presented [3], [10], [11]. These approaches aim at effectively detecting the presence of an intruder.
First, it is investigated from the aspect of the network architecture.
Previous work explores the problem of computing optimal strategies to modify an attack so that it evades detection by a Bayes classifier. The authors formulate the problem in game-theoretic terms, where each modification made to an instance comes at a price, and successful detection and evasion have measurable utilities to the classifier and the adversary, respectively. They study how to detect such optimally modified instances by adapting the decision surface of the classifier, and also discuss how the adversary might react to this. The setting assumes an adversary with full knowledge of the classifier to be evaded. Shortly after, the question of how evasion can be done when such information is unavailable was studied. That work formulates the adversarial classifier reverse engineering problem (ACRE) as the task of learning sufficient information about a classifier to construct attacks, instead of looking for optimal strategies.
The authors use a membership oracle as an implicit adversarial model: the attacker is given the opportunity to query the classifier with any chosen instance to determine whether it is labeled as malicious or not. Consequently, a reasonable objective is to find instances that evade detection with an affordable number of queries. A classifier is said to be ACRE learnable if there exists an algorithm that finds a minimal-cost instance evading detection using only polynomially many queries. Similarly, a classifier is ACRE k-learnable if the cost is not minimal but bounded by k. Among the results given, it is proved that linear classifiers with continuous features are ACRE k-learnable under linear cost functions. Therefore, these classifiers should not be used in adversarial environments. Subsequent work generalizes these results to convex-inducing classifiers, showing that it is generally not necessary to reverse engineer the decision boundary to construct undetected instances of near-minimal cost. For the some open problems and challenges related to the classifier evasion problem. More generally, some additional works have revisited the role of machine learning in security applications, with particular emphasis on anomaly detection.
III. WIRELESS SENSOR NETWORK
A wireless sensor network is a wireless network consisting of widely distributed individual autonomous devices that use sensors to cooperatively monitor physical or environmental conditions, such as temperature, sound, vibration, pressure, motion or pollutants, at different locations in a network. The deployment of wireless sensor networks was originally motivated by military solutions such as battlefield surveillance. The detection probability is expressed in terms of network parameters, and our work is important for a network planner designing WSNs for intrusion detection applications. The work considers the anomaly intrusion detection problem in a heterogeneous WSN and provides fundamental analytical results; the results indicate an improvement in detection quality in a heterogeneous WSN, as compared to a homogeneous WSN, for both the single-sensing detection and the multiple-sensing detection scenarios.
We have modeled the network connectivity and broadcast reachability in a heterogeneous WSN [19], which serve as the necessary conditions for achieving a desirable detection probability.
Fig: Anomaly moved area.
A sensor node is a small and simple device with limited computational capability and broadcast network access power. Wireless sensor networks are most commonly provisioned to consist of a large number of inexpensive nodes reporting their data to a central and more capable sink node using multi-hop transmission. Commonly, it is assumed that sensors will be equipped with non-rechargeable batteries and will be left unattended after deployment. However, current and foreseeable future technology puts severe constraints on the energy resources of sensor devices. Hence, because long-term operation of nodes with limited battery energy is the main design bottleneck of sensor networks, sensor network protocols have to be designed to operate with minimum resource utilization. Security solutions for sensor networks also have to be designed for limited computational power.
Fig: WSN in keyed IDS
IV. ANOMALY STRATEGY MODEL
As illustrated, we consider two intrusion strategies for the movement of the intruder in a WSN. If the intruder (say, a panzer) already knows its destination before entering the network domain, it follows the shortest path to approach the destination. The intrusion path is a straight line from the entering point to the destination. The main idea behind this concept is that straight movement causes the least risk for the intruder, because following a straight line toward the destination minimizes the area it has to explore. The corresponding intrusion detection area S1 is determined by the sensor's sensing range rs and the intrusion distance D1. The intruder can be detected within the intrusion distance D1 by any sensor(s) situated within the limited area S1. If the intruder does not know its destination, it moves in the network domain in a random manner.
It is assumed that the intruder tends to minimize the overlapping on its path. Thus, the intrusion path of the intruder can be regarded as a non-overlapping curved line, and the intrusion area is accordingly a curved band S2. In the above two strategies, if the intruder travels the same distance, i.e., D1 = D2, the corresponding intrusion detection areas approximately satisfy the condition S1 = S2. Therefore, we adopt a straight path in the following discussion, and the analytical results can be directly applied to the case of the curved path. The intruder can start its intrusion from the network boundary or from a random point inside the network domain. In the latter case the intruder can be dropped from the air and start from any point in the network domain. There are two detection models to recognize an intruder: the single sensing detection model and the multiple-hop sensing detection model. The intruder is detected under the single-hop sensing detection model if it can be detected using the sensing knowledge from one single sensor. On the contrary, in the multiple-hop sensing detection model, the intruder can be detected only by using cooperative knowledge from at least k sensors (k is defined by specific application requirements).
V. ANOMALY IDENTIFICATION SYSTEM
Intrusion Distance
The intrusion distance, denoted by D, is the distance that the intruder travels before it is detected by a WSN. It is the distance between the point where the intruder enters the WSN and the point where the intruder gets detected by any sensor(s). The Maximal Intrusion Distance D is the maximal distance allowable for the intruder to move before it is identified by the WSN.
Detection Probability
The detection probability is defined as the probability that an intruder is detected within a certain intrusion distance.
Average intrusion distance
The average intrusion distance is defined as the expected distance that the intruder travels before it is detected by the WSN for the first time.
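The three quantities defined above can be computed once a deployment model is fixed. The following is an added example, not taken from the paper: it assumes sensors are scattered as a Poisson process with a given density, a straight intrusion path, and a covered area made of a rectangle plus an end cap; function names and parameter values are illustrative.

```python
import math

def detection_area(d, rs, from_boundary=True):
    """Area covered by sensing range rs along a straight path of length d.

    Assumed geometry: a 2*rs-wide rectangle plus a half disc at the far end
    (boundary entry) or a full disc (entry at a random interior point).
    """
    caps = math.pi * rs ** 2 * (0.5 if from_boundary else 1.0)
    return 2 * rs * d + caps

def p_detect(d, rs, density, k=1, from_boundary=True):
    """P[at least k sensors can sense the intruder within distance d].

    Assumes sensors form a Poisson process with `density` nodes per unit area,
    so the sensor count in the area is Poisson with mean density * area.
    k=1 is single-sensing detection; k>1 needs k cooperating sensors.
    """
    mean = density * detection_area(d, rs, from_boundary)
    miss = sum(math.exp(-mean) * mean ** i / math.factorial(i) for i in range(k))
    return 1.0 - miss

def average_intrusion_distance(rs, density, k=1, d_max=2000.0, step=0.5):
    """Expected distance before first detection: integral of P[D > x] dx.

    Midpoint rule, truncated at d_max (assumed large enough that the tail
    probability is negligible for the chosen parameters).
    """
    total, x = 0.0, 0.0
    while x < d_max:
        total += (1.0 - p_detect(x + step / 2, rs, density, k)) * step
        x += step
    return total

def min_density(d, rs, target, k=1):
    """Smallest node density giving detection probability >= target within d."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    lo, hi = 0.0, 1.0
    while p_detect(d, rs, hi, k) < target:   # grow the bracket if needed
        hi *= 2
    for _ in range(60):                      # bisection on a monotone function
        mid = (lo + hi) / 2
        if p_detect(d, rs, mid, k) >= target:
            hi = mid
        else:
            lo = mid
    return hi

if __name__ == "__main__":
    # Constructed parameters: 10 m sensing range, 0.001 nodes per square metre.
    rs, lam = 10.0, 0.001
    for d in (0, 50, 100, 200):
        print(d, round(p_detect(d, rs, lam), 3), round(p_detect(d, rs, lam, k=3), 3))
    print("average intrusion distance:", round(average_intrusion_distance(rs, lam), 2))
    print("density for 90% within 50 m:", round(min_density(50, rs, 0.9), 5))
```

For a network planner, `min_density` turns a required detection probability within a maximal intrusion distance into a node density, and raising k shows how much extra density cooperative sensing costs.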
1. Adversarial Learning process
Machine learning has been widely used in security-related tasks such as malware and network intrusion detection and spam filtering, where the major problem is to distinguish between malicious and legitimate samples, so that evasion can be classified. These problems are challenging for machine learning algorithms due to the presence of intelligent and adaptive adversaries who can carefully manipulate the input data to downgrade the performance of the detection system, violating the underlying assumption of data stationarity, i.e., that training and test data follow the same distribution.
2. Evasion preventing process
Kolesnikov et al. [5] introduce a new class of polymorphic attacks, called polymorphic blending attacks, that can effectively evade byte frequency-based network anomaly IDS by carefully matching the statistics of the mutated attack instances to the normal profiles. The proposed polymorphic blending attacks can be viewed as a subclass of mimicry attacks. The authors take a systematic approach to the problem and formally describe the algorithms and steps required to carry out such attacks. They not only show that such attacks are feasible but also analyze the hardness of evasion under different circumstances. They present detailed techniques using PAYL, a byte frequency-based anomaly IDS.
Several application payload-based anomaly IDS have been proposed which monitor the payload of a packet for anomalies. In [6], Kruegel et al. proposed four different models, namely length, character distribution, probabilistic grammar, and token finder, for the detection of HTTP attacks.
PAYL, proposed by Wang and Stolfo [7], records the average frequency of occurrences of each byte in the payload of a normal packet. A separate profile is created for each port and packet length.
3. KIDS: A Keyed Intrusion Detection System
Mrdovic and Drazenovic [2] proposed the Keyed Intrusion Detection System, in which a secret key plays an important role. It is a network anomaly detector that inspects packet payloads. The proposed method has 3 important steps for implementation of the key.
1) Training Mode
In training mode the payload is divided into words. A word is a sequence of bytes located between delimiters. Any special two bytes are assigned to the secret set S. This set S is then used to classify normal words and their frequency counts.
2) Detection Mode
In detection mode the anomaly score is computed according to the word frequency counts.
3) Key Selection
The key is selected after scoring it and checking its detection quality. Repeating all three steps generates a new key each time.
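A toy sketch of the three KIDS steps described above, added here for illustration and not the code of Mrdovic and Drazenovic: the scoring formula (mean of 1/(1+count) per word), the quality measure, the key size and the sample payloads are all assumptions constructed for this example.

```python
import secrets
from collections import Counter

# Constructed sample traffic (not real captures).
NORMAL = [b"GET /index.html HTTP/1.1", b"GET /about.html HTTP/1.1",
          b"GET /index.html?lang=en HTTP/1.1"]
HELD_OUT = [b"GET /about.html?lang=en HTTP/1.1"]
ATTACKS = [b"GET /cgi-bin/x?\x90\x90\x90\x90 HTTP/1.1"]

def split_words(payload, key):
    """Words are the maximal byte runs between delimiter bytes in the secret set."""
    words, cur = [], bytearray()
    for b in payload:
        if b in key:
            if cur:
                words.append(bytes(cur))
                cur.clear()
        else:
            cur.append(b)
    if cur:
        words.append(bytes(cur))
    return words

def train(normal_payloads, key):
    """Training mode: frequency count of words seen in normal traffic under this key."""
    counts = Counter()
    for p in normal_payloads:
        counts.update(split_words(p, key))
    return counts

def anomaly_score(payload, key, counts):
    """Detection mode: mean rarity of the payload's words (assumed formula), in (0, 1]."""
    words = split_words(payload, key)
    if not words:
        return 1.0  # only delimiters: treat as maximally anomalous
    return sum(1.0 / (1 + counts[w]) for w in words) / len(words)

def detection_quality(key, normal, held_out, attacks):
    """Assumed quality measure: lowest attack score minus highest held-out normal score."""
    counts = train(normal, key)
    worst_normal = max(anomaly_score(p, key, counts) for p in held_out)
    best_attack = min(anomaly_score(p, key, counts) for p in attacks)
    return best_attack - worst_normal

def select_key(normal, held_out, attacks, candidates=20, size=4, rng=None):
    """Key selection: draw random delimiter sets, keep the one with the best quality."""
    rng = rng or secrets.SystemRandom()  # keys come from the OS CSPRNG
    best_key, best_q = None, float("-inf")
    for _ in range(candidates):
        key = frozenset(rng.sample(range(256), size))
        q = detection_quality(key, normal, held_out, attacks)
        if q > best_q:
            best_key, best_q = key, q
    return best_key, best_q

if __name__ == "__main__":
    key = frozenset(b" /?=")  # a hand-picked key, for a readable segmentation
    model = train(NORMAL, key)
    print(split_words(ATTACKS[0], key))
    print(anomaly_score(NORMAL[0], key, model), anomaly_score(ATTACKS[0], key, model))
    print(select_key(NORMAL, HELD_OUT, ATTACKS))
```

The same payload segments into different words under a different key, which is the property the scheme relies on: the word model is only meaningful to someone who knows the delimiter set.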
3.1 KEY Recovery attacks
The experimental analysis of Juan E. Tapiador, Agustin Orfila, Arturo Ribagorda, and Benjamin Ramos [9] shows that in the KIDS scheme an attacker can easily interact with the system and, using the feedback from that interaction, attack the secure data. The attacker uses various queries to get more information related to the secret key. The attack makes exactly 257 queries to KIDS: 256 with each tentative key element d, plus one final query to determine which subset corresponds to the key [9].
Fig: Flow of Anomaly Detection
4. Proposed System
Our attacks are extremely efficient, showing that it is reasonably easy for an attacker to recover the key in any of the settings discussed. We believe that such a lack of security reveals that schemes like KIDS were simply not designed to prevent key-recovery attacks.
Here we have argued that resistance against such attacks is essential to any classifier that attempts to impede evasion by relying on a secret piece of information. We have provided discussion on this and other open questions in the hope of stimulating further research in this area. The attacks presented here could be prevented by introducing a number of ad hoc countermeasures to the system, such as limiting the maximum length of words and payloads, or including such quantities as classification features. We think, however, that these variants may still be vulnerable to other attacks. Therefore, our recommendation for future designs is to base decisions on robust principles rather than particular fixes. Our aim is to enhance KIDS so that it meets all security properties and can securely store data in clouds, such as data in the healthcare domain.
Fig: Anomaly Intrusion Identification
4.1. Advantages of current system
Energy Efficient System.
More secure KIDS
Fig: System module
4.2. Proposed system module Details
Node Creation & Routing
In this module, a wireless network is created.
All the nodes are randomly deployed in the network area. Our network is a mobile network, so nodes are assigned mobility (movement). Source and destination nodes are defined. Data is transferred from the source node to the destination node.
Since we are working in a mobile network, node mobility is set, i.e., a node moves from one position to another.
Key-Recovery Attacks on KIDS
When assessing the security of systems such as KIDS, one major problem comes from the absence of widely accepted adversarial models giving a precise description of the attacker's goals and his capabilities. One such model has been proposed for secure machine learning, together with a discussion of various general attack classes. Our work does not fit well within it because our main goal is not to attack the learning algorithm itself, but rather to recover one piece of secret information that, subsequently, may be essential to successfully launch an evasion attack.
Keyed Anomaly Detection and Adversarial Models
Closely related to the points discussed above is the need to establish clearly defined and motivated adversarial models for secure machine learning algorithms. The assumptions made about the attacker's capabilities are critical to properly analyze the security of any scheme, but some of them may well be unrealistic for many applications. One debatable issue is whether the attacker can really get feedback from the system for instances he chooses. This bears some analogies with Chosen-Plaintext Attacks (CPA) in cryptography. This assumption has been made by many works in secure machine learning, including our own.
Performance Analysis
For performance evaluation we will use the following graphs:
– Packet delivery ratio
– Throughput
– Delay
4.3. Secure and Optimal Performance Approach for Data Manipulation in Cloud
Splitting and Merging Module
Encryption with block generation
Decryption
Fragment Allocation
Third Party Auditor
Proxy Agent.
We use the RSA encryption and decryption algorithm. RSA makes use of an expression with exponentials. Plaintext is encrypted in blocks, with each block having a binary value less than some number n. The block size must be less than or equal to $\log_2(n)$; the block size is $i$ bits, where $2^i < n < 2^{i+1}$.
Steps:
1. Select $p$, $q$ with $p \neq q$
2. Calculate $n = p \cdot q$ and $\phi(n) = (p-1)(q-1)$
3. Select integer $e$ with $\gcd(\phi(n), e) = 1$, $1 < e < \phi(n)$
4. Calculate $d \equiv e^{-1} \pmod{\phi(n)}$
5. Public key PU = {e, n}, where e is used for encryption
6. Private key PR = {d, n}, where d is used for decryption
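The steps above, worked through together with the block-size rule, as an added example that is not part of the original paper: the primes 61 and 53, e = 17 and the message are constructed toy values, and the blocks are raw (unpadded) RSA exactly as the steps describe, so it illustrates the arithmetic only.

```python
import math

def make_keypair(p, q, e):
    """Steps 1-6: derive n, phi(n) and d from primes p != q and a chosen e."""
    if p == q:
        raise ValueError("p and q must differ")
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and math.gcd(phi, e) == 1):
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(phi(n), e) = 1")
    d = pow(e, -1, phi)                 # d = e^-1 mod phi(n), Python 3.8+
    return (e, n), (d, n)               # PU = {e, n}, PR = {d, n}

def block_bits(n):
    """Block size i with 2^i < n < 2^(i+1): every i-bit block value is below n."""
    return n.bit_length() - 1

def encrypt(message, public):
    """Cut the message into i-bit blocks and raise each block to e modulo n."""
    e, n = public
    i = block_bits(n)
    bits = "".join(f"{byte:08b}" for byte in message)
    bits += "0" * (-len(bits) % i)      # zero-fill the final block
    return [pow(int(bits[k:k + i], 2), e, n) for k in range(0, len(bits), i)]

def decrypt(blocks, private, length):
    """Invert encrypt(); `length` is the original byte count (drops the zero fill)."""
    d, n = private
    i = block_bits(n)
    bits = "".join(f"{pow(c, d, n):0{i}b}" for c in blocks)
    return bytes(int(bits[k:k + 8], 2) for k in range(0, 8 * length, 8))

if __name__ == "__main__":
    public, private = make_keypair(61, 53, 17)   # toy primes, constructed
    print("PU =", public, "PR =", private, "block size =", block_bits(public[1]))
    ct = encrypt(b"WSN", public)
    print(ct, decrypt(ct, private, 3))
```

With n = 3233 the block size is 11 bits, so the 24-bit message "WSN" becomes three blocks, each guaranteed to be smaller than n.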
Fig: System Architecture
5. Key revocation process
Paper [5] describes key revocation, that is, how to remove secrets that may have been compromised. Revocation mechanisms are known in identity-based encryption, such as having users renew their private keys periodically while senders use the receivers' identities concatenated with the current period. This mechanism results in an overhead load on the public key generator.
A revocation scheme based on a one-way accumulator has both the one-way and quasi-commutative properties, based on the strong RSA assumption. A modified ciphertext-policy attribute-based encryption sets up a fine-grained access control method in which user revocation is achieved based on the theory of Shamir's secret sharing.
User revocation is a challenging issue in attribute-based encryption. To reduce the cost of secret key updates, the cloud servers perform a lazy update, which means the users' secret keys are only updated when they set up a legal request. Revocation and tracing are integrated seamlessly so that the tracing mechanisms do not require any change to the revocation algorithm. The revocation algorithm run by public key generator takes as input.
VI. CONCLUSION
This system analyses the intrusion detection problem in WSNs by characterizing intrusion detection probability with respect to the intrusion distance and the network parameters. The analytical model for intrusion detection allows us to analytically formulate intrusion detection probability within a certain intrusion distance under various application scenarios. Our simulation results verify the correctness of the proposed analytical model. This work provides insights in designing WSNs and helps in selecting critical network parameters so as to meet the application requirements. Overall we produce an aggregate key cryptosystem which produces an effective constant-size private key by derivation from different ciphertext classes. The proposed approach proves to be a more secure and efficient cryptographic scheme in which we have an effective derivation of secret key generation and key management for the outsourced cloud data. We have analyzed the strength of KIDS against key-recovery attacks. We have presented key-recovery attacks according to adversarial settings, depending on the feedback given by KIDS to probing queries.
REFERENCES
[1] K. Scarfone and P. Mell, "Guide to Intrusion Detection and Prevention Systems (IDPS)" (PDF), Computer Security Resource Center (National Institute of Standards and Technology) (800-94), February 2007. Retrieved 1 January 2010.
[2] R. S. Mrdovic and B. Drazenovic, "KIDS-Keyed Intrusion Detection System," Proc. Seventh Int'l Conf. Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA '10), pp. 173-182, 2010.
[3] N. Dalvi, P. Domingos, Mausam, S. Sanghai, and D. Verma, "Adversarial classification," in 10th ACM SIGKDD Int'l Conf. on Knowl. Discovery and Data Mining, pp. 99-108, 2004.
[4] D. Lowd and C. Meek, "Adversarial Learning," Proc. 11th ACM SIGKDD Int'l Conf. Knowledge Discovery in Data Mining (KDD '05), pp. 641-647, 2005.
[5] O. Kolesnikov, D. Dagon, and W. Lee, "Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic," Proc. USENIX Security Symp., 2005.
[6] C. Kruegel and G. Vigna, "Anomaly detection of web-based attacks," in Proceedings of ACM CCS, pp. 251-261, 2003.
[7] K. Wang and S. Stolfo, "Anomalous payload-based network intrusion detection," in Recent Advances in Intrusion Detection, 2004.
[8] B. Biggio, G. Fumera, and F. Roli, "Adversarial Pattern Classification Using Multiple Classifiers and Randomisation," Proc. IAPR Int'l Workshop Structural, Syntactic, and Statistical Pattern Recognition, pp. 500-509, 2008.
[9] Juan E. Tapiador, Agustin Orfila, Arturo Ribagorda, and Benjamin Ramos, "Key-Recovery Attacks on KIDS, a Keyed Anomaly Detection System," IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 3, May/June 2015.