Professional Documents
Culture Documents
Computer Communications
journal homepage: www.elsevier.com/locate/comcom
a r t i c l e i n f o a b s t r a c t
Article history: Many mission critical wireless sensor networks require an efficient, lightweight and flexible intrusion
Available online xxxx detection algorithm to identify malicious attackers. In this paper, we propose a distributed group-based
intrusion detection scheme that meets all the above requirements by partitioning the sensor networks
Keywords: into many groups in which the sensors in each group are physically close to each other and are equipped
Wireless sensor networks with the same sensing capability. Our intrusion detection algorithm takes simultaneously into consider-
Security ation of multiple attributes of the sensor nodes to detect malicious attackers precisely. We show through
Intrusion detection scheme
experiments with real data that our algorithm can decrease the false alarm rate and increase the detec-
False alarm
Detection accuracy
tion accuracy compared with existing intrusion detection schemes while lowering the computation and
transmission power consumption.
Ó 2008 Elsevier B.V. All rights reserved.
1. Introduction tify and isolate attackers after prevention based techniques fail.
Furthermore, there are two types of detection based techniques:
Wireless sensor networks have become one of the most signature based detection and anomaly based detection. Signature
interesting and promising research and development areas over based detection techniques match the known attack profiles with
the past few years. Such networks usually consist of hundreds suspicious behaviors whereas anomaly based detection techniques
or even thousands of small-sized, low power, inexpensive sen- detect unusual deviations from pre-established normal profiles to
sors to monitor some specific phenomenon cooperatively. The identify the abnormal behaviors.
characteristics of sensor networks such as flexibility, self-organi- In this paper, we propose a new group-based intrusion detec-
zation, fault tolerance, high sensing fidelity, low cost and rapid tion scheme which is based on anomaly detection technique. In
deployment have created many new and exciting applications our scheme, we first partition the sensor nodes in a network into
such as wildlife monitoring, disaster response, military surveil- a number of groups using d-grouping algorithm such that the
lance, smart building and industrial quality control, to name a nodes in a group are physically close to each other and their sensed
few [1]. data are dissimilar by at most d. And then our intrusion detection
In general, the sensors in a network are deployed in unattended algorithm is scheduled to run for each group. The monitor sensor
environment or even hostile circumstance, and communicate with node supervises multidimensional measurement promiscuously
each other using wireless signals which can be eavesdropped very in each group in turn to average the power consumption among
easily. The constrained capacity of wireless sensor nodes such as the group members. If an obvious deviation between monitored
limitation in computation power, memory and battery lifetime fur- values is found using intrusion detection algorithm, an alarm will
ther increases the insecurity of wireless sensor networks. Many be issued and the corresponding outlier should be identified and
different kinds of attacks against wireless sensor networks have segregated from the sensor network. Through experiments in
been identified so far, e.g., bogus routing and sensed data attack, which we use data released from the Intel Berkeley Research Lab,
select forward attack, sink hole attack, worm hole attack, black we show that our scheme can achieve a lower false alarm rate than
hole attack and hello flood attack, etc. [2]. that in the present intrusion detection schemes while consuming
All the security solutions proposed so far can be classified into less power.
two main categories: prevention based techniques and detection The two notable features of our scheme are: (1) the intrusion
based techniques. Prevention based techniques, such as encryption detection algorithm is executed in a number of groups in which
and authentication, are often regarded as the first line of defense the sensors in each group are physically close to each other and
against attacks. Detection based techniques are designed to iden- sense the similar observation. This feature makes it easier to detect
outlier nodes and the intrusion detection results become more pre-
* Corresponding author. Tel.: +86 10 67396607; fax: +86 10 67396061. cise; and (2) we adopt the Mahalanobis distance measurement and
E-mail address: liguorui@emails.bjut.edu.cn (G. Li). the OGK estimators in the intrusion detection algorithm to take
0140-3664/$ - see front matter Ó 2008 Elsevier B.V. All rights reserved.
doi:10.1016/j.comcom.2008.06.020
Please cite this article in press as: G. Li et al., Group-based intrusion detection system in wireless sensor networks, Comput. Commun.
(2008), doi:10.1016/j.comcom.2008.06.020
ARTICLE IN PRESS
into account the inter-attribute dependencies of multidimensional out the need for such infrastructure as base station and cluster
observed values and ensure a high breakdown point even with heads [12].
some missing data at a lower computational cost. The idea of par-
titioning the sensor network into many groups with the similar 2.2. Detection based techniques
observation to detect the outlier nodes is first introduced in this
paper and is shown to be effective in increasing the detection accu- Doumit et al. proposed a self-organized criticality and sto-
racy and decreasing the false alarm rate. chastic learning based intrusion detection scheme that takes
This paper is organized as follows. In the next section, we re- advantage of self-organized criticality for a certain location based
view some related work. In Section 3, we present our group-based on an environment variable and uses a hidden Markov model to
intrusion detection scheme. In Section 4, we analyze our scheme detect future anomalies [13]. Su et al. proposed eHIP – energy
and present some simulation results. Finally, we draw our conclu- efficient hybrid intrusion prohibition system to improve the
sions in Section 5. security of cluster-based sensor networks [14]. Such a system
consists of authentication-based intrusion prevention (AIP) sub-
system and collaboration-based intrusion detection (CID) subsys-
2. Related work tem to provide heterogeneous mechanisms that can meet the
different demands of security levels in cluster-based wireless
In this section, we review some related work in the security of sensor networks to improve energy efficiency. Agah et al. pro-
wireless sensor networks in which we classify them into two catego- posed a non-cooperative game approach in which the key is to
ries: prevention based techniques and detection based techniques. find the most vulnerable node in a sensor network and protect
it [15]. Silva et al. defined multiple rules that can be used to
2.1. Prevention based techniques determine if a failure has happened and to raise an intrusion
alarm if the number of failures exceeds a predefined threshold
Encryption and authentication are two primary techniques to [16]. A newly proposed scheme, called the insider attacker
secure wireless sensor networks against malicious access. The detection scheme, takes into consideration of multiple attributes
core ideas behind such techniques rely on key management. Esc- simultaneously in node behavior evaluation without the require-
henauer and Gligor proposed the basic probabilistic key predistri- ment for prior knowledge about normal or malicious sensor
bution scheme in which each sensor is assigned a random subset activities [17]. It has high accuracy and low false alarm rate
of keys from a key pool before the network is deployed so that when some sensor nodes are misbehaving. We will compare
any two sensor nodes will have a certain probability to share at our scheme with it in Section 4.
least one key [3]. Chan et al. improved the above scheme and pro-
posed the q-composite key predistribution scheme [4], which re-
3. The group-based intrusion detection scheme in wireless
quires that two sensor nodes share at least q predistributed
sensor networks
keys as the basis for the establishment of a pairwise key between
the two nodes. Liu and Ning proposed a framework in which pair-
The group-based intrusion detection scheme involves two
wise keys are predistributed by using bivariate polynomials [5].
phases: grouping the sensor networks and running the group-
They also proposed two efficient instantiations, i.e., a grid-based
based intrusion detection algorithm in each group. We describe
key predistribution scheme and a random subset assignment
the assumptions in the proposed scheme first.
scheme, for the establishment of pairwise keys in a wireless sen-
sor network. In addition, they proposed the closest pairwise key
predistribution scheme and the closest polynomials predistribu- 3.1. Assumptions
tion scheme, which take advantage of sensor nodes’ expected
locations to predistribute appropriate keys to the sensors and thus The group-based intrusion detection scheme can run in a flat
can improve the performance of key establishment [6]. Li et al. homogeneous wireless sensor network. There is no need to include
proposed the hexagon-based key predistribution scheme that special nodes, such as cluster heads. We assume that there are no
can improve the effectiveness of key management in sensor net- malicious nodes at the beginning of the sensor network deploy-
work by using the bivariate polynomial in a hexagonal coordinate ment and all the sensors start the intrusion detection algorithm
system based on the deployment information about expected at the same time. Neither are there intense and unexpected varie-
locations of the sensor nodes [7]. All the key management ties of sensed data at the grouping phase of our intrusion detection
schemes mentioned above belong to the type of static key man- algorithm.
agement schemes.
Another type of key management scheme is the dynamic key 3.2. d-Grouping algorithm
management scheme in which keys may be updated periodically
or on demand as a response to node capture. By performing key First, we partition the sensor nodes in the network into a set of
update, the compromised nodes are segregated and the security groups with each group sensing a similar phenomenon. The sen-
of sensor networks can be enhanced. Moharrum and Eltoweissy sors within the same group are physically close to each other
compared dynamic key management with static key management and their sensed data are dissimilar by at most d. This feature in-
and, as the result, proposed an EBS (exclusion basis system)- sures that the intrusion detection results are more precise than
based dynamic key management scheme [8]. Eltoweissy et al. other schemes. According to [18], the d-grouping problem is NP-
proposed a dynamic key management scheme called LOCK complete and, therefore, it is impossible to derive an approxima-
(LOcalized Combinatorial Keying) which is an EBS-based hierar- tion to the optimal solution in polynomial time unless P = NP.
chical key management scheme that can only be used in hierar-
chical wireless sensor networks [9]. Similar dynamic key 3.2.1. The original d-grouping algorithm
management schemes also include SHELL [10] and identity-based The notations used in the original d-grouping algorithm are de-
symmetric keying [11], both relying on a central key server to scribed in Table 1.
perform rekeying. Li et al. proposed the group-based dynamic The original d-grouping algorithm in sensor node i works as
key management scheme that can solve the same problem with- follows:
Please cite this article in press as: G. Li et al., Group-based intrusion detection system in wireless sensor networks, Comput. Commun.
(2008), doi:10.1016/j.comcom.2008.06.020
ARTICLE IN PRESS
Please cite this article in press as: G. Li et al., Group-based intrusion detection system in wireless sensor networks, Comput. Commun.
(2008), doi:10.1016/j.comcom.2008.06.020
ARTICLE IN PRESS
3.3.1. Intrusion detection scheduling algorithm 3.3.2. Intrusion detection monitoring algorithm
We partition the d-group into equal-sized sub-groups accord- The monitor sensor node can collect the following informations,
ing to the node attributes such as sensor ID, sensor remaining which are shown in Table 3, to detect the malicious network attack
power or the hops to the root of the d-group. Assuming that behavior.
there are Ni sensor nodes in the d-group Gi and N Si sensor nodes We assume that the multiple monitoring attributes of sensor xi
in its sub-group, we partition Gi into bN i =N Si c sub-groups. Every form a multiple dimension vector f(xi) = {f1(xi),f2(xi), . . . ,fq(xi)} where
sensor in the sub-group will monitor the network simulta- q is the number of the monitoring attributes. And all the monitoring
neously using the intrusion detection monitoring algorithm de- vectors of monitor sensors x1, . . . ,xn form a matrix F(x) = {f(x1),f(x2),
scribed in Section 3.3.2. These sub-groups monitor the entire . . . ,f(xn)}, where n is the number of monitor sensor nodes in a sub-
d-group in turn to reduce the total power consumption resulting group.
from monitoring to prolong the lifetime of the entire network. If We assume that all f(xi)(xi 2 {x1, . . . ,xn}) form a sample of a mul-
P
one sensor found obvious deviation between its sensed data and tivariate normal distribution. And f(xi) is distributed as N q ðl; Þ,
its monitored data, it will alert other sensors in the same d- following a multi-variate normal distribution with mean vector l
P
group using the following message: and variance–covariance matrix . The Mahalanobis squared dis-
P
tance ðf ðxi Þ lÞT 1 ðf ðxi Þ lÞ is distributed as v2q , where v2q is the
‘‘Alert”, Charged node, Monitor node, Timestamp.
chi-square distribution with q degree of freedom. Therefore, the
P
When there are more than n1 alert messages coming from probability that f(xi) satisfies ðf ðxi Þ lÞT 1 ðf ðxi Þ lÞ v2q ðaÞ is
the same monitor node or charging the same abnormal node a, where v2q ðaÞ is the upper (100a)th percentile of a chi-square dis-
in a sensor’s alert table for a period of time, it will change to tribution with_ q degrees of freedom.
_ P P
the promiscuous mode and only monitor the abnormal node Let l and be the estimates of l and , respectively. Then the
or the monitor node by itself. If it found any abnormal behavior _ P_ _
probability that f(xi) satisfies ðf ðxi Þ l ÞT 1 ðf ðxi Þ lÞ v2q ðaÞ is
taking place in the charged node or the monitor node, it will P
_
_
record the observed alert in its own alert table and calculate expected to be roughly a. Let dðxi Þ ¼ ððf ðxi Þ l ÞT 1 ðf ðxi Þ
_
the alert value: n1w1 + n2w2, where w1 and w2 are the weight lÞÞ1=2 . Sensor xi will be regarded as an outlier if d(xi) or d2(xi) is
value of the alert message coming from other sensor nodes unusually large. In our scheme, sensor xi is regarded as an abnor-
and itself, respectively, and n2 is the number of abnormal mes- 2
mal node if d ðxi Þ v2q ðaÞ.
sages it has observed. When n1w1 + n2w2 is above a predefined P
Rather than estimating l and by the simple mean and the
threshold h, it will confirm that the charged node is an abnor-
simple variance-covariance matrix:
mal node or the monitor node is a malicious charging node and
_ 1X n
will segregate it from the sensor network by removing it from l¼ f ðxi Þ
the route table and/or removing the pairwise key between n i1
them. X
_
1 X n
_ _
¼ ðf ðxi Þ lÞðf ðxi Þ l ÞT
n 1 i¼1
in which the values from outlying sensors can easily distort the esti-
P
mates of l and and the detection via Mahalanobis distances may
Table 3 fail to identify true abnormal sensors, we adopt the OGK (Orthogo-
The collected information _ P_
nalized Gnanadesikan–Kettenring) estimators l and [19].
_
Collected information Detected attack behavior The single-variate estimates l and r ^ 2 based on the single-vari-
Sensor sensed data Fabricate information attack ate sample set Y = {y1,y2, . . . ,yn} are:
Packet sending rate Energy exhausting attack Pn
_ yi Wðvi Þ y l0
Packet dropping rate Select forward attack, black hole attack l ¼ Pi¼1
n for vi ¼ i
Packet mismatch rate Message alter attack i¼1 Wðvi Þ r0
Packet receiving rate Sink hole attack _!
2 Xn
_ r y l
Packet sending power Hello attack, worm hole attack r2 ¼ 0 q i
n i¼1 r0
Please cite this article in press as: G. Li et al., Group-based intrusion detection system in wireless sensor networks, Comput. Commun.
(2008), doi:10.1016/j.comcom.2008.06.020
ARTICLE IN PRESS
Fig. 5. False alarm ratio in the refined group-based intrusion detection scheme vs.
that in the original group-based intrusion detection scheme.
Rjk ¼
1
4
½ r2 ðGj þ Gk Þ r2 ðGj Gk Þ j 6¼ k :
1 j¼k
(3) Apply the spectral decomposition to obtain R = QK QT where
Q is R’s eigen-matrix and K is the diagonal matrix composed
of R’s eigen-values.
(4) Compute H = {h(xi)jh(xi) = QTg(xi)}. Then calculate D ¼
_ _ _
ðl ðH1 ðxÞÞ; l ðH2 ðxÞÞ; . . . ; l ðHq ðxÞÞÞT and C ¼ diagðr
^ 2 ðH1 ðxÞÞ;
Fig. 4. The percentage of the sensor nodes in each group partitioned by the two
grouping algorithms.
r ðH2 ðxÞÞ; . . . ; r ðHq ðxÞÞÞ.
^ 2 ^ 2
Please cite this article in press as: G. Li et al., Group-based intrusion detection system in wireless sensor networks, Comput. Commun.
(2008), doi:10.1016/j.comcom.2008.06.020
ARTICLE IN PRESS
Fig. 7. Comparison of power consumption between the refined and the original
group-based intrusion detection schemes.
Fig. 6. The detection accuracy ratio between refined group-based intrusion
detection scheme and original group-based intrusion detection scheme.
Fig. 8. Comparison of false alarm ratio between the refined group-based intrusion detection scheme and the insider attacker detection scheme with different back retrieve
numbers. (a) Back retrieve number = 3 and (b) back retrieve number = 4.
Please cite this article in press as: G. Li et al., Group-based intrusion detection system in wireless sensor networks, Comput. Commun.
(2008), doi:10.1016/j.comcom.2008.06.020
ARTICLE IN PRESS
Fig. 9. Comparison of detection accuracy ratio between the refined group-based intrusion detection scheme and the insider attacker detection scheme with different back
retrieve numbers. (a) Back retrieve number = 3 and (b) back retrieve number = 4.
Please cite this article in press as: G. Li et al., Group-based intrusion detection system in wireless sensor networks, Comput. Commun.
(2008), doi:10.1016/j.comcom.2008.06.020
ARTICLE IN PRESS
Fig. 14. Detection accuracy ratios of the refined group-based intrusion detection
Fig. 12. Detection accuracy ratios of the refined group-based intrusion detection
scheme with different outlying deviations.
scheme with different back retrieve numbers.
Fig. 13. False alarm ratio of the refined group-based intrusion detection scheme Fig. 15. False alarm ratios of the refined group-based intrusion detection scheme
with different outlying deviation. with different alpha-quantile of the chi-squared distribution.
4.2. Comparison between the refined group-based intrusion detection monitoring sensor’s neighborhood so that the detection results
scheme and the insider attacker detection scheme are less influenced by the variety of the observed values.
Fig. 10 is the comparison of power consumption between the
Fig. 8 shows the false alarm ratio between the refined group- refined group-based intrusion detection scheme and the insider at-
based intrusion detection scheme and the insider attacker detec- tacker detection scheme, where n is the sub-group size. We can see
tion scheme with back retrieve number 3 and 4, respectively, that the refined group-based intrusion detection scheme consumes
where the back retrieve number is the number of history messages less power than that of the insider attacker detection scheme. The
reserved in the monitoring nodes to facilitate the detection pro- reason behind this improvement lies in the fact that the intrusion
cess. We can see that the refined group-based intrusion detection detection scheduling mechanism distributes the monitoring power
scheme produces less number of false alarm alerts than that of consumption to each node equally and the sensor nodes within
the insider attacker detection scheme. each group collaborate with each other.
Fig. 9 shows the detection accuracy ratio between the refined
group-based intrusion detection scheme and the insider attacker 4.3. Characteristics of the refined group-based intrusion detection
detection scheme with back retrieve number 3 and 4, respectively. scheme
We can see that the detection accuracy of the refined group-based
intrusion detection scheme is much higher than that of the insider Figs. 11 and 12 compare the false alarm ratios and the detection
attacker detection scheme. The decrease in false alarm ratio and in- accuracy ratios of the refined group-based intrusion detection
crease in detection accuracy lie in the fact that the grouping algo- scheme with different back retrieve number 3, 4 and 5, respec-
rithm eliminates the difference between sensed data within the tively. We can see that both the false alarm ratio and the detection
Please cite this article in press as: G. Li et al., Group-based intrusion detection system in wireless sensor networks, Comput. Commun.
(2008), doi:10.1016/j.comcom.2008.06.020
ARTICLE IN PRESS
References
Please cite this article in press as: G. Li et al., Group-based intrusion detection system in wireless sensor networks, Comput. Commun.
(2008), doi:10.1016/j.comcom.2008.06.020