Abstract—Intrusion detection systems have gained major significance in the field of the internet of things (IoT), as the communicating entities can reach thousands of nodes. An intrusion detection system (IDS) that uses a hybrid learning approach consists of two stages of detection, local and global. The data collection for the classification purposes at the local detection phase is intended to mimic the network behavior rather than node behavior, and the ability to infer the state of the node. A scheme based on obtaining datasets related to the packet counts for normal and malicious cases, collected using promiscuous mode, is adopted in the network. The local detection is conducted by the dedicated sniffers (DS), where each DS uses a supervised learning approach based on decision trees to generate correctly classified instances (CCIs). The global stage collects the CCIs sent from the dedicated sniffers (DS) to the super node (SN) and applies an iterative linear regression to generate a time-based profile called the accumulated measure of fluctuation (AMoF) for malicious and normal nodes. A profile of a malicious and a normal node is obtained, and an anomaly is detected after three iterations (processed samples).

Key words: Internet of things (IoT), Intrusion Detection Systems (IDS), Accumulated Measure of Fluctuation (AMoF), decision trees.

I. INTRODUCTION

The internet of things (IoT) is a term used to describe a network that connects different communication entities, spanning from simple sensing devices like thermostats at home to healthcare devices, printers, smart phones and control systems in factories [1]. The IoT can be considered as the umbrella that took advantage of the important aspects of wireless sensor networks (WSN) and mobile ad-hoc networks (MANET) and forms an interface to the cloud or the internet [2].

Intrusion detection systems (IDS) are the core of security maintenance in any communication network, wireless or wired. The vast application potential of IoT devices drives the need for developing an IDS that can deal with the threats faced by WSNs, MANETs, legacy networks and beyond. This is due to the massive range of communication activities that are involved in future IoT networks [3].

The IPv6 over Low-power Wireless Personal Area Network (6LoWPAN) facilitates the connection of resource-constrained devices with the global network. Many IDS have dealt with the security threats to 6LoWPAN routing protocols, such as SVELTE [4], developed to detect routing attacks such as spoofing, sinkhole, and selective forwarding. A denial-of-service (DoS) detection architecture for 6LoWPAN is presented by [5]. A packet matching technique is used to detect attacks that exceed a certain threshold. The proposed work integrates the IDS into the network framework developed within the EU FP7 project ebbits.

The need for a simple yet adaptive intrusion detection technique is a prerequisite for networks that have low computational capabilities and limited power resources, as in some IoT applications. This issue was the major drive for the work presented in this paper. A time-evolving IDS is proposed, based on two layers of detection. During stage one, every DS deploys a classifier based on decision trees such as C4.5. The reason for choosing these types of classifiers is their low computational complexity and low resource requirements such as memory [6]. The packet collection module acquires this information using the promiscuous mode, which collects first-hand data from neighboring nodes that are in the radio range of the DS [7]. Every reporting time, each DS sends the calculated CCI to the SN. In stage two, the SN generates a variable called AMoF, which is calculated based on the variations of the collected CCIs using a sliding window approach. In conjunction with this step, the SN performs linear regression fitting for those CCIs to set a proper detection threshold, which helps in differentiating between malicious and normal nodes. The rest of the paper is divided into the following sections. Section II presents a brief introduction to the black hole attack and the RPL protocol in MANET. In Section III, the system architecture is described. The experimental setup is discussed in Section IV. Results and discussion are provided in Section V. Finally, Section VI presents the conclusions and thoughts about future work.

II. BLACK HOLE AND RPL IN IOT

The IPv6 Routing Protocol for Low-Power and Lossy Networks, RPL, is the standardized routing protocol for the IoT [8]. The RPL topology forms the DODAG (Destination Oriented Directed Acyclic Graph) tree, which has one root, or sink [9]. The control packets of RPL are:

a) DODAG Information Solicitation (DIS): solicits a DODAG Information Object from an RPL node.
b) DODAG Information Object (DIO): allows a node to discover an RPL Instance, learn its configuration parameters and select DODAG parents.
The system shown in Fig. 1 is a simplified version of the system in [12], which in this paper is adapted to the IoT. The system here avoids using a feature selection module for two main reasons. Firstly, the complexity and power restrictions in IoT-based systems, especially in our experiment with a WSN-oriented scenario, are much higher than the ones in MANET. Second, the total number of features used in the experiment is 6, which is a small dimensionality problem that decision trees are able to handle.

The IDS consists of a two-stage detection process, local and global. The local detection is achieved via a DS located in each of two diagonally opposite quadrants of the field, similar to the scheme used in [13]. The packet counts from the MAC and network layers are the features used by the classifier to generate the CCI. Each DS calculates the CCI at every reporting time (Tr). The total number of reporting times is given as N, as shown in Fig. 1. The calculation of the CCIs depends on the packet counts (features) shown in Table I.

The CCIs from the DS are communicated to the SN to perform an iterative linear regression process that establishes a detection threshold, based on a certain detection criterion, for the entire system.

The use of the variation of the correctly classified instances (CCI) collected from different DS to detect malicious nodes, using a sliding window approach over the CCIs collected from the different dedicated sniffers (DS), is the core of our proposed IDS. A detailed mathematical modeling of the CCIs, along with a detailed algorithmic description for calculating the AMoF and the iterative linear regression to obtain the detection threshold, is given in Algorithm 1 [12]. A simplified version of the algorithm is stated in this paper.

A simple linear regression process can be characterized as shown in equations 1 and 2, relating a dependent variable X and independent variable Y [14],

$$Y = \beta_0 + \beta_1 X + \epsilon \qquad (1)$$

where $\beta_0$ and $\beta_1$ are the model parameters. The errors $\epsilon$ are assumed to be independent $N(0, \sigma^2)$. The confidence interval for $\beta_1$ is given as

$$b_1 \pm \frac{t\left(n-2,\; 1-\frac{\alpha}{2}\right)\, s}{\left\{\sum (x - \bar{x})^2\right\}^{1/2}} \qquad (2)$$

where $t\left(n-2,\; 1-\frac{\alpha}{2}\right)$ is the $100\left(1-\frac{\alpha}{2}\right)$ percentage point of a t-distribution with $(n-2)$ degrees of freedom and $s^2$ is the residual sum of squares. From Algorithm 1, the threshold is calculated first by finding an initial threshold ($\delta^*$), which is the difference between the maximum of the upper bounds and the minimum of the upper bounds of all NUTs, divided by two and added to the minimum of the upper bounds for that iteration.

TABLE I. FEATURES USED BY STAGE 1 OF THE IDS

Layer           Packet type   Counts
MAC layer       ACK           Tx/Rx
Network layer   DAO           Tx/Rx
Network layer   DIO           Tx/Rx

Algorithm 1 Calculating the AMoF, fitted slope and detection threshold for malicious and normal nodes

1: Input: CCI(DS)_1, ..., CCI(DS)_N, m ∈ n
2: Output: AMoF, fitted slope (β), detection threshold (δ)
3: At the super node
4: node ∈ NUT
5: for i = 1 to N do
6:   for j = 1 to n do
7:     Calculate Tem(DS_j), Norm_Tem(DS_j)
8:   end for
9:   AMoF(DS_j) ← (Norm_Tem(DS_j) / n) + AMoF(DS_j)_(i−1)
10: end for
11: for k = 1 to N − 1 do
12:   for j = 1 to l do      (l ∈ NUT)
13:     If k then
14:       Calculate β, CI, and δ*
15:       while δ* − δ_(k−1) |Δ| do
16:         δ ← δ*
17:         If δ δ then
18:           node is normal
19:         else
20:           node is malicious
21:         end if
22:       end while
23:   end for
24: end for
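The stage-2 (super node) procedure of Algorithm 1 together with equations (1) and (2), written out as an added Python example that is not the paper's own code. Assumptions, since the paper leaves them open: the fluctuation term is taken as the mean absolute change of CCI across the sniffers, a node whose fitted slope reaches δ* is labelled normal (the normal node fluctuates more, per Section V), the loop stops once δ* changes by less than |Δ|, and the t quantiles come from a small hard-coded table for α = 0.05; the CCI values in SAMPLE are constructed.

```python
import math
from typing import Dict, List, Tuple

# t(df, 0.975) for the small sample sizes used here (alpha = 0.05, two-sided)
T975 = {1: 12.706, 2: 4.303, 3: 3.182, 4: 2.776, 5: 2.571, 6: 2.447, 7: 2.365, 8: 2.306}

def amof(cci_by_ds: List[List[float]]) -> List[float]:
    """Assumed form of Algorithm 1 lines 7-9: AMoF_i = AMoF_{i-1} + mean_j |CCI_j,i - CCI_j,i-1|."""
    n, out = len(cci_by_ds), [0.0]           # AMoF_1 = 0: no earlier CCI to compare with
    for i in range(1, len(cci_by_ds[0])):
        tem = sum(abs(ds[i] - ds[i - 1]) for ds in cci_by_ds) / n
        out.append(out[-1] + tem)
    return out

def slope_ci(y: List[float]) -> Tuple[float, float, float]:
    """Least-squares slope b1 over x = 1..k and its interval from eq. (2):
    b1 +- t(k-2, 1-alpha/2) * s / sqrt(sum (x - xbar)^2). Needs k >= 3."""
    k, xs = len(y), range(1, len(y) + 1)
    xm, ym = (k + 1) / 2, sum(y) / k
    sxx = sum((x - xm) ** 2 for x in xs)
    b1 = sum((x - xm) * (v - ym) for x, v in zip(xs, y)) / sxx
    b0 = ym - b1 * xm
    s = math.sqrt(sum((v - b0 - b1 * x) ** 2 for x, v in zip(xs, y)) / (k - 2))
    half = T975[k - 2] * s / math.sqrt(sxx)
    return b1, b1 - half, b1 + half

def threshold(upper_bounds: Dict[str, float]) -> float:
    """delta* = (max UB - min UB)/2 + min UB over all NUTs (Section III)."""
    lo, hi = min(upper_bounds.values()), max(upper_bounds.values())
    return (hi - lo) / 2 + lo

def detect(cci: Dict[str, List[List[float]]], delta_min: float = 1e-3):
    """Iterate over k = 3..N AMoF samples; stop once delta* moves by less than
    |Delta| (assumed stopping rule). Slope >= delta* is labelled normal (assumed)."""
    series = {node: amof(ds) for node, ds in cci.items()}
    big_n = len(next(iter(series.values())))
    labels, prev = {}, None
    for k in range(3, big_n + 1):
        fits = {node: slope_ci(y[:k]) for node, y in series.items()}
        delta = threshold({node: f[2] for node, f in fits.items()})   # f[2] is the UB
        labels = {node: "normal" if f[0] >= delta else "malicious"
                  for node, f in fits.items()}
        if prev is not None and abs(delta - prev) < delta_min:
            return labels, k
        prev = delta
    return labels, big_n

# Constructed CCI series (two DS, five reporting times) for the two NUTs.
SAMPLE = {"node22": [[0.5, 0.7, 0.5, 0.7, 0.5], [0.6, 0.8, 0.6, 0.8, 0.6]],
          "node18": [[0.9, 0.9, 0.9, 0.9, 0.9], [0.8, 0.8, 0.8, 0.8, 0.8]]}
```

Calling `detect(SAMPLE)` labels node22 normal and node18 malicious, with the threshold settling at the fourth AMoF sample for this constructed input.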
IV. EXPERIMENTAL SETUP

The raw data was collected by simulating a network of thirty-five nodes using the widely adopted discrete-event network simulator for IoT applications, Cooja, under the Contiki environment. Two of the nodes are designated as DS; they collect data from the neighboring nodes promiscuously and then generate CCIs, which in turn are sent to the SN that performs the AMoF algorithm, including a linear regression of the MoF, to detect the malicious nodes. The first level of detection is at the sniffer level, where each sniffer generates a CCI at each Tr. A simple, yet effective, supervised machine learning algorithm, namely the C4.5 decision tree, has been adopted.

The simulation parameters are shown in Table II. The NUTs are node 18 (malicious node) and node 22 (normal node). The DSs are node 8 and node 30, placed strategically so that they can cover most of the simulation area. A static set of features collected from the MAC and network layers is used for the detection process using a C4.5 decision tree, as shown in Table I. Those features, which are packet counts, are fed to the C4.5 classifier mounted at the DS. The classification process produces true positive (TP), true negative (TN), false positive (FP), and false negative (FN) counts. The CCI is the ratio of the summed TP and TN instances to the total instances classified.

The tracing logs are obtained using Wireshark and processed using MATLAB. Simulation time is 10000 sec, which is divided into ten reporting times (Tr) of length 1000 sec. Each reporting time is divided into five sampling times (Ts), or instances. Traces when the network is normal, with no malicious nodes deployed, are used to label the data set as normal. Traces when the network has malicious activity, with 3 black holes deployed, are used to label the data set as malicious. This gives a total of ten instances, 5 normal and 5 malicious, in every Tr. A stratified ten-fold cross validation process is used for training and testing purposes. This process divides the labeled data into ten equal folds and uses nine folds for training and one fold for testing.

TABLE II. SIMULATION PARAMETERS

No. of nodes                 35
Field area                   100 m × 100 m
Transmission range           50 m/s
Simulation time              10,000 sec
Routing protocol             RPL
Reporting time (Tr)          1000 sec
Sampling time (Ts)           200 sec
Nodes Under Test (NUT)       18, 22
Transport layer protocol     UDP

V. RESULTS

Simulation for the scenario of transmission range = 50 m, Tr = 1000 sec, and Ts = 200 sec is presented. The detection threshold criterion |Δ|, which is the difference between consecutive fitted slopes, is chosen after a certain number of iterations that achieve small fluctuation in the consecutive fitted slopes, showing stable behavior; |Δ| = 10^-3 was picked for this purpose.

The results shown in Fig. 3 represent the AMoF for two different types of node, normal and malicious. The AMoF of the normal node, node 22, shows higher variation than the AMoF of the malicious node, node 18.

The iteratively fitted slope (FS) and confidence intervals for nodes 18 and 20 are shown in Fig. 4. The confidence interval for each sample has an upper bound (UB) and a lower bound (LB). The detection threshold is met at the 3rd AMoF sample, as shown in Fig. 4, which translates to 3000 sec of simulation time. This appears to be a long time for detecting a malicious activity, but it is highly dependent on the traffic types deployed in the network, such as the client-server type traffic at the application layer.
[Figure: AMoF (y-axis, 0 to 1.5) against sample number (x-axis, 0 to 10); plot not reproduced]

Fig. 2 Layout of the nodes showing transmission range for both DS
REFERENCES

[1] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari and M. Ayyash, "Internet of Things: A Survey on Enabling Technologies, Protocols, and Applications," IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2347-2376, Fourth quarter 2015.
[2] P. Bellavista, G. Cardone, A. Corradi and L. Foschini, "Convergence of MANET and WSN in IoT Urban Scenarios," IEEE Sensors Journal, vol. 13, no. 10, pp. 3558-3567, Oct. 2013.
[3] L. Atzori, A. Iera and G. Morabito, "The internet of things: A survey," Comput. Netw., vol. 54, no. 15, pp. 2787-2805, 2010.