Mids : a lightweight intrusion detection system for wireless sensor networks and the internet of things

Abstract

Η ομαδοποίηση (clustering) αποσκοπεί στη διαίρεση των αντικειμένων σε ομάδες βάση διαφόρων κριτηρίων. Σε πραγματικά δίκτυα πληροφοριών, κάθε χαρακτηριστικό των αντικειμένων, π.χ. ιδιότητες και τύποι συνδέσεων, περιέχει διαφορετική πληροφορία, και ορισμένα από αυτά τα χαρακτηριστικά μπορεί να μην είναι χρήσιμα στην διαδικασία ομαδοποίησης. Επομένως, πρέπει να προσδιορίσουμε πόσο σημαντική είναι η κάθε ιδιότητας και ο κάθε τύπος ακμής. Όταν η διαδικασία ομαδοποίησης λαμβάνει υπόψη το πόσο σημαντικά είναι τα χαρακτηριστικά των αντικειμένων επιτυγχάνει αποτελέσματα υψηλής ποιότητας.

Wireless sensor networks are used for critical applications due to their ability to provide low-cost, low-power, and diversified monitoring services. They also attract people with malicious intent who aim in disrupting the network by any means possible. Existing security methods fail in identifying unknown malicious attacks and require memory and power which are limited resources for WSNs. Intrusion Detection Systems (IDS) are found at the second line of security defense. They are engaged once the intruder has penetrated the first line of defense, the preventive layer. Most intrusion detection solutions for WSNs in the literature, are evaluated using simulation tools or mathematical models. We propose and evaluate mIDS; a run-time, low-memory overhead IDS that can detect unknown attacks by imposing minimum computation power. We implemented a monitoring tool in Contiki O/S, called RMT, that monitors and collects data from multiple network layers, in real time. RMT gathers statistics from the various sensor node's layers that can be customized to decrease memory cost. RMT provides monitoring information to an anomaly IDS, called mIDS, that detects attacks within the network. At an offline stage the data gathered from the RMT monitoring is analysed using the profiling statistical Binary Logistic Regression (BLR) to define normal sensor activity. To have a fine grain detection model both benign and viral behaviors are included to form the plane of what is normal behavior. We implemented routing WSN attacks that take advantage of the routing layer vulnerabilities to infect the sensor node. At run time, mIDS uses input data from RMT and the normal activity profile to detect abnormalities within the network. At prede_ned intervals mIDS analyses sensor node activity using the probability equation extracted at the offline stage using BLR. mIDS is currently installed at the constrained nodes and it is responsible for monitoring local sensor behavior. We developed BLR models for the routing and the MAC network layers to detect routing attacks. The BLR models that achieved 96% - 100% accuracy levels were the ones trained with routing layer data. We developed BLR models for each attack implemented and evaluated real time in three different topologies. Depending which BLR model raised an alarm, we can classify the type of the attack if it has Selective Forward and/or Blackhole or if the attack is of type Sinkhole. The BLR model for Sinkhole attack detected, in all network topologies the attack with no false alarms.