A Heterogeneous Framework to Detect Intruder Attacks in Wireless Sensor Networks

Wireless sensor networks (WSNs) have been broadly implemented in real-world applications, such as forest fire monitoring, military target detection, medical and scientific fields, and above all in daily home life. Nevertheless, WSNs are easily compromised by adversaries because they communicate over a broadcast transmission medium and lack tamper resistance. Consequently, an intruder can overhear all traffic, replay previous messages, inject malicious data packets, or compromise a node. Commonly, sensor nodes are highly vulnerable to two main security issues: node authentication and node compromise. In this paper, a heterogeneous framework of node capture and intrusion detection for WSNs is proposed. This framework efficiently detects captured nodes by using a novel technique, embedded with an intrusion detection mechanism that combines signature and anomaly based approaches with Neural Network Multi-Layer Perceptron (MLP) classification in a clustering environment. Moreover, the proposed framework achieves efficiency at reasonable computation and communication costs, and it can serve as a security shield for real WSN applications.

Keywords—Intrusion; node compromise; anomaly; signature; MLP


I. INTRODUCTION
Sensor networks are highly distributed networks of tiny, lightweight wireless nodes, deployed in huge numbers to monitor the environment by measuring physical parameters, e.g., pressure, temperature, or relative humidity. Recent advances in micro-electro-mechanical systems (MEMS) technology have made it possible to build such sensors [1]. Some of the important applications of wireless sensor networks are as follows:
• Wireless sensor networks could be an essential part of military command, computing control, communications, surveillance, intelligence, and targeting systems [2].
• Sensor networks are also largely applied in agriculture research, habitat monitoring, fire detection and traffic management [3].
• Sensor networks are extensively used in home appliances, health care, classroom operations, and structural monitoring [4][5][6][7][8].
The topology design in WSNs ranges from a simple star network to a complex wireless multi-hop mesh network. The data propagation technique used between the network hops could be flooding or routing. Conventional WSNs are susceptible to various kinds of attacks. These attacks can typically be classified into the following types [9][10]: (i) attacks on authentication and secrecy, (ii) attacks on the availability of the network, and (iii) hidden attacks on service integrity. The focus of this paper is on the first and third types of attacks on sensor networks. Currently, security mechanisms for sensor networks focus on external attacks, and these mechanisms fail to protect against internal attacks in which a group of sensor nodes has been compromised. In hidden attacks, an intruder tries to compromise a sensor node so as to inject fake data. In this form of attack, an intruder accesses the code and encryption keys used by the network. The adversary can constantly interrupt or halt the normal functions of the sensor network, e.g., by building routing loops. A compromised node might impact the sensor network by sending authenticated data to the base station. By physically accessing the sensor nodes, an intruder can fully control the operations of a few sensor nodes. Node compromise is normally regarded as one of the most challenging problems in WSN security [11].
An adversary attacking a node tries straightaway to tamper with the captured node physically to retrieve the cryptographic information. This attack can harm the security of the underlying network architecture. Furthermore, it can give rise to many subsequent powerful insider threats [12]. Once compromised by an adversary, the node can perform a variety of tasks that it is commanded to do. The node can be directed to act as a launch pad for spam posting, stealing private information, or spreading spyware. Considering that the operation of a WSN depends on the accuracy of the secret information exchanged between the nodes, node compromise has a detrimental impact on WSNs. Consequently, a single compromised node could be a mighty weapon for an adversary in WSNs. Since wireless communication is susceptible to eavesdropping, an intruder can observe the flow of data and try to modify, intercept, disrupt, or falsify data packets [13] and disseminate incorrect information to the sink. Because sensor nodes typically have scarce resources and a short transmission range, an intruder possessing huge processing capability and a longer communication range could compromise many sensors at a time in order to modify the real data during communication.
A large number of security solutions have previously been proposed, e.g., key exchange, authentication, secure routing, and safety mechanisms for particular attacks. To some extent these security techniques are able to ensure security; however, they can't remove the security attacks completely [14]. To overcome the challenge faced by WSNs, this paper proposes a scheme which efficiently detects captured nodes by using a novel technique, embedded with an intrusion detection mechanism which utilizes anomaly and signature based approaches in combination with clustering and the Neural Network Multi-Layer Perceptron (MLP) classification algorithm [15].
The remaining parts of this paper are organized as follows: Section 2 gives the literature review and related works. Section 3 describes the framework with details of the algorithms of the proposed solution. The experimental results are demonstrated in Section 4. The paper is concluded in Section 5.

II. LITERATURE REVIEW
In [9] the authors propose "software based attestation for embedded devices" (SWATT) to discover an immediate change in the content of sensor memory which indicates the chance of an attack.
In [16], Hartung et al. retrieve the cryptographic secrets on a sensor node of MICA2 type by extracting its internal memory via the JTAG interface. This attack is further explored in [17], where Becher et al. show how to retrieve many components of the node hardware, such as the external memory, the bootstrap loader or the JTAG interface. The authors suggested that the programming interfaces should be disabled so that unauthorized access to the microcontroller is prevented. They also indicated that a captured node necessarily remains absent for a considerable period, which is enough to detect the capture. The work in [18] presents a fully distributed detection system which cooperates with the nearest node(s) to reach a decision regarding the malicious behavior of the sensors. The authors enhance the initial security framework and develop a more promising Intrusion Detection System agent architecture, known as LIDeA (lightweight intrusion detection architecture), in [19]. They proposed a new encryption scheme which secures the network from external attacks and also devised a few rules to detect the sinkhole attack. They focused on the MintRoute routing protocol, and the approach they proposed is not applicable to routing protocols such as LEACH.
In [20] the authors developed an Intrusion Detection System based on SEP (Stable Election Protocol) for clustered heterogeneous WSNs. The advantage of adopting the SEP protocol is its heterogeneity awareness, which increases the lifetime of the first node before its death. They trained their system to identify four types of attacks: DoS, Probe, R2L, and U2R. Their proposed scheme used the KNN (K-nearest neighbor) classifier to detect an anomaly in the system.
In [21] the authors proposed an intruder sniffing system based on IP address, MAC address, and port number for cluster-based WSNs. According to them, the proposed approach is truly efficient in energy consumption for initial detection and prevention of security risks and attacks. They argued that initial detection and prevention of the adversary by an effective security system limits several problems such as network slowdown, injection of fake data, and much more. They also believed that by designing a security mechanism where a Base Station has the responsibility for overall network security, higher security measures are expected without draining the energy levels of the cluster heads as well as individual sensor nodes.
In [22], Coppolino et al. presented a lightweight, hybrid and distributed IDS for WSNs. They utilized both anomaly based and misuse based techniques. Their technique consists of a central agent (CA), which carries out extremely accurate intrusion detection by using data mining methods, and lighter local agents (LA) running on the motes to detect intrusions.
In [23], Yassine et al. proposed an IDS model which uses anomaly detection based on the SVM technique and a set of attacks that are represented by fixed rule signatures. These signatures are designed to detect the malicious behavior of the intruder by the anomaly detection method. This approach is implemented in a cluster based topology to increase the network lifetime.

III. THE PROPOSED FRAMEWORK
The proposed framework defends the network from various types of attacks on service integrity, authentication and secrecy, etc., and at the same time it doesn't depend on a particular routing protocol. The proposed framework assumes geographic routing with a slight modification in the multi-hop topology. In the proposed routing protocol, nodes only need to be aware of the locations of their nearest neighbors in the cluster; data packets are routed through the network by being forwarded to a cluster. The major advantages of geographic routing over other routing strategies of WSNs include: (i) the stateless, and therefore highly energy efficient, nature of routing, (ii) fast adaptability to the network's topological changes, and (iii) scalability [24][25], which should be the main objectives while deploying any type of WSN. These distinguishing characteristics make the protocol efficient, simple, and physically deployable, averting the use of practical routing that can introduce complexity and overhead in the mobile framework. The methodology of the proposed framework is as follows:

A. Hidden attacks on Service integrity:
The sensor nodes are deployed sparsely in the network. After deployment, the sensors that are physically close to each other unanimously choose a cluster head (CH), based on various parameters such as battery power at selection time. This selection is dynamic in the sense that the node with higher battery power is selected as the CH. The sensors in a cluster dynamically create the node ID lists of the neighboring nodes and the CH. This list is maintained until the node changes cluster, either by itself, by the deploying authority, or because of an adversary who tries to displace/compromise the node. The cluster head is responsible for the data transmission between the clusters, which finally arrives at the sink. The deployed sensor reads/senses the data from the environment and disseminates it to the cluster head by applying the geographic routing protocol. It is then the responsibility of the cluster head to transmit the data to another CH or to the sink. This paper proposes an algorithm to prevent possible node compromise by an adversary:

ALGORITHM 1:
Begin
1) Node "n1" and any neighboring node "n2" talk to each other (by transmitting messages) after a specified interval of time about their presence and non-compromising behavior in the network. Two cases arise in this scenario:
a) Node "n1" is not sending the message to its neighbor within the specified period of time "t" for some reason other than node compromise; there may be many possible reasons, such as traffic congestion or hardware reconfiguration.
b) Node "n1" is compromised: the neighboring node "n2" waits for the message for the specified period of time "t" and then broadcasts the failure mode of node "n1"; all the neighboring nodes block the node ID in their lists temporarily for a certain threshold time "T". When the compromised node doesn't acknowledge its presence after the expiration of the threshold, it is blocked permanently and blacklisted from the network.
2) An adversary tries to shift the location of particular node(s) from the deployed area so as to compromise the immediate neighboring node ID list, retrieve the cryptographic keys, etc. Two cases arise:
a) The attacked node senses the displacement by an unauthorized party without a certain predefined verification, shuts down the system immediately, and erases its memory and node ID list.
b) Before shutting the system down, the displaced node raises an alarm and notifies the neighboring nodes and the CH about the attack.
End

Below is the flow chart representation of the proposed node compromise algorithm, as shown in Fig. 1.
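The neighbor-monitoring rule of Algorithm 1, step 1, sketched in Python as an added example (not code from the paper). The class and method names, the values of t and T, and the timeline are constructed; it assumes presence messages are authenticated and that a message arriving before T expires lifts the temporary block, which is how case (a) is read here.

```python
from dataclasses import dataclass, field


@dataclass
class NeighborMonitor:
    """Node n2's view of its neighbors (hypothetical helper, not from the paper)."""
    t: float  # silence tolerated before a neighbor is reported as failed
    T: float  # temporary-block threshold before permanent blacklisting
    last_seen: dict = field(default_factory=dict)
    blocked_at: dict = field(default_factory=dict)  # node ID -> time of temporary block
    blacklist: set = field(default_factory=set)

    def heartbeat(self, node_id, now):
        """Record a presence message; returns False if the sender is blacklisted."""
        if node_id in self.blacklist:
            return False
        self.last_seen[node_id] = now
        # Case (a): the node was only delayed (e.g. congestion), so unblock it.
        self.blocked_at.pop(node_id, None)
        return True

    def tick(self, now):
        """Evaluate timers; returns the events n2 would broadcast to the cluster."""
        events = []
        for node_id, seen in self.last_seen.items():
            if node_id in self.blacklist:
                continue
            if node_id in self.blocked_at:
                # Case (b): no acknowledgement within T, so blacklist permanently.
                if now - self.blocked_at[node_id] >= self.T:
                    self.blacklist.add(node_id)
                    events.append(("blacklist", node_id))
            elif now - seen > self.t:
                self.blocked_at[node_id] = now
                events.append(("failure", node_id))
        return events


def run_constructed_timeline():
    """Constructed scenario: n1 is congested for a while, n3 is captured."""
    mon = NeighborMonitor(t=10, T=30)
    beats = {0: ["n1", "n3"], 5: ["n1", "n3"]}
    for now in range(30, 65, 5):
        beats[now] = ["n1"]  # n1 resumes at 30; n3 never returns
    log = []
    for now in range(0, 65, 5):
        for node_id in beats.get(now, []):
            mon.heartbeat(node_id, now)
        log += [(now, ev, nid) for ev, nid in mon.tick(now)]
    return mon, log


if __name__ == "__main__":
    monitor, events = run_constructed_timeline()
    for entry in events:
        print(entry)
```

In the constructed run both silent nodes are reported at time 20, the congested node n1 is unblocked when it resumes at 30, and only n3 ends up on the permanent blacklist.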

B. Attack on the authentication and the secrecy:
An Intrusion Detection System (IDS) is one potential solution for several security attacks in WSNs. An IDS can only detect attacks but is unable to prevent them. Once an attack is detected, the IDS can raise an alarm to notify the controller to take appropriate action. The standard classification of intrusions in networks falls into four major categories: DoS, Probe, U2R and R2L. Two main classes of IDS exist: (1) rule based IDS and (2) anomaly based IDS [26]. A rule based or signature based IDS detects intrusions with the assistance of built-in signatures. A rule based IDS has the ability to detect known attacks with greater accuracy; however, it is not able to detect attacks that are new and for which there are no signatures present in the intrusion database. Anomaly based IDSs, in contrast, are able to detect new and novel intrusions by matching against routine traffic patterns and/or resource utilization.
For authentication and secure data transmission in the wireless sensor network, a hybrid Intrusion Detection System, anomaly and signature based, is proposed. The proposed IDS scheme is also distributed in the following way: (i) misuse based IDS is implemented locally in the nodes. The network is trained to detect several types of known attacks before the deployment phase, and the signatures are added to the nodes' profile. This misuse (signature) based IDS is a lightweight scheme and is used to detect known attacks on the network. In the case of new or novel attacks which can't be detected by the signature based scheme in the sensor nodes, (ii) the anomaly based IDS which is implemented in the CHs comes into action. The anomaly based IDS scheme in the CHs detects any deviation from the normal functioning of the network. If a deviation is detected, the CH immediately stops the transmission of data and informs the neighboring CHs by raising some kind of alarm. Simultaneously, the new signature pattern which is based on this deviation is added to the misuse based IDS profile in the sensor nodes for future detection.
In this way, both IDS techniques are utilized in a very efficient and optimal manner. This technique makes the proposed network robust and secure against several kinds of intruder attacks. This scheme is basically a blend of standalone and hierarchical architecture in WSNs. The proposed IDS scheme has an advantage over the monitoring node schemes in the literature: the IDS is implemented in all the sensor nodes, which makes them self-reliant in resisting any kind of attack to a large extent, and at the same time they do not rely on any other monitoring node for intrusion detection, which, if compromised, disrupts all the network functionality.

C. Anomaly based detection model:
This model is proposed to implement the Multi-Layer Perceptron (MLP) (Fig. 2) and the backpropagation algorithm for training the anomaly based detection system. It is a supervised learning algorithm [27]. The MLP is an artificial neural network which is extensively used to solve different problems such as pattern recognition, regression, etc. A multi-layer perceptron is a network composed of several neurons, which are divided into an input layer, an output layer, and one or more hidden layers. The perceptron must find the function that connects the input and the target output. It accomplishes this with a very simple rule: Equation (1) calculates y_i, which is the output of the node; w denotes the vector of weights, x is the vector of inputs, b is the bias and f is the activation function.

Design: In this case, the proposed IDS consists of several neural networks which operate in parallel [28]. Every CH is a three-layer neural network and has its own training data sets for intrusion detection. The back-propagation algorithm is used to train the individual CH nodes. The parameters that were implemented are listed below:
• Back propagation algorithm used for CH IDS learning.
• MLP structure is utilized with input, hidden, and output layers.
• Sigmoid function is used as activation function.
The MLP algorithm which is implemented in CHs for anomaly based IDS is defined as follows:
• MLP classifies the data into five categories which are Normal, Probe, DoS, U2R, and R2L.
This approach reduces false alarms (FA) while maintaining accuracy and detection at a higher range. In line with previous research in intrusion detection, the performance of the IDS is calculated and evaluated by the measures of accuracy, detection rate and false alarm, which are defined in (2), (3) and (4) as follows:

IV. EXPERIMENTAL RESULTS
The experiments were conducted to evaluate the proposed framework in terms of accuracy, attack detection rate and false alarm. The evaluation of the proposed IDS detection system is conducted using the KDD Cup 99 dataset [29]. This dataset is criticized for its repetition of records. This repetition of records prevents learning algorithms from detecting unknown attacks [30]. Notwithstanding, it is the only publicly available labelled dataset which has been used extensively in the research field of intrusion detection. Experimenting with the proposed approach on the KDD Cup 99 dataset provides a significant evaluation and makes the performance comparison with other advanced techniques commensurate.
Two experiments have been carried out on the MLP classifier and SVM using the KDD Cup 99 dataset. All experiments were performed on an Intel® Core™ 2 Duo CPU T7500 @2.20 as computing machine with the following specifications: 4 GB main memory, running Microsoft Windows 8. During the evaluation, the 10 percent labeled data of the KDD Cup 99 dataset is utilized, where three types of legal traffic (TCP, UDP and ICMP) are available.
The evaluation of these experiments is based on accuracy, attack detection rate and false alarm. Fig. 4 classifies the result for each type of data using the testing dataset. Data from Table 1 is represented graphically in Fig. 5, which clearly shows that for the given attack categories, MLP performs better than the K-M algorithm. Moreover, the data collected from Table 2, which is represented in Fig. 6, shows that in detecting false alarms MLP lags behind only in the probing category. MLP shows better detection performance: more than 85% of attack records for the probing category, more than 95% in DoS and more than 97% in the R2L category.

V. CONCLUSION AND FUTURE WORK
The proposed framework aims to protect the network from attacks on service integrity, authentication and secrecy by employing a heterogeneous approach to intrusion detection. It is a heterogeneous IDS framework which utilizes many state-of-the-art approaches together to achieve the maximum probability of intrusion detection in WSNs. The experiments which were carried out in comparison with the K-M algorithm evaluate the performance of the proposed IDS technique on the KDD Cup 1999 dataset and showed that MLP detects more than 85% of attack records for the probing category, more than 95% in DoS and also more than 97% in the R2L category. It also showed promising results in detecting false alarms. In future work, more innovative techniques for intrusion detection in WSNs will be considered.

ALGORITHM 2:
Begin
Initialize weights at random, choose a learning rate η
Train the network for each training example (input pattern and target output(s)):
Do - Until output is produced:
Do - forward pass through network layer by layer:
• Compute error (delta or local gradient) for each output unit δ_k
• By backpropagation, layer by layer, compute error (delta or local gradient) for each hidden unit δ_j
• Correct the output layer of weights.
• Correct the input weights.
• Update all the weights Δw_ij
Done
End

Below is the flow chart representation of the proposed anomaly detection (MLP) algorithm, as shown in Fig. 3.

Fig. 3. Algorithm #2 Flowchart

The structure of neural networks and WSNs has similar characteristics, i.e., inter-connected components. Both types of networks implement functions which map input values to output values. Artificial neural networks (ANN) have general characteristics which are also desirable in WSNs. The ANN MLP classification algorithm was selected for training the anomaly based detection in CHs for the following reasons:
• This technique is designed to be parallelized.
• It is very fast to evaluate new attacks.
• It is also robust on noisy training data, which is inherent in WSNs.
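Algorithm 2 with the three-layer structure and sigmoid activation listed in Section III-C, written out in Python as an added example (not the authors' implementation). The two-class feature vectors, layer sizes, learning rate, seed and squared-error loss are constructed assumptions; the paper's classifier distinguishes five categories and is trained on KDD Cup 99.

```python
import math
import random


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class MLP:
    """Three-layer perceptron; each weight row ends with the unit's bias b."""

    def __init__(self, n_in, n_hid, n_out, eta=0.5, seed=7):
        rnd = random.Random(seed)  # fixed seed so the run is repeatable
        self.eta = eta
        self.w_hid = [[rnd.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hid)]
        self.w_out = [[rnd.uniform(-0.5, 0.5) for _ in range(n_hid + 1)] for _ in range(n_out)]

    @staticmethod
    def _layer(rows, x):
        # y_i = f(w . x + b) with f = sigmoid; zip stops before the bias entry
        return [sigmoid(sum(w * v for w, v in zip(row, x)) + row[-1]) for row in rows]

    def forward(self, x):
        h = self._layer(self.w_hid, x)
        return h, self._layer(self.w_out, h)

    def train_one(self, x, target):
        h, y = self.forward(x)
        # Local gradient of each output unit (delta_k) for squared error.
        d_out = [(t - o) * o * (1 - o) for t, o in zip(target, y)]
        # Back-propagate to each hidden unit (delta_j) before touching weights.
        d_hid = [hj * (1 - hj) * sum(d * row[j] for d, row in zip(d_out, self.w_out))
                 for j, hj in enumerate(h)]
        for d, row in zip(d_out, self.w_out):  # correct output-layer weights
            for j, hj in enumerate(h):
                row[j] += self.eta * d * hj
            row[-1] += self.eta * d
        for d, row in zip(d_hid, self.w_hid):  # correct input-layer weights
            for i, xi in enumerate(x):
                row[i] += self.eta * d * xi
            row[-1] += self.eta * d
        return sum((t - o) ** 2 for t, o in zip(target, y))


LABELS = ["Normal", "DoS"]
# Constructed, normalized features: (packet rate, share of dropped requests).
TRAIN = [((0.10, 0.10), 0), ((0.20, 0.10), 0), ((0.10, 0.20), 0), ((0.15, 0.15), 0),
         ((0.90, 0.80), 1), ((0.80, 0.90), 1), ((0.90, 0.90), 1), ((0.85, 0.80), 1)]


def train(epochs=2000):
    net = MLP(n_in=2, n_hid=3, n_out=2)
    errors = []  # summed squared error per epoch
    for _ in range(epochs):
        errors.append(sum(net.train_one(x, [float(c == k) for k in range(2)])
                          for x, c in TRAIN))
    return net, errors


def classify(net, x):
    _, y = net.forward(x)
    return LABELS[y.index(max(y))]
```

Calling `train()` and then `classify(net, x)` on a feature pair not in `TRAIN` shows the CH-side decision step; the per-epoch error list makes it easy to see whether training has converged.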

ACKNOWLEDGMENT
This project was supported by the deanship of scientific research at Prince Sattam bin Abdulaziz University under the research project # 2015/01/4646.