Insider Attacker Detection in Wireless Sensor Networks

Nov 21, 2013

Fang Liu, Xiuzhen Cheng

The George Washington University

IEEE INFOCOM 2007

26th IEEE International Conference on Computer Communications.


Presented by Jinman Jeong

Outline

Introduction
Existing Solutions
Insider Attacker Detection
Performance Evaluation
Conclusion

Introduction

Nodes are easy to compromise

Insider attacker

Compromised nodes can be insider attackers.

An internal adversary with access to the valid cryptographic keys can easily modify and drop packets

Causes false readings

Causes routing misbehaviors



Existing Solutions

Several approaches in WSNs
  misuse based - requires prior knowledge
  anomaly based - requires prior knowledge
  specification-based - requires prior knowledge
  cross feature analysis based - requires prior knowledge
  specific protocol based - not general

Prior knowledge requirement
  incurs extra training overhead
  raises the serious concern that attack behaviors may change dynamically


Detecting insider attackers

Requires no prior knowledge

Generic solution

Instead of considering specific aspects, monitors many aspects of sensor networking behaviors.

High detection accuracy and low false alarm rate

Our Work

A General Solution to Insider Attacker Detection

The Basic Idea

Observation and assumption in this paper:
  Expected to behave similarly in a close neighborhood.

Localized statistical analysis
  Measure the networking behaviors of neighbor nodes
  (e.g. packet dropping rate, packet sending rate, forwarding delay time, etc.)



Algorithm

Information Collection: each node gets information from neighbor nodes

Filtering the collected data: for an accurate detection result, the collected information must be filtered

Initial insider attacker detection: the detection is conducted by computing the Mahalanobis distance

Majority Vote: the final decision

Throughout this paper, insider attackers are also called outliers.

Information Collection

$x_i$: a neighbor node of $x$.

$F(x_i)$: the set of attribute vectors received from sensor $x_i$ (e.g. packet drop rate, sensor readings, ...)

Node $x$ gets $F(x_i)$ from its neighbor nodes.

[Figure: node x and its neighbor nodes x_1, x_2, x_3, ..., x_i]

$F(x_i) = (f_1(x_i), f_2(x_i), \ldots)^T$

Filtering the collected data

N(x): the neighborhood of x, whose selection is determined by the node density in the network
  For a dense network, N(x) may equal the one-hop neighbors
  For a sparse network, N(x) should be large

For a sparse network, sensor A should select a reliable relay node (C or D?) for filtering information from F

[Figure: sparse and dense network topologies with nodes A, B, C, D, E, F]

Filtering the collected data

[Figure: sparse network with nodes A, B, C, D, E, F]

How to select a reliable relay node (C or D)?

Standardize: Z = |(y - μ)/σ|
max: the largest standardized value for each node (the underlined field on the slide)
Trust value: T = min/x, with min = 0.83

Node  A's monitoring results  Standardized (Z)     max   Trust value (T)
C     (19, 32, 40)            (0.83, 0.63, 0.15)   0.83  1
D     (22, 11, 42)            (1.17, 1.49, 1.31)   1.49  0.56
E     (21, 29, 38)            (0.50, 0.33, 1.02)   1.02  0.81
F     (19, 31, 39)            (0.83, 0.53, 0.44)   0.83  1

Reliable relay node: C
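
The trust-value computation on this slide, written out as an added Python example (it is not code from the slides or from the paper). It assumes the sample standard deviation (n - 1), which is what reproduces the slide's numbers; the function names are illustrative.

```python
from statistics import mean, stdev

# A's monitoring results from the slide: one 3-attribute vector per neighbor.
OBSERVED = {"C": (19, 32, 40), "D": (22, 11, 42), "E": (21, 29, 38), "F": (19, 31, 39)}

def standardize(readings):
    """Per attribute, Z = |(y - mu) / sigma| computed across all neighbors."""
    columns = list(zip(*readings.values()))
    # Assumption: sample standard deviation (n - 1); needs at least two neighbors.
    stats = [(mean(col), stdev(col)) for col in columns]
    return {
        nid: tuple(abs((y - mu) / sigma) if sigma else 0.0
                   for y, (mu, sigma) in zip(vector, stats))
        for nid, vector in readings.items()
    }

def trust_values(readings):
    """T = min / x, where x is each neighbor's largest standardized deviation."""
    worst = {nid: max(z) for nid, z in standardize(readings).items()}
    smallest = min(worst.values())
    return {nid: (smallest / w if w else 1.0) for nid, w in worst.items()}

def pick_relay(readings, candidates):
    """Choose the candidate relay node with the highest trust value."""
    trust = trust_values(readings)
    return max(candidates, key=lambda nid: trust[nid])

if __name__ == "__main__":
    for nid, t in trust_values(OBSERVED).items():
        print(nid, round(t, 2))
    print("relay:", pick_relay(OBSERVED, ["C", "D"]))
```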


Insider Attacker Detection

The detection is conducted by computing the Mahalanobis distance
  $x_i$ is treated as an outlier if $D(x_i)$ is larger than θ (i.e., > θ)

Mahalanobis distance
  In statistics, a useful way of determining the similarity of an unknown sample set to a known one.
  In pattern recognition, widely used in classification techniques.


Insider Attacker Detection

Univariate Gaussian distribution, X ~ N(μ, σ²), probability density function:

$$p(x) = \frac{1}{\sqrt{2\pi}\,\sigma} \exp\left(-\frac{(x-\mu)^2}{2\sigma^2}\right)$$

Multivariate Gaussian distribution, X ~ N(μ, Σ):

$$p(\mathbf{x}) = \frac{1}{(2\pi)^{d/2}\,|\Sigma|^{1/2}} \exp\left(-\frac{1}{2}(\mathbf{x}-\boldsymbol{\mu})^T \Sigma^{-1} (\mathbf{x}-\boldsymbol{\mu})\right)$$

As the Mahalanobis distance increases, the probability decreases.

Mahalanobis distance

$$D^2(x_i) = (f(x_i)-\mu)^T\, \Sigma^{-1}\, (f(x_i)-\mu) \sim \chi^2_d .$$

Thus, $\mathrm{Prob}(D^2(x_i) > \chi^2_d(\alpha)) > \alpha$.
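
The distance test above, as an added Python example (not code from the slides or the paper). Assumptions: the plain sample mean and covariance stand in for μ and Σ, since the slides do not say which estimator is used; θ is applied to D² and set to the chi-square critical value 7.815 (d = 3, α = 0.05); the sample data are constructed around the means given in the simulation settings.

```python
CHI2_3_UPPER_5PCT = 7.815  # chi-square critical value for d = 3, alpha = 0.05

def mean_and_cov(vectors):
    """Sample mean and covariance (an assumption; the slides name no estimator)."""
    n, d = len(vectors), len(vectors[0])
    mu = [sum(v[j] for v in vectors) / n for j in range(d)]
    cov = [[sum((v[a] - mu[a]) * (v[b] - mu[b]) for v in vectors) / (n - 1)
            for b in range(d)] for a in range(d)]
    return mu, cov

def solve(matrix, rhs):
    """Solve matrix * y = rhs by Gauss-Jordan elimination with partial pivoting."""
    d = len(rhs)
    aug = [row[:] + [r] for row, r in zip(matrix, rhs)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("singular covariance: too few or degenerate neighbors")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(d):
            if r != col:
                factor = aug[r][col] / aug[col][col]
                aug[r] = [x - factor * y for x, y in zip(aug[r], aug[col])]
    return [aug[i][d] / aug[i][i] for i in range(d)]

def mahalanobis_sq(readings):
    """D^2(x_i) = (f(x_i) - mu)^T Sigma^-1 (f(x_i) - mu) for every neighbor."""
    mu, cov = mean_and_cov(list(readings.values()))
    result = {}
    for nid, f in readings.items():
        diff = [x - m for x, m in zip(f, mu)]
        result[nid] = sum(a * b for a, b in zip(diff, solve(cov, diff)))
    return result

def detect_outliers(readings, theta=CHI2_3_UPPER_5PCT):
    """Flag x_i as an outlier when D^2(x_i) > theta."""
    return sorted(n for n, d2 in mahalanobis_sq(readings).items() if d2 > theta)

# Constructed sample: 12 neighbors near the slide's normal mean (10, 15, 20)
# and one node reporting the slide's abnormal mean (30, 35, 40).
STEPS = [(1, 0, 0), (-1, 0, 0), (0, 1, 0), (0, -1, 0), (0, 0, 1), (0, 0, -1)]
SAMPLE = {f"n{k}": (10 + s[0], 15 + s[1], 20 + s[2]) for k, s in enumerate(STEPS * 2)}
SAMPLE["bad"] = (30, 35, 40)
```

With sample estimates, no node among n neighbors can score above (n - 1)²/n, so with fewer than 10 neighbors nothing can exceed 7.815 and an outlier masks itself.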

Majority Vote

When sensor x has determined which sensors are outlying, it sends a message with the following format to its neighbors:

  n  ID_1  Status_1  ...  ID_n  Status_n

  n: the number of sensors in N'(x)
  ID_i: the ID of sensor x_i
  Status_i: whether or not x_i is an outlier (0/1)

Sensor x receives announcements from the others

Sensor x makes the final decision from all the votes
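
A tally over announcements in the format above, as an added Python example (not code from the slides or the paper). Assumptions: fields are whitespace-separated, Status 1 means outlier, a node's vote on itself is ignored, and a node is judged an outlier when outlier votes strictly outnumber normal votes; the slides give only the field order.

```python
from collections import defaultdict

def parse_announcement(message):
    """Parse 'n ID_1 Status_1 ... ID_n Status_n' into {id: status}."""
    fields = message.split()
    if not fields or not fields[0].isdigit():
        raise ValueError("missing neighbor count n")
    n, rest = int(fields[0]), fields[1:]
    if len(rest) != 2 * n:
        raise ValueError("n does not match the number of ID/Status pairs")
    votes = {}
    for node_id, status in zip(rest[0::2], rest[1::2]):
        if status not in ("0", "1") or node_id in votes:
            raise ValueError("bad status or duplicate ID")
        votes[node_id] = int(status)
    return votes

def majority_vote(announcements):
    """announcements: {sender_id: raw message}. Returns the IDs judged outliers."""
    tally = defaultdict(lambda: [0, 0])  # id -> [normal votes, outlier votes]
    for sender, message in announcements.items():
        try:
            votes = parse_announcement(message)
        except ValueError:
            continue  # a malformed announcement carries no vote
        for node_id, status in votes.items():
            if node_id != sender:  # assumption: a node does not vote on itself
                tally[node_id][status] += 1
    return sorted(nid for nid, (ok, bad) in tally.items() if bad > ok)

# Constructed announcements: honest nodes a, b, c flag m; insider m accuses them.
RECEIVED = {
    "a": "3 b 0 c 0 m 1",
    "b": "3 a 0 c 0 m 1",
    "c": "3 a 0 b 0 m 1",
    "m": "3 a 1 b 1 c 1",
    "d": "4 a 0 m 1",  # malformed: n = 4 but only two ID/Status pairs
}

if __name__ == "__main__":
    print(majority_vote(RECEIVED))
```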

Simulation Settings

N = 4096 uniformly distributed sensors (64 × 64, q = 3 attributes)

Different normal distributions:
  μ1 (normal) = (10, 15, 20), Σ1 ~ N_3(μ1, Σ1)
  μ2 (abnormal) = (30, 35, 40), Σ2 ~ N_3(μ2, Σ2)

Σ1 = Σ2 =

Simulation Settings

2 different tests were run 100 times, and the results are averaged.
  Dense network
  Sparse network (N(x) should contain more of the multi-hop neighborhood for better performance)

Performance Evaluation (1/2)

Detection accuracy = (# of detected outliers) / (# of real outliers)

[Figures: detection accuracy for sparse networks and dense networks]

Performance Evaluation (2/2)

False alarm = (# of normal sensors that are claimed as insider attackers) / (# of normal sensors)

[Figures: false alarm rate for sparse networks and dense networks]

Conclusion

Generic solution to detect an insider attacker

Requires no prior knowledge about network activities

High detection accuracy, low false alarm rate

Works well with 25% misbehaving sensors


Thank you!