Exploring the Benefits of Wireless Sensor Networks

intrusions, and other forms of computer abuses can be viewed as finding non-permitted deviations (or security violations) of the characteristic properties in the monitored (network) systems. This assumption is based on the fact that intruders’ activities must be different (in some ways) from the normal users’ activities. However, in most situations, it is very difficult to realize or detect such differences before any damage occur during break-ins.

The aim is to develop and implement an efficient WIDS (Wireless Intrusion Detection System) in an infrastructure-based wireless network and try to use anomaly-detection techniques to detect different types of attacks within the wireless network. Wireless Sensor Networks A wireless sensor network is a collection of nodes organized into a cooperative network (Hill et al, 2000). Each node consists of processing capability (one or more microcontrollers, CPUs or DSP chips), may contain multiple types of memory (program, data and flash memories), have a RF transceiver (usually with a single omni-directional antenna), have power source (e. . , batteries and solar cells), and accommodate various sensors and actuators. The nodes communicate wirelessly and often self-organize after being deployed in an ad hoc fashion. Systems of 1,000 or even 10,000 nodes are anticipated (Stankovic, 2006). Such systems can revolutionize the way we live and work. Currently, wireless networks are beginning to be deployed at an accelerated pace. According to Stankovic (2006), it is not unreasonable to expect that in 10-15 years that the world will be covered with wireless sensor networks with access to them via the Internet.

This can be considered as the Internet becoming a physical network. This new technology is exciting with unlimited potential for

numerous application areas including environmental, medical, military, transportation, entertainment, crisis management, homeland defence, and smart spaces. Network Intrusion Network intrusion is a deliberate attempt to enter a network and break the security of the network thus breaking the confidentiality of the information present in the systems of the network.

The person who tries to attempt such an action is called an Intruder and the action can be termed as Network Intrusion. The Network Administrator is supposed to protect his network from such persons and this software can help him in his efforts. Intrusion Detection Systems (IDS) An Intrusion Detection System (IDS) is a system that is responsible for detecting anomalous, inappropriate, or other data that may be considered unauthorized occurring on a network. An IDS captures and inspects all traffic, regardless of whether it’s permitted or not.

Based on the contents, at either the IP or application level, an alert is generated. Statement of the Problem With the ever-increasing need for organizations and individuals to stay connected by means of computer networks comes the challenge of preventing malicious attempts to break the confidentiality of information present in the systems of a network, and unauthorized access to resources on the network. A variety of traditional techniques are commonly used to help prevent computer crimes.

These include protecting computer screens from observation, keeping printed information and computers in locked facilities, backing up copies of data files and software, and clearing desktops of sensitive information and materials, user authentication, data encryption, avoiding programming errors and firewalls, are used as the first line of defence for sensor networks. If a password is weak and is compromised,

user authentication cannot prevent unauthorized use; firewalls are vulnerable to errors in configuration and ambiguous or undefined security policies.

They are generally unable to protect against malicious mobile code and insider attacks. Programming errors cannot be avoided as the complexity of the system and application software is changing rapidly leaving behind some exploitable weaknesses. Intrusion detection is therefore required as an additional wall for protecting systems (Bace, R. ; 2000). In view of the foregoing, there is the need for a system to detect network intrusions by monitoring data packets transmitted in and out of a network, preventing access to a network by known malicious IP addresses and optimizing the speed of such processes. Objective of the Study

The objective of the study is to create a wireless network intrusion detection system for wireless sensor networks that is capable of detecting certain well-known intrusion attacks on the host system and display warnings to users and also store information regarding the IP addresses and consequently allow the traffic based on that information. The system is expected to satisfy the following high level requirements: i. Ability to monitor traffic in the form of data packets to and from the host system ii. Ability to keep a log of identified intrusion attacks done on the host system and to provide this information on request.

Ability to keep a record of well-known malicious IP addresses and prevent network access when such addresses are detected Significance of the Study Intrusion detection devices are an integral part of any network. The internet is constantly evolving, and new vulnerabilities and exploits are found regularly. They provide an additional level

of protection to detect the presence of an intruder, and help to provide accountability for the attacker’s action. Four different types of attacks have been identified which makes the need for an IDS critical.

Denial of Service: Network-based-denial-of-service attacks are one of the easiest types of attacks. It often requires little effort to fully consume resources on the target computer, to starve the target computer of resources, or to cause critical services to fail or malfunction. Internal corporate networks typically do not have internal filtering defenses against common denial-of-service attacks, such as flooding. ii. Threat to Confidentiality: Some viruses attach themselves to existing files on the system they infect and they send the infected files to others.

This can result in confidential information being distributed without the author’s permission. iii. Modification of Contents: Intruders might be able to modify news sites, produce bogus press releases, and conduct other activities, all of which could have economic impact. iv. Masquerade: A masquerade takes place when one entity pretends to be a different entity. Authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an unauthorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.

Any system connected to the internet and providing TCP-based network services (such as Web server, FTP server, or mail server) is potentially subject to attack. Note that in addition to attacks launched at specific hosts, these attacks could also be launched against routers or other network server systems if these hosts enable (or turn on) other TCP services (e. g. echo). The consequences of the attack

may vary depending on the system; however, the attack itself is fundamental to the TCP protocol used by all systems. Scope of the Study The scope of this project will include:

• The monitoring and analysis of the wireless network user and system activities
• The recognition of patterns of known attacks
• The identification of abnormal network activity
• The accumulation of all local wireless transmissions
• The generation of alerts based either on predefined signatures or on anomalies in the traffic Limitation of the Study Because of the inability of the researcher to access a wireless sensor network, the project will be limited to the use of simulated wireless sensors data to mimic the monitoring data supplied about the monitored wireless network.

Definition of Terms

Intrusion: A deliberate unwanted attempt by an unauthorized person to break into a network to obtain or modify confidential information, access resources, abuse and misuse of sensitive system and application programs and data such as password, inventory, financial, engineering, and personnel files and generally make networks vulnerable to attacks.

Intruder: An unauthorized person such as a hacker or cracker who carries out intrusion attempts on networks.

Hacker: A computer user who makes unauthorized attempts to access system and application programs and data for malicious intent.

Cracker: A computer user who illicitly modifies system and application programs or data in a network for criminal purposes.

IP Address: Also known as Internet Protocol Address, the identifying number that enables any computer on the Internet to find any other computer on the network. It consists of four sets of numbers

separated by periods—for example, 123. 456. 78. 90 that is translated into a word-based address—for example, president. whitehouse. gov—by the Domain Name System (DNS) server.

Encryption: The process of converting messages or data into a form that cannot be read without decrypting or deciphering it.

The root of the word encryption—crypt—comes from the Greek word kryptos, meaning “hidden” or “secret. ”

Firewall: A device consisting of hardware and software that blocks unauthorized access to an organization's local area network (LAN). A firewall can reside on the administrative computer (the server) that acts as the local area network's gateway to the Internet or it can be a dedicated computer placed between the local area network and the Internet, so that the network is never in direct contact with the Internet.

The firewall also keeps track of every file entering or leaving the local area network in order to detect the sources of viruses and other problems that might enter the network.

Antivirus: A software or combination of software used to detect and possibly delete viruses on a computer.

Authentication: A security measure using data encryption that identifies the user and verifies that the message transmitted in a network was not tampered with.

Packet: The basic unit of data transferred over a network such as the Internet. A message to be transferred over the network is broken up into small units, or packets, by the sending computer.

The packets, which travel independently of one another, are marked with the sender's address, destination address, and other pertinent information, including data about any errors introduced during the transfer. When the packets

arrive at the receiving computer, they are reassembled. 11. Network Traffic: The volume or flow of messages transmitted over a network.

Literature Review

Review of Related Works

Application specific wireless sensor network consists of hundreds to thousands of low-power multi-functioning sensor nodes, operating in an unattended or hostile environment, with limited computational and sensing capabilities.

Realization of sensor network applications requires wireless ad hoc networking techniques. However protocols and algorithms proposed for traditional ad hoc networks are not well suited due to the unique features and application requirements of sensor networks. Because of its unique features, sensor networks are used in wide range of applications in areas like health, military, home and commercial industries in our day to day life (Albers, et al; 2002), (Axelsson, S, 2000). Data gathering protocols are formulated for configuring the network and collecting information from the desired environment.

In each round of the data gathering protocol, data from the nodes need to be collected and transmitted to Base Station, where from the end user can access the data. Sensor nodes use different data aggregation techniques to achieve energy efficiency. Existing data gathering protocol can be classified into four different categories based on the network structure and protocol operation. As WSN is mostly used for gathering application specific information from the surrounding environment, it is highly essential to protect the sensitive data from unauthorized access.

WSNs are vulnerable to security attacks due to the broadcast nature of radio transmission. Sensor nodes may also be physically captured or destroyed by the enemies. The uses of sensor network in various applications emphasis on secure routing. Various protocols

are proposed for routing and data gathering but none of them are designed with security as a goal. The resource limitation of sensor networks poses great challenges for security. As sensor nodes are with very limited computing power, it is difficult to provide security in WSN using public-key cryptography.

Therefore most of the proposed security solutions for WSN are based on symmetric key cryptography. This paper reviews possible attacks on WSN in general as well as attacks on specific WSN data gathering protocols. Overview of Security Issues Attack and Attacker An attack can be defined as an attempt to gain unauthorized access to service, resource or information, or the attempt to compromise integrity, availability, or confidentiality of a system. Attackers, intruders or the adversaries are the originator of an attack.

The weakness in a system security design, implementation, configuration or limitations that could be exploited by attackers is known as vulnerability or flaw. Any circumstance or event (such as the existence of an attacker and vulnerabilities) with the potential to adversely impact a system through a security breach is called threat and the probability that an attacker will exploit a particular vulnerability, causing harm to a system asset is known as risk. Security Requirements A sensor network is a special type of Ad hoc network. So it shares some common property as computer network.

The security requirements (Axelsson, S. 2000) (Estrin, et al 1999) of a wireless sensor network can be classified as follows: i. Authentication: As WSN communicates sensitive data which helps in many important decisions making. The receiver needs to ensure that the data used in any decision-making process originates

from the correct source. Similarly, authentication is necessary during exchange of control information in the network. ii. Integrity: Data in transit can be changed by the adversaries. Data loss or damage can even occur without the presence of a malicious node due to the harsh communication environment.

Data integrity is to ensure that information is not changed in transit, either due to malicious intent or by accident. iii. Data Confidentiality: Applications like surveillance of information, industrial secrets and key distribution need to rely on confidentiality. The standard approach for keeping confidentiality is through the use of encryption. iv. Data Freshness: Even if confidentiality and data integrity are assured, there is also need to ensure the freshness of each message. Data freshness suggests that the data is recent, and it ensures that no old messages have been replayed.

To ensure that no old messages replayed a time stamp can be added to the packet. v. Availability: Sensor nodes may run out of battery power due to excess computation or communication and become unavailable. It may happen that an attacker may jam communication to make sensor(s) unavailable. The requirement of security not only affects the operation of the network, but also is highly important in maintaining the availability of the network. vi. Self-Organization: A wireless sensor network believes that every sensor node is independent and flexible enough to be self-organizing and self-healing according to different hassle environments.

Due to random deployment of nodes no fixed infrastructure is available for WSN network management. Distributed sensor networks must self-organize to support multi-hop routing. They must also self-organize to conduct key management and building trust relation among

sensors. vii. Time Synchronization: Most sensor network applications rely on some form of time synchronization. In order to conserve power, an individual sensor’s radio may be turned off periodically. viii. Secure Localization: The sensor network often needs location information accurately and automatically. However, an attacker can asily manipulate non-secured location information by reporting false signal strengths and replaying signals, etc. Security Classes Attacks on the computer system or network can be broadly classified (Du, et al; 2006. ) as interruption, interception, modification and fabrication. Interruption is an attack on the availability of the network, for example physical capturing of the nodes, message corruption, insertion of malicious code etc. Interception is an attack on confidentiality. The sensor network can be compromised by an adversary to gain unauthorized access to sensor node or data stored within it.

Modification is an attack on integrity. Modification means an unauthorized party not only accesses the data but tampers it, for example by modifying the data packets being transmitted or causing a denial of service attack such as flooding the network with bogus data. iv. Fabrication is an attack on authentication. In fabrication, an adversary injects false data and compromises the trustworthiness of the information relayed. Methodology The software engineering standard used for this research work is the Structured System Analysis and Design Methodology (SSADM).

The SSADM method involves the application of a sequence of analysis, documentation and design tasks concerned with the following: Feasibility Study The following questions were answered to determine if the proposed system is feasible:

• Is the project technically possible?
• Can the business afford to carry out the project?

• justify;">Will the new system be compatible with existing practices?

• Is the impact of the new system socially acceptable?

Investigation of the Current Environment

The current system is entirely composed of people and paper and mobile telecommunication.

Through a combination of interviewing employees, circulating questionnaires, observations and existing documentation, the analyst comes to full understanding of the system as it is at the start of the project. This served many purposes: i. the researcher became acquainted with the terminology of the business, what users do and how they do it ii. the old system provided the core requirements for the new system iii. faults, errors and areas of inefficiency were highlighted and their correction added to the requirements iv. the data model was constructed v. he users became involved and learned the techniques and models of the analyst vi. the boundaries of the system were defined Business System Options Having investigated the current system, the overall design of the new system was decided. Using the outputs of the previous stage, the researcher developed a set of business system options. These are different ways in which the new system could be produced varying from doing nothing to throwing out the old system entirely and building an entirely new one. The analyst held a brainstorming session to generate as many ideas as possible.

The ideas were then collected to form a set of two or three different options which are presented to the user. The options considered the following:

• The degree of automation
• The boundary between the system and the users
• The distribution of the system,
  

for example, is it centralized to one office or spread out across several?

The output of this stage was the single selected business option together with all the outputs of the feasibility stage.

Requirements Specification

The researcher developed a full logical specification of what the new system must do. He ensured that the specification was free from error, ambiguity and inconsistency. To produce the logical specification, the analyst built the required logical models for both the data-flow diagrams (DFDs) and the entity relationship diagrams (ERDs). These were then used to produce function definitions of every function which the users will require of the system, entity life-histories (ELHs) and effect correspondence diagrams. Technical System Options This stage is the first towards a physical implementation of the new system.

Like the Business System Options, in this stage a large number of options for the implementation of the new system were generated. This was honed down to two or three to present to the user from which the final option was chosen or synthesized. However, the considerations were quite different being:

• the hardware architectures
• the software to use
• the cost of the implementation
• the staffing required
• the physical limitations such as a space occupied by the system
• the distribution including any networks which that may require
• the overall format of the human computer interface

All of these aspects were made to conform to any constraints imposed by the business such as available money and standardization of hardware and software.

The output of this stage was a chosen technical system option.

Logical Design

Though the previous level specified details of the implementation, the outputs of this stage were implementation-independent and concentrated on the requirements for the human computer interface. The logical design specified the main methods of interaction in terms of menu structures and command structures. One area of activity was the definition of the user dialogues.

These are the main interfaces with which the users will interact with the system. Other activities are concerned with analysing both the effects of events in updating the system and the need to make inquiries about the data on the system. Both use the events, function descriptions and effect correspondence diagrams produced in stage 4 to determine precisely how to update and read data in a consistent and secure way. Physical Design This is the final stage where all the logical specifications of the system were converted to descriptions of the system in terms of real hardware and software. . The logical data structure is converted into a physical architecture in terms of database structures. ii. The exact structure of the functions and how they are implemented is specified. iii. The physical data structure was optimized where necessary to meet size and performance requirements. The product of this phase was a complete Physical Design which could tell software engineers how to build the system in specific details of hardware and software and to the appropriate standards.

Analysis of the Existing System

The existing system is a wired Local Area Network without a special intrusion detection system. The following advantages and disadvantages were observed.

Advantages of the Existing System i. Ethernet cables, hubs and switches are very inexpensive. ii. Some connection sharing software packages, like ICS, are free. iii. Ethernet cables, hubs and switches are extremely reliable. iv. Wired LANs offer superior performance. v. Broadband routers offer equivalent firewall capability built into the device, configurable through its own software. vi.

Operating system based security systems are relatively inexpensive and efficient. Disadvantages of the Existing System i. Need to run cables in difficult environments through walls, floors and ceilings. ii. Cables need to be run from computer to computer and switch to switch. Process can be time consuming. iii. Loose cables likely remain the single most common and annoying source of failure in a wired network. iv. Operating system based security systems can easily be outsmarted by professional hackers and crackers. Analysis of the Proposed System

The proposed system is a wireless sensor network with a special intrusion detection system installed on individual computers in the network. The advantages and disadvantages observed in the following sub-sections. Advantages of the Proposed System i. The greater mobility of wireless LANs helps offset the performance disadvantage. Mobile computers do not need to be tied to an Ethernet cable and can roam freely within the WLAN range. ii. It is relatively easy to set up a WAP and configure a WNIC using a wireless connection utility. iii.

Wireless networks have much less cabling which leads to a much neater working environment. You do not need to run cables across your house/office, which can create trip hazards across rooms, hallways and stairs. Also choosing to set-up a wireless network means that you

do not need to run cables underneath carpets or drill holes through walls or ceilings to pass cables through. iv. Special purpose intrusion detection systems are capable of: * Adding a greater degree of integrity to the rest of you infrastructure * Recognizing and report alterations to data Automating a task of monitoring the Internet searching for the latest attacks * Detecting when your system is under attack * Detecting errors in your system configuration * Guiding system administrator in the vital step of establishing a policy for your computing assets * Making the security management of your system possible by non-expert staff Disadvantages of the Proposed System i. Transmission speeds in wireless networks, although improving with new technologies, are relatively slow. ii. Wireless network signal strengths can be affected by poor weather conditions iii.

Sensor nodes are prone to failures iv. Sensor nodes are limited in power, computational capacities, and memory. v. Special intrusion detection software are incapable of:

• Compensating for a weak identification and authentication mechanisms
• Conducting investigations of attacks without human intervention
• Compensating for weaknesses in network protocols
• Compensating for problems in the quality or integrity of information the system provides
• Analysing all the traffic on a busy network Always dealing with problems involving packet-level attacks
• Dealing with some of the modern network hardware and features

Justification of the Proposed System

The underlying reasons why you might use a wireless network intrusion detection system are relatively straightforward; you want to protect your data and systems integrity. The fact that you cannot always protect that data integrity from

outside intruders in today's internet environment using mechanisms such as ordinary password and file security, leads to a range of issues.

Adequate system security is of course the first step in ensuring data protection. For example, it is pointless to attach a system directly to the internet and hope that nobody breaks into it, if it has no administrator password! Similarly, it is important that the system prevents access to critical files or authentication databases except by authorized systems administrators. Further measures beyond those normally expected of an intranet system should always be made on any system connected to the internet. Firewalling and other access prevention mechanisms should always be put in place.

Intrusion detection takes that one step further. Placed between the firewall and the system being secured, a network based wireless intrusion detection system can provide an extra layer of protection to that system. For example, monitoring access from the internet to the sensitive data parts of the secured system can determine whether the firewall has perhaps been compromised, or whether an unknown mechanism has been used to bypass the security mechanisms of the firewall to access the network being protected.

Objective of the Design

The objective of the design is to create a wireless network intrusion detection system for wireless sensor networks that is capable of detecting certain well-known intrusion attacks on the host system and display warnings to users and also store information regarding the IP addresses and consequently allow the traffic based on that information. The system is expected to satisfy the following high level requirements: iv. Ability to monitor traffic in the form of data

packets to and from the host system v.

Ability to keep a log of identified intrusion attacks done on the host system and to provide this information on request Ability to keep a record of well-known malicious IP addresses and prevent network access when such addresses are detected Main Menu The program’s Main menu (Control Centre) consists of the following items that act as links to desired modules. Figure 3. 1: Main Menu Items Program Modules The various modules and their functions are briefly explained below. i. System Login Module: This module allows the user gain access to the newly proposed system. i. Add Client Module: This module is used to add information on the registered users of the Local Area network being monitored. iii. Update Client Module: This module is used to edit and update information on the registered users of the Local Area network being monitored. iv. Client Log Information Module: This module allows for the view of the log details for the activities of the clients on the monitored network that has been stored on the system’s database.