Intrusion Detection for WSN based on WPM State Estimation

Method Purpose Short description of the method's purpose and main benefits

Method description A detailed description of the method

State-of-the-art solutions for intrusion and attack detection have major drawbacks in resource-constrained platforms such as WSNs. In fact, those solutions require large amount of memory and storage to provide effective and useful intrusion/attack detection. This issue led the design of WIDS (WSN Intrusion Detection System) [IDS1], an intrusion detection system specifically designed to overcome the limitations and gain advantages on the peculiarity of WSNs. WIDS models the known attacks into more general Weak Model Processes (WPM), which are a simplification of Hidden Markov Processes where the probability on the edges can be only 1 or 0, i.e., a hidden state can be either reachable or unreachable. Each node in the WPM represents a possible state in which one WSN node happens to be. The reachability of a state depends on specific conditions on a chosen set of observable events which are detected and analysed by WIDS and the underlying networking drivers. WIDS uses such models to estimate the current state of WSN nodes and to detect when such states represent a danger for the WSN node or, for the whole WSN. For example, consider the observable, e.g., “Clear Channel Assessment Failure” (the node was unable to acquire the radio medium) which can lead to a dangerous state, e.g., “WSN node under Jamming”. The WIDS design has been recently implemented as a component in the TinyOS framework with the name TinyWIDS [IDS2]. TinyWIDS embeds WIDS design and provide enhanced radio transceiver drivers to provide low-level observables, the WPM representation as JSON, the continuous state estimation by inspecting selected attacks WPMs and notification system based on TinyOS events. Currently, TinyWIDS can detect incoming attacks and eventually the source of them, but it cannot provide any reactive behavior which could be useful to avoid further damage to the WSN before the operators could take action.

Method Strengths A listof the strengths of the method

Lightweight, low computational resource requirements. Traditional intrusion detection techniques require a non-trivial amount of network traffic and enough computational capabilities to elaborate it. On a WSN node this is not feasible. This method instead allows to define WPM attack models in the form of graphs which walked at runtime along with the state estimation with limited impact on computational power.
Compatible with different WSN platforms. The hardware and (low-level) software requirements are very limited. The method has been already tested on many resource- constrained WSN node platforms such as MICA2, MICAZ, IRIS, TELOSB, XM1000 etc.
Extensible. The observable definitions and the attack models are customizable to fulfil the requirements of the specific deployment.

Method Limitations The limitations of the method

May require segmentation of the WSN to improve detection
Higher software layers may need to adapt to the notification interfaces
There is no way to react to an incoming attack. A WSN under attack remains vulnerable in the time between detection/notification and actual operator’s action.

Method References Bibliography references to papers about the method.

Pugliese M., Giani A., Santucci F. (2010) Weak Process Models for Attack Detection in a Clustered Sensor Network Using Mobile Agents. In: Hailes S., Sicari S., Roussos G. (eds) Sensor Systems and Software. S-CUBE 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 24. Springer, Berlin, Heidelberg
Bozzi Luciano, Giuseppe Lorenzo, Pomante Luigi, Pugliese Marco, Santic Marco, Santucci Fortunato & Tiberti Walter. (2018). TinyWIDS: a WPM-based Intrusion Detection System for TinyOS2.x/802.15.4 Wireless Sensor Networks. 13-16. 10.1145/3178291.3178293.

Method Dimensions

Evaluation Environment Type Type of environment where the method is applied. It can be more than one type of environment. (Dimension 1)

Evaluation Type Type of evaluation performed with that method. If a method is hybrid, more than one type can be selected. (Dimension 2)

Type of Component Under Evaluation Type of components that can be evaluated with that method. It can be more than one type. (Dimension 3)

Evaluation Stage The evaluation stage where the method is used. (Dimension 5)

Purpose of the Component Under Evaluation The type of purpose that can be evaluated by a method. It can be more than one type. (Dimension 6)

Type of Requirement Under Evaluation The type of requirements that a method is able to evaluate. It can be more than one type. (Dimension 7)

Evaluation Performance Indicator The type of evaluation criteria or KPI that a method is able to improve. It can be more than one type. (Dimension 8)

Relations

Related Methods A method could be related to other methods.

Tools A method can use zero or more tools.

Part Method A method (when it is a combination: Combination of method artefact that is a specialization of a V&V Method) could be composed of a set of V&V Methods.

Test Case or Verification and Validation activity Test Case or V&V activity performed in a Use Case. We will link to the method to the test cases where the method is used.

Standards A method can be linked with standards.

Context

Workflow

Contents

There are currently no items in this folder.