Intrusion Detection for WSN based on WPM State Estimation
State-of-the-art solutions for intrusion and attack detection have major drawbacks on resource-constrained platforms such as WSNs: they require large amounts of memory and storage to provide effective and useful intrusion/attack detection. This issue led to the design of WIDS (WSN Intrusion Detection System) [IDS1], an intrusion detection system specifically designed to overcome these limitations and to take advantage of the peculiarities of WSNs.

WIDS models the known attacks as more general Weak Process Models (WPM), a simplification of Hidden Markov Processes in which the probability on each edge can only be 1 or 0, i.e., a hidden state is either reachable or unreachable. Each node in the WPM represents a possible state in which a WSN node may be. The reachability of a state depends on specific conditions on a chosen set of observable events, which are detected and analysed by WIDS and the underlying networking drivers. WIDS uses such models to estimate the current state of WSN nodes and to detect when that state represents a danger for the WSN node or for the whole WSN. For example, the observable “Clear Channel Assessment Failure” (the node was unable to acquire the radio medium) can lead to the dangerous state “WSN node under Jamming”.

The WIDS design has recently been implemented as a component of the TinyOS framework under the name TinyWIDS [IDS2]. TinyWIDS embeds the WIDS design and provides: enhanced radio transceiver drivers that expose low-level observables, a JSON representation of the WPMs, continuous state estimation by inspecting the WPMs of selected attacks, and a notification system based on TinyOS events. Currently, TinyWIDS can detect incoming attacks and, in some cases, their source, but it cannot provide any reactive behaviour that would limit further damage to the WSN before the operators take action.
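The state-estimation idea described above, as an added example in C that is not part of WIDS or TinyWIDS: a small constructed jamming WPM whose edges carry no probabilities (a listed edge is reachable, an unlisted one is unreachable), an estimator that keeps the set of reachable hidden states as a bitmask and advances it one observable at a time, and two constructed observable traces. Only the observable “Clear Channel Assessment Failure” and the dangerous state “WSN node under Jamming” come from the page; the second observable, the intermediate states, the function names and the traces are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Observables reported by the radio driver. Only "Clear Channel Assessment
 * Failure" is named on the page; OBS_TX_SUCCESS is constructed for this example. */
typedef enum {
    OBS_CCA_FAILURE = 0,  /* the node was unable to acquire the radio medium */
    OBS_TX_SUCCESS  = 1,  /* a frame went out normally (constructed) */
    OBS_COUNT
} observable_t;

/* Hidden states of a constructed jamming WPM; the page names only the
 * dangerous one ("WSN node under Jamming"). */
typedef enum {
    ST_NORMAL = 0,
    ST_CCA_FAIL_1,        /* one CCA failure since the last successful transmission */
    ST_CCA_FAIL_2,        /* two consecutive CCA failures */
    ST_UNDER_JAMMING,     /* dangerous: medium persistently unavailable */
    ST_COUNT
} wpm_state_t;

/* A WPM edge carries no probability: listing it means reachable (1),
 * omitting it means unreachable (0). */
typedef struct { wpm_state_t from; observable_t on; wpm_state_t to; } wpm_edge_t;

static const wpm_edge_t JAMMING_WPM[] = {
    /* A single CCA failure is ambiguous (benign congestion or the onset of
     * jamming), so both successors are reachable: the hidden-state uncertainty. */
    { ST_NORMAL,        OBS_CCA_FAILURE, ST_NORMAL },
    { ST_NORMAL,        OBS_CCA_FAILURE, ST_CCA_FAIL_1 },
    { ST_CCA_FAIL_1,    OBS_CCA_FAILURE, ST_CCA_FAIL_2 },
    { ST_CCA_FAIL_2,    OBS_CCA_FAILURE, ST_UNDER_JAMMING },
    { ST_UNDER_JAMMING, OBS_CCA_FAILURE, ST_UNDER_JAMMING },
    /* Any successful transmission shows the medium is usable again. */
    { ST_NORMAL,        OBS_TX_SUCCESS,  ST_NORMAL },
    { ST_CCA_FAIL_1,    OBS_TX_SUCCESS,  ST_NORMAL },
    { ST_CCA_FAIL_2,    OBS_TX_SUCCESS,  ST_NORMAL },
    { ST_UNDER_JAMMING, OBS_TX_SUCCESS,  ST_NORMAL },
};
#define N_EDGES (sizeof JAMMING_WPM / sizeof JAMMING_WPM[0])

/* Bit i set <=> state i is reachable; one byte covers up to 8 states. */
static const uint8_t DANGEROUS_MASK = 1u << ST_UNDER_JAMMING;

typedef struct { uint8_t reachable; uint16_t alarms; } wpm_estimator_t;

void wpm_init(wpm_estimator_t *e) { e->reachable = 1u << ST_NORMAL; e->alarms = 0; }

/* Advance the estimate by one observable: the new reachable set is the union
 * of the successors of every currently reachable state along edges labelled
 * with that observable. Returns 1 if a dangerous state is now reachable. */
int wpm_step(wpm_estimator_t *e, observable_t obs) {
    uint8_t next = 0;
    for (size_t i = 0; i < N_EDGES; i++) {
        if (JAMMING_WPM[i].on == obs && (e->reachable & (1u << JAMMING_WPM[i].from)))
            next |= (uint8_t)(1u << JAMMING_WPM[i].to);
    }
    if (next == 0)                  /* the model cannot explain the observable: */
        next = 1u << ST_NORMAL;     /* restart the estimate from the initial state */
    e->reachable = next;
    if (next & DANGEROUS_MASK) { e->alarms++; return 1; }
    return 0;
}

/* Index of the first observable at which a dangerous state became reachable,
 * or -1 if the trace never reaches one. */
int wpm_first_alarm(const observable_t *trace, size_t n) {
    wpm_estimator_t e; wpm_init(&e);
    for (size_t i = 0; i < n; i++)
        if (wpm_step(&e, trace[i])) return (int)i;
    return -1;
}

/* Number of steps at which a dangerous state was reachable. */
int wpm_alarm_count(const observable_t *trace, size_t n) {
    wpm_estimator_t e; wpm_init(&e);
    for (size_t i = 0; i < n; i++) wpm_step(&e, trace[i]);
    return e.alarms;
}

/* Constructed traces: sporadic CCA failures vs. a sustained burst of them. */
const observable_t BENIGN_TRACE[] = { OBS_CCA_FAILURE, OBS_TX_SUCCESS, OBS_CCA_FAILURE,
                                      OBS_CCA_FAILURE, OBS_TX_SUCCESS };
const observable_t JAMMING_TRACE[] = { OBS_TX_SUCCESS, OBS_CCA_FAILURE, OBS_CCA_FAILURE,
                                       OBS_CCA_FAILURE, OBS_CCA_FAILURE };
#define BENIGN_LEN  (sizeof BENIGN_TRACE / sizeof BENIGN_TRACE[0])
#define JAMMING_LEN (sizeof JAMMING_TRACE / sizeof JAMMING_TRACE[0])

int main(void) {
    printf("benign trace:  first alarm at %d, alarms=%d\n",
           wpm_first_alarm(BENIGN_TRACE, BENIGN_LEN), wpm_alarm_count(BENIGN_TRACE, BENIGN_LEN));
    printf("jamming trace: first alarm at %d, alarms=%d\n",
           wpm_first_alarm(JAMMING_TRACE, JAMMING_LEN), wpm_alarm_count(JAMMING_TRACE, JAMMING_LEN));
    return 0;
}
```

The estimate is a set rather than a single state because the same observable can be explained by more than one hidden state; the alarm condition is simply "a dangerous state is reachable", which is all a 0/1 edge table can express. The length of the intermediate chain (here two states before ST_UNDER_JAMMING) is the tuning knob a deployment would adjust to the radio's normal CCA behaviour, and the edge list is exactly the information a JSON representation of the WPM, such as the one TinyWIDS loads, would carry.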
Advantages:
- Lightweight, low computational resource requirements. Traditional intrusion detection techniques require a non-trivial amount of network traffic and enough computational capability to process it, which is not feasible on a WSN node. This method instead defines the WPM attack models as graphs that are walked at runtime alongside the state estimation, with limited impact on computational power.
- Compatible with different WSN platforms. The hardware and (low-level) software requirements are very limited. The method has already been tested on many resource-constrained WSN node platforms such as MICA2, MICAZ, IRIS, TELOSB, XM1000, etc.
- Extensible. The observable definitions and the attack models are customizable to fulfil the requirements of the specific deployment.
Drawbacks:
- May require segmentation of the WSN to improve detection.
- Higher software layers may need to adapt to the notification interfaces.
- There is no way to react to an incoming attack: a WSN under attack remains vulnerable in the time between detection/notification and the operator's actual action.
References:
- [IDS1] Pugliese M., Giani A., Santucci F. (2010). Weak Process Models for Attack Detection in a Clustered Sensor Network Using Mobile Agents. In: Hailes S., Sicari S., Roussos G. (eds) Sensor Systems and Software. S-CUBE 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 24. Springer, Berlin, Heidelberg.
- [IDS2] Bozzi L., Giuseppe L., Pomante L., Pugliese M., Santic M., Santucci F., Tiberti W. (2018). TinyWIDS: a WPM-based Intrusion Detection System for TinyOS2.x/802.15.4 Wireless Sensor Networks. pp. 13-16. doi:10.1145/3178291.3178293.