Introduction
Reconfigurable wireless networks (RWN), such as ad hoc and Wireless Sensor Networks (WSN), are decentralized, flexible, highly dynamic, independent of any fixed infrastructure and capable of self-management, [1]. Routing is a fundamental operation that is needed in these networks in order to deliver information among nodes. Routing protocols in RWN were designed assuming a safe and cooperative network environment, which is not always the case. Some routing protocol vulnerabilities can be exploited by a malicious node or group of nodes to affect network performance and consume resources (e.g., energy, bandwidth). There are different types of network attacks against reconfigurable routing protocols, e.g., the flooding attack, [2], selective forwarding attack, [3], black hole attack, [4] and wormhole attack, [5].
Preventive measures, such as authentication mechanisms or secure routing, could be taken to protect RWN from routing attacks. It is worth mentioning that those preventive measures are not sufficient to fully protect the network from inside attackers. Intrusion Detection Systems (IDS) represent a protective measure because they are a set of techniques designed to identify malicious activities that could compromise network security. Several IDS approaches, [6], such as statistical, [7], collaborative, [8], or machine learning techniques, [9], have been taken in the literature to address routing attack detection for RWN. Thus, the development of tools for intrusion detection is important, and more interest is drawn towards tools that can potentially control and act based on evidence of the presence of an attack.
In this paper, we present two new approaches for IDS in RWN’s routing. These approaches are based on linear systems theory, which allows us to detect intruders by monitoring the behavior of nodes in the network. At the same time this tool is powerful for protection and control of the network with actions to isolate or avoid the attack.
Malicious nodes behave differently than the rest of the nodes in the network; if we model each network node as a linear system, those differences in dynamic behavior should be reflected on the system representation for those nodes. A linear system can be defined in the frequency domain by the z-domain zeros and poles of the transfer function. System poles are always located on a two dimensional orthogonal space which is independent of the number of network metrics considered as input and output signals (e.g., number of received packets, bandwidth usage per link). This property can be used as a dimensionality reduction step that arises naturally when representing a node as a linear system. Depending on the pole locations, a system could behave as an under damped, over damped, critically damped or an unstable system. This property of the pole locations could be thought of as being part of a classification task that can be exploited to identify routing attacks. Hence, our goal is to find a routing attack-sensitive system representation of a node. Without loss of generality we introduce the general equations for system models and we form a case study with one input and one output to analyze and show feasibility of the two IDS techniques proposed.
The rest of this document is organized as follows. Section II provides background on routing attacks and IDS for RWN. In addition, it provides a concise literature review. In Section III, two different techniques to identify routing attacks in RWN are presented. Section IV presents simulation results as a case study where performance metrics are presented in terms of detection rates for different attack severity and node speed values. The implementation of both techniques is also addressed in this section. Finally, Section V covers the conclusions of this work.
Background
In this section we present a general overview on protocols and attacks for routing in RWN. Literature review on IDS for routing in RWN is briefly addressed. Finally, as background work, we discuss the use of linear systems theory for network attack detection in the literature.
A. Routing Attacks
Data routing is one of the most essential functions of a network. For the RWN case, routing represents an especially hard challenge due to the open and highly dynamic nature of the network. The problem gets even harder because some nodes could have severe energy, computing and bandwidth restrictions. Routing protocols for RWN can be classified into proactive and reactive protocols. Proactive protocols are those in which nodes periodically exchange routing information and changes in topology with their respective neighbors, as in the case of the Optimized Link State Routing (OLSR) protocol, [10]. Reactive protocols are those in which routes are generated only when there is a need to communicate a message between two nodes, such as Ad Hoc on Demand Distance Vector (AODV), [11]. In general, any routing protocol for RWN must perform three tasks: route discovery, route maintenance and data forwarding. During route discovery, nodes share information about their links with their respective neighbors, either in a proactive or reactive manner. With updated routing information, nodes cooperate to forward data packets from origin to destination, usually through multiple hops. Route maintenance refers to the actions performed by nodes when routes change due to node mobility or channel impairments.
Many routing protocols were designed assuming a cooperative environment. However, if there are one or more malicious nodes, they could launch an attack against the routing protocol by violating its rules, either in the route discovery phase, the route maintenance phase or during packet forwarding. Any of those hostile actions could considerably affect network performance.
There are different attack classes that can be used against the reconfigurable routing protocols, [12], some of which are:
Flooding Attack. There are two possible implementations of this attack, Route Request (RREQ) flooding and data flooding attack. RREQ flooding occurs when a malicious node sends a large number of RREQ messages in a short period of time in order to deplete network resources, such as bandwidth or energy. During a data flooding attack, the malicious node sends bogus traffic to consume network bandwidth and energy.
Selective Forwarding. A malicious node behaves properly during route discovery and route maintenance, but selectively drops data packets in order to degrade network performance.
Black Hole Attack. A malicious node sends fake routing information so that each neighboring node calculates an optimal route to a node of the attacker’s interest, attracting and controlling network traffic. After monopolizing network traffic, the attacker could then analyze the content of the collected data packets or simply discard the data packets.
Wormhole Attack. This attack requires a pair of malicious nodes colluding to re-transmit packets from one network location to another using a private network, gaining control on network traffic.
Secure routing protocols usually rely on encrypting routing information to prevent any modification or misuse of it, [13], [14]. This approach prevents some attacks at the cost of increased packet overhead, but the lack of a central authority in charge of security poses a challenge in security certificate management. Additionally, some routing attacks, such as selective forwarding or wormhole attack, could be launched against the network by an inside attacker despite routing information encryption. Complementary techniques, such as IDS, are necessary to fully protect RWN.
B. Intrusion Detection Systems
An Intrusion Detection System (IDS) is a defense mechanism capable of detecting hostile activities that could compromise the network security. IDS are an alternative to protect the routing process in RWN, [15]–[17]. In order to carry out the detection, the network is constantly being monitored in search of known malicious behaviors or anomalous behaviors. IDS can be classified as host-based, if the detection process is performed by each node, or network based, if the detection is performed by a central entity observing larger traffic flows, such as a base station or a cluster head node.
Different collaborative, [18], and trust based IDS have been proposed in the literature to detect routing attacks in RWN, [19]–[21]. There is generally a trust metric that nodes in the network obtain for their neighbors. Then, they share those measurements to reach a consensus about a particular node's behavior, identifying attacker nodes in this way. This approach usually has good detection rates, but incurs additional overhead for reaching consensus between nodes.
Statistical techniques such as the ones presented in [22]–[24], and [25], tend to have very good attack detection rates for particular scenario conditions. Statistical metrics of network parameters change over time because of the dynamic nature of the RWN. Spectral information of relevant network parameters could be used in conjunction with statistical techniques to make intrusion detection robust to dynamic changes in the network, [26].
Support Vector Machines (SVM) are a popular machine learning approach for IDS in RWN, [27], [28], because they are robust to the network's dynamic behavior. SVM are good at performing a classification task in a high dimensional feature space with relatively little training data. Additionally, SVM can achieve very high attack detection accuracy, up to 99.98%, [29], and have a relatively low computational cost compared to other machine learning techniques.
C. Network Security Based on Linear Systems Theory
In the literature we identified two network security references on linear systems theory. In the first reference, [30], the authors modeled the network behavior as a Multiple Input Single Output (MISO) linear system. They used the model obtained to detect unauthorized probe and Denial of Service (DoS) attacks in a centralized network. They considered traffic parameters as model inputs, such as the number of TCP packets received and the number of UDP packets received, among other similar features. The system output models the network state and is used to detect a particular threat.
In the second reference, [31], the authors obtained a state-space feedback model and a Proportional Integral controller (PI) to detect and delay the spread of worms and viruses on a network. They were monitoring the number of connections per unit time and controlling the traffic in two queues, a safe queue and a suspicious queue to slow down the spread velocity of the worm.
In this paper, we analyze RWN routing security based on the theory of Discrete-Time Linear Time Invariant Systems (DT-LTIS), [32], [33]. We know that routing attacks degrade RWN’s performance. We consider a node as a linear system whose output signal is a performance metric. This metric is defined in such a way that performance degradation corresponds to an output signal increase. As system input signals, we consider different network metrics locally available to a network node. Those considered metrics are sensitive to network performance degradation. The linear systems approach and the input and output signals will allow us to analyze routing attacks in terms of causes and effects from the local perspective of a single network node.
Pole Location Based Intrusion Detection
In this section, we present two host-based intrusion detection techniques for RWN. Our goal for each technique is to find a linear system representation of a node. Poles of this system representation must be sensitive to routing attacks.
We begin by defining notation and some basic concepts. Then we discuss a black box technique to find an attack-sensitive system representation of a node. Finally a root locus approach is presented as an alternative to the black box technique.
A. Basic Definitions
Consider a reconfigurable network as a dynamic directed graph
(a) Topology of some reconfigurable network at instant
Without loss of generality, we will focus on node
A malicious node or group of nodes could perpetrate a routing attack in order to affect network performance (e.g., flooding attack, worm hole attack, black hole attack, selective forwarding attack, among others). The set of the
The set of
Node
In order to detect the
1) An Example
Consider that as part of
The selective forwarding attack,
Note that as long as link
So far, we have defined reconfigurable networks, routing attacks, the set of local performance metrics affected by those attacks and the set of features to perform intrusion detection. The rest of this section introduces the path to achieve our goal of finding a routing attack-sensitive system representation of a node,
B. A Black Box Approach
As a first approach for
Node
Proposed system model for the black box based
After defining the system inputs and outputs, the next step consists in modeling the dynamical behavior of the chosen system in discrete time. Parametric modeling relies on a previously known model structure. This model structure can come from discretization of a set of differential equations modeling the physical principles of the system of interest. Since for a node \begin{equation*} \boldsymbol {y}(k)=\sum _{e=1}^{p}\boldsymbol {A}^{(e)}\boldsymbol {y}(k-e)+\sum _{f=0}^{q}\boldsymbol {B}^{(f)}\boldsymbol {\chi }(k-f)+\boldsymbol {\varepsilon }(k),\tag{1}\end{equation*}
\begin{equation*} \hat {\boldsymbol {y}}(k|\hat {\boldsymbol {\theta }})=\sum _{e=1}^{p}\hat {\boldsymbol {A}}^{(e)}\boldsymbol {y}(k-e)+\sum _{f=0}^{q}\hat {\boldsymbol {B}}^{(f)}\boldsymbol {\chi }(k-f).\tag{2}\end{equation*}
The difference, \begin{equation*} \boldsymbol {\varepsilon }(k)=\boldsymbol {y}(k)-\hat {\boldsymbol {y}}(k|\hat {\boldsymbol {\theta }}).\tag{3}\end{equation*}
The set of parameters \begin{equation*} \boldsymbol {y}=\boldsymbol {X}\boldsymbol {\theta },\tag{4}\end{equation*}
\begin{equation*} \hat {\boldsymbol {\theta }}=(\boldsymbol {X}^{\intercal }\boldsymbol {X})^{-1}\boldsymbol {X}^{\intercal }\boldsymbol {y}.\tag{5}\end{equation*}
Once we have a model in the time domain, we can obtain its frequency domain representation by using the
Black box based
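An added example, not code from the paper: the black box procedure above for one input and one output with p = q = 2, the orders the case study uses in (15). It estimates the parameters with the normal equations of (5) and returns the model poles as two-dimensional features; the sample series, the function names and the "true" pole 0.6e^{jπ/4} are constructed for illustration.

```python
import cmath
import math
import random


def solve_linear(M, v):
    """Solve M x = v by Gaussian elimination with partial pivoting."""
    n = len(v)
    aug = [row[:] + [v[i]] for i, row in enumerate(M)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[piv][col]) < 1e-12:
            raise ValueError("X^T X is singular; the window carries too little variation")
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(col + 1, n):
            f = aug[r][col] / aug[col][col]
            for c in range(col, n + 1):
                aug[r][c] -= f * aug[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        s = sum(aug[i][j] * x[j] for j in range(i + 1, n))
        x[i] = (aug[i][n] - s) / aug[i][i]
    return x


def fit_arx(y, chi, p=2, q=2):
    """Estimate theta = [A1..Ap, B0..Bq] with the normal equations of eq. (5)."""
    start = max(p, q)
    rows = [[y[k - e] for e in range(1, p + 1)] +
            [chi[k - f] for f in range(q + 1)]
            for k in range(start, len(y))]
    target = y[start:]
    n = p + q + 1
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
    xty = [sum(r[i] * t for r, t in zip(rows, target)) for i in range(n)]
    return solve_linear(xtx, xty)


def poles_order2(a1, a2):
    """Poles of the fitted model: roots of z^2 - a1*z - a2 = 0."""
    d = cmath.sqrt(a1 * a1 + 4 * a2)
    return (a1 + d) / 2, (a1 - d) / 2


def simulate(n, a1, a2, b, noise=0.0, seed=1):
    """Constructed SISO series obeying eq. (1) with p = q = 2."""
    rng = random.Random(seed)
    chi = [rng.uniform(0.0, 10.0) for _ in range(n)]
    y = [0.0, 0.0]
    for k in range(2, n):
        y.append(a1 * y[k - 1] + a2 * y[k - 2] + b[0] * chi[k]
                 + b[1] * chi[k - 1] + b[2] * chi[k - 2]
                 + rng.gauss(0.0, noise))
    return y, chi


def window_poles(y, chi, win):
    """One (Re, |Im|) feature pair per non-overlapping window."""
    feats = []
    for s in range(0, len(y) - win + 1, win):
        theta = fit_arx(y[s:s + win], chi[s:s + win])
        z = poles_order2(theta[0], theta[1])[0]
        feats.append((z.real, abs(z.imag)))
    return feats


if __name__ == "__main__":
    r, ang = 0.6, math.pi / 4            # constructed "true" pole: 0.6 * e^{j*pi/4}
    y, chi = simulate(600, 2 * r * math.cos(ang), -r * r, [0.5, 0.2, 0.1], noise=0.01)
    for re, im in window_poles(y, chi, 200):
        print(f"pole = {re:.3f} +/- {im:.3f}j  |z| = {math.hypot(re, im):.3f}")
```

Each window costs one (p+q+1)-dimensional least-squares solve, and a window whose input barely varies makes the normal equations singular, which the solver reports instead of returning arbitrary poles.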
C. A Root Locus Approach
In this subsection we will take a different approach to achieve our goal. We start from the desired behavior of the instantaneous system poles on the z-plane. Similarly to the previous case, we will focus on the
(a) Proposed root locus based
In order for \begin{equation*} \pi _{a}(k) = \sum _{b=1}^{\lambda _{a}}\alpha _{b}\chi _{\mathcal {A}b}(k) + \sum _{c=1}^{\lambda _{n}}\beta _{c}\chi _{\mathcal {N}c}(k) + \gamma (k).\tag{6}\end{equation*}
Now, assume that the desired system representation of \begin{equation*} Q(z) = 1 + \varphi \frac {R(z)}{S(z)}.\tag{7}\end{equation*}
Suppose that the number of roots of
If we want that our system poles have the desired behaviour, \begin{align*} S(z)=&z^{2},\tag{8}\\ R(z)=&(z-r\cos \theta -jr\sin \theta)(z-r\cos \theta +jr\sin \theta) \\=&z^{2} - 2zr\cos \theta + r^{2}.\tag{9}\end{align*}
The roots of
Substituting \begin{align*} Q(z)=&1+\left ({\sum _{b=1}^{\lambda _{a}}\alpha _{b}^{\eta }}\right)\frac {(z^{2} - 2zr\cos \theta + r^{2})}{z^{2}} \\=&1 +\sum _{b=1}^{\lambda _{a}}\alpha _{b}^{\eta } - z^{-1}\left ({2r\cos \theta \sum _{b=1}^{\lambda _{a}}\alpha _{b}^{\eta }}\right) \\&+ z^{-2}\left ({r^{2}\sum _{b=1}^{\lambda _{a}}\alpha _{b}^{\eta }}\right).\tag{10}\end{align*}
The next step consists in defining the input signals, \begin{align*} u_{\mathcal {A}b}(k)=&\chi _{\mathcal {A}b}(k) + \alpha _{b}^{\eta -1}y_{a}(k) \\&-\, 2r\cos \theta \alpha _{b}^{\eta -1}y_{a}(k-1) \\&+\,r^{2}\alpha _{b}^{\eta -1}y_{a}(k-2),\tag{11}\\ u_{\mathcal {N}c}(k)=&\chi _{\mathcal {N}c}(k),\tag{12}\\ y_{a}(k)=&\pi _{a}(k) - \gamma (k),\tag{13}\end{align*}
Proof that the proposed definitions for
Summarizing, we have defined input signals,
In order to define parameters
Given concrete values for
The probability of error, \begin{align*}&\underset {r, \eta }{\text {minimize}} ~P(\epsilon) = f(r,\eta), \\&\text {subject to}~E[|z_{\mathcal {N}}|]\leq \zeta, \\&\hphantom {\text {subject to}~} \zeta < E[|z_{\mathcal {A}}|]< \xi.\tag{14}\end{align*}
After finding the optimal values of
The number of parameters of the model in (6) is equal to the number of input signals of the system,
Root locus based
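An added numerical check, not code from the paper: the poles of Q(z) in (10) as φ = Σ α_b^η grows, and the identity (24) that the signal definitions (11) and (13) produce for a single attack-sensitive feature. The values of α, η, r and θ, the sample series and all function names are assumptions made for illustration, and φ > 0 is assumed.

```python
import cmath
import math
import random


def q_poles(phi, r, theta):
    """Poles of 1/Q(z): roots of (1+phi) z^2 - 2 r cos(theta) phi z + r^2 phi."""
    a = 1.0 + phi
    b = -2.0 * r * math.cos(theta) * phi
    c = r * r * phi
    d = cmath.sqrt(b * b - 4.0 * a * c)
    return (-b + d) / (2.0 * a), (-b - d) / (2.0 * a)


def pole_radius(phi, r):
    """Closed form for phi > 0: the conjugate roots multiply to r^2 phi/(1+phi)."""
    return r * math.sqrt(phi / (1.0 + phi))


def locus(alphas, eta, r, theta):
    """Upper-half-plane pole for each value of one feature weight alpha."""
    return [(al, q_poles(al ** eta, r, theta)[0]) for al in alphas]


def identity_residual(alpha, eta, r, theta, n=200, seed=7):
    """Largest |LHS - RHS| of eq. (24) in the time domain, one feature."""
    rng = random.Random(seed)
    chi = [rng.uniform(0.0, 5.0) for _ in range(n)]   # constructed feature series
    y = [alpha * x for x in chi]                      # eq. (21), lambda_a = 1, lambda_n = 0
    g, phi, c = alpha ** (eta - 1), alpha ** eta, math.cos(theta)
    worst = 0.0
    for k in range(2, n):
        # eq. (11): input signal built from the feature and delayed outputs
        u = chi[k] + g * (y[k] - 2 * r * c * y[k - 1] + r * r * y[k - 2])
        # left-hand side of eq. (24) written as a difference equation
        lhs = (1 + phi) * y[k] - 2 * r * c * phi * y[k - 1] + r * r * phi * y[k - 2]
        worst = max(worst, abs(lhs - alpha * u))
    return worst


if __name__ == "__main__":
    r, theta, eta = 0.9, math.pi / 3, 2
    for al, z in locus([0.0, 0.1, 0.5, 1.0, 3.0, 10.0, 100.0], eta, r, theta):
        print(f"alpha={al:7.1f}  z={z.real:+.4f}{z.imag:+.4f}j  |z|={abs(z):.4f}")
    print("residual of (24):", identity_residual(0.8, eta, r, theta))
```

For φ > 0 the poles form a complex pair with |z| = r√(φ/(1+φ)), so they leave the origin (the roots of S(z)) and approach r e^{±jθ} (the roots of R(z)) without ever passing radius r.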
A Case Study
In this section we analyze a case of a routing attack in a sensor network, and we compare the two proposed IDS techniques and demonstrate their feasibility. We first analyze the effects of attack severity for a static network, and then we analyze the case where all the nodes in the network are moving for a given attack severity.
A. Scenario and Simulator Description
Simulations were performed to test the proposed IDS. Only one attack was considered for those simulations, RREQ flooding attack. Note that this type of attack can be launched against any proactive routing protocol. In order to analyze the attack severity impact on attack detection rates, the simulated scenarios were randomly initiated without varying any simulation parameter with the exception of the attack severity. Attack severity was different for each simulated scenario,
In order to make a fair comparison, the same data was used for the analysis of both techniques, for the static and mobile cases and the same system order was considered for all cases and models. For similar reasons, the same input and output signals were used for the black box and the root locus methods in order to construct the
1) Simulator Description
The event-driven simulation tool used for this work was developed using the Python programming language. The simulator is composed of the modules represented as boxes in Fig. 6. The simulation module controls the traffic model and mobility model for each simulated node. It is also in charge of saving relevant network metrics (e.g., node positions, average link duration, network throughput) and simulating channel phenomena (e.g., propagation, noise, interference). Each simulated node is composed of transport layer, network layer, data link layer and physical layer modules. The transport layer receives the data traffic profile from the simulator module and controls a UDP or TCP session. The network layer is in charge of routing data packets following the selected routing protocol. The data link layer controls the packet queue and simulates the exponential back off process and the frame collisions of the Medium Access Control protocol. The wireless link communicates with the wireless channel module to receive and broadcast information to neighboring nodes. The node performance metrics module collects relevant metrics from each layer of the communication stack each simulation period. Those relevant metrics are represented as time series in the IDS module, which implements a given intrusion detection system (black box or root locus).
Block diagram of the simulated node functionality and its relationship with the simulation scenario.
B. Black Box Method Results
1) Static Network Results
The results for the black box method and the static network case start by dividing in two the time series of \begin{equation*} \pi _{a}(k) = \sum _{e=1}^{2}A^{(e)}\pi _{a}(k-e) + \sum _{f=0}^{2}B^{(f)}\chi _{\mathcal {A}1}(k-f) + \varepsilon (k).\tag{15}\end{equation*}
Given the fact that we only have one input signal and one output signal,
(a) System poles obtained for the black box based
Decision regions for the \begin{align*} f_{\mathcal {N}}(Re(z_{\mathcal {N}}), Im(z_{\mathcal {N}}))=&\sum _{w=1}^{3}\rho _{w}\mathcal {N}(\boldsymbol {\mu }_{w}, \boldsymbol {\Sigma }_{w}),\tag{16}\\ f_{\mathcal {A}}(Re(z_{\mathcal {A}}), Im(z_{\mathcal {A}}))=&\sum _{w=1}^{2}\rho _{w}\mathcal {N}(\boldsymbol {\mu }_{w}, \boldsymbol {\Sigma }_{w}),\tag{17}\end{align*}
Figure 8 (a) shows the decision regions obtained when the
(a) Decision regions obtained for the black box based
Table 2 shows the detection accuracy, defined as
2) Mobility Case Results
The results of attack detection for the mobility case were obtained following the same methodology as for the static network case. We fixed attack severity,
C. Root Locus Method Results
1) Static Network Results
For the root locus based detector in \begin{equation*} \pi _{a}(k) = \alpha _{1}\chi _{\mathcal {A}1}(k),\tag{18}\end{equation*}
The input and output signals were defined as, \begin{align*} u_{\mathcal {A}1}(k)=&\alpha _{1}^{\eta -1}y_{a}(k) - 2r\cos \theta \alpha _{1}^{\eta -1}y_{a}(k-1) \\&+\, r^{2}\alpha _{1}^{\eta -1}y_{a}(k-2) + \chi _{\mathcal {A}1}(k),\tag{19}\\ y_{a}(k)=&\pi _{a}(k).\tag{20}\end{align*}
In order to obtain the optimal parameters,
For each pair of values
Figure 9 (a) shows the system poles for the optimal values of
(a) System poles obtained for the root locus based
Figure 10 (a) shows the decision regions for the detector in
(a) Decision regions obtained for the root locus based
2) Mobility Case Results
Similar to the black box results for mobility, we analyze the time series
D. Discussion
This new perspective of thinking about a network node
As mentioned in Section IIIC., and in (27) in Appendix, all the terms of the transfer function matrix
Although we obtained good detection accuracy for both proposed techniques, in the next lines we will compare them from the implementability point of view to help us decide which technique is more feasible.
1) On the Implementability of the Black Box Method
Although it seems natural to use black box system identification techniques to model the unknown dynamic behavior of a node,
A second issue with the black box approach is that we do not have previous knowledge of the right model of a node. We could face under-fitting or over-fitting problems, so in general, we need to try different values for
Finally, we intuitively understand that the potential attacker node,
2) Comparison of the Root Locus and the Black Box Approaches
Note that the number of parameters for the root locus approach is reduced when compared with the black box model for the same case of one output signal and an arbitrary number of input signals. There are
Additionally, in (6), we determined the system poles to be sensitive to routing attacks and not to other causes by making the distinction of the time series of features sensitive to the
3) On the Attacker’s Position and Network Impact
An important aspect to consider for further research is the attacker’s position. Depending on the physical location of the malicious node, the impact on network performance of a routing attack could vary. Those impact variations are due to the fact that nodes near the center of the network tend to have more neighbors than nodes close to the outskirts of the network and therefore have access to a larger portion of data traffic. This phenomenon could also affect attack detection rates: the more severe the impact on network performance, the easier the attack is to detect.
Conclusions
In this work, we proposed two different IDS for routing in RWN based on the same perspective of considering a network node as a linear system. This new perspective allows us to gain some intuitive understanding of the problem. Additionally, by using the system poles on the z-plane as the feature space for attack detection, we can represent all the relevant information in two dimensions. This two dimensional feature space is guaranteed to be independent of the number of input and output signals considered as relevant network metrics for a given attack detection. Good detection accuracy was obtained for both attack detection techniques. For more elaborate scenarios than the simple case presented in Section IV we need to consider additional inputs. The root locus approach is more robust to mobility and has a lower computational cost when compared to the black box method, and is hence more feasible for low power devices. The black box technique could be implemented in nodes with sufficient computing capabilities, such as nodes in vehicular ad hoc networks and in unmanned aerial ad hoc networks. The number of appropriate input signals, as well as which specific ones lead to better detection accuracy, remains an open challenge.
Appendix
System Inputs and Outputs Derivation
In this appendix, we show that a system as the one in Fig. 4 (a), with input signals,
We begin by substituting \begin{align*} \pi _{a}(k) - \gamma (k)=&\sum _{b=1}^{\lambda _{a}}\alpha _{b}\chi _{\mathcal {A}b}(k) + \sum _{c=1}^{\lambda _{n}}\beta _{c}\chi _{\mathcal {N}c}(k), \\ y_{a}(k)=&\sum _{b=1}^{\lambda _{a}}\alpha _{b}\chi _{\mathcal {A}b}(k) + \sum _{c=1}^{\lambda _{n}}\beta _{c}\chi _{\mathcal {N}c}(k).\tag{21}\end{align*}
We solve for \begin{align*} y_{a}(k)=&\sum _{b=1}^{\lambda _{a}}\alpha _{b}\Biggl [{u_{\mathcal {A}b}(k)-\alpha _{b}^{\eta -1}y_{a}(k) } \\&{ + 2r\alpha _{b}^{\eta -1}\cos \theta y_{a}(k-1)-r^{2}\alpha _{b}^{\eta -1}y_{a}(k-2)}\Biggr] \\&+ \sum _{c=1}^{\lambda _{n}}\beta _{c}u_{\mathcal {N}c}(k).\tag{22}\end{align*}
Grouping all the terms containing \begin{align*}&\hspace {-.9pc}Y_{a}(z) \!+\! Y_{a}(z)\sum _{b=1}^{\lambda _{a}}\alpha _{b}^{\eta } -2z^{-1}Y_{a}(z)r\cos \theta \sum _{b=1}^{\lambda _{a}}\alpha _{b}^{\eta } \\&+\, z^{-2}Y_{a}(z)r^{2}\!\sum _{b=1}^{\lambda _{a}}\alpha _{b}^{\eta } \!=\! \sum _{b=1}^{\lambda _{a}}\alpha _{b}U_{\mathcal {A}b}(z) \!+\! \sum _{c=1}^{\lambda _{n}}\beta _{c}U_{\mathcal {N}c}(z),\tag{23}\end{align*}
\begin{align*}&\hspace {-.5pc}Y(z) \left [{ 1 + \sum _{b=1}^{\lambda _{a}}\alpha _{b}^{\eta } -z^{-1}\left({2r\cos \theta \sum _{b=1}^{\lambda _{a}}\alpha _{b}^{\eta }}\right) + z^{-2}\left({r^{2}\sum _{b=1}^{\lambda _{a}}\alpha _{b}^{\eta }}\right)}\right] \\& \qquad \qquad \qquad \qquad {= \sum _{b=1}^{\lambda _{a}}\alpha _{b}U_{\mathcal {A}b}(z) + \sum _{c=1}^{\lambda _{n}}\beta _{c}U_{\mathcal {N}c}(z).} \tag{24}\end{align*}
Note that the expression inside the brackets in (24) is equal to \begin{equation*} Y(z) [Q(z)] = \sum _{b=1}^{\lambda _{a}}\alpha _{b}U_{\mathcal {A}b}(z) + \sum _{c=1}^{\lambda _{n}}\beta _{c}U_{\mathcal {N}c}(z).\tag{25}\end{equation*}
Dividing both sides by \begin{equation*} Y(z) = \frac {\displaystyle \sum _{b=1}^{\lambda _{a}}\alpha _{b}U_{\mathcal {A}b}(z) + \sum _{c=1}^{\lambda _{n}}\beta _{c}U_{\mathcal {N}c}(z)}{Q(z)},\tag{26}\end{equation*}
\begin{align*} Y(z)=&\boldsymbol {H}(z)\boldsymbol {U}(z) \\=&\left [{\dfrac {\alpha _{1}}{Q(z)} {\dots }\dfrac {\alpha _{\lambda _{a}}}{Q(z)}~\dfrac {\beta _{1}}{Q(z)} {\dots }\dfrac {\beta _{\lambda _{n}}}{Q(z)}}\right] \begin{bmatrix} U_{\mathcal {A}1}(z) \\ \vdots \\ U_{\mathcal {A}\lambda _{a}}(z) \\ U_{\mathcal {N}1}(z) \\ \vdots \\ U_{\mathcal {N}\lambda _{n}}(z) \end{bmatrix}.\tag{27}\end{align*}
The poles of