See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/324482808

e-Health Wireless IDS with SIEM integration

Conference Paper · April 2018

CITATIONS READS

3 441

2 authors:

Pantaleone Nespoli Felix Gomez Marmol

University of Murcia University of Murcia
20 PUBLICATIONS   99 CITATIONS    91 PUBLICATIONS   1,484 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

COSMOS: Collaborative, Seamless and Adaptive Sentinels for the Internet of Things View project

AuthCODE View project

All content following this page was uploaded by Pantaleone Nespoli on 14 October 2018.

The user has requested enhancement of the downloaded file.

 e-Health Wireless IDS with SIEM integration
Pantaleone Nespoli, Félix Gómez Mármol
University of Murcia, Spain
{pantaleone.nespoli,felixgm}@um.es
Abstract—The paper at hand presents a relevant summary
of the work conducted in [1]. It shows how a wireless Intrusion
Detection System (IDS) successfully reports malicious activities to
a Security Information and Event Management (SIEM) system.
By doing so, a variety of IoT devices are protected from potential
cyber-attacks. Leveraging the capabilities of the SIEM platform,
the events coming from different sources are effectively correlated
and analyzed, increasing the situational awareness of the security
operator. Exhaustive experiments demonstrate that the proposed
architecture is applicable to several wireless scenarios in which
the devices are exposed to cyber intruders, like e-Health.
I. I NTRODUCTION
As the use of Internet is growing day-by-day, another big
area is emerging to use Internet as a global platform allowing
machines and smart objects to communicate, compute and
coordinate, called Internet of Things (IoT). The IoT envi-
sions a world in which everything, in our everyday life, is
connected together. Thus, some crucial application domains
will be enhanced under this paradigm, such as health-care,
environmental and industrial plant monitoring, and so forth [2].
In particular, the IoT paradigm has been widely applied
to interconnect available medical resources and to provide
reliable, effective and smart healthcare services to the elderly
and patients with chronic illnesses [3]. On the downside, the
enormous amount of the sensitive data exchanged among these
devices becomes attractive for ill-motivated entities, which
aim to collect them for inappropriate uses [4]. For example,
the privacy of patients must be ensured to prevent unau-
thorized identification and tracking. Furthermore, healthcare
IoT-based applications are inherently vulnerable due to two
basic aspects: (1) most of the communications are wireless,
facilitating eavesdropping attacks; (2) most of the IoT devices
are characterized by low energy and computing capabilities,
thus the usual protection schemas (e.g. cryptography) cannot
be straightforwardly enforced to ensure an appropriate security
level. Recently, at the 25th DefCon hacking conference1 ,
security researchers took on a new challenge: uncovering flaws
in dozens of biomedical devices, from pacemakers and insulin
pumps to glucose monitors. Notably, they found out that
the devices are indeed vulnerable to remote control attacks,
threatening the patients’ lives.
To address the abovementioned challenges, this work pro-
poses a novel wireless IDS architecture which can be applied
to a variety of IoT environments, including specifically wire-
less e-Health. It extends the work proposed in [5] by adding the
wireless detection capability, considered of major importance
in the proposed scenario, and the integration with a SIEM
system called OSSIM2 . The core ingredient of the proposed
framework is the Raspberry Pi, a low powered device with
the peculiar features of IoT. Specifically, this work analyzes
the feasibility of employing the Raspberry Pi as an IDS in a
wireless scenario, arguing on its resources consumption and
detection capabilities. To the best our knowledge, this is the
1 https://www.defcon.org/
2 https://www.alienvault.com/products/ossim
first attempt to employ a Raspberry Pi as host system for a
wireless IDS, leveraging also the correlation capabilities of a
SIEM platform to report the detected anomalies.
II. F RAMEWORK A RCHITECTURE
At the core of the proposed architecture there is a small
and portable device acting as a wireless IDS. Our Raspberry
Pi could be deployed anywhere; its role is to monitor the
wireless traffic of the surrounding area, acting as a passive
sensor. Such device requires certain inherent properties in
order to fully satisfy the requirements in the context of IoT
e-Health security. First, it must be portable: following the IoT
concept of everywhere, anytime, users must be able to relocate
the device effortlessly. Then, it must be able to perform its
duties using minimum configuration, adapting its behavior
to different scenarios. Finally, the sensor must be easy to
use: turning it on, users’ communications are protected. In
addition to the local detection, attacks’ statistics are forwarded
to a remote SIEM server from which network administrators
can perform maintenance or emergency operations. Collecting
data stemming from different sources may be useful for
administrators to figure out network characteristics in a given
area, thus increasing the situational awareness. Using a SIEM
platform, the incoming events are filtered, aggregated, and
correlated to distinguish between malicious activities and false
alarms. This in turn, would help in identifying the appropriate
security measures to protect those areas.
Fig. 1. Wireless IDS architecture with SIEM integration.
Fig.1 shows a high level architecture of the proposed
framework. An ad-hoc Debian OS (i.e., Raspbian) optimized
for the Pi is used. Connected with the OS, two IDSs are
used: Kismet3 and Snort4 . The former intercepts the wireless
packets, analyzing them in order to find possible malicious
activities targeting the 802.11 protocol. Then, it removes the
wireless encapsulation and feeds the latter which in turn
uses its powerful capabilities to detect intrusions targeting the
upper TCP/IP layers. Once alerts are raised, log messages are
forwarded via TCP/UDP using rsyslog to OSSIM, which is in
3 https://www.kismetwireless.net/
4 https://www.snort.org/
charge of receiving these logs, analyzing and visualizing them
through the Web interface.
III. E XPERIMENTS
This Section presents a relevant extract of the experimental
results achieved in [1], where exhaustive experiments were
conducted over the Raspberry Pi as Kismet and Snort’s
host, measuring also the overhead introduced by the rsys-
log daemon. In our testing scenario, a laptop acting as an
attacker exploited the vulnerabilities exhibited by a wireless
access point to gain unauthorized access to the corresponding
network. Subsequently, it acquired root privileges over a
smarthphone, which was also acting as a victim. For more
detailed experiments’ settings and results, please refer to [1].
The performance evaluation was conducted in a shared en-
vironment where multiple devices communicated among them
using several access points. Thus, the monitor interface of
the Raspberry Pi captured the traffic from different networks.
For those frames, Snort was not able to start the detection
process because their payload was encrypted. Kismet, instead,
inspected also this traffic as its rules were focused on the
devices’ behavior and on 802.11 header anomalies. On the
contrary, attacks performed in our sub-network were indeed
detected. Malicious packets were decrypted by Kismet before
feeding Snort, which in this case could directly analyze them.
The tests were performed along 27 consecutive days, using
an 8 hours time window (from 10 a.m. to 6 p.m.), in which
we registered the highest amount of frames. Within the above-
mentioned window, the attacker performed random attacks
(e.g. port scanning, replay attack, etc.) against the victims
with a fixed frequency. A script running on the Raspberry
monitored the overall impact introduced by the IDSs and
the logs forwarding in terms of used system resources. In
particular, Snort was tested with different configurations to
argue on their resource consumption; that is, different rule
sets (i.e. connectivity, balanced and security) and detection
algorithms (i.e. lowmem, ac-bnfa and ac-split) were examined
during the experiments. The choice of the above-mentioned
parameters relies on the fact that they present the best overall
performance according to the Snort developers.
Fig. 2. Lowmem RAM usage comparison with different rule sets.
The CPU usage was measured and, notably, we found out
that it never exceeded 5% during the experiments. Moreover,
View publication stats
relevant statistics on the RAM usage of the lowmem detection
algorithm for the above-mentioned rule sets are depicted in
Fig. 2. As expected, a higher number of enabled rules implies a
higher memory usage, since Snort stores these rules directly in
RAM at the startup. A notable result is the curves’ shape; that
is, they show a trend which presents periodical spikes. These
peaks were generated by the Snort detection process which
was evaluating the simulated attacks in our sub-network. As
the attack starts, Snort analyzes the potential malicious frames
so that the RAM usage increases for a certain time period.
Then, when the detection process ends, the occupied memory
is freed. Another interesting feature is represented by the
curves’ slopes: as the number of received packets increases, the
RAM consumption increases too. This behavior is mainly due
to the Kismet’s mechanisms of devices tracking: during the
detection process, data structures are created to store relevant
information about the active devices in the surrounding area.
Specifically, the plot shows that the higher is the number of
packets, the higher is the slope (more RAM is used).
The experimental results demonstrate that, even in a heavily
loaded environment, the proposed solution is able to handle
and analyze the traffic efficiently. That is, we observed that
the CPU usage never exceeded 5%, and the RAM usage never
reached 400 MB utilization during the 8 hours experimental
window. In addition, the attacks performed were indeed de-
tected by the wireless IDS with high accuracy, and reported
to the remote OSSIM server in a timely fashion. Thus, we can
safely conclude that the proposed solution is suitable to protect
IoT devices from potential cyber-attacks, and more specifically
it looks promising for the e-Health ecosystem protection.
IV. C ONCLUSIONS AND F UTURE W ORK
We proposed a novel wireless IDS architecture to be applied
in a variety of IoT environments. In particular, we argued
on the possibility of employing it to protect the e-Health
devices in a healthcare scenario. To support our claims, we
carried out extensive tests on the architecture showing that
it is capable to protect a typical IoT environment. Future
works will explore the possibility of deploying a collaborative
scenario to perform the detection duties, but also a scenario
in which the SIEM server reacts based on the acquired alerts.
Additionally, we plan to run intrusion detection experiments
over other wireless protocols, such as Bluetooth or Zigbee,
including proper medical devices.
Acknowledgments: This work has been supported by the
European Commission H2020 Programme under grant agree-
ment no. H2020-ICT-2014-2/671672 - SELFNET, by a Ramón
y Cajal research contract (RYC-2015-18210) granted by the
MINECO (Spain) and co-funded by the European Social Fund,
as well as by a Leonardo Grant 2017 for Researchers and
Cultural Creators awarded by the BBVA Foundation.
R EFERENCES
[1] P. Nespoli, “WISS: Wireless IDS for IoT with SIEM integration,” Master’s
thesis, University Federico II Naples, 2017.
[2] Y. H. Hwang, “IoT security & privacy: Threats and challenges,” in
Proceedings of the 1st ACM Workshop on IoT Privacy, Trust, and
Security, ser. IoTPTS ’15. New York, NY, USA: ACM, 2015.
[3] Y. Yin, Y. Zeng, X. Chen, and Y. Fan, “The internet of things in
healthcare: An overview,” Journal of Industrial Information Integration,
vol. 1, no. Supplement C, pp. 3 – 13, 2016.
[4] K. Katzis, R. W. Jones, and G. Despotou, “The challenges of balancing
safety and security in implantable medical devices.” in ICIMTH, 2016,
pp. 25–28.
[5] A. Sforzin, F. Gómez Mármol, M. Conti, and J.-M. Bohli, “Raspberry
Pi IDS: A fruitful Intrusion Detection System for IoT,” in 13th IEEE
International Conference on Advanced and Trusted Computing (ATC
2016), Toulouse, France, 2016.