
A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks

Marco Pugliese
Center of Excellence DEWS, University of L'Aquila, L'Aquila, Italy, marco.pugliese@ieee.org

Annarita Giani
Dep. of Electrical Engineering and Computer Sciences University of California at Berkeley Berkeley, CA, USA agiani@eecs.berkeley.edu

Fortunato Santucci
Center of Excellence DEWS, University of L'Aquila, L'Aquila, Italy, santucci@ing.univaq.it

Abstract. This paper introduces a novel methodology for modeling Anomaly Detection Logic (ADL) in intrusion detection for Wireless Sensor Networks (WSNs). In particular, we propose an integrated approach to threat modeling and detection using the Weak Process Model (WPM) paradigm. WPMs are nonparametric versions of Hidden Markov Models (HMMs) in which state transition probabilities are reduced to 0-1 rules of reachability. WSNs are resource-limited; WPMs are robust while consuming few resources. Threat identification is performed by introducing a threat score, which weights the state sequences (hypothetic states traces) associated with each threat model, while anomalies are classified using predefined rules. The higher the threat score, the higher the likelihood of an attack. Attacks have been classified according to their risk potentiality: Low Potential Attacks (LPA) and High Potential Attacks (HPA). An alarm is issued when at least one HPA is likely to occur. We present a theoretical review of our methodology and report experimentally obtained quantitative data.

I. INTRODUCTION

Sensor networks revolutionize the way we interact with the physical environment. A sensor network is often subject to a unique set of constraints, such as finite battery power and limited communication bandwidth. Furthermore, transferring data to a processing unit requires the existence of a secure communication channel. Wireless Sensor Networks are flexible, can be quickly implemented and have a low cost of operation. If well designed and appropriately deployed, a WSN can become a secure communication platform for gathering sensory data. To be a "secure platform", it must implement specific functional modules, typically software applications, in a distributed computing architecture. Assuring security in a WSN depends on the successful execution of several interconnected components: ciphering and authenticating data flows (cryptography), detecting malicious intrusions coming from external or internal attackers, and assuring correct functionality of the sensor nodes (integrity). An Intrusion Detection System (IDS) is a defense system which detects hostile activities in a network. It recognizes patterns of known attacks (signature based), or identifies abnormal network activity that differs from historical norms (anomaly based) [1]. Model-based reasoning combines models of misuse with reasoning to support conclusions about an attack. Recently, IDSs have been developed for use on wireless networks. A wireless IDS is similar to a standard, wired IDS, but has additional deployment requirements as well as unique features specific to WLAN intrusion and misuse detection [2]. This work considers an IDS based on Anomaly Detection Logic (ADL). The architecture taken as reference for this work is derived from, and compliant with, a wide variety of accepted standards, and can be decomposed into the following components (see Fig. 1): Intrusion Alarm Generation (IAG) generates alarms based on ADL. Intrusion Reaction Logic (IRL) defines the defence strategy (determines the subset of nodes to be protected) and tracks correlated alarms. Intrusion Reaction logic Application (IRA) reacts to intrusion by deploying appropriate countermeasures (releasing links, putting compromised nodes in quarantine, distributing black lists / grey lists). The database Local Configuration Data (LCD) refers to the set of configuration data essential for any operation of the sensor node in the WSN: e.g. LCD contains data related to cryptographic key generation and to node authentication procedures [3]. As will be shown later, LCD is the fundamental component for determining whether an anomaly is present in the incoming data traffic. The remainder of this paper is organized as follows. Section II presents a review of current intrusion detection techniques applied to WSNs. Section III introduces threat modeling using the Weak Process Model approach. Section IV describes a method for performing threat identification. Section V describes the functional architecture for the Anomaly Detection Logic module of the IDS, as well as the anomaly rules and the internal blocks of the threat model. In Section VI the proposed scheme is applied to a specific threat (HELLO flooding). Section VII contains concluding discussion and future work.

This work has been partially supported by the EU FP6 NoE HYCON and is part of the project WINSOME at DEWS and by TRUST (Team for Research in Ubiquitous Secure Technology), which receives support from the National Science Foundation (NSF award number CCF-0424422) and the following organizations: AFOSR (#FA9550-06-1-0244), BT, Cisco, ESCHER, HP, IBM, iCAST, Intel, Microsoft, ORNL, Pirelli, Qualcomm, Sun, Symantec, Telecom Italia, and United Technologies.

Figure 1. ADL-based IDS macro-functions.

II. MOTIVATION

A threat can be defined as a particular strategy in engaging an attack. Typical threats affecting WSNs are reported in [4]. WSNs are resource limited: memory, energy and accessibility constraints make the use of current security techniques challenging [5]. Traditional intrusion detection techniques cannot be implemented well on a WSN; they are not effective, are limited to a restricted number of threats, or are too restrictive: cross-correlating aggregated data (among all, analyzing fluctuations in sensor readings [6], watching over the information interchange [7], modeling normal traffic to detect abnormal traffic patterns [8]), or running the Baum-Viterbi algorithm as likelihood criterion in threat identification when HMMs are used to model threats [9], are some examples. The issue of implementing an effective IDS on a WSN leads to the problem of finding a trade-off between the capability of identifying threats (i.e. with a bounded false alarm rate), the complexity of the algorithms and memory usage [10]. We believe that an anomaly-based IDS using weak process models applied to threat modelling with a weight-based logic for threat identification can be a promising solution for a resource-constrained platform such as a WSN. First, a WPM simplifies the HMM (ref. to Sec. III for details), leading to a simplified threat identification likelihood logic in comparison with the Viterbi algorithm. This simplification is done at the expense of sacrificing the capability of the intrusion system to reveal attacks with low probabilities. However, increasing the number of observables associated to a state (ref. to Sec. III) can lead to better accuracy at the expense of memory occupancy, but without increasing algorithmic complexity. Nevertheless, given a fixed amount of resources, a larger number of WPM-based threats can be considered compared to HMM-based models. Second, a careful project design (adopting a specific application architecture) and software engineering techniques (modular algorithms and code squeezing) are adopted, as will be shown in Sec. V.

III. WEAK PROCESS FORMALISM FOR THREAT MODELING

According to the definition given in Sec. II, threats can be modeled as random dynamical systems using stochastic Finite State Machines (FSMs). Threat detection by monitoring anomalous events from the environment becomes equivalent to FSM structure identification by observing symbols related to the FSM states. A Hidden Markov Model (HMM) is a doubly stochastic FSM with an underlying stochastic process that is hidden but indirectly observable through another stochastic process that produces a sequence of observable symbols (observables) [11], [12]. In HMMs, state transitions follow a first-order Markov chain, and an observable is emitted according to some probability distribution each time a state is entered. Anomaly intrusion detection can be treated as a classification problem. The use of Hidden Markov Models for the detection of malicious computer and system intrusion is not new. The sequence of system calls is given as input to a system model. If the probability of the models specifying normal activity is less than a specific threshold, an alarm is triggered [13], [14]. Another approach that uses HMMs consists of modeling computer attacks and using system alerts as observables to find the most likely process [15]. Nonparametric versions of HMMs are called weak models. Weak models are robust for process detection and easy to construct, as the assumption of knowing precise probabilities in HMMs is weakened to 0,1-values of reachabilities [16]. A Weak Process Model [10] is an HMM where only the reachability between states and observables is specified (as opposed to transition and emission probabilities). By mapping these concepts to threat models, it follows that the existence of an observable can be considered as an indicator that an attack against the WSN may be occurring. The information about the current state of the attack is not available (it is a hidden state) but we observe a sub-set of choices. Fig. 2 shows a simple example of a WPM where the green bordered node in the graph represents the initial state and the red one the final state. There are 6 observables and 5 states, and the mapping is: when event 1 is observed (or observable 1 occurs) then the FSM can be in state 1 or 5; when event 3 is observed (or observable 3 occurs) then the FSM can be in state 2, 4 or 5. This mapping is represented as a graph by including the observables in brackets for each state. A WPM, as any Markov model, can be formally represented using the canonical form:

$$x_{k+1} = A\,x_k, \qquad o_k = B\,x_k \qquad (1)$$

where:
The states set X is defined by $X = (x_1, x_2, \ldots, x_n)$;

The individual state x at step k is defined by $x_k$, and $x_0$ (k = 0) is the initial state;
The observable set O is defined by $O = (o_1, o_2, \ldots, o_q)$;
The individual observable o at step k is defined by $o_k$;
The State Transition Distribution A defines the n × n matrix representing the behaviour of each threat. Matrix elements are defined as: $A_{i,j} = 1$ if $p(x_{k+1} = x_j \,|\, x_k = x_i) = 1$, and 0 otherwise;
The Emission Distribution B defines the q × n matrix representing the mapping between each observable and the sub-set of the possible states. Matrix elements are defined as: $B_{i,j} = 1$ if $p(o_k = o_j \,|\, x_k = x_i) = 1$, and 0 otherwise.

Figure 2. Example of WPM with 6 observables and 5 states.

IV. THREAT IDENTIFICATION AND ALARM GENERATION PROBLEMS

Suppose the WSN is currently under attack. What is the criterion to identify the most likely threat currently occurring? This is the Threat Identification Problem. Another question is: supposing that the threat has been identified, what is the criterion to state the hazard level of the attack and, according to it, the choice to issue or not an alarm? This is the Alarm Generation Problem, which impacts the reliability of the proposed mechanism (false alarm percentage). Our approach to answering these questions is to assign weights (or scores) to the output produced by each threat model when an observable has been applied as input: this output is the Hypothetic States Trace, as will be defined in the following.

Definition (Hypothetic Engaged States at step k, $Hp_{x_k}$). The Hypothetic Engaged States at step k are the sub-set of possible (hidden) states associated to the observable $o_k$. Formally, $Hp_{x_k} = B^T o_k$.

Definition (Hypothetic Free States at step k, $Free_{x_k}$). The Hypothetic Free States at step k are the sub-set of states not yet engaged at observable $o_k$. Formally: $Free_{x_k} = x_k - (x_k \wedge Hp_{x_k})$, where the symbol $\wedge$ indicates the Boolean AND between vector elements.

Definition (Hypothetic States Trace at step k, $Tr_k$). The Hypothetic States Trace at step k is the sequence of engaged states compliant to a state sequence in the FSM graph up to observable $o_k$. Formally: $Tr_k = \sum_{i=1}^{k-1} (Hp_{x_k} \wedge A\,Free_{x_i})$.

Thus a Hypothetic States Trace is the output from a threat model when an observable has been applied as input. Weights are assigned to each trace by applying the n × n score matrix S, whose elements are defined as: $s_{ij}$ is the score assigned to the transition from $x_j$ to $x_i$; $s_{jj}$ is the score assigned to state $x_j$ (e.g. the initial state $x_0$). The following formula returns the score associated to the threat after the first k observable steps:

$$s_k = \sum_{j=1}^{k} \Big[ (Hp_{x_j} \wedge x_0)^T S\,x_0 + \sum_{i=1}^{j} Tr_i^T\, S\, Free_{x_i} \Big] \qquad (2)$$

The idea behind this expression is to weight WPM transitions according to the topological positions of the starting and ending states involved in the transition. As will be shown later, this allows two different hazard levels of an attack to be defined straightforwardly (5). The threat score is given by the total sum for the sequence of hidden states (trace) up to the current observable: this definition gives us an expressive indicator of both threat identity (non-zero alarms for a certain threat model) and its related hazard level (the score value). It can be shown that the algorithmic complexity of equation (2) is $O(k^2)$ until the memory order of the underlying Markov model associated to the WPM (which coincides with the Local Buffer Memory, LBM, depicted in Fig. 6, where the hypothetic free states are buffered, see Fig. 7) has been filled up, i.e. for $k < LBM$; definitively, i.e. for $k \ge LBM$, the complexity becomes $O(k)$ because, as a new observable enters the model, the oldest hypothetic free states are discarded from memory and the score is updated by sweeping just once over the remaining free states. In the case $k < LBM$ we have:
$$s_k = \sum_{j=1}^{k} \Big[ (Hp_{x_j} \wedge x_0)^T S\,x_0 + \sum_{i=1}^{j} Tr_i^T\, S\, Free_{x_i} \Big] \qquad (3)$$

and in the case $k \ge LBM$ we have:

$$s_k = (Hp_{x_k} \wedge x_0)^T S\,x_0 + \sum_{i=1}^{LBM} Tr_i^T\, S\, Free_{x_i} \qquad (4)$$

If the resulting score is decomposed into the following components:

$$s = s_{hpa} + s_{lpa} \qquad (5)$$

then $s_{hpa}$ and $s_{lpa}$ indicate two hazard levels:

Definition (Low Potential Attack, LPA, $s_{lpa}$). An attack can be considered "low potentially dangerous" if a hypothetic engaged state is at least 2 hops before the final state in the FSM graph representing the threat. Definition (High Potential Attack, HPA, $s_{hpa}$). An attack can be considered "high potentially dangerous" if a hypothetic engaged state is a penultimate state in the FSM graph representing the threat. Assuming that the message buffer has fewer than 100 positions, the following score assignments can be adopted: the total score at each state at least 2 hops before the final state is 1 or multiples (thus $0 \le s_{lpa} \le 99$); the total score at each penultimate state is 100 or multiples (thus $0 \le s_{hpa} \le 9900$); if there are observables associated to the final state then the score -100 is assigned to each transition from any penultimate state to the final state. Alarms and the related scores are issued (Al[s]) when a penultimate state has been reached and an HPA is likely to occur. The example reported in Fig. 3 provides a better understanding; for simplicity, matrices A and B have not been represented. Given the WPM-based threat model depicted in Fig. 2, if the sequence of observables {3,1,4,2,5,6} is applied as input to the model, the Hypothetic State Traces 1-2-4-5 and 1-3-5 are produced (see Fig. 3). Hypothetic states not in any trace have been barred. The application of Eq. (2) to the traces generates the score values associated to each trace at every step k, with k = 1, 2, ..., 6. If state 3 or state 4 is reached (respectively at step 2 and step 4), an HPA, by definition, is likely occurring and alarms are issued with scores 101 and 200 respectively. According to Eq. (2), the alarm semantics are: 1 HPA + 1 LPA at step 2, 2 HPA + 0 LPA at step 4.

Figure 3. An example of Alarm Generation.

Now suppose we feed the threats TM1 and TM2 represented in Fig. 4 with the following sequence of observables:

{6, 4, 5, 6, 4, 5, 6, 3, 3, 2, 6, 4, 5, 3, 2, 4, 3, 6, 4, 5, 1, 1, 6, 4, 5, 2, 2, 6, 4, 5} (6)

Simulations using the MATLAB software tool provided the result reported graphically in Fig. 5, where the horizontal axis is labeled with observation steps (k) and the vertical axis with scores (s); orange bars refer to TM1 and blue bars to TM2. As already mentioned, the indicators for threat identification and the related hazard level are given by the existence of a score associated to a threat model (score not zero) and its value respectively: e.g. observation steps ranging from 14 to 18 show a majority of non-zero scores from TM1 (with high hazard levels), identifying TM1 as the threat most likely attacking the network, while steps ranging from 24 to 30 identify TM2.

Figure 4. Threats TM1 and TM2 respectively.

Figure 5. Alarms related to TM1 and TM2 when (6) is applied as input.

V. INTRUSION ALARM GENERATION

Fig. 6 represents the functional architecture of the Intrusion Alarm Generation module: internally the main blocks are the Anomaly Detection Logic (ADL) and several Threat Models (TM). The ADL block implements the following functions: 1) The ADL block applies a predefined set of rules, based on the Local Configuration Data, to determine whether an incoming signalling message contains anomalies or not. The application of these anomaly rules gives two possible results: "no anomalies", resulting in the message being processed further, or "anomaly type T", according to the rule that has revealed that anomaly: this event defines a threat observable (refer to sub-block "Anomaly Rules" in Fig. 7). 2) The ADL block implements the logic to identify which is the most likely attacking threat, and what its potential danger to correct WSN operation is: in such cases alarms are generated and issued (refer to sub-block "Alarm Generation" in Fig. 7). Each TM block, as shown, implements a specific WPM-based threat model.

Figure 6. IAG module internal functional architecture.

Figure 7. ADL internal functional architecture.

Let us consider the ADL internal architecture shown in Fig. 7. From a SW engineering point of view, an IDS is a set of concurrent interacting modules which are typically managed through a middleware. We are currently enhancing the work reported in [17], where a mobile agent-based middleware is introduced. Applying it to our case, TM blocks can be implemented through (light) agents containing the threat model (represented with sparse matrices), each one fed by the current observable. The produced output $Hp_{x_k}$, in turn, feeds the Alarm Generation module which implements (2). The Alarm Generation module, which is the actual ADL engine, can be implemented through additional SW stubs embedded into the middleware code residing in each sensor node. Moreover, publish / subscribe asynchronous messaging paradigms optimize alarm propagation in terms of transmission overheads. Sec. VII reports the current status of our work.

VI. APPLICATION TO HELLO FLOODING THREAT

This section is dedicated to the application of the proposed ADL to the HELLO Flooding threat. HELLO Flooding is a simple Denial of Service attack on a WSN, where the attacker continuously issues malformed HELLO messages to nodes in the WSN, which waste computational and memory resources processing the signalling information elements contained in these HELLO messages. The modeling process can be split into the following steps: 1) Analyze the behaviour of the threat; 2) Derive the Anomaly Rules; 3) Derive the WPM-based threat model.

Step 1. The attacker node, symbolically represented with a skull, is labeled "e". Fig. 8 depicts the possible dynamics of an attack on a clustered WSN: the attacker continuously issues malformed HELLO messages to the cluster head i or the cluster members j or w. The attack is considered successful if at least 2 nodes in the WSN are attacked by the same attacker.

Figure 8. HELLO Flooding Threat.

Step 2. According to the previous analysis, the Anomaly Rules listed in Table I can be straightforwardly stated; thus, the resulting observables are those listed in Table II.

Table I. ANOMALY RULES DESCRIPTION

ID  Description
1   Search for anomalies in the signalling hand-shake between nodes i and e
2   Search for anomalies in the signalling hand-shake between nodes j and e
3   Search for anomalies in the signalling hand-shake between nodes w and e

Table II. OBSERVABLES DESCRIPTION

ID  Description
1   Node i cannot authenticate node e, or generation of the key failed
2   Node j cannot authenticate node e, or generation of the key failed
3   Node w cannot authenticate node e, or generation of the key failed
4   No observables during the K steps, with K a predefined threshold

Step 3. From the previous results, the WPM-based HELLO Flooding FSM is represented in Fig. 9. The number of states is 4 and the number of observables is 4. The canonical form Eq. (1) can be specialized using the matrices A and B in (7) and the score matrix S in (8). The threat behavior represented in Fig. 9 is easily described. If observable 1, 2 or 3 occurs then the threat is considered "started" and state HF1 defines an LPA. If no more observables are identified in the following K steps (with K a predefined threshold) then the threat is considered "reset", which means either "attack temporarily suspended" or maybe there was no attack at all (HF3). If observable 1, 2 or 3 occurs again then the attack is considered dangerous, state HF2 defines an HPA and an alarm is issued; if no more observables are identified in the following K steps then the attack is reset. The final state, SUCCESSFUL ATTACK, is formally never reached, so that the alarm remains set until a suitable countermeasure has been taken (in this case the alarm is not considered anymore) or the threat returns to reset.
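The scoring mechanism of Sections III and IV applied to the HELLO Flooding model of this section, as an added worked example (not code from the paper): the reachability A, emission mapping B and score matrix S are constructed from the Step 3 description and Table II rather than transcribed from Eqs. (7)-(8), scores follow the LPA = 1 / HPA = 100 convention of Section IV with the accumulated score cleared whenever the reset state HF3 is engaged, and the input is the observable sequence (9) with K = 3. The class name, the quiet-step counter that produces observable 4, and the per-step record are this example's own devices.

```python
from __future__ import annotations
from dataclasses import dataclass

# States of the HELLO Flooding WPM (Fig. 9), named as in the text; QUIET is a
# message that triggers none of the anomaly rules of Table I.
HF1, HF2, HF3, FINAL = "HF1", "HF2", "HF3", "SUCCESSFUL_ATTACK"
QUIET = "*"
# Reachability A (A[src] = states reachable from src in one step) and emission
# reachability B (B[state] = observables of Table II that may indicate it), both
# constructed from the Step 3 description rather than transcribed from Eq. (7).
A = {HF1: {HF2, HF3}, HF2: {HF2, HF3, FINAL}, HF3: {HF1}, FINAL: set()}
B = {HF1: {1, 2, 3}, HF2: {1, 2, 3}, HF3: {4}, FINAL: set()}
# Score matrix S as a sparse map (src, dst) -> score, with the paper's values:
# 1 per LPA state, 100 per penultimate (HPA) state, -100 into the final state.
S = {(HF1, HF1): 1, (HF3, HF1): 1, (HF1, HF2): 100, (HF2, HF2): 100,
     (HF2, FINAL): -100}

@dataclass
class StepResult:
    step: int
    observable: int | str
    engaged: frozenset   # hypothetic states engaged by this observable
    s_lpa: int           # LPA component of the score, Eq. (5)
    s_hpa: int           # HPA component of the score, Eq. (5)
    alarm: bool          # True when a penultimate (HPA) state is engaged

    @property
    def score(self) -> int:
        return self.s_lpa + self.s_hpa

class WeakProcessModel:
    def __init__(self, A, B, S, initial, penultimate, final, reset_states, K):
        self.A, self.B, self.S, self.K = A, B, S, K
        self.initial, self.penultimate, self.final = initial, penultimate, final
        self.reset_states = reset_states
        self.active: set = set()  # currently engaged states; empty = idle model
        self.quiet = 0            # consecutive steps with no anomaly observable
        self.s_lpa = self.s_hpa = self.k = 0

    def _add_score(self, src, dst) -> None:
        score = self.S.get((src, dst), 0)
        if dst in self.penultimate or dst == self.final:
            self.s_hpa += score
        else:
            self.s_lpa += score

    def step(self, obs) -> StepResult:
        self.k += 1
        engaged: set = set()
        if obs == QUIET and self.quiet + 1 < self.K:
            self.quiet += 1  # fewer than K quiet steps so far: nothing observed
        else:
            if obs == QUIET:
                obs = 4      # the ADL turns K consecutive quiet steps into observable 4
            self.quiet = 0
            hp = {s for s, obs_set in self.B.items() if obs in obs_set}  # Hp = B^T o_k
            if not self.active:
                # Idle model: only the initial state x0 can be engaged (Eq. 2, first term).
                if self.initial in hp:
                    engaged.add(self.initial)
                    self._add_score(self.initial, self.initial)
            else:
                # Trace: an engaged state must be reachable through A from an active one.
                for src in self.active:
                    for dst in hp & self.A[src]:
                        engaged.add(dst)
                        self._add_score(src, dst)
            if engaged & self.reset_states:
                self.s_lpa = self.s_hpa = 0  # threat reset (HF3): score and alarm cleared
            self.active = engaged
        return StepResult(self.k, obs, frozenset(engaged), self.s_lpa, self.s_hpa,
                          bool(engaged & self.penultimate))

# Observable sequence (9) of the paper; "*" stands for any non-anomalous message.
SEQUENCE_9 = [2, 2, "*", "*", "*", 3, 1, 2, 3, "*", "*", "*", 3, "*", 3, 2, "*", "*"]

def run_hello_flooding(observables=SEQUENCE_9, K=3) -> list[StepResult]:
    """Feed the observables to a fresh HELLO Flooding model; K as in Table II."""
    model = WeakProcessModel(A, B, S, HF1, {HF2}, FINAL, {HF3}, K)
    return [model.step(o) for o in observables]
```

On sequence (9) the run yields 101 (1 HPA + 1 LPA) at step 2, a score of 0 after the quiet runs 3-5 and 10-12, and the maximum 301 at step 9, matching the behaviour the text attributes to Fig. 10.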

Figure 9. WPM-based HELLO Flooding Model.

$$A = \begin{pmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 0 \\ 1 & 0 & 1 & 0 \end{pmatrix}, \qquad B = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 \end{pmatrix} \qquad (7)$$

$$S = \begin{pmatrix} 1 & 99 & 1 & 0 \\ 0 & 0 & 100 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix} \qquad (8)$$

Now suppose we feed the HELLO Flooding threat model graphically represented in Fig. 9 with the following sequence of observables, in the hypothesis that the threshold K introduced in Table II is equal to 3:

{2; 2; *; *; *; 3; 1; 2; 3; *; *; *; 3; *; 3; 2; *; *} (9)

where the symbol * indicates any other observable different from those listed in Table II. Simulations using MATLAB provided the results reported graphically in Fig. 10, and the results confirm expectations: observable sequences 3-4-5 and 10-11-12 indicate an attack interruption and alarms have been reset; moreover, the maximum alarm value of 301 (i.e. 3 HPA + 1 LPA) is reached at the last observable in the sequence 6-7-8-9.

Figure 10. Alarms related to HELLO Flooding threat when (9) is applied as input.

We are extending this approach to Sinkhole and Wormhole. In a Sinkhole the attacker emulates the sink and lures traffic from other nodes. In a Wormhole an adversary receives packets at one location in the network and tunnels them to another location (low latency link) in the network, where the packets are resent into the network.

VII. CONCLUSION AND FUTURE WORK

In this paper we propose a new approach to anomaly detection and alarm generation logic using the Weak Process Model formalism, which is a simplified version of Hidden Markov Models. Weak models are both robust tools for process detection and easy to construct. The proposed anomaly detection logic for threat modeling, threat identification, and alarm generation has been validated using MATLAB simulations. Other threats are currently being modeled using the proposed formalism. The objective is experimentation on a MicaZ cluster-based sensor network with a stepped implementation and deployment approach starting from a few sensor nodes. Currently we are carrying out early experiments using [17] on a few MicaZ sensor nodes and have implemented a stub module into the middleware code for the application of the anomaly rules on incoming signalling messages [18]. Moreover, we are packing the ADL code for the WSN development environment. A well-suited application scenario for the WINSOME (WIreless sensor Network-based Secure system for structural integrity Monitoring and AlErting) project is biomedicine, where WSNs are deployed as body area networks and a sink node is integrated in a PDA. In such a case, security and reliability are absolute qualifying indicators for the effectiveness of the monitoring system. Cross-layer design, adopted in WINSOME, is a key approach for security management. In particular, a deep integration with the cryptographic scheme (specifically the authentication procedure) has been applied as input (compare the Local Configuration Data defined in Section I with [3]).

REFERENCES

[1] H. Debar, M. Dacier, and A. Wespi, "Towards a Taxonomy of Intrusion-Detection Systems," Computer Networks: The International Journal of Computer and Telecommunications Networking, vol. 31, no. 9, pp. 805-822, 1999.
[2] T. Roosta, S. Shieh, and S. Sastry, "Taxonomy of security attacks in sensor networks," in First IEEE International Conference on System Integration and Reliability Improvements, Hanoi, Vietnam, vol. 1, 2006, pp. 529-536.
[3] M. Pugliese and F. Santucci, "Novel hybrid cryptographic scheme for the generation of pair-wise network topology authenticated keys in a wireless sensor network," unpublished.
[4] C. Karlof and D. Wagner, "Secure routing in wireless sensor networks: Attacks and countermeasures," in 1st IEEE International Workshop on Sensor Network Protocols and Applications, vol. 10, 2003.
[5] B. U, K. Sjoberg, B. Svensson, and P. Wiberg, "Capacity limitations in wireless sensor networks," in Emerging Technologies and Factory Automation, 2003. Proceedings. ETFA '03, 2003, pp. 529-536.
[6] S. S. Doumit and D. P. Agrawal, "Self Organized Criticality and Stochastic Learning Based Intrusion Detection System for Wireless Sensor Networks," in Military Communications Conference (MILCOM '03), 2003.
[7] S. Marti, T. Giuli, K. Lai, and M. Baker, "Mitigating Routing Misbehavior in Mobile Ad Hoc Networks," in 6th ACM/IEEE International Conference on Mobile Computing and Networking (MobiCom '00), 2000.
[8] C. E. Loo, M. Y. Ng, C. Leckie, and M. Palaniswami, "Intrusion Detection for Routing Attacks in Sensor Networks," in International Journal of Distributed Sensor Networks, 2005.
[9] Y. Ephraim and N. Merhav, "Hidden Markov Processes," in IEEE Trans. Inform. Theory, vol. 48, no. 6, 2002.
[10] G. Jiang, "Robust process detection using nonparametric weak models," in International Journal of Intelligent Control and Systems, vol. 10, 2005.
[11] G. Forney, "The Viterbi Algorithm," in Proc. IEEE, vol. 61, 1973, pp. 263-278.
[12] L. Rabiner and B. Juang, "An Introduction to Hidden Markov Models," in IEEE ASSP Magazine, 1986, pp. 4-16.
[13] Q. Yin, L. Shen, R. Zhang, X. Li, and H. Wang, "Intrusion Detection Based on Hidden Markov Model," in 2003 International Conference on Machine Learning and Cybernetics, vol. 5, 2003, pp. 3115-3118.
[14] R. Khanna and H. Liu, "System Approach to Intrusion Detection Using Hidden Markov Model," in Proceedings of the 2006 International Conference on Wireless Communications and Mobile Computing, vol. 5, 2006, pp. 349-354.
[15] A. Giani, "Detection of Attacks on Cognitive Channels," Ph.D. Thesis, Dartmouth College, Hanover, NH, 2006.
[16] Y. Sheng and G. Cybenko, "Distance Measures for Nonparametric Weak Process Models," in IEEE International Conference on Systems, Man and Cybernetics, vol. 1, 2005, pp. 722-727.
[17] C. L. Fok, G. C. Roman, and C. Lu, "Agilla: A Mobile Agent Middleware for Sensor Networks," Technical Report WUCSE-2006-16, Washington University in St. Louis, 2006.
[18] D. D. Leonardis and C. Coletti, "Utilizzo di Agenti Mobili in wsns attraverso il Middleware Agilla," Technical Report, University of L'Aquila, 2008.
