# Intrusion-Aware Alert Validation Algorithm for Cooperative Distributed Intrusion Detection Schemes of Wireless Sensor Networks

^{1}

^{2}

^{3}

^{*}

## Abstract

**:**

## 1. Introduction

## 2. Taxonomy of IDS

## 3. Related Work

#### 3.1. Intrusion Detection Schemes

#### 3.2. Intrusion Prevention Schemes

## 4. Network Model, Assumptions and Definitions

#### 4.1. Network Model and Assumptions

#### 4.2. Definitions

_{L}) is define as:

## 5. Intrusion-aware Alert Validation Algorithm

#### 5.1. Sender Monitoring Node

#### Phase 1: Detection of Malicious Node

_{x,y}is the total number of successful interactions of node x with y during time Δt, U

_{x,y}is the total number of unsuccessful interactions of node x with y during time Δt. After calculating trust value, a node will quantize trust into three states as follows:

_{x}represents the set of trustworthy nodes for node x, M

_{x}the set of untrustworthy nodes for node x, and n is the total number of nodes that contains trustworthy, untrustworthy and uncertain nodes. The initial trust values of all nodes are 50, which represents the uncertain state. Initially f and g are equal to 25 and 17 respectively, although other values could also be used by keeping the following constraint intact: f

_{i}− g

_{i}≥ 1, which is necessary for keeping the uncertain zone between a trusted and untrustworthy zone. The values of f and g are adaptive. During the steady-state operation, these values can change with every passing unit of time which creates dynamic trust boundaries. At any stage, when |R

_{x}| or |M

_{x}| becomes zero, the value of f

_{j}

_{+1}or g

_{j}

_{+1}remains the same as the previous values (f

_{j}and g

_{j}). The nodes whose values are above 100 − f will be declared as trustworthy nodes (Equation 3), and nodes whose values are lower than 50 − g will be consider as untrustworthy nodes (Equation 3). After each passage of time, Δt, nodes will recalculate the values of f and g. This trust calculation procedure will continue in this fashion.

#### Phase 2: Threat Level Assignment

_{level}) in following way:

_{mal}represent the trust value of a malicious node. Let us assume that there are three threat levels (k=3): low, medium and high. In that case, a node will quantize threat level (H

_{level}) in following way:

#### Phase 3: Generation of Alert Message

- Identity of the sender node (ID
_{sender}). - Identity of the malicious node (ID
_{mal}). - Threat level (H
_{level}). - Threat detail, like code etc.

#### 5.2. Receiver Monitoring Node

#### Phase 1 (Consensus Phase)

_{sm}) of the sender and malicious nodes respectively (Line 3:5). Afterwards, the node will perform filtering by eliminating any known malicious node(s) from that list (Line 6). Based on the threat level, confirmation request packet(s) is forwarded to randomly selected node(s) from the N

_{t}list (Line 7:19). For example, if the threat level is low, then the confirmation request is forwarded to the one randomly selected trustworthy node from the list N

_{t}(Line 8:9). If the threat level is medium, then the confirmation request packet is forwarded to half of the randomly selected trustworthy nodes from the list N

_{t}(Line 10:13). If the threat level is high, then the confirmation request packet is forwarded to all trustworthy nodes in the list N

_{t}(Line 14:17). If the information about the malicious node is already present (Line 20), then the node will just update its old record (Line 21).

1: Received Claim Packet (ID_{sender}, ID_{mal}, H_{level}, detail); |

2: if ID_{sender} is uncertain and ID_{mal} is new then |

3: N_{s} = GetNeighorList(ID_{sender}); |

4: N_{m} = GetNeighorList(ID_{mal}); |

5: N_{sm} = N_{s} ∩ N_{m}; |

6: N_{t} = Eliminate_Known_Malicious_Nodes(N_{sm}); |

7: if N_{t} ≠ = ϕ then |

8: if ThreatLevel(T H_{level}) is Low then |

9: Send conf_req_pkt(rand(N_{t}), ID_{mal}, H_{level},det); |

10: else if ThreatLevel(T H_{level}) is Medium then |

11: for i = 1 to len(N_{t})/2 do |

12: Send conf_req_pkt(rand(N_{t}), ID_{mal}, H_{level},det); |

13: end for |

14: else |

15: for i = 1 to len(N_{t}) do |

16: Send conf_req_pkt(ID_{i}, ID_{mal},det); |

17: end for |

18: end if |

19: end if |

20: else |

21: Update Record; |

22: end if |

#### Phase 2 (Decision Phase)

_{prop}is the propagation time between the requester and farthest responder (in terms of hops or geographical location) among nodes where the request packets were forwarded. The t

_{proc}is the estimated processing time of the request at the responder end.

_{i,j}represents that the node i received the response packet from the node j and j ∈ N

_{t}. A node i will make the decision (D) about the validity and invalidity of the claim based on the following rule:

_{res}represents the total number of the response packets received by the node i in response to the number of the request packets (n

_{req}). Here 0 ≥ n

_{res}≤ n

_{req}.

**Responder monitoring nodes:**Whenever any monitoring node receives confirmation request packet for alert validation, it will first check the status of the sender. If the sender is trusted, it will generate confirmation response packet and will not generate the same alert if responder node agree with the claim. Also, the responder node will update its malicious node list. If the responder node receives the same alert message from another monitoring node, it will straightforwardly validate that claim. This approach helps to suppress any extra requests for the same alert.

**Tolerance for false alarm:**In our proposed algorithm, default tolerance level for false alarms generated by any node is zero. As mentioned earlier, if a claim is invalidated, the sender of the claim will be declared as a malicious node. If we do not declare the sender as a malicious node, then it may result in flooding or denial of service attacks. However, if we declare the sender as a malicious node, it may cause a node to be evicted from the network due to false alarm.

## 6. Analyses and Evaluation

#### 6.1. Communication Overhead Analysis

_{c}), (2) number of commonly trusted neighboring nodes, and (3) threat level of intrusion or anomaly. Table 2 shows the communication overhead, in which m

_{t}represents the average number of trusted common neighboring nodes between the monitoring and malicious nodes and I

_{l}, I

_{m}, and I

_{h}represents the total number of low, medium and high intrusion level threats respectively. Here I

_{c}= I

_{l}+ I

_{m}+ I

_{h}.

_{t}and the total number of intrusions I

_{c}occurred in the network. It shows that as the number of m

_{t}or I

_{c}increases, the communication overhead of the validation scheme also increases linearly. Figure 6(b) shows the comparison between the four different levels of the reliability modes. In the simulation, each monitoring node has a random number of commonly trusted neighboring nodes. This figure shows that the intrusion-aware reliability mode introduces less communication overhead then the medium and high level reliability modes. At a modest communication cost, it provides adequate reliability required by the nature of the intrusion claim.

_{t}or I

_{c}increases, the communication overhead of the validation scheme (with random tolerance) increases more sharply as compared with the zero tolerance level.

#### 6.2. Reliability Analysis

_{c}) of a algorithm to reach at the consensus state (validate or invalidate) is:

_{c}represents the number of nodes reaching a consensus and K represents the number of possible outcomes (agree, disagree and don’t know) produces by the node. If the probability distribution is not uniform between possible outcomes, then the total probability (P

_{c}) of an algorithm to reach the consensus state (validates or invalidate) is:

_{i}is the probability mass function that captures the probability distribution of the symbol produced by the node i. S

_{m}(i) is the i

^{th}symbol in the m

^{th}node result. More details and derivation of these two probability equations are given in [27].

#### 6.3. Security Resiliency Analysis

**m**denote the node accused of being malicious and let

**a**denote the node that receives this claim from

**s**about

**m**. As before, let N

_{t}denote the filtered list of nodes obtained after performing Line 6 of the algorithm for the consensus phase. From a security point of view, we consider 4 possible events:

- Event
`S`:**s**sends a true claim. - Event
`S̄`: The complement of event`S`. - Event
`N`: All nodes in N_{t}send correct responses. - Event
`N̄`: A non-empty subset of nodes in N_{t}send incorrect responses.

**a**behaving maliciously since the claim received by it is for its own benefit. Notice further that by incorrect response, we mean nodes responding with −1, where the right answer should be either 1 or 0. Denote by

`M`the event that

**a**decides that

**m**is malicious. We are interested in the four resulting conditional probabilities. We calculate them sequentially in the following. For the ease of analysis, we assume that if

**a**comes to no consensus, it will take the claim of

**s**as true.

**Claim 1:**Let m be the number of nodes in N

_{t}that agree with the claim of

**s**. Then $\text{Pr}[\mathrm{M}|\mathrm{S},\mathrm{N}]=\left(\begin{array}{c}{N}_{t}\\ m\end{array}\right){\sum}_{i=1}^{m}\frac{\left(\underset{i}{{N}_{t-m}}\right)}{{2}^{{N}_{t-m}}}$ when m < N

_{t}/2 and 1 otherwise.

_{t}/2. The remaining nodes in N

_{t}will either send −1 or 0 as the response. Event

`M`will be true if the sum of the −1’s is less than or equal to m. Assuming m to be fixed, this probability is:

_{t}nodes, $\left(\begin{array}{c}{N}_{t}\\ m\end{array}\right)$ is the total number of ways in which m nodes can agree with the claim. So the probability is then:

_{t}/2 is obvious.

**Claim 2:**Let m

^{′}be the number of nodes in N

_{t}that send false responses. Let m be the number of nodes in N

_{t}that agree with the claim of

**s**. Then $\text{Pr}[\mathrm{M}|\mathrm{S},\overline{\mathrm{N}}]=\left(\begin{array}{c}{N}_{t}\\ m-{m}^{\prime}\end{array}\right){\sum}_{i=1}^{m-{m}^{\prime}}\frac{\left(\underset{i}{{N}_{t-m+{m}^{\prime}}}\right)}{{2}^{{N}_{t-m+{m}^{\prime}}}}$ when m ≥ m

^{′}and 0 otherwise. In particular, Pr [

`M`|

`S`,

`N̄`] = 0 if m

^{′}> N

_{t}/2.

^{′}, since otherwise the sum of responses will be less than 0. Hence we replace m by m − m

^{′}in the probability obtained from Claim 1. The special case when m

^{′}> N

_{t}/2 is obvious since then the sum of the responses will always be less than 0.

**Claim 3:**Pr[

`M`|

`S̄`,

`N`] = 1 − Pr [

`M`|

`S`,

`N`].

**s**will play an opposite role, the result follows.

**Claim 4:**Let m

^{′}be the number of nodes in N

_{t}that send false responses. Let m be the number of nodes in N

_{t}that agree with the claim of

**s**. Then $\text{Pr}[\mathrm{M}|\overline{\mathrm{S}},\overline{\mathrm{N}}]=\left(\begin{array}{c}{N}_{t}\\ m+{m}^{\prime}\end{array}\right){\sum}_{i=1}^{m+{m}^{\prime}}\frac{\left(\underset{i}{{N}_{t-m-{m}^{\prime}}}\right)}{{2}^{{N}_{t-m-{m}^{\prime}}}}$ when m + m

^{′}< N

_{t}/2 and 1 otherwise.

^{′}nodes that agree with

**s**. Thus we simply replace m by m + m

^{′}to complete the proof.

**a**marks

**s**as malicious. This will happen if

**a**comes to a consensus opposite to the claim of

**s**. Let this event be denoted as

`O`. We are interested in Pr [

`O`|

`S`] and Pr [

`O`|

`S̄`]. Let p = Pr [

`N`]. We have the following straightforward result:

**Claim 5:**We have:

## 7. Conclusion and Future Work

## Acknowledgments

## References and Notes

- Bhuse, V.; Gupta, A. Anomaly Intrusion Detection in Wireless Sensor Networks. J. High Speed Netw
**2006**, 15, 33–51. [Google Scholar] - Du, W.; Fang, L.; Ning, P. LAD: Localization Anomaly Detection for Wireless Sensor Networks. J. Parallel Distrib. Comput
**2006**, 66, 874–886. [Google Scholar] - Loo, C.E.; Ng, M.Y.; Leckie, C.; Palaniswami, M. Intrusion Detection for Routing Attacks in Sensor Networks. Inter. J. Distrib. Sensor Netw
**2006**, 2, 313–332. [Google Scholar] - Chatzigiannakis, V.; Papavassiliou, S. Diagnosing Anomalies and Identifying Faulty Nodes in Sensor Networks. IEEE Sens. J
**2007**, 7, 637–645. [Google Scholar] - da Silva, A.P.R.; Martins, M.H.T.; Rocha, B.P.S.; Loureiro, A.A.F.; Ruiz, L.B.; Wong, H.C. Decentralized Intrusion Detection in Wireless Sensor Networks. Proceedings of the 1st ACM international workshop on Quality of service & security in wireless and mobile networks (Q2SWinet’05), 2005; ACM: New York, NY, USA; pp. 16–23.
- Liu, F.; Cheng, X.; Chen, D. Insider Attacker Detection in Wireless Sensor Networks. Proceedings of 26th Annual IEEE Conference on Computer Communications (INFOCOM07), Anchorage, Alaska, USA, 2007; pp. 1937–1945.
- Bhuse, V.S. Lightweight Intrusion Detection: A Second Line of Defense for Unguarded Wireless Sensor Networks. PhD thesis,. Western Michigan University, Kalamazoo, MI, USA, 2007. [Google Scholar]
- Su, W.-T.; Chang, K.-M.; Kuo, Y.-H. eHIP: An Energy-Efficient Hybrid Intrusion Prohibition System for Cluster-Based Wireless Sensor Networks. Comput. Netw
**2007**, 51, 1151–1168. [Google Scholar] - Zhang, Q.; Yu, T.; Ning, P. A Framework for Identifying Compromised Nodes in Wireless Sensor Networks. ACM Trans. Infor. Syst. Secur
**2008**, 11, 1–37. [Google Scholar] - Barborak, M.; Dahbura, A.; Malek, M. The Consensus Problem in Fault-Tolerant Computing. ACM Comput. Surv
**1993**, 25, 171–220. [Google Scholar] - Pfleeger, S.L. Security in Computing; Prentice Hall: Upper Saddle River, New Jersey, USA, 2003. [Google Scholar]
- Newman, D.P.; Manalo, K.M.; Tittel, E. CSIDS Exam Cram 2 (Exam Cram 623-531); Que Publishing: Upper Saddle River, NJ, USA, 2004. [Google Scholar]
- Perrig, A.; Canetti, R.; Tygar, J.D.; Song, D. Efficient Authentication and Signing of Multicast Streams Over Lossy Channels. Proceedings of IEEE Symposium on Research in Security and Privacy, Oakland, Canada, 2000; pp. 56–73.
- Younis, O.; Krunz, M.; Ramasubramanian, S. Node Clustering in Wireless Sensor Networks: Recent Developments and Deployment Challenges. IEEE Netw
**2006**, 20, 20–25. [Google Scholar] - Heinzelman, W.B.; Chandrakasan, A.P.; Balakrishnan, H. An Application-Specific Protocol Architecture for Wireless Microsensor Networks. IEEE Trans. Wirel Comm
**2002**, 1, 660–670. [Google Scholar] - Jin, Y.; Wang, L.; Kim, Y.; Yang, X.-Z. Energy Efficient Non-uniform Clustering Division Scheme in Wireless Sensor Networks. Wirel. Pers. Comm
**2008**, 45, 31–43. [Google Scholar] - Hac, A. Wireless Sensor network Designs; John Wiley & Sons, Ltd: New Jersey, USA, 2003. [Google Scholar]
- Shaikh, R.A.; Lee, S.; Khan, M.A.U.; Song, Y.J. LSec: Lightweight Security Protocol for Distributed Wireless Sensor Network. Lect. Not. Comput. Sci
**2006**, 4217, 367–377. [Google Scholar] - Shaikh, R.A.; Jameel, H.; Lee, S.; Song, Y.J.; Rajput, S. Trust Management Problem in Distributed Wireless Sensor Networks. Proceedings of 12th IEEE International Conference on Embedded Real Time Computing Systems and its Applications (RTCSA 2006); IEEE Computer Society: Sydney, Australia, 2006; pp. 411–415. [Google Scholar]
- Jiang, P. A New Method for Node Fault Detection in Wireless Sensor Networks. Sensors
**2009**, 9, 1282–1294. [Google Scholar] - Shaikh, R.A.; Jameel, H.; d’Auriol, B.J.; Lee, H.; Lee, S.; Song, Y.J. Group-based Trust Management Scheme for Clustered Wireless Sensor Networks. IEEE Trans. Parall Distrib. Sys. (in press)..
- Buchegger, S.; Le Boudec, J.-Y. A Robust Reputation System for Peer-To-Peer and Mobile Ad-Hoc Networks. Proceedings of P2PEcon, Harvard University, MA, USA; 2004. [Google Scholar]
- Gupta, S. Automatic Detection of DOS Routing Attacks in Wireless Sensor Networks, MS thesis,. University of Houston, Houston, USA, 2006.
- Du, X.; Guizani, M.; Xiao, Y.; Chen, H.H. Two Tier Secure Routing Protocol for Heterogeneous Sensor Networks. IEEE Trans. Wirel. Commun
**2007**, 6, 3395–3401. [Google Scholar] - Karlof, C.; Wagner, D. Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures. Proceedings of the First IEEE International Workshop on Sensor Network Protocols and Applications (WSNA’03); IEEE Computer Society: Anchorage, Alaska, USA, 2003; pp. 113–127. [Google Scholar]
- Srinivasan, A.; Teitelbaum, J.; Liang, H.; Wu, J.; Cardei, M. Reputation and Trust-based Systems for Ad Hoc and Sensor Networks. In Algorithms and Protocols for Wireless Ad Hoc and Sensor Networks; Boukerche, A., Ed.; Wiley & Sons: New Jersey, USA, 2006. [Google Scholar]
- Yacoub, S.; Lin, X.; Burns, J. Analysis of the Reliability and Behavior of Majority and Plurality Voting Systems. Hewlett-Packard Development Company, L.P.: Palo Alto, CA, USA, 2002. [Google Scholar]

**Figure 5.**Average communication overhead of validation algorithm after 1000 simulation runs in which different levels of intrusions occurs randomly.

[1] | [2] | [3] | [4] | [5] | [6] | ||
---|---|---|---|---|---|---|---|

Classification | Technique | Signature-based | Statistical-based | Statistical-based | Statistical-based | Statistical-based | Statistical-based |

Architecture | Distributed & cooperative | Distributed & cooperative | Distributed & uncooperative | Hybrid | Distributed & uncooperative | Distributed & cooperative | |

Specifications | Installation of IDS | Each sensor node | Each sensor node | Each sensor node | Each primary node of a group | Special monitor nodes in network | Each sensor node |

IDS Scope | Multilayer (Appl., Net., MAC & Phy.) | Application layer | Network layer | Application layer | Multilayer (Appl., Net., MAC & Phy.) | Network layer | |

Attacks detects | Masquerade attack, and forged packets attacks | Localization anomalies | Routing attacks e.g., Periodic error route attack, active & passive sinkhole attack | Correlated anomalies / attacks (invalid data insertion) | Worm hole, data alteration, selective forwarding, black hole, & jamming | Routing attacks e.g., packet dropping etc. | |

Network | Sensor node | Static / Mobile | Static | Static / Mobile | Static / Mobile | Static | Static |

Topology | Any | Any | Any | Cluster-based | Tree-based | Any |

Cost | |
---|---|

Low | 2I_{c} |

Medium | m_{t}I_{c} |

High | 2m_{t}I_{c} |

Intrusion-aware | 2I_{l} + (I_{m} + 2I_{h})m_{t} |

© 2009 by the authors; licensee MDPI, Basel, Switzerland This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/).

## Share and Cite

**MDPI and ACS Style**

Shaikh, R.A.; Jameel, H.; D’Auriol, B.J.; Lee, H.; Lee, S.; Song, Y.-J.
Intrusion-Aware Alert Validation Algorithm for Cooperative Distributed Intrusion Detection Schemes of Wireless Sensor Networks. *Sensors* **2009**, *9*, 5989-6007.
https://doi.org/10.3390/s90805989

**AMA Style**

Shaikh RA, Jameel H, D’Auriol BJ, Lee H, Lee S, Song Y-J.
Intrusion-Aware Alert Validation Algorithm for Cooperative Distributed Intrusion Detection Schemes of Wireless Sensor Networks. *Sensors*. 2009; 9(8):5989-6007.
https://doi.org/10.3390/s90805989

**Chicago/Turabian Style**

Shaikh, Riaz Ahmed, Hassan Jameel, Brian J. D’Auriol, Heejo Lee, Sungyoung Lee, and Young-Jae Song.
2009. "Intrusion-Aware Alert Validation Algorithm for Cooperative Distributed Intrusion Detection Schemes of Wireless Sensor Networks" *Sensors* 9, no. 8: 5989-6007.
https://doi.org/10.3390/s90805989