COLIDE: a collaborative intrusion detection framework for Internet of Things
2018; Volume: 8; Issue: 1; Language: English
10.1049/iet-net.2018.5036
ISSN 2047-4962
Authors: Junaid Arshad, Muhammad Ajmal Azad, Mohammad M. Abdellatif, Muhammad Habib ur Rehman, Khaled Salah
Topic(s): Security in Wireless Sensor Networks
IET Networks, Volume 8, Issue 1, pp. 3-14. Special Section: Exploring IoT Systems in Businesses: Frameworks, Use Cases, Policies, Protocols and Services. Free Access.

COLIDE: a collaborative intrusion detection framework for Internet of Things

Junaid Arshad (orcid.org/0000-0003-0424-9498), School of Computing and Engineering, University of West London, London, UK
Muhammad Ajmal Azad (corresponding author, muhammad.azad@ncl.ac.uk), School of Computing, Newcastle University, Newcastle Upon Tyne, UK
Mohammad Mahmoud Abdellatif, Faculty of Engineering, The British University in Egypt, Cairo, Egypt
Muhammad Habib Ur Rehman, Department of Computer Science, National University of Computer and Emerging Sciences, Lahore, Pakistan
Khaled Salah, ECE Department, Khalifa University, Abu Dhabi, United Arab Emirates

First published: 01 January 2019
https://doi.org/10.1049/iet-net.2018.5036 (Citations: 35)

Abstract

The Internet of Things (IoT) represents a network of resource-constrained sensor devices connected through the open Internet and susceptible to misuse by intruders. Traditional standalone intrusion detection systems (IDS) are tasked with monitoring device behaviours to identify malicious activities. These systems not only require extensive network and system resources but also delay the detection of a malicious actor, because no comprehensive view of the intruder's activities is available. Collaboration among IoT devices makes it possible to consider knowledge from a collection of host and network devices and so achieve improved detection accuracy in a timely manner. However, collaboration introduces the challenges of energy efficiency and event processing, which are particularly significant for resource-constrained devices. In this paper, we present a collaborative intrusion detection framework (COLIDE) for IoT that leverages collaboration among resource-constrained sensor and border nodes for effective and timely detection of intruders. The paper presents a detailed formal description of the proposed framework along with an analysis to assess its effectiveness for a typical IoT system. We implemented the COLIDE framework with Contiki OS and conducted thorough experimentation to evaluate its performance.
The evaluation demonstrates the efficiency of the COLIDE framework with respect to energy and processing overheads while achieving effectiveness within an IoT system.

1 Introduction

The use of sensor devices has increased dramatically over the last few years, leading to their proliferation across diverse domains such as wearables, intelligent appliances, and vehicles. As these devices can be connected to the Internet, exciting possibilities such as the Internet of Things (IoT) emerge. IoT has received significant attention as a disruptive technology and is considered fundamental to the networks of the future. A recent study by Gartner predicted that the number of sensor devices will grow to more than 20 billion by the year 2020 [1]. This has a direct impact on industrial applications such as the automotive industry and commercial security cameras, as well as consumer applications such as wearables, smart TVs, and smart meters. A typical IoT network consists of devices with resource constraints such as limited processing power, energy resources, and communication range. These constraints mandate an efficient communication protocol that imposes limited energy overheads, performs efficiently under diverse conditions, and supports a larger address space. To this end, IPv6 over Low-power Wireless Personal Area Networks (6LoWPAN) [2-4] allows resource-constrained sensor devices to send and receive communication events as IPv6 packets over IEEE 802.15.4-based networks. Additionally, 6LoWPAN facilitates communication among LoWPANs using IPv6 by performing header compression and fragmentation [5]. This enables the things to still use the IP-based Internet, leveraging standards and technologies developed over the last few decades. For a typical LoWPAN, this connectivity is achieved by using an edge router, which facilitates connectivity among the devices participating within the LoWPAN as well as with the Internet.
However, the open network architecture of IoT has also attracted intruders who use networks of thousands of devices to spread malicious content. Because such devices have proliferated into almost every aspect of our lives, the threats posed by their insufficient security are unique: insecure devices expose end users to serious security and privacy threats. For instance, if an attacker is able to compromise an in-car WiFi, all in-car devices and data are at risk. Once inside the network, an attacker can spoof the car, connect to outside data sources, and steal the owner's personal information including credit card data [6]. With regard to 6LoWPAN implementations, most of the IoT security threats originate from the 802.15.4 layer, the IP network, and the adaptation layer between them. Therefore, the challenge for an effective and secure intrusion detection system for a 6LoWPAN-based IoT network is two-fold. Firstly, these devices are typically resource-constrained, which limits their ability to host a sophisticated security system that monitors the device in real time. Secondly, the ad-hoc nature of 6LoWPAN networks allows devices to connect to other devices at runtime, typically for short periods, thereby creating a dynamic network. A number of efforts have been made to address security for IoT in general and intrusion detection in particular [7-9]. However, these are generally focused on standalone intrusion detection components integrated with the sensor device or with a high-powered device such as a cluster head. These approaches are limited in that they consider a restricted view of the events within an IoT network and are therefore limited in their ability to address complex, multi-stage, coordinated, and distributed attacks.
We believe that collaboration in intrusion detection enables end devices to use the collective information from a number of devices to obtain a more accurate and wider overview of the characteristics of the IP traffic passing through them. In this paper, we build on our existing work [10] and present a COLlaborative Intrusion DEtection (COLIDE) framework for IoT networks. In particular, the framework envisages the collective use of information from host- and network-based detection systems. The detection system is divided into two layers: an edge router layer and an end-host/node layer. The end-host component monitors events at the node level and reports anomalous events to the network/edge router level system, which correlates the alerts to perform aggregate detection. We believe that correlating alerts from multiple devices will not only minimise the false positive rate and improve the detection rate under distributed attacks but will also reduce the workload at the end host. Therefore, the proposed framework is envisioned to address challenges such as flexibility, the resource constraints of the nodes, and the collaborative nature of IoT networks. The overall contributions made by this paper are:
- A novel intrusion detection framework for IoT networks focused on achieving efficient intrusion detection through collaboration between host- and network-based intrusion detection.
- Efficient detection of complex, multi-stage attacks achieved via collaboration between sensor nodes and the edge router.

The rest of the paper is structured as follows. Section 2 presents the background on intrusion detection systems and 6LoWPAN along with an attack model for IoT networks highlighting the specific threats addressed by the COLIDE framework. Section 3 presents the related work regarding intrusion detection within an IoT network. Section 4 presents our collaborative approach and its formal representation and analysis using Z notation.
Section 5 presents the implementation of the proposed setup, followed by the performance evaluation of the proposed framework in Section 6. Section 7 discusses the properties of the proposed system. Finally, Section 8 concludes the paper.

2 Background and threat model

In this section, we present the basic concepts used throughout the rest of this paper that are needed to understand the proposed system. Furthermore, we include an attack model identifying the threats addressed by the COLIDE framework.

2.1 IPv6 over Low-Power Wireless Personal Area Networks

A major factor in the uptake of IoT is its ability to integrate sensor devices with the Internet, allowing them to communicate with other devices and systems. These devices typically include automation and home appliances, creating LoWPANs. One of the most commonly used technologies for LoWPANs is IEEE 802.15.4 [11]. This standard describes the PHY and MAC layer requirements for low-rate, low-power wireless embedded radio communication. It can operate in three different frequency bands, namely the 2400 MHz ISM, 915 MHz ISM, and 868 MHz European bands. The MAC layer protocol is responsible for efficient sharing of the channel bandwidth and of the energy required for communication. The MAC layer module controls the way packets are transmitted and received. Generally, two approaches are used in the literature to classify protocols for transmission and reception of packets in the channel, i.e. reservation-based and contention-based protocols. The reservation-based protocols attempt to optimise energy and throughput by dividing the network into clusters referred to as Personal Area Networks (PANs). Each PAN has a cluster head that coordinates the transmissions among the nodes within the PAN, whereas the contention-based approach uses Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA) and focuses on detecting medium activity in the channel.
When using the CSMA/CA mechanism, a node senses the medium before transmitting a packet. If another node is already sending on the medium, it withdraws to avoid a collision, which matters most when traffic is high. In order for these devices to connect to the Internet, each needs a unique IP address. IPv4 has many limitations, such as an address size that limits the number of connected devices; this is easily solved by using IPv6. IPv6 nodes are assigned 128-bit IP addresses in a hierarchical manner, through a network prefix of arbitrary length. IEEE 802.15.4 devices may use either IEEE 64-bit extended addresses or, after an association event, 16-bit addresses that are unique within a PAN. A significant problem in this context is that IPv6 requires the maximum transmission unit to be at least 1280 octets, whereas the IEEE 802.15.4 standard packet size is 127 octets. A maximum frame overhead of 25 octets leaves 102 octets at the media access control layer. An optional but highly recommended security feature at the link layer adds further overhead: for example, 21 octets are consumed by AES-CCM-128, leaving only 81 octets for the upper layers. To solve this, the 6LoWPAN adaptation layer was introduced. 6LoWPAN [12] is a technology standard defined by the IETF to enable the IPv6 stack to operate smoothly over the IEEE 802.15.4 MAC link layer. As an adaptation layer, it compresses all headers, including the 40-byte IPv6 header from the network layer and the 8-byte UDP header from the transport layer, into a few bytes. For IPv6 frames to be transmitted over IEEE 802.15.4 radio links, the frames have to be divided into fragments, with additional header data generated so that the original packet can be reconstructed. On receipt, this additional data is removed and the original format restored. 6LoWPAN supports routing in both the network and the link layer: the link layer uses mesh-under routing while the network layer uses route-over routing.
In mesh-under routing, the adaptation layer sends packets through multiple radio hops, while the route-over scheme performs routing at the network layer with the nodes acting as routers. Thus, every hop in the link represents an IP hop for sending packets across the links. Fig. 1 shows the architecture of a 6LoWPAN network; host devices can be either fixed (static) or mobile, depending on the application design. The edge router handles communication between 6LoWPAN devices, the Internet, and other IP networks. It manages the maintenance and generation of 6LoWPAN subnets and also handles data exchange between devices in the network.

Fig. 1: Typical 6LoWPAN system

2.2 Routing protocol for low-power and lossy networks

As 6LoWPAN networks are expected to be densely populated, packets will need to be routed throughout the network to reach their destination. Several routing protocols have been proposed by the 6LoWPAN community. However, only two routing protocols are currently considered legitimate for large-scale deployments: LOADng [13] and RPL [14]. This work uses the Routing Protocol for Low-Power and Lossy Networks (RPL). RPL is an IPv6-based routing protocol for LoWPANs, designed by the IETF Routing Over Low-Power and Lossy Networks working group. It is a distance-vector routing protocol that operates on top of the IEEE 802.15.4 physical and data link layers. It organises nodes in a Destination-Oriented Directed Acyclic Graph (DODAG), where each router identifies a set of parents, each of which is a potential next hop on a path towards the root of the DODAG. The preferred parent is selected among the candidates based on a metric or constraint. RPL supports different kinds of network traffic, including point-to-point, multipoint-to-point, and point-to-multipoint communication. RPL supports bidirectional links that enable both uplink and downlink traffic.
The nodes in an RPL network comprise the Low-Power and Lossy Network border router (LBR), the routers, and the hosts. During network formation, RPL creates a tree-like topology with the border router (BR) serving as the root and the routers and hosts forming the edges, propagating information up and down the network. Each node in the RPL network has a rank, which states its position relative to other nodes: the LBR has the minimum rank value and the rank increases towards the leaves of the DODAG. The rank value is computed using the objective function, which contains the routing metrics and objectives used in forming the network. 6LoWPAN [3, 4] has a profound role in this. 6LoWPAN is a networking technology that allows IPv6 packets to be carried efficiently within small link layer frames such as those defined by IEEE 802.15.4. This enables the much sought-after integration of sensor devices within a WPAN with the Internet, thereby realising the long-term objective of the Internet of ‘Things’. A graphical representation of a typical 6LoWPAN is provided in Fig. 1. Typically, the Internet connectivity for the ‘things’ is handled by a wireless access point, whereas the 6LoWPAN network is connected to the IPv6 network using an edge router which handles data exchange between 6LoWPAN devices and the Internet, local data exchange between devices inside the 6LoWPAN, and generation and maintenance of the radio subnet.

2.3 Threat model for the IoT

Although the IoT is an emerging paradigm, a significant part of the software stack used by IoT applications is adopted from existing computing paradigms. This is also evident from the integration of the IoT-specific stack (such as 6LoWPAN and RPL) [15] with the existing Internet infrastructure such as IPv4 and IPv6.
Consequently, an attack model for IoT infrastructures is not restricted to the threats specific to the new routing protocols such as 6LoWPAN and RPL but also includes threats to existing infrastructure such as IPv6, application-specific attacks, and attacks specific to the physical media such as the radio spectrum. The attack model for a typical IoT network is presented in Fig. 2.

Fig. 2: Attack model for IoT network

Our research is aimed at developing a collaborative intrusion detection system for IoT infrastructures. Therefore, we focus on two types of threats in this paper, i.e. routing-specific and software or application-specific threats. As our proposed system is a software entity, we consider threats at the physical layer out of the scope of this research.

2.3.1 Routing-specific attacks

Routing attacks directly impact the low-power devices and their routing tables, for example through flooding or denial of service (DoS) attacks against the routing tables. Potential routing attacks for an IoT system are presented below.

Rank attack: 6LoWPAN networks use ranking to establish an optimal routing path. Within this context, the node rank indicates the quality of the path from a node to the sink node. Every time a node updates its rank or preferred parent, it needs to inform other nodes by sending the updated information in the next cycle. RPL uses the rank rule that a parent node should always have a lower rank than its children, to prevent loop creation. This enables creating an optimal topology, preventing loops and managing control overhead [16]. As identified by [16-18], the rank information can be maliciously tampered with by an attacker so that a node chooses the node with the worst rank as its parent. This disrupts the topology of the network, causing delays in normal transmission.
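To make the rank rule concrete from the defender's side, the following added example (not the paper's code and not a real RPL implementation) builds a toy DODAG in which each node picks the neighbour advertising the lowest rank as its preferred parent, and then audits the resulting topology the way a border router with a view of the advertised ranks could. The node ids, ranks, neighbour lists and the minimal "lowest rank wins" objective function are all constructed assumptions.

```python
"""Toy RPL DODAG with a rank-rule audit.

Added example for illustration only: this is not the paper's COLIDE code and
not a real RPL implementation. Ranks, node ids and neighbour lists are
constructed, and the 'objective function' is simply 'lowest advertised rank'.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Node:
    node_id: str
    rank: int                      # rank the node advertises in its DIO messages
    neighbours: List[str]          # ids of nodes whose DIOs this node can hear
    is_root: bool = False
    parent: Optional[str] = None   # preferred parent (next hop towards the root)


def select_parents(nodes: Dict[str, Node]) -> None:
    """Every non-root node picks the neighbour advertising the lowest rank."""
    for node in nodes.values():
        if node.is_root or not node.neighbours:
            continue
        best = min((nodes[n] for n in node.neighbours), key=lambda n: n.rank)
        node.parent = best.node_id


def audit_ranks(nodes: Dict[str, Node]) -> List[str]:
    """Return violations of the rank rule visible from the advertised topology:
    a parent must have a strictly lower rank than each of its children, only
    the root may advertise the root rank or lower, and following preferred
    parents must never loop."""
    root_rank = min((n.rank for n in nodes.values() if n.is_root), default=0)
    violations: List[str] = []
    for node in nodes.values():
        if not node.is_root and node.rank <= root_rank:
            violations.append(
                f"{node.node_id} advertises rank {node.rank} <= root rank {root_rank}")
        if node.parent is not None and nodes[node.parent].rank >= node.rank:
            violations.append(
                f"{node.node_id} (rank {node.rank}) chose parent {node.parent} "
                f"with rank {nodes[node.parent].rank}")
    reported: set = set()
    for start in nodes.values():
        path: List[str] = []
        cur = start
        while cur.parent is not None and cur.node_id not in path:
            path.append(cur.node_id)
            cur = nodes[cur.parent]
        if cur.parent is not None and cur.node_id not in reported:   # walk closed a loop
            cycle = path[path.index(cur.node_id):]
            reported.update(cycle)
            violations.append("parent loop: " + " -> ".join(cycle + [cur.node_id]))
    return violations


def build_example(m_rank: int) -> Dict[str, Node]:
    """Constructed four-node topology. R is the root; A and B are honest; M can
    only hear B but advertises `m_rank`. With an honest value (e.g. 1024) the
    audit is clean; advertising the root's rank (256) pulls B onto M and
    creates a B <-> M loop, which the audit reports."""
    nodes = {
        "R": Node("R", 256, [], is_root=True),
        "A": Node("A", 512, ["R", "B"]),
        "B": Node("B", 768, ["A", "M"]),
        "M": Node("M", m_rank, ["B"]),
    }
    select_parents(nodes)
    return nodes


if __name__ == "__main__":
    for rank in (1024, 256):
        print(f"M advertises {rank}:", audit_ranks(build_example(rank)) or "no violations")
```

The audit only catches ranks that are inconsistent with the rest of the DODAG; a tampered rank that still respects the rule from every neighbour's point of view is invisible to it, which is why the paper looks at correlating node-level observations rather than relying on a single topology check.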
Wormhole attack: A wormhole can be considered a tunnel between two nodes over wired or wireless links, used to achieve faster transmission rates or a dedicated connection between those nodes. As such, a wormhole has legitimate applications, such as the connection between the local and global IDS modules within our architecture. However, as identified by [19], a wormhole can be used by an attacker to create a dedicated tunnel with a node on the Internet. The wormhole attack is not novel to IoT networks and has historically been identified as a potential threat to wireless sensor networks (WSNs) [20-22].

Sinkhole attack: The objective of a sinkhole attack is to attract traffic through a designated node by advertising illegitimate information, making the node a lucrative routing sink (a base station, in wireless network terminology). As with the wormhole attack, the literature on sinkhole attacks is well established, with [23] being an initial effort to identify and mitigate such attacks. Creating a sinkhole does not necessarily disrupt legitimate transmission within a 6LoWPAN. However, diverting traffic through a specific route creates opportunities to launch other attacks such as the wormhole and selective-forwarding attacks described below.

Selective-forwarding attack: In a selective-forwarding attack, a malicious node attempts to disrupt legitimate transmission and the routing path. The malicious node blocks certain packets and forwards selected packets, thereby affecting the routing. For instance, an attacker can forward all RPL control messages but block the rest [19]. This attack can cause more damage when used in conjunction with a sinkhole attack. Such dependencies among different attack types have motivated us to explore the impact of multi-stage attacks within IoT infrastructures.
To the best of our knowledge, the intrusion detection system presented in this paper is a pioneering effort to identify this issue and explore a solution to mitigate it, especially for IoT systems.

Fragment duplication attack: The fragment duplication attack leverages a weakness in the 6LoWPAN layer with respect to how fragmented packets are received and reassembled by an IoT node. A consequence of integrating 6LoWPAN with IPv6 networks is that the larger packets supported by IPv6 have to be fragmented into smaller packets so that they can be processed by the resource-constrained nodes of an IoT system. However, as identified by [24], a recipient node cannot verify that two fragments of a packet were sent from the same source. Therefore, the recipient node is unable to distinguish between legitimate and spoofed fragments. A malicious node can exploit this vulnerability to block reassembly of targeted packets such as connection establishment packets. This may disrupt legitimate traffic as well as deplete the resources available to the victim node.

Buffer reservation attack: The buffer reservation attack is closely linked to the fragment duplication attack and may occur as a consequence of a successful fragment duplication attack. It also targets the vulnerability in the fragmentation mechanism employed by 6LoWPAN networks. As identified by [24], it leverages the fact that the recipient of a fragmented packet is unable to determine whether all fragments will be received correctly. Therefore, a recipient node reserves buffer space based on the information provided in the 6LoWPAN header, with any additional fragments discarded. Taking advantage of this, a malicious node can send its victim a single FRAG1 fragment to reserve arbitrary buffer space, thereby consuming the scarce memory of the resource-constrained node.
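The two fragmentation attacks above both live in the receiver's reassembly state, so they are easiest to see in a small model of that state. The following added example (not the paper's IDS and not Contiki's 6LoWPAN code) keeps one reservation per (source, datagram_tag) as a node would, and raises node-level alerts for the two symptoms the text describes: the same fragment offset arriving twice with different content, and reservations that are opened but never completed. The addresses, tags, sizes, timings and the per-source reservation limit are constructed assumptions.

```python
"""Reassembly-buffer monitor for 6LoWPAN fragments.

Added example for illustration only: a simplified model of receiver-side
reassembly state, not Contiki's 6LoWPAN code or the paper's IDS. Fragments
carry the fields the 6LoWPAN FRAG1/FRAGN headers provide (datagram_size,
datagram_tag, offset); addresses, tags, sizes and timings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_DATAGRAM = 1280   # IPv6 minimum MTU: the largest datagram a node must buffer


@dataclass
class Fragment:
    src: str        # link-layer source as seen by the receiver (unauthenticated)
    tag: int        # 6LoWPAN datagram_tag
    size: int       # 6LoWPAN datagram_size (length of the whole IPv6 datagram)
    offset: int     # byte offset of this fragment; 0 for FRAG1
    payload: bytes
    t: float        # arrival time in seconds


@dataclass
class Reservation:
    size: int
    started: float
    chunks: Dict[int, bytes] = field(default_factory=dict)   # offset -> payload

    def received(self) -> int:
        return sum(len(p) for p in self.chunks.values())


class ReassemblyMonitor:
    def __init__(self, max_pending_per_src: int = 2, reassembly_timeout: float = 60.0):
        self.max_pending_per_src = max_pending_per_src
        self.timeout = reassembly_timeout
        self.pending: Dict[Tuple[str, int], Reservation] = {}
        self.alerts: List[str] = []

    def _expire(self, now: float) -> None:
        for key, res in list(self.pending.items()):
            if now - res.started > self.timeout:
                self.alerts.append(f"{key[0]}: tag {key[1]} reserved {res.size} B but only "
                                   f"{res.received()} B arrived before timeout")
                del self.pending[key]

    def accept(self, frag: Fragment) -> str:
        """Process one fragment and return what happened to it."""
        self._expire(frag.t)
        if frag.size > MAX_DATAGRAM or frag.offset + len(frag.payload) > frag.size:
            return "drop: malformed header"
        key = (frag.src, frag.tag)
        res = self.pending.get(key)
        if res is None:
            # first fragment of a datagram: the node reserves `size` bytes now
            pending_src = sum(1 for k in self.pending if k[0] == frag.src)
            if pending_src >= self.max_pending_per_src:
                self.alerts.append(f"{frag.src}: {pending_src} incomplete datagrams already "
                                   f"reserved (possible buffer reservation attack)")
                return "drop: per-source reservation limit"
            res = self.pending[key] = Reservation(frag.size, frag.t)
        if frag.offset in res.chunks:
            if res.chunks[frag.offset] != frag.payload:
                # the receiver cannot tell which copy is genuine, so the whole
                # datagram is discarded; that is exactly what the attack aims at
                self.alerts.append(f"{frag.src}: tag {frag.tag} offset {frag.offset} received "
                                   f"twice with different content (possible fragment duplication)")
                del self.pending[key]
                return "drop: conflicting duplicate, datagram discarded"
            return "drop: exact duplicate"
        res.chunks[frag.offset] = frag.payload
        if res.received() >= res.size:
            del self.pending[key]
            return "complete"
        return "buffered"


def run_constructed_trace() -> Tuple[List[str], List[str]]:
    """Replay a constructed fragment trace; returns (per-fragment results, alerts)."""
    mon = ReassemblyMonitor(max_pending_per_src=2, reassembly_timeout=60.0)
    trace = [
        # honest node n1: a 200-byte datagram in three fragments
        Fragment("n1", 1, 200, 0, b"a" * 80, 0.0),
        Fragment("n1", 1, 200, 80, b"a" * 80, 0.1),
        Fragment("n1", 1, 200, 160, b"a" * 40, 0.2),
        # n2's datagram: a second FRAG1 with the same tag but different content
        Fragment("n2", 7, 160, 0, b"b" * 80, 1.0),
        Fragment("n2", 7, 160, 0, b"x" * 80, 1.1),
        Fragment("n2", 7, 160, 80, b"b" * 80, 1.2),   # genuine FRAGN, now orphaned
        # n3 sends only FRAG1 headers, each reserving a full 1280-byte buffer
        Fragment("n3", 10, 1280, 0, b"c" * 80, 2.0),
        Fragment("n3", 11, 1280, 0, b"c" * 80, 2.1),
        Fragment("n3", 12, 1280, 0, b"c" * 80, 2.2),
        # much later, any new fragment lets the monitor time out stale reservations
        Fragment("n1", 2, 60, 0, b"a" * 60, 100.0),
    ]
    results = [mon.accept(f) for f in trace]
    return results, mon.alerts


if __name__ == "__main__":
    res, alerts = run_constructed_trace()
    print("\n".join(res + alerts))
```

Two caveats follow directly from the text. The per-source limit and the timeout bound the memory an attacker can tie up, but they cannot restore the datagram whose reassembly was poisoned, and they key on a link-layer source that, as [24] notes, the recipient cannot verify; without link-layer security the attacker can spread reservations over spoofed sources. The alerts are therefore best treated as node-level evidence to be forwarded and correlated rather than as a verdict on their own.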
Sybil and clone ID attack: Sybil and clone ID attacks are similar in that the attacker's objective is to use spoofed logical identities within a network without deploying physical devices. In a clone ID attack, the attacker aims to use a victim's logical identity within the network, whereas in a Sybil attack the attacker aims to assume multiple logical identities within a network without deploying physical nodes; these logical identities may not currently be present in the network. A number of existing efforts such as [19, 23] have identified these attacks for IoT and, historically, for WSNs.

2.3.2 Application-specific threats

In addition to the routing-specific threats mentioned above, IoT infrastructures are susceptible to other types of threats such as application-specific threats. Although routing forms an essential component of an IoT system, the IoT devices are expected to run the application software required for their intended function. We categorise these threats as application-specific and present them below.

DoS attack: Historically, DoS attacks are used to make the victim unavailable for legitimate service. This can be achieved by flooding the victim with an extraordinarily large volume of requests or by exhausting resources such as memory and computational power available to the victim. Within IoT, the threat of DoS is two-fold: the victim can be part of the network under threat that an attacker wishes to make unavailable, or the victim can be used as a zombie (stepping stone) to launch a Distributed DoS (DDoS) attack on a target IoT network. The significance of these threats within IoT systems has been identified by [25-27].

Malicious code injection: As identified by [26, 28], malicious code injection is another application-specific threat to IoT systems. The attacker in this case attempts to inject malicious code to gain privileged access to the victim.
Consequently, the attacker can damage normal operation by threatening the data or the network using one of the routing-specific attacks described in the previous section.

Traditional subversion attacks: In addition to the above-mentioned attacks, IoT systems are vulnerable to the existing attacks targeted at computer systems such as message interception, fabrication, modification, subversion, phishing, etc. As with the routing-specific attacks, these attacks can also form part of a more complicated and sophisticated attack.

3 Intrusion detection within IoT systems

The history of intrusion detection within IoT networks has its foundations in WSNs, where the focus has mostly been on identifying and mitigating threats affecting routing protocols. The routing protocols within such networks were optimised to work within a resource-constrained environment and therefore prioritise performance over security [29]. With the introduction of LoWPAN and RPL networks, sensor networks are now connected to the contemporary IP network, expanding the attack surface of such networks. Therefore, such networks are not only vulnerable to malicious attempts targeting routing protocols but also to contemporary Internet-based attacks such as code injection, DoS, and phishing; we presented a bespoke attack model for IoT networks in the previous section. We believe that cutting-edge efforts in IDS for IoT networks should take these considerations into account to mitigate such malicious attempts. Within this context, we present an overview of existing efforts for intrusion detection in IoT systems. Although our research identified a linkage between WSNs and IoT systems, we do not include literature on intrusion detection in WSNs.
This is because the type and volume of attacks faced by IoT systems are significantly different from those faced by WSNs, mainly due to IP connectivity, as highlighted by the threat model presented in the previous section. Le et al. [30] present one of the early efforts to establish an IDS for IoT, where the authors proposed a host-based IDS for LoWPANs using Contiki OS [14] and 6LoWPAN [3, 4]. The IDS performs detection based on the information at the node level and then transmits data to a centralised system for further analysis. The detection uses information collected from individual nodes and does not consider information from other nodes in the network. The system does not show effective detection under a distributed DoS attack, which not only overwhelms the device but also congests the communication channel between the nodes and the centralised system. Kasinathan et al. [31] presented an IDS framework for 6LoWPAN which was able to detect DoS attacks by monitoring physical parameters of the device. In [32], the authors proposed a distributed system architecture for detecting version number attacks in RPL-based networks and identifying malicious nodes. Furthermore, a number of intrusion detection system architectures have been developed in [33, 34] for systems based on resource-constrained 6LoWPAN devices, focusing on the sinkhole and selective-forwarding attacks (well-known attacks within 6LoWPAN networks). Our work differs from these systems in that it provides a generic framework for intrusion detection within IoT networks which is capable of working with diverse devices and addresses a range of issues including different types of attacks, the inherent flexibility of IoT networks, and the lack of trust among the participating devices. An architecture to protect against DoS attacks within 6LoWPANs has been presented in [35], where the system uses network-level traffic and attack signatures to identify malicious traffic.
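The contrast drawn here, between a host-based IDS that reports only its own node's view and a design that correlates reports from several nodes, is the two-layer split the introduction outlines. The following added example is an illustration of that split and not the COLIDE rules or implementation (those are given in the paper's Section 4): each node runs a lightweight request counter and ships a compact alert to the edge router, and the edge router upgrades an alert to a network-level verdict only when several distinct nodes corroborate it within a time window. The node ids, peers, thresholds, windows and the event stream are constructed assumptions.

```python
"""Two-layer detection: lightweight node monitors plus edge-router correlation.

Added example for illustration only: it sketches the host/edge split the
introduction describes, not the COLIDE rules or implementation. Node ids,
peers, thresholds and timings are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NodeAlert:
    node_id: str   # reporting sensor node
    kind: str      # anomaly class detected locally
    target: str    # peer the anomaly concerned
    t: float       # report time in seconds


@dataclass
class Verdict:
    kind: str
    target: str
    reporters: Tuple[str, ...]
    level: str     # "local": one node's view; "network": corroborated by others


class NodeMonitor:
    """End-host layer: counts requests per peer and emits one compact alert when
    a peer exceeds `threshold` requests inside `window` seconds, so the node
    sends a summary to the edge router instead of raw traffic."""

    def __init__(self, node_id: str, window: float = 10.0, threshold: int = 5):
        self.node_id = node_id
        self.window = window
        self.threshold = threshold
        self.seen: Dict[str, List[float]] = defaultdict(list)

    def observe(self, peer: str, t: float) -> Optional[NodeAlert]:
        times = [x for x in self.seen[peer] if t - x <= self.window] + [t]
        if len(times) > self.threshold:
            self.seen[peer] = []          # one alert per window, not per packet
            return NodeAlert(self.node_id, "request_flood", peer, t)
        self.seen[peer] = times
        return None


class EdgeCorrelator:
    """Edge-router layer: an alert becomes a network-level verdict only when at
    least `min_reporters` distinct nodes report the same kind and target within
    `window` seconds; a lone report stays local."""

    def __init__(self, window: float = 30.0, min_reporters: int = 3):
        self.window = window
        self.min_reporters = min_reporters
        self.recent: List[NodeAlert] = []

    def ingest(self, alert: NodeAlert) -> Verdict:
        self.recent = [a for a in self.recent if alert.t - a.t <= self.window]
        self.recent.append(alert)
        reporters = tuple(sorted({a.node_id for a in self.recent
                                  if a.kind == alert.kind and a.target == alert.target}))
        level = "network" if len(reporters) >= self.min_reporters else "local"
        return Verdict(alert.kind, alert.target, reporters, level)


def run_constructed_scenario() -> List[Verdict]:
    """Constructed stream: peer z1 floods n1, n2 and n3 in step; peer u7 floods only n4."""
    edge = EdgeCorrelator(window=30.0, min_reporters=3)
    monitors = {n: NodeMonitor(n) for n in ("n1", "n2", "n3", "n4")}
    events: List[Tuple[str, str, float]] = []
    for i in range(6):
        for j, node in enumerate(("n1", "n2", "n3")):
            events.append((node, "z1", 1.0 * i + 0.1 * j))
        events.append(("n4", "u7", 2.0 * i))
    events.sort(key=lambda e: e[2])
    verdicts: List[Verdict] = []
    for node, peer, t in events:
        alert = monitors[node].observe(peer, t)
        if alert is not None:
            verdicts.append(edge.ingest(alert))
    return verdicts


if __name__ == "__main__":
    for v in run_constructed_scenario():
        print(v)
```

In the constructed run the first two reports about z1 stay local and the third, from a different node, turns the picture into a network-level verdict with three reporters, while n4's report about u7 never leaves the local level. That is the false-positive and workload argument from the introduction in miniature: a node pays only for a counter and an occasional short message, and a single node's anomaly is not treated as a network-wide incident until others confirm it.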
Moreover, Jun and Chi addressed the problem of processing a significant volume of alerts and network traffic as part of intrusion detection in [36]. The authors identified the challenge of processing a significant volume of network traffic within a limited time by an intrusion detection module and proposed using established Complex Event Processing techniques to address it. That work differs from our proposed system mainly in its research focus. For the proposed system, we focus on a generic IoT system which can include devices of any type (constrained or unconstrained), whereas the authors in [31, 37] have specifically designed their systems for constrained devices. Furthermore, as part of our proposed system, we envision working in an untrustworthy and flexible environment where different devices can come together without previous handshakes to deliver a certain service in a coordinated manner. A number of machine learning systems have also been proposed for detecting malicious nodes in an IoT network [38-41]. However, measuring behaviour patterns of device usage and processing them via multi-stage neural networks could have high energy consumption. Additionally, the intrusion detection based on a