2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob)

Denial-of-Service detection in 6LoWPAN based Internet of Things

Prabhakaran Kasinathan, Claudio Pastrone, Maurizio A. Spirito
Pervasive Secure Networks, Istituto Superiore Mario Boella (ISMB), Torino, Italy
{kasinathan / pastrone / spirito}@ismb.it

Mark Vinkovits
User Centered Ubiquitous Computing, Fraunhofer FIT, Sankt Augustin, Germany
mark.vinkovits@fit.fraunhofer.de

Abstract—Smart objects connected to the Internet, constituting the so-called Internet of Things (IoT), are revolutionizing human beings' interaction with the world. As technology reaches everywhere, anyone can misuse it, and it is always essential to secure it. In this work we present a denial-of-service (DoS) detection architecture for 6LoWPAN, the standard protocol designed by the IETF as an adaptation layer for low-power lossy networks, enabling low-power devices to communicate with the Internet. The proposed architecture integrates an intrusion detection system (IDS) into the network framework developed within the EU FP7 project ebbits. The aim is to detect DoS attacks based on 6LoWPAN. In order to evaluate the performance of the proposed architecture, a preliminary implementation was completed and tested against a real DoS attack using a penetration testing system. The paper concludes with the related results, which prove successful in detecting DoS attacks on 6LoWPAN. Further, extending the IDS could lead to detecting more complex attacks on 6LoWPAN.

Keywords—6LoWPAN, Internet of Things, Denial-of-Service Detection, Intrusion Detection Systems, Penetration Testing.

I. INTRODUCTION

For more than a decade the wireless sensor network (WSN) research community assumed that the Internet architecture was ill suited for WSN applications. The Internet protocol (IP) was considered impractical for low-power and lossy network (LLN) devices. Eventually the research community came up with a solution to support IP in LLNs by designing the IPv6 over low-power wireless personal area networks (6LoWPAN) protocol [1]. 6LoWPAN enables IPv6 communication between low-power wireless personal area networks (LoWPANs) by compressing IPv6 headers. In addition, specific working groups within the Internet Engineering Task Force (IETF) are defining new protocols to support routing and to exchange application messages, resulting in IPv6-enabled LLNs. The evolution of WSN technologies is thus leading to the integration into the Internet of smart objects with heterogeneous functions and characteristics. Such smart objects have self-configuring capabilities and can interact among themselves with or without human intervention. In this scenario, the Internet of the future is further evolving by allowing the convergence of the Internet of Things (IoT) with the Internet of Services and People [2].

With more than 10 billion microcontrollers being flooded into the market each year, potentially all objects could become smarter and be connected through the Internet to create various consumer and industrial applications: manufacturing process monitoring, e-health care services, gas/electric meters, etc. Cisco predicts that by 2020 there will be more than 50 billion devices connected to the Internet [3], creating terabytes of data each second.

As wireless devices become increasingly pervasive and essential in our daily life, security becomes a critical issue. These inchoate devices and technologies are prone to more threats in the future if not governed adequately. 6LoWPAN-based IoT has inherited deficiencies: limited resources in terms of power, processing, memory and space, and unreliable communication with respect to packet loss rate and collisions. An adversary can take advantage of these weaknesses to initiate different kinds of attacks. More specifically, denial-of-service (DoS) attacks are considered to have adverse effects in disrupting WSN communication; still, effective security mechanisms against DoS attacks are yet to be addressed.

This paper studies the vulnerabilities present in IP-based WSNs with a major focus on DoS attacks and analyses the existing solutions and countermeasures. Finally, it presents a novel security architecture for detecting DoS attacks in 6LoWPAN-based IoT. The proposed solution is actually integrated within the platform being developed in the ebbits project [4]. That project aims to semantically integrate the IoT into mainstream enterprise systems and support interoperable, online end-to-end business applications. In fact, the networking features exposed by the ebbits platform are opportunistically exploited to improve the performance of the proposed detection solution.

The paper is structured as follows: Section II discusses security in IoT, including State-of-the-Art (SotA) threats and countermeasures; Section III presents a brief introduction to our proposed DoS detection architecture; Section IV describes the system development of the proposed architecture; Section V demonstrates the effectiveness of the intrusion detection system (IDS) by evaluating its performance when solicited by a penetration testing system, with results; conclusions and future work are discussed in Section VI.

II. SECURITY IN IOT

Since IoT fuses IP and low-power radio technologies like WSNs, it inherits vulnerabilities from both technologies. A lot of research is being carried out in the field of WSN security. A survey of WSN DoS attacks and defenses is given in [5], [6]. Garcia et al. [7], [8] presented the SotA on threats and possible countermeasures for IP-based WSNs.
This section describes a survey of SotA attacks/threats and their respective countermeasures on 6LoWPAN networks, which was useful in designing the detection architecture. The life-cycle of an object or 'thing' is depicted in Figure 1 and can be classified into three major phases: manufacturing, installing/bootstrapping, and operational. During each of these phases, each 'thing' is prone to one or more attacks. Traditional security solutions already existing in the IP and IETF world, such as cryptographic encryption mechanisms, are not applicable to resource-constrained 6LoWPAN devices. However, the research community is developing light-weight security solutions such as light-weight public-key cryptography [9] and end-to-end transport layer security [10], [11]. Most of these security mechanisms try to guarantee the basic security requirements: confidentiality, integrity, and authentication. But they are not powerful enough to ward off DoS attacks on WSNs. The following subsections describe the SotA regarding threats and countermeasures.

Fig. 1: IoT life-cycle. Source: [8]

A. Threat Analysis

Sensor networks are particularly susceptible to attacks related to privacy, traffic analysis, physical attacks and, most notably, DoS attacks [5]. Raymond et al. studied MAC layer denial-of-sleep attacks on WSNs, where a sensor node's power supply is targeted. Such attacks can reduce the sensor lifetime from years to days and have a devastating impact on the sensor network's life [12]. In [7] the authors analyzed IoT threats starting from a thing's life-cycle. 6LoWPAN is still evolving together with its related technologies: the Constrained Application Layer Protocol (CoAP) [13] and Routing over low-power lossy networks (RPL) [14].

By design, IoT devices are not only passive, they are active too. They can be used to remotely tag, track, locate, and monitor target locations of their users, thus intruding into their privacy, and to collect sensitive information. This information could be exploited by an attacker for various purposes [7]. 6LoWPAN-related protocols should therefore be carefully analyzed for potential vulnerabilities. In the following, we list and describe threats associated with 6LoWPAN smart objects.

Denial-of-Service attacks: Any event that reduces, disrupts or completely eliminates the network's communication is categorized as a DoS attack. For any information network, 'device availability' is the most important factor, and DoS attacks target 'network availability' by preventing network devices from communicating and from accessing the services provided. Thus, DoS attacks are considered to be an important security issue. These attacks can be launched from remote places with mere commands; combined with advanced tools, attackers could even perform distributed DoS attacks, which are efficient in taking down big networks. It is rather difficult to detect a DoS attack before the service becomes unavailable. DoS attacks range from simple jamming attacks to the sophisticated attacks mentioned below.

Jamming: Jamming simply means exploiting the transmission of a radio signal to interfere with the radio frequencies being used by the sensor network. Jamming can be performed either continuously or intermittently [15]; in both cases the network will suffer considerable damage. A jamming attack is usually carried out during the 'operational phase'. Jamming takes place at link level by sending forged packets to create collisions, thereby dropping legitimate packets [12].

Cloning of things: This exploit is open during the 'manufacturing process' as well as in the 'operational phase'. In the first circumstance, an internal attacker can substitute a genuine thing with a similar pre-programmed thing for unauthorized purposes. During the 'operational phase', a node can be captured and replicated; these are commonly known as node-replication attacks. Node capture could lead to further attacks such as extraction of the security parameters and firmware replacement attacks [8].

Eavesdropping: This vulnerability is evident in the 'operational phase' of all wireless communications; if security parameters like key material and configurations are exchanged as clear messages, an attacker could retrieve these messages just by passively listening to the operating channel; later, using them, the attacker can join the network as a legitimate node and perform further attacks. Later, this could lead to a man-in-the-middle attack [6].

Routing attack: Routing information in IoT can be spoofed, altered or replayed in order to create routing loops, attract or repel network traffic, extend or shorten source routes, and so on. Other possible routing attacks include flooding, sinkhole attacks, selective forwarding, wormhole attacks, and sybil attacks [6]. Further, attacks based on 6LoWPAN such as packet fragmentation attacks [16], [17], and attacks on the RPL protocol such as rank attacks and local-repair attacks [18], are possible.

Application Layer attack: CoAP is being standardized as the application layer protocol for 6LoWPAN. Since it is still evolving, many security issues could arise in the future. Some possible vulnerabilities are SYN flood, protocol parsing, processing URIs, proxying and caching, risk of amplification, IP address spoofing attacks, and cross-protocol attacks [13].

B. Security Countermeasures

In [6] Raymond et al. discuss various DoS attack defense mechanisms and countermeasures in the WSN context. A study of the overall QoS threats related to IP-based WSNs is described in [19]. Other IoT threats and defense strategies are discussed in [7], [8]. However, there are no countermeasures or defense mechanisms able to completely overcome all DoS attacks right now. Mature research in WSNs suggests various techniques to defend against WSN attacks.
They correspond to heterogeneous approaches: centralized, distributed, co-operative, clustered. Overall, centralized solutions are not scalable; distributed and co-operative approaches could be more efficient and robust, but prolonged consistency and stability are serious issues. Securing the system from all DoS threats becomes necessary. Recent works related to IoT suggest the following classes of security countermeasures:

• Secure Bootstrapping: Bootstrapping is the process in which a device is associated or connected with a part of the network or with similar devices. During the bootstrapping phase, a unique identity and other security parameters are associated with each device/thing. Secure bootstrapping ensures that only authenticated devices access the network. The simplest mechanism for carrying out the initial setup (security parameters, node identity) is via a physical interface (USB, wire, chip contact, etc.). Wireless bootstrapping may lead to eavesdropping, although this can be avoided by using advanced cryptographic mechanisms which provide confidentiality [7], [20]. To optimize the key distribution mechanism, several key management schemes have been proposed in the literature for WSNs [21], to support secure communication and authentication among WSN devices.

• Application Layer Security: Transport Layer Security (TLS) is considered to be a security function of utmost importance in IoT [7]. In fact, present and foreseen IoT applications handle increasingly sensitive data; securing all those data is then a major requirement for IoT. Securing them alone may provide the basic security requirements for IoT. The work by Heer et al. [8] focuses on application layer security with the following technologies: IKEv2/IPsec, TLS/SSL, DTLS, HIP, PANA, and EAP.

• IDS solutions: IDSs provide the first line of defense for any security system. Implicitly, detecting an attack is considered to be an important security countermeasure. IDSs can be classified based on their detection method, resulting in two major types: misuse (or signature-based) detection and anomaly detection. In the former, a set of predefined rules is loaded into the IDS and matched against the events of the network; when a suspicious event is detected, an alert is triggered. In anomaly-based detection, by contrast, normal network behavior is recorded and compared with the current network status, triggering an event when the network behaves abnormally. Misuse detection cannot recognize new attacks, whereas the anomaly detection method produces more false positive events. These two techniques can be combined to increase detection accuracy by reducing false positive events: the resulting approach is called Hybrid Detection. In the literature various IDS solutions for WSNs have been proposed [22], [23], but most of them are not applicable in the IP-based WSN environment. An IDS approach for IP-based WSNs was investigated in [18], and recently the work in [24] reported a host-based IDS specifically designed for IoT. A comparative study of already existing IDS solutions is given in Table I.

TABLE I: Analysis and Comparison of IDS Schemes

Scheme                                                | Simulation (or) O/S | Detection Method | Highlights
SVELTE (IDS for IoT) [24]                             | Cooja (Contiki)     | Hybrid           | Host based IDS, 6Mapper (reconstructs RPL's network information)
RIDES (IP-Based WSNs) [25]                            | ns2                 | Hybrid           | Bloom Filters, CUSUM charts
Specification Based IDS for RPL (IP-Based WSNs) [18]  | -                   | Specification    | Finite state machine design to detect RPL based attacks
Novel Hybrid IDS (WSNs) [26]                          | -                   | Hybrid           | Clustered approach to save energy
Energy Efficient Hybrid-IDS (WSNs) [27]               | Omnet++             | Hybrid           | Cluster Based, Energy Efficient
An Experimental Study of Hierarchical IDS (WSNs) [28] | NesC in TinyOS      | Misuse           | Hierarchical Model

In our work, we focus on IDS techniques to detect DoS attacks during the operational phase of a thing. The SotA analysis identified the limitations of existing solutions.
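To make the three detection methods concrete, here is an added Python example (not code from the paper or from the ebbits project): a signature matcher, a packet-rate anomaly detector trained on a recorded baseline, and a hybrid classifier that combines them so that a signature hit during normal-rate traffic is reported with low priority rather than as an attack. The 'Hello' pattern is the marker the paper uses in its flooding test; the second signature, the traffic windows, the baseline and the k = 3 threshold are constructed assumptions.

```python
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Window:
    """One second of 6LoWPAN traffic as seen by an IDS probe (constructed sample data)."""
    second: int
    packets: int                 # packets observed in this second
    payloads: Tuple[bytes, ...]  # application payloads observed in this second


# Misuse detection: predefined signatures matched against observed payloads.
# 'Hello' is the paper's flood marker; the second pattern is an assumed example.
SIGNATURES: Dict[str, bytes] = {
    "udp-flood-marker": b"Hello",
    "bogus-command": b"CMD:RESET",
}


def misuse_detect(window: Window) -> List[str]:
    """Return the names of all signatures found in the window's payloads."""
    return [name for name, pattern in SIGNATURES.items()
            if any(pattern in p for p in window.payloads)]


class AnomalyDetector:
    """Anomaly detection: learn a packet-rate baseline from normal traffic,
    then flag windows whose rate exceeds mean + k * std."""

    def __init__(self, k: float = 3.0) -> None:
        self.k = k
        self.mean = 0.0
        self.std = 0.0

    def train(self, normal: List[Window]) -> None:
        rates = [w.packets for w in normal]
        self.mean = statistics.fmean(rates)
        self.std = statistics.pstdev(rates)

    def threshold(self) -> float:
        # Guard against a zero-variance baseline, which would flag any change at all.
        return self.mean + self.k * max(self.std, 1.0)

    def is_anomalous(self, window: Window) -> bool:
        return window.packets > self.threshold()


def hybrid_classify(window: Window, anomaly: AnomalyDetector) -> str:
    """Combine both methods: signature + abnormal rate is a known attack; abnormal
    rate alone is an unknown anomaly; a signature at a normal rate is low priority."""
    sigs = misuse_detect(window)
    abnormal = anomaly.is_anomalous(window)
    if sigs and abnormal:
        return "known_attack"
    if abnormal:
        return "anomaly_only"
    if sigs:
        return "signature_only"
    return "normal"


def run_hybrid(baseline: List[Window], monitored: List[Window]) -> Dict[int, str]:
    det = AnomalyDetector()
    det.train(baseline)
    return {w.second: hybrid_classify(w, det) for w in monitored}


# Constructed data: ten seconds of normal sensor reports for the baseline ...
NORMAL_PAYLOAD = (b"temp=21", b"press=1013")
BASELINE = [Window(s, n, NORMAL_PAYLOAD)
            for s, n in enumerate([9, 10, 11, 10, 9, 12, 10, 8, 11, 10])]

# ... and a monitored period containing one legitimate 'Hello', a flood carrying the
# marker, and a flood with no known signature.
MONITORED = [
    Window(0, 10, NORMAL_PAYLOAD),
    Window(1, 11, NORMAL_PAYLOAD),
    Window(2, 9, NORMAL_PAYLOAD),
    Window(3, 10, NORMAL_PAYLOAD + (b"Hello",)),   # single legitimate message
    Window(4, 100, (b"Hello",) * 4),                # UDP flood with the marker
    Window(5, 120, (b"Hello",) * 4),
    Window(6, 95, (b"Hello",) * 4),
    Window(7, 80, (b"\x00\x00\x00\x00",) * 4),     # flood with no known signature
    Window(8, 10, NORMAL_PAYLOAD),
]

if __name__ == "__main__":
    for second, verdict in run_hybrid(BASELINE, MONITORED).items():
        print(f"t={second}s: {verdict}")
```

The baseline above has mean 10 and standard deviation about 1.1 packets per second, so the anomaly threshold settles near 13.3; seconds 4 to 6 are classified as a known attack, second 7 as an anomaly with no matching signature, and the lone 'Hello' at second 3 is downgraded instead of counted as a false positive.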
In the following, we describe the disadvantages of the already existing IDSs proposed.

Drawbacks of Existing IDSs: The IDS survey revealed one major drawback. Most of the proposed strategies consist of lightweight, efficient algorithms or similar methods which can be programmed inside one or more resource-constrained WSN nodes¹. Most of the proposed IDSs were not designed for IP-based WSNs. These programs are either centralized or distributed, while centralized systems suffer from a single point of failure. The programmed nodes have the same limited capabilities as their neighbors, thus they equally suffer from most DoS attacks. On detecting an attack, these nodes convey the message through the same 'wireless channel' to their group/cluster head or base station (a more powerful device) for advanced detection processing (signature matching or anomaly detection). DoS attacks like flooding and jamming usually make the wireless channel unusable; thus these IDSs fail in their most basic objective.

¹ constrained nodes programmed with already existing IDS modules

III. THE PROPOSED SOLUTION

The motivation of the proposed solution is to detect DoS attacks in 6LoWPAN networks before network operations are disrupted and to trigger the proper execution of countermeasures aimed at increasing network availability. Within the ebbits platform, we have extended the security framework to include an open source IDS connected with the ebbits networking framework: the final objective is to support effective detection of DoS attacks in 6LoWPANs. As far as IDSs are concerned, traditional solutions have proven to be efficient in detecting a wide range of attacks, especially DoS attacks. In this section, we propose a DoS detection architecture, describing the main components of the architecture and finally mentioning the advantages of our solution compared to the already existing solutions. The proposed architecture could be capable of detecting a wide range of attacks. However, the provision of defense mechanisms to counteract the attacks, i.e., intrusion prevention systems (IPS), is out of the scope of this paper and will be the next step of this work.

A. DoS Detection Architecture

To detect DoS attacks in IoT, the detection system itself needs to be immune to DoS attacks. In addition it should be scalable and applicable to most real-world IoT scenarios. These design criteria were considered while developing the DoS detection architecture for IoT. Our DoS detection architecture has been designed to detect DoS attacks in ebbits networks. The DoS detection architecture, as reported in Figure 2, represents the 6LoWPAN network integrated with the network manager of ebbits. The IDS probe (IDS_P) lets the IDS listen to 6LoWPAN network traffic. The most relevant contributions of this paper are the DoS protection manager and the IDS, which are integrated with the ebbits network manager as part of the security manager. In the following, the ebbits network manager and its components are briefly explained first; then the proposed DoS protection manager and its components are explained in detail.

ebbits Network Manager: The network manager integrates three major subcomponents: network management, the opportunistic manager, and the security manager. Network management provides network monitoring and configuration services. By monitoring the network it provides performance information: interference level, latency, outage probability, and collisions. The role of network management is to make the opportunistic manager and the security manager interoperable by providing the network information available at any specific time. The opportunistic manager provides communication resilience and optimization for the ebbits framework. It enables the system to operate with the best available network communication at all times. It provides delay tolerant networking (DTN) and frequency agility (FA) capabilities to WSNs/6LoWPANs [29]. FA is a mechanism allowing the network to become aware of the interference level by analyzing channel occupancy states in real time. The aim is to determine the best available channel. When the system detects the interference level exceeding a certain threshold, the FA mechanism starts a procedure to switch the operating channel to the best available channel [29]. The security manager provides security mechanisms in the network, for instance encryption and policy enforcement. It enables secure communication between the ebbits network manager and the middleware by providing cryptographic and trust mechanisms. In this work, we introduce the DoS protection manager within the security manager of ebbits.

• DoS protection manager: The DoS protection manager receives alerts from the IDS when intrusion attempts occur. It then extracts pieces of information (interference rate, packet dropping rate, etc.) from the other ebbits managers (network management and the opportunistic manager) and analyzes them to confirm an actual attack. The main component of the DoS protection manager is the IDS involved in detecting the attack. This hybrid approach, by leveraging additional data about the same network collected by other ebbits managers, decreases the false alarm rate of the IDS warnings.

• IDS: The proposed IDS is a network-based IDS (NIDS): it works by capturing and examining network packets. It is in charge of monitoring the 6LoWPAN traffic and raising alerts in case of any misbehavior in the network. This IDS agent is in charge of processing the network-related information captured from multiple IDS_Ps spread within the network, as depicted in Figure 2. These IDS_Ps operate in promiscuous mode: they can listen to all messages irrespective of destination address. The use of multiple probes is needed to manage large-scale networks. It is important to mention that such probes are external to the operating 6LoWPAN and do not participate in network activities. When an active DoS attack is performed, the wireless channel is disrupted and the messages received through the IDS_Ps could not be reliable; thus wired connectivity is used to connect them with the IDS. In order to be endowed with the capability of detecting known and unknown attacks with high accuracy, a hybrid detection model is considered to work better and is thus adopted for development.

Fig. 2: DoS Detection Architecture

Physical world: The physical world depicted in Figure 2 represents a simple 6LoWPAN network aimed at collecting data from real-world sensors. Several host (H) nodes form the network along with their respective cluster nodes (R); the aggregated network data, finally available from the cluster nodes, are delivered to the network manager through a border router (B). In the real-world scenario of ebbits, many smart objects (RFIDs, sensors, smartphones, etc.) are combined together to form the physical world. The physical world adaptation layer (PWAL) is a special network component of ebbits which enables the low-level interaction between physical devices/smart objects and the ebbits network manager. In this way, physical-world capabilities can be abstracted and exposed to the ebbits middleware as web services.

Briefly summarizing, the proposed system monitors the network traffic of the 6LoWPAN through one or more IDS_Ps operating in promiscuous mode and detects attacks by using a hybrid IDS detection method. The DoS protection manager, on receiving the alerts, confirms the attack by leveraging the information made available by the other network manager components. This attack detection approach can be implemented with any network manager in general.

B. Scenario

To elucidate the application of the proposed architecture, let us consider a simple manufacturing scenario. It requires monitoring the acceleration of the equipment, and the pressure and temperature of the area involved in the manufacturing setting. In this scenario, any DoS attack can degrade the quality of the manufacturing. The functioning of the DoS detection architecture is described in the following. We assume a jamming attack is being performed towards a target 6LoWPAN network (manufacturing). Once the DoS protection manager has received an alert notification from the IDS about the jamming attack, it can further validate the detection by:

1) Checking the level of interference detected in the current operating channel; this info is obtained from the FA manager.
2) Verifying the collected information about the loss rate in the monitored network; this info is available at the network management manager.
3) Observing the absence of updated information in the two managers just mentioned, which would in any case represent an additional symptom that an attack is being performed.

The proposed DoS detection architecture contributes the following advantages over the aforementioned works in Section II-A. Wired connectivity between IDS_P and IDS promises immunity to wireless jamming and other DoS attacks, thus the IDS can receive reliable network information all the time. The processing is centralized with a powerful IDS agent running on a Linux host, thus overcoming the resource constraints existing in traditional low-power devices. False positive events of the IDS can be reduced by leveraging the information gained from the other network managers. The proposed architecture suits real-time industrial environments, where reliability and availability are the most important security requirements.

IV. SYSTEM DEVELOPMENT

This section describes the system development of the DoS protection manager. At present, the proposed solution is not completely implemented; nonetheless, preliminary development work has been carried out to evaluate the performance of our system, highlighting promising results. The preliminary development work is characterized as follows: the presence of a single IDS_P was considered enough to sniff a small 6LoWPAN network; only the signature-based detection method was considered for IDS development; finally, integration with the network manager of ebbits was left out. Under these assumptions, just a DoS attack on a 6LoWPAN network could be detected in a simple way.
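The three validation steps of the scenario above, as an added Python example that is not part of the paper or of the ebbits platform: confirm_attack() takes an IDS alert together with the latest FA and network management reports, treats a report that is missing or older than a few seconds as the absent information of step 3, and confirms the alert only when at least one corroborating symptom is present. The thresholds, the staleness window, the report structures and all sample values are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdsAlert:
    ts: float   # time the IDS raised the alert, in seconds (constructed clock)
    sid: int
    msg: str
    dst: str    # address under attack according to the IDS


@dataclass(frozen=True)
class FaReport:
    """Latest channel measurement published by the frequency agility (FA) manager."""
    ts: float
    channel: int
    interference: float  # fraction of sampling time the channel was busy (0.0 to 1.0)


@dataclass(frozen=True)
class NetMgmtReport:
    """Latest loss statistics published by the network management component."""
    ts: float
    loss_rate: float     # fraction of expected packets not received (0.0 to 1.0)


# Assumed values: the paper says thresholds exist but does not give numbers.
INTERFERENCE_THRESHOLD = 0.6
LOSS_RATE_THRESHOLD = 0.2
STALE_AFTER_SECONDS = 5.0


@dataclass(frozen=True)
class Verdict:
    confirmed: bool
    symptoms: Tuple[str, ...]


def _stale(alert_ts: float, report_ts: float) -> bool:
    """Step 3: a manager that has not reported recently is itself a symptom."""
    return alert_ts - report_ts > STALE_AFTER_SECONDS


def confirm_attack(alert: IdsAlert, fa: Optional[FaReport],
                   net: Optional[NetMgmtReport]) -> Verdict:
    symptoms: List[str] = []
    # Step 1: interference level on the current operating channel (FA manager).
    if fa is None or _stale(alert.ts, fa.ts):
        symptoms.append("no fresh interference report from the FA manager")
    elif fa.interference >= INTERFERENCE_THRESHOLD:
        symptoms.append(f"interference {fa.interference:.2f} on channel {fa.channel}")
    # Step 2: loss rate in the monitored network (network management).
    if net is None or _stale(alert.ts, net.ts):
        symptoms.append("no fresh loss-rate report from network management")
    elif net.loss_rate >= LOSS_RATE_THRESHOLD:
        symptoms.append(f"loss rate {net.loss_rate:.2f}")
    # An IDS alert with no corroborating symptom is treated as a probable false positive.
    return Verdict(confirmed=bool(symptoms), symptoms=tuple(symptoms))


# Constructed alert, reusing the paper's rule sid and a target address of the same form.
ALERT = IdsAlert(ts=1000.0, sid=999999, msg="possible jamming", dst="aaaa::ff:fe00:1")


def scenarios() -> dict:
    """Three constructed situations for the same IDS alert."""
    return {
        # both managers report fresh, unremarkable values: alert not confirmed
        "quiet": confirm_attack(ALERT, FaReport(999.0, 26, 0.10), NetMgmtReport(999.5, 0.02)),
        # high channel occupancy and high loss: confirmed on two symptoms
        "jammed": confirm_attack(ALERT, FaReport(999.0, 26, 0.85), NetMgmtReport(999.5, 0.45)),
        # FA report is 20 s old and network management has sent nothing: confirmed on staleness
        "silent": confirm_attack(ALERT, FaReport(980.0, 26, 0.10), None),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(name, verdict)
```

The "silent" case is the one the paper's step 3 anticipates: a jammed channel can prevent the managers from updating their figures at all, so silence from both is counted as evidence rather than as a reason to wait.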
The most important components are the IDS and the IDS_P attached to the DoS protection manager.

A. IDS Probe (IDS_P)

This component, previously developed as part of the work in [30], runs a custom firmware and is able to sniff packets in promiscuous mode. The IDS_P is connected to the IDS via a USB interface (thus wired) and is exposed as a virtual interface inside a Linux host. Therefore, the probe can be used like any other interface, such as Ethernet, inside the Linux host.

B. IDS

Suricata, an open source IDS, is adopted for development [31]. It exhibits the following advantages: complete IPv6 support, automatic protocol detection, multi-threading and an intrusion prevention system. As a standard IDS, Suricata's architecture is composed of the three following modules, as depicted in Figure 3: the protocol decoder, the detection engine and the alert response unit. Suricata uses signature-based detection, thus requiring a predefined set of rules to detect attacks.

Fig. 3: Suricata IDS' Architecture

Basic information about how such an architecture works is described in the following. After packets are captured through the virtual interface provided by the IDS_P, they are interpreted by the Suricata decoder. A packet is completely decoded and analyzed, looking for any possible misbehavior with respect to the protocol standards. If some packet misbehavior is identified, a specific event is recorded within the IDS engine. The detection engine consults the signature database; the rules are loaded into the signature database before the IDS is started. The IDS detection engine can profitably use the specific events recorded during the decoding phase when matching, but the detection engine's capabilities are not limited to this: developing custom modules can extend them further. When a signature match occurs, an alert is triggered by the detection engine and is usually recorded in different user-specific formats: the unified2 format is the standard IDS alert format, whereas basic text logging is done in the fast.log format in Suricata.

In our work, major effort was devoted to developing IEEE 802.15.4 (layer 2) and 6LoWPAN (adaptation layer 3) protocol decoders for the Suricata decoder. When a packet is captured, the decoder first identifies the link type. If it matches the IEEE 802.15.4 link type, the pack
et is decoded according to the IEEE 802.15.4 standard. Similarly, the 6LoWPAN-compliant section of the packet is decoded, thus obtaining the complete IPv6 packet, which is sent to Suricata's default IPv6 decoder. Decoder development is described in Figure 4. If a possible match with a signature happens, then an alert is triggered.

Fig. 4: Decoder development in Suricata

Fig. 5: Architecture of Proposed IDS and Evaluation System
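As an added illustration of what the IEEE 802.15.4 and 6LoWPAN decoders have to do before Suricata's IPv6 decoder can take over, the following Python example (not the paper's Suricata decoder modules) decodes the MAC header of a data frame and then classifies the 6LoWPAN dispatch byte, unpacking the IPHC encoding fields. The sample frame is constructed; the FCS is assumed to have been stripped already, and secured frames are rejected rather than decoded.

```python
from dataclasses import dataclass
from typing import Dict, Optional

FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "mac_command"}
ADDR_LEN = {0: 0, 2: 2, 3: 8}  # addressing mode -> address length in bytes (mode 1 is reserved)


@dataclass(frozen=True)
class Frame154:
    frame_type: str
    seq: int
    dst_pan: Optional[int]
    dst_addr: Optional[int]
    src_pan: Optional[int]
    src_addr: Optional[int]
    payload: bytes  # MAC payload, i.e. the 6LoWPAN part of the frame


def decode_802154(frame: bytes) -> Frame154:
    """Decode an IEEE 802.15.4 MAC header (FCS already stripped, no security header)."""
    if len(frame) < 3:
        raise ValueError("frame too short for FCF and sequence number")
    fcf = frame[0] | (frame[1] << 8)  # frame control field is little-endian
    ftype = fcf & 0x7
    if ftype not in FRAME_TYPES:
        raise ValueError(f"reserved frame type {ftype}")
    if fcf & 0x08:
        raise ValueError("secured frame: auxiliary security header not handled")
    pan_compressed = bool(fcf & 0x40)  # source PAN ID omitted, same as destination
    dst_mode = (fcf >> 10) & 0x3
    src_mode = (fcf >> 14) & 0x3
    if dst_mode == 1 or src_mode == 1:
        raise ValueError("reserved addressing mode")
    seq = frame[2]
    off = 3

    def take(n: int) -> int:
        nonlocal off
        if off + n > len(frame):
            raise ValueError("truncated MAC header")
        value = int.from_bytes(frame[off:off + n], "little")
        off += n
        return value

    dst_pan = dst_addr = src_pan = src_addr = None
    if dst_mode:
        dst_pan = take(2)
        dst_addr = take(ADDR_LEN[dst_mode])
    if src_mode:
        src_pan = dst_pan if pan_compressed else take(2)
        src_addr = take(ADDR_LEN[src_mode])
    return Frame154(FRAME_TYPES[ftype], seq, dst_pan, dst_addr, src_pan, src_addr, frame[off:])


def decode_lowpan_dispatch(payload: bytes) -> Dict[str, object]:
    """Classify the 6LoWPAN dispatch byte; for IPHC also unpack the two encoding bytes."""
    if not payload:
        raise ValueError("empty 6LoWPAN payload")
    d = payload[0]
    if d == 0x41:  # 01000001: uncompressed IPv6 header follows
        return {"dispatch": "ipv6_uncompressed"}
    if (d & 0xE0) == 0x60:  # 011xxxxx: IPHC compressed IPv6 header
        if len(payload) < 2:
            raise ValueError("truncated IPHC header")
        b1, b2 = payload[0], payload[1]
        return {"dispatch": "iphc",
                "tf": (b1 >> 3) & 0x3, "nh": (b1 >> 2) & 0x1, "hlim": b1 & 0x3,
                "cid": (b2 >> 7) & 0x1, "sac": (b2 >> 6) & 0x1, "sam": (b2 >> 4) & 0x3,
                "m": (b2 >> 3) & 0x1, "dac": (b2 >> 2) & 0x1, "dam": b2 & 0x3}
    if (d & 0xF8) == 0xC0:  # 11000xxx: first fragment
        return {"dispatch": "frag1"}
    if (d & 0xF8) == 0xE0:  # 11100xxx: subsequent fragment
        return {"dispatch": "fragn"}
    if (d & 0xC0) == 0x80:  # 10xxxxxx: mesh addressing header
        return {"dispatch": "mesh"}
    return {"dispatch": "unknown"}  # a decoder would record a protocol event here


def decode_frame(frame: bytes) -> Dict[str, object]:
    mac = decode_802154(frame)
    return {"mac": mac, "lowpan": decode_lowpan_dispatch(mac.payload)}


# Constructed data frame: FCF 0x8841 (data, PAN ID compression, 16-bit addresses),
# seq 5, PAN 0xabcd, dst 0x0001, src 0x0002, then an IPHC header (0x7b 0x33) with the
# next header (UDP, 0x11) inline, an uncompressed UDP header and the payload "Hello".
SAMPLE_FRAME = (bytes([0x41, 0x88, 0x05, 0xcd, 0xab, 0x01, 0x00, 0x02, 0x00])
                + bytes([0x7b, 0x33, 0x11])
                + bytes([0x22, 0x3d, 0x16, 0x2e, 0x00, 0x0d, 0x00, 0x00]) + b"Hello")

if __name__ == "__main__":
    print(decode_frame(SAMPLE_FRAME))
```

The truncation and reserved-value checks are where a real decoder raises the "specific event" the text mentions; a rule can then match on such decoder events as well as on packet content.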
V. SYSTEM EVALUATION

The proposed IDS for the 6LoWPAN network was evaluated by a Penetration Testing (PenTest) system which was developed as part of the work in [30]. A test-bed of our proposed 6LoWPAN DoS detection architecture was built with physical nodes, as represented in Figure 5. The PenTest system and the IDS were connected to the 6LoWPAN through the PenTest probe (Mp) and the IDS_P probes respectively. A detailed description of the evaluation is given below.

A. Penetration Testing

PenTest is a method of evaluating the security of a computer system by simulating actual attacks; it basically compromises the target network in a controlled environment. This helps in identifying vulnerabilities present in our network. Metasploit, an open source PenTest tool, was adopted for this experiment. Metasploit has the capability to sniff and inject forged packets into the 6LoWPAN network, whereas the IDS_P probe has only sniffing capability. During this work, an additional module was developed in Metasploit to support flashing/reprogramming of an attached Mp node with user-defined firmware, thus allowing more flexibility in performing remote DoS attacks.

The Attack: To validate our IDS, we performed an IPv6 UDP flooding attack against a 6LoWPAN network. Contiki [32], a prominent open source operating system for IoT, was used to develop the UDP flooding program, which can be either self-programmed or remotely programmed (using Metasploit) into a node. This node, attached as the Mp in Figure 5, initiates flooding by sending a large amount of traffic to a specific destination network, performing a DoS attack against the target network.

The Rule: To detect the UDP flooding attack described above, Suricata provides the threshold option in its rules: a rule option matches packets and, when the number of matches exceeds a threshold, an alert is triggered. The rule header contains the information about what action a rule takes when a packet matches the rule. Each rule contains a header as follows: an action (pass, drop, reject, alert); protocol (UDP, TCP, ICMP, etc.); source address; source port; destination address; destination port, followed by rule options. These rule options provide flexibility to the IDS; novel rule options could be developed to extend the detection parameters in rule options. The following rule was developed to detect the UDP flooding attack.

alert udp any any -> any any (msg:"My Threshold rule works"; threshold: type threshold, track by_dst, count 30, seconds 1; sid:999999; classtype:misc-activity; rev:1; content:"Hello"; priority:1;)

If UDP packets arrive at the rate of 30 packets per second, the above rule triggers an event in Suricata. The count and seconds parameters in the rule define the threshold value for the alert. The values defined are taken as a reference; different levels of flooding can be monitored with different threshold values. To extend detection capabilities, the content option provides payload matching in Suricata. The flooded packets carry the payload content 'Hello' to evaluate the payload matching. The above rule tracks the flooded packets with content 'Hello' towards a destination address. Thus, Suricata generates an alert each time it matches the above rule. An example of one such alert, recorded from Suricata's fast.log, is given below:

01/01/2013-18:51:58.653658 [**] [1:999999:1] My Threshold rule works [**] [Classification: Misc activity] [Priority: 1] {UDP} aaaa:0000:0000:0000:0212:7400:116c:9af4:8765 -> aaaa:0000:0000:0000:0000:00ff:fe00:0001:5678

The above alert describes the event information: time-stamp, signature ID, and UDP source and destination addresses when the particular rule is matched.

In future, by developing detection modules to detect attacks mentioned in [24] such as the RPL rank attack, the proposed detection architecture's results could be compared to [24]. Furthermore, trusted node addresses could be predefined as internal nodes and, when an adversary disrupts or joins the network, that particular suspicious node can be detected.
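To show what the threshold rule above does per packet, the following Python example (added here; it is neither the paper's code nor part of Suricata) emulates the content match and the 'type threshold, track by_dst, count 30, seconds 1' counter over a constructed packet capture, producing a fast.log-style line each time one destination receives 30 matching packets within a one-second window. Packet timings, the second and third destinations and the sensor traffic are constructed; the addresses of the flooder and target reuse the form of the alert above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


# The rule from the paper, reduced to the fields this emulation uses.
RULE = {
    "proto": "udp",
    "content": b"Hello",
    "track": "by_dst",
    "count": 30,
    "seconds": 1.0,
    "sid": 999999,
    "rev": 1,
    "msg": "My Threshold rule works",
}


class ThresholdRule:
    """Emulates 'threshold: type threshold, track by_dst, count N, seconds S':
    one alert is raised every N matching packets seen within an S-second window,
    counted separately for each tracked destination address."""

    def __init__(self, rule: dict) -> None:
        self.rule = rule
        self._state: Dict[str, Tuple[float, int]] = {}  # key -> (window start, matches)

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.rule["proto"] and self.rule["content"] in pkt.payload

    def process(self, pkt: Packet) -> Optional[str]:
        if not self.matches(pkt):
            return None
        key = pkt.dst if self.rule["track"] == "by_dst" else pkt.src
        start, n = self._state.get(key, (pkt.ts, 0))
        if pkt.ts - start > self.rule["seconds"]:
            start, n = pkt.ts, 0          # window expired: start a new one
        n += 1
        if n < self.rule["count"]:
            self._state[key] = (start, n)
            return None
        self._state[key] = (pkt.ts, 0)    # threshold reached: alert and reset the counter
        return (f"[1:{self.rule['sid']}:{self.rule['rev']}] {self.rule['msg']} "
                f"{{{pkt.proto.upper()}}} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")


def run_rule(packets: List[Packet]) -> List[str]:
    rule = ThresholdRule(RULE)
    ordered = sorted(packets, key=lambda p: p.ts)
    return [a for a in (rule.process(p) for p in ordered) if a]


FLOODER = "aaaa::212:7400:116c:9af4"
TARGET = "aaaa::ff:fe00:1"
OTHER = "aaaa::ff:fe00:2"
SLOW = "aaaa::ff:fe00:3"


def build_sample() -> List[Packet]:
    """Constructed capture: one real flood plus traffic that must not alert."""
    pkts: List[Packet] = []
    # 100 'Hello' packets to TARGET within half a second: 200 pkt/s, far above 30/s
    pkts += [Packet(i * 0.005, "udp", FLOODER, TARGET, 8765, 5678, b"Hello") for i in range(100)]
    # 10 'Hello' packets to OTHER: never reaches count 30
    pkts += [Packet(i * 0.005, "udp", FLOODER, OTHER, 8765, 5678, b"Hello") for i in range(10)]
    # 20 'Hello' packets at 10 pkt/s: never 30 inside any one-second window
    pkts += [Packet(1.0 + i * 0.1, "udp", FLOODER, SLOW, 8765, 5678, b"Hello") for i in range(20)]
    # legitimate sensor reports to TARGET without the content: ignored by the rule
    pkts += [Packet(i * 0.05, "udp", "aaaa::ff:fe00:4", TARGET, 5683, 5683, b"temp=21") for i in range(40)]
    return pkts


SAMPLE_PACKETS = build_sample()

if __name__ == "__main__":
    for line in run_rule(SAMPLE_PACKETS):
        print(line)
```

With these inputs the flood towards TARGET produces exactly three alerts (after the 30th, 60th and 90th matching packets), which is the "as many alerts as matches of the threshold" behaviour the text describes; the same counter explains why the paper's per-node alert counts grow with the flooding rate at a single target.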
In the considered experiments, a progressively increasing number of Mp nodes (up to 5) performed a flooding attack towards a target 6LoWPAN node. The duration of each test was 1 minute, and the Suricata IDS triggered alerts when a flooding attack was detected. Figure 6 represents the number of true positive events triggered by each Mp flooding node and detected by the IDS versus the number of Mp nodes participating in each attack. The experiments showed no false negatives, as the detection was based on predefined rules written specifically to detect the flooding attack. Three trials of 1 minute for each attack scenario were performed to evaluate the standard deviation of the alerts for each Mp node; the results are represented in Figure 6. At first, only 2 flooding nodes (Mp1 and Mp2) were introduced into the network; in this scenario, Suricata triggered 22 alerts, of which Mp1 was detected 10 times and Mp2 12 times. Then, the number of Mp flooding nodes was increased to evaluate the efficiency of the IDS engine and the IDS probe in detecting each rogue node separately.

Fig. 6: IDS alerts against UDP flooding attack (bar chart not reproduced: number of true positive alerts, 0 to 30, for each of Mp 1 to Mp 5, versus number of nodes, 2 to 5)

We can notice that the proposed IDS is able to detect the flooding attacks and that the detection rate of each Mp node increases when more Mp nodes are involved in the same attack. This is also due to the fact that the flooding was performed towards a single target node, which increases the number of matches per unit time of the rule set in Suricata. The same tests also confirm that the proposed solution can detect attacks when one or more nodes flood the network at the same time.

Furthermore, the traffic patterns of normal network behavior have been compared with the patterns obtained by performing flooding attacks. More specifically, the number of packets transmitted per second has been monitored and is represented in Figure 7.

Fig. 7: DoS Network Traffic (plot not reproduced: number of packets per second, 0 to 120, versus time in seconds, 0 to 60, for the 3-node and 5-node flooding scenarios)

VI. CONCLUSION & FUTURE WORK

Our DoS detection architecture, built on top of the ebbits network framework, was proved capable of detecting DoS attacks. It is more applicable to real world scenarios. Integrating information from the network manager components will increase the accuracy of attack detection. Nevertheless, in future more complicated attacks can be detected by using our DoS detection architecture.
Since our IDS runs on a host computer, it overcomes the resource constraint problems and provides more power to detect complicated attacks. It showed promising results and unearthed new ways to detect more complicated attacks related to 6LoWPAN, which would not have been possible earlier.

A. Future Works

In future, we expect to complete the implementation of our proposed architecture and test it against different real attacks. Apart from this, the proposed architecture can be further improved by the following:

Distributed Approach: To monitor large networks, distributed sniffing and detection mechanisms are required.

Security Incident and Event Management system (SIEM): Once the IDS detects some alerts, this raw information can be accessed by alert management software. These tools provide effective statistics and various notification options to the administrators via email, SMS, etc. In future, extending support to SIEMs will be considered. Finally, a centralized monitoring system could be designed such that all network management information from the ebbits network manager and the IDS alerts could be monitored together.

DoS Protection: After detecting a DoS attack, specific mechanisms can be designed to defend against the attack, i.e., intrusion prevention systems (IPS).

In future, by developing detection modules to detect the attacks mentioned in [24], such as the RPL rank attack, the results of the proposed detection architecture could be compared with those of [24]. Furthermore, trusted node addresses could be predefined as internal nodes, so that when an adversary disrupts or joins the network, that particular suspicious node can be detected.

ACKNOWLEDGEMENTS

The ebbits project is co-funded by the EC within the FP7, theme ICT-2009.1.3 Internet of Things and Enterprise environments, grant agreement No. 257852.

REFERENCES
[1] J. W. Hui and P. Thubert, “Compression format for IPv6 datagrams over IEEE 802.15.4-based networks,” IETF RFC 6282 (Proposed Standard, ISSN 2070-1721), Sept. 2011. [Online]. Available: http://tools.ietf.org/html/rfc6282
[2] O. Vermesan, P. Friess, P. Guillemin, S. Gusmeroli, H. Sundmaeker, A. Bassi, I. S. Jubert, M. Mazura, M. Harrison, M. Eisenhauer, et al., “Internet of things strategic research roadmap,” Internet of Things - Global Technological and Societal Trends, pp. 9–52, 2011.
[3] D. Evans, “The Internet of Things: How the next evolution of the Internet is changing everything,” Cisco white paper, 2011.
[4] “European project ebbits - Enabling the business-based Internet of Things and services,” website. [Online]. Available: http://www.ebbits-project.eu/news.php (accessed May 2013).
[5] J. P. Walters, Z. Liang, W. Shi, and V. Chaudhary, “Wireless sensor network security: A survey,” Security in Distributed, Grid, Mobile, and Pervasive Computing, vol. 1, p. 367, 2007.
[6] D. R. Raymond and S. F. Midkiff, “Denial-of-service in wireless sensor networks: Attacks and defenses,” IEEE Pervasive Computing, vol. 7, no. 1, pp. 74–81, 2008.
[7] O. Garcia-Morchon, S. Kumar, R. Struik, S. Keoh, and R. Hummen, “Security considerations in the IP-based Internet of Things,” IETF Internet-Draft (work in progress), draft-garcia-core-security-05, Mar. 2013. [Online]. Available: http://tools.ietf.org/html/draft-garcia-core-security-05
[8] T. Heer, O. Garcia-Morchon, R. Hummen, S. L. Keoh, S. S. Kumar, and K. Wehrle, “Security challenges in the IP-based Internet of Things,” Wireless Personal Communications, vol. 61, no. 3, pp. 527–542, 2011.
[9] A. Liu and P. Ning, “TinyECC: A configurable library for elliptic curve cryptography in wireless sensor networks,” in Proc. International Conference on Information Processing in Sensor Networks (IPSN ’08), pp. 245–256, IEEE, 2008.
[10] C. Karlof, N. Sastry, and D. Wagner, “TinySec: A link layer security architecture for wireless sensor networks,” in Proc. 2nd International Conference on Embedded Networked Sensor Systems, pp. 162–175, ACM, 2004.
[11] L. Casado and P. Tsigas, “ContikiSec: A secure network layer for wireless sensor networks under the Contiki operating system,” in Identity and Privacy in the Internet Age, pp. 133–147, Springer, 2009.
[12] D. R. Raymond, R. Marchany, M. Brownfield, and S. Midkiff, “Effects of denial-of-sleep attacks on wireless sensor network MAC protocols,” IEEE Transactions on Vehicular Technology, vol. 58, no. 1, pp. 367–380, 2009.
[13] Z. Shelby, K. Hartke, and C. Bormann, “Constrained Application Protocol (CoAP),” IETF Internet-Draft (work in progress), draft-ietf-core-coap-16, Apr. 2013. [Online]. Available: http://tools.ietf.org/html/draft-ietf-core-coap-16
[14] T. Winter, “RPL: IPv6 routing protocol for low-power and lossy networks,” IETF RFC 6550, Mar. 2012. [Online]. Available: http://tools.ietf.org/html/rfc6550
[15] A. Wood and J. Stankovic, “Denial of service in sensor networks,” Computer, vol. 35, no. 10, pp. 54–62, 2002.
[16] H. Kim, “Protection against packet fragmentation attacks at 6LoWPAN adaptation layer,” in Proc. International Conference on Convergence and Hybrid Information Technology (ICHIT ’08), pp. 796–801, IEEE, 2008.
[17] R. Riaz, K.-H. Kim, and H. Ahmed, “Security analysis survey and framework design for IP connected LoWPANs,” in Proc. International Symposium on Autonomous Decentralized Systems (ISADS ’09), pp. 1–6, IEEE, 2009.
[18] A. Le, J. Loo, and Y. Luo, “Specification-based IDS for securing RPL from topology attacks,” in Wireless Days (WD), pp. 4–6, 2011.
[19] A. Le, J. Loo, A. Lasebae, M. Aiash, and Y. Luo, “6LoWPAN: A study on QoS security threats and countermeasures using intrusion detection system approach,” International Journal of Communication Systems, vol. 25, no. 9, pp. 1189–1212, 2012.
[20] R. Cragie, Y. Ohba, R. Moskowitz, Z. Cao, and B. Sarikaya, “Security bootstrapping solution for resource-constrained devices,” IETF Internet-Draft (work in progress), draft-oflynn-core-bootstrapping-03, Nov. 2010. [Online]. Available: http://tools.ietf.org/html/draft-oflynn-core-bootstrapping-03
[21] Y. Xiao, V. K. Rayi, B. Sun, X. Du, F. Hu, and M. Galloway, “A survey of key management schemes in wireless sensor networks,” Computer Communications, vol. 30, no. 11, pp. 2314–2341, 2007.
[22] A. H. Farooqi and F. A. Khan, “Intrusion detection systems for wireless sensor networks: A survey,” in Communication and Networking, pp. 234–241, Springer, 2009.
[23] A. Mitrokotsa and A. Karygiannis, “Intrusion detection techniques in sensor networks,” in Wireless Sensor Network Security, J. Lopez and J. Zhou, Eds., pp. 251–272, 2008.
[24] S. Raza, L. Wallgren, and T. Voigt, “SVELTE: Real-time intrusion detection in the Internet of Things,” Ad Hoc Networks, May 2013. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S1570870513001005
[25] S. O. Amin, M. S. Siddiqui, C. S. Hong, and S. Lee, “RIDES: Robust intrusion detection system for IP-based ubiquitous sensor networks,” Sensors, vol. 9, no. 5, pp. 3447–3468, 2009.
[26] H. Sedjelmaci and M. Feham, “Novel hybrid intrusion detection system for clustered wireless sensor network,” International Journal of Network Security & Its Applications (IJNSA), vol. 3, no. 4, pp. 1–14, July 2011.
[27] A. Abduvaliyev, S. Lee, and Y.-K. Lee, “Energy efficient hybrid intrusion detection system for wireless sensor networks,” in Proc. 2010 International Conference on Electronics and Information Engineering, vol. 2, pp. V2-25–V2-29, Aug. 2010.
[28] S. Shin, T. Kwon, G.-Y. Jo, Y. Park, and H. Rhy, “An experimental study of hierarchical intrusion detection for wireless industrial sensor networks,” IEEE Transactions on Industrial Informatics, vol. 6, pp. 744–757, Nov. 2010.
[29] R. Tomasi, H. Khaleel, F. Penna, C. Pastrone, R. Garello, and M. Spirito, “Frequency agility in IPv6-based wireless personal area networks (6LoWPAN),” in Wired/Wireless Internet Communications, E. Osipov, A. Kassler, T. Bohnert, and X. Masip-Bruin, Eds., vol. 6074 of Lecture Notes in Computer Science, pp. 146–157, Springer Berlin Heidelberg, 2010.
[30] R. Tomasi, L. Bruno, C. Pastrone, and M. Spirito, “Meta-exploitation of IPv6-based wireless sensor networks,” in Proc. 3rd International Workshop on Security and Communication Networks (IWSCN), Gjøvik, Norway, 2011.
[31] “Suricata - The next generation intrusion detection system.” [Online]. Available: http://www.openinfosecfoundation.org (accessed May 2013).
[32] “Contiki, the open source OS for the Internet of Things.” [Online]. Available: http://www.contiki-os.org/ (accessed May 2013).