Intrusion Detection System to Detect Sinkhole Attack on RPL Protocol in Internet of Things

Size: px

Start display at page:

Download "Intrusion Detection System to Detect Sinkhole Attack on RPL Protocol in Internet of Things"

Rodger Thomas
6 years ago
Views:

1 Intrusion Detection System to Detect Sinkhole Attack on RPL Protocol in Internet of Things R. Stephen 1, Dr. L. Arockiam 2 1 Research Scholar, 2 Associate Professor, Department of Computer Science, St. Joseph s College, Trichy, TN, India 1 stephenr1989@gmail.com, 2 larockiam@yahoo.co.in Abstract: In Internet of Things (IoT), the sensor nodes are deployed to transmit the data to a base station. So, the major threat is sinkhole attack and it is still being a challenging issue on the sensor networks, where the attacker node disrupts the packets from the other normal sensor nodes and drops the packets. This paper proposes an Intrusion Detection System (IDS) to detect the sinkhole attack in the network which uses the RPL as a routing protocol. The proposed algorithm uses the detection metrics such as number of packets received and transmitted to validate the Intrusion Ratio (IR) by the IDS agent. A technique is proposed to identify whether the router node is a malicious node or not using the IR value. If IDS system detects the malicious node, it sends the alert message to the leaf nodes to isolate the malicious node in next data transmission. The aim of the proposed work is to minimize the Intrusion Ratio. Keywords: Internet of Things, RPL, Sinkhole Attack. 16 I. INTRODUCTION Internet of Things is used in a broad range of applications such as home monitoring, environment sensing, healthcare, and agriculture etc. It uses various technologies to communicate among sensor devices. These sensor devices sense the information and send to the base station. RPL is one of the routing protocols that is primarily designed for Internet of Things. Wireless Sensor Networks (WSNs) are deployed in the IoT network to send the data to the base station (6BR). IoT faces a lot of security issues that arise due to low energy, low storage and low computation. The data transmission in Internet of Things network needs to ensure security in end to end communication. But, IoT faces different types of routing attacks such as sinkhole attack, selective forwarding, Sybil, HELLO flood, black hole etc. These attacks disrupt the entire network and create more threats. This paper takes the sinkhole attack as a major issue in RPL topology for Internet of Things. The sinkhole attack creates more network traffic than other routing attacks. It compromises the neighbor nodes by sending the fake routing information. The intruder launches the sinkhole attack to destroy the data packets. Also, this attack is extended to selective forwarding, HELLO flood, and black hole attack. This paper proposes the intrusion detection system to detect the sinkhole attack in IoT. It uses the RPL as a routing protocol for IoT network. The IDS mechanism is used to identify a router node is normal node or malicious node and send the alert message to the remaining sensor nodes to isolate the malicious node in next data transmission. This paper is structured as follows: section 2 describes the similar existing works on sinkhole attacks. Section 3 presents the background of our research work. The proposed IDS mechanism is explained in section 4. Finally, section 5 concludes the paper. II. RELATED WORK Secure routing for Internet of Things is a challenging task for researchers. Especially, designing Intrusion Detection mechanism for 6LoWPAN networks based on RPL protocol is the current research area. David et al. [1] surveyed on vulnerabilities to routing in IoT. This paper has summarized the RPL attacks, 6LoWPAN attacks and secure routing protocols for IoT. Christian et al. [2] proposed Intrusion Detection System called INTI to detect sinkhole attacks on 6LoWPAN for Internet of Things. Sinkhole attack is identified by the combination of three strategies such as watchdog, reputation and trust. The results showed that the proposed IDSperformance and its effectiveness in terms of attack detection rate, number of false positives and false negatives are better than earlier mechanisms. Nguyen et al. [3] surveyed on secure communication protocols for Internet of Things. This paper prescribed an overview of IoT security and cryptography mechanisms. Raza et al. [4] proposed the Intrusion Detection modules called SVELTE in the Internet of Things. These modules placed in the IPv6 Border Router (6BR) with various requirements such as 6Mapper, detection, node availability, mini-firewall etc. The proposed IDS was implemented in Contiki OS based on RPL DODAG. Shafiei et al. [5] used centralized and distributed monitoring approaches to detect and mitigate sinkhole attacks in wireless sensor networks. George et al. [6] surveyed the existing works on sinkhole attacks detection. This paper articulated that various existing approaches and their limitations and advantages. Wallgren et al. [7] exemplified the usage of IDS in the IoT by implementing a lightweight heartbeat protocol. This paper implemented a set of well-known routing attacks against 6LoWPAN networks running on RPLrouting protocol. Stephen et al. [8] used dynamic detection of sinkhole attack for Internet of Things. This paper used an alternative parent information to identify the attacker. Ranjeeth et al. [9] proposed Intrusion Detection System mechanism to detect the intruder in the wireless sensor network which uses LEACH protocol. This paper used IDS algorithm to detect

[11] analyzed the wireless sensor networks performance and detection methods in terms of sinkhole attack in wireless sensor networks.

2 sinkhole attack and simulated by using TETCOS NETSIM. Patel et al. [10] proposed baseline IDS framework for 6LoWPAN devices. This IDS framework is based on signature, anomaly, distributed and centralized approaches to detect insider attacks. Basker et al. [11] analyzed the wireless sensor networks performance and detection methods in terms of sinkhole attack in wireless sensor networks. This paper used average energy consumption, throughput and packet delivery ratio as parameters for analyzing network performance. Kumar et al. [12] proposed the leader based intrusion detection system to detect sinkhole attack in wireless sensor networks. Here, the leader can monitor the nodes only region wise and does not adopt any clustering technique. Shelke et al. [13] proposed detection algorithm to resolve sinkhole attack over collection tree protocol. Atinderpal et al. [15] reviewed on detection and prevention of sinkhole attack in networks. This paper articulated the sinkhole attack effectiveness based on AODV routing protocol and compared with previous techniques on the basis of various parameters like end to end delay, throughput and network load. Tariqahmad et al. [16] proposed Intrusion Detection System to detect hello flood and Sybil attack in Internet of Things. This paper used Hybrid approach for placement IDS in the IoT networks. This Hybrid approach combined the centralized and the distributed modules used to detect attacks.santiago et al. [17] presented the issues and ways to minimize the energy consumption in IoT networks. The researchers also highlighted the need for the lightweight algorithms for the resource-constraint devices keeping in mind security concerns. III. 17 RESEARCH BACKGROUND A. Routing Protocol for Low Power and Lossy Networks (RPL): The RPL is based on the construction of a Destination- Oriented Directed Acyclic Graph (DODAG) that is designed by the Internet Engineering Task Force (IETF) network working group. It is an IP-based distance vector and hop-by-hop routing protocol [14]. RPL enables one-to-one, one-to-many, many-to-many communication over the network by different operations such as the unidirectional towards a DODAG root and bidirectional between resource-constrained devices and the DODAG root. In the DODAG architecture, the nodes are organized in a hierarchical tree structure and routed at a single root node called 6BR (IPv6 Border Router) which connects 6LoWPAN to the internet. Figure 1 shows the typical RPL tree structure which consists of different 6LoWPAN nodes that are connected together based on the DODAG topology. Each node has an ID based on IPv6 address and rank. The rank value is increasing in the top-down direction and it is decreasing in the bottom-up towards the DODAG root. B. Sinkhole Attack: Sinkhole attack is an active type of attack. There are various methods to launch the sinkhole attacks such as the attack node sends the false information to the sender nodes either directly or using wormhole attack about the routing metrics. Sinkhole attack acts like a selective forwarding attack, black hole attack and wormhole attack. In RPL, an intruder launches sinkhole attack by using its rank. It sends rank information as a better rank to make neighbor nodes in the DODAG for selecting it as a preferred parent node. Figure 2 shows a screenshot of sinkhole attack on RPL topology. In DODAG, the node 5 suffers a sinkhole attack which is compromised by the neighbor nodes to create a traffic and disrupt the routing path. Figure 2: A Sinkhole attack by Node 6 in RPL DODAG C. Research Motivation: The classification of the attacks is based on the layers of the IoT stack, where the network layer has many vulnerabilities like sinkhole, black hole, Sybil, HELLO flood attacks etc. These attacks create a threat to the sensor networks. Among them, sinkhole attack is one of the most susceptible threats to the network as referred in related works. RPL routing protocol plays the major role in data transmission in IoT networks. The RPL is based on DODAG (Destination Oriented Directed Acyclic

3 Graph). It has a single root node (6BR) which connects 6LoWPAN to the internet. The design of IDS mechanism for RPL over 6LoWPAN in Internet of Things is still in demand. In RPL, a sinkhole node is to compromise the other nodes to disrupt the network. Also, the sinkhole attack leads to selective forwarding, HELLO flood, black hole attacks. 18 IV. SYSTEM DESIGN Sinkhole attack creates more vulnerabilities than all other attacks in wireless sensor networks [9]. So, the effort of providing security, detecting the possibilities of sinkhole attack in a sensor networks with RPL protocol, and developing IDS mechanism to reduce the routing attacks should be efficient. A. Problem Description: A sinkhole attack compromises a node which attracts nearby nodes to make a route traffic through it. In RPL, an intruder launches a sinkhole attack by making a node (R) as the parent node of a cluster. This is done through setting the rank of that node (R) as the highest. Hence,the neighbor nodes send the data packets through it. Here, a sinkhole node compromises the other nodes and makes data loss in transmission time. Also, sinkhole attack leads to selective forwarding, black hole, HELLO flood attacks. B. Intrusion Detection Architecture: Recent routing protocols face security issues in multiple sink or base station [9]. The RPL protocol is primarily designed for Internet of Things. It classifies the network nodes into leaf nodes, router nodes and root node (6BR). In RPL topology, it has one root node that is 6BR (IPv6 Border Router) which receives the data from the router nodes. The leaf nodes or source nodes send the data to the base station through the router nodes. The router nodes are responsible to send the data to the root node. But, the intruder launches the sinkhole attack to disrupt the communication such as selective forwarding of the data or droping the data packets. The proposed IDS runs on the root node, that collects the data packets from router nodes and identify the malicious node. Figure 3 shows an overview of working principle of the IDS architecture. The proposed IDS is deployed in the root node which is identified as the malicious node and sends the alert message to the remaining leaf nodes to avoid the intruder node in next transmission. C. Proposed Algorithm Description The IDS agent runs in the root node to identify the intrusion by analyzing the data packets that consists of Packet Received (PR), Packet Transmitted (PT) and identify therouter Node (RN) periodically. The packet transmission value of router node (PT i ), the packet received value of router node (PR i ) and router node identification (RN i ) are used to calculate the Intrusion Ratio (IR i ). From the intrusion value, the node is classified as normal node or malicious node. Suppose, the router node is a sinkhole attack node which drops the data packets or selectively forwards the data packets then it may lead to black hole attack. The purpose of the above strategy is to minimize the intrusion ratio, so that the intruder node can be isolated in the next route of data transmission. Begin L1, L2, L3 Ln are leaf nodes (sensor network) PT is the packets transmitted by the RN in sensor network PR is the packets received by the RN in sensor network R i is the router node ID IR i is the intrusion ratio of RN i Repeat Time_delay (100) Receive packets from the Route nodes Calculate IRi where IR i =PR i /PT i If IR i n then Corresponding RN i is the normal node It sends the data packets completely Else if IR i then Corresponding RN i is the sinkhole attack node

4 It drops the data packets fully Else Corresponding RN i is the normal node It selectively forwards the data packets End if Until the nodes transmission process completes End Algorithm 1: IDS Algorithm for Sinkhole Attack D. Intrusion Detection Model: A mathematical model is used to verify the effectiveness of the IDS algorithm. The leaf nodes are sensor nodes that are denoted by Ln which are placed over the network. Let Ln consist of L1, L2, L3, Ln which are sensor nodes in the network. Let RN i be the router node which contains the sensor nodes as its members. Let RN i consists of R1, R2, R3 Rn. Let R i be the router node ID. LN i be the leaf node of a particular router node RN i. The sensor node (LN i ) starts to sense the environment data like temperature, movement tracking and so on. The Packets Received (PR i ) and Packets Transmitted (PT i ) values of a particular RN i are calculated by the root node (6BR). ThenThe Intrusion Ratio (IR) is calculated by the following equation: IR = 19 Number of Packets Received (PRi ) (1) Number of Packets Transmitted (PTi ) The IR value can be either 1 or or fraction. If the IR value is 1, it denotes that the data packets are completely transmitted. If the IR value is an infinitive, it denotes that the data packets are fully dropped. If their valueis a fraction format, it denotes that the data packets are selectively forwarded. Consider a sensor network with three router nodes. The sensor nodes (leaf nodes) L1, L2, L3 send the data packets to the router node R1. Now, let us consider the three different possible cases for different values of PRi/PT i.. Case 1 (no attack): Let the PR1 value of the RN1 be 50 and PT1 value of RN1 be 50. The IR value of the router node RN1 is calculated from equation (1) as 1, which indicates that the RN1 is a normal node, since it sends all the data packets. Case 2 (under attack): Let the PR1 value of the RN1 be 50 and PT1 value of RN1 be 0. The IR value of the router node RN1 is calculated from (1) as, which indicates that the RN1 is a malicious node, since it drops all the data packets. Case 3 (selective forwarding attack): Let the PR1 value of the RN1 be 50 and PT1 value of RN1 be 45. The IR value of the router node RN1 is calculated from (1) as 1.11, which indicates that the RN1 is a normal node, but itselectively forwards the data packets. Here, the IR value is calculated from the sample data, and the different possible cases are explained. But, the proposed IDS requires the global data access. V. CONCLUSION Internet of Things is primarily connected with wireless sensor networks. It is prone to security issues like sinkhole attacks. The proposed IDS mechanism identifies such attacks on RPL protocol and alerts the leaf nodes (sensor nodes) in order to reduce the value of the packet loss. The proposed mechanism calculates the Intrusion Ratio to identify the malicious nodes in the network. In future, the proposed algorithm will be simulated and the performance will be analyzed. Also, the proposed work could be extended to detect other types of routing attacks. VI. REFERENCES [1] Airehrour David, Jairo Gutierrez, and Sayan Kumar Ray, "Secure routing for internet of things: A survey", Journal of Network and Computer Applications 66, pp , [2] Christian Cervantes, Diego Poplade, Michele Nogueira and Aldri Santos "Detection of sinkhole attacks for supporting secure routing on 6lowpan for internet of things", Integrated Network Management (IM), IFIP/IEEE International Symposium on. IEEE, [3] Nguyen Kim Thuat, Maryline Laurent, and Nouha Oualha "Survey on secure communication protocols for the Internet of Things", Ad Hoc Networks 32, pp.17-31, [4] Raza Shahid, Linus Wallgren, and Thiemo Voigt "SVELTE: Real-time intrusion detection in the Internet of Things", Ad hoc networks, Vol.11, Issue.8, pp , [5] Shafiei Hosein, Khonsari, Derakhshi, and Mousavi, "Detection and mitigation of sinkhole attacks in wireless sensor networks", Journal of Computer and System Sciences, Vol. 80, Issue.3, pp , [6] Kibirige George W., and Camilius Sanga, "A Survey on Detection of Sinkhole Attack in Wireless Sensor Network", print: , [7] Wallgren Linus, Shahid Raza, and Thiemo Voigt, "Routing Attacks and Countermeasures in the RPL-based Internet of Things", International Journal of Distributed Sensor Networks, [8] Stephen.R, A. Dalvin Vinoth Kumar, and L. Arockiam, "Deist: Dynamic Detection of Sinkhole Attack for Internet of Things", International Journal of Engineering and Computer Science,

5 ISSN: , vol.5, issue. 12, pp , [9] Sundararajan Ranjeeth Kumar, and Umamakeswari Arumugam, "Intrusion detection algorithm for mitigating sinkhole attack on LEACH protocol in wireless sensor networks", Journal of Sensors, [10] Patel Himanshu B, Devesh C. Jinwala, and Dhiren R. Patel, "Baseline Intrusion Detection Framework for 6LoWPAN Devices", Adjunct Proceedings of the 13th International Conference on Mobile and Ubiquitous Systems: Computing Networking and Services. ACM, [11] Baskar Radhika, P.C. Kishore Raja, Christeena Joseph and M. Reji, "Sinkhole Attack in Wireless Sensor Networks-Performance Analysis and Detection Methods", Indian Journal of Science and Technology, Vol.10 (12), ISSN: , [12] Kumar D. Udaya Suriya Raj, and Rajamani Vayanaperumal, "A Hybrid Zone based Leader for Monitoring Sinkhole Attack in Wireless Sensor Network", Indian Journal of Science and Technology, Vol.8 (23), [13] Shelke Maya, Kalyani kadam, Ameya Bhattacharya, Richita Das, Ayushi Rathi and Aishwarya Singh, "Energy Efficient and Reliable Algorithm to Detect and Resolve Sinkhole Attack over Collection Tree Protocol", International Journal of Computer Applications, Vol.148, No.12, [14] Bostani Hamid, and Mansour Sheikhan, "Hybrid of anomaly-based and specification-based IDS for Internet of Things using unsupervised OPF based on MapReduce approach" Computer Communications, Elsevier, [15] Atinderpal Singh, and Tejinderdeep Singh, "Review on Detection and Prevention of Sink Hole Attack In network", Global Journal of Computers & Technology, Vol.5, No.2, pp: [16] Tariqahmad Sherasiya, and Hardik Upadhyay, Intrusion Detection System for Internet of Things, International Journal of Advance Research and Innovative Ideas in Education, Vol.2, Issue. 3, ISSN: , [17] Santiago and Arockiam, Energy Efficiency in Internet of Things: An Overview,International Journal of Recent Trends in Engineering & Research (IJRTER), Vol. 02, 2016, pp

International Journal of Computer Engineering and Applications, Volume XII, Issue I, Jan. 18, ISSN

International Journal of Computer Engineering and Applications, Volume XII, Issue I, Jan. 18, www.ijcea.com ISSN 2321-3469 INTRUSION DETECTION IN INTERNET OF THINGS A SURVEY T. S. Urmila, Dr. B. Balasubramanian