Intrusion Detection System for detecting internal threats in 6LoWPAN

6LoWPAN (IPv6 over Low-power Wireless Personal Area Network) is a standard developed by the Internet Engineering Task Force group to enable the Wireless Sensor Networks to connect to the IPv6 Internet. This standard is rapidly gaining popularity for its applicability, ranging extensively from health care to environmental monitoring. Security is one of the most crucial issues that need to be considered properly in 6LoWPAN. Common 6LoWPAN security threats can come from external or internal attackers. Cryptographic techniques are helpful in protecting the external attackers from illegally joining the network. However, because the network devices are commonly not tampered-proof, the attackers can break the cryptography codes of such devices and use them to operate like an internal source. These malicious sources can create internal attacks, which may downgrade significantly network performance. Protecting the network from these internal threats has therefore become one of the centre security problems on 6LoWPAN. This thesis investigates the security issues created by the internal threats in 6LoWPAN and proposes the use of Intrusion Detection System (IDS) to deal with such threats. Our main works are to categorise the 6LoWPAN threats into two major types, and to develop two different IDSs to detect each of this type effectively. The major contributions of this thesis are summarised as below. First, we categorise the 6LoWPAN internal threats into two main types, one that focuses on compromising directly the network performance (performance-type) and the other is to manipulate the optimal topology (topology-type), to later downgrade the network service quality indirectly. In each type, we select some typical threats to implement, and assess their particular impacts on network performance as well as identify performance metrics that are sensitive in the attacked situations, in order to form the basis detection knowledge. In addition, on studying the topology-type, we propose several novel attacks towards the Routing Protocol for Low Power and Lossy network (RPL - the underlying routing protocol in 6LoWPAN), including the Rank attack, Local Repair attack and DIS attack. Second, we develop a Bayesian-based IDS to detect the performance-type internal threats by monitoring typical attacking targets such as traffic, channel or neighbour nodes. Unlike other statistical approaches, which have a limited view by just using a single metric to monitor a specific attack, our Bayesian-based IDS can judge an abnormal behaviour with a wiser view by considering of different metrics using the insightful understanding of their relations. Such wiser view helps to increase the IDS’s accuracy significantly. Third, we develop a Specification-based IDS module to detect the topology-type internal threats based on profiling the RPL operation. In detail, we generalise the observed states and transitions of RPL control messages to construct a high-level abstract of node operations through analysing the trace files of the simulations. Our profiling technique can form all of the protocol’s legal states and transitions automatically with corresponding statistic data, which is faster and easier to verify compare with other manual specification techniques. This IDS module can detect the topology-type threats quickly with a low rate of false detection. We also propose a monitoring architecture that uses techniques from modern technologies such as LTE (Long-term Evolution), cloud computing, and multiple interface sensor devices, to expand significantly the capability of the IDS in 6LoWPAN. This architecture can enable the running of both two proposed IDSs without much overhead created, to help the system to deal with most of the typical 6LoWPAN internal threats. Overall, the simulation results in Contiki Cooja prove that our two IDS modules are effective in detecting the 6LoWPAN internal threats, with the detection accuracy is ranging between 86 to 100% depends on the types of attacks, while the False Positive is also satisfactory, with under 5% for most of the attacks. We also show that the additional energy consumptions and the overhead of the solutions are at an acceptable level to be used in the 6LoWPAN environment

Mobile Firewall System For Distributed Denial Of Service Defense In Internet Of Things Networks

Internet of Things (IoT) has seen unprecedented growth in the consumer space over the past ten years. The majority of IoT device manufacturers do not, however, build their products with cybersecurity in mind. The goal of the mobile firewall system is to move mitigation of network-diffused attacks closer to their source. Attack detection and mitigation is enforced using a machine that physically traverses the area. This machine uses a suite of security tools to protect the network. Our system provides advantages over current network attack mitigation techniques. Mobile firewalls can be deployed when there is no access to the network gateway or when no gateway exists, such as in IoT mesh networks. The focus of this thesis is to refine an explicit implementation for the mobile firewall system and evaluate its effectiveness. Evaluation of the mobile firewall system is analyzed using three simulated distributed denial of service case studies. Mobility is shown to be a great benefit when defending against physically distant attackers – the system takes no more than 131 seconds to fully nullify a worst-case attack

Security of the Internet of Things: Vulnerabilities, Attacks and Countermeasures

Wireless Sensor Networks (WSNs) constitute one of the most promising third-millennium technologies and have wide range of applications in our surrounding environment. The reason behind the vast adoption of WSNs in various applications is that they have tremendously appealing features, e.g., low production cost, low installation cost, unattended network operation, autonomous and longtime operation. WSNs have started to merge with the Internet of Things (IoT) through the introduction of Internet access capability in sensor nodes and sensing ability in Internet-connected devices. Thereby, the IoT is providing access to huge amount of data, collected by the WSNs, over the Internet. Hence, the security of IoT should start with foremost securing WSNs ahead of the other components. However, owing to the absence of a physical line-of-defense, i.e., there is no dedicated infrastructure such as gateways to watch and observe the flowing information in the network, security of WSNs along with IoT is of a big concern to the scientific community. More specifically, for the application areas in which CIA (confidentiality, integrity, availability) has prime importance, WSNs and emerging IoT technology might constitute an open avenue for the attackers. Besides, recent integration and collaboration of WSNs with IoT will open new challenges and problems in terms of security. Hence, this would be a nightmare for the individuals using these systems as well as the security administrators who are managing those networks. Therefore, a detailed review of security attacks towards WSNs and IoT, along with the techniques for prevention, detection, and mitigation of those attacks are provided in this paper. In this text, attacks are categorized and treated into mainly two parts, most or all types of attacks towards WSNs and IoT are investigated under that umbrella: “Passive Attacks” and “Active Attacks”. Understanding these attacks and their associated defense mechanisms will help paving a secure path towards the proliferation and public acceptance of IoT technology

A specification-based IDS for detecting attacks on RPL-based network topology

Routing Protocol for Low power and Lossy network (RPL) topology attacks can downgrade the network performance significantly by disrupting the optimal protocol structure. To detect such threats, we propose a RPL-specification, obtained by a semi-auto profiling technique that constructs a high-level abstract of operations through network simulation traces, to use as reference for verifying the node behaviors. This specification, including all the legitimate protocol states and transitions with corresponding statistics, will be implemented as a set of rules in the intrusion detection agents, in the form of the cluster heads propagated to monitor the whole network. In order to save resources, we set the cluster members to report related information about itself and other neighbors to the cluster head instead of making the head overhearing all the communication. As a result, information about a cluster member will be reported by different neighbors, which allow the cluster head to do cross-check. We propose to record the sequence in RPL Information Object (DIO) and Information Solicitation (DIS) messages to eliminate the synchronized issue created by the delay in transmitting the report, in which the cluster head only does cross-check on information that come from sources with the same sequence. Simulation results show that the proposed Intrusion Detection System (IDS) has a high accuracy rate in detecting RPL topology attacks, while only creating insignificant overhead (about 6.3%) that enable its scalability in large-scale network

A specification-based IDS for detecting attacks on RPL-based network topology

Routing Protocol for Low power and Lossy network (RPL) topology attacks can downgrade the network performance significantly by disrupting the optimal protocol structure. To detect such threats, we propose a RPL-specification, obtained by a semi-auto profiling technique that constructs a high-level abstract of operations through network simulation traces, to use as reference for verifying the node behaviors. This specification, including all the legitimate protocol states and transitions with corresponding statistics, will be implemented as a set of rules in the intrusion detection agents, in the form of the cluster heads propagated to monitor the whole network. In order to save resources, we set the cluster members to report related information about itself and other neighbors to the cluster head instead of making the head overhearing all the communication. As a result, information about a cluster member will be reported by different neighbors, which allow the cluster head to do cross-check. We propose to record the sequence in RPL Information Object (DIO) and Information Solicitation (DIS) messages to eliminate the synchronized issue created by the delay in transmitting the report, in which the cluster head only does cross-check on information that come from sources with the same sequence. Simulation results show that the proposed Intrusion Detection System (IDS) has a high accuracy rate in detecting RPL topology attacks, while only creating insignificant overhead (about 6.3%) that enable its scalability in large-scale network

A Trust-Based Intrusion Detection System for RPL Networks: Detecting a Combination of Rank and Blackhole Attacks

Routing attacks are a major security issue for Internet of Things (IoT) networks utilising routing protocols, as malicious actors can overwhelm resource-constrained devices with denial-of-service (DoS) attacks, notably rank and blackhole attacks. In this work, we study the impact of the combination of rank and blackhole attacks in the IPv6 routing protocol for low-power and lossy (RPL) networks, and we propose a new security framework for RPL-based IoT networks (SRF-IoT). The framework includes a trust-based mechanism that detects and isolates malicious attackers with the help of an external intrusion detection system (IDS). Both SRF-IoT and IDS are implemented in the Contiki-NG operating system. Evaluation of the proposed framework is based on simulations using the Whitefield framework that combines both the Contiki-NG and the NS-3 simulator. Analysis of the simulations of the scenarios under active attacks showed the effectiveness of deploying SRF-IoT with 92.8% packet delivery ratio (PDR), a five-fold reduction in the number of packets dropped, and a three-fold decrease in the number of parent switches in comparison with the scenario without SRF-IoT. Moreover, the packet overhead introduced by SRF-IoT in attack scenarios is minimal at less than 2%. Obtained results suggest that the SRF-IoT framework is an efficient and promising solution that combines trust-based and IDS-based approaches to protect IoT networks against routing attacks. In addition, our solution works by deploying a watchdog mechanism on detector nodes only, leaving unaffected the operation of existing smart devices