Anomaly Detection in Wireless Sensor Networks: A Proposed Framework

Abstract—With the rise of IoT devices and of systems connected to the Internet, there is, accordingly, an ever-increasing number of network attacks (e.g. DoS and DDoS attacks). A very significant research problem related to identifying attacks on Wireless Sensor Networks (WSNs) and to the analysis of sensor data is the detection of the relevant anomalies. In this paper, we propose a framework for an intrusion detection system in WSNs. The first two levels are located inside the WSN: one of them is between the sensor nodes and the second is between the cluster heads, while the third level is located on the cloud and is represented by the base stations. In the first level, which we call the light mode, we simulated intrusion traffic by generating data packets based on TCPDUMP data that contain intrusion packets; our work is done using WSN technology. We used OPNET simulation for generating the traffic because it allows us to collect intrusion detection data in order to measure the network performance and the efficiency of the simulated network scenarios. Finally, we report the experimental results of mimicking a Denial-of-Service (DoS) attack.


Introduction
A wireless sensor network (WSN) is a common network architecture made up of a set of autonomous devices and sensor nodes for gathering data from the surrounding environment. Examples of collected data sources are humidity sensor nodes, temperature sensor devices, power, light, etc. The need for wireless sensor networks is growing continuously because of the enormous improvement of technology [1]. Simultaneously, effective administration techniques are needed for dealing with complex networks and with the disparities of sensor data [2,3]. Wireless sensor networks are naturally associated with cloud services over the Internet. The storage and computing infrastructures provided by cloud platforms are necessary for archiving, analyzing, and processing the huge amount of data produced by sensors [4,5].
Anomaly detection in homogeneous WSNs has received much attention in the literature. Most of the methods concerned with anomaly detection are devoted to the analysis of the data stream produced by a single device [6,7]. In this setting, each node device is analyzed, using many different methods, to determine whether or not an anomaly is present. These methods and techniques are generally based on composite mathematical, statistical, or numerical analysis applied to data streams [8,9], which is tailored to the specific numeric characteristics of the sensor data type. Consequently, applying such techniques to WSNs that sense diverse types of features/parameters and include many sensors is not simple. The authors in [10] proposed short-long term anomaly detection in wireless sensor networks based on machine learning and a multi-parameterized edit distance; their method applies edge and cloud analysis to real data collected inside a residential building and then corrupted with a set of synthetic impairments.

The Proposed IDS Framework
In this paper, we propose a framework for intrusion detection in WSNs; the WSN is designed around three elements: the sensor nodes, the cluster heads, and the base stations, as illustrated in Fig. 1. The framework consists of three levels. The first level is the sensor node level, which we call the short-term level, where the nodes are monitored by the cluster head. If any of the sensors detects any type of anomaly, it forwards this threat to the corresponding cluster head. The second level is the cluster head level, which we call the medium-term level; it deals only with the cluster heads inside the network. In this level, the base stations monitor the cluster heads, which in turn forward the detected anomalies to the base station. The monitoring processes in the sensor nodes and the cluster heads together constitute an edge-based method, as represented in Fig. 1.
The third and last level is the base station level, which we call the long-term level; the monitoring process here is done using a cloud-based method. In this level the monitoring between the base stations is done outside the WSN (on the cloud). The cloud-based method uses the historical data in addition to the information sent by the base stations to take a suitable decision. Inside the WSN, the edge-based method is effective at identifying short-term anomalies, while in the cloud the cloud-based method is more accurate at identifying long-term anomalies, since it combines the sensed data kept in cloud storage, the historical analysis, and the new sensed data from the base stations.
Simulation and modelling are important approaches in the development and evaluation of systems in terms of time and cost. Simulations are used to show the expected behavior of a system under different conditions [11]. There are many possible platforms for simulating and testing an anomaly detection framework on WSNs. The current WSN simulators allow users to measure different features by varying different parameters. Examples of features that can be measured are simulation scenarios, global behavior, energy effectiveness, and fault tolerance. Each of them can be measured with different simulation programs; the most popular simulators for WSNs are OPNET, NS-2, SensorSim, GloMoSim, OMNET++, and JavaSim [12]. In addition, hybrid simulators that integrate real sensing devices with a suitable simulator can produce a cheaper development setup and increase confidence in the results [13].

Simulation Model Using OPNET
We use OPNET Modeler for this paper because of the numerous benefits it offers. OPNET provides a Graphical User Interface (GUI) for the designed model or topology, which allows a realistic simulation of networks; it also has data collection and performance display modules [14]. Another benefit of using OPNET Modeler is that it has been used widely by network researchers, and there is wide confidence in the validity of the produced results. OPNET permits an accurate analysis of performance measures and an effective detection of network intrusions.
The network traffic source comes from the MIT/Lincoln Lab TCPDUMP files. They contain various simulated network attacks, including DoSNuke attack packets, which we use in this paper for testing the proposed model [15]; DoSNuke is a Denial of Service (DoS) attack that exploits a known vulnerability in the Windows NT operating system. Alternatively, we could use software tools such as Nmap [16] to generate attacks while running a network sniffer such as Ethereal (now Wireshark) [17] to capture the network traffic, with the attack and sniffing activities all occurring in a controlled lab environment. The captured Ethereal file, which includes the attack data and, if desired, normal user data, can then be used in our intrusion simulation experiment. For both the TCPDUMP and Ethereal files, we use pre-processing tools to extract traffic information that is essential for the OPNET simulation. Our tools analyze the TCPDUMP and Ethereal files, extracting the flag information, the packet headers, the time distribution, and the packet payload. OPNET also provides an Application Characterization Environment (ACE) module that can be used to import packet traces into a simulation; it supports packet formats from various sources as well as TCPDUMP files [18].
Before building the simulated network, we first pre-process the TCPDUMP file (or Ethereal file) to extract the relevant information: the packet interarrival times, saved as a list of double-type values; the time duration, i.e. the time difference between the first and the last packet of the traffic source; and the list of distinct IP addresses appearing in the traffic source.
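The pre-processing step above, as an added example that is not the paper's own tool: a minimal reader for the classic libpcap file format (the format TCPDUMP and Ethereal write) that walks IPv4-over-Ethernet packets and returns the three quantities the paragraph lists. The sample capture is constructed in the block itself so it runs offline; it is not the MIT/Lincoln Lab data, and the addresses in it are placeholders.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# --- Constructed sample capture (not a real DARPA trace) -------------------

def build_ipv4_frame(src: str, dst: str) -> bytes:
    """Ethernet II frame carrying a bare IPv4 header (no transport payload)."""
    eth = b"\x00" * 12 + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    ip = bytearray(20)
    ip[0] = 0x45                                 # version 4, IHL 5 (20-byte header)
    ip[2:4] = (20).to_bytes(2, "big")            # total length: header only
    ip[8] = 64                                   # TTL
    ip[9] = 6                                    # protocol: TCP (payload omitted)
    ip[12:16] = bytes(int(o) for o in src.split("."))
    ip[16:20] = bytes(int(o) for o in dst.split("."))
    return eth + bytes(ip)

def build_pcap(records: List[Tuple[float, bytes]]) -> bytes:
    """Classic pcap: 24-byte global header (little-endian, link type 1 = Ethernet),
    then a 16-byte record header before every frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)

# Placeholder addresses; timestamps are seconds since the epoch.
SAMPLE_PCAP = build_pcap([
    (1000.0, build_ipv4_frame("192.168.1.10", "192.168.1.6")),
    (1000.5, build_ipv4_frame("192.168.1.10", "192.168.1.6")),
    (1002.0, build_ipv4_frame("192.168.1.20", "192.168.1.1")),
])

# --- Pre-processing ---------------------------------------------------------

@dataclass
class TraceSummary:
    interarrival: List[float]   # seconds between consecutive packets
    duration: float             # last packet time minus first packet time
    addresses: List[str]        # distinct IPv4 addresses seen (src or dst)

def iter_packets(data: bytes) -> Iterator[Tuple[float, str, str]]:
    """Yield (timestamp, src_ip, dst_ip) for each IPv4 frame in a classic pcap."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:           # file written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (link_type,) = struct.unpack_from(endian + "I", data, 20)
    if link_type != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        # 14-byte Ethernet header + 20-byte IPv4 header; skip anything else.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        yield sec + usec / 1_000_000, src, dst

def summarize(data: bytes) -> TraceSummary:
    """Extract interarrival times, total duration and the distinct address list."""
    times: List[float] = []
    addrs = set()
    for ts, src, dst in iter_packets(data):
        times.append(ts)
        addrs.update((src, dst))
    if not times:
        return TraceSummary([], 0.0, [])
    inter = [b - a for a, b in zip(times, times[1:])]
    return TraceSummary(inter, times[-1] - times[0], sorted(addrs))

if __name__ == "__main__":
    s = summarize(SAMPLE_PCAP)
    print(s.interarrival, s.duration, s.addresses)
```

The interarrival list is what a packet generator replays; the duration bounds the simulation time, and the address list is what the node mapping (attacker, victim, background hosts) is built from. Captures from TCPDUMP on a big-endian host are recognised by the swapped magic value; pcapng files are rejected rather than misread.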

Building the network model
To obtain more reliable results from our model, we build three scenarios for our WSN. The first scenario consists of a coordinator, which represents the cluster head in our framework, a router that acts as a firewall, and 10 sensor nodes (end devices), as shown in Fig. 2 (a); it represents the OPNET model for simulating the DoSNuke attack, where sensor Node 1 is the ATTACKER and sensor Node 6 is the VICTIM. The packets are extracted from the traffic source file. Once a packet is ready to be sent from the source to the destination (according to the predefined traffic scenario) it is transmitted without additional delay, so the replayed flow is consistent with the source trace.
The second scenario for simulating the DoSNuke attack is shown in Fig. 2 (b). It consists of 50 sensor nodes; sensor Node 1 is the ATTACKER and sensor Node 20 is the VICTIM. Figure 2 (c) shows the third scenario, which has 100 sensor nodes, with Node 1 as the ATTACKER and Node 6 as the VICTIM of the DoSNuke attack. There is a firewall node between the victim and the coordinator, which we use to capture suspicious data packets to or from the victim by matching the DoSNuke attack's signature. During the configuration of the OPNET model, we build a generator module that uses the predefined interarrival times from the script file responsible for generating the packets. This file is the output of the pre-processing step applied to the source traffic.

Analysis of simulation results
The source traffic data file for the DoSNuke attack comes from the MIT/Lincoln Lab DARPA intrusion detection evaluation data set, outside TCPDUMP dataset, 1999/Week 4/Wednesday. The simulated network normally collected data twenty-two hours a day. The tcpslice program was used to examine the outside TCPDUMP data files, and the actual times of the first and last packet were extracted [19]. We set up several statistical measures in OPNET to study the performance of the intrusion simulation. One of these measures is the distribution of the IP addresses of the data packets during the entire simulation, as shown in Figures 3, 4, and 5, which represent the three scenarios with 10, 50, and 100 nodes, respectively. The figures clearly show that in the normal mode without attack the accesses to the IP addresses are spread consecutively, while in the DoSNuke attack mode there is a clearly crowded access to the IP addresses of nodes 6, 20, and 60, as in Figures 3(b), 4(b), and 5(b), respectively, in the range from approximately 1200 sec to 2200 sec. The average rates of data packets captured by the firewall router, i.e. the occurrences of the packets and the times of their arrival, are illustrated in Fig. 6. The figure shows the firewall traffic for sent and received data in normal mode (no attack) and under the DoSNuke attack. It is clearly noticeable that the traffic has high rates during the period between 1200 sec and 2200 sec, the same period that appears in Figures 3, 4, and 5. These results demonstrate that the occurrences of the DoSNuke attack are captured synchronously by the firewall.
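The two detection views used above, the firewall's signature match on traffic to the victim (Building the network model) and the per-address "crowded access" that stands out in the IP distribution over the 1200 to 2200 sec window, as one added example that is not the paper's code. The signature is an assumption the page does not spell out: the well-known WinNuke/DoSNuke pattern of TCP out-of-band (URG) data sent to the NetBIOS session port 139. The traffic is constructed inline (regular background polling of ten nodes plus a flood against node6) rather than taken from the DARPA trace, and the bin size and threshold factor are illustrative parameters.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since the start of the simulation
    src: str
    dst: str
    dport: int      # TCP destination port
    urg: bool       # TCP URG flag set (out-of-band data)

# Assumed signature (not stated on the page): WinNuke-style DoS sends
# out-of-band data to the NetBIOS session port of the victim.
NETBIOS_SESSION_PORT = 139

def matches_dosnuke_signature(p: Packet) -> bool:
    """Firewall rule: flag OOB data aimed at the NetBIOS session port."""
    return p.dport == NETBIOS_SESSION_PORT and p.urg

def per_destination_counts(packets: Iterable[Packet], bin_size: float) -> Dict[str, Counter]:
    """Packets per time bin, keyed by destination address."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for p in packets:
        counts[p.dst][int(p.ts // bin_size)] += 1
    return counts

def flag_crowded_destinations(packets: Iterable[Packet], bin_size: float = 100.0,
                              factor: float = 5.0) -> Dict[str, List[Tuple[float, float]]]:
    """Return {dst: [(bin_start, bin_end), ...]} for bins whose packet count exceeds
    `factor` times that destination's median bin count. The median is a robust
    baseline: a flood confined to a minority of bins does not drag it upwards."""
    flagged: Dict[str, List[Tuple[float, float]]] = {}
    for dst, bins in per_destination_counts(packets, bin_size).items():
        baseline = max(median(bins.values()), 1)
        hot = [b for b, n in sorted(bins.items()) if n > factor * baseline]
        if hot:
            flagged[dst] = [(b * bin_size, (b + 1) * bin_size) for b in hot]
    return flagged

def attack_window(windows: List[Tuple[float, float]]) -> Tuple[float, float]:
    """Collapse the flagged bins of one destination into (first_start, last_end)."""
    return min(s for s, _ in windows), max(e for _, e in windows)

def build_sample() -> List[Packet]:
    """Constructed traffic: the coordinator polls node1..node10 every 10 s for
    3000 s; node1 floods node6 with URG packets to port 139 ten times a second
    between 1200 s and 2200 s (the window reported in the paper)."""
    pkts: List[Packet] = []
    for n in range(1, 11):
        for t in range(n, 3000, 10):
            pkts.append(Packet(float(t), "coordinator", f"node{n}", 80, False))
    for i in range(10_000):
        pkts.append(Packet(1200.0 + i / 10, "node1", "node6", 139, True))
    return sorted(pkts, key=lambda p: p.ts)

def signature_hits(packets: Iterable[Packet]) -> int:
    """Number of packets the firewall would capture with the signature rule."""
    return sum(1 for p in packets if matches_dosnuke_signature(p))

if __name__ == "__main__":
    sample = build_sample()
    print("signature hits:", signature_hits(sample))
    for dst, wins in flag_crowded_destinations(sample).items():
        print(dst, "crowded during", attack_window(wins))
```

The signature rule is what a firewall node can apply per packet at the edge; the binned rate view is the edge/cluster-head counterpart of the IP distribution plots and needs no knowledge of the exploit, so it would also surface a flood that changed ports or flags. The two agree on the same window here, which is the synchrony the paper reports between the address distributions and the firewall rates.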

Conclusion
In this paper, we proposed a framework for an intrusion detection system in WSNs. The first two levels are located inside the Wireless Sensor Network (WSN): one of them is between the sensor nodes and the second between the cluster heads, while the third level is located on the cloud and is represented by the base stations. In the first level, which we call the light mode, we simulated intrusion traffic by generating data packets based on TCPDUMP data that contain intrusion packets. We then reported experimental results of the network intrusion simulation using previously captured TCPDUMP data as the traffic source. Our work demonstrated several aspects of using the OPNET Modeler simulator for detecting intrusions: displaying and identifying patterns in the IP address distributions of the data packets during the entire simulation, the overall network traffic under the DoSNuke attack in three different scenarios, and the average rates of data packets captured by the firewall router. For future work, we plan to complete the evaluation of the second and third levels of our proposed framework in WSNs with different intrusion detection aspects.