International Journal Of Advanced Research and Innovations Vol.1, Issue .1 ISSN Online: 2319 – 9253
Print: 2319 – 9245
IJARAI.COM Dec/2012 Page 52
Alert Correlations in Intrusion Detection Systems
P. Sai Prasad [1]
J. KrishnaVeni [2]
1. Asst. Professor, Dept. of CSE, Sanjeevani College of Engineering, Kopargaon, Shiridi
2. HOD, Dept. of IT, Vivekananda Institute of Technology and Science, Karimnagar
ABSTRACT
The use of wireless sensors has grown drastically around the world, yet providing security for them is a tedious task because of the many constraints involved. Sensor networks must overcome the problems of energy, memory usage and computation power, and finally quality assurance issues. Privacy preservation is a scheme for providing security to sensor networks; to it we add further enhanced parameters such as identity, routing and location, by which we achieve reliability and cost-effectiveness.
Keywords: privacy; routing; wireless sensor networks; IRL scheme; network model
I. INTRODUCTION
An intrusion detection system (IDS) is a
device or software application that monitors
network or system activities for malicious
activities or policy violations and produces
reports to a Management Station. Some systems
may attempt to stop an intrusion attempt but this
is neither required nor expected of a monitoring
system. Intrusion detection and prevention
systems (IDPS) are primarily focused on
identifying possible incidents, logging
information about them, and reporting attempts.
In addition, organizations use IDPSes for other
purposes, such as identifying problems with
security policies, documenting existing threats
and deterring individuals from violating security
policies. IDPSes have become a necessary
addition to the security infrastructure of nearly
every organization.[1]
IDPSes typically record information related to
observed events, notify security administrators
of important observed events, and produce
reports. Many IDPSes can also respond to a
detected threat by attempting to prevent it from
succeeding. They use several response
techniques, which involve the IDPS stopping the
attack itself, changing the security environment
(e.g. reconfiguring a firewall), or changing the
attack's content.[1]
II. TYPES OF IDS
For the purpose of dealing with IT, there are
three main types of IDS:
1. Network intrusion detection
system (NIDS)
A NIDS is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts; it was developed in 1986 by Pete R. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort.
2. Host-based intrusion detection
system (HIDS)
It consists of an agent on a host that identifies
intrusions by analyzing system calls, application
logs, file-system modifications (binaries,
password files, capability databases, Access
control lists, etc.) and other host activities and
state. In a HIDS, sensors usually consist of
a software agent. Some application-based IDS
are also part of this category. Examples of HIDS
are Tripwire and OSSEC.
3. Stack-based intrusion detection
system (SIDS)
This type of system is an evolution of the HIDS. Packets are examined as they pass through the TCP/IP stack, so the system does not need to operate the network interface in promiscuous mode. This makes its implementation dependent on the operating system in use. Intrusion detection systems can also be system-specific, using custom tools and honeypots.
Privacy Schemes
A number of privacy schemes [1, 3–7] have been proposed for WSNs; they are discussed below. The phantom routing scheme [3] helps to hide the location of a source from the attacker. In this scheme, each message reaches the destination in two phases: 1) a walking phase, in which the message is unicast in a random fashion for the first h_walk hops; 2) after that, the message is flooded using the baseline flooding technique. The major advantage of this scheme is source location privacy protection, which improves as the network size and intensity increase because of high path diversity. On the other hand, if the network size increases, the flooding phase will consume more energy. This scheme does not provide identity privacy. Also, it is unable to provide data secrecy in the presence of identity privacy.
P. Kamat et al. [4] proposed a phantom single-
path routing scheme that works in a similar
fashion as the original phantom routing scheme
[3]. The major difference between these two
schemes is that after the walking phase, a packet
will be forwarded to the destination via a single
path routing strategy such as the shortest path
routing mechanism. This scheme consumes less energy and requires slightly more memory than the first one. It also does not provide identity privacy, and it is unable to provide data secrecy in the presence of identity privacy.
S. Misra and G. Xue [5] proposed two schemes:
Simple Anonymity Scheme (SAS) and
Cryptographic Anonymity Scheme (CAS) for
establishing anonymity in clustered WSNs. The SAS scheme uses dynamic pseudonyms instead of the true identity during communications. Each sensor node needs to store a given range of non-contiguous pseudonyms, so the SAS scheme is not memory efficient. The CAS scheme, on the other hand, uses keyed hash functions to generate pseudonyms; it is memory efficient compared to SAS but requires more computation power. The authors do not propose any routing scheme, so a sender node may always send packets to the destination via the shortest path. In that case, an adversary capable of hop-by-hop trace back (with the help of direction information) can find out the location of the source node.
Y. Xi et al. [1] proposed a Greedy Random
Walk (GROW) scheme to protect the location of
the source node. This scheme works in two phases. In the first phase, the sink node sets up a path through a random walk, with one node acting as a receptor. The source node then forwards packets towards the receptor in a random-walk manner. Once a packet reaches the receptor, the receptor forwards it to the sink.
III. Wireless Sensor Networks
(WSNs)
Network level privacy has often been
categorized into four categories:
1. Sender node identity privacy: no intermediate
node can get any information about who is
sending the packets except the source, its
immediate neighbors and the destination,
2. Sender node location privacy: no intermediate
node can have any information about the
location (in terms of physical distance or number
of hops) about the sender node except the
source, its immediate neighbors and the
destination,
3. Route privacy: no node can predict the
information about the complete path (from
source to destination). Also, a mobile adversary
gets no clue to trace back the source node either
from the contents and/or directional information of the captured packet(s),
4. Data packet privacy: no node can see the information inside the payload of the data packet except the source and the destination.
Existing privacy schemes such as [1, 3–7], which have been proposed specifically for WSNs, provide only partial network level privacy. Providing full network level privacy is a critical and challenging issue due to the constraints imposed by the sensor nodes (e.g., energy, memory and computation power), the sensor network (e.g., mobility and topology) and QoS issues (e.g., packet reachability and trustworthiness). Thus, an energy-efficient privacy solution is needed to address these issues.
In order to achieve this goal, we incorporate basic design features from related research fields such as geographic routing and cryptographic systems. To our knowledge, we propose the first full network level privacy solution for WSNs. Our contribution lies in the following features:
• A new Identity, Route and Location (IRL) privacy algorithm is proposed that ensures the anonymity of the source node's identity and location. It also assures that packets will reach their destination by passing through only trusted intermediate nodes.
• A new reliable Identity, Route and Location (r-IRL) privacy algorithm is proposed, which is an extension of our proposed IRL algorithm. This algorithm has the ability to forward packets over multiple secure paths to increase packet reachability.
Fig.1. Three sample cycle detection and
prevention scenarios.
A. Network Model
A wireless sensor network (WSN) is composed of a large number of small, resource-limited sensor nodes densely deployed in an environment. Whenever end users require information about an event related to some object(s), they send a query to the sensor network via the base station, and the base station propagates that query to the entire network or to a specific region of it. In response, sensor nodes send the required information back to the base station. A typical wireless sensor network scenario is shown in Figure 1. Links are bidirectional. Also, sensor nodes use the IEEE 802.11 standard link layer protocol, which keeps packets in its cache until the sender receives an acknowledgment (ACK). Whenever a receiver (next hop) node successfully receives a packet, it sends an ACK packet back to the sender. If the sender node does not receive an ACK within a predefined threshold time, it retransmits the packet. For reasons of scalability, it is assumed that no sensor node needs to know the global network topology, except that it must know the geographical location of itself, its neighboring nodes and the base station. [16]
This paper focuses only on the development of a prevention strategy against network level privacy disclosure attacks, such as eavesdropping, traffic analysis and hop-by-hop trace back attacks. Other general attacks, such as flooding attacks, could be detected and prevented by using any IDS scheme proposed for WSNs.
B. Identity, Route, and Location Privacy
(IRL)
Our proposed identity, route and location privacy scheme works in two phases. The first is the neighbor node state initialization phase, and the second is the routing phase.
Route Privacy: In the initialization phase, let node i have m neighboring nodes, of which t nodes are trusted. So $0 \le t \le m$ and
$$M(t) = M(t_F) \cup M(t_{Br}) \cup M(t_{Bl}) \cup M(t_{Bm}).$$
Here $M(t_F)$, $M(t_{Br})$, $M(t_{Bl})$ and $M(t_{Bm})$ represent the sets of trusted nodes that are in the forward, right backward, left backward, and middle backward
directions, respectively. These neighbor sets ($M(t_F)$, $M(t_{Br})$, $M(t_{Bl})$ and $M(t_{Bm})$) are initialized and updated whenever a change occurs in the neighborhood, for example the entrance of a new node or a change of a trust value.
Whenever a node needs to forward a packet, the routing phase of the IRL algorithm (Algorithm 1 for a source node and Algorithm 2 for an intermediate node) is called.
Whenever a source node (Algorithm 1) wants to forward a packet, it first checks the availability of trusted neighboring nodes in its forward direction set $M(t_F)$ (Line 2). If trusted nodes exist, it randomly selects one of them as the next hop (Line 3) from the set $M(t_F)$ and forwards the packet towards it (Lines 13–21). If there is no trusted node in its forward direction, the source node checks the availability of a trusted node in the right ($M(t_{Br})$) and left ($M(t_{Bl})$) backward sets. If trusted nodes are available there, the source node randomly selects one of them as the next hop (Line 6) and forwards the packet towards it (Lines 13–21). If no trusted node exists in these sets either, the source node randomly selects (Line 8) one trusted node from the backward middle set ($M(t_{Bm})$) and forwards the packet towards it (Lines 13–21). If there are no trusted nodes available in any of the sets, the packet is dropped (Lines 9–10).
Algorithm 1 IRL - Routing at Source Node.
1: prevhop ← ∅; nexthop ← ∅;
2: if M(t_F) ≠ ∅ then
3:   nexthop(k) = Rand(M(t_F));
4: else
5:   if M(t_Br) ∪ M(t_Bl) ≠ ∅ then
6:     nexthop(k) = Rand(M(t_Br) ∪ M(t_Bl));
7:   else if M(t_Bm) ≠ ∅ then
8:     nexthop(k) = Rand(M(t_Bm));
9:   else
10:    Drop packet and Exit;
11:  end if
12: end if
13: Set prevhop = myid;
14: Form pkt p = {prevhop; nexthop; seqID; payload};
15: Create Signature and save in buffer;
16: Forward packet to nexthop;
17: Set timer Δt = (D / d_nexthop) × pt;
18: while timer Δt has not expired do
19:   Signature remains in buffer;
20: end while
21: Signature removed from buffer;
This routing strategy may result in the creation of a cycle (loop). However, due to the randomness in the selection of the next hop and the presence of the four different direction sets, the probability of creating a cycle is very low. Nevertheless, in order to fully avoid cycles, each node (prior to forwarding a packet) saves the signature of the packet in its buffer for a time δt, that is
$$\delta t = 2\left(\frac{D}{d} \times p_t\right),$$
where D is the distance between the forwarding node and the base station, d is the distance between the forwarding node and the next hop, and $p_t$ is the propagation transfer time between the forwarding node and the next hop. This signature consists of two fields: (1) the sequence number of the packet, and (2) the payload. The ability of the signature to compare and identify the same packet is detailed in a later section. Corresponding to this signature, three more fields are also stored in the buffer: (1) the previous hop identity, (2) the next hop identity to which the packet was forwarded, and (3) a counter that tells how many times the same packet has been received by the node. This information is later used to get rid of any cycle. The size of the buffer depends mainly on the network traffic conditions. However, it is expected to be small because sensor nodes send data either at periodic intervals or upon the occurrence of some event.
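As an added illustration (not code from the paper), the following Python sketch implements the next-hop selection of Algorithm 1 over the four trusted-neighbour sets together with the signature buffer and δt hold time described above; node ids, distances and the per-hop time are constructed values, and the action taken once a cycle is detected (the paper's Algorithm 2, not shown here) is left to the caller.

```python
import random

class IRLNode:
    """One sensor node running the IRL routing phase (Algorithm 1 style).
    Constructed example: the direction sets hold the ids of trusted
    neighbours only, as produced by the initialization phase. Distances
    and propagation time are abstract units (an assumption, not the paper's)."""

    def __init__(self, myid, dist_to_base, forward=(), back_right=(),
                 back_left=(), back_middle=(), pt=1.0, seed=0):
        self.myid = myid
        self.D = dist_to_base            # D: distance to the base station
        self.M_F = list(forward)         # M(t_F)
        self.M_Br = list(back_right)     # M(t_Br)
        self.M_Bl = list(back_left)      # M(t_Bl)
        self.M_Bm = list(back_middle)    # M(t_Bm)
        self.pt = pt                     # per-hop propagation transfer time
        self.rng = random.Random(seed)   # seeded so the example is repeatable
        self.buffer = {}                 # signature -> prev, next, counter, expiry
        self.seq = 0

    def select_next_hop(self):
        """Algorithm 1, lines 2-12: forward set first, then the right/left
        backward sets, then the middle backward set; None means drop."""
        if self.M_F:
            return self.rng.choice(self.M_F)
        side = self.M_Br + self.M_Bl
        if side:
            return self.rng.choice(side)
        if self.M_Bm:
            return self.rng.choice(self.M_Bm)
        return None

    def hold_time(self, d_nexthop):
        """delta t = 2 (D / d) pt: twice the estimated end-to-end travel
        time, so a looping copy is still recognisable when it comes back."""
        return 2 * (self.D / d_nexthop) * self.pt

    def _expire(self, now):
        self.buffer = {s: e for s, e in self.buffer.items() if e["expires"] > now}

    def _remember(self, sig, prevhop, nexthop, d_nexthop, now):
        self.buffer[sig] = {"prev": prevhop, "next": nexthop, "count": 1,
                            "expires": now + self.hold_time(d_nexthop)}

    def send(self, payload, dist, now):
        """Source node (Algorithm 1 lines 13-21): build the packet, buffer its
        signature and return the packet, or None if it had to be dropped."""
        nexthop = self.select_next_hop()
        if nexthop is None:
            return None
        self.seq += 1
        pkt = {"prevhop": self.myid, "nexthop": nexthop,
               "seqID": self.seq, "payload": payload}
        self._remember((self.seq, payload), None, nexthop, dist[nexthop], now)
        return pkt

    def receive(self, pkt, dist, now):
        """Intermediate node: the signature (seqID, payload) identifies a
        packet already seen here within delta t, i.e. a cycle; only the
        counter is reported, the reaction belongs to Algorithm 2.
        Returns ("cycle", count), ("drop", None) or ("forward", packet)."""
        self._expire(now)
        sig = (pkt["seqID"], pkt["payload"])
        if sig in self.buffer:
            self.buffer[sig]["count"] += 1
            return ("cycle", self.buffer[sig]["count"])
        nexthop = self.select_next_hop()
        if nexthop is None:
            return ("drop", None)
        self._remember(sig, pkt["prevhop"], nexthop, dist[nexthop], now)
        return ("forward", dict(pkt, prevhop=self.myid, nexthop=nexthop))
```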
IV. CORRELATION PROCESS
The main objective of the correlation process is
to produce a succinct overview of security-
related activity on the network. This process
consists of a collection of components
that transform intrusion detection sensor alerts
into intrusion reports. Because alerts can refer to
different kinds of attacks at different levels of
granularity, the correlation process cannot treat
all alerts equally. Instead, it is necessary to
provide a set of components that focus on
different aspects of the overall correlation task.
The integrated correlation process that we implemented can be represented graphically as a chain of components. The first two tasks are performed on all alerts. In the initial phase, a normalization component translates every alert that is received into a standardized format that is understood by all correlation components. This is necessary because alerts from different sensors can be encoded in different formats.
Next, a preprocessing component augments the normalized alerts so that all required alert attributes (such as start-time, end-time, source, and target of the attack) are assigned meaningful values. The next four correlation components of our framework all operate on single, or closely related, events. The fusion component is responsible for combining alerts that represent the independent detection of the same attack instance by different intrusion detection systems. The task of the verification component is to take a single alert and determine the success of the attack that corresponds to this alert. The idea is that alerts that correspond to failed attacks should be appropriately tagged and their influence on the correlation process should be decreased. The task of the thread reconstruction component is to combine a series of alerts that refer to attacks launched by a single attacker against a single target. The attack session reconstruction component associates network-based alerts with host-based alerts that are related to the same attack. The next two components in our framework operate on alerts that involve a potentially large number of different hosts. The focus recognition component has the task of identifying hosts that are either the source or the target of a substantial number of attacks. This is used to identify denial-of-service (DoS) attacks or port scanning attempts. The multistep correlation component has the task of identifying common attack patterns such as island-hopping attacks.
These patterns are composed of a sequence of
individual attacks, which can occur at different
points in the network.
The final components of the correlation process
contextualize the alerts with respect to a specific
target network. The impact analysis component
determines the impact of the detected attacks on
the operation of the network being monitored
and on the assets that are targeted by the
malicious activity. Based on this analysis, the
prioritization component assigns an appropriate
priority to every alert. This priority information
is important for quickly discarding information
that is irrelevant or of less importance to a
particular site.
Alerts that are correlated by one component of
our framework are used as input by the next
component. However, it is not necessary that all
alerts pass through the same components
sequentially. Some components can operate in
parallel, and it is even possible that alerts output
by a sequence of components are fed back as
input to a previous component of the process.
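To make the component chain concrete, here is an added Python example (not the framework's own code) that runs constructed alerts from two assumed sensor formats through normalization, preprocessing, fusion, thread reconstruction and focus recognition; the sensor names, field names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample alerts in two assumed native formats (not real sensor output):
# a snort-like record and a second NIDS ("nids2") with differently named fields.
RAW_ALERTS = [
    ("snort", {"ts": 100, "sig": "cgi overflow", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20"}),
    ("nids2", {"start": 101, "end": None, "class": "cgi overflow",
               "attacker": "10.0.0.5", "victim": "10.0.0.20"}),
    ("snort", {"ts": 200, "sig": "backdoor shell", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20"}),
    ("snort", {"ts": 300, "sig": "probe", "src_ip": "10.0.0.9", "dst_ip": "10.0.0.21"}),
    ("snort", {"ts": 301, "sig": "probe", "src_ip": "10.0.0.9", "dst_ip": "10.0.0.22"}),
    ("snort", {"ts": 302, "sig": "probe", "src_ip": "10.0.0.9", "dst_ip": "10.0.0.23"}),
]

def normalize(sensor, raw):
    """Normalization: map each sensor's native fields onto one common schema."""
    if sensor == "snort":
        return {"sensor": sensor, "name": raw["sig"], "start": raw["ts"], "end": raw["ts"],
                "source": raw["src_ip"], "target": raw["dst_ip"]}
    if sensor == "nids2":
        return {"sensor": sensor, "name": raw["class"], "start": raw["start"], "end": raw["end"],
                "source": raw["attacker"], "victim": None, "target": raw["victim"]}
    raise ValueError("unknown sensor " + sensor)

def preprocess(alert):
    """Preprocessing: every required attribute gets a meaningful value."""
    if alert["end"] is None:
        alert["end"] = alert["start"]
    return alert

def fuse(alerts, window=5):
    """Fusion: alerts naming the same attack instance (same name, source and
    target, starting within `window`) from different sensors become one alert."""
    fused = []
    for a in sorted(alerts, key=lambda x: x["start"]):
        for f in fused:
            same = (f["name"], f["source"], f["target"]) == (a["name"], a["source"], a["target"])
            if same and a["start"] - f["start"] <= window and a["sensor"] not in f["sensors"]:
                f["sensors"].append(a["sensor"])
                f["end"] = max(f["end"], a["end"])
                break
        else:
            fused.append(dict(a, sensors=[a["sensor"]]))
    return fused

def reconstruct_threads(alerts):
    """Thread reconstruction: a series of attacks by one attacker on one target."""
    threads = defaultdict(list)
    for a in alerts:
        threads[(a["source"], a["target"])].append(a["name"])
    return {k: v for k, v in threads.items() if len(v) > 1}

def focus_recognition(alerts, threshold=3):
    """Focus recognition: one source hitting many targets looks like scanning,
    one target hit by many sources looks like DoS."""
    targets_by_src, sources_by_dst = defaultdict(set), defaultdict(set)
    for a in alerts:
        targets_by_src[a["source"]].add(a["target"])
        sources_by_dst[a["target"]].add(a["source"])
    return {"scanners": sorted(s for s, t in targets_by_src.items() if len(t) >= threshold),
            "dos_targets": sorted(d for s in [sources_by_dst] for d, v in s.items() if len(v) >= threshold)}

def correlate(raw_alerts):
    """Run the components in sequence; the output of one feeds the next."""
    normalized = [preprocess(normalize(s, r)) for s, r in raw_alerts]
    fused = fuse(normalized)
    return {"alerts": fused, "threads": reconstruct_threads(fused),
            "focus": focus_recognition(fused)}
```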
ACARM-ng (Alert Correlation, Assessment and Reaction Module - next generation) is an open source IDS/IPS system. It is alert correlation software that can significantly facilitate analysis of traffic in computer networks. It is responsible for the collection and correlation of alerts sent by network and host sensors, also referred to as NIDS and HIDS respectively. The correlation process aims to reduce the total number of messages that need to be viewed by a system administrator to as few as possible by merging similar events into groups representing logical pieces of malicious activity.
Architecture
ACARM-ng consists of 3 main elements: the correlation daemon, the WUI and (optionally) a database engine.
ACARM-ng's daemon has been designed from scratch as a framework solution. It provides core system functionalities, like logging, alerts and
correlated meta-alerts passing between system parts, error recovery, multi-threading, etc. The rest of the package consists of plug-ins, separated into the following classes:
• persistency (data abstraction)
• input (data gathering)
• filter (data correlation and modification)
• trigger (automatic reporting and reaction)
A built-in software watchdog provides up-to-date information on system status.
The WUI makes browsing of correlated data easy via graphical and tabular representation of gathered and correlated events. The system administrator can easily see what is going on at every moment of the system's lifetime. (Figures: an alert time series plot showing the number of incoming messages during a given time period, and the alert page showing a sample alert.)
The WUI and the daemon interoperate through a database. The daemon stores gathered data along with the correlation results and its runtime configuration. The WUI is entitled to read and display this data.
Notice that even though a database engine is not required for running the daemon, it is strongly recommended in order to save data persistently. Declining to use a database makes it impossible to obtain system information via the WUI and leads to a loss of historical data when the system is restarted. Events that are no longer processed by the daemon are discarded as well.
V. CONCLUSION
Previous privacy schemes provide only limited features; we now provide solutions for them by considering memory, sensor network and QoS issues. We described a multi-component correlation process and a framework that performs the correlation analysis, with the most complete set of components in the correlation process. In this paper we therefore proposed the first full network level privacy solution, composed of two new identity, route and location privacy algorithms and a data privacy mechanism. Our solutions provide additional trustworthiness and reliability at a modest cost of energy and memory.
REFERENCES
1. Xi, Y.; Schwiebert, L.; Shi, W. Preserving Source Location Privacy in Monitoring-Based Wireless Sensor Networks. In Proceedings of the Parallel and Distributed Processing Symposium (IPDPS 2006), Rhodes Island, Greece, 2006.
2. Habitat monitoring on Great Duck Island (Maine, USA), 2002. Available online: http://ucberkeley.citris-uc.org/research/projects/great duck island (accessed on 21 August 2009).
3. Ozturk, C.; Zhang, Y.; Trappe, W. Source-Location Privacy in Energy-Constrained Sensor Network Routing. In Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, Washington, DC, USA, 2004; pp. 88–93.
4. Kamat, P.; Zhang, Y.; Trappe, W.; Ozturk, C. Enhancing Source-Location Privacy in Sensor Network Routing. In Proceedings of the 25th IEEE International Conference on Distributed Computing Systems, Columbus, OH, USA, 2005; pp. 599–608.
5. Valeur, F.; Vigna, G.; Kruegel, C.; Kemmerer, R.A. A Comprehensive Approach to Intrusion Detection Alert Correlation.
6. Wood, A.D.; Fang, L.; Stankovic, J.A.; He, T. SIGF: A Family of Configurable, Secure Routing Protocols for Wireless Sensor Networks. In Proceedings of the 4th ACM Workshop on Security of Ad Hoc and Sensor Networks, Alexandria, VA, USA, 2006; pp. 35–48.
7. Ouyang, Y.; Le, Z.; Chen, G.; Ford, J.; Makedon, F. Entrapping Adversaries for Source Protection in Sensor Networks. In Proceedings of the 2006 International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM'06), Niagara Falls, Buffalo, NY, USA, 2006; pp. 23–34.
8. Zorzi, M.; Rao, R.R. Geographic Random Forwarding (GeRaF) for Ad Hoc and Sensor Networks: Multihop Performance. IEEE Trans. Mob. Comput. 2003, 2, 337–348.
9. Zorzi, M.; Rao, R.R. Geographic Random Forwarding (GeRaF) for Ad Hoc and Sensor Networks: Energy and Latency Performance. IEEE Trans. Mob. Comput. 2003, 2, 349–365.
10. Capone, A.; Pizziniaco, L.; Filippini, I.; de la Fuente, M.G. SiFT: An Efficient Method for Trajectory Based Forwarding. In Proceedings of the International Symposium on Wireless Communication Systems, Siena, Italy, 2005; pp. 135–139.
12. Blum, B.; He, T.; Son, S.; Stankovic, J. IGF: A State-Free Robust Communication Protocol for Wireless Sensor Networks; Technical Report CS-2003-11; Department of Computer Science, University of Virginia, USA, 2003.
13. Ryu, J.; Kim, S.G.; Choi, H.H.; An, S.S.; Ahn, S.Y.; Kim, B.J. Method and System for Locating Sensor Node in Sensor Network Using Transmit Power Control. U.S. Patent Application 2009/0128298 A1, 2009.
14. Barbeau, M.; Kranakis, E.; Krizanc, D.; Morin, P. Improving Distance Based Geographic Location Techniques in Sensor Networks. In Proceedings of the 3rd International Conference on Ad Hoc Networks and Wireless, Vancouver, British Columbia, 2004; pp. 197–210.
15. Shaikh, R.A.; Jameel, H.; d'Auriol, B.J.; Lee, H.; Lee, S.; Song, Y.-J. Achieving Network Level Privacy in Wireless Sensor Networks. Karlof, C.; Sastry, N.; Wagner, D. TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. In Proceedings of the 2nd International Conference on Embedded Networked.
16. Valeur, F.; Vigna, G.; Kruegel, C.; Kemmerer, R.A. A Comprehensive Approach to Intrusion Detection Alert Correlation. IEEE Transactions.