Abstract

In recent years, intrusion detection has been the focus of security research for Wireless Sensor Networks (WSN). Some approaches and mechanisms have been designed for WSN, but none of them has been widely applied. In this paper, a scheme based on sensor node clustering and a statistical model for WSN is presented. First, the sensor nodes are divided into several clusters using the k-means algorithm; then an anomaly detection algorithm based on a statistical model is applied to the different clusters. Experiments show that the scheme decreases the false alarm rate and increases the detection rate in comparison with existing intrusion detection approaches.

Introduction

Wireless Sensor Networks (WSN) have become a focus of international research. A WSN consists of a large number of tiny sensor nodes [1]. Each sensor node can perform sensing, data processing and communication. WSN has been used in a variety of domains, such as military, environmental monitoring and traffic management. As research has deepened, network security has become a key issue for WSN [2]. In general, sensor nodes are deployed in unattended environments and communicate with each other using wireless signals. The limited capacity of sensor nodes, such as limited processing capacity, memory and battery lifetime, further increases the insecurity of WSN. Many kinds of attacks against WSN have been identified, for example bogus routing, sensed data attack, selective forwarding attack, sinkhole attack, wormhole attack, black hole attack and hello flood attack. At present, security research for WSN focuses on key management, secure routing protocols, intrusion detection, authentication technology, etc. Intrusion detection technology, as a proactive defence method, is relatively mature in traditional networks.
But the intrusion detection system (IDS) for traditional networks cannot be used directly in WSN, since WSN has the following features: limited energy supply, limited communication capacity, limited computing capacity of sensor nodes, a large number of sensor nodes and wide distribution. Therefore, the purpose of this paper is to propose an intrusion detection method for WSN.

Related research

Intrusion detection techniques for WSN fall into two categories: misuse detection and anomaly detection [3]. Misuse detection detects intrusion behavior by comparing suspicious characteristics with known attack signatures stored in a database. Since the storage capacity of sensor nodes is limited and WSN data management systems are immature, it is difficult to establish a complete feature database. Anomaly detection first establishes profiles of normal system state and user behavior. These data are then compared with current activities; an obvious deviation implies that abnormal behavior has occurred. How to distinguish between abnormal and normal behavior in WSN is a great challenge. Several schemes based on intrusion detection technology have been proposed for WSN in recent years. Cao et al. [4] presented a simple and efficient traffic prediction model for WSN. The deviation between real traffic and forecast traffic is used to identify anomalous nodes. The disadvantage of this approach is that the intrusion detection rate becomes lower when attack strength is weaker.

International Conference on Advances in Mechanical Engineering and Industrial Informatics (AMEII 2015). © 2015. The authors. Published by Atlantis Press.

Phuong et al. [5] presented a scheme that uses CUSUM to detect anomalies. The CUSUM values of the number of incoming packets and the number of outgoing packets are computed and compared with thresholds to detect an anomaly. But this scheme has not been evaluated for WSN.
Rajasegarar et al. [6] presented a distributed anomaly detection approach based on a one-class quarter-sphere SVM for WSN. But this method has higher computational complexity. Ho et al. [7] presented a detection method based on sequential probability. The threshold is computed from the time during which sensor nodes do not communicate with the surrounding nodes. This scheme can detect dynamic attack nodes, but it is not applicable to static attack nodes. In this paper, a detection approach based on sensor node clustering and a statistical model is proposed. The sensor nodes are divided into several clusters using the k-means algorithm. An anomaly detection algorithm based on a statistical model is then applied to the different clusters.

The design of intrusion detection approach

K-means clustering algorithm. The central idea of the K-means clustering algorithm is that the data objects are divided into k different clusters by iteration, so as to minimize the objective function and make each cluster as compact and independent as possible. The K-means algorithm is described in Fig. 1.

Fig. 1: K-means clustering algorithm [flowchart; only its first steps survive in this extract: Start, randomly select K cluster heads]

The cluster number k can be determined based on regional division and the LEACH clustering protocol:

$$k = \sqrt{\frac{N}{2\pi}}\,\sqrt{\frac{\varepsilon_{fs}}{\varepsilon_{mp}}}\,\frac{L}{d^{2}} \qquad (1)$$
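
The cluster-then-detect idea described above, as an added example that is not code from the paper: nodes are grouped by position with k-means, then each node's packet rate is checked against a baseline built from the other nodes in its own cluster, and the result is compared with a single network-wide baseline. The leave-one-out z-score test, the fixed (rather than random) initial cluster heads, the function names and all sample values are assumptions made for this illustration; the paper's own statistical model is not shown in this extract.

```python
import math
import statistics

def kmeans(points, heads, rounds=20):
    """Assign each point to its nearest head, move heads to member means, repeat."""
    heads = [tuple(map(float, h)) for h in heads]
    for _ in range(rounds):
        labels = [min(range(len(heads)), key=lambda c: math.dist(p, heads[c]))
                  for p in points]
        moved = []
        for c, old in enumerate(heads):
            members = [p for p, lab in zip(points, labels) if lab == c]
            moved.append(tuple(map(statistics.fmean, zip(*members))) if members else old)
        if moved == heads:  # assignments are stable, so clustering has converged
            break
        heads = moved
    return labels

def loo_outliers(group, z=3.0):
    """Flag (node_id, rate) entries more than z std devs from the mean of their peers."""
    flagged = set()
    for node_id, rate in group:
        others = [r for i, r in group if i != node_id]
        if len(others) < 2:
            continue  # too few peers to form a baseline
        mu, sd = statistics.fmean(others), statistics.pstdev(others)
        if sd > 0 and abs(rate - mu) > z * sd:
            flagged.add(node_id)
    return flagged

def detect(nodes, heads, z=3.0):
    """Return (flags from one network-wide baseline, flags from per-cluster baselines)."""
    labels = kmeans([pos for _, pos, _ in nodes], heads)
    per_cluster = set()
    for c in set(labels):
        members = [(i, r) for (i, _, r), lab in zip(nodes, labels) if lab == c]
        per_cluster |= loo_outliers(members, z)
    return loo_outliers([(i, r) for i, _, r in nodes], z), per_cluster

# Constructed sample: region A relays heavy traffic, region B is quiet except B8.
A = [(8, 12), (12, 9), (10, 14), (14, 11), (9, 7), (13, 15), (11, 10), (7, 9)]
B = [(80, 78), (84, 82), (79, 85), (83, 77), (86, 80), (81, 83), (78, 81), (85, 84)]
RATES_A = [98, 102, 101, 99, 100, 103, 97, 100]  # packets per minute
RATES_B = [19, 21, 20, 22, 18, 20, 21, 60]
NODES = [(f"A{n + 1}", p, r) for n, (p, r) in enumerate(zip(A, RATES_A))] + \
        [(f"B{n + 1}", p, r) for n, (p, r) in enumerate(zip(B, RATES_B))]

print(detect(NODES, heads=[A[0], B[-1]]))  # (set(), {'B8'})
```

With one network-wide baseline, B8's rate of 60 sits near the mean of the mixed population and goes unflagged; against its own cluster's baseline it stands out clearly.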
