Convex Quadratic Optimization Approach for Integrating Distributed Intrusion Detection in Wireless Mesh Networks

Guo-Mei Zhu, Geng-Sheng (G.S.) Kuo and Thomas M. Chen

Abstract—As a key technology of next-generation wireless networks, wireless mesh networks (WMNs) have recently attracted attention from both academia and industry. However, because of the relative ease of medium access, the dynamically changing topology, and the lack of a centralized infrastructure, WMNs are vulnerable to various security attacks and difficult to protect. These attacks affect the service availability and connectivity of WMNs and thus severely degrade network performance. Because there is no centralized infrastructure, distributed intrusion detection is necessary to protect WMNs. A generic problem in distributed intrusion detection is how to effectively integrate the local detection information of multiple dispersed nodes. In this paper we propose a convex quadratic optimization approach for integrating the dispersed local detection information; it considerably reduces incorrect judgments compared with majority voting and is much simpler than the Dempster-Shafer combination rule. Even when most observer nodes have low trustworthiness, our approach still works well. We then design an algorithm for computing a node's trustworthiness. Moreover, a feedback scheme is proposed to ensure the reliability of intrusion detection. Finally, simulation results show that our solution can significantly improve the throughput of WMNs.

Index Terms—Convex quadratic optimization approach, Dempster-Shafer, intrusion detection, majority voting, wireless mesh networks.

I. INTRODUCTION

Wireless mesh networks (WMNs) have attracted a surge of research interest in recent years; they are dynamically self-organized and self-configured, with the nodes in the network automatically establishing and maintaining mesh connectivity among themselves. This feature brings many advantages to WMNs, such as low up-front cost, easy network maintenance, robustness, and reliable service coverage [1]. However, for WMNs to meet these expectations, considerable research effort is still needed, and security is regarded as one of the most important and valuable issues.

Guo-Mei Zhu is with Telecommunications Engineering School, Beijing University of Posts and Telecommunications, Beijing, China.

Geng-Sheng (G. S.) Kuo is with National Chengchi University, Taipei, Taiwan. e-mail: [email protected]

Thomas M. Chen is with Institute of Advanced Telecommunications (IAT), Swansea University, Singleton Park, Swansea SA2 8PP, UK.

Similar to mobile ad hoc networks, WMNs are vulnerable to a variety of security threats and attacks because of their distributed architecture, the vulnerability of channels and nodes in the shared wireless medium, and the dynamic change of network topology [1]. The attacks range from passive eavesdropping to active interference; they affect service availability and connectivity and thus severely degrade network performance. Unlike wired networks, WMNs have no perimeter firewalls or gateways, so attacks can come from any direction. To protect a WMN it is necessary to perform intrusion prevention (which answers the question "who may use the wireless medium?"), intrusion detection (which answers "which node is malicious?"), and intrusion exclusion (which removes the malicious nodes from the WMN).

Intrusion prevention mechanisms such as authentication, encryption, and key management have been used in WMNs to stop malicious nodes from joining the network. However, whatever prevention mechanism is used, there are always weak links that someone can exploit to break in. Intrusion detection therefore serves as the second line of defense: once an intrusion is detected, a response mechanism can minimize the damage and launch countermeasures [2], [13]. Since WMNs lack a centralized security infrastructure, intrusion detection should be both distributed and cooperative among the nodes, i.e., each node detects intrusions locally and independently, and neighboring nodes conduct a collaborative investigation. A distributed intrusion detection system (DIDS) consists of multiple intrusion detection systems (IDSs) spread over a large WMN, all of which communicate with one another [16], [17].

Compared with a single-node IDS, a DIDS provides many advantages. One is the ability to detect attack patterns across an entire network whose sites are separated geographically, even by time zones or continents. Another proven advantage is early detection of an Internet worm making its way through a WMN; this information can then be used to identify and clean the infected systems and prevent the worm from spreading further. However, how to effectively combine the local detection information of multiple separated IDSs with differing trustworthiness is still a generic and not well explored problem in distributed and cooperative intrusion detection [3], [15]. Meanwhile, in order to save the limited energy of the nodes in a WMN, the combination algorithm should be simple and of low complexity.

Previous work used the average rule [11], majority voting (the majority-decision rule) [2], and Dempster-Shafer theory (D-S) [3] as the combination algorithm. These suffer from either a high rate of incorrect judgments or high complexity. This paper applies the convex quadratic optimization approach [14] to intrusion detection and designs an algorithm for a node's trustworthiness. Moreover, a feedback scheme is proposed that enhances the reliability of intrusion detection. We compare our solution with majority voting and the D-S combination rule; the results show that our solution is more accurate than majority voting and much simpler than the D-S rule, and simulation results show that it can significantly improve the throughput of WMNs.

The rest of the paper is organized as follows. Section II discusses the related work on intrusion detection. Sections III and IV describe the convex quadratic optimization approach for intrusion detection and the algorithm for node’s trustworthiness, respectively. Section V proposes the feedback scheme. Comparisons with majority voting and D-S rule and simulation results are illustrated in Section VI. Finally, conclusions are made.

II. RELATED WORK

To our knowledge, there is no previously published work on detection of misbehavior specific to WMNs, although many works have focused on intrusion detection in ad hoc networks [2]-[6], [10]-[12], [18]-[22]. Deng and Li [5] described several types of network-layer attacks, such as black hole, denial of service, routing table overflow, impersonation, energy consumption, and information disclosure, and proposed a solution to the black hole problem for the ad hoc on-demand distance vector (AODV) routing protocol. In [2], Zhang and Lee analyzed the importance of intrusion detection and developed a multi-layer IDS architecture that studies abnormalities in the network using anomaly detection. In their architecture, an individual IDS agent is placed in each node, and every node in the network participates in intrusion detection and response.

Marti et al. [4] proposed a watchdog process that identifies misbehaving nodes and a pathrater tool that helps routing protocols avoid those nodes. Nodes monitor their neighbors' packet-forwarding behavior to ensure that packets are actually forwarded. If a watchdog finds that a neighboring node drops more packets than a given threshold, it concludes that the node is misbehaving. However, their work does not distinguish genuine misbehavior from packet loss caused by collisions, collusion, power limitations, and other causes.

Hasswa et al. [12] discussed many of the limitations and weaknesses of the pathrater [4] and presented an intrusion detection and response system called Routeguard. A classification system places each network node into one of five classes: Fresh, Member, Unstable, Suspect, or Malicious. Each class has different incremental and decremental factors based on the node's behavior. However, no justification was given for the chosen values of the incremental and decremental factors.

Unlike those works, ours focuses on the combination algorithm. In the aforementioned papers, the ad hoc network distributes intrusion detection among its nodes because it lacks a centralized security infrastructure, so an efficient algorithm for fusing the local detection information of multiple nodes is important. Chen and Venkataramanan [3] introduced D-S theory [7], [8], [9] into ad hoc networks to estimate the likelihood of an intrusion; they also compared D-S theory with the Bayesian approach and illustrated its application to distributed intrusion detection. However, how to obtain the initial estimates of the nodes' trustworthiness remains an open problem in their work. In our work we present an algorithm to obtain the nodes' trustworthiness and compare our combination algorithm with D-S theory. Moreover, a feedback scheme is proposed in this paper to enhance the reliability of intrusion detection.

III. CONVEX QUADRATIC OPTIMIZATION APPROACH FOR COMBINATION

In this section, we discuss the convex quadratic optimization approach [14] for intrusion detection in WMNs. The main ideas are given as follows:

A. Convex Quadratic Optimization Approach for Information Combination

Fig. 1 shows an example of combining local detection information from multiple nodes. Node s is a suspected node. Suppose K nodes, x_1, x_2, …, x_K, act as observers. Each observer x_k has a trustworthiness P(X_k), k = 1, 2, …, K (how P(X_k) is obtained is described in Section IV.B). There is a set of n mutually exclusive and exhaustive propositions, Ω = {a_1, a_2, …, a_n}. For the m subsets of Ω considered by observer x_k, ω_{k1}, ω_{k2}, …, ω_{km}, k = 1, 2, …, K, let their relative likelihoods of occurrence be r_{k1}, r_{k2}, …, r_{km}, with r_{ki} ≥ 0, and let P(ω_{ki}) be the observer's own estimate of the probability that subset ω_{ki} occurred. We have

$$P(\omega_{k1}) : P(\omega_{k2}) : \cdots : P(\omega_{km}) = r_{k1} : r_{k2} : \cdots : r_{km}. \tag{1}$$

Fig. 1. Combination model. K nodes observe and judge the trustworthiness of suspected node s.

Based on its own observation and local data processing, each observer generates detection information, which it sends to the other observer nodes; the detection information given by observer x_k consists of its estimates P(ω_{k1}), …, P(ω_{km}) (equations (2) and (3), which give its explicit form, are not recoverable from this copy). After receiving the information sent by the other observers, each observer combines all of it using the convex quadratic optimization approach and obtains a set of probabilities

$$P(a_1) = p_1,\quad P(a_2) = p_2,\quad \ldots,\quad P(a_n) = p_n \tag{4}$$

for Ω. These probabilities must satisfy

$$\sum_{i=1}^{n} p_i = 1, \qquad p_i \ge 0,\quad i = 1, 2, \ldots, n. \tag{5}$$

The basic idea of the convex quadratic optimization approach is to first set up an objective function for each observer's local detection information and then minimize a weighted sum of all the objective functions subject to the probability constraint (5). For observer x_k's local detection information, the objective function C_k(P) measures the discrepancy between the combined probabilities of the subsets ω_{ki} and the observer's own estimates; clearly, it is zero when there is no discrepancy. The factors b_{kr}^2 and [P(ω_{k·})]^2 in it reflect the importance of the local detection information (equations (6) and (7) are not recoverable from this copy). The objective function simplifies to a convex quadratic function C_k(P) of the variables P = {p_1, p_2, …, p_n} (8).

Therefore the combination problem can be formulated as the convex quadratic programming problem

$$\min_{P}\; C(P) = \sum_{k=1}^{K} \alpha_{x_k}\, C_k(P) \quad \text{subject to (5)}, \tag{9}$$

where the weighting factor α_{x_k} reflects the trustworthiness of observer x_k (its definition, equation (10), is not recoverable from this copy).

B. Convex Quadratic Optimization Approach Applied to Distributed Intrusion Detection

In the situation of intrusion detection there are only two propositions in the sample space Ω of a suspected node s, i.e., Ω = {a_1, a_2}, with

a_1 = node s is a normal node;

a_2 = node s is a malicious node.

Therefore the number of subsets, m, equals 2 and, for each observer x_k, ω_{k1} = a_1 and ω_{k2} = a_2. Based on (11) and (14), the objective function in (8) simplifies accordingly, and the convex quadratic programming problem (9) becomes

$$\min_{p_1,\, p_2}\; C(P) \quad \text{subject to } p_1 + p_2 = 1,\; p_1 \ge 0,\; p_2 \ge 0$$

(the simplified objective, equations (10)–(15), is not recoverable from this copy). This problem is solved very simply and efficiently by a single closed-form equation set, (16), which yields p_1 and p_2 directly without iteration. Based on p_i, node s either keeps staying in the current network or is excluded from it. The decision rule is:

If p_1 > p_2, node s keeps staying in the current network.

If p_1 ≤ p_2, node s is excluded from the network.

Consider the example shown in Fig. 1 and assume there are only two observer nodes, x_1 and x_2. If node x_1 is trustworthy with probability 0.8 and claims that node s is trustworthy, its local detection information is its pair of estimates P(ω_{11}) and P(ω_{12}) for the two propositions. After collecting the information from node x_1, node x_2 gives its own detection information about node s. Assume node x_2 is trustworthy with probability 0.4 and claims that the suspected node s is untrustworthy, giving its own pair P(ω_{21}) and P(ω_{22}). (The numerical values of the two pairs are not recoverable from this copy.) The convex quadratic programming problem is

$$\min\; C(P) \quad \text{subject to } p_1 + p_2 = 1,\; p_1 \ge 0,\; p_2 \ge 0.$$

We get p_1 = 0.733 and p_2 = 0.267. Therefore the suspected node s is regarded as a normal node and keeps staying in the current network: the contradicting claim of the less trustworthy observer is outweighed by the more trustworthy one.
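To make the combination concrete, here is an added worked example in Python; it is not code from the paper. Because the objective function and the closed form (16) are not legible in this copy, the example assumes a squared-error objective C_k(P) = Σ_i (p_i − P(ω_{ki}))², weights α_{x_k} = P(X_k)/Σ_j P(X_j), and that an observer with trustworthiness t reports (t, 1−t) when it claims s is normal and (1−t, t) when it claims s is malicious; under these assumptions the 0.8/0.4 case above gives exactly p_1 = 0.733 and p_2 = 0.267. The names `LocalDetection`, `combine`, `decide` and `majority_vote` are the example's own. The block also runs the majority-voting baseline of Section VI.A on a constructed case in which most observers have low trustworthiness, the situation the abstract says the weighted rule handles.

```python
"""Combining local detection information about a suspected node s
(Section III.B) and the majority-voting baseline of Section VI.A.

Constructed example, not the authors' code.  The page's objective function
and the closed form (16) are not legible, so this module ASSUMES:
  * per-observer objective C_k(P) = sum_i (p_i - P(omega_ki))**2, i.e. the
    squared distance between the combined probabilities and observer x_k's
    own estimates;
  * weights alpha_k = P(X_k) / sum_j P(X_j), so that they sum to 1;
  * an observer with trustworthiness t that claims "normal" reports
    (P(omega_k1), P(omega_k2)) = (t, 1 - t); one that claims "malicious"
    reports (1 - t, t).
With these assumptions the page's 0.8 / 0.4 example yields p1 = 0.733 and
p2 = 0.267, matching the page.
"""
from dataclasses import dataclass
from typing import Sequence, Tuple

NORMAL, MALICIOUS = 0, 1          # indices of a_1 and a_2 in Omega = {a_1, a_2}


@dataclass(frozen=True)
class LocalDetection:
    """Detection information that observer x_k sends to the other observers."""
    observer: str
    trust: float          # P(X_k), the observer's own trustworthiness in [0, 1]
    claims_normal: bool   # the observer's binary verdict about node s

    def estimate(self) -> Tuple[float, float]:
        """(P(omega_k1), P(omega_k2)) derived from the claim (assumed mapping)."""
        if not 0.0 <= self.trust <= 1.0:
            raise ValueError(f"{self.observer}: trustworthiness must lie in [0, 1]")
        t = self.trust
        return (t, 1.0 - t) if self.claims_normal else (1.0 - t, t)


def combine(detections: Sequence[LocalDetection]) -> Tuple[float, float]:
    """Solve  min_P sum_k alpha_k * C_k(P)  s.t.  p_1 + p_2 = 1, p_i >= 0.

    For the assumed squared-error C_k the unconstrained minimiser is the
    alpha-weighted mean of the observers' estimates.  Every estimate is a
    probability distribution and the alphas sum to 1, so that mean already
    lies on the simplex: the constrained optimum is the same closed form and
    costs one pass over the K observers.
    """
    if not detections:
        raise ValueError("no local detection information to combine")
    total_trust = sum(d.trust for d in detections)
    if total_trust <= 0.0:
        raise ValueError("every observer has zero trustworthiness; no weights")
    p = [0.0, 0.0]
    for d in detections:
        alpha = d.trust / total_trust            # weight alpha_{x_k}
        for i, q in enumerate(d.estimate()):
            p[i] += alpha * q
    return (p[NORMAL], p[MALICIOUS])


def decide(p: Tuple[float, float]) -> str:
    """Decision rule of Section III.B: keep s if p_1 > p_2, otherwise exclude it."""
    return "keep" if p[NORMAL] > p[MALICIOUS] else "exclude"


def majority_vote(detections: Sequence[LocalDetection]) -> str:
    """Section VI.A baseline: follow the majority of the binary claims.

    Trustworthiness is ignored and an even split has no majority, two of the
    three limitations the page lists for majority voting.
    """
    normal = sum(1 for d in detections if d.claims_normal)
    malicious = len(detections) - normal
    if normal == malicious:
        return "no majority"
    return "keep" if normal > malicious else "exclude"


def page_example() -> Tuple[float, float]:
    """The page's two-observer case: x1 (0.8) says normal, x2 (0.4) says malicious."""
    return combine([LocalDetection("x1", 0.8, True),
                    LocalDetection("x2", 0.4, False)])


def low_trust_majority_example() -> Tuple[Tuple[float, float], str, str]:
    """Constructed scenario: four low-trust observers (0.3) accuse s and one
    high-trust observer (0.9) vouches for it.  Majority voting excludes s;
    the weighted combination keeps it."""
    obs = [LocalDetection(f"x{i}", 0.3, False) for i in range(1, 5)]
    obs.append(LocalDetection("x5", 0.9, True))
    p = combine(obs)
    return p, decide(p), majority_vote(obs)


if __name__ == "__main__":
    p = page_example()
    print(f"page example: p1={p[0]:.3f} p2={p[1]:.3f} -> {decide(p)}")
    p, weighted, majority = low_trust_majority_example()
    print(f"low-trust majority: p1={p[0]:.3f} weighted={weighted} majority={majority}")
```

Under the assumed claim-to-estimate mapping, an observer whose trustworthiness is below 0.5 contributes more probability against its own claim than for it; that is what lets one high-trust observer override four low-trust accusers, and it is also the first property to validate against real watchdog data before relying on this rule in a deployment.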

IV. TRUSTWORTHINESS UPDATE

Denial of service (DoS) attacks, which prevent authorized users from gaining access to the network, are a severe security issue in all distributed systems. In this section we describe the DoS attacks and present how a node's trustworthiness P(X_k) is obtained. All the nodes in the network employ the watchdog mechanism [4]: they investigate the activities of their neighbors.

Here, the term neighbor refers to a node in the transmission range of another node.

A. Types of Denial of Service (DoS) Attack

DoS attacks can be classified into the following four types [5], [13]:

Black hole: The misbehaving node asks its neighbors to route packets through it, by replying to route requests falsely or by advertising itself as having the shortest path to the node whose packets it wants to intercept, and then does not forward the packets.

Misdirection: The misbehaving node misroutes packets by providing false routing information or by tampering with packet headers.

Exhaustion: Energy is a critical resource in WMNs because most devices are battery-powered. The misbehaving node can drain its neighbors' energy by asking for unnecessary retransmissions, forwarding useless packets, or requesting routes frequently.

Flooding: Since all the nodes in a WMN share the limited wireless resources, they have to contend for the medium before communicating. The misbehaving node can prevent other nodes from accessing the medium by sending numerous useless messages into the network.

B. Trustworthiness of Each Node

Each node will obtain an initial trustworthiness Tinitial once it joins the network. Then, it can send, receive, and forward packets. All the nodes in the network investigate the activities of their neighbors. Suppose node s is supervised by its neighbors after joining the network. If they find it has misbehaviors described in Section IV.A, they broadcast an alarm to all the nodes in the WMN, and the trustworthiness of node s will be reduced. Each alarm causes a decrement of β. If the node behaves normally at periodic intervals of tinterval, its trustworthiness will be incremented by α. The maximum value of the trustworthiness attained is 1.

More formally, the algorithm for the trustworthiness of node s is as follows. After node s joins the network, its neighboring nodes investigate its behavior; t is the duration of their investigation.

If node s shows no misbehavior during t, its trustworthiness P(S) is

$$P(S) = \min\left\{1,\; T_{initial} + \alpha \left\lfloor \frac{t}{t_{interval}} \right\rfloor\right\},$$

where ⌊·⌋ denotes the greatest integer not exceeding its argument. If node s shows k misbehaviors during t, at times t_{misbehavior_1}, …, t_{misbehavior_k}, its trustworthiness is obtained from the same increments and decrements: the α increments are counted over the intervals t_{interval} of normal behavior delimited by the misbehavior times t_{misbehavior_i}, each of the k misbehaviors costs a decrement of β, and the value is again capped at 1 (the page's closed-form expression for this case is not recoverable from this copy).

Then define the exclusion threshold T_exclusion. If the trustworthiness of a node falls below T_exclusion, the node is excluded from the WMN, which means that no node in the WMN sends packets to it and its neighbors do not forward packets to or from it.

Simply using Texclusion to exclude malicious node from the WMN is not enough. As Hasswa et al. analyzed in [12], a malicious node may protect itself and deceive other nodes by employing a sigmoid behavioral pattern. Therefore, it is necessary to employ a cooperative intrusion detection procedure which works by collecting detection information from distributed observer nodes. In our solution, whenever a node suspects there is an intrusion in the network, it can initiate a cooperative detection among its neighbors. The cooperative detection was illustrated in Section III.B.

V. FEEDBACK SCHEME

As we know, the result of cooperative detection is determined by the local detection information provided by the distributed nodes. Some untrustworthy nodes may therefore protect a "collaborator" or attack an "enemy" by providing deceitful information; in other words, the local detection information an observer node gives may reflect the observer's relationship with the suspected node rather than the suspected node's actual behavior. In this paper we propose a feedback scheme to ensure the reliability of intrusion detection. The feedback scheme can be described as follows:

After cooperative intrusion detection, each observer node's trustworthiness is adjusted according to the result of the cooperative detection and its own local detection information. For example, if node x_1 claims node s is untrustworthy but node s is finally determined to be trustworthy, then node x_1's trustworthiness is decreased by β. Our new intrusion detection architecture with the feedback scheme is illustrated in Fig. 2. After being excluded from the current network, a malicious node may rejoin the network and attack it again. To prevent a malicious node from rejoining, we also apply intrusion detection during the node entry process by which a node joins the WMN. The entry process can be described as follows:

Node s, which plans to join an active WMN, scans for active networks and listens to the messages advertised by active nodes.

Then it sends an Entry Request to the active nodes within its transmission range. The nodes that receive the request check their records about node s and then give their detection information; if there is no record, they give the information directly.

After all these nodes have given their detection information, they calculate p_i using (16).

If p_1 > p_2, node s is accepted into the WMN;

If p_1 ≤ p_2, node s is rejected.

After sending the Entry Request, node s waits for the detection information from the observer nodes and records it. If p_1 ≤ p_2, node s cannot join the network; it waits for a long period of time or moves to another place and resends the Entry Request. If p_1 > p_2, node s joins the network and obtains its initial trustworthiness T_initial. After joining the WMN, node s broadcasts its records of the detection information (i.e., which nodes claimed it is trustworthy and which claimed it is not).

Other nodes receive this message and record it. If a node always rejects nodes that are in fact trustworthy (which can be verified by monitoring a node after it joins the network), it is suspected of misbehaving, and its trustworthiness is decreased by β for each such broadcast.
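The trustworthiness bookkeeping of Section IV.B and the feedback rule of Section V, as an added Python example that is not the authors' code. The page's closed-form expression for k misbehaviors is not legible, so `trust_at` implements the event-driven reading of the prose: each completed t_interval of normal behavior adds α (capped at 1), each alarm subtracts β, and the interval clock restarts at every alarm; trust is additionally clamped at 0. The numeric values of T_initial, α, β, t_interval and T_exclusion in `TrustParams`, and all function names, are assumptions of the example. `apply_feedback` implements the one rule that the post-detection feedback and the entry-process feedback share: a claim contradicted by the final outcome costs its author β.

```python
"""Trustworthiness update (Section IV.B) and feedback (Section V).

Constructed example, not the authors' code.  T_initial, alpha, beta,
t_interval and T_exclusion are the page's symbols; their numeric values
below are assumptions.  The page's closed-form expression for k
misbehaviours is not legible, so trust_at() ASSUMES the event-driven
reading of the prose: every completed interval t_interval of good
behaviour adds alpha (capped at 1), every alarm subtracts beta, and the
interval clock restarts at each alarm.  Trust is clamped to [0, 1].
"""
import math
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class TrustParams:
    t_initial: float = 0.6     # T_initial, assumed value
    alpha: float = 0.05        # increment per good interval, assumed
    beta: float = 0.2          # decrement per alarm / contradicted claim, assumed
    t_interval: float = 10.0   # t_interval (seconds), assumed
    t_exclusion: float = 0.3   # T_exclusion, assumed


def _clamp(x: float) -> float:
    """Keep trust inside [0, 1]; the page states only the upper bound."""
    return max(0.0, min(1.0, x))


def trust_at(params: TrustParams, misbehavior_times: Iterable[float], t: float) -> float:
    """P(S) for node s at time t, with s having joined at time 0.

    misbehavior_times are the t_misbehavior_i of the alarms raised by the
    watchdogs of s's neighbours; only alarms not later than t are counted.
    """
    trust = params.t_initial
    clock = 0.0                       # start of the current run of good behaviour
    for tm in sorted(misbehavior_times):
        if tm > t:
            break
        if tm < clock:
            raise ValueError("misbehaviour times must be non-negative")
        good_intervals = math.floor((tm - clock) / params.t_interval)
        trust = _clamp(trust + params.alpha * good_intervals)   # credit intervals before the alarm
        trust = _clamp(trust - params.beta)                     # the alarm itself
        clock = tm                                              # interval clock restarts
    good_intervals = math.floor((t - clock) / params.t_interval)
    return _clamp(trust + params.alpha * good_intervals)


def is_excluded(params: TrustParams, trust: float) -> bool:
    """Exclusion rule: below T_exclusion nobody sends to s or forwards for it."""
    return trust < params.t_exclusion


def apply_feedback(trust: Dict[str, float], claims: Dict[str, bool],
                   s_is_normal: bool, beta: float) -> Dict[str, float]:
    """Section V feedback: an observer whose claim contradicts the final
    cooperative result loses beta.  The same rule serves the entry process,
    where s broadcasts who rejected it and a rejecter of a node later
    verified as trustworthy is penalised by beta per broadcast."""
    updated = dict(trust)
    for observer, claims_normal in claims.items():
        if claims_normal != s_is_normal:
            updated[observer] = _clamp(updated[observer] - beta)
    return updated


def demo() -> Tuple[float, float, bool, Dict[str, float]]:
    """Constructed run: a clean node, a node with three alarms, and the
    page's two-observer case fed back after s is judged normal."""
    params = TrustParams()
    clean = trust_at(params, [], 35.0)                   # 3 full intervals: 0.75
    noisy = trust_at(params, [12.0, 27.0, 30.0], 50.0)   # ends at 0.2 -> excluded
    feedback = apply_feedback({"x1": 0.8, "x2": 0.4},
                              {"x1": True, "x2": False}, True, params.beta)
    return clean, noisy, is_excluded(params, noisy), feedback


if __name__ == "__main__":
    clean, noisy, excluded, feedback = demo()
    print(f"clean node after 35 s: {clean:.2f}")
    print(f"node with alarms at 12, 27, 30 s, at 50 s: {noisy:.2f} excluded={excluded}")
    print(f"observer trust after feedback: {feedback}")
```

Note what the restarting clock does: the two alarms only three seconds apart at 27 s and 30 s cost 2β with no α credit in between, so a burst of watchdog alarms drives a node below T_exclusion far faster than the same number of alarms spread over many intervals.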

VI. PERFORMANCE ANALYSIS

To evaluate the intrusion detection and the response mechanism presented, we compare our combination rule with majority voting [2] and D-S combination rule [3] in this section.

Moreover, the simulation results show that our solution can significantly improve the performance of WMNs.

A. Comparison with Majority Voting and D-S Combination Rule

Consider the example in Fig. 1 and suppose five nodes, x_1, x_2, …, x_5, act as observers. We can use simple majority voting to combine the local detection information: if at least three observers claim that s is trustworthy (or untrustworthy), the judgment about s follows the majority.

Obviously, majority voting has three limitations. First, the number of observers must be odd, because majority voting gives no answer when half of the observers consider s trustworthy and the other half do not. Second, a correct majority judgment requires a majority of the observers to provide accurate detection information. Third, the detection information offered by each observer is simply 0 or 1, which is too coarse to reflect the degree of the observer's trustworthiness.

Fig. 2. Intrusion detection architecture with feedback scheme.

Although the D-S combination rule removes these limitations, it is complex and takes a long time to compute s's trustworthiness. As shown in [3], the D-S rule combines only two nodes' detection information at a time, so with K observers node s's trustworthiness is obtained after (K-1) iterations of D-S combination and the complexity of the D-S method is O(K). By contrast, with the convex quadratic optimization approach node s's trustworthiness is obtained from (16) in a single step. Since the energy of the nodes in a WMN is limited, a complex algorithm is not acceptable. (Note that the closed form of (16) still visits each of the K observers once, so the saving over D-S lies in the work per observer, which for D-S includes renormalizing over the conflicting mass at every iteration, rather than in the asymptotic order.) Our proposed weighted combination rule is therefore much simpler than the D-S rule. The three rules are compared in detail as follows.

