超过470,000+ 应用技术资源下载


  • 1星
  • 日期: 2015-05-28
  • 大小: 1.49MB
  • 所需积分:1分
  • 下载次数:0
  • favicon收藏
  • rep举报
  • 分享
  • free评论
标签: 入侵检测ARMA


310 JOURNAL OF COMMUNICATIONS AND NETWORKS, VOL. 14, NO. 3, JUNE 2012 Intrusion Detection Scheme Using Traffic Prediction for Wireless Industrial Networks Min Wei and Keecheon Kim Abstract: Detecting intrusion attacks accurately and rapidly in wireless networks is one of the most challenging security problems. Intrusion attacks of various types can be detected by the change in traffic flow that they induce. Wireless industrial networks based on the wireless networks for industrial automationprocess automation (WIA-PA) standard use a superframe to schedule network communications. We propose an intrusion detection system for WIA-PA networks. After modeling and analyzing traffic flow data by time-sequence techniques, we propose a data traffic prediction model based on autoregressive moving average (ARMA) using the time series data. The model can quickly and precisely predict network traffic. We initialized the model with data traffic measurements taken by a 16-channel analyzer. Test results show that our scheme can effectively detect intrusion attacks, improve the overall network performance, and prolong the network lifetime. Index Terms: Industrial wireless, intrusion detection, security, wireless networks for industrial automation-process automation (WIA-PA). I. INTRODUCTION Along with the rapid development of automated control, intelligent computers, communication, and network techniques, the need for wireless connection will increase. This is true even for industrial networks especially when hard-wiring a network to cover an entire area is difficult. This occurs in many factories and plants, and wireless connections are critical in these situations, hence the wireless connection is considered as critical in many factories and plants. Compared with wired network approaches, such as those based on fieldbus technology, the smaller number of cables required in a wireless network significantly reduces the cost and time needed for installation [1]– [3]. Industrial wireless networks are not only designed for the specific requirements of industrial applications, but also for high reliability and low energy consumption. Consequently, the existing wireless communication standards, such as IEEE 802.11, ZigBee, and Bluetooth, cannot be used directly for factory automation systems. Several international organizations are ac- Manuscript received March 22, 2011; approved for publication by Jung-Min (Jerry) Park, Division III Editor, April 9, 2012. This research is supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (2012R1A1A2006002). M. Wei is with the Department of Computer Science and Engineering, Konkuk University, Seoul, Korea and also works with the Key Laboratory of Industrial Internet of Things & Networked Control, Ministry of Education Chongqing University of Posts and Telecommunications, Chongqing, China, email: K. Kim is corresponding author, who is with the Department of Computer Science and Engineering, Konkuk University, Seoul, Korea, email: tively promoting industrial wireless network technology standard. Wireless networks for industrial automation-process automation (WIA-PA) [4] is a wireless networks standard for industrial automation-process automation. It was developed to meet unique requirements of industrial process automation. These requirements include satisfying anti-interference, low power consumption, and a definition of the architecture of wireless network system and the protocol standard. It provides the technological guidance for wireless networks. On Oct. 31, 2008, the WIA-PA specification IEC/PAS 62601 standard file was released to the public. On Sept. 24, 2010, WIA-PA was authorized by all the members of IEC and was released as 65C/596/CDV file. During October 2011, WIA-PA was published as IEC 62601 file. Wireless industrial networks are susceptible to certain types of attacks because they are deployed in open and unprotected environments. Preventive mechanisms can be implemented to protect wireless industrial networks against attacks. However, most of today’s intrusion detection systems (IDSs) focus on wired networks. The differences between WIA-PA networks and wired networks mean that traditional wired technologies are not directly applicable to WIA-PA networks. The WIA-PA standard provides the means to secure wireless systems. However, intrusion detection architectures and schemes have not yet been designed for wireless systems. Any new intrusion detection schemes should satisfy the WIA-PA network restrictions specified in the standard. Our aim is to help develop new mechanisms to protect wireless networks. In a network with high security requirements, it is necessary to use intrusion detection techniques. As the second layer of defense in WIA-PA network protection, WIA-PA IDSs should operate together with prevention mechanisms such as authentication, and encryption to guarantee high security. They should complement and be compatible with other WIA-PA security mechanisms to provide the high-availability network. Compared to conventional computers, wireless industrial network devices have limited resources in terms of battery-power, low energy requirements, low processing and communication capacity, and scarce memory. This means that such a network should be lightweight. However, because detection models rely only on partial and localized information, it is difficult to achieve the desired performance. Data traffic is commonly used in wireless sensor networks (WSNs) studies. Demirkol [5] studied the packet traffic model applied to intrusion detection applications. He defined probabilistic coverage degrees of surveillance area points for a uniformly distributed sensor scenario. The simulation results support the analytical work presented. However, the traffic load is heavily dependent on the application, which can be categorized 1229-2370/12/$10.00 c 2012 KICS MIN AND KIM: INTRUSION DETECTION SCHEME USING TRAFFIC PREDICTION FOR... 311 as either event-driven traffic generators or periodic traffic generators. Most traditional WSNs are based on event-driven traffic generation, and therefore, traffic prediction models cannot be used to detect intrusions accurately. Wireless industrial networks based on the WIA-PA standard use a superframe to schedule network communication, which uses time division multiple access (TDMA) as its access technology. This allows several devices to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, and each transmits in a separate time slot. We have designed a data traffic prediction model using the autoregressive moving average (ARMA) model by using the typical time sequence of data traffic volumes in WIA-PA networks. In this paper, we introduce a new packet traffic model that is designed for intrusion detection in WIA-PA networks. The rest of this paper is organized as follows. In Section III, we introduce intrusion detection techniques and attack models. Related works are discussed and the WIA-PA network module and its security requirements are also analyzed. In Section IV, we propose an intrusion detection security architecture for WIAPA networks. Section V introduces our data traffic prediction model based on ARMA. Our intrusion detection scheme is presented in Section VI. The results of our tests of the defense system for WIA-PA networks are presented in Section VII. Finally, we conclude the paper in Section VIII. II. INTRUSION DETECTION TECHNIQUES AND ATTACK MODELS proaches are based on manually developed specifications, and thus avoid a high ratio of false to true positives. The drawback of developing detailed specifications is that the process can be time-consuming. Thus, one has to consider the trade-off between the specification development effort and the increase in false negatives. It is very challenging to design an approach capable of detecting all types of attacks. Analysis of existing attack models can facilitate the extraction of effective features. This is one of the most important steps in building IDSs. Here, we discuss two types of representative attacks in the context of the wireless industrial network IDS. The first of these is routing logic compromise. In routing protocols, typical attack scenarios include black hole, routing update storm, fabrication, and modification of various fields in routing control packets (for example, route request message, route reply message and route error message) during different phases of routing procedures. All these attacks can lead to serious malfunctioning of WIA-PA networks. The second is traffic distortion. This type of attack includes packet dropping, packet corruption, and data flooding. Motivated by their different objectives, attackers can employ various techniques to manipulate packets. In addition to the attacks discussed above, other attacks such as rushing, wormhole, and spoofing have been discussed in reference to traditional WSNs. Furthermore, it is not difficult to fabricate intrusions based on a combination of the abovementioned attacks. Intrusion is defined as a set of actions that compromise the confidentiality, availability, and integrity of a system. Intrusion detection is a security technology that attempts to identify those who attempt to access and use the system without authorization. It also identifies those who abuse their legitimate access to the system. The system can be a host computer, network equipment, a firewall, a router, a corporate network, or any information system that is monitored by an IDS. Generally, there are two types of intrusion detection: Misusebased detection and anomaly-based detection. A misuse-based detection technique encodes known attack signatures and system vulnerabilities, and stores these in a database. If an operating IDS detects that current activities are the same as stored signatures, an alarm is triggered. Misuse detection techniques are not effective at detecting novel attacks because they lack the corresponding signatures. In contrast, in an anomaly-based detection technique, normal profiles of system states or user behaviors are created and these are compared to current activities. When a significant deviation is observed, the IDS raises an alarm. Anomaly detection can detect novel types of attacks. However, normal profiles are typically very difficult to develop. Specification-based detection techniques are a promising alternative that combine the advantages of misuse detection and anomaly detection by using manually developed specifications to characterize legitimate system behaviors. Specification-based detection approaches are similar to anomaly detection techniques in that both methods detect attacks as deviations from a normal profile. However, specification-based detection ap- III. RELATED WORKS Recently, some international organizations have begun to actively promote the industrial wireless network technology standardization process, which primarily consists of WIA-PA, ISA100.11a [6] and WirelessHART [7]. ISAl00.11a [6] is a standard proposed by the ISA100 committee for industrial applications. It has not yet been approved. However, its advantageous features, such as asymmetric cryptography, object-based application layer security, and key management, make it a suitable standard for industrial process automation and control systems. ISA100.11a defines network IDS (NIDS) in the acronyms section, but it does not provide detailed specifications of a NIDS. WirelessHART [7] is another international and recently developed standard. It specifies a security manager to provide key management. It provides communication security between two devices, i.e., the source and the destination at the data-link layer. At the network layer this provides confidentiality by encrypting the network protocol data unit (NPDU) payload and integrity by calculating the keyed message integrity code (MIC) over the entire NPDU. ZigBee [8] is a wireless mesh network standard that is lowcost, and has low-power requirements. It is secured by employing the AES-128 algorithm, which defines security at the application layer. However, no frequency diversity and path redundancy is offered and the mechanism also lacks robustness. These issues make ZigBee less reliable and inappropriate for use in industrial process automation. 312 JOURNAL OF COMMUNICATIONS AND NETWORKS, VOL. 14, NO. 3, JUNE 2012 We have used data mining techniques in an intrusion detection module in order to improve the security of the WIA-PA nodes. In our study, we have determined that traffic-based intrusion detection has the most potential of all the data mining intrusion detection techniques, because of its ability to detect new attacks. Many traditional intrusion detection techniques are limited by the collection of training data from real networks and the manual labeling of behaviors and states as normal or abnormal [9], [10]. It is very time consuming to manually collect data from a wireless network and to classify the data. Recently, some researchers have investigated some works on intrusion detection methods in WSNs. In [11], Y. Zhang proposed an intrusion detection and response system structure for mobile ad hoc network (MANET), which was the foundation of most of the work that followed in this area. Based on pattern matching and statistical analysis, J. F. Tian [12] proposed and designed an IDS model called misuse and anomaly based IDS (MAIDS). MAIDS does not provide a solution to improve the security of an entire wireless network in response to allchannel intrusion attacks, to improve the detection speed of the IDS. For wireless mobile environments, L. Liu [13] proposed two intrusion detection mechanisms, which are anomaly mechanism and signature-based mechanism. Based on anomaly detection, Piya [14] proposed a self-organized criticality and stochastic learning based IDS for wireless sensor networks. S. Bo [15] proposed a nonoverlapping zone-based IDS (ZBIDS) for mobile ad-hoc networks. The ZBIDS uses the local IDS agent and the nonoverlapping zone-based framework. Simulation results illustrated that ZBIDS can achieve acceptable false positive and detection ratios. In response to changes in the environment, such methods can compare old and new data to detect system anomalies by using the self-organizing criticality and stochastic learning mechanism. However, the typical IDS and intrusion detection technology described above are based on simplified boundary conditions and therefore do not consider the full complexity or range of hostile attacks in industry environments. The fullchannel packet monitoring mechanism is not used in the abovementioned approaches, which results in a high probability that the resources occupied by intrusion nodes in the network are not detected. This means that huge potential security risks can remain hidden. The WIA-PA network is different from the traditional wireless sensor network. WSNs are application dependent, demanddriven, and deal with inquiry-based periodic data. Hence data flow is random, and the tracking of targets that results in a sudden flow of data cannot be described by the CBR or VBR model [5], [16]. The data flow in WIA-PA networks is unbalanced. There is a large amount of data transferred from the field device to the routing device. In contrast, there is little data transferred from the routing device to the field device. Therefore, a novel architecture design and model for the WIA-PA network is needed. IV. SYSTEM ASSUMPTION AND SYSTEM ARCHITECTURE In order to characterize WIA-PA networks, we assume that such a network could be divided into nonoverlapping zones. Fig. 1. Intrusion detection architecture in WIA-PA network. Because the network is wireless, the coverage can be designed to have nonoverlapping zones. The partitioning of the network could be based on the monitoring range of the channel analyzer, which enables these agents to cooperate with each other to perform the intrusion detection task. Our research focuses on the protection of WIA-PA networks. Preventing and detecting attacks aimed at the IDS itself will be another challenging research topic and is beyond the scope of this paper. We assume that information exchange between IDS agents cannot be forged by an attacker. Wireless communication is fundamentally distrusted. We assume that the normal and intrusive behaviors are distinct. If the attacker only sends one or two falsified pieces of data, it is difficult to detect the attacks. We assume that the field devices receive the beacons and send data in every superframe cycle in the WIA-PA network. If are different data cycles, the data series may not follow a normal distribution. It is very difficult to design an IDS that is effective against all types of attacks. Instead, an incremental enhancement strategy may be more feasible. A secure protocol should at least include mechanisms that are effective against known attack types. In addition, it should provide a scheme to easily add new security features in the future. Due to the importance of the availability of WIA-PA networks, we focus on the following types of intrusion attacks: DoS (denial of service) attacks, hello flooding attacks, sinkhole attacks, and black hole attacks. Due to the WIA-PA constraints on energy, bandwidth, processing power, and storage capacity, we designed the IDS as a third-party intrusion detection and analysis system as shown in Fig. 1. A full-channel analyzer introduced in the sensor network uses a lightweight mobile agent in the network to achieve real-time acquisition, processing, and integration of data. Data from the full-channel analyzer can be collected and analyzed and the results returned to the security manager. This will significantly reduce the energy demand of the whole network, while saving bandwidth. An expert intrusion detection analysis system and an all- MIN AND KIM: INTRUSION DETECTION SCHEME USING TRAFFIC PREDICTION FOR... 313 Fig. 2. WIA-PA superframe. channel analyzer compose the third-party intrusion detection module. The all-channel analyzer can capture network data from 16 channels in 2.4 GHz and send it to the expert intrusion detection analysis system for the IDS to easily analyze the results. Additionally, because this independent third-party intrusion detection module resides outside the WIA-PA network, it cannot consume network resources, which is a considerable advantage in such a resource limited network. Moreover, because of its independence, we can expand the security functionality without interrupting the operation of the other IDS. In order to guarantee real-time and reliable communication, the WIA-PA defines a superframe structure as shown in Fig. 2 [6]. The contention access period (CAP) is used for device joining, intra-cluster management, and retrying in the WIA-PA superframe. This paper pays close attention to this CAP period. Contention free period (CFP) is used for communication between the movable field devices and the cluster heads in the WIA-PA superframe. The inactive period is used for intracluster communication, inter-cluster communication, and sleeping in the WIA-PA superframe. The basic duration of the WIA-PA superframe is defined as 32 timeslots, because the inactive period is used for intra-cluster communication, inter-cluster communication, and sleeping. The duration of the WIA-PA superframe is defined as 2N (N is a natural integer) multiplied by the basic WIA-PA superframe duration. This means that for each device the communicating traffic in some period of time is distributed evenly. Therefore, we can consider all the WIA-PA network traffic as a high frequency time series and we set up our model based upon this assumption. V. NETWORK DATA TRAFFIC PREDICTION MODEL Because sensor networks and application traffic patterns are associated with unbalanced characteristics, sensor networks are different from traditional networks. First, because of unbalanced traffic patterns, such as many-to-one relationships, the closer a device is to the router, the heavier the traffic burden. Secondly, most applications are demand-driven, i.e., they depend on random bursts of data flow with periodic queries; however, they also have to deal with the relatively continuous and smooth flow of data. A sensor network traffic model must be selected and implemented with these considerations in mind. Accurate traffic models can accurately capture the statistical characteristics of actual wireless network traffic. This paper focuses on the periodic data of WIA-PA networks. Taking into ac- count the limitations of the node capacity, we use simple linear prediction technology for traffic analysis and forecasting. The basic idea of this is that each signal can be represented as the weighted sum of several previously sampled values. The weighting factors are determined by the minimum mean square prediction error. Typical linear forecasting and prediction models are autoregressive (AR) and ARMA. The ARMA model can be used to analyze the stability of the relevant data series more effectively than the AR model. Because ARMA has a smaller forecast error variance, it is suitable for short-term forecasting [17]. In building an ARMA model to use for forecasting, it is necessary to begin with a stable data series. Therefore, the original sequence often needs to be preprocessed. We use the logarithmic method to eliminate fluctuations in the series data and make the series stable. The ARMA (p, q) model is a combination of AR (p) and MA (q) processes. If q = 0, then the equation (1) becomes an AR model of order p. When p = 0, the model reduces to an MA model of order q. A time series xt is an ARMA (p, q) process if it is stationary and for every t: xt = μt + φ1xt−1 + · · · + φpxt−p + εt + ϕ1εt−1 + · · · + εt−q, (1) φp = 0, ϕq = 0, (2) E(εt) = 0, (3) V ar(εt) = σt2, (4) E(εsεt) = 0, s = 0 (5) where φi and ϕi are the parameters of the model, and εt are error values εt are assumed independent, identically distributed, and sampled from a normal distribution with a zero mean and finite variance σt2 [17]–[22]. In constructing an ARMA model, it is critical to estimate and test the parameters of the model. There are several ways do this, including the statistical F-test and Akaike information criterion (AIC) parameter-estimation rule. Here, we use autocorrelation function (ACF) and partial ACF (PACF) to estimate the parameters. By analyzing the ACF and PACF features, we confirm the order of the ARMA model. Constructing accurate and analytically tractable source models for WIA-PA network traffic will be the basis for further work on the proposed network protocols. Performance evaluation of WIA-PA networks is performed with real traffic loads. In addition, the effects of system parameters such as node density and target velocity can be analyzed without simulations. We collected 500 data traffic samples from all the channels in order to determine a representative time series. We stabilized the data traffic series in the following way. The measured data series is as follows. X0, X1, · · ·, Xi, · · ·, Xn. The original sniffer data sequence is depicted in Fig. 3. The stationary time series, which is obtained by taking the logarithm of the original data values, is represented as follows. X0, X1, · · ·, Xi, · · ·, Xn. (6) 314 JOURNAL OF COMMUNICATIONS AND NETWORKS, VOL. 14, NO. 3, JUNE 2012 Fig. 3. Original sniffer data sequence. Fig. 5. Autocorrelation function. Fig. 4. The stationary time series. Fig. 6. Partial autocorrelation function. The stationary time series is depicted in Fig. 4. Through the process of repeated substitution, the feedback structure has been eliminated from the model. As a result, it becomes easier to assess the impact upon the output sequence of changes in the values of the input time series. The direct mapping from the input time series to the output one is described as a transfer function. The transfer function coefficients are estimated through a least squares optimization algorithm. We then determine whether the time series is stable. To do The PACF is given as follows. ⎧ ϕˆk,k = ⎪⎪⎪⎪⎪⎨ρˆρˆ1k, − k−1 ϕˆk−1,j ρˆk−j ⎪⎪⎪⎪⎪⎩ j=1 k−1 1 − ϕˆk−1,j ρˆk−j , j=1 k=1 k = 2, 3, 4, · · · (8) this we calculate the ACF and PACF. where The ACF is given as follows. ϕˆk,j = ϕˆk−1,j − ϕˆk,kϕˆk−1,k−j . where n−k (xt − x)(xt+k − x) ρˆk = t=1 n (xt − x)2 t=1 Here we use the ACF and PACF to estimate the parame(7) ters. For each q, we calculate the ρˆq+1, ρˆq+2, · · ·, ρˆq+M , where the following relationship holds true √ M = n. x = n xt . n t=1 If 1 ≤ k ≤ q0 and ρˆk = 0, then ρˆq0+1, ρˆq0+2, · · ·, ρˆq0+M ≈ 0, and if the number of ρˆk satisfying the following condition (9) is more than 95% of q0, we use q0 as parameters of ARMA MIN AND KIM: INTRUSION DETECTION SCHEME USING TRAFFIC PREDICTION FOR... 315 Fig. 7. The WIA-PA data traffic ARMA prediction result. model. q 2 (1 + 2 ρˆ2i ) n ρˆk ≤ √ . n (9) Similarly, for each p, we calculate {ϕˆk,k}, and if the number of ϕˆk,k satisfying the following condition (10) are more than 95% of p0, we use p0 as the parameters of the ARMA model. ϕˆk,k ≤ √2 n . (10) The simulation results are depicted in Fig. 5 and Fig. 6. We can see that the data traffic is well described by an ARMA model based on the features of the autocorrelation function and the partial autocorrelation function. The last step of modeling is analyzing the residual errors. By examining the residual errors of the model, we can confirm that the constructed model is a good representation of the given time series. The new time series will be obtained by using the minimum mean square error of predictions. We then have the data traffic model prediction shown in Fig. 7. Based on the above analysis, this paper uses the ARMA model to analyze the traffic in the WIA-PA network. If the parameter p is too big, it will create a large computational burden for real-time detection. Therefore, our algorithm only uses the ARMA (1, 1) model. We can then implement the ARMA (1, 1) model in MATLAB. By initializing this with previously collected traffic data, we can use it as a data traffic prediction model. The final model parameters are as follows. φ1 = 0.9227, ϕ1 = −0.7885. There |φ1| = 0.9227 < 1 indicates that it satisfies the conditions for a stationary time series are satisfied. We can then write the following equation. xt = 0.9227xt−1 + εt − 0.7885εt−1 = 1. (11) Fig. 8. Intrusion detection scheme for the WIA-PA network. We can use this model to predict data traffic. The comparison result in Fig. 7 shows that data traffic predicted with this model is not very different to measured data traffic. VI. INTRUSION DETECTION SCHEME BASED ON DATA TRAFFIC PREDICTION We use a full-channel analyzer to monitor the 16 channels on 2.4 GHz to detect intrusions. Because of the characteristics of the full-channel communication in industry wireless networks, the full-channel analyzer forwards the captured network data from the entire network to the third-party intrusion detection analysis system. After analyzing the traffic and all network data, the intrusion detection analysis system software ensures that the system responds to intrusions in the different channels quickly and accurately based on the ARMA model. The intrusion detection scheme is depicted in Fig. 8. The data acquired by the full-channel analyzer during a ‘training’ sampling stage is used for input of the prediction model. Real time data traffic is also sent to the abnormal analysis module. For each input at time t−1, the prediction model calculates xˆt using an initial value for real data traffic xt. The calculated traffic, real data traffic and the event noise will be gathered by the abnormal analysis module. The third-party intrusion detection module filters those unnecessary and incorrect intrusion detections. The intrusion detection analysis system will then analyze and compare the results from the measured traffic and predicted traffic. The intrusion detection analysis module will adjust the prediction model to eliminate the incorrect predictions of invasion attacks. After that, the third-party intrusion detection module sends these reports to the security manager. The security manager will generate an alarm based on the information received from the local intrusion detection module and the third-party intrusion detection module, after receiving feedback from the third-party intrusion detection module. 316 JOURNAL OF COMMUNICATIONS AND NETWORKS, VOL. 14, NO. 3, JUNE 2012 The security management module will send a report to the system manager notifying of the situation related to the intrusion. Meanwhile, using this information, the system manager will re-configure the network resources, and enhance the security of the entire system by expanding the functionality of the local intrusion detection module and blacklisting the channel where most of the intrusions took place to avoid any communication through this channel to reduce further intrusions. Each device does not need to launch the intrusion detection mechanism in their protocol stack until some attacks have been detected by the IDS. Some of the limited resource devices do not need to have this mechanism embedded. The security manager will configure the security strategies of the WIA-PA network. It will launch the local intrusion detection solution module according to the analysis from the third-party detection system. The intrusion detection solution module is built into the security manager and the gateway. The external intrusion detection module is designed to prevent any attack from the cable network. We also designed the wireless network local intrusion detection module in the wireless gateway to prevent wireless network intrusion attacks. In our local intrusion detection module, we have constructed the rule record base by including the rules that match replay and anonymous attacks that are frequent in industrial wireless networks. Different events produce a large variation of alerts, which need to be translated into noise. In our model this translation is done by an events monitor module and the anomaly analysis module according to the emergencies and events motivated by the system manager. Alerts caused by the same event are grouped together by some correlation or aggregation technique. We use a threshold to classify an intrusion attack in this paper. We use the sliding time sequence to develop the data traffic estimation model. We also compare the predicted traffic to the measured traffic to determine whether the absolute value of the difference between the two is over a predetermined threshold, i.e., MAX. At time t the difference between xt and xˆt is given as follows. Fig. 9. The test environment of the WIA-PA intrusion detection system. Fig. 10. The channel analysis for the data traffic. We use a simple alarm assessment mechanism to determine the frequency of abnormal intrusion. During the period of time δt if the anomalies are detected m times, an alarm will be sent to the security manager. The security manager dynamically adjusts the δt and the value of m according to the system security requirements and the conditions of the devices. dt = xt − xˆt. (12) VII. SECURITY TEST AND RESULT ANALYSIS We use the root mean square error (RMSE) to evaluate the accuracy of the model prediction. If dt = RMSE > MAX, it means there is some abnormal traffic. The RMSE is defined as follows. RMSE = n (xt − xˆt)2 t=1 n In WIA-PA networks, traffic may be affected by changes caused by many variables, so we need to distinguish the cause of the variations in traffic. Here we decided to use a threshold based on the normal noise level in the WIA-PA network. If the thresholds are higher, the intrusion detection rate will be decreased; if the threshold is lower, the false alarm rate will be increased. Here, we choose an appropriate threshold decided by our previously recorded data that will achieve a high intrusion detection rate and a low false alarm rate. A performance analysis comparing different thresholds will be discussed in Section VII. In this section, we focus on testing the performance of the WIA-PA network based on our proposed security services. Our test system is based on the WIA-PA sensor nodes platform with various sensors that are developed in our lab. We use 40 field devices and 5 router devices to build the test environment. Fig. 9 shows the test window of the security system for a WIA-PA network. After securely joining the network, wireless nodes are distributed in a certain region to collect and process the wireless communications data and to do other tasks. Field information could be transmitted from routers to gateways. From the project tree window, we can see the project information and device information. Configuration software can monitor the real-time field data and security information. By combining the local intrusion detection module with the third party intrusion detection module, we could detect and prevent the intrusion more effectively because the third party intrusion system could completely capture the network data. There are 16 channels that are available for 2.4 GHz and they MIN AND KIM: INTRUSION DETECTION SCHEME USING TRAFFIC PREDICTION FOR... 317 Fig. 11. The test system real time data traffic. Fig. 13. The test system false positive ratio. PA network IDS compared with ZBIDS, local IDS are illustrated in Fig. 13. The false detection ratio in our WIA-PA network IDS is better is than that in local IDS, but a little higher than in ZBIDS. It is acceptable. VIII. CONCLUSION Fig. 12. The test system intrusion detection ratio. are from 0x0B to 0x1A. Figs. 10 and 11 show how the allchannel analyzer catches the data from the channel 0x0B to the channel 0x1A at 2.4 GHz. Test results prove that the all-channel analyzer could capture the flow of data packets. The detection analysis system could then be used to compare and analyze the results from the all-channel analyzer. We then simulated illegal intrusions in our network. The detection ratio and the false positive ratio are key performance parameter in IDSs. The detection ratio and the false positive ratio in our test system are shown below. For the detection ratio and false positive ratio, we use different alarm thresholds, namely 0.8MAX, MAX, and 1.2MAX, to observe the difference in performance due to the threshold value. As we can see, the detection ratio increases with the decrease of MAX. When MAX decreases, it is easier for the alert signal of the normal trace to exceed it, thus generating alerts. The false positive ratio increases with the decrease of MAX. When MAX decreases, it is easier for the alert signal of the normal trace to exceed MAX, thus generating alerts. Simulation results of the detection ratio in our IDSs compared to that of ZBIDS [15], and local IDS [15] are illustrated in Fig. 12. As we can see, the detection ratio for our scheme remains above 90%. WIA-PA intrusion detection mechanisms have a good detection ratio in comparison to the other two systems. Simulation results of the false detection ratio in our WIA- Because the use of wireless communication in industry applications is growing rapidly, providing security is very important for control systems in the industry. Securing wireless industry networks poses unique research challenges because of the fundamental differences between a wireless industrial network and a traditional wired network. These differences include resourcelimited nodes, very large scales, unattended deployment, and application-specific and data-centric communications. In this paper, we have presented a design of an IDS for WIA-PA networks. The proposed intrusion detection security method uses an ARMA model based approach to establish security. It provides a new security detection mechanism. In our IDS, we capture real data traffic by using the 16-chinnel analyzer from our test system. With the real data traffic, we could predict the network traffic precisely and quickly. Our analysis shows that the scheme can ensure detection of intrusion attacks, improve the whole performance of the system, and prolong the lifetime of the network, while isolating the malicious traffic injected by the compromised nodes or illegal intrusions into the network. In this paper, we assumed that the field devices in WIA-PA network receive beacons and send data based on superframe cycles. If there are different data cycles, the data series may not follow the normal distribution. In this case, the autoregressive integrated moving average (ARIMA) may be more appropriate. We will consider this in future work. We are continuing to conduct comprehensive simulations and experiments to further evaluate the performance of IDS. REFERENCES [1] A. Willig, K. Matheus, and A. Wolisz, “Wireless technology in industrial networks,” Proc. IEEE, vol. 93, pp. 1130–1151, June 2005. 318 JOURNAL OF COMMUNICATIONS AND NETWORKS, VOL. 14, NO. 3, JUNE 2012 [2] M. Wei, P. Wang, and Q. Wang, “Research and implementation of the security strategy for the wireless industry control network,” Chinese J. Sci. Instrument, vol. 30, pp. 679–681, Apr. 2009. [3] A. Willig, “Recent and emerging topics in wireless industrial communications: A selection,” IEEE Trans Ind. Informat., vol. 4, pp. 102–124, May 2008. [4] IEC 6 601 Ed1, “Industrial communication networks-fieldbus specification -WIA-PA communication network and communication profile,” Oct. 2011. [5] I. Demirkol, F. Alagoz, H. Deliç, and C. Ersoy, “Wireless sensor networks for intrusion detection: Packet traffic modeling,” IEEE Commun. Lett., vol. 10, pp. 22–24, Jan. 2006. [6] IEC/PAS 62734, “Industrial Communication Networks—Fieldbus specifications—Wireless Systems for Industrial Automation: Process Control and Related Applications (based on ISA 100.11a),” Sept. 2011. [7] IEC 62591 Ed.1, “Industrial Communication Networks—Wireless Communication Network and Communication Profiles —WirelessHARTT M ,” Apr. 2010. [8] IEEE 802.15.4, “Information Technology-Telecommunications and Information Exchange between Systems-Local and Metropolitan NetworksSpecific Requirements-Part 15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low Rate Wireless Personal Area Networks (LR-WPANs),” 2006. [9] P. Wang and H. Wang, Heng Wang, and Min Xiang. The Technology of Wireless Communication for Measuring and Controlling, Beijing: Publishing House of Electronics Industry, Mar. 2008. [10] M. Wei, X. Zhang, W. Ping, K. Kim, and Y. Kim, “Research and implementation of the security method based on WIA-PA standard,” in Proc. ICECE, China, Nov. 2010. pp. 1580–1585. [11] Y. Zhang and W. Lee, “Intrusion detection in wireless ad hoc networks,” in Proc. the 6th MobiCom, USA, Aug. 2000, pp. 275–283. [12] J. Tian, Z. Zhang, and W. Zhao, “The design and research of intrusion detection system based on misuse and anomaly,” J. Electron. Inf. Technol., vol. 28, pp. 2163–2166, Nov. 2006. [13] L. Lijun and L. Zhuowei, “A anomaly-based intrusion detection system in mobile wireless networks,” Comput. Eng. Appl., vol. 42, pp. 165–167, July 2006. [14] T. Piya and J. Andrew, “Energy efficiency of intrusion detection systems in wireless sensor network,” in Proc. IEEE/WIC/ACM Int. Conf. Web Intelligence and Intelligent Agent Technol., Dec. 2006, pp. 227–230. [15] S. Bo, Intrusion Detection in Moblie Ad Hoc Networks, Doctoral thesis, Texas A&M University, May 2004. [16] M. Guizani, A. Rayes, and B. Khan, Network Modeling and Simulation: A Practical Perspective, John Wiley & Sons, Ltd, Chichester, UK. Feb. 2010, pp. 260-261. [17] X. Wang, Q. Liu, and G. B. Giannakis, “Analyzing and optimizing adaptive modulation-coding jointly with ARQ for QoS-guaranteed traffic,” IEEE Trans. Veh. Technol., vol. 56, pp. 710–720, Mar. 2007. [18] T. Q. Yang, “A time series data mining based on ARMA and hopfield model for intrusion detection,” in Proc. Neural Netw. and Brain, China, Oct. 2005, pp. 1045–1049. [19] Q. Liu, S. Zhou, and G. B. Giannakis, “Queuing with adaptive modulation and coding over wireless links: Cross-layer analysis and design,” IEEE Trans. Wireless Commun., vol. 4, pp. 1142–1153, May 2005. [20] A. Lisa, The wireless network environment sensor: A technology independent sensor of faults in mobile wireless network links, Doctoral thesis, Rensselaer Polytechnic Institute Troy, New York, USA. Dec. 2002, pp. 2129. [21] A. Deshpande, C. Guestrin, and S. Madden, “Model-driven data acquisition in sensor networks,” in Proc. the 30th VLDB Conf., Canada, Sept. 2004. [22] Q. Cao, T. Abdelzaher, T. He, and J. Stankovic, “Towards optimal sleep scheduling in sensor networks for rare event detection,” in Proc. ISPN, USA, Apr. 2005, pp. 20–27. [23] S. J. Zhang and L. X. Qi, Time Series Analysis Simple Tutorial, Beijing: Tsinghua University Press, 2003, pp. 132–135. [24] D. Y. Uu, K. Yang, and J. Z. Chen, “Agents: Present status and trends,” J. Software, vol. 11, pp. 315–321, Mar. 2000. [25] Y. E. Sagduyu and A. Ephremides, “The problem of medium access control in wireless sensor networks,” IEEE Wireless Commun., vol. 11, pp. 44–53, June 2004. [26] H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proc. IEEE Symp. Research in Security and Privacy, USA, May 2003, pp. 197–213. [27] L. Zhou, J. Ni, and C. V. Ravishankar, “Supporting secure communication and data collection in mobile sensor networksm,” in Proc. IEEE INFOCOM, Spain, Apr. 2006, pp. 1–12. Min Wei was born in Guiyang, China, on September 28, 1982. He received a B.S. degree in Automation Science from Zhejiang University, Hangzhou, China, in 2005 and received a M.S. degree in Control Science from Chongqing University of Posts and Telecommunications, Chongqing, China, in 2008. He is currently a candidate of Ph.D. degree program in Computer Science in Konkuk University, Seoul, Korea and he also works with Key Laboratory of Industrial Internet of Things & Networked Control, Ministry of Education in Chongqing University of Posts and Telecommunications, Chongqing, China. His major research interests include industrial wireless networks, 6LoWPAN, intrusion detection, home networks, and information security. Keecheon Kim received a B.S. degree in Computer Science in Seoul National University, Seoul, Korea, in 1988 and received a Ph.D. degree in Computer Science from Northwestern University, Illinois, USA, in 1992. He is currently a Professor in Konkuk University now. He is the Director of the Konkuk Information Security Research Center and the Director of the Mobile Computing Laboratory in Konkuk University. His research interests include mobile and sensor networks, industrial networks, intrusion detection, home networks, and information security.




工业电子 汽车电子 个人电子
$(function(){ var appid = $(".select li a").data("channel"); $(".select li a").click(function(){ var appid = $(this).data("channel"); $('.select dt').html($(this).html()); $('#channel').val(appid); }) })