An Enhanced Hierarchical Energy Efficient Intrusion Detection System for Malicious Packet Dropping Attacks in Wireless Sensor Networks

An Enhanced Hierarchical Energy Efficient Intrusion Detection System for Malicious Packet Dropping Attacks in Wireless Sensor Networks

A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Masters of Science in Software Engineering at the College of Computer and Information Sciences at Prince Sultan University

By Afnan N. Al-Romi

May 2015

This thesis was defended and approved on May 24th

Supervisor: Dr. Iman Al-Momani

Members of the Exam Committee
Dr. Iman Al-Momani: Chair
Dr. Areej Al-Wabil: Committee Member
Dr. Thavavel Murugesanv: Committee Member

ACKNOWLEDGEMENT

All praises and thanks go to Allah for the strength and blessings in completing this thesis. My deepest gratitude goes to my advisor, Dr. Iman Almomani, for her guidance, caring and patience. Dr. Iman has offered her time, expertise, wisdom, and continuous encouragement, mentoring me step by step through the whole research process. Without her advice, this thesis would not have come into being. Gratitude is extended to my committee members, as I am truly grateful for their insightful suggestions and comments on my thesis. My sincere appreciation also goes to all the professors for their devoted instruction during my graduate years. Special recognition goes out to Bassam Kasasbeh for his time, patience, enlightening knowledge and effort in guiding me. My greatest appreciation and love go to my family for their constant support. They have taught me the value of hard work and dedication. Their belief in me never wavered, and they have always lifted my spirit with their constant love and support.

ABSTRACT

Software Engineering (SE) is an essential discipline, and applying its processes is both of vital importance and a key feature in critical, complex, large-scale systems such as Wireless Sensor Network (WSN) systems. A WSN consists of hundreds to thousands of low-power, low-cost, multi-functional sensor nodes operating in unattended environments. WSNs are known for their challenging constraints in power and memory, which place stringent limitations on network lifetime (i.e. period of operation) and security. To address one of these main challenges, researchers have developed security solutions in the form of software-based Intrusion Detection Systems (IDSs). However, the developed IDSs are neither secure enough nor resource efficient. The problem is that not all requirements are identified or satisfied, and some requirements have been compromised. Additionally, the IDSs are not developed with the best design, the one that can offer the best performance in the detection process and in resource usage. For some IDSs, developers and researchers have studied the design, but only from a high-level perspective. Moreover, from the literature, this study has found that different performance measurements are used in the testing process. In other words, there is no consistency in the performance validation matrices. From the problems discussed, we can see that the drawbacks in current IDSs are due to researchers and developers not following structured software development processes when developing an IDS. This results in insufficient requirement management, process, and validation and verification of requirements quality, which leads to unpleasant results such as delays in the detection process, low detection accuracy, and high resource consumption. Therefore, integrating SE and WSNs is the solution, and it is a real subject that will expand as technology evolves and spreads in industrial applications.

This thesis has studied a set of existing IDSs and illustrated the absence of Requirement Engineering, Software Design, and Testing processes. Also, in this thesis an enhanced version of a preexisting IDS has been developed by reducing the overhead, improving the node selection criteria, and applying monitoring techniques. The enhanced IDS is developed by following and applying the SE process. Hence, the importance of the SE process when developing IDSs is studied. Additionally, a case study on different designs that can be applied to a specific detection scheme is performed and the results are analysed.

The development and testing process is performed using the Network Simulator 2 (NS2) simulation tool. NS2 is one of the most popular and scalable simulation tools, as it provides substantial support for simulation of routing, multicast protocols and all internet protocols over wired and wireless networks; it therefore models real-world networks. NS2 is an open source tool composed of a set of components: one is used for software development, one for graphical interface development, and one for building scenarios and testing them to validate the results. After performing the validation process, conclusions were drawn regarding the application of SE processes to IDSs.

The results were promising, as the developed IDS delivered the required functionalities, with respect to operational constraints, within an acceptable level of performance and accuracy. Moreover, the results of the case study performed on the three software IDS designs (the Scheduling, Broadcast and Watchdog designs) were interesting, as they illustrated the effect of the SE process under different design considerations. The three designs were compared in terms of the amount of energy consumed, network lifetime, and false negative ratio. The Watchdog design had the best performance and the Broadcast design had the worst, which is due to the number of messages used in the Broadcast approach.

From the results, it can be seen that a set of objectives has been satisfied. The first is the set of enhancements added to the IDS to improve on the existing one, and their effect on energy consumption. The second is the SE processes and their deployment while developing the enhanced IDS. A further objective was mastering the usage of NS2 and learning a new scripting language.

ARABIC ABSTRACT

Thesis Summary

Software engineering is an essential discipline that systems need, and applying its processes is both important and a key feature in large-scale, critical and complex systems such as wireless sensor networks. Wireless sensor networks consist of hundreds of thousands of low-power, low-cost sensor nodes, which often operate in unmonitored environments and perform a number of functions. Wireless sensor networks are known to have many difficult constraints, such as power and memory, which place such networks under strict and difficult limitations in terms of lifetime (i.e. period of operation) and network security. To address and overcome these main challenges, researchers have developed security systems. These solutions are software-based intrusion detection systems. However, these systems are not secure enough and do not conserve their resources efficiently. The problem is therefore that not all requirements are applied and then followed through in implementation. Moreover, not all requirements are identified, as some requirements have been compromised. In addition, the importance of algorithm design is not studied, and so the best design, the one that can offer the best performance in the detection process and in resource usage, is not applied. In some intrusion detection systems, some developers and researchers have studied the design, but from a high-level perspective. Moreover, from previous research we found that different performance measures are used when testing the quality and effectiveness of the system. In other words, there is no consistency in the performance validation matrices. From the problems discussed, we can see that the drawbacks in the effectiveness of current systems are a result of not following software development processes. This has led to inefficient requirement management, process execution, and verification of requirements quality and implementation, which in itself may lead to unpleasant results such as delays in the detection process, low detection accuracy, and resource consumption. Therefore, integrating software engineering and wireless sensor networks is the solution, and it is a real subject that will be expanded as technology evolves and industrial applications spread.

In this thesis we therefore studied a set of intrusion detection systems and clarified the effect of the absence of requirement engineering, software design, and testing. We also developed a version of one of the pre-existing intrusion detection systems by following and applying software engineering techniques, and we studied the importance of the software engineering process in intrusion detection systems. In addition, we carried out a case study of different algorithm designs that can be applied to the detection system and analysed their results. This was carried out through simulation models; we performed the development and testing process using Network Simulator 2 (NS2). NS2 is one of the most popular and scalable simulation tools, as it provides substantial support for simulating routing, multicast protocols and all Internet protocols over wired and wireless networks, and it can therefore simulate real-world networks. NS2 is an open source tool composed of a set of components: one is used for software development, another for graphical interface development, and another for building scenarios and testing them to validate the results. Conclusions were therefore reached on applying software engineering processes to intrusion detection systems to deliver the required functionalities, with respect to operational constraints, within an acceptable level of performance, accuracy and reliability. Moreover, the results of the case study carried out on the intrusion detection system designs, namely Scheduling, Broadcast and Watchdog, were interesting because they show the effect of the software engineering process under these different designs. The results were promising and clarified the effect of the software engineering process and of the different design considerations. The three designs were compared on the basis of the amount of energy consumed, network lifetime, and the false negative ratio. The Watchdog design was the best in performance while the Broadcast design was the worst, which is due to the number of messages used in that approach. From these results it can be concluded that a set of objectives has been achieved. The first is the enhancements added to the intrusion detection system in order to improve it, reduce the amount of energy consumed and increase the network lifetime. The second is the software engineering processes and their deployment while developing the intrusion detection system. A further objective was mastering the use of NS2 and learning the new programming language.

Table of Contents

ACKNOWLEDGEMENT
ABSTRACT
ARABIC ABSTRACT
LIST OF TABLES
LIST OF FIGURES
LIST OF ABBREVIATIONS
1 CHAPTER ONE: INTRODUCTION
  Motivation
  Problem Definition
  Research Scope
  Research Questions
  Aims and Objectives
  Research Methodology
    Phase One: Data Collection
    Phase Two: Theory and IDS Development
    Phase Three: Simulation Modelling
    Phase Four: Result Analysis
  Contributions
  Thesis Structure
CHAPTER TWO: LITERATURE REVIEW
  Introduction
  Background
    Wireless Sensor Networks (WSNs)
    Routing Protocols
    Denial of Service (DoS) Attacks
    Intrusion Detection Systems (IDSs)
    Watchdog Mechanism
  Related Work
CHAPTER THREE: INTRUSION DETECTION SYSTEM DEVELOPMENT
  Introduction
  Software Engineering in WSNs
  Software Development Life Cycle
    3.3.1 Phase One: Determine Objectives and Constraints
    Phase Two: Identify Risks and Evaluate Alternatives
    Phase Three: Develop and Verify the System
    Phase Four: Plan Next Phase
  Challenges
  Summary
CHAPTER FOUR: CASE STUDY
  Introduction
  Case Overview
  IDS Software Designs
    First Design: Scheduling Design
    Second Design: Broadcasting Design
    Third Design: Watchdog Design
  Results and Analysis
    Energy Consumption
    Network Lifetime
    False Negative Ratio
  Summary
CHAPTER FIVE: CONCLUSION
  Introduction
  Research Conclusion
  Limitations
  Future Research Directions
Publications
References

LIST OF TABLES

Table 2.1 Network Layers and DoS Attacks
Table 2.2 Performance Measurements Comparison
Table 3.1 Theoretical Analysis of Enhancements
Table 3.2 SDLC Model Selection Factors
Table 3.3 IDS Selection Factors
Table 3.4 Identified Risks
Table 3.5 Identified Alternatives
Table 4.1 Simulation Parameters
Table 4.2 Number of Rounds
Table 4.3 First Node to Die
Table 4.4 Results Summary

LIST OF FIGURES

Figure 1.1 Research Process Methodology
Figure 1.2 Thesis Structure
Figure 2.1 A Sensor Node Architecture
Figure 2.2 Wireless Sensor Network
Figure 2.3 LEACH Protocol Topology
Figure 2.4 IDS Components
Figure 3.1 LEACH Routing Protocol Flow
Figure 3.2 Proposed Intrusion Detection Scheme
Figure 3.3 Spiral Model Phases
Figure 3.4 Enhanced IDS Design
Figure 3.5 Monitoring Report
Figure 3.6 Detection Report
Figure 4.1 Scheduling Design Flow
Figure 4.2 Broadcast Design Process Flow
Figure 4.3 Energy Consumption Measurement
Figure 4.4 Packet Delivery Ratio Measurement
Figure 4.5 Number of Nodes Alive Measurement
Figure 4.6 Energy Consumption Measurements
Figure 4.7 Number of Nodes Alive Measurements
Figure 4.8 Results Summary
Figure 4.9 Best Design Rating

LIST OF ABBREVIATIONS

BS      Base Station
CH      Cluster Head
CSMA    Carrier Sense Multiple Access
DoS     Denial of Service
EI      Energy Indicator
IDS     Intrusion Detection System
LEACH   Low Energy Adaptive Clustering Hierarchy
MAC     Message Authentication Code
MIT     Massachusetts Institute of Technology
NS2     Network Simulator (version 2)
RPK     Random Pair-wise Key
RSSI    Received Signal Strength Indicator
SCH     Second Cluster Head
SDLC    Software Development Life Cycle
SE      Software Engineering
SEP     Stable Election Protocol
TCL     Tool Command Language
TDMA    Time Division Multiple Access
WSN     Wireless Sensor Network

1 CHAPTER ONE: INTRODUCTION

1.1 Motivation

In the last few years, Wireless Sensor Networks (WSNs) have been recognized as one of the promising technologies due to their use in military and healthcare applications [1][2]. WSNs consist of hundreds to thousands of sensor nodes that are small in size and communicate over short ranges [3][4][5][6]. These sensor nodes are deployed in large numbers at different locations to collect data through their sensing technology. Moreover, WSNs are usually deployed in unsafe environments where they are vulnerable to attacks [7][8]. Attacks are detected through Intrusion Detection Systems (IDSs) that are deployed on WSNs. Some IDSs detect an attack and accordingly broadcast an alarm, and some prevent the attack from occurring again or isolate the attacker and stop it from operating in the network. This depends on how critical and sensitive the application is. Furthermore, since batteries power the sensor nodes, WSNs are known for their energy resource limitation. Therefore, developing a secure IDS while considering the energy resource is important. However, from the survey literature [9] it can be seen that not all IDSs fulfil this aspect. Moreover, the development of such systems is unstructured and does not deploy the software engineering processes. Therefore this research was conducted.

1.2 Problem Definition

Software engineering (SE) is an important discipline when developing software systems, especially large-scale systems [10][11]. SE is concerned with all processes of software production; it is defined by [10] as a systematic approach to the analysis, design, assessment, implementation, test, maintenance and reengineering of software. So it is clear that the engineering of software is an important problem-solving activity. SE ensures control over software functionalities, quality, and resources [10][11]. Hence, it ensures complete software development and requirement satisfaction.

Unfortunately, the WSN and SE research communities have been mostly impermeable to each other [12]. Moreover, SE in WSNs is a real issue that will expand as the technology evolves and spreads in industrial applications [13]. As the evidence shows [14][15][16][17][18], researchers/developers do not follow structured software development processes when developing IDSs. This results in inadequate requirement management, process, and validation and verification of requirements quality [19]. The outcome of such an unstructured development process can be seen from the results of the IDS systems. Some existing energy efficient IDSs have drained the energy resource by implementing very expensive detection schemas that include cryptographic algorithms. Moreover, when IDSs are developed, they are usually not developed with the best design, the one that provides the best performance [20][21][22][23], because even the best algorithms may produce inefficient results when applied ineffectively. Even if the researchers/developers considered the design, they would consider it from a high-level perspective, for example eliminating overheads. Thus, we can see that this is another problem that was not identified due to not following the SE processes. This study discusses this problem thoroughly in chapter four and illustrates the impact of different designs for a specific IDS. Furthermore, this study has found that the testing process is different in network applications and specifically in simulation environments [24][25]. What was more interesting is the different performance measurements that were used in validating and verifying IDS performance, regardless of the IDS purpose or the attack being detected [20][26][27].

1.3 Research Scope

The proposed research will develop an enhanced version of a hierarchical energy efficient IDS that was developed in 2013 by the authors in [20]. Since energy is a critical element and a limited resource in WSNs [28], the Low-Energy Adaptive Clustering Hierarchy (LEACH) protocol is selected to be the communication protocol in the developed IDS. Also, the LEACH protocol has reduced the energy by a factor of eight compared with the other communication protocols, hence increasing the system's lifetime for the WSNs [29]. The IDS will detect a specific attack, called the Packet-Dropping attack. Packet-dropping is part of the Denial of Service (DoS) attack; it disrupts the network services and makes them unavailable [7]. It is one of the most disruptive and devastating threats in WSNs [20], and was therefore selected for this study. It is also one of the common attacks that can be launched by attackers to disrupt the normal operation of the network communication [8].

The development of the IDS will follow the Software Development Life Cycle (SDLC) phases. However, the study will focus on the Requirement Engineering, Software Design and Testing processes. One of the main thrusts of this research is to follow the SDLC phases in the development of the IDS, make it more energy efficient, and improve packet-dropping detection in WSNs. This IDS development will contribute to the field of SE as well as to the WSN research field. To elaborate on how this study will contribute to the SE field, it will illustrate the most common mistakes that have been made when developing IDSs in relation to requirement engineering. As for software testing, this study will discuss how the testing was done and based on what criteria and measures the performance was measured. Also, this study will elaborate on the inconsistency in the adaptation of the performance measurements that have been used by various authors and researchers, as there is no standardization or common list of measures. Moreover, after developing the IDS, it will be tested, and the test results of the enhanced IDS will be compared with those of the previous IDS [20] and then analysed.

An IDS will be the outcome of this study, in the form of an intrusion detection algorithm. To assess, measure, and evaluate the proposed improvements on the packet-dropping IDS, tests will be performed through a simulation study using simulation tools. The simulation tool that will be used is Network Simulator version 2 (NS2). It is one of the most popular simulators used in the academic field for the evaluation of networks, protocols, and topologies [30][31], and specifically in the WSN research community [32]. NS2 was developed in 1996 and has been under continuous development since then [30][31][32]. Also, NS2 is one of the most popular and scalable simulation tools, as it provides substantial support for simulation of routing, multicast protocols and all internet protocols over wired and wireless networks; it therefore models real-world networks. NS2 is an open source tool composed of a set of components: one is used for software development, one for graphical interface development, and one for building scenarios and testing them to validate the results [32].

Furthermore, the aim is to investigate a set of areas related to this study, such as the SE processes, approaches and techniques. The study will also explore the security of WSNs, hierarchical energy efficient IDSs, and extended LEACH routing protocols and schemas in WSNs.

1.4 Research Questions

The primary research question is: What are the enhancements that have been added to the hierarchical energy efficient intrusion detection system for improving the packet-dropping detection in WSNs?

The subsidiary research questions are:
1. What are the challenges of improving the IDS without compromising the energy resource in WSNs, and how was it done?
2. What are the analysis results of the improved IDS?
3. What are the benefits of following the SDLC phases in IDS development?
4. What is the most suitable software process model for developing an IDS in WSNs?
5. How were the requirement engineering and software testing processes applied to the IDS?
6. What are the challenges of hierarchical IDSs, WSNs and energy-aware hierarchical protocols such as the LEACH protocol?

1.5 Aims and Objectives

The goals and objectives of this study are:
1. To develop an enhanced version of an IDS for packet-dropping attacks in WSNs.
2. To follow an SDLC process model when developing an IDS in WSNs.
3. To apply requirement engineering and software testing techniques in IDSs.
4. To enhance the hierarchical IDS for malicious packet-dropping detection in WSNs.
5. To increase the detection rate without compromising the energy resource in WSNs.
6. To provide a more accurate and comprehensive detection result, improve the detection performance, and reduce the false positive/negative detection rate.
7. To learn and experience the features of the software tools that will be used in implementation and testing, such as C++, Network Simulator (NS-2), and Tool Command Language (TCL).

1.6 Research Methodology

The adopted research design strategy was experimental, and the methodology used in collecting the data and performing the data analysis was a mixed approach. The qualitative method was used in the development process and the quantitative method was used in the testing process. The flow of the research process is illustrated in Figure

Figure 1.1 Research Process Methodology

The adopted research design strategy was conducted in four phases, which include:

Phase One: Data Collection

The data collection process was carried out through two methods:

o Literature Review: Reviewing the state of the art and studying related literature specific to packet-dropping detection using the hierarchical LEACH routing protocol in WSNs and extended hierarchical LEACH protocols. This review did not only focus on the network energy and security aspects but also on the requirements, system design and testing measures that were used in those different subjects. This was done at an early stage and continued as the study progressed.

o Theoretical Analysis: Theories and research related to packet-dropping IDSs in WSNs, and to extended hierarchical LEACH routing protocols specifically, are carefully examined and studied. More importantly, this method is used to provide essential and primary knowledge about explored security and energy saving mechanisms and IDSs in WSNs. Those related studies have been studied and analysed in depth to derive the incorrect techniques that were used, in order to avoid them and reach a better performance while developing the IDS.

Phase Two: Theory and IDS Development

A knowledge background was developed after completing the literature review and theoretical analysis study. From the gained knowledge, the factors and enhancements that will improve the selected IDS were determined. Subsequently, this study adapted and deployed those factors to develop and build the packet-dropping IDS algorithm and also to illustrate the different IDS designs that were applied. The theory was therefore built after conducting an inductive analysis process. The output of this phase is provided and discussed in chapter three. The IDS has been developed by performing the SE processes that ensure control over software functionalities, quality, and resource usage [10][11]; in our case the most important resource is the node's energy. Hence, it ensures complete software development and requirement satisfaction of attack detection.

Phase Three: Simulation Modelling

The algorithm scheme was tested and validated through a simulation tool. The simulation tool that was used is Network Simulator version 2 (NS2). A simulation is built and developed to test different scenarios that are developed according to the requirements of the problem. This method provides the information by which the study's validity is judged. The results and findings rendered from the simulation are gathered and analysed quantitatively, and on the basis of the analysis, conclusions were drawn.

Simulation is used to help visualize, measure, and numerically evaluate the impact of the IDS on packet-dropping attacks, with regard to the nodes' energy resource. So, in this study, the validation metrics were in terms of detection accuracy and performance. The output of this phase is provided and discussed in chapters three and four.

Phase Four: Result Analysis

The analysis results were used to identify, address and validate the IDS enhancement factors used to improve the energy efficiency and detection performance for the packet-dropping attack. They were also used to measure the different designs developed for an IDS. The output of this phase is provided and discussed in chapter four.

1.7 Contributions

This thesis explores the development of an enhanced version of a hierarchical energy efficient IDS. The IDS will detect a specific attack, called the Packet-dropping attack. Packet-dropping is part of the Denial of Service (DoS) attack. It is one of the most disruptive and devastating threats in WSNs, and was therefore selected for this study. The development of the IDS will follow the Software Development Life Cycle (SDLC) phases. However, the study will focus on the Requirement Engineering, Software Design and Testing processes. One of the main thrusts of this research is to follow the SDLC phases in the development of the IDS, make it more energy efficient, and improve packet-dropping detection in WSNs. Also, this study will elaborate on the inconsistency in the adaptation of the performance measurements that have been used by various authors and researchers, as there is no standardization or common list of measures. Moreover, this thesis studies the effect and the importance of the software design process by designing and developing three IDS designs, which are the Scheduling, Broadcast and Watchdog designs, and then compares their results and measures their effect.

1.8 Thesis Structure

Apart from this introduction, the rest of the thesis is structured in four chapters, as outlined in Figure 1.2. Chapter two discusses the related work and highlights the innovativeness of this research. Additionally, it reviews the main subjects discussed in this study to help understand the proposed work. Chapter three discusses the main problems that led to this study and illustrates the need to apply the SE processes in the WSN research field. It also shows the development of the IDS through following the SDLC phases. Chapter four analyses the simulation results and compares the three suggested IDS designs. Lastly, chapter five consists of the conclusion, limitations and future research directions.

Figure 1.2 Thesis Structure

2 CHAPTER TWO: LITERATURE REVIEW

2.1 Introduction

This chapter goes through the background and the related work that have been explored in this field of study. Section reviews the WSNs and their characteristics, applications and challenges. Also, it explores the routing protocols and specifically the LEACH protocol. Section reviews the main security threats in WSNs and discusses in detail the Denial of Service (DoS) attacks. Section explores the security techniques that have been proposed for securing WSNs from threats, like Intrusion Detection Systems (IDSs). Lastly, section reviews the monitoring techniques and specifically the Watchdog technique.

2.2 Background

This section reviews the importance of wireless sensor networks, their applications and uses, routing protocols and detection systems.

Wireless Sensor Networks (WSNs)

Recent years have witnessed advances in micro-electronic systems technology, digital electronics, and wireless communications that have led to the development of Wireless Sensor Networks (WSNs) [3]. A Wireless Sensor Network is a self-organizing network of sensor nodes connected by wireless links [4]. WSNs consist of hundreds to thousands of low-power, low-cost, multi-function sensor nodes that are small in size and communicate over short ranges [3][4][5][6]. These sensor nodes are deployed in large numbers at different locations to collect data through their sensing technology. The sensed data can be temperature, pressure or motion, depending on the type of application it is used in. To elaborate more on the network nodes, they are wireless sensor tags [33], where each node is composed of a sensing unit, processing unit, communication unit and a power unit [1][34], as illustrated in Figure

Figure 2.1 A Sensor Node Architecture [27]

So, from the node architecture and the evidence provided in [1][3][34], it can be seen that sensor nodes have the capability of sensing, collecting, processing and communicating in an autonomous manner. The critical unit is the power unit [34][35], as the other units all use it. The energy is provided by an internal battery, in the power unit, which is built into the sensor's tag [33], and thus it has limited resources. Consequently, this limitation affects the node's lifetime and accordingly the WSN lifetime.

Furthermore, WSNs function in a certain manner. The sensed data, collected by the nodes, is sent to a base station (BS). The sending process is achieved through a wireless communication channel, without depending on any fixed infrastructure [28][33]. All nodes in the network are linked wirelessly to create the WSN, as illustrated in Figure 2.2. However, in order to give high reliability and maximize the network lifetime, WSNs must function in a way that saves energy, since energy is one of the limitations [28][33].

Figure 2.2 Wireless Sensor Network [29]

Moreover, WSNs are known for their challenging characteristics, as they have a significant impact on the network design in terms of network services and performance [36]. The characteristics of WSNs include the following [36][37]:

o Self-Configurable: Sensor nodes are usually deployed randomly and autonomously configure themselves in the network.
o Low Cost: Since large numbers of sensor nodes are usually deployed in remote or hostile environments, they cannot be reused. Therefore reducing the cost of sensor nodes will result in the reduction of the whole network cost.
o Small Size: Since large numbers of sensor nodes are usually deployed in remote or hostile environments, reducing the size can facilitate node deployment.
o Low Power: Since sensor nodes are powered by batteries and are usually deployed in remote or hostile environments, it is very difficult or even impossible to replace them or recharge their batteries.
o Application Specific: There are different types of sensor nodes, depending on the type of application they are used in. Therefore the design of the network and its requirements differ from one application to another.
o Frequent Topology Change: Due to node failure, death, energy loss or channel fading, the network topology frequently changes.

Furthermore, WSNs are one of the most promising technologies and they have been embraced more than ever [7][38]. They have been used and deployed in different environments (e.g. in the air, on the ground, underwater, on human/animal bodies or on objects like doors and pipelines) for different purposes, so their applications vary. To elaborate more on the WSN applications and their benefits, some examples are listed below [1][33][39]:
- Military Applications: These types of applications include battlefield surveillance, guiding systems of intelligent missiles, and monitoring friendly forces and equipment.
- Environmental Applications: These types of applications include monitoring temperature, traffic, habitat, and wild and forest fire. They help in forest fire detection, flood detection and precision agriculture (e.g. the level of air pollution).
- Health Applications: These types of applications include tracking doctors and patients, diagnostics and drug administration. They help doctors in monitoring patients' physiological data (e.g. heart rate or blood pressure).
- Planetary Applications: These types of applications include monitoring planets other than Earth to detect life likelihood.

However, due to the distributed node nature, cost, size, and power constraints on the sensor nodes, WSNs have stringent limitations on node resources such as energy, computational speed, memory, and communication bandwidth [1][33][35]. So when WSNs are deployed, those limitations should be considered in order to take full advantage of their capabilities. Such limitations pose several challenges, for example sensor battery lifetime, efficient distributed signal processing, data processing, and network security [28][33][40]. However, the two main and critical challenges are the lifetime (i.e. period of operation) and security of the network [33][41][42], as discussed below:
- Network Lifetime: The network lifetime is constrained by the sensors' battery, as sensor nodes use a battery as their power supply. So in order to

increase the network lifetime, WSNs should be designed with the requirement of low power consumption [40]. To elaborate more on the importance of the energy resource and its effect on the applications and their features (e.g. data processing and security), two examples of WSN applications are illustrated. The first example is when the network is installed and deployed in a remote geographical space to monitor a physical phenomenon: the nodes will be unapproachable, or battery replacement will not be easy [34][42]. Hence, recharging, replacing or maintaining those sensor nodes will cost more because of the far distance. The second example is when the network deploys a security mechanism to satisfy the data confidentiality and privacy requirements. Hence, extra computations will be performed and that will require more power. Thus, achieving energy efficiency is a main challenge and a critical issue in WSNs.
- Network Security: Owing to the network limitations, unreliable communication and insecure environment, it is difficult to achieve security in applications deployed over WSNs [13]. This sort of network is a beneficial choice, and is usually deployed, in remote and hostile environments to perform its tasks [8][34]. However, hostile environments are usually unattended. Due to that, WSNs lack physical protection (e.g. no switches or gateways to monitor the flow of information), resulting in a potential for node compromise as well as low network security and protection [7][8].

Routing Protocols

Routing protocols are used to allow nodes to communicate with each other, so they are responsible for maintaining the routes in the network [43]. However, routing protocols must ensure reliable communication while considering the limitations and conditions of the network, as discussed above [36]. There are different types of routing protocols, which differ depending on the application and network architecture [44].

Since energy is a critical element and a limited resource in WSNs, as discussed above, the Low-Energy Adaptive Clustering Hierarchy (LEACH) protocol is selected to be the communication protocol in the developed WSN. The LEACH protocol is one of the first energy efficient protocols for WSNs [29][45]. The LEACH protocol has reduced the energy by a factor of eight compared with the other communication protocols, hence increasing the system's lifetime for the WSNs [29]. LEACH is defined as a self-organizing, adaptive clustering protocol that uses randomization to distribute the energy load evenly among the sensors in the network [29]. LEACH's routing process includes the following (see Figure 2.3):
- The network is divided into a collection of cluster heads (CHs), each of which has its own nodes. This is called the CH layer.
- Then the nodes transmit their data messages/packets to the CHs. This is called the Node layer.
- Afterwards the CHs aggregate and compress the data, then forward it to the base station (BS). This is called the BS layer.

Figure 2.3 LEACH Protocol Topology [46]

The LEACH protocol was developed to increase the lifetime of WSNs; however, security is not taken into account [22]. Therefore, researchers have extended

the LEACH protocol, with the attempt of adding security to it, to secure routing protocols [21][45]. Researchers have been adding security to the LEACH protocol from the time it was developed, which was in 2000 [29], till today. The extended LEACH protocols are discussed more in section

Denial of Service (DoS) Attacks

WSNs are usually deployed in unattended environments where they are not physically safe [47][48]. Due to that, WSNs lack physical protection (e.g. no switches or gateways to monitor the flow of information), resulting in low network security [7][8][47]. Another reason why WSNs are more vulnerable to security attacks is the broadcast nature of the transmission medium [47]. Additionally, most of the routing protocols that are used in transmitting the data in the medium are developed in a simple and straightforward way, so WSNs are vulnerable and susceptible to attacks [49][50]. Therefore, it is important to secure such networks from attacks, especially in applications where security services are important.

Many types of attacks can be performed over a WSN, for example, Sinkhole Attacks, Sybil Attacks, Wormhole Attacks and Denial of Service (DoS) Attacks. However, DoS attacks are among the most common, dangerous and disruptive attacks in WSNs [51]. Denial of Service (DoS) is defined as any event that diminishes or eliminates a network's capacity to perform its expected function or degrades the network's intended service to its users [51]. Moreover, because of their resource limitations, WSNs are considered an easy target for DoS [52]. Therefore, DoS attacks target energy efficient protocols that are unique to WSNs [49][53]. Furthermore, there are different types of DoS attacks depending on their occurrence in the network layers [37][47][51][53], as illustrated in Table 2.1.

Table 2.1 Network Layers and DoS Attacks
Network Layer | Attack
Physical Layer | Jamming, Tampering
Data Link Layer | Exhaustion, Collision
Network Layer | Packet-Dropping (e.g. Blackhole, Grayhole), Flooding, Homing
Transport Layer | SYN (synchronize), De-synchronization Flood
Application Layer | Overwhelming Sensors, Path Based DoS

Among those attacks, packet-dropping attacks (i.e. packet loss) are one of the most disruptive and devastating threats in WSNs [20]. A packet-dropping attack consists of dropping received data packets or control messages instead of forwarding them to other nodes, disrupting the normal operation of the network. Therefore, this study will investigate and analyse this attack.

Intrusion Detection Systems (IDSs)

Efficient and effective security mechanisms are in demand in order for networks to be safeguarded and secured from attacks. As a first line of security defences, intrusion detection and prevention approaches are used in order to reduce possible intrusions. According to [7], an intrusion can be defined as any kind of unauthorized or unapproved activity in a network or a system. Therefore, attacks need to be conveniently addressed by detecting and preventing such malicious behaviours. To address this important issue and overcome one of the main challenges of WSNs, security solution systems have been developed by researchers [54]. Those solutions are software-based network Intrusion Detection Systems (IDSs) [7][54][55]. Each IDS has its own requirements, design, architecture and implementation method. Therefore, these systems are deployed on different applications and environments.

Moreover, IDSs are composed of six components. These components include [56][57]:
- Monitoring Component: It is used for local activity monitoring or for monitoring immediate neighbour nodes or nearby nodes. Mostly, this component monitors internal activities, traffic patterns, and resource utilization [57].
- Analysis Component: It is used to analyze the gathered data and records from all nodes in the network, which include event information, patterns, normal behavior and misbehaviors [56][57].
- Detection Component: It is considered the main component, and is based on modeling algorithms. After analyzing the network behavior, operations, and activities, decisions are made to determine whether they are malicious or not [56][57].
- Logging Component: It is used to store the operations performed over a network and keep track of the malicious behaviors. Also, it can be used to do some further analysis, like studying patterns.
- Alarm Component: It is used as a response-generating component, which raises an alarm in case an intrusion is detected [57]. For example, the alarm can be a broadcast message to notify all the nodes of an intrusion occurrence.
- Prevention Component: It can be seen as a type of response to an intrusion, where the IDS takes a proper action according to the type of intrusion. The prevention technique can be isolating the intruder and compromised node or excluding the malicious nodes from the entire network routes [56][57].

The last three components are considered more as actions taken after an intrusion is detected, as illustrated in Figure 2.4.

Figure 2.4 IDS Components

Many organizations are starting to consider IDSs as the next logical step after deploying firewalls [58], as they play an essential role in the security landscape of an organization [7][55]. Firewalls differ from IDSs: firewalls are defined as a measure of control, enforcing the relevant components of the security policy [59]. On the other hand, IDSs detect intrusion attempts and trigger alerts accordingly.

Watchdog Mechanism

The Watchdog mechanism is one of the intrusion detection techniques used in WSNs [60]. It is a monitoring technique that monitors the nodes within its range (i.e. nearby nodes) [60][61]. Watchdog nodes can detect misbehaving nodes in the network or can collect data from nodes by listening to them, for example by listening to the transmissions of the neighbouring nodes. Also, the Watchdog nodes can listen to multiple nodes or a single node, depending on how the mechanism is used within an IDS. Moreover, the Watchdog mechanism does not consider real traffic situations, such as collisions [61]. Therefore, it may not always be effective in the detection process because of packet collisions [7]. As it does not recognize whether a packet drop is due to a real attack or a network collision [61], it can result in high false positive ratios [60][61] in the detection of some attacks. However, this is dependent on the type of attack that is being detected. For

example, in the case of a Grayhole attack this technique would not be very effective, as it will result in high false positive ratios, because collisions will drop part of the data and that will be considered a Grayhole attack. On the other hand, it is considered a good technique for the Blackhole attack, because for the IDS to decide that this is a Blackhole attack, the whole data has to be dropped and not just part of it. Therefore, our study has used this technique for detecting Blackhole attacks.

2.3 Related Work

WSN security has drawn the attention of many researchers [5]. In the past years, it has been witnessed [21][23][38][62] that IDSs have been developed and are very well investigated by researchers. However, those developed IDSs are not efficient enough to detect all malicious behaviours in a WSN. For example, the IDS proposed in [15] has introduced security to the LEACH protocol through cryptographic algorithms; however, this approach has compromised the energy, since those types of algorithms require a lot of processing. To elaborate more on the IDS studies proposed by researchers, a sample of existing IDSs is explored and reviewed in this literature.

In [20], the authors have proposed a hierarchical energy efficient IDS for Blackhole attacks. The proposed detection schema has introduced a new layer to the LEACH protocol called the second cluster head (SCH) layer. The selected SCH node keeps track of what has been received by the CH. The control packets contain the node identifier and the number of packets received by the CH [20]. Then the control packets are exchanged between the SCH and the BS, in order for the BS to compare the number of packets received from the CH and the SCH [20]. Some IDSs not only detect attacks but also remove them from the network to prevent the attack from happening again. For example, in [63], the authors have proposed an IDS that not only detects the malicious nodes but also removes the nodes from the network. The authors' IDS is based on the Fuzzy Logic technique. Moreover, a cluster-based IDS was proposed by the authors of [64]. The IDS was based on the Stable Election Protocol (SEP) for clustered heterogeneous WSNs. Since it is a heterogeneous-aware protocol, it extends the time interval before the death of the

first node. It has two types of nodes, normal nodes and advanced nodes, where each has a different energy level [64].

Furthermore, some researchers took different approaches when exploring and developing IDSs by taking into account energy efficiency and simplicity. Energy efficiency, in IDSs, is as important as security, because one of the main challenges of WSNs is the network's lifetime [41]; otherwise the network would be useless. One of the first energy efficient protocols for WSNs is the Low-Energy Adaptive Clustering Hierarchy (LEACH) protocol [29][45]. The LEACH protocol was developed to increase the lifetime of WSNs; however, security is not taken into account [45][65]. Therefore, the need for security in the LEACH protocol has inspired many researchers to extend the LEACH protocol with the attempt of adding security features to it, to secure the routing process [21][45] and make it resilient against insider and outsider attackers [65]. Researchers have been adding security to the LEACH protocol from the time it was developed, which was in 2000 [29], till today. To elaborate more on the extended protocols used in IDSs, some studies are discussed below:
- In 2005, S-LEACH was developed and it was the first protocol that added security to LEACH [15]. It adds two important security properties, data authentication and data freshness [15]. Data authentication assures the receiver that the data was really sent by the claimed sender. Data freshness ensures that the message was not a replay of an old message [15].
- In 2006, SecLEACH was developed and it is based on a random key distribution mechanism [66]. The IDS has enhanced the security of the S-LEACH IDS through using a random key pre-distribution technique [66]. It has enhanced the Node-to-CH authentication but it still has some drawbacks; for example, data integrity of the schedule message is not delivered [45].
- In 2008, RLEACH was developed and it was based on a cryptographic version of LEACH [17]. The security scheme used in this IDS is based on the improved random pair-wise keys (RPK) scheme, which relies on

symmetric keys for Node-to-Node authentication. RLEACH is composed of five phases. Moreover, RLEACH detects three types of attacks: selective forwarding, Sybil, and HELLO flood attacks [17].
- In 2009, MS-LEACH was developed and it is based on multi-hop/single-hop transmission [18]. The IDS has enhanced the security of the S-LEACH IDS through providing node to CH authentication and data confidentiality using pairwise keys shared between CHs and their cluster members [18][45]. One of its drawbacks is that it does not provide authentication for join request messages [45].

Moreover, from the performance evaluation provided in the literature and in [46][67], it can be seen how IDSs have compromised the network energy because of their IDS mechanism. Some researchers have introduced security through cryptographic algorithms, and those types of algorithms require a lot of processing, causing the energy requirement to be compromised, while others did not provide total authentication or confidentiality. So it can be concluded that not all IDSs are secure enough or energy efficient [23][46].

Furthermore, performance measurements and metrics are used in evaluating IDSs and routing protocols and in reflecting the efficiency of the simulated network [24]. The performance measurements and metrics used differ from one study to another, for example the network lifetime, number of rounds, energy consumed, packets delivered, delay and overhead measurements [67][68]. Certainly, what is being measured and evaluated will make a difference in the performance selection criteria/metrics, whether the purpose is measuring the energy efficiency, security, scalability or overhead. However, it has been witnessed from recent studies in [20][26][27] that different performance measurements are used regardless of the purpose (that is, even by studies with the same purpose). There is no criteria/metrics standardization for measuring the performance and specifying whether a system is secure, scalable or efficient enough, which leads to inconsistent measures and conclusions. For example, the proposed IDSs in [20][26][27] have used different performance measurements, although they were measuring for the same purpose

and for the same attack and using the same communication protocol. To clarify more, a performance comparison between those IDSs has been provided in Table 2.2. The compared IDSs have been developed with the same properties:
- Goal and Purpose: Energy Efficient Attack Detection (or Detect the attack with the least amount of energy consumed).
- Attack Detected: Packet-Dropping Attack
- Used Communication Protocol: LEACH protocol

Table 2.2 Performance Measurements Comparison
Intrusion Detection System | Used Performance Measurements
Hierarchical Energy Efficient Intrusion Detection System [20] | 1. Number of data packets sent to BS vs. Simulation time; 2. Amount of energy consumed (i.e. power usage) vs. Simulation time
Comparing the Impact of Blackhole and Grayhole Attack [26] | 1. Network lifetime vs. Number of nodes; 2. Number of data packets sent to BS vs. Number of nodes; 3. Amount of energy consumed (i.e. power usage) vs. Number of nodes
Selective Forwarding Attack in LEACH [27] | 1. Number of malicious nodes vs. Number of data packets sent to BS; 2. Number of malicious nodes vs. Packet delivery ratio

However, other important measurements that are more relevant to the packet-dropping attack should have been employed, for example the number of dropped packets and the false positive and false negative ratios. As for the energy efficiency: when did the first and last node die, and at what time in the simulation?

In order to develop and test IDSs, SE processes are needed, starting with the first step, which is to select the suitable software model. In [69], a comparative analysis was provided to show the differences between the SDLC models. The features that were used to conduct this comparative analysis include but are not limited to: Requirement Specification and Understanding, Resource and Cost Control, Risk Involvement and Analysis, and Reusability. Also in [70], another recent comparative analysis was provided; this analysis was focused on three models, which are the Waterfall,

Spiral, and Incremental model. This analysis was performed through discussing the strengths, weaknesses, and suitability (when to use it) of the models. So, from the provided comparative analysis it can be seen how some models are chosen over the others due to their properties and how they match the system's requirements. Each model consists of a set of phases that provides a standard development of a system. Following such models ensures the delivery of high quality systems, manages and keeps track of risks, and prevents project failures that are caused by not understanding the requirements, poor project planning and change control [71][72].

3 CHAPTER THREE: INTRUSION DETECTION SYSTEM DEVELOPMENT

3.1 Introduction

This chapter will discuss the main problem and thrust of this study, which is to go through the development of the IDS by following the software development processes. Section 3.2 reviews the software engineering problem in WSNs, and section 3.3 explores the SDLC phases for the IDS development. Section 3.4 introduces the challenges in this study, and the chapter then closes with a summary.

3.2 Software Engineering in WSNs

As discussed in the previous chapters, developed IDSs do not follow structured software development processes. This results in inadequate requirement management, process, validation and verification of requirements quality [19]. To elaborate on the evidence provided in the literature, hierarchical-based IDSs are neither secure enough nor accurate enough to detect all malicious behaviours, including packet-dropping attacks. In other words, the detection process is not deployed in each layer of the hierarchy. For example, the malicious node or malicious routing can occur at the nodes layer, CHs layer or BS layer. Thus, the problem is the lack of coverage of all malicious behaviours in the proposed IDSs, leading to unpleasant results, such as delays in the detection process, low detection accuracy, or even worse, detection failure, as illustrated in the previous studies. Another problem is the energy consumption in WSNs caused by the IDS. In other words, not all requirements are implemented and then traced. Maybe worse, not all requirements are identified or satisfied, as some requirements have been compromised. In [72][73], these problems are categorized as high software risks that may lead to software failure.

As mentioned before, some problems may lead to intrusion detection failure, which means that the software system has failed to satisfy its requirements and specifications. However, system failure is not limited to not detecting an intrusion, as these systems provide a very critical service, which is security. Therefore, any absence, incorrectness or misuse of the system's requirements that may cause security vulnerabilities in the system is categorized as system failure.

To elaborate more on the software failure causes that were found in IDSs, some of them have been discussed in [71][72][74], and they include but are not limited to the following:
- Poor system development planning.
- Inadequate requirement engineering process.
- Requirements not adequately identified.
- Requirements not adequately managed.
- Requirements not adequately validated.
- Unclear and badly defined requirements.
- Incorrect requirements.
- Misunderstanding of requirements.
- Requirements continually changing.
- Not all requirements are traced while testing.

Therefore, the above points need to be considered when developing an IDS, and all requirements need to be gathered, fulfilled and traced with regard to the WSN resource limitations, specifically the energy supply limitation. In order to reach such an outcome, the system development must go through a set of SE processes, called the Software Development Life Cycle (SDLC).

3.3 Software Development Life Cycle

Engineering an IDS by following the SDLC phases, applied to WSN systems, is important to develop an efficient IDS. It allows the system to deliver the required functionalities, with respect to operational constraints, within an acceptable level of performance, accuracy and reliability [75]. Therefore, this study has selected a hierarchical energy efficient IDS that was proposed by the authors of [20], to illustrate the lack of SE and how important it is to have a synergy between the SE field and the WSN field. This IDS was proposed in 2013, so it is a relatively recent research study, and it detects Blackhole attacks. The routing protocol that has been used here is the LEACH protocol, and that is why their IDS is energy efficient. As mentioned in chapter two, the LEACH protocol is an energy efficient routing

protocol that has no security services; in other words, LEACH does not detect attacks. To clarify it more, Figure 3.1 illustrates the LEACH routing protocol.

Figure 3.1 LEACH Routing Protocol Flow

So, on the same routing scheme of the LEACH protocol, they have added a Blackhole detection schema. However, adding security to LEACH is a challenging issue because it is a dynamic and random protocol [16]: it periodically rearranges the CHs and changes the links between sensor nodes. Due to that, it has a lot of overhead, and hence it is not a good routing technique to provide security with the least amount of resource usage, as these properties make security more difficult [16].

Furthermore, the detection process was performed on CHs only, because LEACH is a cluster-based protocol that relies essentially on CHs for data aggregation and routing [22][65][66]. Thus, electing a malicious node as a CH is among the most devastating and damaging attacks on the network [65][66].

The detection schema proposed by the authors was to select a second cluster head (SCH) that keeps track of what has been received by the CH. The SCH was selected as the node that has the highest remaining energy. The tracking process starts by having the nodes that are joined to the CH send control packets to the SCH. The control packets contain the node identifier (ID) and the number of packets sent to the CH (Nbrpk). The associated nodes send their control packets to the SCH at the end of the transmission phase. Then the SCH sends its received data to the BS. Afterwards, the BS will compare what it has received from the CHs and SCHs and accordingly decide whether an attack has occurred or not. The attacking cases that have been considered by the authors are on the level of CHs only. As mentioned before, a Blackhole attack drops all data packets instead of forwarding them. For example, if the BS gets 0 data packets from the CH and gets 10 data packets from the SCH, then this CH is determined by the BS to be an attacker node. Afterwards, when the BS detects an attack, it broadcasts an alarm message to all nodes to notify them about it. Each sensor node maintains a Blackhole table to prevent the selection of malicious nodes as CHs in the next rounds. To clarify it more, the data flow of the authors' proposed scheme is illustrated in Figure 3.2.
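The BS-side comparison described above, as an added Python sketch (not code from the thesis or from [20]). The INCONCLUSIVE verdict for a missing SCH report, the class and function names, and the sample round are assumptions made for illustration.

```python
"""Base-station side of the SCH-based Blackhole check (illustrative sketch)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Verdict(Enum):
    OK = "ok"
    BLACKHOLE = "blackhole"
    INCONCLUSIVE = "inconclusive"   # assumption: no SCH report means no decision


@dataclass
class ClusterRound:
    """What the BS holds for one cluster at the end of a round."""
    ch_id: int
    packets_from_ch: int                       # data packets the BS got from the CH
    # Control packets relayed by the SCH: node ID -> Nbrpk (packets sent to the CH).
    # None models an SCH report that never arrived (SCH died, report lost).
    sch_report: Optional[Dict[int, int]] = None


def judge(cluster: ClusterRound) -> Verdict:
    """Apply the comparison described in the text to one cluster."""
    if cluster.sch_report is None:
        return Verdict.INCONCLUSIVE
    sent_to_ch = sum(cluster.sch_report.values())
    # Blackhole = everything dropped: members sent data, the BS received none.
    # A partial shortfall is not flagged, since aggregation and collisions
    # also reduce the count that reaches the BS.
    if sent_to_ch > 0 and cluster.packets_from_ch == 0:
        return Verdict.BLACKHOLE
    return Verdict.OK


@dataclass
class SensorNode:
    node_id: int
    blackhole_table: Set[int] = field(default_factory=set)

    def on_alarm(self, malicious_id: int) -> None:
        """Record a CH named in a BS alarm broadcast."""
        self.blackhole_table.add(malicious_id)

    def accepts_as_ch(self, candidate_id: int) -> bool:
        """Refuse CH candidates that are listed in the local Blackhole table."""
        return candidate_id not in self.blackhole_table


def run_round(clusters: List[ClusterRound],
              nodes: List[SensorNode]) -> Dict[int, Verdict]:
    """Judge every cluster, then broadcast one alarm per detected Blackhole CH."""
    verdicts = {c.ch_id: judge(c) for c in clusters}
    for ch_id, verdict in verdicts.items():
        if verdict is Verdict.BLACKHOLE:
            for node in nodes:
                node.on_alarm(ch_id)
    return verdicts


# Constructed sample round (not data from the thesis or from [20]).
SAMPLE_ROUND = [
    ClusterRound(ch_id=3, packets_from_ch=0, sch_report={5: 4, 6: 6}),   # 0 vs 10
    ClusterRound(ch_id=7, packets_from_ch=8, sch_report={8: 5, 9: 5}),   # forwarding
    ClusterRound(ch_id=11, packets_from_ch=0, sch_report=None),          # SCH silent
    ClusterRound(ch_id=12, packets_from_ch=0, sch_report={13: 0}),       # idle cluster
]

if __name__ == "__main__":
    nodes = [SensorNode(n) for n in (5, 6, 8, 9, 13)]
    for ch, verdict in run_round(SAMPLE_ROUND, nodes).items():
        print(f"CH {ch}: {verdict.value}")
    print("node 5 accepts CH 3 next round:", nodes[0].accepts_as_ch(3))
```

Cluster 11 shows why a silent SCH matters: without the report the BS cannot tell a Blackhole CH from an idle or dead cluster, so this sketch withholds the alarm rather than accuse the CH.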

Figure 3.2 Proposed Intrusion Detection Scheme [20]

However, this proposed schema has many vague steps and requirements. After an extensive analysis, we have reached a set of questions that have no answers in their paper. Listed below are the steps and requirements that were found missing or not adequately identified, and that we recommend the authors consider:
- Who has selected the SCH? Was it the BS or the CH? And if it was the CH, then who has informed the BS who the SCH was?
- How was the BS notified who the SCH was?
- How were the rest of the nodes notified who the SCH was?
- How was the current energy calculated and based on what?
- How was the attacker dealt with? Was the attacker excluded from the network?
- How were the performance measurements calculated? In the energy

consumption calculation, was the attacker's energy included in the calculations?

Moreover, some of the SE drawbacks that have been found in the proposed IDS, and that we recommend the authors consider, include:
- Poor System Development Planning: How do the researchers plan to overcome collisions and node death (before packet delivery)? What if a certain node dies before or while sending its control packets to the SCH? This case has a high probability of happening, as control packets are sent at the end of the transmission phase, so the node might die during the round. What if the SCH dies before or while sending its data to the BS? What if the CH dies before or while sending its data to the BS?
- Requirements Not Adequately Validated: What is the detection approach provided if the SCH is the malicious node?
- Badly Defined Requirements: The requirement of making the associated nodes message the SCH causes too much overhead on the network and consequently causes energy loss.
- Requirements Not Adequately Managed: The selection of the SCH was based on the current remaining energy, and that is easy to retrieve in simulation; however, in real life you cannot know how much of the node's energy is left.

So, from the illustrated drawbacks and unclear requirements, we can see why this IDS has been selected to be the subject of this thesis and to be examined and enhanced. Another reason for selecting this IDS is that, although this software [20] studies a very common attack, the attack has a tremendous effect on the network that can basically disrupt or terminate the network's services. The authors' solution was neither well studied nor did it cover all the requirements. Therefore, this study finds it a good case study to show the set of cases and requirements that have not been handled and the inefficiency of the system design, all due to not following the SE

processes. Moreover, the authors have not set clear requirements or a system design to follow, and basically they have left the readers open with possibilities. Therefore, section 4.3 presents a case study that shows the different designs suggested by this research, which the IDS could have been built upon.

To illustrate the enhancements proposed by this study, the following have been added to the selected IDS:
- Add a new factor to the selection criteria of the SCH, which is the Received Signal Strength Indicator (RSSI). RSSI is defined as a measurement of the power present in a received radio signal [76]. Each node within the WSN has an RSSI value. The radio signal strength decreases with the distance [77], so there is a negative correlation between the signal strength and the distance. Therefore, from the RSSI value we can determine the distance of the node. This factor has been added to guarantee that the chosen SCH node would be the closest node to the CH, because our goal is to ensure that the SCH node can hear all in/out transmissions of the CH.
- Change the monitoring and tracking process of the SCH, by deploying the Watchdog technique instead of letting the nodes contact the SCH.
- Once the Watchdog technique is adopted, only the CH and the BS know who the SCHs are, and not all the nodes.

Moreover, to discuss how these enhancements have improved the performance and security of this IDS on WSNs, a theoretical analysis has been illustrated in Table 3.1.

Table 3.1: Theoretical Analysis of Enhancements
Before Enhancement | After Enhancement
The monitoring process was based on letting the nodes, which are joined to CHs, communicate with the SCH and send their control packets. This has increased the number of sent messages from each node, which is expensive for the node, especially if the SCH was far. Moreover, this process is performed at the transmission phase of each round. | Change the monitoring and tracking process of the SCH, by deploying the Watchdog technique instead of letting the nodes communicate with the SCH [78][79]. This will decrease the energy consumption and hence increase the network lifetime. This is because the number of sent messages (overhead) has been decreased for each node, which consequently saves the nodes' energy [78][79]. Therefore, this factor will contribute to increasing the network's lifetime, and hence it will increase the network security, because it will provide more time and thus increase the probability of detecting and eliminating more malicious nodes from the network [78][79].
The SCH selection criteria were based on the remaining energy indicator only. | Add a new factor to the selection criteria of the SCH, which is the Received Signal Strength Indicator (RSSI). This way the closest node with the highest remaining energy will be selected as SCH. This will enhance the security and energy consumption and hence enhance the network lifetime because: (1) It ensures that the SCH hears all the nodes that are joined to the CH, and thus ensures detection accuracy [77]. (2) The process of listening to the nodes consumes a small amount of energy; however, selecting the closest node will decrease this value. Therefore, this factor will contribute to increasing the network's lifetime [77].
All the nodes in the network know who the SCHs of their CHs are. | Since the Watchdog technique is adopted, only the CH and the BS know who the SCHs are, and not all nodes. This increases the security by having fewer nodes targeting the SCHs for an attack.

So, in order to implement these enhancements and develop an enhanced version of the discussed IDS, this research has started with the first and very important step, which is to

48 select the right and suitable SDLC model. The selection process depends on a set of selection factors [80], as illustrated in Table 3.2. Table 3.2: SDLC Model Selection Factors [80] Notation F1 F2 F3 F4 F5 F6 F7 F8 F9 F10 F11 F12 F13 F14 Factors Nature/type of project Project size Project duration Project complexity Level and type of expected risk Level of understating or user requirements Level of understanding of the application area Customer involvement Experience of developers Team size Man-machine interaction Availability of tools and technologies Versions of product Level of reliability required. However, to fulfil the characteristics of developing an IDS, the above factors are not enough. 36 P a g e

Therefore, according to the above factors [80] and the ones in [81][82], a combination of factors has been created and then applied to the characteristics of developing an IDS [7][9], as illustrated in Table 3.3.

Table 3.3 IDS Selection Factors

Factors | IDS Development Characteristics
Nature/type of project | Iterative
Project size | Large
Project duration | Long
Project complexity | Complex
Level and type of expected risk | High risks
Level of understanding of user requirements | Initial
Change Incorporation | Medium
Customer/User involvement | Low
Experience of developers | High
Team size | Medium
Risk analysis | High
Understandability of the tools and technology | Medium
Versions of the product | Many
Level of reliability required | High

According to the results in Table 3.3 and based on the studies done in [9][81][82], it can be decided that the suitable model is the Spiral Model. The spiral model of a software process is broken down into four phases [83], as illustrated in Figure 3.3.

Figure 3.3 Spiral Model Phases [83]

Moreover, the development of an IDS may go through several development iterations, and each iteration will pass through the SDLC phases again. The first iteration can detect attacks. The second iteration can enhance the network resource usage or remove the attacker (i.e. malicious node) from the network, and so on. By going through the Spiral model phases, more details will be given on how the development of the proposed IDS was accomplished, as below.

Phase One: Determine Objectives and Constraints

The first stage of software development is identifying and collecting the system's objectives and requirements. It is the most important and critical stage of the development process [80][81], because any requirement that is not resolved at this stage will be carried through the rest of the SDLC. Therefore, requirements have been gathered and analyzed from the beginning, to cover all the requirements in the IDS hierarchy layers, with regard to resource constraints, and to avoid system failure or dissatisfaction. Firstly, the general and main requirements are listed based on the categories defined in [7][84][85]:

Functional Requirements
1. The system shall detect intrusions of type Blackhole attacks.
2. The system shall be energy efficient.

System Requirements
1. The system shall not introduce new weaknesses.
2. The system shall use little system resources (e.g. energy).
3. The system shall not degrade the overall system performance by introducing overheads.
4. The system shall be reliable.
5. The system shall be scalable.
6. The system shall add a third layer to the LEACH hierarchy, called the second cluster head layer.
7. The system shall allow the SCHs to listen to and monitor the CHs, by deploying the Watchdog technique.
8. The system shall allow the SCHs to communicate with the BS.
9. The system shall detect packet-dropping attacks at the CH layers only.
10. The system shall select the SCH nodes based on the highest energy indicator (EI) and received signal strength indicator (RSSI) of a node.
11. The system shall detect internal (within the network) intruders/attackers.
12. The system shall allow the BS to broadcast an alarm message when attacks occur.
13. The system shall maintain a Blackhole table for each node to prevent the selection of malicious nodes as CHs or SCHs.
14. The system shall automatically record actions and incidents when they occur.

Output Requirements
1. The system shall generate a trace file report to log all actions.
2. The system shall generate a monitoring report to track intrusion incidents and discover Blackhole attacks.
3. The system shall generate network performance reports including:
- Energy Consumption
- Network Lifetime through:
  o Number of Nodes Alive
  o Number of Rounds
  o Time of First Node to Die
- False Negative Ratio

Simulation Requirements
The functional requirements must meet real-time requirements and reflect the real-time cases and characteristics of nodes in WSNs. For example, if the IDS scheme functions based on the location of the node, then it needs to take into account that this consumes a lot of energy, since in real-time you will have to add a GPS to the node, whereas in simulation the location can be easily calculated. Therefore, the developer will have to subtract a lot from the energy when calculating the energy of the node in simulation.

Phase Two: Identify Risks and Evaluate Alternatives

The second stage is to identify the alternatives and risks and evaluate them. Risks are definite in IDSs; therefore, the risks associated with the enhanced IDS and their effects are illustrated in Table 3.4.

Table 3.4 Identified Risks

Risk: The probability of consuming and compromising the node's energy.
Effect on IDS: The node will die and become useless; it might also cause false-positive detections. For example, in the case of a CH, data will not be sent because the node has died, and accordingly the BS will classify this CH as a malicious node.

Risk: The probability of a collision happening when the CHs send their data to the BS.
Effect on IDS: The CH's data will be dropped because of the collision, and accordingly the BS will classify this CH as a malicious node.

Risk: The probability of a CH dying (i.e. not enough energy to send the data) when sending its data to the BS.
Effect on IDS: The CH's data will not be sent because the node has died, and accordingly the BS will classify this CH as a malicious node.

So, from the discussed risks it can be seen that the main effect is the probability of false-positive detections, as the risk is that the messages sent from CHs or SCHs are not received. However, this does not affect the detection process of Blackhole attacks, since only part of the packets are dropped and not all of them. Therefore, this risk has more effect on Greyhole attacks, which drop part of the sent packets, as the affected nodes would accordingly be classified as Greyhole attackers. Thus, this will increase the false-positive ratio. As for the alternatives, they have been defined and discussed in Table 3.5.

Table 3.5 Identified Alternatives

Alternative: Add a third selection criterion based on the history (reputation value) of the nodes, for example whether a node has been selected as a SCH or a CH before.
Evaluation: This will increase the energy efficiency of CHs and SCHs, as previously selected CHs or SCHs have already consumed more energy than the ones that have not been selected, because they have performed more expensive operations, including communicating with the BS and processing all packets received by the CH. Therefore, the nodes that were not previously selected will have more energy and thus have less probability of dying before previously selected nodes.

Alternative: Add a Message Authentication Code (MAC) for the integrity and authentication process.
Evaluation: This will consume more energy and nodes will die sooner. However, it will increase the security and increase the originality of the node and assure authenticity.

Those alternatives are planned in Phase Four and are to be implemented in the next iterations of this system development to enhance the proposed IDS.

Phase Three: Develop and Verify the System

In order to develop, verify and test the IDS, this study has used the NS2 tool [32]. This tool uses two languages, C++ and the Tool Command Language (TCL). TCL is a scripting language used as a user interface and used to describe and create the simulation. The C++ language is used for internal packet and routing processing and provides complete control. However, TCL is faster to write and change, as it does not require any compilation [32].

Furthermore, to get high reliability, accuracy and efficiency in the developed IDS, this study has performed two steps before starting the actual development of the proposed IDS.

Step One: Study the LEACH protocol implementation
The LEACH code was open source code that was developed by a couple of researchers from the Massachusetts Institute of Technology (MIT). This study started by exploring the code and testing it using the NS2 tool. This was a good start to explore and learn the behavior of WSNs, and to study the flow of control and data packets, the LEACH hierarchy, and how the communications were set up.

Step Two: Implement the compared-to approach developed by the authors of [20]
The source code of this IDS is not open source, therefore we had to implement the IDS scheme ourselves, but the research had a lot of unclear points, as mentioned before. Thus, in this research three different designs have been suggested, implemented, and tested. One of these designs is discussed in this section, as it is more efficient when compared with the other two designs in terms of performance. The three designs and their results are discussed in detail in the next chapter. In spite of that, this has offered us a chance to see the different aspects that must be considered when implementing the requirements. Therefore, we were able to find another contribution in the SE field, which is how different software designs of IDSs can affect the WSN performance and security.

Afterwards, an enhanced software design of the IDS was developed and implemented. The flow of the pseudo code is illustrated in Figure 3.4.

Figure 3.4 Enhanced IDS Design

The new enhanced IDS keeps track of all packets sent and received by the CHs by deploying the Watchdog technique on the SCH nodes, which play the role of Monitoring Agents. This technique helped us study the behavior of the nodes and extract attributes that help in identifying the nodes' status, that is, whether they are losing packets and consuming energy. The data attributes that are collected are:

- Node ID: It distinguishes nodes by unique identifiers called IDs. This helps in identifying the nodes, the CH they belong to, and the SCH that they are monitored by.
- Time: It refers to the current simulation time. It helps in keeping track of attack occurrences and organizing the flow of the schema phases, for example when to start the Schedule Phase or the Advertisement Phase, and most importantly in setting channel transmit times to avoid collisions.
- Round Number: It refers to the current running round within a stage in the network.
- Monitored CHs (CHs): It refers to the CH ID that is watched by the monitoring node (i.e. SCH).
- Monitoring Nodes (SCHs): It refers to the SCH ID that is monitoring the CH.
- Energy Indicator: It refers to the current remaining energy of the node.
- Consumed Energy Indicator: It refers to the amount of energy consumed by the node.
- RSSI: It refers to the received signal strength indication between the sending node and the receiving node, which in our case is the CH. The higher the RSSI value, the closer the node is to the CH, and vice versa. Therefore, from this attribute the distance between the nodes can be found, and accordingly their locations.
- Detected Blackhole Nodes: It refers to a table that keeps track of all detected Blackhole attacks within the network.
- Number of Joined Nodes: It refers to the number of nodes that have joined a specific CH.
- Dropped Data: It refers to the number of data packets dropped by the attacker node.
- Monitored Data: It refers to the data monitored and heard by the SCH node. It stores the Node ID of the sending node (joined node), the number of packets it sent, and which CH it is monitoring. In other words, it monitors the data received by the CH.
- Base Station Data: It refers to the amount of data sent to the BS and from which CHs.
- Time of First Death: It refers to the simulation time of the first node to die in the network.
- Total Rounds: It refers to the number of rounds the network went through. The higher the number, the longer the network has lived.

Consequently, after collecting all the above data, reports will be generated to identify the behaviors and abnormal actions of the nodes. Figure 3.5 illustrates the Monitoring Report that collects all sorts of data attributes, and Figure 3.6 shows the Detection Report that has all the detected Blackhole attacks.
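The SCH selection and Watchdog monitoring described above can be traced in a small stand-alone simulation; this is an added example, not the thesis's NS2 code. It selects the SCH from the Energy Indicator and RSSI while honouring the Blackhole table, lets the BS compare the SCH's Monitored Data with the Base Station Data, and shows the dead-CH false positive listed in Table 3.4. The equal-weight scoring, the BS comparison rule, all function names and the sample clusters are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Node:
    node_id: int
    energy: float            # Energy Indicator: remaining energy in joules
    rssi: float = -60.0      # RSSI of the CH's signal at this node in dBm (higher = closer)
    blackhole: bool = False  # ground truth of the constructed scenario; the IDS never reads it


def select_sch(members, blackhole_table, use_rssi=True):
    """Choose the SCH among a CH's joined nodes, skipping dead and blacklisted nodes."""
    candidates = [n for n in members
                  if n.energy > 0 and n.node_id not in blackhole_table]
    if not candidates:
        return None

    def scaled(value, values):
        lo, hi = min(values), max(values)
        return 1.0 if hi == lo else (value - lo) / (hi - lo)

    energies = [n.energy for n in candidates]
    rssis = [n.rssi for n in candidates]

    def score(n):
        # Assumption: equal-weight sum of the two indicators, each scaled to [0, 1].
        s = scaled(n.energy, energies)
        return s + scaled(n.rssi, rssis) if use_rssi else s

    # Ties go to the lower node ID so the choice is deterministic.
    return max(candidates, key=lambda n: (score(n), -n.node_id))


def bs_verdict(heard_by_sch, received_at_bs):
    """Assumed BS rule: compare the SCH's Monitored Data with the Base Station Data."""
    if heard_by_sch == 0:
        return "idle"
    if received_at_bs == 0:
        return "blackhole"       # everything that entered the CH vanished
    if received_at_bs < heard_by_sch:
        return "partial-loss"    # collision or Greyhole-like loss, not a Blackhole
    return "ok"


def run_round(ch, members, blackhole_table, packets_per_node=3):
    """One transmission phase for one cluster; returns (SCH id, verdict)."""
    sch = select_sch(members, blackhole_table)
    if sch is None:
        return None, "unmonitored"
    # Watchdog: the SCH passively counts the packets the joined nodes send to the CH.
    # No joined node transmits anything to the SCH.
    heard = sum(packets_per_node for n in members if n.energy > 0)
    # A Blackhole CH forwards nothing; a CH with no energy left cannot forward either.
    received_at_bs = heard if (ch.energy > 0 and not ch.blackhole) else 0
    verdict = bs_verdict(heard, received_at_bs)
    if verdict == "blackhole":
        blackhole_table.add(ch.node_id)   # BS alarm: node is barred from CH and SCH roles
    return sch.node_id, verdict


def false_negative_ratio(attackers, detected):
    """Share of real attackers that were never flagged."""
    return len(attackers - detected) / len(attackers) if attackers else 0.0


def demo():
    """Constructed scenario: three clusters in round 1, one cluster in round 2."""
    table = set()
    cluster_a = [Node(10, 1.8, -70), Node(11, 1.6, -48), Node(12, 1.7, -55)]
    honest_ch = Node(1, 1.5)
    attacker_ch = Node(2, 1.9, -40, blackhole=True)
    dead_ch = Node(3, 0.0)       # honest CH that ran out of energy
    results = {
        # Energy-only selection (before the enhancement) picks the farthest node.
        "sch_energy_only": select_sch(cluster_a, table, use_rssi=False).node_id,
        "a": run_round(honest_ch, cluster_a, table),
        "b": run_round(attacker_ch, [Node(20, 1.3, -52), Node(21, 1.2, -66)], table),
        "c": run_round(dead_ch, [Node(30, 1.1, -58), Node(31, 1.0, -61)], table),
    }
    # Round 2: flagged node 2 rejoins as a member with the best energy and RSSI.
    round2_members = [attacker_ch, Node(40, 1.5, -50), Node(41, 1.4, -65)]
    results["round2"] = run_round(Node(4, 1.6), round2_members, table)
    results["table"] = sorted(table)
    results["fnr"] = false_negative_ratio({2}, table)
    results["false_positives"] = sorted(table - {2})
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Node 3 ends up in the Blackhole table although it is honest, which is the false-positive effect of a CH dying before it can send its data to the BS.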

Figure 3.5 Monitoring Report

Figure 3.6 Detection Report

Therefore, through this report, this study has ensured that the false negative ratio has been reduced to 0%, as this attack is very easy to detect. Additionally, this approach has enhanced the energy performance and network lifetime, as will be illustrated in section 4.4. The above outcomes have been reached by running the experiments (simulation operations) twenty times for each approach and then taking an average. This testing approach is based on the common practice performed by researchers, as provided in the literature and in [20][32]. This was for the purpose of removing the effect of randomness or inconsistency in the results that is caused by simulation environments when tests are performed. Therefore, the best practice is to perform the tests until the results are consistent.

Moreover, this takes us to another problem, which is the lack of systematic tools used by engineers to check if the requirements are achieved [41]. Also, there are no available standard IDS test suites [84], so engineers/testers need to generate both malicious activities and benign activities [84] to test their IDSs. Therefore, tests are carried out through simulation testing using simulation tools. Also, in such systems, simulation testing is not enough; real-world testing should be conducted after the simulation testing [72]. As for the scope of this work, only simulation testing was conducted, and the real-world testing will be part of the future work.

Phase Four: Plan Next Phase

In this phase we plan to overcome the risks, implement the suggested alternatives and explore their effects. However, because of the limited thesis timeline, we have considered them as future research work and extensions to this research study.

3.4 Challenges

With every project or new task, challenges are faced. The challenges that this study faced include:

- Adopting and considering the WSNs' resource limitations while developing the IDS.
- Mastering the development and testing simulation environment (NS2).
- Learning the TCL scripting language.
- Tracing and debugging the code in simulated WSNs.
- Understanding the flow of operation in a simulated WSN and the required real-world considerations.
- Understanding the simulation requirements and balancing them with the real-world requirement activities.

3.5 Summary

This chapter has clarified the development of an IDS through following structured SDLC phases. Also, a set of algorithms has been studied, and the chapter has illustrated the reasons for selecting the proposed IDS and discussed the enhancement factors. The results are discussed and analyzed in the next chapter.

4. CHAPTER FOUR: CASE STUDY

4.1 Introduction

This chapter illustrates three different software designs that have been suggested for the selected IDS. Also, comparisons between the designs are provided to show the different effects that are reflected on the selected IDS. Section 4.2 reviews the selected IDS and the basis on which it was selected. Section 4.3 explores the different designs that can be built for the selected IDS, and section 4.4 discusses and analyses the results of the different designs. Lastly, section 4.5 provides a summary of the results.

4.2 Case Overview

The IDS that is studied here is a hierarchical energy efficient IDS that detects Blackhole attacks. This IDS was discussed in detail in section 3.3. However, the schema proposed in [20] had a lot of vague steps and requirements, which the authors did not clarify, leaving the readers with open possibilities. Therefore, this study has taken this research as a case study, in order to show how different software designs can affect the security and network performance. The suggested designs that have been designed and implemented in this study are discussed in detail below.

4.3 IDS Software Designs

The suggested designs that have been developed include:

First Design: Scheduling Design

This design is the first suggested design that has been developed by this study. The nodes are informed who the SCHs are through the scheduling message sent at the Schedule Creation Phase, therefore it is called the Scheduling design. So, in addition to the data sent in the scheduling message, extra data is added to it, which is who the SCH node is. In other words, no extra message is required to send this information. The message is sent by the CHs to their joined (i.e. associated) nodes, so the nodes only know the SCH of their CH. To clarify more, Figure 4.1 illustrates the flow of this design.

Figure 4.1 Scheduling Design Flow

4.3.2 Second Design: Broadcasting Design

This design is the second suggested design that has been developed by this study. The nodes are informed who the SCHs are through a new broadcast message sent during the Schedule Creation Phase, therefore it is called the Broadcasting design. So, a new message type has been introduced in this design, which is the SCH Broadcast Message. The message is sent by the CHs to their joined nodes, so the nodes only know the SCH of their CH. To clarify it more, Figure 4.2 illustrates the flow of this design.

Figure 4.2 Broadcast Design Process Flow

4.3.3 Third Design: Watchdog Design

This design is the third suggested design that has been developed in this study. The SCH nodes are selected as Watchdog nodes at the Schedule Creation Phase to monitor CHs, therefore it is called the Watchdog design. This design deploys the monitoring technique instead of the message passing technique. So the nodes are not informed who the SCH is, and only the CH knows who it is. There are no extra messages sent, and that is one of the reasons it is the most optimized of the suggested designs. This design was the main thrust of this study and it was discussed in detail in section 3.3.

Results and Analysis

This section examines the impact of the different software designs on the performance of the selected IDS in terms of:

- Energy Consumption: This metric is defined as the amount of energy used and spent by the sensor nodes in the WSN. The unit of measurement used here is Joules (j).
- Network Lifetime: This metric is defined as the amount of time a WSN would be fully operative. The unit of measurement used here is Seconds (s). It is measured through a set of parameters, which include:
  o Number of Nodes Alive: This metric is defined as the number of nodes that are still alive and have energy to function in the WSN.
  o Number of Rounds: Since the measured IDS is based on the LEACH protocol, the operation of LEACH is broken up into rounds (i.e. rounds are basically time stamps) [29]. So, this metric is defined as the number of rounds that were performed in the WSN.

  o Time of First Node to Die: This metric is defined as the time until the first sensor node runs out of energy in the WSN.
  o False Negative Ratio: This metric is defined as the percentage of incorrect detection results, which incorrectly indicate that an attack is absent although there is an attack.

The different designs of the IDS were developed and tested using the NS2.34 simulation tool [32]. The number of tests performed was twenty; however, the best practice is to perform the tests until the results get very close and become consistent. Through twenty tests we were able to reach such results in most of the measurements. In simulation testing, in order to have the infrastructure-based network be compatible with the characteristics of WSNs, it is required to simulate different parameters, for example the number of nodes used, the size of the simulation area, and the traffic send rate and type [32]. The simulation parameters that were used in the testing process are summarized in Table 4.1.

Table 4.1 Simulation Parameters

Parameter | Value
Network surface | 1000 m²
BS location | (50,175)
Number of nodes | 100 nodes
Number of clusters | 5
Size of data packet | 500 bytes
Size of packet header | 25 bytes
Routing protocol | LEACH
MAC protocol | CSMA / TDMA
Simulation time (in seconds) | 3600
Initial energy (in joule) | 2
Attackers intensities | 30%

This research started studying the effect of Blackhole attacks by performing two test cases on the original LEACH, one test case without injecting the attack and one with the attack. This step has given us an insight into how sensitive the sensor nodes are and the cost of the attacks. Also, this study was able to explore the routing process and the packet-dropping activities. The results of this study are illustrated in Figures 4.3, 4.4 and 4.5, and these results are from injecting 30% of the network's nodes with the packet-dropping attack.

Figure 4.3 illustrates the amount of energy consumed along the simulation time. We can see that the energy consumed with an attack is less than without an attack. This is because when the node drops data packets it basically does not transmit data, and hence it saves energy.

Figure 4.3 Energy Consumption Measurement

Furthermore, the effect of the attack was measured through the packet delivery ratio, because what this attack basically does is drop the packets, so it is important to measure the amount of delivered packets. Packet delivery ratio is defined as the ratio of the number of data packets delivered to the destination to those generated by the source [86]. So, in Figure 4.4 we can see that without an attack the data delivery ratio is 100%, because all the data is received. On the other hand, we can see that the percentage has decreased when the attacks were injected to drop the sent packets. The percentage of the delivery ratio has reached 97% at simulation time 220 seconds.

Figure 4.4 Packet Delivery Ratio Measurement

In Figure 4.5, it can be seen that with an attack the nodes live longer in the network as compared with the network that has no attacks. On the other hand, we can see that the percentage has decreased when the attacks were injected to drop the sent packets. The percentage of alive nodes has reached 77% at simulation time 240 seconds.

Figure 4.5 Number of Nodes Alive Measurement

Afterwards, the suggested designs were implemented and tested, and their results are compared and discussed below.

Energy Consumption

The more energy the network's nodes have, the higher the probability of detecting an attack and the longer the network will live to perform its services. Figure 4.6 illustrates a comparison between the three designs in terms of energy consumption.

Figure 4.6: Energy Consumption Measurements

From the figure, we can see that the Watchdog design has consumed the least energy. This is due to the Watchdog monitoring mechanism, as it has reduced the number of message transmissions required and hence it has reduced the energy cost. The Watchdog technique has eliminated the need to have CHs communicate with the associated nodes, as well as the communications between SCHs and the associated nodes of the monitored CH. For example, if a CH had 10 nodes associated to it, then 20 message transmissions (10 between the CH and the associated nodes to inform them of the ID of the SCH + 10 between the associated nodes and the SCH to report what they sent to the CH) have been reduced to 0, because the SCH only monitors nodes and does not need to send messages.

The worst design is the Broadcasting design. This is due to the message transmission process done at the Schedule Creation Phase and Data Transmission Phase. This design is exactly the opposite of the Watchdog design. For example, if a CH had 10 nodes associated to it, then 20 message transmissions are required.

As for the Scheduling design, it is more similar to the Broadcast design than to the Watchdog design. The only difference is that the CH uses the same scheduling message used in the Schedule Creation Phase, with a small amount of extra data added to it. So, this design does not initiate a new message transmission to inform the associated nodes who the SCH is.

Network Lifetime

Network lifetime is measured through a set of parameters, which include:

Number of Nodes Alive

The number of nodes alive in the network is an indicator of the network lifetime, because as long as there are functioning nodes in the network, the network will keep running. Figure 4.7 illustrates a comparison between the three designs in terms of number of nodes alive.

Figure 4.7: Number of Nodes Alive Measurements

From the figure, we can see that in the Watchdog design nodes start to die after a long period of time when compared with the rest of the designs. Thus, this design will increase the network lifetime. This is due to the same reasons explained for Figure 4.6. The worst design is the Broadcasting design, and this is due to the message transmission process done at the end of the round and mainly because of the SCH notification process, where each CH broadcasts a message to all of its associated nodes to inform them who the SCH is. Routing messages are very expensive in WSNs, and their cost can be seen in this design.

Number of Rounds

The more rounds in the network, the longer the network will live and the more services are provided by the network, and hence the higher the probability of user satisfaction. Table 4.2 illustrates a comparison between the three designs.

Table 4.2 Number of Rounds

Design | Number of Rounds
Scheduling | 29
Broadcast | 20
Watchdog | 27

As Table 4.2 shows, the worst design is the Broadcast design, as it performs the least number of rounds, and the best design here appears to be the Scheduling design. However, this is not the case because, if more tests were performed, the average result would have been the Watchdog design (as all the other metrics show this result). So, from here we can see that some metrics require more tests to reach a consistent result, but since all the other measurements were performed on twenty tests, this one was performed on twenty tests as well.

Time of First Node to Die

The earlier the node dies, the more energy it has consumed and the less time the network will last. Table 4.3 illustrates a comparison between the three designs.

Table 4.3 First Node to Die

Design | Time of First Node to Die
Scheduling |
Broadcast |
Watchdog |

As Table 4.3 shows, the earliest first node to die is in the Broadcast design, which means that the network does not live for long here. So this is the worst design among them all. On the other hand, the Watchdog design has the latest first node to die, so it is the best design among them all.

False Negative Ratio

As discussed before, Blackhole attacks are devastating and disruptive attacks, yet they are very easy to detect if they are well monitored. Therefore, the probability of getting a false alarm detection is very low, if not impossible. However, through this study the network lifetime has been increased in order to have more time to detect attacks. So, as long as the network is alive/functioning, all attacks are detected, therefore the detection rate is 100%.

4.5 Summary

A results summary of the overall twenty tests that were performed is illustrated in Table 4.4.

Table 4.4 Results Summary

Performance Measurements | Scheduling Design | Broadcast Design | Watchdog Design
Energy Consumption (j) | | |
Network Lifetime (s) | | |
Nodes Alive at End of Simulation (No.) | | |
False Negative Ratio | 100% | 100% | 100%

Figure 4.8 clarifies the comparison between the network lifetime and energy consumed.

Figure 4.8 Results Summary

To conclude, the Watchdog design is the best design among the three suggested designs. Afterwards comes the Scheduling design, then the Broadcast design, as illustrated in Figure 4.9.

Figure 4.9 Best Design Rating (labels: Broadcast Design, Scheduling Design, Watchdog Design)

The Broadcast design is the worst design, as it has a lot of message transmission overhead, causing the nodes to lose their energy over message passing. These conclusions were drawn from the above performance measurements, and the reasons have been discussed in detail above.

5 CHAPTER FIVE: CONCLUSION

5.1 Introduction

This chapter provides a conclusion to this study and answers the main research question, which was presented in the introductory chapter. Moreover, the contributions and objectives of this study, research issues, limitations and future research directions are raised and discussed.

5.2 Research Conclusion

This study explores the development of an energy efficient IDS for packet-dropping attacks in WSNs through following the SDLC phases, processes and techniques. Also, it examines the effect of designing and developing three IDS designs and measures their effect on the performance of the IDS in terms of energy, network lifetime, and security. Furthermore, this study has achieved the research objectives across the phases of the methodology.

In phase one, we explored the literature and did a theoretical analysis to investigate the previous IDS studies, techniques and detection schemas, and studied the challenges and limitations that have been introduced. We also studied the absence of SE practices and their effect on the overall results and on the development process, such as missing requirements and inconsistency in the testing process and measures. More importantly, in this phase, we were able to see and feel the lack of SE practices applied in the field of WSNs in general and in the development of IDSs in particular.

Afterwards, in phase two, we were able to build up our theory of detecting the Blackhole attack and determine the enhancement factors that were used in the newly developed IDS. So, in this phase this study has developed a new enhanced version of an IDS through following the SDLC phases. To explore the need for SE further, this study has designed three different IDS designs to illustrate the effect of software design, development and testing, and measured the results.

Then in phase three, the developed IDSs were tested and validated through simulation modeling using NS2. Lastly, in phase four, conclusions were drawn from the result comparisons and analyses performed in phase three.

Subsequently, after completing and achieving the objectives of this study, we were able to answer the main and subsidiary research questions. The main research question, addressed in chapter four, was "What are the enhancements that have been added to the hierarchical energy efficient intrusion detection system for improving the packet-dropping detection in WSNs?". The enhancements that were added include: adding another factor to the SCH selection criteria, the RSSI factor, to determine the closest node to the CH; deploying the watchdog technique; reducing the number of messages sent between the nodes; and making the SCH known only to the CH and BS (increasing the SCH's secrecy).

The subsidiary research questions were also addressed in this thesis. The first, "What are the benefits of following the SDLC phases in IDSs development?", was addressed in chapter three, sections 3.2 and 3.3. The second, "What is the most suitable software process model for developing an IDS in WSNs?", is answered by the Spiral model and was addressed in chapter three, section 3.3. The third, "How was the requirement engineering and software testing processes applied to the IDS?", was addressed in chapters three and four. The fourth, "What are the challenges of hierarchical IDSs, WSNs and energy-aware hierarchical protocols such as LEACH protocol?", was addressed in chapter two, section 2.1. The last, "What are the challenges of improving the IDS without compromising the energy resource in WSNs and how was it done?", was addressed in chapter three, section 3.4.

Moreover, to conclude on the main results of the three suggested designs (Scheduling, Broadcast and Watchdog), with respect to the evaluation metrics the Watchdog design was the best of the three. Next comes the Scheduling design, then the Broadcast design. The Broadcast design is the worst, as it has a lot of message transmission overhead, causing the nodes to lose their energy over message passing. Thus the first research contribution has been accomplished. Another contribution has also been accomplished, which is to suggest some enhancements to a pre-existing IDS in order to improve the energy resource and network lifetime. Developing the new enhanced IDS while deploying the SE processes is another important contribution that has been accomplished.

5.3 Limitations

Throughout this research, limitations were encountered. Some of the shortcomings include:

- The lack of prior research studies that explore WSN problems from a SE perspective.
- The environmental aspects are not considered in NS2, where the area is assumed to be flat and empty.
- The energy consumed by the data processing operation is not considered.
- The time collisions that cause partial packet delivery failures, consequently resulting in Greyhole attacks. However, this does not affect the Blackhole attack; therefore, this limitation will be considered as future research.

5.4 Future Research Directions

In addition to the IDS enhancements mentioned in this study, there are further valuable enhancements worth mentioning as future research, including:

- Perform further performance analysis on different test scenarios, such as considering external intruders, larger sample sizes of WSNs, and advanced attackers that have more energy than normal nodes.
- Enhance the detection process by making it more scalable, to detect Blackhole attacks at the SCH level.
- Detect Greyhole attacks with the proposed IDS.
- Eliminate all network collisions to prevent false positive alarms in Greyhole attack detection.
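The collision limitation and the Greyhole false-positive item above can be made concrete with a watchdog-style forwarding counter. This is an added example, not code from the thesis or its NS2 simulation; the class and function names, the 0.8 ratio threshold, the 10-packet minimum and the constructed packet traces are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    NORMAL = "normal"
    SUSPECT_GREYHOLE = "suspect-greyhole"
    BLACKHOLE = "blackhole"
    INSUFFICIENT = "insufficient-data"


@dataclass
class Watchdog:
    """Tallies packets handed to a monitored forwarder against the
    forwards the monitoring node actually overhears leaving it."""
    min_samples: int = 10        # assumed: no verdict on fewer handed packets
    grey_threshold: float = 0.8  # assumed: lower forwarding ratio is suspicious
    handed: int = 0
    overheard: int = 0

    def observe(self, forwarded: bool, collided: bool) -> None:
        self.handed += 1
        # A collision hides an honest forward from the watchdog exactly as
        # if the packet had been dropped; only heard forwards are counted.
        if forwarded and not collided:
            self.overheard += 1

    def ratio(self) -> float:
        return self.overheard / self.handed if self.handed else 1.0

    def verdict(self) -> Verdict:
        if self.handed < self.min_samples:
            return Verdict.INSUFFICIENT
        # Partial collision loss cannot push an honest forwarder to zero
        # overheard forwards, so the all-drop signature stays unambiguous.
        if self.overheard == 0:
            return Verdict.BLACKHOLE
        # A partial shortfall has two indistinguishable causes here:
        # selective dropping (Greyhole) or collision loss on the channel.
        if self.ratio() < self.grey_threshold:
            return Verdict.SUSPECT_GREYHOLE
        return Verdict.NORMAL


def simulate(drop_every: int, collide_every: int, packets: int = 30) -> Watchdog:
    """Constructed trace: the monitored node drops every `drop_every`-th
    packet (0 = honest, 1 = Blackhole) and every `collide_every`-th
    transmission is lost to a collision (0 = collision-free channel)."""
    wd = Watchdog()
    for seq in range(1, packets + 1):
        dropped = drop_every > 0 and seq % drop_every == 0
        collided = collide_every > 0 and seq % collide_every == 0
        wd.observe(forwarded=not dropped, collided=collided)
    return wd


def scenario_table() -> dict:
    """Verdict and overheard/handed counts for each constructed scenario."""
    scenarios = {
        "honest, clean channel": simulate(0, 0),
        "honest, 1-in-3 collisions": simulate(0, 3),
        "greyhole (drops 1 in 2), clean channel": simulate(2, 0),
        "blackhole, clean channel": simulate(1, 0),
        "blackhole, 1-in-3 collisions": simulate(1, 3),
    }
    return {name: (wd.verdict(), wd.overheard, wd.handed)
            for name, wd in scenarios.items()}


if __name__ == "__main__":
    for name, (verdict, heard, handed) in scenario_table().items():
        print(f"{name:40s} {heard:2d}/{handed:2d} -> {verdict.value}")
```

The honest node on a lossy channel and the real Greyhole node receive the same verdict, which is the false-positive problem named above, while the Blackhole verdict is the same with or without collisions.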

5.5 Publications

As part of this thesis study, publications have been disseminated in scientific venues. Two conference participations have been accepted for presentation in 2015:

- A. AlRomi, I. AlMomani (September 2015). "Requirement Engineering for Intrusion Detection Systems in Wireless Sensor Networks", 17th International Conference on Requirements Engineering (ICRE 2015). (Accepted)
- A. AlRomi, I. AlMomani (August 2015). "The Effects of Inefficient Intrusion Detection Systems upon User and Organizational Behaviours", 17th International Conference on Human Computer Interaction (HCII 2015) and its affiliated conference, the 3rd International Conference on Human Aspects of Information Security, Privacy and Trust. (Accepted)



More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

Protecting Privacy Secure Mechanism for Data Reporting In Wireless Sensor Networks

Protecting Privacy Secure Mechanism for Data Reporting In Wireless Sensor Networks ISSN (Online) : 2319-8753 ISSN (Print) : 2347-6710 International Journal of Innovative Research in Science, Engineering and Technology Volume 3, Special Issue 3, March 2014 2014 International Conference

More information

Intrusion Detection of Sinkhole Attacks in Wireless Sensor Networks

Intrusion Detection of Sinkhole Attacks in Wireless Sensor Networks Intrusion Detection of Sinkhole Attacks in Wireless Sensor Networks Ioannis Krontiris, Tassos Dimitriou, Thanassis Giannetsos, and Marios Mpasoukos Athens Information Technology, P.O.Box 68, 19.5 km Markopoulo

More information

Study of Different Types of Attacks on Multicast in Mobile Ad Hoc Networks

Study of Different Types of Attacks on Multicast in Mobile Ad Hoc Networks Study of Different Types of Attacks on Multicast in Mobile Ad Hoc Networks Hoang Lan Nguyen and Uyen Trang Nguyen Department of Computer Science and Engineering, York University 47 Keele Street, Toronto,

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Some Security Trends over Wireless Sensor Networks

Some Security Trends over Wireless Sensor Networks Some Security Trends over Wireless Sensor Networks ZORAN BOJKOVIC, BOJAN BAKMAZ, MIODRAG BAKMAZ Faculty of Transport and Traffic Engineering University of Belgrade Vojvode Stepe 305 SERBIA Abstract: -

More information

SECURITY KEY MANAGEMENT AND AUTHENTICATION SCHEME FOR WIRELESS SENSOR NETWORKS

SECURITY KEY MANAGEMENT AND AUTHENTICATION SCHEME FOR WIRELESS SENSOR NETWORKS SECURITY KEY MANAGEMENT AND AUTHENTICATION SCHEME FOR WIRELESS SENSOR NETWORKS S. Jayapraba 1 and A.F.Sheik Hakkani 2 1 Department of MCA, Jayam College of Engineering and Technology, Bharathiyar University,

More information

A Short Survey on Secure Routing Protocols in Hierarchical Cluster- Based Wireless Sensor Networks

A Short Survey on Secure Routing Protocols in Hierarchical Cluster- Based Wireless Sensor Networks A Short Survey on Secure Routing Protocols in Hierarchical Cluster- Based Wireless Sensor Networks F.MEZRAG 1, M.BENMOHAMMED 2, B.BOUDERAH 3 1,3 Department of Computer Science, University of M Sila, Algeria

More information

Load Balancing in Periodic Wireless Sensor Networks for Lifetime Maximisation

Load Balancing in Periodic Wireless Sensor Networks for Lifetime Maximisation Load Balancing in Periodic Wireless Sensor Networks for Lifetime Maximisation Anthony Kleerekoper 2nd year PhD Multi-Service Networks 2011 The Energy Hole Problem Uniform distribution of motes Regular,

More information

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Journal homepage: www.mjret.in DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR Maharudra V. Phalke, Atul D. Khude,Ganesh T. Bodkhe, Sudam A. Chole Information Technology, PVPIT Bhavdhan Pune,India [email protected],

More information

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 137 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 CONCLUSION In this thesis, efficient schemes have been designed and analyzed to control congestion and distribute the load in the routing process of

More information

Restricted and Mobile: Security in Mobile Wireless Sensor Networks Kısıtlı ve Hareketli: Mobil Telsiz Duyarga Ağlarında Güvenlik

Restricted and Mobile: Security in Mobile Wireless Sensor Networks Kısıtlı ve Hareketli: Mobil Telsiz Duyarga Ağlarında Güvenlik Restricted and Mobile: Security in Mobile Wireless Sensor Networks Kısıtlı ve Hareketli: Mobil Telsiz Duyarga Ağlarında Güvenlik Albert Levi [email protected] Sabancı University Computer Science and

More information

Security and Privacy Issues in Wireless Ad Hoc, Mesh, and Sensor Networks

Security and Privacy Issues in Wireless Ad Hoc, Mesh, and Sensor Networks Advance in Electronic and Electric Engineering. ISSN 2231-1297, Volume 4, Number 4 (2014), pp. 381-388 Research India Publications http://www.ripublication.com/aeee.htm Security and Privacy Issues in Wireless

More information

MS Information Security (MSIS)

MS Information Security (MSIS) MS Information Security (MSIS) Riphah Institute of Systems Engineering (RISE) Riphah International University, Islamabad, Pakistan 1. Program Overview: The program aims to develop core competencies in

More information

[email protected] [email protected]

ssumathy@vit.ac.in upendra_mcs2@yahoo.com S. Sumathy 1 and B.Upendra Kumar 2 1 School of Computing Sciences, VIT University, Vellore-632 014, Tamilnadu, India [email protected] 2 School of Computing Sciences, VIT University, Vellore-632 014,

More information

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta. Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks

More information

Applying Mesh Networking to Wireless Lighting Control

Applying Mesh Networking to Wireless Lighting Control White Paper Applying Mesh Networking to Wireless Lighting Control www.daintree.net Abstract Recent advances in wireless communications standards and energy-efficient lighting equipment have made it possible

More information

Surveillance System Using Wireless Sensor Networks

Surveillance System Using Wireless Sensor Networks Surveillance System Using Wireless Sensor Networks Dan Nguyen, Leo Chang Computer Engineering, Santa Clara University Santa Clara, California, USA [email protected] [email protected] Abstract The

More information

Denial of Service in Sensor Networks

Denial of Service in Sensor Networks Denial of Service in Sensor Networks Authors : From: Anthony D. Wood John A. Stankovic University of Virginia Presented by: Luba Sakharuk Agenda for the DOS in Sensor Networks Abstract Theory and Application

More information

Comparison of Various Passive Distributed Denial of Service Attack in Mobile Adhoc Networks

Comparison of Various Passive Distributed Denial of Service Attack in Mobile Adhoc Networks Comparison of Various Passive Distributed Denial of Service in Mobile Adhoc Networks YOGESH CHABA #, YUDHVIR SINGH, PRABHA RANI Department of Computer Science & Engineering GJ University of Science & Technology,

More information

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005 SCADA System Security ECE 478 Network Security Oregon State University March 7, 2005 David Goeke Hai Nguyen Abstract Modern public infrastructure systems

More information

ISSN: 2319-5967 ISO 9001:2008 Certified International Journal of Engineering Science and Innovative Technology (IJESIT) Volume 2, Issue 5, September

ISSN: 2319-5967 ISO 9001:2008 Certified International Journal of Engineering Science and Innovative Technology (IJESIT) Volume 2, Issue 5, September Analysis and Implementation of IEEE 802.11 MAC Protocol for Wireless Sensor Networks Urmila A. Patil, Smita V. Modi, Suma B.J. Associate Professor, Student, Student Abstract: Energy Consumption in Wireless

More information

Information Security Services

Information Security Services Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual

More information

2. Research and Development on the Autonomic Operation. Control Infrastructure Technologies in the Cloud Computing Environment

2. Research and Development on the Autonomic Operation. Control Infrastructure Technologies in the Cloud Computing Environment R&D supporting future cloud computing infrastructure technologies Research and Development on Autonomic Operation Control Infrastructure Technologies in the Cloud Computing Environment DEMPO Hiroshi, KAMI

More information

Anomaly Intrusion Detection System in Wireless Sensor Networks: Security Threats and Existing Approaches

Anomaly Intrusion Detection System in Wireless Sensor Networks: Security Threats and Existing Approaches Anomaly Intrusion Detection System in Wireless Sensor Networks: Security Threats and Existing Approaches Md. Safiqul Islam *1, Syed AshiqurRahman *2 Department of Computer Science and Engineering Daffodil

More information

Defense in Cyber Space Beating Cyber Threats that Target Mesh Networks

Defense in Cyber Space Beating Cyber Threats that Target Mesh Networks Beating Cyber Threats that Target Mesh Networks Trent Nelson, Cyber Security Assessment Lead, Idaho National Laboratory Jeff Becker, Global Wireless Business Director, Honeywell Process Solutions Table

More information

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline Overview The following note covers information published in the PCI-DSS Wireless Guideline in July of 2009 by the PCI Wireless Special Interest Group Implementation Team and addresses version 1.2 of the

More information

A very short history of networking

A very short history of networking A New vision for network architecture David Clark M.I.T. Laboratory for Computer Science September, 2002 V3.0 Abstract This is a proposal for a long-term program in network research, consistent with the

More information

SPY AGENT BASED SECURE DATA AGGREGATION IN WSN

SPY AGENT BASED SECURE DATA AGGREGATION IN WSN ISSN: 2229-6948(ONLINE) ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, DECEMBER 214, VOLUME: 5, ISSUE: 4 SPY AGENT BASED SECURE DATA AGGREGATION IN WSN T. Lathies Bhasker 1 and G. Arul Jagan 2 1 Department

More information

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA

More information

Secure networks are crucial for IT systems and their

Secure networks are crucial for IT systems and their ISSA The Global Voice of Information Security Network Security Architecture By Mariusz Stawowski ISSA member, Poland Chapter Secure networks are crucial for IT systems and their proper operation. Essential

More information

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 Table of Contents Introduction AMI Communication Architecture Security Threats Security

More information

Figure 1. The Example of ZigBee AODV Algorithm

Figure 1. The Example of ZigBee AODV Algorithm TELKOMNIKA Indonesian Journal of Electrical Engineering Vol.12, No.2, February 2014, pp. 1528 ~ 1535 DOI: http://dx.doi.org/10.11591/telkomnika.v12i2.3576 1528 Improving ZigBee AODV Mesh Routing Algorithm

More information

ADVANCED NETWORK SECURITY SYSTEM FOR SETUP STAGE OF LEACH PROTOCOL

ADVANCED NETWORK SECURITY SYSTEM FOR SETUP STAGE OF LEACH PROTOCOL ADVANCED NETWORK SECURITY SYSTEM FOR SETUP STAGE OF LEACH PROTOCOL 1 Rajesh C. Ramannavar, 2 Suma K.V 1 Student, 2 Assistant Professor M S Ramaiah Institute of Technology,Bengaluru,India Email: 1 [email protected],

More information

AN EFFICIENT STRATEGY OF AGGREGATE SECURE DATA TRANSMISSION

AN EFFICIENT STRATEGY OF AGGREGATE SECURE DATA TRANSMISSION INTERNATIONAL JOURNAL OF REVIEWS ON RECENT ELECTRONICS AND COMPUTER SCIENCE AN EFFICIENT STRATEGY OF AGGREGATE SECURE DATA TRANSMISSION K.Anusha 1, K.Sudha 2 1 M.Tech Student, Dept of CSE, Aurora's Technological

More information

Secure Routing in Wireless Sensor Networks

Secure Routing in Wireless Sensor Networks Secure Routing in Wireless Sensor Networks Introduction to Wireless Sensor Networks Ida Siahaan / Leonardo Fernandes DIT Ida Siahaan / Leonardo Fernandes (DIT) Secure Routing in Wireless Sensor Networks

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis

More information

INTRUSION PREVENTION AND EXPERT SYSTEMS

INTRUSION PREVENTION AND EXPERT SYSTEMS INTRUSION PREVENTION AND EXPERT SYSTEMS By Avi Chesla [email protected] Introduction Over the past few years, the market has developed new expectations from the security industry, especially from the intrusion

More information

Wireless Sensor Networks: Security, Attacks and Challenges

Wireless Sensor Networks: Security, Attacks and Challenges Wireless Sensor Networks: Security, Attacks and Challenges Chaudhari H.C. and Kadam L.U. Swami Vivekanand Mahavidyalaya, Udgir e-mail: [email protected] Abstract The significant advances of

More information

Power & Environmental Monitoring

Power & Environmental Monitoring Data Centre Monitoring Made Easy Power & Environmental Monitoring Features & Benefits Packet Power provides the easiest, most cost effective way to capture detailed power and temperature information for

More information

A Comparison Study of Qos Using Different Routing Algorithms In Mobile Ad Hoc Networks

A Comparison Study of Qos Using Different Routing Algorithms In Mobile Ad Hoc Networks A Comparison Study of Qos Using Different Routing Algorithms In Mobile Ad Hoc Networks T.Chandrasekhar 1, J.S.Chakravarthi 2, K.Sravya 3 Professor, Dept. of Electronics and Communication Engg., GIET Engg.

More information

A NOVEL RESOURCE EFFICIENT DMMS APPROACH

A NOVEL RESOURCE EFFICIENT DMMS APPROACH A NOVEL RESOURCE EFFICIENT DMMS APPROACH FOR NETWORK MONITORING AND CONTROLLING FUNCTIONS Golam R. Khan 1, Sharmistha Khan 2, Dhadesugoor R. Vaman 3, and Suxia Cui 4 Department of Electrical and Computer

More information

Intrusion Detection Techniques in Sensor Networks

Intrusion Detection Techniques in Sensor Networks Wireless Sensor Network Security J. Lopez and J. Zhou (Eds.) IOS Press, 2008 2008 The authors and IOS Press. All rights reserved. 251 Intrusion Detection Techniques in Sensor Networks Aikaterini Mitrokotsa

More information

End-to-End Security in Wireless Sensor Networks (WSNs) Talk by Claudio Anliker Supervised by Dr. Corinna Schmitt CSG@IFI, University of Zurich

End-to-End Security in Wireless Sensor Networks (WSNs) Talk by Claudio Anliker Supervised by Dr. Corinna Schmitt CSG@IFI, University of Zurich End-to-End Security in Wireless Sensor (WSNs) Talk by Supervised by Dr. Corinna Schmitt CSG@IFI, University of Zurich Content 1. Motivation 2. Security Issues and Principles 3. Internet-of-Things and Wireless

More information

SPINS: Security Protocols for Sensor Networks

SPINS: Security Protocols for Sensor Networks SPINS: Security Protocols for Sensor Networks Adrian Perrig, Robert Szewczyk, J.D. Tygar, Victor Wen, and David Culler Department of Electrical Engineering & Computer Sciences, University of California

More information

An Empirical Approach - Distributed Mobility Management for Target Tracking in MANETs

An Empirical Approach - Distributed Mobility Management for Target Tracking in MANETs An Empirical Approach - Distributed Mobility Management for Target Tracking in MANETs G.Michael Assistant Professor, Department of CSE, Bharath University, Chennai, TN, India ABSTRACT: Mobility management

More information

Demystifying Wireless for Real-World Measurement Applications

Demystifying Wireless for Real-World Measurement Applications Proceedings of the IMAC-XXVIII February 1 4, 2010, Jacksonville, Florida USA 2010 Society for Experimental Mechanics Inc. Demystifying Wireless for Real-World Measurement Applications Kurt Veggeberg, Business,

More information

7. Public Key Cryptosystems and Digital Signatures, 8. Firewalls, 9. Intrusion detection systems, 10. Biometric Security Systems, 11.

7. Public Key Cryptosystems and Digital Signatures, 8. Firewalls, 9. Intrusion detection systems, 10. Biometric Security Systems, 11. Content 1.Introduction to Data and Network Security. 2. Why secure your Network 3. How Much security do you need, 4. Communication of network systems, 5. Topology security, 6. Cryptosystems and Symmetric

More information