Hybrid Internal Anomaly Detection System for IoT: Reactive Nodes with Cross-Layer Operation

We present a hybrid internal anomaly detection system that shares detection tasks between the router and the nodes. It allows nodes to react instinctively against the anomaly node by enforcing a temporary communication ban on it. Each node monitors its own neighbors and if abnormal behavior is detected, the n...


Bibliographic Details
Main Authors: Nanda Kumar Thanigaivelan, Ethiopia Nigussie, Seppo Virtanen, Jouni Isoaho
Format: Article
Language: English
Published: Hindawi-Wiley 2018-01-01
Series: Security and Communication Networks
Online Access: http://dx.doi.org/10.1155/2018/3672698
id doaj-57e438e170d24120a55ebdc4fa9fd6ec
record_format Article
spelling doaj-57e438e170d24120a55ebdc4fa9fd6ec; 2020-11-25T01:14:54Z; eng; Hindawi-Wiley; Security and Communication Networks; 1939-0114; 1939-0122; 2018-01-01; 2018; 10.1155/2018/3672698; 3672698; Hybrid Internal Anomaly Detection System for IoT: Reactive Nodes with Cross-Layer Operation; Nanda Kumar Thanigaivelan (0), Ethiopia Nigussie (1), Seppo Virtanen (2), Jouni Isoaho (3); (0) to (3): Department of Future Technologies, University of Turku, Finland; http://dx.doi.org/10.1155/2018/3672698
collection DOAJ
language English
format Article
sources DOAJ
author Nanda Kumar Thanigaivelan
Ethiopia Nigussie
Seppo Virtanen
Jouni Isoaho
publisher Hindawi-Wiley
series Security and Communication Networks
issn 1939-0114
1939-0122
publishDate 2018-01-01
description We present a hybrid internal anomaly detection system that shares detection tasks between the router and the nodes. It allows nodes to react instinctively against the anomaly node by enforcing a temporary communication ban on it. Each node monitors its own neighbors and if abnormal behavior is detected, the node blocks the packets of the anomaly node at the link layer and reports the incident to its parent node. A novel RPL control message, Distress Propagation Object (DPO), is formulated and used for reporting the anomaly and network activities to the parent node and subsequently to the router. The system has configurable profile settings and is able to learn and differentiate between the nodes' normal and suspicious activities without a need for prior knowledge. It has different subsystems and operation phases that are distributed in both the nodes and the router, which act on the data link and network layers. The system uses network fingerprinting to be aware of changes in network topology and to approximate threat locations without any assistance from a positioning subsystem. The developed system was evaluated using a test-bed consisting of Zolertia nodes and an in-house developed PandaBoard-based gateway as well as the Cooja emulation environment. The evaluation revealed that the system has low energy consumption overhead and fast response. The system occupies 3.3 KB of ROM and 0.86 KB of RAM for its operations. Security analysis confirms the nodes' reaction against abnormal nodes and successful detection of packet flooding, selective forwarding, and clone attacks. The system's false positive rate evaluation demonstrates that the proposed system exhibited a 5% to 10% lower false positive rate compared to a simple detection system.
url http://dx.doi.org/10.1155/2018/3672698