A Hybrid Intrusion Detection System for IoT Applications with Constrained Resources

Introduction

Network forensics is the reconstruction of network event to provide definitive insight into action and behavior of users, applications as well as devices (Schwartz, 2010). Network forensics technologies focus on recording evidence of a network attack (Adeyemi, Razak, & Nor Azhan, 2013). However, Internet of Things (IoT) is a special network which integrates sensors and other objects to connect everything in our life together. The information in IoT is usually privacy-sensitive and even confidential, so IoT will become the objective of cyber criminals (Alaba, Othman, Hashem, & Alotaibi, 2017). Due to the device miniaturization and energy-efficiency of IoT, traditional network forensics technologies are not suitable for IoT. Thus, the network forensics technologies specialized for cybercrimes aiming at IoT are of great importance and challenging in the era of IoT. Different from traditional computer networks, IoT networks are typically Low-power and Lossy Networks (LLN) (Teklemariam, Van Den Abeele, & et al, 2016), so energy efficiency must be taken into consideration when it comes to network security and network forensics technology designs for IoT.

Intrusion Detection Systems (IDSs) can be categorized into three types by placement (Zarpelao, Miani, Kawakani, & de Alvarenga, 2017), as shown in Figure 1. Distributed IDS mean the detection system is placed in every physical node. Distributed IDSs are suitable for smart devices with higher computational capability and energy sources. Correspondingly, centralized IDS only rely on single or several dedicated components in the network to complete the detection work. Hybrid IDS combines distributed and centralized technologies to get the job done.

Figure 1.

Network threats and IDS categories

Aiming at computer networks, threats can be categorized into unauthorized access, malicious code and service interruption (Ahmed, 2017) as showed in Figure 1. In IoT networks, cyber criminals may manipulate data nodes in the network illegally, and generate plenty of fake or harmful information. Besides, unauthorized cyber criminals may access data nodes in IoT networks to perform Denial of Service (DoS) attacks. One form of DoS attacks in IoT is Energy Exhaustion Attack (EEA) (Alrajeh, Khan, Lloret, & Loo, 2014). EEA accelerates the expiration of the network lifetime and is fatal to the performance of IoT.

Sink mobility is recognized as an efficient method to improve the performance of IoT. However, mobility-constrained mobile sinks exist in many IoT applications, such as railway-based (Smeets, Shih, Zuniga, Hagemeier, & Marrón, 2013) or automobile-based (Huang & Savkin, 2016) information collection applications, mountainous or canal environment monitoring applications, and even the information collection application for Smart Grid.

This paper designs an information and energy-related IDS with hybrid mechanism for IoT applications with a path-constrained mobile sink. The hybrid IDS provides a trace-back mechanism for network forensics and enhances the network safety. The main contributions of this paper are summarized as follows: