Intrusion Detection System Framework for Internet of Things

Abstract

Today, we see an increasing trend towards connected devices. This trend of connecting devices instead of people is called the Internet of Things (IoT). Some of these devices are sensor nodes that are battery-driven micro controller units that are equipped with sensors and wireless communication capabilities. When they are connected to each other they compose a wireless sensor network (WSN). Historically the sensor nodes have been very limited both in terms of computational power and size of memory. As the nodes have grown more powerful, the WSNs have started to communicate using IP, allowing for communication towards the Internet, which makes the network vulnerable against common attacks against connected devices. This is a problem since the nodes often lack protection due to their hardware limitations. However, a new and more powerful generation of sensor nodes is currently available. Allowing for additional security for the applications because they now have more memory, hence they can store both the intended application and an Intrusion Detection System (IDS). This thesis presents the design, implementation and evaluation of a novel design of an IDS framework for sensor nodes. The IDS is implemented on top of the Contiki operating system (OS) which is a widely used OS for wireless sensor nodes. The evaluation of the IDS is performed with focus on energy consumption, detection rate, network reliability and latency, which makes the results comparable to other related works in the field. The main contribution of the thesis is a novel design of a detection method for detecting different routing attacks against RPL including sinkhole attacks, wormhole attacks and selective-forwarding attacks. The method is called RoVer which stands for role-based verification. The IDS framework combines different detection methods for discovering both Denial of Service attacks and routing attacks. The implementation is tested and evaluated on the modern sensor node platform called Texas Instruments SensorTag CC2650STK. Results show that the methods designed and implemented within the thesis are not just feasible but also effective when detecting attacks against the sensor nodes. Evaluation shows that RoVer has a detection rate of 100% while the two detection algorithms for flooding attacks have detection rates on 75%, all while keeping the amount of false alarms to a low number.