Wireless Intrusion Detection System Architecture

Published Date: 02 Nov 2017

To design and develop an Intrusion Detection Device (IDS) for Industrial Wireless Sensor Networks. The device will be capable of detecting the attack signatures, anomaly in the normal profiles of the system and also capable of analyzing the user behavior in the system. It shall also have a database of known attach signatures and vulnerabilities.

Introduction

Intrusion is defined as a set of actions that compromise the confidentiality, availability, and integrity of a system. Intrusion detection is a security technology that attempts to identify those who attempt to access and use the system without authorization. It also identifies those who abuse their legitimate access to the system.

There are two types of intrusion detection: Misuse based detection and anomaly-based detection. A misuse based detection technique encodes known attack signatures and system vulnerabilities, and stores these in a database. If an operating IDS detects that current activities are the same as stored signatures, an alarm is triggered. Misuse detection techniques are not effective at detecting novel attacks because they lack the corresponding signatures. In contrast, in an anomaly-based detection technique, normal profiles of system states or user behaviors are created and these are compared to current activities. When a significant deviation is observed, the IDS raise an alarm. Anomaly detection can detect novel types of attacks. Specification-based detection techniques are a promising alternative that combine the advantages of misuse detection and anomaly detection by using manually developed specifications to characterize legitimate system behaviors. Specification based detection approaches are similar to anomaly detection techniques in that both methods detect attacks as deviations from a normal profile. The main draw-back of specification based detection approach is that it is time consuming to develop detailed specifications.

Industrial Standards

ISAl00.11a is a standard proposed by the ISA100 committee for industrial applications. It has various advantageous features, such as asymmetric cryptography, object-based application layer security and key management which, makes it a suitable standard for industrial process automation and control systems. ISA100.11a defines network IDS (NIDS) in the acronyms section, but it does not provide detailed specifications of a NIDS.

WirelessHART (IEC 62591) has been developed as a wireless extension to the existing wired HART communications protocol. That has some impact on its applicability, design and even on the level of security incorporated into the standard. It specifies a security manager to provide key management. It provides communication security between two devices, i.e., the source and the destination at the data-link layer. At the network layer this provides confidentiality by encrypting the network protocol data unit (NPDU) payload and integrity by calculating the keyed message integrity code (MIC) over the entire NPDU.

Wireless networks for Industrial Automation – Process Automation (WIA-PA) built on IEEE STD 802.15.4-2006 is an international specification of industrial wireless networks for process automation. This standard is defined in the IEC 62061, which specifies the system architecture and the communication protocol of the WIS-PA.

Wireless Intrusion Detection System Architecture

The Wireless Sensor Network has constraints on energy, bandwidth, processing power, and storage capacity, the proposed Intrusion Detection System architecture shown in Fig. 1 does not consume network resources and is capable of operating independently. The architecture uses a wireless IDS, which uses a lightweight mobile agent in the network to achieve real-time acquisition, processing, and integration of data. Data from the wireless IDS can be collected and analysed and the results are returned to the security manager. This will significantly reduce the energy demand of the whole network, while saving bandwidth. An Intrusion Detection and Analysis System have been used for detection and analysis. The wireless IDS can capture network data from 16 channels in 2.4 GHz and send it to the intrusion detection analysis system for the IDS to easily analyse the results. This can also provide an independent third-party intrusion detection system since the module resides outside the wireless network.

Proposed Developments

Wireless IDS

Intrusion Detection Analysis System

Project Duration

3 years

Project Schedule

Activity

Year I

Year II

Year III

Q1

Q2

Q3

Q4

Q1

Q2

Q3

Q4

Q1

Q2

Q3

Q4

Wireless IDS

Literature survey

Specification finalisation

Preliminary design

Hardware design and finalisation

Embedded software design

Wireless IDS

Intrusion Detection Analysis System

Requirement finalisation

Preliminary design

Software design and development

Intrusion Detection Analysis system

Integration and testing of Wireless Intrusion Detection System

Integration and testing with SCADA wireless testbed

Deliverables

Year I

Specification finalisation and Hardware Design of Wireless IDS

Preliminary design of Intrusion Detection Analysis system

Year II

Prototype of Wireless IDS

Detailed design of Intrusion Detection Analysis system

Prototype of the Intrusion Detection Analysis system

Year III

Integrated Wireless Intrusion Detection System

Wireless IDS

Intrusion Detection Analysis system

Integration and testing with the SCADA wireless testbed

Budget