Ad Hoc Networks

Volume 11, Issue 8, November 2013, Pages 2661-2674

SVELTE: Real-time intrusion detection in the Internet of Things

https://doi.org/10.1016/j.adhoc.2013.04.014

Abstract

In the Internet of Things (IoT), resource-constrained things are connected to the unreliable and untrusted Internet via IPv6 and 6LoWPAN networks. Even when they are secured with encryption and authentication, these things are exposed both to wireless attacks from inside the 6LoWPAN network and from the Internet. Since these attacks may succeed, Intrusion Detection Systems (IDS) are necessary. Currently, there are no IDSs that meet the requirements of the IPv6-connected IoT since the available approaches are either customized for Wireless Sensor Networks (WSN) or for the conventional Internet.

In this paper we design, implement, and evaluate a novel intrusion detection system for the IoT that we call SVELTE. In our implementation and evaluation we primarily target routing attacks such as spoofed or altered information, sinkhole, and selective-forwarding. However, our approach can be extended to detect other attacks. We implement SVELTE in the Contiki OS and thoroughly evaluate it. Our evaluation shows that in the simulated scenarios, SVELTE detects all malicious nodes that launch our implemented sinkhole and/or selective forwarding attacks. However, the true positive rate is not 100%, i.e., we have some false alarms during the detection of malicious nodes. Also, SVELTE’s overhead is small enough to deploy it on constrained nodes with limited energy and memory capacity.

Introduction

With IPv6 over Low-power Wireless Personal Area Network (6LoWPAN) [1], [2] it is possible to connect resource constrained devices, such as sensor nodes, with the global Internet using the standardized compressed IPv6 protocol. These networks of resource constrained devices, also called 6LoWPAN networks, and the conventional Internet form the Internet of Things or strictly speaking the IP-connected Internet of Things (IoT). A 6LoWPAN Border Router (6BR) is an edge node that connects 6LoWPAN networks with the Internet. Due to the resource constrained nature of the devices or things, 6LoWPAN networks mostly use IEEE 802.15.4 as link and physical layer protocol.

Unlike typical wireless sensor networks (WSN), 6LoWPAN networks or IP-connected WSN are directly connected to the untrusted Internet and an attacker can get access to the resource-constrained things from anywhere on the Internet. This global access makes the things vulnerable to intrusions from the Internet in addition to the wireless attacks originating inside 6LoWPAN networks. Potential applications of the IoT are smart metering, home or building automation, smart cities, logistics monitoring and management, etc. These applications and services are usually charged and the revenue is based on data or services used. Hence, the confidentiality and integrity of the data and timely availability of services is very important.

Researchers have already investigated message security for the IoT using lightweight DTLS [3], IPsec [4], and IEEE 802.15.4 link-layer security [5]. Even with message security that enables encryption and authentication, networks are vulnerable to a number of attacks aimed to disrupt the network. Hence, an Intrusion Detection System (IDS) is necessary to detect intruders that are trying to disrupt the network.

The available IDSs for WSNs could be used in the IoT. However, most of these approaches are built on the assumptions that (i) there is no central management point and controller, (ii) there exists no message security, and (iii) nodes cannot be identified globally. The IoT has a novel architecture where the 6BR is assumed to be always accessible, end-to-end message security is a requirement [5], and sensor nodes are globally identified by an IP address. Even with these favourable properties, building an IDS for the IoT is still challenging since the things (i) are globally accessible, (ii) are resource constrained, (iii) are connected through lossy links, and (iv) use recent IoT protocols such as CoAP [6], RPL [7], or 6LoWPAN [2]. Therefore, it is worth investigating and providing an IDS for the IoT that exploits these opportunities and addresses these threats.

To this end, we design, implement, and evaluate a novel intrusion detection system for the IoT that we call SVELTE. To the best of our knowledge this is the first attempt to develop an IDS specifically designed for the IoT. Network layer and routing attacks are the most common attacks in low power wireless networks [8], and in this paper we primarily target these attacks. SVELTE is also inherently protected against sybil and clone ID attacks; we discuss these attacks in Section 3.2.5. We evaluate SVELTE against sinkhole and selective-forwarding attacks. Our approach is, however, extensible and can be used to detect other attacks, as we discuss in Section 7.

The IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) [7] is a novel standardized routing protocol primarily designed to meet the specific routing requirements of the IoT. SVELTE uses RPL as a routing protocol. It has two main components: the 6LoWPAN Mapper (6Mapper), and intrusion detection modules. The 6Mapper reconstructs RPL’s current routing state, i.e., its directed acyclic graph, at the 6BR and extends it with additional intrusion detection parameters.
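The mapping step described above can be sketched in a few lines. The following is an added example, not code from the paper or from Contiki: the response format (node id, rank, preferred parent, and the ranks a node has heard its neighbours advertise), the root id, and the two consistency checks are assumptions chosen to show what a reconstructed DODAG at the 6BR makes visible. The rule that a node's rank must be greater than its parent's rank comes from the RPL specification [7]; the cross-check between a node's own claimed rank and the rank its neighbours heard it advertise is the kind of inconsistency a sinkhole node (one that advertises an artificially low rank to attract traffic) leaves behind in the mapped graph.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ROOT = 1  # assumption: the 6BR acts as DODAG root and has node id 1


@dataclass
class MapResponse:
    """One node's answer to a mapping request (assumed format, not SVELTE's wire format)."""
    node: int
    rank: int                  # rank the node claims for itself
    parent: int                # its preferred parent in the DODAG
    neighbors: Dict[int, int]  # neighbor id -> rank that neighbor advertised to this node


def build_graph(responses: List[MapResponse]) -> Dict[int, MapResponse]:
    """Rebuild the border router's view of the DODAG from the responses that arrived."""
    return {r.node: r for r in responses}


def check_rank_consistency(graph: Dict[int, MapResponse], root: int = ROOT) -> List[Tuple[int, str]]:
    """Return (node, reason) alerts for nodes whose rank information is contradictory.

    Check 1: RPL requires rank to increase away from the root, so a child must
             report a rank strictly greater than its parent's.
    Check 2: the rank a node claims to the mapper must match the rank its
             neighbours heard it advertise over the air.
    """
    alerts: List[Tuple[int, str]] = []
    for node, resp in graph.items():
        if node == root:
            continue
        parent = graph.get(resp.parent)
        if parent is None:
            alerts.append((node, "parent did not respond"))
        elif resp.rank <= parent.rank:
            alerts.append((node, "rank not greater than parent rank"))
        for other, oresp in graph.items():
            heard = oresp.neighbors.get(node)
            if heard is not None and heard != resp.rank:
                alerts.append((node, f"rank {resp.rank} claimed, {heard} heard by node {other}"))
    return alerts


def missing_nodes(graph: Dict[int, MapResponse], expected: List[int]) -> List[int]:
    """Nodes known from earlier rounds that sent no response this round."""
    return sorted(set(expected) - set(graph))


# Constructed sample network: root 1, honest nodes 2 and 3, and node 4, which
# tells the mapper it has rank 768 while every neighbour heard it advertise 300.
SAMPLE = [
    MapResponse(node=1, rank=256, parent=0, neighbors={2: 512, 4: 300}),
    MapResponse(node=2, rank=512, parent=1, neighbors={1: 256, 3: 768, 4: 300}),
    MapResponse(node=3, rank=768, parent=2, neighbors={2: 512, 4: 300}),
    MapResponse(node=4, rank=768, parent=2, neighbors={2: 512, 3: 768}),
]
EXPECTED_NODES = [1, 2, 3, 4, 5]  # node 5 answered in an earlier round but is silent now


def run_sample() -> Tuple[List[Tuple[int, str]], List[int]]:
    """Map the constructed sample and return (rank alerts, silent nodes)."""
    graph = build_graph(SAMPLE)
    return check_rank_consistency(graph), missing_nodes(graph, EXPECTED_NODES)


if __name__ == "__main__":
    alerts, silent = run_sample()
    for node, reason in alerts:
        print(f"node {node}: {reason}")
    print("no response from:", silent)
```

On the sample, all three rank alerts point at node 4, and node 5 is reported as silent; a silent node is only a hint, since lossy links also drop responses, which is why the paper evaluates its detection against false alarms rather than assuming every missed response is an attack. Adding a field to MapResponse is all it takes to carry further per-node parameters into the graph.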

One of the important decisions in intrusion detection is the placement of the IDS in the network. We use a hybrid approach, see Section 3, and place the processing intensive SVELTE modules in the 6BR and the corresponding lightweight modules in the constrained nodes. Fig. 1 presents an overview of our IDS that we explain in more detail in Section 3. One of our main design goals is that the IDS should be lightweight and comply with the processing capabilities of the constrained nodes.

In addition to the 6Mapper and the intrusion detection techniques, we also propose and implement a distributed mini-firewall to protect 6LoWPAN networks against global attackers from the Internet. We implement SVELTE in the Contiki operating system [9].

The main contributions of this paper are:

  • We present SVELTE, a novel IDS with an integrated mini-firewall for the IP-connected IoT that uses RPL as a routing protocol in 6LoWPAN networks.

  • We implement SVELTE and thoroughly evaluate it for 6LoWPAN networks that consist of resource-constrained things and have lossy communication links.

The next section of this paper gives an overview of the technologies used in SVELTE. Section 3 describes SVELTE, which includes the 6Mapper, the actual intrusion detection techniques, and the firewall. In Section 4 we detail SVELTE’s implementation for the Contiki OS. Section 5 presents our detailed performance evaluation of SVELTE. We highlight the current IDSs and their applicability in the IoT in Section 6. Section 7 discusses the possible extensions of SVELTE, and finally we conclude the paper in Section 8.

Background

In this section we briefly discuss the technologies involved in SVELTE for the IoT.

SVELTE: An IDS for the IoT

Recall that a 6LoWPAN network is a lossy and wireless network of resource-constrained nodes which uses IPv6 as its networking protocol and often RPL as its routing protocol. One of the design goals of any protocol for the IoT is its ability to be deployed and run on constrained nodes in 6LoWPAN networks. Based on the novel requirements of the IoT, we propose SVELTE: a lightweight yet effective intrusion detection system for the IoT. We also complement SVELTE with a distributed mini-firewall in order

Implementation

We implement SVELTE and the mini-firewall in the Contiki OS [9], a well known operating system for the IoT. Contiki has a well tested implementation of RPL (ContikiRPL). As SVELTE is primarily designed to detect routing attacks we make use of the RPL implementation in the Contiki operating system to develop the 6Mapper, the firewall, and the intrusion detection modules. The RPL implementation in Contiki utilizes in-network routing where each node keeps track of all its descendants. We borrow

Evaluation

In this section we present the empirical evaluation of SVELTE. After describing our experimental setup, we quantitatively evaluate the detection rate and the true positives for each experiment. We also measure the overhead of SVELTE both at the node-level and network-wide. We evaluate the overhead in terms of energy consumption and the memory footprint.

Related work

The IoT is a rather old concept and for many years RFID-based sensors were considered as things in the IoT. With the inception of 6LoWPAN, lightweight IP is being standardized and used in the IoT for the unique identification and global connectivity of the things. Even when confidentiality and integrity are enforced by message security solutions such as IPsec [4] it is possible to disrupt the IoT. A number of attacks against the IoT have been identified [8] in addition to those against WSN [12]

SVELTE extensions

One of the main advantages of our approach to intrusion detection is that the proposed and developed system is very easy to extend. There are a number of potential attacks against the Internet of Things and it is likely that more attacks will be discovered. As such, extensibility is very important for an IDS. The 6Mapper is easy to extend both conceptually and in practice. If a new detection scheme requires more data to be added to the network graph, the response packets can easily be extended.

Conclusions

6LoWPAN networks will be an integral part of the IoT. Considering the potential applications of the IoT it is important that 6LoWPAN networks are protected against internal and external intrusions. To this end we present SVELTE, the first IDS for the IoT which consists of a novel architecture and intrusion detection algorithms. We implement and evaluate SVELTE and show that it is indeed feasible to use it in the context of RPL, 6LoWPAN, and the IoT. To guard against global attacks we also

Acknowledgements

This work was financed by the SICS Center for Networked Systems (CNS), SSF through the Promos project, and CALIPSO, Connect All IP-based Smart Objects, funded by the European Commission under FP7 with contract number FP7-ICT-2011.1.3-288879.

Shahid Raza is a researcher at the Swedish Institute of Computer Science and a final year PhD student at the Mälardalen University, Västerås, Sweden. His main research interests are security issues in the IP-based wireless sensor networks and lightweight security solutions for the Internet of Things.

References (35)

  • C. Karlof et al., Secure routing in wireless sensor networks: attacks and countermeasures, Ad Hoc Networks (2003)
  • J. Hui, P. Thubert, Compression Format for IPv6 Datagrams Over IEEE 802.15.4-Based Networks, RFC 6282, September...
  • N. Kushalnagar, G. Montenegro, C. Schumacher, IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs): Overview,...
  • T. Kothmayr et al., Securing the internet of things with DTLS
  • S. Raza, S. Duquennoy, A. Chung, D. Yazar, T. Voigt, U. Roedig, Securing communication in 6LoWPAN with compressed...
  • S. Raza, S. Duquennoy, J. Höglund, U. Roedig, T. Voigt, Secure Communication for the Internet of Things – A Comparison...
  • Z. Shelby, K. Kartke, C. Bormann, B. Frank, Constrained Application Protocol (CoAP), draft-ietf-core-coap-12, October...
  • T. Winter, P. Thubert, A. Brandt, J. Hui, R. Kelsey, P. Levis, K. Pister, R. Struik, J. Vasseur, R. Alexander, RPL:...
  • O. Garcia-Morchon, R. Hummen, S. Kumar, R. Struik, S. Keoh, Security Considerations in the IP-Based Internet of Things,...
  • A. Dunkels, B. Grönvall, T. Voigt, Contiki – a lightweight and flexible operating system for tiny networked sensors,...
  • S. Kent, R. Atkinson, IP Encapsulating Security Payload (ESP), RFC 2406, Obsoleted by RFCs 4303, 4305, November...
  • S. Kent, R. Atkinson, IP Authentication Header, RFC 2402, Obsoleted by RFCs 4302, 4305, November...
  • D. Couto et al., A high-throughput path metric for multi-hop wireless routing, Wireless Networks (2005)
  • M. Hossain et al., Aegis: a lightweight firewall for wireless sensor networks, Distributed Computing in Sensor Systems (2010)
  • F. Österlind et al., Cross-level sensor network simulation with Cooja
  • F. Österlind, Improving Low-Power Wireless Protocols With Timing-Accurate Simulation, Ph.D. Thesis, Uppsala University,...
  • J. Polastre, R. Szewczyk, D. Culler, Telos: enabling ultra-low power wireless research, in: IPSN’05, 2005, pp....
Linus Wallgren is a final year master student at the School of Computer Science and Communication at the Royal Institute of Technology in Stockholm, Sweden. He is currently a researcher at the Swedish Institute of Computer Science. His main research interests are computer security, embedded systems, autonomous systems and their real world applications.

Thiemo Voigt is a Professor of Computer Science at the Department of Information Technology and the VINN Excellence Centre for Wireless Sensor Networks at Uppsala University, Sweden. He is the leader of the Networked Embedded Systems Group in the Swedish Institute of Computer Science, Sweden. He received his Ph.D. in 2002 from Uppsala University, Sweden. His current research focuses on wireless sensor networks and system software for embedded networked devices and the Internet of Things.