Internet DRAFT - draft-zhang-roll-rpl-intrusion-defence
draft-zhang-roll-rpl-intrusion-defence
Network Working Group Lan Zhang
Internet Draft Gang Feng
Intended status: Standards Track Shuang Qin
Expires: May 2014 UESTC
November 27, 2013
Intrusion Detection System for Low-Power and Lossy Networks
draft-zhang-roll-rpl-intrusion-defence-00.txt
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November 10,
2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on May 27, 2014.
Zhang et al. Expires May 27, 2014 [Page 1]
Internet-Draft IDSs for LLNs November 2013
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents carefully,
as they describe your rights and restrictions with respect to this
document. Code Components extracted from this document must include
Simplified BSD License text as described in Section 4.e of the Trust
Legal Provisions and are provided without warranty as described in
the Simplified BSD License.
Abstract
This document specifies intrusion detection systems (IDSs) as the
second line of defence, to secure the Routing Protocol for Low-power
and Lossy Networks (RPL).
Table of Contents
1. Introduction ................................................ 4
2. Terminology ................................................. 5
3. Protocol Overview ........................................... 5
4. Detection methodologies...................................... 6
5. System architectures of IDSs ................................ 7
5.1. Stand-alone IDS......................................... 7
5.1.1. Centralized MN..................................... 8
5.1.2. Distributed MN..................................... 8
5.1.3. Estimation of stand-alone IDS ..................... 9
5.2. Distributed and Cooperative IDS ........................ 9
5.3. Distributed and Hierarchical IDS ...................... 10
5.4. Mobile Agent IDS....................................... 10
6. Detection data ............................................. 11
6.1. Detection source location ............................. 11
6.2. Collection frequency................................... 11
7. Intrusion response ......................................... 12
8. A general design of IDS for ETX intrusion detection......... 12
8.1. ETX intrusion ......................................... 12
8.2. Design of the IDS for ETX Intrusion ................... 13
9. Security Considerations..................................... 15
10. IANA Considerations........................................ 15
11. Conclusions ............................................... 15
12. References ................................................ 16
12.1. Normative References.................................. 16
12.2. Informative References................................ 16
13. Acknowledgments .......................................... 17
Zhang et al. Expires May 27, 2014 [Page 2]
Internet-Draft IDSs for LLNs November 2013
Authors' Addresses ............................................ 18
Zhang et al. Expires May 27, 2014 [Page 3]
Internet-Draft IDSs for LLNs November 2013
1. Introduction
With the advance of networked electronic devices and wireless
communications, network can connect human-to-human, human-to-thing
and even thing-to-thing. The network environment often consists of
large quantities of devices, which usually have constrained resources
such as limited processing capability, short battery life [Le2012].
As a consequence, the network links may have poor quality in
transmitting packets. IETF ROLL working group was formed to specify
routing protocol for such Low-Power and Lossy Networks (LLNs), and
the working group defined a Routing Protocol for LLNs (RPL) [RFC6550].
Due to the salient features of LLNs devices and the inherent
vulnerabilities of RPL, the security design to defence RPL intrusions
is a significant challenge, especially for mission-critical
applications such as military tasks and disaster recovery.
As a broad conception, intrusion generally refers to the unauthorized
or unapproved actions that attempt to compromise the system.
Intruders can usually be classified into external and internal
intruders. External intruders have no right to access the network,
which are outsiders with limited intrusion impact. Once they obtain
the authorization to become internal intruders, they have more severe
damage and as legitimate nodes they are hard to be detected. Usually,
internal intruders pass the network access control mechanism by
compromising a legitimate node or by deploying malicious nodes.
Security design to defence network intrusions involves three main
components, including prevention, detection and mitigation
[Farooqi2012]. Traditional cryptography technique is the typical
intrusion prevention technique, as the first line of defence to
prevent intrusions before their occurrence. However, the intruders
may break the preventive security techniques. For example, external
intruders compromise the encryption key to become internal. In this
case, the intrusion detection technique as the second line of defence
can be activated. Intrusion detection system (IDS) is designed to
remedy the consequence of intrusions before the system resources are
disclosed. IDSs also provide suspicious intrusion information, which
might be useful in intrusion mitigation, the third line of defence.
IDSs can be used to detect both internal and external intruders.
Since RPL devices have weak security nature for tamper resistance,
intrusions cannot be completedly solved by prevention techniques.
Thus IDSs are of great significance for RPL security.
This document specifies IDSs for RPL, which is weak in defensing
intrusions. This document is dedicated to analyzing the detection
methodologies, system architectures, detection data and intrusion
Zhang et al. Expires May 27, 2014 [Page 4]
Internet-Draft IDSs for LLNs November 2013
response of IDSs with some available promotions in different
scenarios.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119].
In this document, these words will appear with that interpretation
only when in ALL CAPS. Lower case uses of these words are not to be
interpreted as carrying RFC-2119 significance.
This document adopts the terminology defined in [RFC6550], and
additionally uses terminology from [ROLL-TERMS], with the following
introducing terminologies:
Node: An element of a low-power, lossy network that may be a router
or a host.
Sink node: The root node of a Destination Oriented Directed Acyclic
Graphs (DODAG). Usually, sink node is the LoWPAN Border Router (LBR),
which connects to the internet.
Monitor node (MN): A special node type, which is in charge of
monitoring job in IDSs. MNs can be LLNs devices or high-performance
devices based on the design of IDSs.
3. Protocol Overview
RPL is a distance vector IPv6 routing protocol designed for LLNs
[RFC6550]. Due to the special characteristics of LLNs, such as
resource-constrained devices, poor link quality and unattended
deployed environment, RPL mainly focuses on self-organizing
capability, such as auto-optimized topology construction, self-repair
and self-maintenance, etc.
RPL is composed of one or more DODAG. Each DODAG can be regarded as
many nodes connected to an LBR, so as to minimize the cost from any
node in the network to reach the LBR. LBRs are connected together and
linked to the Internet through a backbone or transit link. The DODAG
construction is based on Object Function (OF), which can minimize the
particular metrics in different application scenarios. To construct
the DODAG, RPL defines a set of new ICMPv6 messages, including DODAG
Information Solicitation (DIS), DODAG Information Object (DIO), and
Destination Advertisement Object (DAO) [RFC4443]. The sink node first
broadcasts DIO messages with information related to the DODAG, such
Zhang et al. Expires May 27, 2014 [Page 5]
Internet-Draft IDSs for LLNs November 2013
as Rank (which is generally the distance to the backbone network), OF,
DODAG-ID, etc. The parent nodes have lower Rank. After receiving DIO
message, neighbors calculate their Rank and decide whether to join
this DODAG. If a node joins this DODAG, it will send back a DAO
message and broadcast DIO message with its rank, OF, the DODAG it
belongs to, etc. Nodes can also ask for graph information by sending
DIS messages. All nodes repeat this process until each node joins a
DODAG, which means the auto-optimized topology construction is
completed.
RPL has local repair mechanism to achieve self-healing. Any
inconsistency between the routing decision for a packet and the rank
relationship between the two nodes indicates a possible loop. On
receiving such a packet, a node can institutes a local repair
operation, [RFC6550] which can be operated by poisoning mechanism or
the change of DODAG ID.
RPL also has timer trickle mechanism, which enables the self-healing
and self-maintenance in a highly robust, energy efficient, simple and
scalable manner. Each node has a timer to trigger its DIO messages,
which increases exponentially. RPL sets the smallest and the biggest
possible interval separately. Once network topology fluctuation
exists, such as the parent node is unreachable, the timer is reset to
the minimized interval value [RFC6206].
The self-organizing capability of RPL makes it more vulnerable to
internal intrusions. Many strict rules, which help to maintain
optimal RPL network state, may be utilized by the intruders.
Neighbors are unaware of the inside process changes of the
compromised nodes and continue to communicate as normal. Thus the RPL
self-optimized state can be broken.
4. Detection methodologies
Functionally, IDSs have three detection methodologies, which are
signature-based, anomaly-based and specification-based. This section
details the detection methodologies, analyzes their advantages and
disadvantages, and then gives some promotions.
o Signature-based detection: In this methodology, previously known
intrusions are profiled as a reference, and the data is matched
with the known intrusion signatures with a low false alarm rate.
The disadvantage of this detection type is that it cannot be
applicable to detect novel intrusions without well-defined
[Tseng2003].
Zhang et al. Expires May 27, 2014 [Page 6]
Internet-Draft IDSs for LLNs November 2013
o Anomaly-based detection: This detection methodology is based on
statistical behavior, which focuses on normal network behaviors
rather than intrusion behaviors with a defined threshold to
distinguish the compromised nodes. It can detect new intrusions
without well-defined. However, the profiled normal behaviors must
be updated, which may increase the load of nodes. Moreover the
dynamic system may emerge legitimate but previously unseen
behavior, which can produces a high degree of false alarms.
According to the behavioral model processing nature, G Teodoro et
al. [Garcia2009] further divide anomaly-based IDS into three
categories, namely statistical based, knowledge based and machine
learning based, which may be included in the future documents.
o Specification-based detection: This methodology also detects
attacks by comparing network behavior deviations. It can detect
new intrusions. Rather than previous network behaviors in anomaly-
based detection, it needs to manually extract and craft to
characterize legitimate system behavior, so as to avoid high
degree of false alarms. But the development of specifications
might be time-consuming. Specification-based IDS has been applied
to privileged programs, applications, and several network
protocols [Tseng2003].
Comparing the above three detection methodologies, the third one has
advantages in LLNs. This document promotes specification-based
detection methodology to deal with RPL intrusions. But in case of
constrined time, the other two methodologies can also be applied.
Thus the applied detection methodology can be adjusted based on the
application scenarios.
5. System architectures of IDSs
System architecture [Farooqi2012] is crucial to optimize each module
of IDSs, and it also directly affects the performance of IDSs. Thus
this document pays more attention to the analysis of IDS system
architecture. This section specifies three types of system
architecture for RPL in different application scenarios.
5.1. Stand-alone IDS
The basic idea of stand-alone IDS is that each MN independently
completes intrusion detection based on information collected by its
own. In stand-alone IDS, MNs can be classified into centralized and
distributed. The following part in this section will discuss the two
types of stand-alone IDS.
Zhang et al. Expires May 27, 2014 [Page 7]
Internet-Draft IDSs for LLNs November 2013
5.1.1. Centralized MN
In stand-alone IDS with centralized MN, each RPL node is viewed as an
MN. The network nodes perform RPL as well as monitoring. Watchdog
machine [Shakshuki2011] is a typical centralized MN machine.
This kind of architecture scheme obviously aggravates the load of RPL
nodes, which seriously affects the lifetime of RPL node. Due to the
resource-constrained RPL characteristics, this kind of system
architecture should be applied with caution.
5.1.2. Distributed MN
Distributed MNs are designed for intrusion detection for a certain
monitor area. This kind of IDS architecture deploys multiple MNs to
cover the network. The proper backbone of MNs should be accomplished
with minimal MNs, and each RPL node should be in the range of at
least one MN.
Distributed MN with FSM is first proposed by University of California,
which is promoted for stand-alone IDS with distributed MN in this
document. An FSM is implemented in each MN, which is designed based
on the intrusion detection. MNs passively listen to RPL packets and
extract information to store in their monitor lists. Each MN has a
monitor list, which is updated dynamically. MNs apply the FSM to
monitor the behavior flow of nodes in its monitoring area by
analyzing data recorded on their monitor list.
Considering the resource-constrained RPL characteristics, the
additional monitoring job may incurr big processing cost. Distributed
MN device can be designed to high-performance device or LLNs device,
and the MNs using LLNs devices can also be RPL node or another
special kind of node. Thus there exist three types of distributed MN
as follows.
1. As LLNs devices, this type of MN also works as normal RPL nodes.
They perform RPL as well as monitor tasks. As battery powered LLNs
devices, it is hard to replenish once the energy runs out. This
can leads to the network malfunctioning earlier. But this scheme
can decrease the network cost to a great extent. Moreover unlike
traditional security mechanism, MN does not require any harsh
encryption algorithm or operation. This scheme is promoted to be
applied to applications with simple security problems, such as
simple civil scenarios.
2. As LLNs devices, this type of MN does not perform any RPL
operation. As another special kind of node, it only monitors the
network security, and it can be applied to defense some
Zhang et al. Expires May 27, 2014 [Page 8]
Internet-Draft IDSs for LLNs November 2013
complicated attacks by the complex algorithm. The disadvantages
are that the additional nodes increase network cost and the
interferences among nodes are also increased. This scheme can be
applied to applications with high security requirements or
potential security issues, such as military scenarios.
3. As the high-performance device, this kind of MN can detect
intrusions without limitations of resource constraints. It is
benefitial to detect intrusions effectively, with the most
expensive cost. Also the special devices may lead to more
intrusions to them. But it is still a useful scheme for some
serious mission-task scenarios.
5.1.3. Estimation of stand-alone IDS
The advantage of stand-alone IDS is robust, since each MN can
complete intrusion detection independently. When some MNs become
invalid, others can operate as normal. This system architecture is
relatively simple, which is easy for deployment and implementation.
The stand-alone IDS with distributed MN also considers the energy
consuming problem of RPL. Three kind of schemes to different
application scenarios are designed.
The stand-alone IDS architecture also has some disadvantages. The MNs
do not cooperate or share information with others, which limits the
detection efficiency. Moreover, since the MNs are equal and operate
their IDS dependently, the detection results might have some
collisions.
5.2. Distributed and Cooperative IDS
In distributed and cooperative IDS, intrusion detection is
accomplished by the cooperation of MNs. Each MN runs an IDS agent to
participate in the intrusion detection and response to the overall
network. This kind of IDS applies two levels coordinate architecture
with neighbor-agent and local-agent. The deployment of agents and the
agent device type can refer to stand-alone IDS (in 5.1).
When a local-agent detects an intrusion with sufficient evidence, it
can alert intrusion independently. While the local-agent detects an
intrusion with weak or inconclusive evidence, it can initiate a
global detection procedure by interactive connection with neighbor-
agents. With the exchanges of data and responses, the globe response
will be delivered to each agent.
The distributed and cooperative IDS is suitable to the flat network
infrastructures, such as a DODAG in RPL. Thus, it can be applied to
small-scale network. The distributed and cooperative IDS solves the
Zhang et al. Expires May 27, 2014 [Page 9]
Internet-Draft IDSs for LLNs November 2013
low detection efficiency problem in stand-alone IDS, but with a more
complicated architecture.
5.3. Distributed and Hierarchical IDS
In large-scale RPL network, the network topology is usually composed
of several DODAGs, and the sink node of each DODAG connects together
to the internet. Thus RPL can be regarded as a multi-layer network.
The distributed and hierarchical IDS is promoted for such clustering
network. This IDS is of two level architecture. As the cluster heads
(CH), sink nodes are CH-agents. And the local-agents are deployed and
designed according to stand-alone IDS (in 5.1).
Each local-agent operates independently, and reports the detection
results to CH-agents. CH-agents are responsible to monitor the member
nodes and make the global intrusion detection decisions. CH-agents
complete the association and aggregation of alerts in the DODAG, and
the neighbor CH-agents can coordinate to complete the cross-DODAG
intrusion detection.
Since local-agent and CH-agent coordinate architecture does not need
the coordination of neighbor-agents, it decreases the risk of
eavesdropping. But the globe response by CH-agents might cause a long
delay.
5.4. Mobile Agent IDS
Mobile agent [Li2012] is assigned to perform monitoring task in a
selected node, based on specific tasks. The mobile agents
cooperatively perform the intrusion detection. And the selection of
agents might be changed after the task is completed or after a
certain time period. The movement of agents is usually evolved from
RPC methods through data duplication. The mobile agent saves its own
state, transfers the saved state to the new node, and resumes
execution from the saved state. The mobile agent is characterized by
the following attributes.
o Mobility: Mobile agents can actively migrate between nodes for
asynchronous execution at any time during their execution. This
makes them powerful to deal with distributed RPL applications.
Also the mobility characterize can increase the efficiency of IDS.
o Autonomy: Mobile agents operate independently without any manual
intervention, and use preprogrammed knowledge in order to execute
general tasks. They are also expected to be able to analyze the
changes of a network and take intuitive action accordingly.
Zhang et al. Expires May 27, 2014 [Page 10]
Internet-Draft IDSs for LLNs November 2013
The above attributes virtually improve the function of IDS in RPL.
However the mobile agent IDS architecture also has several
disadvantages, and this document only gives some sketchy introduction,
the detailed discussion may be included in the future. The main
disadvantages are listed below.
o Resource consumption: The IDSs may consist of a large amount of
codes, which might be very time-consuming for transfering codes
between agent nodes. Moreover the additional codes will cause a
resource overhead. Since all nodes are prepared to serve as a
mobile agent, the additional processes increase energy consumption.
The resource consumption problem must be effectively solved in RPL
before its application.
o Decisional confliction: Since the mobile agents usually have equal
status, the confliction is still hard to avoid.
o Security: The mobility and autonomy characteristics of mobile
agent also make it unsecure from intrusions.
6. Detection data
In aformentioned system architecture of IDSs, MNs defense intrusions
by detecting system data. This section mainly discusses the source of
data and the data detection frequency.
6.1. Detection source location
The source of detection data can be classified into three groups,
including host-based, network-based and hybrid.
o Host-based IDS: When the IDS only concern events on the host, the
source of detection data is host-based. This kind of detection can
be achieved in application or system log files on the host.
o Network-based IDS: The IDS places sniffers on interconnection
equipment, captures and examines the transmitting packets. It can
detect packets, payload or other information within the packet.
o Hybrid IDS: The hybrid IDS is a combination of host-based and
network-based IDS.
6.2. Collection frequency
Considering the resource-constrained characteristic of LLNs devices,
data detection frequency can be adjusted according to different
application scenarios. For real-time applications, MNs should detect
Zhang et al. Expires May 27, 2014 [Page 11]
Internet-Draft IDSs for LLNs November 2013
the data continuously or in a high frequency. In the contrary, in
applications such as weather prediction, a proper detection interval
is indispensable.
7. Intrusion response
As the second line of defence, IDSs do not do preventive tasks and
the IDS reacts when an intrusion is detected. This document simply
introduces the following intrusion response, and the detailed action
can be discussed in future docuemnts.
o The system may generate an alarm to inform the administrator or
the sink node, so as to decide the reaction to the intrusion.
o The system may react in the corrective action, such as designing a
new rule in a firewall or disconnection of suspicious connections,
which can prevent the identical future intrusions.
o A mitigation method may be induced as the third line of defence in
a comprehensive system, and the mitigation detection can stop the
intrusion with information provided by the IDS.
8. A general design of IDS for ETX intrusion detection
The above document analyzes several aspects of IDS with promotions
based on different application scenarios. The self-organizing
capability makes RPL be vulnerable to intrusions, especially the new
type of internal intrusions. Thus this section gives an example of
designing the IDS to defense ETX intrusion with single intruder,
which is a new type of internal intrusion in RPL.
8.1. ETX intrusion
RPL constructs auto-optimized topology based on metric and constrains.
In RPL with ETX metric[De2005], node chooses preferred parent based
on integrated ETX value, which is composed by neighbor ETX value from
received DIO messages and counted link ETX value to that neighbor.
Usually, node selects neighbor with smaller integrated ETX value as
preferred parent. ETX intrusion can be developed by single intruder
or multiple collaborated intruders. This section only deals with ETX
intrusion with single intruder.
The intruder advertises DIO messages with fake ETX value, which
misleads its neighbors to change preferred parents. It can form
redundant route paths and break RPL auto-optimized topology, which
degrades the network performance in many important QoS aspects, such
as energy consumption, throughput and delay. The intruders only need
Zhang et al. Expires May 27, 2014 [Page 12]
Internet-Draft IDSs for LLNs November 2013
to ignore the legitimate ETX detection by itself, and then work as
normal. Moreover, in LLNs devices, the cryptography techniques cannot
be applied to examine DIO message, and thus neighbors cannot judge
the legitimation of ETX value from received DIO messages. As a
consequence, the ETX intrusion is easy to start and hard to detect.
8.2. Design of the IDS for ETX Intrusion
Assume that ETX intrusion with single intruder is happened in a
stable network environment without other intrusions, and the network
initialization is secure. The IDS to defense this intrusion is
designed as follows.
o Detection methodology: The IDS applies specification-based
detection methodology, which can detect novel intrusions with a
lower false alarm rate.
o System architecture: The IDS applies stand-alone system
architecture, which is simple and effective to defense single
intruder without collaboration. Considering RPL resource-
constrained characteristic, stand-alone IDS employs distributed MN
with FSM architecture. Since the network environment is stable, MN
devices employ RPL devices, which do RPL jobs as well as the
monitoring work.
The deployment of distributed MNs is accomplished with minimal MNs
before network initialization, and each RPL node is in the range
of at least one MN. Thus MNs can collect the complete information
of neighbors to detect intrusions.
In distributed MN with FSM, MNs passively listen to RPL packets,
extract and record useful information in a dynamically updated
list. The FSM operates the detection based on that list. Since
specification-based IDSs detect intrusions by comparing network
behavior deviations, before designing FSM, normal RPL behaviors
should be discussed. In stable network environment, link ETX
values are nearly the same, and the integrated ETX value is only
depended on neighbor ETX value. Thus the selection of preferred
parent is only decided on neighbor ETX value. In secure RPL
environment, neighbor ETX values may change but without leading
massive topology fluctuation. Thus, in a stable RPL environment,
when a node broadcasts DIO message with decreased ETX value, the
number of its child nodes might be increased. If the increase
number of child nodes exceeds a threshold, that node must be an
ETX intruder.
Zhang et al. Expires May 27, 2014 [Page 13]
Internet-Draft IDSs for LLNs November 2013
According to above discussions, the list of MNs should include
useful information of all neighbors, including ETX value from DIO
messages, preferred parent from DAO messages, and child node
number counted by list item of preferred parent. There are six
states in FSM, including the start when network initialize, the
route path setup/change, the packets detection, the invalid route,
the network fluctuation and the ETX intrusion alarm.
1. When MN first receives a DIO message, its state will move to
topology setup/change state, in Step 2. The MN will record ETX
value, and build an entry for that node in its list.
2. In topology setup/change state, when MN sniffs DIO or DAO
message, its state is transited to packets detection state, in
Step 3.
When the list record shows that parent and child ETX
relationship is broken (parent node has bigger ETX value), the
state of FSM is transited to invalid route state, in Step 4.
When the recorded ETX value is decreased, the FSM state is
transited to network fluctuation state, in Step 5.
3. In packets detection state, if the node is new, MN will build
an entry and record information of that node to its list.
Otherwise the MN will update the corresponding ETX value from
DIO message or preferred parent information from DAO message.
Then the FSM state is transitted back to topology setup/change
state, in Step 2.
4. In invalid route state, an RPL local repair mechanism is needed
to recover the network topology.
5. In network fluctuation state, a time counter will be started
for that node to examine asynchronously consequences. Before
the timer expiration, if the number of child nodes increases to
exceed a threshold, the FSM state will move to ETX intrusion
alarm state, in Step 6. The threshold is depended on the
network environment and the network scale.
6. In ETX intrusion alarm state, MN broadcasts ETX intrusion alarm
packets. There might be a feedback mechanism to make sure that
the intrusion is noted by all neighbors.
o Detection data: The detection data is network-based, and the
detection frequency is the same as data packet sending frequency.
Zhang et al. Expires May 27, 2014 [Page 14]
Internet-Draft IDSs for LLNs November 2013
o Intrusion response: The IDS reacts in a corrective action. When
ETX intrusion is detected, the MN will broadcast alarms. Nodes
which receive the alarm will mark the intruder to avoid intrusion
again, and then check their parent list. If the intruder exists in
the parent list, it will delete the intruder and reselect its
preferred parent immediately. In this way, the intruder cannot
start ETX intrusions anymore.
9. Security Considerations
In RPL, the network security solution is largely limited by its
resource-constrained characteristic. This document specifies IDSs as
the second line to defence intrusions. However it does not take much
consideration on the security of IDSs, since RPL nodes may do not
have enough capability in using prevention detection methods to
protect the IDS process.
This document proposes three type MN devices (in 5.1.2), and the
latter two kinds may have the ability to adopt the prevention machine.
Some simple security machines such as simple authentication, or other
novel machines such as sequence authentication, can be considered to
be applied to secure the IDSs.
10. IANA Considerations
This memo includes no request to IANA.
11. Conclusions
This document specifies IDSs as the second line of defence for RPL.
Due to RPL self-organizing characteristics, it is necessary to design
IDS to defence intrusions, especially the internal intrusions. This
document first analyzes three type detection methodologies, and
promotes the specification-based method to RPL. Then it mainly
discusses the system architecture of IDSs. In stand-alone IDS, the
distributed MN with FSM architecture is promoted with three types of
MN device in different RPL applications. The distributed and
cooperative IDS is promoted to flat network infrastructure, such as a
DODAG. The distributed and hierarchical IDS is promoted in large-
scale network with several DODAGs. And there are also some sketchy
introductions on mobile agent IDS, which may be discussed in the
future. The document also specifies detection data with data source
and collection frequency. In addition, this document gives the
intrusion responses to complete the IDS process. To explicitly show
the design of IDSs, this document gives an example to apply IDS to
defense ETX intrusion with single intruder, which is a novel internal
Zhang et al. Expires May 27, 2014 [Page 15]
Internet-Draft IDSs for LLNs November 2013
RPL intrusion. At last this document presents some security
considerations for IDSs in RPL.
12. References
12.1. Normative References
[RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui,
J.,Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur,
JP., and Alexander, R., "RPL: IPv6 Routing Protocol for
Low-Power and Lossy Networks", RFC 6550, March 2012.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4443] Conta, A., Deering, S., and Gupta, M., "Internet Control
Message Protocol (ICMPv6) for the Internet Protocol Version
6 (IPv6) Specification", RFC 4443, March 2006.
12.2. Informative References
[ROLL-TERMS]
Vasseur, JP., "Terminology in Low power And Lossy Networks",
Work in Progress, March 2013.
[Farooqi2012] Farooqi, A. H., and Khan, F. A. "A survey of intrusion
detection systems for wireless sensor networks", Proc.
International Journal of Ad Hoc and Ubiquitous Computing
2012 PP. 69-83.
[Le2012] Le, A., Loo, J., Lasebae, A., Aiash, M., and Luo, Y.
"6LoWPAN: a study on QoS security threats and
countermeasures using intrusion detection system approach",
Proc. International Journal of Communication Systems 2012
pp. 1189-1212.
[Tseng2003] Tseng, C, Y., Balasubramanyam, P., Ko, C.,
Limprasittiporn, R., Rowe, J. and Levitt, K. "A
specification-based intrusion detection system for AODV"
Proc. the 1st ACM workshop on Security of ad hoc and sensor
networks 2003 pp. 125-134.
[Shakshuki2011] Shakshuki, E., Kang, N., and Sheltami, T. "EAACK-A
Secure Intrusion-Detection System for MANETs", Proc.
Industrial ElectronicsIEEE Transactions 2013 pp. 1089-1098.
Zhang et al. Expires May 27, 2014 [Page 16]
Internet-Draft IDSs for LLNs November 2013
[Garcia2009]Garcia-Teodoro, P., Diaz-Verdejo, J., et al. "Anomaly-
based network intrusion detection: Techniques, systems and
challenges", Proc. computers & security 2009 PP. 18-28.
[Li2012] Li, Y., and Qian, Z. "Mobile agents-based intrusion
detection system for mobile ad hoc networks",
Proc. Innovative Computing & Communication 2010 Intl Conf
on and Information Technology & Ocean Engineering, 2010
Asia-Pacific Conf 2010 pp. 145-148.
[De2005] De, Couto, D. S., Aguayo, D., Bicket, J., and Morris, R. "A
high-throughput path metric for multi-hop wireless routing",
Proc. Wireless Networks 2005 PP. 419-434.
13. Acknowledgments
This document was prepared using 2-Word-v2.0.template.dot.
Zhang et al. Expires May 27, 2014 [Page 17]
Internet-Draft IDSs for LLNs November 2013
Authors' Addresses
Lan Zhang, Gang Feng, Shuang Qin
National Key Laboratory of Science and Technology on Communications
UESTC (University of Electronic Science and Technology of China)
No.2006, Xiyuan Ave, West Hi-Tech Zone
Chengdu, Sichuan, P.R.China 611731
Phone: +86 151-9663-7390
Email: zhanglan_uestc@163.com
fenggang@uestc.edu.cn
blueqs@uestc.edu.cn
Zhang et al. Expires May 27, 2014 [Page 18]
