Web Spider Defense Technique in Wireless Sensor Networks

Wireless sensor networks (WSNs) are currently widely used in many environments. Some of them gather many critical data, which should be protected from intruders. Generally, when an intruder is detected in the WSN, its connection is immediately stopped. But this way does not let the network administrator gather information about the attacker and/or its purposes. In this paper, we present a bioinspired system that uses the procedure taken by the web spider when it wants to catch its prey. We will explain how all steps performed by the web spider are included in our system and we will detail the algorithm and protocol procedure. A real test bench has been implemented in order to validate our system. It shows the performance for different response times, the CPU and RAM consumption, and the average and maximum values for ping and tracert time responses using constant delay and exponential jitter.


Introduction
A wireless sensor network (WSN) is distributed in nature. It consists of several electronic devices with a memory, a processor, and one or more elements that sense the environment [1,2]. One of the main issues taken into account in their deployment is their power limitation and their need to save energy [3,4]. Sensor nodes can communicate among themselves using a proprietary or standard communication technology network interface card. The sensed values can be forwarded to a central manager that usually is a computer (or similar device). The computer hosts a manager that is in charge of managing the WSN. The most common strategy to read values of sensed elements consists of interrogating the manager in order to obtain a set of sensed values. In this sense, a WSN is used to collect and monitor the related information about a specific environment. This procedure has relevance in several cases: vigilance, oceanographic values of a strategic installation, police related information, and many more.
Generally, WSNs are used to sense private data. Some of them can also transmit critical data. Thus, it is very important to secure the collection of data and detect and avoid external intrusions. An intruder may be able to access unauthorized data, spread erroneous data and/or malicious code, implement unauthorized changes to data or sensor software, or steal data. Moreover, an intruder could initiate attacks to the network from that sensor node and open new doors to other intruders.
This work is focused on intrusion attacks in WSNs. A network intrusion detection system (IDS) is an essential element in a computer security strategy [16]. An IDS is a device or a software application that monitors network and system activities for malicious activities or policy violations. The IDS produces reports to a central system so that humans can intervene or so that computer systems can respond in an attempt to stop the intrusion. In a WSN, this attack means that an attacker (malicious user) wants to illegally read the data sensed by a set of sensors. We suppose the malicious user can interrogate the sensors in the WSN, bypassing the control of the WSN manager/administrator. The difficult task here is to discover when a malicious attack is happening and what the particular properties of the attacker are. The main idea behind this is that the IDS can learn about the attacker in order to prevent future attacks. Several techniques have been used to design the IDS.
(i) The intrusion detection policy proposed in [17] monitors the communication between neighboring nodes and finds those nodes that are not working normally. Some general rules are defined to detect such nodes, which are called compromised nodes. They simulated transport and routing layer in order to analyze the performance of the proposed policy. They showed that each node should be treated independently in the WSN, and purely centralized detection schemes may fail to identify the network behavior whether it is normal or it is under any attack.
(ii) Due to the huge volume of network traffic, coding the rules becomes difficult and time-consuming. Data mining techniques, used for example, in anomaly based systems [18], can build network intrusion detection models adaptively. They can analyze and predict the behaviors of users in order to know if these behaviors are attacks or a normal behavior.
(iii) The traffic prediction can also be used to model a mechanism against any intrusion detection. In [19] it is shown that, by inspecting received packet features, a sensor can identify an intruder impersonating a legitimate neighbor.
(iv) A honeypot is usually a valuable surveillance tool that provides early warnings to the system administrator about the trends of malicious activity in the WSN. A wireless honeypot can be used to gather information about the intruder in the WSN, taking into account several implementation techniques for wireless local area networks [20]. In a WSN a fake access point could be implemented by a sensor that responds with fake data to the intruder. A very interesting survey that includes results of honeypot technology applied to WSN can be found in [21]. The information sensitivity, resources, and time are the most important factors in choosing the type of honeypot for any WSN. We differentiate two types of honeypots: (a) low-interaction, which only monitors for anomalies, and (b) high-interaction, where detailed information of the requests is used for predicting future attacks using pattern recognition. A multilevel security defense is presented in [22], which considers a hierarchical WSN. The authors arrange regular sensors, gateways that are in charge of controlling regular sensors, base stations that control the gateways, and honeypots that collaborate with base stations. In each level a different kind of attack can be controlled.
(v) Artificial intelligent based mechanisms: exploiting knowledge about the nature of biological systems can result in valuable information about the attacker. For example, bioinspired solutions are applied to efficient computing (bioinspired computing), making robots that are inspired by the biological systems (bioinspired robotics), technical developments in engineering (bioinspired systems), and networking (bioinspired networking). So, they can also be applied to the design of an IDS for WSN. Honeypot can be considered an artificial intelligent technique due to the fact that it mimics the biological nature of particular species. Artificial intelligence is becoming an effective method to be applied in security detection systems [23].
This work centers our attention on artificial bioinspired security mechanisms for IDS in WSNs. We have designed an algorithm and a protocol to detect an intrusion attack, inspired by the web spider's behavior when its web suffers an attack [24]. We technically implement our algorithm and protocol considering the honeypot technique. In contrast to [17], we are not concerned with routing inside the WSN, but in addition to that work we propose a transport and policy algorithm and protocol. We do not inspect the traffic of the intruder (as [19] did) but we take it into account to reduce the rate of attacks the intruder can perform. Our objective is to gain time to find out information about the intruder. To do this, we implement a low-interaction sensor honeypot that tries to detect the intruders and then delays the answer to them for earlier learning of their future behavior. In contrast to [22], we do not consider a hierarchical WSN. We consider all the nodes are regular and have the same role in the network (honeypot sensors and real sensors).
The paper is organized as follows. In Section 2, we analyze the works found about bioinspired mechanisms used in security. Section 3 describes our web spider-inspired proposal. The system algorithm and protocol are explained in Section 4. Test bench experiments and results are included in Section 5. Finally, Section 6 draws the conclusion and future work.

Related Work
The section shows some works related to bioinspired mechanisms for security in WSN.
A survey on practical applications and open research issues for bioinspired self-organized networking (SON) systems is presented in [25]. The benefits of using these bioinspired techniques against conventional SON solutions include, but are not limited to, lower MAC delays, communications overhead and hardware complexity, higher adaptivity to changes, and resource utilization. Considering the benefits of these techniques, SON systems, such as WSN and wireless ad hoc networks, can exploit the improvements introduced by the bioinspired techniques compared to the isolated conventional SON solutions.
The authors in [26] apply the biological knowledge about the human immune system to propose a new network security mechanism to disable the fraudulent nodes in a WSN. Bioinspired algorithms provide dynamic, adaptive, and real-time methods of intrusion detection. The work included in [27] presents a review on genetic algorithm, artificial immune, and artificial neural network (ANN) based intrusion detection systems (IDS) techniques used in WSN.
Moreover, an algorithm inspired on the human immune system behavior to detect intruders in WSN is presented in [28].
A key component of bioinspired response methods is the use of feedback from the network to better adapt their response to the specific attack [29]. The author developed a method to calculate response times for a WSN that could be used to improve the bioinspired method for selecting the most suitable intrusion response for ad hoc networks.
In [30], a honeypot based framework is proposed that is used to earlier learn future attacks of the intruder and serve as a defensive countermeasure. It is based on the biological behavior of a particular species of ant. The ants store food forming a living repository of food and are often attacked by raiders. They considered a WSN as composed by two types of ants: honey ants and real ants. They strategically distribute the honeypot sensors (honey ants) that will mimic the physical data (real ants). Then, the IDS will induce traffic from alleged intruders to these honeypot sensors. This is done by implementing a swarm intelligence algorithm that takes into account the communication among sensors like the ants do. They route virtual values to confuse the intruder and also to make it believe that it is receiving real values. In this way the intruder could be discovered earlier.
Most bioinspired methods for WSN intrusion attacks are generally applied to a single protocol layer of the OSI stack, for example, (i) genetic algorithm at the physical layer; (ii) antiphase synchronization at the MAC layer, a bioinspired method based on the behavior of Japanese tree frogs; (iii) ant colony optimization at the network layer; (iv) and quantified trust models at the application layer. At present the combination of several bioinspired methods for WSN is applied to improve the system performance [31].
We propose a honeypot implementation for IDS in a WSN, which is inspired by the behavior of the web spider. We have only found one paper that uses a web spider-inspired mechanism [32]. It proposes a bioinspired algorithm based on the social behavior of spiders from Congo to detect and eliminate misbehaving sensor nodes in WSN. The biological inspiration comes from the fact that these kinds of spiders form a collaborative group to listen for vibrations of victims in the web in order to hunt them. The bioinspired algorithm is distributed among sensor nodes (spiders) and it works as follows: one or more sensor nodes detect an attack from a suspected node (victim); then the sensor node sets a first level of alert and sends this detection to all its neighbors (collaboration); to reduce false alarms in the detection, the algorithm sets that if a second attack from the same suspected node is detected by the same sensor that detected the first attack or by a neighbor sensor, then the suspected node is considered as an intruder node. The paper does not present how and why this node is considered suspicious and how to reduce this intruder.
As far as we know there is not any other work published that uses the web spider behavior for WSN security. Moreover, the work presented in this paper is completely different from [32]. We have used different parts of the web spider behavior than the ones presented in [32].

Web Spider Defense Description
This section presents the description of the web spider defense technique and how it is applied to our system.
Spiders are often underestimated as suitable behavioral models. Spiders show surprising cognitive abilities, changing their behavior to suit their situational needs [33]. All spiders are predators. There are many types of spiders and there is a wide variety of methods used by them to capture their prey. Some spiders are hunters that chase and overpower their prey. Other spiders instead weave silk snares, or webs, to capture their prey [34,35]. Some spiders inject poison into their prey. The poison paralyzes victims making them lose mobility. After paralyzing victims, spiders usually wrap their victims with silk and soften the meat with gastric juice. Finally spider absorbs the result of this mixture. The behavior that we are going to use in our system is the behavior of web spiders that use poison to paralyze their prey once it is trapped in the web. There are several types of web spiders, which can be spiral orb web, tangle web or cobweb, funnel web, tubular web, and sheet web.
When a spider wants to capture a prey, it builds a web and waits till some flies or mosquitoes are trapped in it. When this happens, the spider has a delicacy with which to lure bigger prey. It has just to wait some time till a new prey sees the fly and/or the mosquito and gets trapped when it tries to catch them. The procedure to paralyze this big prey is then to inject poison, which slows down the mobility of the prey till it has no mobility. This procedure is used by our system. We will use one or several fake wireless sensor nodes placed in the WSN, which announce network services and provide false data. These nodes have little or no security. It (or they) will be honeypots for the intruders. The idea of attracting attackers is not really new. It has been used in many other types of networks [36]. As soon as the fake wireless sensor node detects a connection, it will contact the network administrator, which will follow the connection and gather information from the intruder (such as getting the IP address and DNS name). Fake wireless sensor nodes, where the security level is very low, will detect intruders by using any of the existing intrusion detection systems [11]. They will send data to sink nodes as regular nodes, but these fake data will be discarded by the sink node. In order to keep the intruder busy, the fake wireless sensor node slows down the replies to the intruder messages, like the poison of the spider when the prey is trapped in the web.
The system uses the connection establishments to keep intruders trapped. Every request is replied before the timeout, but it is delayed in order to let the system administrator gather information about the intruder. The system administrator is a node that is placed in the network, whose purpose is to gather information about a node through its IP address, DNS name, traces, and so forth.

System Algorithm and Protocol
This section presents the algorithm designed for our system and the protocol created for the proper operation of our system. Figure 1 shows the algorithm used for intruder or attacker detection and the steps followed to slow down their connections. At the beginning, the system listens to see whether the fake wireless sensor node is receiving any connection request. If it receives a request, it slows down the connection and informs the network administrator that it has a possible intruder. This slow process is performed by a "wait procedure," which delays the replies. The delay time is lower than the threshold used by TCP connections for the exceeded time. These delays in the replies allow the network administrator to gather information about the intruder in order to identify it. The network administrator will be able to use any information gathering technique using echo request/reply, whois, and so forth. This information will be used to know if the user establishing the connection is an intruder or an attacker. If the system confirms that the user is an intruder or an attacker, it will deny the service. If the user has the rights to perform this task because it belongs to the system, then the connection is established correctly and it goes to the listen state.
The designed protocol is shown in Figure 2. When the fake wireless sensor node receives a connection, it first sends a message to the network administrator in order to ask whether it is a trustable node or an intruder/attacker. Meanwhile it slows down the connection. The network administrator requests information about that node (by using its IP address, DNS name, traces, etc.) to the network gateways and interconnection devices. It gathers the information received about the type of node establishing the connection and informs the fake wireless sensor node. Then, it takes the appropriate action by denying or accepting the connection.
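The algorithm and protocol described above can be sketched as follows. This is an added example, not the authors' Java implementation: the class and function names, the reply strings, the 2 s client timeout, and the choice to deny when no verdict arrives within the hold budget are all assumptions, and the delay is applied to the application-level reply over loopback.

```python
import socket
import threading
import time

CLIENT_TIMEOUT_S = 2.0  # assumed timeout of the connecting client


def make_admin(trusted_ips, lookup_time_s):
    """Stand-in administrator (hypothetical): the sleep models the time spent
    on echo request/reply, traces and name lookups for the peer address."""
    def ask(peer_ip):
        time.sleep(lookup_time_s)
        return "trusted" if peer_ip in trusted_ips else "intruder"
    return ask


class FakeSensorNode:
    """Honeypot sensor that holds each connection while the admin investigates."""

    def __init__(self, ask_admin, max_hold_s=0.8 * CLIENT_TIMEOUT_S):
        self.ask_admin = ask_admin    # callable(peer_ip) -> "trusted" | "intruder"
        self.max_hold_s = max_hold_s  # always reply before the client times out
        self.log = []                 # (peer_ip, decision, seconds_held)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # loopback, ephemeral port
        self.sock.listen()
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._listen, daemon=True).start()

    def _listen(self):  # the "listen" state of the algorithm
        while True:
            conn, peer = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn, peer[0]),
                             daemon=True).start()

    def _handle(self, conn, peer_ip):
        start = time.monotonic()
        verdict = {}
        # 1. Report the connection to the administrator immediately.
        query = threading.Thread(
            target=lambda: verdict.update(v=self.ask_admin(peer_ip)), daemon=True)
        query.start()
        with conn:
            conn.settimeout(self.max_hold_s)
            try:
                conn.recv(1024)  # read the request; the reply is withheld
            except OSError:
                return
            # 2. Wait procedure: block (no busy loop) until the verdict arrives
            #    or the hold budget runs out, whichever comes first.
            left = self.max_hold_s - (time.monotonic() - start)
            query.join(timeout=max(0.0, left))
            # 3. No verdict in time counts as untrusted (assumption: fail closed).
            decision = verdict.get("v", "unverified")
            self.log.append((peer_ip, decision, time.monotonic() - start))
            conn.sendall(b"OK reading=21.5\n" if decision == "trusted"
                         else b"DENIED\n")


def probe(port, timeout_s=CLIENT_TIMEOUT_S):
    """Constructed client: send one request, return (reply, seconds_elapsed)."""
    start = time.monotonic()
    with socket.create_connection(("127.0.0.1", port), timeout=timeout_s) as c:
        c.sendall(b"READ temp\n")
        reply = c.recv(1024)
    return reply, time.monotonic() - start


if __name__ == "__main__":
    node = FakeSensorNode(make_admin(trusted_ips=set(), lookup_time_s=0.3))
    print(probe(node.port))  # the reply arrives only after the admin's verdict
```

The `log` entries record how long each peer was held, which is the time the administrator actually had for the investigation.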

Test Bench Experiments
In order to carry out the performance study two experiments have been made. In both cases, the WSN attacker acts as the client and the wireless sensor node as server. Both communicate using TCP sockets and the communication is established following a three-way handshake algorithm. The last answer (segment [FIN, ACK]) is delayed to give time to the network manager to diagnose the connection as a secure or insecure one. Figure 3 shows the system architecture used for the first experiment. The WSN attacker uses a MacBook Pro with the following characteristics: Intel Core 2 Duo 2.4 GHz processor and 2 GB RAM. The sensor node has a 1.6 GHz processor and 1 GB RAM. The communication between the WSN attacker and sensor node is wireless. The Wireshark sniffer program running in the WSN attacker node is used to compute the elapsed reply time. Both the client and server programs have been coded in the Java programming language. Figure 4 shows different response times from the wireless sensor node to the WSN attacker according to the artificial delay introduced by the sensor node (a loop varying the response time generates these different response times). As can be seen, if the delay is high, the total amount of time elapsed from the first segment [SEQ] to the reception of the last segment [FIN, ACK] is closer to the artificial delay. This is not true if the artificial delay is low. Figure 5 shows the CPU and RAM consumption during the loop execution. The measurements were obtained with the Linux top program. As can be seen, RAM usage is not high enough to be significant. On the contrary, the greater the delay in the sensor node, the higher the CPU consumption in the sensor node. The delay should be close to the time needed by the network manager to diagnose if the attempt of connection initiated by the WSN attacker is secure or not.
Moreover, we have to look for the minimum delay value that will affect the system performance, which is why we performed the second experiment.

Experiment 2.
This second experiment helps us to determine the delay by measuring the reply time of the tracert and ping to the wireless sensor nodes in a network with different delays. Figure 6 shows the system architecture used for the second experiment. The WSN attacker and each one of the 12 sensor nodes use the same equipment described for the previous experiment (the attacker uses a MacBook Pro with Intel Core 2 Duo 2.4 GHz processor and 2 GB RAM and the sensor node with 1.6 GHz processor and 1 GB RAM). Again, the communication between the WSN attacker and sensor node is wireless and the Wireshark sniffer program is running in the WSN attacker to compute the elapsed reply time.
Each sensor node is accessible from the WSN attacker via Internet. The NetDisturb program [37] lets us vary several network parameters such as the delay and jitter. Next we present the obtained simulation results. As Figure 7 shows, the greater the network delay, the higher the response time for ping and tracert. An important issue derived from our experimentation is that the probability of having a peak is higher for high network delays. Figure 7 demonstrates that this probability increases from a network delay higher than 200 ms. From this figure, we can make an estimation of the amount of time needed by the network manager to give a diagnosis about the connection between the WSN attacker and wireless sensor node. For example, if the network delay is 100 ms, the network manager takes into account the fact that the response time is 160 ms on average. As a result, the time to answer to the WSN attacker connection request should be greater than 160 ms. Figure 8 shows results obtained varying exponentially the jitter according to the following equation: where = 10 and is the delay variation.
As Figure 8 shows, there is a higher probability of obtaining a peak using tracerts. Another observation is that ping and tracert behavior is linear in this experiment in comparison with Figure 7. The linear behavior helps the network manager predict the response time.

Conclusion
In this paper, we have presented a bioinspired system that uses the web spider hunting technique. We have explained how all steps performed by the web spider are included in our system. Moreover, we have detailed the system algorithm and the protocol procedure for the proper operation of the system. A real test bench has been implemented in order to validate our system.
In order to carry out our performance study, we have made two experiments. First, we tested performance of the direct communication between the WSN attacker and the wireless sensor node. Then, we performed a second experiment to measure the reply time of the wireless sensor nodes in a network with different delays.
In future works we will make performance experiments using one and several wireless attackers in order to know response times for the ping and the tracert. Moreover, our system will include other spider behaviors from other types of spiders. Now we are developing the system for a real environment.