Detection, Characterization and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks

CHAPTER 1
INTRODUCTION
From the very first deployments of Wireless Sensor Networks (WSNs), motivated by military
applications, security has been a major concern. Nowadays, WSNs are popular for IoT applications, such as smart
cities, smart grids and healthcare but security threats could still pose costly and even life-threatening problems.
WSNs are by nature exposed to severe vulnerabilities, since they are often physically accessible, unattended, and
continuously evolving because of sensors joining and leaving the network. Moreover, the use of security
mechanisms such as complex cryptographic mechanisms is restricted because of computational constraints. Thus,
the cost of exploiting such vulnerabilities is less a deterrent for malicious activities. In particular, the
measurements’ integrity may be impaired: we refer to this attack as malicious data injections.

Even when common security mechanisms are in place, they cannot prevent some of the attacks. In
particular, an attacker can gain control over the WSN by physically tampering with sensor devices or
manipulating the environment itself. In several scenarios, these cannot be prevented with proactive security
mechanisms. For example, urban traffic sensors may be deliberately biased at the time they are implanted to
silence alarms for road accidents. In such cases, the only mean to counteract malicious data injections is detection
through analysis of the measurements themselves. This is possible because of inter-measurements correlation.
Wireless Sensor Networks carry a high risk of being compromised since their deployments are often unattended,
physically accessible and the wireless medium is difficult to secure.

Malicious data injections take place when the sensed measurements are maliciously altered to trigger
wrong and potentially dangerous responses. When many sensors are compromised, they can collude with each
other to alter the measurements making such changes difficult to detect. Distinguishing between genuine and
malicious measurements is even more difficult when significant variations may be introduced because of events,
especially if more events occur simultaneously. We propose a novel methodology based on wavelet transform to
detect malicious data injections, to characterise the responsible sensors, and to distinguish malicious interference
from faulty behaviours. The results, both with simulated and real measurements, show that our approach is able to
counteract sophisticated attacks, achieving a significant improvement over state-of-the-art approaches.

1
Detection, Characterization and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks

CHAPTER 2
SYSTEM ANALYSIS
2.1 EXISTING SYSTEM:
We present the problem of detecting, characterizing and diagnosing malicious data injections in WSNs,
propose a complete methodology to deal with each of these tasks and test its validity on two datasets. A synthetic
set of temperature measurements in a wildfire monitoring WSN and a real dataset of seismic measurements in an
earthquake monitoring WSN.

DISADVANTAGES:
 Our novel approach uses a variation of Continuous Wavelet Transform (CWT) for non-evenly spaced
samples to isolate the events trends at specific locations and granularities that are respectively referred
to as translations and scales.

 The wavelet transform has been previously applied in its discrete form (discrete wavelet transform) for
detecting faulty sensors during event detection. Because of temporal correlation, the wavelet coefficients
at the lowest scale fluctuate more in the presence of events.

2.2PROPOSED SYSTEM:
Most of these techniques have been proposed to detect generic anomalies rather than deliberate malicious
injections so they are not designed to cope with collusion which drastically decreases the chances of detection.
The measurements distribution is assumed homogeneous and this assumption does not hold especially when
particular events of interest occur, such as wildfires, earthquakes, pathological conditions, etc.

ADVANTAGES:
 We propose a method for detection of malicious data injections in the presence of sophisticated collusion
strategies, based on a cross-scale analysis of the measurements wavelet transform in the spatial domain.
 Yet we highlight that detecting anomalies in the measurements is not sufficient to effectively counteract
them. The alterations in the malicious measurements and the affected sensors need to be identified. We
refer to this task as characterization.

2
Detection, Characterization and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks

CHAPTER 3
SYSTEM REQUIREMENT SPECIFICATION

System Requirement Specification (SRS) is a central report, which frames the establishment of the
product advancement process. It records the necessities of aframe work as well as has a depiction of its
significant highlight. A SRS is essentially an association's seeing (in composing) of a client or potential
customer's frame work necessities and conditions at a specific point in time (generally) before any genuine
configuration or improvement work. It's a two-way protection approach that guarantees that both the
customer and the association comprehend alternate's necessities from that viewpoint at a given point in
time.

The composition of programming necessity detail lessens advancement exertion,as watchful audit
of the report can uncover oversights, mistaken assumptions, and irregularities ahead of schedule in the
improvement cycle when these issues are less demanding to right. The SRS talks about the item however
not the venture that created it consequently the SRS serves as a premise for later improvement of the
completed item.

The SRS may need to be changed, however it does give an establishment to proceed with creation
assessment. In straightforward words, programming necessity determination is the beginning stage of the
product improvement action. The SRS means deciphering the thoughts in thebrains of the customers – the
information, into a formal archive – the yield of the prerequisite stage. Subsequently the yield of the stage
is a situated of formally determined necessities, which ideally are finished and steady, while the data has
none of these properties.

3
Detection, Characterization and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks

Chapter 4
SYSTEM STUDY
Feasibility study:
A feasibility study aims to objectively and rationally uncover the strengths and weaknesses of
an existing business or proposed venture, opportunities and threats present in the environment,
the resources required to carry through, and ultimately the prospects for success. In its simplest terms, the
two criteria to judge feasibility are cost required and value to be attained.

A well-designed feasibility study should provide a historical background of the business or project,
a description of the product or service, accounting statements, details of
the operations and management, marketing research and policies, financial data, legal requirements and
tax obligations. Generally, feasibility studies precede technical development and project implementation.
A feasibility study evaluates the project's potential for success; therefore, perceived objectivity is an
important factor in the credibility of the study for potential investors and lending institutions. It must
therefore be conducted with an objective, unbiased approach to provide information upon which decisions
can be based.

Technical Feasibility:

This assessment is based on an outline design of system requirements, to determine whether

the company has the technical expertise to handle completion of the project. When writing a feasibility
report, the following should be taken to consideration:

 A brief description of the business to assess more possible factors which could affect the study
 The part of the business being examined
 The human and economic factor
 The possible solutions to the problem

At this level, the concern is whether the proposal is both technically andfeasible (assuming
moderate cost). The assessment is focused on gaining an understanding of the present technical resources
of the organization and their applicability to the expected needs of the proposed system. It is an evaluation
of the hardware and software and how it meets the need of the proposed system.

4
Detection, Characterization and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks

These include such design-dependent parameters as reliability, maintainability, supportability,

usability, reducibility, disposability, sustainability, affordability and others. These parameters are required
to be considered at the early stages of design if desired operational behaviors are to be realized. A system
design and development requires appropriate and timely application of engineering and management
efforts to meet the previously mentioned parameters. A system may serve its intended purpose most
effectively when its technical and operating characteristics are engineered into the design. Therefore,
operational feasibility is a critical aspect of systems engineering that needs to be an integral part of the
early design phases.

ECONOMICAL FEASIBILITY
The purpose of the economic feasibility assessment is to determine the positive economic benefits
to the organization that the proposed system will provide. It includes quantification and identification.

SYSTEM DESIGN
System Design is the process of defining the architecture, components, modules, interfaces and
data for a system to satisfy specified requirements. System design could be seen as the application of the
systems theory to product development. The system design process builds up general framework building
design. Programming outline includes speaking to the product framework works in a shape that may be
changed into one or more projects. The prerequisite indicated by the end client must be put in a
systematical manner. Outline is an inventive procedure; a great configuration is the way to viable
framework. The framework "Outline" is characterized as "The procedure of applying different systems
and standards with the end goal of characterizing a procedure or a framework in adequate point of interest
to allow its physical acknowledgment". Different configuration components are taken after to add to the
framework. The configuration detail portrays the components of the framework, the segments or
components of the framework and their appearance to end-clients.

DESIGN CONSIDERATION
The reason for the design is to arrange the arrangement of the issue determined by the necessities report.
This stage is the initial phase in moving from issue to the arrangement space. As such, beginning with what is
obliged; outline takes us to work towards how tofullfill those needs. The configuration of the framework is maybe
the most basic component influencing the nature of the product and has a noteworthy effect on the later stages,

5
Detection, Characterization and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks

especially testing and upkeep. Framework outline depicts all the significant information structure, document
arrangement, yield and real modules in the frameworkand their Specification is chosen.

4.1 INPUT DESIGN

Input Design plays a vital role in the life cycle of software development, it requires very careful
attention of developers. The input design is to feed data to the application as accurate as possible. So inputs are
supposed to be designed effectively so that the errors occurring while feeding are minimized. According to
Software Engineering Concepts, the input forms or screens are designed to provide to have a validation control
over the input limit, range and other related validations.

This system has input screens in almost all the modules. Error messages are developed to alert the
user whenever he commits some mistakes and guides him in the right way so that invalid entries are not made.

Input design is the process of converting the user created input into a computer-based format. The goal of
the input design is to make the data entry logical and free from errors. The error is in the input are controlled by
the input design. The application has been developed in user-friendly manner. The forms have been designed in
such a way during the processing the cursor is placed in the position where must be entered. The user is also
provided within an option to select an appropriate input from various alternatives related to the field in certain
cases. Validations are required for each data entered. Whenever a user enters an erroneous data, error message is
displayed and the user can move on to the subsequent pages after completing all the entries in the current page.

4.2 OUTPUT DESIGN

The Output from the computer is required to mainly create an efficient method of communication within
the company primarily among the project leader and his team members. In other words,the administrator and the
clients. The output of VPN is the system which allows the project leader to manage his clients in terms of creating
new clients and assigning new projects to them, maintaining a record of the project validity and providing folder
level access to each client on the user side depending on the projects allotted to him. After completion of a
project, a new project may be assigned to the client. User authentication procedures are maintained at the initial
stages itself. A new user may be created by the administrator himself or a user can himself register as a new user
but the task of assigning projects and validating a new user rests with the administrator only.
The application starts running when it is executed for the first time. The server has to be started and then
the internet explorer in used as the browser. The project will run on the local area network so the server machine

6
Detection, Characterization and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks

will serve as the administrator while the other connected systems can act as the clients. The developed system is
highly user friendly and can be easily understood by anyone using it even for the first time.

4.3 MODULES OF THE PROJECT

Information security
The chance of detecting malicious data injections depends on the ability to exploit correlation as well as
on the attack’s sophistication.We envisage that malicious measurements can be injected with any sophisticated
strategy that maximises the damage to the WSN and minimises the risk of being detected. This is possible if
compromised nodes collude, i.e. act in concert towards a common goal. The problem becomes even more
challenging when events occur in the monitored physical phenomenon. Wildfires are an example of event for
temperature monitoring WSNs, while an event for seismic WSNs may be an earthquake.
Wireless sensor networks
The locations where the anomaly score is high indicate the presence of a conflict between sensors in that
area. A conflict arises when the measurements from different sensors originate from incompatible factors, for
instance areal event and a spoofed event. The remainder task for characterization is to identify conflicting groups,
and thereby the sensors that caused the conflicts. Since high anomaly scores indicate the presence of disruptions
in correlation, a conflict is registered for the two areas that are the closest to each anomalous location.
Event detection
When detection of malicious data injections is carried out the attacker has a trade off between the potential
damage introduced by malicious data and the risk of being detected: higher potential damage is more likely to
cause evident disruptions in correlations and, in turn, trigger detection. Our attacker model considers malicious
data that impair event detection and do not cause disruptions in correlation that are easy to identify. This is
possible when considering attackers with large resources and conducting highly sophisticated attacks. In
particular, we maximize the attack’s sophistication to focus on the impact of the attacker’s resources, above all
the number of malicious sensors.
Continuous wavelet transforms
Cross-scale correlation has been already exploited in the field of digital images steganalysis. Because of
significant differences between the two applications, there are several distinctions in the way we run detection,
characterization and diagnosis (the latter is not done in image steganalysis). For instance, the original image
cannot be completely replaced by forged data; otherwise the ultimate purpose of image forgery disappears. On the
contrary, the damage led to WSNs is proportional to the number of measurements tampered with.

7
Detection, Characterization and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks

4.4 SYSTEM ARCHITECTURE

The first step is the detection of anomalies in the measurements. Except when boundaries imposed by
physical constraints are not respected, the probability of observing a measurements set is rarely null.
Therefore, any measurements set is assigned an anomaly score, i.e. an indicator for the probability that
there are anomalies. This step is based on application of the wavelet transform and analysis of the
relationship between the coefficients at different scales.
Detecting an anomaly is generally not sufficient to identify the anomalous sensors. The second step,
which we refer to as characterization, identifies the anomalous sensors and determines if they have
ELICITED or MASKED events. Identification of anomalous sensors is complex in the presence of
collusion because malicious measurements can correlate well between themselves. Hence, we first identify
groups of sensors with highly correlated measurements. Then, measurements anomalies are translated into
group anomaly scores, at are used to identify anomalous groups .The general behavior of the
measurements in the anomalous group unveils if the anomalous measurements have elicited or masked
events This, in turn, enables to link back the group-wise anomaly to the individual sensors The presence of
anomalies does not imply the presence of malicious data injections since anomalies may be caused by
other phenomena, such as genuine faults. For this reason, we further evaluate properties of the
measurements to distinguish, among other, faulty and maliciously compromised sensors. We refer to the
task of ascribing the detected anomaly to a particular category as diagnosis
Our principle for detecting anomalous measurements is to contextualise the individual measurements
of each sensor by relating it to broader behaviours. For instance, a steep change, if isolated is just a spike,
while at the boundary of a wide transition is a change point. The wavelet transform enables us to
distinguish such scenarios thanks to a multi-scale analysis. While higher scales capture general trends, i.e.
increases/decreases that are common to many points in space (for time series we would talk about the
long-term trends), lower scales emphasise local variations.

8
Detection, Characterization and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks

CONCLUSION
In this paper we have focused on detecting malicious data injections in WSNs, in particular when one or
more events can occur and collusion between compromised sensors exploits the loss in correlation brought in by
them. We have proposed a novel methodology to detect malicious data injections, based on the measurements
cross-scale relationship. In addition, we have provided an approach to characterize malicious colluding nodes, by
partitioning the sensor nodes based on the correlation between their measurements. This approach considers the
effects of events, hence it is able to detect groups of sensors that elicit or mask events. Finally, we provided a
novel measurements-based diagnosis technique to distinguish fault-induced anomalies from malicious anomalies.