An IoT-Based Intrusion Detection System Approach for TCP SYN Attacks

Abstract: The success of Internet of Things (IoT) deployments has given rise to important smart applications. These applications run independently on different platforms, almost everywhere in the world. The Internet of Medical Things (IoMT), also referred to as the healthcare Internet of Things, is the most widely deployed application against COVID-19, offering extensive healthcare services that are connected to healthcare information technology systems. Indeed, under the impact of the COVID-19 pandemic, a large number of interconnected devices have been designed to create smart networks. These networks monitor patients from remote locations and track medication orders. However, IoT may be jeopardized by attacks such as TCP SYN flooding and sinkhole attacks. In this paper, we address the issue of detecting Denial of Service attacks performed by TCP SYN flooding attacker nodes. For this purpose, we develop a new algorithm for an Intrusion Detection System (IDS) to detect malicious activities in the Internet of Medical Things. The proposed scheme minimizes the number of attacks as far as possible to ensure data security and preserve the confidentiality of gathered data. In order to check the viability of our approach, we evaluate analytically and via simulations the performance of our proposed solution under different probabilities of attack.


Introduction
The Internet of Things has become a powerful industrial revolution by which a huge number of heterogeneous objects such as sensors, mobile devices, cameras, and vehicles can connect with each other via the Internet. These objects collect immense amounts of data of many kinds, which are further processed and analyzed in order to extract useful information. The Internet of Things (IoT), and specifically the Internet of Medical Things (IoMT) [1], is gaining importance in dealing with the unprecedented COVID-19 pandemic. The IoMT strategy is now being explored in many solutions, such as monitoring heart rate variability (HRV) and respiratory rate variability (RRV) affected by the COVID-19 outbreak. Medical

Figure 1: A RPL network with three DODAGs in two instances
The root node of the DODAG acts as a Border Router (BR) to connect RPL nodes together and to the Internet. As mentioned above, given that RPL does not offer any security policies for low-power networks, IoT services are vulnerable to a large variety of intruders and security attacks [12]. Such attacks can be external as well as internal, and they target the exhaustion of network resources (energy, memory and power). Given this vulnerability, we can note some of the particular topology attacks, including hello flood, Sinkhole, Sybil, Wormhole, Blackhole, etc. Therefore, IDS solutions are effective for monitoring network behavior and detecting compromised nodes. Pongle et al. [13] survey the four most widely used approaches in IDS: event detection-based IDS, signature detection-based IDS, host-based IDS, and specification-based IDS. In the event detection method, the IDS captures the events triggered in the network in order to analyze them. If the IDS detects an attack, it raises an alarm. Jun et al. [14] propose a specification of event detection-based IDS where event patterns are defined and stored in a database using SQL and EPL (Event Processing Language). In the signature-based IDS approach, a signature pattern is compared with the ones stored in the IDS internal database. If the pattern matches, an alarm is generated. Oh et al. [15] proposed an example of signature-based IDS for resource-constrained sensor networks connected to IP networks. The authors in [16] proposed an IDS based on immunity-based intrusion detection technology and dynamic defense. Indeed, self-learning and self-adaptation are employed dynamically to detect malicious events. In the host-based IDS method, also known as the hybrid method, a detection module is implemented in every device of the RPL network. Each node on the network acts as a monitoring node. The authors in [17] proposed a host-based IDS for intrusion detection on RPL networks, covering attacks such as forged or altered information and selective forwarding.
The overhead of that proposal is small enough to deploy it on low-power networks. In the specification-based IDS scheme, also known as software engineering-based [18] or finite state machine (FSM)-based IDS [19], a network expert manually defines a set of rules that are used as references for the behavior of network peripherals. An intrusion is detected by the IDS when there is suspicious activity that deviates from the defined rules. The proposed scheme is tested on the Contiki platform. An abstract of the normal operation of a network is built manually, and malicious activities are detected based on a set of specifications for RPL. However, that scheme is described without any validation, and no simulations have been presented. In [20], Abduvaliyev et al. deploy a combination of anomaly-based and misuse-based intrusion detection techniques (defined as a hybrid intrusion detection system). Indeed, this technique yields high detection rates and low false positive rates. Shin et al. [21] developed an IDS for wireless industrial sensor networks (WISNs). They proposed a hierarchical framework for intrusion detection and prevention in WISNs. Through simulations on the NesC simulator, the authors present detailed results on the accuracy of the proposed scheme. Ioulianou et al. [22] proposed a signature-based IDS to detect DDoS attacks in IoT networks. The proposed scheme comprises two units, namely the IDS router and the IDS detectors. These two modules are deployed in a hybrid manner. The IDS router, placed on the border gateway, performs detection and firewall functionalities. The IDS detectors employ sensors to monitor traffic and forward information about malicious nodes to the gateway for further action. The authors in [23] proposed a new knowledge-driven IDS, namely Kalis, which combines signature rules and anomaly detection processes to detect attacks on IoT networks. Indeed, Kalis autonomously collects knowledge about the features and entities of the monitored network and prevents DoS attacks.
According to the authors, the proposed system enables detection of DoS and routing attacks. However, Kalis requires the installation of particular detection modules to focus on routing attacks, which limits its accuracy. Tab. 1 summarizes the attacks on RPL together with the methods used to detect intruders. Our proposal consists of an IDS that prevents disruption of the network. It is considered the first line of defense, monitoring network traffic. All network activities are analyzed; any abnormal traffic or malicious activity is alerted by the IDS, and appropriate actions should then be taken. The main objective of our proposed scheme is the early detection of TCP SYN attacks. Indeed, in this paper, an IDS is proposed to detect TCP SYN attacks in IoT networks. Fig. 2 illustrates the application scenario used in this study. We consider the case of a remote medical monitoring application. We adopt the case of a patient who wears different wireless sensors collecting vital recordings such as respiration rate, peripheral oxygen saturation (SpO2), electrocardiography (ECG), accelerometers, gyroscopes, etc. These sensor nodes are attached to the patient's body and communicate, via an access point, with servers in the cloud. The attack model consists of a distant malicious attacker who is expected to act as an ordinary healthcare professional but violates the security policy by sending spoofed SYN packets to the victim sensor. The malicious healthcare professional starts a transmission by sending a SYN to the distant server. The server then allocates a buffer for the distant client and sends a SYN Acknowledge (ACK) packet to the client in order to complete the connection setup. When the connection is complete, the attacker floods the victim with a large volume of traffic, and the continuous data stream prevents the victim from providing services to legitimate users (legitimate healthcare professionals).
The solution proposed in this paper aims to detect vulnerabilities to such attacks. We analyze and evaluate the proposed detection capability. In fact, detecting an attack is considered a first step towards obtaining a reliable estimate of the state of the TCP handshake protocol, which in turn facilitates eliminating the disruptive effects of missed detection and false alarms. To satisfy this requirement and to assure good estimation performance of our proposed scheme, we use the probability of missed detection as the relevant metric. This metric must be less than a given value.
3844 CMC, 2022, vol.71, no.2

Network Model
As mentioned above, we consider the case of a remote IoT-based monitoring and sensing system, with a set of randomly distributed sensor nodes (sensors worn by patients). All sensor nodes are connected to a full-function device carried by the patient [24]. This full-function device acts as a gateway, namely the body coordinator. It is responsible for forwarding all data received from the wearable sensors to the distant medical monitoring platform. We consider a network composed of N nodes, N = {n: n = 1, . . . , N}. These nodes act as monitors and collect data and vital signs or symptoms (glucose level, temperature, heart rate, breathing rate, etc.) from the body coordinator carried by the patient. In the case of a normal connection, the client, i.e., the distant medical monitoring platform, starts a transmission by sending a SYN to the body coordinator.
In a legitimate TCP connection, the client initiates the connection by sending a SYN request to the distant server. The server then allocates some resources, such as a buffer, for the client and replies with a SYN/ACK packet acknowledging receipt of the SYN packet. At this stage the connection is half-open, and the server enters a waiting state until the connection setup is completed and data transfer can begin. The number of half-open connections the server can maintain is limited by a backlog queue; when this number exceeds the queue size, all subsequent incoming connections are rejected, which creates a Denial of Service (DoS) condition. In our case study we consider a single-server system composed of the body coordinator. This server serves N users. We assume that the system is slotted with fixed unit slots t ∈ {0, 1, 2, . . . , T}. The server receives a large number of TCP SYN messages. We define A(t) as the number of packets arriving in the server's queue at time slot t. We assume that A(t) is a stationary process and follows a Poisson distribution. The packet arrival rate is denoted λ ∈ {λ1, λ2, . . . , λn}, where λn = E[A(t)]. Let Q(t) denote the backlog queue length of the server at time slot t, with Q(0) = 0. The dynamics of the server's queue length in each discrete time slot are given by Eq. (1), where γ+ = max(γ, 0). In general, the server queue model is characterized by its own arrival and departure processes. When departures are fewer than arrivals, the queue backlog grows. We say that the system is stable if the mean queue length of the server is finite. Q(t), μ(t) and A(t) stand for the queue backlog, the departure process and the arrival process of the server at time t, respectively, describing the quantity removed from or added to the queue in time slot t. A queue is finite-time stable if: Fig. 3 depicts the arrival-departure process.
Mostly, clients in the network send their own legitimate number of SYN request messages. In order to detect SYN attacks, we propose a threshold on the number of SYN requests that can be sent by one node without opening a session and completing the three-way handshake. In other words, each node must send a number of SYN requests smaller than a given threshold, denoted Thre. In the case of a SYN attack, however, there is malicious activity that seeks to degrade network performance by injecting a huge number of TCP SYN flood requests, greater than the threshold, and therefore exhausting the server workload and resources such as memory and queue length. An Intrusion Detection System (IDS) is a good choice to monitor node behavior and detect whether an attack is beginning, and then issue alerts to the Cybersecurity Operations Center (CsOC) for investigation. Indeed, once the TCP SYN request threshold limit is reached, the IDS reports a TCP SYN flood attack and filters out the abnormal packets taking part in the DoS attack. Let Req be the number of requested resources and Thre the threshold value, i.e., the maximum number of requests allowed at time slot t. Formally, the attack decision rule can be written as follows: where D0 indicates the absence of any TCP SYN flood attack and D1 indicates the presence of an actual attack [12]. To describe the behavior of our proposed IDS, we illustrate our research methodology in the diagram in Fig. 4.

IDS Criteria
To further enhance the detection rate and minimize the false alarm rate of the IDS, the network administrator must define an objective function that reduces the probability of false alarm as much as possible. Indeed, in some cases the number of TCP SYNs, due to a bad-quality connection, can trigger false alarms, and other events are labeled as unknown attacks. The IDS must be able to detect abnormal TCP SYN connections and classify them as unacceptable. Thus, without loss of generality, the IDS must offer high detection precision and a trade-off between correctly detecting true positives and limiting false positives. The metrics can be described as follows:
• True Positive (TP): an actual attack is classified as an attack.
• True Negative (TN): actual normal traffic is classified as normal.
• False Positive (FP): actual normal traffic is classified as an attack.
• False Negative (FN): an actual attack is classified as normal.
Tab. 2 shows the truth table for intrusion assertion by an IDS. Further, the other main performance targets for any intrusion detection system are precision, recall, accuracy, and specificity.
If the probability of false alarm is less than a threshold probability, then the IDS flags that particular sequence as abnormal. We can formulate the problem as follows: where P_fa is the probability of false alarm (false positive), i.e., the flow is normal traffic, not affected by an attack, but is wrongly classified as an attack. P_miss is the probability of missed detection (false negative), i.e., the flow received by the server is affected by an attack but is wrongly classified as normal traffic. Indeed, in order to minimize false negative errors, we need to fix an optimal trust threshold β, and therefore the missed-detection probability must be smaller than the given value β. The threshold value can be searched to minimize the total cost for a specific cost ratio of false negative errors to false positive errors.
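The four counts above and the rates derived from them, worked through as an added Python example (not code from the paper): it evaluates the page's rule Req > Thre over a constructed set of per-node SYN counts with known labels, computes TP, TN, FP and FN, derives precision, recall, accuracy, specificity, P_fa and P_miss, and then searches for the threshold that minimizes a weighted cost of false negatives and false positives subject to P_miss ≤ β. The sample counts, the cost model (cost = ratio × FN + FP) and the helper names are this example's assumptions.

```python
"""Confusion-matrix metrics and threshold search for a SYN-count IDS rule.

Added example (not the paper's code).  The decision rule is the page's
"Req > Thre means attack"; the cost model (cost = ratio * FN + FP, subject
to P_miss <= beta) is this example's reading of the closing sentence of the
IDS Criteria section.  The per-node SYN counts below are constructed.
"""
from typing import List, Optional, Tuple

# Constructed sample: (SYN requests sent by a node in one slot, is_attack).
SAMPLE: List[Tuple[int, bool]] = [
    (0, False), (1, False), (1, False), (2, False), (1, False),
    (0, False), (3, False), (1, False), (2, False), (1, False),
    (6, True), (9, True), (4, True), (12, True), (3, True),
]


def decide(req: int, thre: int) -> bool:
    """Decision rule: D1 (attack) when the request count exceeds Thre."""
    return req > thre


def confusion(records: List[Tuple[int, bool]], thre: int) -> Tuple[int, int, int, int]:
    """Return (TP, TN, FP, FN) of the rule at threshold thre."""
    tp = tn = fp = fn = 0
    for req, is_attack in records:
        alarm = decide(req, thre)
        if is_attack and alarm:
            tp += 1
        elif is_attack:
            fn += 1
        elif alarm:
            fp += 1
        else:
            tn += 1
    return tp, tn, fp, fn


def _ratio(num: int, den: int) -> float:
    return num / den if den else 0.0


def metrics(tp: int, tn: int, fp: int, fn: int) -> dict:
    """Precision, recall, accuracy, specificity, P_fa and P_miss."""
    return {
        "precision": _ratio(tp, tp + fp),
        "recall": _ratio(tp, tp + fn),
        "accuracy": _ratio(tp + tn, tp + tn + fp + fn),
        "specificity": _ratio(tn, tn + fp),
        "p_fa": _ratio(fp, fp + tn),     # false alarm: normal flagged as attack
        "p_miss": _ratio(fn, fn + tp),   # missed detection: attack passed as normal
    }


def search_threshold(records: List[Tuple[int, bool]], beta: float,
                     cost_ratio: float) -> Optional[int]:
    """Lowest-cost Thre with P_miss <= beta; None if no threshold qualifies.
    cost_ratio is the cost of one false negative in units of one false positive."""
    best, best_cost = None, float("inf")
    for thre in range(max(req for req, _ in records) + 1):
        tp, tn, fp, fn = confusion(records, thre)
        if metrics(tp, tn, fp, fn)["p_miss"] > beta:
            continue                      # violates the missed-detection bound
        cost = cost_ratio * fn + fp
        if cost < best_cost:
            best, best_cost = thre, cost
    return best


if __name__ == "__main__":
    for thre in range(0, 5):
        print(thre, confusion(SAMPLE, thre), metrics(*confusion(SAMPLE, thre)))
    print("beta=0.2, FN costs 5x FP ->", search_threshold(SAMPLE, 0.2, 5.0))
    print("beta=0.2, FN costs 0.5x FP ->", search_threshold(SAMPLE, 0.2, 0.5))
```

On the constructed sample, Thre = 3 gives P_fa = 0 and P_miss = 0.2, while Thre = 2 gives P_fa = 0.1 and P_miss = 0; with β = 0.2 the search picks Thre = 2 when a missed attack costs five false alarms and Thre = 3 when it costs half of one, which is the cost-ratio trade-off the paragraph describes.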

The Conway-Maxwell-Poisson Distribution Model and Probability Function
The CMP distribution is a generalization of the Poisson distribution. It is a natural two-parameter distribution that was originally developed in 1962 by Conway and Maxwell to model queues and service rates. Let Y denote a Conway-Maxwell-Poisson distributed random variable representing the number of TCP SYN attacks during a single time slot. The probability mass function (pmf) P(Y = y) under the CMP distribution is given by: where the parameter λ is the CMP "location" (intensity) and ν is the dispersion parameter, i.e., Y ∼ CMP(λ, ν). Z(λ, ν) is often called the "Z-function" and is a normalizing constant. The CMP distribution generalizes several well-known discrete distributions. When ν = 1 (and thus Z(λ, ν) = exp(λ), so that an ordinary Poisson(λ) distribution results), Eq. (5) can be written as: Therefore, based on the decision rule in Eq. (5), P_miss is calculated as follows: Our proposed IDS implements an algorithm that calculates the probability of missed attack in each time slot. This probability is compared with a threshold value and, depending on the result of the comparison, an appropriate alarm or signal is issued. This missed-detection probability must be smaller than β. The complete attack detection process is described in Algorithm 1. First, two variables are fixed by the system administrator, namely P_fa and β, which represent the probability of false alarm and the upper bound on the false alarm probability, respectively. On each iteration, we calculate the probability of missed detection and the threshold value based on Eq. (7).
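The CMP pmf, its Z-function and the Poisson special case, followed by the missed-detection probability of the threshold rule, as an added Python example that is not the paper's algorithm. The pmf λ^y / (y!)^ν / Z(λ, ν) follows the definitions above; since the page does not reproduce Eq. (7) or Algorithm 1, this example assumes that an attacker whose per-slot SYN count Y ~ CMP(λ, ν) stays at or below Thre is missed (P_miss = P(Y ≤ Thre)), and that the threshold search keeps the largest Thre with P_miss ≤ β, which is the choice that minimizes false alarms under the bound. Function names and the numeric inputs are this example's.

```python
"""Conway-Maxwell-Poisson pmf, its Poisson special case, and the
missed-detection probability of the threshold rule.

Added example, not the paper's algorithm.  The pmf and Z-function follow
the page's definitions; the expression for P_miss and the threshold search
are this example's reading of Eq. (7) and Algorithm 1, whose formulas are
not reproduced on the page.
"""
import math
from typing import Optional


def cmp_z(lam: float, nu: float, tol: float = 1e-15, max_terms: int = 100_000) -> float:
    """Normalizing constant Z(lam, nu) = sum_{x>=0} lam^x / (x!)^nu.
    Terms are built incrementally (term_{x+1} = term_x * lam / (x+1)^nu) and the
    sum stops once a term is negligible; the series diverges only for nu = 0, lam >= 1."""
    if nu == 0 and lam >= 1:
        raise ValueError("Z(lam, 0) diverges for lam >= 1")
    total, term = 0.0, 1.0
    for x in range(max_terms):
        total += term
        term *= lam / (x + 1) ** nu
        if term < tol * total:
            break
    return total


def cmp_pmf(y: int, lam: float, nu: float) -> float:
    """P(Y = y) for Y ~ CMP(lam, nu): lam^y / (y!)^nu / Z(lam, nu)."""
    term = 1.0
    for k in range(1, y + 1):
        term *= lam / k ** nu
    return term / cmp_z(lam, nu)


def poisson_pmf(y: int, lam: float) -> float:
    """Ordinary Poisson(lam) pmf, the nu = 1 special case of the CMP."""
    return math.exp(-lam) * lam ** y / math.factorial(y)


def p_miss(thre: int, lam: float, nu: float) -> float:
    """Missed-detection probability (assumed form of Eq. (7)): an attacker whose
    per-slot SYN count Y ~ CMP(lam, nu) stays at or below Thre is classified D0."""
    z = cmp_z(lam, nu)
    total, term = 0.0, 1.0
    for y in range(thre + 1):
        total += term
        term *= lam / (y + 1) ** nu
    return total / z


def choose_threshold(lam: float, nu: float, beta: float,
                     max_thre: int = 10_000) -> Optional[int]:
    """Assumed reading of Algorithm 1: the largest Thre whose P_miss does not
    exceed the administrator's bound beta.  P_miss is non-decreasing in Thre,
    so the scan stops at the first violation.  None if even Thre = 0 misses too often."""
    best = None
    for thre in range(max_thre + 1):
        if p_miss(thre, lam, nu) <= beta:
            best = thre
        else:
            break
    return best


if __name__ == "__main__":
    lam, nu = 2.0, 1.0   # nu = 1: the CMP collapses to Poisson(2)
    for y in range(5):
        print(y, round(cmp_pmf(y, lam, nu), 4), round(poisson_pmf(y, lam), 4))
    for beta in (0.5, 0.2, 0.1):
        print("beta =", beta, "-> Thre =", choose_threshold(lam, nu, beta))
```

With ν = 1 and λ = 2 the pmf coincides with Poisson(2), P_miss(1) = 3e^(-2) ≈ 0.406, and the search returns Thre = 1 for β = 0.5, Thre = 0 for β = 0.2 and no admissible threshold for β = 0.1 (even Thre = 0 misses with probability e^(-2) ≈ 0.135); ν < 1 over-disperses the count (ν = 0 with λ < 1 is the geometric case) and ν > 1 under-disperses it.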

Performance Evaluation
This section describes the simulation model used in this study and evaluates the IDS performance against TCP SYN attacks. Simulations were carried out in the Matlab programming environment. To simplify our analysis, we assume an IoT network composed of N = 50 source nodes. Each node sends one TCP SYN request packet per time slot. The packets sent have an average length of λs = 40 bytes. All received packets are stored in the server queue (coordinator node) to be served later at an average rate of μ = 1950 bytes per time slot. The simulation horizon used in this study is T = 1500 time slots. We first consider a network under TCP SYN attack without the Intrusion Detection System. We compute the backlog queue for an optimal trust threshold β = 0.2 and different attack probabilities Pa = {0; 0.3; 0.6; 0.9}. Fig. 5 illustrates the backlog queue under the different attack probabilities. As expected, the backlog queue increases linearly as the probability of attack increases. Fig. 6 shows that the backlog queue with probability Pa = 0.9 is quite large compared to the one with Pa = 0.3. Indeed, when the attack probability increases, the queue length grows. If this attack traffic persists for a long time, the queue will block all other traffic, which may be normal traffic, and therefore degrade resource performance. To evaluate our proposed scheme, we show in Fig. 6 the queue length of the server in the presence of the IDS. Fig. 6 was produced with an attack probability Pa = 0.6, β = 0.2, and L = 40 B. It shows the queue length of the server in the case where there is no attack, the case where an attack occurs without IDS deployment, and the case with the IDS present and attack probability Pa = 0.6. As we can see, without the IDS the queue length grows to 2874 bytes.
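The slotted backlog queue of the Network Model section and the experiment just described, as an added Python example that is not the paper's Matlab code. N = 50, the 40-byte packet length, μ = 1950 bytes per slot, T = 1500 and the set of Pa values are the page's parameters. The arrival model (N legitimate nodes each sending a Poisson number of SYNs per slot, plus the page's single distant attacker, who floods in a slot with probability Pa), the threshold Thre = 3, the recursion Q(t+1) = [Q(t) - μ]+ + A(t) standing in for the unreproduced Eq. (1), and the IDS action of admitting at most Thre requests per node per slot and rejecting the rest are this example's assumptions, so its numbers do not reproduce Figs. 5 and 6; what it reproduces is the qualitative result, a backlog that grows with Pa without the IDS and stays bounded with it.

```python
"""Slotted backlog-queue simulation of a body coordinator under TCP SYN
flooding, with and without a threshold-based IDS in front of the queue.

Added example, not the paper's Matlab code.  N, packet length, service rate,
horizon and the Pa set are the page's parameters; the arrival model, the
attacker burst size, Thre and the per-slot capping are assumptions.
"""
import math
import random
from dataclasses import dataclass

N = 50          # legitimate source nodes (page)
PKT_BYTES = 40  # average SYN packet length lambda_s (page)
MU = 1950       # service rate in bytes per slot (page)
T = 1500        # simulation horizon in slots (page)
PA_VALUES = (0.0, 0.3, 0.6, 0.9)  # probabilities of attack (page)

LEGIT_RATE = 0.9    # assumption: mean SYNs per legitimate node per slot
ATTACK_RATE = 60.0  # assumption: mean SYNs in one attacker burst
THRE = 3            # assumption: per-node per-slot SYN threshold Thre


def poisson(rng: random.Random, mean: float) -> int:
    """Knuth's Poisson sampler; adequate for the small means used here."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def queue_step(q: int, arrivals: int, mu: int = MU) -> int:
    """One slot of the backlog recursion.  Eq. (1) is not reproduced on the
    page; the standard form Q(t+1) = [Q(t) - mu]^+ + A(t) is assumed."""
    return max(q - mu, 0) + arrivals


@dataclass
class Result:
    final_queue: int    # Q(T) in bytes
    max_queue: int      # largest backlog seen
    alarms: int         # number of (node, slot) pairs decided D1
    dropped_bytes: int  # bytes rejected by the IDS


def simulate(pa: float, with_ids: bool, seed: int = 1) -> Result:
    """Run T slots.  The N legitimate nodes send Poisson(LEGIT_RATE) SYNs each;
    the single attacker floods with Poisson(ATTACK_RATE) SYNs in a slot with
    probability pa.  With the IDS, any node whose count exceeds THRE is decided
    D1, and only its first THRE requests reach the queue in that slot."""
    rng = random.Random(seed)
    q = max_q = alarms = dropped = 0
    for _ in range(T):
        counts = [poisson(rng, LEGIT_RATE) for _ in range(N)]
        counts.append(poisson(rng, ATTACK_RATE) if rng.random() < pa else 0)
        admitted = 0
        for req in counts:
            if with_ids and req > THRE:   # decision rule: Req > Thre -> D1
                alarms += 1
                dropped += (req - THRE) * PKT_BYTES
                req = THRE
            admitted += req * PKT_BYTES
        q = queue_step(q, admitted)
        max_q = max(max_q, q)
    return Result(q, max_q, alarms, dropped)


def sweep() -> dict:
    """Final backlog (bytes) for each Pa, without and with the IDS."""
    return {pa: (simulate(pa, False).final_queue, simulate(pa, True).final_queue)
            for pa in PA_VALUES}


if __name__ == "__main__":
    for pa, (without, with_) in sweep().items():
        print(f"Pa={pa:.1f}: backlog without IDS={without:>9} B, with IDS={with_:>7} B")
```

Without the IDS the offered load exceeds μ as soon as Pa > 0 in this model, so Q(T) grows roughly linearly in Pa, as the paragraph reports for Fig. 5; with the IDS the attacker contributes at most Thre packets per slot, the load stays below μ and the backlog remains a bounded random walk. Legitimate nodes still trip the rule occasionally (a Poisson(0.9) count exceeds 3 in about 1.3% of slots), which is the false-alarm cost that the threshold and β trade against missed detections.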
However, when we apply an IDS in front of the server queue, the queue size clearly decreases. This is due to the comparison of the number of requests against the threshold value. If the number of requests exceeds the threshold defined by the network administrator, all further request packets from that node are handled as attack messages and rejected. Fig. 6 shows the effect of the attack probability on the queue length with the IDS deployed. As expected, placing an IDS to cover attacks of different probabilities minimizes server congestion as far as possible and thus reduces network overload.

Conclusion
In this paper, we proposed an anomaly-based IDS for medical IoT networks. Indeed, the open environment of the Internet of Medical Things (IoMT) can be a primary target for various attacks. The proposed approach identifies suspicious network traffic and anomalies against IoT networks based on network parameters, which allows us to check whether the medical IoT network is under TCP SYN attack or not. Empirical results obtained with the proposed IDS solution appear to provide a reasonable means of predicting the probability of attacks on medical IoT networks. The proposed IDS has been evaluated analytically and via Matlab simulations. The results obtained show a valuable contribution to the IoT architecture. In our plan for future work, more kinds of attacks will be considered, and we plan to implement the proposed architecture in a real-world IoT environment. This will be achieved by porting the IDS to ContikiOS devices and studying several other factors affecting the detection process.