Lack of central control, scarce resources, limited bandwidth, a shared wireless medium, node mobility and scalability requirements make IoT more prone to attack (Aldaej, 2019). An Intrusion Detection System (IDS) is one technology that can be used as a security defence mechanism. An IDS differs from a firewall or authentication, which block unknown threats from disturbing the network: an IDS monitors for intrusions that get past those controls rather than blocking them up front.
Intrusion Detection Systems can be grouped into three categories: signature-based, specification-based and anomaly-based. A signature-based IDS must first hold information about an attack (its signature) before it can detect that attack on the network. The flaw of this type is that, if an unknown attack intrudes, the system has no procedure to defend against it. A specification-based IDS, on the other hand, works by specifying constraints for the operation of the system and its protocols and flagging behaviour that violates them. In the last category, anomaly-based IDS, an anomaly is detected when the system behaves in an unusual manner relative to its normal profile (Aldaej, 2019).
There are three types of IDS architecture for IoT: hierarchical, stand-alone and co-operative. In the hierarchical architecture the network is divided into clusters, and within each cluster a particular node is chosen to take on the role and responsibility of detecting malicious nodes.
In the stand-alone architecture, each node takes its own responsibility for making sure it is secure from malicious attack; the nodes do not join forces with each other. In the co-operative architecture, each node likewise runs its own IDS, but the nodes share their observations and cooperatively decide whether a given node is malicious or not (Aldaej, 2019).
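To make the three detection categories concrete, the following is an added example (not code from Aldaej, 2019 or from the Flexible IDS it builds on). It runs a minimal signature-based, specification-based and anomaly-based detector over a few constructed IoT flow records; the `Flow` record layout, the signature list, the per-protocol packet-rate limits, the z-score threshold and all sample records are assumptions made for the illustration. The point it shows is the flaw noted above: the signature detector catches only the attack it already knows, while the specification and anomaly detectors catch the unknown flood.

```python
"""Illustrative signature-, specification- and anomaly-based detectors.

Added example (not code from Aldaej, 2019). It runs the three IDS categories
over a few constructed IoT flow records to show what each one can and cannot
catch. All thresholds, signatures and records are assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str            # node ID (constructed)
    proto: str          # constructed protocol label, e.g. "CoAP"
    payload: bytes      # first bytes of payload (constructed)
    pkts_per_sec: float


# Constructed sample records: a benign baseline, one attack that matches a
# known signature, and one "unknown" flood that no signature describes.
BASELINE = [Flow("n1", "CoAP", b"GET /temp", 5.0),
            Flow("n2", "CoAP", b"GET /humid", 6.0),
            Flow("n3", "MQTT", b"PUB sensors/1", 4.0)]
KNOWN_ATTACK = Flow("n4", "CoAP", b"EVIL-PROBE-v1", 7.0)
UNKNOWN_FLOOD = Flow("n5", "CoAP", b"GET /temp", 900.0)

# Signature-based: the pattern must be known before the attack is seen.
SIGNATURES = [b"EVIL-PROBE-v1"]          # assumed signature list


def signature_detect(flow: Flow) -> bool:
    return any(sig in flow.payload for sig in SIGNATURES)


# Specification-based: constraints on protocol operation (assumed limits).
PROTO_LIMITS = {"CoAP": 50.0, "MQTT": 20.0}   # max packets/sec the spec allows


def specification_detect(flow: Flow) -> bool:
    limit = PROTO_LIMITS.get(flow.proto)
    # an unspecified protocol, or a rate above its limit, violates the spec
    return limit is None or flow.pkts_per_sec > limit


# Anomaly-based: deviation from the learned baseline (z-score on the rate).
def anomaly_detect(flow: Flow, baseline=BASELINE, z: float = 3.0) -> bool:
    rates = [f.pkts_per_sec for f in baseline]
    mu, sigma = mean(rates), pstdev(rates) or 1.0
    return abs(flow.pkts_per_sec - mu) / sigma > z


def classify(flow: Flow, baseline=BASELINE) -> dict:
    """Return the verdict of each of the three detector types for one flow."""
    return {"signature": signature_detect(flow),
            "specification": specification_detect(flow),
            "anomaly": anomaly_detect(flow, baseline)}


if __name__ == "__main__":
    for f in (BASELINE[0], KNOWN_ATTACK, UNKNOWN_FLOOD):
        print(f.src, classify(f))
```

With the constructed baseline (rates 5, 6 and 4 packets/s), the known probe at 7 packets/s is caught only by its signature, the 900 packets/s flood is caught only by the specification and anomaly detectors, and the benign flow is clean under all three.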
An IDS works, for example, by monitoring network activity and taking pertinent action if required. Most IDS architectures are designed for wired networks (Aldaej, 2019). Applying such an IDS directly is therefore neither efficient nor suitable for IoT devices, whose medium of communication is a wireless network, and it is also costly in financial terms (Aldaej, 2019).
This research focuses on the anomaly-based type of IDS (Aldaej, 2019). The proposed solution aims to provide an iterative and adaptive security system that can adapt whenever there is an update (Aldaej, 2019). It concentrates on how to prevent DDoS attacks, which degrade the network's service and accessibility performance (Aldaej, 2019). The proposed solution was developed after analysing and investigating the bandwidth attacks caused by DDoS attacks (Aldaej, 2019).
The proposed solution uses an existing IDS, the Flexible Intrusion Detection System for IoT, which applies analysis of forensic log data and adequate report generation. Its IDS functionalities are then enhanced by adding a new preventive procedure against DDoS attacks (Aldaej, 2019). A set R that maintains the list of detected malicious nodes together with their attack descriptions is used to generate an Active Profile Database (APD) after analysing the behaviour of the malicious nodes. The APD provides the statistical characteristics of the nodes, making it easy to obtain the crucial information needed to prevent further attacks. A blacklist table is introduced in this solution; it holds the list of nodes ordered by their malicious magnitude. The preventive threshold is set as an integer representing the highest malicious magnitude value tolerated before a node is blacklisted (Aldaej, 2019).
R denotes the set of nodes diagnosed as malicious, each distinguished by its own node ID. N denotes the number of nodes in the network, and M denotes the malicious magnitude status number for each node, maintained by the APD. For example, if a node with ID i is diagnosed as malicious, M_i in the APD is incremented; otherwise it stays the same. If M_i exceeds the preventive threshold, node i is added as a new entry in the blacklist table, denoted B. The proposed preventive module then provides an alternative to the reactive module in order to maintain network performance and security defence. A blacklisted node, which has the highest probability of being malicious, has its functionalities reduced by the system's responsive scheme. Such a node is categorised as untrustworthy and isolated from any activity in the network. In the worst case, the node is deemed incompetent and is requested to be cut off from the network entirely. The aim of the IDS architecture is to improve, or at least sustain, the network even during an attack (Aldaej, 2019).
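The following is an added example, not Aldaej's code, that implements the preventive module as the two paragraphs above describe it: R holds the attack descriptions per diagnosed node, M_i counts each node's malicious magnitude, a node whose M_i exceeds the preventive threshold is moved into the blacklist B (kept in descending order of magnitude), and a responsive scheme reduces, isolates or cuts off blacklisted nodes. The threshold value (2), the two extra grading levels used to separate "reduce", "isolate" and "cut-off", and the diagnosis stream are assumptions for the illustration; the paper gives no concrete values for them.

```python
"""Illustrative Active Profile Database (APD) and blacklist logic.

Added example (not Aldaej's code). It implements the preventive module as the
text describes it: per-node malicious magnitude M_i, a preventive threshold,
the blacklist B ordered by magnitude, and a graded responsive scheme. The
threshold value, the grading levels and the diagnosis stream are assumptions.
"""
from collections import Counter, OrderedDict
from dataclasses import dataclass, field


@dataclass
class Diagnosis:
    node_id: str
    description: str   # attack description recorded in R


@dataclass
class APD:
    threshold: int                       # preventive threshold (assumed value)
    cutoff_multiple: int = 3             # assumed: M_i >= 3*threshold => cut off
    R: dict = field(default_factory=dict)         # node ID -> attack descriptions
    M: Counter = field(default_factory=Counter)   # node ID -> malicious magnitude
    B: "OrderedDict[str, int]" = field(default_factory=OrderedDict)  # blacklist

    def record(self, d: Diagnosis) -> None:
        """A node diagnosed as malicious gets M_i incremented; others unchanged."""
        self.R.setdefault(d.node_id, []).append(d.description)
        self.M[d.node_id] += 1
        if self.M[d.node_id] > self.threshold:
            self.B[d.node_id] = self.M[d.node_id]
            # keep the blacklist table ordered by descending malicious magnitude
            self.B = OrderedDict(sorted(self.B.items(), key=lambda kv: -kv[1]))

    def response(self, node_id: str) -> str:
        """Responsive scheme: reduce, isolate or cut off, graded by magnitude."""
        if node_id not in self.B:
            return "allow"
        m = self.B[node_id]
        if m >= self.cutoff_multiple * self.threshold:
            return "cut-off"      # worst case: removed from the network entirely
        if m > self.threshold + 1:
            return "isolate"      # untrustworthy: excluded from network activity
        return "reduce"           # functionality reduced

    def statistics(self, n_nodes: int) -> dict:
        """APD statistical view over the N nodes: how many are flagged/blacklisted."""
        return {"N": n_nodes,
                "flagged": len(self.M),
                "blacklisted": len(self.B),
                "blacklist_ratio": len(self.B) / n_nodes if n_nodes else 0.0}


def replay(diagnoses, threshold: int = 2) -> APD:
    """Feed a stream of diagnoses (e.g. from an anomaly detector) into a fresh APD."""
    apd = APD(threshold=threshold)
    for d in diagnoses:
        apd.record(d)
    return apd


# Constructed diagnosis stream: n7 flagged 3 times, n2 once, n9 seven times.
SAMPLE = ([Diagnosis("n7", "SYN flood")] * 3
          + [Diagnosis("n2", "probe")]
          + [Diagnosis("n9", "UDP flood")] * 7)


if __name__ == "__main__":
    apd = replay(SAMPLE)
    print("B =", list(apd.B.items()))
    for node in ("n2", "n7", "n9"):
        print(node, apd.response(node))
    print(apd.statistics(n_nodes=10))
```

With threshold 2, node n2 (M = 1) stays off the blacklist and is allowed, n7 (M = 3) is blacklisted and has its functionality reduced, and n9 (M = 7) reaches the assumed cut-off level and is removed from the network; the blacklist lists n9 before n7 because it is ordered by magnitude.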