<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>A. Grjibovski. Data types, control of distribution and descriptive statistics. Human ecology. Publisher:
Northern State Medical University (Arkhangelsk).</journal-title>
      </journal-title-group>
      <issn pub-type="ppub">1728-0869</issn>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>Host-based Method and System for Detecting Anomalies in Network Traffic for a Robotic System</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Elena Basan</string-name>
          <email>ebasan@sfedu.ru</email>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Maria Lapina</string-name>
          <email>mlapina@ncfu.ru</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Dmitry Orel</string-name>
          <email>kde.def@gmail.com</email>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Dept. of Information Security of Automated Systems, North Caucasus Federal University</institution>
          ,
          <addr-line>Stavropol</addr-line>
          ,
          <country country="RU">Russia</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Dept. of Information Security, Southern Federal University</institution>
          ,
          <addr-line>Taganrog</addr-line>
          ,
          <country country="RU">Russia</country>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>Dept. Information Security Organizations and Technologies, North Caucasus Federal University</institution>
          ,
          <addr-line>Stavropol</addr-line>
          ,
          <country country="RU">Russia</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2019</year>
      </pub-date>
      <volume>875</volume>
      <fpage>1</fpage>
      <lpage>19</lpage>
      <abstract>
        <p>This study is devoted to the problem of detecting anomalous behavior of nodes of a robotic system based on network traffic analysis. This article addresses the issue of analyzing changes in the level of network traffic passing through a network node in order to detect denial of service attacks and a black hole attack. To solve this problem, the authors propose to use probabilistic and statistical methods, as well as methods of information theory. The robot wireless network model was developed to collect statistics.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Introduction</title>
      <p>stored on foreign servers, event and voice recognition systems, as well as other services are located there. At the
same time, the company Positive Technologies announced the following: this year, analysts call the development
of IoT, the Internet of Things, one of the main problems. Experts of Positive Technologies compiled a top 5 of
the Internet-connected devices most dangerous for the user. First of all, this is the heart of the entire
home network - a Wi-Fi or 3G-4G router. Experts find up to 10 vulnerabilities every month in these devices.
To date, a large number of publications are devoted to the analysis of threats and vulnerabilities of
"Smart Home" systems. In the majority of works by Russian and foreign authors, the following main
security problems associated with Smart Home systems are highlighted: hacker attacks on the central server;
interception of information transmitted via wired and wireless communication channels; access by an attacker
with administrative rights to a central server by stealing passwords and other access control details; access to
the network by unauthorized users, etc. Every year there are more and more cases of hacking of Smart Home
systems, and often the attacker does not need special means to penetrate the system or to get data from
the servers [Bas17]. Such a formulation of the problem poses the task of developing fundamentally new methods
and means of protecting information systems. Thus, the second problem can be formulated as the development
of means to ensure the security of Smart Home systems, based on independently obtained fundamental
methods, taking into account domestic software and hardware developments [She14].</p>
      <p>This study provides a new method for detecting anomalies in the behavior of nodes without using a signature
database, a rule base or a template for normal node behavior. Anomalies are detected by
analyzing changes in the fixed parameters of the node with respect to the current behavior of other nodes in
the network. This method reduces the cost of creating and storing databases of signatures or rules, and
removes the need to build such databases in order to fix new attacks. In addition, this
method is not tied to a specific architecture and network structure of the system; its implementation does not
depend on specific protocols and data structures, and it can be adapted for any system.</p>
    </sec>
    <sec id="sec-2">
      <title>Methods for construction of robotic systems</title>
      <p>All methods for constructing stationary robotic systems can be combined into two groups:
1. With one main node (single-hop) - the transmitter power is sufficient for transmitting the
signal to the base station.</p>
      <p>2. With several main nodes (multi-hop) - some nodes not only collect information about the observed process,
but also collect information from other nodes [Par09].</p>
      <p>Each stationary robotic system has a specific set of parameters, such as:
number of network nodes;
data transmission rate over communication channels - the parameter is determined by the channel bit rate.
As a rule, the wireless sensor network consists of the same devices, so for all communication channels the bit
rate will be the same [Sigh15];
network topology - determined by the presence or absence of a radio channel between any two nodes;
node placement density - the average number of neighbors located close to the node;
network diameter - the minimum number of retransmissions for data transmission between the two most
distant network nodes;</p>
      <p>delay in the network - the time from the moment of the occurrence of the event to the moment the information
about it appears at the base station;
network operation time - network operation without recharging and without changing batteries;
bandwidth - characterized by the amount of information per unit of time.</p>
      <p>As a rule, robotic systems are based on the principles of a special network in which each of the nodes (some
or all nodes) can be a source or receiver of messages and a transit node. In this case, the network is determined by
the operation of node selection protocols and routing protocols. Routing in such a network requires a significant
investment of resources for transmission of service traffic; the sum of these costs depends on the nature of
the traffic, and the stability of the network structure depends on the characteristics of the traffic. The quality of
wireless connections between nodes is strongly influenced by the number of transit hops in the routes
[Mill13]. In mobile networks, nodes can move, and the routing task is more complex. One of the ways to
implement mobile networks is to use small mobile robots to transfer sensitive elements to the detection zone. If
the algorithm that controls the movement of robots is based on the swarm approach, the system constitutes a robot swarm.
In a typical swarm of robots, only communication between the robots is implemented to ensure the behavior
of the swarm. Group communication between mobile robots thus requires protocols that can operate without
central control and handle dynamic topology changes due to the mobility of mobile robots. Multicast is the
most important group communication primitive and is critical in applications that require close collaboration
between groups (for example, rescue teams, search groups). This is very useful when audio, video, images and
other similar data should be passed on to team members. Multicast provides an effective means of sending the
same data to multiple recipients. Compared to multiple unicast streams, multicast minimizes channel bandwidth
consumption, sender and router processing, and delivery delay. The use of multicast as a group communication
primitive in networks of mobile robots can be provided in the following three scenarios: first, multicast messages
on networks of mobile robots can be transmitted from one mobile robot to a set of other mobile robots. These
nodes can be organized into a multicast group to periodically notify each other about their positions and act as
landmarks and navigation signs for other robots that do not know their positions [Vilch18].</p>
      <p>To implement messaging between robots, the Multicast Routing Monitor (MRM) Protocol was chosen
[Wei99]. As a rule, the work of a group of robots is divided into several main stages: the collection of
environmental data, the sending of the collected data to neighboring devices or the base station, and the receipt of
commands from the base station. To simulate the sending of messages as part of these tasks, the TCP transport
layer protocol was chosen. It transfers a data stream over a pre-established connection, re-requests
data in case of data loss and eliminates duplication when two copies of one packet are received, thereby ensuring the
integrity of the transmitted data and notifying the sender about the results of the transfer. A limited number
of nodes were chosen for more accurate modeling and tracking of traffic [Pshikh11]. A base station has been
created and nodes have the ability to group together, exchanging packets, and once they have completed their
tasks, they will again be grouped.</p>
    </sec>
    <sec id="sec-3">
      <title>Intrusion Detection System Architecture for a Robotic System</title>
      <p>The developed anomaly detection system has a modular structure. Each module performs its functions and
communicates with other modules of the system. The basic idea underlying the operation of this system is as
follows:</p>
      <p>1. The robotic system operates according to the established algorithms and robots perform similar sets of
actions. The work of the robot looks static. If robots exchange traffic with the control station or with each
other, then this usually occurs within the framework of the request-response form. Thus, the traffic transmitted
between network nodes also looks static and lends itself to the normal distribution law. That is, the total amount
of traffic is gradually increasing over time [Bas18].</p>
      <p>2. If we are talking about the detection of anomalies caused by an active attack, then the consequences of the
impact should affect the operation of the network. In particular, the pattern or algorithm of traffic transmission
should change significantly and will differ from the situation when the node worked without an attack. First of
all, an active network attack affects integrity and availability. If we are talking about the violation of availability,
then it may be sufficient to conduct a statistical analysis of the transmitted traffic. Violation of integrity may
affect the accuracy of the functions performed and the measurements taken. In addition to network traffic, other
parameters that are affected by the attack can be analyzed, but this study is limited to analyzing network traffic.</p>
      <p>Figure 1 shows the modular architecture of the anomaly detection system. The figure shows that four values
arrive at the input of the data acquisition module for further analysis. These values are collected on the node
itself in real time. The idea of detecting anomalies at the host level is that the robot analyzes itself over the past
periods of time.</p>
      <p>Next, we consider the features of each module.</p>
      <p>1. Data acquisition module. One of the results of the developed method of analyzing the effectiveness of an
active network attack on a system of mobile robots is a set of system parameters that are affected by
the attack. The information collection module therefore collects statistical information at the current time and
then, using the methods of mathematical statistics, performs primary information processing. That is, a
set of information on the change of fixed parameters will be presented in the form of metrics that will allow us
to further assess the presence of signs of abnormal activity. The information collected is divided into four large
categories: parameters related to network traffic analysis; parameters associated with a change in the power plan
of the device; parameters associated with changes in system characteristics, reflecting the load on the processor
and the device's RAM. Each of the parameters is influenced by certain sets of attributes, and then the attributes
themselves are analyzed and formalized.</p>
      <p>2. Abnormality detection module. This module receives data from the module for collecting and processing
information and detects the presence of abnormal activity. The module is based on a developed method for
detecting anomalies, which makes it possible to detect an attacker without building a pattern of normal behavior and
creating a database of signatures [Fag14]. The use of the method is possible due to the presence of a group
of nodes that perform approximately the same functions: they fix parameters and transfer information to the
central node. Network nodes, as a rule, act according to a predefined scenario and their actions should not go
beyond the scope of the intended behavior. Depending on how strongly and which parameter deviated, it is
possible to determine the probability of how malicious the node is and what kind of attack it conducts. This
is possible due to the use of probabilistic methods, in particular, the construction of confidence intervals for
the distribution function and the estimation of the probability of a parameter falling into a confidence interval.
These calculations are made solely on the basis of those indicators that are obtained from the nodes - sensors
and intelligent nodes - for the past and current time interval, and there is no need to create a reference behavior
pattern. Nodes themselves determine which of them behaves differently than others.</p>
      <p>3. Intrusion detection module in the robotic system. After the information obtained has been normalized
and processed in the previous two stages, it can be concluded which attack is carried out, to reveal its intensity
and to determine the object of impact. The identification of system-specific attack criteria is an important task,
since they will differ significantly from the standard sets of criteria of classical information systems. This is
primarily connected with non-standard traffic patterns, protocols and standards. In addition, many attacks by
an attacker can be associated with the exhaustion of resources of network nodes, thus cyber-parameters should
be taken into account when an attack is detected. The attack and intrusion detection module, in
turn, will be divided into two subsystems: the subsystem for analyzing changes in the node's own parameters, and the
subsystem for analyzing attacks and intrusions in the network. In other words, the creation of a system for detecting
attacks and intrusions at the node level and not at the network level is implied. To implement the attack
detection subsystem at the node level, information theory methods will be used, in particular, the
Kullback-Leibler divergence measurements. Measuring this distance makes it clear how much the current distribution
differs from the previously obtained one. Thus, a node can build a normal distribution of the change in its parameters,
compare the deviation from the previous one over time (or from that obtained in laboratory conditions), and
draw a conclusion about whether there is an influence on one or several analyzed parameters and, depending on
the degree of deviation, about the intensity of exposure.</p>
      <p>4. Alerting module. This module allows you to notify both the node itself and other nodes about the presence
of an attack. In addition, if we are talking about a system of detection of intrusions at the host level, it is
necessary to provide for the adoption of measures to block or limit the operation of the node.</p>
      <p>Thus, a node can analyze both its own behavior and the behavior of other network nodes. At the same
time, the same metrics will be analyzed; they will be processed in a similar way. The only difference is that when
analyzing its own behavior, the node uses the data that it collected itself, and when analyzing the behavior
of its neighbors, it uses the data that it received via the wireless channel.</p>
    </sec>
    <sec id="sec-4">
      <title>Host-Based Anomaly Detection Module</title>
      <p>This study takes into account only the network traffic metric. That is, the search for anomalies will be carried out in
network traffic. In early studies, the network node load factor was analyzed as an integer value. In this study, we
propose to divide network traffic into sent, forwarded, received, and dropped packets. When the network load
of the entire node is estimated, it is not fully understood what caused the change in this indicator.
For example, if an attacker conducts a denial of service attack, then the number of packets that it sends out far
exceeds the normal state. At the same time, the victim of the attack receives more requests and the traffic of
the victim also increases. If you analyze the entire traffic or the network load of the node, you can conclude that
the anomaly is present, but both the victim and the attacker may be disqualified from the job, and the source of the
attack may not be detected.</p>
      <sec id="sec-4-1">
        <title>Definition of the format of the analyzed data</title>
        <p>To collect statistical information, software was developed that includes the following components:
network sniffer - the tcpdump program, since it is a powerful tool for intercepting traffic, with a
lot of conveniently configured filters and a console interface;</p>
        <p>programming language - Python, as it is supported by default by operating systems of the Unix family and is
interpreted, which eliminates hardware dependency, unlike compiled languages.</p>
        <p>The program fulfills the following functional requirements:
call the tcpdump network sniffer from the main thread to intercept traffic on the node and then save the
result to a file with the pcap extension;</p>
        <p>analyze the resulting file, highlighting the information that will generate statistical data for further calculation
of the main indicators of the network;</p>
        <p>calculate the network performance indicators and compare them with the permissible values obtained in the
study of a normally functioning network;</p>
        <p>in case of deviation of the obtained values of the indicators from the permissible values, notify the user about
the abnormal behavior of the node and about the type of possible attack;</p>
        <p>save to a text file all the collected statistical information and calculated values of the indicators for the
subsequent analysis of the incident by the user.</p>
        <p>The collected values must be processed. We assume that the number of packets passing through the node is
a continuous random variable. This parameter is measured at the current time interval, and is summarized at all
intervals, so we have a value that grows evenly throughout the entire time interval. The statistical
data were analyzed to determine what type of distribution they correspond to. To do this, quantile-quantile
diagrams were constructed. This diagram estimates the change in the number of packets received by the node.
Such diagrams were built for each type of packet. It can be seen from the diagram that the statistics obtained
are distributed uniformly near a straight line [Grjib08]. The idea is that if the values are distributed around a
straight line, then the collected data correspond to the normal distribution.</p>
        <p>Next, you need to calculate the values of the normal distribution. The difficulty lies in the fact that the
distribution needs to be calculated continuously and to evaluate possible changes. To estimate the degree of
difference between distributions, the use of Kullback-Leibler divergence is proposed. Divergence is a measure of
the difference between two distributions and is used in information theory.</p>
        <p>In order to build a normal distribution, it is necessary to build up an initial data set. The more random
variables the normal distribution is constructed from, the more accurate it will be. For a small number of random variables,
the normal distribution takes the form of a straight line. Experimentally, it was revealed that the minimum
number of random variables needed to build a normal distribution is 6. Further, after the first normal distribution
is constructed, it is necessary to compare it with subsequent distributions. It is proposed to use the concept of a
sliding window. When new measurements are received, after a certain period a new distribution is built. This takes
into account the four previous values and two new ones. Thus, the sliding window is equal to two time intervals.
It is assumed that the value of received / sent / received / discarded packets is fixed for a certain period of time;
you can record values every second or less often, depending on the network requirements.</p>
        <p>Next, a technique for detecting anomalies in a robotic system based on statistical analysis of
network traffic is presented.</p>
        <p>Method for detecting anomalous activity based on statistical analysis of network traffic</p>
        <p>1. At the first stage, it is necessary to construct a normal distribution of a random variable. To build a normal
distribution, we define the conditions associated with the minimum necessary number of random variables to
build up the distribution, as well as the size of the sliding window, in order to preserve the condition for dynamic
construction of normal distribution.</p>
        <p>$$(s, r, f, d) &gt; m, \qquad \Delta t = i \tag{1}$$</p>
        <p>where s - the sent packets, r - the received packets, f - the packets that were forwarded
through the node, d - the packets that were dropped by the node, m - the threshold value that
determines the minimum required number of random values of these parameters to build a normal distribution;
$\Delta t$ - the value of the time window parameter; i - the number of time intervals that will be taken into
account when building each new distribution.</p>
        <p>To date, the principle of determining the threshold values of m and has not been developed. In this study,
it was established that the minimum number of random variables is advisable to take equal to six, that is, each
normal distribution will be based on six values. The value of the sliding window is chosen to be two, that is, when
each new normal distribution is constructed, four values of a random variable obtained at previous intervals and
two values obtained at the last intervals will be used. This way of constructing the normal distribution is due to the
following. The normal distribution smoothes the change in the random variable, and the time of the beginning of
the attack may not be fixed if the distribution is rebuilt every time interval. If the scatter of values is significant,
then the attack will be fixed due to the fact that the standard deviation will increase dramatically and it may
even exceed the value of the expectation. Therefore, the minimum size of a sliding window for six values is
proposed to be equal to two.</p>
        <p>2. After the initial conditions are determined, a normal distribution is constructed.</p>
        <p>2.1 To build the distribution after data collection, it is necessary to calculate the mathematical expectation
and standard deviation, as shown in formulas 2,3.</p>
        <p>$$M(s) = \int_{t+i}^{t\;m} s f(s)\,ds; \qquad M(r) = \int_{t+i}^{t\;m} r f(r)\,dr; \tag{2}$$</p>
        <p>$$D(s) = \int_{t+1}^{t\;m} [s - M(s)]^2 f(s)\,ds; \qquad D(r) = \int_{t+1}^{t\;m} [r - M(r)]^2 f(r)\,dr; \tag{3}$$</p>
        <p>$$\sigma(s) = \sqrt{D(s)}; \qquad \sigma(r) = \sqrt{D(r)}. \tag{4}$$</p>
        <p>where M(s), M(r) - the mathematical expectation for sent and received packets; it is also calculated in a
similar way for forwarded and received packets; D(s), D(r) - the variance of the random variable for the
received and sent packets, also calculated for all types of packets; $\sigma(s)$, $\sigma(r)$ - the standard deviation
for the same parameters.</p>
        <p>2.2 Next, the normal distribution is constructed. First, the distribution for the first six intervals is constructed, then the four past intervals
and the last two are taken; the formula for the calculation is presented below:</p>
        <p>$$f(s) = \frac{1}{\sigma_s \sqrt{2\pi}}\, e^{-\frac{(s - M_s)^2}{2\sigma_s^2}}; \qquad f(r) = \frac{1}{\sigma_r \sqrt{2\pi}}\, e^{-\frac{(r - M_r)^2}{2\sigma_r^2}}; \tag{5}$$</p>
        <p>where f(s), f(r) - the normal distribution function of a random variable (in this case, the number of sent and
received packets) at specified time intervals.</p>
        <p>The result of the construction of the normal distribution is shown in Figure 2. This figure specifically shows
the normal distributions for the parameter sent packets for the normal network node, which worked under
normal conditions and was not affected either by the attacker or by any other external influence. These results of
constructing a normal distribution were obtained during the simulation of the network operation of 120 seconds,
while the time range was divided into intervals of 10 seconds. In particular, the distribution highlighted in blue
was obtained in the range from 0-50 seconds; the distribution highlighted in red from 20-80 seconds; the distribution
highlighted in green in the interval from 40-100 seconds; and the last, violet, distribution
from 60-120 seconds.</p>
        <p>From figure 3 it can be seen that the distributions practically overlap each other and there is no difference
between them. At all time intervals, the probability values coincide. So the node behaved the same on all time
intervals. However, this information does not provide a complete picture that would allow an assessment of the
presence of abnormal behavior. As a rule, a confidence interval is used to detect deviations from the normal
distribution. But in the case of anomalies, this method gives false positives. Therefore, in this paper we will use
another mathematical method.</p>
        <p>
          3. Calculation of Kullback-Leibler divergence for analyzing the degree of differences between probability
distributions. The idea of using this divergence is to compare how much the distribution just received has
changed from the previous one. Kullback-Leibler divergence is used in information theory as a measure of the
distance between two probability distributions [
          <xref ref-type="bibr" rid="ref3">14</xref>
          ] defined on a common space of elementary events.
With this measure, you can find out how much the behavior of the node has changed over the current period
of time. Peak mismatches will certainly occur. We assume that the attack is signaled when peak
mismatches occur on more than three time intervals in a row. That is, the Kullback-Leibler
divergence is calculated:
        </p>
        <p>$$D_{KL}(f_n(s) \mid f_{n-1}(s)) = \int f_n(s) \ln \frac{f_n(s)}{f_{n-1}(s)}\,ds; \tag{6}$$</p>
        <p>$$D_{KL}(f_n(r) \mid f_{n-1}(r)) = \int f_n(r) \ln \frac{f_n(r)}{f_{n-1}(r)}\,dr; \tag{7}$$</p>
        <p>where $D_{KL}$ - the value of the Kullback-Leibler divergence obtained by estimating the difference between the normal
distribution obtained in the last 6 time intervals, $f_n(s)$, and the distribution that was obtained during the
previous intervals, $f_{n-1}(s)$; the same calculations are made for each type of packet, including for received packets,
as shown in formula 7.</p>
        <p>That is, starting from Figure 3, the difference is computed between the blue and red distributions,
between red and green, and between green and purple.</p>
        <p>The resulting histogram confirms that the discrepancy between the distributions tends to zero, as can be
seen from Figure 3. Figure 3 shows the results of the Kullback-Leibler divergence calculation. Therefore, we assume
that if the resulting divergence value can be rounded to zero, then the attack is not carried out. Further, in order
to determine the boundaries of the divergence, denial-of-service attacks were conducted with varying degrees of
intensity, and the Black-Hole attack was also carried out.</p>
        <p>4. The next step is to define the boundaries of the values that will signal an attack. For each site on which
the normal distribution is built,
certain limits of confidence intervals are characteristic; accordingly, the greater the deviation of the obtained
value from the confidence interval, the greater the likelihood of an attack. In a normal situation, the divergence
should go to zero, but deviations in the network are still possible; therefore, the limit value that corresponds
to the nominal value is 0.2. The maximum deviation in behavior that can be fixed, based on the fact that the
value of the normal distribution varies from 0 to 1, is equal to 4.6. A deviation
greater than 0.15 already indicates a significant difference in the received distributions and may become the first
sign of an attack. When the value of divergence tends to a value from 0.5-1, this already indicates a significant
change in the type of normal distribution. Of course, single deviations can be observed; an important condition
is the presence of at least three consecutive intervals with similar deviations. Thus we define the conditions for
fixing the attack.</p>
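        <p>$$\begin{cases} f(s)_{(\Delta t-1)},\ f(s)_{\Delta t},\ f(s)_{(\Delta t+1)} &gt; 0.2; \\ f(r)_{(\Delta t-1)},\ f(r)_{\Delta t},\ f(r)_{(\Delta t+1)} &gt; 0.01; \\ f(f)_{(\Delta t-1)},\ f(f)_{\Delta t},\ f(f)_{(\Delta t+1)} &gt; 0.01. \end{cases} \tag{8}$$</p>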
        <p>At the same time indicators for the remaining packages may not change. The main thing is to increase the
number of sent packets. The situation is more complicated with the victim node. When modeling
denial-ofservice attacks with varying degrees of intensity, the victim node experienced signi cant changes in metrics,
received packets, as well as redirected packets. The growth of redirected packets can be observed when a denial
of service attack is directed not at one node but against a group of nodes, and a side e ect is the need to redirect
nodes to a large number of packets. We de ne the conditions that allow us to determine the node-victim.
&lt;8f (s)( t 1); f (s) t; f (s)( t+1) 6 0; 2;</p>
        <p>f (r)( t 1); f (r) t; f (r)( t+1) &gt; 0; 2;
:f (f )( t 1); f (f ) t; f (f )( t+1) &gt; 0; 2:
(8)
(9)
4.2.1</p>
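        <p>Conditions (8) and (9) can be evaluated on a node as in the following added example, which is not code from the paper. It assumes that f is the Kullback-Leibler divergence of each interval from a first, attack-free interval, computed with the closed-form expression for two univariate normal distributions; the function names and packet counts are constructed for illustration.</p>
        <preformatted><![CDATA[
```python
import math
from statistics import mean, pstdev

def kl_normal(cur, ref, min_sigma=1e-3):
    """KL(N_cur || N_ref) for normal distributions fitted to two samples."""
    m0, s0 = mean(cur), max(pstdev(cur), min_sigma)  # floor avoids sigma = 0
    m1, s1 = mean(ref), max(pstdev(ref), min_sigma)
    return math.log(s1 / s0) + (s0 ** 2 + (m0 - m1) ** 2) / (2 * s1 ** 2) - 0.5

def divergence_series(intervals):
    """Divergence of each interval from the first one (assumed attack-free)."""
    ref = intervals[0]
    return [kl_normal(cur, ref) for cur in intervals[1:]]

def all_above(values, limit):
    return all(v > limit for v in values)

def classify(sent, received, forwarded):
    """Test conditions (8) and (9) on every run of three consecutive intervals.

    Returns (verdict, index of the first interval of the matching run)."""
    fs, fr, ff = (divergence_series(x) for x in (sent, received, forwarded))
    for i in range(len(fs) - 2):
        s, r, f = fs[i:i + 3], fr[i:i + 3], ff[i:i + 3]
        if all_above(s, 0.2) and all_above(r, 0.01) and all_above(f, 0.01):
            return "attacker", i + 1        # condition (8)
        if all(v <= 0.2 for v in s) and all_above(r, 0.2) and all_above(f, 0.2):
            return "victim", i + 1          # condition (9)
    return "normal", None

# Constructed packets-per-second samples, four per interval (not measured data).
A = [10, 12, 10, 12]   # baseline: divergence 0 against itself
B = [11, 13, 11, 13]   # mean shifted by one packet: divergence 0.5
C = [10, 12, 11, 11]   # slightly narrower spread: divergence about 0.097

def demo():
    attacker = classify([A, A, B, B, B], [A, A, C, C, C], [A, A, C, C, C])
    victim = classify([A, C, C, C], [A, B, B, B], [A, B, B, B])
    # One deviating interval is not enough: three in a row are required.
    single = classify([A, A, B, A, A], [A, C, C, C, C], [A, C, C, C, C])
    return attacker, victim, single

if __name__ == "__main__":
    print(demo())
```
]]></preformatted>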
      </sec>
      <sec id="sec-4-2">
        <title>Evaluation of attack detection</title>
        <p>Next, we simulated attacks with varying degrees of intensity on a group of robotic devices. An attack with a low
degree of intensity is more difficult to detect, since it does not greatly affect the traffic pattern. Nevertheless, such
an attack was discovered by the developed methods within 30 seconds from the beginning of its implementation.
Figure 4 shows the calculation of Kullback-Leibler divergence for normal traffic and for an attacker who is
conducting a low-intensity attack.</p>
        <p>The figure shows that there is an increase in the deviation between the normal distributions at the attacker's
node and the maximum value reaches 0.7. Moreover, since the attack is not very intense, that is, the node sends
not many more packets than during normal operation, a value close to 0.2 is observed for a long time.</p>
        <p>Then an attack of medium intensity was carried out, and it had an impact on the network. The node began
to receive and redirect more packets and wasted energy accordingly. Figure 5 shows the result of calculating
the divergence for sent and received packets for both the victim and the attacker. For comparison, the
calculation of divergence for a normal network node is also given.</p>
        <p>The first histogram depicts the deviation between normal distributions for the attacker. The attack is detected
much faster than the light attack. The histogram shows an increase in the sent packets, and the maximum
value is also recorded as 0.7. A clear sign of this attack is the slow growth of the
divergence value, which is recorded at 0.2 and then reaches the value of 0.7 and settles on it. These changes can
be used as necessary for signature analysis and for training neural networks and classifiers. In this case, as can be seen
from the figure for the attacker, no growth in received packets was observed, as was assumed under
the given conditions. Next, consider what happened to the victim. If you carefully compare figures (a) and
(b), you can notice some symmetry. The histograms are very similar, except that for the victim's node the similar
deviations are recorded for received packets. In this case, the level of sent packets was within the acceptable limits
of the established norm. Special attention should also be paid to the divergence of a normal node. First, for sent
packets, it does not exceed 0.1 in the general case. This is because the node sends an approximately
equal number of packets each interval with small deviations, which do not significantly affect the form of the
nominal distribution. As for the received packets, the deviations reach 0.2. This is generally acceptable.
This situation arises because a node receives packets from different nodes in
different periods of time, which may not coincide, so there may be a slight difference between the distributions of
a given value. However, these gaps are minimal and uniform overall. The pattern of deviation of the indicator
is clearly different from the previous two figures.</p>
        <p>Thus, in this work an intrusion detection system based on a network node and a method
that allows detecting anomalies were presented. The main idea of this method is that by analyzing itself a node
can detect non-standard behavior. As was proved by an experimental study, a node can register deviations between
probability distributions built at different time intervals and find out that it is conducting an attack or is a victim.
Because the normal distribution is used, the collected statistics are smoothed out and small jumps
in the collected data are ignored. This reduces the occurrence of errors associated with his refusal. Moreover,
when constant changes occur and an attack is clearly carried out, the type of distribution begins to change and
registering the anomaly is easy. In the attack experiments, the simulation lasted 200 seconds: for the first 100 seconds no attack
took place and the node behaved normally, and then the attack began. This study will be expanded and
conducted for other types of attacks. In addition, it is planned to increase the number of analyzed parameters.</p>
      </sec>
      <sec id="sec-4-3">
        <title>Acknowledgements</title>
        <p>This work was partially supported by the Russian Foundation for Basic Research No.17-07-00106.</p>
      </sec>
    </sec>
  </body>
</article>