Signature-Based Intrusion Detection System in Wireless 6G IoT Networks

.


Introduction
An "Intrusion Detection System" (IDS) is a security measure designed to perceive and be aware of unauthorized access or malicious activity on a computer system or network [1].Intrusion Detection Systems can be divided into two main classes: signature-based and anomaly-based.
Signature-based IDSs employ an attack signature database to identify intrusions.This indicates that the system can only identify [1] known attacks and cannot identify brand-new or unidentified assaults.Signature-based IDSs are generally considered to [2] be less resource-intensive than anomalybased IDSs, and they can be used to detect a wide range of attacks, such as viruses, worms, and Trojans.
Anomaly-based IDSs, on the other hand, use machine learning or statistical techniques to identify abnormal behaviour in a system or network.This means that the system can detect unknown attacks, but it requires a large amount of labelled data to train the model, and it may generate more false positives than signature-based IDSs.
For wireless IoT networks, it's important to have a system that can detect intrusions in real-time, that can handle the high volume of data and can adapt to the resource-constrained environment of these networks.
The IDS algorithm should also include a mechanism for updating the attack signatures, and for generating alarms when an intrusion is detected [3].Additionally, it should be able to handle false positives and false negatives and it should be able to send alerts to the appropriate personnel via email, SMS, or other remote communication methods.
Wireless IoT networks are networks that connect "Internet of Things" (IoT) devices to each other and the internet using wireless communication technologies.These networks are designed to support a wide range of devices, from simple sensors to complex industrial equipment.
One of the key characteristics of wireless IoT networks is their ability to support a large number of devices with limited resources [3].This means that the devices in a wireless IoT network typically have limited processing power, memory, and battery life.To support these devices, wireless IoT networks use low-power wireless communication technologies such as Zigbee, Z-Wave, and LoRaWAN.
Wireless IoT networks can be split into two main classes: low-range and long-range networks.Low-range networks, such as Zigbee and Z-Wave, are typically used for home automation and building automation applications and have a [4] range of around 30 meters.Long-range networks, such as LoRaWAN and Sigfox, have a range of several kilometres and are typically used for industrial and agricultural applications.

Monitoring and Analysis of Network Traffic to Detect Malicious Activities
There are several ways to monitor and analyze network traffic to detect malicious activity in a wireless 6G IoT network, including: • Signature-Based Detection: With this technique, network traffic is compared to a database of recognised harmful [4] patterns or signatures.The traffic is marked as possibly malicious if a match is discovered.[5] patterns that might point to malicious behaviour.• Traffic Flow Analysis: This method involves collecting and analyzing network traffic data to understand the flow of data across the network, identify any anomalies and suspicious connections.• Security Information and Event Management (SIEM): Which may be used to track and examine data from many sources, including firewall logs and warnings from intrusion [6] detection systems, in order to find possible security concerns.• Virtualized Network Function (VNF): In 6G networks, which can be used to provide a more dynamic and programmable way to monitor, analyze and protect the network.

Signature-Based Intrusion Detection System
Signature-based detection is a method of identifying malicious activity [7] in a wireless 6G IoT network by comparing network traffic to a database of known malicious patterns or signatures.The process works by analyzing network packets and comparing them to a database of known malicious patterns, such as specific strings of data or specific instructions in a packet header.The traffic is marked as possibly malicious if a match is discovered.
The following steps outline the general process of how signature-based detection works: • Signature Database: A database of known malicious patterns or signatures is created and maintained.This database can include information [8] such as specific strings of data, specific instructions in a packet header, or known malware signatures.• Alarm Generation: If a match is found, an alarm is generated to alert the security team.This alarm can also trigger an automatic [9] response to block or isolate suspicious devices or traffic.• Signature Updates: The signature database is updated regularly to protect against newly discovered threats.

Algorithm for Signature Database
The algorithm used for the signature database in a wireless IoT network depends on the specific requirements of the system and the type of data being stored.However, some commonly used algorithms for signature databases include:

Hash-Based
These algorithms use a mathematical function, called a hash function, to create a unique value, called a hash, for each signature in the database.The hash function takes the signature as input and produces a fixed-size string of characters as output.By comparing the hash of a new signature to the hash of known signatures in the database, the system can quickly identify a match.

Algorithm
1. Define a function createHash function that takes a string signature as input and generates a hash using the SHA-256 algorithm.2. Define a function checkSignature function that takes a string signature as input and checks if the hash of the signature matches any known hash in the signatureDatabase array.It returns true if a match is found and false otherwise.// allowing the packet through pass

String Matching
These algorithms use techniques such as regular expressions or string matching to identify patterns in the data that match known signatures.

Algorithm
1.The checkSignature function takes a string signature as input and iterates over each signature in the signatureDatabase array.2. It compares the input signature with each known signature in the array, and if a match is found, it returns true.If no match is found, it returns false.3. The processPacket function takes a Packet object as input and extracts the signature from it using the extractSignature function (not defined in this code snippet).It then calls the checkSignature function to determine if the packet is potentially malicious or not.4. If the signature matches a known signature in the signatureDatabase, the packet is flagged as potentially malicious by calling the flagPacket function (not defined in this code snippet).5.If the signature is not found in the signatureDatabase, the packet is allowed to pass through by calling the Pass statement (which should be spelled with a lowercase "p").// allowing the packet through Pass

Bloom Filters
The Bloom filter is a probabilistic data structure that is utilised by this method to determine if an element is a part of a set.It is used to improve the speed of searching the signature database.

Algorithm
1.The createBloomFilter function creates a Bloom filter with the specified size.
2. The checkSignature function takes a string signature as input and checks if it is present in the Bloom filter using the contains method.3.If it is, it checks if the signature is present in the signatureDatabase using the contains method as well.4. If the signature is found in both the Bloom filter and the database, the function returns true.
Otherwise, it returns false. 5.The processPacket function takes a Packet object as input and extracts the signature from it using the extractSignature function (not defined in this code snippet).It then calls the checkSignature function to determine if the packet is potentially malicious or not.6.If the signature matches a known signature in the signatureDatabase, the packet is flagged as potentially malicious by calling the flagPacket function (not defined in this code snippet).7. If the signature is not found in the signatureDatabase, the packet is allowed to pass through by calling the pass statement (which should be spelled with a lowercase "p" // allowing the packet through pass

Trie-Based Data Structures
Trie is a tree-based data structure that is used to store the signature database, it allows for efficient lookups and prefix-based search.

Algorithm
1.The createTrie function creates an empty Trie data structure.
2. The checkSignature function takes a string signature as input and checks if it is present in the Trie using the contains method.3.If the signature is found in the Trie, the function returns true.Otherwise, it returns false.4. The processPacket function takes a Packet object as input and extracts the signature from it using the extractSignature function (not defined in this code snippet).It then calls the checkSignature function to determine if the packet is potentially malicious or not. 5.If the signature matches a known signature in the Trie, the packet is flagged as potentially malicious by calling the flagPacket function (not defined in this code snippet).6.If the signature is not found in the Trie, the packet is allowed to pass through by calling the Pass statement (which should be spelled with a lowercase "p").trie = createTrie() // allowing the packet through Pass

Artificial Intelligence-Based algorithms
These algorithm uses machine learning techniques to generate and update the signature database.They may be used to network traffic analysis to spot novel patterns that could point to malicious behaviour.

Algorithm Continued
6.It checks if the signature is present in the Trie using the contains method.If it is not present, the function returns false.7. It checks if the signature is malicious using the AI model's predict method.If the prediction is "malicious", the function returns true.Otherwise, it returns false.8.The processPacket function takes a Packet object as input and extracts the signature from it using the extractSignature function (not defined in this code snippet).It then calls the checkSignature function to determine if the packet is potentially malicious or not.9.If the prediction is "malicious", the packet is flagged as potentially malicious by calling the flagPacket function (not defined in this code snippet).10.If the prediction is not "malicious", the packet is allowed to pass through by calling the Pass statement (which should be spelled with a lowercase "p"

Algorithm for Alarm Generation for IDS in Wireless 6G IoT Networks
The Alarm Generation algorithm for IDS in wireless 6G IoT networks would need to consider the specific requirements and constraints [10] of this type of network.Here are a few examples of how this algorithm could be implemented: 1. Real-time Alerts: In wireless 6G IoT networks, it is important to generate alarms in real-time to minimize the impact of intrusions.The alarm generation algorithm [11] should be designed to generate alerts as soon as an intrusion is detected, rather than waiting for a batch of intrusions to be detected.2. Prioritization: Since wireless 6G IoT networks have a large number of connected devices and generate a high volume of data, it's important to prioritize [12] the alerts based on the severity of the intrusion and the criticality of the affected devices or network resources.3. Remote Management: Many wireless 6G IoT networks are deployed in remote or hard-toreach locations.The alarm generation algorithm should be [13] designed to send alerts to the appropriate personnel via email, SMS, or other remote communication methods.4. Handling False Positives: A rule-based or machine learning-based intrusion detection algorithm can generate false positives.The alarm generation algorithm should be designed to handle false positives by providing a mechanism for the system [14] administrator or security analyst to verify and clear the alarm.

Compliance and Auditing:
The alarm generation algorithm should be designed to generate alarms that comply with industry regulations and [14] standards and that can be audited for compliance purposes Algorithm 1. Import the smtplib library for sending email alerts 2. Define an empty list to store detected intrusions 3. Define a function called check_packet that takes a packet as input and checks it against a set of predefined rules to detect intrusions.If an intrusion is detected, it adds the packet to the intrusions list and calls the generate_alarm function.4. Define a function called generate_alarm that checks the intrusions list and generates alarms for any detected intrusions.It prioritizes the alerts based on the severity of the intrusion and the criticality of the affected devices or network resources.If a high-severity intrusion is detected on a high-criticality device, it sends an SMS alert and an email alert.If a medium-severity intrusion is detected, it sends an email alert.If the intrusion is of low severity, it takes no action.5. Define a function called send_sms that takes a message as input and sends an SMS alert using a third-party API. 6. Define a function called send_email that takes a subject, message, and recipient as input and sends an email alert using the SMTP protocol and the smtplib library.It uses the SMTP server for example.com to send the email.import smtplib # Define a list to store detected intrusions intrusions = [] # Function to check if a packet matches any of the rules def check_packet(packet): # Code to check packet against rules and detect intrusions if detected_intrusion: (Continued) Algorithm Continued intrusions.append(packet)generate_alarm() # Function to generate alarms for detected intrusions def generate_alarm(): if intrusions: for intrusion in intrusions: # Code to prioritize the alerts based on the severity of the intrusion and the criticality of the affected devices or network resources if intrusion["severity"] == "high" and intrusion["criticality"] == "high": send_sms("Intrusion detected on device X, immediate attention required.")send_email("Intrusion Alert", "Intrusion detected on device X, please check the logs for more details".,"security@example.com")elif intrusion["severity"] == "medium": send_email("Intrusion Alert", "Intrusion detected on device X, please check the logs for more details".,"security@example.com")else: pass # Function to send SMS alerts def send_sms(message): # Code to send SMS using a third-party API pass # Function to send email alerts def send_email(subject, message, recipient): server = smtplib.SMTP('smtp.example.com')server.sendmail("security@example.com",recipient, message) server.quit()

Algorithm for Signature Update for IDS in Wireless IoT Networks
The Signature Update algorithm is an important aspect of any signature-based intrusion detection system (IDS) as it ensures that the system [13] is able to detect new and evolving threats.
Here are a few examples of how the Signature Update algorithm could be implemented for IDS in wireless IoT networks: 1. Automatic Updates: The algorithm should be designed to automatically download and install new signature updates from a centralized server or [15] cloud-based service.This ensures that the system is always up-to-date with the latest threats.2. Scheduled Updates: The algorithm should be designed to schedule regular updates at specific times, such as during off-peak hours or when the [16][17][18] network is less busy.This minimizes the impact of updates on network performance and availability.

Incremental Updates:
The algorithm should be designed to only download and install the updated signatures that are required, rather than downloading and installing the entire signature database.This reduces the amount of bandwidth and storage [19][20][21] required for updates.

Rollback Capabilities:
The algorithm should be designed to include rollback capabilities [22] so that the system can revert to a previous version of the signature database if an update cause problem. 5. Authentication: The algorithm should be designed to include authentication mechanisms to ensure that only authorized updates are applied to the system, this can be done by using a [23] digital signature or encryption.The algorithms show a promising result with an achieved accuracy of 98.9% for detecting various malicious activities in IDS as shown in Table 2.The algorithms devised here in this study highly improve the overall efficacy of the system.The same algorithms can be implemented for various intrusion detection systems in order to uncover various hidden malicious threats or activities that are degenerating detection systems with overall prodigious accuracy and results as shown in Fig. 1.

Conclusion
In Conclusion, an IDS is a security measure that monitors a computer system or network for unauthorized access or malicious activity, it can be signature-based or anomaly-based.A Signaturebased Intrusion Detection System (IDS) in wireless 6G IoT networks is used to measure security that uses a pre-defined set of known malicious patterns or signatures to identify and flag potentially harmful packets.The system compares the incoming packets against the pre-defined signatures in a database, with the help of various techniques and if a match is found, the packet is flagged as potentially malicious.The advantages of using a Signature-based IDS in wireless 6G IoT networks include: • High detection rate for known threats • Low false positive rate • Easy to deploy and maintain • Can be used in conjunction with other security measures It's important to note that the use of a Signature-based IDS alone may not provide enough protection, and it's recommended to use a combination of different security measures such as machine learning-based detection to improve the overall security of wireless 6G IoT networks.

3 .
Define a function processPacket function takes a Packet object as input and extracts the signature from it.It then calls the checkSignature function to determine if the packet is potentially malicious or not.4. If the signature matches a known hash, the packet is flagged as potentially malicious by calling the flagPacket function.5.If the signature is not found in the signatureDatabase, the packet is allowed to pass through by calling the pass statement.6. extractSignature: This function extracts the signature from the given Packet object and returns it as a string.7. flagPacket: This function flags the given Packet object as potentially malicious.function createHash(signature: string): string // using a hash function such as SHA-256 (Continued) Algorithm Continued hash = SHA-256(signature) return hash function checkSignature(signature: string): boolean // comparing the hash of a new signature to the hash of known signatures in the database newHash = createHash(signature) for knownSignature in signatureDatabase: knownHash = knownSignature.hashif newHash == knownHash: return true return false function processPacket(packet: Packet): void // extracting the signature from the packet signature = extractSignature(packet) if checkSignature(signature): // flagging the packet as potentially malicious flagPacket(packet) else:

Figure 1 :
Figure 1: Shows the comparison between Existing Results and New results

• Anomaly-Based Detection: This
method involves monitoring network traffic for patterns or behaviors that deviate from what is considered normal.Any deviations from the norm are flagged as potentially malicious.• Behavioral-Based Detection: With this technique, people and device behaviour on the network are examined for patterns that might point to malicious activities.• Machine Learning-Based Detection: Using machine learning techniques, this technique analyses network data in real-time for

Table 1 :
Shows the accuracy of Signature Based Detection Algorithm with an overall collective accuracy of 98.8% 1. Import the hashlib, requests, and json modules.2.Define the URL of the server hosting the signature updates, the local file path where the signature database is stored, and the current version of the signature database.3.Define a function called check_for_updates() that will download new signatures if they are available.4.Declare CURRENT_VERSION as a global variable so it can be used within the function.5.Send a GET request to the server to retrieve the current version of the signature database.6.Compare the current version with the latest version to determine if new signatures are available.7.If new signatures are available, download the new signature database.8.Calculate the hash of the downloaded data using the hashlib module.9.Compare the calculated hash with the hash provided by the update server to ensure the downloaded signature database has not been tampered with.10.Save the new signature database to the local file system.11.Update the CURRENT_VERSION variable with the latest version of the signature database.Overall, this algorithm is useful for keeping the local signature database up to date with the latest signatures, helping to improve the detection of threats on the device or network.

Table 2 :
Existing Results and New Results