A Novel Intrusion Detection and Prevention Scheme for Network Coding-Enabled Mobile Small Cells

Network coding (NC)-enabled mobile small cells are seen as a promising technology for fifth-generation (5G) networks that can cover the urban landscape by being set up on demand at any place, at any time, and on any device. Nevertheless, despite the significant benefits that this technology brings to 5G mobile networks, major security issues arise because NC-enabled mobile small cells are susceptible to pollution attacks, a severe security threat that exploits the inherent vulnerabilities of NC. Therefore, intrusion detection and prevention mechanisms that detect and mitigate pollution attacks are of utmost importance if NC-enabled mobile small cells are to reach their full potential. In this article, we propose, to the best of our knowledge for the first time, a novel intrusion detection and prevention scheme (IDPS) for NC-enabled mobile small cells. The proposed scheme is based on a null space-based homomorphic message authentication code (MAC) scheme that allows the detection of pollution attacks and takes proper risk mitigation actions when an intrusive incident is detected. The proposed scheme has been implemented in Kodo and its performance has been evaluated in terms of computational overhead.


I. INTRODUCTION
THE fifth generation (5G) of mobile communications is expected to provide a connected society [1]-[4]. The small cell technology is one of the major 5G enablers for the effective provision of 5G services in an energy-efficient and cost-effective way [5], [6]. Network coding (NC) has been shown to be a good solution for increasing the throughput and improving the performance of wireless networks in mobile small cells, where power consumption, packet loss, and low communication bandwidth are the limiting factors [7]. Unlike traditional store-and-forward routing, in NC-enabled networks the information flows can be mixed. There are two main approaches to NC: XOR NC and random linear NC (RLNC) (see Fig. 1). NC can provide essential benefits to networks, such as: 1) a reduction of packet transmissions in wireless multicast [8], [9]; 2) improved network capacity [10]; and 3) robustness to packet losses [11] and low energy consumption [12]. However, despite these benefits, NC-enabled wireless networks are susceptible to pollution attacks, a security threat in which a malicious node injects corrupted packets into the network so that destination nodes are unable to decode the native packets correctly [13], [14]. The impact of this type of attack is devastating, as it leads not only to a waste of network resources but also to a waste of energy at the nodes. Since security is a significant factor for the success of 5G technology, novel intrusion detection and prevention schemes (IDPS) against these kinds of attacks in NC-enabled mobile small cells are needed [15]-[19].
Therefore, in this article, we propose, to the best of our knowledge for the first time, a novel IDPS for NC-enabled mobile small cells. The proposed scheme is based on a null space-based homomorphic message authentication code (MAC) scheme that allows the detection of pollution attacks and takes proper risk mitigation actions when an intrusive incident is detected. The proposed scheme has been implemented in Kodo and its performance has been evaluated in terms of computational overhead.
The rest of this article is organized as follows. In Section II, we provide the background and related work on NC technology, secure NC, and security schemes against pollution attacks in NC-enabled networks. The scenario architecture is presented in Section III. In Section IV, the detailed description of the proposed novel IDPS for NC-enabled mobile small cells is given. In Section V, we provide details of the implementation of the proposed scheme in Kodo. In Section VI, we provide the performance evaluation of the proposed scheme. Finally, Section VII concludes this article.

A. Mobile Small Cell in 5G Mobile Networks
New IT technologies, such as the Internet of Things, network resource sharing, network functions virtualization (NFV), software-defined networking (SDN), and NC, can reach their full potential through the evolution of 5G wireless communications. Recent research studies have shown that these technologies have the potential to make 5G networks more efficient and less costly [20]. However, recent studies have also identified limitations of 5G technology, mainly in terms of data speed, latency, and reliability. Small cell technology is one of the good solutions for addressing these limitations. The small cell concept provides benefits including higher capacity, lower transmission power, local-only interference, and robustness [21]. Nevertheless, small cells introduce new challenges, such as a complex infrastructure and frequent handovers. In other words, 5G small cells can play an essential role in providing 5G networks with densely deployed heterogeneous networks that meet the increasing demand for capacity. In particular, 5G small cells will be enhanced by incorporating techniques related to massive aggregation, intercell interference mitigation, multicell coordination, and new coding and modulation [22], [23]. In this regard, given that we employ NC to form new energy-efficient and high-speed networking for mobile small cells, a number of security challenges appear that need to be addressed. As an example, Ferrag et al. [24] provide a survey on privacy-preserving and authentication schemes for 5G networks derived from 50 articles. The authors also provide a classification of the attacks in the 5G environment, and summarize a classification of countermeasures to mitigate them, based on cryptographic methods, intrusion detection methods, and human factors [24].

B. Secure NC
With the adoption of NC, several security attacks, including eavesdropping attacks and pollution attacks, have recently appeared in NC-enabled mobile small cells.
Many secure NC schemes against pollution attacks have been proposed. Based on homomorphic functions, a secure hashing scheme was proposed by Krohn et al. [25], where the generated hashes are used to validate blocks of rateless codes. Moreover, a cooperative scheme in which legitimate nodes collaborate to protect themselves against adversarial nodes is presented in [26]; the cooperation between the nodes enables them to detect and verify malicious nodes. Finally, for multicast RLNC-enabled networks, Ho et al. [27] proposed an approach for detecting byzantine attacks. More precisely, the approach first computes a polynomial function of the data symbols (a hash) and then augments each source packet with a flexible number of the hash symbols computed in this way.

C. Pollution Attacks
Pollution attacks can be launched by either an external adversary or an internal adversary (i.e., byzantine modification attacks). In the case of an external adversary, as shown in Fig. 2, the adversary injects corrupted packets into the network in order to corrupt the other coded packets they are mixed with and to disrupt the routing operation. In a byzantine modification attack, on the other hand, the adversary is a forwarding node that applies wrong coding operations to data in transit, threatening the integrity of the packets in the network [14], [23], [24] (see Fig. 3). Both types of attack can further be classified as data pollution attacks or tag pollution attacks, as shown in Figs. 2 and 3. In a data pollution attack, the adversary's main target is to modify (i.e., corrupt) the transmitted data packet, whereas in a tag pollution attack the adversary aims to modify the tags appended to the end of the data packets.

D. Intrusion Detection and Prevention Systems
IDPSs mainly focus on identifying potential security incidents and on blocking or preventing the detected malicious activity. For malicious activity detection, IDPSs use signature detection to identify known malicious behavior, or anomaly detection to identify behavior that does not correspond to legitimate users [30]-[33].
Signature detection is based on a set of known malicious data patterns, also referred to as signatures. These signatures are compared with the current behavior to decide whether it is malicious or not. This method of detection is suitable for detecting known attacks only.
On the other hand, anomaly detection is based on data describing normal behavior (i.e., profiles), derived from monitoring the characteristics of legitimate activity on the system or in the network over a period of time. Anomaly detection then compares the definitions of what is considered normal (i.e., the created normal-behavior profiles) against the observed events in order to identify meaningful deviations, which indicate malicious activity. The profiles can be either static or dynamic. A static profile does not change until the IDPS is forced to create a new one, whereas a dynamic profile is adjusted continuously as additional events are observed. Since systems and networks change over time, the corresponding measures of normal behavior change as well; static profiles therefore become inaccurate over time and should be periodically regenerated. Dynamic profiles do not have this issue, but they are vulnerable to evasion attempts in which an attacker gradually shifts the profile toward the malicious behavior. In contrast to signature detection, anomaly detection is very strong at identifying unknown attacks. Nevertheless, anomaly-based techniques are characterized by a high false alarm rate, since previously unseen but benign system/network behavior may be categorized as anomalous.

III. SCENARIO ARCHITECTURE
In this section, we provide the scenario architecture of the EU-funded H2020-MSCA project "SECRET" (see Fig. 4), which focuses on secure NC-enabled mobile small cells [34]. This scenario architecture consists of a macrocell including a number of small cells, each controlled by a cluster head (i.e., hotspot). The hotspot is a mobile device (i.e., mobile node) within the identified cluster of mobile devices that is nominated to play the role of the local radio manager, controlling and maintaining the cluster. Moreover, the hotspots of different clusters cooperate to form a wireless network of mobile small cells that has several gateways/entry points to the mobile network over intelligent high-speed connections. A centralized software-defined controller controls the hotspots of the different clusters. Finally, the data communication between the mobile nodes is established through device-to-device (D2D) communications and optimized by NC technology. In particular, in the studied scenario, it is assumed that a source mobile node (SN), located in one mobile small cell, wants to multicast packets to two destination mobile nodes (DNs) located in another mobile small cell. Thus, packets from the SN are coded (i.e., RLNC) and traverse multiple devices over a multihop D2D network before arriving at the DNs, where they are decoded. The multihop D2D network consists of several user equipments (UEs), such as legitimate mobile nodes and relay mobile nodes (RNs), as depicted in Fig. 4.

IV. NOVEL IDPS FOR NC-ENABLED MOBILE SMALL CELLS
In this section, we present our proposed IDPS for NC-enabled mobile small cells. Our IDPS is based on the null space-based homomorphic message authentication code (MAC) scheme proposed in [15]; it allows the detection of pollution attacks and takes proper risk mitigation actions when an intrusive incident is detected. The focus of our IDPS is on the detection and mitigation of pollution attacks, which are a severe threat in NC-enabled networks: their impact is similar to that of denial-of-service (DoS) attacks, and they cause network resource waste and energy waste at the nodes. In effect, the attacker targets the availability of the NC-enabled network and its nodes [16], [28]. The scheme adopted from our previous work in [15] enables the proposed IDPS to detect pollution attacks by checking (i.e., verifying) the orthogonality of the packets with the tags and keys, as described in the following. If the verification result is not equal to zero (i.e., a polluted packet is detected), the packet is dropped (i.e., the pollution is prevented from propagating).

A. Outline of the IDPS Scheme
First, the source node divides each message into a sequence of native packets and partitions them into generations.
Following our assumption in [15], each generation consists of $p$ message packets denoted as $c_1, c_2, \ldots, c_p$. We assume that each packet $c_i$ is represented as a vector of $q$ symbols, $(c_{i,1}, c_{i,2}, \ldots, c_{i,q})$, in which each symbol is taken from the finite field $\mathbb{F}_S$, where $S$ is the finite field size (i.e., $c_i \in \mathbb{F}_S^{q}$). The source node then generates an augmented packet $c_i$ according to (1) and sends it to its neighbor nodes. During transmission, an intermediate node creates a new coded packet $c_i$. In our proposed IDPS scheme, the source node generates $w$ tags that are based on null space properties [35]. The scheme proceeds in the following four steps.
1) Tag Generation: In this step, a key distribution center (KDC) first delivers $w$ key vectors $X_1, X_2, \ldots, X_w$ to the source node. Each key vector has $p+q+w$ symbols over the finite field $\mathbb{F}_S$ (i.e., $X_j \in \mathbb{F}_S^{p+q+w}$). The source node uses these $w$ key vectors to calculate $w$ tags for each coded packet and appends the $w$ tags to the end of the coded packet $c_i$. The tags are calculated according to (2), which chooses them so that the tagged packet is orthogonal to every key vector.
2) Swapping Process: In this step, we use a swapping technique in order to resist tag pollution attacks. The KDC generates a secret positive integer value SV, the swapping vector, and sends it to the source node and the destination nodes. The $w$ tag symbols of the coded packet $c_i$ are then swapped with $w$ of the $q$ symbols of the coded packet $c_i$, at positions determined by SV. The resulting swapped coded packet $c_i$ is produced by the source node according to (3). At the destination side, the nodes have to perform the inverse swapping in order to obtain the native packet before RLNC decoding takes place.
3) Key Distribution Process: The KDC, based on the SV of the swapping step, generates new key vectors $X_1, X_2, \ldots, X_w$ according to (4). Our proposed IDPS mechanism follows the key distribution model proposed in [36], which is based on cover-free set systems [37], in order to provide resistance against $c$ compromised nodes. In this model, the maximum number of key vectors that may be assigned to each intermediate and destination node is $R = e \cdot \ln(1/q)$, where $q$ here denotes a security parameter (typically $q = 10^{-3}$), not the packet length. In our proposed scheme this bound is trivially satisfied, since the KDC assigns only one key vector to each intermediate and destination node. This is because each key vector is orthogonal to the swapped coded packet, and thus an intermediate or destination node requires only one key vector to verify the swapped coded packet.
4) Verification Process: Formula (5) checks whether a key vector $X_i$ is orthogonal to a swapped coded packet $c_i$, yielding a value $\eta$. If $\eta = 0$, our proposed IDPS accepts the swapped coded packet $c_i$ and forwards it to the next non-source nodes. If $\eta \neq 0$, our IDPS discards the coded packet $c_i$.

B. Correctness
The correctness of our IDPS mechanism is proved by contradiction. Suppose that our IDPS is not correct; then the verification step (5), applied to a legitimately generated packet, would yield $\eta \neq 0$. Consider a source node holding a coded packet $R_i = (R_{i,1}, \ldots, R_{i,p+q})$ and $w$ key vectors $X = (X_1, X_2, \ldots, X_w)$. It generates the $w$ tags $t_i = (t_{i,1}, \ldots, t_{i,w})$ according to (2). For simplicity, we assume SV = 1, so that the tagged packet is orthogonal to each of the $w$ key vectors by the construction in (2). Therefore, computing $X \cdot R_i^{T}$ as in (6) and comparing it with (7) shows that $\eta = 0$. This contradicts our original assumption that $\eta \neq 0$. Therefore, our IDPS is correct.
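The four steps of Section IV-A and the orthogonality argument of Section IV-B, as an added example that is not the paper's code or part of the Kodo/MATLAB implementation described later: a small null-space homomorphic MAC over GF(2^8) written in Python. Because formulas (1)-(5) are not reproduced on this page, the concrete layout is an assumption: an augmented packet is the $q$ payload symbols followed by the $p$-symbol unit coefficient vector, the tags are obtained by solving the linear system $X_j \cdot (c_i \,\|\, t_i) = 0$ for all $j$, the swap exchanges the tag symbols with the payload window SV..SV+w-1, and a node key is the KDC key permuted in the same way (so that verifying the swapped packet with the permuted key equals verifying the unswapped packet with the original key). Key entries are drawn from 1..255 rather than 0..255 so that any single-symbol change is caught by every key; the paper's parameters (27/42/54 tags, 16-symbol generations) are reduced to $w = 3$ tags and $p = 4$ packets for readability.

```python
"""Added example (not the paper's code): null-space homomorphic MAC over GF(2^8)
with tag swapping, following Steps 1-4 of Section IV-A. Assumed layout: augmented
packet = q payload symbols + p-symbol unit coefficient vector; swap window =
payload positions SV..SV+w-1; node keys = KDC keys permuted the same way."""
import random

P, Q, W = 4, 16, 3   # packets per generation, symbols per packet, tags (paper: 27/42/54)
N = P + Q            # length of an augmented (untagged) packet

def gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    """a^254 == a^-1 in GF(2^8) for a != 0."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def dot(u, v):
    """Inner product over GF(2^8); addition is XOR."""
    acc = 0
    for a, b in zip(u, v):
        acc ^= gf_mul(a, b)
    return acc

def solve(A, b):
    """Gauss-Jordan over GF(2^8): x with A x = b, or None if A is singular."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = gf_inv(M[c][c])
        M[c] = [gf_mul(inv, x) for x in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [x ^ gf_mul(f, y) for x, y in zip(M[r], M[c])]
    return [row[n] for row in M]

def kdc_keys(rng):
    """Step 1: w key vectors in F^(p+q+w). The w x w tag block must be invertible so
    that tags exist; entries are 1..255 (assumption) so one changed symbol never hides."""
    while True:
        keys = [[rng.randrange(1, 256) for _ in range(N + W)] for _ in range(W)]
        if solve([k[N:] for k in keys], [0] * W) is not None:
            return keys

def make_tags(keys, c):
    """Step 1: tags t with X_j . (c || t) = 0 for every key, i.e. B t = A c (char. 2)."""
    return solve([k[N:] for k in keys], [dot(k[:N], c) for k in keys])

def swap(vec, sv):
    """Step 2: exchange the w tag symbols with payload symbols SV..SV+w-1 (mod q).
    The same permutation turns a KDC key into a node key (Step 3). Involution."""
    v = list(vec)
    for k in range(W):
        pos = (sv + k) % Q
        v[pos], v[N + k] = v[N + k], v[pos]
    return v

def verify(node_key, packet):
    """Step 4: eta = X'_j . packet; 0 means forward, anything else means drop."""
    return dot(node_key, packet)

def recode(rng, packets):
    """Intermediate node: random linear combination of swapped, tagged packets."""
    out = [0] * (N + W)
    for pkt in packets:
        a = rng.randrange(256)
        for i, x in enumerate(pkt):
            out[i] ^= gf_mul(a, x)
    return out

def demo(seed=7, sv=5):
    """Constructed generation of P packets; eta per node key for three received packets."""
    rng = random.Random(seed)
    keys = kdc_keys(rng)
    node_keys = [swap(k, sv) for k in keys]             # Step 3
    gen = []
    for i in range(P):
        c = [rng.randrange(256) for _ in range(Q)] + [int(j == i) for j in range(P)]
        gen.append(swap(c + make_tags(keys, c), sv))      # Steps 1-2 at the source
    honest = recode(rng, gen)
    polluted = honest[:]
    polluted[2] ^= 0x5A                                   # external attack on a payload symbol
    tagged = honest[:]
    tagged[N + 1] ^= 0x01                                 # "tag" pollution: after the swap this is payload
    return {name: [verify(k, pkt) for k in node_keys] for name, pkt in
            (("honest", honest), ("data_polluted", polluted), ("tag_polluted", tagged))}
```

demo() returns $\eta$ for every node key on an honestly recoded packet (all zero, by linearity of the inner product and of the swap), on a packet with one payload symbol changed by an external attacker, and on a packet whose trailing $w$ symbols, which the attacker believes are the tags, have been altered; because of the swap those symbols are payload, so the modification is caught exactly like data pollution. If keys were drawn uniformly from all of $\mathbb{F}_S$, a node holding a single key would instead miss a one-symbol change with probability $1/S$.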

V. IMPLEMENTATION
To evaluate the performance of the proposed IDPS, we first implement the butterfly topology with RLNC applied. Then, we implement the external attack scenario (Fig. 2) and the byzantine modification attack scenario (Fig. 3). Our implementation is based on the recoding library of Kodo, which allows encoding at the source node, recoding at the intermediate nodes, and decoding at the destination nodes [38].
Kodo is an open-source NC library intended to allow researchers and students to implement NC algorithms. Although Kodo is written in C++, it also allows users familiar with other programming languages (e.g., C and Python) to use the library functionality [38]-[41]. Kodo supports various NC algorithms, e.g., standard RLNC, systematic RLNC, and sparse RLNC. The Kodo libraries are described in detail in [19] and [38]. However, since Kodo does not allow customized generation of packets and keys, nor tag generation, we used MATLAB for those parts. Specifically, we used MATLAB to generate the packets and the required keys of the source node, and to generate the proper tags at the source node and the intermediate nodes. The generated packets, keys, and tags were then included manually in Kodo.
Throughout the performance measurements, we used a generation size of 16 symbols. The symbol size is set between 1000 and 10 000 bytes, as shown in Figs. 11-19. As mentioned, these packets and the required keys are generated randomly in MATLAB. The Galois field in use is GF(2^8), and the number of tags appended to the end of each coded packet (denoted $w$ in Section IV) is L, with L = 27, 42, and 54 [41]. The whole implementation was run on a 2.7-GHz Core i7 machine with 8 GB of physical memory.

A. Scenarios
Since no attack has been considered or defined in the Kodo library yet, we generated the external attack and the byzantine modification attack in the butterfly topology ourselves in order to evaluate the performance of the proposed IDPS mechanism. In this regard, we first implemented the butterfly topology on Kodo without any attack, as shown in Fig. 5. Fig. 6 shows the successful decoding of the received coded packets at the destination nodes. Then, we considered pollution attacks in the butterfly topology, which make the destination nodes unable to decode the packets successfully (see Fig. 7).
Afterward, we implemented our IDPS mechanism on Kodo over the butterfly topology and show that the proposed scheme detects and drops the corrupted packets inserted into the network by pollution attacks (i.e., the external attack and the byzantine modification attack). In addition, our proposed IDPS mechanism does not introduce high computational complexity.
1) Scenario 1: Well-Behaved Network (No Pollution Attack): We have implemented the proposed IDPS mechanism over the butterfly topology as shown in Fig. 5. Since there is no adversary, the destination nodes decode the packets successfully (see Fig. 6) and the proposed IDPS mechanism does not detect any corrupted packet.
2) Scenario 2: External Attack: In this scenario, an external attack is carried out: an attacker pollutes a coded packet at node UE-1 (see Fig. 8). Our proposed IDPS scheme detects and drops the corrupted packet.
3) Scenario 3: Byzantine Modification Attack: The byzantine modification attack is shown in Fig. 9, where an attacker inserts a corrupted packet into the network. Our proposed IDPS scheme detects and drops the corrupted packet (Fig. 10).

VI. PERFORMANCE EVALUATION
In this section, we provide the performance evaluation of the proposed IDPS mechanism in terms of computational and communication overhead, as well as the probability that a corrupted packet escapes detection.

A. Computational Overhead
Following [42], we consider that the number of tags appended to the end of each coded packet is L (i.e., L = 27, 42, and 54) and that the selected Galois field is GF(2^8). In addition, the symbol size is set between 1000 and 10 000 bytes. The total time T_total elapsed from when a packet is generated to when it is verified and decoded at the destination nodes is expressed in terms of T_enc, T_dec, T_rec, and T_ver, the time for encoding at the source node, decoding at the destination node, recoding at each intermediate node, and verifying at the intermediate and destination nodes, respectively. T_total in the first scenario is illustrated in Fig. 11. Based on the number of tags, this figure includes four curves. As shown, T_total increases with the number of tags.
In scenario 2, T_total for the different numbers of tags (27, 42, and 54) is shown in Fig. 12, and in scenario 3 it is shown in Fig. 13. T_total in scenarios 2 and 3 is higher than in scenario 1, because the proposed IDPS mechanism needs additional time to drop the corrupted packet.
In addition, the time required by our IDPS scheme to verify and detect any corrupted packet in the network, for scenarios 2 and 3, is presented in Figs. 14 and 15, respectively. As these figures show, the required time is almost the same for the different numbers of tags and does not add significant computational overhead to T_total.

B. Communication Overhead
To determine the communication overhead of the proposed IDPS scheme, we consider the communication time T_comm, which is defined as follows:
Figs. 16 and 17 show T_comm for the different numbers of tags in scenario 2 and scenario 3, respectively. Our results show that T_total is almost the same as T_comm, because the verification time T_ver required by the proposed IDPS mechanism is negligible.
Fig. 13. T_total for different numbers of tags when the byzantine modification attack is carried out.
Fig. 16. Communication time for different numbers of tags when the byzantine fabrication attack is carried out.

C. Decoding Probability
We define P_r as the probability that a corrupted packet is not detected in the verification phase. Figs. 18 and 19 show P_r for the three different numbers of tags (27, 42, and 54) in scenarios 2 and 3, respectively. As shown in these figures, P_r is almost 0%. In other words, under our proposed IDPS mechanism the adversary has practically no chance of distributing a corrupted packet in the network without being detected.
Fig. 19. P_r for different numbers of tags when the byzantine modification attack is carried out.

VII. CONCLUSION
In this article, we proposed, to the best of our knowledge for the first time, a novel IDPS for NC-enabled mobile small cells. The proposed scheme has been implemented in Kodo, and its performance evaluation has shown that it does not add significant computational overhead. The scheme is based on a null space-based homomorphic MAC scheme that allows the detection of pollution attacks, which are a severe security threat in NC-enabled networks. The scheme drops the corrupted packets it detects, so that the adversary has practically no chance of distributing a corrupted packet in the network undetected, thereby protecting NC-enabled mobile small cells from wasted network resources and energy. However, dropping alone is not sufficient, since an attacker may continue to inject polluted packets in subsequent rounds, which still wastes network throughput. As future work, we plan to extend the proposed IDPS into a collaborative IDPS that also detects the source(s) of the pollution attacks and localizes the attackers in order to block their access to the network. We also plan to enhance the proposed IDPS to support the correction of detected corrupted packets.

Fig. 1. (a) XOR NC based on the butterfly topology. (b) RLNC based on the butterfly topology.


Fig. 11. T_total for different numbers of tags when no pollution attack has occurred.
Fig. 12. T_total for different numbers of tags when the external attack is carried out.

Fig. 14. Verification time for different numbers of tags when the byzantine fabrication attack is carried out.

Fig. 15. Verification time for different numbers of tags when the byzantine modification attack is carried out.

Fig. 17. Communication time for different numbers of tags when the byzantine modification attack is carried out.

Fig. 18. P_r for different numbers of tags when the byzantine fabrication attack is carried out.