
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO. 3, THIRD QUARTER 2013 1223

On the Vital Areas of Intrusion Detection Systems in Wireless Sensor Networks

Abror Abduvaliyev, Al-Sakib Khan Pathan, Jianying Zhou, Rodrigo Roman, and Wai-Choong Wong

Abstract—This paper surveys recently proposed works on Intrusion Detection Systems (IDS) in WSNs, and presents a comprehensive classification of various IDS approaches according to their employed detection techniques. The three main categories explored in this paper are anomaly detection, misuse detection, and specification-based detection protocols. We give a description of existing security attacks in WSNs and the corresponding proposed IDS protocols to tackle those attacks. We analyze the works with respect to the network structure of WSNs. In addition, we highlight various critical shortcomings that IDSs currently have and define future research tracks for IDSs in wireless sensor networks. Though a few restricted survey works on this topic have already been done, we feel that there is a great need of performing a detailed and comprehensive study on the vital aspects so that the IDS in WSN could be analyzed from all the ‘need-to-know’ angles. Thus, the paper’s main aim is to include the most recent advancements in this area as well as to predict the future course of research so that the general as well as expert readers could be greatly benefited.

Index Terms—Intrusion detection, wireless sensor networks, anomaly, misuse, specification-based

I. INTRODUCTION

In many WSN (Wireless Sensor Network) application scenarios, security is a very important concern, especially for applications designed for WSNs deployed in hostile environments and for commercial applications. With the level of importance of security in a WSN application, ensuring it to the expected level also becomes relatively more difficult than in its other wireless network counterparts. In fact, security in WSN has a great number of challenges that may not be seen in other types of wireless networks. This is due to many reasons like the broadcast nature of wireless communications, limited resources of the sensor nodes, unattended environment where sensor nodes might be susceptible to physical attacks, etc. [1], [2], [10]. Security solutions like authentication, cryptography or key management can enhance the security of WSNs. Nevertheless, these solutions alone cannot prevent all possible attacks. As a wide range of attacks can be launched by compromised nodes in a WSN (i.e., nodes that appear to be legitimate in the network but are not, or are working for another party [7], [11]), a second line of defense like an Intrusion Detection System (IDS) [3], [77] is needed.

Manuscript received January 13, 2012; revised June 6, 2012 and October 12, 2012.

A. Abduvaliyev and W. C. Wong are with the Department of Electrical and Computer Engineering, National University of Singapore (NUS), Singapore (e-mail: wong [email protected]).

A.S.K. Pathan is with Department of Computer Science, International Islamic University Malaysia (IIUM), Kuala Lumpur, Malaysia, email: [email protected].

J. Zhou and R. Roman are with Institute for Infocomm Research (I2R), Singapore, email: [email protected] and [email protected].

Digital Object Identifier 10.1109/SURV.2012.121912.00006

An IDS, which has been successfully implemented in wired networks, can detect the misbehavior of participating nodes and notify other nodes in the network to take appropriate countermeasures. However, an IDS scheme designed for wired networks cannot be applied directly to WSNs because of their specific network characteristics such as limited processing power, memory and battery. Especially, in a wireless sensor network, an IDS is an important security mechanism against both insider and outsider attacks [16]. It focuses on detection of misbehavior or malicious nodes. When IDS detects a sensor node misbehaving, it tries to isolate that malicious node from the network.

In the recent years, many IDSs have been proposed for various WSN structures (flat, cluster, hierarchical). However, there is still a great need of a comprehensive survey on the recent developments in this particular area. In fact, in spite of the presence of some partial works like [15], [79], [81], [85], till this date there have not been any survey paper that collects all the significant IDSs and gives overviews of those works in terms of the underlying techniques they use along with important observations and obtained results. Thus, the main purpose of this work, besides providing readers with a reference paper on IDS in WSN, is to analyze the vital areas of IDS for WSN from various angles. We present not only the most well-known threats, but also introduce some less-known security attacks which need to be detected and prevented as well. We critically analyze works that have been proposed over the last decade and discuss the current state-of-the-art in this research area. We also classify these IDSs based on their detection techniques, analyze them with respect to the existing WSN network structures, and highlight various underdeveloped areas that need to be further researched.

The rest of the paper is organized as follows: Section II gives the background of intrusion detection systems in WSN. The major security threats and attacks against WSNs are explored in Section III. Section IV reviews the significant IDS approaches proposed for WSNs. In Section V, we discuss a few key issues and finally, Section VI concludes the paper based on our findings and analysis.

II. INTRUSION DETECTION SYSTEMS IN WSN

It is in reality extremely difficult to design a network where attackers cannot find some way to break it. In fact, networks should seriously consider the integration of self-awareness and fault tolerance capabilities. That is, not only to assume that problems will appear in one way or another, but also to provide some mechanisms that will detect and reduce the impact of a particular threat. Therefore, we need a second line of defense that can detect attackers or intruder nodes. An IDS is able to detect misbehaving nodes and inform neighbor nodes to take proper countermeasures [5]. The actual detection mechanisms are implemented in specific elements known as IDS agents.

1553-877X/13/$31.00 © 2013 IEEE

Although some type of IDS is used as a major prevention mechanism in wired and ad hoc networks, it is infeasible to apply that directly in wireless sensor networks, mainly because of the vast difference in their network characteristics (specificity, autonomy, self-configurability, long lifetime, deployment location, and (limited) mobility [89]). This complicates the design of the security mechanisms. It is also a fact that the computing and power resources of sensor nodes are more constrained than that of ad hoc nodes [4]. Thus, WSNs demand for a novel and lightweight design of IDS.

There are three main approaches that an IDS can use to classify the attacks:

1) Misuse detection: The action or behavior of nodes is compared with well-known attack patterns. In this case, these patterns must be defined and given to the system. The disadvantages are that this technique needs knowledge to build attack patterns and they are not able to detect novel attacks. In addition, always someone has to update the database of attack patterns. These drawbacks significantly reduce the efficiency of this approach in terms of system management, as the administrator of the network always has to provide IDS agents with an up-to-date database. At current stage, most of the known attacks are only the results of some assumptions or imitated from other classic networks. Whether these well-known attacks or any unknown security attack would be a serious problem for sensor networks still remains unclear.

2) Anomaly detection: This technique does not search for specific attack patterns, but instead it checks whether the behavior of the nodes can be considered as normal or anomalous. The approach first describes the actual features of a ‘normal behavior’, which are established by using automated training. Afterwards, it flags any activities that deviate from these behaviors as intrusions. If a sensor node does not act according to the defined specification of a particular protocol, the IDS would have high confidence to decide that the node is malicious. The wrong decisions made by IDS in terms of false positive and false negative alarms affect the accuracy of detection. Hence, the disadvantage of this methodology is that the system can exhibit legitimate but unseen behavior, which could lead to a substantial false alarm rate. Also, an intrusion that does not exhibit anomalous behavior may not be detected, resulting in false negatives.

3) Specification-based detection: This technique combines the aims of misuse and anomaly detection mechanisms, as it is focused on discovering deviations from normal behaviors that are defined neither by machine learning techniques nor by training data. In fact, the specifications that describe what can be considered as normal behavior are defined manually. Any action is monitored with respect to these specifications. The drawback of this approach is the manual development of all specifications, which is a time-consuming process for human beings. Another disadvantage of this technique is that it cannot detect malicious behaviors which do not violate defined specifications of the IDS protocol. Note that, in some particular cases, misuse and anomaly-based detection techniques can be used side by side, giving birth to hybrid detection mechanisms.

Details of particular IDS models and techniques are discussed later in the paper.

III. SECURITY THREATS AND TYPES OF ATTACKS IN WSN

There are several well-known and a few less-known security attacks that exist in wireless sensor networks. In this section, we discuss these security attacks in brief with respect to their countermeasures. Almost all of the attacks described below focus on the limitations of routing protocols in WSNs [6]. However, some unknown attacks that are launched considering other security constraints of the network are presented as well. Table I introduces a brief summary of well-known and less-known (or, less studied) security attacks and their characteristics in terms of attack behaviors and techniques. In addition, the relevant detection techniques for the attacks are highlighted in the table. Later in Section IV, we will discuss some of these techniques in terms of their benefits and drawbacks.

A. Denial of Service (DoS) Attacks

We consider any type of intentional activity that can disrupt, subvert or even destroy the network as a Denial of Service (DoS) attack.

Basically, DoS attacks can be categorized into three types:

• Consumption of scarce, limited or non-renewable resources.
• Destruction or alteration of configuration information.
• Physical destruction or alteration of network resources.

In the context of WSN, DoS attacks that target the network resources are one of the most significant: the hardware of sensor nodes is usually very constrained, and attackers can try to overload them. Other DoS attacks that are very destructive are jamming and tampering attacks. Jamming is the deliberate interference of the wireless communication channel. In fact, sensor nodes are very vulnerable against this type of physical attack [37]. Tampering is another type of physical attack, which targets the actual hardware of the sensor nodes (e.g. sensitive chips, sensor hardware). While it is difficult to know whether any particular DoS situation is caused intentionally or unintentionally, there are some detection methods that help to thwart each type of DoS attack [72]. Still, tampering attacks remain an open issue.

B. Sinkhole/Blackhole Attacks

In this attack, a malicious node acts as a blackhole [22] to pull in all the traffic in the network. The attacker listens to the route requests and then replies to the target node informing that it has the shortest path to the base station. A victim node is enticed to select it as a forwarder for its packets. Once a malicious node puts itself between the base station and sensor node, it is able to do whatever it wants (drop all packets, change the content, etc) with the packets that pass through it. This type of attack can be very harmful for sensor nodes that are deployed considerably far from the base station. We have to keep in mind that Blackhole and Sinkhole attacks are basically the same attacks by definition. Some recent works have addressed this attack and possible IDSs have been proposed in [11], [19], [23], [24].


TABLE I: SECURITY ATTACKS IN WSNS

| Well-known: Name | Well-known: Characteristics | Less-known (or, Less Studied): Name | Less-known (or, Less Studied): Characteristics |
|---|---|---|---|
| DoS attacks in different layers [21], [37], [38] | Flooding, jamming, misdirection | Fabrication during reprogramming [69] | Unsecure reprogramming process with bogus messages |
| Sinkhole/Blackhole [1], [11], [23], [24] | Shortest path, drop the packets | External stimuli [71] | Use external physical stimuli to create a large number of packets |
| Selective forwarding [25], [26], [27], [28], [29] | Selectively drop the packets | Homing [71] | Hamper the normal functioning of cluster heads |
| The node replication [30], [31], [88] | Add extra node to the network with the same cryptographic secrets | Neglect and greed [70] | Deny transmission of legitimate packets and give higher priority to own packets |
| HELLO flood [32] | Flood with HELLO packets | Unfairness [70] | Unfair resource allocation on MAC protocols |
| Wormhole [18], [20], [33], [34], [35], [36], [73] | Offer less number of hops and less delay which is fake | Forced delay [89] | A node delays packets within its forwarding component |
| Sybil [28], [39], [40], [41], [42], [76] | A malicious node pretends to be more than one node | | |

C. Selective Forwarding

Multi-hop networks like WSNs rely on the assumption that all nodes in the network will faithfully forward the received messages to the base station. In these attacks, a malicious node in the routing path acts as a normal node by forwarding messages, but selectively drops sensitive packets – which is hard to detect by the system. This attack is independent from the Sinkhole/Blackhole attacks, although a malicious node can make use of them to increment its effect in the network. As possible solutions to detect this type of attack, some secure routing algorithms and IDSs using different techniques have been proposed in [19], [25], [26], [27], [29].

D. The Node Replication Attacks

As sensor nodes are constrained in terms of resources and usually deployed in unattended/public environments, an attacker can easily capture, analyze and extract their secrets. In this particular attack, an attacker seeks to add one or more nodes in a network that use the same cryptographic secrets as any other legitimate node in that network. This kind of attack may have severe consequences, like corruption of data by the adversary or even disconnection of some critical parts of the network. For example, a replicated node can send advertising information that is not consistent with the state of the network (i.e. feature advertising [90]) in order to manipulate a certain neighborhood. Some centralized detection schemes, neighborhood-voting protocols, distributed detection techniques, and mobile-oriented statistics mechanisms have been proposed in [30], [31] and [88] to discover the existence of these attacks.

E. HELLO Flood Attacks

Many routing protocols need to broadcast HELLO packets in order to discover one-hop neighbors. This attack uses such packets as a weapon to attract sensor nodes. In particular, an attacker with a large radio range and enough processing power can send HELLO packets to a large number of sensor nodes by flooding an entire section of the network. A node which receives such a packet may assume that the attacker is within normal radio range. Hence, sensor nodes can be persuaded that the adversary is their neighbor. Possible solutions to detect this type of attacks could be the use of bidirectional verification of links, secure multipath routing, and use of multiple base stations [32].

F. Wormhole Attacks

In this attack, an attacker records the packets at one location in the network and tunnels those to another location with the help of a long-range wireless channel or an optical link. Wormhole attack is another significant and serious threat to WSNs: this attack can be launched even if the attacker has not compromised any node, because packets are broadcasted and can be overheard by anyone. Attackers offer less number of hops and less delay than other normal routing paths, thus sensor nodes are enticed to send data through them. There are various types of wormhole attacks. In fact, in a recent work, Sharif and Leckie propose three types of wormhole attacks namely Energy Depleting Wormhole Attack (EDWA), Indirect Wormhole Attack (IBA), and Targeted Energy Depleting Wormhole Attack (TEDWA) [33]. There are also many wormhole detection techniques, which make use of connectivity information [35] or even additional hardware mechanisms such as directional antennas [36].

G. Sybil Attacks

In many applications, sensor nodes need to collaborate with other nodes in order to accomplish a certain task; applications can then implement various management policies to distribute subtasks to different nodes. In this attack, a malicious node can pretend to be more than one node at the same time using the identities of other legitimate nodes, effectively thwarting the collaboration process. This is known as a Sybil attack, and has been studied by Newsome et al. in [39]. By using this attack, a malicious node can target the routing mechanisms, the data aggregation processes, and even the misbehavior detection techniques. As possible countermeasures, we can use logically centralized authority (base station or cluster head) in the network. Some other recent IDSs could be found in [28], [40], [41], [42], [76], [78].


H. Other Security Attacks in WSNs

There are a few less-known (or, commonly unknown or less-studied) security threats that exist in WSNs. These attacks mostly concentrate on service availability (i.e., DoS) of the networks in different layers. We briefly describe them in the following paragraphs.

1) Fabrication during reprogramming: The application layer can be vulnerable against this attack if a WSN application allows reprogramming of the network. Reprogramming of the network may be needed for maintenance and network management purposes: operators do not need to physically access the sensor nodes in order to refine or change their behavior [69]. If the reprogramming process is not secure enough, the attackers not only can cut off a portion of the network by using bogus messages, but also can control the whole network by exploiting particular vulnerabilities.

2) External stimuli: A possible attack against WSNs in application layer could be launched by using some external physical stimuli. The attacker uses these external stimuli to stimulate the nodes with a large number of important events (e.g. high temperature alerts), which must be sent directly to the base station. However, this attack is not effective when packets are sent at predefined regular intervals. One IDS technique detects attackers in the network whenever a particular region creates a large number of packets within a short period of time [71].

3) Homing: In various WSN applications, leader nodes (e.g. cluster heads) can be given special responsibilities such as managing keys, maintaining a local group of nodes, etc. In this attack, the attackers hamper the normal functioning of leader nodes within a WSN application [71], trying to handle and eavesdrop on their activities. Moreover, attackers can try to become leader nodes by manipulating the election process, effectively gaining control of an entire group (e.g. cluster).

4) Neglect and greed: A neglecting node is a node that not only gives undue priority to its own packets, but also can deny the transmission of legitimate packets in case of network congestion. This attack is a special case of selective forwarding attack, as the greedy node may still acknowledge the received packets to the sender, but it drops them randomly and gives excessive priority to its own packets. The protocols which are based on Dynamic Source Routing (DSR) are the most vulnerable to this type of attack [70].

5) Unfairness: This attack is a weaker form of DoS attack located in the link layer. This attack could degrade service for real-time MAC protocols by using unfair resource allocations (e.g. an attacker causes nodes to miss their transmission deadline). Note that providing fairness in WSNs is often viewed as a separate research issue [70].

6) Forced delay: A sensor node deliberately delays packets within its forwarding component, in order to delay the transmission of important events [89]. This attack can be effectively used to degrade the quality of service in systems with near-real time requirements.

IV. TAXONOMY OF IDS APPROACHES IN WSN

So far, we have discussed various types of security threats in WSNs. These attacks can be tackled by using some specific countermeasures: IDS mechanisms and techniques that make use of different underlying principles. Most of those principles are based on the assumption that there exists a noticeable difference between the behavior of an attacker and the behavior of a legitimate node, such that the IDS can match those preprogrammed or learned rules. Following this assumption, it is clear that IDSs can be classified according to the specific detection technique used for studying the audit data. Therefore, we can classify IDSs into three groups: (a) misuse, (b) anomaly, and (c) specification based.

The misuse detection systems are used to detect known patterns of intrusions while anomaly detection techniques are used to detect new or unknown intrusions. Specification-based detection is based on some deviations from normal behaviors. Fig. 1 shows a taxonomy of IDSs in WSN that complies with this classification.

In the following sections we will introduce the different detection techniques, providing an overview of the underlying concepts that help to separate a legitimate node from a malicious one. Note that, at present, most of the state of the art only provides isolated solutions, and does not consider a scenario where different classes of detection mechanisms can collaborate together within the framework of a unified detection architecture. This and other open issues will be discussed later in Section V.

A. Misuse Detection Schemes

The application of rule-based or misuse detection techniques in the context of a WSN is a complex task. In practice, it is difficult to think exactly as an attacker or to know the motive of the attacker. The administrator of the network has to model attack patterns according to attacks that might occur in future. Moreover, the severe memory constraints of WSNs make misuse-detection based IDSs that need to store attack signatures relatively difficult to implement and less likely to be effective [15]. Thus, there are very few papers that study misuse-detection technique for WSNs. Still, most of them follow the watchdog approach, where packet monitoring takes place in several specific nodes in the network [43].

1) Watchdog approach: This approach relies on the broadcast nature of the wireless communications and the assumption that sensors are usually densely deployed. Each packet broadcasted in the network is not only received by the receiver but also by a set of neighboring nodes within the sender’s radio range. In normal cases, neighbor nodes should discard the packet, since they are not actual receivers, but for intrusion detection this can be used as a valuable audit data. Hence, a node can activate its IDS agent and monitor the packets sent by its neighbors by overhearing them. Furthermore, to detect attacks with high accuracy of detection, it is not enough to monitor only one node; system involves more information from other neighbor nodes as well. For instance, to detect selective forwarding attack, a watchdog should overhear packets arriving at a node and transmitted by that node.

If we want to see whether a node B forwards packets sent by node A, we have to activate watchdogs that reside within the intersection of the radio ranges of A and B. A quick example is given in Fig. 2 where the nodes C, D, and E can be watchdogs for the link between A and B.


Fig. 1. Taxonomy of IDSs in WSNs

Fig. 2. Nodes C, D, and E are watchdogs of the link A to B
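
The watchdog placement of Fig. 2 and the reason one watchdog's view is not enough can be worked through in code. The following Python sketch is an added example, not code from the paper or from the cited schemes; the node coordinates, radio range, drop threshold and overheard packet lists are constructed assumptions.

```python
"""Watchdog selection and voting for one monitored link (constructed data)."""
from math import dist

RADIO_RANGE = 10.0     # assumed common radio range, in metres
DROP_THRESHOLD = 0.3   # assumed tolerated fraction of packets not seen leaving B
MIN_OBSERVED = 5       # assumed minimum sample before a watchdog may vote

# Constructed topology in the spirit of Fig. 2: C, D and E hear both A and B.
NODES = {
    "A": (0.0, 0.0), "B": (8.0, 0.0),
    "C": (4.0, 3.0), "D": (4.0, -3.0), "E": (4.0, 0.5),
    "F": (-6.0, 0.0),  # hears A only
    "G": (15.0, 0.0),  # hears B only
}


def watchdogs_for_link(nodes, sender, forwarder, radio_range=RADIO_RANGE):
    """Nodes inside the intersection of the sender's and forwarder's ranges."""
    a, b = nodes[sender], nodes[forwarder]
    return sorted(
        name for name, pos in nodes.items()
        if name not in (sender, forwarder)
        and dist(pos, a) <= radio_range and dist(pos, b) <= radio_range
    )


def drop_ratio(heard_in, heard_out):
    """Share of packets overheard going to B that were never overheard leaving B."""
    arrived = set(heard_in)
    if not arrived:
        return 0.0
    return len(arrived - set(heard_out)) / len(arrived)


def judge_forwarder(observations, threshold=DROP_THRESHOLD,
                    min_observed=MIN_OBSERVED):
    """Majority vote over watchdogs; returns (is_suspicious, per-watchdog votes)."""
    votes = {}
    for watchdog, (heard_in, heard_out) in observations.items():
        if len(set(heard_in)) < min_observed:
            continue  # too little evidence, this watchdog abstains
        votes[watchdog] = drop_ratio(heard_in, heard_out) > threshold
    return sum(votes.values()) * 2 > len(votes), votes


ALL = list(range(1, 11))  # packet ids 1..10 sent from A to B

# B really drops packets 4, 6, 7 and 10. D misses two arrivals and E misses
# one of B's forwards because of collisions, so their counts differ from C's.
SELECTIVE = {
    "C": (ALL, [1, 2, 3, 5, 8, 9]),
    "D": ([1, 2, 3, 5, 7, 8, 9, 10], [1, 2, 3, 5, 8, 9]),
    "E": (ALL, [1, 2, 3, 5, 8]),
}

# B forwards everything, but collisions hide four of its forwards from D.
HONEST = {
    "C": (ALL, ALL),
    "D": (ALL, [1, 2, 3, 4, 5, 6]),
    "E": (ALL, ALL),
}

if __name__ == "__main__":
    print("watchdogs for A->B:", watchdogs_for_link(NODES, "A", "B"))
    print("selective forwarder:", judge_forwarder(SELECTIVE))
    print("honest forwarder:   ", judge_forwarder(HONEST))
```

In the honest case watchdog D alone would raise a false alarm; the vote of C and E overrules it, which is the point of involving several neighbors.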

Some researchers argue that watchdog approaches incur more energy consumption on the sensor nodes, since the nodes must overhear every packet that is not addressed to them. However, each node receives packets sent by neighbor nodes anyway, due to the broadcast nature of the network. Furthermore, the nodes are not able to know if a packet is destined to them unless they receive it and check the packet header. Therefore, the overhead associated to this approach is basically the computational cost of analyzing the packet header and contents in search for attack signatures.

In order to further reduce such overhead, some researchers have studied specific mechanisms that reduce the number of nodes that analyze the packets of the network. In [4], Roman et al. proposed a novel technique for optimal monitoring of neighbors called spontaneous watchdog, which extends the watchdog monitoring mechanism proposed in [43]. The mechanism uses local agents in every sensor node to monitor local activities (i.e., information sent and received by the sensor node), and randomly activated global agents in order to overhear the communications of neighbors. Drawbacks: The problem with this approach is that not all packets can be overheard by a global agent, due to the randomness of the selection process. Another drawback of the work is that it does not deal with the collision of packets, which is highly likely due to the high density of nodes in various wireless sensor networks applications.

B. Anomaly Detection Schemes

In WSN, there are many IDS mechanisms that use anomaly detection techniques. These types of systems usually rely on analyzing whether the behavior of sensor nodes can be considered as normal or abnormal according to certain assumptions and metrics. Most researchers have taken this approach as a main method to detect intrusions, as they consider it is easier to apply than misuse or specification based detections. Note, however, that many anomaly detection techniques have inherited some of the strategies that are used in misuse detection techniques, such as the watchdog approach.

In order to define what can actually be considered as normal behavior, most anomaly detection techniques employ simple assumptions [95] such as:

• Payload of a packet should not be altered or modified.

• Retransmission of a packet must occur in a certain time threshold.

• Same packet can be resubmitted a limited number of times.

• Packet sending rate must be within some limits, etc.

Table II provides an overall comparison of existing anomaly based detection techniques, which will be described in the next subsections, in terms of their energy efficiency, accuracy and memory requirements. Note that, from this table, we can infer that there are no vastly superior detection mechanisms: there is always a tradeoff between the resources (i.e. energy, memory) required to detect the anomalies and the actual accuracy of the detection techniques.

1) Statistical Model-Based Approach: Onat and Miri [3] proposed an anomaly detection based security scheme for WSNs. In their method, each sensor node builds a simple statistical model of its neighbor’s behavior, and these statistics are used to detect various attacks such as node impersonation and resource depletion changes. The system features that are used to detect anomalies are the average of the received power and the packet arrival rate. At every node, only the last N packets received from each neighbor are used to calculate the statistics for that neighbor node and each arriving packet is then compared with those values. If the packet conforms to the statistics of the neighbor, it is accepted as a normal behavior. Drawbacks: The authors do not present how the experimental setup was designed. Also the information about the used routing protocol and simulator is missing. Besides, the system cannot detect selective forwarding and wormhole attacks due to the use of simple statistics.

In [44], the same authors present the same main idea of anomaly detection but with different evaluation metrics. Instead of the previously implemented inter-arrival times, the new scheme uses mean and standard deviation metrics in the buffers. A packet is identified as anomalous if the absolute value of the difference between the mean of the received packet buffer and the mean of the intrusion buffer is greater than the standard deviation of the received packet buffer. Drawbacks: Again, no information is given about the number of nodes, how nodes were tested, and the analysis of the communications and computational costs.
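The per-neighbor window of the last N packets and the buffer rule quoted above can be put together as follows. This is an added example, not code from [3] or [44]; it assumes the intrusion buffer holds the M most recent samples, that flagged samples are not learned, and that a minimum spread is applied so a constant feature does not trigger on noise. All names, window sizes and trace values are constructed.

```python
from collections import deque
from statistics import mean, pstdev


class FeatureWindow:
    """Sliding statistics for one feature of one neighbor."""

    def __init__(self, n, m, min_spread):
        self.received = deque(maxlen=n)   # received packet buffer: last N accepted samples
        self.intrusion = deque(maxlen=m)  # intrusion buffer: last M samples (assumed contents)
        self.min_spread = min_spread      # assumed floor for a feature with zero variance

    def update(self, value):
        """Feed one sample; return True when the buffer rule flags it."""
        self.intrusion.append(value)
        warmed_up = (len(self.received) == self.received.maxlen
                     and len(self.intrusion) == self.intrusion.maxlen)
        if warmed_up:
            spread = max(pstdev(self.received), self.min_spread)
            # Rule from the text: |mean(received) - mean(intrusion)| > std(received)
            if abs(mean(self.received) - mean(self.intrusion)) > spread:
                return True  # flagged samples are not learned into the model
        self.received.append(value)
        return False


class NeighborMonitor:
    """Tracks received power and packet inter-arrival time for every neighbor."""

    def __init__(self, n=8, m=3, power_floor=1.0, gap_floor=0.05):
        self.n, self.m = n, m
        self.power_floor, self.gap_floor = power_floor, gap_floor
        self.neighbors = {}

    def packet(self, ts, neighbor, rx_power_dbm):
        """Process one overheard packet; return the list of features that deviated."""
        state = self.neighbors.get(neighbor)
        if state is None:
            state = {"last_ts": None,
                     "power": FeatureWindow(self.n, self.m, self.power_floor),
                     "gap": FeatureWindow(self.n, self.m, self.gap_floor)}
            self.neighbors[neighbor] = state
        reasons = []
        if state["power"].update(rx_power_dbm):
            reasons.append("rx_power")
        if state["last_ts"] is not None and state["gap"].update(ts - state["last_ts"]):
            reasons.append("arrival_rate")
        state["last_ts"] = ts
        return reasons


def constructed_trace():
    """Constructed sample input: (timestamp_s, neighbor_id, rx_power_dbm)."""
    # Neighbor 7: steady around -70 dBm, then three packets from a much closer sender.
    powers7 = [-70, -71, -69, -70, -72, -68, -70, -71, -69, -70, -55, -56, -55]
    trace = [(float(i), 7, p) for i, p in enumerate(powers7)]
    # Neighbor 9: one packet per second, then a burst with 0.125 s spacing.
    times9 = [0.5 + k for k in range(10)] + [9.625, 9.75, 9.875]
    trace += [(t, 9, -80) for t in times9]
    return sorted(trace)


def run_monitor(trace):
    monitor = NeighborMonitor()
    alerts = []
    for ts, neighbor, power in trace:
        reasons = monitor.packet(ts, neighbor, power)
        if reasons:
            alerts.append((ts, neighbor, reasons))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor(constructed_trace()):
        print(alert)
```

Because the intrusion buffer keeps the deviating samples until they age out, the first legitimate packets after an incident are still flagged; that lag grows with M.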

2) Clustering Algorithm Based Approach: In [5], Loo et al. developed an intrusion detection scheme for routing attacks that uses a fixed-width clustering algorithm to build a model of normal behavior. Note that here we refer to clustering algorithm as unsupervised learning algorithms, not cluster-based network structure (although this approach can be used in clustered networks). They use this model to detect anomalous traffic patterns. The IDS module is implemented on each sensor node and twelve network traffic patterns are identified. These features are used in the training and testing stages. In the training stage, a fixed-width clustering algorithm is used to build a set of clusters in the feature space. Clusters that contain less training traffic samples than a specific threshold are identified as anomalous. During the testing stage, each traffic sample is compared to the cluster set to determine whether it is anomalous or not. Drawbacks: Their method puts too much computation on the sensor node. The authors claim that since the proposed IDS does not require communication between sensor nodes, it significantly reduces the power consumption. However, a statistical analysis of the actual reduction in power consumption compared to other existing IDSs is not provided.
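The training and testing stages described above, as an added example that is not the code of [5]. It uses the common fixed-width variant in which a cluster's center stays at its first member, two constructed and pre-scaled traffic features instead of the twelve used by the authors (which this survey does not list), and treats a test sample that falls outside every cluster as anomalous; the width and threshold are assumptions.

```python
import math


def _nearest(clusters, sample):
    """Return (cluster, distance) for the closest center, or (None, inf)."""
    best, best_d = None, math.inf
    for c in clusters:
        d = math.dist(c["center"], sample)
        if d < best_d:
            best, best_d = c, d
    return best, best_d


def train_fixed_width(samples, width):
    """Training stage: single pass, one new cluster per sample farther than `width`."""
    clusters = []
    for s in samples:
        cluster, d = _nearest(clusters, s)
        if cluster is not None and d <= width:
            cluster["count"] += 1
        else:
            clusters.append({"center": tuple(s), "count": 1})
    return clusters


def label_clusters(clusters, min_fraction):
    """Clusters holding fewer training samples than the threshold are anomalous."""
    total = sum(c["count"] for c in clusters)
    for c in clusters:
        c["anomalous"] = c["count"] < min_fraction * total
    return clusters


def is_anomalous(sample, clusters, width):
    """Testing stage: compare one traffic sample to the cluster set."""
    cluster, d = _nearest(clusters, sample)
    if cluster is None or d > width:
        return True  # assumption: unseen regions of feature space count as anomalous
    return cluster["anomalous"]


# Constructed training data: two dense groups of normal traffic and one stray sample.
TRAINING = [
    (10, 2), (11, 2), (9, 3), (10, 1), (12, 2), (10, 3),
    (30, 5), (31, 6), (29, 4), (30, 7), (32, 5),
    (80, 40),
]
WIDTH = 5.0          # assumed cluster width
MIN_FRACTION = 0.1   # assumed threshold: under 10% of training samples


def build_model():
    return label_clusters(train_fixed_width(TRAINING, WIDTH), MIN_FRACTION)


if __name__ == "__main__":
    model = build_model()
    for c in model:
        print(c)
    for sample in [(11, 3), (79, 41), (50, 20)]:
        print(sample, is_anomalous(sample, model, WIDTH))
```

The model a node has to store is one center, one count and one flag per cluster, so memory grows with the number of clusters the chosen width produces.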

A very similar approach to [5] was presented in [45] by Jian-hua et al. The main difference between the two systems is the input of the clustering technique: authors in [45] used the Apriori algorithm to construct the traffic features from the network data. Therefore, the traffic features used in the clustering algorithm can change at different time intervals. For simulation purposes, five training data sets with normal traffic and two testing data sets with DoS and selective forwarding attack instances were used. Benefits: The results show that the algorithm is able to detect both attacks with a high detection rate. The algorithm is adaptive in the sense that each node might have a different detection model. Drawbacks: Providing each node with a local training data set might be infeasible in large WSNs, where the sensor nodes usually receive and forward a large number of packets in addition to their packet processing duty. This issue complicates the applicability of the algorithm in practical environments, or at least would require the sensor nodes to have higher computational capabilities.

In [46], Wang and Zhang proposed an anomaly detection system based on the arrival order of different packets. The system is based on certain assumptions: all sensor nodes can become cluster heads, only communicate with a limited number of nodes, and should follow corresponding protocol specifications. The IDS has two stages: profile learning and anomaly detection. In the profile learning stage, a node traffic profile is created by extracting data from the information flow such as the source and destination addresses and the packet types. In the anomaly detection phase, a pattern matching technique is used to detect any unknown subsequences of packet events. Drawbacks: The limitation of this work is that the algorithm was not evaluated and performance results were not provided.

3) Centralized Approach: A centralized, active anomaly detection system called ANDES was proposed by Gupta et al. in [47]. In this IDS the detection agent is located in the base station, collecting application data, management information (e.g. node’s ID, hops towards the sink, total transmitted packets, total number of failures to route a packet), and node status information (e.g. normal, unavailable, duplicated and abnormal state), amongst others. All this information can then be combined and analyzed in order to identify possible anomalies. Benefits: This system was implemented in TinyOS [48] on Tmote sky sensor nodes. While the management information might impose a certain overhead as additional management traffic must be acquired, the results obtained from experiments are shown to be positive.

4) Artificial Immune System: In a departure from traditional anomaly detection techniques, the necessity of artificial immune systems (AIS) was discussed in [51]. In this work, Shaust et al. address these biologically inspired algorithms as a possible solution to detect misbehavior in WSNs. They conclude in the paper that AIS is actually a good choice for misbehavior detection in WSNs. In fact, various researchers have used this approach as part of their experiments.

For example, Kim et al. [49] showed the similarities between the properties of WSNs and biological immune systems, and introduced a specific AIS, the Dendritic Cell algorithm (DCA), which was used to detect interest cache poisoning attacks in directed diffusion routing. A sensor node that uses directed diffusion for routing packets maintains an interest cache table and a data cache table. When a node receives a packet, directed diffusion updates both caches and extracts the signals and antigens (e.g. bogus interest packets) from the received packets and caches. Such information is then passed to the DCA, which evaluates whether the antigens are benign or malicious. The algorithm was implemented in J-Sim and also was tested in TOSSIM, a WSN simulator [54]. Drawbacks: There is no information available about the performance of the DCA, and there are also no statistical analyses that might prove the effectiveness of the approach.

TABLE II. COMPARISON OF ANOMALY BASED DETECTION TECHNIQUES

| IDS | Statistical models based | Clustering algorithm based | Centralized | Artificial immune system | Isolation table | Game theory based | Machine learning |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Accuracy | Medium | High | High | High/Medium | Low | High/Medium | High |
| Energy efficiency | No detail | Yes | No | No detail | No | No | Yes |
| Memory requirement | No detail | High | Low | No detail | Medium | Medium | High |
| Network structure | Normal | Clustered | Normal | Normal | Clustered | Normal/Distributed | Normal |

Another approach based on immunology theory was proposed by Liu and Yu [50], and an overview of its architecture can be seen in Fig. 3. Their algorithm is divided into four phases: (i) self acquisition, (ii) generation, (iii) detection, and (iv) clonal selection. The novelty of this approach lies mainly in the clonal selection phase, which increases the response time of the detection system by accelerating the underlying mechanisms (detectors). Besides, a feedback system is used to reduce false-positive rates. This algorithm was also tested in TOSSIM.

5) Isolation table: In [17], Chen et al. proposed an anomaly detection method for three-level hierarchical WSNs (base station - primary cluster heads - secondary cluster heads) based on an isolation table.

In this method the isolation table records the anomaly information, and the detection agents use it to isolate nodes from the network. Note that these tables can be generated by all cluster heads (secondary cluster heads monitor sensor nodes and primary cluster heads, while primary cluster heads monitor secondary cluster heads), and all tables are forwarded to the base station. As a result, isolation tables can be provided to any node that needs them (e.g. a newly elected cluster head that needs to know the actual state of the network). The applicability of this method was analyzed using the ns-2 simulator. Drawbacks: The results of these simulations show that the method has disadvantages in terms of high energy consumption whenever the number of nodes is increased. In addition, the authors did not consider the influence of node failure and node tampering, which can lead to a growth of the false negative rate. The authors extended their work and provided more insightful details in [75] and [94], but the energy consumption problem is still present.

6) Machine Learning Based Approaches: There are some IDSs that rely on various machine learning techniques. For example, [52], [56], [58], and [68] introduce machine learning and automata-based learning approaches as an anomaly detection tool for wireless sensor networks.

In [52], Misra et al. used a learning automata based approach (which is commonly used in optimization problems) to detect misbehaving nodes. This approach relies on packet sampling, where a proportion of the packets traversing the network are sampled to identify whether they are malicious nodes or not. Decisions are made depending on the feedback of the environment to the automaton in partially favorable or partially unfavorable cases. Benefits: Results obtained from analytical analysis show that the detection rate is high and the energy consumption is low for WSNs. The extended version of the work is presented in [82].

Doumit and Agrawal [58] introduced an anomaly approach based on the structure of naturally occurring events. This approach makes use of hidden Markov models (HMM), which have been applied in IDS for wired networks. It also makes use of the concept of self-organized criticality (SOC), which links complex phenomena to simplistic underlying laws. In particular, SOC provides a prediction on the most probable event (e.g. expected temperature value). If the HMM finds that the event is out of bounds, it raises an alarm. Recent work by Rajasegarar et al. [83] used one class support vector machines (SVM) in order to detect network anomalies. The paper proposes two SVM based approaches that are called centered hyperellipsoidal support vector machine (CESVM) and quarter-sphere support vector machine (QSSVM), respectively. CESVM has advantages in terms of parameter selection flexibility and the computational complexity, but it faces certain limitations in distributed WSNs, as it uses a centralized approach. On the other hand, QSSVM works well in a distributed environment. Benefits: The results from real and simulated data sets show that both approaches achieve high detection accuracy.

7) Game Theory-Based Approaches: Other researchers have applied game theory-based models in intrusion detection mechanisms [7], [59], [60], [61], [62], [63]. Game theory based models can be excellent solutions for wired networks in terms of level of security, but for WSNs, it is necessary to prove their applicability: sensors are equipped with constrained energy sources, and the performance of these models seems to decrease when the number of nodes is large.

As an example of these approaches, we can mention the IDS developed by Agah et al. [7], which introduced a non-cooperative game approach to detect misbehaving nodes in clustered sensor networks. This non-cooperative game approach, which formulates an attack-defense game as a non-cooperative two-player nonzero-sum game, achieves Nash equilibrium (i.e. best results for both players) whenever the defense player (i.e. the IDS system) finds and protects the most vulnerable cluster. Consequently, clusters are classified according to their utility and the cost of defending them. Note that the authors also introduced two more techniques (intuitive metric technique and Markov decision process) that could be used to predict the future behavior of the attacker. Drawbacks: The authors claim that this IDS approach can improve the detection rate. However, as every node is provided with a heavy IDS module and learning mechanism, the problem of high energy consumption and communication overhead arises.

Fig. 3. Architecture of Immunity-Based IDS

C. Specification-Based Schemes

Some specification-based schemes have been proposed as IDS solutions for WSNs. As noted earlier, the main disadvantage of this approach is that the development of attack or protocol specifications is done by human beings. In this case, the administrator or the designer of the network has to manually define the specifications that describe what a correct operation is and monitor any behavior with respect to those constraints.

1) Decentralized Approach: One of the first works in this research track was introduced by Silva et al. in [14]. They proposed a decentralized IDS that is based on several pre-defined rules.

The method has three phases: (i) data acquisition, where packets are collected in a promiscuous mode in order to filter out the important data before storing it, (ii) rule application, where the rules are applied to the stored data, and (iii) detection phase, where the number of raised failures is compared with the expected amount of occasional failures to decide whether an intrusion has occurred or not. Fig. 4 illustrates the architecture of a monitor node which has an IDS function in addition to sensing and message transmission capabilities. The results obtained from simulations, which tested attacks such as jamming, blackhole and wormhole, show that the method performs well in a simulation environment. Drawbacks: The algorithm is simulated using a WSN simulator made by the authors, whose technical details are unknown. This makes it difficult to rely on the results presented by the authors, as a simplified WSN model may not be something that could be used in practice. Besides, other types of analyses (numerical or probabilistic or logical) should have been added alongside the presented outputs. Moreover, the algorithm has no information about how to select the actual location of the IDS agents in the application.

There are many other works in this topic [8], [9], [12], [55], [74], [86], [87], [96], [97] that use different techniques (e.g. group-based and collaborative) to specify intrusion detection patterns and attack signatures. For instance, Bhuse et al. [55] introduced a specification-based approach for detecting masquerade (sybil) attacks. They propose two techniques which complement each other when used concurrently. The first one is mutual guarding, where the sensor nodes check the source id of received packets for intrusion. The second technique was labeled by the authors as SRP, and consists of the verification of the number of packets sent and received by a certain node. Drawbacks: Simulation results show that the mutual guard method has considerable overhead and it fails to protect nodes when the attacker has a shorter communication range than the sensor nodes.

2) Pre-defined Watchdog Approach: Krontiris et al. have proposed various specification-based IDS in order to detect blackhole [15], selective forwarding [15], and sinkhole [11], [13] attacks in WSNs. Their approach is based on watchdogs, which have pre-defined rules for raising intrusion alerts. An example of one of those rules is as follows: “If more than half of the watchdog nodes have raised an alert, then the target node is considered compromised and should be revoked, or the base station should be notified”. In defining a threshold value, the authors also take into consideration the loss of messages caused by network anomalies (e.g. wireless noise). The method has three common modules: 1) local monitoring and detection engine, for collecting and analyzing data according to the rules; 2) cooperative detection engine, for making accurate decisions collaboratively; and 3) local response module, for taking appropriate actions if an intrusion is verified by the network. Drawbacks: The method produces very low false-negative and false-positive rates, which is a good thing. However, the actual simulator and experimental settings, which are used to calculate the rates, are not clear.
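The watchdog selection described in Section IV-A (nodes inside both radio ranges of a link) and the majority rule quoted above can be combined as follows. This is an added example, not code from [15] or [16]; the node positions, radio range, packet ids and the 20% tolerated loss are constructed assumptions, and each watchdog judges only packets it overheard arriving at the monitored node.

```python
import math


def watchdogs_for_link(positions, sender, forwarder, radio_range):
    """Nodes that can overhear both ends of the link sender -> forwarder."""
    a, b = positions[sender], positions[forwarder]
    return sorted(node for node, p in positions.items()
                  if node not in (sender, forwarder)
                  and math.dist(p, a) <= radio_range
                  and math.dist(p, b) <= radio_range)


def local_alert(heard_in, heard_out, max_drop_ratio):
    """Local detection: alert when too many overheard packets were never seen forwarded.

    heard_in  -- ids this watchdog overheard arriving at the monitored node
    heard_out -- ids this watchdog overheard the monitored node retransmit
    """
    if not heard_in:
        return False  # no evidence, no alert
    unforwarded = heard_in - heard_out
    return len(unforwarded) / len(heard_in) > max_drop_ratio


def cooperative_decision(alerts):
    """Rule from the text: more than half of the watchdogs must have raised an alert."""
    return sum(1 for raised in alerts.values() if raised) > len(alerts) / 2


def evaluate_link(views, max_drop_ratio):
    alerts = {w: local_alert(i, o, max_drop_ratio) for w, (i, o) in views.items()}
    return alerts, cooperative_decision(alerts)


# Constructed topology matching Fig. 2: C, D and E lie within range of both A and B.
POSITIONS = {"A": (0, 0), "B": (10, 0), "C": (5, 4), "D": (5, -4),
             "E": (5, 0), "F": (20, 0), "G": (-6, 0)}
RADIO_RANGE = 12.0
MAX_DROP_RATIO = 0.2          # assumed allowance for loss caused by wireless noise
SENT = set(range(1, 21))      # packet ids A hands to B


def selective_forwarder_views():
    """B silently drops every third packet; watchdogs overhear imperfectly."""
    forwarded = {i for i in SENT if i % 3}
    return {
        "C": (SENT, forwarded),
        "D": (SENT - {1, 2}, forwarded - {4}),                 # missed some frames
        "E": (set(range(1, 11)), forwarded & set(range(1, 11))),
    }


def honest_forwarder_views():
    """B forwards everything, but collisions hide five retransmissions from D."""
    return {
        "C": (SENT, SENT),
        "D": (SENT, SENT - {2, 5, 8, 11, 14}),
        "E": (SENT, SENT - {7}),
    }


if __name__ == "__main__":
    print(watchdogs_for_link(POSITIONS, "A", "B", RADIO_RANGE))
    print(evaluate_link(selective_forwarder_views(), MAX_DROP_RATIO))
    print(evaluate_link(honest_forwarder_views(), MAX_DROP_RATIO))
```

In the honest case a single watchdog still raises an alert because collisions hid retransmissions from it; the majority rule is what keeps that from revoking a well-behaved node.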

In a more recent work [16], the above authors proposed a cooperative IDS scheme which has been tested in a real environment. The method inherits various extended modules from the authors’ previous works. The algorithm is based on defined intrusion detection conditions (IDC), and the authors argue that these conditions are necessary and sufficient to solve the problem of detecting the most important WSN threats. Benefits: In fact, to the best of our knowledge, this paper is one of the few works that give details on a practical implementation of IDS agents in a real environment. The results show that the proposed algorithm is lightweight enough to run on resource constrained sensor nodes such as telosb.

3) Hybrid System Approach: As stated earlier in Section II, the specification-based approach integrates the aims of misuse and anomaly detection techniques. However, some specific IDSs allow both detection techniques to coexist and interact in one single detection agent. That is, such agents will make use of automated training-based anomaly detection techniques and human-made rule-based misuse detection techniques. These approaches are known as hybrid systems.

Hai et al. [65] proposed a hybrid intrusion detection system that integrates both anomaly and misuse techniques. The specific goal of this method is to detect routing attacks in WSNs. For energy efficiency, they use hierarchical WSNs. In the misuse detection module, the authors use pre-defined rules such as packet interval rule, integrity rule, packet delay rule, and radio transmission range rule. Drawbacks: Unfortunately, there is no proper and full explanation of the anomaly detection techniques used in this paper, that is, how to effectively analyze the collected data and how to make a decision on the existence of intrusions.

Later, the extended versions of the above work have been published by the same leading author (along with others) in [26], [53] and [98]. The methods use two-hop neighbor knowledge in order to prevent routing attacks. Two-hop neighbor knowledge is basically used in broadcasting protocols to reduce the number of packet transmissions such as Source-based Protocol and Dominant Pruning [66]. The two-hop neighbor list is established in each sensor node via a single phase, by modifying the Hello packet. Other parts of this work consist of local and global agents and pre-defined rules. The global agents use the two-hop neighbors’ list and predefined rules to monitor transmissions in their neighborhood. The method performs well for routing attacks. However, it needs to be tested in different attack scenarios in order to check the effectiveness of the method.

Yan et al. [67] introduce a similar hybrid approach. The algorithm contains a misuse detection model, an anomaly detection model, and a decision making model. The novelty of their method is the use of a back propagation network (BPN) for the anomaly detection module. First, the packet records are given to the anomaly detection model, so as to check for abnormal activities. If activity is determined as ‘abnormal’, then it will be forwarded to both the misuse detection model and the decision making model. Then, the misuse detection model analyzes the received data with the help of BPN and sends them to the decision making model. Finally, the decision making model combines the outputs of both models to determine whether or not an output can be considered as an intrusion, and the category of attack. In case of intrusion, the model reports to the base station. Benefits: This approach has been tested by providing comprehensive and detailed simulation results, which can be accessed in [84].

Finally, a dynamic IDS labeled as DIDS was proposed by Huo and Wang in [57]. This work is similar to [64] in terms of used approaches. The method has an event monitor module, a rules record base, a misuse and anomaly detection module, and an alert module. The core architecture of the DIDS is shown in Fig. 5. Benefits: The method was simulated in the ns-2 simulator using 70 nodes. The results obtained by simulations state that their work has some advantages compared to other static IDSs. Drawbacks: The distributed mechanisms implemented in DIDS are able to detect multiple intruders, although at the cost of increasing the energy consumption. Besides, these mechanisms are not tested in a real environment.

V. DISCUSSION ON THE VITAL AREAS

We have so far discussed various types of IDSs in WSNs. Furthermore, we have classified them into different types according to the detection techniques they use. Despite the fact that IDSs are a well-implemented technology in wired networks, there still remains enough scope of research on IDS for WSNs. Precisely, in this section we will highlight various vital areas that have been seldom considered by the previously surveyed major schemes: are there any simulations or real-world implementations that prove the effectiveness of the different IDS mechanisms? In which types of network structures (see Fig. 6) can we integrate the IDS agents? Is there any real architecture/blueprint of a complete IDS system, where different IDS detection mechanisms can be used together in a single agent? How can we implement it? Are there any other issues that we need to consider in the near future?

A. Drawbacks of existing IDS

Here we summarize various drawbacks that almost all of the previously discussed IDS mechanisms have:

• Simulation: Almost no detailed simulations exist for the discussed IDS mechanisms, being anomaly-based or misuse-based. In fact, most of the works do not provide comprehensive analyses or simulations. Note, however, that the lack of real network traces makes it difficult to analyze the effectiveness of an IDS mechanism.

• Real-world implementation: There are very few real-world implementations of IDS schemes (e.g. [16]) in WSNs. Although statistical analyses and simulations are important, such implementations are essential to prove the applicability of the IDS schemes in a real setting.


Fig. 4. Detection phases of decentralized IDS

Fig. 5. Core architecture of DIDS

• Lightweight modules: Energy efficiency is one of the main considerations in designing WSN application modules. Hence, IDS mechanisms should consume as little energy as possible while achieving an acceptable performance. Again, it should be mentioned that heavy IDS mechanisms (e.g. machine learning-based or game theory-based) should be tested and evaluated so as to prove both their effectiveness and their low resource consumption.

• Attack specific: Although many IDS schemes have been proposed to detect malicious attacks, most of them target only one or two specific attacks by using different network and hardware assumptions. Thus, it is very difficult to combine these algorithms into a universal platform. A promising research track would be to choose a set of common criteria based on the features of different attacks.

B. Network structure based analysis

WSN is a highly application-dependent network. Hence, network structures vastly differ depending on the application types. There are mainly three types of network structures: cluster, tree, and hierarchy. We give a brief description of these structures and discuss them with respect to IDSs:

• Tree(flat)-based – In this structure, the base station plays the role of main parent node, and sensor nodes take the roles of leaf nodes or intermediate nodes. The one-hop neighbor nodes of the base station can become parent nodes for the second hop neighbor nodes and this method continues to cover the entire network in this fashion.

• Cluster-based – In this scenario, the network is divided into clusters. Every cluster has its own selected cluster head (CH), which is the bridge between its cluster members and the base station. In addition, cluster heads are often allowed to communicate among themselves for some specific purposes.

• Hierarchical – The network is organized into a tree-like structure with several different types of clusters in it. This structure may have several layers representing parent-child type relationships (at least thematically). Note that this is different than a hybrid model, where a portion of the network is cluster-based while some other portion is tree-based and some other portion may be of hierarchical structure or a combination of all.

Fig. 6 illustrates these network structures, highlighting possible IDS locations where IDSs can provide services in an efficient manner. For instance, in the tree-based structure, global coverage can be achieved if an IDS deploys several (mobile) agents in the leaf nodes and an agent in the parent node (i.e., base station). This helps the IDS to detect attacks with a higher accuracy while reducing the consumption of resources at the same time [4].

In cluster-based network structures, it seems efficient to have one IDS agent for a group of sensor nodes (i.e., installed on cluster head). Assuming that cluster heads are slightly more powerful devices than their cluster members, we can implement powerful IDS modules on them (which may not be efficient on typical sensor nodes).

Furthermore, for hierarchical structures which include both tree-based and cluster-based network structures, it might be a challenging problem to select satisfactory IDS locations. Still, a combination of mobile agents between layers and static agents in cluster heads seems to be a good tradeoff.

In Table III, we present a comparison of various surveyed IDS mechanisms with respect to three types of network structures: hierarchical, tree-based and cluster-based. Our goal is to provide researchers with a reference table that shows explicitly which IDSs can be the best fit for which type of network structure due to their performance, applicability, and other factors. The metrics used in the table, i.e. ‘best’, ‘fair’, ‘bad’ can be interpreted as follows: an IDS algorithm can be well suited for a particular network structure (‘best’), but can also be moderately suitable (‘fair’) or even unsuitable (‘bad’) for other network structures.

C. Other vital issues

Before the concluding remarks, it is necessary to highlight various open issues and implementation strategies that should be taken into account in future developments in this area.

1) Tamper-resistant IDS: There are mainly two places where the IDS mechanisms can be installed; either in a sensor node or in a special, more powerful monitoring node. In both cases, we need to take into account the physical integrity of the nodes when the deployment area is hostile (i.e. there are active attackers trying to hinder the behavior of the IDS). For this particular case, tamper-resistant hardware solutions could be used. However, employing tamper-proof methods would make the network more costly, thus probably only powerful nodes can afford this kind of solution. This is not applicable to distributed IDS, where normal sensor nodes execute part of the IDS global logic. In such a case, the possible solution would be to design low-cost tamper-resistant techniques which can provide resilience to tampering attacks. In fact, some software-based solutions (e.g. attestation) have been proposed and intensely studied (cf. [92] [93]). However, it is necessary to integrate them with existing IDSs. For example, the attestation techniques can become another input of the IDS infrastructure in order to flag any tampered nodes. In addition, after an IDS component produces an alert, it can also test the integrity of the supposedly malicious node using these attestation techniques.

2) Cross-layer IDS: A significant issue of IDS for WSNs is that most of the proposed works target only one specific layer of WSN without taking into account other layers. For instance, Fig. 7 illustrates both an IDS agent that is installed on the application layer and a possible cross-layer IDS solution. The application layer agent might detect only a few types of attacks (e.g., routing attacks) and will miss attacks from other layers (e.g., physical layer). However, a cross-layer IDS solution can detect all types of attacks coming from different layers [91]. Another approach is to use a cross-layer mechanism to manage the intrusion detection mechanisms used in different layers. Not only can information be shared between layers (alerts, layer-specific information), but also all mechanisms can be coordinated. This way, the whole system can have a holistic point of view of all threats.

3) Dynamic IDS: Little work has been done on IDS for mobile WSNs. In fact, applying IDS for mobile nodes or in presence of dynamic change of network topology is a very challenging task. Besides, IDS should take into account auto-configurability and scalability with respect to dynamic network topologies or communication failures.

4) IDS Architecture: In the literature of IDS for WSNs there is a particular factor that has been rarely discussed: the architecture or template of the IDS itself. By architecture, we refer to the overall architecture of WSN-specific IDS systems: a template that can be filled with different mechanisms. Some existing IDS approaches ([14], [51], [57], [90]) provide a partial architecture, where the detection mechanisms can interact with other software elements of the sensor node. Still, these partial architectures seldom take into account the possibility of integrating different detection and control modules. The existence of such IDS template must be considered in order to allow the creation of well-adapted IDS that can respond to the particular threats that can affect a specific application.

Fig. 6. Three types of network structures with possible IDS locations

TABLE III. COMPARISON OF IDSS WITH RESPECT TO NETWORK STRUCTURE

| Network structure / Techniques | Roman et al. [4] | Onat et al. [3], [44] | Loo et al. [5] | Gupta et al. [47] | Kim et al. [49] | Chen et al. [17] | Misra et al. [52], [82] | Leckie et al. [83] | Agah et al. [7] | Krontiris et al. [11], [13], [15] |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Hierarchical | Bad | Fair | Fair | Bad | Fair | Best | Fair | Best | Bad | Fair |
| Tree-based | Best | Bad | Bad | Best | Fair | Bad | Bad | Fair | Bad | Bad |
| Cluster-based | Fair | Best | Best | Bad | Fair | Fair | Fair | Fair | Best | Fair |

5) Internet-enabled IDS: Within the vision of the Internet of Things (IoT) [99] every object will have its own IP address, which makes them identifiable and reachable through the Internet. In fact, WSN are considered as one of the pillars of the IoT, thus experts are building IPv6-enabled WSN applications and protocols. Consequently, next generation Internet applications using IPv6 will be able to communicate with sensor nodes. However, once sensor nodes become citizens of the Internet, they will inherit not only the advantages (e.g. connectivity with anyone) but also the disadvantages, including new threats and old attacks (e.g. Internet-based DoS). In fact, albeit very challenging, the problem of developing IDS mechanisms that cope with these novel circumstances is worth further studying.

VI. CONCLUSIONS

In this work, we have provided a detailed and comprehensive study on IDSs in wireless sensor networks, classifying them according to their underlying mechanisms. In addition, we have briefly introduced the existing security attacks in WSNs and their respective countermeasures. Furthermore, we have provided a critical analysis of the IDS mechanisms with respect to network structure, highlighting various vital areas that are currently underdeveloped.

Fig. 7. IDS installed on application layer and possible cross layer IDS

Based on our observations and findings we can conclude that, while the field of IDS for WSN has advanced significantly in these last years, there are still various research areas (e.g. IDS architectures, balance between accuracy and consumption of resources, novel scenarios, better integration of underlying mechanisms) that need to be further developed. We hope that our results will be beneficial for both beginners and active researchers in this area.

ACKNOWLEDGMENTS

The work has been supported by NDC Lab., KICT, IIUM, Malaysia project PCS3-S001-2012-4800 and project grant NRF2007IDM-IDM002-069 on Life Spaces from the IDM Project Office, Media Development Authority of Singapore.

REFERENCES

[1] Y. Zhou, Y. Fang, and Y. Zhang, Securing Wireless Sensor Networks: A Survey, IEEE Commun. Surveys Tutorials, vol. 10, no. 3, pp. 6-28, 2008.

[2] A.-S. K. Pathan, H.-W. Lee, and C.S. Hong, Security in Wireless Sensor Networks: Issues and Challenges, in 8th International Conference on Advanced Communication Technology (IEEE ICACT 2006), Volume II, 20-22 February, Phoenix Park, Korea, 2006, pp. 1043-1048.

[3] I. Onat and A. Miri, An Intrusion Detection System for Wireless Sensor Networks, Wireless and Mobile Computing, Networking And Communications, vol. 3, 2005, pp. 253-259.

[4] R. Roman, J. Zhou, and J. Lopez, Applying Intrusion Detection Systems to Wireless Sensor Networks, in Consumer Communications and Networking Conference, 2006, pp. 640-644.

[5] CE. Loo, MY. Ng, C. Leckie, and M. Palaniswami, Intrusion Detection for Routing Attacks in Sensor Networks, International Journal of Distributed Sensor Networks, vol. 2, pp. 313-332, 2006.

[6] Y. Wang, G. Attebury, and B. Ramamurthy, A Survey of Security Issues in Wireless Sensor Networks, IEEE Commun. Surveys Tutorials, vol. 8, pp. 2-23, 2006.

[7] A. Agah, S.K. Das, K. Basu, and M. Asadi, Intrusion Detection in Sensor Networks: A Non-Cooperative Game Approach, in 3rd IEEE International Symposium on Network Computing and Applications, September 2004, pp. 343-346.

[8] L. Mostarda, and A. Navarra, Distributed Intrusion Detection Systems for Enhancing Security in Mobile Wireless Sensor Networks, International Journal of Distributed Sensor Networks, vol. 4, no. 2, pp. 83-109, 2008.

[9] Y. Wang, X. Wang, B. Xie, D. Wang, and P. Agrawal, Intrusion Detection in Homogeneous and Heterogeneous Wireless Sensor Networks, IEEE Trans. Mobile Computing, vol. 8, no. 6, pp. 698-711, 2008.

[10] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, A Survey on Sensor Networks, IEEE Commun. Mag., vol. 40, no. 8, pp. 102-114, August 2002.

[11] I. Krontiris, T. Dimitriou, T. Giannetsos, and M. Mpasoukos, Intrusion Detection of Sinkhole Attacks in Wireless Sensor Networks, LNCS, vol. 4837, pp. 150-161, 2008.

[12] L. Guorui, H. Jingsha, and F. Yingfang, Group-based Intrusion Detection System in Wireless Sensor Networks, Computer Communications, vol. 32, no. 18, pp. 4324-4332, 2008.

[13] I. Krontiris, T. Dimitriou, and T. Giannetsos, LIDeA: a Distributed Lightweight Intrusion Detection Architecture for Sensor Networks, in 4th International Conference on Security and Privacy in Communication Networks, Istanbul, Turkey, 2008.

[14] A.P.R. da Silva, M.H.T. Martins, B.P.S. Rocha, A.A.F. Loureiro, L.B. Ruiz, and H.C. Wong, Decentralized Intrusion Detection in Wireless Sensor Networks, in 1st ACM International Workshop on Quality of service and security in wireless and mobile networks, Montreal, Quebec, Canada, October 2005.

[15] I. Krontiris, T. Dimitriou, and F.C. Freiling, Towards Intrusion Detection in Wireless Sensor Networks, in 13th European Wireless Conference, Paris, France, 2007.

[16] I. Krontiris, Z. Benenson, T. Giannetsos, F.C. Freiling, and T. Dimitriou, Cooperative Intrusion Detection in Wireless Sensor Networks, in EWSN 2009, LNCS, vol. 5432, pp. 263-278, 2009.

[17] R. Chen, C. Hsieh, and Y. Huang, A New Method for Intrusion Detection on Hierarchical Wireless Sensor Networks, in ICUIMC-09, Suwon, Korea, January 2009, pp. 238-245.

[18] M. Azer, S. El-Kassas, A. Hassan, and M. El-Soudani, Intrusion Detection for Wormhole Attacks in Ad hoc Networks a Survey and a Proposed Decentralized Scheme, in 3rd Int. Conf. on Availability, Reliability and Security, 2008, pp. 636-641.

[19] B. Yu and B. Xiao, Detecting Selective Forwarding Attacks in Wireless Sensor Networks, in 20th International Parallel and Distributed Processing Symposium (SSN2006 Workshop), Rhodes, Greece, April 2006, pp. 1-8.

[20] L. Hu and D. Evans, Using Directional Antennas to Prevent Wormhole Attacks, in 11th Annual Network and Distributed System Security Symp. (NDSS’04), San Diego, CA, Feb. 2004.

[21] W. Xu, W. Trappe, Y. Zhang, and T. Wood, The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks, in 6th ACM Int’l. Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc’05), Urbana-Champaign, IL, May 2005.

[22] N. Ahmed, S. Kanhere, and S. Jha, The Holes Problem in Wireless Sensor Networks: A Survey, ACM SIGMOBILE Mobile Computing and Communications Review, vol. 9, no. 2, pp. 4-18, 2005.

[23] I. Krontiris, T. Dimitriou, T. Giannetsos, and M. Mpasoukos, Intrusion Detection of Sinkhole Attacks in Wireless Sensor Networks, in 3rd International Workshop on Algorithmic Aspects of Wireless Sensor Networks (AlgoSensors’07), Wroclaw, Poland, 2007.

[24] E.C.H. Ngai, J. Liu, and M.R. Lyu, An Efficient Intruder Detection Algorithm against Sinkhole Attacks in Wireless Sensor Networks, Computer Communications, vol. 30, pp. 2353-2364, 2007.

[25] S. Kaplantzis, A. Shilton, N. Mani, and Y.A. Sekercioglu, Detecting Selective Forwarding Attacks in Wireless Sensor networks using Support Vector Machines, in ISSNIP 2007, Melbourne, Australia, 2007, pp. 335-340.

[26] T.H. Hai and E.N. Huh, Detecting Selective Forwarding Attacks in Wireless Sensor Networks Using Two-hops Neighbor Knowledge, in 7th IEEE International Symposium on Network Computing and Applications, 2008, pp. 325-331.

[27] C. Karlof and D. Wagner, Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures, Elsevier’s Ad Hoc Network Journal, Special Issue on Sensor Network Applications and Protocols, pp. 293-315, 2003.

[28] M. Demirbas, and Y. Song, An RSSI-based Scheme for Sybil Attack Detection in Wireless Sensor Networks, in IEEE WoWMoM, 2006, pp. 564-570.


[29] C.E. Loo, M.Y. Ng, C. Leckie, and M. Palaniswami, Intrusion Detection for Routing Attacks in Sensor Networks, International Journal of Distributed Sensor Networks, vol. 2, no. 4, pp. 313-332, 2006.

[30] J. Zhou, T.K. Das, and J. Lopez, An Asynchronous Node Replication Attack in Wireless Sensor Networks, in IFIP TC 11 23rd International Information Security Conference, vol. 278, Boston Springer, 2008, pp. 125-139.

[31] B. Parno, A. Perrig, and V. Gligor, Distributed Detection of Node Replication Attack in Sensor Networks, in Proc. 2005 IEEE Symposium on Security and Privacy, pp. 49-63, 2005.

[32] M.A. Hamid, M. Mamun-Or-Rashid, and C.S. Hong, Routing Security in Sensor Network: HELLO Flood Attack and Defense, in IEEE ICNEWS 2006, Dhaka, Bangladesh, 2-4 January 2006, pp. 77-81.

[33] W. Sharif and C. Leckie, New variants of Wormhole Attacks for Sensor Networks, in Australian Telecommunication Networks and Applications Conference, 2006, pp. 26-30.

[34] C. Y. Hu, and A. Perrig, Wormhole Attacks in Wireless Networks, IEEE J. Sel. Areas Commun., vol. 24, no. 2, pp. 370-380, 2006.

[35] R. Maheshwari, J. Gao, and S.R. Das, Detecting Wormhole Attacks in Wireless Sensor Networks Using Connectivity Information, in INFOCOM 2007, pp. 107-115, 2007.

[36] L. Hu and D. Evans, Using Directional Antennas to Prevent Wormhole Attacks, in 11th Network and Distributed System Security Symposium, 2003, pp. 131-141.

[37] M. Cagalj, S. Capkun, and J.-P. Hubaux, Wormhole-Based Anti-Jamming Techniques in Sensor Networks, IEEE Trans. Mobile Computing, vol. 6, no. 1, pp. 100-114, 2007.

[38] H. Chen, P. Han, X. Zhou, and C. Gao, Lightweight Anomaly Intrusion Detection in Wireless Sensor Networks, in PAISI 2007, LNCS 4430, pp. 105-116.

[39] J. Newsome, E. Shi, D. Song, and A. Perrig, The Sybil Attack in Sensor Networks: Analysis and Defense, in IEEE/ACM IPSN’04, 2004, pp. 259-268.

[40] H. Yu, M. Kaminsky, P. B. Gibbons, and A. Flaxman, SybilGuard: Defending Against Sybil Attacks via Social Networks, in ACM SIGCOMM 2006, pp. 267-278.

[41] W. Jiangtao, Y. Geng, S. Yuan, C. Shengshou, Sybil Attack Detection Based on RSSI for Wireless Sensor Networks, in WiCom 2007, pp. 2684-2687.

[42] D. Mukhopadhyay and I. Saha, Location Verification Based Defense Against Sybil Attack in Sensor Networks, in ICDCN 2006. LNCS 4308, Springer-Verlag 2006, pp. 509-521.

[43] S. Marti, T.J. Giuli, K. Lai, and M. Baker, Mitigating Routing Misbehavior in Mobile Ad hoc Networks, in MobiCom’00, 2000, pp. 255-265.

[44] I. Onat, and A. Miri, A Real-Time Node-Based Traffic Anomaly Detection Algorithm for Wireless Sensor Networks, in ICW 2005, pp. 422-427.

[45] S. Jian-hua and M. Chuan-Xiang, Anomaly Detection Based on Data-Mining for Routing Attacks in Wireless Sensor Networks, in CHINACOM ’07, 22-24 Aug. 2007, pp. 296-300.

[46] Q. Wang and T. Zhang, Detecting Anomaly Node Behavior in Wireless Sensor Networks, in AINAW, pp. 451-456, 2007.

[47] S. Gupta, R. Zheng, and A. Cheng, ANDES: an Anomaly Detection System for Wireless Sensor Networks, in MASS 2007, pp. 1-9, 2007.

[48] TinyOS, http://www.tinyos.net/

[49] J. Kim, P. Bentley, C. Wallenta, M. Ahmed, and S. Hailes, Danger is Ubiquitous: Detecting Malicious Activities in Sensor Networks using the Dendritic Cell Algorithm, in ICARIS, LNCS 4163, 2006.

[50] Y. Liu and F. Yu, Immunity-Based Intrusion Detection for Wireless Sensor Networks, in International Joint Conf. on Neural Networks, 2008, pp. 439-444.

[51] S. Shaust and H. Szczerbicka, Misbehavior Detection for Wireless Sensor Networks – Necessary or Not?, in 6th Fachgesprach “Drahtlose Sensornetze” der GI/ITG-Fachgruppe “Kommunikation und Verteilte Systeme”, Germany, 2007, pp. 51-54.

[52] S. Misra, K. Abraham, M.S. Obaidat, and P. Venkata Krishna, LAID: a Learning Automata-based Scheme for Intrusion Detection in Wireless Sensor Networks, Security and Communication Networks, vol. 2, pp. 105-115, 2008.

[53] T.H. Hai, E.-N. Huh, and M. Jo, A Lightweight Intrusion Detection Framework for Wireless Sensor Networks, Wireless Communications and Mobile Computing, vol. 10, no. 4, April, 2009.

[54] P. Levis, N. Lee, M. Welsh, and D. Culler, TOSSIM: Accurate and Scalable Simulation of Entire TinyOS Applications, in 1st International Conference on Embedded Networked Sensor System, 2003, pp. 126-137.

[55] V. Bhuse, A. Gupta, and A. Al-Fuqaha, Detection of Masquerade Attacks on Wireless Sensor Networks, in ICC’07, 2007, pp. 1142-1147.

[56] Z. Yu and J. Tsai, A Framework of Machine Learning Based Intrusion Detection for Wireless Sensor Networks, in SUTC’08, 2008, pp. 272-279.

[57] G. Huo and X. Wang, DIDS: A Dynamic Model of Intrusion Detection System in Wireless Sensor Networks, in IEEE ICIA, 2008, pp. 374-378.

[58] S. Doumit and D. P. Agrawal, Self-organized Criticality and Stochastic Learning based Intrusion Detection System for Wireless Sensor Network, in MILCOM 2003, pp. 609-614.

[59] Y. Ma, H. Cao, and J. Ma, The Intrusion Detection Method based on Game Theory in Wireless Sensor Network, in IEEE Ubi-Media Computing, 2008, pp. 326-331.

[60] A. Agah and S.K. Das, Preventing DoS Attacks in Wireless Sensor Networks: A Repeated Game Theory Approach, International Journal of Network Security (IJNS), vol. 5, no. 2, pp. 145-153, 2006.

[61] M. Krishnan, Intrusion Detection in Wireless Sensor Networks, Project Paper, University of California at Berkeley, Unpublished.

[62] Yenumula B. Reddy, A Game Theory Approach to Detect Malicious Nodes in Wireless Sensor Networks, in SENSORCOMM’09, Greece, 2009.

[63] Yenumula B. Reddy and S. Srivathsan, Game Theory Model for Selective Forward Attacks in Wireless Sensor Networks, in 17th Mediterranean Conference on Control and Automat, 2009.

[64] P. Techateerawat and A. Jennings, Energy Efficiency of Intrusion Detection Systems in Wireless Sensor Networks, in WI-IATW’06, 2006.

[65] T.H. Hai, F. Khan, and E.-N. Huh, Hybrid Intrusion Detection System for Wireless Sensor Networks, in ICCSA 2007, LNCS 4706, pp. 383-396, 2007.

[66] A. Durresi, V. Parucheri, S. Iyengar, and R. Kannan, Optimized Broadcast Protocol for Sensor Networks, IEEE Trans. Comput., vol. 54, no. 8, pp. 1013-1024, 2005.

[67] K.Q. Yan, S.C. Wang, and C.W. Liu, A Hybrid Intrusion Detection System of Cluster-based Wireless Sensor Networks, in IMECS 2009, Hong Kong, 2009, pp. 411-416.

[68] S. Banerjee, C. Grosan, A. Abraham, and P. Mahanti, Intrusion Detection on Sensor Networks Using Emotional Ants, Int’l J. of Applied Science and Computations, vol. 12, no. 3, pp. 152-173, 2005.

[69] Q. Wang, Y. Zhu, and L. Cheng, Reprogramming Wireless Sensor Networks: Challenges and Approaches, IEEE Network, pp. 48-55, May 2006.

[70] Y. Wang, G. Attebury, and B. Ramamurthy, A Survey Of Security Issues In Wireless Sensor Networks, IEEE Communications Surveys and Tutorials, vol. 8, no. 2, 2nd Quarter 2006.

[71] D.R. Raymond and S.F. Midkiff, Denial of Service in Wireless Sensor Network: Attacks and Defenses, IEEE Pervasive Computing, vol. 7, no. 1, pp. 74-81, March 2008.

[72] J. Kong, Z. Ji, W. Wang, M. Gerla, R. Bagrodia and B. Bhargava, Low-cost Attacks Against Packet Delivery, Localization and Time Synchronization Services in Underwater Sensor Networks, in 4th ACM Workshop on Wireless Security, 2005, pp. 87-96.

[73] R.d. Graaf, I. Hegazy, J. Horton, and R. Safavi-Naini, Distributed Detection of Wormhole attacks in Wireless Sensor Networks, Ad Hoc Networks, LNCS, vol. 28, no. 1, 2010, pp. 208-223.

[74] M.V. de Sousa Lemos, L. Barroso Leal and R. Holanda Filho, A New Collaborative Approach for Intrusion Detection System on Wireless Sensor Networks, in Novel Algorithms and Techniques, Springer, 2010.

[75] R.C. Chen, C.F. Hsieh, and Y.F. Huang, An Isolation Intrusion Detection System for Hierarchical Wireless Sensor Networks, Journal of Networks, vol. 5, no. 3, 2010, pp. 335-342.

[76] R.C. Chen, Y.F. Huang, and C.F. Hsieh, Ranger Intrusion Detection System for Wireless Sensor Networks with Sybil Attack based on Ontology, in AIC’10, 2010.

[77] H.Y. Lin and T.C. Chiang, Intrusion Detection Mechanisms Based on Queuing Theory in Remote Distribution Sensor Networks, Advanced Materials Research, vol. 121-122, June 2010.

[78] A.-S.K. Pathan, Security of Self-Organizing Networks: MANET, WSN, WMN, VANET, ISBN: 978-1-4398-1919-7, Auerbach Publications, CRC Press, Taylor and Francis Group, USA, 2010.

[79] A.H. Farooqi and F.A. Khan, Intrusion Detection Systems for Wireless Sensor Networks: A Survey, in FGCN/ACN 2009, CCIS, vol. 56, pp. 234-241.

[80] Z. Bankovic, J.M. Moya, A. Araujo, D. Fraga, J.C. Vallejo, and J.M. de Goyeneche, Distributed Intrusion Detection System for Wireless Sensor Networks based on a Reputation System Coupled with Kernel Self-organizing Maps, Integrated Computer-Aided Engineering, vol. 17, no. 2, 2010, pp. 87-102.

[81] Y. Zhang, N. Meratnia, and P. Havinga, Outlier Detection Techniques for Wireless Sensor Networks: A Survey, IEEE Commun. Surveys Tutorials, vol. 12, no. 2, 2010.

[82] S. Misra, P.V. Krishna, and K.I. Abraham, A Simple Learning Automata-based Solution for Intrusion Detection in Wireless Sensor Networks, Wireless Communications and Mobile Computing, Special Issue on Architectures and Protocols for Wireless Mesh, Ad Hoc, and Sensor Networks, vol. 11, no. 3, 2011, pp. 426-441.

[83] S. Rajasegarar, C. Leckie, J.C. Bezdek, and M. Palaniswami, Centered Hyperspherical and Hyperellipsoidal One-Class Support Vector Machines for Anomaly Detection in Sensor Networks, IEEE Trans. Inf. Forens. Security, vol. 5, no. 3, 2010, pp. 518-533.

[84] S.S. Wang, K.Q. Yan, S.C. Wang, and C.W. Liu, An Integrated Intrusion Detection System for Cluster-based Wireless Sensor Networks, Expert Systems and Applications, vol. 38, no. 12, 2011.

[85] T. Bhattasali, and R. Chaki, A Survey of Recent Intrusion Detection Systems for Wireless Sensor Network, in 4th International Conference on Network Security and Applications (CNSA-2011), Springer, 2011, pp. 268-280.

[86] S. Shin, T. Kwon, G.Y. Jo, Y. Park, and H. Rhee, An Experimental Study of Hierarchical Intrusion Detection for Wireless Industrial Sensor Networks, IEEE Trans. Ind. Informat., vol. 6, no. 4, 2010, pp. 744-757.

[87] T.M. Mubarak, S.A. Sattar, A. Rao, and M. Sajitha, A Collaborative, Secure and Energy Efficient Intrusion Detection Method for Homogeneous WSN, in International Conference on Advances in Computing and Communications (ACC-2011), Springer, 2011.

[88] W.T. Zhu, J. Zhou, R.H. Deng, and F. Bao, Detecting Node Replication Attacks in Mobile Sensor Networks: Theory and Approaches, Security and Communication Networks, 2011.

[89] J. Lopez, R. Roman, and C. Alcaraz, Analysis of Security Threats, Requirements, Technologies and Standards in Wireless Sensor Networks, in Foundations of Security Analysis and Design 2009, LNCS 56705, August 2009, pp. 289-338.

[90] R. Roman, J. Lopez, and S. Gritzalis, Situation Awareness Mechanisms for Wireless Sensor Networks, IEEE Commun. Mag., vol. 46, no. 4, April 2008, pp. 102-107.

[91] R. Roman, J. Lopez, and P. Najera, A Cross-layer Approach for Integrating Security Mechanisms in Sensor Networks Architectures, Wireless Communications and Mobile Computing, vol. 11, no. 2, February 2011, pp. 267-276.

[92] A. Perrig, and L. van Doorn, Refutation of On the Difficulty of Software-Based Attestation of Embedded Devices. Technical Report, Carnegie Mellon University, 2010.

[93] A. Francillon, C. Castelluccia, D. Perito, and C. Soriente, Comments on ‘Refutation of On the Difficulty of Software-Based Attestation of Embedded Devices’, Technical Report, INRIA, 2010.

[94] C. F. Hsieh, Y. F. Huang, and R.C. Chen, A Light-weight Ranger Intrusion Detection System on Wireless Sensor Networks, in ICGEC 2011, November 2011, pp. 49-52.

[95] M.S. Islam, and S. AshiqurRahman, Anomaly Intrusion Detection System in Wireless Sensor Networks: Security Threats and Existing Approaches, in Int. J. Advanced Science and Technology, vol. 36, November 2011.

[96] S.K. Singh, M.P. Singh, and D.K. Singh, Intrusion Detection based Security Solution for Cluster-based Wireless Sensor Networks, in Int. J. Advanced Science and Technology, vol. 30, May 2011.

[97] H. Jadidoleslamy, A High-Level Architecture for Intrusion Detection on Heterogeneous Wireless Sensor Networks: Hierarchical, Scalable and Dynamic Reconfigurable, in Wireless Sensor Network, vol. 3, 2011, pp. 241-261.

[98] E.N. Huh, and T.H. Hai, Lightweight Intrusion Detection for Wireless Sensor Networks, in Intrusion Detection Systems, Pawel Skrobanek (Ed.), InTech, 2011.

[99] CERP-IoT Cluster, Visions and Challenges for Realising the Internet of Things, European Commission, 2010.

Abror Abduvaliyev received his M.Eng in Computer Engineering in 2010 from Kyung Hee University, South Korea. He holds B.Sc degree with honors in Electronic Commerce from Tashkent University of Information Technologies (TUIT), Tashkent, Uzbekistan, 2008. He is currently a security analyst at Citibank. His research interests include wireless sensor networks, Internet of Things and intrusion detection systems. He is a student member of IEEE, ACM and member of IACSIT.

Al-Sakib Khan Pathan received Ph.D. degree in Computer Engineering in 2009 from Kyung Hee University, South Korea. He received B.Sc. degree in Computer Science and Information Technology from Islamic University of Technology (IUT), Bangladesh in 2003. He is currently an Assistant Professor at Computer Science department in International Islamic University Malaysia (IIUM), Malaysia and the Head, NDC Lab., KICT, IIUM. His research interest includes wireless sensor networks, network security, and e-services technologies. He is actively involved in various research activities and associated with various reputed journals and conferences as Editor, Chair, TPC member, and Reviewer.

Jianying Zhou is a senior scientist at Institute for Infocomm Research, and heads the Network Security Lab. He received PhD in Information Security from University of London in 1997. His research interests are in computer and network security, mobile and wireless communications security. He is a co-founder and steering committee member of International Conference on Applied Cryptography and Network Security (ACNS). He is also a co-founder and coordinating editor of Cryptology and Information Security Series (CIS).

Rodrigo Roman Castro is a security researcher working at the Institute for Infocomm Research in Singapore. He also collaborates with the NICS security lab at the University of Malaga, Spain, where he obtained his Ph.D. in Computer Science in 2008. His research interests are mainly focused on security architectures and the secure integration of sensor networks with other infrastructures, such as critical infrastructures, cloud environments, and the Internet of Things. He has published various papers and participated in various international research projects related to network and sensor networks security.

Wai-Choong (Lawrence) Wong received the B.Sc. (1st class Honours) and Ph.D. degrees in Electronic and Electrical Engineering from Loughborough University, UK, in 1976 and 1980, respectively. He is currently a Professor in the Department of Electrical and Computer Engineering, National University of Singapore. His research interests include wireless networks and systems, ambient intelligent platforms, multimedia networks, and source matched transmission techniques with over 250 publications and 3 patents in these areas. He received the IEE Marconi Premium Award in 1989, NUS Teaching Award (1989), IEEE 3rd Millennium Award in 2000, the e-nnovator Awards 2000, Open Category, and Best Paper Award at the IEEE International Conference on Multimedia and Expo (ICME) 2006.