A Survey of Intrusion Detection Systems in Wireless Sensor N.pdf

266 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 16, NO. 1, FIRST QUARTER 2014

A Survey of Intrusion Detection Systems inWireless Sensor NetworksIsmail Butun, Salvatore D. Morgera, and Ravi Sankar

AbstractWireless Sensor Networking is one of the mostpromising technologies that have applications ranging fromhealth care to tactical military. Although Wireless Sensor Net-works (WSNs) have appealing features (e.g., low installation cost,unattended network operation), due to the lack of a physical lineof defense (i.e., there are no gateways or switches to monitorthe information flow), the security of such networks is a bigconcern, especially for the applications where confidentiality hasprime importance. Therefore, in order to operate WSNs in asecure way, any kind of intrusions should be detected beforeattackers can harm the network (i.e., sensor nodes) and/orinformation destination (i.e., data sink or base station). In thisarticle, a survey of the state-of-the-art in Intrusion DetectionSystems (IDSs) that are proposed for WSNs is presented. Firstly,detailed information about IDSs is provided. Secondly, a briefsurvey of IDSs proposed for Mobile Ad-Hoc Networks (MANETs)is presented and applicability of those systems to WSNs arediscussed. Thirdly, IDSs proposed for WSNs are presented. Thisis followed by the analysis and comparison of each scheme alongwith their advantages and disadvantages. Finally, guidelines onIDSs that are potentially applicable to WSNs are provided. Oursurvey is concluded by highlighting open research issues in thefield.

Index Termsintrusion detection, IDS, mobile ad hoc network,MANET, security, wireless sensor network, WSN.

I. INTRODUCTION

OWING to their easy and cheap deployment features,Wireless Sensor Networks (WSNs1) are applied to var-ious fields of science and technology: To gather informationregarding human activities and behavior, such as health care,military surveillance and reconnaissance, highway traffic; tomonitor physical and environmental phenomena, such as oceanand wildlife, earthquake, pollution, wild fire, water quality; tomonitor industrial sites, such as building safety, manufacturingmachinery performance, and so on [1].

On the other hand, security in WSNs is an important issue,especially if they have mission-critical tasks [2]. For instance,a confidential patient health record should not be released tothird parties in a heath care application. Securing WSNs iscritically important in tactical (military) applications where asecurity gap in the network would cause causalities of thefriendly forces in a battlefield. Readers who are interestedmore on security in WSNs, may refer to [3], [4] and [5] forfurther information.

Manuscript received September 22, 2012; revised February 6, 2013.The authors are with the Department of Electrical Engineering, University

of South Florida, Tampa, FL, USA (e-mail: [email protected], [email protected], [email protected]).

Digital Object Identifier 10.1109/SURV.2013.050113.001911See Appendix for the list of abbreviations used throughout this survey.

Security attacks against WSNs are categorized into twomain branches: Active and Passive. In passive attacks, at-tackers are typically camouflaged (hidden) and either tapthe communication link to collect data; or destroy the func-tioning elements of the network. Passive attacks can begrouped into eavesdropping, node malfunctioning, node tam-pering/destruction and traffic analysis types. In active attacks,an adversary actually affects the operations in the attackednetwork. This effect may be the objective of the attackand can be detected. For example, the networking servicesmay be degraded or terminated as a result of these attacks.Active attacks can be grouped into Denial-of-Service (DoS),jamming, hole attacks (blackhole, wormhole, sinkhole, etc.),flooding and Sybil types. Readers who are interested more onsecurity attacks against WSNs, may refer to [4], [5] and [6]for further details.

Solutions to security attacks against networks (wirelessand/or wired) involve three main components [7]:

Prevention (defense against attack): This step aims toprevent any attack before it happens. Any proposedtechnique will have to defend against the targeted attack.

Detection (being aware of the attack that is present): Ifan attacker manages to pass the measures taken by theprevention step, then it means that there is a failureto defend against the attack. At this time, the securitysolution would immediately switch into the detectionphase of the attack in progress and specifically identifythe nodes that are being compromised.

Mitigation (reacting to the attack): The final step aimsto mitigate any attack after it happens by removing(revoking from the network routing tables) the affectednodes and securing the network.

Intrusion is an unauthorized (unwanted) activity in a net-work that is either achieved passively (e.g., informationgathering, eavesdropping) or actively (e.g., harmful packetforwarding, packet dropping, hole attacks). In a securitysystem, if the first line of defense, Intrusion Prevention,does not prevent intrusions, then the second line of defense,Intrusion Detection, comes into play. It is the detectionof any suspicious behavior in a network performed by thenetwork members.

In any security plan, Intrusion Detection Systems (IDSs)provide some or all of the following information to the othersupportive systems: identification of the intruder, location ofthe intruder (e.g., single node or regional), time (e.g., date)of the intrusion, intrusion activity (e.g., active or passive),intrusion type (e.g., attacks such as worm hole, black hole,sink hole, selective forwarding, etc.), layer where the intrusion

1553-877X/14/$31.00 c 2014 IEEE

BUTUN et al.: A SURVEY OF INTRUSION DETECTION SYSTEMS IN WIRELESS SENSOR NETWORKS 267

occurs (e.g., physical, data link, network). This informationwould be very helpful in mitigating (i.e., third line of defense)and remedying the result of attacks, since very specific infor-mation regarding the intruder is obtained. Therefore, intrusiondetection systems are very important for network security.

WSNs have unique characteristics such as limited powersupply, low transmission bandwidth, small memory size anddata storage. Due to these restricted operating conditions(constrained computational and energy resources along withan ad hoc communication environment) of WSNs, most of thesecurity techniques (including intrusion detection techniques)devised for traditional wired/wireless networks are not directlyapplicable to a WSN environment [8]. Designing an effectiveand efficient intrusion detection technique that is applicable toWSNs is a very big challenge, which motivated us to work onthis research area. The first task of any research is to conductan extensive literature review, which led us to the preparationof this survey as the first outcome of our research.

The rest of the paper is organized as follows: In Section II, abrief overview of IDSs, their classifications and their require-ments is provided. Section III includes a brief survey of IDSsproposed for MANETs, followed by the comments regardingtheir applicability to WSNs. Section IV specifies the chal-lenges and restrictions of WSNs and stresses the differencescompared to the other types of networks (wired/wireless).Then, a detailed literature review on IDSs devised for WSNs isprovided along with comments on their prominent and lackingfeatures. Finally, our paper is concluded by comparing existingapproaches, stressing their weaknesses and providing a generalmodel for an IDS that would be applicable to WSNs.

II. INTRUSION DETECTION SYSTEMS (IDSS)

In a network or a system, any kind of unauthorized orunapproved activities are called intrusions. An Intrusion De-tection System (IDS) is a collection of the tools, methods,and resources to help identify, assess, and report intrusions.Intrusion detection is typically one part of an overall pro-tection system that is installed around a system or deviceand it is not a stand-alone protection measure [9]. In [10],intrusion is defined as: any set of actions that attempt tocompromise the integrity, confidentiality, or availability ofa resource and intrusion prevention techniques2 (such asencryption, authentication, access control, secure routing, etc.)are presented as the first line of defense against intrusions.However, as in any kind of security system, intrusions cannotbe totally prevented. The intrusion and compromise of a nodeleads to confidential information such as security keys beingrevealed to the intruders. This results in the failure of thepreventive security mechanism. Therefore, IDSs are designedto reveal intrusions, before they can disclose the securedsystem resources. IDSs are always considered as a secondwall of defense from the security point of view. IDSs arecyberspace equivalent of the burglar alarms that are being usedin physical security systems today [12]. As mentioned in [10],the expected operational requirement of IDSs is given as: lowfalse positive rate, calculated as the percentage of normalcy

2For an application of intrusion prevention system to WSNs, please referto [11].

variations detected as anomalies, and high true positive rate,calculated as the percentage of anomalies detected.

A. Requirements of IDSs

The IDS that is being designed should satisfy the followingrequirements:

not introduce new weaknesses to the system, need little system resources and should not degrade

overall system performance by introducing overheads, run continuously and remain transparent to the system

and the users, use standards to be cooperative and open, be reliable and minimize false positives and false nega-

tives in the detection phase.

B. Classification of IDSs

As shown in Fig. 1, IDSs can be classified as follows [13],[14], [15]:

1) Intruder type: Intruders to a network can be classifiedinto two types:

External intruder: An outsider using different means ofattacks to reach the network.

Internal intruder: A compromised node that used to be amember of the network. According to [16], insider attacksagainst ad-hoc networks use two types of nodes: Selfish node: Uses the network resources but does

not cooperate, saving battery life for their owncommunications. It does not directly damage othernodes.

Malicious node: Aims at damaging other nodes bycausing network DoS by partitioning, while savingbattery life is not a priority.

An IDS can detect both external and internal intruders, butit should be noted that internal intruders are harder to detect.This is due to the fact that internal intruders have the necessarykeying materials to neutralize any precautions taken by theauthentication mechanisms.

2) Intrusion type: Intrusions in a network may happen invarious ways:

Attempted break-in: An attempt to have an unauthorizedaccess to the network.

Masquerade: An attacker uses a fake identity to gainunauthorized access to the network.

Penetration: The acquisition of unauthorized access to thenetwork.

Leakage: An undesirable information flow from the net-work.

DoS: Blockage of the network resources (i.e., communi-cation bandwidth) to the other users.

Malicious use: Deliberately harming the network re-sources.

IDSs may provide partial detection solution to those attacks.But of course, all system administrators would like to havea perfect IDS that would able to detect all of the intrusionslisted above.


Fig. 1. Classification of IDSs.

3) Detection methodologies: IDSs are functionally catego-rized into three groups: anomaly based detection, misuse baseddetection, and specification based detection:

Anomaly based detection: This is based on statisticalbehavior modeling. Normal operations of the membersare profiled and a certain amount of deviation from thenormal behavior is flagged as an anomaly. The disad-vantage of this detection type is that the normal profilesmust be updated periodically, since the network behaviormay change rapidly. This may increase the load on theresource constrained sensor nodes. According to [17], thismodel detects intrusions in a very accurate and consistentway (low false positive and false negative rates) underthe condition that the network being observed followsstatic behavioral patterns. The advantage of this detectiontype is that it is well suited to detect unknown orpreviously not encountered attacks. According to Garcia-Teodoro et al. [18], anomaly based IDSs are furtherdivided into three categories according to the nature of theprocessing involved in the behavioral model considered.These categories are modified according to [12] and thefinal categorization is illustrated in Fig. 2: Statistical based: In statistical based anomaly IDSs,

the network traffic is captured and then a profilerepresenting its stochastic behavior is generated. Asthe network operates in normal conditions (withoutany attack), a reference profile is created. After that,the network is monitored and profiles are generatedperiodically and an anomaly score is generated bycomparing it to the reference profile. If the scorepasses a certain threshold, the IDS will flag anoccurrence of the anomaly.

Univariate: Parameters are modeled as indepen-dent Gaussian random variables.

Multivariate: Correlations between two or moremetrics are also considered here.

Time series model: Here, an interval timer isused along with an event counter that takes intoaccount the order and inter-arrival times of theobservations and also their values.

Statistical methods for anomaly detection are verywell defined in [19] and here an example methodol-ogy for the detection of packet dropping attacks issummarized: Forwarding percentage (FP) of node m,is the ratio of forwarded packets by node m over thepackets that are transmitted from node M to node mthat are to be forwarded (in transit packets), observedfor a specific period of time ( ). It is calculated asfollows:

FPm =packets actually forwarded

packets to be forwarded(1)

=#(m,M)#([m],M)#(M,m)#(M, [m])

Where: m: monitored node M: monitoring node #(m,M): the number of outgoing packets from m

of which node M is the next hop #([m],M): the number of outgoing packets from

m of which node m is the source and node M isthe next hop

#(M,m): the number of outgoing packets from Mof which node m is the next hop


#(M, [m]): the number of outgoing packets fromM of which node m is the final destination

FPm: forwarding percentage of node mIf the denominator of equation (1) is not zero andif FPm = 0, then this event is detected as Un-conditional Packet Dropping and m is identified asattacker. If the denominator of equation (1) is notzero and if FPm is less than a certain threshold(TFP ) and following condition (2) holds then thisevent is detected as Random Packet Dropping andm is identified as attacker.

0 < FPm < TFP < 1 (2)

Knowledge based: Knowledge based anomaly IDSsrely on the availability of the prior knowledge (data)of the network parameters in normal operating con-dition as well as the one under certain attacks. Expert Systems: It is based on rules classification

of audit data. Description languages:Diagrams (such as Unified

Modeling Language (UML) diagrams) are gener-ated based on the data specifications.

Finite State Machine: States and transitions aredefined according to the available data set.

Data clustering and outlier detection: Observeddata is grouped into clusters according to a speci-fied similarity or distance measure. Points that donot belong to any cluster are named as the outliers.

Machine learning based: In machine learning basedanomaly IDSs, an explicit or implicit model ofthe analyzed patterns is generated. These modelsare updated periodically, in order to improve theintrusion detection performance on the basis of theprevious results. Bayesian networks: It is based on probabilistic

relationships among the variables of interest. Markov models: It is based on stochastic Markov

theory in which the topology and capabilities ofthe system are modeled as states that are inter-connected through certain transition probabilities.

Fuzzy logic: It is based on approximation anduncertainty.

Genetic algorithms: It is inspired by the evolu-tionary theory of biology.

Neural networks: It is based on the human brainfoundations.

Principal Component Analysis (PCA): It is basedon a dimensionality reduction technique.

Misuse based (signature based or rule based) detec-tion: The signatures (profiles) of the previously knownattacks are generated and are used as a reference todetect future attacks. For instance, a typical example ofa signature would be: there are 3 failed login attemptswithin 5 minutes for the brute force password attack.The advantage of this type of detection is that it canaccurately and efficiently detect known attacks; hencethey have a low false positive rate. The disadvantage isthat if the attack is a new kind (that was not profiled

Fig. 2. Classification of anomaly based IDSs according to their detectionalgorithms

before), then the misuse detection would not be able tocatch it. Sobh [13] pointed out that these systems are verymuch like the anti-virus systems, which can detect mostor all known attack patterns, but are of little use for theattack methods that are unknown yet. On the other hand,in [20], the authors present the following rules in orderto monitor the network anomalies:

Interval rule: delay between the arrivals of twoconsecutive messages must be within certain limits.

Retransmission rule: the transit messages should beforwarded by the intermediate nodes.

Integrity rule: the original message from the sendermust not deviate when it arrives to the receiver.

Delay rule: the retransmission of a message mustoccur after a certain wait time.

Repetition rule: same message can only be transmit-ted from the same node in certain number of counts.

Radio transmission range: the messages should beoriginated from the neighboring nodes only.

Jamming rule: the number of collisions for a packettransmission must be lower than a threshold.

Specification based detection: A set of specificationand constraints that describe the correct operation of aprogram or protocol is defined. Then execution of theprogram with respect to the defined specifications andconstraints is monitored [14]. This methodology wasintroduced in [21], which provided the capability to detectpreviously unknown attacks, while exhibiting a low falsepositive alarm rate.


Sobh [13] identified the main distinction among theanomaly based detection and misuse based detection as:anomaly detection systems try to detect the effect of badbehavior but misuse detection systems try to recognize knownbad behavior.

Specification based intrusion detection techniques combinethe advantages of both misuse and anomaly based detectiontechniques, by using manually developed specifications andconstraints to characterize legitimate system behavior. Spec-ification based intrusion detection techniques are similar toanomaly based detection techniques, in that both of themdetect attacks as the deviations from a normal profile. Sincespecification based detection techniques are based on manuallydeveloped specifications and constraints, they have low falsealarm rate compared to the high false alarm rated anomalybased detection techniques. On the other hand, the cost toachieve the mentioned low false alarm rate is that the de-velopment of detailed specifications and constraints would bevery time consuming [22].

4) Source of the audit data: IDSs can be categorizedinto three groups, according to the source of the audit data(depending on the location of the data to be analyzed):

Network based Intrusion Detection System (NIDS):NIDS passively or actively listens to the network trans-missions, captures and examines packets that are beingtransmitted. NIDS can analyze an entire packet, payloadwithin the packet, IP addresses or ports.

Host based Intrusion Detection System (HIDS): HIDSis concerned with the events on the host that they areserving. They are capable of (but not limited to) detectingthe following intrusions: changes to critical system fileson the host, repeated failure access attempts to thehost, unusual process memory allocations, unusual CPUactivity or I/O activity. HIDS achieves this by eithermonitoring the real-time system usage of the host or byexamining log files on the host.

Hybrid Intrusion Detection System: It is composed ofboth NIDS and HIDS components in an efficient mannerby the usage of the mobile agents. Mobile agents travelto each host and perform system log file checks whilea central agent checks the overall network traffic for theexistence of anomalies.

5) Computing location of the collected data: IDSs are di-vided into four categories according to the computing locationof the collected data:

Centralized IDS: A centralized computer monitors allthe activities in the network and detects intrusions byanalyzing the monitored network activity data.

Stand-alone IDS: An IDS runs on each node indepen-dently and every decision is based on the informationcollected at its own node. Members of the networkare not aware of the intrusions happening around thembecause stand-alone IDS do not allow individual nodes tocooperate or share information among each other. Theywork as if they are alone.

Distributed and Cooperative IDS: This is proposed forflat network infrastructures. Each node runs an IDSagent which participates (cooperatively participating in

the global intrusion detection decisions and actions) in theintrusion detection and response of the overall network.If a node detects an intrusion with weak or inconclusiveevidence, then it can initiate a cooperative global intru-sion detection procedure. If a node detects an intrusionlocally with sufficient evidence, then it can independentlyalert the network regarding an attack.

Hierarchical IDS: This is proposed for multi-layer (clus-tering) network infrastructures. Cluster heads (CHs) areresponsible for monitoring their member nodes, as well asparticipating in the global intrusion detection decisions.

Mobile Agent based IDS: Each mobile agent is assignedto perform a specific task of the IDS on a selected node;and the intrusion detection is performed by the coopera-tive action of these selected nodes. After a certain timeperiod or after a specific task is done, agents may relocateto other pre-defined nodes in order to increase networklifetime and/or efficiency of the IDS. Specifications ofmobile agents are provided as follows: Mobility: Mobile agents bring the code to the data

(to be processed) on a remote host for asynchronousexecution. This would help to reduce the amount ofthe exchanged data significantly.

Autonomy: Mobile agents are given a mission upontheir creation: they should be capable of achievingtheir tasks without any external help.

Adaptability: Mobile agents should adapt their be-haviors according to the information they gatherwhile performing their tasks.

6) Infrastructure: Anantvalee et al. [14] divided IDSs(for MANETs) into two groups according to their networkinfrastructures:

Flat: All nodes are considered as equal in capabilitiesand they may participate in routing functions. This in-frastructure is suitable for civilian applications, such asnetworking in a classroom or a conference.

Clustered: All nodes are not considered as equal. Nodeswithin transmission range are grouped into a clusterand they elect a node as cluster head (CH) to central-ize routing information for that cluster. Generally, CHsconsist of more powerful devices with backup batteries,resulting in a longer transmission range. Therefore, CHsform a virtual backbone of the network. Depending onthe routing protocol, intermediate gateways may relaypackets in between the CHs. This kind of infrastructuremodel is very suitable for military applications having acommand/control hierarchy.

7) Usage frequency: According to the usage frequency,IDSs are divided into two categories:

Continuous (on the fly): The IDS monitors the networkcontinuously.

Periodical: The IDS monitors the network in certainperiods of time.

C. Decision making in the IDS

There are two types of decision making mechanisms forIDSs:


Collaborative decision making: All (or some) of themembers of the network collaborate in making the de-cision regarding an event. For instance, in the case ofmajority voting, the final decision is made in favor of themajority of the members ending up with either of twodecisions: the event is an intrusion or the event is notan intrusion

Independent decision making: Each member concludes adecision regarding the events surrounding them.

According to [12], an IDS concludes either of four decisions(with non-zero probabilities) mentioned below as a result ofthe decision making process over an event:

Intrusive but not anomalous (false-negative): There is anintrusion to the system, but the IDS fails to detect it andconcludes the event as non-anomalous one.

Not intrusive but anomalous (false-positive): There is nointrusion to the system, but the IDS mistakenly concludesa normal event as an anomalous one.

Not intrusive and not anomalous (true-negative): Thereis no intrusion to the system, and the IDS concludes theevent as non-anomalous one.

Intrusive and anomalous (true-positive): There is an in-trusion to the system, and the IDS concludes the eventas an anomalous one.

For IDSs in WSNs, due to the nature of wireless communi-cations, the following situations would result in false positivesand hence, they need to be considered in the decision makingmodel [16]:

collisions packet drops limited transmission power fading battery power

D. Intrusion response

When an attack is possible to occur, the IDS does nottake preventive measures, since the prevention part is leftto the Intrusion Prevention System (IPS). The IDS works ina reactive way compared to the proactive way of the IPS.Whenever the intrusion alert is generated by the IDS, thefollowing action(s) would be taken according to the systemspecifications:

An audit record should be generated. All the network members, the system administrator (if

he/she exists) and the base station (if it exists) shouldbe alerted about the intrusion. If possible, location andidentity of the intruder should be provided in the alertmessage.

If it exists, a mitigation method should be induced inorder to stop the intrusion. For example, an automatedcorrective action should be generated through a collab-orative action of the network members (especially theneighboring members to the incident).

E. Related work and suggested readings

Readers, who are interested in the IDSs, can find moreinformation (general information or specific areas other thanWSNs) in the following papers:

A very good classification of the IDSs is provided bySobh [13].

Classification of the IDSs for MANETs are provided byNgadi et al. [9], Anantvalee and Wu [14], and Albers etal. [15].

Garcia-Teodoro et al. [18], provided a survey of tech-niques, systems and challenges on the anomaly basedNIDS.

A brief survey of IDSs that are proposed for WSNsis provided in [23] and in contrast, our paper providesan extended survey with in-depth details comparing theproposed methods.

A survey of IDSs for collaborative systems is providedin [24]. A more specific survey on alert correlationin collaborative intelligent IDSs is presented in [25].Another work on decentralized multi-dimensional alertcorrelation for collaborative IDSs is provided in [26].

A survey of IDS in cloud computing is provided in[27], which would be helpful to secure next generationnetworks.

Garcia et al. [28] provides details of postmortem intru-sion detection for cyber security systems and computerforensics. They show a classifier method for analyzinglog files by using hidden Markov model.

Evasion techniques that are threatening IDS are presentedin Cheng et al.s work [29]. They provide details of5 different techniques (DoS, packet splitting, duplicateinsertion, payload mutation, shell-code mutation) andassess the effectiveness of these techniques on 3 mostrecent IDSs.

Please note that the IDS that are investigated in this sur-vey are related to information and computer security; andthey are not related to the topic of Intrusion detectionfor perimeter protection. Readers who are interested inthe later topic, please refer to the works presented in [30]and [31].

Our survey does not include the methodologies and ideasthat are proposed to secure the IDSs. Readers who areinterested in that topic may refer to Shakshuki et al.s[32] work.

III. IDSS PROPOSED FOR MANETS AND THEIRAPPLICABILITY TO WSNS

The IDSs for MANETs are very well investigated and herea summary of the literature is provided, in order to help thereader with a better understanding of the current state of theart. Following each review, we will discuss about each of theproposed IDSs on their applicability to WSNs.

A. Agent based distributed and collaborative IDSs

The first article on intrusion detection for MANETs waswritten by Zhang and Lee [33]. They proposed an agent baseddistributed and collaborative IDS which is compliant with theWireless Ad Hoc Network operating conditions.

As also mentioned in [14], the IDS agent described in [33]is composed of six blocks as shown in Fig. 3: The local datacollection block is responsible for collecting real-time auditdata (user activities, system call activities, communication


Fig. 3. Building blocks of an IDS agent

activities, and other traces) within its radio receiver range.This real-time audit data is analyzed by the local detectionengine for the evidence of any kind of anomaly. In case of anyanomaly detection, this block informs the local response andglobal response blocks (either one of them or both, dependingthe type of attack) in order to take a response against theanomaly (a possible intrusion). If the detection is inconclusiveand needs more evidence, cooperation is conducted by thecooperative detection engine block and the communicationswith the neighboring agents needed for this cooperation isdone through the secure communication block.

For each agent, there is a module to detect anomalies,called the local detection engine. These modules have twocomponents, namely:

features: describes a logical event in the network such asthe percentage of the route changes of a nodes routingtable.

modeling algorithm: uses features as an input to therule based pattern matching algorithm and then specifieswhether the incidence is a normal or not according to thepredefined matching criterion.

In their model, every node participates in the decisionmaking process. After a certain threshold, the local IDSstrigger the global IDS which necessitate collaborative decisionof the nodes neighboring the flagged node. This decision ismade through a majority voting process. Detection is madeby using the means of entropy: The higher the entropy, thehigher is the probability of anomaly. The proposed method isuseful to detect only the attacks against the routing protocols;i.e., mis-routing, false route updating, packet dropping, DoS.

After anomalies are detected, depending on the level of theanomaly, either a local response is created or a global (collabo-rative) response is created among with the neighboring nodes.And communications pertaining to this global response shouldbe assessed through secure communication links among thenodes. According to the authors, determining the features thatwould lead the modeling algorithm to detect anomalies withlow percentage of false positive detection rates is a non-trivialtask.

The authors used two types of classifiers: Decision treeand Support Vector Machine. Updates of the routing tablesare chosen as a trace data in three ways: percentage of thechanged routes, percentage of changes in the sum of hops ofall the routes, and the percentage of newly added routes. Traceanalysis and anomaly detection are the two main methods

for the IDS that are used by the authors. Data obtainedfrom normal network routing operation is fed to the trainingalgorithm to obtain reference values of the classifiers. Thendeviations (correlate) from normal profile classifiers are usedto determine the anomalies in the network routing.

The devised method was tested on the ns-2 simulator forthe following MANET routing protocols: DSR (DynamicSource Routing; a reactive, source initiated, on-demand rout-ing protocol), AODV (Ad-hoc On-demand Distance Vector;a reactive, source initiated, on-demand routing protocol), andDSDV (Destination Sequenced Distance Vector; a proactive,table-driven, routing protocol). According to the results, theiralgorithm performs better for on-demand protocols than proac-tive protocols, because it is easier to observe the correlationbetween the traffic patterns and routing message flows in on-demand protocols.

As an extension to their previous work, Zhang et al.[10] introduced the idea of multi-layer integrated intrusiondetection and response, which is built upon the distributedand collaborative agent based IDS proposed in [33]. In thelatest proposal, the intrusion detection module at each layerstill needs to function properly, but detection on one layercan be initiated or aided by evidence from other layers. Bythis way, the authors claim that their IDS can achieve betterperformance in terms of both higher true positive and lowerfalse positive detection rates. The proposed schemes might beapplicable to WSNs in a sense that special care needs to betaken: As an example, they might be applied to a hierarchicalWSN, where CHs might run the proposed schemes in a globalsense and the sensor nodes in a local sense (division of labor).

Following the works of Zhang et al. ([10],[33]), Albers etal. [15] improved the distributed IDS structure by includingmobile agents with the design. Mobile agents bring the codeto the data, as opposed to traditional approaches where datais conveyed towards the computation location. By this way,asynchronous execution of the agent is performed on a remotehost. This decreases the amount of data traffic (involving theagents) in the network significantly. On the other hand, itincreases the individual work load of each node, which is notdesirable in WSNs. Besides, transmission of mobile code (anexecutable portion of the IDS is transferred to the nodes foron-site data processing) would decrease the bandwidth of theWSN. So, this approach is not suitable if bandwidth efficiencyis of prime importance.

Kachirski and Guha [34] further improved the mobile agentnotion of [15] by providing efficient distribution of mobileagents with specific IDS tasks (network monitoring, hostmonitoring, decision making and action taking) accordingto their functionality across the wireless ad hoc network.This way, the workload of the proposed IDS is distributedamong the nodes to minimize the power consumption and IDSrelated processing times by all nodes. Therefore, this schemeis applicable to WSNs. Another improvement is to restrictcomputation-intensive analysis of overall network security toa few nodes only.

B. Clustering (Hierarchical) based IDSsIn Kachirski and Guhas approach [17], regular nodes do

not participate in the global decision making process. Only the


CHs are responsible for the global decision making processand the response. The main reason for this is to reduce theenergy consumption. They wanted to conserve the energyof the majority of the nodes, by simply assigning them assubordinates under CHs.

In [19], clustering is used to select a single layer of sparselypositioned promiscuous monitors. These monitors are used todetermine routing misbehavior via statistical anomaly detec-tion. To conserve resources, a cluster based detection schemeis used in which a node is periodically elected as the intrusiondetection monitoring agent within each cluster. In the proposedarchitecture, a detection agent runs on each monitoring nodeto detect local intrusions and then it collaborates with otheragents to investigate the source of intrusion and coordinateresponses.

In [35], the authors proposed a scheme that applies decen-tralized, cooperative intrusion detection approach for clusteredMANETs. Dynamic hierarchy is used as an organizationalmodel which allows higher-layer nodes to selectively aggre-gate and reduce intrusion detection data as it is reportedupward from the leaf nodes to a root. This infrastructure notonly allows intrusion detection observations to be gatheredefficiently from the network, but also provides incrementalaggregation, detection, and correlation as well as efficientdissemination of intrusion response and management direc-tives. The proposed scheme is tested for the following threescenarios:

Intentional data packet dropping Attacks on MANET routing protocol Attacks on network and higher-layer protocolsClustering based IDSs would be beneficial for WSNs if they

are applied with special care. Because, CHs would depletetheir energies faster than the other nodes, which may causesegmentations (groups of nodes that are disconnected fromeach other) in the network. Therefore, extra batteries may haveto be installed on CHs in order to help them to live longer,or CHs would be elected periodically in a sense that the nodewith the highest energy at each period would become the CH.

C. Statistical detection based IDSs

Puttini et al. [36] provides an intrusion detection algorithmbased on Bayesian classification criteria. Their design is basedon statistical modeling of reference behavior using mixturemodels in order to cope with an observable traffic composed ofa mixture of different traffic profiles due to different networkapplications. It is focused on the detection of packet flooding,an example of a DoS attack, and scanning of attacks againstMANETs. The proposed model builds a behavioral model thattakes into account multiple user profiles and uses a posterioriBayesian classification of data as a part of the detectionalgorithm.

In [37], the authors use estimated congestion at intermediatenodes to make decisions about malicious packet droppingbehavior. They suggest that traffic transmission patterns shouldbe used in concert with suboptimal MAC to preserve thestatistical regularity from hop to hop. The proposed intrusiondetection technique is a general one which is suitable fornetworks that are not bandwidth limited but have strict security

requirements such as tactical networks. Therefore it is notapplicable to WSNs that have limited bandwidth.

Statistical methods require too much data processing inorder to sift the information that is valuable for statistics.Therefore, they are not applicable to WSNs.

D. Misuse detection based IDS

Nadkarni and Mishra [38] proposed an IDS based on amisuse detection algorithm. Their implementation focused ondistance-vector routing protocols such as DSDV protocol.Their implementation aimed at detecting DoS and replayattacks as well as compromised nodes. Their simulation resultshave provided significant results about not only the accuracyand robustness of the scheme but also the non-degradabilityof network performance.

On the other hand, DSDV requires regular update forits routing tables which would not only deplete the energyresources of the nodes faster but also consume a portion ofthe valuable available bandwidth. Therefore, application of thisalgorithm to WSNs is not recommended.

E. Reputation (trust) based IDSs

A reputation based IDS scheme promotes node cooperationthrough collaborative monitoring of the nodes and a gradingsystem associated with the results of the collaborative moni-toring.

Michiardi and Molva [16] used the concept of reputation inorder to evaluate a members contribution to the network. Thehigher a members reputation, the more selected connectionscan be made with other members of the network. This meansthat, members of the network would rather communicate withthat particular node compared to the lower reputation ones,which would encourage members to increase their reputations.The authors defined three types of reputations:

Subjective reputation: evaluated considering the directinteraction between a subject and its neighbors.

Indirect reputation: evaluated by the non-neighbor mem-bers of the community.

Functional reputation: subjective and indirect reputationscalculated with respect to different functions (packetforwarding, route discovery, etc.).

Their collaborative reputation evaluation system consists oftwo basic components:

Reputation Table: A data structure, stored on each nodewhich includes the reputation data pertaining to a node.

Watchdog Mechanism: Calculates pre-defined functionalreputations according to the data stored at the reputationtable and then detects misbehaving nodes. Detection isbased on a threshold value (e.g., zero) of the reputation;if the reputation of a specific member drops below thethreshold value, then the watchdog mechanism will denyany communications with that member.

DoS attacks were also of concern to them. Therefore,they proposed a generic mechanism based on reputation toenforce cooperation among the nodes. Besides, this reputationmechanism prevents DoS attacks resulting from selfish nodes.

CONFIDANT protocol [39] works as an extension to re-active source routing protocols, such as DSR, and uses a


reputation based system that rates nodes based on their mali-cious behavior. Alarm messages coming from other nodes areevaluated and the reputation of the node under investigationis updated only if the messages are coming from the fullytrusted nodes. A neighborhood watching scheme is used todetect intrusive activity made by the next node on the sourceroute. When a node detects a malicious neighbor, it sends analarm message to other nodes on its list of trusted neighbors.The overall protocol may be summarized in one sentence as:Cooperation of nodes for the sake of fairness.

Both the proposed schemes ([16] and [39]) are applicableto WSNs with a slight modification: The renewal period ofthe reputation tables would be decreased, in order to increasethe bandwidth efficiency.

F. Zone based IDS

With Zone based IDS of Sun et al. [40], the networkis divided into non-overlapping zones and each IDS agentbroadcasts locally generated alerts inside the zone. Gatewayzones are responsible for aggregation and correlation of locallygenerated alerts. Only gateway nodes can generate networkwide alarms. Alerts indicate possible attacks and are generatedby local IDS agents, while alarms indicate the final detectionand can be generated only by gateway nodes.

The functionality of their proposed local aggregation andcorrelation engine is to locally aggregate and correlate the de-tection results of detection engines. Whereas, the functionalityof their proposed global aggregation and correlation enginein gateway nodes is to aggregate and correlate the detectionresults from local nodes in order to make final decisions.

Local alerts are generated according to two detection crite-ria: 1) Percentage of change in route entries, which representsthe deleted and newly added routing entries in a certain timeperiod; 2) Percentage of change in number of hops, whichrepresents the change of the sum of hops of all routing entriesin a certain time period.

According to the authors simulations (performed on Glo-MoSim network simulator), their model responded with fewerfalse positives as the mobility decreased. Besides, aggrega-tion algorithm of gateway nodes achieved much lower falsepositives than the IDS of local nodes, because they cancollect information from a wider area and make more accuratedecisions.

The proposed model detects intrusions in the routing layerof the OSI stack but it ignores other layers. Since the attackshappening in other layers would not be detected by this model,it is a partial IDS.

The proposed scheme requires each node to have thegeographical information surrounding them. Although thisis possible by integrating global positioning system (GPS)receiver to the nodes in MANETs, it is not feasible in WSNs,because most sensor nodes are not generally equipped withGPS due to the cost and energy restrictions.

G. Game theory based IDSs

In [41] and [42], the authors present a game-theoreticmethod to analyze intrusion detection in MANETs. They usegame theory to model the interactions between the nodes

of an ad hoc network. They model the interaction betweenan attacker and an individual node as a two player non-cooperative game. According to their assumptions, as long asthe beliefs are consistent with the information obtained and theactions are optimal given the beliefs, the model is theoreticallyconsistent.

The proposed schemes need a central processing unit in or-der to process all the observations collected by the monitoringmechanism. This requires a high speed microprocessor as wellas a large memory space to store the data to be processed.Therefore, in order to apply these schemes to WSNs, oneshould pick a centralized WSN, where a base station (BS)equipped with a computer that has high speed processingpower and large memory. Besides, the schemes should bemodified to decrease the traffic load in between each nodeand the BS. For example, a logging mechanism can be used,where each node may store information regarding the datainteractions with other nodes (and also if possible with theattackers). Then, these logs may be sent to the BS for theapplication of the game theory based detection.

H. Genetic algorithm based IDS

Sen and Clark [43] investigated the use of evolutionary com-putation techniques to discover detectors suited to complex(lack of central computing unit, highly mobile nodes, limitedresources) MANET environment. Authors applied grammati-cal evolution and genetic programming techniques to detectad hoc flooding and route disruption attacks on AODV. Au-thors showed that their evolved programs performed good onsimulated networks with varying mobility and traffic patterns.

Although this methodology might be very promising forMANETs where most of the nodes (e.g., PDAs) are powerfulenough to run such energy consuming algorithms, it is notapplicable to WSNs where sensor nodes have limited capacityfor data processing and storage.

I. Other works

In [44], the watchdog mechanism is implemented on top ofDSR protocol to verify that when a node forwards a packet,the next node in the path also forwards the packet; otherwisethe next node is announced as misbehaving. Watchdogs runon each node, listens to transmissions of the neighboringnodes in a promiscuous mode. Watchdogs may not alwaysbe effective because of the packet collisions. The proposedwatchdog mechanism is applicable to WSNs.

Wai et al. [45] proposed a hybrid IDS that can both workon wired networks as well as wireless ad hoc networks. Theproposed model promises to use both anomaly and misusedetection algorithms. Both the details of the proposed modeland the implementation results were not provided, thus makingit impossible to compare its performance to the previouslyproposed models. Besides, the proposed scheme requires anend-to-end secure communication channel between nodes,which generally does not exist in WSNs.

MANETs became very useful for tactical networks such ascommand posts, vehicle convoys, autonomous robot systems,and also for infantry troops. The authors of MITE (MANETIntrusion Detection for Tactical Environments [46]) aim at


developing prototypical solutions for intrusion detection inMANETs, especially in tactical scenarios. The results of MITEhave been realized and evaluated as real-world implementa-tions besides the simulation results. The authors proposed arobust and resource saving sensor detector infrastructure aswell as supporting components. The TOGBAD module of theproposed scheme uses a significant amount of the networktraffic. Therefore, it is not applicable to WSNs, where thebandwidth is a scarce resource and needs to be utilized veryefficiently.

Wei and Kim [47] used traffic prediction to detect intrusionsin wireless industrial networks. Authors proposed a data trafficprediction model based on autoregressive moving average(ARMA) using the time series data. According to their simu-lations, the model quickly and precisely predicted the networktraffic and sifted out the attackers. Although the achievementsseems promising, the proposed method brings extensive trafficload to the network for the sake of the monitoring data packetsand also requires a centralized processing unit to store andanalyze the whole traffic data, which are not provided inWSNs.

Readers who are interested in IDSs designed for MANETswould find more information in the following papers:

Brutch and Ko [21] provided a brief overview of re-search efforts on IDS for wired networks and wirelessad hoc networks. Besides, they provide classificationsand different architectures of IDSs and stress on theirlimitations in wireless ad hoc operation environment.They mention the methods to detect the attacks againstthe routing infrastructure and also methods to detect theattacks against mobile nodes.

Mishra et al. [48] provided a brief introduction ofMANETs and IDSs, and then summarized the key fea-tures of the IDSs proposed in the literature. They pro-vided a survey on IDSs devised for MANETs.

Sun et al. [22] provided a brief overview of intrusiondetection techniques and a thorough survey on IDSs inMANETs. They also provided a literature overview ofintrusion prevention algorithms proposed for WSNs. Thearticle is written from the point view of secure in-networkdata aggregation.

Sen and Clark [49], provided a survey of IDSs forMANETs. According to the authors, intrusion detectionfor MANETs is a complex and difficult task due to thedynamic nature of MANETs, their highly constrainednodes and the lack of central monitoring points.

Ngadi et al. [9] also provided a brief survey of IDSs forMANETs.

J. Summary and future remarks

In this section, we presented IDSs that have been proposedfor MANETs and discuss their applicability to WSNs. Somesystems would be applicable directly (generic proposals),some would be applicable with major modifications, whilethe rest would not be applicable to WSNs (specific proposals),simply because of the unique design requirements of WSNs.Table I summarizes the schemes discussed so far, in terms oftheir detection technique and their applicability to WSNs.

Clustering (hierarchical networking) would be beneficialin adapting MANET IDS schemes to WSNs. For instance,consider the application of agent based IDS of [10] to aclustered WSN. The proposed IDS scheme would be dividedinto two categories as follows: Global IDS agents would beinstalled (with a full version of the scheme) on CHs; whereaslocal IDS agents would be installed (with a light version ofthe scheme excluding the global components) on each sensornode as shown in Fig. 4. After two or more local IDS agentsreport the occurrence of an event, a global IDS agent wouldtake charge and run a global detection sequence throughout thenetwork. By running the full version of the scheme only onCHs and running the lighter version on the sensor nodes, theenergy consumption of the whole scheme on the WSN wouldbe significantly decreased and as a result, total life time of thenetwork would be increased.

IV. IDSS PROPOSED FOR WSNSIntrusion detection in WSNs is becoming a key research

topic addressed in the literature. Therefore, in this section,the research done so far in this field is summarized. Beforestarting, in section IV-A, the unique challenges of WSNsthat make it difficult to apply traditional (designed for wiredor generic wireless networks) IDSs are presented. WSNsare special version of MANETs, with very specific designrestrictions. Therefore, in section IV-B, the key differencesof both networks will be mentioned. Finally, in section IV-C,the state-of-the-art IDSs in the literature of WSNs will beprovided. Following all the reviews, we will discuss aboutadvantages and disadvantages of each scheme and provide acomparison chart.

A. Constraints and Research Challenges in WSNsThe proliferation of WSNs led researchers to develop strate-

gies about providing stable communications and networkingfor distributed network environments, and also about how tosecure these strategies with limited resources. The lack of fixedinfrastructure (i.e., gateways, routers, base stations, etc.) makesthe design of security related models and algorithms for WSNsmore difficult. Bandwidth, throughput, battery power are thescarce resources that need to be used with great consideration.Following is a brief list of constraints and the correspondingchallenges they bring to WSNs:

There is no infrastructure in WSNs to support operationssuch as communications, routing, real time traffic analy-sis, encryption, etc.

Nodes are prone to physical capture, tampering or hijack-ing which compromises network operations.

Compromised nodes may provide misleading routinginformation to the rest of the WSN leaving the networkun-operational (blackhole, wormhole, sinkhole attacks).

Wireless communication is susceptible to eavesdropping,which would reveal important data to adversaries and/orto jamming/interfering, which would cause DoS in theWSN.

There is no trusted authority; decisions have to be con-cluded in a collaborative manner.

In designing an IDS for WSNs, these constraints andchallenges should be considered.


TABLE IPROPOSED IDSS FOR MANETS AND THEIR APPLICABILITY TO WSNS.

Proposed system Detection technique Applicability to WSNsZhang and Lee [10] [33] distributed and collaborative applicable with modification

Albers et al. [15] distributed and collaborative not applicableMichiardi and Molva [16] reputation applicable with modificationKachirski and Guha [17] clustering applicable with modificationKachirski and Guha [34] distributed and collaborative applicableHuang and Lee [19] clustering applicable with modificationSterne et al. [35] clustering applicable with modificationPuttini et al. [36] statistical not applicable

Rao and Kesidis [37] statistical not applicableNadkarni and Mishra [38] misuse not applicableCONFIDANT protocol [39] reputation applicable with modification

Sun et al. [40] zone based not applicablePatcha and Park [41] [42] game theory applicable with modification

Marti et al. [44] watchdog applicableWai et al. [45] hybrid not applicable

MITE protocol [46] network monitoring not applicableSen and Clark [43] genetic algorithms not applicableWei and Kims [47] autoregressive moving average not applicable

B. Differences between MANETs and WSNs

Roman et al. [50], stressed the fact that the IDSs that aredesigned for MANETs cannot be applied to WSNs directly.Since MANETs are mobile and IDSs for them are designedin the same manner, they will be less effective in a station-ary network such as WSNs. Following are basic distinctivefeatures that differentiate WSNs from MANETs:

Mobility: Compared to mobile MANET nodes, WSNnodes are generally stationary.

Computational capacity: WSN nodes have limited com-putational power compared to the MANET nodes. Atypical sensor node such as MICAz [51] runs an AtmelATmega128L processor with a maximum speed of 16MHz [52], whereas a typical MANET node, such asgeneric commercial laptop, may have a processor witha maximum speed of 4 GHz [53].

Communications range: The range of communication isaround 20-30 meters for WSN nodes (for MICAz [51]),whereas it is up to 100 meters for MANET nodes (forXBee WiFi module [54]).

Communications bandwidth: The communication band-width is limited to 250 kbps (for a typical MICAz mote[51]) data rate in WSNs, whereas it goes up to 65 Mbps(for a typical XBee WiFi module [54]) data rate inMANETs.

Power supply: WSN nodes have a very limited powersupply, such as 2 AA sized batteries for MICAz motes[51] (with an approximate energy capacity of 10 Wh),whereas MANET nodes generally have a bigger battery,such as laptop batteries (with an approximate energycapacity of 150 Wh). Obviously, this would affect theirlifetime directly. Assuming that their power consumptionrates are the same, MANETs would have approximately15 times more life time compared to WSNs.

Autonomy: In MANETs, every node is managed by ahuman user, whereas in WSNs every node is autonomousin a sense that it receives and sends data from/to the basestation (BS). BS is generally managed by a human butnot the sensor nodes.

Node density: Node density in WSNs is higher thanthat in MANETs. On the other hand, WSNs nodes aremore susceptible to hardware failures (battery constraints,lacking physical security, etc.), which would decrease thenode density with advancing time.

These distinctive features should be considered beforeadapting an IDS that is designed for a MANET to a WSN.

C. Proposed Schemes

1) Clustering (Hierarchical) based IDSs: In [55], a hier-archical framework for intrusion detection as well as dataprocessing is proposed. Throughout the experiments on theproposed framework, they stressed the significance of one-hop clustering. The authors believed that their hierarchicalframework was useful for securing industrial applications ofWSNs with regard to two lines of defense.

In [56], the authors proposed an isolation table to detectintrusions in hierarchical WSNs in an energy efficient way.Their proposal required two-levels of clustering. Accordingto their experiment, their isolation table intrusion detectionmethod could detect attacks effectively. The problem withthis proposal is as follows: The authors claim that each levelmonitors the other level and report any anomalies to the basestation. Since it is a hierarchical network, any alert generatedby the lower level nodes must pass through the higher levelnodes. In the case that the higher level node is the intruder,it will not allow the BS to be aware of its misbehavior bysimply blocking the alert messages it receives from the lowerlevel nodes.

In [57], an IDS based on clustering approach was proposed.Their proposal also ensured the security of the CHs. Intheir approach, members of a cluster monitor their CH in atime scheduled manner. In this way, energy for all clustermembers is saved. On the contrary, cluster members aremonitored by the CH, not by the contribution of clustermembers. This also saves the energies of the cluster members.Through simulations, the authors showed that their proposedalgorithm is much more efficient compared to other algorithmsin the literature. The problem with this approach is its key


Fig. 4. Application of an IDS devised for a MANET to a WSN by using clustering approach.

management mechanism. It is a part of the IDS and helpsIDS to establish pairwise keys among the nodes. The IDSuses these keys through the authentication of the messages.The key management assumes that the nodes are stationary(non-mobile) and the new nodes cannot be added after thepairwise keys are established. This constitutes a handicap forthe model considering the fact that WSN may periodicallyrequire deployment of new nodes.

In [58], the authors incorporated a hierarchical IDS model inwhich the network is divided into clusters and for each cluster,a CH is elected. They issued centralized routing, meaning thatevery packet of transmitted data will be forwarded to the CHand then to the base station. Their proposal included a methodto place intrusion detectors in the CHs so that the entirenetwork is covered with a minimum number of detectors.The authors did not provide any simulation results or any realexperimental data. So, it is not clear whether the system wouldperform as promised.

In [59], a distributed cluster based anomaly detection al-gorithm was proposed. They minimized the communicationoverhead by clustering the sensor measurements and mergingclusters before sending a description of the clusters to theother nodes. The authors implemented their proposed modelin a real-world project. They demonstrated that their schemeachieves comparable accuracy when compared to centralized

schemes with a significant reduction in communication over-head.

2) Distributed and collaborative IDSs: Krontiris et al. [60]proposed a distributed IDS for WSNs based on collaborativeneighborhood watching. In a simulation environment, theauthors evaluated the effectiveness of their IDS scheme againstblackhole and selective forwarding attacks.

In [61], a solution to the problem of cooperative intrusiondetection in WSNs was proposed, where the nodes wereequipped with local detector modules and have to identify theintruder in a distributed way. The detector modules triggeredsuspicions about an intrusion in the sensors neighborhood.The authors presented necessary and sufficient conditionsfor successfully exposing the attacker and a correspondingalgorithm that is shown to work under a general threat model.

In [20], the proposed IDS used a specification based detec-tion algorithm. The authors used a decentralized approach ofdetection in which intrusion detectors were distributed amongthe network (their distance was one-hop, covering the entirenetwork). The collected information and its processing wereperformed in a distributed fashion. They claimed that thisdistributed approach was more scalable and robust comparedto a centralized approached owing to the fact that the intru-sion detectors had different views of the network by beingdistributed to all over the network.


3) Statistical detection based IDSs: Ngai et al. [62] pre-sented an algorithm to detect the intruder in a sinkholeattack. The proposed algorithm first finds a list of suspectednodes and then effectively identifies the intruder in the listthrough a network flow graph. The algorithm implementsa multivariate technique (statistical - parametric technique)based on the chi-square test. Effectiveness and accuracy ofthe proposed algorithm is verified by both numerical analysisand simulations. The authors claimed that their algorithmscommunication and computational overheads are reasonablefor WSNs.

In the proposed algorithm of [63], the sensor network adaptsto the norm of the dynamics in its natural surroundings sothat any unusual activities can be singled out. In order toachieve this, they employ a hidden Markov model. The authorsclaimed that their proposed algorithm is easy to employ,requiring minimal processing and data storage. The func-tionality and practicality of the algorithm is shown throughexperimental scenarios. The proposed algorithm sifts out anyunusual readings by using the statistical approach. So it isa very specific kind of IDS that is mainly focused on theaccuracy of the data gathered rather than the security of thenodes or the links.

In [64], the authors proposed a real time, node basedanomaly detection algorithm that observes the arrival pro-cesses experienced by a sensor node. They developed anarrival model for the traffic that can be received by a sensornode and devised a scheme to detect anomalous changes inthat arrival process. The detection algorithm kept short termstatistics using a multi-level sliding window event storagescheme. In this way the algorithm could compare arrivalprocesses at different time scales. The authors claimed thattheir algorithm was resource aware and has low complexity.

4) Game theory based IDSs: In [65] and [66], Agah etal. considered attack and detection as both participants ofthe game and formulated strategies for both parties. In orderto increase detection probability, strategies were normalizedinto a non-cooperative, non-zero game model. Both schemesfocused on determining the weakest node in the network andthen providing strategies to defend that node. The problemwith this approach was that there might be multiple intrusionsto the WSN and only one of them would be caught by theIDS while leaving others undetected.

5) Anomaly detection based IDSs: In [67], Rajasegararet al. provided a survey article about the state of the artin anomaly detection techniques for WSNs. They suggestedfor the researchers (for anomaly detection) to consider theinherent limitations of WSNs in their design so that the energyconsumption in sensor nodes is minimized and the lifetime ofthe network is maximized.

In [68], the same authors proposed a solution to theproblem of minimizing the communication overhead in thenetwork while performing in-network computation when de-tecting anomalies. Their approach to this problem is basedon a formulation that uses distributed one-class quarter-spheresupport vector machines to identify anomalous measurementsin the data. Data vectors are mapped from the input spaceto a higher-dimensional space for further investigations. Theauthors implemented their proposal in a real-world project

and they claimed that their model was energy efficient interms of communication overhead while achieving comparableaccuracy to a centralized scheme.

Bhuse and Gupta [69] proposed lightweight methods todetect anomaly intrusions in WSNs. Their main idea was to re-use the already available system information (such as neighborlists, routing tables, sleep/wake-up schedules, receive signalstrength indication, MAC layer transmission schedules) thatwas generated at various OSI layers of a network protocolstack, especially the physical, MAC and routing layers. Inorder to have a better detection rate, the authors proposedmultiple detectors monitoring different layers of the OSI stack.This is not feasible for WSNs, because intrusion monitoringin different layers and sustaining the coordination of thesemonitors may rapidly deplete the scarce resources of theWSN. Besides, the authors proposed their schemes for outsiderattacks only, ruling out the insider attacks. This is inadequatechoice, because sensor nodes in a WSN are very vulnerableto insider attacks such as physical capture attack, Sybil attack,etc.

Onat and Miri [70] provided an IDS for WSNs that wasbased on detection of packet level receive power anomalies.The detection scheme was focused on transceiver behaviorsand packet arrival rates of the neighboring nodes of a particularnode. WSNs are rarely mobile and therefore they have astable communication pattern when compared to MANETs.The authors exploited this specific distinction. Each node builta simple statistical model of its neighbors behavior and usedthis statistics to detect any abnormal changes in the future. Theproposed model worked well to detect impersonation attacks.

6) Watchdog based IDS: Roman et al. [50] providedguidelines about application of IDSs (that are designed forMANETs) to static WSNs. Then, they propose an IDS forWSNs called spontaneous watchdogs in which the neighborsare optimally monitored and where some nodes choose toindependently monitor the communications in their neighbor-hood.

7) Reputation (Trust) based IDS: Wang et al. [71] proposedan IDS for WSNs that uses packet marking and then heuristicranking algorithms to identify most likely bad nodes in thenetwork. Each packet is encrypted and padded so as to hidethe source of the packet. The packet mark is added in eachpacket such that the data sink can recover the source of thepacket and then figure out the dropping ratio associated withevery sensor node. According to their simulations, most ofthe bad nodes could be identified by their heuristic rankingalgorithm with small false positive rate.

Bao et al. [72] proposed a hierarchical trust managementfor WSNs to detect selfish and malicious nodes. Authorsdeveloped a probability model utilizing stochastic Petri netstechnique to analyze the protocol performance and validatedsubjective trust against objective trust obtained based onground truth node status. Their trust-based IDS algorithmoutperforms anomaly-based IDS algorithms in the detectionprobability percentage while maintaining sufficiently low falsepositive rates.


TABLE IICOMPARISON OF THE IDSS PROPOSED FOR WSNS

Proposed sys-tem

Architecture Detection technique Highlighting features

Da Silva et al.[20]

Distributed Rule based approach (interval rule) Scalable, robust and fast intrusion detection.

Roman et al.[50]

Distributed andCooperative

Spontaneous watchdogs Relies on the broadcast nature of sensor communications andtakes advantage of the high density of sensors being deployedin the field.

Chen et al. [56] Hierarchical Rule based approach Uses monitoring group of nodes and routing tables for detectionSu et al. [57] Hierarchical Rule based approach (packet dropping rate) Saves energy, extends the network lifetime. On the other hand,

new nodes cannot be added to the network.Strikos [58] Hierarchical Rule based approach Combined already existing approaches, in order to achieve a

more complete solution. Neither simulation results, nor realworld experimental results are provided.

Rajasegarar etal. [59]

Hierarchical Specification based approach, data clustering(standard deviation from the average inter-cluster distance)

Achieved comparable performance with the centralizedschemes.

Krontiris et al.[60]


Rule based approach (packet dropping rate) Detects only blackhole and selective forwarding attacks. Be-sides, proposed solution works only when there is one attacker.

Krontiris et al.[61]


Specification based approach Proposed solution works only when there is one attacker.

Ngai et al. [62] Centralized(BS)

Statistical based anomaly detection (paramet-ric), routing pattern anomalies

Specified to detect Sinkhole attacks only.

Doumit andAgrawal [63]

Hierarchical Statistical anomaly based approach (paramet-ric), hidden Markov model

Focused on the accuracy of the data gathered, rather than thesecurity of the nodes or the links.

Onat and Miri[64]

Stand alone Statistical based anomaly detection (real timetraffic on the nodes, arrival process)

Keeps short term dynamic statistics using a multi-level slidingwindow event storage scheme. The scheme works on each node,therefore the detections are local and nodes are not aware ofthe attacks globally (network-wide).

Agah et al. [65][66]

Hierarchical Game theory along with Markov decision pro-cess

Only one of the clusters of the network is monitored at a time.This leaves the rest of the network un-protected.

Bhuse andGupta [69]

Stand-alone Rule based approaches (for physical, MAC,routing and application layers)

Proposed lightweight techniques that would detect anomalies atall layers of a network stack in WSNs.

Onat and Miri[70]


Statistical anomaly based approach (average re-ceive power and average packet arrival rate)

Exploits the stability of the neighborhood information of theWSN nodes.

Rajasegarar etal. [68]

Distributed Anomaly based approach, support vector ma-chine

Minimizes communication overhead while performing in-network anomaly detection.

Wang et al. [71] Centralized(data sink)

Reputation based approach Uses heuristic ranking algorithms to identify most likely badnodes in the network.

Bao et al. [72] Hierarchical Reputation based approach Uses high scalable cluster-based hierarchical trust managementprotocol to effectively identifying the selfish and maliciousnodes.

D. Issues concerning the proposed schemesIDSs proposed for WSNs are summarized in Table II includ-

ing their required network architecture, detection techniqueand highlighting features of each scheme. Accordingly, thefollowing conclusions can be drawn for the proposed IDSs inWSNs:

In hierarchical, clustering based IDSs, clustering algo-rithms may consume considerable amount of the net-works energy through the formation of the clusters. Afterthe clusters are formed and the CHs are elected, CHs mayconstitute a single point of failure and they have to besecured. Besides, if the CH is not a special node (morepowerful), then the overhead of being a CH will diminishits resources very quickly.

Agent based IDSs reduce the network load and latency.On the other hand, they cause high energy consumptionof the nodes they are working on. Communication costbetween agents and coordinator, or in between agents,may cause congestion and bottle neck in the network.

Rule based IDSs are simple to install and easy to operate.On the other hand, they need continuous rule updates inorder to cope with the new released attacks.

Data mining based IDSs can detect unknown attacks.

Unfortunately they have high computational complexityand high energy consumption requiring large amounts ofdata samples. Besides, they also need efficient analytictools to analyze large amount of audit data and a massmemory space to store them.

In game theory based IDSs, the detection rate can beadjusted by the network security administrator throughchanging the parameters. The problem with this systemis that it is non-adaptive and requires human interventionfor a stable operation.

V. FUTURE DIRECTIONS IN THE SELECTION OF IDS FORWSNS

Energy consumption of the IDSs is an important issue froma system design point of view. WSNs consume energy throughsensing the surrounding phenomena, processing the sensedinformation and transmitting the resultant data. Therefore, theIDSs need to spend the least amount of energy as possible tospare enough energy for the crucial operations of the WSN. Asa result of this low energy consumption requirement of WSNs,it is beneficial to use a hierarchical model for IDSs. Thismeans that the network would be divided into clusters, each ofwhich will have a CH. Accordingly, the energy consumption


will be minimized by avoiding the need for all the nodes tosend data to the BS. Besides, high energy consuming IDSalgorithms would run only on the CHs which would saveenergy on the rest of the nodes and ultimately increase thetotal lifetime of the network.

Since there are a variety of intrusion detection algorithmsavailable, the selection of the intrusion detection techniquewould be specific to the requirements of the intended appli-cation; i.e., the attacks that need to be detected, the accuracyof the detection (percentage of the false positives and truepositives), and the duration of the detection time.

Our suggestion for the selection of the IDS for WSNswill be application specific (various suggestions for differentapplications):

For the mobile applications, where sensor nodes are inmovement, we recommend the usage of distributed andcooperative IDS schemes, as they are scalable, robust andfast. Da Silva et al.s [20], Roman et al.s [50] and finallyOnat and Miris [70] proposed schemes are recommendedas the most promising ones among those presented inTable II.

For the stationary applications, where there is a central-ized computing unit at BS or at data sink, we recom-mend the usage of centralized IDS schemes, as they arepowerful and can detect whole range of attacks. Amongthe schemes presented in Table II, Wang et al.s [71]proposed scheme is recommended for adopting or canbe a good starting point to build on it.

For the cluster based applications, where the networkis divided into clusters, the usage of hierarchical IDSschemes is suggested. Among the schemes presentedin Table II, Su et al.s [57] work is recommended, ifthe network is stable and no nodes are to be added.Otherwise, Bao et al.s [72] work is suggested, as it isefficient for the scalable and dynamic network topologies.

For the researchers that are considering to simulate andcompare the performances of the various IDS schemes, Adaobiet al.s work [73] would be a good starting point. In theirwork, authors provide a case scenario on how to simulate anattack against a WSN and evaluate the performance of ananomaly-based IDS. Authors simulate their scenario in ns-2 simulation environment [74], with AODV protocol. Theyprovide 4 metrics (namely, true positives, true negatives, falsepositives, and false negatives) calculated by analyzing thepacket delivery ratio while changing the pulse rate.

To the best of our knowledge, there is no paper publishedregarding the effects of the IDSs on the energy consumptionof WSNs. For the researchers that are considering to evaluatethe cost of the IDS schemes on the WSNs, this would be agood topic to research.

VI. CONCLUSIONSIn this survey paper, IDSs along with their classifications,

design specifications, and requirements are briefly introduced.Secondly, IDSs that are proposed for MANETs are presentedand their applicability to WSNs are discussed. Thirdly, IDSsproposed for WSNs are discussed and their distinctive featuresare highlighted in a comparable chart, followed by the com-ments regarding IDSs that would be applicable to WSNs are

TABLE IIILIST OF ABBREVIATIONS.

ARMA autoregressive moving averageAODV ad-hoc on-demand distance vector (routing)BS base stationCH cluster headDoS denial of serviceDSDV destination sequenced distance vectorDSR dynamic source routingGPS global positioning systemHIDS host based intrusion detection systemIDS intrusion detection systemIPS intrusion prevention system

MANET mobile ad-hoc networkNIDS network based intrusion detection systemPCA principal component analysisUML unified modeling languageWSN wireless sensor network

presented. Finally, in order to help researchers in the selectionof IDS for WSNs, recommendations of promising proposedschemes are provided along with future directions for thisresearch.

VII. ACKNOWLEDGEMENT

We would like to give special thanks to our colleagues Mr.David Donnelly, Dr. Dennis M. Parra, Ali Gorcin, Dr. MuradKhalid and Dr. Young-seok Lee for their reviews and valuablecomments regarding the preparation and editing of this survey.

Last but not least, we would like to thank the anonymousreviewers for their valuable suggestions to improve the contentand quality of our paper.

APPENDIX

Table III summarizes abbreviations used in this survey.

REFERENCES[1] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam and E. Cayirci, A survey

on sensor networks, IEEE Commun. Mag., vol. 40, num. 8, pp. 102-114, 2002.

[2] X. Chen, K. Makki, K. Yen and N. Pissinou, Sensor network security:A survey, IEEE J. Communications Surveys and Tutorials, vol. 11,num. 2, pp. 52-73, 2009.

[3] Y. Zhou, Y. Fang and Y. Zhang, Securing wireless sensor networks: asurvey, IEEE Commun. Surveys Tutorials, vol. 10, num. 3, pp. 6-28,2008.

[4] E. Cayirci and C. Rong, Security in Wireless Ad Hoc and SensorNetworks, book published by Wiley, 2009.

[5] Y. Wang, G. Attebury and B. Ramamurthy, A survey of security issuesin wireless sensor networks, IEEE Commun. Surveys and Tutorials,vol. 8, num. 2, pp. 223, 2006.

[6] G. Padmavathi and D. Shanmugapriya, A Survey of Attacks, SecurityMechanisms and Challenges in Wireless Sensor Networks, Interna-tional J. Computer Science, vol. 4, num. 1, pp. 19, 2009.

[7] A. Fuchsberger, Intrusion detection systems and intrusion preventionsystems, Elsevier J. Information Security Technical Report, vol. 10,num. 3, pp. 134-139, 2005.

[8] I. Butun and R. Sankar, A Brief Survey of Access Control in WirelessSensor Networks, in Proc. IEEE Consumer Communications andNetworking Conference, Las Vegas, Nevada, January 2011.

[9] M. Ngadi, A.H. Abdullah, and S. Mandala, A survey on MANETintrusion detection, International J.Computer Science and Security,volume 2, number 1, pages 1-11, 2008.

[10] Y. Zhang, W. Lee, and Y.A. Huang, Intrusion detection techniques formobile wireless networks, J. Wireless Networks, vol. 9, num. 5, pp.545-556, 2003.


[11] I. Butun, Y. Wang, Y. Lee and R. Sankar, Intrusion preventionwith twolevel user authentication in heterogeneous wireless sensornetworks, International J. Security and Networks, vol. 7, no. 2, pp.107121, 2012.

[12] A. Patcha and J.M. Park, An overview of anomaly detection techniques:Existing solutions and latest technological trends, Elsevier J. ComputerNetworks, volume 51, number 12, pages 3448-3470, 2007.

[13] T.S. Sobh, Wired and wireless intrusion detection system: Classifica-tions, good characteristics and state-of-the-art, Elsevier J. ComputerStandards and Interfaces, volume 28, number 6, pages 670-694, 2006.

[14] T. Anantvalee and J. Wu, A survey on intrusion detection in mobile adhoc networks, Springer J. Wireless Network Security, pages 159-180,2007.

[15] P. Albers, O. Camp, J. Percher, B. Jouga, L. M, and R. Puttini, Securityin Ad Hoc Networks: A General Intrusion Detection ArchitectureEnhancing Trust Based Approaches, Proc. 1st International Workshopon Wireless Information Systems (WIS-2002), pp. 1-12, April 2002.

[16] P. Michiardi and R. Molva, Core: A Collaborative Reputation mecha-nism to enforce node cooperation in Mobile Ad Hoc Networks, Com-munication and Multimedia Security Conference (CMS02), September2002.

[17] O. Kachirski and R. Guha, Effective Intrusion Detection Using MultipleSensors in Wireless Ad Hoc Networks, Proc. 36th Annual HawaiiInternational Conference on System Sciences (HICSS03), p. 57.1,January 2003.

[18] P. Garcia-Teodoro, J. Diaz-Verdejo, G. Macia-Fernandez and E.Vazquez, Anomaly-Based Network Intrusion Detection: Techniques,Systems and Challenges, Elsevier J. Computers and Security, vol. 28,num. 1-2, pp. 18-28, 2009.

[19] Y. Huang and W. Lee, A Cooperative Intrusion Detection System forAd Hoc Networks, Proc. 1st ACM workshop on Security of Ad Hocand Sensor Networks, 2003.

[20] A.P. da Silva, M. Martins, B. Rocha, A. Loureiro, L. Ruiz andH.C. Wong, Decentralized Intrusion Detection in Wireless SensorNetworks, in Proc. 1st ACM International Workshop on Quality ofService and Security in Wireless and Mobile Networks (Q2SWinet 05),ACM Press, October 2005, pp. 16-23.

[21] P. Brutch and C. Ko, Challenges in Intrusion Detection for Ad HocNetworks, in Proc. IEEE Workshop on Security and Assurance in Adhoc Networks, Orlando, FL, January 28, 2003.

[22] B. Sun, L. Osborne, Y. Xiao and S. Guizani, Intrusion DetectionTechniques in Mobile Ad Hoc and Wireless Sensor Networks, IEEETrans. Wireless Commun., vol. 14, num. 5, pp. 56-63, 2007.

[23] A.H. Farooqi and F.A. Khan, Intrusion detection systems for wirelesssensor networks: A survey, Springer J. Communication and network-ing, pp. 234241, 2009.

[24] C.V. Zhou, C. Leckie and S. Karunasekera, A survey of coordinatedattacks and collaborative intrusion detection, Elsevier J. Computers &Security, vol. 29, num. 1, pp. 124140, 2010.

[25] H.T. Elshoush and I.M. Osman, Alert correlation in collaborativeintelligent intrusion detection systems: A survey, Elsevier J. AppliedSoft Computing, vol. 11, num. 7, pp. 43494365, 2011.

[26] C.V. Zhou, C. Leckie and S. Karunasekera, Decentralized multi-dimensional alert correlation for collaborative intrusion detection, Else-vier J. Network and Computer Applications, vol. 32, num. 5, pp. 11061123, 2009.

[27] C. Modi, D. Patel, B. Borisaniya, H. Patel, A. Patel and M. Rajarajan, Asurvey of intrusion detection techniques in Cloud, Elsevier J. Networkand Computer Applications, vol. 36, pp. 4257, 2013.

[28] K.A. Garcia, R. Monroy, L.A. Trejo, C. Mex-Perera,E. Aguirre, Ana-lyzing Log Files for Postmortem Intrusion Detection, IEEE Trans. Syst.Man Cybern., vol. 42, num. 6, pp. 16901704, 2012.

[29] T.S. Cheng, Y.D. Lin, Y.C. Lai, P.C. Lin, Evasion Techniques: Sneakingthrough Your Intrusion Detection/Prevention Systems, IEEE Commun.Surveys Tutorials, vol. 14, num. 4, pp. 10111020, 2012.

[30] G.Y. Keung, B. Li and Q. Zhang, The intrusion detection in mobilesensor network, IEEE/ACM Trans. Netw. (TON), vol. 20, num. 4, pp.11521161, 2012.

[31] Y. Wang, W. Fu, D.P. Agrawal, Gaussian versus Uniform Distributionfor Intrusion Detection in Wireless Sensor Networks, IEEE Trans.Parallel Distrib. Syst., vol. 24, num. 2, pp. 342355, 2013.

[32] E. Shakshuki, N. Kang and T. Sheltami, EAACK A Secure IntrusionDetection System for MANETs, IEEE Trans. Ind. Electron., vol. 60,num. 3, pp. 10891098, 2013.

[33] Y. Zhang and W. Lee, Intrusion detection in wireless ad-hoc networks,Proc. 6th annual international conference on Mobile computing andnetworking, pp. 275-283, 2000.

[34] O. Kachirski and R. Guha, Intrusion Detection using Mobile Agentsin Wireless Ad Hoc Networks, IEEE Computer Society, 2002.

[35] D. Sterne, P. Balasubramanyam, D. Carman, B. Wilson, R. Talpade, C.Ko, R. Balupari, C.-Y. Tseng, T. Bowen, K. Levitt, and J. Rowe, AGeneral Cooperative Intrusion Detection Architecture for MANETs,Proc. 3rd IEEE International Workshop on Information Assurance(IWIA05), pp. 57-70, March 2005.

[36] R. Puttini, M. Hanashiro, F. Miziara, R. de Sousa, L. Garcia-Villalbaand C. Barenco, On the Anomaly Intrusion-Detection in Mobile AdHoc Network Environments, in Proc. 11th IFIP TC6 internationalconference on Personal Wireless Communications, Springer, pages 182-193, 2006.

[37] R. Rao and G. Kesidis, Detecting malicious packet dropping usingstatistically regular traffic patterns in multihop wireless networks thatare not bandwidth limited, in Proc. IEEE GLOBECOM, 2003.

[38] K. Nadkarni and A. Mishra, Intrusion detection in MANETs-the secondwall of defense, in Proc. 29th Annual Conference of the IEEE IndustrialElectronics Society, 2003.

[39] S. Buchegger and J. Le Boudec, Performance Analysis of the CON-FIDANT Protocol (Cooperation Of Nodes - Fairness In Dynamic Ad-hoc NeTworks), Proc. 3rd ACM International Symposium on MobileAd Hoc Networking and Computing (MobiHoc02), pp. 226-336, June2002.

[40] B. Sun, K. Wu and U.W. Pooch, Zone-based intrusion detection formobile ad hoc networks, Int. J. Ad Hoc and Sensor Wireless Networks,volume 2, number 3, 2003.

[41] A. Patcha and J.M. Park, A game theoretic approach to modeling intru-sion detection in mobile ad hoc networks, in Proc. IEEE InformationAssurance Workshop, 2004.

[42] A. Patcha and J.M. Park, A game theoretic formulation for intrusiondetection in mobile ad hoc networks, International J. Network Security,volume 2, number 2, pages 131-137, 2006.

[43] S. Sen and J.A. Clark, Evolutionary computation techniques for in-trusion detection in mobile ad hoc networks, Elsevier J. ComputerNetworks, vol. 55, num. 15, pp. 34413457, 2011.

[44] S. Marti, T. Giuli, K. Lai and M. Baker, Mitigating routing misbehav-ior in mobile ad hoc networks, International Conference on MobileComputing and Networking (MobiCom), pp. 255-265, 2000.

[45] F.H. Wai, Y.N. Aye, and N.H. James, Intrusion Detection in WirelessAd-Hoc Networks, 2003.

[46] M. Jahnke, A. Wenzel, G. Klein, N. Aschenbruck, E. Gerhards-Padilla,P. Ebinger and S. Karsch, MITE-MANET Intrusion Detection for Tac-tical Environments, in Proc. NATO/RTO IST-076 Research Symposiumon Information Assurance for Emerging and Future Military Systems,Ljubljana, Slovenia

Documents

A Survey of Intrusion Detection Systems in Wireless Sensor N.pdf