06407453

IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO.
3, THIRD QUARTER 2013
1223
On the Vital Areas of Intrusion Detection

Systems in Wireless Sensor Networks
Abror Abduvaliyev, Al-Sakib Khan Pathan, Jianying Zhou, Rodrigo Roman, and Wai-Choong Wong
AbstractThis paper surveys recently proposed works on
Intrusion Detection Systems (IDS) in WSNs, and presents a
comprehensive classification of various IDS approaches according
to their employed detection techniques. The three main categories
explored in this paper are anomaly detection, misuse detection,
and specification-based detection protocols. We give a description
of existing security attacks in WSNs and the corresponding
proposed IDS protocols to tackle those attacks. We analyze
the works with respect to the network structure of WSNs. In
addition, we highlight various critical shortcomings that IDSs
currently have and define future research tracks for IDSs in
wireless sensor networks. Though a few restricted survey works
on this topic have already been done, we feel that there is a great
need of performing a detailed and comprehensive study on the
vital aspects so that the IDS in WSN could be analyzed from
all the need-to-know angles. Thus, the papers main aim is to
include the most recent advancements in this area as well as to
predict the future course of research so that the general as well
as expert readers could be greatly benefited.
Index TermsIntrusion detection, wireless sensor networks,
anomaly, misuse, specification-based
I. I NTRODUCTION
N MANY WSN (Wireless Sensor Network) application
scenarios security is a very important concern; especially
the applications designed for WSNs deployed in hostile environments and commercial applications. With the level of
importance of security in a WSN application, ensuring it to the
expected level also becomes relatively more difficult than its
other wireless network counterparts. In fact, security in WSN
has a great number of challenges that may not be seen in
other types of wireless networks. This is due to many reasons
like the broadcast nature of wireless communications, limited
resources of the sensor nodes, unattended environment where
sensor nodes might be susceptible to physical attacks, etc [1],
[2], [10]. Security solutions like authentication, cryptography
or key management can enhance the security of WSNs.
Nevertheless, these solutions alone cannot prevent all possible
attacks. As a wide range of attacks can be launched by
compromised nodes in a WSN (i.e., nodes that appear to be
legitimate in the network but not or working for other party
[7], [11]), a second line of defense like Intrusion Detection
System (IDS) [3], [77] is needed.
Manuscript received January 13, 2012; revised June 6, 2012 and October
12, 2012.
A. Abduvaliyev and W. C. Wong are with the Department of Electrical and
Computer Engineering, National University of Singapore (NUS), Singapore
(e-mail: wong lawrence@nus.edu.sg).
A.S.K. Pathan is with Department of Computer Science, International
Islamic University Malaysia (IIUM), Kuala Lumpur, Malaysia, email:
sakib@iium.edu.my.
J. Zhou and R. Roman are with Institute for Infocomm Research (I2R),
Singapore, email: jyzhou@i2r.a-star.edu.sg and rroman@i2r.a-star.edu.sg.
Digital Object Identifier 10.1109/SURV.2012.121912.00006
An IDS, which has been successfully implemented in wired

networks, can detect the misbehavior of participating nodes
and notify other nodes in the network to take appropriate
countermeasures. However, an IDS scheme designed for wired
networks cannot be applied directly to WSNs because of their
specific network characteristics such as limited processing
power, memory and battery. Especially, in a wireless sensor
network, an IDS is an important security mechanism against
both insider and outsider attacks [16]. It focuses on detection
of misbehavior or malicious nodes. When IDS detects a sensor
node misbehaving, it tries to isolate that malicious node from
the network.
In the recent years, many IDSs have been proposed for
various WSN structures (flat, cluster, hierarchical). However,
there is still a great need of a comprehensive survey on the
recent developments in this particular area. In fact, in spite
of the presence of some partial works like [15], [79], [81],
[85], till this date there have not been any survey paper that
collects all the significant IDSs and gives overviews of those
works in terms of the underlying techniques they use along
with important observations and obtained results. Thus, the
main purpose of this work, besides providing readers with
a reference paper on IDS in WSN, is to analyze the vital
areas of IDS for WSN from various angles. We present not
only the most well-known threats, but also introduce some
less-known security attacks which need to be detected and
prevented as well. We critically analyze works that have been
proposed over the last decade and discuss the current stateof-the-art in this research area. We also classify these IDSs
based on their detection techniques, analyze them with respect
to the existing WSN network structures, and highlight various
underdeveloped areas that need to be further researched.
The rest of the paper is organized as follows: Section II
gives the background of intrusion detection systems in WSN.
The major security threats and attacks against WSNs are
explored in Section III. Section IV reviews the significant IDS
approaches proposed for WSNs. In Section V, we discuss a
few key issues and finally, Section VI concludes the paper
based on our findings and analysis.
II. I NTRUSION DETECTION SYSTEMS IN WSN
It is in reality extremely difficult to design a network where
attackers cannot find some way to break it. In fact, networks
should seriously consider the integration of self-awareness and
fault tolerance capabilities. That is, not only to assume that
problems will appear in one way or another, but also to provide
some mechanisms that will detect and reduce the impact of a
particular threat. Therefore, we need a second line of defense
that can detect attackers or intruder nodes. An IDS is able to
detect misbehaving nodes and inform neighbor nodes to take
c 2013 IEEE
1553-877X/13/$31.00
1224
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO. 3, THIRD QUARTER 2013
proper countermeasures [5]. The actual detection mechanisms

are implemented in specific elements known as IDS agents.
Although some type of IDS is used as a major prevention
mechanism in wired and ad hoc networks, it is infeasible
to apply that directly in wireless sensor networks, mainly
because of the vast difference in their network characteristics (specificity, autonomy, self-configurability, long lifetime,
deployment location, and (limited) mobility [89]). This complicates the design of the security mechanisms. It is also a fact
that the computing and power resources of sensor nodes are
more constrained than that of ad hoc nodes [4]. Thus, WSNs
demand for a novel and lightweight design of IDS.
There are three main approaches that an IDS can use to
classify the attacks:
1) Misuse detection: The action or behavior of nodes
is compared with well-known attack patterns. In this case,
these patterns must be defined and given to the system. The
disadvantages are that this technique needs knowledge to build
attack patterns and they are not able to detect novel attacks. In
addition, always someone has to update the database of attack
patterns. These drawbacks significantly reduce the efficiency
of this approach in terms of system management, as the
administrator of the network always has to provide IDS agents
with an up-to-date database. At current stage, most of the
known attacks are only the results of some assumptions or
imitated from other classic networks. Whether these wellknown attacks or any unknown security attack would be a
serious problem for sensor networks still remains unclear.
2) Anomaly detection: This technique does not search
for specific attack patterns, but instead it checks whether
the behavior of the nodes can be considered as normal or
anomalous. The approach first describes the actual features of
a normal behavior, which are established by using automated
training. Afterwards, it flags any activities that deviate from
these behaviors as intrusions. If a sensor node does not act
according to the defined specification of a particular protocol,
the IDS would have high confidence to decide that the node
is malicious. The wrong decisions made by IDS in terms of
false positive and false negative alarms affect the accuracy of
detection. Hence, the disadvantage of this methodology is that
the system can exhibit legitimate but unseen behavior, which
could lead to a substantial false alarm rate. Also, an intrusion
that does not exhibit anomalous behavior may not be detected,
resulting in false negatives.
3) Specification-based detection: This technique combines
the aims of misuse and anomaly detection mechanisms, as it
is focused on discovering deviations from normal behaviors
that are defined neither by machine learning techniques nor
by training data. In fact, the specifications that describe what
can be considered as normal behavior are defined manually.
Any action is monitored with respect to these specifications.
The drawback of this approach is the manual development
of all specifications, which is a time-consuming process for
human beings. Another disadvantage of this technique is that
it cannot detect malicious behaviors which do not violate
defined specifications of the IDS protocol. Note that, in
some particular cases, misuse and anomaly-based detection
techniques can be used side by side, giving birth to hybrid
detection mechanisms.
Details of particular IDS models and techniques are discussed later in the paper.
III. S ECURITY THREATS AND TYPES OF ATTACKS IN WSN
There are several well-known and a few less-known security
attacks that exist in wireless sensor networks. In this section,
we discuss these security attacks in brief with respect to their
countermeasures. Almost all of the attacks described below
focus on the limitations of routing protocols in WSNs [6].
However, some unknown attacks that are launched considering
other security constraints of the network are presented as
well. Table I introduces a brief summary of well-known
and less-known (or, less studied) security attacks and their
characteristics in terms of attack behaviors and techniques.
In addition, the relevant detection techniques for the attacks
are highlighted in the table. Later in Section IV, we will
discuss some of these techniques in terms of their benefits
and drawbacks.
A. Denial of Service (DoS) Attacks
We consider any type of intentional activity that can disrupt,
subvert or even destroy the network as a Denial of Service
(DoS) attack.
Basically, DoS attacks can be categorized into three types:
Consumption of scarce, limited or non-renewable resources.
Destruction or alteration of configuration information.
Physical destruction or alteration of network resources.
In the context of WSN, DoS attacks that target the network
resources are one of the most significant: the hardware of
sensor nodes is usually very constrained, and attackers can try
to overload them. Other DoS attacks that are very destructive
are jamming and tampering attacks. Jamming is the deliberated
interference of the wireless communication channel. In fact,
sensor nodes are very vulnerable against this type of physical
attack [37]. Tampering is another type of physical attack,
which targets the actual hardware of the sensor nodes (e.g.
sensitive chips, sensor hardware). While it is difficult to know
whether any particular DoS situation is caused intentionally or
unintentionally, there are some detection methods that help to
thwart each type of DoS attack [72]. Still, tampering attacks
remain an open issue.
B. Sinkhole/Blackhole Attacks
In this attack, a malicious node acts as a blackhole [22] to
pull in all the traffic in the network. The attacker listens to the
route requests and then replies to the target node informing
that it has the shortest path to the base station. A victim node
is enticed to select it as a forwarder for its packets. Once a
malicious node puts itself between the base station and sensor
node, it is able to do whatever it wants (drop all packets,
change the content, etc) with the packets that pass through
it. This type of attack can be very harmful for sensor nodes
that are deployed considerably far from the base station. We
have to keep in mind that Blackhole and Sinkhole attacks
are basically the same attacks by definition. Some recent
works have addressed this attack and possible IDSs have been
proposed in [11], [19], [23], [24].
ABDUVALIYEV et al.: ON THE VITAL AREAS OF INTRUSION DETECTION SYSTEMS IN WIRELESS SENSOR NETWORKS
1225
TABLE I
S ECURITY ATTACKS IN WSN S
Name
Well-known
Characteristics
DoS attacks in different layers [21],

[37], [38]
Sinkhole/Blackhole [1], [11], [23],
[24]
Selective forwarding [25], [26],
[27], [28], [29]
The node replication [30], [31],
[88]
Flooding, jamming, misdirection
Name
Less-known (or, Less Studied)

Characteristics
Shortest path, drop the packets
Fabrication during reprogramming [69]

External stimuli [71]
Selectively drop the packets
Homing [71]
Add extra node to the network with the

same cryptographic secrets
Neglect and greed [70]
HELLO flood [32]
Flood with HELLO packets
Unfairness [70]
Wormhole [18], [20], [33], [34],

[35], [36], [73]
Sybil [28], [39], [40], [41], [42],
[76]
Offer less number of hops and less delay

which is fake
A malicious node pretends to be more than
one node
Forced delay [89]
C. Selective Forwarding
Multi-hop networks like WSNs rely on the assumption that
all nodes in the network will faithfully forward the received
messages to the base station. In these attacks, a malicious
node in the routing path acts as a normal node by forwarding
messages, but selectively drops sensitive packets which is
hard to detect by the system. This attack is independent from
the Sinkhole/Blackhole attacks, although a malicious node can
make use of them to increment its effect in the network. As
possible solutions to detect this type of attack, some secure
routing algorithms and IDSs using different techniques have
been proposed in [19], [25], [26], [27], [29].
D. The Node Replication Attacks
As sensor nodes are constrained in terms of resources
and usually deployed in unattended/public environments, an
attacker can easily capture, analyze and extract their secrets.
In this particular attack, an attacker seeks to add one or
more nodes in a network that use the same cryptographic
secrets as any other legitimate node in that network. This kind
of attack may have severe consequences, like corruption of
data by the adversary or even disconnection of some critical
parts of the network. For example, a replicated node can
send advertising information that is not consistent with the
state of the network (i.e. feature advertising [90]) in order to
manipulate a certain neighborhood. Some centralized detection
schemes, neighborhood-voting protocols, distributed detection
techniques, and mobile-oriented statistics mechanisms have
been proposed in [30], [31] and [88] to discover the existence
of these attacks.
E. HELLO Flood Attacks
Many routing protocols need to broadcast HELLO packets
in order to discover one-hop neighbors. This attack uses such
packets as a weapon to attract sensor nodes. In particular, an
attacker with a large radio range and enough processing power
can send HELLO packets to a large number of sensor nodes
by flooding an entire section of the network. A node which
receives such a packet may assume that the attacker is within
Unsecure reprogramming process

with bogus messages
Use external physical stimuli to
create a large number of packets
Hamper the normal functioning of
cluster heads
Deny transmission of legitimate
packets and give higher priority to
own packets
Unfair resource allocation on MAC
protocols
A node delays packets within its
forwarding component
normal radio range. Hence, sensor nodes can be persuaded that

the adversary is their neighbor. Possible solutions to detect this
type of attacks could be the use of bidirectional verification
of links, secure multipath routing, and use of multiple base
stations [32].
F. Wormhole Attacks
In this attack, an attacker records the packets at one location
in the network and tunnels those to another location with
the help of a long-range wireless channel or an optical link.
Wormhole attack is another significant and serious threat to
WSNs: this attack can be launched even if the attacker has
not compromised any node, because packets are broadcasted
and can be overheard by anyone. Attackers offer less number
of hops and less delay than other normal routing paths, thus
sensor nodes are enticed to send data through them. There
are various types of wormhole attacks. In fact, in a recent
work, Sharif and Leckie propose three types of wormhole
attacks namely Energy Depleting Wormhole Attack (EDWA),
Indirect Wormhole Attack (IBA), and Targeted Energy Depleting Wormhole Attack (TEDWA) [33]. There are also
many wormhole detection techniques, which make use of
connectivity information [35] or even additional hardware
mechanisms such as directional antennas [36].
G. Sybil Attacks
In many applications, sensor nodes need to collaborate with
other nodes in order to accomplish a certain task; applications
can then implement various management policies to distribute
subtasks to different nodes. In this attack, a malicious node can
pretend to be more than one node at the same time using the
identities of other legitimate nodes, effectively thwarting the
collaboration process. This is known as a Sybil attack, and
has been studied by Newsome et al. in [39]. By using this
attack, a malicious node can target the routing mechanisms,
the data aggregation processes, and even the misbehavior
detection techniques. As possible countermeasures, we can use
logically centralized authority (base station or cluster head) in
the network. Some other recent IDSs could be found in [28],
[40], [41], [42], [76], [78].
1226
H. Other Security Attacks in WSNs

There are a few less-known (or, commonly unknown or lessstudied) security threats that exist in WSNs. These attacks
mostly concentrate on service availability (i.e., DoS) of the
networks in different layers. We briefly describe them in the
following paragraphs.
1) Fabrication during reprogramming: The application
layer can be vulnerable against this attack if a WSN application allows reprogramming of the network. Reprogramming
of the network may be needed for maintenance and network
management purposes: operators do not need to physically
access the sensor nodes in order to refine or change their
behavior [69]. If the reprogramming process is not secure
enough, the attackers not only can cut off a portion of the
network by using bogus messages, but also can control the
whole network by exploiting particular vulnerabilities.
2) External stimuli: A possible attack against WSNs in
application layer could be launched by using some external
physical stimuli. The attacker uses this external stimuli to
stimulate the nodes with a large number of important events
(e.g. high temperature alerts), which must be sent directly
to the base station. However, this attack is not effective
when packets are sent at predefined regular intervals. One
IDS technique detects attackers in the network whenever a
particular region creates a large number of packets within a
short period of time [71].
3) Homing: In various WSN applications, leader nodes (e.g.
cluster heads) can be given special responsibilities such as
managing keys, maintaining a local group of nodes, etc. In
this attack, the attackers hamper the normal functioning of
leader nodes within a WSN application [71], trying to handle
and eavesdrop on their activities. Moreover, attackers can try
to become leader nodes by manipulating the election process,
effectively gaining control of an entire group (e.g. cluster).
4) Neglect and greed: A neglecting node is a node that
not only gives undue priority to its own packets, but also
can deny the transmission of legitimate packets in case of
network congestion. This attack is a special case of selective
forwarding attack, as the greedy node may still acknowledge
the received packets to the sender, but it drops them randomly
and gives excessive priority to its own packets. The protocols
which are based on Dynamic Source Routing (DSR) are the
most vulnerable to this type of attack [70].
5) Unfairness: This attack is a weaker form of DoS attack
located in the link layer. This attack could degrade service for
real-time MAC protocols by using unfair resource allocations
(e.g. an attacker causes nodes to miss their transmission
deadline). Note that providing fairness in WSNs is often
viewed as a separate research issue [70].
6) Forced delay: A sensor node deliberately delays packets
within its forwarding component, in order to delay the transmission of important events [89]. This attack can be effectively
used to degrade the quality of service in systems with near-real
time requirements.
IV. TAXONOMY OF IDS APPROACHES IN WSN
So far, we have discussed various types of security threats
in WSNs. These attacks can be tackled by using some specific countermeasures: IDS mechanisms and techniques that
make use of different underlying principles. Most of those

principles are based on the assumption that there exists a
noticeable difference between the behavior of an attacker and
the behavior of a legitimate node, such that the IDS can
match those preprogrammed or learned rules. Following this
assumption, it is clear that IDSs can be classified according
to the specific detection technique used for studying the audit
data. Therefore, we can classify IDSs into three groups: (a)
misuse, (b) anomaly, and (c) specification based.
The misuse detection systems are used to detect known
patterns of intrusions while anomaly detection techniques are
used to detect new or unknown intrusions. Specification-based
detection is based on some deviations from normal behaviors.
Fig. 1 shows a taxonomy of IDSs in WSN that complies with
this classification.
In the following sections we will introduce the different
detection techniques, providing an overview of the underlying
concepts that help to separate a legitimate node from a
malicious one. Note that, at present, most of the state of the
art only provides isolated solutions, and does not consider
a scenario where different classes of detection mechanisms
can collaborate together within the framework of a unified
detection architecture. This and other open issues will be
discussed later in Section V.
A. Misuse Detection Schemes
The application of rule-based or misuse detection techniques in the context of a WSN is a complex task. In practice,
it is difficult to think exactly as an attacker or to know the
motive of the attacker. The administrator of the network has
to model attack patterns according to attacks that might occur
in future. Moreover, the severe memory constraints of WSNs
make misuse-detection based IDSs that need to store attack
signatures relatively difficult to implement and less likely to
be effective [15]. Thus, there are very few papers that study
misuse-detection technique for WSNs. Still, most of them
follow the watchdog approach, where packet monitoring takes
place in several specific nodes in the network [43].
1) Watchdog approach: This approach relies on the broadcast nature of the wireless communications and the assumption
that sensors are usually densely deployed. Each packet broadcasted in the network is not only received by the receiver but
also by a set of neighboring nodes within the senders radio
range. In normal cases, neighbor nodes should discard the
packet, since they are not actual receivers, but for intrusion
detection this can be used as a valuable audit data. Hence,
a node can activate its IDS agent and monitor the packets
sent by its neighbors by overhearing them. Furthermore, to
detect attacks with high accuracy of detection, it is not enough
to monitor only one node; system involves more information
from other neighbor nodes as well. For instance, to detect selective forwarding attack, a watchdog should overhear packets
arriving at a node and transmitted by that node.
If we want to see whether a node B forwards packets sent by
node A, we have to activate watchdogs that reside within the
intersection of the radio ranges of A and B. A quick example is
given in Fig. 2 where the nodes C, D, and E can be watchdogs
for the link between A and B.
1227
Fig. 1. Taxonomy of IDSs in WSNs
sensor node), and randomly activated global agents in order

to overhear the communications of neighbors. Drawbacks:
The problem with this approach is that not all packets can
be overheard by a global agent, due to the randomness of
the selection process. Another drawback of the work is that
it does not deal with the collision of packets, which is high
likely due to the high density of nodes in various wireless
sensor networks applications.
B. Anomaly Detection Schemes
Fig. 2. Nodes C, D, and E are watchdogs of the link A to B
Some researchers argue that watchdog approaches incur

more energy consumption on the sensor nodes, since the
nodes must overhear every packet that is not addressed to
them. However, each node receives packets sent by neighbor
nodes anyway, due to the broadcast nature of the network.
Furthermore, the nodes are not able to know if a packet is
destined to them unless they receive it and check the packet
header. Therefore, the overhead associated to this approach
is basically the computational cost of analyzing the packet
header and contents in search for attack signatures.
In order to further reduce such overhead, some researchers
have studied specific mechanisms that reduce the number of
nodes that analyze the packets of the network. In [4], Roman
et al. proposed a novel technique for optimal monitoring
of neighbors called spontaneous watchdog, which extends
the watchdog monitoring mechanism proposed in [43]. The
mechanism uses local agents in every sensor node to monitor
local activities (i.e., information sent and received by the
In WSN, there are many IDS mechanisms that use anomaly

detection techniques. These types of systems usually rely on
analyzing whether the behavior of sensor nodes can be considered as normal or abnormal according to certain assumptions
and metrics. Most researchers have taken this approach as
a main method to detect intrusions, as they consider it is
easier to apply than misuse or specification based detections.
Note, however, that many anomaly detection techniques have
inherited some of the strategies that are used in misusedetection techniques, such as the watchdog approach.
In order to define what can actually be considered as normal
behavior, most anomaly detection techniques employ simple
assumptions [95] such as:
Payload of a packet should not be altered or modified.
Retransmission of a packet must occur in a certain time
threshold.
Same packet can be resubmitted a limited number of
times.
Packet sending rate must be within some limits, etc.
Table II provides an overall comparison of existing anomaly
based detection techniques, which will be described in the next
subsections, in terms of their energy efficiency, accuracy and
memory requirements. Note that, from this table, we can infer
1228
that there are no vastly superior detection mechanisms: there is

always a tradeoff between the resources (i.e. energy, memory)
required to detect the anomalies and the actual accuracy of
the detection techniques.
1) Statistical Model-Based Approach: Onat and Miri [3]
proposed an anomaly detection based security scheme for
WSNs. In their method, each sensor node builds a simple
statistical model of its neighbors behavior, and these statistics
are used to detect various attacks such as node impersonation
and resource depletion changes. The system features that are
used to detect anomalies are the average of the received power
and the packet arrival rate. At every node, only the last N
packets received from each neighbor are used to calculate
the statistics for that neighbor node and each arriving packet
is then compared with those values. If the packet conforms
to the statistics of the neighbor, it is accepted as a normal
behavior. Drawbacks: The authors do not present how the
experimental setup was designed. Also the information about
the used routing protocol and simulator is missing. Besides,
the system cannot detect selective forwarding and wormhole
attacks due to the use of simple statistics.
In [44], the same authors present the same main idea
of anomaly detection but with different evaluation metrics.
Instead of the previously implemented inter-arrival times, the
new scheme uses mean and standard deviation metrics in the
buffers. A packet is identified as anomalous if the absolute
value of the difference between the mean of the received
packet buffer and the mean of the intrusion buffer is greater
than the standard deviation of the received packet buffer.
Drawbacks: Again, no information is given about the number
of nodes, how nodes were tested, and the analysis of the
communications and computational costs.
2) Clustering Algorithm Based Approach: In [5], Loo et
al. developed an intrusion detection scheme for routing attacks
that uses a fixed-width clustering algorithm to build a model
of normal behavior. Note that here we refer to clustering
algorithm as unsupervised learning algorithms, not clusterbased network structure (although this approach can be used in
clustered networks). They use this model to detect anomalous
traffic patterns. The IDS module is implemented on each
sensor node and twelve network traffic patterns are identified.
These features are used in the training and testing stages. In
the training stage, a fixed-width clustering algorithm is used
to build a set of clusters in the feature space. Clusters that
contain less training traffic samples than a specific threshold
are identified as anomalous. During the testing stage, each
traffic sample is compared to the cluster set to determine
whether it is anomalous or not. Drawbacks: Their method put
too much computation on sensor node. The authors claim that
since the proposed IDS do not require communication between
sensor nodes, it significantly reduces the power consumption.
However, a statistical analysis of the actual reduction in power
consumption compared to other existing IDSs is not provided.
A very similar approach to [5] was presented in [45] by
Jian-hua et al. The main difference between the two systems
is the input of the clustering technique: authors in [45] used
the Apriori algorithm to construct the traffic features from
the network data.Therefore, the traffic features used in the
clustering algorithm can change at different time intervals. For
simulation purposes, five training data sets with normal traffic

and two testing data sets with DoS and selective forwarding
attack instances were used. Benefits: The results show that the
algorithm is able to detect both attacks with a high detection
rate. The algorithm is adaptive in the sense that each node
might have a different detection model. Drawbacks: Providing
each node with a local training data set might be infeasible
in large WSNs, where the sensor nodes usually receive and
forward a large number of packets in addition to their packet
processing duty. This issue complicates the applicability of the
algorithm in practical environments, or at least would require
the sensor nodes to have higher computational capabilities.
In [46], Wang and Zhang proposed an anomaly detection
system based on the arrival order of different packets. The
system is based on certain assumptions: all sensor nodes
can become cluster heads, only communicate with a limited
number of nodes, and should follow corresponding protocol
specifications. The IDS has two stages: profile learning and
anomaly detection. In the profile learning stage, a node traffic
profile is created by extracting data from the information flow
such as the source and destination addresses and the packet
types. In the anomaly detection phase, a pattern matching
technique is used to detect any unknown subsequences of
packet events. Drawbacks: The limitation of this work is that
the algorithm was not evaluated and performance results were
not provided.
3) Centralized Approach: A centralized, active anomaly
detection system called ANDES was proposed by Gupta et al.
in [47]. In this IDS the detection agent is located in the base
station, collecting application data, management information
(e.g. nodes ID, hops towards the sink, total transmitted
packets, total number of failures to route a packet), and node
status information (e.g. normal, unavailable, duplicated and
abnormal state), amongst others. All this information can
then be combined and analyzed in order to identify possible
anomalies. Benefits: This system was implemented in TinyOS
[48] on Tmote sky sensor nodes. While the management
information might impose a certain overhead as additional
management traffic must be acquired, the results obtained from
experiments are shown to be positive.
4) Artificial Immune System: In a departure from traditional anomaly detection techniques, the necessity of artificial
immune systems (AIS) was discussed in [51]. In this work,
Shaust et al. address these biologically inspired algorithms
as a possible solution to detect misbehavior in WSNs. They
conclude in the paper that AIS is actually a good choice for
misbehavior detection in WSNs. In fact, various researchers
have used this approach as part of their experiments.
For example, Kim et al. [49] showed the similarities between the properties of WSNs and biological immune systems,
and introduced a specific AIS, the Dendritic Cell algorithm
(DCA), which was used to detect interest cache poisoning
attacks in directed diffusion routing. A sensor node that uses
directed diffusion for routing packets maintains an interest
cache table and a data cache table. When a node receives
a packet, directed diffusion updates both caches and extracts
the signals and antigens (e.g. bogus interest packets) from
the received packets and caches. Such information is then
passed to the DCA, which evaluates whether the antigens
1229
TABLE II
C OMPARISON OF ANOMALY BASED DETECTION TECHNIQUES
IDS
Statistical
models
based
Clustering
algorithm
based
Centralized
Artificial
immune
system
Isolation table
Game theory based
Accuracy
Medium
High
High
High/Medium
Low
High/Medium
High
Energy efficiency
Memory requirement
Network structure
No detail
No detail
Normal
Yes
High
Clustered
No
Low
Normal
No detail
No detail
Normal
No
Medium
Clustered
No
Medium
Normal/ Distributed
Yes
High
Normal
are benign or malicious. The algorithm was implemented in

J-Sim and also was tested in TOSSIM, a WSN simulator
[54]. Drawbacks: There is no information available about
the performance of the DCA, and there are also no statistical
analyses that might prove the effectiveness of the approach.
Another approach based on immunology theory was proposed by Liu and Yu [50], and an overview of its architecture
can be seen in Fig. 3. Their algorithm is divided into four
phases: (i) self acquisition, (ii) generation, (iii) detection, and
(iv) clonal selection. The novelty of this approach lies mainly
in the clonal selection phase, which increases the response
time of the detection system by accelerating the underlying
mechanisms (detectors). Besides, a feedback system is used
to reduce false-positive rates. This algorithm was also tested
in TOSSIM.
5) Isolation table: In [17], Chen et al. proposed an
anomaly detection method for three-level hierarchical WSNs
(base station - primary cluster heads - secondary cluster heads)
based on an isolation table.
In this method the isolation table records the anomaly
information, and the detection agents use it to isolate nodes
from the network. Note that these tables can be generated
by all cluster heads (secondary cluster heads monitor sensor
nodes and primary cluster heads, while primary cluster heads
monitor secondary cluster heads), and all tables are forwarded
to the base station. As a result, isolation tables can be provided
to any node that needs them (e.g. a newly elected cluster
head that needs to know the actual state of the network).
The applicability of this method was analyzed using the ns-2
simulator. Drawbacks: The results of these simulations show
that the method has disadvantages in terms of high energy
consumption whenever the number of nodes is increased. In
addition, the authors did not consider the influence of node
failure and node tampering, which can lead to a growth of
the false negative rate. The authors extended their work and
provided more insightful details on [75] and [94], but the
energy consumption problem is still present.
6) : Machine Learning Based Approaches There are some
IDSs that rely on various machine learning techniques. For
example, [52], [56], [58], and [68] introduce machine learning and automata-based learning approaches as an anomaly
detection tool for wireless sensor networks.
In [52], Misra et al. used a learning automata based approach (which is commonly used in optimization problems)
to detect misbehaving nodes. This approach relies on packet
sampling, where a proportion of the packets traversing the
network are sampled to identify whether they are malicious
nodes or not. Decisions are made depending on the feedback
Machine
learning
of the environment to the automaton in partially favorable or

partially unfavorable cases. Benefits: Results obtained from
analytical analysis show that the detection rate is high and the
energy consumption is low for WSNs. The extended version
of the work is presented in [82].
Doumit and Agrawal [58] introduced an anomaly approach
based on the structure of naturally occurring events. This
approach makes use of hidden Markov models (HMM), which
have been applied in IDS for wired networks. It also makes
use of the concept of self-organized criticality (SOC), which
links complex phenomena to simplistic underlying laws. In
particular, SOC provides a prediction on the most probable
event (e.g. expected temperature value). If the HMM finds
that the event is out of bounds, it raises an alarm. Recent
work by Rajasegarar et al. [83] used one class support vector
machines (SVM) in order to detect network anomalies. The
paper proposes two SVM based approaches that are called
centered hyperellipsoidal support vector machine (CESVM)
and quarter-sphere support vector machine (QSSVM), respectively. CESVM has advantages in terms of parameter
selection flexibility and the computational complexity, but it
faces certain limitations in distributed WSNs, as it uses a
centralized approach. On the other hand, QSSVM works well
in a distributed environment. Benefits: The results from real
and simulated data sets show that both approaches achieve
high detection accuracy.
7) Game Theory-Based Approaches: Other researchers
have applied game theory-based models in intrusion detection
mechanisms [7], [59], [60], [61], [62], [63]. Game theory
based models can be excellent solutions for wired networks
in terms of level of security, but for WSNs, it is necessary
to prove their applicability: sensors are equipped with constrained energy sources, and the performance of these models
seems to decrease when the number of nodes is large.
As an example of these approaches, we can mention the
IDS developed by Agah et al. [7], which introduced a noncooperative game approach to detect misbehaving nodes in
clustered sensor networks. This non-cooperative game approach, which formulates an attack-defense game as a noncooperative two-player nonzero-sum game, achieves Nash
equilibrium (i.e. best results for both players) whenever the
defense player (i.e. the IDS system) finds and protects the
most vulnerable cluster. Consequently, clusters are classified
according to their utility and the cost of defending them. Note
that the authors also introduced two more techniques (intuitive
metric technique and Markov decision process) that could be
used to predict the future behavior of the attacker. Drawbacks:
1230
Fig. 3. Architecture of Immunity-Based IDS
The authors claim that this IDS approach can improve the
detection rate. However, as every node is provided with a
heavy IDS module and learning mechanism, the problem of
high energy consumption and communication overhead arises.
C. Specification-Based Schemes
Some specification-based schemes have been proposed as
IDS solutions for WSNs. As noted earlier, the main disadvantage of this approach is that the development of attack
or protocol specifications is done by human beings. In this
case, the administrator or the designer of the network has to
manually define the specifications that describe what a correct
operation is and monitor any behavior with respect to those
constraints.
1) Decentralized Approach: One of the first works in this
research track was introduced by Silva et al. in [14]. They
proposed a decentralized IDS that is based on several predefined rules.
The method has three phases: (i) data acquisition, where
packets are collected in a promiscuous mode in order to filter
out the important data before storing it, (ii) rule application,
where the rules are applied to the stored data, and (iii) detection phase, where the number of raised failures are compared
with the expected amount of occasional failures that defines
whether an intrusion has occurred or not. Fig. 4 illustrates the
architecture of a monitor node which has an IDS function in
addition to sensing and message transmission capabilities. The
results obtained from simulations, which tested attacks such
as jamming, blackhole and wormhole, show that the method
performs well in a simulation environment. Drawbacks: The
algorithm is simulated using a WSN simulator made by the
authors, whose technical details are unknown. This makes it
difficult to rely on the results presented by the authors, as a
simplified WSN model may not be something that could be

used in practice. Besides, other types of analyses (numerical or
probabilistic or logical) should have been added alongside the
presented outputs. Moreover, the algorithm has no information
about how to select the actual location of the IDS agents in
the application.
There are many other works in this topic [8], [9], [12], [55],
[74], [86], [87], [96], [97] that use different techniques (e.g.
group-based and collaborative) to specify intrusion detection
patterns and attack signatures. For instance, Bhuse et al. [55]
introduced a specification-based approach for detecting masquerade (sybil) attacks. They propose two techniques which
complement each other when used concurrently. The first one
is mutual guarding, where the sensor nodes check the source
id of received packets for intrusion. The second technique was
labeled by the authors as SRP, and consists of the verification
of the number of packets sent and received by a certain node.
Drawbacks: Simulation results show that the mutual guard
method has considerable overhead and it fails to protect nodes
when the attacker has a shorter communication range than the
sensor nodes.
2) Pre-defined Watchdog Approach: Krontiris et al. have
proposed various specification-based IDS in order to detect
blackhole [15], selective forwarding [15], and sinkhole [11],
[13] attacks in WSNs. Their approach is based on watchdogs,
which have pre-defined rules for raising intrusion alerts.
An example of one of those rules is as follows: If more
than half of the watchdog nodes have raised an alert, then
the target node is considered compromised and should be
revoked, or the base station should be notified. In defining
a threshold value, the authors also take into consideration the
loss of messages caused by network anomalies (e.g. wireless
noise). The method has three common modules: 1) local
monitoring and detection engine, for collecting and analyzing

data according to the rules; 2) cooperative detection engine,
for making accurate decisions collaboratively; and 3) local
response module, for taking appropriate actions if an intrusion
is verified by the network. Drawbacks: The method produces
very low false-negative and false-positive rates, which is a
good thing. However, the actual simulator and experimental
settings, which are used to calculate the rates, are not clear.
In a more recent work [16], the above authors proposed
a cooperative IDS scheme which has been tested in a real
environment. The method inherits various extended modules
from the authors previous works. The algorithm is based on
defined intrusion detection conditions (IDC), and the authors
argue that these conditions are necessary and sufficient to solve
the problem of detecting the most important WSN threats.
Benefits: In fact, to the best of our knowledge, this paper
is one of the few works that give details on a practical
implementation of IDS agents in a real environment. The
results show that the proposed algorithm is lightweight enough
to run on resource constrained sensor nodes such as telosb.
3) Hybrid System Approach: As stated earlier in Section
II, the specification-based approach integrates the aims of misuse and anomaly detection techniques. However, some specific
IDSs allow both detection techniques to coexist and interact in
one single detection agent. That is, such agents will make use
of automated training-based anomaly detection techniques and
human-made rule-based misuse detection techniques. These
approaches are known as hybrid systems.
Hai et al. [65] proposed an hybrid intrusion detection system
that integrates both anomaly and misuse techniques. The
specific goal of this method is to detect routing attacks in
WSNs. For energy efficiency, they use hierarchical WSNs. In
the misuse detection module, the authors use pre-defined rules
such as packet interval rule, integrity rule, packet delay rule,
and radio transmission range rule. Drawbacks: Unfortunately,
there is no proper and full explanation of the anomaly detection techniques used in this paper, that is, how to effectively
analyze the collected data and how to make decision on the
existence of intrusions.
Later, the extended versions of the above work have been
published by the same leading author (along with others)
in [26], [53] and [98]. The methods use two-hop neighbor
knowledge in order to prevent routing attacks. Two-hop neighbor knowledge is basically used in broadcasting protocols to
reduce the number of packet transmissions such as Sourcebased Protocol and Dominant Pruning [66]. The two-hop
neighbor list is established in each sensor node via a single
phase, by modifying the Hello packet. Other parts of this work
consist of local and global agents and pre-defined rules. The
global agents use the two-hop neighbors list and predefined
rules to monitor transmissions in their neighborhood. The
method performs well for routing attacks. However, it needs
to be tested in different attack scenarios in order to check the
effectiveness of the method.
Yan et al. [67] introduce a similar hybrid approach. The
algorithm contains a misuse detection model, an anomaly
detection model, and a decision making model. The novelty
of their method is the use of a back propagation network
(BPN) for the anomaly detection module. First, the packet
1231
records are given to the anomaly detection model, so as to

check for abnormal activities. If activity is determined as
abnormal, then it will be forwarded to both the misuse
detection model and the decision making model. Then, the
misuse detection model analyzes the received data with the
help of BPN and sends them to the decision making model.
Finally, the decision making model combines the outputs of
both models to determine whether or not an output can be
considered as an intrusion, and the category of attack. In case
of intrusion, the model reports to the base station. Benefits:
This approach has been tested by providing comprehensive
and detailed simulation results, which can be accessed in [84].
Finally, a dynamic IDS labeled as DIDS was proposed
by Huo and Wang in [57]. This work is similar to [64] in
terms of used approaches. The method has an event monitor
module, a rules record base, a misuse and anomaly detection
module, and an alert module. The core architecture of the
DIDS is shown in Fig. 5. Benefits: The method was simulated
in the ns-2 simulator using 70 nodes. The results obtained
by simulations state that their work has some advantages
compared to other static IDSs. Drawbacks: The distributed
mechanisms implemented in DIDS can be able to detect
multiple intruders, although at the cost of increasing the energy
consumption. Besides, these mechanisms are not tested in a
real environment.
V. D ISCUSSION ON THE VITAL AREAS
We have so far discussed various types of IDSs in WSNs.
Furthermore, we have classified them into different types
according to the detection techniques they use. Despite the
fact that IDSs are a well-implemented technology in wired
networks, there still remains enough scope of research on
IDS for WSNs. Precisely, in this section we will highlight
various vital areas that have been seldom considered by the
previously surveyed major schemes: are there any simulations
or real-world implementations that prove the effectiveness of
the different IDS mechanisms? In which types of network
structures (see Fig. 6) can we integrate the IDS agents?
Is there any real architecture/blueprint of a complete IDS
system, where different IDS detection mechanisms can be used
together in a single agent? How can we implement it? Are
there any other issues that we need to consider in the near
future?
A. Drawbacks of existing IDS
Here we summarize various drawbacks that almost all of
the previously discussed IDS mechanisms have:
Simulation: Almost no detailed simulations exist for
the discussed IDS mechanisms, being anomaly-based or
misuse-based. In fact, most of the works do not provide
comprehensive analyses or simulations. Note, however,
that the lack of real network traces makes difficult to
analyze the effectiveness of an IDS mechanism.
Real-world implementation: There are very few realworld implementations of IDS schemes (e.g. [16]) in
WSNs. Although statistical analyses and simulations are
important, such implementations are essential to prove
the applicability of the IDS schemes in a real setting.
1232
Fig. 4. Detection phases of decentralized IDS
Fig. 5. Core architecture of DIDS
Lightweight modules: Energy efficiency is one of the

main considerations in designing WSN application modules. Hence, IDS mechanisms should consume as little energy as possible while achieving an acceptable
performance. Again, it should be mentioned that heavy
IDS mechanisms (e.g. machine learning-based or game
theory-based) should be tested and evaluated so as to
prove both their effectiveness and their low resource

consumption.
Attack specific: Although many IDS schemes have been
proposed to detect malicious attacks, most of them target
only one or two specific attacks by using different network and hardware assumptions. Thus, it is very difficult
to combine these algorithms into a universal platform.
A promising research track would be to choose a set of

common criteria based on the features of different attacks.
B. Network structure based analysis
WSN is a highly application-dependent network. Hence,
network structures vastly differ depending on the application
types. There are mainly three types of network structures;
cluster, tree, and hierarchy. We give a brief description of these
structures and discuss with respect to IDSs:
Tree(flat)-based In this structure, base station plays
the role of main parent node, and sensor nodes take
the roles of leaf nodes or intermediate nodes. The onehop neighbor nodes of base station can become parent
nodes for the second hop neighbor nodes and this method
continues to cover the entire network in this fashion.
Cluster-based In this scenario, the network is divided
into clusters. Every cluster has its own selected cluster
head (CH), which is the bridge between its cluster
members and the base station. In addition, cluster heads
are often allowed to communicate among themselves for
some specific purposes.
Hierarchical The network is organized into a tree-like
structure with several different types of clusters in it. This
structure may have several layers representing parentchild type relationships (at least thematically). Note that
this is different than a hybrid model, where a portion of
the network is cluster-based while some other portion is
tree-based and some other portion may be of hierarchical
structure or a combination of all.
Fig. 6 illustrates these network structures, highlighting
possible IDS locations where IDSs can provide services in
an efficient manner. For instance, in the tree-based structure,
global coverage can be achieved if an IDS deploys several
(mobile) agents in the leaf nodes and an agent in the parent
node (i.e., base station). This helps the IDS to detect attacks
with a higher accuracy while reducing the consumption of
resources at the same time [4].
In cluster-based network structures, it seems efficient to
have one IDS agent for a group of sensor nodes (i.e., installed
on cluster head). Assuming that cluster heads are slightly
more powerful devices than their cluster members, we can
implement powerful IDS modules on them (which may not
be efficient on typical sensor nodes).
Furthermore, for hierarchical structures which include both
tree-based and cluster-based network structures, it might be
a challenging problem to select satisfactory IDS locations.
Still, a combination of mobile agents between layers and static
agents in cluster heads seems to be a good tradeoff.
In Table III, we present a comparison of various surveyed
IDSs mechanisms with respect to three types of network
structures: hierarchical, tree-based and cluster-based. Our goal
is to provide researchers with a reference table that shows
explicitly which IDSs can be the best fit for which type of
network structure due to their performance, applicability, and
other factors. The metrics used in the table, i.e. best, fair,
bad can be interpreted as following: an IDS algorithm can be
well suited for a particular network structure (best), but can
also be moderately suitable (fair) or even unsuitable (bad)
for other network structures.
1233
C. Other vital issues

Before the concluding remarks, it is necessary to highlight
various open issues and implementation strategies that should
be taken into account in future developments in this area.
1) Tamper-resistant IDS: There are mainly two places
where the IDS mechanisms can be installed; either in a sensor
node or in a special, more powerful monitoring node. In both
cases, we need to take into account the physical integrity of
the nodes when the deployment area is hostile (i.e. there are
active attackers trying to hinder the behavior of the IDS).
For this particular case, tamper-resistant hardware solutions
could be used. However, employing tamper-proof methods
would make the network more costly, thus probably only
powerful nodes can afford this kind of solution. This is not
applicable to distributed IDS, where normal sensor nodes
execute part of the IDS global logic. In such a case, the
possible solution would be to design low-cost tamper-resistant
techniques which can provide resilience to tampering attacks.
In fact, some software-based solutions (e.g. attestation) have
been proposed and intensely studied (cf. [92] [93]). However,
it is necessary to integrate them with existing IDSs. For
example, the attestation techniques can become another input
of the IDS infrastructure in order to flag any tampered nodes.
In addition, after an IDS component produces an alert, it can
also test the integrity of the supposedly malicious node using
these attestation techniques.
2) Cross-layer IDS: A significant issue of IDS for WSNs
is that most of the proposed works target only one specific
layer of WSN without taking into account other layers. For
instance, Fig. 7 illustrates both an IDS agent that is installed on
the application layer and a possible cross-layer IDS solution.
The application layer agent might detect only a few types
of attacks (e.g., routing attacks) and will miss attacks from
other layers (e.g., physical layer). However, a cross-layer IDS
solution can be able to detect all types of attacks coming from
different layers [91]. Another approach is to use a cross-layer
mechanism to manage the intrusion detection mechanisms
used in different layers. Not only information can be shared
between layers (alerts, layer-specific information), but also all
mechanisms can be coordinated. This way, the whole system
can have a holistic point of view of all threats.
3) Dynamic IDS: Little work has been done on IDS for
mobile WSNs. In fact, applying IDS for mobile nodes or
in presence of dynamic change of network topology is a
very challenging task. Besides, IDS should take into account
auto-configurability and scalability with respect to dynamic
network topologies or communication failures.
4) IDS Architecture: In the literature of IDS for WSNs
there is a particular factor that has been rarely discussed: the
architecture or template of the IDS itself. By architecture, we
refer to the overall architecture of WSN-specific IDS systems:
a template that can be filled with different mechanisms. Some
existing IDS approaches ([14], [51], [57], [90]) provide a partial architecture, where the detection mechanisms can interact
with other software elements of the sensor node. Still, these
partial architectures seldom take into account the possibility
of integrating different detection and control modules. The
existence of such IDS template must be considered in order
1234
Fig. 6. Three types of network structures with possible IDS locations

TABLE III
C OMPARISON OF IDSS WITH RESPECT TO NETWORK STRUCTURE
Network structure /
Techniques
Roman
et al. [4]
Onat et
al. [3],
[44]
Loo et
al. [5]
Gupta et
al. [47]
Kim et
al. [49]
Chen et
al. [17]
Misra et
al. [52],
[82]
Leckie et al.
[83]
Agah et
al. [7]
Krontiris
et
al.
[11],
[13],
[15]
Hierarchical
Tree-based
Cluster-based
Bad
Best
Fair
Fair
Bad
Best
Fair
Bad
Best
Bad
Best
Bad
Fair
Fair
Fair
Best
Bad
Fair
Fair
Bad
Fair
Best
Fair
Fair
Bad
Bad
Best
Fair
Bad
Fair
to allow the creation of well-adapted IDS that can respond to

the particular threats that can affect a specific application.
5) Internet-enabled IDS: Within the vision of the Internet
of Things (IoT) [99] every object will have its own IP address,
which makes them identifiable and reachable through the
Internet. In fact, WSN are considered as one of the pillars of
the IoT, thus experts are building IPv6-enabled WSN applications and protocols. Consequently, next generation Internet
applications using IPv6 will be able to communicate with
sensor nodes. However, once sensor nodes become citizens
of the Internet, they will inherit not only the advantages (e.g.
connectivity with anyone) but also the disadvantages includ-
ing new threats and old attacks (e.g. Internet-based DoS). In

fact, albeit very challenging, the problem of developing IDS
mechanisms that cope with these novel circumstances is worth
further studying.
VI. C ONCLUSIONS
In this work, we have provided a detailed and comprehensive study on IDSs in wireless sensor networks, classifying
them according to their underlying mechanisms. In addition,
we have briefly introduced the existing security attacks in
WSNs and their respective countermeasures. Furthermore, we
Fig. 7. IDS installed on application layer and possible cross layer IDS
have provided a critical analysis of the IDS mechanisms with

respect to network structure, highlighting various vital areas
that are currently underdeveloped.
Based on our observations and findings we can conclude
that, while the field of IDS for WSN has advanced significantly
in these last years, there are still various research areas (e.g.
IDS architectures, balance between accuracy and consumption
of resources, novel scenarios, better integration of underlying
mechanisms) that need to be further developed. We hope that
our results will be beneficial for both beginners and active
researchers in this area.
ACKNOWLEDGMENTS
The work has been supported by NDC Lab., KICT, IIUM,
Malaysia project PCS3-S001-2012-4800 and project grant
NRF2007IDM-IDM002-069 on Life Spaces from the IDM
Project Office, Media Development Authority of Singapore.
R EFERENCES
[1] Y. Zhou, Y. Fang, and Y. Zhang, Securing Wireless Sensor Networks:
A Survey, IEEE Commun. Surveys Tutorials, vol. 10, no. 3, pp. 6-28,
2008.
[2] A.-S. K. Pathan, H.-W. Lee, and C.S. Hong, Security in Wireless
Sensor Networks: Issues and Challenges, in 8th International Conference on Advanced Communication Technology (IEEE ICACT 2006),
Volume II, 20-22 February, Phoenix Park, Korea, 2006, pp. 1043-1048.
[3] I. Onat and A. Miri, An Intrusion Detection System for Wireless
Sensor Networks, Wireless and Mobile Computing, Networking And
Communications, vol. 3, 2005, pp. 253-259.
[4] R. Roman, J. Zhou, and J. Lopez, Applying Intrusion Detection
Systems to Wireless Sensor Networks, in Consumer Communications
and Networking Conference, 2006, pp. 640-644.
[5] CE. Loo, MY. Ng, C. Leckie, and M. Palaniswami, Intrusion Detection
for Routing Attacks in Sensor Networks, International Journal of
Distributed Sensor Networks, vol. 2, pp. 313-332, 2006.
[6] Y. Wang, G. Attebury, and B. Ramamurthy, A Survey of Security Issues
in Wireless Sensor Networks, IEEE Commun. Surveys Tutorials, vol.
8, pp. 2-23, 2006.
1235
[7] A. Agah, S.K. Das, K. Basu, and M. Asadi, Intrusion Detection in

Sensor Networks: A Non-Cooperative Game Approach, in 3rd IEEE
International Symposium on Network Computing and Applications,
September. 2004, pp. 343-346.
[8] L. Mostarda, and A. Navarra, Distributed Intrusion Detection Systems
for Enhancing Security in Mobile Wireless Sensor Networks, International Journal of Distributed Sensor Networks, vol. 4, no. 2, pp. 83-109,
2008.
[9] Y. Wang, X. Wang, B. Xie, D. Wang, and P. Agrawal, Intrusion Detection in Homogeneous and Heterogeneous Wireless Sensor Networks,
IEEE Trans. Mobile Computing, vol. 8, no. 6, pp. 698-711, 2008.
[10] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, A Survey
on Sensor Networks, IEEE Commun. Mag., vol. 40, no. 8, pp. 102-114,
August 2002.
[11] I. Krontiris, T. Dimitriou, T. Giannetsos, and M. Mpasoukos, Intrusion
Detection of Sinkhole Attacks in Wireless Sensor Networks, LNCS,
vol. 4837, pp. 150-161, 2008.
[12] L. Guorui, H. Jingsha, and F. Yingfang, Group-based Intrusion Detection System in Wireless Sensor Networks, Computer Communications,
vol. 32, no. 18, pp. 4324-4332, 2008.
[13] I. Krontiris, T. Dimitriou, and T. Giannetsos, LIDeA: a Distributed
Lightweight Intrusion Detection Architecture for Sensor Networks, in
4th International Conference on Security and Privacy in Communication Networks, Istanbul, Turkey, 2008.
[14] A.P.R. da Silva, M.H.T. Martins, B.P.S. Rocha, A.A.F. Loureiro, L.B.
Ruiz, and H.C. Wong, Decentralized Intrusion Detection in Wireless
Sensor Networks, in 1st ACM International Workshop on Quality
of service and security in wireless and mobile networks, Montreal,
Quebec, Canada, October 2005.
[15] I. Krontiris, T. Dimitriou, and F.C. Freiling, Towards Intrusion Detection in Wireless Sensor Networks, in 13th European Wireless
Conference, Paris, France, 2007.
[16] I. Krontiris, Z. Benenson, T. Giannetsos, F.C. Freiling, and T. Dimitriou, Cooperative Intrusion Detection in Wireless Sensor Networks,
in EWSN 2009, LNCS, vol. 5432, pp. 263-278, 2009.
[17] R. Chen, C. Hsieh, and Y. Huang, A New Method for Intrusion
Detection on Hierarchical Wireless Sensor Networks, in ICUIMC-09,
Suwon, Korea, January. 2009, pp. 238-245.
[18] M. Azer, S. El-Kassas, A. Hassan, and M. El-Soudani, Intrusion
Detection for Wormhole Attacks in Ad hoc Networks a Survey and
a Proposed Decentralized Scheme, in 3rd Int. Conf. on Availability,
Reliability and Security, 2008, pp. 636-641.
[19] B. Yu and B. Xiao, Detecting Selective Forwarding Attacks in Wireless Sensor Networks, in 20th International Parallel and Distributed
Processing Symposium (SSN2006 Workshop), Rhodes, Greece, April.
2006, pp. 1-8.
[20] L. Hu and D. Evans, Using Directional Antennas to Prevent Wormhole
Attacks,in 11th Annual Network and Distributed System Security
Symp. (NDSS04), San Diego, CA, Feb. 2004.
[21] W. Xu, W. Trappe, Y. Zhang, and T. Wood, The Feasibility of
Launching and Detecting Jamming Attacks in Wireless Networks,
in 6th ACM Intl. Symposium on Mobile Ad Hoc Networking and
Computing (MobiHoc05), Urbana-Champaign, IL, May. 2005.
[22] N. Ahmed, S. Kanhere, and S. Jha, The Holes Problem in Wireless
Sensor Networks: A Survey, ACM SIGMOBILE Mobile Computing
and Communications Review, vol. 9, no. 2, pp. 4-18, 2005.
[23] I. Krontiris, T. Dimitriou, T. Giannetsos, and M. Mpasoukos, Intrusion
Detection of Sinkhole Attacks in Wireless Sensor Networks, in 3rd
International Workshop on Algorithmic Aspects of Wireless Sensor
Networks (AlgoSensors07), Wroclaw, Poland, 2007.
[24] E.C.H. Ngai, J. Liu, and M.R. Lyu, An Efficient Intruder Detection
Algorithm against Sinkhole Attacks in Wireless Sensor Networks,
Computer Communications, vol. 30, pp. 2353-2364, 2007
[25] S. Kaplantzis, A. Shilton, N. Mani, and Y.A. Sekercioglu, Detecting
Selective Forwarding Attacks in Wireless Sensor networks using Support Vector Machines, in ISSNIP 2007, Melbourne, Australia, 2007,
pp. 335-340.
[26] T.H. Hai and E.N. Huh, Detecting Selective Forwarding Attacks in
Wireless Sensor Networks Using Two-hops Neighbor Knowledge,
in 7th IEEE International Symposium on Network Computing and
Applications, 2008, pp. 325-331.
[27] C. Karlof and D. Wagner, Secure Routing in Wireless Sensor Networks:
Attacks and Countermeasures, Elseviers Ad Hoc Network Journal,
Special Issue on Sensor Network Applications and Protocols, pp. 293315, 2003.
[28] M. Demirbas, and Y. Song, An RSSI-based Scheme for Sybil Attack
Detection in Wireless Sensor Networks, in IEEE WoWMoM, 2006,
pp. 564-570.
1236
[29] C.E. Loo, M.Y. Ng, C. Leckie, and M. Palaniswami, Intrusion Detection for Routing Attacks in Sensor Networks, International Journal of
Distributed Sensor Networks, vol. 2, no. 4, pp. 313-332, 2006.
[30] J. Zhou, T.K. Das, and J. Lopez, An Asynchronous Node Replication
Attack in Wireless Sensor Networks, in IFIP TC 11 23rd International
Information Security Conference, vol. 278, Boston Springer, 2008, pp.
125-139.
[31] B. Parno, A. Perrig, and V. Gligor, Distributed Detection of Node
Replication Attack in Sensor Networks, in Proc. 2005 IEEE Symposium on Security and Privacy, pp. 49-63, 2005.
[32] M.A. Hamid, M. Mamun-Or-Rashid, and C.S. Hong, Routing Security
in Sensor Network: HELLO Flood Attack and Defense, in IEEE
ICNEWS 2006, Dhaka, Bangladesh, 2-4 January 2006, pp.77-81.
[33] W. Sharif and C. Leckie, New variants of Wormhole Attacks for
Sensor Networks, in Australian Telecommunication Networks and
Applications Conference, 2006, pp. 26-30.
[34] C. Y. Hu, and A. Perrig, Wormhole Attacks in Wireless Networks,
IEEE J. Sel. Areas Commun., vol. 24, no. 2, pp. 370-380, 2006.
[35] R. Maheshwari, J. Gao, and S.R. Das, Detecting Wormhole Attacks
in Wireless Sensor Networks Using Connectivity Information, in
INFOCOM 2007, pp. 107-115, 2007.
[36] L. Hu and D. Evans, Using Directional Antennas to Prevent Wormhole
Attacks, in 11th Network and Distributed System Security Symposium,
2003, pp. 131-141.
[37] M. Cagalj, S. Capkun, and J.-P. Hubaux, Wormhole-Based AntiJamming Techniques in Sensor Networks, IEEE Trans. Mobile Computing, vol. 6, no. 1, pp. 100-114, 2007.
[38] H. Chen, P. Han, X. Zhou, and C. Gao, Lightweight Anomaly Intrusion
Detection in Wireless Sensor Networks, in PAISI 2007, LNCS 4430,
pp. 105-116.
[39] J. Newsome, E. Shi, D. Song, and A. Perrig, The Sybil Attack in Sensor
Networks: Analysis and Defense, in IEEE/ACM IPSN04, 2004, pp.
259-268.
[40] H. Yu, M. Kaminsky, P. B. Gibbons, and A. Flaxman, SybilGuard:
Defending Against Sybil Attacks via Social Networks, in ACM SIGCOMM 2006, pp. 267-278.
[41] W. Jiangtao, Y. Geng, S. Yuan, C. Shengshou, Sybil Attack Detection
Based on RSSI for Wireless Sensor Networks, in WiCom 2007, pp.
2684-2687.
[42] D. Mukhopadhyay and I. Saha, Location Verification Based Defense
Against Sybil Attack in Sensor Networks, in ICDCN 2006. LNCS
4308, Springer-Verlag 2006, pp. 509-521.
[43] S. Marti, T.J. Giuli, K. Lai, and M. Baker, Mitigating Routing Misbehavior in Mobile Ad hoc Networks, in MobiCom00, 2000, pp. 255265.
[44] I. Onat, and A. Miri, A Real-Time Node-Based Traffic Anomaly
Detection Algorithm for Wireless Sensor Networks, in ICW 2005, pp.
422-427.
[45] S. Jian-hua and M. Chuan-Xiang, Anomaly Detection Based on DataMining for Routing Attacks in Wireless Sensor Networks, in CHINACOM 07, 22-24 Aug. 2007, pp. 296-300.
[46] Q. Wang and T. Zhang, Detecting Anomaly Node Behavior in Wireless
Sensor Networks, in AINAW, pp. 451-456, 2007.
[47] S. Gupta, R. Zheng, and A. Cheng, ANDES: an Anomaly Detection
System for Wireless Sensor Networks, in MASS 2007, pp. 1-9, 2007.
[48] TinyOS, http://www.tinyos.net/
[49] J. Kim, P. Bentley, C. Wallenta, M. Ahmed, and S. Hailes, Danger is
Ubiquitous: Detecting Malicious Activities in Sensor Networks using
the Dendritic Cell Algorithm, in ICARIS, LNCS 4163, 2006.
[50] Y. Liu and F. Yu, Immunity-Based Intrusion Detection for Wireless
Sensor Networks, in International Joint Conf. on Neural Networks,
2008, pp. 439-444.
[51] S. Shaust and H. Szczerbicka, Misbehavior Detection for Wireless
Sensor Networks Necessary or Not?, in 6th Fachgesprach Drahtlose
Sensornetze der GI/ITG-Fachgruppe Kommunikation und Verteilte
Systeme, Germany, 2007, pp. 51-54.
[52] S. Misra, K. Abraham, M.S. Obaidat, and P. Venkata Krishna, LAID: a
Learning Automata-based Scheme for Intrusion Detection in Wireless
Sensor Networks, Security and Communication Networks, vol. 2, pp.
105-115, 2008.
[53] T.H. Hai, E.-N. Huh, and M. Jo, A Lightweight Intrusion Detection
Framework for Wireless Sensor Networks, Wireless Communications
and Mobile Computing, vol. 10, no. 4, April, 2009.
[54] P. Levis, N. Lee, M. Welsh, and D. Culler, TOSSIM: Accurate and
Scalable Simulation of Entire TinyOS Applications, in 1st International
Conference on Embedded Networked Sensor System, 2003, pp. 126137.
[55] V. Bhuse, A. Gupta, and A. Al-Fuqaha, Detection of Masquerade

Attacks on Wireless Sensor Networks, in ICC07, 2007, pp. 11421147.
[56] Z. Yu and J. Tsai, A Framework of Machine Learning Based Intrusion
Detection for Wireless Sensor Networks, in SUTC08, 2008, pp. 272279.
[57] G. Huo and X. Wang, DIDS: A Dynamic Model of Intrusion Detection
System in Wireless Sensor Networks, in IEEE ICIA, 2008, pp. 374378.
[58] S. Doumit and D. P. Agrawal, Self-organized Criticality and Stochastic
Learning based Intrusion Detection System for Wireless Sensor Network, in MILCOM 2003, pp. 609-614.
[59] Y. Ma, H. Cao, and J. Ma, The Intrusion Detection Method based
on Game Theory in Wireless Sensor Network, in IEEE Ubi-Media
Computing, 2008, pp. 326-331.
[60] A. Agah and S.K. Das, Preventing DoS Attacks in Wireless Sensor
Networks: A Repeated Game Theory Approach, International Journal
of Network Security (IJNS), vol. 5, no. 2, pp.145-153, 2006.
[61] M. Krishnan, Intrusion Detection in Wireless Sensor Networks, Project
Paper, University of California at Berkeley, Unpublished.
[62] Yenumula B. Reddy, A Game Theory Approach to Detect Malicious
Nodes in Wireless Sensor Networks, in SENSORCOMM09, Greece,
2009.
[63] Yenumula B. Reddy and S. Srivathsan, Game Theory Model for
Selective Forward Attacks in Wireless Sensor Networks, in 17th
Mediterranean Conference on Control and Automat, 2009.
[64] P. Techateerawat and A. Jennings, Energy Efficiency of Intrusion
Detection Systems in Wireless Sensor Networks, in WI-IATW06,
2006.
[65] T.H. Hai, F. Khan, and E.-N. Huh, Hybrid Intrusion Detection System
for Wireless Sensor Networks, in ICCSA 2007, LNCS 4706, pp. 383396, 2007.
[66] A. Durresi, V. Parucheri, S. Iyengar, and R. Kannan, Optimized
Broadcast Protocol for Sensor Networks, IEEE Trans. Comput., vol.
54, no. 8, pp. 1013-1024, 2005.
[67] K.Q. Yan, S.C. Wang, and C.W. Liu, A Hybrid Intrusion Detection
System of Cluster-based Wireless Sensor Networks, in IMECS 2009,
Hong Kong, 2009, pp. 411-416.
[68] S. Banerjee, C. Grosan, A. Abraham, and P. Mahanti, Intrusion Detection on Sensor Networks Using Emotional Ants, Intl J. of Applied
Science and Computations, vol. 12, no. 3, pp. 152-173, 2005.
[69] Q. Wang, Y. Zhu, and L. Cheng, Reprogramming Wireless Sensor
Networks: Challenges and Approaches, IEEE Network, pp. 48-55,
May. 2006.
[70] Y. Wang, G. Attebury, And B. Ramamurthy, A Survey Of Security
Issues In Wireless Sensor Networks, IEEE Communications Surveys
and Tutorials, vol. 8, no. 2, 2nd Quarter. 2006.
[71] D.R. Raymond and S.F. Midkiff, Denial of Service in Wireless Sensor
Network: Attacks and Defenses, IEEE Pervasive Computing, vol.7, no.
1, pp. 74-81, March. 2008.
[72] J. Kong, Z. Ji, W. Wang, M. Gerla, R. Bagrodia and B. Bhargava,
Low-cost Attacks Against Packet Delivery, Localization and Time
Synchronization Services in Underwater Sensor Networks, in 4th ACM
Workshop on Wireless Security, 2005, pp. 87-96.
[73] R.d. Graaf, I. Hegazy, J. Horton, and R. Safavi-Naini, Distributed
Detection of Wormhole attacks in Wireless Sensor Networks, Ad Hoc
Networks, LNCS, vol. 28, no. 1, 2010, pp. 208-223
[74] M.V. de Sousa Lemos, L. Barroso Leal and R. Holanda Filho, A New
Collaborative Approach for Intrusion Detection System on Wireless
Sensor Networks, in Novel Algorithms and Techniques, Springer, 2010.
[75] R.C. Chen, C.F. Hsieh, and Y.F. Haung, An Isolation Intrusion Detection System for Hierarchical Wireless Sensor Networks, Journal of
Networks, vol. 5, no. 3, 2010, pp. 335-342.
[76] R.C. Chen, Y.F. Haung, and C.F. Hsieh, Ranger Intrusion Detection
System for Wireless Sensor Networks with Sybil Attack based on
Ontology, in AIC10, 2010.
[77] H.Y. Lin and T.C. Chiang, Intrusion Detection Mechanisms Based on
Queuing Theory in Remote Distribution Sensor Networks, Advanced
Materials Research, vol. 121-122, June 2010.
[78] A.-S.K. Pathan, Security of Self-Organizing Networks: MANET, WSN,
WMN, VANET, ISBN: 978-1-4398-1919-7, Auerbach Publications,
CRC Press, Taylor and Francis Group, USA, 2010.
[79] A.H. Farooqi and F.A. Khan, Intrusion Detection Systems for Wireless
Sensor Networks: A Survey, in FGCN/ACN 2009, CCIS, vol. 56, pp.
234-241.
[80] Z. Bankovic, J.M. Moya, A. Araujo, D. Fraga, J.C. Vallejo, and J.M. de
Goyeneche, Distributed Intrusion Detection System for Wireless Sensor
[81]
[82]
[83]
[84]
[85]
[86]
[87]
[88]
[89]
[90]
[91]
[92]
[93]
[94]
[95]
[96]
[97]
[98]
[99]
Networks based on a Reputation System Coupled with Kernel Selforganizing Maps, Integrated Computer-Aided Engineering, vol. 17, no.
2, 2010, pp. 87-102.
Y. Zhang, N. Meratnia, and P. Havinga, Outlier Detection Techniques
for Wireless Sensor Networks: A Survey, IEEE Commun. Surveys
Tutorials, vol. 12, no. 2, 2010.
S. Misra, P.V. Krishna, and K.I. Abraham, A Simple Learning
Automata-based Solution for Intrusion Detection in Wireless Sensor
Networks, Wireless Communications and Mobile Computing, Special
Issue on Architectures and Protocols for Wireless Mesh, Ad Hoc, and
Sensor Networks, vol. 11, no. 3, 2011, pp. 426-441.
S. Rajasegarar, C. Leckie, J.C. Bezdek, and M. Palaniswami, Centered
Hyperspherical and Hyperellipsoidal One-Class Support Vector Machines for Anomaly Detection in Sensor Networks, IEEE Trans. Inf.
Forens. Security, vol. 5, no. 3, 2010, pp. 518-533.
S.S. Wang, K.Q. Yan, S.C. Wang, and C.W. Liu, An Integrated Intrusion Detection System for Cluster-based Wireless Sensor Networks,
Expert Systems and Applications, vol. 38, no. 12, 2011.
T. Bhattasali, and R. Chaki, A Survey of Recent Intrusion Detection
Systems for Wireless Sensor Network, in 4th International Conference
on Network Security and Applications (CNSA-2011), Springer, 2011,
pp. 268-280.
S. Shin, T. Kwon, G.Y. Jo, Y. Park, and H. Rhee, An Experimental
Study of Hierarchical Intrusion Detection for Wireless Industrial Sensor
Networks, IEEE Trans. Ind. Informat., vol. 6, no. 4, 2010, pp. 744-757.
T.M. Mubarak, S.A. Sattar, A. Rao, and M. Sajitha, A Collaborative,
Secure and Energy Efficient Intrusion Detection Method for Homogeneous WSN, in International Conference on Advances in Computing
and Communications (ACC-2011), Springer, 2011.
W.T. Zhu, J. Zhou, R.H. Deng, and F. Bao, Detecting Node Replication
Attacks in Mobile Sensor Networks: Theory and Approaches, Security
and Communication Networks, 2011.
J. Lopez, R. Roman, and C. Alcaraz, Analysis of Security Threats, Requirements, Technologies and Standards in Wireless Sensor Networks,
in Foundations of Security Analysis and Design 2009, LNCS 56705,
August 2009, pp. 289-338.
R. Roman, J. Lopez, and S. Gritzalis, Situation Awareness Mechanisms
for Wireless Sensor Networks, IEEE Commun. Mag., vol. 46, no. 4,
April 2008, pp. 102-107.
R. Roman, J. Lopez, and P. Najera, A Cross-layer Approach for
Integrating Security Mechanisms in Sensor Networks Architectures,
Wireless Communications and Mobile Computing, vol. 11, no. 2,
February 2011, pp. 267-276.
A. Perrig, and L. van Doorn, Refutation of On the Difficulty of
Software-Based Attestation of Embedded Devices. Technical Report,
Carneige Mellon University, 2010.
A. Francillon, C. Castelluccia, D. Perito, and C. Soriente, Comments
on Refutation of On the Dificulty of Software-Based Attestation of
Embedded Devices, Technical Report, INRIA, 2010.
C. F. Hsieh, Y. F. Huang, and R.C. Chen, A Light-weight Ranger
Intrusion Detection System on Wireless Sensor Networks, in ICGEC
2011, November 2011, pp. 49-52.
M.S. Islam, and S. AshiqurRahman, Anomaly Intrusion Detection
System in Wireless Sensor Networks: Security Threats and Existing
Approaches, in Int. J. Advanced Science and Technology, vol. 36,
November 2011.
S.K. Singh, M.P. Singh, and D.K. Singh, Intrusion Detection based
Security Solution for Cluster-based Wireless Sensor Networks, in Int.
J. Advanced Science and Technology, vol. 30, May 2011.
H. Jadidoleslamy, A High-Level Architecture for Intrusion Detection
on Heterogeneous Wireless Sensor Networks: Hierarchical, Scalable
and Dynamic Reconfigurable, in Wireless Sensor Network, vol. 3,
2011, pp. 241-261.
E.N. Huh, and T.H. Hai, Lightweight Intrusion Detection for Wireless
Sensor Networks, in Intrusion Detection Systems, Pawel Skrobanek
(Ed.), InTech, 2011.
CERP-IoT Cluster, Visions and Challenges for Realising the Internet
of Things, European Commission, 2010.
1237
Abror Abduvaliyev received his M.Eng in Computer Engineering in 2010 from Kyung Hee University, South Korea. He holds B.Sc degree with honors in Electronic Commerce from Tashkent University of Information Technologies (TUIT), Tashkent,
Uzbekistan, 2008. He is currently a security analyst
at Citibank. His research interests include wireless
sensor networks, Internet of Things and intrusion
detection systems. He is a student member of IEEE,
ACM and member of IACSIT.
Al-Sakib Khan Pathan received Ph.D. degree in

Computer Engineering in 2009 from Kyung Hee
University, South Korea. He received B.Sc. degree in
Computer Science and Information Technology from
Islamic University of Technology (IUT), Bangladesh
in 2003. He is currently an Assistant Professor
at Computer Science department in International
Islamic University Malaysia (IIUM), Malaysia and
the Head, NDC Lab., KICT, IIUM. His research
interest includes wireless sensor networks, network
security, and e-services technologies. He is actively
involved in various research activities and associated with various reputed
journals and conferences as Editor, Chair, TPC member, and Reviewer.
Jianying Zhou is a senior scientist at Institute for

Infocomm Research, and heads the Network Security Lab. He received PhD in Information Security
from University of London in 1997. His research
interests are in computer and network security, mobile and wireless communications security. He is
a co-founder and steering committee member of
International Conference on Applied Cryptography
and Network Security (ACNS). He is also a cofounder and coordinating editor of Cryptology and
Information Security Series (CIS).
Rodrigo Roman Castro is a security researcher

working at the Institute for Infocomm Research
in Singapore. He also collaborates with the NICS
security lab at the University of Malaga, Spain,
where he obtained his Ph.D. in Computer Science in
2008. His research interests are mainly focused on
security architectures and the secure integration of
sensor networks with other infrastructures, such as
critical infrastructures, cloud environments, and the
Internet of Things. He has published various papers
and participated in various international research
projects related to network and sensor networks security.
Wai-Choong (Lawrence) Wong received the B.Sc.

(1st class Honours) and Ph.D. degrees in Electronic
and Electrical Engineering from Loughborough University, UK, in 1976 and 1980, respectively. He is
currently a Professor in the Department of Electrical
and Computer Engineering, National University of
Singapore. His research interests include wireless
networks and systems, ambient intelligent platforms,
multimedia networks, and source matched transmission techniques with over 250 publications and 3
patents in these areas. He received the IEE Marconi
Premium Award in 1989, NUS Teaching Award (1989), IEEE 3rd Millennium
Award in 2000, the e-nnovator Awards 2000, Open Category, and Best Paper
Award at the IEEE International Conference on Multimedia and Expo (ICME)
2006.

06407453

Cargado por

Información del documento

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

06407453

Cargado por

Copyright:

Formatos disponibles

IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO.

3, THIRD QUARTER 2013

On the Vital Areas of Intrusion Detection

An IDS, which has been successfully implemented in wired

proper countermeasures [5]. The actual detection mechanisms

DoS attacks in different layers [21],

Flooding, jamming, misdirection

Less-known (or, Less Studied)

Shortest path, drop the packets

Fabrication during reprogramming [69]

Selectively drop the packets

Add extra node to the network with the

Neglect and greed [70]

HELLO flood [32]

Flood with HELLO packets

Wormhole [18], [20], [33], [34],

Offer less number of hops and less delay

Forced delay [89]

Unsecure reprogramming process

normal radio range. Hence, sensor nodes can be persuaded that

H. Other Security Attacks in WSNs

make use of different underlying principles. Most of those

Fig. 1. Taxonomy of IDSs in WSNs

sensor node), and randomly activated global agents in order

Fig. 2. Nodes C, D, and E are watchdogs of the link A to B

Some researchers argue that watchdog approaches incur

In WSN, there are many IDS mechanisms that use anomaly

that there are no vastly superior detection mechanisms: there is

simulation purposes, five training data sets with normal traffic

Game theory based

are benign or malicious. The algorithm was implemented in

of the environment to the automaton in partially favorable or

Fig. 3. Architecture of Immunity-Based IDS

simplified WSN model may not be something that could be

monitoring and detection engine, for collecting and analyzing

records are given to the anomaly detection model, so as to

Fig. 4. Detection phases of decentralized IDS

Fig. 5. Core architecture of DIDS

Lightweight modules: Energy efficiency is one of the

prove both their effectiveness and their low resource

A promising research track would be to choose a set of

C. Other vital issues

Fig. 6. Three types of network structures with possible IDS locations

to allow the creation of well-adapted IDS that can respond to

ing new threats and old attacks (e.g. Internet-based DoS). In

have provided a critical analysis of the IDS mechanisms with

[7] A. Agah, S.K. Das, K. Basu, and M. Asadi, Intrusion Detection in

[55] V. Bhuse, A. Gupta, and A. Al-Fuqaha, Detection of Masquerade

Al-Sakib Khan Pathan received Ph.D. degree in

Jianying Zhou is a senior scientist at Institute for

Rodrigo Roman Castro is a security researcher

Wai-Choong (Lawrence) Wong received the B.Sc.

También podría gustarte