Documentos de Académico
Documentos de Profesional
Documentos de Cultura
1223
I. I NTRODUCTION
N MANY WSN (Wireless Sensor Network) application
scenarios security is a very important concern; especially
the applications designed for WSNs deployed in hostile environments and commercial applications. With the level of
importance of security in a WSN application, ensuring it to the
expected level also becomes relatively more difficult than its
other wireless network counterparts. In fact, security in WSN
has a great number of challenges that may not be seen in
other types of wireless networks. This is due to many reasons
like the broadcast nature of wireless communications, limited
resources of the sensor nodes, unattended environment where
sensor nodes might be susceptible to physical attacks, etc [1],
[2], [10]. Security solutions like authentication, cryptography
or key management can enhance the security of WSNs.
Nevertheless, these solutions alone cannot prevent all possible
attacks. As a wide range of attacks can be launched by
compromised nodes in a WSN (i.e., nodes that appear to be
legitimate in the network but not or working for other party
[7], [11]), a second line of defense like Intrusion Detection
System (IDS) [3], [77] is needed.
Manuscript received January 13, 2012; revised June 6, 2012 and October
12, 2012.
A. Abduvaliyev and W. C. Wong are with the Department of Electrical and
Computer Engineering, National University of Singapore (NUS), Singapore
(e-mail: wong lawrence@nus.edu.sg).
A.S.K. Pathan is with Department of Computer Science, International
Islamic University Malaysia (IIUM), Kuala Lumpur, Malaysia, email:
sakib@iium.edu.my.
J. Zhou and R. Roman are with Institute for Infocomm Research (I2R),
Singapore, email: jyzhou@i2r.a-star.edu.sg and rroman@i2r.a-star.edu.sg.
Digital Object Identifier 10.1109/SURV.2012.121912.00006
c 2013 IEEE
1553-877X/13/$31.00
1224
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO. 3, THIRD QUARTER 2013
Details of particular IDS models and techniques are discussed later in the paper.
III. S ECURITY THREATS AND TYPES OF ATTACKS IN WSN
There are several well-known and a few less-known security
attacks that exist in wireless sensor networks. In this section,
we discuss these security attacks in brief with respect to their
countermeasures. Almost all of the attacks described below
focus on the limitations of routing protocols in WSNs [6].
However, some unknown attacks that are launched considering
other security constraints of the network are presented as
well. Table I introduces a brief summary of well-known
and less-known (or, less studied) security attacks and their
characteristics in terms of attack behaviors and techniques.
In addition, the relevant detection techniques for the attacks
are highlighted in the table. Later in Section IV, we will
discuss some of these techniques in terms of their benefits
and drawbacks.
A. Denial of Service (DoS) Attacks
We consider any type of intentional activity that can disrupt,
subvert or even destroy the network as a Denial of Service
(DoS) attack.
Basically, DoS attacks can be categorized into three types:
Consumption of scarce, limited or non-renewable resources.
Destruction or alteration of configuration information.
Physical destruction or alteration of network resources.
In the context of WSN, DoS attacks that target the network
resources are one of the most significant: the hardware of
sensor nodes is usually very constrained, and attackers can try
to overload them. Other DoS attacks that are very destructive
are jamming and tampering attacks. Jamming is the deliberated
interference of the wireless communication channel. In fact,
sensor nodes are very vulnerable against this type of physical
attack [37]. Tampering is another type of physical attack,
which targets the actual hardware of the sensor nodes (e.g.
sensitive chips, sensor hardware). While it is difficult to know
whether any particular DoS situation is caused intentionally or
unintentionally, there are some detection methods that help to
thwart each type of DoS attack [72]. Still, tampering attacks
remain an open issue.
B. Sinkhole/Blackhole Attacks
In this attack, a malicious node acts as a blackhole [22] to
pull in all the traffic in the network. The attacker listens to the
route requests and then replies to the target node informing
that it has the shortest path to the base station. A victim node
is enticed to select it as a forwarder for its packets. Once a
malicious node puts itself between the base station and sensor
node, it is able to do whatever it wants (drop all packets,
change the content, etc) with the packets that pass through
it. This type of attack can be very harmful for sensor nodes
that are deployed considerably far from the base station. We
have to keep in mind that Blackhole and Sinkhole attacks
are basically the same attacks by definition. Some recent
works have addressed this attack and possible IDSs have been
proposed in [11], [19], [23], [24].
ABDUVALIYEV et al.: ON THE VITAL AREAS OF INTRUSION DETECTION SYSTEMS IN WIRELESS SENSOR NETWORKS
1225
TABLE I
S ECURITY ATTACKS IN WSN S
Name
Well-known
Characteristics
Name
Homing [71]
Unfairness [70]
C. Selective Forwarding
Multi-hop networks like WSNs rely on the assumption that
all nodes in the network will faithfully forward the received
messages to the base station. In these attacks, a malicious
node in the routing path acts as a normal node by forwarding
messages, but selectively drops sensitive packets which is
hard to detect by the system. This attack is independent from
the Sinkhole/Blackhole attacks, although a malicious node can
make use of them to increment its effect in the network. As
possible solutions to detect this type of attack, some secure
routing algorithms and IDSs using different techniques have
been proposed in [19], [25], [26], [27], [29].
D. The Node Replication Attacks
As sensor nodes are constrained in terms of resources
and usually deployed in unattended/public environments, an
attacker can easily capture, analyze and extract their secrets.
In this particular attack, an attacker seeks to add one or
more nodes in a network that use the same cryptographic
secrets as any other legitimate node in that network. This kind
of attack may have severe consequences, like corruption of
data by the adversary or even disconnection of some critical
parts of the network. For example, a replicated node can
send advertising information that is not consistent with the
state of the network (i.e. feature advertising [90]) in order to
manipulate a certain neighborhood. Some centralized detection
schemes, neighborhood-voting protocols, distributed detection
techniques, and mobile-oriented statistics mechanisms have
been proposed in [30], [31] and [88] to discover the existence
of these attacks.
E. HELLO Flood Attacks
Many routing protocols need to broadcast HELLO packets
in order to discover one-hop neighbors. This attack uses such
packets as a weapon to attract sensor nodes. In particular, an
attacker with a large radio range and enough processing power
can send HELLO packets to a large number of sensor nodes
by flooding an entire section of the network. A node which
receives such a packet may assume that the attacker is within
1226
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO. 3, THIRD QUARTER 2013
ABDUVALIYEV et al.: ON THE VITAL AREAS OF INTRUSION DETECTION SYSTEMS IN WIRELESS SENSOR NETWORKS
1227
1228
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO. 3, THIRD QUARTER 2013
ABDUVALIYEV et al.: ON THE VITAL AREAS OF INTRUSION DETECTION SYSTEMS IN WIRELESS SENSOR NETWORKS
1229
TABLE II
C OMPARISON OF ANOMALY BASED DETECTION TECHNIQUES
IDS
Statistical
models
based
Clustering
algorithm
based
Centralized
Artificial
immune
system
Isolation table
Accuracy
Medium
High
High
High/Medium
Low
High/Medium
High
Energy efficiency
Memory requirement
Network structure
No detail
No detail
Normal
Yes
High
Clustered
No
Low
Normal
No detail
No detail
Normal
No
Medium
Clustered
No
Medium
Normal/ Distributed
Yes
High
Normal
Machine
learning
1230
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO. 3, THIRD QUARTER 2013
The authors claim that this IDS approach can improve the
detection rate. However, as every node is provided with a
heavy IDS module and learning mechanism, the problem of
high energy consumption and communication overhead arises.
C. Specification-Based Schemes
Some specification-based schemes have been proposed as
IDS solutions for WSNs. As noted earlier, the main disadvantage of this approach is that the development of attack
or protocol specifications is done by human beings. In this
case, the administrator or the designer of the network has to
manually define the specifications that describe what a correct
operation is and monitor any behavior with respect to those
constraints.
1) Decentralized Approach: One of the first works in this
research track was introduced by Silva et al. in [14]. They
proposed a decentralized IDS that is based on several predefined rules.
The method has three phases: (i) data acquisition, where
packets are collected in a promiscuous mode in order to filter
out the important data before storing it, (ii) rule application,
where the rules are applied to the stored data, and (iii) detection phase, where the number of raised failures are compared
with the expected amount of occasional failures that defines
whether an intrusion has occurred or not. Fig. 4 illustrates the
architecture of a monitor node which has an IDS function in
addition to sensing and message transmission capabilities. The
results obtained from simulations, which tested attacks such
as jamming, blackhole and wormhole, show that the method
performs well in a simulation environment. Drawbacks: The
algorithm is simulated using a WSN simulator made by the
authors, whose technical details are unknown. This makes it
difficult to rely on the results presented by the authors, as a
ABDUVALIYEV et al.: ON THE VITAL AREAS OF INTRUSION DETECTION SYSTEMS IN WIRELESS SENSOR NETWORKS
1231
1232
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO. 3, THIRD QUARTER 2013
ABDUVALIYEV et al.: ON THE VITAL AREAS OF INTRUSION DETECTION SYSTEMS IN WIRELESS SENSOR NETWORKS
1233
1234
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO. 3, THIRD QUARTER 2013
Roman
et al. [4]
Onat et
al. [3],
[44]
Loo et
al. [5]
Gupta et
al. [47]
Kim et
al. [49]
Chen et
al. [17]
Misra et
al. [52],
[82]
Leckie et al.
[83]
Agah et
al. [7]
Krontiris
et
al.
[11],
[13],
[15]
Hierarchical
Tree-based
Cluster-based
Bad
Best
Fair
Fair
Bad
Best
Fair
Bad
Best
Bad
Best
Bad
Fair
Fair
Fair
Best
Bad
Fair
Fair
Bad
Fair
Best
Fair
Fair
Bad
Bad
Best
Fair
Bad
Fair
ABDUVALIYEV et al.: ON THE VITAL AREAS OF INTRUSION DETECTION SYSTEMS IN WIRELESS SENSOR NETWORKS
Fig. 7. IDS installed on application layer and possible cross layer IDS
1235
1236
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO. 3, THIRD QUARTER 2013
[29] C.E. Loo, M.Y. Ng, C. Leckie, and M. Palaniswami, Intrusion Detection for Routing Attacks in Sensor Networks, International Journal of
Distributed Sensor Networks, vol. 2, no. 4, pp. 313-332, 2006.
[30] J. Zhou, T.K. Das, and J. Lopez, An Asynchronous Node Replication
Attack in Wireless Sensor Networks, in IFIP TC 11 23rd International
Information Security Conference, vol. 278, Boston Springer, 2008, pp.
125-139.
[31] B. Parno, A. Perrig, and V. Gligor, Distributed Detection of Node
Replication Attack in Sensor Networks, in Proc. 2005 IEEE Symposium on Security and Privacy, pp. 49-63, 2005.
[32] M.A. Hamid, M. Mamun-Or-Rashid, and C.S. Hong, Routing Security
in Sensor Network: HELLO Flood Attack and Defense, in IEEE
ICNEWS 2006, Dhaka, Bangladesh, 2-4 January 2006, pp.77-81.
[33] W. Sharif and C. Leckie, New variants of Wormhole Attacks for
Sensor Networks, in Australian Telecommunication Networks and
Applications Conference, 2006, pp. 26-30.
[34] C. Y. Hu, and A. Perrig, Wormhole Attacks in Wireless Networks,
IEEE J. Sel. Areas Commun., vol. 24, no. 2, pp. 370-380, 2006.
[35] R. Maheshwari, J. Gao, and S.R. Das, Detecting Wormhole Attacks
in Wireless Sensor Networks Using Connectivity Information, in
INFOCOM 2007, pp. 107-115, 2007.
[36] L. Hu and D. Evans, Using Directional Antennas to Prevent Wormhole
Attacks, in 11th Network and Distributed System Security Symposium,
2003, pp. 131-141.
[37] M. Cagalj, S. Capkun, and J.-P. Hubaux, Wormhole-Based AntiJamming Techniques in Sensor Networks, IEEE Trans. Mobile Computing, vol. 6, no. 1, pp. 100-114, 2007.
[38] H. Chen, P. Han, X. Zhou, and C. Gao, Lightweight Anomaly Intrusion
Detection in Wireless Sensor Networks, in PAISI 2007, LNCS 4430,
pp. 105-116.
[39] J. Newsome, E. Shi, D. Song, and A. Perrig, The Sybil Attack in Sensor
Networks: Analysis and Defense, in IEEE/ACM IPSN04, 2004, pp.
259-268.
[40] H. Yu, M. Kaminsky, P. B. Gibbons, and A. Flaxman, SybilGuard:
Defending Against Sybil Attacks via Social Networks, in ACM SIGCOMM 2006, pp. 267-278.
[41] W. Jiangtao, Y. Geng, S. Yuan, C. Shengshou, Sybil Attack Detection
Based on RSSI for Wireless Sensor Networks, in WiCom 2007, pp.
2684-2687.
[42] D. Mukhopadhyay and I. Saha, Location Verification Based Defense
Against Sybil Attack in Sensor Networks, in ICDCN 2006. LNCS
4308, Springer-Verlag 2006, pp. 509-521.
[43] S. Marti, T.J. Giuli, K. Lai, and M. Baker, Mitigating Routing Misbehavior in Mobile Ad hoc Networks, in MobiCom00, 2000, pp. 255265.
[44] I. Onat, and A. Miri, A Real-Time Node-Based Traffic Anomaly
Detection Algorithm for Wireless Sensor Networks, in ICW 2005, pp.
422-427.
[45] S. Jian-hua and M. Chuan-Xiang, Anomaly Detection Based on DataMining for Routing Attacks in Wireless Sensor Networks, in CHINACOM 07, 22-24 Aug. 2007, pp. 296-300.
[46] Q. Wang and T. Zhang, Detecting Anomaly Node Behavior in Wireless
Sensor Networks, in AINAW, pp. 451-456, 2007.
[47] S. Gupta, R. Zheng, and A. Cheng, ANDES: an Anomaly Detection
System for Wireless Sensor Networks, in MASS 2007, pp. 1-9, 2007.
[48] TinyOS, http://www.tinyos.net/
[49] J. Kim, P. Bentley, C. Wallenta, M. Ahmed, and S. Hailes, Danger is
Ubiquitous: Detecting Malicious Activities in Sensor Networks using
the Dendritic Cell Algorithm, in ICARIS, LNCS 4163, 2006.
[50] Y. Liu and F. Yu, Immunity-Based Intrusion Detection for Wireless
Sensor Networks, in International Joint Conf. on Neural Networks,
2008, pp. 439-444.
[51] S. Shaust and H. Szczerbicka, Misbehavior Detection for Wireless
Sensor Networks Necessary or Not?, in 6th Fachgesprach Drahtlose
Sensornetze der GI/ITG-Fachgruppe Kommunikation und Verteilte
Systeme, Germany, 2007, pp. 51-54.
[52] S. Misra, K. Abraham, M.S. Obaidat, and P. Venkata Krishna, LAID: a
Learning Automata-based Scheme for Intrusion Detection in Wireless
Sensor Networks, Security and Communication Networks, vol. 2, pp.
105-115, 2008.
[53] T.H. Hai, E.-N. Huh, and M. Jo, A Lightweight Intrusion Detection
Framework for Wireless Sensor Networks, Wireless Communications
and Mobile Computing, vol. 10, no. 4, April, 2009.
[54] P. Levis, N. Lee, M. Welsh, and D. Culler, TOSSIM: Accurate and
Scalable Simulation of Entire TinyOS Applications, in 1st International
Conference on Embedded Networked Sensor System, 2003, pp. 126137.
ABDUVALIYEV et al.: ON THE VITAL AREAS OF INTRUSION DETECTION SYSTEMS IN WIRELESS SENSOR NETWORKS
[81]
[82]
[83]
[84]
[85]
[86]
[87]
[88]
[89]
[90]
[91]
[92]
[93]
[94]
[95]
[96]
[97]
[98]
[99]
Networks based on a Reputation System Coupled with Kernel Selforganizing Maps, Integrated Computer-Aided Engineering, vol. 17, no.
2, 2010, pp. 87-102.
Y. Zhang, N. Meratnia, and P. Havinga, Outlier Detection Techniques
for Wireless Sensor Networks: A Survey, IEEE Commun. Surveys
Tutorials, vol. 12, no. 2, 2010.
S. Misra, P.V. Krishna, and K.I. Abraham, A Simple Learning
Automata-based Solution for Intrusion Detection in Wireless Sensor
Networks, Wireless Communications and Mobile Computing, Special
Issue on Architectures and Protocols for Wireless Mesh, Ad Hoc, and
Sensor Networks, vol. 11, no. 3, 2011, pp. 426-441.
S. Rajasegarar, C. Leckie, J.C. Bezdek, and M. Palaniswami, Centered
Hyperspherical and Hyperellipsoidal One-Class Support Vector Machines for Anomaly Detection in Sensor Networks, IEEE Trans. Inf.
Forens. Security, vol. 5, no. 3, 2010, pp. 518-533.
S.S. Wang, K.Q. Yan, S.C. Wang, and C.W. Liu, An Integrated Intrusion Detection System for Cluster-based Wireless Sensor Networks,
Expert Systems and Applications, vol. 38, no. 12, 2011.
T. Bhattasali, and R. Chaki, A Survey of Recent Intrusion Detection
Systems for Wireless Sensor Network, in 4th International Conference
on Network Security and Applications (CNSA-2011), Springer, 2011,
pp. 268-280.
S. Shin, T. Kwon, G.Y. Jo, Y. Park, and H. Rhee, An Experimental
Study of Hierarchical Intrusion Detection for Wireless Industrial Sensor
Networks, IEEE Trans. Ind. Informat., vol. 6, no. 4, 2010, pp. 744-757.
T.M. Mubarak, S.A. Sattar, A. Rao, and M. Sajitha, A Collaborative,
Secure and Energy Efficient Intrusion Detection Method for Homogeneous WSN, in International Conference on Advances in Computing
and Communications (ACC-2011), Springer, 2011.
W.T. Zhu, J. Zhou, R.H. Deng, and F. Bao, Detecting Node Replication
Attacks in Mobile Sensor Networks: Theory and Approaches, Security
and Communication Networks, 2011.
J. Lopez, R. Roman, and C. Alcaraz, Analysis of Security Threats, Requirements, Technologies and Standards in Wireless Sensor Networks,
in Foundations of Security Analysis and Design 2009, LNCS 56705,
August 2009, pp. 289-338.
R. Roman, J. Lopez, and S. Gritzalis, Situation Awareness Mechanisms
for Wireless Sensor Networks, IEEE Commun. Mag., vol. 46, no. 4,
April 2008, pp. 102-107.
R. Roman, J. Lopez, and P. Najera, A Cross-layer Approach for
Integrating Security Mechanisms in Sensor Networks Architectures,
Wireless Communications and Mobile Computing, vol. 11, no. 2,
February 2011, pp. 267-276.
A. Perrig, and L. van Doorn, Refutation of On the Difficulty of
Software-Based Attestation of Embedded Devices. Technical Report,
Carneige Mellon University, 2010.
A. Francillon, C. Castelluccia, D. Perito, and C. Soriente, Comments
on Refutation of On the Dificulty of Software-Based Attestation of
Embedded Devices, Technical Report, INRIA, 2010.
C. F. Hsieh, Y. F. Huang, and R.C. Chen, A Light-weight Ranger
Intrusion Detection System on Wireless Sensor Networks, in ICGEC
2011, November 2011, pp. 49-52.
M.S. Islam, and S. AshiqurRahman, Anomaly Intrusion Detection
System in Wireless Sensor Networks: Security Threats and Existing
Approaches, in Int. J. Advanced Science and Technology, vol. 36,
November 2011.
S.K. Singh, M.P. Singh, and D.K. Singh, Intrusion Detection based
Security Solution for Cluster-based Wireless Sensor Networks, in Int.
J. Advanced Science and Technology, vol. 30, May 2011.
H. Jadidoleslamy, A High-Level Architecture for Intrusion Detection
on Heterogeneous Wireless Sensor Networks: Hierarchical, Scalable
and Dynamic Reconfigurable, in Wireless Sensor Network, vol. 3,
2011, pp. 241-261.
E.N. Huh, and T.H. Hai, Lightweight Intrusion Detection for Wireless
Sensor Networks, in Intrusion Detection Systems, Pawel Skrobanek
(Ed.), InTech, 2011.
CERP-IoT Cluster, Visions and Challenges for Realising the Internet
of Things, European Commission, 2010.
1237
Abror Abduvaliyev received his M.Eng in Computer Engineering in 2010 from Kyung Hee University, South Korea. He holds B.Sc degree with honors in Electronic Commerce from Tashkent University of Information Technologies (TUIT), Tashkent,
Uzbekistan, 2008. He is currently a security analyst
at Citibank. His research interests include wireless
sensor networks, Internet of Things and intrusion
detection systems. He is a student member of IEEE,
ACM and member of IACSIT.