
Page 1: On the Vital Areas of Intrusion Detection Systems in ...staff.iium.edu.my/sakib/ndclab/papers/ieee_survey-WSN.pdf · power, memory and battery. Especially, in a wireless sensor network,


On the Vital Areas of Intrusion Detection Systems in Wireless Sensor Networks

Abror Abduvaliyev, Al-Sakib Khan Pathan, Jianying Zhou, Rodrigo Roman and Wai-Choong Wong

Abstract—This paper surveys recently proposed works on Intrusion Detection Systems (IDS) in WSNs, and presents a comprehensive classification of various IDS approaches according to their employed detection techniques. The three main categories explored in this paper are anomaly detection, misuse detection, and specification-based detection protocols. We give a description of existing security attacks in WSNs and the corresponding proposed IDS protocols to tackle those attacks. We analyze the works with respect to the network structure of WSNs. In addition, we highlight various critical shortcomings that IDSs currently have and define future research tracks for IDSs in wireless sensor networks. Though a few restricted survey works on this topic have already been done, we feel that there is a great need of performing a detailed and comprehensive study on the vital aspects so that the IDS in WSN could be analyzed from all the need-to-know angles. Thus, the paper's main aim is to include the most recent advancements in this area as well as to predict the future course of research so that the general as well as expert readers could be greatly benefited.

Index Terms—Intrusion detection, wireless sensor networks, anomaly, misuse, specification-based

I. INTRODUCTION

In many WSN (Wireless Sensor Network) application scenarios security is a very important concern; especially the applications designed for WSNs deployed in hostile environments and commercial applications. With the level of importance of security in a WSN application, ensuring it to the expected level also becomes relatively more difficult than its other wireless network counterparts. In fact, security in WSN has a great number of challenges that may not be seen in other types of wireless networks. This is due to many reasons like the broadcast nature of wireless communications, limited resources of the sensor nodes, unattended environment where sensor nodes might be susceptible to physical attacks, etc. [1], [2], [10]. Security solutions like authentication, cryptography or key management can enhance the security of WSNs. Nevertheless, these solutions alone cannot prevent all possible attacks. As a wide range of attacks can be launched by compromised nodes in a WSN (i.e., nodes that appear to be legitimate in the network but are not, or are working for another party [7], [11]), a second line of defense like an Intrusion Detection System (IDS) [3], [77] is needed.

A. Abduvaliyev and W. C. Wong are with the Department of Electrical and Computer Engineering, National University of Singapore (NUS), Singapore.

A.S.K. Pathan is with Department of Computer Science, International Islamic University Malaysia (IIUM), Kuala Lumpur, Malaysia.

J. Zhou and R. Roman are with Institute for Infocomm Research (I2R), Singapore.

An IDS, which has been successfully implemented in wired networks, can detect the misbehavior of participating nodes and notify other nodes in the network to take appropriate countermeasures. However, an IDS scheme designed for wired networks cannot be applied directly to WSNs because of their specific network characteristics such as limited processing power, memory and battery. Especially, in a wireless sensor network, an IDS is an important security mechanism against both insider and outsider attacks [16]. It focuses on detection of misbehavior or malicious nodes. When an IDS detects a sensor node misbehaving, it tries to isolate that malicious node from the network.

In recent years, many IDSs have been proposed for various WSN structures (flat, cluster, hierarchical). However, there is still a great need of a comprehensive survey on the recent developments in this particular area. In fact, in spite of the presence of some partial works like [15], [79], [81], [85], till this date there has not been any survey paper that collects all the significant IDSs and gives overviews of those works in terms of the underlying techniques they use along with important observations and obtained results. Thus, the main purpose of this work, besides providing readers with a reference paper on IDS in WSN, is to analyze the vital areas of IDS for WSN from various angles. We present not only the most well-known threats, but also introduce some less-known security attacks which need to be detected and prevented as well. We critically analyze works that have been proposed over the last decade and discuss the current state-of-the-art in this research area. We also classify these IDSs based on their detection techniques, analyze them with respect to the existing WSN network structures, and highlight various underdeveloped areas that need to be further researched.

The rest of the paper is organized as follows: Section II gives the background of intrusion detection systems in WSN. The major security threats and attacks against WSNs are explored in Section III. Section IV reviews the significant IDS approaches proposed for WSNs. In Section V, we discuss a few key issues and finally, Section VI concludes the paper based on our findings and analysis.

II. INTRUSION DETECTION SYSTEMS IN WSN

It is in reality extremely difficult to design a network where attackers cannot find some way to break it. In fact, networks should seriously consider the integration of self-awareness and fault tolerance capabilities. That is, not only to assume that problems will appear in one way or another, but also to provide some mechanisms that will detect and reduce the impact of a particular threat. Therefore, we need a second line of defense that can detect attackers or intruder nodes. An IDS is able to detect misbehaving nodes and inform neighbor nodes to take proper countermeasures [5]. The actual detection mechanisms are implemented in specific elements known as IDS agents.

Although some type of IDS is used as a major prevention mechanism in wired and ad hoc networks, it is infeasible to apply that directly in wireless sensor networks, mainly because of the vast difference in their network characteristics (specificity, autonomy, self-configurability, long lifetime, deployment location, and (limited) mobility [89]). This complicates the design of the security mechanisms. It is also a fact that the computing and power resources of sensor nodes are more constrained than those of ad hoc nodes [4]. Thus, WSNs demand a novel and lightweight design of IDS.

There are three main approaches that an IDS can use to classify the attacks:

1) Misuse detection: The action or behavior of nodes is compared with well-known attack patterns. In this case, these patterns must be defined and given to the system. The disadvantages are that this technique needs knowledge to build attack patterns and that it is not able to detect novel attacks. In addition, someone always has to update the database of attack patterns. These drawbacks significantly reduce the efficiency of this approach in terms of system management, as the administrator of the network always has to provide IDS agents with an up-to-date database. At the current stage, most of the known attacks are only the results of some assumptions or imitated from other classic networks. Whether these well-known attacks or any unknown security attack would be a serious problem for sensor networks still remains unclear.

2) Anomaly detection: This technique does not search for specific attack patterns, but instead it checks whether the behavior of the nodes can be considered as normal or anomalous. The approach first describes the actual features of a normal behavior, which are established by using automated training. Afterwards, it flags any activities that deviate from these behaviors as intrusions. If a sensor node does not act according to the defined specification of a particular protocol, the IDS would have high confidence to decide that the node is malicious. The wrong decisions made by IDS in terms of false positive and false negative alarms affect the accuracy of detection. Hence, the disadvantage of this methodology is that the system can exhibit legitimate but unseen behavior, which could lead to a substantial false alarm rate. Also, an intrusion that does not exhibit anomalous behavior may not be detected, resulting in false negatives.

3) Specification-based detection: This technique combines the aims of misuse and anomaly detection mechanisms, as it is focused on discovering deviations from normal behaviors that are defined neither by machine learning techniques nor by training data. In fact, the specifications that describe what can be considered as normal behavior are defined manually. Any action is monitored with respect to these specifications. The drawback of this approach is the manual development of all specifications, which is a time-consuming process for human beings. Another disadvantage of this technique is that it cannot detect malicious behaviors which do not violate defined specifications of the IDS protocol. Note that, in some particular cases, misuse and anomaly-based detection techniques can be used side by side, giving birth to hybrid detection mechanisms.

Details of particular IDS models and techniques are discussed later in the paper.

III. SECURITY THREATS AND TYPES OF ATTACKS IN WSN

There are several well-known and a few less-known security attacks that exist in wireless sensor networks. In this section, we discuss these security attacks in brief with respect to their countermeasures. Almost all of the attacks described below focus on the limitations of routing protocols in WSNs [6]. However, some unknown attacks that are launched considering other security constraints of the network are presented as well. Table I introduces a brief summary of well-known and less-known (or, less studied) security attacks and their characteristics in terms of attack behaviors and techniques. In addition, the relevant detection techniques for the attacks are highlighted in the table. Later in Section IV, we will discuss some of these techniques in terms of their benefits and drawbacks.

A. Denial of Service (DoS) Attacks

We consider any type of intentional activity that can disrupt, subvert or even destroy the network as a Denial of Service (DoS) attack.

Basically, DoS attacks can be categorized into three types:

• Consumption of scarce, limited or non-renewable resources.
• Destruction or alteration of configuration information.
• Physical destruction or alteration of network resources.

In the context of WSN, DoS attacks that target the network resources are one of the most significant: the hardware of sensor nodes is usually very constrained, and attackers can try to overload them. Other DoS attacks that are very destructive are jamming and tampering attacks. Jamming is the deliberate interference of the wireless communication channel. In fact, sensor nodes are very vulnerable to this type of physical attack [37]. Tampering is another type of physical attack, which targets the actual hardware of the sensor nodes (e.g. sensitive chips, sensor hardware). While it is difficult to know whether any particular DoS situation is caused intentionally or unintentionally, there are some detection methods that help to thwart each type of DoS attack [72]. Still, tampering attacks remain an open issue.

B. Sinkhole/Blackhole Attacks

In this attack, a malicious node acts as a blackhole [22] to pull in all the traffic in the network. The attacker listens to the route requests and then replies to the target node informing that it has the shortest path to the base station. A victim node is enticed to select it as a forwarder for its packets. Once a malicious node puts itself between the base station and sensor node, it is able to do whatever it wants (drop all packets, change the content, etc.) with the packets that pass through it. This type of attack can be very harmful for sensor nodes that are deployed considerably far from the base station. We have to keep in mind that Blackhole and Sinkhole attacks are basically the same attacks by definition. Some recent works have addressed this attack and possible IDSs have been proposed in [11], [19], [23], [24].

TABLE I: Security attacks in WSNs

| Well-known: Name | Well-known: Characteristics | Less-known (or, Less Studied): Name | Less-known (or, Less Studied): Characteristics |
|---|---|---|---|
| DoS attacks in different layers [21], [37], [38] | Flooding, jamming, misdirection | Fabrication during reprogramming [69] | Unsecure reprogramming process with bogus messages |
| Sinkhole/Blackhole [1], [11], [23], [24] | Shortest path, drop the packets | External stimuli [71] | Use external physical stimuli to create a large number of packets |
| Selective forwarding [25], [26], [27], [28], [29] | Selectively drop the packets | Homing [71] | Hamper the normal functioning of cluster heads |
| The node replication [30], [31], [88] | Add extra node to the network with the same cryptographic secrets | Neglect and greed [70] | Deny transmission of legitimate packets and give higher priority to own packets |
| HELLO flood [32] | Flood with HELLO packets | Unfairness [70] | Unfair resource allocation on MAC protocols |
| Wormhole [18], [20], [33], [34], [35], [36], [73] | Offer less number of hops and less delay which is fake | Forced delay [89] | A node delays packets within its forwarding component |
| Sybil [28], [39], [40], [41], [42], [76] | A malicious node pretends to be more than one node | | |

C. Selective Forwarding

Multi-hop networks like WSNs rely on the assumption that all nodes in the network will faithfully forward the received messages to the base station. In these attacks, a malicious node in the routing path acts as a normal node by forwarding messages, but selectively drops sensitive packets, which is hard for the system to detect. This attack is independent from the Sinkhole/Blackhole attacks, although a malicious node can make use of them to increase its effect in the network. As possible solutions to detect this type of attack, some secure routing algorithms and IDSs using different techniques have been proposed in [19], [25], [26], [27], [29].

D. The Node Replication Attacks

As sensor nodes are constrained in terms of resources and usually deployed in unattended/public environments, an attacker can easily capture, analyze and extract their secrets. In this particular attack, an attacker seeks to add one or more nodes in a network that use the same cryptographic secrets as any other legitimate node in that network. This kind of attack may have severe consequences, like corruption of data by the adversary or even disconnection of some critical parts of the network. For example, a replicated node can send advertising information that is not consistent with the state of the network (i.e. feature advertising [90]) in order to manipulate a certain neighborhood. Some centralized detection schemes, neighborhood-voting protocols, distributed detection techniques, and mobile-oriented statistics mechanisms have been proposed in [30], [31] and [88] to discover the existence of these attacks.

E. HELLO Flood Attacks

Many routing protocols need to broadcast HELLO packets in order to discover one-hop neighbors. This attack uses such packets as a weapon to attract sensor nodes. In particular, an attacker with a large radio range and enough processing power can send HELLO packets to a large number of sensor nodes by flooding an entire section of the network. A node which receives such a packet may assume that the attacker is within normal radio range. Hence, sensor nodes can be persuaded that the adversary is their neighbor. Possible solutions to detect this type of attacks could be the use of bidirectional verification of links, secure multipath routing, and use of multiple base stations [32].

F. Wormhole Attacks

In this attack, an attacker records the packets at one location in the network and tunnels those to another location with the help of a long-range wireless channel or an optical link. Wormhole attack is another significant and serious threat to WSNs: this attack can be launched even if the attacker has not compromised any node, because packets are broadcast and can be overheard by anyone. Attackers offer fewer hops and less delay than other normal routing paths, thus sensor nodes are enticed to send data through them. There are various types of wormhole attacks. In fact, in a recent work, Sharif and Leckie propose three types of wormhole attacks namely Energy Depleting Wormhole Attack (EDWA), Indirect Wormhole Attack (IBA), and Targeted Energy Depleting Wormhole Attack (TEDWA) [33]. There are also many wormhole detection techniques, which make use of connectivity information [35] or even additional hardware mechanisms such as directional antennas [36].

G. Sybil Attacks

In many applications, sensor nodes need to collaborate with other nodes in order to accomplish a certain task; applications can then implement various management policies to distribute subtasks to different nodes. In this attack, a malicious node can pretend to be more than one node at the same time using the identities of other legitimate nodes, effectively thwarting the collaboration process. This is known as a Sybil attack, and has been studied by Newsome et al. in [39]. By using this attack, a malicious node can target the routing mechanisms, the data aggregation processes, and even the misbehavior detection techniques. As possible countermeasures, we can use logically centralized authority (base station or cluster head) in the network. Some other recent IDSs could be found in [28], [40], [41], [42], [76], [78].

H. Other Security Attacks in WSNs

There are a few less-known (or, commonly unknown or less-studied) security threats that exist in WSNs. These attacks mostly concentrate on service availability (i.e., DoS) of the networks in different layers. We briefly describe them in the following paragraphs.

1) Fabrication during reprogramming: The application layer can be vulnerable to this attack if a WSN application allows reprogramming of the network. Reprogramming of the network may be needed for maintenance and network management purposes: operators do not need to physically access the sensor nodes in order to refine or change their behavior [69]. If the reprogramming process is not secure enough, the attackers not only can cut off a portion of the network by using bogus messages, but also can control the whole network by exploiting particular vulnerabilities.

2) External stimuli: A possible attack against WSNs in the application layer could be launched by using some external physical stimuli. The attacker uses these external stimuli to stimulate the nodes with a large number of important events (e.g. high temperature alerts), which must be sent directly to the base station. However, this attack is not effective when packets are sent at predefined regular intervals. One IDS technique detects attackers in the network whenever a particular region creates a large number of packets within a short period of time [71].

3) Homing: In various WSN applications, leader nodes (e.g. cluster heads) can be given special responsibilities such as managing keys, maintaining a local group of nodes, etc. In this attack, the attackers hamper the normal functioning of leader nodes within a WSN application [71], trying to handle and eavesdrop on their activities. Moreover, attackers can try to become leader nodes by manipulating the election process, effectively gaining control of an entire group (e.g. cluster).

4) Neglect and greed: A neglecting node is a node that not only gives undue priority to its own packets, but also can deny the transmission of legitimate packets in case of network congestion. This attack is a special case of selective forwarding attack, as the greedy node may still acknowledge the received packets to the sender, but it drops them randomly and gives excessive priority to its own packets. The protocols which are based on Dynamic Source Routing (DSR) are the most vulnerable to this type of attack [70].

5) Unfairness: This attack is a weaker form of DoS attack located in the link layer. This attack could degrade service for real-time MAC protocols by using unfair resource allocations (e.g. an attacker causes nodes to miss their transmission deadline). Note that providing fairness in WSNs is often viewed as a separate research issue [70].

6) Forced delay: A sensor node deliberately delays packets within its forwarding component, in order to delay the transmission of important events [89]. This attack can be effectively used to degrade the quality of service in systems with near-real-time requirements.

IV. TAXONOMY OF IDS APPROACHES IN WSN

So far, we have discussed various types of security threats in WSNs. These attacks can be tackled by using some specific countermeasures: IDS mechanisms and techniques that make use of different underlying principles. Most of those principles are based on the assumption that there exists a noticeable difference between the behavior of an attacker and the behavior of a legitimate node, such that the IDS can match those preprogrammed or learned rules. Following this assumption, it is clear that IDSs can be classified according to the specific detection technique used for studying the audit data. Therefore, we can classify IDSs into three groups: (a) misuse, (b) anomaly, and (c) specification based.

The misuse detection systems are used to detect known patterns of intrusions while anomaly detection techniques are used to detect new or unknown intrusions. Specification-based detection is based on some deviations from normal behaviors. Fig. 1 shows a taxonomy of IDSs in WSN that complies with this classification.

In the following sections we will introduce the different detection techniques, providing an overview of the underlying concepts that help to separate a legitimate node from a malicious one. Note that, at present, most of the state of the art only provides isolated solutions, and does not consider a scenario where different classes of detection mechanisms can collaborate together within the framework of a unified detection architecture. This and other open issues will be discussed later in Section V.

A. Misuse Detection Schemes

The application of rule-based or misuse detection techniques in the context of a WSN is a complex task. In practice, it is difficult to think exactly as an attacker or to know the motive of the attacker. The administrator of the network has to model attack patterns according to attacks that might occur in future. Moreover, the severe memory constraints of WSNs make misuse-detection based IDSs that need to store attack signatures relatively difficult to implement and less likely to be effective [15]. Thus, there are very few papers that study misuse-detection techniques for WSNs. Still, most of them follow the watchdog approach, where packet monitoring takes place in several specific nodes in the network [43].

1) Watchdog approach: This approach relies on the broadcast nature of the wireless communications and the assumption that sensors are usually densely deployed. Each packet broadcast in the network is not only received by the receiver but also by a set of neighboring nodes within the sender's radio range. In normal cases, neighbor nodes should discard the packet, since they are not actual receivers, but for intrusion detection this can be used as valuable audit data. Hence, a node can activate its IDS agent and monitor the packets sent by its neighbors by overhearing them. Furthermore, to detect attacks with high accuracy of detection, it is not enough to monitor only one node; the system involves more information from other neighbor nodes as well. For instance, to detect a selective forwarding attack, a watchdog should overhear packets arriving at a node and transmitted by that node.

Fig. 1: Taxonomy of IDSs in WSNs

If we want to see whether a node B forwards packets sent by node A, we have to activate watchdogs that reside within the intersection of the radio ranges of A and B. A quick example is given in Fig. 2 where the nodes C, D, and E can be watchdogs for the link between A and B.

Fig. 2: Nodes C, D, and E are watchdogs of the link A to B
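The watchdog placement and the forwarding check described above, as an added example that is not code from the surveyed papers. It assumes a disc radio model with one common range, and the timeout, the drop threshold, node F, next hop S and the packet trace are all constructed for illustration.

```python
import hashlib
import math
from dataclasses import dataclass, field

RADIO_RANGE = 30.0      # metres, same for every node (assumed disc model)
FORWARD_TIMEOUT = 0.5   # seconds B is given to relay a packet (assumed)
DROP_THRESHOLD = 0.3    # fraction of mishandled packets that raises a flag (assumed)

# Constructed layout: C, D, E hear both A and B; F hears B only.
POSITIONS = {"A": (0, 0), "B": (20, 0), "C": (10, 10),
             "D": (10, -10), "E": (10, 0), "F": (45, 0)}


def eligible_watchdogs(positions, sender, forwarder, radio_range=RADIO_RANGE):
    """Nodes inside the intersection of the sender's and forwarder's radio ranges."""
    a, b = positions[sender], positions[forwarder]
    return sorted(n for n, p in positions.items()
                  if n not in (sender, forwarder)
                  and math.dist(p, a) <= radio_range
                  and math.dist(p, b) <= radio_range)


@dataclass
class Watchdog:
    """Overhears the link sender -> forwarder and checks that packets are relayed."""
    sender: str
    forwarder: str
    pending: dict = field(default_factory=dict)  # packet id -> (time heard, payload digest)
    forwarded: int = 0
    dropped: int = 0
    altered: int = 0

    def expire(self, now):
        # A packet not relayed within the timeout counts as dropped.
        for pkt_id, (heard_at, _) in list(self.pending.items()):
            if now - heard_at > FORWARD_TIMEOUT:
                del self.pending[pkt_id]
                self.dropped += 1

    def overhear(self, t, src, dst, pkt_id, payload):
        self.expire(t)
        digest = hashlib.sha256(payload).digest()
        if src == self.sender and dst == self.forwarder:
            self.pending[pkt_id] = (t, digest)       # packet arriving at the forwarder
        elif src == self.forwarder and pkt_id in self.pending:
            _, expected = self.pending.pop(pkt_id)   # packet leaving the forwarder
            if digest == expected:
                self.forwarded += 1
            else:
                self.altered += 1

    def verdict(self, now):
        self.expire(now)
        total = self.forwarded + self.dropped + self.altered
        if total == 0:
            return "no-data"
        bad = (self.dropped + self.altered) / total
        return "suspect" if bad > DROP_THRESHOLD else "ok"


def make_trace(dropped_ids=()):
    """Constructed trace: A sends six packets to B, B relays them to next hop S."""
    trace = []
    for i in range(1, 7):
        t = float(i - 1)
        payload = b"reading-%d" % i
        trace.append((t, "A", "B", i, payload))
        if i not in dropped_ids:
            trace.append((t + 0.1, "B", "S", i, payload))
    return trace


def run_trace(trace, now, sender="A", forwarder="B"):
    watchdog = Watchdog(sender, forwarder)
    for t, src, dst, pkt_id, payload in trace:
        watchdog.overhear(t, src, dst, pkt_id, payload)
    watchdog.expire(now)
    return watchdog


if __name__ == "__main__":
    print("watchdogs for A->B:", eligible_watchdogs(POSITIONS, "A", "B"))
    for name, trace in (("honest", make_trace()), ("selective", make_trace((3, 5)))):
        w = run_trace(trace, now=6.0)
        print(name, w.forwarded, w.dropped, w.altered, w.verdict(6.0))
```

A single watchdog's verdict is only one input: as the text notes, the system combines information from several neighbor nodes before acting on it.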

Some researchers argue that watchdog approaches incur more energy consumption on the sensor nodes, since the nodes must overhear every packet that is not addressed to them. However, each node receives packets sent by neighbor nodes anyway, due to the broadcast nature of the network. Furthermore, the nodes are not able to know if a packet is destined to them unless they receive it and check the packet header. Therefore, the overhead associated to this approach is basically the computational cost of analyzing the packet header and contents in search for attack signatures.

In order to further reduce such overhead, some researchers have studied specific mechanisms that reduce the number of nodes that analyze the packets of the network. In [4], Roman et al. proposed a novel technique for optimal monitoring of neighbors called spontaneous watchdog, which extends the watchdog monitoring mechanism proposed in [43]. The mechanism uses local agents in every sensor node to monitor local activities (i.e., information sent and received by the sensor node), and randomly activated global agents in order to overhear the communications of neighbors. Drawbacks: The problem with this approach is that not all packets can be overheard by a global agent, due to the randomness of the selection process. Another drawback of the work is that it does not deal with the collision of packets, which is highly likely due to the high density of nodes in various wireless sensor network applications.

B. Anomaly Detection Schemes

In WSN, there are many IDS mechanisms that use anomaly detection techniques. These types of systems usually rely on analyzing whether the behavior of sensor nodes can be considered as normal or abnormal according to certain assumptions and metrics. Most researchers have taken this approach as a main method to detect intrusions, as they consider it is easier to apply than misuse or specification based detections. Note, however, that many anomaly detection techniques have inherited some of the strategies that are used in misuse-detection techniques, such as the watchdog approach.

In order to define what can actually be considered as normal behavior, most anomaly detection techniques employ simple assumptions [95] such as:

• Payload of a packet should not be altered or modified.
• Retransmission of a packet must occur in a certain time threshold.
• Same packet can be resubmitted a limited number of times.
• Packet sending rate must be within some limits, etc.

Table II provides an overall comparison of existing anomaly based detection techniques, which will be described in the next subsections, in terms of their energy efficiency, accuracy and memory requirements. Note that, from this table, we can infer that there are no vastly superior detection mechanisms: there is always a tradeoff between the resources (i.e. energy, memory) required to detect the anomalies and the actual accuracy of the detection techniques.

1) Statistical Model-Based Approach: Onat and Miri [3] proposed an anomaly detection based security scheme for WSNs. In their method, each sensor node builds a simple statistical model of its neighbors' behavior, and these statistics are used to detect various attacks such as node impersonation and resource depletion changes. The system features that are used to detect anomalies are the average of the received power and the packet arrival rate. At every node, only the last N packets received from each neighbor are used to calculate the statistics for that neighbor node and each arriving packet is then compared with those values. If the packet conforms to the statistics of the neighbor, it is accepted as a normal behavior. Drawbacks: The authors do not present how the experimental setup was designed. Also the information about the used routing protocol and simulator is missing. Besides, the system cannot detect selective forwarding and wormhole attacks due to the use of simple statistics.

In [44], the same authors present the same main idea of anomaly detection but with different evaluation metrics. Instead of the previously implemented inter-arrival times, the new scheme uses mean and standard deviation metrics in the buffers. A packet is identified as anomalous if the absolute value of the difference between the mean of the received packet buffer and the mean of the intrusion buffer is greater than the standard deviation of the received packet buffer. Drawbacks: Again, no information is given about the number of nodes, how nodes were tested, and the analysis of the communications and computational costs.
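The two-buffer rule above, applied per neighbor to received power, as an added example that is not code from [3] or [44]. The survey does not say how the two buffers are filled, so the buffer sizes, the choice to keep flagged samples out of the received packet buffer, the zero-variance floor and the sample trace are all assumptions.

```python
from collections import deque
from statistics import mean, pstdev


class NeighborPowerMonitor:
    """Per-neighbor sliding-window check on received power (dBm).

    Assumed buffer roles: the "received packet buffer" keeps the last
    `main_size` samples that were accepted as normal; the "intrusion buffer"
    keeps the last `intrusion_size` samples seen, whatever the verdict.
    """

    def __init__(self, main_size=8, intrusion_size=3, min_std=0.5):
        self.main_size = main_size
        self.intrusion_size = intrusion_size
        self.min_std = min_std          # floor so a perfectly flat link does not
        self.received = {}              # flag every 0.1 dB wobble
        self.intrusion = {}

    def observe(self, neighbor, rx_power_dbm):
        """Record one packet; return True if it is flagged as anomalous."""
        received = self.received.setdefault(
            neighbor, deque(maxlen=self.main_size))
        intrusion = self.intrusion.setdefault(
            neighbor, deque(maxlen=self.intrusion_size))
        intrusion.append(rx_power_dbm)

        anomalous = False
        # No verdict until both windows are full (learning period).
        if (len(received) == self.main_size
                and len(intrusion) == self.intrusion_size):
            spread = max(pstdev(received), self.min_std)
            anomalous = abs(mean(received) - mean(intrusion)) > spread

        # Flagged samples stay out of the baseline, so an impersonator
        # cannot pull the neighbor's statistics towards its own signal.
        if not anomalous:
            received.append(rx_power_dbm)
        return anomalous


# Constructed trace: a neighbor normally heard at about -70 dBm, three
# packets from a closer impersonator at -55 dBm, then the real node again.
LEGIT_CYCLE = [-70, -71, -69, -70, -72, -70, -68, -70]


def constructed_trace():
    legit = [LEGIT_CYCLE[i % len(LEGIT_CYCLE)] for i in range(12)]
    return legit + [-55, -55, -55] + [-70, -71, -69]


def flagged_indices(trace, neighbor=7):
    """Indices of the packets in `trace` that the monitor flags."""
    monitor = NeighborPowerMonitor()
    return [i for i, power in enumerate(trace)
            if monitor.observe(neighbor, power)]


if __name__ == "__main__":
    print("flagged packet indices:", flagged_indices(constructed_trace()))
```

On this trace the three impersonated packets are flagged, and so are the first two legitimate packets after them, because the intrusion buffer still holds impersonated samples until it has been flushed.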

2) Clustering Algorithm Based Approach: In [5], Loo et al. developed an intrusion detection scheme for routing attacks that uses a fixed-width clustering algorithm to build a model of normal behavior. Note that here we refer to clustering algorithm as unsupervised learning algorithms, not cluster-based network structure (although this approach can be used in clustered networks). They use this model to detect anomalous traffic patterns. The IDS module is implemented on each sensor node and twelve network traffic patterns are identified. These features are used in the training and testing stages. In the training stage, a fixed-width clustering algorithm is used to build a set of clusters in the feature space. Clusters that contain fewer training traffic samples than a specific threshold are identified as anomalous. During the testing stage, each traffic sample is compared to the cluster set to determine whether it is anomalous or not. Drawbacks: Their method puts too much computation on the sensor node. The authors claim that since the proposed IDS does not require communication between sensor nodes, it significantly reduces the power consumption. However, a statistical analysis of the actual reduction in power consumption compared to other existing IDSs is not provided.
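The training and testing stages just described, as an added example that is not the implementation from [5]. It assumes three hypothetical traffic features already scaled to [0, 1] instead of the paper's twelve, a cluster width of 0.2, a rarity threshold of 10% of the training set, and that a test sample with no cluster within the width is also treated as anomalous.

```python
import math


class FixedWidthClusterIDS:
    """Fixed-width clustering model of normal traffic for one sensor node."""

    def __init__(self, width=0.2, min_fraction=0.10):
        self.width = width                # cluster radius in feature space
        self.min_fraction = min_fraction  # clusters smaller than this share
        self.clusters = []                # of the training set are anomalous

    def _nearest(self, sample):
        """Return (cluster, distance) for the closest centroid, or (None, inf)."""
        best, best_d = None, math.inf
        for cluster in self.clusters:
            d = math.dist(sample, cluster["centroid"])
            if d < best_d:
                best, best_d = cluster, d
        return best, best_d

    def train(self, samples):
        """Single pass: join the nearest cluster if within width, else open one."""
        self.clusters = []
        for sample in samples:
            cluster, d = self._nearest(sample)
            if cluster is not None and d <= self.width:
                n = cluster["count"]
                # Incremental mean keeps memory at one centroid per cluster.
                cluster["centroid"] = [(c * n + x) / (n + 1)
                                       for c, x in zip(cluster["centroid"], sample)]
                cluster["count"] = n + 1
            else:
                self.clusters.append(
                    {"centroid": list(sample), "count": 1, "anomalous": False})
        cutoff = self.min_fraction * len(samples)
        for cluster in self.clusters:
            cluster["anomalous"] = cluster["count"] < cutoff

    def classify(self, sample):
        """Compare one test sample against the trained cluster set."""
        cluster, d = self._nearest(sample)
        if cluster is None or d > self.width:
            return "anomalous: no cluster within width"   # assumption, see lead-in
        if cluster["anomalous"]:
            return "anomalous: rare cluster"
        return "normal"


def constructed_training_set():
    """Constructed data. Hypothetical features per time window:
    (route requests seen, route replies forwarded, packets dropped)."""
    normal = []
    for i in range(40):
        jitter = ((i * 7) % 5 - 2) * 0.01          # deterministic, within 0.02
        normal.append((0.20 + jitter, 0.30 - jitter, 0.05 + abs(jitter)))
    # Two windows of unusual traffic that slipped into the training data.
    rare = [(0.90, 0.10, 0.80), (0.88, 0.12, 0.82)]
    return normal + rare


def trained_ids():
    ids = FixedWidthClusterIDS()
    ids.train(constructed_training_set())
    return ids


if __name__ == "__main__":
    ids = trained_ids()
    for c in ids.clusters:
        print(c["count"], "samples, anomalous =", c["anomalous"])
    for window in [(0.21, 0.29, 0.06), (0.89, 0.11, 0.81), (0.50, 0.90, 0.40)]:
        print(window, "->", ids.classify(window))
```

The per-sample cost is one distance computation per stored cluster, which is the computation the drawback above refers to: it grows with the number of clusters and features the node has to keep.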

A very similar approach to [5] was presented in [45] by Jian-hua et al. The main difference between the two systems is the input of the clustering technique: authors in [45] used the Apriori algorithm to construct the traffic features from the network data. Therefore, the traffic features used in the clustering algorithm can change at different time intervals. For simulation purposes, five training data sets with normal traffic and two testing data sets with DoS and selective forwarding attack instances were used. Benefits: The results show that the algorithm is able to detect both attacks with a high detection rate. The algorithm is adaptive in the sense that each node might have a different detection model. Drawbacks: Providing each node with a local training data set might be infeasible in large WSNs, where the sensor nodes usually receive and forward a large number of packets in addition to their packet processing duty. This issue complicates the applicability of the algorithm in practical environments, or at least would require the sensor nodes to have higher computational capabilities.

In [46], Wang and Zhang proposed an anomaly detection system based on the arrival order of different packets. The system is based on certain assumptions: all sensor nodes can become cluster heads, only communicate with a limited number of nodes, and should follow corresponding protocol specifications. The IDS has two stages: profile learning and anomaly detection. In the profile learning stage, a node traffic profile is created by extracting data from the information flow such as the source and destination addresses and the packet types. In the anomaly detection phase, a pattern matching technique is used to detect any unknown subsequences of packet events. Drawbacks: The limitation of this work is that the algorithm was not evaluated and performance results were not provided.

3) Centralized Approach: A centralized, active anomaly detection system called ANDES was proposed by Gupta et al. in [47]. In this IDS the detection agent is located in the base station, collecting application data, management information (e.g. node ID, hops towards the sink, total transmitted packets, total number of failures to route a packet), and node status information (e.g. normal, unavailable, duplicated and abnormal state), amongst others. All this information can then be combined and analyzed in order to identify possible anomalies. Benefits: This system was implemented in TinyOS [48] on Tmote sky sensor nodes. While the management information might impose a certain overhead as additional management traffic must be acquired, the results obtained from experiments are shown to be positive.

4) Artificial Immune System: In a departure from traditional anomaly detection techniques, the necessity of artificial immune systems (AIS) was discussed in [51]. In this work, Shaust et al. address these biologically inspired algorithms as a possible solution to detect misbehavior in WSNs. They conclude in the paper that AIS is actually a good choice for misbehavior detection in WSNs. In fact, various researchers have used this approach as part of their experiments.

TABLE II: Comparison of anomaly based detection techniques

| IDS | Statistical models based | Clustering algorithm based | Centralized | Artificial immune system | Isolation table | Game theory based | Machine learning |
|---|---|---|---|---|---|---|---|
| Accuracy | Medium | High | High | High/Medium | Low | High/Medium | High |
| Energy efficiency | No detail | Yes | No | No detail | No | No | Yes |
| Memory requirement | No detail | High | Low | No detail | Medium | Medium | High |
| Network structure | Normal | Clustered | Normal | Normal | Clustered | Normal/Distributed | Normal |

For example, Kim et al. [49] showed the similarities between the properties of WSNs and biological immune systems, and introduced a specific AIS, the Dendritic Cell algorithm (DCA), which was used to detect interest cache poisoning attacks in directed diffusion routing. A sensor node that uses directed diffusion for routing packets maintains an interest cache table and a data cache table. When a node receives a packet, directed diffusion updates both caches and extracts the signals and antigens (e.g. bogus interest packets) from the received packets and caches. Such information is then passed to the DCA, which evaluates whether the antigens are benign or malicious. The algorithm was implemented in J-Sim and also was tested in TOSSIM, a WSN simulator [54]. Drawbacks: There is no information available about the performance of the DCA, and there are also no statistical analyses that might prove the effectiveness of the approach.

Another approach based on immunology theory was proposed by Liu and Yu [50], and an overview of its architecture can be seen in Fig. 3. Their algorithm is divided into four phases: (i) self acquisition, (ii) generation, (iii) detection, and (iv) clonal selection. The novelty of this approach lies mainly in the clonal selection phase, which increases the response time of the detection system by accelerating the underlying mechanisms (detectors). Besides, a feedback system is used to reduce false-positive rates. This algorithm was also tested in TOSSIM.

5) Isolation table: In [17], Chen et al. proposed an anomaly detection method for three-level hierarchical WSNs (base station - primary cluster heads - secondary cluster heads) based on an isolation table.

In this method the isolation table records the anomaly information, and the detection agents use it to isolate nodes from the network. Note that these tables can be generated by all cluster heads (secondary cluster heads monitor sensor nodes and primary cluster heads, while primary cluster heads monitor secondary cluster heads), and all tables are forwarded to the base station. As a result, isolation tables can be provided to any node that needs them (e.g. a newly elected cluster head that needs to know the actual state of the network). The applicability of this method was analyzed using the ns-2 simulator. Drawbacks: The results of these simulations show that the method has disadvantages in terms of high energy consumption whenever the number of nodes is increased. In addition, the authors did not consider the influence of node failure and node tampering, which can lead to a growth of the false negative rate. The authors extended their work and provided more insightful details in [75] and [94], but the energy consumption problem is still present.

6) Machine Learning Based Approaches: There are some IDSs that rely on various machine learning techniques. For example, [52], [56], [58], and [68] introduce machine learning and automata-based learning approaches as an anomaly detection tool for wireless sensor networks.

In [52], Misra et al. used a learning automata based approach (which is commonly used in optimization problems) to detect misbehaving nodes. This approach relies on packet sampling, where a proportion of the packets traversing the network are sampled to identify whether they are malicious nodes or not. Decisions are made depending on the feedback of the environment to the automaton in partially favorable or partially unfavorable cases. Benefits: Results obtained from analytical analysis show that the detection rate is high and the energy consumption is low for WSNs. The extended version of the work is presented in [82].

Doumit and Agrawal [58] introduced an anomaly approach based on the structure of naturally occurring events. This approach makes use of hidden Markov models (HMM), which have been applied in IDS for wired networks. It also makes use of the concept of self-organized criticality (SOC), which links complex phenomena to simplistic underlying laws. In particular, SOC provides a prediction on the most probable event (e.g. expected temperature value). If the HMM finds that the event is out of bounds, it raises an alarm. Recent work by Rajasegarar et al. [83] used one class support vector machines (SVM) in order to detect network anomalies. The paper proposes two SVM based approaches that are called centered hyperellipsoidal support vector machine (CESVM) and quarter-sphere support vector machine (QSSVM), respectively. CESVM has advantages in terms of parameter selection flexibility and the computational complexity, but it faces certain limitations in distributed WSNs, as it uses a centralized approach. On the other hand, QSSVM works well in a distributed environment. Benefits: The results from real and simulated data sets show that both approaches achieve high detection accuracy.

7) Game Theory-Based Approaches: Other researchers have applied game theory-based models in intrusion detection mechanisms [7], [59], [60], [61], [62], [63]. Game theory based models can be excellent solutions for wired networks in terms of level of security, but for WSNs, it is necessary to prove their applicability: sensors are equipped with constrained energy sources, and the performance of these models seems to decrease when the number of nodes is large.

Fig. 3: Architecture of Immunity-Based IDS

As an example of these approaches, we can mention the IDS developed by Agah et al. [7], which introduced a non-cooperative game approach to detect misbehaving nodes in clustered sensor networks. This non-cooperative game approach, which formulates an attack-defense game as a non-cooperative two-player nonzero-sum game, achieves Nash equilibrium (i.e. best results for both players) whenever the defense player (i.e. the IDS system) finds and protects the most vulnerable cluster. Consequently, clusters are classified according to their utility and the cost of defending them. Note that the authors also introduced two more techniques (intuitive metric technique and Markov decision process) that could be used to predict the future behavior of the attacker. Drawbacks: The authors claim that this IDS approach can improve the detection rate. However, as every node is provided with a heavy IDS module and learning mechanism, the problem of high energy consumption and communication overhead arises.

C. Specification-Based Schemes

Some specification-based schemes have been proposed as IDS solutions for WSNs. As noted earlier, the main disadvantage of this approach is that the development of attack or protocol specifications is done by human beings. In this case, the administrator or the designer of the network has to manually define the specifications that describe what a correct operation is and monitor any behavior with respect to those constraints.

1) Decentralized Approach: One of the first works in this research track was introduced by Silva et al. in [14]. They proposed a decentralized IDS that is based on several pre-defined rules.

The method has three phases: (i) data acquisition, where packets are collected in a promiscuous mode in order to filter out the important data before storing it, (ii) rule application, where the rules are applied to the stored data, and (iii) detection phase, where the number of raised failures is compared with the expected amount of occasional failures, which defines whether an intrusion has occurred or not. Fig. 4 illustrates the architecture of a monitor node which has an IDS function in addition to sensing and message transmission capabilities. The results obtained from simulations, which tested attacks such as jamming, blackhole and wormhole, show that the method performs well in a simulation environment. Drawbacks: The algorithm is simulated using a WSN simulator made by the authors, whose technical details are unknown. This makes it difficult to rely on the results presented by the authors, as a simplified WSN model may not be something that could be used in practice. Besides, other types of analyses (numerical or probabilistic or logical) should have been added alongside the presented outputs. Moreover, the algorithm has no information about how to select the actual location of the IDS agents in the application.

There are many other works in this topic [8], [9], [12], [55], [74], [86], [87], [96], [97] that use different techniques (e.g. group-based and collaborative) to specify intrusion detection patterns and attack signatures. For instance, Bhuse et al. [55] introduced a specification-based approach for detecting masquerade (sybil) attacks. They propose two techniques which complement each other when used concurrently. The first one is mutual guarding, where the sensor nodes check the source id of received packets for intrusion. The second technique was labeled by the authors as SRP, and consists of the verification of the number of packets sent and received by a certain node. Drawbacks: Simulation results show that the mutual guard method has considerable overhead and it fails to protect nodes when the attacker has a shorter communication range than the sensor nodes.

2) Pre-defined Watchdog Approach: Krontiris et al. have proposed various specification-based IDS in order to detect blackhole [15], selective forwarding [15], and sinkhole [11], [13] attacks in WSNs. Their approach is based on watchdogs, which have pre-defined rules for raising intrusion alerts. An example of one of those rules is as follows: If more than half of the watchdog nodes have raised an alert, then the target node is considered compromised and should be revoked, or the base station should be notified. In defining a threshold value, the authors also take into consideration the loss of messages caused by network anomalies (e.g. wireless noise). The method has three common modules: 1) local monitoring and detection engine, for collecting and analyzing data according to the rules; 2) cooperative detection engine, for making accurate decisions collaboratively; and 3) local response module, for taking appropriate actions if an intrusion is verified by the network. Drawbacks: The method produces very low false-negative and false-positive rates, which is a good thing. However, the actual simulator and experimental settings, which are used to calculate the rates, are not clear.
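The watchdog placement discussed for misuse detection (watchdogs lie in the intersection of the radio ranges of A and B, Fig. 2) combined with the majority rule above, as an added example that is not code from [11], [13] or [15]. The node coordinates, the radio range, the 25% loss tolerance and the overheard-packet log format are assumptions, and the logs are constructed.

```python
import math

# Constructed layout (metres) mirroring Fig. 2: C, D and E sit inside both
# radio ranges; F can only hear B and G can only hear A.
NODES = {"A": (0, 0), "B": (10, 0), "C": (5, 4), "D": (5, -4),
         "E": (5, 8), "F": (20, 0), "G": (-8, 3)}
RADIO_RANGE = 12.0
LOSS_TOLERANCE = 0.25   # share of unforwarded packets blamed on noise/collisions


def watchdogs_for_link(nodes, src, dst, radio_range):
    """Nodes that can overhear both src and dst, i.e. can watch src -> dst."""
    eligible = []
    for name, pos in nodes.items():
        if name in (src, dst):
            continue
        if (math.dist(pos, nodes[src]) <= radio_range
                and math.dist(pos, nodes[dst]) <= radio_range):
            eligible.append(name)
    return sorted(eligible)


def raises_alert(overheard, src, dst, loss_tolerance):
    """One watchdog's local rule for selective forwarding on src -> dst.

    `overheard` is a list of (sender, receiver, packet_id) frames this
    watchdog actually heard. It alerts when the share of packets handed to
    dst that it never heard dst retransmit exceeds the loss tolerance.
    """
    handed = {pid for s, r, pid in overheard if s == src and r == dst}
    forwarded = {pid for s, _r, pid in overheard if s == dst}
    if not handed:
        return False                      # nothing observed, nothing to judge
    unforwarded = len(handed - forwarded) / len(handed)
    return unforwarded > loss_tolerance


def link_verdict(logs, src, dst, loss_tolerance=LOSS_TOLERANCE):
    """Cooperative rule: dst is compromised if more than half of the
    watchdogs raised an alert. Returns (per-watchdog alerts, verdict)."""
    alerts = {w: raises_alert(log, src, dst, loss_tolerance)
              for w, log in logs.items()}
    compromised = 2 * sum(alerts.values()) > len(alerts)
    return alerts, compromised


def make_log(heard_from_a, heard_from_b):
    """Build a constructed overheard-frame log for one watchdog."""
    return ([("A", "B", pid) for pid in heard_from_a]
            + [("B", "SINK", pid) for pid in heard_from_b])


ALL_PACKETS = range(1, 11)


def dropping_node_logs():
    """B forwards only packets 1-4 of 10. E misses half of A's frames."""
    return {"C": make_log(ALL_PACKETS, range(1, 5)),
            "D": make_log(ALL_PACKETS, range(1, 5)),
            "E": make_log(range(1, 6), range(1, 5))}


def honest_node_logs():
    """B forwards everything; noise hides some retransmissions from C and E."""
    return {"C": make_log(ALL_PACKETS, [p for p in ALL_PACKETS if p != 7]),
            "D": make_log(ALL_PACKETS, ALL_PACKETS),
            "E": make_log(ALL_PACKETS, range(1, 8))}


if __name__ == "__main__":
    print("watchdogs:", watchdogs_for_link(NODES, "A", "B", RADIO_RANGE))
    print("dropping B:", link_verdict(dropping_node_logs(), "A", "B"))
    print("honest B:  ", link_verdict(honest_node_logs(), "A", "B"))
```

In the honest case watchdog E alerts because it missed three retransmissions, but a single alert out of three does not reach the majority, so B is not revoked.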

In a more recent work [16], the above authors proposed a cooperative IDS scheme which has been tested in a real environment. The method inherits various extended modules from the authors' previous works. The algorithm is based on defined intrusion detection conditions (IDC), and the authors argue that these conditions are necessary and sufficient to solve the problem of detecting the most important WSN threats. Benefits: In fact, to the best of our knowledge, this paper is one of the few works that give details on a practical implementation of IDS agents in a real environment. The results show that the proposed algorithm is lightweight enough to run on resource constrained sensor nodes such as telosb.

3) Hybrid System Approach: As stated earlier in Section II, the specification-based approach integrates the aims of misuse and anomaly detection techniques. However, some specific IDSs allow both detection techniques to coexist and interact in one single detection agent. That is, such agents will make use of automated training-based anomaly detection techniques and human-made rule-based misuse detection techniques. These approaches are known as hybrid systems.

Hai et al. [65] proposed a hybrid intrusion detection system that integrates both anomaly and misuse techniques. The specific goal of this method is to detect routing attacks in WSNs. For energy efficiency, they use hierarchical WSNs. In the misuse detection module, the authors use pre-defined rules such as packet interval rule, integrity rule, packet delay rule, and radio transmission range rule. Drawbacks: Unfortunately, there is no proper and full explanation of the anomaly detection techniques used in this paper, that is, how to effectively analyze the collected data and how to make a decision on the existence of intrusions.

Later, extended versions of the above work were published by the same leading author (along with others) in [26], [53] and [98]. The methods use two-hop neighbor knowledge in order to prevent routing attacks. Two-hop neighbor knowledge is basically used in broadcasting protocols to reduce the number of packet transmissions such as Source-based Protocol and Dominant Pruning [66]. The two-hop neighbor list is established in each sensor node via a single phase, by modifying the Hello packet. Other parts of this work consist of local and global agents and pre-defined rules. The global agents use the two-hop neighbors list and predefined rules to monitor transmissions in their neighborhood. The method performs well for routing attacks. However, it needs to be tested in different attack scenarios in order to check the effectiveness of the method.

Yan et al. [67] introduce a similar hybrid approach. The algorithm contains a misuse detection model, an anomaly detection model, and a decision making model. The novelty of their method is the use of a back propagation network (BPN) for the anomaly detection module. First, the packet records are given to the anomaly detection model, so as to check for abnormal activities. If activity is determined as abnormal, then it will be forwarded to both the misuse detection model and the decision making model. Then, the misuse detection model analyzes the received data with the help of BPN and sends them to the decision making model. Finally, the decision making model combines the outputs of both models to determine whether or not an output can be considered as an intrusion, and the category of attack. In case of intrusion, the model reports to the base station. Benefits: This approach has been tested by providing comprehensive and detailed simulation results, which can be accessed in [84].

Finally, a dynamic IDS labeled as DIDS was proposed by Huo and Wang in [57]. This work is similar to [64] in terms of used approaches. The method has an event monitor module, a rules record base, a misuse and anomaly detection module, and an alert module. The core architecture of the DIDS is shown in Fig. 5. Benefits: The method was simulated in the ns-2 simulator using 70 nodes. The results obtained by simulations state that their work has some advantages compared to other static IDSs. Drawbacks: The distributed mechanisms implemented in DIDS are able to detect multiple intruders, although at the cost of increasing the energy consumption. Besides, these mechanisms are not tested in a real environment.

V. DISCUSSION ON THE VITAL AREAS

We have so far discussed various types of IDSs in WSNs. Furthermore, we have classified them into different types according to the detection techniques they use. Despite the fact that IDSs are a well-implemented technology in wired networks, there still remains enough scope of research on IDS for WSNs. Precisely, in this section we will highlight various vital areas that have been seldom considered by the previously surveyed major schemes: are there any simulations or real-world implementations that prove the effectiveness of the different IDS mechanisms? In which types of network structures (see Fig. 6) can we integrate the IDS agents? Is there any real architecture/blueprint of a complete IDS system, where different IDS detection mechanisms can be used together in a single agent? How can we implement it? Are there any other issues that we need to consider in the near future?

Fig. 4: Detection phases of decentralized IDS

Fig. 5: Core architecture of DIDS

A. Drawbacks of existing IDS

Here we summarize various drawbacks that almost all of the previously discussed IDS mechanisms have:

• Simulation: Almost no detailed simulations exist for the discussed IDS mechanisms, being anomaly-based or misuse-based. In fact, most of the works do not provide comprehensive analyses or simulations. Note, however, that the lack of real network traces makes it difficult to analyze the effectiveness of an IDS mechanism.

• Real-world implementation: There are very few real-world implementations of IDS schemes (e.g. [16]) in WSNs. Although statistical analyses and simulations are important, such implementations are essential to prove the applicability of the IDS schemes in a real setting.

• Lightweight modules: Energy efficiency is one of the main considerations in designing WSN application modules. Hence, IDS mechanisms should consume as little energy as possible while achieving an acceptable performance. Again, it should be mentioned that heavy IDS mechanisms (e.g. machine learning-based or game theory-based) should be tested and evaluated so as to prove both their effectiveness and their low resource consumption.

• Attack specific: Although many IDS schemes have been proposed to detect malicious attacks, most of them target only one or two specific attacks by using different network and hardware assumptions. Thus, it is very difficult to combine these algorithms into a universal platform. A promising research track would be to choose a set of common criteria based on the features of different attacks.

B. Network structure based analysis

WSN is a highly application-dependent network. Hence, network structures vastly differ depending on the application types. There are mainly three types of network structures: cluster, tree, and hierarchy. We give a brief description of these structures and discuss them with respect to IDSs:

• Tree (flat)-based: In this structure, the base station plays the role of main parent node, and sensor nodes take the roles of leaf nodes or intermediate nodes. The one-hop neighbor nodes of the base station can become parent nodes for the second hop neighbor nodes and this method continues to cover the entire network in this fashion.

• Cluster-based: In this scenario, the network is divided into clusters. Every cluster has its own selected cluster head (CH), which is the bridge between its cluster members and the base station. In addition, cluster heads are often allowed to communicate among themselves for some specific purposes.

• Hierarchical: The network is organized into a tree-like structure with several different types of clusters in it. This structure may have several layers representing parent-child type relationships (at least thematically). Note that this is different than a hybrid model, where a portion of the network is cluster-based while some other portion is tree-based and some other portion may be of hierarchical structure or a combination of all.

Fig. 6 illustrates these network structures, highlighting possible IDS locations where IDSs can provide services in an efficient manner. For instance, in the tree-based structure, global coverage can be achieved if an IDS deploys several (mobile) agents in the leaf nodes and an agent in the parent node (i.e., base station). This helps the IDS to detect attacks with a higher accuracy while reducing the consumption of resources at the same time [4].

In cluster-based network structures, it seems efficient to have one IDS agent for a group of sensor nodes (i.e., installed on cluster head). Assuming that cluster heads are slightly more powerful devices than their cluster members, we can implement powerful IDS modules on them (which may not be efficient on typical sensor nodes).

Furthermore, for hierarchical structures which include both tree-based and cluster-based network structures, it might be a challenging problem to select satisfactory IDS locations. Still, a combination of mobile agents between layers and static agents in cluster heads seems to be a good tradeoff.

In Table III, we present a comparison of various surveyed IDS mechanisms with respect to three types of network structures: hierarchical, tree-based and cluster-based. Our goal is to provide researchers with a reference table that shows explicitly which IDSs can be the best fit for which type of network structure due to their performance, applicability, and other factors. The metrics used in the table, i.e. best, fair, bad, can be interpreted as follows: an IDS algorithm can be well suited for a particular network structure (best), but can also be moderately suitable (fair) or even unsuitable (bad) for other network structures.

C. Other vital issues

Before the concluding remarks, it is necessary to highlight various open issues and implementation strategies that should be taken into account in future developments in this area.

1) Tamper-resistant IDS: There are mainly two places where the IDS mechanisms can be installed; either in a sensor node or in a special, more powerful monitoring node. In both cases, we need to take into account the physical integrity of the nodes when the deployment area is hostile (i.e. there are active attackers trying to hinder the behavior of the IDS). For this particular case, tamper-resistant hardware solutions could be used. However, employing tamper-proof methods would make the network more costly, thus probably only powerful nodes can afford this kind of solution. This is not applicable to distributed IDS, where normal sensor nodes execute part of the IDS global logic. In such a case, the possible solution would be to design low-cost tamper-resistant techniques which can provide resilience to tampering attacks. In fact, some software-based solutions (e.g. attestation) have been proposed and intensely studied (cf. [92], [93]). However, it is necessary to integrate them with existing IDSs. For example, the attestation techniques can become another input of the IDS infrastructure in order to flag any tampered nodes. In addition, after an IDS component produces an alert, it can also test the integrity of the supposedly malicious node using these attestation techniques.

Fig. 6: Three types of network structures with possible IDS locations

TABLE III: Comparison of IDSs with respect to network structure

| Network structure / Techniques | Roman et al. [4] | Onat et al. [3],[44] | Loo et al. [5] | Gupta et al. [47] | Kim et al. [49] | Chen et al. [17] | Misra et al. [52],[82] | Leckie et al. [83] | Agah et al. [7] | Krontiris et al. [11],[13],[15] |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Hierarchical | Bad | Fair | Fair | Bad | Fair | Best | Fair | Best | Bad | Fair |
| Tree-based | Best | Bad | Bad | Best | Fair | Bad | Bad | Fair | Bad | Bad |
| Cluster-based | Fair | Best | Best | Bad | Fair | Fair | Fair | Fair | Best | Fair |

2) Cross-layer IDS: A significant issue of IDS for WSNs is that most of the proposed works target only one specific layer of WSN without taking into account other layers. For instance, Fig. 7 illustrates both an IDS agent that is installed on the application layer and a possible cross-layer IDS solution. The application layer agent might detect only a few types of attacks (e.g., routing attacks) and will miss attacks from other layers (e.g., physical layer). However, a cross-layer IDS solution can be able to detect all types of attacks coming from different layers [91]. Another approach is to use a cross-layer mechanism to manage the intrusion detection mechanisms used in different layers. Not only information can be shared between layers (alerts, layer-specific information), but also all mechanisms can be coordinated. This way, the whole system can have a holistic point of view of all threats.
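An added example, not taken from the paper, of the two integration ideas in items 1) and 2): attestation used as an IDS input, and alerts fused across layers before a suspect node is challenged. All names, the sum-of-strongest-score fusion rule, the threshold and the nonce-bound hash standing in for a real attestation protocol are assumptions; the firmware images and alerts are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from dataclasses import dataclass

# Constructed firmware images; the verifier is assumed to hold the golden copy.
GOLDEN = b"\x00" * 32 + b"sense();route();sleep();"
MODIFIED = b"\x00" * 32 + b"sense();drop();sleep();"

@dataclass(frozen=True)
class Alert:
    layer: str    # "physical", "link", "network" or "application"
    suspect: int  # id of the node the detector blames
    score: float  # detector confidence in [0, 1]

class SensorNode:
    def __init__(self, node_id, firmware):
        self.node_id, self.firmware = node_id, firmware

    def attest(self, nonce):
        # Simplified response: a fresh nonce bound to the program memory.
        # Real schemes add timing and memory-filling checks, omitted here.
        return hashlib.sha256(nonce + self.firmware).digest()

def passes_attestation(node, golden=GOLDEN):
    nonce = os.urandom(16)  # fresh per challenge, so replies cannot be replayed
    expected = hashlib.sha256(nonce + golden).digest()
    return hmac.compare_digest(node.attest(nonce), expected)

class CrossLayerIDS:
    def __init__(self, nodes, threshold=1.0):
        self.nodes = {n.node_id: n for n in nodes}
        self.threshold = threshold
        self.alerts = defaultdict(list)

    def report(self, alert):
        self.alerts[alert.suspect].append(alert)

    def evaluate(self, layers=None):
        """Fuse alerts per suspect; layers=None means every layer is visible."""
        verdicts = {}
        for suspect, alerts in self.alerts.items():
            strongest = {}  # one vote per layer: its strongest alert
            for a in alerts:
                if layers is None or a.layer in layers:
                    strongest[a.layer] = max(strongest.get(a.layer, 0.0), a.score)
            if not strongest:
                continue
            if sum(strongest.values()) < self.threshold:
                verdicts[suspect] = "monitor"
            elif passes_attestation(self.nodes[suspect]):
                verdicts[suspect] = "investigate"  # code intact, cause lies elsewhere
            else:
                verdicts[suspect] = "tampered"
        return verdicts

    def attestation_sweep(self):
        """Attestation as an IDS input of its own: ids of nodes that fail."""
        return sorted(i for i, n in self.nodes.items() if not passes_attestation(n))

def build_demo():
    nodes = [SensorNode(3, GOLDEN), SensorNode(5, GOLDEN),
             SensorNode(7, MODIFIED), SensorNode(9, MODIFIED)]
    ids = CrossLayerIDS(nodes)
    for layer, suspect, score in [  # constructed alerts
            ("physical", 7, 0.5), ("network", 7, 0.6), ("application", 7, 0.4),
            ("network", 3, 0.7), ("network", 3, 0.9), ("link", 3, 0.3),
            ("application", 5, 0.4)]:
        ids.report(Alert(layer, suspect, score))
    return ids

if __name__ == "__main__":
    print(build_demo().evaluate())
```

With only the application-layer alerts visible, node 7 stays below the threshold and is never challenged; the sweep also flags node 9, which raised no alert at all.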

3) Dynamic IDS: Little work has been done on IDS for mobile WSNs. In fact, applying IDS for mobile nodes or in presence of dynamic change of network topology is a very challenging task. Besides, IDS should take into account auto-configurability and scalability with respect to dynamic network topologies or communication failures.

4) IDS Architecture: In the literature of IDS for WSNs there is a particular factor that has been rarely discussed: the architecture or template of the IDS itself. By architecture, we refer to the overall architecture of WSN-specific IDS systems: a template that can be filled with different mechanisms. Some existing IDS approaches ([14], [51], [57], [90]) provide a partial architecture, where the detection mechanisms can interact with other software elements of the sensor node. Still, these partial architectures seldom take into account the possibility of integrating different detection and control modules. The existence of such IDS template must be considered in order to allow the creation of well-adapted IDS that can respond to the particular threats that can affect a specific application.


Fig. 7: IDS installed on application layer and possible cross-layer IDS

5) Internet-enabled IDS: Within the vision of the Internet of Things (IoT) [99] every object will have its own IP address, which makes them identifiable and reachable through the Internet. In fact, WSN are considered as one of the pillars of the IoT, thus experts are building IPv6-enabled WSN applications and protocols. Consequently, next generation Internet applications using IPv6 will be able to communicate with sensor nodes. However, once sensor nodes become citizens of the Internet, they will inherit not only the advantages (e.g. connectivity with anyone) but also the disadvantages including new threats and old attacks (e.g. Internet-based DoS). In fact, albeit very challenging, the problem of developing IDS mechanisms that cope with these novel circumstances is worth further studying.

VI. CONCLUSIONS

In this work, we have provided a detailed and comprehensive study on IDSs in wireless sensor networks, classifying them according to their underlying mechanisms. In addition, we have briefly introduced the existing security attacks in WSNs and their respective countermeasures. Furthermore, we have provided a critical analysis of the IDS mechanisms with respect to network structure, highlighting various vital areas that are currently underdeveloped.

Based on our observations and findings we can conclude that, while the field of IDS for WSN has advanced significantly in these last years, there are still various research areas (e.g. IDS architectures, balance between accuracy and consumption of resources, novel scenarios, better integration of underlying mechanisms) that need to be further developed. We hope that our results will be beneficial for both beginners and active researchers in this area.

ACKNOWLEDGMENTS

The work has been supported by NDC Lab., KICT, IIUM, Malaysia project PCS3-S001-2012-4800 and project grant NRF2007IDM-IDM002-069 on Life Spaces from the IDM Project Office, Media Development Authority of Singapore.

REFERENCES

[1] Y. Zhou, Y. Fang, and Y. Zhang, Securing Wireless Sensor Networks: A Survey, IEEE Communications Survey, vol. 10, no. 3, pp. 6-28, 2008.

[2] A.-S. K. Pathan, H.-W. Lee, and C.S. Hong, Security in Wireless Sensor Networks: Issues and Challenges, in 8th International Conference on Advanced Communication Technology (IEEE ICACT 2006), Volume II, 20-22 February, Phoenix Park, Korea, 2006, pp. 1043-1048.

[3] I. Onat and A. Miri, An intrusion detection system for wireless sensor networks, Wireless and Mobile Computing, Networking And Communications, vol. 3, 2005, pp. 253-259.

[4] R. Roman, J. Zhou, and J. Lopez, Applying intrusion detection systems to wireless sensor networks, in Consumer Communications and Networking Conference, 2006, pp. 640-644.

[5] C.E. Loo, M.Y. Ng, C. Leckie, and M. Palaniswami, Intrusion detection for routing attacks in sensor networks, International Journal of Distributed Sensor Networks, vol. 2, pp. 313-332, 2006.

[6] Y. Wang, G. Attebury, B. Ramamurthy, A survey of security issues in wireless sensor networks, IEEE Communication Surveys, vol. 8, pp. 2-23, 2006.

[7] Afrand Agah, Sajal K. Das, Kalyan Basu, and Mehran Asadi, Intrusion Detection in Sensor Networks: A Non-Cooperative Game Approach, in 3rd IEEE International Symposium on Network Computing and Applications, September 2004, pp. 343-346.

[8] L. Mostarda, A. Navarra, Distributed Intrusion Detection Systems for Enhancing Security in Mobile Wireless Sensor Networks, International Journal of Distributed Sensor Networks, vol. 4, no. 2, pp. 83-109, 2008.

[9] Y. Wang, X. Wang, B. Xie, D. Wang, and P. Agrawal, Intrusion Detection in Homogeneous and Heterogeneous Wireless Sensor Networks, IEEE Trans. Mobile Computing, vol. 8, no. 6, pp. 698-711, 2008.

[10] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, A Survey on Sensor Networks, IEEE Comm. Magazine, vol. 40, no. 8, pp. 102-114, August 2002.

[11] I. Krontiris, T. Dimitriou, Th. Giannetsos, and M. Mpasoukos, Intrusion Detection of Sinkhole Attacks in Wireless Sensor Networks, LNCS, vol. 4837, pp. 150-161, 2008.

[12] L. Guorui, H. Jingsha, and F. Yingfang, Group-based intrusion detection system in wireless sensor networks, Computer Communications, vol. 32, no. 18, pp. 4324-4332, 2008.

[13] I. Krontiris, T. Dimitriou, and Th. Giannetsos, LIDeA: a distributed lightweight intrusion detection architecture for sensor networks, in 4th International Conference on Security and Privacy in Communication Networks, Istanbul, Turkey, 2008.

[14] Ana Paula R. da Silva, Marcelo H. T. Martins, Bruno P. S. Rocha, Antonio A. F. Loureiro, Linnyer B. Ruiz, and Hao Chi Wong, Decentralized intrusion detection in wireless sensor networks, in 1st ACM International Workshop on Quality of service and security in wireless and mobile networks, Montreal, Quebec, Canada, October 2005.

[15] I. Krontiris, T. Dimitriou, and F.C. Freiling, Towards Intrusion Detection in Wireless Sensor Networks, in 13th European Wireless Conference, Paris, France, 2007.

[16] I. Krontiris, Z. Benenson, T. Giannetsos, F.C. Freiling, and T. Dimitriou, Cooperative Intrusion Detection in Wireless Sensor Networks, in EWSN 2009, LNCS, vol. 5432, pp. 263-278, 2009.

[17] R. Chen, Ch. Hsieh, and Y. Huang, A New Method for Intrusion Detection on Hierarchical Wireless Sensor Networks, in ICUIMC-09, Suwon, Korea, January 2009, pp. 238-245.

[18] M. Azer, Sh. El-Kassas, A. Hassan, and M. El-Soudani, Intrusion Detection for Wormhole Attacks in Ad hoc Networks a Survey and a proposed Decentralized Scheme, in 3rd Int. Conf. on Availability, Reliability and Security, 2008, pp. 636-641.

[19] B. Yu and B. Xiao, Detecting selective forwarding attacks in wireless sensor networks, in 20th International Parallel and Distributed Processing Symposium (SSN2006 Workshop), Rhodes, Greece, April 2006, pp. 1-8.

[20] L. Hu and D. Evans, Using Directional Antennas to Prevent Wormhole Attacks, in 11th Annual Network and Distributed System Security Symp. (NDSS04), San Diego, CA, Feb. 2004.

[21] W. Xu, W. Trappe, Y. Zhang, and T. Wood, The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks, in 6th ACM Intl. Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc05), Urbana-Champaign, IL, May 2005.

[22] N. Ahmed, S. Kanhere, and S. Jha, The holes problem in wireless sensor networks: A Survey, ACM SIGMOBILE Mobile Computing and Communications Review, vol. 9, no. 2, pp. 4-18, 2005.

[23] I. Krontiris, T. Dimitriou, T. Giannetsos, and M. Mpasoukos, Intrusion detection of sinkhole attacks in wireless sensor networks, in 3rd International Workshop on Algorithmic Aspects of Wireless Sensor Networks (AlgoSensors07), Wroclaw, Poland, 2007.

[24] E. C. H. Ngai, J. Liu, and M. R. Lyu, An Efficient Intruder Detection Algorithm against Sinkhole Attacks in Wireless Sensor Networks, Computer Communications, vol. 30, pp. 2353-2364, 2007.

[25] S. Kaplantzis, A. Shilton, N. Mani, and Y.A. Sekercioglu, Detecting Selective Forwarding Attacks in Wireless Sensor networks using Support Vector Machines, in ISSNIP 2007, Melbourne, Australia, 2007, pp. 335-340.

[26] T. H. Hai and Eui Nam Huh, Detecting Selective Forwarding Attacks in Wireless Sensor Networks Using Two-hops Neighbor Knowledge, in 7th IEEE International Symposium on Network Computing and Applications, 2008, pp. 325-331.

[27] C. Karlof and D. Wagner, Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures, Elsevier's Ad Hoc Network Journal, Special Issue on Sensor Network Applications and Protocols, pp. 293-315, 2003.

[28] M. Demirbas and Y. Song, An RSSI-based Scheme for Sybil Attack Detection in Wireless Sensor Networks, in IEEE WoWMoM, 2006, pp. 564-570.

[29] C.E. Loo, M.Y. Ng, C. Leckie, and M. Palaniswami, Intrusion detection for routing attacks in sensor networks, International Journal of Distributed Sensor Networks, vol. 2, no. 4, pp. 313-332, 2006.

[30] J. Zhou, T.K. Das, and J. Lopez, An Asynchronous Node Replication Attack in Wireless Sensor Networks, in IFIP TC 11 23rd International Information Security Conference, vol. 278, Boston Springer, 2008, pp. 125-139.

[31] B. Parno, A. Perrig, and V. Gligor, Distributed Detection of Node Replication Attack in Sensor Networks, IEEE S&P, 2005.

[32] M.A. Hamid, M. Mamun-Or-Rashid, and C.S. Hong, Routing Security in Sensor Network: HELLO Flood Attack and Defense, in IEEE ICNEWS 2006, Dhaka, Bangladesh, 2-4 January 2006, pp. 77-81.

[33] W. Sharif and C. Leckie, New variants of Wormhole Attacks for Sensor Networks, in Australian Telecommunication Networks and Applications Conference, 2006, pp. 26-30.

[34] C. Y. Hu and A. Perrig, Wormhole Attacks in Wireless Networks, IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 370-380, 2006.

[35] R. Maheshwari, J. Gao, and S. R. Das, Detecting Wormhole Attacks in Wireless Sensor Networks Using Connectivity Information, in INFOCOM 2007, pp. 107-115, 2007.

[36] L. Hu and D. Evans, Using directional antennas to prevent wormhole attacks, in 11th Network and Distributed System Security Symposium, 2003, pp. 131-141.

[37] M. Cagalj, S. Capkun, and J.-P. Hubaux, Wormhole-Based Anti jamming Techniques in Sensor Networks, IEEE Transactions on Mobile Computing, vol. 6, no. 1, pp. 100-114, 2007.

[38] H. Chen, P. Han, X. Zhou, and C. Gao, Lightweight Anomaly Intrusion Detection in Wireless Sensor Networks, in PAISI 2007, LNCS 4430, pp. 105-116.

[39] J. Newsome, E. Shi, D. Song, and A. Perrig, The Sybil Attack in Sensor Networks: Analysis and Defense, in IEEE/ACM IPSN04, 2004, pp. 259-268.

[40] H. Yu, M. Kaminsky, P. B. Gibbons, and A. Flaxman, SybilGuard: Defending Against Sybil Attacks via Social Networks, in ACM SIGCOMM 2006, pp. 267-278.

[41] W. Jiangtao, Y. Geng, S. Yuan, C. Shengshou, Sybil Attack Detection Based on RSSI for Wireless Sensor Networks, in WiCom 2007, pp. 2684-2687.

[42] D. Mukhopadhyay and I. Saha, Location Verification Based Defense Against Sybil Attack in Sensor Networks, in ICDCN 2006, LNCS 4308, Springer-Verlag, 2006, pp. 509-521.

[43] S. Marti, T.J. Giuli, K. Lai, and M. Baker, Mitigating Routing Misbehavior in Mobile Ad hoc Networks, in MobiCom00, 2000, pp. 255-265.

[44] I. Onat and A. Miri, A Real-Time Node-Based Traffic Anomaly Detection Algorithm for Wireless Sensor Networks, in ICW, 2005, pp. 422-427.

[45] S. Jian-hua and M. Chuan-Xiang, Anomaly Detection Based on Data-Mining for Routing Attacks in Wireless Sensor Networks, in CHINACOM '07, 22-24 Aug. 2007, pp. 296-300.

[46] Q. Wang and T. Zhang, Detecting Anomaly Node Behavior in Wireless Sensor Networks, in AINAW, pp. 451-456, 2007.

[47] S. Gupta, R. Zheng, and A. Cheng, ANDES: an Anomaly Detection System for Wireless Sensor Networks, in MASS2007, pp. 1-9, 2007.

[48] TinyOS, http://www.tinyos.net/

[49] J. Kim, P. Bentley, C. Wallenta, M. Ahmed, and S. Hailes, Danger is Ubiquitous: Detecting Malicious Activities in Sensor Networks using the Dendritic Cell Algorithm, in ICARIS, LNCS 4163, 2006.

[50] Y. Liu and F. Yu, Immunity-Based Intrusion Detection for Wireless Sensor Networks, in International Joint Conf. on Neural Networks, 2008, pp. 439-444.

[51] S. Shaust and H. Szczerbicka, Misbehavior Detection for Wireless Sensor Networks Necessary or Not?, in 6th Fachgespräch "Drahtlose Sensornetze" der GI/ITG-Fachgruppe "Kommunikation und Verteilte Systeme", Germany, 2007, pp. 51-54.

[52] S. Misra, K. Abraham, Md. Obaidat, and P. Venkata Krishna, LAID: a learning automata-based scheme for intrusion detection in wireless sensor networks, Security and Communication Networks, vol. 2, pp. 105-115, 2008.

[53] T. H. Hai, E.-N. Huh, and Minho Jo, A lightweight intrusion detection framework for wireless sensor networks, Wireless Communications and Mobile Computing, vol. 10, no. 4, April 2009.

[54] P. Levis, N. Lee, M. Welsh, and D. Culler, TOSSIM: Accurate and Scalable Simulation of Entire TinyOS Applications, in 1st International Conference on Embedded Networked Sensor System, 2003, pp. 126-137.

[55] V. Bhuse, A. Gupta, and Ala Al-Fuqaha, Detection of masquerade attacks on Wireless Sensor Networks, in ICC07, 2007, pp. 1142-1147.

[56] Z. Yu and J. Tsai, A Framework of Machine Learning Based Intrusion Detection for Wireless Sensor Networks, in SUTC08, 2008, pp. 272-279.

[57] G. Huo and X. Wang, DIDS: A Dynamic Model of Intrusion Detection System in Wireless Sensor Networks, in IEEE ICIA, 2008, pp. 374-378.

[58] S. Doumit and D. P. Agrawal, Self-organized criticality and stochastic learning based intrusion detection system for wireless sensor network, in MILCOM 2003, pp. 609-614.

[59] Y. Ma, H. Cao, and J. Ma, The intrusion detection method based on Game theory in wireless sensor network, in IEEE Ubi-Media Computing, 2008, pp. 326-331.

[60] A. Agah and S. K. Das, Preventing DoS Attacks in Wireless Sensor Networks: A Repeated Game Theory Approach, International Journal of Network Security (IJNS), vol. 5, no. 2, pp. 145-153, 2006.

[61] M. Krishnan, Intrusion Detection in Wireless Sensor Networks, Project Paper, University of California at Berkeley, Unpublished.

[62] Yenumula B. Reddy, A Game Theory Approach to Detect Malicious Nodes in Wireless Sensor Networks, in SENSORCOMM09, Greece, 2009.

[63] Yenumula B. Reddy and S. Srivathsan, Game theory model for selective forward attacks in wireless sensor networks, in 17th Mediterranean Conference on Control and Automat, 2009.

[64] P. Techateerawat and A. Jennings, Energy Efficiency of Intrusion Detection Systems in Wireless Sensor Networks, in WI-IATW06, 2006.

[65] T.H. Hai, F. Khan, and E.N. Huh, Hybrid Intrusion Detection System for Wireless Sensor Networks, in ICCSA 2007, LNCS 4706, pp. 383-396, 2007.

[66] A. Durresi, V. Parucheri, S. Iyengar, and R. Kannan, Optimized broadcast protocol for sensor networks, IEEE Trans. on Computers, vol. 54, no. 8, pp. 1013-1024, 2005.

[67] K. Q. Yan, S. C. Wang, and C. W. Liu, A Hybrid Intrusion Detection System of Cluster-based Wireless Sensor Networks, in IMECS 2009, Hong Kong, 2009, pp. 411-416.

[68] S. Banerjee, C. Grosan, A. Abraham, and P. Mahanti, Intrusion Detection on Sensor Networks Using Emotional Ants, Intl J. of Applied Science and Computations, vol. 12, no. 3, pp. 152-173, 2005.

[69] Q. Wang, Y. Zhu, and L. Cheng, Reprogramming wireless sensor networks: Challenges and Approaches, IEEE Network, pp. 48-55, May 2006.

[70] Yong Wang, Garhan Attebury, and Byrav Ramamurthy, A Survey Of Security Issues In Wireless Sensor Networks, IEEE Communications Surveys and Tutorials, vol. 8, no. 2, 2nd Quarter 2006.

[71] D. R. Raymond and S. F. Midkiff, Denial of Service in Wireless Sensor Network: Attacks and Defenses, IEEE Pervasive Computing, vol. 7, Issue 1, pp. 74-81, March 2008.

[72] J. Kong, Z. Ji, W. Wang, M. Gerla, R. Bagrodia and B. Bhargava, Low-cost attacks against packet delivery, localization and time synchronization services in underwater sensor networks, in 4th ACM Workshop on Wireless Security, 2005, pp. 87-96.

[73] R.d. Graaf, I. Hegazy, J. Horton, and R. Safavi-Naini, Distributed Detection of Wormhole attacks in Wireless Sensor Networks, Ad Hoc Networks, LNCS, vol. 28, no. 1, 2010, pp. 208-223.

[74] Marcus Vincius de Sousa Lemos, Lliam Barroso Leal and Raimir Holanda Filho, A New Collaborative Approach for Intrusion Detection System on Wireless Sensor Networks, in Novel Algorithms and Techniques, Springer, 2010.

[75] R. C. Chen, Ch. F. Hsieh, Y. F. Huang, An Isolation Intrusion Detection System for Hierarchical Wireless Sensor Networks, Journal of Networks, vol. 5, no. 3, 2010, pp. 335-342.

[76] R. C. Chen, Y. F. Huang, Ch. F. Hsieh, Ranger intrusion detection system for wireless sensor networks with Sybil attack based on ontology, in AIC10, 2010.

[77] H. Y. Lin and T. C. Chiang, Intrusion Detection Mechanisms Based on Queuing Theory in Remote Distribution Sensor Networks, Advanced Materials Research, vol. 121-122, June 2010.

[78] A.-S. K. Pathan, Security of Self-Organizing Networks: MANET, WSN, WMN, VANET, ISBN: 978-1-4398-1919-7, Auerbach Publications, CRC Press, Taylor and Francis Group, USA, 2010.

[79] A.H. Farooqi and F.A. Khan, Intrusion Detection Systems for Wireless Sensor Networks: A Survey, in FGCN/ACN 2009, CCIS, vol. 56, pp. 234-241.

[80] Z. Bankovic, J. M. Moya, A. Araujo, D. Fraga, J. C. Vallejo, J. M. de Goyeneche, Distributed intrusion detection system for wireless sensor networks based on a reputation system coupled with kernel self-organizing maps, Integrated Computer-Aided Engineering, vol. 17, no. 2, 2010, pp. 87-102.

[81] Y. Zhang, N. Meratnia, P. Havinga, Outlier Detection Techniques for Wireless Sensor Networks: A Survey, IEEE Communications Surveys & Tutorials, vol. 12, no. 2, 2010.

[82] S. Misra, P. V. Krishna, and K. I. Abraham, A simple learning automata-based solution for intrusion detection in wireless sensor networks, Wireless Communications and Mobile Computing, Special Issue on Architectures and Protocols for Wireless Mesh, Ad Hoc, and Sensor Networks, vol. 11, no. 3, 2011, pp. 426-441.

[83] S. Rajasegarar, C. Leckie, J. C. Bezdek, and M. Palaniswami, Centered Hyperspherical and Hyperellipsoidal One-Class Support Vector Machines for Anomaly Detection in Sensor Networks, IEEE Transactions on Information Forensics and Security, vol. 5, no. 3, 2010, pp. 518-533.

[84] S. S. Wang, K. Q. Yan, S. C. Wang, and C. W. Liu, An Integrated Intrusion Detection System for Cluster-based Wireless Sensor Networks, Expert Systems and Applications, vol. 38, Issue 12, 2011.

[85] T. Bhattasali and R. Chaki, A Survey of Recent Intrusion Detection Systems for Wireless Sensor Network, in 4th International Conference on Network Security and Applications (CNSA-2011), Springer, 2011, pp. 268-280.

[86] S. Shin, T. Kwon, G. Y. Jo, Y. Park, and H. Rhee, An Experimental Study of Hierarchical Intrusion Detection for Wireless Industrial Sensor Networks, IEEE Transactions on Industrial Informatics, vol. 6, no. 4, 2010, pp. 744-757.

[87] T. M. Mubarak, S. A. Sattar, A. Rao, and M. Sajitha, A Collaborative, Secure and Energy Efficient Intrusion Detection Method for Homogeneous WSN, in International Conference on Advances in Computing and Communications (ACC-2011), Springer, 2011.

[88] W. T. Zhu, J. Zhou, R. H. Deng, and F. Bao, Detecting node replication attacks in mobile sensor networks: theory and approaches, Security and Communication Networks, 2011.

[89] J. Lopez, R. Roman, and C. Alcaraz, Analysis of Security Threats, Requirements, Technologies and Standards in Wireless Sensor Networks, in Foundations of Security Analysis and Design 2009, LNCS 56705, August 2009, pp. 289-338.

[90] R. Roman, J. Lopez, and S. Gritzalis, Situation Awareness Mechanisms for Wireless Sensor Networks, IEEE Communications Magazine, vol. 46, no. 4, April 2008, pp. 102-107.

[91] R. Roman, J. Lopez, and P. Najera, A Cross-layer Approach for Integrating Security Mechanisms in Sensor Networks Architectures, Wireless Communications and Mobile Computing, vol. 11, no. 2, February 2011, pp. 267-276.

[92] A. Perrig and L. van Doorn, Refutation of On the Difficulty of Software-Based Attestation of Embedded Devices, Technical Report, Carnegie Mellon University, 2010.

[93] A. Francillon, C. Castelluccia, D. Perito, and C. Soriente, Comments on Refutation of On the Difficulty of Software-Based Attestation of Embedded Devices, Technical Report, INRIA, 2010.

[94] C. F. Hsieh, Y. F. Huang, and R.C. Chen, A Light-weight Ranger Intrusion Detection System on Wireless Sensor Networks, in ICGEC 2011, November 2011, pp. 49-52.

[95] Md. S. Islam and S. Ashiqur Rahman, Anomaly Intrusion Detection System in Wireless Sensor Networks: Security Threats and Existing Approaches, in Int. Journal of Advanced Science and Technology, vol. 36, November 2011.

[96] Sh. K. Singh, M. P. Singh, and D. K. Singh, Intrusion Detection based Security Solution for Cluster-based Wireless Sensor Networks, in Int. Journal of Advanced Science and Technology, vol. 30, May 2011.

[97] H. Jadidoleslamy, A High-Level Architecture for Intrusion Detection on Heterogeneous Wireless Sensor Networks: Hierarchical, Scalable and Dynamic Reconfigurable, in Wireless Sensor Network, vol. 3, 2011, pp. 241-261.

[98] E. N. Huh and T. H. Hai, Lightweight Intrusion Detection for Wireless Sensor Networks, in Intrusion Detection Systems, Pawel Skrobanek (Ed.), InTech, 2011.

[99] CERP-IoT Cluster, Visions and Challenges for Realising the Internet of Things, European Commission, 2010.