Intrusion Detection Systems in Wireless Sensor Networks: A Review

Wireless Sensor Networks (WSNs) consist of sensor nodes deployed to collect information about their surrounding environment. Their distributed nature, multihop data forwarding, and open wireless medium make WSNs highly vulnerable to security attacks at various levels. Intrusion Detection Systems (IDSs) can play an important role in detecting and preventing security attacks. This paper presents current Intrusion Detection Systems and some open research problems related to WSN security.


Introduction
Wireless Sensor Networks (WSNs) are composed of sensor nodes and sinks. Sensor nodes have the capability of self-healing and self-organizing. They are decentralized and distributed in nature, and communication takes place via multihop intermediate nodes. The main objective of a sensor node is to collect information from its surrounding environment and transmit it to the sink. WSNs have many applications and are used in scenarios such as detecting climate change, monitoring environments and habitats, and various other surveillance and military applications. Sensor nodes are mostly used in areas where wired networks cannot be deployed. WSNs are deployed in physically harsh and hostile environments where nodes are always exposed to physical security risks and damage. Furthermore, their self-organizing nature, low battery power supply, limited bandwidth, distributed operation over an open wireless medium, multihop traffic forwarding, and dependency on other nodes are characteristics of sensor networks that expose them to many security attacks at all layers of the OSI model.
Many security-related solutions for WSNs have been proposed, such as authentication, key exchange, and secure routing, or security mechanisms for specific attacks. These security mechanisms are capable of ensuring security at some level; however, they cannot eliminate most of the security attacks [1]. An IDS is one possible solution to address a wide range of security attacks in WSNs.
An IDS is also referred to as a second line of defence, which is used for intrusion detection only; that is, an IDS can detect attacks but cannot prevent or respond to them. Once an attack is detected, the IDS raises an alarm to inform the controller to take action. There are two important classes of IDSs: rule-based IDS and anomaly-based IDS [2, 3]. Rule-based IDS, also known as signature-based IDS, detects intrusions with the help of built-in signatures. It can detect well-known attacks with great accuracy, but it is unable to detect new attacks whose signatures are not present in the intrusion database. Anomaly-based IDSs detect intrusions by monitoring traffic patterns or resource utilization for deviations. Although anomaly-based IDSs have the ability to detect both well-known and new attacks, they produce more false positive and false negative alarms. Some IDSs operate in specific scenarios or with particular routing protocols. Watchers [4] operates with a proactive routing protocol to detect routing anomalies. It is implemented on each node, so all the nodes need some sort of cooperation to detect routing intrusions. Some intrusion detection mechanisms also operate with reactive routing protocols [5, 6]. These mechanisms enable the network to select a reliable path from source to destination.
This paper presents a review of existing IDSs. It is organized as follows. In Section 2, we examine existing security attacks. In Section 3, we analyze and discuss some already proposed IDSs, and we compare existing IDSs on the basis of detection. In Section 4, we highlight some open research issues and directions, and finally in Section 5, we conclude the paper.

Overview of Security in Wireless Sensor Networks
WSNs are vulnerable to many types of security attacks due to the open wireless medium, multihop decentralized communication, and deployment in hostile and physically unprotected areas. Different threat models are discussed in [7], such as mote-class attacks and laptop-class attacks. In mote-class attacks, the attacker compromises a few of the sensor nodes inside a WSN. In laptop-class attacks, the attacker has more powerful device(s) to launch a more intense attack against the WSN.
Security attacks against WSNs can be classified as active and passive [8-10]. Passive attacks are silent in nature and are conducted to extract important information from the network. Passive attacks do not harm the network or network resources. Active attacks are used to misdirect, tamper with, or drop packets. The unique characteristics of such networks, such as the wireless medium, contention-based medium access, multihop nature, decentralized architecture, and random deployment, make them more vulnerable to security attacks at various layers.
The physical layer of a WSN is responsible for radio and signal management. Radio jamming is one of the severe attacks against WSNs [8, 11]. Another physical layer attack is the battery exhaustion attack. In a WSN, the battery power of sensor nodes plays an important role and determines the lifetime of the network. Keeping in view the power limitations of WSNs, it is highly desirable to design power-efficient mechanisms for sustainable WSNs. Sensor nodes in sleep mode consume less energy than in active mode. In an energy exhaustion attack, the attacker tries not to allow sensor nodes to switch to sleep mode. This can be done by sending unnecessary data or beacons to sensor nodes to keep them always busy. As WSNs are deployed in hostile environments, they are susceptible to many physical attacks such as node destruction, node replacement, node replication, battery replacement, or reprogramming of a node with malicious code [12, 13]. However, such attacks require physical access to the network.
Most WSNs use contention-based carrier sense multiple access with collision avoidance (CSMA/CA). This mechanism tries to avoid collisions; however, it adds more complications in the form of collision, the hidden-node problem, MAC selfishness, and unfairness [7, 8]. Possible countermeasures against such attacks are small frames and rate limitation [7, 14].
The network layer is responsible for appropriate route selection from source to destination [15, 16]. In a WSN, the multihop route from source to destination is vulnerable to many active and passive attacks [17, 18]. Active attacks include packet-dropping attacks, packet-misdirecting attacks, the rushing attack, the Sybil attack, the byzantine attack, the routing table overflow attack, spoofed routing information, hello flood, and acknowledgement spoofing [8, 19].

Intrusion Detection Systems
One of the key features of a WSN is its multihop distributed operation, which adds more complexity in terms of security attack detection and prevention. In a multihop distributed environment, it is very difficult to locate attackers or malicious nodes. Many security attack detection and prevention mechanisms have been designed for WSNs; however, most of the existing solutions are capable of handling only a few security attacks. For example, most secure routing protocols are designed to counter a few security attacks [20, 21]. Similarly, new medium access mechanisms are designed to handle the hidden-node problem or selfishness. Encryption mechanisms are designed to protect data against passive attacks. Hence, there is a need to design mechanisms that are capable of detecting and preventing multiple security attacks in WSNs. An Intrusion Detection System (IDS) is one possible solution.
An intrusion is basically any sort of unlawful activity carried out by attackers to harm network resources or sensor nodes. An IDS is a mechanism to detect such unlawful or malicious activities [22]. The primary functions of an IDS are to monitor users' activities and network behaviour at different layers.
A single perfect defence is neither feasible nor possible in wireless networks, as there always exist some architectural weaknesses, software bugs, or design flaws which may be exploited by intruders. The best practice to secure wireless networks is to implement multiple lines of security mechanisms; that is why an IDS is more critical in wireless networks. It is viewed as a passive defence, as it is not intended to prevent attacks; instead it alerts network administrators about possible attacks in time to stop or reduce the impact of the attack. The accuracy of intrusion detection is generally measured in terms of false positives (false alarms) and false negatives (attacks not detected), and an IDS attempts to minimize both [3].
There are two important classes of IDSs. One is known as signature-based IDS, where the signatures of different security attacks are maintained in a database. This kind of IDS is effective against well-known security attacks. However, new attacks are difficult to detect, as their signatures are not present in the database. The second type is anomaly-based IDS. This kind is effective at detecting new attacks; however, it sometimes fails to detect well-known security attacks. The reason is that anomaly-based IDSs do not maintain any signature database; instead they continuously monitor traffic patterns or system activities.
An IDS can operate in many modes, for example, standalone operation and cooperative cluster-based operation [23]. A standalone IDS operates on every node to detect unwanted activities. Cooperative cluster-based IDSs are mostly distributed in nature: every node monitors the activities and operation of its neighbours and surrounding nodes, and when malicious activity is detected, the cluster head is informed.
Broadly speaking, an IDS has three main components [3], as shown in Figure 1.
(i) The monitoring component is used for local event monitoring as well as neighbour monitoring. This component mostly monitors traffic patterns, internal events, and resource utilization [24, 3].

Signature-Based Intrusion Detection Systems.
In this section, we present existing signature-based IDSs for WSNs.
In [25], a rule-based IDS for WSNs is presented. It is host based, in that every node runs an IDS. The architecture of the proposed IDS has several modules: packet monitoring, a cooperative engine, a detection engine, and a response unit. The IDS is basically designed for routing attacks and is capable of detecting packet-dropping attacks. An IDS for the detection of the sink-hole attack is presented in [26]. The proposed IDS is hosted on each sensor node and requires TinyOS in combination with the MintRoute routing protocol. It is an advanced version of [25] with a narrower scope; that is, the former can detect many packet-dropping and misdirecting attacks, while the latter is only designed for the detection of sink-hole attacks. In both approaches, every node monitors and cooperates with its neighbours. The Intrusion Detection Architecture (IDA) is presented in [27]. IDA is distributed and hierarchical in nature and operates through cooperation of sensor nodes, cluster heads, and a central system. IDA generates either a passive or an active response depending on the nature of the attack. However, this work does not present results on the detection rate or the false positive and false negative ratios.
In [28], the Intrusion Detection Program (IDP) is proposed, which is capable of detecting known attacks. IDP is based on the genetic programming (GP) technique and is effective against a variety of attacks such as denial of service (DoS) and unauthorized access. IDP uses three variants of GP: linear genetic programming (LGP), multiexpression programming (MEP), and gene-expression programming (GEP). The detection and classification accuracy of GEP and MEP is greater than 95%. A distributed IDS (DIDS) using soft computing techniques is presented in [29]. It uses a few fuzzy rule-based classifiers to identify intrusions. The authors claim that the fuzzy classifier provides 100% accuracy for all kinds of intrusions.
A decentralized rule-based IDS is proposed in [30]. This mechanism has three main phases, namely, data acquisition, rule application, and intrusion detection. The proposed mechanism is capable of detecting many routing attacks such as worm-hole, black-hole, selective-forwarding, and delay attacks. The authors also claim that the proposed solution is capable of detecting the jamming attack as well; however, they do not explain how jamming attacks are detected, given that jamming is a physical layer attack. A spontaneous watchdog IDS and its basic architecture are given in [31]. This architecture consists of local and global agents; however, it has not been implemented yet. An ant-colony-based IDS in conjunction with machine learning [32] is another rule-based IDS. The proposed IDS perceives behaviour and acts using a self-organizing principle initiated with probability values. Different signature-based IDSs are given in Table 1.
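The host-based rule IDS of [25] is described above only in terms of its modules (packet monitoring, cooperative engine, detection engine, response unit), and the two IDS classes introduced earlier are described only in words. As an added illustration, not code from this paper or from any of the cited systems, the following Python sketch shows how a node's watchdog can apply fixed signature rules to frames it overhears from its neighbours: a relayed copy whose payload hash changed (tampering), one whose destination field changed (misdirecting), and a packet that was never relayed within a timeout (dropping). The rule thresholds, node names, hashes and the frame trace are constructed assumptions.

```python
"""Rule-based watchdog IDS for one sensor node (added example, not code from any cited paper)."""
from collections import defaultdict
from dataclasses import dataclass

FORWARD_TIMEOUT = 2.0   # seconds a neighbour gets to relay a packet we handed it (assumed value)
MAX_DROPS = 3           # unrelayed packets before the response unit isolates a neighbour (assumed)


@dataclass(frozen=True)
class Frame:
    """One overheard frame; node names and hashes are constructed placeholders."""
    seq: int            # end-to-end sequence number set by the source
    prev_hop: str       # node that transmitted the frame
    next_hop: str       # node expected to relay it
    dst: str            # final destination (the sink)
    payload_hash: str   # hash of the payload as carried in the frame
    t: float            # time at which the frame was overheard


class WatchdogIDS:
    """Host-based signature IDS: packet monitoring, detection engine and response unit on one node."""

    def __init__(self, node_id):
        self.node = node_id
        self.pending = {}               # (neighbour, seq) -> Frame we handed to that neighbour
        self.drops = defaultdict(int)   # neighbour -> packets it failed to relay in time
        self.alarms = []                # (rule, neighbour, seq) raised by the detection engine
        self.isolated = set()           # response unit: neighbours no longer used as next hop

    def observe(self, frame):
        """Feed one overheard frame to the IDS (packet monitoring)."""
        self._expire(frame.t)
        if frame.prev_hop == self.node:
            # We transmitted it, so next_hop is now expected to relay it unchanged.
            self.pending[(frame.next_hop, frame.seq)] = frame
            return
        original = self.pending.pop((frame.prev_hop, frame.seq), None)
        if original is None:
            return                      # not a packet we are watching
        # Detection engine: compare the relayed copy with what we sent (signature rules).
        if frame.payload_hash != original.payload_hash:
            self._alarm("tamper", frame.prev_hop, frame.seq)
        elif frame.dst != original.dst:
            self._alarm("misdirect", frame.prev_hop, frame.seq)

    def flush(self, now):
        """Apply the timeout rule at time `now` (call once no more frames arrive)."""
        self._expire(now)

    def _expire(self, now):
        for key, frame in list(self.pending.items()):
            if now - frame.t > FORWARD_TIMEOUT:
                del self.pending[key]
                neighbour = key[0]
                self.drops[neighbour] += 1
                if self.drops[neighbour] == MAX_DROPS:
                    self._alarm("packet-drop", neighbour, frame.seq)

    def _alarm(self, rule, neighbour, seq):
        self.alarms.append((rule, neighbour, seq))
        self.isolated.add(neighbour)    # response unit: stop routing through this neighbour


# Constructed trace as overheard by node "A": B relays honestly, C relays nothing, E alters payloads.
TRACE = [
    Frame(1, "A", "B", "sink", "h1", 0.0),
    Frame(1, "B", "D", "sink", "h1", 0.4),
    Frame(2, "A", "C", "sink", "h2", 1.0),
    Frame(3, "A", "C", "sink", "h3", 1.2),
    Frame(4, "A", "C", "sink", "h4", 1.4),
    Frame(5, "A", "E", "sink", "h5", 2.0),
    Frame(5, "E", "D", "sink", "h5-modified", 2.3),
]


def run_demo(node="A", end_time=5.0):
    ids = WatchdogIDS(node)
    for frame in TRACE:
        ids.observe(frame)
    ids.flush(end_time)
    return ids


if __name__ == "__main__":
    ids = run_demo()
    for alarm in ids.alarms:
        print("alarm:", alarm)
    print("isolated neighbours:", sorted(ids.isolated))
```

Each rule fires only on a pattern known in advance, which is why such an IDS is precise on the attacks it was written for and silent on anything else; the cooperative engine of [25], which would exchange these alarms with neighbours before acting, is left out here.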

Anomaly-Based Intrusion Detection Systems.
Anomaly-based IDS monitors network activities and classifies them as either normal or malicious using a heuristic approach. Most anomaly-based IDSs identify intrusions using threshold values; that is, any activity below a threshold is normal, while any condition above a threshold is classified as an intrusion. The main advantage of anomaly-based IDS is its capability to detect new and unknown attacks; however, it sometimes fails to detect even well-known security attacks. Many anomaly-based IDSs have been proposed so far [33]. An unsupervised neural network based IDS [34] is capable of learning and detecting unknown attacks. This intelligent system learns time-related changes using a Markov model. When any intrusion occurs, a mobile agent moves to the malicious region of the WSN to investigate. The proposed mechanism can detect time-related changes and events.
A set of intrusion detection techniques at different layers is presented in [35]. These techniques are independent of each other. At the physical layer, RSSI values are used to detect masquerading, while at the network layer, a specialized table-driven routing protocol is used to detect routing and authentication attacks. A cluster-based IDS for routing attacks is proposed in [36]. This mechanism is capable of building a normal traffic model, which is used to differentiate between normal and abnormal traffic. The normal traffic model consists of the number of packets received and sent, the number of route requests received and sent, and so forth. The IDS can detect many attacks such as the periodic route error attack and the sink-hole attack. A support vector machine based IDS [37] is used to detect routing attacks such as the black hole. It is basically cooperation-based detection in which nodes communicate and share information about security attacks. A cross-feature based anomaly detection mechanism is proposed in [38]. This mechanism monitors and learns normal traffic patterns in order to detect any intrusion in case of deviation. The IDS is capable of detecting packet-dropping and misdirecting attacks. A sliding-window based IDS using a threshold value is efficient in the detection of a few security attacks such as route depletion attacks [39]. Table 2 presents a summary of a number of anomaly-based IDSs.

Table 2 (partial): Summary of anomaly-based IDSs.
Reference   Technique                 Attacks detected
[37]        Support vector machine    Black-hole attacks
[38]        Cross feature             Packet-dropping attacks
[39]        Sliding window            Route depletion attack
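The normal traffic model of [36] and the threshold and sliding-window detection of [39] are described above in words only. The following Python example, added here and not taken from any of the cited papers, builds a per-neighbour profile from the counts the text names (packets and route requests received and sent, plus a derived forwarding ratio), then scores a sliding window of recent intervals against that profile; a window that deviates by more than K standard deviations on any feature is classified as an intrusion, which is the threshold rule described at the start of this section. All counter values, the window size, the training length and the thresholds are constructed assumptions.

```python
"""Anomaly-based IDS with a learned normal traffic model (added example, not code from any cited paper)."""
import statistics
from collections import deque

FEATURES = ("pkts_in", "pkts_out", "rreq_in", "rreq_out", "fwd_ratio")
TRAIN_INTERVALS = 6    # intervals used to build the normal traffic model (assumed value)
WINDOW = 3             # sliding window of recent intervals that is scored against the model
K = 3.0                # deviation, in standard deviations, above which a window is an intrusion
# Floor on the modelled standard deviation so that an almost constant feature still tolerates jitter.
MIN_STD = {"pkts_in": 1.0, "pkts_out": 1.0, "rreq_in": 1.0, "rreq_out": 1.0, "fwd_ratio": 0.05}


def featurise(counts):
    """Turn the raw per-interval counters for one neighbour into the modelled feature vector.

    fwd_ratio is the share of received data packets that the neighbour forwarded: a drop in it is
    what selective forwarding or a black hole looks like, while a surge in rreq_out is what a
    route-request flood (route depletion) looks like.
    """
    feats = dict(counts)
    feats["fwd_ratio"] = counts["pkts_out"] / max(counts["pkts_in"], 1)
    return feats


class TrafficProfileIDS:
    def __init__(self):
        self.training = []                 # feature vectors of the training intervals
        self.model = None                  # feature -> (mean, std) once trained
        self.window = deque(maxlen=WINDOW)
        self.alerts = []                   # (interval, {feature: z-score})

    def _build_model(self):
        self.model = {}
        for f in FEATURES:
            vals = [iv[f] for iv in self.training]
            std = max(statistics.pstdev(vals), MIN_STD[f])
            self.model[f] = (statistics.fmean(vals), std)

    def update(self, interval, counts):
        """Feed the counters of one interval; returns an alert tuple or None."""
        feats = featurise(counts)
        if self.model is None:             # still learning the normal profile
            self.training.append(feats)
            if len(self.training) == TRAIN_INTERVALS:
                self._build_model()
            return None
        self.window.append(feats)
        flagged = {}
        for f in FEATURES:
            avg = statistics.fmean([iv[f] for iv in self.window])
            mean, std = self.model[f]
            z = (avg - mean) / std
            if abs(z) > K:                 # threshold rule on the window average
                flagged[f] = round(z, 2)
        if flagged:
            self.alerts.append((interval, flagged))
            return (interval, flagged)
        return None


def make_interval(pkts_in, pkts_out, rreq_in, rreq_out):
    return {"pkts_in": pkts_in, "pkts_out": pkts_out, "rreq_in": rreq_in, "rreq_out": rreq_out}


# Constructed counters for one monitored neighbour: six normal intervals for training, one more
# normal interval, a neighbour that stops forwarding (intervals 8-9), then a route-request flood (10).
INTERVALS = [
    make_interval(20, 19, 2, 2), make_interval(22, 21, 3, 2), make_interval(19, 19, 2, 3),
    make_interval(21, 20, 2, 2), make_interval(20, 20, 3, 3), make_interval(18, 18, 2, 2),
    make_interval(20, 20, 2, 2),
    make_interval(21, 7, 2, 2), make_interval(19, 6, 2, 2),
    make_interval(20, 20, 2, 45),
]


def run_demo():
    ids = TrafficProfileIDS()
    for i, counts in enumerate(INTERVALS, start=1):
        ids.update(i, counts)
    return ids


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print("interval %d deviates: %s" % alert)
```

Averaging over the window is what makes this a sliding-window detector: a single odd interval is diluted and tolerated, while a sustained change is flagged on every interval until the window has moved past it. The floor in MIN_STD is the practical defence against the false alarms the text warns about, since a feature that was perfectly constant during training would otherwise flag on any jitter at all.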

Hybrid Intrusion Detection Systems.
Hybrid IDSs are a combination of both anomaly-based and signature-based approaches. Hybrid mechanisms usually contain two detection modules: one module is responsible for detecting well-known attacks using signatures, while the other is responsible for learning normal and malicious patterns or for monitoring the deviation of network behaviour from a normal profile. Hybrid IDSs are more accurate in terms of attack detection, with fewer false positives. However, such mechanisms consume more energy and more resources. Hybrid IDSs are generally not recommended for resource-constrained networks such as WSNs; however, they are still an active research area. A hybrid intrusion detection model is presented in [40]. In this model, sensor nodes are divided into hexagonal regions like cellular networks. Each region is monitored by a cluster node, while cluster nodes are monitored by regional nodes. The base station has the responsibility to monitor all regional nodes. It is hierarchical in nature, forming a tree-like structure. Attack signatures are stored in the base station and propagated toward the leaf nodes for attack detection. Similarly, the mechanism has predefined specifications of normal and abnormal behaviour. Anomaly detection is done by measuring the deviation from the defined specifications. The authors do not mention the detection rate or the false-alarm ratio of their proposed mechanism. Furthermore, it is not clear which security attacks are detected using this mechanism. Another hybrid IDS using a support vector machine (SVM) and misuse detection is proposed in [41]. A distributed learning algorithm is used to train the SVM to distinguish normal and malicious patterns. This intrusion detection mechanism is designed to operate in cluster-based WSNs, where all nodes monitor their neighbours. The authors claim a high detection rate with fewer false positives; however, the attack types are not described. An IDS that uses state transition analysis and stream flow to detect the sync-flood (TCP SYN flood) attack against WSNs is presented in [42]. This mechanism monitors the three-way handshake of TCP to identify the attack pattern; however, it has not yet been implemented and tested. A cluster-based hybrid IDS is given in [43], where the cluster head is responsible for detecting intrusions. The key idea behind this mechanism is to reduce energy consumption. A further enhanced IDS is proposed in [44]. The enhanced IDS has three modules, that is, anomaly-based detection, signature-based detection, and decision making. A supervised back-propagation network is used to learn and identify normal and malicious packets. Another hierarchical hybrid IDS for the detection of routing attacks is presented in [45]. It has high accuracy in terms of the detection of network layer security attacks such as sink hole and worm hole. Table 3 presents a summary of a few hybrid IDSs.

Table 3 (partial): Summary of hybrid IDSs.
Reference   Technique                                              Attacks detected
[41]        Support vector machine                                 N/A
[42]        State transition                                       Sync flood
[43]        Cluster based                                          Routing attacks
[44]        Cluster based, supervised learning, misuse detection   Routing attacks
[45]        Hierarchical and hybrid                                Sink hole, worm hole

A cross-layer intrusion detection agent (CLIDA) for WSNs is proposed in [47]. CLIDA ensures cross-layer information exchange amongst the physical, MAC, and network layers. A cross-layer data module collects data and presents it to all layers. CLIDA is capable of detecting multilayer security attacks. This architecture has a good detection rate; however, an energy and computational comparison is not given, which would have been more interesting. Another cross-layer security mechanism for WSNs is proposed in [48], in which the authors observe that such a mechanism would exhaust the limited resources of sensor nodes. In [24], a real-time cross-layer security mechanism for large-scale flood detection and attack trace-back is presented. It uses different parameters from the MAC and network layers to detect multilayer flooding attacks. It maintains different profiles for low-, medium-, and high-intensity attacks.
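The state-transition IDS of [42] is described above as tracking the TCP three-way handshake, and the flood detector of [24] as keeping separate profiles for low-, medium- and high-intensity attacks; neither paper's implementation is available here. The Python example below is an added illustration of both ideas, not the authors' code: every connection is moved through SYN_RCVD and ESTABLISHED by the segments seen, the half-open connections per source are counted within a time window (older ones are assumed to have been timed out by the server), and the count is mapped onto three intensity profiles, with an alert each time a source crosses into a higher profile. The segment trace, addresses, window and profile thresholds are constructed assumptions.

```python
"""TCP handshake state-transition detector with intensity profiles (added example, not a cited system)."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW = 5.0   # seconds after which the server is assumed to have timed out a half-open connection (assumed)
PROFILES = (("low", 5), ("medium", 20), ("high", 50))   # half-open connections per source (assumed values)


@dataclass(frozen=True)
class Segment:
    """One observed TCP segment; addresses and ports are constructed placeholders."""
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" SYN, "SA" SYN-ACK, "A" ACK, "R" RST


class SynFloodDetector:
    def __init__(self):
        self.state = {}                          # (client, cport, server) -> (state, t_syn)
        self.level = defaultdict(lambda: None)   # source -> intensity profile last reported
        self.alerts = []                         # (t, source, profile, half_open_count)
        self.invalid = 0                         # segments that fit no handshake transition

    @staticmethod
    def _key(seg):
        if seg.flags == "SA":                    # server reply: the client is the destination
            return (seg.dst, seg.dport, seg.src)
        return (seg.src, seg.sport, seg.dst)

    def half_open(self, client, now):
        """Connections from `client` still waiting for the final ACK, ignoring timed-out ones."""
        return sum(1 for (c, _p, _s), (st, t0) in self.state.items()
                   if c == client and st == "SYN_RCVD" and now - t0 <= WINDOW)

    def process(self, seg):
        key = self._key(seg)
        cur = self.state.get(key)
        if seg.flags == "S":                     # CLOSED -> SYN_RCVD
            self.state[key] = ("SYN_RCVD", seg.t)
            self._check(key[0], seg.t)
        elif seg.flags == "SA":                  # server answered; state unchanged
            if cur is None or cur[0] != "SYN_RCVD":
                self.invalid += 1
        elif seg.flags == "A":                   # SYN_RCVD -> ESTABLISHED
            if cur is not None and cur[0] == "SYN_RCVD":
                self.state[key] = ("ESTABLISHED", cur[1])
            elif cur is None:
                self.invalid += 1                # ACK for a connection that never began
        elif seg.flags == "R":                   # reset tears the connection down
            self.state.pop(key, None)

    def _check(self, client, now):
        n = self.half_open(client, now)
        profile = None
        for name, threshold in PROFILES:
            if n >= threshold:
                profile = name
        if profile is not None and profile != self.level[client]:
            self.level[client] = profile
            self.alerts.append((now, client, profile, n))


def build_trace():
    """Constructed trace: one legitimate handshake, then one source opening 60 connections it never completes."""
    trace = [Segment(0.00, "10.0.0.5", 40000, "10.0.0.1", 80, "S"),
             Segment(0.01, "10.0.0.1", 80, "10.0.0.5", 40000, "SA"),
             Segment(0.02, "10.0.0.5", 40000, "10.0.0.1", 80, "A")]
    for i in range(60):
        t = 1.0 + 0.05 * i
        trace.append(Segment(t, "10.0.0.9", 50000 + i, "10.0.0.1", 80, "S"))
        trace.append(Segment(t + 0.01, "10.0.0.1", 80, "10.0.0.9", 50000 + i, "SA"))
    return trace


def run_demo():
    det = SynFloodDetector()
    for seg in build_trace():
        det.process(seg)
    return det


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print("t=%.2f source=%s profile=%s half-open=%d" % alert)
```

The per-source count, not the total, is what distinguishes a flood from a busy but healthy server, and the time window bounds the memory the state table needs, which matters on a sensor node as much as the detection itself.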

Comparison and Discussion
Wireless Sensor Networks are distributed in nature and use the multihop communication model. These networks are usually deployed in areas where direct human interaction is either impossible or very difficult. Furthermore, WSNs have limitations in terms of computation, bandwidth, memory, and energy. These limitations must be considered when designing any proposal for such networks. Due to the hostile environments of WSNs, security is one of their most important aspects. IDSs are widely used for securing WSNs. An IDS has the ability to detect an intrusion and raise an alarm for appropriate action. Due to the energy and computational power limitations, designing an appropriate IDS for a WSN is a challenging task.
Anomaly-based IDSs are suitable for small-sized WSNs where a few nodes communicate with the base station. In small-sized WSNs, the traffic pattern is mostly the same, so an unusual traffic pattern or changed behaviour can be treated as an intrusion. However, such an IDS may generate more false alarms and may not be able to detect well-known intrusions. Anomaly-based IDSs are usually lightweight in nature and mostly use statistical, probabilistic, traffic analysis, or intelligent techniques.
Signature-based IDSs are suitable for relatively large-sized WSNs, where more security threats and attacks can compromise network operations. A signature-based IDS needs more resources and computation than an anomaly-based IDS. One of the important and complex activities is the compilation and insertion of new attack signatures into the databases. Such IDSs mostly use data mining or pattern matching techniques.
Hybrid IDSs are suitable for large and sustainable WSNs. These IDSs have both anomaly-based and signature-based modules, so they require more resources and computation. To reduce the usage of limited resources, such mechanisms are mostly used in cluster-based or hierarchical WSNs, in which some parts of the network execute anomaly detection while other parts carry out signature-based detection.

International Journal of Distributed Sensor Networks
Cross-layer IDSs are usually not recommended for resource-constrained networks such as WSNs, as they consume more resources by exchanging parameters across the protocol stack for attack detection. Table 4 gives the comparison and characteristics of the different IDSs.

Conclusions
While designing a security mechanism, we must consider the limited resources of WSNs. Anomaly-based IDSs are lightweight in nature; however, they create more false alarms. Signature-based IDSs are suitable for relatively large-sized WSNs; however, they have some overheads such as updating and inserting new signatures. Cross-layer IDSs are usually not recommended for networks with resource limitations, as more energy and computation are required for exchanging multilayer parameters.

Table 4: Comparison of different IDSs.