
Intrusion Detection System implementation in Wireless Sensor Network 1

Intrusion Detection System Implementation in Wireless Sensor Network

Dani Wafaul Falah

University of Vermont

Intrusion Detection System implementation in Wireless Sensor Network

Wireless Sensor Networks (WSNs) are used in various fields of science and technology. They are composed of a collection of sensors and sinks that are connected by wireless communication in a multi-hop network and distributed over several areas. A sensor node's role is to gather data from the surrounding area and send it to a central sink server. Many WSNs are used for detecting climate change, monitoring environments and habitats, surveillance and military applications, and monitoring power plant resources. The way WSNs are deployed makes it difficult to identify an intrusion, the attacker's location, and unintended access. An intrusion can be a serious problem in a WSN: it is an unauthorized (unwanted) activity in the network that aims to damage network resources or sensor nodes.

In network security, there are two mechanisms to protect network resources. The first mechanism, or first line of defense, is used to prevent intrusion and includes authorization, encryption, and filtering. If these mechanisms fail to prevent an intrusion, the second mechanism is needed. The second mechanism, or second line of defense, is responsible for detecting an intrusion. An Intrusion Detection System (IDS) can be used as a second line of defense that is capable of distinguishing malicious activity from normal behavior. To detect an intrusion, most IDSs are composed of monitoring components, an analysis & detection module, and a decision & alarm system.

In this literature review, IDS implementations in WSNs are classified along several dimensions: IDS Monitoring Component Placement, Detection Method, and Detection & Decision Algorithm.

IDS Monitoring Component Placement

The IDS monitoring component is used as a data collector. It can be deployed at the host level or at the network level. In a WSN, the IDS monitoring component can be installed at the host level, in the sensor node, or at the network level, by tapping into network communication. According to Ali (2015), intrusions in WSNs mostly happen in the communication network, because it is the easiest way to obtain the information that flows from a sensor node to a sink server. For this reason, deploying the IDS at the network level can be useful. In this deployment, the IDS monitoring component taps into the communication network and listens to transmissions from sensor nodes to a sink server.

Meanwhile, other studies by Doumit (Doumit & Agrawal, 2003), da Silva (da Silva et al., 2005), and Gurou Li (Li, He, & Fu, 2008) use a different scenario, in which the IDS monitoring component is deployed at the sensor node. This scenario builds on the nature of WSN deployment, which is distributed across several areas. In his study, da Silva (2005) proposed putting the monitoring component in sensor nodes, where it observes interference in the network behavior. The sensor node monitors events in the network, such as data messages that are not intended for it and data collisions when the sensor node tries to send information.

Similarly, Gurou Li (2008) and Doumit (2003) put the monitoring component in the sensor node, but they use different network architectures. In Gurou Li's (2008) research, groups of sensors are used to detect outliers in network behavior. A delta-grouping algorithm is used to form groups of sensors that are physically close and sense similar message patterns. Although Doumit's (2003) research takes a similar approach, it clusters the sensor nodes into a leader and worker architecture. Each cluster consists of several workers that are close to the most powerful node, or leader. In this cluster organization, the IDS sensors are placed at the workers and the leader acts as the IDS decision module.

IDS Detection Module

The IDS detection module is the main IDS component for detecting an intrusion. This module processes data from the monitoring component and then applies a detection method to detect misuse or intrusion. There are three basic types of IDS detection method: signature-based, anomaly-based, and specification-based. A signature-based IDS uses predefined rules describing attack patterns to detect intrusion. It is the better solution for detecting well-known intrusions; however, it becomes useless against new attack patterns. Anomaly-based IDS was introduced to counter this problem. This method monitors user behavior and creates classifiers that differentiate normal behavior from malicious activity using a heuristic algorithm. This type of IDS can learn new and unknown attack patterns, but in many cases it may fail to detect well-known attack patterns and may raise false alarms for new normal activities that have never occurred before.

Another IDS detection method is specification-based detection. It detects attacks based on deviations from normal behavior. This method relies on manually defined specifications that describe what correct operation is, and it monitors behavior with respect to these constraints (Ali, 2015).

For the IDS detection module to work properly in a WSN configuration, it needs a deployment strategy for placing the detection module in a sensor node. A sensor node is designed to collect specific information in a harsh environment, and this drives its hardware design: a simple hardware architecture with little computing power and limited resources. Given these limitations, each detection method needs a specific deployment strategy that does not consume many resources for calculation and pattern matching. The research of Gurou Li and Doumit, for example, is based on grouping and hierarchical arrangements of sensor nodes. In this deployment, several sensor nodes act as processing nodes. A processing node differs from a regular sensor node: it has greater resources and computing power, so it is possible to run anomaly-based detection on it. Doumit's research uses the leader node as the processing node to run anomaly-based detection and heuristic algorithms. Gurou Li's research, by contrast, uses a special node as the decision node to detect intrusion in a group-based scheme using anomaly-based detection.

Da Silva takes another approach, proposing signature-based detection that does not burden the sensor node. Each message is processed and compared against a set of rules; if the result is a failure, the sensor raises a failure alarm. In the network-level deployment proposed by Ali, a dedicated IDS machine is used to run specification-based detection. This detection method uses predefined rules, as signature-based detection does, but it also calculates deviations from normal behavior to detect intrusion.

IDS Detection & Decision Algorithm

The decision and analysis module is the main part of an IDS. Certain algorithms are used when the detection module uses anomaly-based detection. These serve as heuristic algorithms to measure the deviation between normal behavior and an attack pattern. In the research of Gurou Li (Li et al., 2008), an independent decision-making system runs in a certain sensor node. This sensor node acts as a cluster-head node that gathers information from surrounding sensor nodes and computes deviation using anomaly detection. The Mahalanobis distance measurement and the OGK estimator are used to decide on an intrusion based on the inter-attribute dependencies of multidimensional observed values, and they ensure a high breakdown point, even with some missing data, at a lower computational cost.
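Added example (not code from this review or from the cited papers): a cluster head scoring its group's readings with the Mahalanobis distance, next to a per-attribute check that misses the same node. It uses a MAD-based Gnanadesikan-Kettenring correlation, the pairwise estimate that OGK builds on, without OGK's orthogonalization step; the node names, the two attributes, the readings and the 99.9% threshold are constructed assumptions.

```python
import statistics

# Constructed sample: (temperature, humidity) reported by eight nodes of one group.
# n8 stays inside both per-attribute ranges but breaks their joint pattern.
READINGS = {
    "n1": (20.0, 40.0), "n2": (21.0, 42.1), "n3": (22.0, 43.9), "n4": (23.0, 46.2),
    "n5": (24.0, 47.8), "n6": (25.0, 50.1), "n7": (26.0, 52.0), "n8": (21.0, 51.0),
}
CHI2_2DOF_999 = 13.816  # assumed cut-off: 99.9% chi-square quantile, 2 degrees of freedom


def mad_scale(values):
    """Robust scale: median absolute deviation, rescaled to match a normal std dev."""
    med = statistics.median(values)
    return 1.4826 * statistics.median([abs(v - med) for v in values])


def robust_fit(points):
    """Median location, MAD scale and Gnanadesikan-Kettenring correlation (2-D)."""
    xs, ys = zip(*points)
    mx, my = statistics.median(xs), statistics.median(ys)
    sx, sy = mad_scale(xs), mad_scale(ys)
    a = mad_scale([x / sx + y / sy for x, y in points])  # spread along the trend
    b = mad_scale([x / sx - y / sy for x, y in points])  # spread across the trend
    rho = (a * a - b * b) / (a * a + b * b)
    return mx, my, sx, sy, rho


def score(readings):
    """Return {node: (zx, zy, squared Mahalanobis distance)} under the robust fit."""
    mx, my, sx, sy, rho = robust_fit(list(readings.values()))
    out = {}
    for node, (x, y) in readings.items():
        zx, zy = (x - mx) / sx, (y - my) / sy
        d2 = (zx * zx - 2 * rho * zx * zy + zy * zy) / (1 - rho * rho)
        out[node] = (zx, zy, d2)
    return out


def per_attribute_alarms(readings, limit=3.0):
    """Nodes whose robust z-score exceeds the limit on any single attribute."""
    return [n for n, (zx, zy, _) in score(readings).items() if max(abs(zx), abs(zy)) > limit]


def mahalanobis_alarms(readings, limit=CHI2_2DOF_999):
    """Nodes whose joint deviation exceeds the chi-square cut-off."""
    return [n for n, (_, _, d2) in score(readings).items() if d2 > limit]


if __name__ == "__main__":
    print("per-attribute:", per_attribute_alarms(READINGS))
    print("Mahalanobis:  ", mahalanobis_alarms(READINGS))
```

Because location, scale and correlation come from medians, the deviating node does not distort the estimate it is measured against, which is the property the high breakdown point refers to.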

Another algorithm is used in Doumit's research. The combination of Self-Organized Criticality (SOC) and Hidden Markov Models (HMM) is used to perform anomaly detection. The SOC algorithm is used as a data extractor and data filter to simplify the information gathered from worker nodes. This data is analyzed using HMM to compute the deviation between intrusion traffic and normal behavior.

However, algorithms are also used with the other types of IDS detection method. They are used to improve the decision module, because detection reports from signature-based and specification-based detection can be combined to produce a higher detection rate and reduce false alarms. As a decision algorithm, da Silva introduces the idea of a deviation tolerance that is combined with the report from signature-based detection. Although occasional failures may happen during each round of message capture by the monitor nodes, their number is not known beforehand. By determining variance bounds for it, an IDS can raise an attack indication whenever these limits are reached.

Conclusion and Summary


In conclusion, IDS implementations in WSNs use several types of deployment. Each IDS type can be an optimal solution for protecting a WSN. Cluster-based, group-based, and hierarchical IDSs perform better at detecting intrusion in large WSN deployments and generate fewer false alarms. Network-level IDS, however, has the advantage of not putting stress on the sensor nodes: it uses traffic collected from the network to detect intrusion and uses specification-based detection to achieve a higher detection rate.

In the IDS detection module, anomaly-based detection uses an algorithm to detect an intrusion. This algorithm is the main process, responsible for calculating the deviation between an intrusion and normal traffic. Every algorithm has its own method and approach for improving the detection rate and lowering false alarms. Although signature-based and specification-based detection do not use any algorithm as a decision module, some of the research applied an algorithm to gain a higher detection rate and reduce the false alarms generated by the detection module.

REFERENCES

Ali, S. (2015). Intrusion Detection System in Wireless Sensor Networks. International Journal of Science and Research, 4(7), 1052–1058.

da Silva, A. P. R., Martins, M. H. T., Rocha, B. P. S., Loureiro, A. A. F., Ruiz, L. B., & Wong, H. C. (2005). Decentralized Intrusion Detection in Wireless Sensor Networks. In Proceedings of the 1st ACM International Workshop on Quality of Service & Security in Wireless and Mobile Networks (pp. 16–23). New York, NY, USA: ACM. https://doi.org/10.1145/1089761.1089765

Doumit, S. S., & Agrawal, D. P. (2003). Self-organized Criticality & Stochastic Learning Based Intrusion Detection System for Wireless Sensor Networks. In Proceedings of the 2003 IEEE Conference on Military Communications - Volume I (pp. 609–614). Washington, DC, USA: IEEE Computer Society. Retrieved from http://dl.acm.org/citation.cfm?id=1950503.1950629

Li, G., He, J., & Fu, Y. (2008). Group-based intrusion detection system in wireless sensor networks. Computer Communications, 31(18), 4324–4332. https://doi.org/10.1016/j.comcom.2008.06.020
