University of Vermont
Intrusion Detection System implementation in Wireless Sensor Network
Wireless Sensor Networks (WSNs) are used in various fields of science and technology.
They are composed of a collection of sensors and sinks that are connected using wireless
communication in a multi-hop network and distributed over several areas. A sensor node's role
is to gather various data from the surrounding area and send the data to a central sink server. Many WSNs
are used for detecting climate change, monitoring environments and habitats, surveillance and
military applications, and monitoring power plant resources. The deployment configuration of WSNs
makes it difficult to identify an intrusion, the attacker's location, and unintended access.
An intrusion can be a serious problem in WSNs when there is an unauthorized (unwanted) activity
In the network security area, there are two mechanisms to protect network resources. The first
mechanism, or first line of defense, is used to prevent intrusion, for example through authorization, encryption,
and filtering. If these mechanisms fail to prevent intrusion, then the second mechanism is
needed. The second mechanism, or second line of defense, is responsible for detecting an
intrusion. An Intrusion Detection System (IDS) can be used as a second line of defense that is
capable of distinguishing malicious activity from normal behavior. In order to detect an intrusion,
most IDSs are composed of monitoring components, an analysis & detection module, and
In this literature review, IDS implementation in WSNs is classified along several
dimensions, such as IDS Monitoring Component Placement, Detection Method, and Detection &
Decision Algorithm.
The IDS monitoring component is used as a data collector. It can be deployed at the host level or
the network level. In a WSN, the IDS monitoring component can be installed at the host level in a sensor node or
installed at the network level by tapping into network communication. According to Ali (2015),
intrusions in WSNs mostly happen in the communication network, because it is an easy way to
gain the information that flows from a sensor node to a sink server. For this reason, IDS
deployment at the network level can be useful. In this deployment, the IDS monitoring component taps
into the communication network and listens to network transmissions from sensor nodes to a sink server.
Meanwhile, other studies presented by Doumit (Doumit & Agrawal, 2003), da Silva (da
Silva et al., 2005), and Guorui Li (Li, He, & Fu, 2008) use a different scenario. In their scenario, the IDS
monitoring component is deployed at the sensor node. This scenario builds on the nature of
WSN deployment, which is distributed across several areas. In his study, da Silva (2005) proposed
putting the monitoring component in sensor nodes to gather interference of the network behavior. The
sensor node monitors any events in the network, such as data messages that are not intended for it,
Similarly, Guorui Li (2008) and Doumit (2003) put the monitoring component into the sensor
node, but they use different network architectures. In Guorui Li's (2008) research, groups of sensors
are used to detect outliers in network behavior. A delta-grouping algorithm is used to form groups
of sensors that are physically close and sense similar message patterns. Although Doumit's (2003)
research has a similar approach, it clusters the sensor nodes in a different way, into a leader and
worker architecture. Each cluster consists of several workers that are close to the most powerful node
or leader. In this cluster organization, IDS sensors are placed at the workers and the leader acts as the IDS
decision module.
The IDS detection module is the main IDS component for detecting an intrusion. This module
processes data from the monitoring component and then applies a detection method to detect misuse activity
or intrusion. Basically, there are three types of IDS detection methods: Signature-Based IDS,
Anomaly-Based IDS, and Specification-Based IDS. A Signature-Based IDS uses predefined rules
of attack patterns to detect intrusion. It is a better solution for detecting well-known intrusions; however,
it becomes useless if there are new attack patterns. Anomaly-Based IDS was introduced to counter
this problem. This method can monitor user behavior and create classifiers to differentiate normal
behavior from malicious activity using a heuristic algorithm. This type of IDS can learn new and
unknown attack patterns, but in many cases it may fail to detect well-known attack patterns and
raise a false alarm for new normal activities that never occurred before.
deviations from normal behavior in order to detect attacks. This detection method is also based on
manually defined specifications that describe what correct operation is and monitors any behavior
In order to make the IDS detection module work properly in a WSN configuration, it needs a
deployment strategy for putting the detection module in a sensor node. A sensor node is designed to
collect specific information in a harsh environment, and that is the reason behind the sensor node
hardware design. The hardware is built from a simple architecture with small
computing power and limited resources. Given this sensor node limitation, each detection method
has a specific deployment strategy that does not cost a lot of resources for calculation and the pattern
matching process. The research of Guorui Li and Doumit, for example, is based on
grouping and hierarchical types of sensor nodes. This deployment has several sensor nodes that act
as processing nodes. A processing node is different from a regular sensor node: it has greater
resources and computing power, so it is possible to run anomaly-based detection on it. Doumit's research
used the leader node as the processing node to run anomaly-based detection and heuristic algorithms.
By contrast, Guorui Li's research uses a special node as a decision node to detect the intrusion in
Another approach is used by da Silva, who proposed signature-based detection that does not
burden the sensor node. Each message is processed and compared against a set of rules; if the result is a
failure, the sensor raises a failure alarm. In the network-level deployment proposed by Ali, a dedicated
IDS machine is used to run specification-based detection. This detection method uses predefined
rules, the same as signature-based detection, but it also calculates deviations from normal behavior to detect
intrusion.
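
An illustration of the rule-checking step described above, added here and not code from da Silva et al. or the original page: each overheard message is checked against rules, failures are counted per round, and an attack is indicated only when the count exceeds a tolerance learned from earlier rounds. The two rules, their limits, the message fields and the mean-plus-k-standard-deviations tolerance are assumptions of this example.

```python
from statistics import mean, pstdev

MIN_GAP, MAX_GAP = 5.0, 15.0  # assumed bounds (seconds) between reports of one node
HISTORY = [0, 1, 0, 2, 1, 0, 1, 1]  # constructed failure counts of earlier rounds

def check_round(messages):
    """Apply two illustrative rules to one round; return (source, rule) failures."""
    last_time, seen, failures = {}, set(), []
    for m in sorted(messages, key=lambda m: m["t"]):
        src = m["src"]
        # Interval rule: a node reporting too fast or too slow fails.
        if src in last_time:
            gap = m["t"] - last_time[src]
            if gap < MIN_GAP or gap > MAX_GAP:
                failures.append((src, "interval"))
        last_time[src] = m["t"]
        # Repetition rule: the same sequence number must not be seen twice.
        if (src, m["seq"]) in seen:
            failures.append((src, "repetition"))
        seen.add((src, m["seq"]))
    return failures

def tolerance(history, k=3.0):
    """Failure count a round may reach before it is treated as an attack."""
    return mean(history) + k * pstdev(history)

def attack_indicated(messages, history=HISTORY, k=3.0):
    """Return (indication, failures) for one round of overheard messages."""
    failures = check_round(messages)
    return len(failures) > tolerance(history, k), failures

def msgs(src, times, seqs):
    """Build constructed sample messages for one source node."""
    return [{"src": src, "t": t, "seq": s} for t, s in zip(times, seqs)]

# Constructed rounds: one late report, then a node repeating one message rapidly.
QUIET = msgs("n1", [0, 10, 20], [1, 2, 3]) + msgs("n2", [2, 12, 30], [1, 2, 3])
BURST = msgs("n1", [0, 10, 20], [1, 2, 3]) + msgs("n3", [1, 2, 3, 4], [7, 7, 7, 7])

if __name__ == "__main__":
    for name, rnd in (("quiet", QUIET), ("burst", BURST)):
        print(name, attack_indicated(rnd))
```

The single late report in the quiet round is a rule failure but stays under the tolerance, so only the burst round produces an attack indication.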
The Decision and Analysis Module is the main part of an IDS. Some algorithms are used if the
detection module uses anomaly-based detection. These algorithms serve as heuristic algorithms
to measure the deviation between normal behavior and attack patterns. In the research of Guorui Li (Li et al., 2008),
an independent decision-making system runs in a certain sensor node. This
sensor node acts as a cluster-head node that gathers information from surrounding sensor nodes and
computes deviation using anomaly detection. The Mahalanobis distance measurement and the OGK
estimator algorithm are used to decide on the intrusion based on inter-attribute dependencies of
multidimensional observed values and to ensure a high breakdown point even with some missing
Criticality (SOC) and Hidden Markov Models (HMM) are used to perform anomaly detection. The SOC
algorithm is used as a data extractor and data filter to simplify the information gathered from worker
nodes. This data is analyzed using HMM to compute the deviation between intrusion traffic and
normal behavior.
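
A sketch of the cluster-head Mahalanobis check described above, added here as an illustration and not code from Li et al. or the original page: it scores each node's report by its squared Mahalanobis distance from a baseline. The two attributes, the sample data and the 0.99 chi-square cut are constructed, and the plain sample covariance stands in for the OGK estimator, so it lacks OGK's robustness to a contaminated baseline.

```python
import math

# Constructed baseline: (temperature in C, packets per minute) reported by
# group members during normal operation. Both attributes rise together.
BASELINE = [(20, 10), (21, 12), (22, 12), (23, 14),
            (20, 11), (21, 11), (22, 13), (23, 13)]

def fit(rows):
    """Return the mean vector and inverse sample covariance of 2-D readings."""
    n = len(rows)
    mx = sum(x for x, _ in rows) / n
    my = sum(y for _, y in rows) / n
    sxx = sum((x - mx) ** 2 for x, _ in rows) / (n - 1)
    syy = sum((y - my) ** 2 for _, y in rows) / (n - 1)
    sxy = sum((x - mx) * (y - my) for x, y in rows) / (n - 1)
    det = sxx * syy - sxy ** 2
    if det <= 1e-12:
        raise ValueError("covariance is singular; attributes are degenerate")
    inv = ((syy / det, -sxy / det), (-sxy / det, sxx / det))
    return (mx, my), inv

def mahalanobis_sq(reading, mean, inv):
    """Squared Mahalanobis distance of one reading from the baseline."""
    a, b = reading[0] - mean[0], reading[1] - mean[1]
    return a * (inv[0][0] * a + inv[0][1] * b) + b * (inv[1][0] * a + inv[1][1] * b)

def in_range(reading, rows):
    """Naive per-attribute check: is each value inside the baseline min/max?"""
    return all(min(r[i] for r in rows) <= reading[i] <= max(r[i] for r in rows)
               for i in range(2))

def detect(readings, rows=BASELINE, p=0.99):
    """Return {node: d^2} for nodes whose distance exceeds the chi-square cut."""
    mean, inv = fit(rows)
    cut = -2.0 * math.log(1.0 - p)  # chi-square quantile for 2 degrees of freedom
    scores = {node: mahalanobis_sq(r, mean, inv) for node, r in readings.items()}
    return {node: d2 for node, d2 in scores.items() if d2 > cut}

# Constructed round of reports arriving at the cluster head.
ROUND = {"n1": (22, 12.5), "n2": (23, 14), "n3": (23, 10), "n4": (21, 30)}

if __name__ == "__main__":
    for node, d2 in detect(ROUND).items():
        print(node, round(d2, 2), "within per-attribute range:", in_range(ROUND[node], BASELINE))
```

Node n3 is flagged even though each of its values lies inside the baseline range; only the combination breaks the dependency between the attributes, which a per-attribute threshold cannot see.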
However, some algorithms are also used in other types of IDS detection method. These
algorithms are used to improve the decision module, because detection reports from signature-based
detection and specification-based detection can be combined to produce a higher detection rate and
reduce false alarms. For the decision algorithm, da Silva introduces the idea of a deviation tolerance
that is combined with a report from signature-based detection. Although occasional failures may
happen during each round of message capture by the monitor nodes, their number is not known
beforehand. By determining the variance bounds for it, an IDS can raise an attack indication
Among all IDS types, each type can be used as an optimal solution to protect a WSN. Cluster-based,
group-based, and hierarchical IDSs perform better at detecting intrusion in large WSN
deployments and generate fewer false alarms. However, a network-level IDS has a further point in its favor: to
avoid stressing the sensor nodes, it uses traffic collected from the network to detect the intrusion
intrusion. This algorithm is the main process that has a role in calculating the deviation between
an intrusion and normal traffic. Every algorithm has its own method and approach to improve the
detection rate and lower false alarms. Although signature-based and specification-based
detection do not use any algorithm as a decision module, some of the research applied an algorithm
to gain a higher detection rate and reduce false alarms generated by the detection module.
REFERENCES
Ali, S. (2015). Intrusion Detection System in Wireless Sensor Networks. International Journal of
da Silva, A. P. R., Martins, M. H. T., Rocha, B. P. S., Loureiro, A. A. F., Ruiz, L. B., & Wong,
Proceedings of the 1st ACM International Workshop on Quality of Service & Security in
Wireless and Mobile Networks (pp. 16–23). New York, NY, USA: ACM.
https://doi.org/10.1145/1089761.1089765
Doumit, S. S., & Agrawal, D. P. (2003). Self-organized Criticality & Stochastic Learning Based
Intrusion Detection System for Wireless Sensor Networks. In Proceedings of the 2003
http://dl.acm.org/citation.cfm?id=1950503.1950629
Li, G., He, J., & Fu, Y. (2008). Group-based intrusion detection system in wireless sensor
https://doi.org/10.1016/j.comcom.2008.06.020