
Wireless Sensor Networks (WSNs) are used in various fields of science and technology. They are composed of a collection of sensors and a sink that are connected by wireless communication in a multi-hop network and distributed over several areas. A sensor node's role is to gather various data from the surrounding area and send the data to a central sink server. Many WSNs are used for detecting climate change, monitoring environments and habitats, surveillance and military applications, and monitoring power plant resources. The deployment configuration of WSNs makes it difficult to identify an intrusion, the attacker's location, and unintended access. An intrusion can be a serious problem in WSNs when there is unauthorized (unwanted) activity in a network that aims to damage network resources or sensor nodes.

In the network security area, there are two mechanisms to protect network resources. The first mechanism, or first line of defense, is used to prevent intrusion, for example through authorization, encryption, and filtering. If these mechanisms fail to prevent an intrusion, then the second mechanism is needed. The second mechanism, or second line of defense, has the responsibility to detect an intrusion. An Intrusion Detection System (IDS) can be used as a second line of defense that has the capability to distinguish malicious activity from normal behavior. In order to detect an intrusion, most IDSs are composed of monitoring components, an analysis and detection module, and an alarm system.

In IDS implementation for WSN, ….. it can be classified into several types: Sensor Deployment, Detection Method and Decision Algorithm.


IDS Deployment:

According to Salfraz, intrusions mostly happen in the communication network, because it is an easy way to obtain the information that flows from a sensor node to a sink server. For this reason, deploying the IDS at the network level can be useful. Meanwhile, other research by Da Silva, Li Gourou and Doumit takes another approach: they deploy the IDS sensor in the sensor node. This approach takes into account the nature of WSN deployment, which is distributed across several areas. Da Silva proposed an IDS implementation that gathers interference of the network behavior from the sensor node. The sensor node monitors events in the network such as data messages that are not intended for it and data collisions when the sensor node tries to send information.

A similar approach is used by Gourou Li and Doumit, with some modifications. In Gourou Li's research, a group of sensors is used to detect outliers in network behavior. A delta grouping algorithm is used to decide which sensors form a group: those that are physically close and sense similar message patterns. Doumit, however, clusters the sensor nodes into a leader and worker architecture. Each cluster consists of several workers that are close to the most powerful node, the leader. This cluster organization places the IDS sensors at the workers and lets the leader be the IDS decision module.

IDS Detection Method:

Basically, there are three types of IDS: Signature-Based IDS, Anomaly-Based IDS, and Hybrid IDS, which combines Signature-Based and Anomaly-Based IDS. A Signature-Based IDS uses predefined rules of attack patterns to detect intrusion. It is a better solution for detecting well-known intrusions; however, it becomes useless if there are new attack patterns. In contrast, an Anomaly-Based IDS monitors user behavior and creates classifiers to differentiate normal behavior from malicious activity using a heuristic algorithm. This type of IDS can learn new and unknown attack patterns, but in many cases it may fail to detect well-known attack patterns and raise false alarms for new normal activities that have never happened before.

Specification-based detection systems are also based on deviations from normal behavior in order to detect attacks, but they are based on manually defined specifications that describe what a correct operation is and monitor any behavior with respect to these constraints. This is the technique we use in our approach. It is easier to apply in sensor networks, since normal behavior cannot easily be defined by machine learning techniques and training.

The IDS detection module can cost a sensor node a lot of resources. Each detection method can be useful for a certain IDS deployment. In the research of Gourou Li and Doumit, which uses grouping and hierarchical types, anomaly detection can be used because some nodes act as processing nodes. Doumit uses the leader node as the processing node, while Gourou Li detects the intrusion in a group-based scheme and lets another decision node raise the alarm. Another approach is used by Da Silva, who proposed signature-based detection that does not burden the sensor node. Each message is processed and compared to some rules; if the result is a failure, the sensor raises a failure alarm.


In the network-based deployment proposed by Salfraz, a dedicated IDS machine is used to run specification-based detection. This detection uses predefined rules, the same as signature-based detection, but it also calculates deviations from normal behavior to detect intrusion.
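
The specification-based check described above, sketched as an added example that is not taken from the original text or from any of the cited systems: a dedicated monitor compares captured frames against a manually defined specification, applying a fixed rule (permitted next hop) and a deviation measure (report interval). The Spec fields, node names, tolerance value and the sample capture are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Spec:
    """Manually defined description of correct operation for one sensor node."""
    allowed_next_hops: frozenset  # neighbours this node may send to
    report_period_s: float        # nominal interval between reports
    tolerance: float              # permitted relative deviation (0.5 = 50 %)

@dataclass(frozen=True)
class Frame:
    t: float   # capture time in seconds
    src: str
    dst: str

def check(frames, specs):
    """Return (time, node, reason) alarms for frames that violate the spec."""
    alarms, last_seen = [], {}
    for f in sorted(frames, key=lambda x: x.t):
        spec = specs.get(f.src)
        if spec is None:  # sender is not part of the specified deployment
            alarms.append((f.t, f.src, "unknown node"))
            continue
        # Predefined rule: traffic must follow the specified route.
        if f.dst not in spec.allowed_next_hops:
            alarms.append((f.t, f.src, "unexpected next hop " + f.dst))
        # Deviation from normal behavior: report interval vs. nominal period.
        prev = last_seen.get(f.src)
        if prev is not None:
            dev = abs((f.t - prev) - spec.report_period_s) / spec.report_period_s
            if dev > spec.tolerance:
                alarms.append((f.t, f.src, f"interval deviation {dev:.2f}"))
        last_seen[f.src] = f.t
    return alarms

# Constructed specification and capture (not real traffic).
SPECS = {
    "n1": Spec(frozenset({"n2"}), 10.0, 0.5),
    "n2": Spec(frozenset({"sink"}), 10.0, 0.5),
}
CAPTURE = [
    Frame(0.0, "n1", "n2"), Frame(0.5, "n2", "sink"),
    Frame(10.0, "n1", "n2"), Frame(10.5, "n2", "sink"),
    Frame(11.0, "n1", "n2"),    # report sent 1 s after the previous one
    Frame(20.5, "n2", "n9"),    # sent to a node outside the specification
    Frame(21.0, "n7", "sink"),  # sender absent from the specification
]

if __name__ == "__main__":
    for alarm in check(CAPTURE, SPECS):
        print(alarm)
```
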
