2016 2nd International Conference on Next Generation Computing Technologies (NGCT-2016)

Dehradun, India 14-16 October 2016

Comprehensive Analysis of Security Attacks and Intrusion Detection System in Wireless Sensor Networks

Shanthi.S
Department of CSE
MallaReddy College of Engineering and Technology
Hyderabad, India
shanu_shivak@yahoo.com

E.G.Rajan
PRC Private Limited
Hyderabad, India
egrajan@gmail.com

978-1-5090-3257-0/16/$31.00 ©2016 IEEE

Abstract: Wireless sensor networks consist of tiny sensor nodes deployed in various geographic conditions to gather information about the environment. The distributed and unattended environment makes the network more prone to security breaches. Although many studies discuss many potential issues of WSN security and detection mechanisms, most of these are discussed in isolation. An attempt has been made to provide a summary of the major security attacks and present a comprehensive analysis of various Intrusion Detection approaches. In addition, we present a comparison of Intrusion Detection systems.

Keywords: Wireless sensor networks; security attacks; Intrusion Detection; Types of Intrusion detection

I. INTRODUCTION

The wireless sensor networks consist of tiny sensor nodes which are deployed randomly in various environments. These sensor nodes have limited resources like memory, computational capacity and energy. The function of sensor nodes is to assemble the data and send the collected information to the base station. These sensor nodes are deployed in a hostile and unattended environment, where the nodes are always prone to security attacks. WSN is more susceptible to security breaches due to its inherent nature, open and unattended hostile environment, and limited resources. Among all the other aspects, security is the most important threat to the networks. The existing security techniques are infeasible due to limitations like memory, energy and access to nodes after deployment. Subsequently, the security aspect is the most challenging issue that deserves more attention in the wireless sensor networks [1].

Many solutions have been provided to the security issues such as authentication, key exchange, routing protocols etc. They are able to prevent the attacks to some extent but do not eliminate the security attacks totally. One of the probable solutions to deal with the security related issues in wireless sensor networks is to make use of the IDS - Intrusion Detection System. It can play a major role in detecting and preventing the attacks. The paper has been structured as follows: Section II gives an overview of security in WSN. Section III provides existing security attacks in WSN. A brief introduction of IDS and its techniques is given in Section IV. Classification of intrusion detection systems and their comparison is given in Section V and Section VI describes the IDS architecture followed by the challenges in WSN.

II. OVERVIEW OF SECURITY PROBLEMS IN WSN

WSNs are more vulnerable to security attacks due to their open environment. Some of the issues involved in security are listed below [2]:

A. Limited Hardware
The sensor nodes are very tiny and in recent trends there is a requirement to increase the lifetime of the nodes by decreasing the bandwidth consumed, memory etc. Due to these limited resources, establishing security among these nodes is quite a challenging task.

B. Wireless Communication
The communication medium is more expensive and it is more susceptible to threats like eavesdropping, inserting malicious nodes into the network, flooding etc. Due to the wireless medium, we cannot opt for complicated protocols that require exchange of more information or messages.

C. Hostile Environment
Since the sensor nodes are deployed in unattended areas, hackers are able to access the nodes and change the contents. The nodes are not tamper resistant due to the increasing cost, which also provides an easy means for the attacker to access the nodes.

D. Aggregation Processing
Sensor nodes generally obtain the information from each sensor and transfer the information to the destination. The lifetime of the sensor nodes can be increased by reducing the communication between the nodes. But this cannot be implemented since the sensor nodes have to communicate to perform data processing of sensor nodes.

E. Large Scale Deployment
The present sensor networks use 100s to 1000s of sensors in applications. So scalability is an important factor to be
considered in the future networks. Protocols or security algorithms should be designed with scalability in mind, otherwise they are of no use [4].

III. SECURITY ATTACKS IN WSN

There are many types of attacks possible in WSN. Wireless sensor networks are more vulnerable to attacks due to their hostile environment and broadcast nature. The attacks are classified generally as active attacks and passive attacks. Active attacks are dangerous, while passive attacks do not modify the data/information and are passive in nature [3].

Figure 1: Attacks on wireless sensor networks

a. Jamming Attack:
A jamming attack is caused by attacker nodes interfering with the radio frequency used by the other nodes. This attack is carried out by the transmission of radio signals. It mainly causes a Denial of Service: the nodes are not able to communicate because of the jamming, which is mainly caused by a jammer.

b. Collision Attack:
In this collision attack, whenever the legitimate node is transmitting data, the attacker hears the transmission and transmits its own signal to produce interference. Even a collision of a single byte can produce an error and damage the entire message. This collision attack is better than the jamming attack with respect to consumption of power and detection ability. This attack aims at draining the communication channel and depriving the network of services.

c. Sinkhole Attack:

Figure 2: Sinkhole Attack

In the Sinkhole attack, the main intention of the attacker is to attract all the traffic. The compromised node may listen for the request for routes in the case of flooding and it tries to give a false route informing the nodes about the shortest path.

d. Sybil Attack:
The attacker has multiple identities and duplicates and is present in multiple locations. It mainly targets fault tolerant systems like storage, network topology, multipath routing, data aggregation, voting, misbehaviour detection and fair resource allocation, etc. [8].

Figure 3: Sybil Attack

e. Wormhole Attack:
The wormhole attack requires the presence of at least malicious nodes. They establish a wormhole link between the malicious nodes. Then the packets received at one location of the network are routed to the other location of the network. In Figure 4, X and Y are malicious nodes and the communication is established between the two nodes [8].

Figure 4: Wormhole Attack

f. Hello Flood Attack:
The HELLO packet is a beacon usually sent by new nodes to the other sensor nodes informing them of the new route. This attack uses HELLO messages as a weapon to carry out the task. In this attack, the attacker, having high transmission power, transmits HELLO messages to the sensor nodes which are in an isolated large area, and the nodes are convinced that the attacker is a neighbor and start transmitting the information. The message is passed via the attacker and the attacker leaks the message before transmitting the information to the base station. In this type of attack, the attacker will usually have good signal strength. The hello flood attacker can be found by checking the average signal strength of all the nodes; the node which has more signal strength than the average neighbor signal strength is termed to be the attacker [8].
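
The signal-strength check described above, as an added example (not code from the paper): a node averages the RSSI of the HELLO beacons it hears per sender and flags a sender that stands out from the other neighbours. The log format, the function names, the factor `k` and the 10 dB margin are assumptions made for this illustration, and the sample readings are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (sender id, RSSI in dBm) for HELLO beacons heard by one
# sensor node. "X" is a constructed high-power sender; n1..n5 are ordinary.
HELLO_LOG = [
    ("n1", -78), ("n2", -81), ("n3", -75), ("n1", -79), ("X", -42),
    ("n4", -83), ("n2", -80), ("X", -41), ("n5", -77),
]


def per_sender_rssi(log):
    """Mean RSSI per sender. Averaging dBm values directly is a simplification."""
    readings = defaultdict(list)
    for sender, rssi in log:
        readings[sender].append(rssi)
    return {sender: mean(vals) for sender, vals in readings.items()}


def above_average(log):
    """The rule as literally stated: flag every sender above the overall mean."""
    rssi = per_sender_rssi(log)
    overall = mean(list(rssi.values()))
    return sorted(s for s, v in rssi.items() if v > overall)


def flag_hello_flooders(log, k=3.0, min_margin_db=10.0, min_neighbors=3):
    """Flag senders that stand out from the *other* neighbours.

    Each sender is compared with a leave-one-out baseline, so its own strong
    signal cannot raise the average it is judged against. The threshold is
    baseline + max(k * spread, min_margin_db); k and the margin are assumed
    tuning values, not figures from the paper.
    """
    rssi = per_sender_rssi(log)
    flagged = []
    for sender, value in rssi.items():
        others = [v for s, v in rssi.items() if s != sender]
        if len(others) < min_neighbors:
            continue  # too few neighbours to form a meaningful baseline
        threshold = mean(others) + max(k * pstdev(others), min_margin_db)
        if value > threshold:
            flagged.append(sender)
    return sorted(flagged)


if __name__ == "__main__":
    benign = [r for r in HELLO_LOG if r[0] != "X"]
    print("literal rule, no attacker :", above_average(benign))
    print("margin rule, no attacker  :", flag_hello_flooders(benign))
    print("margin rule, with attacker:", flag_hello_flooders(HELLO_LOG))
```

With the constructed sender removed, the literal above-average rule still flags three ordinary nodes, which is why the version with a margin is shown alongside it.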

Figure 5: Hello Flood Attack

g. Battery Drainage:
In this attack, the attacker forces the sensors to remain awake so that they waste their energy. Because of this, a large amount of power is consumed by the power-limited sensor nodes. After the energy is exhausted, these sensors stop working, which causes Denial of Service through Denial of Sleep [5].

Table 1: Comparison of Attacks in WSN

IV. INTRUSION DETECTION SYSTEM

Security is a major issue in WSN due to its limited resources and vulnerability to physical attacks. Some of the techniques used for security issues include key management, routing protocols, cryptography and security mechanisms for specific attacks and various IDS. The above listed security mechanisms are not sufficient to identify various attacks in WSNs. IDS provide efficient and effective methods to detect the various attacks in WSN. An intrusion detection system is used to detect the intruders in a network. Intrusion detection is a second line of defense to save the network. Intrusion can be defined as an unauthorized activity which is performed in a network. An intrusion detection system tries to collect the data from the network and analyses the data gathered for abnormal behavior. Intrusion can be achieved in two ways, either statically or dynamically. IDS provide much valuable information in the network like the intrusion time; intrusion type; intention of the intruder; position of the intruder; nature of the intruder etc. IDS are only able to detect the attacks; they cannot prevent the attacks. Hence they are only used for detecting the attacks [10][11]. In this paper, various kinds of Intrusion Detection systems are discussed.

The components of the IDS are generally classified as: Monitoring Component: analyzes the traffic and keeps track of it; Analysis and Detection: tries to detect strange behavior in the network; Alarm Component: once threats are identified it raises the alarm [6][7].

Figure 6: Components of IDS

IDS are basically classified into two types based on the audit data: Host based and Network based. Host based IDS depend on the application logs for analyzing the attacks and network based IDS try to detect the packets in the network [11][12]. The IDS can further be classified into various types based on the detection techniques like:
Anomaly Based IDS
Signature Based IDS
Specification Based IDS
Cross Layer IDS
Hybrid IDS

Signature Based Detection Systems
The signature based IDS is also known as rule based IDS [13]. These IDS have pre-defined rules for different security attacks. Any deviation of the network behaviour from the pre-defined rules is classified as an attack. One major advantage of these types of techniques is a low false positive rate. Signature based detection systems work well for known intrusions but are not able to detect attacks having no predefined rules and recent attacks. Routing attacks and sinkhole attacks are detected by these signature based detection systems. Every node observes and works together with neighbours. Signature-based IDS are best suited for large sized WSNs in which the operations of the network are compromised by added security threats and other attacks. Signature-based IDS need additional resources and more computation power as compared with anomaly-based IDS. The main drawback of these systems is that they cannot identify new attacks. The database should be continuously updated with the attack signatures. Another drawback is that the
signatures should include all possible discrepancies of the pertinent attack and it should avoid the intrusive activity.

Anomaly Based Detection Systems
In anomaly based IDS [14], identification of intrusion can be achieved by analyzing the history of the test signal, which is called unsupervised data, or by collecting training data, which is called semi-supervised data. The data set can be discrete, continuous, or multivariable. Intrusions are identified by providing threshold values; that is, any activity carried out within a threshold value is normal, while any activity having a value more than the threshold is known as an intrusion. The normal behavior is established by automated training and in this way it is possibly able to detect novel attacks as intrusions. Anomaly-based IDS are more suitable for small-sized WSNs in which only a small number of nodes exchange information with the base station. In a small-sized WSN, a change in normal traffic or a behavioral change can be considered as intrusion. The problems of misuse detection are overcome by focusing on normal behaviors rather than attack behaviors. The problems related with these methods are that more false alarms are generated by the IDS and it may not be able to identify well-known intrusions.

Specification based Detection Systems
A specification based system is a form of anomaly based detection system with slight deviation and it combines the strengths of misuse and anomaly detection. The normal behaviour is defined manually with specifications and it tries to monitor the behaviour with respect to these constraints. It looks for any abnormal behaviour at the system level. These types of IDS define a legitimate behaviour and when the system departs from this model, it can detect an intrusion [13]. In this way, legitimate but previously unseen behaviours will not cause a high false alarm rate, as in the anomaly detection approach. Also, since it is based on deviations from legitimate behaviours, it can still detect previously unknown attacks. On the other hand, the development of detailed specifications by humans can be time-consuming and bears the inherent risk that certain attacks may pass undetected.

Figure 7: IDS Models

Hybrid based Detection Systems
This is composed of anomaly based along with signature based IDS. It inherits the basic properties from anomaly based as well as signature based IDS. One detection module verifies the known attacks using signatures and the other module monitors the deviation of the overall network behaviour from normal behaviour. It is the most accurate detection system with fewer false positives. The major drawback of the hybrid system is that it requires more energy and resources. These IDS are mostly deployed in cluster based or to some extent in hierarchical WSNs; some are used to carry out signature based detection while others are used to perform anomaly detection in order to reduce the utilization of resources. Hybrid IDS are appropriate for large and sustainable Wireless Sensor Networks. It makes use of the benefits of both the approaches and offers simplicity, high safety, and low utilization of energy. The hybrid IDS is able to detect more attacks and the ratio of detection of false attacks is comparatively less.

Cross layer IDS
Cross layer IDS can be applied at any layer of the TCP/IP protocol stack. It uses a cross layer interface to detect intrusion at each layer of the TCP/IP stack by monitoring, communicating and exchanging the information. The main drawback of this type of IDS is that it is expensive in terms of the cross layer interface [13][14].

Reputation (Trust) based IDS
Wang et al. [15] planned an intrusion detection system for WSNs that uses the concept of packet marking; heuristic ranking algorithms are used to identify the possible dangerous nodes within the network. The identity of the source packet is hidden by encrypting and padding. A packet mark is added to each packet and the data sink will identify the source packet. It is able to measure the dropping ratio of the packets of each sensor node. The heuristic ranking algorithms are used in order to detect the intruders.

Statistical detection based IDS
Ngai et al. [16] proposed a proficient approach for detecting intrusion in a sinkhole attack. This approach initially identifies the traces of suspected nodes. The proposed system examines a network flow graph and subsequently finds the intruder efficiently. This approach makes use of a multivariate method which is based on the chi-square test.

Clustering (Hierarchical) based IDS
In this hierarchical IDS, the entire network is divided into clusters with each cluster having a cluster-head. In each cluster, the cluster-head acts as the head and behaves as a central point. The members of the cluster report to the cluster head about malicious nodes and it performs the routing in the group. Every node has an IDS agent running within the node and its duty is to locally monitor and detect all the intrusions. However, the cluster-head is responsible for both local and global node for its cluster. It examines the network packet traffic and
controls the network whenever intrusion in the network has been detected [17]. Similarly, the attacks against the cluster heads should be detected by other cluster-heads. All the cluster heads communicate with the central base station to form a global IDS.

Su et al. [18] proposed two approaches in order to improve the security aspect for clusters in sensor networks using IDS. The first approach is based on the concept of authentication, which avoids external attacks. It uses the concept of a message authentication code (MAC), which is added to each message. The message authentication code is usually produced as a key-pair value. Along with the message, the node adds a timestamp and a MAC, which are generated by a key-pair or individually depending on the sender. The security mechanism LEAP is used and the sender can be verified. The second technique is called Energy-Saving. This method tries to identify the nodes which are deviating from their actual behaviour, mainly the member nodes (MN) and cluster-head nodes (CH). Whenever an abnormal behaviour is detected in the network, an encrypted warning message along with the cluster key is broadcast by the CH to restrain this specific node. The cluster-based model provides more security and consumes less energy. Data delivery is guaranteed in this approach due to centralized routing.

Watchdog based IDS
Roman et al. [19] explain the application of IDSs to static WSNs. Spontaneous watchdogs have been recommended as IDS for WSNs. In this approach, the neighbors are monitored optimally and a few nodes choose to monitor their neighborhood communication independently.

Distributed and collaborative IDS
Krontiris et al. [20] proposed a distributed IDS for WSNs based on the concept of collaborative neighborhood watching. The proposed IDS works better against black hole and selective forwarding attacks. The author [23] presented a solution for the problem of cooperative intrusion detection in wireless sensor networks. The necessary conditions for exposing the attacker have been presented by the author in an efficient way. Nodes are able to recognize the intruder in a distributed manner by using the local detector modules. The detector module triggers uncertainties about an interruption in the sensor's region. In [21], the proposed IDS used a specification based detection algorithm. They used the decentralized approach in which intrusion detectors were randomly distributed among the network. The information gathering and processing were carried out in distributed fashion. Due to its scalability and robust nature, the distributed approach was more useful than the centralized approach.

Game theory based IDS
According to Agah et al. [22], the game theory IDS consists of two participants: one is the attacker and the other is the one detecting intrusion. He formulated strategies for both parties. This IDS is based on a non-cooperative and non-zero game model to improve the detection probability. Both schemes focused on determining the weakest node in the network and then providing strategies to defend that node. The problem with this approach was that there might be multiple intrusions to the WSN and only one of them would be caught by the IDS while leaving others undetected.

V. IDS Architectures in WSN

The wireless sensor networks are susceptible to attacks because of their distributed nature. Since the nodes are distributed in a random fashion, tampering with a node or attacking the nodes from any direction is easier. So they are more vulnerable to attacks. In order to handle these challenges, many possible IDS architectures are available including standalone IDS, distributed and cooperative IDS and hierarchical IDS [23].

Standalone IDS
In this approach, each node operates as an independent IDS and is responsible for the detection of various attacks. As the name standalone IDS says, they work separately and do not share information with each other. In this approach, the nodes are capable of executing and running their own IDS. In this network infrastructure, malicious activities occurring in the victim node are detected by running the IDS independently on each and every node [24][25]. Moreover, different nodes collect different information and each node separately makes the decision based on the information collected on its own; since it is a standalone IDS, there is no sharing or updating between the nodes in the network. Even though the nodes belong to the same network, information regarding the condition of other nodes will not be known to other nodes. The infrastructure is not worthy because of its restrictions, since all the nodes need to be configured with IDS and this network would be more efficient if all the nodes are not configured with IDS. The intrusion could not be detected based on the information collected from every node and the information will not be sufficient to determine whether an intrusion occurred or not. Therefore, this architecture is best suited only for flat infrastructure networks. To conclude, this was not a feasible solution to design the IDS architecture for WSN.

Distributed and Cooperative IDS
In Zhang et al., 2003 [26], each node detects intrusion by running an IDS agent individually. In general, the job of the IDS agent is to identify and collect local events. IDS can monitor only their own communication and data to detect possible intrusions, and they initiate a response independently. This IDS is more suitable for a flat network configuration than a cluster based one.

VI. CHALLENGES OF IDS IN WSN

The IDS have been designed for wired networks and cannot fit a wireless sensor network. Some of the challenges involved in WSN are as follows:

Figure 8: Challenges of IDS in WSN

VII. COMPARISON OF IDS

Characteristics        Anomaly Based   Signature Based   Hybrid Based
Memory Utilization     Low             Low               Medium
Energy Consumption     Low             Low               Medium
Detection Rate         Medium          Medium            High
False Alarm            Medium          Medium            Low

VIII. CONCLUSION

In many applications, WSN has widespread usage. In the absence of various security mechanisms, a variety of attacks is possible in WSN. The main aim of the paper is to present the security attacks in WSN and the Intrusion Detection system in WSN. The security problems in WSN, security attacks and the most promising Intrusion Detection Systems have been discussed with a hope that this will assist researchers to carry out further research.

References

[1] Y. Wang, G. Attebury, B. Ramamurthy, "A survey of security issues in wireless sensor networks," IEEE Commns Surveys, vol. 8, pp. 2-23, 2006.
[2] Y. Zhou, Y. Fang, and Y. Zhang, "Securing Wireless Sensor Networks: A Survey," IEEE Communications Survey, vol. 10, no. 3, pp. 6-28, 2008.
[3] G. Padmavath, D. Shanmugapriya, "A Survey of Attacks, Security Mechanisms and Challenges in Wireless Sensor Networks," (IJCSIS) International Journal of Computer Science and Information Security, Vol. 4, No. 1 & 2, 2009.
[4] A.S.K. Pathan, H.-W. Lee, and C.S. Hong, "Security in Wireless Sensor Networks: Issues and Challenges," in 8th International Conference on Advanced Communication Technology (IEEE ICACT 2006), Volume II, 20-22 February, Phoenix Park, Korea, 2006, pp. 1043-1048.
[5] I. Onat and A. Miri, "An intrusion detection system for wireless sensor networks," Wireless and Mobile Computing, Networking And Communications, vol. 3, 2005, pp. 253-259.
[6] I. Krontiris, T. Dimitriou, Th. Giannetsos, and M. Mpasoukos, "Intrusion Detection of Sinkhole Attacks in Wireless Sensor Networks," LNCS, vol. 4837, pp. 150-161, 2008.
[7] Nabil Ali Alrajeh, S. Khan, and Bilal Shams, "Intrusion Detection Systems in Wireless Sensor Networks: A Review," International Journal of Distributed Sensor Networks, Volume 2013, Article ID 167575, 7 pages.
[8] Yassine Maleh and Abdellah Ezzati, "A review of security attacks and intrusion detection schemes in wireless sensor network," International Journal of Wireless & Mobile Networks (IJWMN), Vol. 5, No. 6, December 2013.
[9] Ismail Butun, Salvatore D. Morgera, and Ravi Sankar, "A Survey of Intrusion Detection Systems in Wireless Sensor Networks," IEEE Communications Surveys & Tutorials, Vol. 16, No. 1, First Quarter 2014.
[10] Sonu Duhan, Padmavati Khandnor, "Intrusion Detection System in Wireless Sensor Networks: A Comprehensive Review," International Conference on Electrical, Electronics, and Optimization Techniques (ICEEOT), 2016.
[11] Manali Singh, Khushbu Babbar, Kusum Lata Jain, "A Survey on Intrusion Detection System in Wireless Sensor Networks," International Journal of Wireless Communications and Networking Technologies, Vol. 3, No. 3, April - May 2014.
[12] Ranjit Panigrahi, Kalpana Sharma, M.K. Ghose, "Wireless sensor networks architecture, security requirements, security threats and its countermeasures," PDCTA 2013, pp. 107-115, 2013. CS & IT-CSCP 2013.
[13] Raymond D R, Midkiff S F. Denial-of-service in wireless sensor networks: attacks and defenses. IEEE
[14] David R. Raymond, Scott F. Midkiff, "Denial of Service in WSN: Attacks and defences," IEEE Pervasive Computing, Vol. 1, No. 7, pp. 74-81, 2008.
[15] C. Wang, T. Feng, J. Kim, G. Wang and W. Zhang, "Catching Packet Droppers and Modifiers in Wireless Sensor Networks," IEEE Trans. Parallel Distrib. Syst., vol. 23, num. 5, pp. 835-843, 2012.
[16] E. Ngai, J. Liu and M. Lyu, "On the Intruder Detection for Sinkhole Attack in Wireless Sensor Networks," ICC06, Istanbul, Turkey, June 2006.
[18] C.-C. Su, K.-M. Chang, Y.-H. Kuo, and M.-F. Horng, "The new intrusion prevention and detection approaches for clustering-based sensor networks," in 2005 IEEE Wireless Communications and Networking Conference, WCNC 2005: Broadband Wireless for the Masses - Ready for Take-off, 2005.
[19] R. Roman, J. Zhou, and J. Lopez, "Applying intrusion detection systems to wireless sensor networks," in Proc. IEEE Consumer Communications and Networking Conference, 2006.
[20] I. Krontiris, Z. Benenson, T. Giannetsos, F. Freiling and T. Dimitriou, "Cooperative intrusion detection in wireless sensor networks," Springer J. Wireless Sensor Networks, pp. 263-278, 2009.
[21] A.P. da Silva, M. Martins, B. Rocha, A. Loureiro, L. Ruiz and H.C. Wong, "Decentralized Intrusion Detection in Wireless Sensor Networks," in Proc. 1st ACM International Workshop on Quality of Service and Security in Wireless and Mobile Networks (Q2SWinet 05), ACM Press, October 2005, pp. 16-23.
[22] A. Agah and S.K. Das, "Preventing DoS attacks in wireless sensor networks: A repeated game theory approach," International Journal of Network Security, volume 5, number 2, pages 145-153, 2007.
[23] Andreas A. Strikos, "A full approach for Intrusion Detection in Wireless Sensor Networks," School of Information and Communication Technology, Stockholm, Sweden, March 1, 2007.
[24] Rassam, Murad A., M. A. Maarof, and Anazida Zainal. "A Survey of Intrusion Detection Schemes in Wireless Sensor Networks." American Journal of Applied Sciences 9, no. 10 (2012): 1636.
[25] Anantvalee, Tiranuch, and Jie Wu. "A survey on intrusion detection in mobile ad hoc networks." In Wireless Network Security, pp. 159-180. Springer US, 2007.
[26] Y. Zhang and W. Lee, "Intrusion detection in wireless ad-hoc networks," Proc. 6th annual international conference on Mobile computing and networking, pp. 275-283, 2000.
