International Journal of Distributed Sensor Networks, Vol. 2, No. 4, October 2006, pp. 313–332. Copyright © Taylor & Francis Group, LLC. ISSN: 1550-1329 print / 1550-1477 online. DOI: 10.1080/15501320600692044

Intrusion Detection for Routing Attacks in Sensor Networks

CHONG EIK LOO and MUN YONG NG

Department of Electrical and Electronic Engineering, The University of Melbourne, Parkville, Victoria 3010, Australia

CHRISTOPHER LECKIE

Department of Computer Science and Software Engineering, NICTA Victoria Laboratory, The University of Melbourne, Parkville, Victoria 3010, Australia

MARIMUTHU PALANISWAMI

Department of Electrical and Electronic Engineering, The University of Melbourne, Parkville, Victoria 3010, Australia

Security is a critical challenge for creating robust and reliable sensor networks. For example, routing attacks have the ability to disconnect a sensor network from its central base station. In this paper, we present a method for intrusion detection in wireless sensor networks. Our intrusion detection scheme uses a clustering algorithm to build a model of normal traffic behavior, and then uses this model of normal traffic to detect abnormal traffic patterns. A key advantage of our approach is that it is able to detect attacks that have not previously been seen. Moreover, our detection scheme is based on a set of traffic features that can potentially be applied to a wide range of routing attacks. In order to evaluate our intrusion detection scheme, we have extended a sensor network simulator to generate routing attacks in wireless sensor networks. We demonstrate that our intrusion detection scheme is able to achieve high detection accuracy with a low false positive rate for a variety of simulated routing attacks.

Keywords Intrusion Detection; Anomaly Detection; Routing Attacks; Wireless Sensor Networks

1. Introduction

The development of wireless sensor networks offers the promise of a flexible, low cost solution for monitoring critical infrastructure. For example, sensor networks have been proposed for applications such as traffic monitoring, building monitoring, and battlefield surveillance [1]. In any application involving critical infrastructure, there is the potential risk of malicious attacks on this infrastructure, either for financial gain or as a terrorist act. The sensor network has a critical role to play in detecting these attacks, and thus can become a target for attack in its own right. However, the problem of detecting attacks on sensor networks has not been addressed in the literature. In this paper, we investigate how to incorporate intrusion detection into wireless sensor networks, and present a method for detecting novel routing attacks on these networks.

Address correspondence to Christopher Leckie, Department of Computer Science and Software Engineering, The University of Melbourne, Parkville, Victoria, Australia 3010, E-mail: [email protected]


A key attraction of sensor networks is their ease of installation and operation. However, security is one of the key challenges to creating a robust and reliable sensor network [2]. Currently, most research on security in sensor networks has focused on prevention techniques, such as secure routing protocols, cryptography, and authentication techniques [3]. These security mechanisms are usually the first line of defense. However, experience with the Internet has shown that flaws in these protocols are continuously being found and exploited by attackers [4]. Sensor network protocols are faced with additional challenges due to complexities such as a wireless access medium, unpredictable node movement, and unreliable node operation. These challenges create considerable potential to exploit weaknesses in the network. Consequently, we cannot rely on intrusion prevention techniques alone. In practice, Intrusion Detection Systems (IDSs) are needed to detect both known security exploits and even novel attacks that have yet to be experienced.

Intrusion detection is the problem of identifying misuse of computer systems and networks [5]. Most IDSs apply signature-based techniques. In general, signature-based techniques test for features of known network attacks. This raises the question of how to learn these features for known attacks, and how to detect new attacks. It is difficult to use supervised learning in this context, since labeled training data is expensive to produce. More importantly, it is difficult to detect new types of attacks whose signatures may differ from those in its signature set. This has motivated research into unsupervised learning techniques, which do not require labeled data and are able to detect previously “unseen” attacks.

Instead of learning the signature of attack traffic, unsupervised anomaly detection techniques focus on learning the signature of normal traffic. Unsupervised learning techniques do not require the data to be labeled, nor do they require the data to be purely of one type, i.e., normal or attack traffic. This is a significant benefit over the supervised learning approach.

This paper focuses on constructing an Intrusion Detection System for wireless sensor networks. We have made three main contributions in our work. First, we have explored the impact of network attacks on sensor networks. In particular, we have simulated several important categories of routing attacks on sensor networks. Second, we have developed an intrusion detection scheme that is suitable for use in wireless sensor networks. A major advantage of our intrusion detection scheme is that it is based on anomaly detection, rather than signature detection. This means that it is able to detect routing attacks that have not previously been seen. In addition, our intrusion detection scheme does not require communication between sensor nodes, which significantly reduces the power consumption in power-constrained sensor nodes. Finally, we demonstrate the effectiveness of our scheme on a variety of routing attacks in a simulated network. Our IDS was able to achieve high detection accuracy with a low false positive rate for each variety of attack that was simulated.

2. Sensor Networks

Sensor network technology is undergoing a rapid evolution. Early sensor networks involved simple transducers that convert a measured variable (e.g., temperature, sound, light) into a signal that can be transmitted to a central processing system for analysis [1]. These sensor networks were based on a star topology, with single-hop point-to-point links between the sensor and the central base station. The power requirements of single-hop links limited the range of the network, unless a significant power supply is available at each node.

These communication limitations have been addressed by the advent of multi-hop wireless networks, based on routing protocols from ad hoc networks. In contrast to other types of networks, Akyildiz et al. [6] note that this new generation of wireless sensor networks has several special requirements that raise novel technical challenges.


• Varying network size—the number of sensor nodes can vary over time as nodes move or lose power.

• Power constraints—in many situations the sensor nodes have a limited power supply, which makes communication much more expensive in comparison to local storage and computation.

• Geographic or data-centric routing—rather than relying on address-based routing, sensor nodes place greater emphasis on geographic routing or content-based routing, where routing decisions can be made on the basis of the contents of the message, and whether there is scope for local aggregation of measurements.

These challenges have stimulated research into a new generation of routing protocols. In the remainder of this section, we introduce several important routing protocols that have been used or proposed in sensor networks. We also survey some of the security risks and attacks that are raised by these new routing protocols.

2.1 Routing Protocols

As stated above, the routing protocols in sensor networks have evolved from those developed for ad hoc networks. Both networks can have a highly dynamic topology and lack any centralized control. This means that routes can be constantly changing, and the network must be self-organizing. However, there are several important differences between ad hoc and sensor networks:

• the number of nodes in a sensor network can be much larger than in ad hoc networks;

• the traffic flows in sensor networks are from the sensors to a centralized base station (or vice versa), rather than irregular one-to-one communication between nodes in ad hoc networks;

• sensor nodes can be exposed to hostile environments, and can have a higher likelihood of failure; and

• many sensor network applications have more severe resource constraints, which makes communication a more expensive task in contrast to computation.

Numerous routing protocols have been proposed to address these problems. AODV (Ad hoc On-demand Distance Vector) routing was initially designed for ad hoc networks, and supports the self-configuration required by sensor networks. LEACH (Low Energy Adaptive Clustering Hierarchy) [7] is a cluster-based protocol where sensors in the network use localized coordination and control to organize themselves into clusters. Sensor nodes in LEACH undergo a randomized rotation to be elected as the cluster head, which prevents power being drained from any single sensor node. INSENS (Intrusion-Tolerant Routing in Wireless Sensor Networks) [8] is designed to be a secure and intrusion tolerant routing protocol for wireless sensor networks. INSENS utilizes symmetric-key cryptography to limit flooding and act as an authentication tool.

In this paper we have focused on AODV, since it has been used in numerous studies involving sensor networks [9,10,11]. Note that the basic principles in our approach are not limited to use in AODV, and can be applied to a variety of sensor network routing protocols. Let us now examine the basic operation of AODV.

AODV is designed for dynamic self-starting networks [12]. Some of the key advantages of this protocol are that nodes store only those routes that are required, the need for broadcasting and duplication of messages is minimized, and it has low memory requirements. Moreover, it can quickly update routes in response to link failures, and is scalable to large numbers of nodes.


AODV only discovers routes when they are needed. Each node maintains a routing table. If the node needs to send a message to another destination node, it first checks if there is an entry for that destination in its routing table. If such an entry exists, it will specify the next hop on the route to the destination. Otherwise, the node needs to discover a route to the destination.

Route discovery starts when the source node broadcasts a Route Request message to each of its neighbors. If a neighbor knows a route to the destination, then it sends a Route Reply message to the source node. Otherwise, it forwards the original route request to its neighbours. For example, consider the network in Fig. 1(a). Node A wants to send a packet to the base station. It looks into its table and does not find an entry for the base station, so it has to discover the route. This property of discovering routes only when they are needed is what makes the algorithm “on demand.”

To locate the base station, node A constructs a Route Request packet and broadcasts it. Since only node C is in range with A, only node C receives the request. Node C will then search its own table for the route to the base station. When Node C fails to find the route in its table, it will broadcast the Route Request again. Node B, node I and node D are within range of C so they will look in their table for the route to the base station. This sequence will go on until the request reaches a node with the route to the base station or the base station itself. A Route Reply packet will then be sent back using the node from which the request came (Fig. 1(b)).

In order to avoid redundant broadcasts, the source node includes a Broadcast ID in its Route Request message. If an intermediate node receives a Route Request message containing a Source Node ID and a Broadcast ID that it has seen before, it can discard the message.

In order to avoid discovering routes that are out of date, each node has an associated Destination Sequence Number. When a node generates a Route Request, it includes the most recent Destination Sequence Number that it knows for that route. When the destination receives the request, it increments its Destination Sequence Number, and includes that number in its Route Reply message.

When an intermediate node receives a Route Reply Message for a particular destination, it checks the Destination Sequence Number in the message. If it is higher than the Destination Sequence Number associated with the route that is currently stored in the routing table of the intermediate node, then the route is updated and the message is forwarded to the source of the request.

FIGURE 1 Example of AODV. (a) Node A wants to send a packet. (b) Final route discovered by AODV.
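The following Python model of AODV route discovery is an added illustration, not code from the paper or its simulator. It implements the three rules just described (on-demand flooding of Route Requests, discarding a request whose Source Node ID and Broadcast ID were already seen, and adopting a Route Reply only when its Destination Sequence Number is fresher than the stored one) over a constructed topology that only loosely follows Fig. 1; node names, the link set and the base-station label BS are assumptions of this example.

```python
from collections import deque

# Constructed topology (not the paper's Fig. 1 adjacency, which is not
# given in full): undirected radio links between node ids.
LINKS = {
    ("A", "C"), ("C", "B"), ("C", "I"), ("C", "D"),
    ("D", "E"), ("E", "BS"), ("I", "BS"),
}


def neighbours(node):
    """Nodes within radio range of `node`."""
    return {b for a, b in LINKS if a == node} | {a for a, b in LINKS if b == node}


class Node:
    def __init__(self, name):
        self.name = name
        self.routes = {}          # dest -> (next_hop, hop_count, dest_seq_no)
        self.seen_rreq = set()    # (source id, broadcast id) pairs already handled
        self.seq_no = 0           # this node's own Destination Sequence Number
        self.broadcast_id = 0
        self.route_updates = 0    # how often a stored route was replaced

    def known_seq(self, dest):
        r = self.routes.get(dest)
        return r[2] if r else 0

    def update_route(self, dest, next_hop, hops, seq):
        """Adopt the advertised route only if its sequence number is fresher."""
        cur = self.routes.get(dest)
        if cur is None or seq > cur[2]:
            self.routes[dest] = (next_hop, hops, seq)
            self.route_updates += 1
            return True
        return False              # stale or equal sequence number: ignore


def _send_reply(nodes, path, dest, seq, tail_hops):
    """Route Reply travels back along the reverse path, installing routes.

    tail_hops is the replying node's own distance to dest (0 if it is dest).
    """
    for i in range(len(path) - 2, -1, -1):
        hops = (len(path) - 1 - i) + tail_hops
        nodes[path[i]].update_route(dest, path[i + 1], hops, seq)
    return path, len(path) - 1 + tail_hops


def discover_route(nodes, src, dest):
    """Flood a Route Request from src; return (reply path, hop count) or None.

    Breadth-first flooding models the broadcast, so the first reply found is
    the one over the fewest hops.
    """
    s = nodes[src]
    s.broadcast_id += 1
    rreq = (src, s.broadcast_id, s.known_seq(dest))   # Source ID, Broadcast ID, known seq
    queue = deque([(src, [src])])                      # (current node, path so far)
    while queue:
        cur, path = queue.popleft()
        node = nodes[cur]
        if (rreq[0], rreq[1]) in node.seen_rreq:
            continue                                   # duplicate request: discard
        node.seen_rreq.add((rreq[0], rreq[1]))
        if cur == dest:
            node.seq_no += 1                           # destination bumps its sequence number
            return _send_reply(nodes, path, dest, node.seq_no, 0)
        known = node.routes.get(dest)
        if cur != src and known is not None and known[2] >= rreq[2]:
            # intermediate node already knows a fresh-enough route: reply from here
            return _send_reply(nodes, path, dest, known[2], known[1])
        for nb in neighbours(cur):
            if nb not in path:
                queue.append((nb, path + [nb]))
    return None


def build_network():
    return {name: Node(name) for name in ("A", "B", "C", "D", "E", "I", "BS")}


if __name__ == "__main__":
    net = build_network()
    print(discover_route(net, "A", "BS"))   # reply from the base station itself
    print(discover_route(net, "B", "BS"))   # answered from C's routing table
    print(net["A"].routes["BS"], net["B"].routes["BS"])
```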

2.2 Sensor Network Attacks

Perrig et al. [2] highlight the security challenges for sensor networks. Like any network, trust, authentication, and privacy are important issues for sensor networks. However, traditional solutions such as public key cryptography and the associated key distribution protocols are not directly applicable to sensor networks, particularly due to the need to minimize communication overhead.

Most sensor network protocols assume a high degree of trust between nodes in order to eliminate the overhead of authentication. This creates the risk of attackers introducing malicious nodes to the network, or manipulating the operation of existing nodes. Consequently, there is the potential for a wide variety of attacks on sensor networks. This section provides a brief summary of the main types of attacks that pose a risk for sensor networks, based on the survey by Karlof and Wagner [13].

Denial of Service (DoS) Attacks. A DoS attack aims to flood the network with useless traffic. This has two effects on sensor networks. First, the attack traffic consumes network resources, and prevents legitimate traffic from reaching the base station. More importantly, it causes sleep deprivation of sensor nodes and wastes their energy. This can be combined with other attacks such as altering of the routing information in order to maximize its effect.

Spoofing and Altering of Routing Information. Spoofing refers to an attacker impersonating another node by falsifying the identity field in routing messages. In a simple but effective attack, a compromised node can disrupt the network through spoofing and altering of routing information. This can enable an attacker to create routing loops in the network, or to increase the length of routes. This in turn causes increased traffic congestion and deprives the network of resources.

Selective Forwarding. Selective forwarding occurs when a compromised node drops a packet that is bound for a particular destination. In this way, an attacker can selectively filter traffic from a particular part of the network. Other possible variations of selective forwarding can involve dropping all packets or randomly dropping packets. Although random dropping is less disruptive, it can also be much harder to reliably detect and trace.

Sinkhole Attacks. The main purpose of the sinkhole attack is to lure all traffic from nodes in a region to a compromised node. This is achieved by forging or altering of the route packet information to make a compromised node look very attractive to the routing algorithm, causing neighboring nodes to assume that the compromised node is the best path to their destinations. Sinkhole attacks can also act as a platform for launching other attacks. An example would be to combine it with a selective forwarding attack. Since all the traffic basically flows through the compromised node, a selective forwarding attack would thus become more effective and easier to achieve.

Sybil Attacks. In Sybil attacks [14], a malicious node pretends to be a number of different nodes in the network. The malicious node can acquire identities either by fabricating new ones or by learning the identity of other nodes. To attack a network, the malicious node can use the impersonated identity to communicate with legitimate nodes directly, or by indirect communication where the malicious node advertises that it has a path to the impersonated node.

Wormholes. In a wormhole attack, a malicious node tunnels messages between two different parts of the network via a high speed link. This can make distant nodes appear “closer” in the network, which can be useful as part of a Sybil attack. Moreover, if the attacker is appropriately positioned, it can disrupt the entire network by diverting traffic from the base station.

Summary. Many different types of protocols are available for sensor network applications; some focus on energy saving, and some on resource awareness, or in-built security mechanisms. However, there is no perfect protocol which has yet proven to be robust against all attacks. Sensor network attacks come in various forms. They can be combined to create more complex forms of attacks by flooding, packet dropping, or manipulating nodes in the network. It is an open question as to how we can efficiently detect these types of attacks in sensor networks. In the rest of this paper, we focus on the problem of detecting routing attacks on sensor networks.

3. Problem Definition

Our aim is to develop an intrusion detection system that can detect routing attacks in sensor networks. We are given a wireless sensor network, which comprises a set of sensor nodes S = {s1, . . ., sn}, and a base station B. The sensor nodes and the base station use a suitable routing protocol so that sensors can route messages to the base station and vice versa. Each node s ∈ S monitors the routing messages that it receives in order to detect routing attacks in the network. The routing attack is caused by the activities of a compromised node denoted sa ∈ S. The problem is for each node s ∈ S to identify when an attack is occurring in S. Due to the cost of communication between nodes in sensor networks, we assume that each node acts independently when trying to detect an attack.

At every time interval Δi, each sensor node constructs a feature vector ci, which summarizes the routing information that has been seen by that node. The feature vector ci comprises a fixed number of attributes {xj, j = 1 . . . d}. There are two challenges for intrusion detection in this context. First, we require an effective anomaly detection scheme for detecting abnormal routing conditions in the network. Second, we require a suitable set of attributes x that can summarize the relevant information about the routing conditions in the network. These attributes must be both efficient to collect, and generally applicable to a wide range of different routing protocols.

4. Anomaly Detection for Sensor Network Attacks

Our approach is to have all nodes in the sensor network individually equipped with an IDS. The main requirement of the system is that every IDS should function independently and be able to detect signs of intrusion locally by observing all the data it received without collaboration between its neighbors. Each IDS could rely solely on information extracted from the node’s routing table and traffic packets through the node. Querying of information from other sensor nodes is not possible as neighboring nodes could not be trusted and this would incur a significant cost in terms of power resources.

We assume that each node has sufficient power and resources to perform the computation required for intrusion detection. This may not be applicable to all sensor network applications. However, our approach does not require expensive communication between nodes. Since each node operates independently when trying to detect occurrences of attacks from its neighbors, we describe the operation of our intrusion detection scheme from the perspective of a single node, which we refer to as the monitoring node. In practice, all nodes can potentially be monitoring nodes in the network for the purposes of intrusion detection.

We assume it is possible to physically compromise sensor nodes in the network, or to introduce compromised nodes. An example would be a node being captured and reconfigured to be under the control of an attacker, converting the sensor node to a malicious node. The malicious node would then be used as a launching pad for attackers to mount an attack.

As sensor networks use wireless communication, we assume that the radio links are insecure and the attackers are able to bypass intrusion prevention techniques. Thus, malicious nodes may be able to eavesdrop on network traffic in order to acquire network information for launching attacks.

In the rest of this section, we describe our intrusion detection technique in detail. Our first challenge is to define a set of traffic features that can be used to detect a wide variety of attacks for a range of different routing protocols. Our second challenge is to develop a suitable anomaly detection technique for detecting attacks without the need for prior knowledge of the signatures of these attacks.

4.1 Feature Selection

Our first task is to identify suitable traffic features that are useful for detecting routing anomalies, while attempting to have as few features as possible. This is because more features means more computation time and resources are needed by the nodes in the sensor network. Another important requirement is that the features selected should be applicable to a variety of routing protocols.

We have identified a set of 12 features that need to be extracted from the network traffic that is seen by the monitoring node. These features can be classified as non-traffic related and traffic related. Non-traffic related features represent the routing conditions of the sensor node, while traffic related features describe the conditions of the traffic flow through the node. These features are listed in Table 1, along with a summary of the distribution of values that were measured for each feature under normal traffic conditions in our network simulation. A detailed description of this simulation is given in Section 5.2.

TABLE 1 Features for intrusion detection, showing the mean and standard deviation that was measured for each feature from the network traffic simulation under normal traffic conditions (see Section 5.2 for details)

Feature  Description                                        Mean for Normal Traffic  Std Dev for Normal Traffic
1        Number of Data Packets Received                    27.4                     43.7
2        Number of Route Requests Received                  134                      154
3        Number of Route Requests Sent                      29.3                     32.0
4        Number of Route Requests Dropped                   0.65                     0.94
5        Number of Route Request Replies Received           3.33                     4.45
6        Number of Route Request Replies Forwarded          1.84                     2.96
7        Number of Route Request Replies Sent               1.29                     1.68
8        Number of Route Errors Received                    12.7                     9.94
9        Number of Route Errors Sent                        2.45                     2.28
10       Number of Updates on the Route to Base Station     2.37                     2.68
11       Mean of Hop Count to Base Station                  2.38                     2.04
12       Standard Deviation of Hop Count to Base Station    0.36                     0.60

The first 9 features listed are traffic related and are primarily selected for detecting denial-of-service attacks, and attacks that manipulate the routing protocol. Feature 1 is used to detect unusual levels of data traffic, which may indicate a denial-of-service attack based on a data traffic flood. Features 2, 3, and 4 may be used to detect sinkhole attacks, since a sinkhole can generate artificial routes that may affect the need of other nodes to request routes. Similarly, features 5, 6, and 7 can be affected by the manipulation of the routing protocol in sinkhole attacks. Features 8 and 9 measure the level of route errors seen on the network, which directly relates to the operation of periodic route error attacks. While we expect there to be some degree of correlation between some pairs of features, our tests have shown that different types of attacks can cause subtle differences in the behaviour of related features.

The next 3 features are designed to monitor changes of the path to the base station. Feature number 10 is the most interesting among the 3 features. For sinkhole attacks in AODV, the attacker lures traffic by sending false routing packets that consist of a maximum Destination Sequence Number and minimal hop count. While it is not possible to detect the authenticity of the routing packet, we are able to deduce that there is an occurrence of an attack if there is a sudden increase in the number of times the path to the base station changes compared to normal traffic conditions.

4.2 Anomaly Detection

The problem of anomaly detection for network intrusion detection can be defined using the model in [15] as follows. Our aim is to detect suspicious traffic in the network that we are trying to protect. For example, when a sample of traffic is collected from our network, we need to decide whether that traffic sample is normal or abnormal. In order to make that decision, we represent each sample by a set of d features, e.g., the features in Table 1. These features are encoded so that each sample is mapped onto a point c in a feature space ℜ^d, i.e., c ∈ ℜ^d. We then analyze the surrounding region of the feature space for the point corresponding to that sample. If the point c lies in a sparse region of space where few other samples have been seen, then we label c as abnormal or anomalous. Any abnormal traffic is considered to be an attack. Conversely, if c lies in a dense region of space where we have seen many other traffic samples, then we label c as normal.

The process of anomaly detection comprises two phases: training and testing. The training phase involves modeling the distribution of a given set of training points, i.e., characterizing a set of given network traffic samples. Note that this training data may contain both normal and abnormal data. For example, we cannot guarantee that a traffic trace from a monitored network contains no attack traffic. Consequently, in order to build a model that discriminates between normal and abnormal data points, we need to make the following standard assumptions [16]:

• We need to assume that attack traffic occurs far less frequently than normal traffic. As a guide we need to assume that less than y % of the data consists of abnormal traffic samples. This assumption is used to differentiate between normal and attack traffic.

• We assume that attack traffic samples are statistically different from normal connections.

The second phase of anomaly detection, the testing phase, analyses new network traffic samples based upon the information gathered in the training phase. New traffic samples are mapped to the feature space and are labeled as abnormal or normal based upon the model developed in the training phase.

Because we have assumed that attacks occur far less frequently than normal traffic and that they are statistically different from the normal traffic samples, attacks will appear as outliers in the feature space. This means we can detect the attacks by analyzing and identifying anomalies in the data set. This is known as the process of anomaly detection for network intrusion.

The problem of anomaly detection for network intrusion has been an active area of research. Our approach is based on a fixed-width clustering algorithm, which is used to model the distribution of training points. This clustering algorithm has been shown to be highly effective for anomaly detection in IP networks [15,17].

Fixed-width clustering builds a set of clusters, such that each cluster has a fixed radius in the feature space. In the training phase of the fixed-width clustering technique, a threshold w is chosen as the maximum radius of a cluster. The first data point forms the centroid of a new cluster. If the distance of each successive point to its closest cluster is less than w, then the point is assigned to the cluster, and the centroid of the cluster is recalculated. Otherwise, the new point forms the centroid of a new cluster. At the end of training, the clusters that contain less than a threshold τ % of the total set of points are labeled as anomalous. All other clusters are labeled as normal. The testing phase operates by calculating the distance between a new point c and each cluster centroid. If the distance from the test point c to the centroid of its nearest cluster is less than w, then the new point c is given the label of the nearest cluster, i.e., normal or anomalous. If the distance from c to the nearest cluster is greater than w, then c lies in a sparse region of the feature space, and is labeled as anomalous.

The algorithm for fixed-width clustering appears in Algorithm 1. We are given a set of network traffic samples CTr for training, where each sample c_i in this set is represented by a d-dimensional vector of attributes. We then proceed through the following stages of (1) normalization, (2) cluster formation, and (3) cluster labeling.

Normalization. There is considerable variation in the range of each attribute, in some cases spanning many orders of magnitude. Hence, when calculating the distance between points, attributes with larger values will dominate those attributes with smaller values. Therefore, to ensure that all features have the same influence when calculating the distance between traffic samples, we must normalize each attribute before mapping into the feature space. This is accomplished by normalizing each continuous attribute x_j in terms of the number of standard deviations from the mean of the attribute as follows:

$$x_j' = \frac{x_j - \text{mean}(x_j)}{\text{standard deviation}(x_j)}$$

Cluster Formation. After normalization, we measure the distance of each traffic sample c_i in the training set CTr to the centroid of each cluster that has been generated so far in the cluster set Φ. If the distance to the closest cluster φ is less than the threshold w, then the centroid of the closest cluster is updated, and the total number of points in the cluster is incremented.

Note that the only information that needs to be stored for each cluster is a count of the total number of points belonging to that cluster and the mean of the cluster. Furthermore, only one pass is required through the traffic samples, and traffic samples do not need to be stored. This has the important benefit that it minimizes the computational load on sensor nodes when they perform anomaly detection. During the clustering process, we need to calculate the distance between a point and the centroid of each cluster. We have used the Euclidean distance metric in our application.

Cluster Labelling. The assumption that the attack to normal traffic ratio is extremely small is used as a classification criterion in this algorithm. Furthermore, as per the second assumption, anomalous data points are statistically different from normal data points and hence are likely to belong to different clusters.

Based on these initial assumptions we define the following as the classification criterion. If a cluster contains more than the classification threshold fraction τ of the total points in the data set, it is labeled as a normal cluster, else it is labeled as anomalous.

ALGORITHM 1 Fixed-width clustering.

Given training samples CTr = {c_i, i = 1 … N_Tr}, where sample c_i = <x_1, …, x_d>
Initially, the set of clusters Φ := {}, the number of clusters M := 0
Normalise CTr
For each training sample c_i ∈ CTr
    If M = 0 then
        Make a new cluster φ_1 with centroid φ_1* from c_i:
        φ_1 := {c_i}, φ_1* := c_i, Φ := {φ_1}, M := M + 1
    Else
        Find the nearest cluster φ_n to c_i:
        n := argmin_k { Distance(c_i, φ_k*) }, where k = 1 … M
        If Distance(c_i, φ_n*) < w then
            Add c_i to cluster φ_n and update the cluster centroid φ_n*:
            φ_n := {c_i} ∪ φ_n
        Else
            Make a new cluster φ_{M+1} with centroid φ_{M+1}* from c_i:
            φ_{M+1} := {c_i}, φ_{M+1}* := c_i, Φ := {φ_{M+1}} ∪ Φ, M := M + 1
For each cluster φ_k
    Find the outermost point c_max in cluster φ_k:
    c_max := argmax_i { Distance(c_i, φ_k*) }, where c_i ∈ φ_k
    Set the width w_k of cluster φ_k: w_k := Distance(c_max, φ_k*)
    If |φ_k| / N_Tr < classification threshold τ then label φ_k as anomalous
    Else label φ_k as normal

Testing Phase. In the testing or real-time phase, each new traffic sample is compared to the cluster set Φ to determine whether it is anomalous. The distance from the traffic sample to each of the clusters is calculated. If the distance to the nearest cluster is less than the cluster width parameter w, then the traffic sample shares the label (normal or anomalous) of its nearest cluster. Otherwise, the data point is labeled as anomalous.

One limitation of clustering is the fixed threshold distance for a data point to be considered part of a cluster during the learning phase, as illustrated in Fig. 2(a). This may lead to an anomalous data point being considered part of a normal cluster. The problem can be resolved by having a different threshold distance for each cluster, as shown in Fig. 2(b). After the learning phase, the threshold distance of each cluster can be tightened by setting it to the distance of the furthest point in that cluster from the centroid. This minimizes the area of the normal data clusters, so anomalies are less likely to fall into them during the testing phase.
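To make the training and testing phases concrete, here is a compact Python implementation of the fixed-width clustering detector, written for this page as an added illustration (it is not the authors' code). It follows Algorithm 1 and the Testing Phase paragraph above: z-score normalization, one pass over the training samples with a running-mean centroid update, cluster labelling by the τ threshold, and an optional tightening of each cluster's width to its outermost member (the Fig. 2(b) variant). The two-feature samples, their scales and the values w = 3.0 and τ = 0.05 are constructed for the example; they stand in for the paper's twelve traffic features and are not values from the paper.

```python
"""Fixed-width clustering anomaly detector (added illustration of Algorithm 1;
not the authors' code). Sample data below is constructed, not a simulation trace."""
import math
import random
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, ...]


def zscore_params(samples: Sequence[Point]) -> Tuple[Point, Point]:
    """Per-feature mean and standard deviation of the training set."""
    d, n = len(samples[0]), len(samples)
    means = tuple(sum(s[j] for s in samples) / n for j in range(d))
    sds = tuple(math.sqrt(sum((s[j] - means[j]) ** 2 for s in samples) / n) or 1.0
                for j in range(d))   # a constant feature has sd 0: leave it unscaled
    return means, sds


def normalize(sample: Point, means: Point, sds: Point) -> Point:
    """x'_j = (x_j - mean_j) / sd_j, so every feature weighs equally in the distance."""
    return tuple((x - m) / s for x, m, s in zip(sample, means, sds))


def euclid(a: Point, b: Point) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class FixedWidthClustering:
    """Single pass over the training samples; a cluster is only a centroid, a
    point count and (after training) a width, so no samples need to be stored."""

    def __init__(self, w: float, tau: float, per_cluster_width: bool = False):
        self.w, self.tau, self.per_cluster_width = w, tau, per_cluster_width
        self.means: Point = ()
        self.sds: Point = ()
        self.centroids: List[Point] = []
        self.counts: List[int] = []
        self.widths: List[float] = []
        self.labels: List[str] = []

    def _nearest(self, p: Point) -> Tuple[int, float]:
        dists = [euclid(p, c) for c in self.centroids]
        k = min(range(len(dists)), key=dists.__getitem__)
        return k, dists[k]

    def fit(self, raw: Sequence[Point]) -> "FixedWidthClustering":
        self.means, self.sds = zscore_params(raw)
        pts = [normalize(s, self.means, self.sds) for s in raw]
        assigned: List[int] = []            # cluster index of each training point
        for p in pts:
            if self.centroids:
                k, dist = self._nearest(p)
                if dist < self.w:           # join: running-mean centroid update
                    n = self.counts[k]
                    self.centroids[k] = tuple((c * n + x) / (n + 1)
                                              for c, x in zip(self.centroids[k], p))
                    self.counts[k] = n + 1
                    assigned.append(k)
                    continue
            self.centroids.append(p)        # otherwise c_i seeds a new cluster
            self.counts.append(1)
            assigned.append(len(self.centroids) - 1)
        # Cluster labelling: fewer than tau of all points -> anomalous.
        self.labels = ["anomalous" if n / len(pts) < self.tau else "normal"
                       for n in self.counts]
        self.widths = [self.w] * len(self.centroids)
        if self.per_cluster_width:          # Fig. 2(b): shrink each width to the
            self.widths = [0.0] * len(self.centroids)   # outermost member's distance
            for p, k in zip(pts, assigned):             # (a second pass over the data)
                self.widths[k] = max(self.widths[k], euclid(p, self.centroids[k]))
        return self

    def classify(self, sample: Point) -> str:
        """Testing phase: inherit the nearest cluster's label if inside its width,
        otherwise the point lies in a sparse region and is anomalous."""
        p = normalize(sample, self.means, self.sds)
        k, dist = self._nearest(p)
        return self.labels[k] if dist < self.widths[k] else "anomalous"


def build_demo(w: float = 3.0, tau: float = 0.05,
               per_cluster_width: bool = False) -> Dict[str, float]:
    """Constructed data: feature 1 = route requests seen per window, feature 2 =
    updates of the route to the base station per window (hypothetical scales).
    Training is normal traffic with two attack windows mixed in, as the first
    assumption allows; the test sets are fresh normal windows and attack windows."""
    rng = random.Random(2006)

    def normal_windows(n: int) -> List[Point]:
        return [(rng.gauss(5.0, 1.0), rng.gauss(1.0, 0.5)) for _ in range(n)]

    train = normal_windows(200) + [(5.0, 25.0), (6.0, 26.0)]
    test_normal = normal_windows(100)
    test_attack = [(5.0, 25.0), (4.0, 28.0), (6.0, 30.0), (5.5, 22.0)]
    ids = FixedWidthClustering(w, tau, per_cluster_width).fit(train)
    fp = sum(ids.classify(s) == "anomalous" for s in test_normal)
    tp = sum(ids.classify(s) == "anomalous" for s in test_attack)
    return {"clusters": len(ids.centroids),
            "anomalous_clusters": ids.labels.count("anomalous"),
            "false_positive_rate": fp / len(test_normal),
            "detection_rate": tp / len(test_attack)}


if __name__ == "__main__":
    for tight in (False, True):
        print("per-cluster widths:" if tight else "fixed width w:",
              build_demo(per_cluster_width=tight))
```

One caveat worth noticing when running this: the normalization statistics are taken from the same contaminated training set, so the two attack windows inflate the standard deviation of feature 2 by roughly a factor of five. The attack still lands far outside the normal cluster here, but heavier contamination compresses the spread of the normal points and moves the operating point, which is one practical reason the first assumption (attacks are rare in the training data) matters.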

5. Evaluation

In order to evaluate the effectiveness of our intrusion detection system, we have simulated a range of attacks on sensor networks. The goal of our evaluation is to test the detection accuracy of our system under normal and attack conditions. Our simulation is based on a sensor network simulation library from the Naval Research Laboratory [18]. This simulation uses the NS-2 simulator to implement a sensor network that uses the AODV routing protocol. We have extended the simulation package to implement three types of attacks: periodic route error attacks, active sinkhole attacks, and passive sinkhole attacks. In this section, we first describe these attacks in detail; we then describe the implementation of our simulation; finally, we present the results of our evaluation.

5.1 Simulated Attacks

We now present the three attack types that we have simulated. Each attack is implemented for the AODV protocol, which is the basis of the simulation package we have used.

FIGURE 2 Anomaly detection using clusters. (a) Clustered training data. (b) Evaluation of a test point using clusters.

Periodic Route Error Attack. The periodic route error attack is a form of DoS. A sensor node is initially physically compromised by the attacker. Next, the compromised node proceeds to broadcast Route Error messages to neighbouring nodes. These error messages inform the neighboring nodes that the route to the base station is down (Fig. 3(a)). Nodes that utilized this route will lose their path to the base station (Fig. 3(b)) and would have to repeat the process of searching for a route to the base station. This causes the affected portion of the network to be congested with packets, and also causes sleep deprivation of the affected sensor nodes.

This type of attack is only effective if the route to the base station is through the attack node. If none of the nodes in the network has a route through the attack node, the broadcasting of a route error will have no effect on the network. A periodic route error attack is best used with a sinkhole attack, where traffic is drawn towards the attack node.

FIGURE 3 Example of a periodic route error attack. (a) Attacker broadcasts error packets periodically. (b) Affected nodes lose their link to the base station.

Active Sinkhole Attack. The active sinkhole attack aims to lure traffic to the attacker. An attacker first takes over a sensor node. Next, it sends a Route Request message for a route to the base station regardless of whether a path already exists. This is immediately followed by sending a Route Reply message, which contains the maximum Destination Sequence Number and minimum hop count (Fig. 4(a)). Neighboring nodes which receive the initial route request will reply to the compromised node if a route to the base station exists in their routing table, or else will forward the request message. However, these neighboring nodes would then receive the Route Reply message from the compromised node, which will cause them to update their routing table with the compromised node as the best path to the base station (Fig. 4(b)). This effectively creates a black hole and shuts down this area of the network, since all packets bound for the base station are forwarded to the compromised node instead.

This attack is devastating to the network because it does not need any node to generate a request. Even if there is no other traffic in the network, the attack node can still generate a request and reply itself.

Passive Sinkhole Attack. The passive sinkhole attack is similar to the active sinkhole attack. The only difference is that instead of broadcasting a Route Request message, the compromised node starts the attack by replying to a genuine Route Request message from a sensor node in the network with a Route Reply message. The reply message from the attacker contains the maximum Destination Sequence Number and a minimum hop count. This attack has the advantage that the probability of detection is reduced, as the frequency of the attack is randomized.

However, this attack is not as effective as the active sinkhole attack, as it has to wait for a Route Request to arrive before it replies. If the nodes in the area have no measurements to transmit, the attack node will not receive any Route Request.
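To make the routing-table behaviour behind the active and passive sinkhole attacks concrete, the following Python model (added here as an illustration; it is not the authors' NS-2 simulation) applies the AODV route-selection rule to a constructed six-node chain. The node and network structures, the topology and the sequence numbers are assumptions for the example; the one AODV fact relied on is the rule from RFC 3561 that a node replaces its route when a Route Reply carries a higher destination sequence number, or the same number with a smaller hop count. The model also counts two of the page's features, route replies sent (Feature 7) and updates of the route to the base station (Feature 10), to show why the active attack leaves a larger trace than the passive one.

```python
"""Toy model of the AODV route-selection rule under the sinkhole attacks described
above (added illustration; not the authors' NS-2 simulator). Assumed simplifications:
a node keeps one route to the base station as (dest_seq, hop_count, next_hop); a RREQ
is answered by every neighbour holding a route; a route is replaced only under the
RFC 3561 sec. 6.2 rule (higher destination sequence number, or equal and fewer hops)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BASE = "BS"
MAX_SEQ = 2**32 - 1   # largest 32-bit AODV sequence number: the forged "freshest" route


@dataclass
class Node:
    name: str
    neighbors: List[str] = field(default_factory=list)
    route: Optional[Tuple[int, int, str]] = None   # (dest_seq, hop_count, next_hop)
    updates: int = 0      # Feature 10: updates on the route to the base station
    rreps_sent: int = 0   # Feature 7: route replies sent

    def consider(self, origin: str, dest_seq: int, hop_count: int) -> bool:
        """Apply an RREP heard from `origin`; True if the routing table changed."""
        hops, r = hop_count + 1, self.route
        if r is None or dest_seq > r[0] or (dest_seq == r[0] and hops < r[1]):
            self.route = (dest_seq, hops, origin)
            self.updates += 1
            return True
        return False


class Network:
    def __init__(self, links: List[Tuple[str, str]]):
        self.nodes: Dict[str, Node] = {}
        for a, b in links:
            for x in (a, b):
                self.nodes.setdefault(x, Node(x))
            self.nodes[a].neighbors.append(b)
            self.nodes[b].neighbors.append(a)

    def route_request(self, requester: str, attacker: Optional[str] = None) -> None:
        """`requester` floods a RREQ for BASE; every neighbour with a route answers.
        A compromised neighbour answers with the forged best route instead: this is
        the passive sinkhole, which acts only when a genuine RREQ reaches it."""
        node = self.nodes[requester]
        for nb in node.neighbors:
            n = self.nodes[nb]
            if nb == attacker:
                n.rreps_sent += 1
                node.consider(nb, MAX_SEQ, 1)          # "one hop from the base station"
            elif n.route is not None:
                n.rreps_sent += 1
                node.consider(nb, n.route[0], n.route[1])

    def refresh_from_base(self, seq: int) -> None:
        """Base station advertises sequence number `seq`; nodes rediscover in BFS order."""
        self.nodes[BASE].route = (seq, 0, BASE)
        seen, queue = {BASE}, deque([BASE])
        while queue:
            for nb in self.nodes[queue.popleft()].neighbors:
                if nb not in seen:
                    seen.add(nb)
                    queue.append(nb)
                    self.route_request(nb)

    def active_sinkhole(self, attacker: str) -> None:
        """Attacker issues its own RREQ and at once answers it with the forged RREP,
        so every neighbour hears the 'best' route without having asked for one."""
        a = self.nodes[attacker]
        for nb in a.neighbors:
            a.rreps_sent += 1
            self.nodes[nb].consider(attacker, MAX_SEQ, 1)

    def black_hole(self, attacker: str) -> List[str]:
        """Nodes whose forwarding path to the base station runs through the attacker."""
        victims = []
        for name in self.nodes:
            cur, steps = name, 0
            while (cur not in (BASE, attacker) and self.nodes[cur].route
                   and steps < len(self.nodes)):
                cur, steps = self.nodes[cur].route[2], steps + 1
            if cur == attacker and name != attacker:
                victims.append(name)
        return sorted(victims)


LINKS = [(BASE, "A"), ("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("X", "D"), ("X", "E")]


def run_scenarios() -> Dict[str, object]:
    """Constructed chain BS-A-B-C-D-E; X is the compromised node, adjacent to D and E."""
    out: Dict[str, object] = {}
    net = Network(LINKS)
    net.refresh_from_base(10)
    out["after discovery"] = net.black_hole("X")
    net.active_sinkhole("X")
    out["active sinkhole"] = net.black_hole("X")
    net.route_request("C")                  # an honest rediscovery by C
    out["after C rediscovers"] = net.black_hole("X")
    net.refresh_from_base(11)               # a genuine refresh cannot beat MAX_SEQ ...
    out["after base refresh 11"] = net.black_hole("X")
    net.refresh_from_base(12)               # ... and each one spreads the poison further
    out["after base refresh 12"] = net.black_hole("X")
    out["feature 7, X"] = net.nodes["X"].rreps_sent
    out["feature 10, D"] = net.nodes["D"].updates
    passive = Network(LINKS)
    passive.refresh_from_base(10)
    passive.route_request("E", attacker="X")   # X answers only E's genuine RREQ
    out["passive sinkhole"] = passive.black_hole("X")
    return out


if __name__ == "__main__":
    for stage, value in run_scenarios().items():
        print(f"{stage:>24}: {value}")
```

Running it shows the black hole growing with every legitimate route refresh: once a forged maximum sequence number sits in a routing table, no genuine Route Reply can replace it, and nodes that have accepted it pass it on whenever a neighbour rediscovers. In the passive variant only the node that happened to send a Route Request is captured, and the attacker emits a single Route Reply, which is the smaller footprint the page attributes to that attack.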

5.2 Sensor Network Simulation

Our simulation was based on the sensor network package from the Naval Research Laboratory, running on the NS-2 simulator platform (version 2.27). Our simulation scenarios used 25 sensor nodes, one base station and one phenomenon node. The phenomenon node represents a moving object, which is being tracked by the mobile sensor nodes. The sensor nodes send Constant Bit Rate (CBR) traffic, and use AODV as the routing protocol. The movement of all nodes except the base station was randomly generated over a 500 m x 500 m field, with a maximum speed of 55 m/s and an average pause of 0.01 s. Each simulation was over a time period of 10,000 simulation seconds.

We have relied on random node movement to generate routing activity under normal operating conditions. The continuous routing activity in our simulation reflects the potentially dynamic nature of real-life wireless sensor networks. In practice, routing activity can also be the result of a number of different factors, such as changes in the radio environment caused by the movement of vehicles, or changes in the routing topology caused by the failure of sensor nodes. Note that many sensor network applications involve the use of static sensor nodes. In that case, we would expect the routing topology to be much more stable in comparison to the case of mobile nodes, and thus involve far less routing activity. In such an environment, the routing activity caused by routing attacks is likely to be much more noticeable than in the case of dynamic nodes, and thus easier to detect using anomaly detection techniques. Consequently, we consider that our simulation using randomly moving sensor nodes is a more challenging test for our anomaly-based IDS.

We implemented four simulation scenarios: normal traffic, periodic route error attacks, active sinkhole attacks, and passive sinkhole attacks. We repeated five simulation runs of each traffic scenario, giving a total of five normal traces and 15 attack traces for evaluating our intrusion detection scheme. Each simulation run generates two trace files: one containing all the network traffic generated, and the other containing the status of routing tables throughout the simulation. Each trace is approximately 1 Gbyte in size, and is used to extract the 12 features used by each sensor node.

FIGURE 4 Example of a sinkhole attack. (a) Sensor node broadcasts a route request followed by a route reply. (b) Affected nodes update their route using the attacker as the best path.

We use a single monitoring node in our simulation, and analyze the detection accuracy of the IDS in this node. In each simulation run, the monitoring node is chosen to be the closest node to the attacking node. In order to ensure consistency of our simulation results, we ensure that the monitoring node remains within transmission range of the attacking node. This guarantees that the traces from our monitoring node always contain attack traffic when an attack occurs.

We used one set of normal traffic to train our anomaly detection model during its training phase. We then used a second set of normal traffic to test the false positive rate of our IDS, i.e., the frequency with which it reports an attack when there is no attack.

We then used the attack traffic traces to measure the frequency with which the IDS in the monitoring node correctly detects the attack. We refer to this as the detection rate.

5.3 Simulation Results

Before we analyze the detection accuracy of our IDS, let us first consider the statistical profile of the network traffic in our simulation under normal and attack conditions. As a baseline, we have summarized in Table 1 the statistical profile of each feature as measured under normal traffic conditions. Note that under normal traffic conditions there is a continuous level of routing activity, which is a result of the random movement of sensor nodes in the simulation.

We then compared the traffic profiles for each of the three simulated attack scenarios against the baseline of the normal traffic simulation. In the case of both the passive sinkhole and the periodic route error attacks, we found that for each feature there was an overlap in the measured distributions of values for the normal and attack traffic scenarios at two standard deviations or less from the mean. This indicates that no feature on its own can accurately discriminate either of these attacks from normal traffic conditions. In contrast, we found that in the case of the active sinkhole attack, there were two features whose measured distributions did not overlap at two standard deviations from the mean, namely, Feature 7 (Number of Route Request Replies Sent) and Feature 10 (Number of Updates on the Route to Base Station). This indicates that it should be reasonably easy for an anomaly detection system to discriminate this attack from normal traffic conditions with a high degree of accuracy.

Let us now consider the detection accuracy of our IDS. The results of our evaluation of our IDS are shown in Fig. 5. This figure shows the Receiver Operating Characteristic (ROC) curve for our IDS. The vertical axis shows the detection rate, while the horizontal axis shows the false positive rate. A perfect IDS would have a 100% detection rate with a 0% false positive rate.

FIGURE 5 Receiver Operating Characteristic of the IDS for each type of attack. Horizontal axis: False Positive Rate (%), 0 to 100; vertical axis: Detection Rate (%), 0 to 100. Curves: Active Sink Hole Attack, Periodic Route Error Attack, Passive Sink Hole Attack, Worst Case.

For each attack type, we repeatedly tested the accuracy of our IDS using different values of the cluster width parameter w from Algorithm 1. Each setting of this parameter resulted in a different version of our IDS, which corresponds to a single point on the ROC graph. Figure 5 contains three ROC curves, corresponding to the accuracy of our approach for each attack type.

An important issue for the use of this anomaly detection approach in practice is how to set the cluster width parameter w. As can be seen from Fig. 5, a reasonable trade-off between the detection rate and false positive rate is achieved at a false positive rate of approximately 5% on normal traffic. By using a maximum target false positive rate, an appropriate value for the cluster width parameter w can be chosen in practice by decreasing w on normal traffic until the target false positive rate is reached. Potentially, the optimum choice of w may vary depending on the size and topology of the sensor network. We expect that the distance normalization scheme should lessen the effect of topology changes. An issue for further research is to test the sensitivity of the choice of w for different network scenarios.

We can characterize the performance of our approach using two measures based on the ROC curves in Fig. 5. The first measure is the detection rate for a false positive rate of 5%. The second measure is the area under the ROC curve. The area under the ROC curve for a perfect IDS would be 100%, whereas the curve for an IDS that picks at random would be a diagonal line, where the area under this curve would be 50%. We summarise the performance of our system on each attack type in Table 2.
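The two ROC summary measures just described, and the rule for picking w, can be computed with the following Python helpers, added here as an illustration (they are not the authors' code). The operating points are constructed for the example and are not the paper's measurements. `choose_width` takes a function that measures the false positive rate on normal traffic for a given w; in practice that function would wrap a retraining and evaluation run of the detector, and the one used below is a hypothetical stand-in.

```python
"""ROC summary measures for an IDS evaluated one configuration at a time, i.e. one
(false positive rate, detection rate) point per cluster width w, as in Fig. 5 and
Table 2 of the page. Added illustration, not the authors' code; the operating points
below are constructed, not the paper's measurements."""
from typing import Callable, List, Tuple

Point = Tuple[float, float]   # (false_positive_rate, detection_rate), both in [0, 1]


def roc_curve(points: List[Point]) -> List[Point]:
    """Measured operating points sorted by FPR and anchored at the two trivial
    detectors: (0,0) is a width so large that every sample falls inside a normal
    cluster, (1,1) a width so small that every sample is flagged."""
    return sorted(set(points) | {(0.0, 0.0), (1.0, 1.0)})


def auc(points: List[Point]) -> float:
    """Area under the ROC curve (trapezoid rule): 1.0 for a perfect IDS, 0.5 for
    one that labels at random, whose curve is the diagonal."""
    c = roc_curve(points)
    return sum((x1 - x0) * (y0 + y1) / 2 for (x0, y0), (x1, y1) in zip(c, c[1:]))


def detection_rate_at(points: List[Point], target_fpr: float) -> float:
    """Detection rate at a false positive budget (the page reports 5%), linearly
    interpolated between the two measured operating points that bracket it."""
    c = roc_curve(points)
    for (x0, y0), (x1, y1) in zip(c, c[1:]):
        if x0 <= target_fpr <= x1:
            return y0 if x1 == x0 else y0 + (y1 - y0) * (target_fpr - x0) / (x1 - x0)
    raise ValueError("target_fpr must lie in [0, 1]")


def choose_width(fpr_for_width: Callable[[float], float], target_fpr: float,
                 w_start: float, step: float) -> float:
    """The page's rule for setting w: start from a generous width, shrink it on
    normal traffic, and stop at the smallest w whose FPR still stays within budget."""
    w = w_start
    if fpr_for_width(w) > target_fpr:
        raise ValueError("even w_start exceeds the false positive budget")
    while w - step > 0 and fpr_for_width(w - step) <= target_fpr:
        w -= step
    return w


# Constructed operating points, one per tried value of w (not the paper's numbers).
ACTIVE = [(0.02, 1.0), (0.05, 1.0), (0.10, 1.0), (0.30, 1.0)]
PASSIVE = [(0.02, 0.5), (0.05, 0.7), (0.10, 0.8), (0.20, 0.9), (0.50, 1.0)]
RANDOM = [(0.25, 0.25), (0.50, 0.50), (0.75, 0.75)]


def hypothetical_fpr(w: float) -> float:
    """Stand-in for 'measure the FPR of the detector trained and tested with width w'."""
    return (8 - 2 * w) / 100


if __name__ == "__main__":
    for name, pts in (("active sinkhole", ACTIVE), ("passive sinkhole", PASSIVE),
                      ("random", RANDOM)):
        print(f"{name:>16}: DR@5% = {detection_rate_at(pts, 0.05):.2f}  "
              f"AUC = {auc(pts):.3f}")
    print("w for a 5% budget:", choose_width(hypothetical_fpr, 0.05, 4.0, 0.5))
```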

For each type of attack, Table 2 summarizes how it is implemented, the potential impact of the attack, and the detection rate of our scheme for a 5% false positive rate. We also include the main features that helped discriminate each attack from normal traffic, based on an inspection of the features in the attack traffic that contributed most to the distance calculation.

TABLE 2 Summary of results by attack type

Periodic Route Error
  Implementation: keeps sending route errors
  Impact on sensor networks: LOW (effective only when the route to the base station is through the attack node)
  Detection rate (5% false positive rate): 95%
  Important feature: number of route errors received

Passive Sink Hole
  Implementation: attacker replies to a route request with a forged "best" route (least number of hops)
  Impact on sensor networks: MEDIUM (effective only when a route request reaches the attack node)
  Detection rate (5% false positive rate): 70%
  Important feature: mean and standard deviation of hop count to base station

Active Sink Hole
  Implementation: attacker requests a route to the base station and replies with the "best" route itself
  Impact on sensor networks: VERY HIGH (effective anywhere, anytime)
  Detection rate (5% false positive rate): 100%
  Important feature: number of times the route to the base station is updated

In the case of the periodic route error attack, we achieved a 95% detection rate for a 5% false positive rate. In practice, this type of attack only has a high impact on the network if many of the routes to the base station pass through the attacking node.

In the case of the passive sinkhole attack, the detection rate was 70% for a 5% false positive rate. This attack can only take effect when a normal Route Request reaches the attacker. This lowers its impact, and also makes the attack harder to detect.

In the case of the active sinkhole attack, we achieved a 100% detection rate for a 5% false positive rate. This is an important result, because this is the most disruptive of all the attacks. It can occur anytime, and does not depend on the location of the attacker.

These results confirmed our expectations of the difficulty of anomaly detection for each type of attack. Recall from our discussion at the start of this section that in the cases of the periodic route error attack and the passive sinkhole attack, there was substantial overlap between the measured statistical profiles of each feature in the normal and attack traffic cases. In contrast, in the case of the active sinkhole attack there were two features with very different statistical profiles for the normal and attack traffic cases. As expected, our anomaly detection system achieved extremely high accuracy on the active sinkhole attack. In the case of the other two attack types, our anomaly detection scheme achieved a high degree of accuracy, despite the substantial overlap in the feature profiles in comparison to normal traffic.

It is important to note that for each type of attack, a different set of features dominated the distance calculation for the attack traffic. Given that our detection scheme is only trained on normal traffic, this demonstrates the effectiveness of our approach for detecting new types of attacks. Our scheme also proved to be most effective for the attack that has the greatest impact on the sensor network, i.e., active sinkhole attacks.

6. Related Work

Intrusion detection for sensor networks is an emerging field of research. Doumit and Agrawal [19] have used hidden Markov models to detect abnormal transitions in measurements from sensor networks. While their approach can detect attacks on individual sensor nodes, it does not address the problem of how to detect attacks on the sensor network infrastructure.

The most relevant body of work is in the area of ad hoc networks. Brutch and Ko [20] and Mishra et al. [21] highlight the challenges for intrusion detection in ad hoc networks, and propose the use of anomaly detection, but do not provide a detailed solution or implementation for the problem. However, a number of papers have presented intrusion detection schemes for ad hoc networks. We now summarize these schemes.

One approach is to make use of prior knowledge to guide the IDS. Anjum et al. [22] investigate the effectiveness of signature-based detection of attack traffic. Their focus is on how changes in the number of IDS-capable nodes affect the accuracy of detecting attacks. They do not consider the problem of detecting previously unseen attacks. Tseng et al. [23] propose a specification-based IDS, which makes use of a specification of how the underlying ad hoc routing protocol should behave. However, their approach requires detailed state information to be kept for each flow by the IDS, and no evaluation is given for their approach.

Some researchers have focused on the problem of how to achieve cooperation between IDSs that operate on different nodes. Albers et al. [24] propose an architecture for a cooperative IDS in ad hoc networks, but provide no details about implementation or evaluation. Kachirski and Guha [25] investigate the use of mobile agents in an ad hoc network. Their focus is on how nodes should be grouped for cooperation so as to increase the overall coverage of the network.


Several papers have considered the use of anomaly detection in ad hoc networks. Zhang et al. [26] have developed a queuing model to detect packet dropping in ad hoc networks. Each node compares the predicted and measured packet loss for each of its neighboring nodes. Their approach is focused on a single type of attack, and their evaluation is limited to a single node with a single flow.

Deng, Zeng, and Agrawal [27] have developed an anomaly detection scheme for ad hoc networks, based on one-class support vector machines. They demonstrate how their scheme can be used to detect black hole routing attacks in ad hoc networks. They use a form of information sharing between nodes in order to detect the attack, whereas our scheme does not require any form of information sharing. This is important, since communication is an expensive operation in sensor networks.

Huang et al. [28] have also applied anomaly detection techniques for intrusion detection in ad hoc networks. They have developed an anomaly detection technique called cross-feature analysis, which learns correlations of features that appear in normal traffic. Their technique is able to detect black hole attacks and packet dropping attacks in simulated ad hoc networks. While this is a promising technique, a potential drawback of cross-feature analysis is that the detection model can contain a large number of rules, based on different combinations of feature values. In the context of sensor networks, the size of the detection model may become a problem in terms of its memory requirements, and the computation time required to test the model on incoming traffic.

7. Future Work

Our approach highlights several promising challenges for future research. As new routing protocols are proposed for sensor networks, it is important to identify possible vulnerabilities and attacks for these protocols, and to investigate the effectiveness of our approach on these protocols. In this paper, we have considered the essential first step of demonstrating that nodes in isolation can infer evidence of an attack. Currently, our detection scheme is designed to run on the sensor nodes, due to the goals of minimizing energy-expensive communication operations, and the difficulties of managing trust between nodes. However, there are several possible extensions to our approach that could be considered as future research.

One promising direction for future research is whether sensor nodes can improve their intrusion detection accuracy by sharing evidence in a limited manner. For example, Leckie and Kotagiri [29] have developed an approach that can minimize both the delay and communication overhead required to detect network intrusions in a distributed intrusion detection system. We consider that this scheme could form the basis for collaborative detection in bandwidth-limited environments such as wireless sensor networks. Another alternative approach is to investigate how attacks can be detected from the perspective of the base station. This could be particularly useful if there is more than one base station, since the base stations are likely to have better communication infrastructure for sharing information. Finally, once an attack has been detected, it is important to establish suitable responses to the attack. These responses need to be able to mitigate the effect of the attack, while not becoming vulnerable to attacks themselves.

There is also scope for further work in terms of validating our approach on the different types of attacks. In this paper we have simulated situations where an attack is either present or absent. In practice, the onset of an attack may appear gradually, so that the attacker does not cause an abrupt change in the network, or the attack may be intermittent. We have also concentrated on simulations involving sensor networks of moderate size, in terms of the number of nodes in the network. An important issue for further research is the development of a simulation platform that can support a wider variety of attacks on larger scale networks. In addition, it is important to move beyond simulations and validate these techniques on deployed sensor network hardware.

8. Conclusion

A critical issue for security in wireless sensor networks is how to detect attacks on the network in an accurate and computationally efficient manner. In this paper, we have made three important contributions to this problem. First, we have presented an intrusion detection scheme for sensor networks, which uses anomaly detection so that it can detect previously unseen attacks. Second, we have identified a general set of features that can be used to characterize the routing behavior in a network for intrusion detection, and are potentially applicable to a wide range of routing protocols. Third, we have extended a sensor network simulator so that we can simulate three important types of routing attacks in sensor networks, and demonstrated the effectiveness of our detection scheme on these attacks. In particular, we found that our detection scheme was highly effective at detecting active sinkhole attacks, which are an extremely disruptive form of attack. An important advantage of our detection approach is that it requires no communication between sensor nodes, which is a significant factor in minimizing the energy required in power-constrained sensor networks. Given the growing importance of sensor network applications, our intrusion detection scheme provides a valuable tool for developing robust and secure sensor networks in the future.

Acknowledgements

We thank the Naval Research Laboratory for making available their sensor network simulator.

About the Authors

Mr Daniel Loo was educated at the University of Melbourne and graduated in 2004 with a Bachelor's Degree (Honours) in Computer Engineering. He is currently based in Singapore working for a semiconductor distributor in product marketing for various brands such as Philips Semiconductors, STMicroelectronics and Vishay Intertechnology. His technical interests include studying advances in network security.

Mr Darren Ng is a Projects Officer with the Singapore Armed Forces (SAF). He graduated from the University of Melbourne with a Bachelor of Engineering (Honours) in 2004. He now manages technical projects and takes great pride in contributing to the transformation of the SAF into a third generation army.

Dr Chris Leckie is a Senior Lecturer in the Department of Computer Science and Software Engineering at the University of Melbourne, Australia. His research interests include using data mining and other artificial intelligence techniques for network intrusion detection and network management, as well as the design and management of optical networks. Prior to joining the University of Melbourne, he was a Principal Engineer at Telstra Research Laboratories, where he conducted research and development into artificial intelligence techniques for various telecommunication applications.

Associate Professor Marimuthu Palaniswami received his ME from the Indian Institute of Science, India, MEngSc from the University of Melbourne and Ph.D from the University of Newcastle, Australia before rejoining the University of Melbourne. He has been serving the University of Melbourne for over 16 years. He has published more than 180 refereed papers and a huge proportion of them appeared in prestigious IEEE Journals and Conferences. His research interests include SVMs, Sensors and Sensor Networks, Machine Learning, Neural Network, Pattern Recognition, Signal Processing and Control. He is the co-director of an active research centre, Centre of Expertise on Networked Decision & Sensor Systems, attracting grants from industry and defence agencies in Australia and USA.

