Abstract
Wireless sensor networks (WSNs) have emerged as an important research paradigm over the last decade, motivating researchers to take up new theoretical and practical challenges. WSNs need to be provided with efficient security features, generally because they are deployed in inaccessible terrain and communicate in the wireless domain. The question of providing security to such networks therefore arises, but the major constraint is the limited resources present in the sensor nodes. Priority is given to the energy parameter, as it is the most vital component of the sensor nodes. So the objective of any intrusion detection framework would be to design robust mechanisms capable of handling attacks in an energy efficient manner. Intrusion detection is used in WSNs because of its ability to detect unknown attacks and find means to thwart them for preserving energy. Therefore energy efficient intrusion detection has become a significant research area for researchers. Keeping this in mind, we survey the major topics of energy efficient intrusion detection in WSNs. The survey work presents topics such as the fundamentals of intrusion detection techniques, as well as the various energy saving mechanisms used in different architectural models. The earlier achievements in energy efficient intrusion detection in WSNs are also summarized and existing problems are discussed. We also give an insight into the possible directions for future work in intrusion detection by highlighting open research areas.
Keywords
Introduction
In recent years WSNs have emerged as a promising research platform with various interesting application areas such as battlefield surveillance [36], ambient intelligence [1] etc. In battlefield surveillance, sensors are generally deployed in areas where human accessibility is restricted and use the unguarded wireless medium for communication. On the contrary, in ambient intelligence applications such as assisted living and building monitoring applications, some of the sensors are statically deployed in the environment, while others are mobile [17]. Irrespective of application areas, large numbers of wireless sensors spread in the environment collect environmental parameters and transmit them to the sink. One of the major issues in this context is the security of communication within the WSN. In fact, in the ambient intelligence context, the sensors collect a large amount of confidential data related to the activities of the user and to his/her physiological or emotional state. Further, an attacker tampering with such data may easily damage the main purpose of ambient intelligence application and may, possibly, even cause a greater damage (for example, an attack could result in wrong or missed medications/therapies).
The factors mentioned earlier are largely responsible for making security one of the prime factors of importance in WSNs. Sensor nodes are usually resource-constrained in terms of computational and communication abilities. Therefore, during the design of security systems for WSNs the design guidelines should conform to the limited resources and capabilities of the sensor nodes [16,61,89]. Therefore, researchers working in the WSN platform have always tried to use lightweight security schemes for energy conservation that are robust enough to handle the attacks faced by these networks [45]. In recent years, intrusion detection system (IDS) has been considered as an option for providing security in WSNs. IDS is defined as a system that tries to detect and alert attempted intrusions into a system or a network [41]. It is a set of actions that discover, analyze and report unauthorized and damaging activities through network monitoring. Such systems are able to distinguish between normal and abnormal activities in order to discover malicious attempts.
In WSNs, the aim of an IDS should be to defend against attacks using a minimum amount of resources so as to reduce energy consumption. The fundamental components of a traditional IDS are: (i) sensors or agents for monitoring and analyzing activity, (ii) a management server for centralizing information collected by the sensors or agents and managing them, (iii) a database server for storing all the data produced by the IDS, and (iv) a console that acts as an interface for users and administrators to check the status of the monitored system, receive alerts, investigate events and configure the system. The work reported by Anderson [8] is generally considered one of the earliest works in intrusion detection; it introduced the idea of anomaly detection by creating profiles for normal use and detecting deviations from those profiles. This idea was later formally presented by Denning [20], and this work is considered to be the stepping stone for modern intrusion detection. A block diagram representing a basic IDS is shown in Fig. 1 [10,19].

Fig. 1. Block diagram of basic intrusion detection system.
It can be seen from Fig. 1 that the IDS receives audit information from the system it is protecting. There are several inputs: a database containing presently known attacks, the current configuration of the system, and audit information that describes the events as they are happening in the system. When the detector has access to all the required data, it decides which information is important and deduces the possibility of normal actions that can be considered as indications of intrusions. Several state-of-the-art works that proposed to detect intrusion in WSNs include [2,12,26,29,84]; however, in our present survey we consider only those works which have addressed energy efficient intrusion detection.
Many security works have focused on specific types of attacks in WSNs and ways of preventing them using various techniques [28,42]. One such security technique is cryptography, defined as the first line of defense that is used for ensuring authentication and integrity by verifying the data source and its contents [30]. The cryptographic operations based on primitives such as hash functions, symmetric encryption and public key cryptography [10] are capable of protecting WSNs against external attacks but are unable to detect internal attacks. As mentioned earlier, due to several inherent factors it is quite impossible to guarantee full prevention from threats in WSNs. Also, attackers always try to launch new attacks unknown to the protection system of the network. This necessitates the establishment of a second line of defense: an IDS that can detect an attack (known or unknown) and notify the sensor nodes about it, i.e. one that can handle both internal and external attacks [12]. To the best of our knowledge, existing surveys [7,12,25,26,29] on intrusion detection systems (IDSs) have dealt with the works on IDS mainly from a security point of view. The paramount concern of our survey is to make findings on works that have implemented IDS in an energy efficient manner. This is because energy is one of the major factors in WSNs and its preservation is an important part of IDS design.
Key challenges
Designing IDSs in WSNs involves many challenges, mainly due to the resource-constrained nature of such networks [12,29]. Intrusion detection works on the basic principle that the behaviour of a network under attack is different from that of a normal working network. As compared to entities of traditional wired networks, the nodes in WSNs are highly susceptible to failures, thereby making the implementation of IDSs more difficult. Moreover, the vast differences in network characteristics of WSNs also make the task of intrusion detection in such networks rather complicated [19]. The key challenge of developing an intrusion detection technique in WSNs is to identify the intruder with high accuracy and minimum energy cost, so that network lifetime is enhanced. This goal can be attained in several ways. First, a detection scheme needs to be developed that is compact and efficient, by paying much more attention to lightweight detection techniques. Secondly, the detection scheme should be distributed in nature so that the energy overhead is dissipated around the entire network for effective reduction in communication overhead. A suitable detection pattern is also responsible for conserving the energy cost without losing security and reliability [40]. In addition, taking smart strategies into account, such as shrinking the scale of the attribute set, compressing the input dataset and simplifying the procedure of analysis and decision, can have a significant impact on conserving energy during the setup of an IDS.
Contribution and organization
In the existing literature, a number of issues relating to designing an effective and efficient IDS mechanism are reviewed. Farooqi and Khan [25,26], presented a survey that covers different IDSs proposed for detecting node(s) compromised attacks like DoS, routing, Sybil. In both of their works, based on the IDS agent installation mechanism, the existing approaches are categorized into three classes namely purely distributed, purely centralized and distributed-centralized. In another work, Alrajeh et al. [7] reviewed the security aspect in WSN and classified the existing IDSs into four classes viz. signature-based IDSs, anomaly-based IDSs, hybrid IDSs, and cross layer IDSs. Recently, Ghosal and Halder [29] studied the architectural models used in different approaches for intrusion detection and highlighted the intrusion detection methods applicable for different layers in WSNs. The achievements of the existing works are also summarized by the authors. More recently, Butun et al. [12], provided a detailed information about IDSs such as requirements, design specifications, classifications, decision making mechanism. They reviewed the existing IDSs for mobile ad-hoc networks and discussed the applicability of those systems to WSNs.
Although a plethora of works surveying the state-of-the-art of IDS in WSNs have been performed before [7,12,25,26,29], our work differs from the previous efforts in terms of timeliness, emphasis, and comprehensiveness. The need to perform a detailed and comprehensive study of the vital aspects of IDS design in WSNs has led researchers to design secure approaches from the onset level so that the security attacks against WSNs could be analyzed from various perspectives. Further, due to the constrained computational and energy resources of WSNs, most of the security techniques (including intrusion detection techniques) devised for traditional wired/wireless networks are not directly applicable to a WSN. Thus, different from [7,12,25,26,29], this paper aims to review IDS architectures and methods proposed over the past decades that have energy conservation mechanisms. Further, unlike [7,12,25,26,29], we present a comprehensive comparative study of the recent advancements in this area on the basis of IDS architectures, detection methodologies, detection techniques, location of data analysis, use of energy conservation methods, and detection accuracy. Finally, we identify the future research trends for the benefit of both general and expert readers.
The contributions of this survey are organized as follows. In Section 2, requirements of IDSs, their classifications and detection methodologies based on parameters such as detection methodologies, location of data analysis etc. are provided. Section 3 elaborates the existing state-of-the-art works based on different approaches that concentrate on energy efficiency. This survey is summarized with potential future areas for research in Section 4. Finally, the survey is concluded in Section 5.
Energy efficient intrusion detection systems
As mentioned earlier WSNs have unique characteristics such as limited power supply, low transmission bandwidth, small memory size and data storage along with an ad hoc communication environment. Thus most of the security techniques devised for traditional wired/wireless networks are not directly applicable in WSNs [12]. All these factors are largely responsible for creating a big challenge in designing of effective, energy efficient intrusion detection technique that is applicable to WSNs.
Requirements of energy efficient IDSs
The IDS developed for energy constrained WSNs should have the following design requirements:
(i) Modest system resources that should not reduce overall system performance by introducing overheads.
(ii) Chances of introducing additional weaknesses in the system should be least.
(iii) Functioning should be transparent and continuous.
(iv) Maintain reliability and reduce false positive and negative rates in the detection phase.
(v) Standards used should be cooperative and open.
Classification of IDSs
IDSs can be classified based on different parameters such as detection mechanisms, architecture used etc. In this section, we have classified IDSs considering the parameters which can have an effect on the energy consumption factor of sensor networks.

Fig. 2. Classification of intrusion detection techniques based on architecture.
Based on the detection methodology IDSs are primarily classified into three categories namely anomaly based IDSs, misuse (signature or rule) based IDSs, specification based IDSs [84]. Nowadays, another methodology is evolving as a promising category i.e., hybrid system based IDSs [7]. In this section, we briefly discuss about all these four categories.
Anomaly based IDSs. Typically, anomaly based IDSs are based on statistical behaviour modelling. The normal operations of nodes are stored as profiles and any deviation from normal operation is marked as an anomaly [85]. They have low false positive and negative rates [84]. Intrusion detection of such systems is consistent and accurate. The main advantage of anomaly based IDSs is that they are suitable for detection of unknown attacks that are not faced by the networks. The disadvantage of this system lies in the fact that profiles of sensors have to be updated regularly due to frequent changes in network behaviour. According to some authors [38,84], anomaly based IDSs are classified into three categories, namely: (i) statistical based, (ii) knowledge based, and (iii) machine learning based. In statistical based anomaly IDSs, the network traffic is monitored periodically and a profile is generated representing its stochastic behaviour [51]. In knowledge based anomaly IDSs, prior knowledge of network parameters is needed both under normal working conditions and under some attacks [51]. Machine learning based anomaly IDSs generate an explicit or implicit model of the analyzed patterns that is updated periodically for improving the system performance based on previous results [11].
Misuse (signature or rule) based IDSs. Misuse based IDS uses the signatures (profiles) of already known attacks as a reference for detecting future attacks [34,42]. Similar to the previous intrusion detection system, this also has the advantage of accurate detection of known attacks with low false positive rate. However, if the network faces any new attack, misuse based IDS is not able to detect it. Network anomalies are detected based on some rules such as interval rule, retransmission rule, delay rule, repetition rule, radio transmission range and jamming rule.
Specification based IDSs. Specification based intrusion detection technique combines the advantages of both misuse and anomaly based detection techniques, by manually developing specifications and constraints that reflect the characteristics of a legitimate network [73,74]. They are similar to anomaly based detection techniques as both of them use normal profiles for detecting attacks. Nevertheless, they have low false positive rates as compared to anomaly based detection [2]. In specification based IDS, the group of specifications and constraints describes the correct operation of a program or protocol. Here, monitoring is done based on the defined specifications and constraints while program execution is taking place.
Hybrid system based IDSs. Unlike specification based IDSs, there are several explicit IDSs for WSNs that allow both detection techniques to co-exist and interact in one single detection agent. Precisely, such agents will make use of automated training-based anomaly detection techniques and human-made rule-based misuse detection techniques [2,7]. These approaches are known as hybrid systems.
Location of data analysis
Depending on the location of the data to be analyzed, IDSs can be categorized into three groups: network based IDS, host based IDS and hybrid IDS.
Network based Intrusion Detection System (NIDS): The NIDS captures and examines the packets that are being transmitted passively or actively by listening to the network transmissions. NIDS analyzes an entire packet, payload within the packet, IP addresses or ports.
Host based Intrusion Detection System (HIDS): The HIDS monitors the events occurring on the host that they are serving. They are able to detect intrusions like modification in system files on the host, repeated access to the host that have failed, abnormal process memory allocations and unusual CPU activity or I/O activity. This is achieved by either monitoring the real-time system usage of the host or by examining the log files on the host.
Hybrid Intrusion Detection System (HyIDS): This uses the combination of both NIDS and HIDS components in an efficient manner by using mobile agents. System log file checks are performed by the mobile agents after travelling to each host and a central agent is responsible for checking the overall network traffic for detection of presence of anomalies.
Location of data collection
According to the location of the collected data, IDSs can be divided into five categories, namely: Centralized IDS, Stand-alone IDS, Distributed and cooperative IDS, Hierarchical IDS and Mobile agent based IDS [12].
Centralized IDS: Here, a centralized computer performs the task of monitoring all the activities in the network and detects intrusions by analyzing the monitored network data.
Stand-alone IDS: In this case, on each node an IDS runs independently and the nodes take decision based on their collected information. Network nodes are unaware of the intrusions happening around them as stand-alone IDS do not allow individual nodes to cooperate or share information among them. They work as individual entities.
Distributed and cooperative IDS: Such type of IDS is used in flat network infrastructures. An IDS agent (IDA) runs at each node that participates in the intrusion detection process of the whole network. On detection of an intrusion with weak evidence, a node initiates cooperative global intrusion detection procedure. If the intrusion is detected with sufficient evidence, then the node works independently in alerting the network about the attack.
Hierarchical IDS: This is used in multi-layer clustered network infrastructures. Cluster heads (CHs) are responsible for monitoring their member nodes (MNs), as well as participating in the global intrusion detection decisions.
Mobile agent based IDS: Every mobile agent is assigned the responsibility for performing a specific task of the IDS on a selected node. The intrusion detection is performed by using the cooperative actions of these selected nodes. Agents may relocate to other pre-defined nodes in order to increase network lifetime and/or efficiency of the IDS after a certain time period or after a specific task is done.
Network architecture

Fig. 3. Network architecture of WSNs (a) flat architecture, (b) hierarchical architecture.
Based on the network architecture, IDS can be categorized into two groups, i.e., flat and hierarchical [12]. Designing of an effective and efficient IDS mechanism for WSNs requires comparable intrusion detection technique. Since the designing of such an IDS is strongly related to the network architecture, thus, there exists several potential detection techniques associated with flat and hierarchical architectures. The classifications of existing state-of-the-art detection techniques associated with flat and hierarchical architectures are shown in Fig. 2. The commonly used detection techniques for both architectures are: statistical techniques, data mining, and computational intelligence. Statistical techniques consist of statistical distribution [80], statistical measure [88], and statistical model [18]. On the contrary, data mining mainly focuses on discovering patterns, associations, changes, anomalies, and statistically significant structures and events in datasets. Finally, computational intelligence is closely related to machine learning and remotely linked to data mining, whereas machine learning is involved with design and development of learning algorithms from large datasets for computers. The category of data mining and computational intelligence consists of examples such as clustering algorithms [59,69], support vector machine [64,68], self-organizing map [81], genetic algorithm [39,46] and association rule learning [87]. Game theory is responsible for creating smart strategies for identifying areas in WSNs that are vulnerable [3–5,73]. Graph-based techniques [60] consist of modeling a graph containing the network flow. Here, some graph algorithms such as tree construction, depth-first search, etc. are used for detecting anomaly. Rule-based techniques [43,48], are usually developed based on previous knowledge.
Flat architecture. In flat architecture, shown in Fig. 3(a), all the nodes contribute equally in any team-functions and participate in internal protocols. Since all the nodes participate and function equally, therefore, intrusion detection schemes which are lightweight and require less communication are more preferable in flat architecture [50,57]. In flat architecture, detection patterns are more likely to use rule-based techniques and statistical techniques. There are three categories of detection pattern used in flat sensor networks. One category can be a group of nodes that is responsible for monitoring its neighbourhood, where neighbours can be those nodes located within one-hop distance or within the radio range or having some specific characteristics. The second category is where the sink conducts anomaly detection across the network. The third category comprises of a network that is divided into groups and a part of sensor nodes in each group is activated for taking charge of the monitoring and data processing procedures.
Hierarchical architecture. In a hierarchical architecture, unlike flat architecture, all the sensor nodes are grouped into clusters as shown in Fig. 3(b), where each cluster constitutes one CH and several MNs. The common feature of the detection pattern is implementing detection in a distributed manner, which spreads the energy overhead around the entire network and relieves the communication burden. As in distributed detection a central entity is required to globally organize and coordinate the sub-computation tasks throughout a group, therefore the CH is suitable for such purpose, while, MNs participate in data processing procedure. This results in taking over a part of computing cost of the CH and exchanging less information with the CH resulting in conserving the communication overhead. In distributed detection, there are three detection patterns. First, the CH is solely responsible for the data processing procedure. Second, the CH and MNs cooperate to provide data processing. Finally, the third procedure is carried out at the sink.
Comparison of IDS mechanisms based on network architecture
Table 1 presents a comparison of suitability of existing IDS mechanisms with respect to two types of network architecture: flat and hierarchical. Our objective is to provide readers with a reference table that shows explicitly which IDSs can be the best fit for which type of network architecture due to their performance, applicability, and other factors. The metrics used in the table viz. best, fair, worst are interpreted as follows: an intrusion detection technique can be well suited for a particular network architecture (best), but can also be moderately suitable (fair) or else unsuitable (worst) for other network architectures. To summarize, for most of the existing intrusion detection techniques in Table 1, hierarchical architecture is more suitable compared with flat architecture.
Since in WSNs, sensors communicate wirelessly, the following factors should be considered while IDS decision making: collisions, packet drops, limited transmission power and fading battery power. Decision making mechanisms for IDSs are of two types: collaborative and independent decision making.
Collaborative decision making: Here, all or some sensors of the network collaborate among themselves while making a decision regarding any event that occurred in the network. For example, in case of majority voting, decision is made in favour of the majority of the sensors having their decision as either the event occurred is an intrusion or it is not an intrusion.
Independent decision making: In this case, every sensor produces a decision of its own. One out of the four decisions given below is done by the sensors. The four decisions are as follows:
Intrusive but not anomalous (false-negative): An intrusion takes place in the system, but an IDS fails to detect it and makes the decision that the event is non-anomalous one.
Not intrusive but anomalous (false-positive): No intrusion actually occurs in the system, but an IDS by mistake concludes a normal event as an anomalous one.
Not intrusive and not anomalous (true-negative): There is no intrusion in the system, and an IDS concludes the event as non-anomalous one.
Intrusive and anomalous (true-positive): There is an intrusion in the system, and an IDS concludes the event as an anomalous one.
Energy efficient IDS proposed for WSNs
In this section, we describe some of the promising IDS approaches for WSNs. The existing approaches consider different architectures and detection patterns while devising their IDS. In presence of different classifications presented in Section 2.1, we broadly classify the existing IDS approaches for safeguarding WSNs into three distinct categories, namely: (i) Centralized approach, (ii) Distributed approach, and (iii) Innovative approach. As shown in Fig. 4, each of these three approaches consists of several techniques. This section provides an in depth review of the existing techniques along with their strengths and limitations. Further, we explored the measures taken by the researchers for conserving energy in their proposed schemes.

Fig. 4. Taxonomy of IDS approaches in WSNs.
In centralized intrusion detection approach, computational intelligence, one-time key chain, trust and over-hearing, signaling game and energy prediction are employed for realizing energy efficient detection schemes. Generally, in this approach, each common sensor collects input from the network, followed by a preprocessing procedure or a part of computation tasks coming from the procedure of data processing [65]. The original/preprocessed inputs are then sent to the CH or sink. The procedures of analysis and decision are carried out at each common sensor and/or CH respectively. Finally, the output of intrusion detection is produced as a specified form where the analysis and decision procedures are done. In this section, a number of recently published potential works on energy efficient centralized intrusion detection are elaborated.
Cryptography based IDS
There are some IDS approaches that rely on various cryptographic techniques. For example, [44] and [78] introduce security key and help IDS to establish pairwise keys among the nodes. In [78], two techniques are proposed for clustered architecture-based WSNs. The first one uses a model that depends on authentication and can defend external attackers only. It basically appends a message authentication code (MAC) to every message. Whenever a node sends a message, a time stamp is attached to it and a MAC is generated using the pairwise key or individual key depending whether the sender is CH, MN, or sink. The receiver verifies the sender using the LEAP [90] security mechanism. The second technique is energy saving and like the previous one also withstands external attackers. It focuses on detecting misbehaviour in both MN and CH. The monitoring of MNs is done by their respective CHs. On detection of any misbehaviour, CH broadcasts an encrypted alarm message for controlling the specific misbehaving node. Here, monitoring of the CH is also done and that responsibility lies with some of the MNs under it. For monitoring the CH, the MNs are chosen randomly and have maximum remaining energy. This is implemented by sending messages that inquire the remaining energy status of every MN. The MNs having lower remaining energy are ignored by the CH. Rest of the MNs are divided into groups. Each group is responsible for monitoring the CH turn wise. At any time, only one group monitors the CH and that group is called active group. If any misbehaviour is detected by some threshold numbers of monitor MNs, then the CH is declared as compromised.
The proposed scheme is energy-efficient as well as fast for locating the compromised nodes as it uses a time stamp. However, the drawback of this scheme is that new sensors cannot be added. In addition, the proposed mechanism is suitable for static WSNs.
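The authentication model described above (a time stamp attached to each message and a MAC computed with the pairwise key) can be sketched as follows. This is an added example, not code from the survey or from [78]; HMAC-SHA256 as the MAC, the packet layout, the freshness window and all key material are assumptions, and key establishment (LEAP in the cited work) is taken as already done.

```python
import hashlib
import hmac
import struct

FRESHNESS_WINDOW = 5   # seconds; assumed value, the page gives none
HEADER_LEN = 6         # 2-byte sender id + 4-byte timestamp (assumed layout)
TAG_LEN = 32           # HMAC-SHA256 output length


def make_packet(key: bytes, sender_id: int, payload: bytes, now: int) -> bytes:
    """Sender side: header (sender id, time stamp) + payload + MAC over both."""
    header = struct.pack(">HI", sender_id, now)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: holds one pairwise key per known sender."""

    def __init__(self, pairwise_keys: dict):
        self.keys = pairwise_keys
        self.last_seen = {}   # sender id -> newest accepted time stamp

    def verify(self, packet: bytes, now: int) -> str:
        if len(packet) < HEADER_LEN + TAG_LEN:
            return "malformed"
        header = packet[:HEADER_LEN]
        payload = packet[HEADER_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        sender_id, ts = struct.unpack(">HI", header)
        key = self.keys.get(sender_id)
        if key is None:
            return "unknown-sender"
        # Authenticate first: the time stamp is only trusted once the MAC holds.
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"
        if abs(now - ts) > FRESHNESS_WINDOW:
            return "stale"
        if ts <= self.last_seen.get(sender_id, -1):
            return "replay"
        self.last_seen[sender_id] = ts
        return "accepted"


def mac_demo() -> dict:
    """Constructed traffic for node 7; every key and reading is made up."""
    key7 = b"constructed-key-node-7"
    rx = Receiver({7: key7})
    good = make_packet(key7, 7, b"temp=21.5", now=1000)
    results = {}
    results["legit"] = rx.verify(good, now=1001)
    results["replay_fresh"] = rx.verify(good, now=1002)
    results["replay_late"] = rx.verify(good, now=1100)
    # A sender without the pairwise key cannot produce a valid MAC.
    forged = make_packet(b"not-the-real-key", 7, b"temp=99.9", now=1003)
    results["external_forgery"] = rx.verify(forged, now=1003)
    # Payload changed in transit, original MAC kept.
    tampered = good[:HEADER_LEN] + b"temp=99.9" + good[-TAG_LEN:]
    results["tampered"] = rx.verify(tampered, now=1001)
    # A node that holds the valid key sends a false reading: the MAC verifies.
    insider = make_packet(key7, 7, b"temp=99.9", now=1004)
    results["compromised_node"] = rx.verify(insider, now=1004)
    return results


if __name__ == "__main__":
    for case, verdict in mac_demo().items():
        print(f"{case:18s} {verdict}")
```

The last case is the reason the scheme adds behaviour monitoring of MNs and CHs: a message from a node that holds a valid key passes every cryptographic check.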
Collaborative based IDS
In [47,79], the researchers proposed collaborative based IDS for WSNs. In work [79], Su et al. proposed an energy efficient hybrid intrusion prohibition system called eHIP which combines intrusion prevention and intrusion detection. The authors assume clustered architecture-based WSNs, in which data is routed through the CHs to the sink. To prevent intrusions, they use two authentication mechanisms, one for control messages (e.g. routing messages) and one for sensed data. The reason for using these two mechanisms is to use reservoir energy more efficiently. In addition, from a security point of view, the two types of messages have different importance. As control messages need to be highly secured, a keyed-Hash Message Authentication Code (HMAC) is applied to them on the basis of hop-by-hop security. This means that each intermediate node has to verify a control message by checking the HMAC and regenerating a new one for the verified control message until it arrives at the destination node. Regarding the delivery of sensed data, each intermediate node needs to authenticate the data sender. Otherwise, an attacker can send bogus data which would be forwarded and eventually result in energy depletion. In the proposed work, since HMAC generation is computationally intensive and transmission is time consuming, the authors use an energy-efficient one-time key chain to authenticate the sender. Further, as a second line of defense, the authors implement a collaboration-based IDS mechanism for monitoring both the CHs and MNs. In collaboration-based IDS, the MNs cooperatively monitor the CH to detect misbehaviour, whereas the CH is responsible for monitoring the MNs. Finally, the authors claim that security attacks such as packet dropping, packet duplicating and packet jamming can be detected using their proposed mechanism. However, in their work, no details are given regarding how the detection is done. Their simulation focuses on energy-efficiency and makes no statements about detection accuracy.
The proposed scheme is able to ensure energy-efficiency as well as provide strong security. However, new nodes cannot be added once the pairwise key has been established. To overcome this flaw, one can use a dynamic key management and distribution mechanism.
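How a one-time key chain lets a forwarding node authenticate the data sender with a single hash per packet, instead of an HMAC per hop, is shown below with a generic hash-chain construction. This is an added example and not eHIP's own protocol, which the survey does not detail; SHA-256, the packet tuple, the `MAX_GAP` loss bound and the seed are assumptions.

```python
import hashlib


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [K_0, ..., K_n] with K_{i-1} = H(K_i); K_0 is the commitment."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


class Sender:
    """Data source: discloses the next unused chain key with each packet."""

    def __init__(self, seed: bytes, n: int):
        self.chain = make_chain(seed, n)
        self.next_index = 1

    @property
    def commitment(self) -> bytes:
        return self.chain[0]   # handed to neighbours during setup

    def send(self, data: bytes) -> tuple:
        if self.next_index >= len(self.chain):
            raise RuntimeError("key chain exhausted; a new commitment is needed")
        pkt = (self.next_index, self.chain[self.next_index], data)
        self.next_index += 1
        return pkt


class Forwarder:
    """Intermediate node: checks the disclosed key against the last verified one."""

    MAX_GAP = 4   # assumed bound on tolerated packet loss; caps hash work per packet

    def __init__(self, commitment: bytes):
        self.last_index = 0
        self.last_key = commitment
        self.hashes_done = 0   # rough proxy for verification cost

    def accept(self, pkt: tuple) -> bool:
        index, key, _data = pkt
        gap = index - self.last_index
        if gap < 1 or gap > self.MAX_GAP:
            return False   # key already used, or implausibly far ahead
        k = key
        for _ in range(gap):
            k = H(k)
            self.hashes_done += 1
        if k != self.last_key:
            return False   # sender does not know the chain: drop, do not forward
        self.last_index, self.last_key = index, key
        return True


def key_chain_demo() -> dict:
    """Constructed run: one lost packet, one replay, one bogus sender."""
    sender = Sender(b"constructed-seed-for-node-12", n=8)
    fwd = Forwarder(sender.commitment)
    p1 = sender.send(b"reading-1")
    p2 = sender.send(b"reading-2")   # treated as lost in transit
    p3 = sender.send(b"reading-3")
    bogus = (4, b"\x00" * 32, b"bogus-reading")   # key not on the chain
    return {
        "p1": fwd.accept(p1),
        "p3_after_loss": fwd.accept(p3),
        "replayed_p1": fwd.accept(p1),
        "late_p2": fwd.accept(p2),
        "bogus": fwd.accept(bogus),
        "hashes": fwd.hashes_done,
    }


if __name__ == "__main__":
    print(key_chain_demo())
```

In this construction the disclosed key authenticates the sender only; it does not bind the payload, which is why the page reserves HMAC for control messages.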
Trust and over-hearing based IDS
In [31,32,34], the authors proposed trust and over-hearing based IDS for WSNs. Hai et al. [31] initially studied the problem of intrusion detection in WSNs and proposed a hybrid intrusion detection scheme for clustered WSNs. The objective of using clustered WSNs is to reduce the energy consumption, so that network lifetime can be prolonged. In the proposed scheme, an IDA is located in every node. Each node has two intrusion modules: a local IDA and a global IDA. Each agent is activated as required. The local IDA module is responsible for monitoring the information sent and received by the sensors. The global IDA module is responsible for monitoring the communication of its neighbouring sensors.
The authors used the watchdog monitoring mechanism and predefined rules for routing attacks to monitor packets in their neighbourhood. If the monitor nodes discover a potential attack such as a selective forwarding, wormhole, sinkhole, or hello flood attack in their radio range, they create and send an alert to the CHs. If the number of alerts about a suspicious sensor crosses a threshold, the CHs create a rule and propagate it to every sensor in the cluster. Because the scheme requires every sensor to be active and to send alert packets to the CHs for intrusion detection, a large number of alert packets are transmitted throughout the network. Hence, the proposed intrusion detection scheme is not energy efficient.
Further, to make the intrusion detection scheme energy efficient, the authors proposed two algorithms for reducing the energy consumption related to processing of the alert packets. The first algorithm is trust based: each sensor calculates the average trust of its neighbour sensors. If the average trust for a neighbour sensor is below a threshold, the CHs drop the alert packets received from it without further processing. The second algorithm is over-hearing. When a monitor sensor becomes aware of any malicious activity within its transmission range, it prepares an alert packet to be sent to the CHs. If the monitor sensor does not obtain the medium to send the alert packet, it knows there is a transmission taking place within its range. The monitor sensor buffers the alert packet and overhears the packets sent within its range. If the monitor sensor detects a neighbour sending the same alert packet, it drops the alert packet from its buffer. Thus, using the two algorithms, the authors ensured a reduction in the transmission of alert packets by monitor sensors. Finally, the authors show that the proposed intrusion detection scheme can detect more than 90% of the malicious nodes.
In the proposed scheme, the intruder is identified by calculating the average trust of the sensors, along with a majority vote mechanism. If the average trust value of a node does not reflect the real situation, the proposed scheme would be invalid.
Signaling game based IDS

Intrusion detection mechanism based on signaling game.
Another promising approach for designing effective and efficient IDS is based on the signaling game [24,73]. Shen et al. [73] proposed an intrusion detection game based on the signaling game. The signaling game refers to a class of two-player games in which one player (called the sender) is informed and the other (called the receiver) is not. Generally, in a signaling game, the sender has private information about its type set while the receiver has the common information about its type only. To balance the energy consumption uniformly on all the nodes, the authors considered a cluster based network, where the CHs are re-clustered periodically. Further, each sensor considered is equipped with an IDA, but only the IDA installed in the CH is launched. As shown in Fig. 5, the proposed IDS mechanism consists of four entities: stored data, administrator, member sensor node, and CH-IDS agent. The stored data include different game parameters, the probability of malicious member sensor nodes etc. Since a member sensor node may be malicious or normal, it sends either attack actions or cooperative actions, which make up the monitored data, to the CH-IDS agent. Before the CH-IDS agent starts working, the administrator configures it to make it more reliable and accurate. Each CH-IDS agent contains an IDS engine which integrates a well-known detection technique and can decide whether the monitored data is malicious or normal. Then the CH-IDS agent initializes the game parameters from the stored data. Based on these parameters, the one-stage intrusion detection game is built up. It receives the output of the IDS engine and formulates the game, in which the utilities have first been defined manually by the administrator. Next, based on the input data from the game, the CH-IDS agent implements an algorithm to calculate the probability of defense.
Based on the result of the probability of defense, each CH-IDS agent either remains idle or defends intruders. Finally, the CH-IDS agent computes the probability of posterior belief of member sensor node and updates the probability of malicious member sensor nodes into the stored data for the next stage game. The effectiveness of the proposed solution is measured through simulation experiment. The result shows that the proposed game can efficiently predict the type of member sensor nodes i.e., whether intruder or not.
Under this category, several researchers proposed promising works [39,40,63] for detecting intrusions in WSNs. In [39], Hassanzadeh and Stoleru proposed a cooperative intrusion detection method. The objective of the proposed method is minimizing energy consumption and event reporting delay in the nodes, while maximizing network coverage and data accuracy in the network. The authors considered cooperative IDS architecture where nodes are organized in cluster trees with a single sink. Architecture of a node with cooperative IDS is shown in Fig. 6. Based on the roles of nodes, the authors identified four types, namely: joined, aggregator, leader, and orphan as shown in Fig. 6(a). Joined nodes are the leaves in a cluster tree. They monitor local activity such as communication, processes running, data produced and run a local IDS. Next, monitored results are reported to the parent, which can be an aggregator or a leader node. Aggregator nodes also monitor local activity, receive reports from children, either joined or other aggregator nodes, and aggregate received data with their information using the data aggregation module. The aggregated data is reported to either another aggregator or leader parent. Here, leader is the root of a cluster tree. A leader receives reports from either joined or aggregator children nodes, and executes intrusion detection functions as part of a cooperation module. The results are reported to the sink. Leaders of all the cluster trees form a connected graph, which contains the sink. Orphan nodes are not part of a cluster tree. They run local IDS and do not forward their observations to their neighbours.
(a) Network model of cooperative IDS with various nodes responsibilities, (b) General node architecture in cooperative IDS.
In order to minimize energy consumption and event reporting delay in the nodes, while maximizing network coverage and data accuracy in the network, the authors formulated it as a multi-objective optimization problem. A genetic algorithm based on penalized function is developed to solve the multi-objective optimization problem. Finally, the authors validated the superior network performance and intrusion detection rates obtained by the proposed collaborative IDS.
This proposed scheme is particularly appropriate to cooperate with any intrusion detection scheme, not only for conserving resource usage, but also to promote its detection performance. The genetic algorithm based scheme suffers from exponential time increase if the network’s size increases [12].
In [37,74], a group of researchers devised an energy prediction based IDS mechanisms for clustered WSNs. Shen et al. [74] proposed an intrusion detection scheme based on energy prediction in clustered WSNs. The authors considered the energy consumption of a sensor as a metric to identify denial-of-service attacks. It is a well known fact that an adversary can compromise any sensor in the network and a compromised sensor requires abnormal energy to launch an attack. Based on these facts, in the proposed scheme, each CH initially predicts the energy consumption rate of its MNs and compares it with the actual energy consumption rate of the MNs in each round. If there exists significant difference between the predicted and actual energy consumption rate of a MN, based on certain predefined threshold energy consumption values, the scheme is able to identify the attacks like selective forwarding, hello flood, Wormhole, Sinkhole, and Sybil attacks. The authors adopted Markov chains [71] for predicting energy consumption of nodes in each round.
At the beginning of each round, each CH predicts the energy consumption rate of each of its MNs and stores the predicted result. The sink, in turn, predicts the energy consumption rate of each CH and stores the predicted result. Then, at the end of each round, the sink collects the residual energy of each CH and MN. The collection process starts at the sink, which broadcasts a message to each CH. After receiving the broadcast message, each CH collects the residual energy from its MNs and sends the values to the sink together with its own present residual energy. After receiving the residual energy from all the MNs and CHs, the actual energy consumption is calculated at the sink. If the sink detects any abnormal deviation of the actual energy consumption rate from the predicted energy consumption rate at any CH or MN, that node is considered malicious and the node’s id is recorded in a blacklist. Finally, the nodes in the blacklist are segregated from the network by removing them from the routing table. Through simulation, the authors show that the proposed scheme is energy efficient as it consumes the least energy. This is because the scheme requires no energy for monitoring and no exchange of control messages among the sensors.
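The round-based check described above can be sketched as follows. This is an added example, not the authors' implementation: the three operating states, the transition matrix, the per-state energy costs, the 25% deviation threshold and all node names and readings are constructed for illustration.

```python
STATES = ("sleep", "sense", "radio")   # assumed operating states of a node
P = [[0.8, 0.2, 0.0],                  # constructed transition matrix,
     [0.0, 0.5, 0.5],                  # row i = probabilities of moving
     [0.7, 0.3, 0.0]]                  # from state i to each state
COST_MJ = [0.01, 0.5, 2.0]             # constructed energy per time step (mJ)


def predict_round_energy(P, cost, start, steps):
    """Expected energy spent over `steps` time steps of the Markov chain."""
    n = len(P)
    dist, total = list(start), 0.0
    for _ in range(steps):
        # Advance the state distribution by one step: dist <- dist * P.
        dist = [sum(dist[i] * P[i][j] for i in range(n)) for j in range(n)]
        total += sum(d * c for d, c in zip(dist, cost))
    return total


def audit_round(predicted, residual_before, residual_after, threshold=0.25):
    """Return {node: relative deviation} for nodes outside the threshold.

    Deviation is signed: positive means the node spent more than predicted,
    negative means it spent less (for example by silently dropping traffic).
    """
    flagged = {}
    for node, before in residual_before.items():
        actual = before - residual_after[node]
        deviation = (actual - predicted[node]) / predicted[node]
        if abs(deviation) > threshold:
            flagged[node] = deviation
    return flagged


def isolate(routing_table, blacklist):
    """Remove blacklisted nodes as destinations and as next hops."""
    return {dst: hop for dst, hop in routing_table.items()
            if dst not in blacklist and hop not in blacklist}


def run_example():
    nodes = ["MN1", "MN2", "MN3", "MN4", "MN5"]
    expected = predict_round_energy(P, COST_MJ, [1.0, 0.0, 0.0], steps=100)
    predicted = {n: expected for n in nodes}
    before = {n: 1000.0 for n in nodes}                 # mJ, constructed
    after = {"MN1": 953.5, "MN2": 955.0, "MN3": 880.0,  # constructed reports
             "MN4": 954.2, "MN5": 990.0}
    flagged = audit_round(predicted, before, after)
    # Constructed routing table: destination -> next hop towards it.
    table = {"MN1": "CH1", "MN2": "CH1", "MN3": "CH1",
             "MN4": "MN3", "MN5": "CH1"}
    # MN4 is honest but was reached through MN3, so it needs a new route.
    return expected, flagged, isolate(table, set(flagged))


if __name__ == "__main__":
    print(run_example())
```

The residual values are reported by the nodes themselves, so the check is only as reliable as those reports.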
Table 2 provides an overall comparison of existing state-of-the-art IDS mechanisms based on centralized detection approaches. Since the authors use different system assumptions and experimental methods to evaluate the performance of the devised mechanisms, it is difficult to find a common ground for evaluating which centralized detection technique is most suitable. Hence, for a better understanding, the comparison is performed in terms of their detection methodology, location of data analysis, measure for energy conservation, and accuracy of detection. To summarize, irrespective of detection technique and location of data analysis, misuse based detection methodology shows high accuracy of intrusion detection compared with anomaly or specification based. Now, for all the schemes, if we compare the accuracy of detection, except [55] and [62], all the other works always produce high accuracy.
Comparison of IDS mechanisms based on centralized approaches
In this section, we discuss several potential intrusion detection approaches which are distributed or de-centralized in nature. Distributed intrusion detection approaches are among the most suitable approaches for WSNs because the detection mechanism is distributed among the nodes [21,27]. As the detection scheme is distributed among the nodes, the energy overhead gets spread throughout the entire network and eventually reduces the communication overhead. Reduction in communication overhead effectively enhances the network lifetime.
Rule based IDS
Rule based IDS mechanism is another promising and efficient approach in WSNs. In the recent past, a number of good works [33,76,80] have been done in this category. In [76], Silva et al. proposed an IDS mechanism to detect intrusion in WSNs. The proposed IDS mechanism is based on inference or rules, where rules are framed from the network behaviour obtained during the analysis of events detected by a monitor node. Here, the monitor node runs the common node functions, like sensing, data message sending and retransmitting, in addition to the IDS functions. As shown in Fig. 7, the proposed IDS mechanism works in three phases, namely: data acquisition, rule application, and intrusion detection.

Intrusion detection mechanism based on rule.
In the data acquisition phase, messages are heard in promiscuous mode by the monitor node and important information is filtered and stored for subsequent analysis. Important information includes message fields that may be useful to the rule application phase. Here, the messages are stored in an array data structure and discarded after a given period of time or when there is no space left in the memory. In the rule application phase, each entry in the array data structure is evaluated according to a sequence of rules specific to each message type. If a message fails one of the rules, a failure counter is incremented. Then the message is discarded and no other rule is applied to it. In the intrusion detection phase, the monitor node detects the number of network failures by analyzing the messages transmitted in its neighbourhood. The number of raised failures is compared to the expected amount of occasional failures in the network. If the former is higher than the latter, an intrusion detection alarm is raised. To make the proposed IDS energy efficient, the authors suggested discarding a message when a monitor node discovers that the message is not addressed to the receiving node or is not considered for the sink in case of forwarding. Such a message discarding mechanism effectively reduces unnecessary processing of messages, thereby saving the node’s energy.
This scheme gives a good framework to rule-based detection. Nevertheless, there is a lack of clear description with regard to the details of determining monitor nodes, such as particularly how many and which sensors should be on duty to make sure that the entire network is under protection. Further, the proposed scheme is not suitable for application scenarios that require a high detection accuracy and low false alarm rate.
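The three phases of the rule-based monitor can be sketched as below. This is an added example, not code from Silva et al.: the three rules (range, interval, repetition), their limits, the buffer sizes and the overheard messages are all constructed to show the control flow the text describes.

```python
from collections import deque, namedtuple

# Only the fields the rules need are stored (data acquisition filter).
Msg = namedtuple("Msg", "t src dst kind seq")

MIN_INTERVAL = 1.0  # s between data messages from one source (assumed)
MAX_REPEAT = 2      # times one (src, seq) may be overheard (assumed)


class RuleMonitor:
    def __init__(self, neighbours, capacity=8, max_age=10.0,
                 expected_failures=1):
        self.neighbours = set(neighbours)
        self.buffer = deque()
        self.capacity = capacity
        self.max_age = max_age
        self.expected_failures = expected_failures  # occasional failures
        self.failures = 0
        self.last_seen = {}  # src -> time of its previous data message
        self.copies = {}     # (src, seq) -> times overheard
        # One rule sequence per message type (illustrative rules).
        self.rules = {
            "data": [self.rule_range, self.rule_interval,
                     self.rule_repetition],
            "route": [self.rule_range, self.rule_repetition],
        }

    # Phase 1: data acquisition in promiscuous mode.
    def overhear(self, msg):
        # Discard the oldest entries when they age out or memory is full.
        while self.buffer and (len(self.buffer) >= self.capacity
                               or msg.t - self.buffer[0].t > self.max_age):
            self.buffer.popleft()
        self.buffer.append(msg)

    def rule_range(self, m):
        return m.src in self.neighbours  # sender must be a known neighbour

    def rule_interval(self, m):
        prev = self.last_seen.get(m.src)
        self.last_seen[m.src] = m.t
        return prev is None or m.t - prev >= MIN_INTERVAL

    def rule_repetition(self, m):
        n = self.copies.get((m.src, m.seq), 0) + 1
        self.copies[(m.src, m.seq)] = n
        return n <= MAX_REPEAT

    # Phase 2: rule application; the first failed rule ends the evaluation.
    def apply_rules(self):
        while self.buffer:
            m = self.buffer.popleft()
            for rule in self.rules.get(m.kind, []):
                if not rule(m):
                    self.failures += 1
                    break

    # Phase 3: intrusion detection against the expected failure level.
    def detect(self):
        alarm = self.failures > self.expected_failures
        self.failures = 0
        return alarm


def run_round(monitor, messages):
    """Feed one round of overheard traffic; return (failures, alarm)."""
    for m in messages:
        monitor.overhear(m)
    monitor.apply_rules()
    failures = monitor.failures
    return failures, monitor.detect()


# Constructed traffic: one occasional failure, then a burst of failures.
QUIET = [Msg(0.0, "n1", "sink", "data", 1), Msg(1.5, "n1", "sink", "data", 2),
         Msg(2.0, "n2", "sink", "data", 1), Msg(2.4, "n2", "sink", "data", 2)]
SUSPICIOUS = [Msg(10.0, "x9", "n1", "route", 1),
              Msg(10.1, "x9", "n1", "route", 2),
              Msg(10.2, "n1", "sink", "data", 3),
              Msg(10.3, "n1", "sink", "data", 3)]

if __name__ == "__main__":
    mon = RuleMonitor({"n1", "n2"})
    print(run_round(mon, QUIET), run_round(mon, SUSPICIOUS))
```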
Krontiris et al. [48] proposed a specification based IDS mechanism for detecting black-hole and selective forwarding attacks. To detect attacks, a specification based IDS mechanism measures the deviations of the current behaviour from the normal one. More specifically, the IDS mechanism measures the behaviour using a set of manually defined specifications that describe what a correct operation is, and monitors any behaviour with respect to these constraints. In this work, to monitor the behaviour of the neighbour node, the authors used the watchdog approach. Watchdog runs in some nodes (called watchdog nodes), for monitoring the activity of the neighbouring nodes. Based on the monitoring result, watchdog nodes collectively take the ultimate decision of whether a node is malicious or not. Here, monitoring and intrusion detection are done based on the set of detection rules. For example, if a watchdog node measures that the packet dropping rate of a node is more than a certain threshold limit for a specific time period, an alarm will be generated by that watchdog node. Finally, watchdog nodes apply the majority rule in order to decide whether a node is malicious or not. For example, if more than half of the watchdog nodes report that the behaviour of a sensor is suspicious, it is designated as a malicious one. The benefit of using the majority rule is that if a watchdog node is compromised and issues a false alarm trying to revoke a legitimate node, or issues no alarms for another malicious node that launches an attack, it would have no effect because the majority would still triumph.
Since simple probability based detection rules are used, the detection mechanism is energy efficient and requires less communication overhead. Also, the scheme reduces the false alarm rate [48].
Hierarchical clustering based IDS
Intrusion detection in wireless industrial sensor networks (WISNs) is a great matter of concern because if the alert generated is not reliable and in time due to the alert being stolen or modified, the leakage of toxic chemicals, flammable liquids, and gases could pollute the environment and endanger public life. In [75], Shin et al. first studied the intrusion detection for WISNs to achieve effective, fast and accurate detection. Next, the authors proposed a new hierarchical framework for detecting intrusion in WISNs. Initially, they constructed a hierarchical framework based on two tier clustering. Here, two tier clustering consists of multi-hop clustering (first tier) for efficient data gathering and single-hop clustering (second tier) for effective intrusion detection. The authors assumed that each node in the network has an IDS module as shown in Fig. 8. An IDS module has two sub-modules: (i) intrusion detection rules that decide an intrusion by applying detection rules and threshold to the neighbour’s traffic, and (ii) intruder handling that reactively handles the intruder. As per the application and security requirements, different conditions for rules in the modules of intrusion detection rules are set. Once the condition of rules in the intrusion detection rules module is satisfied, a node concludes that a malicious intrusion occurred around it and reactively handles the intrusion depending on the module of intruder handling.

Intrusion detection mechanism in the hierarchical framework.
To detect intrusion, the authors further assumed two tier clustering with four levels: sink or base station (BS), gateway (GW), CH, and MN. Each level detects the intrusions with similar detection rules and performs a different handling method. If a MN detects an intruder among its neighbours, including a GW and CH, it does not handle it by itself and only reports it to a higher level. A CH monitors a MN and GW within its communication range (one-hop) directly, while the CH indirectly monitors a GW located outside of its communication range by evaluating messages that the GW transmits. If the CH detects a malicious MN as an intruder, it removes the intruder MN. On the other hand, if it detects a malicious GW as an intruder, the CH reports it to the sink at the root level. A GW node monitors its own member CHs. When the GW detects a malicious CH as an intruder, it removes the CH from its cluster and reports it to the sink. When a CH or GW is reported as an intruder, the sink instructs the network to re-perform the second clustering or the first clustering, respectively. As the proposed framework allows in-network processing, the results obtained are more accurate with regard to sensing and intrusion monitoring. For the same reason, the proposed intrusion detection framework is energy efficient.
Although the proposed work ensured accurate detection, the solutions are only for a specific subset of sensor nodes of WISNs rather than being generic. Moreover, this study claims to support several attacks using real sensors and reported the performance of intrusion detection via real experiments, but there is no explicit evaluation of the performance of each defense mechanism on sensors. For instance, the implementation details and the overhead and cost associated with the design are not analyzed.

Building blocks of an IDA.
An extensive body of research exists on neighbour monitoring based IDS for WSNs [49,66,77]. In [49], Krontiris et al. proposed a generalized architecture for intrusion detection that can operate under any circumstances based on neighbour monitoring. The IDS mechanism is based on a distributed intelligent agent-based system as shown in Fig. 9. According to the proposed approach, each node hosts an IDA. The IDA performs neighbour monitoring, decision making, and response. During the neighbour monitoring, every node monitors each immediate neighbour and collects audit data. During the decision making, every node determines the existence of possible intrusions based on local audit data and forwards its conclusions to each immediate neighbour in order to make the final collective decision. The local detection engine applies the defined specifications of what is normal behaviour and monitors audit data according to these constraints. The cooperation between neighbouring nodes is performed by applying the majority vote rule to determine the existence of an attack. Further, when an attack is detected the local response module is activated. Depending on the severity of the attack, the response might be direct or indirect. The direct response excludes the suspected node from the routing paths and forces regeneration of cryptographic keys for the rest of the neighbours. The indirect response notifies the sink about the suspected behaviour of the possible intruder and reduces the reputation of the link to that node so as to gradually characterize it as unreliable. The proposed approach is evaluated against the sinkhole attack. In a voting based IDS mechanism there is a possibility of drastic flooding over the network caused by broadcasting local detection results. In the proposed work, to prevent message flooding, alarm messages are restricted to a region formed only by the alerted nodes.
Learning automata based IDS

LA model for intrusion detection in WSNs.
There are a number of IDS mechanisms that rely on learning techniques. For example, [55–57] introduce learning automata for detecting intrusion in WSNs. In [57], Misra et al. proposed a self-learning, distributed, energy-aware routing protocol for detecting intrusion in WSNs. The proposed approach is based on the concepts of learning automata (LA) as given in Fig. 10. LA is a self-operating learning model, where learning refers to the process of gaining knowledge during the execution of a simple machine/code (automaton) and using the gained knowledge to decide on actions to be taken in future. This model has three main components viz. automaton, environment, and reward/penalty structure. The automaton refers to the self-learning system. The medium on which this machine functions is called the environment. The automaton continuously performs actions on the environment and the environment responds to these actions. This response may be either positive or negative and serves as the feedback to the automaton, which, in turn, leads to the automaton either getting rewarded or penalized.
The proposed intrusion detection technique is based on the concept of packet sampling. During packet sampling, a portion of the packets traversing the node are examined to ascertain whether the packets are malicious or not. Generally, in the network, the intruder tries to get as many malicious packets injected into the system as possible, and the system tries to detect and remove as many of the intruder's malicious packets as possible. Therefore, in the protocol, each node samples the packets traversing it. Depending on the circumstances, the nodes detect the malicious packets that pass through them. If any malicious packets are found, the node removes them from the network. If malicious packets are found and the detection rate is higher than the penalty threshold, then the sampling rate is increased. Sampling is again performed with the new sampling rate. If the detection rate is still high, the rate may be further increased. When the detection rate falls below the penalty threshold, the sampling rate is reduced. To make the protocol energy aware, the authors used LA on the packet sampling mechanism. The authors show that the proposed protocol provides promising results for intrusion detection.
Principal component analysis is increasingly drawing more attention as a dimensionality reduction mechanism to design an effective and efficient IDS mechanism for WSNs [41,52,53,83]. In one such work, Livani et al. [52] proposed two techniques for detecting intrusion in WSNs, one of them is principal component analysis based centralized technique (PCACID) and the other is principal component analysis based distributed technique (PCADID). The authors partitioned the nodes deployed in the network into a number of groups and in each group some nodes act as monitor nodes. The proposed PCACID technique consists of two phases, namely: training, and detection. In the training phase, every monitor node independently establishes its own normal network traffic profile using principal component analysis. In the detection phase, every monitor node detects irregular network traffic using its own normal network traffic established in the training phase. Similar to the PCACID technique, the PCADID technique also consists of training and detection phases. Nevertheless, in the training phase, every monitor node establishes a sub-profile of its own normal network traffic and cooperates with other monitor nodes to compose a global normal profile. In the detection phase, every monitor node detects anomalous feature vectors based upon the global normal profile established in the training phase. Through simulation experiment, the authors show that the distributed PCADID technique outperforms the centralized PCACID technique in terms of memory and energy usage.
Group based IDS
Li et al. [50] proposed a distributed group based intrusion detection scheme for WSNs. The proposed IDS mechanism works in two phases. In the first phase, the entire network area is partitioned into several groups depending on the location proximity among the nodes and their sensing capabilities. Since the nodes are spatially located at different places, the sensed data of the nodes within the same group differ by a certain threshold δ. Further, each δ-group is partitioned into equal-sized sub-groups. To reduce the energy consumption, every node in a sub-group takes responsibility for monitoring the network area, whereas these sub-groups monitor the entire δ-group in turn. After partitioning the network area into several groups, the intrusion detection operation starts in the second phase.
In the second phase, intrusion detection is carried out in two steps, considering a number of attributes like sensed data, packet sending rate, packet dropping rate, packet sending power etc. In the first step, if a node in a sub-group detects a divergence, it alerts the other nodes in its sub-group. In the second step, if the number of alert messages coming from the same node, or raised against the same node, exceeds a threshold during a period, promiscuous mode is activated for monitoring the suspicious node specifically. Through simulation experiments, the authors showed that the proposed technique decreases the false alarm rate in comparison to other existing techniques. Further, the authors showed that the proposed technique incurs less computational and transmission overhead, which effectively saves energy.
Table 3 provides an overall comparison of existing potential IDS mechanisms based on distributed approaches. As with Table 2, because of the difficulty of finding a common ground in performance measurement, the comparison is performed in terms of their detection methodology, location of data analysis, measure for energy conservation, and accuracy of detection. To summarize, in distributed approaches, irrespective of detection technique and location of data analysis, anomaly based detection methodology consistently provides high intrusion detection accuracy. On the contrary, the intrusion detection accuracy for misuse or specification based methods lies between medium and high.
Comparison of IDS mechanisms based on distributed approaches
In this type of IDS mechanism, different innovative approaches are proposed by the authors for detecting intrusion as well as measures adopted for saving energy in WSNs. In this section, we have elaborated a few state-of-the-art works which are based on certain innovative approaches.
Game theory based IDS
Game theory provides a rich set of mathematical tools for investigating multi-person strategic decision-making, which has been widely applied in the field of sensor network security [3,4,22,23,54,70,72,73]. Repeated game theory is an extensive form of game theory. In [3,4], the researchers proposed a repeated game theory based IDS mechanism for WSNs. The proposed approach is formulated as a game repeatedly played between the detection system and the nodes. The authors assumed that the network consists of two types of nodes: one type agrees to forward data packets and the other type is not willing to forward data packets. Further, depending on the dynamic change in behaviour, nodes are categorized in different groups and are forced to work collaboratively. Any non-cooperative behaviour of a node is punished. The intrusion detector located at the sink monitors the collaboration of other nodes and builds up a history that represents their reputation. Nodes that contribute to common network operation increase their reputation. The reputation is used as a metric of reliability and is used to statistically predict the future behaviour of the nodes. The advantage of the proposed approach is that using the reputation of each node it is possible to create routing paths consisting of less malicious nodes for more secure transmissions. Since the malicious nodes are isolated from routing paths, communication overhead is reduced. The reduction of communication energy makes the proposed technique more energy efficient. The main disadvantage of the proposed approach is that when the number of malicious nodes in the network increases, the success rate of the IDS mechanism decreases. This can be explained if we consider the fact that the IDS attempts to lower false positive and negative rates, and as a result the detection rate is decreased since it misses more malicious nodes.
This technique may not be suitable for certain environmental monitoring applications, but may be considered in applications in which an intrusion is likely to be tolerated.
Markov decision procedure based IDS
Markov decision procedure is another promising method for detecting intrusion in WSNs. Significant numbers of research works exist where the researchers [22,45,62] considered Markov decision procedure for designing an effective and efficient IDS mechanism. In one such work, Premkumar and Kumar [62] proposed a quick intrusion detection scheme for WSNs by keeping minimum number of nodes active. To quicken the intrusion detection, the authors modeled the intrusion detection problem as a Markov decision process. In the proposed work, there is a fusion center based on Markov decision process that decides how many sensors need to be turned on after each time slot. The problem studied by the authors is to minimize the detection delay and energy consumption, subject to a constraint on the probability of false alarm. A Lagrangian version of the problem is posed within the framework of dynamic programming for the classical quickest change detection. It is shown that the posterior probability
The primary weakness of the proposed Markov decision procedure based IDS mechanism is the profuse resource consumption and communication overhead.
Code attestation based IDS
Chen et al. [13–15] were the first to introduce code attestation based IDS in WSNs. In [14], they developed a probability model for analyzing how often code attestation should be performed to maximize the expected lifetime of a sensor. A sensor fails when either the sensor’s energy is depleted, or it is compromised before energy depletion and returns incorrect sensor readings during a reading event. Code attestation is invoked to verify the memory content of a sensor node by computing the checksum of program code and data. If code attestation happens too often, the energy consumption may drain the battery quickly such that the reliability of the sensor node decreases, and this offsets the benefits of code attestation. On the other hand, if it is not done frequently enough, an intrusion may not be detected in time such that a compromised sensor may return incorrect sensor readings resulting in system failure. Therefore, the authors determined the probability with which code attestation is invoked when a periodic sensor reading event is triggered. The authors concluded from their simulation results that code attestation can be executed more often whenever the sensor compromising rate is high. Also, the results show that both the false result probability (negative or positive) and the energy consumption for running code attestation are low. Finally, the results show that the energy consumption for code recovery is low compared to the energy consumption for sensor data reading. To measure the reliability of a sensor, the authors used the parameter mean time to failure. Mean time to failure is defined as the number of periodic sensor reading events that the sensor node is able to return correctly before failure.

Fig. 11. Intrusion detection mechanism in IHIDS.
In the recent past, it has been seen that in some particular cases, misuse and anomaly-based detection techniques can exist side-by-side to form hybrid detection mechanisms. In [35,82,86], the researchers proposed hybrid system based IDS mechanisms for WSNs. Wang et al. [82] proposed a hybrid system based IDS mechanism for clustered WSNs. The proposed IDS mechanism is integrated and able to resist intrusions, and it performs real time processing by analyzing the attacks. According to the different capabilities and probabilities of attacks, the authors proposed three different dedicated IDS mechanisms for the sink, CH and sensor node.
Initially, the authors devised a learning ability based Intelligent Hybrid Intrusion Detection System (IHIDS) for detecting possible attacks in the sink as shown in Fig. 11. The IHIDS combines anomaly and misuse detection, and aims for a high detection rate and a low false positive rate. The anomaly detection model first filters out a large number of normal packets, and then the abnormal packets are forwarded to the misuse detection model to identify the type of attack. However, if the misuse detection model cannot identify the type of attack, the packet is forwarded to the learning mechanism of IHIDS for learning the new classes of attacks. For CHs, the authors proposed a HyIDS, which has the same detection model as IHIDS, but without the learning ability. The goals of HyIDS are to detect attacks efficiently and avoid resource wastage. However, HyIDS would retrain the behaviour of new attacks, which are detected and classified from IHIDS. Finally, for sensor nodes, the authors proposed a misuse based intrusion detection mechanism, which uses the attack model for fast matching of the packets in order to find the attacks. Since the resources of sensor nodes are fewer than those of the sink and CHs, the authors adopted a simple and fast detection method in the sensor node to avoid overwork, and to save resources for the purpose of safety. Finally, the performance of the proposed IDS mechanisms is measured under well-known attacks and unknown attacks using back propagation network and adaptive resonance theory, respectively. The results reveal that adaptive resonance theory outperforms back propagation network in terms of detection accuracy and low false positive rate.
Clustering ellipsoid based IDS
The first work on this research track was introduced by Moshtaghi et al. [58,59]. In [59], they proposed an IDS mechanism based on clustering ellipsoids (hyperellipsoids) for WSNs. In designing the IDS mechanism, the authors took advantage of the fact that across the network area, a WSN may contain multiple types of underlying data distribution. The common sensors sense the environment and send their sensory data to the CH. Upon receiving the data, the CH generates local ellipsoids and sends them to the sink. After receiving ellipsoids from the CHs, the sink creates a global ellipsoid based on the similarity between ellipsoids. Once the global ellipsoid is created, the sink transmits it to the common sensors for detecting intruders locally. The authors used a cluster based network to reduce data redundancy, which makes the scheme energy efficient. Since the main computation task in the proposed technique is performed by the sink, the scheme is more energy efficient.
Comparison of IDS mechanisms based on innovative approaches
Although the proposed technique is energy efficient, successful detection of intruders depends on a precise global ellipsoid. In this context, it also requires a more appropriate elliptical boundary than a standard deviation, in order to avoid excessive false positive alarms.
Table 4 provides an overall comparison of existing state-of-the-art IDS mechanisms based on certain innovative techniques. As with the earlier approaches, in innovative approaches the authors use different system assumptions and experimental methods to evaluate the performance of the proposed IDS mechanisms, which makes it difficult to find a common ground for evaluating which innovative technique is most suitable. Similar to Table 3, the comparison is performed in terms of detection methodology, location of data analysis, measure for energy conservation, and accuracy of detection. To summarize, as with the distributed detection technique, in terms of detection accuracy, anomaly based innovative techniques show the best performance compared with misuse based ones, irrespective of detection technique and location of data analysis.
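The CH, sink and sensor roles in the clustering ellipsoid scheme can be sketched for two-dimensional readings as follows. This is an added example, not the algorithm of Moshtaghi et al.: the sample readings are constructed, the sink simply pools the local ellipsoids it has already judged similar, and the chi-square boundary is one assumed choice of elliptical boundary.

```python
import math

# Constructed (temperature, humidity) readings gathered by two cluster heads.
CLUSTER_A = [(20.1, 40.2), (20.4, 41.0), (19.8, 39.5), (20.6, 40.1), (20.0, 40.9)]
CLUSTER_B = [(20.3, 40.6), (19.9, 40.0), (20.5, 39.7), (20.2, 41.1), (19.7, 40.4)]


def local_ellipsoid(readings):
    """Cluster head: summarise readings as (n, mean, covariance)."""
    n = len(readings)
    mx = sum(x for x, _ in readings) / n
    my = sum(y for _, y in readings) / n
    sxx = sum((x - mx) ** 2 for x, _ in readings) / (n - 1)
    syy = sum((y - my) ** 2 for _, y in readings) / (n - 1)
    sxy = sum((x - mx) * (y - my) for x, y in readings) / (n - 1)
    return n, (mx, my), (sxx, sxy, syy)


def global_ellipsoid(ellipsoids):
    """Sink: pool local ellipsoids without needing the raw readings."""
    total = sum(n for n, _, _ in ellipsoids)
    gx = sum(n * m[0] for n, m, _ in ellipsoids) / total
    gy = sum(n * m[1] for n, m, _ in ellipsoids) / total
    acc = [0.0, 0.0, 0.0]
    for n, (mx, my), (sxx, sxy, syy) in ellipsoids:
        dx, dy = mx - gx, my - gy  # offset of the local centre
        acc[0] += (n - 1) * sxx + n * dx * dx
        acc[1] += (n - 1) * sxy + n * dx * dy
        acc[2] += (n - 1) * syy + n * dy * dy
    return total, (gx, gy), tuple(a / (total - 1) for a in acc)


def is_anomalous(reading, ellipsoid, coverage=0.99):
    """Sensor: flag a reading that falls outside the global ellipsoid."""
    _, (mx, my), (sxx, sxy, syy) = ellipsoid
    dx, dy = reading[0] - mx, reading[1] - my
    det = sxx * syy - sxy * sxy
    # Squared Mahalanobis distance using the closed-form 2x2 inverse.
    d2 = (syy * dx * dx - 2 * sxy * dx * dy + sxx * dy * dy) / det
    return d2 > -2.0 * math.log(1.0 - coverage)  # chi-square quantile, 2 dof


if __name__ == "__main__":
    g = global_ellipsoid([local_ellipsoid(CLUSTER_A), local_ellipsoid(CLUSTER_B)])
    for r in [(20.2, 40.3), (35.0, 40.0)]:
        print(r, "anomalous" if is_anomalous(r, g) else "normal")
```

Only the count, mean and covariance of each cluster travel to the sink, which is where the reduction in transmitted data comes from.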
Comparison of energy efficient IDS mechanisms
In earlier sections, we reviewed a number of existing intrusion detection techniques and classified them broadly into three categories, namely: centralized approach, distributed approach, and innovative approach. In this section, we compare the reviewed intrusion detection methods. The performance of almost all the reviewed IDS mechanisms is measured by the authors using different WSN simulators, whose technical details are almost unknown. This makes it difficult to evaluate the performance of the proposed IDS mechanisms and to find a common ground for deciding which IDS mechanism is most suitable. Hence, in this section, for a better understanding of the performance of different schemes, we summarize the performance of those schemes with respect to network architecture, detection technique, energy saving mechanism, and highlighting features of each scheme in Table 5. Accordingly, the following conclusions can be drawn for the existing energy efficient IDS mechanisms:
Although a number of energy efficient IDS mechanisms have been proposed to detect and alert on attempted intrusions into networks, most of the works target only one or two specific attacks, such as Sybil [74], black-hole [48], and selective forwarding [33,82] attacks, using different network and hardware assumptions. Hence, it is very difficult to combine all these mechanisms in a universal platform. A promising research track would be to choose a set of common criteria based on the features of different attacks.
There are a limited number of real world implementations of energy efficient IDS mechanisms. Precisely, unlike [47,75], the performance of the proposed IDS mechanisms is measured through simulation irrespective of detection method and network architecture. In fact, most of the works do not provide comprehensive analyses or simulations, which makes it difficult to analyze the effectiveness of an IDS mechanism.
The rule based detection technique implemented in WSNs shows low false negative and false positive rates [76,82], which is a good thing. However, the application of rule-based detection techniques in the context of a WSN is a complex task, since the problem of high energy consumption and communication overhead arises.
In game theory based IDSs, secure routing paths can be created for more secure communication between sensors and the sink [3–5]. Further, the detection rate can be adjusted by the network security administrator through change of parameters. The problem with this system is that it is non-adaptive and requires human intervention for a stable operation.
Agent based IDSs reduce the network load and latency [34,49]; however, they cause high energy consumption in the sensors. Further, communication cost between agents and coordinator, or between agents, may cause congestion and bottlenecks in the network.
In hierarchical or clustering architecture based IDS mechanisms [39,79], clustering algorithms consume a considerable amount of the network's energy during cluster formation. After the clusters are formed and the CHs are elected, CHs may be compromised, hence they have to be secured. Besides, if the CH is not a special node (more processing power and battery), then the overhead of being a CH will deplete its scarce resources more quickly.
Although considerable research effort has been devoted to devising energy efficient IDS mechanisms, there are a number of issues that are yet to be addressed. Based on the outcomes of our work, we derive and list the potential open issues that need further investigation.
Different attack scenarios in WSN can have different effects on energy consumption. This is because attacks are based on several factors that influence how much energy of the network is utilized. This study can be beneficial as a future research topic as the level of intrusion detection provided is based on the attack a network is exposed to. This will definitely save the implementation cost of IDS and provide an optimal solution of intrusion detection in WSNs.
Another upcoming research area is efficient energy management intrusion detection in multimedia WSNs such as in camera sensor networks [36]. As the multimedia factor introduces several overheads, mostly in the form of resources for such resource constrained networks, care should be taken such that a balance is achieved while designing the IDS mechanisms. This is very much required so that WSNs can support a multimedia system along with an IDS that conserves energy.
In the context of ambient intelligence applications like intelligent monitoring of smart homes [9], healthcare [67] etc., the IDS mechanism should be developed for the comfort of the monitored people. Any privacy flaw enables the intruder to monitor the activities of daily living of the people. Although the authors proposed a hybrid scheme [6] for thwarting this kind of intruder, there are still many potential attacks to be studied.
Energy efficient target monitoring using IDS can be an important area for future research. Target monitoring finds application in several critical areas in WSNs. So, an IDS, if implemented in an energy efficient manner, can be of much use for object tracking in such networks.
Another vital area of future work can be that of implementing energy saving cross layer IDS for WSNs. Research in cross layer techniques in WSNs is fast gaining momentum and implementing IDS here can have much potential. Also, cross layer techniques can have wide areas of application in WSNs, and designing an energy conserving IDS for such networks will definitely be beneficial for the working of the network.
Energy efficient IDS can be achieved while deploying the nodes in the network and this area also possesses a promising scope for future research. If the nodes used in IDS can be deployed in such a way that a minimum amount of energy is required to carry out the desired functions, then it will be positively effective for any network. Implementing energy efficient techniques in IDS while deploying the network will surely conserve energy, as reconfiguring the nodes later on when the network is running can result in overheads.
Conclusion
The intrusion detection system has become a prime research domain in the field of WSNs primarily due to its ability to act as a more robust mechanism than existing techniques applicable to WSN. The objective of this survey paper is to bring out how IDS can work by optimizing energy utilization in WSNs, as energy conservation is one of the prime aims in these networks, while at the same time trying to maintain detection accuracy to its fullest. This work gives a brief outline of intrusion detection together with the challenges one faces during its design in such networks. It also presents a vivid description of the different parameters that influence the rate of energy consumption in WSN. Further, the existing IDS approaches for safeguarding WSNs are classified into three distinct categories, namely: Centralized approach, Distributed approach, and Innovative approach. A brief comparative study is done on existing works for evaluating their performance with respect to energy efficient intrusion detection.
The paper also discusses future enhancements that can be achieved in implementing energy efficient intrusion detection. Several factors affecting energy in the network, along with the different application areas where energy conservation is vital, have been pointed out, which can help in creating more energy efficient IDSs for WSNs.
