Towards Intrusion Detection in Wireless Sensor Networks

Transcription

1 Towards Inrusion Deecion in Wireless Sensor Neworks Kroniris Ioannis, Tassos Dimiriou and Felix C. Freiling Ahens Informaion Technology, Peania, Ahens, Greece Deparmen of Compuer Science, Universiy of Mannheim, Germany Absrac In his work we sudy he problem of Inrusion Deecion is sensor neworks and we propose a lighweigh scheme ha can be applied o such neworks. Is basic characerisic is ha nodes monior heir neighborhood and collaborae wih heir neares neighbors o bring he nework back o is normal operaional condiion. We emphasize in a disribued approach in which, even hough nodes don have a global view, hey can sill deec an inrusion and produce an aler. We apply our design principles for he blackhole and selecive forwarding aacks by defining appropriae rules ha characerize malicious behavior. We also experimenally evaluae our scheme o demonsrae is effeciveness in deecing he afore-menioned aacks. I. INTRODUCTION A wireless sensor nework (WSN) is a nework of cheap and simple processing devices (sensor nodes) ha are equipped wih environmenal sensors for emperaure, humidiy, ec. and can communicae wih each oher using a wireless radio device. Mos of he applicaions in WSNs require he unaended operaion of a large number of sensor nodes. This raises immediae problems for adminisraion and uilizaion. Even worse, some imes i is no possible o approach he deploymen area a all, like for example in hosile, dangerous environmens or miliary applicaions. So, sensor neworks need o become auonomous and exhibi responsiveness and adapabiliy o evoluion changes in real ime, wihou explici user or adminisraor acion. This need is even more imperaive when i comes o securiy hreas. The unaended naure of WSNs and he limied resources of heir nodes make hem suscepible o aacks. Any defensive mechanism ha could proec and guaranee heir normal operaion should be based on auonomous mechanisms wihin he nework iself. Currenly, research on providing securiy soluions for WSNs has focused mainly in hree caegories: 1) Key managemen: A lo of work has been done [1] in esablishing crypographic keys beween nodes o enable encrypion and auhenicaion. 2) Auhenicaion and Secure Rouing: Several proocols [2] have been proposed o proec informaion from being revealed o an unauhorized pary and guaranee is inegral delivery o he base saion. 3) Secure services: Cerain progress has been made in providing specialized secure services, like secure localizaion [3], secure aggregaion [4] and secure ime synchronizaion [5]. All menioned securiy proocols are based on paricular assumpions abou he naure of aacks. If he aacker is weak, he proocol will achieve is securiy goal. This means ha an inruder is prevened from breaking ino a sensor nework and hinder is proper operaion. If he aacker is srong (i.e., behaves more maliciously), here is a nonnegligible probabiliy ha he adversary will break in. Because of heir resource consrains, sensor nodes usually canno deal wih very srong adversaries. So wha is needed is a second line of defense: An Inrusion Deecion Sysem (IDS) ha can deec a hird pary s aemps of exploiing possible insecuriies and warn for malicious aacks, even if hese aacks have no been experienced before. Relaed work Inrusion deecion is an imporan aspec wihin he broader area of compuer securiy, in paricular nework securiy, so an aemp o apply he idea in WSNs makes a lo of sense. However, here are currenly only a few sudies in his area. Da Silva e al. [6] and Ona and Miri [7] propose similar IDS sysems, where cerain monior nodes in he nework are responsible for monioring heir neighbors, looking for inruders. They lisen o messages in heir radio range and sore in a buffer specific message fields ha migh be useful o an IDS sysem running wihin a sensor node, bu no deails are given how his sysem works. In hese archiecures, here is no collaboraion among he monior nodes. I is concluded from boh papers ha he buffer size is an imporan facor ha grealy affecs he rae of false alarms. Loo e al. [8] and Bhuse and Gupa [9] describe wo more IDSs for rouing aacks in sensor neworks. Boh papers assume ha rouing proocols for ad hoc neworks can also be applied o WSNs: Loo e al. [8] assume he AODV (Ad hoc On-Demand Disance Vecor) proocol while Bhuse and Gupa [9] use he DSDV and DSR proocols. Then, specific characerisics of hese proocols are used like number of roue requess received o deec inruders. However, o our knowledge, hese rouing proocols are no aracive for sensor neworks and hey have no been applied o any implemenaion ha we are aware of.

2 More exensive work has been done in inrusion deecion for ad hoc neworks [10]. In such neworks, disribued and cooperaive IDS archiecures are also preferable. Deailed disribued designs, acual deecion echniques and heir performance have been sudied in more deph. While also being ad hoc neworks, WSNs are much more resource consrained. We are unaware of any work ha has invesigaed he issue of inrusion deecion in a general way for WSNs. In his paper we herefore aemp o move owards ha direcion, defining he requiremens, sudying he possible design choices and proposing a specific modular archiecure appropriae for IDSs in WSNs. Conribuions While an adversary can compleely ake over nodes and exrac heir crypographic keys [11], we assume ha such an adversary canno ounumber legiimae nodes by replicaing capured nodes or inroducing new ones in sufficienly many pars of he nework. This assumpion is needed because an IDS for WSNs should exploi he massive parallelism in such a nework o deec inrusion aemps. Paricularly nasy aacks o deec are he blackhole and selecive forwarding aacks [12], in which a capured sensor node refuses o forward all or a subse of he messages i receives. The consribuion of his paper is hreefold: 1) Firs, we review he basic archiecures of IDS sysems and we elaborae on which is he mos appropriae for sensor neworks. We believe his is imporan as i will enable furher work in he area ha will also ake ino consideraion he special properies of such neworks. 2) Second, we design an IDS o deec blackhole and selecive forwarding aacks [12], based on specificaionbased deecion, requiring only small amouns of communicaion and compuaional resources. 3) Finally, we demonsrae he effeciveness of our scheme by measuring he deecion accuracy in a realisic simulaed environmen. The remainder of his paper is organized as follows. In Secion II we elaborae on he requiremens ha an IDS in sensor neworks should have and in Secion III we build sepby-sep our proposed archiecure. Then we presen he overall design in a more modular and generalized form in Secion IV. The performance of he proposed IDS is evaluaed in Secion V hrough simulaions. Finally, Secion VI concludes he paper. II. REQUIREMENTS FOR IDSS IN SENSOR NETWORKS In his secion we elaborae on he requiremens ha an IDS sysem for sensor neworks should saisfy. To do so, one has o look a he specific characerisics of hese neworks. Each sensor node has limied communicaion and compuaional resources and a shor radio range. Furhermore, each node is a weak uni ha can be easily compromised by an adversary [11], who can hen load malicious sofware o launch an insider aack. In his conex, a disribued archiecure, based on node cooperaion is a desirable soluion. In paricular, we require ha an IDS sysem for sensor neworks mus saisfy he following properies: 1) Localize audiing. An IDS for sensor neworks mus work wih localized and parial audi daa. In sensor neworks here are no cenralized poins (apar from he base saion) ha can collec global audi daa, so his approach fis he sensor nework paradigm. 2) Minimize resources. An IDS for sensor neworks should uilize a small amoun of resources. The wireless nework does no have sable connecions, and physical resources of nework and devices, such as bandwidh and power, are limied. Disconnecion can happen a any ime. In addiion, he communicaion beween nodes for inrusion deecion purposes should no ake oo much of he available bandwidh. 3) Trus no node. An IDS canno assume any single node is secure. Unlike wired neworks, sensor nodes can be very easily compromised. Therefore, in cooperaive algorihms, he IDS mus assume ha no node can be fully rused. 4) Be ruly disribued. Tha means daa collecion and analysis is performed on a number of locaions. The disribued approach also applies o execuion of he deecion algorihm and aler correlaion. 5) Be secure. An IDS should be able o wihsand a hosile aack agains iself. Compromising a monioring node and conrolling he behavior of he embedded IDS agen should no enable an adversary o revoke a legiimae node from he nework, or keep anoher inruder node undeeced. III. INTRUSION DETECTION IN WSN In his secion we develop an IDS archiecure based on he above design goals. We break his ino hree pars. Firs, we alk abou audiing mechanisms, hen abou deecion algorihms and finally abou decision making echniques. For each par we presen he available soluions and we elaborae on which is more appropriae for sensor neworks. Then we apply our findings o deec blackhole and selecive forwarding [12] aacks. A. Inrusion Deecion Archiecure In sensor neworks, mos adversaries would arge he rouing layer, since ha allows hem o ake conrol of he informaion flowing in he nework. Besides, sensor neworks are mainly abou reporing daa back o he base saion, and disruping his process would make an aack a successful one. So, for such neworks, he mos appropriae archiecure for an IDS would be nework-based, as opposed o hos-based. A nework-based IDS uses raw nework packes as he daa source. I lisens on he nework and capures and examines individual packes in real ime. Since all communicaion in he WSN is conduced over he air and a node can overhear raffic passing from a neighboring node, nodes can muually check nework raffic. For example, in [13] an archiecure for ad-hoc neworks is proposed, where

3 E D S A B C D A B C Fig. 1. Node B is selecively forwarding packes o node C. Node A promiscuously lisens o node B s ransmissions. nodes are pariioned in clusers, and only he cluser-heads are responsible for monioring he raffic wihin heir clusers. However, a single monior node fails o mee he rus no node requiremen, since i could be capured by he adversary and force he nework o isolae anoher legiimae node. Insead, a cerain fracion of nodes in an area should agree on an observaion. If he number of nodes ha can form such a deecion quorum is larger han he number of nodes ha can be capured by an adversary in he specific area, a simple majoriy voe can be used o form a decision. The requiremen of a majoriy voe is also necessary for oher reasons as well. To see why, le us use neighbor monioring for deecing selecive forwarding aacks in sensor neworks. Neighboring nodes can easily monior he behavior of a node o see wheher i forwards correcly he packes i receives. This can be done by using he wachdog approach [14]. Suppose ha a packe should follow he pah A B C D for he example shown in Figure 1. Node A can ell if node B forwards he packe o node C, by lisening promiscuously o node B s ransmissions. By promiscuously we mean ha since node A is wihin range of node B, i can overhear communicaions o and from B. We can see now why here are more reasons ha only one monioring node canno be enough for inrusion deecion of misbehaving nodes. Le s consider again he example of Figure 1 and suppose ha B is malicious. There are hree cases, arising from he wireless naure of communicaions, where having a node A monioring node B canno resul in a successful deecion of node B: 1) A he same ime ha node B forwards is packe, anoher node S sends a packe o A, causing a collision a A (he hidden erminal problem). Node A canno be cerain which packes caused his collision, so i canno conclude on B s behavior. 2) A he same ime ha node B forwards is packe o node C, node D also makes a ransmission, causing a collision a C. Node A hinks ha B has successfully forwarded is packe, since i doesn know abou he collision. Therefore, node B could skip reransmiing he packe, wihou being deeced. 3) Node B wais unil C makes a ransmission, and hen ransmi is packe causing a collision a C. Again, node C never receives he packe, bu node A canno accuse Fig. 2. Nodes A, C, D and E can be wachdogs of he link A B. B of anyhing. From he above cases we can conclude ha he wachdog approach should involve informaion from more han one node. So, for our inrusion deecion sysem we require ha any oher neighbor of B ha can lisen o he packes his node is sending or receiving will paricipae in he inrusion deecion procedure. In paricular, for a link A B, he wachdog nodes will be all he nodes ha reside wihin he inersecion of A s and B s radio range, including node A. For example, in Figure 2, he nodes A, C, D and E can be wachdogs for he communicaion beween A and B. We have simulaed random opologies of 1000 uniformly disribued nodes and calculaed he average number of wachdogs for differen nework densiies. Wha we have found is ha for any communicaion link beween wo nodes and for any nework densiy, he number of wachdogs on he average is approximaely half he neighborhood size. So, for example, in a nework where nodes have 8 neighbors he average number of wachdogs for any link is close o 4. B. Inrusion Deecion Techniques Inrusion deecion sysems mus be able o disinguish beween normal and abnormal aciviies in order o discover malicious aemps in ime. There are hree main echniques ha an inrusion deecion sysem can use o classify acions [15]; misuse deecion, anomaly deecion and specificaionbased deecion. In misuse deecion or signaure-based deecion sysems, he observed behavior is compared wih known aack paerns (signaures). Acion paerns ha may pose a securiy hrea mus be defined and sored o he sysem. Then, he misuse deecion sysem ries o recognize any bad behavior according o hese paerns. I is already concluded from research in ad hoc neworks ha severe memory consrains make ID sysems ha need o sore aack signaures relaively difficul o build and less likely o be effecive [10]. Anomaly deecion sysems focus on normal behaviors, raher han aack behaviors. Firs hese sysems describe wha consiues a normal behavior (usually esablished by auomaed raining) and hen flag as inrusion aemps any aciviies ha differ from his behavior by a saisically significan amoun.

4 Finally, specificaion-based deecion sysems are also based on deviaions from normal behavior in order o deec aacks, bu hey are based on manually defined specificaions ha describe wha a correc operaion is and monior any behavior wih respec o hese consrains. This is he echnique we use in our approach. I is easier o apply in sensor neworks, since normal behavior canno easily be defined by machine learning echniques and raining. Since we follow he specificaion-based approach, we need o define which norms are going o be used o describe normal operaion. These specificaions for deecing blackhole and selecive forwarding aacks can simply be a rule on he number of messages being dropped by a node. Each of he wachdog nodes will apply ha rule for iself o produce an inrusion aler. The naive approach would be o incremen a couner every ime a packe is dropped and produce an aler when his value reaches a hreshold. However, we should ake under consideraion loss of messages due o oher reasons, as hose described in Secion III-A. So, his approach will cause he couner of he wachdog nodes o incremen and evenually reach he hreshold value. Then he node would be charged wihou being malicious. If we consider a rae a which packes are being los no by a selecive forwarding aack, bu because of oher legiimae facors in he nework, hen in case of an aack, he packes will be dropped a a higher rae han hey normally do. So, we need o se a hreshold of he rae a which packes are dropped, and when his is reached an alarm can be generaed. For ha, we subsiue he couner crierion wih a rae crierion. To measure a rae we need o keep rack of ime duraion. Therefore we require each wachdog node o keep rack of he packes no being forwarded wihin a fixed amoun of ime, le s say w unis, and we modify he inrusion deecion rule as follows: Rule 1: For each packe ha a node A sends o node B, emporally buffer his packe and wai o see if node B forwards i. If no, incremen a couner corresponding o ha node B. Else remove he packe from he buffer. If afer w unis he node has dropped more han percen of he packes, produce an aler. So, each wachdog node has a window of w unis, during which i creaes saisics on he overheard packes. A he end of each window an aler may be produced according o he hreshold crierion, which is broadcased by ha node. Then he nex window is sared, and he same process is repeaed periodically, for all wachdog nodes. We do no require ha he nodes are synchronized, so he windows in each node are also no synchronized. They may have any ime difference beween 0 and w unis. C. Decision Making Techniques The nex design issue we need o solve is who is going o make he final decision ha a node is indeed an inruder and acions should be aken. There are wo approaches for his. Eiher we could use a cooperaive mechanism or le nodes decide independenly. In an independen decision-making sysem, here are cerain nodes ha have he ask o perform he decision-making funcionaliy. They collec inrusion and anomalous aciviy evidences from oher nodes and hey make decisions abou nework-level inrusions. The res of he nodes do no paricipae in his decision. For example, reviewing he archiecure proposed in [13] for ad-hoc neworks, he cluser-heads gaher informaion from heir cluser members and mainain a sae machine for each one of hem. Then he cluser-head can decide wih a cerain confidence ha a node has been compromised by looking a repors regarding ha node. In such archiecures, he decision-making nodes can arac he ineres of an aacker, since compromising hem would leave he nework undefended. Anoher drawback of such an approach is ha hey resric compuaion-inensive analysis of he overall nework securiy sae o jus a few key nodes. This special mission of processing he informaion from oher nodes and deciding on inrusion aemps resuls in an exra processing overhead, which may quickly lead o energy exhausion. In a cooperaive IDS sysem, if an anomaly is deeced by a node, or if he evidence is inconclusive, hen a cooperaive mechanism is iniiaed wih he neighboring nodes in order o produce a global inrusion deecion acion. Even if a node is cerain abou he guiliness of a suspicious node, sill he decision should be cooperaive, because, he node aking a decision could be malicious iself. In our approach, we use a cooperaive decision making approach, where he wachdog nodes of a link A B cooperae in order o decide wheher node B is launching a selecive forwarding aack and ake appropriae acions. In Secion III-A we explained why a node canno make such a decision on is own. So, we require ha each node makes is final decision based on he alers produced by all oher wachdogs of he same link. In order o build a cooperaive decision mechanism, we ake advanage of he fac ha all wachdog nodes of a link are wihin communicaion range of each oher. Tha means any wachdog node can lisen o he messages broadcased by he res. So, i is easy for hese nodes o announce heir alers o each oher, by making a single message broadcas. Wih his knowledge, each node can make a safer conclusion by applying a majoriy rule: Rule 2: If more han half (i.e., he majoriy) of he wachdog nodes have raised an aler, hen he arge node (i.e. node B) is considered compromised and should be revoked, or he base saion should be noified. In paricular, for he link A B, we will define node A as he responsible node o gaher he alers from he res of he wachdogs and apply he majoriy rule. We call ha node he collecor. The res of he wachdogs do no need o acivae

5 W IDS agen Collecor wachdog 1 wachdog 2 local response local packe monioring cooperaive deecion engine local deecion engine communicaion wachdogs IDS agens wachdog 3 wachdog 4 w Fig. 3. Cooperaive deecion mechanism applied by he collecor. Each window W sars a he recepion of he firs aler from any wachdog, including he collecor iself. In his example, W = 2w. heir cooperaive deecion engines for ha link. So, he above majoriy rule saes ha for n wachdogs of a link A B, if a leas n alers are received by he collecor A, including is own local aler, hen a decision is made ha node B is compromised. The problem ha arises nex is how long he collecor should wai for he alers. As we described in Secion III-B, each wachdog node needs w unis o decide wheher a node is dropping packes a a higher rae han he normal. So, in order for he collecor o receive he alers from he res of hem, i has o wai for a longer inerval of W unis. Since we do no require he wachdog nodes o be synchronized (see Figure 3), W mus be long enough in order o ensure ha any possible alers from oher wachdogs are received. In he wors case i has o be a lile longer ha w, bu in he experimenal secion we show how oher values of W affec he success of deecion. Also noe ha if during ha period, a second aler from he same wachdog arrives, hen ha aler is ignored in he applicaion of he majoriy rule. Wih his majoriy rule, if a wachdog is compromised and issues a false alarm rying o revoke a legiimae node, or issues no alarms for anoher malicious node ha launches an aack, i would have no effec because he majoriy would sill prevail. However, if he collecor iself is compromised, hen he adversary can gain he conrol of he inrusion resul. To avoid his scenario, we could have he res of he wachdog nodes apply he majoriy rule over he alers hey receive and check heir conclusions wih he collecor s repor. Alernaively we could use a probabilisic version of verifiable agreemen [16] in which he majoriy voe conains a crypographic proof ha i was formed based on real alarms of he wachdogs. IV. BUILDING BLOCKS OF THE IDS CLIENT In our discussion so far we have described all he operaions a sensor nework IDS sysem should perform o deec blackhole and selecive forwarding aacks. In his secion, we formalize our approach by presening a more modular archiecure of he IDS sysem. We require ha each node in he nework has an IDS clien wih he following funcionaliy: Fig. 4. communicaion aciviies The building blocks of he IDS clien exising in each sensor node. Nework Monioring: Every node performs packe monioring in heir immediae neighborhood collecing audi daa. Decision Making: Using his audi daa, every node decides on he inrusion hrea level on a hos-based basis. Then hey publish heir findings o heir neighbors and make he final collecive decision. Acion: Every node has a response mechanism ha allow i o respond o an inrusion siuaion. Based on hese funcions we build he archiecure of he IDS clien based on five concepual modules, as shown in Figure 4. Each module is responsible for a specific funcion, which we describe in he secions below. The IDS cliens are idenical in each node and hey can broadcas messages for cliens in neighboring nodes o lisen. The communicaion amongs he cliens allows us o use a disribued algorihm for he final decision on he inrusion hrea. A. Local Packe Monioring This module gahers audi daa o be provided o he local deecion module. Audi daa in a sensor nework IDS sysem can be he communicaion aciviies wihin is radio range. This daa can be colleced by lisening promiscuously o neighboring nodes ransmissions. B. Local Deecion Engine This module collecs he audi daa and analyzes i according o given rules. As we said in Secion III-B, specificaion-based deecion is mos appropriae for sensor neworks, so he local deecion engine sores and applies he defined specificaions ha describe wha is a correc operaion and moniors audi daa wih respec o hese consrains. C. Cooperaive Deecion Engine If here is an evidence of inrusion, his module broadcass he sae informaion of he local deecion process o he neighboring nodes. The same module in each node collecs his informaion from all he neighboring nodes and applies a majoriy rule o conclude wheher here is an inrusion or no. The inpu from he local deecion engine is also couned in for his conclusion.

6 D. Local Response Once he nework is aware ha an inrusion has aken place and have deeced he compromised area, appropriae acions are aken by he local response module. The firs acion is o cu off he inruder as much as possible and isolae he compromised nodes. Afer ha, proper operaion of he nework mus be resored. This may include changes in he rouing pahs, updaes of he crypographic maerial (keys, ec.) or resoring par of he sysem using redundan informaion disribued in oher pars of he nework. Auonomic behavior of sensor neworks means ha hese funcions mus be performed wihou human inervenion and wihin finie ime. Depending on he confidence and he ype of he aack, we caegorize he response o wo ypes: Direc response: Excluding he suspec node from any pahs and forcing regeneraion of new crypographic keys wih he res of he neighbors. Indirec response: Noifying he base saion abou he inruder or reducing he qualiy esimaion for he link o ha node, so ha i will gradually loose is pah reliabiliy. V. EXPERIMENTAL EVALUATION We have simulaed a sensor nework of 1000 nodes placed uniformly a random in order o es our proposed inrusion deecion sysem. The nework densiy was chosen so ha each node had 8 neighbors on he average. Each ime, we chose a random one link A B and programmed node B o launch a selecive forwarding aack, while node A was sending packes o i, a a given rae. This way we could have he wachdogs of ha link A B apply he inrusion deecion and monior he behavior of node B. Wih probabiliy, node B was dropping he packes ha were forwarded o i. Finally, we se he hreshold value for he percenage of packes dropped over a period w o = 20%. Above his hreshold, each wachdog was generaing an alarm. Packes dropped a a lower rae were aribued o oher facors, such as collisions or node failures, and did no produce an inrusion aler. Firs we esed how he raio of W and w effecs he accuracy on inruder idenificaion. The resuls are depiced in Figure 5, for 1000 repeiions of he experimen. As we said in Secion III-C, W mus be bigger han w, so we did no simulae he case of W/w < 1. False negaive rae represens he rae a which evens are no flagged inrusive by he collecor alhough he drop rae is higher han he hreshold and he aack exiss. If packes are dropped a a rae higher han he hreshold, hen ideally, all windows W a he collecor should give an alarm. However, since packes are dropped probabilisically, here migh be he case ha during a window w of some wachdogs, he dropped packes are less han = 20%, and no aler is produced by hose nodes. Then, he majoriy rule over a window W will no be saisfied, which will give no final alarm, producing a false negaive. This is less probable o happen as increases compared o. In his case, he probabiliy ha during a window w he False negaive rae (%) = 0.3 = 0.4 = W/w Fig. 5. False-negaive rae for differen raios of window lengh W o w. dropped packes are less han resuling in a false negaive is lower, and hence he beer accuracy in deecing he aack. We see from Figure 5 ha as he window lengh W increases, he false negaive probabiliy decreases. This is because he collecor can have a more accurae esimaion as i gives more ime o he wachdogs o produce heir alarms. However, we canno ake W o be a very large quaniy, since ha would delay he deecion of a compromised node. Therefore, for he res of he experimens we fixed W = 2w. Nex we esed how he window lengh w effecs he accuracy on inruder idenificaion. All wachdogs are required o have he same window lengh. Given a seady packe rae, we measure his lengh in number of packes. Figure 6 shows he false negaive rae for differen number of packes moniored by he wachdogs. For longer windows, more packes are moniored before he hreshold rule is applied by a wachdog o produce a local aler. Then, for a fixed simulaion ime, we measured he number of final inrusion alers produced by he cooperaive engine a he collecor. For he given window W (= 2w), each wachdog gahers he alers broadcased by he res of hem and applies he majoriy rule o produce a final decision, as we described. Figure 6 shows ha he false negaive rae is reduced as he window lengh w is increased. For bigger w, more packes are moniored, and herefore, each wachdog has a beer esimaion of he drop rae and alers are more successfully produced resuling in a cooperaive deecion a he collecor. In he res of he cases, he drop rae over he ime period w for a wachdog may be saisically below he hreshold, and no aler is produced. If his is rue for more han half of he wachdogs, he majoriy rule fails and no deecion is made. Figure 7 depics he number of alers from he collecor as a funcion of he drop probabiliy. Two hresholds of 20% and 10% have been assumed for he local deecion a he wachdogs. In all experimens we ook W = 2w. The simulaion ime is fixed for 1000 repeiions and we se w o be long enough for 30 messages o be moniored a each wachdog. Noe ha he maximum number of final alers

7 False negaive rae (%) Number of alarms = 0.3 = 0.4 = Number of messages in window w Fig. 6. False-negaive rae for differen window lenghs w = 20% = 10% Drop probabiliy Fig. 7. Number of alers for differen drop probabiliies. ha could be produced by he collecor is 16, since his is he maximum number of windows W ha fi in he fixed simulaion ime. For drop probabiliies below he hreshold a small number of alers is produced. This is he number of false posiives and ideally i should be zero. Since he packes are dropped probabilisically, here are cases where more han 20% (or 10% respecively) of he packes are dropped, even if he drop probabiliy is lower. However, on he average, he cooperaive mechanism produces a small number of false posiives and his effec is shown clearly on smaller drop probabiliies. For example, if we se he hreshold = 20% and assume ha packes are dropped a a lower rae = 0.1, hen he graph indicaes ha he false posiives will be 0.52, which is a rae of /16 = 3.25%. VI. CONCLUSIONS In his paper we have inroduced a model for disribued inrusion deecion in sensor neworks which is designed o work wih only parial and localized informaion available a each node of he nework. Nodes collaborae and exchange his informaion wih heir neighbors in order o make a correc decision on wheher an aack has been launched. We focused our research on rouing because i is he foundaion of sensor neworks. In paricular, we demonsraed how our IDS sysem can be used o deec blackhole and selecive forwarding aacks, producing very low false-negaive and false-posiive raes. We also provided a se of general principles ha an IDS sysem for sensor neworks should follow. We believe his se of principles can be used as a valuable ool for developing more robus and secure sensor neworks in he fuure and enable furher research in he area. VII. ACKNOWLEDGMENTS We hank he reviewers for heir houghful and helpful commens ha helped enhance he readabiliy of he paper. REFERENCES [1] S. Camepe and B. Yener, Key disribuion mechanisms for wireless sensor neworks: a survey, Rensselaer Polyechnic Insiue, Troy, New York, Technical Repor 05-07, March [2] E. Shi and A. Perrig, Designing secure sensor neworks, IEEE Wireless Communicaions, vol. 11, no. 6, pp , December [3] L. Lazos and R. Poovendran, Serloc: Robus localizaion for wireless sensor neworks, ACM Transacions on Sensor Neworks, vol. 1, no. 1, pp , [4] T. Dimiriou and I. Kroniris, Securiy in Sensor Neworks. CRC Press, 2006, ch. Secure In-nework Processing in Sensor Neworks, pp [5] S. Ganeriwal, S. Capkun, C.-C. Han, and M. Srivasava, Secure ime synchronizaion service for sensor neworks, in Proceedings of he 4h ACM workshop on Wireless securiy (WiSe 05), 2005, pp [6] A. P. da Silva, M. Marins, B. Rocha, A. Loureiro, L. Ruiz, and H. C. Wong, Decenralized inrusion deecion in wireless sensor neworks, in Proceedings of he 1s ACM inernaional workshop on Qualiy of service & securiy in wireless and mobile neworks (Q2SWine 05). ACM Press, Ocober 2005, pp [7] I. Ona and A. Miri, An inrusion deecion sysem for wireless sensor neworks, in Proceeding of he IEEE Inernaional Conference on Wireless and Mobile Compuing, Neworking and Communicaions, vol. 3, Monreal, Canada, Augus 2005, pp [8] C. E. Loo, M. Y. Ng, C. Leckie, and M. Palaniswami, Inrusion deecion for rouing aacks in sensor neworks, Inernaional Journal of Disribued Sensor Neworks, [9] V. Bhuse and A. Gupa, Anomaly inrusion deecion in wireless sensor neworks, Journal of High Speed Neworks, vol. 15, no. 1, pp , [10] A. Mishra, K. Nadkarni, and A. Pacha, Inrusion deecion in wireless ad hoc neworks, IEEE Wireless Communicaions, vol. 11, no. 1, pp , February [11] A. Becher, Z. Benenson, and M. Dornseif, Tampering wih moes: Realworld physical aacks on wireless sensor neworks, Proceeding of he 3rd Inernaional Conference on Securiy in Pervasive Compuing (SPC), pp , April [12] C. Karlof and D. Wagner, Secure rouing in wireless sensor neworks: Aacks and counermeasures, AdHoc Neworks Journal, vol. 1, no. 2 3, pp , Sepember [13] O. Kachirski, R. Guha, D. Schwarz, S. Soecklin, and E. Yilmaz, Casebased agens for packe-level inrusion deecion in ad hoc neworks, in Proceedings of he 17h Inernaional Symposium on Compuer and Informaion Sciences. CRC Press, Ocober 2002, pp [14] S. Mari, T. J. Giuli, K. Lai, and M. Baker, Miigaing rouing misbehavior in mobile ad hoc neworks, in Proceedings of he 6h annual inernaional conference on Mobile Compuing and Neworking (MobiCom 00), 2000, pp [15] S. Axelsson, Inrusion deecion sysems: A survey and axonomy, Deparmen of Compuer Engineering, Chalmers Universiy of Technology, Tech. Rep , March [16] Z. Benenson, F. C. Freiling, B. Pfizmann, C. Rohner, and M. Waidner, Verifiable agreemen: Limis of non-repudiaion in mobile peer-o-peer ad hoc neworks, in Third European Workshop on Securiy and Privacy in Ad hoc and Sensor Neworks (ESAS), Hamburg, Germany, Sep