Review Article
Recent Advancements in Intrusion Detection Systems for the Internet of Things
Zeeshan Ali Khan 1 and Peter Herrmann 2
1 School of Electrical Engineering, Minhaj University, Lahore, Pakistan
2 Department of Information Security and Communication Technology, Norwegian University of Science and Technology (NTNU), Trondheim, Norway
Correspondence should be addressed to Peter Herrmann; herrmann@ntnu.no
Received 31 January 2019; Revised 20 May 2019; Accepted 29 May 2019; Published 3 July 2019
Guest Editor: Jose M. Alcaraz-Calero
Copyright © Zeeshan Ali Khan and Peter Herrmann. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Many Internet of Things (IoT) systems run on tiny connected devices that have to deal with severe processor and energy restrictions. Often, the limited processing resources do not allow the use of standard security mechanisms on the nodes, making IoT applications quite vulnerable to different types of attacks. This holds particularly for intrusion detection systems (IDS) that are usually too resource-heavy to be handled by small IoT devices. Thus, many IoT systems are not sufficiently protected against typical network attacks like Denial-of-Service (DoS) and routing attacks. On the other side, IDSs have already been successfully used in adjacent network types like Mobile Ad hoc Networks (MANET), Wireless Sensor Networks (WSN), and Cyber-Physical Systems (CPS) which, in part, face limitations similar to those of IoT applications. Moreover, there is research work ongoing that promises IDSs that may better fit the limitations of IoT devices. In this article, we give an overview of IDSs suited for IoT networks. Besides looking at approaches developed particularly for IoT, we also introduce work for the three similar network types mentioned above and discuss if they are also suitable for IoT systems. In addition, we present some suggestions for future research work that could be useful to make IoT networks more secure.
1. Introduction
The Internet of Things (IoT) is an emerging technology used in various fields of application like healthcare, transport, and smart grid. IoT (to improve the readability, we list in Table the abbreviations used in our article) applications often make a difference since they comprise very small devices that can, e.g., be worn on the skin or attached to domestic appliances. The tininess of the devices and the fact that, to be mobile, they often have to rely on light batteries, however, limit their processing capabilities and restrict their energy supply. This makes traditional security mechanisms too heavy-weight to be efficiently applied on such systems. In consequence, the devices are used without sufficient protection such that they can either be attacked directly or utilized by attackers to launch attacks on third parties. For instance, multiple IoT devices were used to start a distributed Denial-of-Service (DDoS) attack on an American Internet services company that made it impossible for many customers to access certain Internet services; see Nordrum []. Cases like this reveal that there is an urgent need to build secure solutions that are suitable for IoT devices. In general, security of IoT networks is a relatively new research area that, however, can profit from related research carried out for similar networks like Mobile Ad hoc Networks (MANET), Wireless Sensor Networks (WSN), and Cyber-Physical Systems (CPS). At least some of the findings in these areas seem to be promising also for the development of protection mechanisms for IoT networks.
Intrusion Detection Systems (IDSs) are an important countermeasure against many types of network attacks. Most existing IDSs, however, require a significant amount of resources, which aggravates their usability on small IoT devices. Thus, there is a demand for special IDS solutions that are lightweight but, nevertheless, give a high degree of protection.
In this paper, we give a survey of existing IDS approaches that are suited for IoT networks. Since only relatively few IDSs for IoT systems have, yet, been developed, we further extend our overview to IDSs proposed for WSNs, MANETs, and CPSs that have properties similar to IoT applications.
Hindawi
Security and Communication Networks
Volume 2019, Article ID 4301409, 19 pages
https://doi.org/10.1155/2019/4301409
Table: List of abbreviations.
AI Artificial Intelligence
AODV Ad-hoc On-demand Distance Vector
API Application Programming Interface
BS Base Station
CH Cluster Head
CPS Cyber Physical System
DDoS Distributed Denial of Service
DoS Denial of Service
FSM Finite State Machine
GPS Global Positioning System
IDS Intrusion Detection System
IMS Intrusion Mitigation System
IoT Internet of Things
IPS Intrusion Prevention System
MANET Mobile Ad-hoc Network
RPL Routing Protocol for Low power and Lossy networks
SVM Support Vector Machine
WSN Wireless Sensor Networks
The article is structured as follows. First, we sketch some relevant aspects of security issues for IoT networks in Section . Thereafter, in Section we give an introduction to IDSs including a scheme to characterize their properties that was developed by Anantvalee and Wu []. These characteristics can then be used to distinguish the presented IDS approaches and evaluate if they are appropriate for IoT networks. This is discussed in Section . Thereafter, we introduce IDS approaches for WSNs, MANETs, and CPSs in Section and discuss whether and how the solutions for these akin network types can be adapted to IoT systems. This is followed by the introduction of the IDS approaches particularly developed for IoT networks in Section . Finally, we present two suggestions for interesting research areas in Section followed by a conclusion.
This article is significantly different from others already published:
(i) Butun et al. [] consider various types of IDSs that are implemented for WSNs. They, however, do not discuss the eligibility of these methods for IoT networks.
(ii) Granjal et al. [] present a survey article that discusses IoT security issues in general but does not focus on the development of IDSs.
(iii) Gendreau and Moorman [] discuss IDSs for IoT networks but more with the focus on properties these systems should have, and less as a survey.
(iv) Benkhelifa et al. [] discuss the advancements in intrusion detection systems for the IoT. However, they do not write about intrusion detection solutions for WSNs, MANETs, and CPSs that have the potential to be also implemented for IoT networks. Likewise, in contrast to this paper, they do not discuss implementation issues for IoT networks.
(v) Ammar et al. [] published another article related to IoT security. Yet, it is significantly different from ours as it only explains the security of IoT frameworks with regard to their internal architecture.
(vi) Restuccia et al. [] provide a survey on IoT security research by considering the application of machine learning and software-defined networking only. Therefore, it is significantly different from our survey article, as we consider a lot more techniques that are suitable for IoT networks.
(vii) Ud Din et al. [] only discuss a survey on trust management techniques for IoT networks, without considering the advancements in other fields of IoT security. Further, the authors refrain from discussing the challenges faced in deploying IDSs on real platforms. Moreover, the article does not take advantage of considering work done in akin network types.
2. IoT Security
As mentioned above, important properties of IoT systems are the limited processing and energy resources of their nodes. That is based on the fact that many IoT devices shall be directly worn by people. This holds particularly for IoT systems used in healthcare and ambient assisted living that are seen as major fields of application for the technology. In consequence, it is often difficult to use well-known protection technology to safeguard IoT devices. For instance, encryption tends to be processing-intensive, making it difficult to encrypt and sign data to be transmitted via an IoT network. Thus, encryption is often omitted, making the wireless communication vulnerable to attacks; see Ngu et al. [].
Another characteristic of these systems is their openness and flexibility. The devices are often placed in physically unsecured areas such that they can be easily accessed by attackers. Moreover, they use decentralized wireless communication, making it easy to connect with them from the outside. In addition, many IoT applications need to be highly flexible in accepting new devices for further temporary or permanent usage. All this makes it relatively simple for attackers to add malicious behavior to the system. As discussed in Roosta et al. [], utilizing these vulnerabilities, various kinds of physical tampering as well as network attacks can be launched. While some attacks compromise only a few IoT nodes, others can be massive and bring down whole networks.
Further, due to the required flexibility and the heterogeneous nature of the devices, it is often challenging to develop correctly working, robust, and secure solutions. For example, the heterogeneity of the devices makes it difficult to embed them in well-understood infrastructures such that important functions like network access, routing, or encryption have to be built up from scratch. In addition, the developer of an IoT network also has to consider the varying physical infrastructure. For instance, a patient may be riding in a car or train operating in a tunnel or in remote areas without cellular network access; see Balandina et al. []. Therefore, bandwidth and throughput of such networks need to be carefully utilized without draining the scarce battery resources of a device by too many transmissions. In spite of these limitations, IoT systems in healthcare have to be extremely robust and secure to avoid medical malpractice on their users. All these factors must be considered while designing, engineering, and deploying an IoT network. For all these reasons, IoT devices are subject to various kinds of malicious attacks.
Figure: Classification of IDSs, taken in modified form from Anantvalee and Wu []. The figure shows the root node IDS with its six criteria: Decision Quality, Responses on Attacks, Attacker Type, Type of Attack, Detection Technique, and Implementation Strategy.
Typical attacks based on physical access are the replacement of nodes or their batteries as well as the reprogramming of nodes; see Mohammadi and Jadidoleslamy []. With respect to network attacks, we can distinguish between active and passive attacks; see Khan and Loo []. Passive attacks only extract vital information from the network without harming its integrity. In contrast, active attacks assail the communication of network nodes by tampering with, dropping, or misdirecting the data packets. An active attack can easily influence a large number of IoT devices since a network often consists of peripherally deployed units that cooperate with each other based on multihop communication. A well-known example is Denial-of-Service (DoS) attacks that try to prevent the nodes from providing their tasks. Another active type of attack is radio jamming in which the communication is spoiled by the introduction of noise or faulty packets.
A type of attack special to IoT systems with weak devices is battery exhaustion attacks. For instance, a device is kept busy by leading it to send or receive data unnecessarily in order to drain its battery power faster. Alternatively, one can attack the network layer that is responsible for sending a packet towards its destination using an appropriate route; see Popescu et al. []. In most IoT devices, the protocol mechanisms of the network layer are not protected such that software changes causing packet dropping and the misdirection of packets are possible.
The typical countermeasure against all these types of attack is intrusion detection systems (IDSs) that are introduced in the following.
3. Intrusion Detection Systems (IDSs)
The IDS is a well-known technique to protect networks against attacks such as those named above. It is often seen as a solution for the second line of defense when attacks cannot be detected by other security mechanisms like encryption or access control; see Djenouri et al. []. The task of an IDS is to detect unusual activities that potentially indicate ongoing attacks.
To rate the IDSs presented in this paper, we use, in adapted form, the classification scheme from Anantvalee and Wu [] that is depicted in Figure . Thus, we consider the six criteria Decision Quality, Responses on Attacks, Attacker Type, Type of Attack, Detection Technique, and Implementation Strategy. The first five are discussed in the following subsections. Since the selected implementation strategy of an IDS is very important for its usability for IoT networks, we look more in-depth at this criterion. This is done in Section .
3.1. Decision Quality. Important for the quality of an IDS is, of course, whether it detects all occurring attacks. Moreover, the IDS should report only actual attacks but not behavior that is benevolent but was misinterpreted as an attack. Particularly, the ratio between alerts given by an IDS and the actual appearance of attacks is relevant to evaluate the decision quality. In this context, the following terms are used; see Patcha and Park []:
(i) True positive: an attack is happening in the system which is correctly detected and alerted by the IDS.
(ii) True negative: no attack is happening in the system, and the IDS correctly considers the behavior as normal.
(iii) False positive: no attack is happening in the system, but the IDS misinterprets the behavior as an attack and gives a false alert.
(iv) False negative: an attack is happening in the system which, however, is not detected by the IDS such that no alert about the attack is given.
According to Zhang et al. [], an IDS should have a "low false positive rate, calculated as the percentage of normalcy variations detected as anomalies, and high true positive rate, calculated as the percentage of anomalies detected." Thus, it should have a minimum number of false positives and negatives. Moreover, an IDS should have low overhead and not degrade the system performance, which is particularly relevant for the use in IoT networks. Further, it should not add new vulnerabilities.
3.2. Responses on Attacks. In its pure form, an IDS is not intended to antagonize attacks by itself, but it shall only alert the network operators about ongoing attacks such that these can decide about taking precautions and countermeasures. An IDS comprises three main components:
(i) Monitoring module: used to constantly monitor the network traffic and/or events happening at certain network nodes.
(ii) Detection module: tries to detect a malicious attack based on the monitored data.
(iii) Alarm module: raises an alarm if an intrusion activity has been detected.
Most systems used in practice are such IDSs without autonomous correction capabilities, but two variants that can intervene themselves exist as well; see Fuchsberger []:
(i) An Intrusion Prevention System (IPS) automatically takes countermeasures after detecting an attack, guaranteeing a timely reaction. On the other side, an IPS also reacts on false positives, which can make the network unstable. These wrong reactions can be a vulnerability in themselves since sometimes false positives can be deliberately created by attackers who want to utilize the wrong countermeasures.
(ii) An Intruder Mitigation System (IMS) quarantines nodes that were detected as sources of malicious network attacks. As measures typically taken by an IMS, Butun et al. [] name the generation of audit records to gain evidence, the information of network nodes about presumed attackers by revealing their location and identity, and the initiation of a mitigation process quarantining the attacker. Also this type is subject to false positives, which might lead to wrong expulsions of correctly working nodes.
The absence of automatic reactions on false positives is the main reason that pure IDSs are much more often used in practice than IPSs and IMSs. Indeed, all approaches discussed in this article are IDSs without the ability to correct autonomously.
3.3. Attacker Type. Like other network types, an IoT system can be threatened by both attackers controlling one or more network nodes and those from the environment that do not have control over network devices. Thus, we define the following attacker types:
(i) External attacker: a node outside the network that connects to network nodes in order to launch a malicious attack.
(ii) Internal attacker: a node within the network that is compromised and tries to launch attacks on other nodes of the network.
One can distinguish whether an IDS is suited to detect attacks launched from only external attackers, internal ones, or both types.
3.4. Type of Attack. There are several kinds of attacks to be used against networks. With respect to the special properties of IoT networks, we see the following types of attack:
(i) Selective forwarding (see Karlof and Wagner []; Wallgren et al. []): due to the weakness of IoT devices, the strength of their transmitters is often limited. Therefore, not all packets can be sent to their destination in a single hop, but intermediate nodes have to be used to relay messages. By compromising an intermediate node, an attacker can block the forwarding of certain packets such that only those benefitting the attacker are forwarded.
(ii) Sinkhole/black hole/packet dropping (see Karlof and Wagner []; Wallgren et al. []): often, IoT networks organize themselves impromptu using special protocols like the Routing Protocol for Low power and Lossy networks (RPL) (see IETF []). In such protocols, a node often prefers neighbors that guarantee a small number of hops to the destination. By falsely claiming a smaller number of hops than it can provide in reality, a malicious node can attract a lot of traffic from its neighbors such that other attacks like selective forwarding have a greater impact.
(iii) Node selfishness (see Michiardi and Molva []): to conserve its limited resources, a node may falsely claim a higher number of hops to the destination such that it has to forward fewer packets. This selfish behavior strains the batteries of neighboring nodes and degrades the overall network performance.
(iv) Version number (see Mayzaud et al. []): this type of attack is also relevant for ad hoc networks. If, due to changes in the topology or congestions, the routing structure of a network needs to be changed, in protocols like RPL, a new version number is assigned, triggering a full rebuild of the network. Rebuilding, however, demands the exchange of a relatively large number of packets such that the energy resources of the nodes are strained. In consequence, by initiating many rebuilds, a malicious node may attack the batteries of weaker nodes. Moreover, during the rebuilding process, the network tends to be unstable since data transfer in both versions is active at the same time, which may lead to erroneous behavior like loops in the routing. These vulnerabilities can be used for other attacks.
(v) Resource depletion/battery exhaustion (see Onat and Miri []; Boubiche and Bilami []): as already mentioned, avoiding the straining of battery power is an important property of wireless devices. In this type of attack, the attacker explicitly tries to deplete these resources of the network by using multiple techniques. This may include the generation of high volumes of unnecessary data injected into the network.
The types of attack introduced above are particular to IoT networks with resource-constrained nodes. In addition, these systems are also subject to more standard types of network attacks that have to be addressed by IDSs, too. In the following, we name those more general attack types:
(i) Denial-of-Service (DoS) (see Abraham et al. []; Albers et al. []): an attacker may overwhelm the nodes of a network with duties such that they cannot provide their intended tasks anymore. While DoS attacks are critical for all network types, they are particularly problematic for IoT devices since they are often also resource depletion attacks.
(ii) Distributed Denial-of-Service (DDoS) (see Shamshirband et al. []): this is a variant of DoS in which an attack is carried out in a coordinated manner by a team of attackers. In this way, even larger damage can be done to the network and its nodes.
(iii) Jamming (see Bao et al. []; Sajjad et al. []): this is also a variant of a DoS attack. The attacker spoils the communication within a wireless network by intentionally transmitting interferences on the used communication band. Thus, the nodes in the network cannot cooperate anymore.
(iv) Unauthorized access (see Abraham et al. [, ]): this type of attack refers to gaining access to resources without permission.
(v) Remote-to-Local (see Tsang and Kwong []): this variant of unauthorized access attacks may happen if an attacker has the ability to send packets to a network from the outside but does not have direct access to any of the network nodes. In this case, the attacker may utilize possible vulnerabilities to achieve unauthorized access to the system.
(vi) User-to-Root (see Tsang and Kwong []): this is also a kind of unauthorized access attack. The attacker has only access to a normal user account but utilizes vulnerabilities in the network to also get root access on the system.
(vii) Probing (see Tsang and Kwong []; Abraham et al. []): attackers launch a collaborative attack by probing a node. This might give useful information helping to break its defense mechanisms.
(viii) Spoofing (see Boubiche and Bilami []; Chen et al. []): here, packets with a false source IP address are used to hide the identity of an attacker.
(ix) Packet repetition (see Da Silva et al. []): attackers construct fake packets which appear as if they are part of the normal communication. Amongst others, this will lead to an increase in network load and performance degradation.
(x) Packet delay (see Da Silva et al. []): valid data transmissions are maliciously delayed but, in contrast to selective forwarding attacks, not removed. Thus, the attack leads to delayed data delivery and, in consequence, to network performance degradation.
(xi) Wormhole (see Maleh et al. []; Da Silva et al. []): the attacker uses two or more malicious nodes which are linked by a nonlegitimate connection, a so-called tunnel, faking a route that is shorter than the original one within the network. Packets passing the tunnel can then be used for other kinds of attack.
(xii) Packet alteration/bad data injection (see Da Silva et al. []): these attacks try to alter the contents of a packet to inject malicious data into the network nodes.
(xiii) Periodic route error (see Eik Loo et al. []): here, a compromised node broadcasts special route error messages to neighboring nodes. These messages say that the route to the border router is down at the moment and there is a need to search for a new path. This will lead to network performance degradation.
(xiv) Hello flooding (see Maleh et al. []): most protocols supporting the dynamic adding of nodes to a network use hello messages to indicate that a node wants to join. An attacker with a strong transmitter unit may constantly transmit such hello packets to a large number of neighboring nodes. This may confuse the receiving nodes, reduce their performance, and decrease the overall network performance.
(xv) Routing misdirection and disruption (see Zhang et al. []): these attacks are launched by router nodes that forward traffic along wrong paths. As a consequence, the data transmission is delayed.
(xvi) Node capture (see Mitchell and Chen [, ]): a node is maliciously captured in order to help in launching other attacks in the network.
(xvii) Eavesdropping (see Shin et al. []): this attack is an unauthorized interception of data that may lead to the extraction of useful information.
Another group of attacks can apply to trust management systems that are used to rate the behavior of nodes in a network. A trust management system provides a computer system with mechanisms reflecting the natural trust and reputation gaining process of humans; see, e.g., Khare and Rifkin []. In particular, it allows us to describe the trust in an entity by a special trust value; see Jøsang []. Using certain metrics, these trust values are computed from the numbers of positive and negative experiences the system has with a trustee. Moreover, the trust values of several trusters in the same trustee can be aggregated such that one can rate the general reputation of this trustee. In IoT networks, one can build reputations of nodes depending on observations of their behavior by neighboring nodes. If a node proves to be distrustful, it can be quarantined; see Khan and Herrmann []. Further, one can use the reputation of a node for routing decisions. Trust management systems, however, are themselves vulnerable to certain attacks:
(i) Self-promotion (see Chen et al. []): a node can promote itself by either providing good recommendations for itself or inciting other nodes to do so. Thus, like with sinkhole attacks, it can gain more traffic that it may misuse to carry out selective forwarding attacks.
(ii) Bad-mouthing (see Chen et al. []): an attacker can issue baseless, bad trust evaluations about benevolent nodes, reducing the traffic through them.
(iii) Sybil (see Karuppiah et al. []; Mitchell and Chen []): a malicious node creates a large number of pseudonymous entities that all can rate other parties. Thus, the attacking node influences the reputation of other nodes disproportionately. This attack type can be utilized to target routing, data storage, and fair resource allocation in the network.
(iv) Ballot stuffing (see Chen et al. []): this is a type of attack complementary to self-promotion attacks. Several malicious nodes can form an alliance, and each node provides positive trust recommendations about its allies, increasing their reputation values. Promoting other bad nodes will eventually lead to higher traffic through them that can be misused, e.g., for selective forwarding or sinkhole attacks.
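The computation of trust values from positive and negative experiences, their aggregation over several trusters, and the quarantine decision described above can be made concrete. The following is an added example, not code from the survey or from the cited trust management work: it uses the beta-reputation expectation (p + 1) / (p + n + 2) as the trust metric and, as a mitigation for bad-mouthing, weights each truster's reports by that truster's own reputation. The observation records, the weighting scheme and the quarantine threshold are this example's assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# One record per truster about one trustee: how many positive and negative
# experiences the truster observed (e.g. packets the trustee relayed or dropped).
Observation = Tuple[str, str, int, int]  # (truster, trustee, positive, negative)

QUARANTINE_THRESHOLD = 0.5   # assumed operator setting, not taken from the survey
UNKNOWN_RATER_WEIGHT = 0.5   # trust placed in a truster nobody has rated yet


def trust_value(positive: float, negative: float) -> float:
    """Beta-reputation expectation: 0.5 for an unknown node, rising with positive experiences."""
    return (positive + 1) / (positive + negative + 2)


def aggregate_reputation(observations: Iterable[Observation],
                         rater_weights: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Sum every truster's experience counts per trustee and turn them into one trust value.

    With rater_weights, each truster's counts are scaled by the truster's own
    reputation, so a node with a bad record cannot bad-mouth a benevolent
    neighbour as effectively as an honest observer could."""
    totals: Dict[str, List[float]] = defaultdict(lambda: [0.0, 0.0])
    for truster, trustee, pos, neg in observations:
        w = 1.0 if rater_weights is None else rater_weights.get(truster, UNKNOWN_RATER_WEIGHT)
        totals[trustee][0] += w * pos
        totals[trustee][1] += w * neg
    return {node: trust_value(p, n) for node, (p, n) in totals.items()}


def weighted_reputation(observations: Iterable[Observation]) -> Dict[str, float]:
    """Two passes: rate every node from raw counts first, then reuse those ratings as rater weights."""
    obs = list(observations)
    return aggregate_reputation(obs, rater_weights=aggregate_reputation(obs))


def quarantine_set(reputation: Dict[str, float],
                   threshold: float = QUARANTINE_THRESHOLD) -> Set[str]:
    """Nodes whose aggregated trust value fell below the threshold."""
    return {node for node, value in reputation.items() if value < threshold}


# Constructed sample: A and B observe X behaving well, while M floods the
# system with baseless negative reports about X (bad-mouthing); A and B have
# both seen M misbehave.
SAMPLE_OBSERVATIONS: List[Observation] = [
    ("A", "X", 20, 0),
    ("B", "X", 18, 2),
    ("M", "X", 0, 50),
    ("A", "M", 1, 9),
    ("B", "M", 0, 10),
]

if __name__ == "__main__":
    plain = aggregate_reputation(SAMPLE_OBSERVATIONS)
    weighted = weighted_reputation(SAMPLE_OBSERVATIONS)
    print("unweighted:", plain, "quarantined:", quarantine_set(plain))
    print("weighted:  ", weighted, "quarantined:", quarantine_set(weighted))
```

With unweighted aggregation the bad-mouthing pushes X below the threshold and the benevolent node is expelled alongside M; weighting by rater reputation keeps X in the network while M is still quarantined.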
3.5. Detection Techniques. IDSs use signatures, anomalies, and hybrids between both of them as the main techniques to detect attacks. These three techniques will be introduced in the following.
3.5.1. Signature-Based IDSs. Systems following this strategy are also known as rule-based IDSs. A signature refers to system and network behavior that typically occurs when attacks of a certain kind are launched. A signature-based IDS keeps databases of these signatures and constantly checks the actual network behavior for compliance with them. If the observed behavior fits one or more signatures, the IDS raises an alarm. Signature-based IDSs often have excellent false positive rates but are not able to detect novel types of attack for which they do not have signatures ready. Therefore, they tend to be subject to a large number of false negatives.
In order to implement this technique, profiles of known attacks are generated from which the signatures are formed. An example of a signature could be: "If there are or more unsuccessful tries to login within minutes, a brute force unauthorized access attack is on its way". Da Silva et al. [] define a number of rules that are typical for signatures:
(i) Interval rule: the time difference between two consecutive packet arrivals is considered.
(ii) Retransmission rule: this rule measures the rate of correctly retransmitted transit messages by intermediate nodes.
(iii) Integrity rule: it is checked if a message is changed on its way towards the destination node.
(iv) Delay rule: this rule takes the time an intermediate node needs between receiving and further transmitting a message into account.
(v) Repetition rule: the number of retransmissions of a certain message by a node is checked.
(vi) Radio transmission range: in order to find newly deployed unauthorized nodes, the IDS tests if all messages originate from known stations within a certain radio transmission range.
(vii) Jamming rule: the number of collisions faced by a node is counted. It should not exceed a certain threshold.
To also detect version number attacks, one can add the following rule type:
(i) Version number check: if the version number of an ad hoc network changes, it is checked which node has initiated this amendment that leads to a reconfiguration of the network. Only certain nodes have the permission to trigger adaptations of the version.
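A monitoring node can evaluate several of these rules in one pass over the events it overhears. The following is an added example, not code from the survey or from Da Silva et al.: it implements the interval, delay, repetition, and jamming rules plus the version number check over a constructed event trace and returns the rule/node pairs that fired. The event format, the thresholds and the set of nodes permitted to change the version number are this example's assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed thresholds for the constructed trace; a deployment would tune them
# to the traffic pattern of its own network.
MIN_INTERVAL = 0.5        # interval rule: seconds between two packets of one source
MAX_DELAY = 2.0           # delay rule: seconds a relay may hold a message
MAX_REPEATS = 3           # repetition rule: copies of one message tolerated per source
MAX_COLLISIONS = 5        # jamming rule: collisions tolerated within the window
COLLISION_WINDOW = 10.0   # jamming rule: window length in seconds
AUTHORIZED_VERSION_SOURCES = {"root"}   # version number check: only the root may bump it

Alert = Tuple[str, str]   # (rule name, node the alert concerns)


def run_rules(events: List[Dict]) -> List[Alert]:
    """Apply the signature rules to an event trace; return the unique alerts, sorted.

    Event kinds: recv (src, msg), fwd (node, msg), collision, version (node, version);
    every event carries its timestamp t in seconds."""
    alerts = set()
    last_arrival: Dict[str, float] = {}     # interval rule: last packet time per source
    first_seen: Dict[int, float] = {}       # delay rule: when a message id first appeared
    copies = defaultdict(int)               # repetition rule: (source, msg) -> count
    collisions: List[float] = []            # jamming rule: collision times in the window
    for ev in sorted(events, key=lambda e: e["t"]):
        t, kind = ev["t"], ev["type"]
        if kind == "recv":
            src, msg = ev["src"], ev["msg"]
            if src in last_arrival and t - last_arrival[src] < MIN_INTERVAL:
                alerts.add(("interval", src))
            last_arrival[src] = t
            copies[(src, msg)] += 1
            if copies[(src, msg)] > MAX_REPEATS:
                alerts.add(("repetition", src))
            first_seen.setdefault(msg, t)
        elif kind == "fwd":
            origin = first_seen.get(ev["msg"])
            if origin is not None and t - origin > MAX_DELAY:
                alerts.add(("delay", ev["node"]))
        elif kind == "collision":
            collisions = [c for c in collisions if t - c <= COLLISION_WINDOW] + [t]
            if len(collisions) > MAX_COLLISIONS:
                alerts.add(("jamming", "local"))
        elif kind == "version":
            if ev["node"] not in AUTHORIZED_VERSION_SOURCES:
                alerts.add(("version", ev["node"]))
    return sorted(alerts)


# Constructed trace as seen by one monitoring node (message ids unique network-wide).
SAMPLE_EVENTS = [
    {"type": "recv", "src": "n1", "msg": 1, "t": 0.0},
    {"type": "fwd", "node": "n2", "msg": 1, "t": 0.4},       # relayed promptly
    {"type": "recv", "src": "n1", "msg": 2, "t": 1.0},
    {"type": "recv", "src": "n3", "msg": 7, "t": 2.0},
    {"type": "recv", "src": "n3", "msg": 7, "t": 2.1},       # 0.1 s gap: interval rule
    {"type": "recv", "src": "n3", "msg": 7, "t": 2.2},
    {"type": "recv", "src": "n3", "msg": 7, "t": 2.3},       # 4th copy: repetition rule
    {"type": "fwd", "node": "n2", "msg": 2, "t": 3.5},       # held 2.5 s: delay rule
    {"type": "version", "node": "n4", "version": 3, "t": 4.0},   # not permitted
    {"type": "version", "node": "root", "version": 4, "t": 5.0}, # permitted
] + [{"type": "collision", "t": 6.0 + 0.1 * i} for i in range(6)]  # 6 collisions in 10 s

if __name__ == "__main__":
    for rule, node in run_rules(SAMPLE_EVENTS):
        print(f"{rule:10s} {node}")
```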
3.5.2. Anomaly-Based IDSs. These IDSs use a set of rules to detect anomalies in the network behavior based on heuristic techniques. Often, thresholds for certain behavioral patterns are used to define whether an activity is an intrusion or not. In this way, a system can recognize attacks that are not already known. On the other side, these IDSs tend to produce a relatively high rate of false positives since, e.g., a threshold can also be exceeded for other reasons that do not result from malicious attacks. In addition, it is often difficult to frame a useful heuristic such that sometimes even well-known attacks can hardly be detected.
3.5.3. Hybrid IDSs. This type of IDS combines the signature- and anomaly-based approaches. A hybrid IDS uses two modules, one that detects attacks based on signatures while the other one finds anomalies from the normal network behavior profile. A hybrid IDS has a lower number of false positives and negatives compared to the singular approaches but requires significantly higher computational resources since both modules have to run in parallel.
4. Implementation Strategies
An IDS may reside in a single node from which the network traffic is observed or be distributed over several nodes. Since IoT applications are inherently distributed, stand-alone solutions in which an IDS resides in a local node and protects just this node are a bad fit. As a centralized solution, we name an IDS that is implemented on a single node but also watches other ones and makes its decisions based on the locally observed behavior. Also this layout does not seem suited for IoT networks consisting of many nodes since the IDS is quite processor-intensive such that the node executing it would be strained. Not surprisingly, we did not find any solutions using these technologies for the network types discussed in this paper. In consequence, all implementation strategies discussed below are distributed.
Altogether, the IDSs used for WSNs, MANETs, CPSs, and IoT networks follow nine different implementation strategies listed in Table . These strategies are not completely orthogonal. For instance, the mentioned voting-based IDSs and reputation-based IDSs are special forms of distributed and collaborative IDSs that, however, use particular methods to evaluate network behavior. Also the statistical detection-based IDSs and machine learning-based IDSs are related. Garcia-Teodoro et al. [] distinguish three main techniques allowing an anomaly-based IDS to detect the anomalies in the system. Two are the statistical- and the machine learning-based IDSs. The third one is knowledge-based IDSs. In this type of system, the differences with respect to network data and behavior are "learned" for normal as well as for attack conditions. Such an IDS can be implemented using various techniques from Artificial Intelligence (AI) including Expert Systems, Finite State Machines, or Data Clustering and Outlier Detection. Since these AI methods tend to be highly processor-intensive, this strategy seems to be unsuited for IoT networks with their vast number of small and resource-restricted devices. We did not find any knowledge-based strategies for monitoring the four network types.
Table: IDS implementation schemes for IoT networks.
Implementation Strategy       | Energy Consumption | Processor Requirements in a Net With Powerful Nodes | Processor Requirements in a Net Without Powerful Nodes | Detection Accuracy | Implementation on Resource-constrained Nodes
Hierarchical                  | B†                 | A                                                   | C                                                      | C                  | A
Distributed and Collaborative | D                  | B                                                   | B                                                      | C                  | C
Voting                        | A                  | A                                                   | A                                                      | D                  | A
Reputation                    | E                  | A                                                   | A                                                      | C                  | A
Cross Layer                   | F                  | F                                                   | F                                                      | A                  | D
Mobile Agent                  | E                  | E                                                   | E                                                      | C                  | F
Game Theory                   | E                  | E                                                   | E                                                      | B                  | F
Statistical Detection         | E                  | B                                                   | F                                                      | B                  | F
Machine Learning              | E                  | B                                                   | F                                                      | B                  | F
† The cluster head has a higher energy consumption that can be rated as E.
Analyzing the various IDSs, we found out that the type of nodes typically used in an IoT network plays an important role for deciding about the suitability of an approach. Some IDSs will only work in networks consisting of a mix of resource-limited and more powerful nodes since the latter can take over the more complex and resource-consuming system tasks. Other techniques seem to work well also in a network consisting only of performance-restricted nodes. In Table , we give an overview about how we rate the suitability of the different implementation strategies with respect to the energy consumption, the processor requirements, the accuracy of the methods, and the possibility of implementing the IDSs on IoT networks with many resource-constrained nodes. The two configuration types, i.e., IoT networks with or without powerful nodes, are separated with respect to the processor requirements. In the table, we use the letters A to F as applied for grading in schools and universities in the US and other countries. The letter A gives the best rating while F is the worst.
In the following, we introduce the nine implementation strategies in greater detail. Further, we elaborate their impact on energy and processing resources. This determines whether IDSs using a certain strategy have the potential to be a good fit for IoT networks.
4.1. Hierarchical IDSs. The network is partitioned into clusters. Here, nodes that are close to each other usually belong to the same cluster. Each cluster is assigned a leader, the so-called cluster head (CH), that monitors the member nodes and participates in network-wide analyses.

The formation of the clusters is often a highly interactive process that requires a fair amount of communication between the nodes and is therefore energy-intensive. After completing the cluster building, however, most of the coordination necessary to find signatures or anomalies is performed within the clusters. Therefore, the resources to monitor a cluster and to process the observed results tend to be manageable and will likely not exceed the processor, storage, and energy restrictions of typical IoT nodes. In addition, energy is saved due to the smaller number of messages to be exchanged. On the other side, in spite of the fact that most of the communication takes place within the clusters, a CH often has to relay data between members of its cluster and other CHs. This additional communication can strain the resources of a CH.

Altogether, using this strategy for IoT networks consisting just of energy- and processing-restricted nodes will be problematic as those acting as CHs will probably be significantly strained over time. Nevertheless, hierarchical IDSs seem to fit well for IoT systems that contain some more powerful nodes since these can then take the role of the CHs.
4.2. Distributed and Collaborative IDSs. Here, an IDS is implemented on several nodes that observe separate aspects of a system. The locally observed data are then shared between the different nodes, which make a collaborative decision whether the network behavior should be rated as malicious.

This solution is promising for IoT systems without strong devices since signatures or anomalies are detected by several collaborating nodes. Thus, the processing effort is spread over several devices such that the stress for each one is reduced. On the other side, the coordination between the nodes requires a lot of data exchange which tends to consume energy.
4.3. Voting-Based IDSs. In this variant of Distributed and Collaborative IDSs, the decision about evaluating the current behavior as an intrusion is made collaboratively based on a ballot of the distributed components.

This type of scheme is lightweight in nature and friendly for the processor and battery of a node. Thus, it seems suited for typical IoT systems. However, due to its simplistic nature, the rate of false negatives, i.e., not detected attacks, can be quite large.
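To make the ballot concrete, the following added example (illustration code written for this page, not code from any IDS surveyed here) implements a majority vote over the local verdicts of several monitoring nodes and computes how often such a ballot misses a real attack when each monitor itself misses it with a given probability. The node names, the sample verdicts, and the per-monitor miss rate of 30% are constructed assumptions.

```python
"""Voting-based intrusion decision (added illustration, not code from any
of the surveyed papers). Each monitor reports a local verdict on a suspect
node; the distributed components decide by majority ballot. The second
function quantifies why a plain ballot can have a high false-negative rate
when the individual monitors miss attacks often."""
from math import comb


def majority_vote(verdicts, quorum=None):
    """Return True (intrusion) if at least `quorum` monitors voted True.
    `quorum` defaults to a strict majority of the monitors that voted."""
    if not verdicts:
        raise ValueError("no votes cast")
    if quorum is None:
        quorum = len(verdicts) // 2 + 1
    return sum(1 for v in verdicts if v) >= quorum


def miss_probability(n_monitors, p_miss, quorum=None):
    """Probability that a real attack is NOT flagged by the ballot, given that
    each monitor independently misses it with probability p_miss.
    The ballot misses whenever fewer than `quorum` monitors raise the alarm,
    so we sum the binomial terms for k = 0 .. quorum-1 alarming monitors."""
    if quorum is None:
        quorum = n_monitors // 2 + 1
    p_detect = 1.0 - p_miss
    return sum(comb(n_monitors, k) * p_detect ** k * p_miss ** (n_monitors - k)
               for k in range(quorum))


# Constructed sample: five neighbours watching a suspect node; three of them
# overheard it dropping packets, two did not (assumed to be out of range).
SAMPLE_VERDICTS = {"n1": True, "n2": True, "n3": False, "n4": True, "n5": False}

if __name__ == "__main__":
    print("majority says intrusion:", majority_vote(list(SAMPLE_VERDICTS.values())))
    for n in (1, 3, 5, 7):
        print(f"{n} monitor(s), each missing 30%: ballot misses "
              f"{miss_probability(n, 0.3):.3f} of attacks")
    print("3 monitors, each missing 60%:", round(miss_probability(3, 0.6), 3))
```

With three monitors that each miss 30% of attacks, the majority ballot still misses 21.6% of them; a ballot only helps when the individual monitors are better than a coin flip, and with monitors that miss 60% of attacks the three-way vote misses 64.8%, worse than a single monitor. That is the mechanism behind the high false-negative rate noted above.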
4.4. Reputation-Based IDSs. This is another variant of the distributed and collaborative IDSs, in which the benevolence of nodes is rated based on their previous behavior. Thus, each node has a reputation that can be modeled and calculated using trust management mechanisms as described in Section .

In general, the trust values do not need a lot of storage, and the metrics for trust value computation and aggregation consist of relatively simple calculations that are processor-friendly. This makes the approach suited for IoT devices. A problem, however, is the way nodes observe their neighbors. For that, they often have not only to listen to their own network traffic but also to that of the observed nodes. That leads to long channel listening times which may drain the battery of the unit faster. This aspect is taken up in the suggestion for future research directions discussed in Section . Another issue is the exchange of trust values to compute a general reputation but, thanks to their compactness, that is less problematic.

Like other Distributed and Collaborative IDSs, this method seems to be a good fit to IoT networks thanks to the simple computation and storage mechanisms used, but the potentially significant communication effort can be an impeding factor.
4.5. Cross Layer IDSs. Each of the implementation strategies mentioned above operates on a single layer of the OSI stack and detects attacks on this layer only. In contrast, a cross layer IDS observes different layers. Critical information is exchanged between the layers, and the decision about intrusions is made based on the synthesized observations.

The advantage of this method is a good decision quality. Realizing this strategy, however, demands to process data on several layers as well as a large amount of coordination between different nodes that has to cover all observed layers. Therefore, this technique tends to require a lot of energy and computational resources. Thus, this approach seems to be less suited to IoT networks with the processor and battery restrictions of their nodes.
4.6. Mobile Agent-Based IDSs. The IDS is realized as a mobile agent that may relocate itself between the nodes of the network. In the various positions, the agent may conduct the observations necessary to decide about the presence of attacks.

This technology, mainly used for MANETs, reduces the communication costs between nodes. On the other side, it requires lengthy transfers of the agent code and data which will drain battery power. Moreover, there can be significant congestion between the network coordinator and the agent node. The processing power of a node is unevenly strained by this mechanism since the node only carries out IDS-related computations while it bears the agent, while all other nodes cannot contribute to the intrusion detection process. This can be a problem when nodes with weak processors slow down the overall analysis process. Finally, it can be quite problematic to realize the complex agent-handling functionality on devices with limited APIs.

In consequence, this strategy does not seem to be a good fit for IoT networks with many restricted devices.
4.7. Game Theory-Based IDSs. In this strategy, an IDS is realized using mathematical models of conflict and cooperation known from game theory; see Myerson [].

The suitability of this method for IoT systems is hard to predict since the processor and energy load depends heavily on the games used. If one applies games that only strain few devices in the network, it may be a fit for IoT networks with some more powerful devices. A more general problem is that game theory-based systems tend to be interactive since the network administrators need to adjust the detection rate from time to time. This makes them highly personnel-intensive and therefore expensive.
4.8. Statistical Detection-Based IDSs. This is one of the three strategies mentioned above that Garcia-Teodoro et al. [] suggest for anomaly-based IDSs. It comprises the generation of a stochastic profile for the traffic to be observed. Thereafter the network is monitored and the real traffic is compared with the reference profile. The IDS flags an anomaly if the behavior exceeds a certain threshold in comparison with the pattern. The statistical models can be univariate, multivariate, or time series models.

The strategy includes the handling of large amounts of data, which requires strong processors and good storage abilities. In addition, the statistical computation tends to be computationally intensive. Since the computations are usually done centrally, statistical detection can still be applied when an IoT system uses some more powerful components like a border router. This device can then keep the information, process it with the detection model to be used, and, if necessary, forward relevant data from time to time to the other stations.

Like the hierarchical IDSs, this strategy seems only to fit IoT networks that include a fair number of powerful nodes.
4.9. Machine Learning-Based IDSs. This is another strategy suggested by Garcia-Teodoro et al. [] to categorize anomaly-based IDSs. In such an IDS, a model of the analyzed patterns is generated. These models are constantly updated to increase the detection rate of the IDS. Machine learning can be realized by various techniques such as Bayesian Networks, Markov Models, Fuzzy Logic, Genetic Algorithms, Neural Networks, and Principal Component Analysis.

Since machine learning uses processing-intensive algorithms, the same issues as for statistical detection will apply and the method seems to suit only IoT networks with a fair amount of powerful nodes.
5. IDSs for WSNs, MANETs, and CPSs

As discussed in the introduction, we will not only look at IDSs particularly developed for IoT networks but also at those protecting adjacent network types. In this respect, we see WSNs, MANETs, and CPSs as worthwhile since they have properties that, in part, resemble those of IoT networks. These three network types can be described as follows (see also Mitchell and Chen []):

(i) Wireless Sensor Networks (WSNs) are used to transport data from physically dislocated sensors to a common sink. Thus, the data flows tend to be more uniform than in IoT networks in which the devices often have both sensor and actuator functionality. Further, the WSN nodes are, in general, not connected to external networks and cannot be accessed through the Internet. Moreover, they are often screwed to fixed positions and not mobile. On the other side, like IoT devices, many WSN nodes have limited energy and processing capabilities.

(ii) Mobile Ad hoc Networks (MANETs) are self-configuring networks without a central control unit that have mobile member nodes. Since IoT nodes can also be mobile, e.g., if they are used in transport vehicles, their structure is close to that of MANETs. A difference is, however, that not all IoT nodes cooperate in an ad hoc style with each other but can also have a stable network topology.

(iii) Cyber-Physical Systems (CPSs) are heterogeneous control systems for technical systems acting in the physical space, e.g., transport systems, industrial plants, or robots. Often, these systems face multiple interacting control loops, varying networks, and hard real-time properties to fulfill. In addition, many CPSs operate in hazardous locations with extreme temperatures or in the vicinity of dangerous materials. Also, various units operate in close proximity to each other such that collisions have to be avoided.

Altogether, the three mentioned network types have properties that are quite close to those of IoT systems such that the conversion of IDSs developed for them to IoT networks seems promising. However, there are some significant differences that may complicate this conversion:
(i) Computational capacity: MANET nodes are usually more powerful units, e.g., modern personal computers with powerful processors and a large storage capability. That is very different from the often very small nodes used in IoT or WSN networks.

(ii) Power supply: the same holds for the energy supply. MANET devices are often plugged in or use large batteries while those in the other network types have to rely on small batteries that can be easily drained.

(iii) Mobility: IoT, MANET, and CPS nodes are often installed on mobile units while WSN nodes tend to be fixed.

(iv) Node density: since the nodes of IoT, WSN, and CPS networks are in many cases used to sense and influence physical environments, there are typically more of them in a geographical area than MANET nodes.

(v) Communication range: due to the physical limitations of their transmitters, the communication range for IoT and WSN devices is in the range of to meters, while MANET nodes can transmit data up to distances of meters.

(vi) Communication bandwidth: likewise, the communication bandwidth of WSN and IoT devices is less than that of MANET nodes.

(vii) Internet connectivity: IoT and MANET nodes are often connected via the Internet using an IPv-enabled border router, while WSNs and CPSs are usually private networks that are not connected to the outer world.

Keeping these differences in mind, we look in the following subsections for particular IDS solutions for WSNs, MANETs, and CPSs.
5.1. WSNs. The IDSs for Wireless Sensor Networks are realized using altogether seven of the nine implementation strategies introduced in Section 4. In each of the following subsections, we list all approaches realizing a certain strategy. Further, we discuss whether our expectations about the suitability of the implementation strategies for IoT networks are met by the actual IDS realizations. To keep track of the various approaches, we also sketch them together with their most relevant properties in Table . There, we also mark whether an IDS approach seems to be suitable for being used in IoT networks.
5.1.1. Hierarchical IDSs. In Shin et al. [], the authors propose a one-hop clustering mechanism for intrusion detection that targets industrial applications. Similarly, Chen et al. [] describe an energy-efficient way for intrusion detection in WSNs using an isolation table. In their solution, two levels of clustering are proposed to detect intrusions in a performance-effective way. When the leader of a lower level detects an intrusion in a subcluster, it forwards the according message to the leader of the higher level, who forwards it to the base station. While this approach is performance-effective, since a leader only has to observe a smaller subcluster, the problem of hierarchical IDSs that a malicious leader may not pass an alert to the sink is not solved here. In Strikos [], the author proposes a method to place intruder detectors at strategic positions of the network such that the whole network is covered. However, no simulation or experimental results proving his claims are provided. Rajasegarar et al. [] discuss an anomaly detection algorithm for a clustered WSN that minimizes the communication overhead. The proposed scheme is evaluated using a real-world project. Eik Loo et al. [] present a clustered IDS for WSNs that differentiates between normal and abnormal traffic using a normal traffic model. Thus, it is able to detect route errors and sinkhole attacks. Another approach distinguishing between normal and abnormal behavior is introduced in Mamun and Kabir []. It comprises a hybrid IDS for WSNs that are divided into hexagonal regions each having a cluster head. The attack signatures are propagated from the base station towards the leaf nodes and the mechanism has predefined specifications for normal and abnormal behavior. The anomaly detection is done by measuring deviations from the predefined specifications. A signature-based IDS is presented in Jadidoleslamy []. It is distributed and hierarchical, making the detection of both active and passive response-based attacks possible. Guerroumi et al. [] propose an intrusion detection system against sinkhole attacks on WSNs with mobile sinks. The scheme is implemented in a hierarchical topology using attack signatures.

Table : Comparative analysis of IDSs implemented for WSNs.

IDS | Implementation | Detection | Attacks | IoT
Abraham et al. [] | Statistical Detection | Signature | DoS, Unauthorized Access | N
Abraham et al. [] | Statistical Detection | Signature | Probing, Unauthorized Access | N
Agah et al. [] | Game Theory | Signature | N/A | N
Agah and Das [] | Game Theory | Signature | DoS, Selective Forwarding | N
Bao et al. [] | Reputation | Signature | Jamming, Sybil, DoS, Sinkhole |
Boubiche and Bilami [] | Cross Layer | Signature | Sinkhole, Spoofing, Battery Exhaustion |
Chen et al. [] | Hierarchical | Signature | Spoofing, Sinkhole |
Da Silva et al. [] | Distributed and Collaborative | Signature | Repetition, Packet Delay, Wormhole, Packet Alteration, Blackhole, Selective Forwarding |
Deng et al. [] | Machine Learning | Anomaly | Blackhole | N
Doumit and Agrawal [] | Statistical Detection | Anomaly | N/A |
Eik Loo et al. [] | Hierarchical | Anomaly | Periodic Route Error, Sinkhole | †
Guerroumi et al. [] | Hierarchical | Signature | Sinkhole | †
Ioannis et al. [] | Distributed and Collaborative | Signature | Selective Forwarding, Blackhole |
Jadidoleslamy [] | Hierarchical | Signature | N/A | †
Khan and Loo [] | Cross Layer | Signature | Hello Flooding |
Krontiris et al. [] | Distributed and Collaborative | Signature | Selective Forwarding |
Maleh et al. [] | Machine Learning | Hybrid | Blackhole, Wormhole, Hello Flooding, Selective Forwarding | †
Mamun and Kabir [] | Hierarchical | Hybrid | N/A | †
Ngai et al. [] | Statistical Detection | Anomaly | Sinkhole |
Onat and Miri [] | Statistical Detection | Anomaly | Hello Flooding |
Onat and Miri [] | Statistical Detection | Signature | Resource Depletion | N
Rajasegarar et al. [] | Hierarchical | Anomaly | N/A | †
Sedjelmaci and Feham [] | Machine Learning | Hybrid | Routing Disruption | †
Shamshirband et al. [] | Game Theory | Anomaly | Distributed DoS |
Shin et al. [] | Hierarchical | Signature | Selective Forwarding | †
Strikos [] | Hierarchical | Signature | DoS, Routing Disruption | †
Wang et al. [] | Reputation | Signature | Selective Forwarding |

† Suited for IoT networks with some stations without energy limitations that can act as cluster heads.

Evaluating these approaches confirms our prediction about hierarchical IDSs made in Section 4.1. They seem to be a good fit also for IoT networks since each cluster consists of a limited number of nodes. Nevertheless, it is good if an IoT network also contains stronger nodes that can take the role of the CHs.
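The two-level alert path of the clustered schemes above, and the weakness that a misbehaving cluster head can cut the sink off from alerts raised below it, can be shown with a few lines of simulation. The following is an added example written for this page, not the code of Chen et al. or any other surveyed IDS; the topology, node names, and the "isolation table" kept at the base station are constructed assumptions.

```python
"""Two-level hierarchical alert forwarding (added illustration, not the
code of any surveyed paper). Leaf nodes are watched by a sub-cluster head
(CH1), CH1s report to a cluster head (CH2), CH2s report to the base station,
which records reported intruders in an isolation table. A cluster head that
silently drops alerts models the malicious-leader problem noted in the text."""


class Node:
    def __init__(self, name, parent=None, drops_alerts=False):
        self.name = name                   # constructed node id
        self.parent = parent               # next level up; None = base station
        self.drops_alerts = drops_alerts   # True models a misbehaving CH
        self.isolation_table = set()       # only meaningful at the base station

    def forward_alert(self, suspect, hop_log):
        """Relay an alert one level up, recording each hop in hop_log.
        Returns True if the alert reached the base station."""
        hop_log.append((self.name, suspect))
        if self.drops_alerts:              # alert swallowed by a bad leader
            return False
        if self.parent is None:            # base station: isolate the suspect
            self.isolation_table.add(suspect)
            return True
        return self.parent.forward_alert(suspect, hop_log)


def build_topology(malicious_ch=None):
    """BS <- {CH2a, CH2b} <- {CH1a1, CH1a2 under CH2a; CH1b1 under CH2b}.
    `malicious_ch` names one cluster head that drops alerts (or None)."""
    bs = Node("BS")
    nodes = {"BS": bs}
    for ch2 in ("CH2a", "CH2b"):
        nodes[ch2] = Node(ch2, parent=bs, drops_alerts=(ch2 == malicious_ch))
    layout = {"CH1a1": "CH2a", "CH1a2": "CH2a", "CH1b1": "CH2b"}
    for ch1, ch2 in layout.items():
        nodes[ch1] = Node(ch1, parent=nodes[ch2],
                          drops_alerts=(ch1 == malicious_ch))
    return bs, nodes


def run_detections(detections, malicious_ch=None):
    """detections: list of (detecting CH1, suspect leaf).
    Returns (isolation table at the base station, hops taken per alert)."""
    bs, nodes = build_topology(malicious_ch)
    hops = {}
    for ch1, suspect in detections:
        log = []
        nodes[ch1].forward_alert(suspect, log)
        hops[suspect] = len(log)
    return set(bs.isolation_table), hops


# Constructed sample: two sub-cluster heads each catch a selectively
# forwarding leaf in their own sub-cluster.
SAMPLE_DETECTIONS = [("CH1a1", "leaf-a1-3"), ("CH1b1", "leaf-b1-7")]

if __name__ == "__main__":
    print("honest hierarchy  :", run_detections(SAMPLE_DETECTIONS))
    print("CH2a drops alerts :", run_detections(SAMPLE_DETECTIONS, "CH2a"))
```

In the honest run both suspects end up in the base station's isolation table after three hops each; when CH2a drops alerts, everything detected in its two sub-clusters vanishes after two hops and only the leaf under CH2b is isolated. This is the failure mode the text points out, and it is why hierarchical schemes that want to tolerate a compromised cluster head need a second path to the sink (for example the periodic re-election of cluster heads mentioned for MANETs in Section 5.2.1) rather than trusting a single relay.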
5.1.2. Distributed and Collaborative IDSs. In Ioannis et al. [], a collaborative watching scheme is used for a distributed IDS implementation in order to detect selective forwarding attacks. Krontiris et al. [] present an IDS which equips nodes with a local detector that triggers suspicions about a neighbor. Moreover, the nodes collaborate to evaluate suspicions in order to detect whether the node in question is, indeed, an attacker. Similarly, Da Silva et al. [] discuss a specification-based IDS that uses a decentralized detection process. In this algorithm, the collection of a data unit and its processing is performed in a distributed manner to make the IDS scalable and robust.

As predicted in Section 4.2, these IDSs seem to fit generally well to IoT networks while the extended data exchange necessary for coordination may have an impact on the energy resources.
5.1.3. Reputation-Based IDSs. Wang et al. [] propose an IDS that uses the idea of marking the exchanged packets while heuristic ranking algorithms identify malicious nodes in the network. When the sink receives a marked packet, it can compute the average dropping ratio for each node. If this ratio exceeds a threshold, the node is declared to be malicious. Bao et al. [] propose a probability model-based technique to analyze subjective versus objective trust. The authors claim that the proposed scheme has a better detection capability than anomaly-based IDSs. The two schemes are lightweight in nature. Therefore, as predicted in Section 4.4, they are suitable for IoT networks.
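The trust computation sketched in Section 4.4 and the dropping-ratio idea above can be made concrete with a small watchdog-plus-aggregation model. The following is an added example written for this page, not the code of Wang et al., Bao et al., or any trust management scheme cited elsewhere in the article: each node overhears whether a neighbor re-transmits the packets handed to it, keeps smoothed forwarding counters as its local trust, and the reputation of a node is the average of the exchanged trust values weighted by how much the aggregating node trusts each reporter. The node names, the overhearing log, the prior counts, and the 0.5 cut-off are constructed assumptions.

```python
"""Reputation-based detection of a selectively forwarding node (added
illustration; not the code of any surveyed IDS). A watchdog on every node
counts, per neighbour, packets handed over and packets overheard being
forwarded. Local trust is the smoothed forwarding ratio; nodes exchange
these values and an aggregator weights each report by its own trust in the
reporter, so a low-trust reporter has little influence on the outcome."""

THRESHOLD = 0.5   # assumed cut-off below which a node is flagged


class Watchdog:
    PRIOR_HANDED = 1.0      # Laplace-style prior: a never-seen neighbour
    PRIOR_FORWARDED = 0.5   # starts at trust 0.5 rather than 0 or 1

    def __init__(self, owner):
        self.owner = owner
        self.counts = {}    # neighbour -> [packets handed, packets forwarded]

    def observe(self, neighbour, forwarded):
        c = self.counts.setdefault(neighbour,
                                   [self.PRIOR_HANDED, self.PRIOR_FORWARDED])
        c[0] += 1
        if forwarded:
            c[1] += 1

    def trust(self, neighbour):
        """Local trust = smoothed fraction of handed packets that were forwarded."""
        handed, fwd = self.counts.get(
            neighbour, (self.PRIOR_HANDED, self.PRIOR_FORWARDED))
        return fwd / handed

    def report(self):
        """Compact trust vector this node shares with its neighbours."""
        return {n: self.trust(n) for n in self.counts}


def aggregate_reputation(aggregator, reports):
    """reports: {reporter: {subject: trust}} collected by `aggregator`.
    Reputation of a subject = trust-weighted mean of all reports about it;
    the aggregator's own observations get weight 1, others get its trust
    in the reporter (0.5 for reporters it has never observed)."""
    weighted, weight_sum = {}, {}
    for reporter, rep in reports.items():
        w = 1.0 if reporter == aggregator.owner else aggregator.trust(reporter)
        for subject, t in rep.items():
            if subject == aggregator.owner:      # nobody rates themselves
                continue
            weighted[subject] = weighted.get(subject, 0.0) + w * t
            weight_sum[subject] = weight_sum.get(subject, 0.0) + w
    return {s: weighted[s] / weight_sum[s] for s in weighted}


def flag_malicious(reputation, threshold=THRESHOLD):
    return sorted(s for s, r in reputation.items() if r < threshold)


def build_sample():
    """Constructed overhearing log: A, B and D each hand C ten packets and
    C re-transmits only some of them (selective forwarding), while B and D
    forward everything they are given."""
    wd = {n: Watchdog(n) for n in "ABD"}
    c_forwarded = {"A": [1, 0, 0, 1, 0, 1, 0, 0, 1, 0],    # 4 of 10
                   "B": [0, 0, 1, 0, 1, 0, 0, 1, 0, 0],    # 3 of 10
                   "D": [1, 0, 1, 0, 1, 0, 1, 0, 1, 0]}    # 5 of 10
    for observer, seq in c_forwarded.items():
        for f in seq:
            wd[observer].observe("C", bool(f))
    for _ in range(10):          # A also overhears B and D behaving well
        wd["A"].observe("B", True)
        wd["A"].observe("D", True)
    for _ in range(8):           # B and D watch each other
        wd["B"].observe("D", True)
        wd["D"].observe("B", True)
    return wd


def detect_from(aggregator_name, wd, threshold=THRESHOLD):
    reports = {n: w.report() for n, w in wd.items()}
    rep = aggregate_reputation(wd[aggregator_name], reports)
    return rep, flag_malicious(rep, threshold)


if __name__ == "__main__":
    reputation, flagged = detect_from("A", build_sample())
    print({s: round(r, 3) for s, r in reputation.items()}, "flagged:", flagged)
```

From A's point of view C ends up with a reputation of about 0.41 and is flagged, while B and D stay near 0.95. The storage cost is two counters per watched neighbour and the exchanged report is one float per neighbour, which is the compactness the text relies on; the energy cost is in the overhearing itself, not in the arithmetic.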
5.1.4. Cross Layer IDSs. Boubiche and Bilami [] introduce a cross layer IDS that uses an intrusion detection agent to exchange information between the physical, MAC, and network layers of a protocol stack. Comparing the observations on the different layers makes the agent capable of detecting multilayer attacks. Another cross layer design is proposed in Khan and Loo []. It detects flooding by using and comparing parameters from the MAC and network layers. In both approaches, the processing requirements seem moderate such that, in contrast to our predictions in Section 4.5, the IDSs might also be implemented in IoT networks.
5.1.5. Game Theory-Based IDSs. A noncooperative game for WSNs is presented in Agah et al. [] and Agah and Das []. The goal of the game is to determine the weakest node in the network and thereafter to propose strategies to defend it against malicious attacks. A disadvantage of this approach is that the game detects only a single attack even in the presence of multiple ones, such that the others are left undetected. This weakness makes the approach less suited to IoT networks for which we expect simultaneous attacks on different network nodes. Shamshirband et al. [] introduce a game theoretic strategy that adopts a combination of a fuzzy Q-learning algorithm and a game theoretic approach. The proposed model consists of sink nodes, a base station, and an attacker that are tested for distributed DoS attacks. The authors claim that the proposed model has a better defense rate than Markovian game theoretic solutions. Since the approach seems to be lightweight with respect to resources, it may also be applied to IoT devices.
5.1.6. Statistical Detection-Based IDSs. In Ngai et al. [], an IDS for sinkhole attacks is presented that first identifies suspected nodes and then detects attackers using a network flow graph. This algorithm applies the Chi-square based multivariate analysis technique and is evaluated using simulations and theoretical analysis. The authors claim that the proposed strategy has a low performance overhead which makes it suited to IoT networks. Doumit and Agrawal [] use a hidden Markov Model to find unusual activities. The authors claim that their algorithm requires minimal processing resources in an experimental scenario. Hence, it can also be used for an IoT-based network. Onat and Miri [] discuss an algorithm that is based on processing arrival traffic. In particular, the arrival traffic pattern for a node is observed, and, based on these observations, a technique to find anomalies is devised. Short-term statistics are kept by the algorithm using a multilevel sliding window that reduces the resource requirement. Therefore, such a scheme can also be considered for resource-constrained IoT devices. Another algorithm by the same authors is introduced in Onat and Miri []. Here, each node develops a model for its neighbors based on their transceiver behavior and packet arrival rates. When there are major deviations, this is considered as abnormal behavior. This approach, however, may require monitoring every neighbor, which can demand a lot of energy. Thus, it might not be a feasible solution for IoT devices. Abraham et al. [] present an IDS that is effective against Denial-of-Service (DoS) and unauthorized access attacks. It is based on the Genetic Programming technique. A fuzzy rule-based classifier for intrusion detection is shown in Abraham et al. []. It is claimed to have % accuracy for every type of attack. The technique, however, seems to be not very energy-efficient, making it less suited for IoT networks.
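The sliding-window arrival-rate idea behind the two Onat and Miri schemes, and the stochastic-profile-plus-threshold scheme of Section 4.8 in general, is small enough to show in full. The following is an added example written for this page, not the code of either paper: for every neighbor a node keeps a short window of recent per-interval packet counts and a longer baseline window, and flags an interval when the short-term mean exceeds the baseline mean by more than k baseline standard deviations. The window sizes, k = 4, the floor on the standard deviation, the neighbor names, and the trace in which one neighbor starts a HELLO flood are constructed assumptions.

```python
"""Statistical arrival-rate anomaly detection with a two-level sliding
window (added illustration, not the code of any surveyed IDS). Per
neighbour: a short window gives the current rate, a long window the
baseline profile. An interval is anomalous when the short-term mean exceeds
baseline mean + k * baseline standard deviation. Anomalous intervals are not
folded into the baseline, so a flood cannot raise its own threshold."""
from collections import deque
from statistics import mean, pstdev


class ArrivalMonitor:
    def __init__(self, short=3, long=20, k=4.0, min_std=1.0):
        self.short_n, self.long_n = short, long
        self.k, self.min_std = k, min_std   # min_std avoids a zero threshold
        self.short = {}   # neighbour -> deque of recent interval counts
        self.long = {}    # neighbour -> deque of baseline interval counts

    def update(self, neighbour, count):
        """Feed one interval's packet count from `neighbour`; return True if
        the current short-term rate is anomalous w.r.t. the baseline."""
        s = self.short.setdefault(neighbour, deque(maxlen=self.short_n))
        l = self.long.setdefault(neighbour, deque(maxlen=self.long_n))
        s.append(count)
        if len(l) < self.long_n:      # still learning the profile: no verdict
            l.append(count)
            return False
        mu = mean(l)
        sigma = max(pstdev(l), self.min_std)
        anomalous = mean(s) > mu + self.k * sigma
        if not anomalous:             # only normal intervals move the baseline
            l.append(count)
        return anomalous


def run_sample():
    """Constructed trace: neighbour n3 sends 4-6 HELLOs per interval for 25
    intervals and then floods with 40 per interval; n4 stays normal.
    Returns the interval indices flagged for each neighbour."""
    normal = [5, 4, 6, 5, 5, 4, 6, 5, 6, 4, 5, 5, 6, 4, 5, 5, 4, 6, 5, 5,
              4, 6, 5, 5, 6]
    trace = {"n3": normal + [40, 40, 40, 40, 40],
             "n4": normal + [5, 4, 6, 5, 5]}
    mon = ArrivalMonitor()
    flagged = {n: [] for n in trace}
    for n, counts in trace.items():
        for i, c in enumerate(counts):
            if mon.update(n, c):
                flagged[n].append(i)
    return flagged


if __name__ == "__main__":
    print(run_sample())
```

On the sample trace n3 is flagged from interval 25 onwards and n4 never. Memory per watched neighbor is short + long integers (23 here), which is what makes the multilevel window attractive on small nodes; the energy question raised above is whether the node can afford to overhear every neighbor at all, not the arithmetic.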
5.1.7. Machine Learning-Based IDSs. In Deng et al. [], an anomaly-based IDS using a Support Vector Machine (SVM) is implemented to detect routing attacks. An SVM is also proposed by Sedjelmaci and Feham [] who distinguish between normal and abnormal patterns. The scheme seems to be energy consuming but it can run on an IoT node with larger processing capabilities. Thus, as predicted in Section 4.9, it fits IoT networks containing more powerful nodes. The IDS presented in Maleh et al. [] combines machine learning with clustering. It is basically a hierarchical IDS that, however, also uses SVMs to find out about attack signatures. So, it also fits IoT networks with some stronger nodes that can both act as CHs and execute the machine learning computations.
5.2. MANETs. The approaches for Mobile Ad hoc Networks (MANETs) are also arranged with respect to the implementation strategies used. They are introduced below. Further, we depict the introduced approaches in Table . Here, we also mark approaches suited for IoT systems.
5.2.1. Hierarchical IDSs. Kachirski and Guha [] present an approach in which only the cluster heads (CH) are responsible for making decisions such that the energy consumption is reduced. In Huang and Lee [], clustering is used in monitors that are sparsely positioned over the network. Their purpose is to detect routing intrusions using anomaly detection. The CH is periodically re-elected to avoid that the energy of single nodes is drained too much. Thus, in contrast to our predictions in Section 4.1, this hierarchical IDS works also for IoT networks without stronger nodes. Sterne et al. [] introduce a dynamic hierarchical scheme that reduces intrusion detection data packets by data aggregation. The proposed scheme is tested for intentional data dropping and attacks on network and higher layer protocols. In Sun et al. [], an IDS is presented in which the network is divided into nonoverlapping physical zones. A local agent is responsible for broadcasting alerts in its zone. Moreover, a special gateway zone is defined that aggregates locally generated alerts and disseminates network-wide alarms. The purpose of such a system is to process the detection results in the zones locally while the gateway nodes compute final system-wide results from the results disseminated by the various zones. Since the approach operates with GPS data, it cannot be directly transferred to IoT networks in which not all nodes can be expected to have GPS receivers available.

Table : Comparative analysis of IDSs implemented for MANETs.

IDS | Implementation | Detection | Attacks | IoT
Albers et al. [] | Mobile Agent | Signature | DoS | N
Buchegger and Le Boudec [] | Reputation | Signature | Packet Dropping |
Huang and Lee [] | Hierarchical | Anomaly | Routing, DoS |
Kachirski and Guha [] | Hierarchical | Anomaly | Packet Dropping | †
Michiardi and Molva [] | Reputation | Anomaly | Node Selfishness |
Patcha and Park [] | Game Theory | Signature | DoS | †
Puttini et al. [] | Statistical Detection | Anomaly | Routing Disruption | N
Rao and Kesidis [] | Statistical Detection | Signature | Routing Disruption | N
Shakshuki et al. [] | Machine Learning | Signature | Routing Disruption | N
Sterne et al. [] | Hierarchical | Hybrid | Packet Dropping, Node Capture | †
Sun et al. [] | Hierarchical | Anomaly | Routing Disruption | N
Zhang and Lee [] | Mobile Agent | Anomaly | DoS | N
Zhang et al. [] | Mobile Agent | Anomaly | Routing Misdirection, Packet Dropping | N

† Suited for IoT networks with some stations without energy limitations that can act as cluster heads.
5.2.2. Reputation-Based IDSs. Michiardi and Molva [] describe a mechanism that computes the reputation for each node in a network based on supervision of its behavior by other nodes. The reputation is used for the routing decisions, and a node selects neighbors with high reputation values. Further, a watchdog mechanism is used to deny communication with a node whose reputation falls below a certain threshold. In Buchegger and Le Boudec [], a system for reactive source routing protocols is presented. The reputation of a node is updated based on input from fully trusted nodes that monitor their neighbors using a special watching scheme. As predicted in Section 4.4, both presented approaches are relatively lightweight and, with some modifications, can therefore be used for IoT networks.
5.2.3. Mobile Agent-Based IDSs. In Zhang and Lee [], the authors propose an agent-based distributed and collaborative IDS. The approach uses a local data collection block that collects and analyzes the observed data in real time. If it unambiguously detects an anomaly, it informs either a local or a global response block in order to initiate a remedy of a subsystem. If the result of the observations is inconclusive, the data collection block interacts with those in the neighboring nodes via a secure channel, and a collaborative decision is made. Each agent has a local detection engine that uses a modeling algorithm to decide, based on predefined matching criteria, whether an incident is normal or anomalous. Depending on whether a decision was taken locally or after coordination with other nodes, either a local or a global response is initiated. As an extension of this work, the authors introduce a cross layer IDS in Zhang et al. []. In this work, each layer has an IDS module but the detection on one layer may be initiated by those on the other layers such that attacks on different layers can be detected. As described in Section , due to the amount of coordination required and the somewhat complex functionality to be implemented, we are skeptical about the usability of this approach in IoT networks with tiny devices. In Albers et al. [], the authors describe a distributed mobile agent-based IDS in which the agents migrate to the various data sources. Thus, the workload of each node can be decreased. While this saves processing resources, the approach might nevertheless not be suitable for IoT-based networks since the freely migrating mobile agents might exceed the abilities of many IoT nodes.
5.2.4. Game Theory-Based IDSs. Patcha and Park [] present an IDS that models interactions between nodes of a MANET as a noncooperative game with two players. The scheme requires a central processing unit computing the collected observations that runs on a high-performance microprocessor and demands a relatively large amount of memory for data storage and processing. Therefore, this scheme may only be usable for IoT networks with a border router that offers the necessary processing and storage capabilities.
5.2.5. Statistical Detection-Based IDSs. In Puttini et al. [], the authors introduce an IDS based on Bayesian classification. It models reference behavior by statistically observing various network applications. The behavioral model then forms the basis for the detection algorithm that monitors the network for anomalies. Rao and Kesidis [] use the estimation of congestion to make decisions about the packet dropping problem. Their IDS is dedicated to networks without bandwidth constraints but with security requirements. Due to this limitation, we do not think that this technique is suitable for resource-constrained IoT devices.
5.2.6. Machine Learning-Based IDSs. In Shakshuki et al. [], evolutionary computation techniques are used to detect the presence of attackers in a MANET causing flooding and route disruption attacks. The performance of such a scheme is evaluated using simulations for different mobility and traffic patterns. This technique demands a high processing capability on all the nodes such that it seems not suitable for resource-constrained IoT networks.

5.3. CPSs. For Cyber-Physical Systems (CPSs), we found only four IDS solutions, each using a separate implementation strategy. The approaches are described below and depicted in Table .

Table : Comparative analysis of IDSs implemented for CPSs.

IDS | Implementation | Detection | Attacks | IoT
Mitchell and Chen [] | Voting | Signature | Spoofing, Bad Data Injection |
Porras and Neumann [] | Statistical Detection | Hybrid | N/A | N
Shin et al. [] | Hierarchical | Hybrid | Eavesdropping, DoS, Routing Misdirection |
Tsang and Kwong [] | Machine Learning | Anomaly | DoS, Remote-to-Local, User-to-Root, Probing | †

† Suited for IoT networks with some stations without energy limitations that can act as cluster heads.
5.3.1. Hierarchical IDSs. Shin et al. [] combine one-hop clustering for intrusion detection with multihop clustering for data aggregation, carefully balancing the efficiency of the procedure against the provided security. The approach uses a base station, gateways, cluster heads, and leaf nodes, each playing a certain role in the IDS. The structure helps to detect a number of attack types carried out on the network. The processing load on each node seems to be moderate such that, against our predictions in Section 4.1, the approach might be a suitable scheme also for resource-constrained IoT devices.
5.3.2. Voting-Based IDSs. The IDS presented in Mitchell and Chen [] uses a voting-based mechanism for anomaly detection. The authors validate their design by considering spoofing and data manipulation attacks. The scheme is quite simple and, as predicted in Section ., seems suited for being implemented also in IoT networks. Nevertheless, the detection rate for a particular network configuration should be analyzed thoroughly first.
5.3.3. Statistical Detection-Based IDSs. Porras and Neumann [] discuss an IDS that applies hybrid analysis. A signature-based analysis checks nodes for compliance with a rule set. In addition, an anomaly-based analysis uses statistical analysis to detect intrusions that are not yet covered by the rules. The scheme is not dedicated to any specific attack type such that a complex analysis of the observed data is expected. That would make it difficult to implement this technique on IoT networks.
5.3.4. Machine Learning-Based IDSs. Tsang and Kwong [] present an unsupervised machine learning-based approach to detect anomalies. A goal of this approach is to reduce the usually high rate of false positives in anomaly-based IDS. Since this machine learning approach requires significant computing resources, it is only suitable for IoT networks with efficient border routers.
6. IDSs for IoTs
In this section, we discuss IDS approaches that have been explicitly developed for use in IoT systems. Since the Internet of Things is a relatively new technology, only a few approaches have been published yet. Nevertheless, we found some promising solutions that we again grouped according to the implementation strategies used. To give a summary, the approaches are further depicted in Table .
6.1. Distributed and Collaborative IDSs. Liu et al. [] use artificial immunity mechanisms to protect IoT networks. Their approach comprises an attack library to which the sensed behavior is compared. A similar IDS is introduced by Kasinathan et al. [] who, however, use penetration testing to detect DoS attacks. Raza et al. [] introduce a hybrid IDS for IoT networks that targets typical routing attacks such as sinkhole, spoofing, and selective forwarding. The technique is based on network graph inconsistency detection. This approach is criticized by Matsunaga et al. [] for its high rate of false positives. Arshad et al. [] describe an intrusion detection mechanism using active collaboration between resource-constrained devices and border nodes, following a collaborative and distributed technique. The technique assigns processing-intensive tasks to the border nodes in order to efficiently exploit their capabilities.
6.2. Reputation-Based IDSs. Cervantes et al. [] present an IDS that uses trust-based solutions to detect anomalies in mobile IoT networks. The solution targets sinkhole attacks on the routing layer of IoT networks by using a watchdog and a trust-based mechanism. If the trust of a device falls below a certain threshold, it is declared a threat to the system. A similar approach that, however, particularly considers the processing limitations of IoT devices is discussed by us in Khan and Herrmann []. This approach is tailored to the Routing Protocol for Low-Power and Lossy Networks (RPL) (see IETF []), which has become quite popular for IoT systems. The communication behavior of network nodes is observed by their neighbors for selective forwarding, sinkhole, and version number attacks. Based on the observations, a general reputation of a node is computed in a processor-friendly way using Subjective Logic; see Jøsang []. If the amount of distrust in a node exceeds a certain threshold, it will be quarantined. In Khan et al. [], we further show that our approach also successfully addresses self-promotion, bad-mouthing, and ballot stuffing attacks.
6.3. Game Theory-Based IDSs. Sedjelmaci et al. [] introduce an anomaly detection approach that tries to minimize the energy consumption. In particular, game theory is used to find out whether the signature of a new attack is expected to occur. Only then is the energy-intensive anomaly detection activated. La et al. [] propose a model which comprises attacks of varying seriousness that demand different degrees of action. The problem is modeled as a Bayesian game, and its results determine the threshold for declaring an activity an intrusion. In this way, a lower rate of false positives and negatives shall be achieved.

Table : Comparative analysis of IDSs for IoT networks.

| IDS | Implementation | Detection | Attacks |
|---|---|---|---|
| Anthi et al. [] | Machine Learning | Anomaly | DoS, Hello Flood, Sybil, Sinkhole attacks |
| Arrington et al. [] | Statistical Detection | Anomaly | N/A |
| Arshad et al. [] | Distributed and Collaborative | Anomaly | Routing and application specific attacks |
| Azmoodeh et al. [] | Machine Learning | Anomaly | Junk code insertion attacks |
| Cervantes et al. [] | Reputation | Anomaly | Sinkhole Attacks |
| Fu et al. [] | Statistical Detection | Anomaly | Bad Data Injection, DoS |
| Kasinathan et al. [] | Distributed and Collaborative | Rule | DoS |
| Khan and Herrmann [] | Reputation | Rule | Selective Forwarding, Sinkhole, Version Number |
| Khan et al. [] | Reputation | Rule | Self Promoting, Bad Mouthing, Ballot Stuffing |
| La et al. [] | Game Theory | Rule | N/A |
| Li et al. [] | Machine Learning | Anomaly | Probing, DoS |
| Liu et al. [] | Distributed and Collaborative | Rule | N/A |
| Liu and Wu [] | Statistical Detection | Anomaly | N/A |
| Liu et al. [] | Machine Learning | Anomaly | N/A |
| Raza et al. [] | Distributed and Collaborative | Hybrid | Spoofing, Sinkhole, Selective Forwarding |
| Sedjelmaci et al. [] | Game Theory | Anomaly | DoS |
| Summerville et al. [] | Statistical Detection | Anomaly | Wormhole, Bad Data Injection, User-to-Root |
| Xiao et al. [] | Machine Learning | Anomaly | Identity based, Malwares, Offloading attacks |
| Yang et al. [] | Machine Learning | Anomaly | Packet dropping, hole attacks, eavesdropping |
6.4. Statistical Detection-Based IDSs. Arrington et al. [] simulate IoT-driven smart homes in order to detect behavioral anomalies. The system constructs behavioral models using special immunity-inspired algorithms for anomaly detection. These models can then be compared with the data captured by the IoT sensors to detect deviations from the expected behavior. Fu et al. [] present an anomaly mining IDS to detect anomalies at the perception layer. A distributed intrusion detection scheme uses the anomaly data to find out about attacks. A similar approach that, in addition, addresses the processing limitations of IoT networks is introduced by Liu and Wu [] who propose a very lightweight anomaly mining algorithm using the Jaccard coefficient. Summerville et al. [] publish an anomaly-based approach that discriminates between abnormal and normal packets. It relies on bit pattern matching using a lookup table. The processing limitations are addressed by making it possible to implement the algorithm not only traditionally in software but also directly on the hardware layer.
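The lookup-table idea attributed to Summerville et al. above can be illustrated with the following added example, which is not the authors' implementation: it takes byte bigrams as the bit patterns (an assumption), records the ones seen in normal traffic in an 8 KiB bitmap, and scores a packet by the fraction of its bigrams absent from the table. The sensor payloads and the threshold are constructed.

```python
"""Added illustration, not Summerville et al.'s implementation: packets
are scored by looking up their byte bigrams in a bitmap table learned
from normal traffic. A bigram over 8-bit symbols has 65536 possible
values, so the whole table is 8 KiB of flag bits and each lookup is a
shift, a mask and one memory read, which is why such a detector can
also be realized directly in hardware. Payloads and the threshold
below are constructed."""
from typing import Iterable, Iterator

N = 2                      # n-gram width in bytes
TABLE_BITS = 1 << (8 * N)  # 65536 possible bigrams


def bigrams(payload: bytes) -> Iterator[int]:
    """Yield each overlapping byte bigram packed into a 16-bit index."""
    for i in range(len(payload) - N + 1):
        yield (payload[i] << 8) | payload[i + 1]


class BitPatternTable:
    """A bitmap with one flag per possible bigram: 1 = seen in normal traffic."""

    def __init__(self) -> None:
        self.bits = bytearray(TABLE_BITS // 8)   # 8192 bytes

    @staticmethod
    def _locate(index: int):
        return index >> 3, 1 << (index & 7)

    def add(self, index: int) -> None:
        byte, mask = self._locate(index)
        self.bits[byte] |= mask

    def contains(self, index: int) -> bool:
        byte, mask = self._locate(index)
        return bool(self.bits[byte] & mask)

    def train(self, normal_payloads: Iterable[bytes]) -> None:
        for payload in normal_payloads:
            for g in bigrams(payload):
                self.add(g)

    def novelty(self, payload: bytes) -> float:
        """Fraction of the payload's bigrams never seen during training.
        A payload too short to contain a bigram is treated as fully novel,
        since nothing in it can be vouched for."""
        grams = list(bigrams(payload))
        if not grams:
            return 1.0
        unseen = sum(1 for g in grams if not self.contains(g))
        return unseen / len(grams)

    def is_anomalous(self, payload: bytes, threshold: float) -> bool:
        return self.novelty(payload) > threshold


# Constructed training set: well-formed sensor reports of one application.
NORMAL = [b"temp=21.5;hum=40", b"temp=22.3;hum=41",
          b"temp=20.0;hum=39", b"temp=23.1;hum=42"]
THRESHOLD = 0.3   # constructed: tolerate unseen digits, reject new structure


def build_detector(normal: Iterable[bytes] = NORMAL) -> BitPatternTable:
    table = BitPatternTable()
    table.train(normal)
    return table


if __name__ == "__main__":
    det = build_detector()
    for pkt in (b"temp=22.0;hum=40",          # all bigrams seen
                b"temp=25.7;hum=40",          # new digits, same structure
                bytes(range(0x80, 0x98))):    # nothing like the training data
        print(pkt, round(det.novelty(pkt), 3), det.is_anomalous(pkt, THRESHOLD))
```

The second packet shows the tolerance the threshold buys: 4 of its 15 bigrams are new (the digits 25.7 never occurred), but the report structure matches, so it stays below 0.3 and is not flagged.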
6.5. Machine Learning-Based IDSs. In recent literature, a number of machine learning approaches have been presented for the development of IDSs. Yang et al. [] discuss an active learning approach using a human in the loop for intrusion detection in IoT systems. Instead of just using machine learning, the authors propose to combine machine and human intelligence, which allows them to detect malicious nodes in the network more accurately. Li et al. [] depict a software-defined IoT network for enhancing the performance of IoT applications, based on an Artificial Intelligence-based two-stage intrusion detection. The approach uses the Bat Algorithm with Swarm Division and Binary Differential Mutation for selecting features. However, this may also increase the overhead in comparison with existing similar solutions. Liu et al. [] discuss intrusion detection using fuzzy clustering and Principal Component Analysis. The authors classify the data into low risk and high risk, while the analysis is performed using simulations. Although this approach may have better results in comparison with traditional techniques, it also increases the implementation overhead. Xiao et al. [] explore IoT security using supervised learning, unsupervised learning, and reinforcement learning-based machine learning techniques. Anthi et al. [] employ machine learning techniques for detecting network scanning, probing, and Denial-of-Service (DoS) attacks. Finally, Azmoodeh et al. [] use deep learning methods to detect Internet of Battlefield Things (IoBT) malware via the devices' Operational Code (OpCode) sequences.
7. Future Directions
Based on the experience gained while working on this publication, we identified two research directions for IDSs safeguarding IoT networks that, in our opinion, seem worthwhile to pursue. They are introduced in the following.
7.1. Intrusion Detection as a Service in Fog Computing. Table gives the impression that one has more possibilities to apply approaches existing for WSNs, MANETs, and CPSs also to an IoT network if it contains at least some nodes with sufficient processing and energy capabilities. That holds particularly when these high-performance nodes are plugged in such that energy issues are alleviated. These devices can then execute the computing-intensive centralized IDS approaches while the resource-limited nodes only assist by delivering data. This fits well to the novel Fog Computing concept; see, e.g., Bonomi et al. []. Fog Computing is seen as an alternative to traditional Cloud Computing in which the various cloud services are not provided by remote data centers but by local machines that are under the control of the local network operator. For instance, local WLAN routers that are provided with greater processing power and storage facilities can, besides routing data packets between the wired and the wireless network segments, offer various services known from the cloud.

Since border routers connecting an IoT system with the outside world are often WLAN routers, the new Fog Computing technology can easily be integrated into the network. For instance, it could run a centralized IDS protecting the IoT network nodes to which it is connected or take over the processing- and energy-intensive tasks of the implementation strategies discussed in this paper. Moreover, if the IoT is larger and applies several border routers, one can use their Fog Computing capabilities to realize a hierarchical IDS. In consequence, we see the integration of IDSs on Fog Computing platforms as a promising future research direction. Following the highly virtual nature of the platforms, the IDS functionality can then, like other cloud-based functionality, be offered in the form of services, which could be named Intrusion Detection as a Service.
7.2. Reducing Active Channel Listening Times When Rating Network Behavior. Realizing an IDS is more difficult for IoT systems in which all nodes are resource-constrained. Table reveals for this case that there are three basic strategies available. One is voting-based IDSs that are already sufficiently lightweight to be used in a resource-friendly way. Unfortunately, their accuracy is still suboptimal, and further research is needed to reduce the rate of false negatives.

The second strategy is to reduce the workload by splitting it into subtasks executed by different cooperating nodes. That is done by hierarchical IDSs as well as by Distributed and Collaborative IDSs. The problem here is that the reduction of computation efforts takes place at the expense of more data exchange, which leads to faster battery draining. To avoid that, one should investigate the research and development of IDSs that allow the nodes to cooperate with each other while minimizing the amount of data to exchange. Here, recent developments in communication protocol technology will be of help. An example is the new IEEE .. protocol (see Bhar []) that reduces active channel listening. For that, the data frames are divided into a number of slots, and a station only has to listen at the time intervals in which slots dedicated to itself are transmitted. For larger systems, that reduces the idle listening time of a station significantly.

The third strategy is to use reputation and trust management that provides IDSs with lightweight computation and storage mechanisms. The approaches using trust management, however, are subject to increased active channel listening since a node now also needs to listen to the communication towards its neighbors, the behavior of which shall be evaluated. If our node has to listen continuously, this can consume a lot of energy. Therefore, it might be helpful to conduct research on combining these approaches with resource-friendly communication protocols. For instance, a first analysis of adapting the approach presented in Khan and Herrmann [] and Khan et al. [] to the IEEE .. protocol revealed that the active channel listening time can easily be reduced by two-thirds when the listening strategy is slightly changed. When our station wants to check whether a message sent by itself to another station is correctly forwarded, in order to rule out a selective forwarding attack, it only needs to listen to the slots dedicated to itself and the one through which the other node forwards the message of interest. Thus, the additional listening cost can be effectively limited. Altogether, dedicating research to combining energy-efficient networking with reputation-based IDSs seems a promising field.
8. Conclusion
We provided an overview of recent trends in using Intrusion Detection Systems in the Internet of Things. In particular, we presented a number of solutions directly developed for IoT systems as well as those for the adjacent network types WSNs, MANETs, and CPSs. Based on this overview, we could name a number of issues for the various IDS types that reduce the applicability of the existing approaches. This allowed us to identify the IDS schemes that appear promising for the IoT. Moreover, we identified two research directions promising to alleviate the weaknesses of the IDSs for being used with IoT networks. Altogether, we got the impression that the majority of the existing IDSs are not completely suited to the resource limitations of the IoT but that the developments point in the right direction. After further efforts in research and development, we see a high potential for adequate solutions that will protect the IoT and its users effectively.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
References
[] A. Nordrum, “What Is a Distributed Denial-of-Service Attack and How Did It Break Twitter?”, https://spectrum.ieee.org/tech-talk/telecom/security/what-is-a-distributed-denialofservice-attack-and-how-did-it-break-twitter.
[] T. Anantvalee and J. Wu, “A survey on intrusion detection in mobile ad hoc networks,” in Wireless Network Security, chapter , pp. –, Springer-Verlag, .
[] I. Butun, S. D. Morgera, and R. Sankar, “A survey of intrusion detection systems in wireless sensor networks,” IEEE Communications Surveys & Tutorials, vol. , no. , pp. –, .
[] J. Granjal, E. Monteiro, and J. Sá Silva, “Security for the internet of things: a survey of existing protocols and open research issues,” IEEE Communications Surveys & Tutorials, vol. , no. , pp. –, .
[] A. A. Gendreau and M. Moorman, “Survey of intrusion detection systems towards an end to end secure internet of things,” in Proceedings of the 4th IEEE International Conference on Future Internet of Things and Cloud (FiCloud ’16), pp. –, IEEE Computer, Vienna, Austria, August .
[] E. Benkhelifa, T. Welsh, and W. Hamouda, “A critical review of practices and challenges in intrusion detection systems for IoT: towards universal and resilient systems,” IEEE Communications Surveys & Tutorials, vol. , no. , .
[] M. Ammar, G. Russello, and B. Crispo, “Internet of Things: a survey on the security of IoT frameworks,” Journal of Information Security and Applications, vol. , pp. –, .
[] F. Restuccia, S. D’Oro, and T. Melodia, “Securing the internet of things in the age of machine learning and software-defined networking,” IEEE Internet of Things Journal, vol. , no. , pp. –, .
[] I. Ud Din, M. Guizani, B. Kim, S. Hassan, and M. Khurram Khan, “Trust management techniques for the internet of things: a survey,” IEEE Access, vol. , pp. –, .
[] A. H. Ngu, M. Gutierrez, V. Metsis, S. Nepal, and Q. Z. Sheng, “IoT middleware: a survey on issues and enabling technologies,” IEEE Internet of Things Journal, vol. , no. , pp. –, .
[] T. Roosta, S. Shieh, and S. Sastry, “Taxonomy of security attacks in sensor networks and countermeasures,” in Proceedings of the 1st IEEE International Conference on System Integration and Reliability Improvements, vol. , pp. –, .
[] E. Balandina, S. Balandin, Y. Koucheryavy, and D. Mouromtsev, “IoT use cases in healthcare and tourism,” in Proceedings of the 17th IEEE Conference on Business Informatics (CBI ’15), vol. , pp. –, IEEE Computer, Lisbon, Portugal, July .
[] S. Mohammadi and H. Jadidoleslamy, “A comparison of physical attacks on wireless sensor networks,” International Journal of Peer to Peer Networks, vol. , no. , pp. –, .
[] S. Khan and J. Loo, “Cross layer secure and resource-aware on-demand routing protocol for hybrid wireless mesh networks,” Wireless Personal Communications, vol. , no. , pp. –, .
[] A. M. Popescu, I. G. Tudorache, B. Peng, and A. H. Kemp, “Surveying position based routing protocols for wireless sensor and ad-hoc networks,” International Journal of Communication Networks and Information Security, vol. , no. , pp. –, .
[] D. Djenouri, L. Khelladi, and N. Badache, “A survey of security issues in mobile ad hoc and sensor networks,” IEEE Communications Surveys & Tutorials, vol. , no. , pp. –, .
[] A. Patcha and J.-M. Park, “An overview of anomaly detection techniques: existing solutions and latest technological trends,” Computer Networks, vol. , no. , pp. –, .
[] Y. Zhang, W. Lee, and Y.-A. Huang, “Intrusion detection techniques for mobile wireless networks,” Wireless Networks, vol. , no. , pp. –, .
[] A. Fuchsberger, “Intrusion detection systems and intrusion prevention systems,” Information Security Technical Report, vol. , no. , pp. –, .
[] C. Karlof and D. Wagner, “Secure routing in wireless sensor networks: attacks and countermeasures,” Ad Hoc Networks, vol. , no. -, pp. –, .
[] L. Wallgren, S. Raza, and T. Voigt, “Routing attacks and countermeasures in the RPL-based internet of things,” International Journal of Distributed Sensor Networks, vol. , no. , .
[] IETF, RFC — RPL: IPv Routing Protocol for Low-Power and Lossy Networks, , https://tools.ietf.org/html/rfc.
[] P. Michiardi and R. Molva, “Core: a collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks,” in Advanced Communications and Multimedia Security, vol. of IFIP — The International Federation for Information Processing, pp. –, Springer, New York, NY, USA, .
[] A. Mayzaud, A. Sehgal, R. Badonnel, I. Chrisment, and J. Schönwälder, “A study of RPL DODAG version attacks,” in Proceedings of the IFIP International Conference on Autonomous Infrastructure, Management and Security, pp. –, Springer-Verlag, .
[] I. Onat and A. Miri, “An intrusion detection system for wireless sensor networks,” in Proceedings of the IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob ’05), vol. , pp. –, IEEE Computer, Québec, Canada, August .
[] D. E. Boubiche and A. Bilami, “Cross layer intrusion detection system for wireless sensor network,” International Journal of Network Security & Its Applications, vol. , no. , p. , .
[] A. Abraham, C. Grosan, and C. Martin-Vide, “Evolutionary design of intrusion detection programs,” International Journal of Network Security, vol. , no. , pp. –, .
[] P. Albers, O. Camp, J. M. Percher, B. Jouga, L. Me, and R. S. Puttini, “Security in ad hoc networks: a general intrusion detection architecture enhancing trust based approaches,” in Wireless Information Systems, pp. –, .
[] S. Shamshirband, A. Patel, N. B. Anuar, M. L. M. Kiah, and A. Abraham, “Cooperative game theoretic approach using fuzzy Q-learning for detecting and preventing intrusions in wireless sensor networks,” Engineering Applications of Artificial Intelligence, vol. , pp. –, .
[] F. Bao, I. Chen, M. Chang, and J. Cho, “Hierarchical trust management for wireless sensor networks and its applications to trust-based routing and intrusion detection,” IEEE Transactions on Network and Service Management, vol. , no. , pp. –, .
[] S. M. Sajjad, S. H. Bouk, and M. Yousaf, “Neighbor node trust based intrusion detection system for WSN,” Procedia Computer Science, vol. , pp. –, .
[] A. Abraham, R. Jain, J. Thomas, and S. Y. Han, “D-SCIDS: distributed soft computing intrusion detection system,” Journal of Network and Computer Applications, vol. , no. , pp. –, .
[] C.-H. Tsang and S. Kwong, “Multi-agent intrusion detection system in industrial network using ant colony clustering approach and unsupervised feature extraction,” in Proceedings of the IEEE International Conference on Industrial Technology (ICIT ’05), pp. –, IEEE Computer, Hong Kong, December .
[] R.-C. Chen, C.-F. Hsieh, and Y.-F. Huang, “A new method for intrusion detection on hierarchical wireless sensor networks,” in Proceedings of the 3rd International Conference on Ubiquitous Information Management and Communication (ICUIMC ’09), pp. –, ACM, Suwon, Republic of Korea, January .
[] A. P. R. Da Silva, M. H. Martins, B. P. Rocha, A. A. Loureiro, L. B. Ruiz, and H. C. Wong, “Decentralized intrusion detection in wireless sensor networks,” in Proceedings of the 1st ACM International Workshop on Quality of Service & Security in Wireless and Mobile Networks, pp. –, ACM, Quebec, Canada, October .
[] Y. Maleh, A. Ezzati, Y. Qasmaoui, and M. Mbida, “A global hybrid intrusion detection system for wireless sensor networks,” Procedia Computer Science, vol. , pp. –, .
[] C. E. Loo, M. Y. Ng, C. Leckie, and M. Palaniswami, “Intrusion detection for routing attacks in sensor networks,” International Journal of Distributed Sensor Networks, vol. , no. , pp. –, .
[] R. Mitchell and I.-R. Chen, “A hierarchical performance model for intrusion detection in cyber-physical systems,” in Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC ’11), pp. –, IEEE Computer, Mexico, March .
[] R. Mitchell and I.-R. Chen, “On survivability of mobile cyber physical systems with intrusion detection,” Wireless Personal Communications, vol. , no. , pp. –, .
[] S. Shin, T. Kwon, G.-Y. Jo, Y. Park, and H. Rhy, “An experimental study of hierarchical intrusion detection for wireless industrial sensor networks,” IEEE Transactions on Industrial Informatics, vol. , no. , pp. –, .
[] R. Khare and A. Rifkin, “Weaving a web of trust,” World Wide Web Journal, vol. , pp. –, .
[] A. Jøsang, “A logic for uncertain probabilities,” International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, vol. , no. , pp. –, .
[] Z. A. Khan and P. Herrmann, “A trust based distributed intrusion detection mechanism for internet of things,” in Proceedings of the IEEE 31st International Conference on Advanced Information Networking and Applications (AINA ’17), pp. –, IEEE Computer, Taipei, Taiwan, March .
[] I.-R. Chen, F. Bao, M. Chang, and J.-H. Cho, “Dynamic trust management for delay tolerant networks and its application to secure routing,” IEEE Transactions on Parallel and Distributed Systems, vol. , no. , pp. –, .
[] A. B. Karuppiah, J. Dalah, K. Yuvashri, S. Rajaram, and A.-S. K. Pathan, “A novel energy-efficient sybil node detection algorithm for intrusion detection system in wireless sensor networks,” in Proceedings of the 3rd International Conference on Eco-Friendly Computing and Communication Systems (ICECCS ’14), pp. –, IEEE Computer, India, December .
[] R. Mitchell and I.-R. Chen, “Effect of intrusion detection and response on reliability of cyber physical systems,” IEEE Transactions on Reliability, vol. , no. , pp. –, .
[] P. García-Teodoro, J. Díaz-Verdejo, G. Maciá-Fernández, and E. Vázquez, “Anomaly-based network intrusion detection: techniques, systems and challenges,” Computers & Security, vol. , no. -, pp. –, .
[] R. B. Myerson, Game Theory: Analysis of Conflict, Harvard University Press, .
[] R. Mitchell and I.-R. Chen, “A survey of intrusion detection in wireless network applications,” Computer Communications, vol. , pp. –, .
[] A. Agah, S. K. Das, K. Basu, and M. Asadi, “Intrusion detection in sensor networks: a non-cooperative game approach,” in Proceedings of the 3rd IEEE International Symposium on Network Computing and Applications (NCA ’04), pp. –, IEEE Computer, Cambridge, Mass, USA, September .
[] A. Agah and S. K. Das, “Preventing DoS attacks in wireless sensor networks: a repeated game theory approach,” International Journal of Network Security, vol. , no. , pp. –, .
[] H. Deng, Q.-A. Zeng, and D. P. Agrawal, “SVM-based intrusion detection system for wireless ad hoc networks,” in Proceedings of the 2003 IEEE 58th Vehicular Technology Conference, VTC2003-Fall, vol. , pp. –, IEEE Computer, Orlando, Fla, USA, October .
[] S. S. Doumit and D. P. Agrawal, “Self-organized criticality & stochastic learning based intrusion detection system for wireless sensor networks,” in Proceedings of the IEEE Military Communications Conference (MILCOM ’03), vol. , pp. –, IEEE Computer, Boston, Mass, USA, October .
[] M. Guerroumi, A. Derhab, and K. Saleem, “Intrusion detection system against sink hole attack in wireless sensor networks with mobile sink,” in Proceedings of the 12th International Conference on Information Technology: New Generations (ITNG ’15), pp. –, IEEE Computer, USA, April .
[] K. Ioannis, T. Dimitriou, and F. C. Freiling, “Towards intrusion detection in wireless sensor networks,” in Proceedings of the 13th European Wireless Conference, pp. –, .
[] H. Jadidoleslamy, “A hierarchical intrusion detection architecture for wireless sensor networks,” International Journal of Network Security & Its Applications, vol. , no. , p. , .
[] S. Khan and K.-K. Loo, “Real-time cross-layer design for a large-scale flood detection and attack trace-back mechanism in IEEE . wireless mesh networks,” Network Security, vol. , no. , pp. –, .
[] I. Krontiris, Z. Benenson, T. Giannetsos, F. C. Freiling, and T. Dimitriou, “Cooperative intrusion detection in wireless sensor networks,” in Proceedings of the 6th European Conference on Wireless Sensor Networks (EWSN ’09), vol. of Lecture Notes in Computer Science, pp. –, Springer-Verlag.
[] M. S. I. Mamun and A. S. Kabir, “Hierarchical design based intrusion detection system for wireless ad hoc sensor network,” International Journal of Network Security & Its Applications, vol. , no. , pp. –, .
[] E. C. Ngai, J. Liu, and M. R. Lyu, “On the intruder detection for sinkhole attack in wireless sensor networks,” in Proceedings of the IEEE International Conference on Communications (ICC ’06), vol. , pp. –, IEEE Computer, Istanbul, Turkey, June .
[] I. Onat and A. Miri, “A real-time node-based traffic anomaly detection algorithm for wireless sensor networks,” in Proceedings of the International Conference on Systems Communications, pp. –, IEEE Computer, Oakland, Calif, USA, August .
[] S. Rajasegarar, C. Leckie, M. Palaniswami, and J. C. Bezdek, “Distributed anomaly detection in wireless sensor networks,” in Proceedings of the 10th IEEE Singapore International Conference on Communications Systems (ICCS ’06), pp. –, IEEE Computer, Singapore, November .
[] H. Sedjelmaci and M. Feham, “Novel hybrid intrusion detection system for clustered wireless sensor network,” International Journal of Network Security & Its Applications, vol. , no. , .
[] A. A. Strikos, “A Full Approach for Intrusion Detection in Wireless Sensor Networks,” , http://citeseerx.ist.psu.edu/viewdoc/summary?doi=.....
[] C. Wang, T. Feng, J. Kim, G. Wang, and W. Zhang, “Catching packet droppers and modifiers in wireless sensor networks,” in Proceedings of the 6th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks (SECON ’09), pp. –, IEEE Computer, Italy, June .
[] S. Buchegger and J. Y. Le Boudec, “Performance analysis of the CONFIDANT protocol,” in Proceedings of the 3rd ACM International Symposium on Mobile Ad Hoc Networking & Computing (MobiHoc ’02), pp. –, ACM, Lausanne, Switzerland, June .
[] Y.-A. Huang and W. Lee, “A cooperative intrusion detection system for ad hoc networks,” in Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks (in association with 10th ACM Conference on Computer and Communications Security), pp. –, ACM, USA, October .
[] O. Kachirski and R. Guha, “Effective intrusion detection using multiple sensors in wireless ad hoc networks,” in Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS ’03), IEEE Computer, USA, January .
[] A. Patcha and J.-M. Park, “A game theoretic approach to modeling intrusion detection in mobile ad hoc networks,” in Proceedings of the 5th Annual IEEE System, Man and Cybernetics Information Assurance Workshop (SMC ’04), pp. –, IEEE Computer, USA, June .
[] R. Puttini, M. Hanashiro, F. Miziara, R. de Sousa, L. J. García-Villalba, and C. J. Barenco, “On the anomaly intrusion-detection in mobile ad hoc network environments,” in Proceedings of the 11th IFIP International Conference on Personal Wireless Communications (PWC ’06), vol. of Lecture Notes in Computer Science, pp. –, Springer, Albacete, Spain, September .
[] R. Rao and G. Kesidis, “Detecting malicious packet dropping using statistically regular traffic patterns in multihop wireless networks that are not bandwidth limited,” in Proceedings of the IEEE Global Telecommunications Conference (GLOBECOM ’03), vol. , pp. –, IEEE Computer, USA, December .
[] E. M. Shakshuki, N. Kang, and T. R. Sheltami, “EAACK — a secure intrusion-detection system for MANETs,” IEEE Transactions on Industrial Electronics, vol. , no. , pp. –, .
[] D. Sterne, P. Balasubramanyam, D. Carman et al., “A general cooperative intrusion detection architecture for MANETs,” in Proceedings of the 3rd IEEE International Workshop on Information Assurance (IWIA ’05), pp. –, IEEE Computer, College Park, Md, USA, March .
[] B. Sun, K. Wu, and U. W. Pooch, “Zone-based intrusion detection for mobile ad hoc networks,” International Journal of Ad Hoc and Sensor Wireless Networks, vol. , no. , .
[] Y. Zhang and W. Lee, “Intrusion detection in wireless ad-hoc networks,” in Proceedings of the 6th Annual International Conference on Mobile Computing and Networking (MobiCom ’00), pp. –, ACM, Boston, Mass, USA, August .
[] P. A. Porras and P. G. Neumann, “EMERALD: event monitoring enabling response to anomalous live disturbances,” in Proceedings of the 20th National Information Systems Security Conference (NISSC ’97), pp. –, .
[] A. Patcha and J.-M. Park, “A game theoretic formulation for intrusion detection in mobile Ad hoc networks,” International Journal of Network Security, vol. , no. , pp. –, .
[] E. Anthi, L. Williams, and P. Burnap, “Pulse: an adaptive intrusion detection for the internet of things,” in Proceedings of the Living in the Internet of Things: Cybersecurity of the IoT, pp. –, London, UK, March .
[] B. Arrington, L. E. Barnett, R. Rufus, and A. Esterline, “Behavioral modeling intrusion detection system (BMIDS) using internet of things (IoT) behavior-based anomaly detection via immunity-inspired algorithms,” in Proceedings of the 25th International Conference on Computer Communications and Networks (ICCCN ’16), pp. –, IEEE Computer, Waikoloa, Hawaii, USA, August .
[] J. Arshad, M. A. Azad, M. Mahmoud Abdellatif, M. H. Ur Rehman, and K. Salah, “COLIDE: a collaborative intrusion detection framework for Internet of Things,” IET Networks, vol. , no. , pp. –, .
[] A. Azmoodeh, A. Dehghantanha, and K. R. Choo, “Robust malware detection for internet of (Battlefield) things devices using deep eigenspace learning,” IEEE Transactions on Sustainable Computing, vol. , no. , pp. –, .
[] C. Cervantes, D. Poplade, M. Nogueira, and A. Santos, “Detection of sinkhole attacks for supporting secure routing on LoWPAN for Internet of Things,” in Proceedings of the 14th IFIP/IEEE International Symposium on Integrated Network Management (IM ’15), pp. –, IEEE Computer, Canada, May .
[] R. Fu, K. Zheng, D. Zhang, and Y. Yang, “An intrusion detection scheme based on anomaly mining in internet of things,” in Proceedings of the 4th IET International Conference on Wireless, Mobile & Multimedia Networks (ICWMMN ’11), pp. –, IET, Beijing, China, November .
[] P. Kasinathan, C. Pastrone, M. A. Spirito, and M. Vinkovits, “Denial-of-service detection in LoWPAN based internet of things,” in Proceedings of the 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob ’13), pp. –, IEEE Computer, Lyon, France, October .
[] Z. A. Khan, J. Ullrich, A. G. Voyiatzis, and P. Herrmann, “A trust-based resilient routing mechanism for the internet of things,” in Proceedings of the 12th International Conference on Availability, Reliability, and Security (ARES ’17), pp. –, ACM, Reggio Calabria, Italy, August .
[] Q. D. La, T. Q. Quek, J. Lee, S. Jin, and H. Zhu, “Deceptive attack and defense game in honeypot-enabled networks for the internet of things,” IEEE Internet of Things Journal, vol. , no. , pp. –, .
[] J. Li, Z. Zhao, R. Li, and H. Zhang, “AI-based two-stage intrusion detection for software defined IoT networks,” IEEE Internet of Things Journal, vol. , no. , pp. –, .
[] C. Liu, J. Yang, R. Chen, Y. Zhang, and J. Zeng, “Research on immunity-based intrusion detection technology for the Internet of Things,” in Proceedings of the 7th International Conference on Natural Computation (ICNC ’11), vol. , pp. –, IEEE Computer, China, July .
[] Y. Liu and Q. Wu, “A lightweight anomaly mining algorithm in the Internet of Things,” in Proceedings of the 5th IEEE
International Conference on Soware Engineering and Service
Science (ICSESS ’14),pp.–,IEEEComputer,China,June
.
[] L. Liu, B. Xu, X. Zhang, and X. Wu, “An intrusion detection
method for internet of things based on suppressed fuzzy
clustering,” EURASIP Journal on Wireless Communications and
Networking,vol.,no.,p.,.
[] S. Raza, L. Wallgren, and T. Voigt, “SVELTE: real-time intrusion
detection in the internet of things,” Ad Hoc Networks, vol. , no.
, pp. –, .
[] H. Sedjelmaci, S. M. Senouci, and M. Al-Bahri, “A lightweight
anomaly detection technique for low-resource IoT devices:
a game-theoretic methodology,” in Proceedings of the IEEE
Security and Communication Networks
International Conference on Communications (ICC ’16),pp.–,
IEEE Computer, Kuala Lumpur, Malaysia, May .
[] D. H. Summerville, K. M. Zach, and Y. Chen, “Ultra-lightweight
deep packet anomaly detection for internet of things devices,”
in Proceedings of the 34th IEEE International Performance
Computing and Communications Conference (IPCCC ’15),pp.–
, IEEE Computer, Nanjing, China, December .
[] L.Xiao,X.Wan,X.Lu,Y.Zhang,andD.Wu,“IoTsecurity
techniques based on machine learning: how do IoT devices use
AI to enhance security?” IEEE Signal Processing Magazine,vol.
,no.,pp.–,.
[] K.Yang,J.Ren,Y.Zhu,andW.Zhang,“Activelearningforwire-
less IoT intrusion detection,” IEEE Wireless Communications
Magazine,vol.,no.,pp.–,.
[] T. Matsunaga, K. Toyoda, and I. Sasase, “Low false alarm
rate RPL network monitoring system by considering timing
inconstancy between the rank measurements,” in Proceedings of
the 11th International Symposium on Wireless Communications
Systems (ISWCS ’14), pp. –, IEEE Computer, Spain,
August .
[] F. Bonomi, R. Milito, J. Zhu, and S. Addepalli, “Fog computing
and its role in the internet of things,” in Proceedings of the 1st
ACM Mobile Cloud Computing Workshop (MCC ’12),pp.–,
ACM, Helsinki, Finland, August .
[] J. Bhar, “A mac protocol implementation for wireless sensor
network,” Journal of Computer Networks and Communications,
vol. , no. , .
Available via license: CC BY 4.0
Content may be subject to copyright.