Lightweight Intrusion Detection for Wireless Sensor Networks

Introduction
Wireless Sensor Networks (WSNs) have grown to become one of the most promising and interesting fields over the past few years. WSNs are wireless networks consisting of distributed sensor nodes which cooperatively monitor physical or environmental conditions. A sensor node is a tiny and simple device with limited computational resources. Sensor nodes are randomly and densely deployed in a sensed environment. A WSN is designed to detect events or phenomena, and to collect and return sensed data to the user. WSNs have been used in many applications such as battlefield surveillance, traffic monitoring, health-care, environment monitoring, etc. Some basic features of sensor networks are (Ilyas & Mahgoub, 2005):
-Self-organization
-Short-range broadcast communication and multi-hop routing
-Dense deployment and cooperative sensors
-Frequently changing topology, due to fading and node failures
-Limitations in computational resources, such as energy and memory
The characteristics of the wireless infrastructure and the characteristics of WSNs create potential risks of attacks on the network. Numerous studies have attempted to address vulnerabilities in WSNs, such as Denial of Service in Sensor Networks (Wood & Stankovic, 2002) and Secure Routing in Sensor Networks (Karlof & Wagner, 2003). Current research on security in sensor networks generally focuses on secure routing protocols, key management and prevention techniques for specific attacks (Djenouri et al., 2005). Although research on security issues in WSNs is productive, the need for a security framework for WSNs still exists. An Intrusion Detection System (IDS) is a common prevention mechanism which protects the network from intrusion. In this chapter, we study the problem of intrusion detection in WSNs, and propose a hybrid intrusion detection framework for clustered sensor networks. Our scheme suits the demands and restrictions of the infrastructure and characteristics of WSNs.
The analytical and simulation results show that our IDS scheme can detect over 90% of malicious nodes under various attacks, with a high rate of packet collision. Our contributions are as follows:
-A distributed IDS framework for creating, updating and evaluating alert packets in clustered WSNs.
-Detection of common routing problems and attacks in clustered WSNs, based on neighbor knowledge and routing rules.
-Use of a reputation system as the basis of self-triggering IDS modules and evaluation of the alert packets from monitor nodes.
-Reduction of alerts using over-hearing to reduce energy consumption in IDS modules.
-High detection rate under burst attacks.
Following this introduction section, the chapter is organized as follows: In the next section, we review and study the problem of application of IDS in WSNs and outline the challenges. Section 3 proposes our security architecture and detection algorithms for WSNs. In section 4, we provide two algorithms to self-trigger and reduce energy consumption in IDS modules. Section 5 provides the simulation and performance analysis. Finally, the chapter ends with a conclusion and future work.

Security in wireless sensor networks

Routing threats
The design of routing protocols in sensor networks never considers security as a primary goal. Routing protocols in sensor networks are simpler and more susceptible to attacks than those of the other two types of wireless networks, Ad Hoc and Cellular. The first serious discussion and analysis of secure routing was performed by (Karlof & Wagner, 2003). They studied multiple types of attacks on routing protocols in detail, and their effects on common routing protocols in WSNs. The assumption is that there are two types of attacks, outside attacks and inside attacks. In this chapter we only examine inside attacks; outside attacks are prevented by using link layer security mechanisms (Camtepe & Yener, 2005). Karlof and Wagner also propose two types of adversaries, a mote-class adversary and a laptop-class adversary. In the mote-class case, the adversary has access to a few sensor nodes with capabilities similar to legitimate nodes. These nodes are tampered with and reprogrammed for the adversary's purpose. In the laptop-class case, the adversary has access to more powerful devices such as a laptop with greater battery power, a higher CPU processing rate and a high-power radio transmitter. In this case, the adversary has more opportunities to deploy attacks on the network. In this section, we review the most common network layer attacks on WSNs and highlight the characteristics of these attacks (Karlof & Wagner, 2003).

Selective forwarding: In a selective forwarding attack, malicious nodes prevent the flow of routing information in sensor networks by refusing to forward, or by dropping, the messages traversing them (Karlof & Wagner, 2003). Another aspect of this type of attack is that malicious nodes may forward the messages along an incorrect path, creating inaccurate routing information in the network.

Sinkhole: In a sinkhole attack, the adversary redirects nearly all the traffic from a particular area via a malicious node, creating a metaphorical sinkhole (Karlof & Wagner, 2003). The laptop-class adversary may use higher computational resources and communication power than a legitimate node to advertise itself as the shortest path to the base station or, in our case, the cluster head (CH). A CH aggregates the data of the member nodes in a cluster and relays them to another CH or to the sink node.

Wormhole: In a wormhole attack, the adversary tunnels messages received at one malicious node and replays them in a different part of the network. The two malicious nodes usually claim that they are merely two hops from the base station. Khalil suggests five modes of wormhole attacks in his paper. Details of these modes are in (Khalil et al., 2005; 2008).

Hello flood attack: Many routing protocols use Hello broadcast messages to announce themselves to their neighbor nodes. The nodes that receive Hello messages assume that the source nodes are within range and add the source nodes to their neighbor list. The laptop-class adversary can spoof Hello messages with sufficient transmission power to convince a group of nodes that they are its neighbors.

Sybil attack: In this attack, a malicious node presents multiple identities to other nodes in the network. The Sybil attack poses a significant threat to most geographic routing protocols. Sybil attacks are prevented via link layer authentication (Camtepe & Yener, 2005; Sultana et al., 2007). Within the limited scope of this paper, we assume that the Sybil attack is prevented via authentication, so the combination of Sybil with other attacks is not considered in this paper.

Intrusion detection system in wireless networks
An Intrusion Detection System (IDS) is defined as a system that tries to detect and alert on attempted intrusions into a system or a network (Richard Heady, 1990). IDSs are classified into two major approaches: misuse detection and anomaly detection. Each approach has its own unique advantage. The misuse technique has the advantage that it can detect most known attacks in a rule database, but new attacks require new rules to be constructed and distributed (Roesch, 2002; Paxson, 1999). The anomaly technique has the advantage that it doesn't require any rules and can detect novel attacks. The main disadvantage of anomaly detection is the high false positive rate (Balasubramaniyan et al., 1998; Cuppens & Miège, 2002; Janakiraman et al., 2003). Although IDS is used as a major prevention mechanism in wired networks, it is difficult to apply IDS in wireless networks, because of the vast difference in network characteristics. Sensor networks inherit all aspects of wireless networks, and they have their own distinct characteristics that make the design of a security model for sensor networks different from that of Ad Hoc networks. The batteries in sensor networks may not be rechargeable; thus, we cannot recharge or replace the batteries if sensor nodes use excessive computational resources to process the data. Sensor networks are resource constrained compared to Ad Hoc and cellular networks (Aboelaze & Aloul, 2005). A typical sensor node such as MICA has an 8 MHz microprocessor, 128 KB program flash memory and 512 KB serial flash memory (Technology, n.d.). WSNs are deployed more densely and randomly in the environment and sensor node failure is likely to happen. So, it is impossible for a sensor node to store the signature data about malicious nodes for the whole network in the manner of traditional misuse detection.

Also, it is very difficult to use traditional anomaly detection methods in WSNs, because sensor nodes cannot monitor all the traffic traversing them and compute anomalous events. These specific characteristics of WSNs demand a novel design of the security architecture for such an environment. Though wireless Ad Hoc networks and wireless sensor networks share some common characteristics, and IDSs have been developed for wireless Ad Hoc networks (Mishra et al., 2004), R. Roman showed in his paper that they can't be directly applied in WSNs (Roman, 2006). He proposed a novel technique for optimal monitoring of neighbors called spontaneous watchdog, which extends the watchdog monitoring mechanism in (Marti et al., 2000). The problem with this approach is that the author fails to consider the selection of a global agent. Another weakness of this approach is that it does not deal with the collision of packets, which is likely given the high density of nodes in WSNs. Ilker Onat et al. (2005) proposed an anomaly detection based security scheme for WSNs. In their method, each (Onat & Miri, 2005). The system features analyzed for anomalies are the average received power and the packet arrival rate. Their system cannot detect selective forwarding and wormhole attacks, because of their simple statistical features. Soumya et al. (2005) proposed an intrusion detection mechanism based on an ant colony system (Banerjee et al., 2005). Their basic idea is to identify the path affected by an intrusion in the sensor network, by investigating the pheromone concentration. However, they do not specify a detailed solution to routing attacks. In 2006, Techateerawat P. et al. published a paper in which they designed an intrusion framework based on the layout and selection of monitor nodes (Techateerawat & Jennings, 2006). They proposed a voting algorithm for the selection of nodes which must trigger their IDS agent.

Their approach reduced the number of monitor nodes and the energy consumption in networks, but also reduced the probability of detection. Unfortunately, their detection algorithms weren't demonstrated in detail. A recent study by Chong E. L. et al. (2006) developed an intrusion detection scheme that uses a clustering algorithm to build a model of normal traffic behavior; they then used this model to detect anomalous traffic patterns (Chong Eik Loo & Palaniswami, 2006). A.P. Silva et al. proposed a decentralized, specification-based IDS scheme (da Silva et al., 2005). In these two schemes, every IDS agent functions independently, and can detect signs of intrusion locally, by observing all data received, without collaboration with its neighbors. They tried to apply an anomaly technique designed for wired networks to WSNs, so their scheme incurs excessive computational resource consumption in each node. Afrand Agah et al. applied game theory in order to build a detection framework for denial of service in WSNs. However, their scheme is not specified for routing attacks in WSNs (Agah et al., 2006). There are multiple IDS proposals for WSNs, but many are incomplete or only focus on a specific attack (Wang et al., 2006). Our contribution builds on previous work and involves the creation of a novel, efficient IDS for WSNs. Furthermore, we propose a simple selection algorithm to trigger IDS modules in particular nodes. Our algorithm minimizes the number of monitor nodes which must trigger the intrusion detection modules, thus enhancing the network lifetime.

Architecture
In sensor networks, multiple routing protocols, power management schemes and data dissemination methods have been designed, in which energy and computational resources are essential design constraints. Cluster-based routing protocols were developed for sensor networks (LEACH, HEED, PEGASIS, TEEN and APTEEN (Abbasi & Younis, 2007)) to achieve scalability, power savings, data routing redundancy, etc. Routing is usually separated into two phases: the setup phase and the steady phase. In the setup phase, the clusters are organized, and cluster heads are randomly selected and rotated to distribute the energy load across the network. In the steady phase, the cluster heads receive all data in their clusters and send aggregated data to the base station, to reduce the amount of information arriving at the base station. In our IDS architecture, every node belongs to a single cluster among the clusters which are geographically distributed across the whole network. Our aim is to utilize cluster-based protocols for energy saving, reduced computational resources and data transmission redundancy. In this section, we propose an intrusion framework for information sharing, which utilizes a hierarchical architecture to improve the intrusion detection capability of all participating nodes. Previous work on the application of IDS to sensor networks was undertaken by R. Roman (Roman, 2006). The author suggested general guidelines for the application of IDS to WSNs, which influenced our work. In addition, our proposed intrusion detection framework is influenced and improved by previous works in (Khalil et al., 2005; da Silva et al., 2005; Hu & Burmester, 2009). In our scheme, an IDS agent is located in every sensor node. Each sensor node has two intrusion modules, called the local IDS agent and the global IDS agent. Because of the limited battery life and resources, each agent is only active when it is needed.

Local agent: The local agent module is responsible for monitoring the information sent and received by the sensor. The node stores an internal database, named a blacklist, about specific malicious nodes in the network. When the network is initially configured, the sensor nodes lack any knowledge about malicious nodes. After the deployment of the WSN, the signature database is gradually constructed. Entries in the malicious node database are created and propagated to every node by the CHs.

Global agent: The global agent is responsible for monitoring the communication of its neighbor nodes. Because of the broadcast nature of wireless networks, every node can receive all packets within its communication range. We use the watchdog monitoring mechanism and pre-defined routing rules with two-hop neighbor knowledge to monitor these packets. If the monitor nodes discover a potential breach of security within their radio range, they create and send an alert to the CHs. The CHs receive the alert and make the decision about the suspicious node. Both agents are implemented in the application layer, as illustrated in Fig. 1.

Detection algorithms
We assume that when a sensor node is first deployed in the environmental field, an adversary requires a particular period of time to deploy an attack. This implies that no malicious node appears during the initial stage of sensor node deployment. The monitor nodes use the watchdog monitoring mechanism and predefined rules with two-hop neighbor knowledge to detect anomalies within their transmission ranges. In watchdog, due to the broadcast nature of wireless networks, monitor nodes receive packets within their radio range. These packets are captured and stored in a buffer which contains information including the packet identification and type, source and destination, etc. Each (Khalil et al., 2005; 2008). We also apply two-hop neighbor knowledge as a component of our detection technique. Unlike the two-phase setup in Khalil's work, we establish the two-hop neighbor list in each sensor node via a single phase, by modifying the Hello packet. When the sensor nodes are initially deployed in the sensing environment, each node must build its direct neighbor list and a list of the two-hop neighbors reachable through these one-hop neighbors.

To accomplish this, each node broadcasts its Hello message, whose fields contain the source node ID, the immediate node, and a hop counter set to two. In the case of the source node, the source node ID and the immediate node carry the same node ID. When a node receives a two-hop Hello packet, it sets the immediate node to its own node ID, decrements the hop count to one and re-broadcasts it. The sensor node receiving this Hello message records the immediate node as its direct neighbor, and the source node as its two-hop neighbor. This process is performed once, after the deployment of sensor nodes. We make the assumption that the neighbor node knowledge is secure and confidential within the deployment period.

Malicious node database/blacklist: This internal database is computed and generated in the CH from the anomalies detected by the global detection algorithms of the monitor nodes. Once a monitor node discovers an anomalous event within its neighborhood, it creates and sends an alert to its CH. If the malicious counter of a suspicious node stored in a CH crosses a threshold X, the CH creates and propagates a new rule to every sensor node in the cluster. The sensor nodes apply the new rule and add the entry to their malicious node database. The malicious node is isolated from the cluster and no longer takes part in communication in the network.

Pre-defined routing rules: When a sensor node is initially deployed, there is no entry in its internal malicious node database, except for some predefined, simple rules in the global agent. The global agent uses the pre-defined rules and the two-hop neighbor list to monitor communication in its neighborhood. These rules help monitor nodes detect common problems and specific attacks on routing protocols, based on previous work (da Silva et al., 2005). In our scheme, these rules are adapted to the routing protocol used.
-Interval rule: An alert is created by monitor nodes if the period between the receptions of two consecutive packets exceeds the allowed limit.
-Integrity rule: The packet payload must be the same along the path on a transmission link.
-Delay rule: The delay of a packet from one node must be limited to the timeout period.
-Radio transmission range rule: All packets received by a monitor node must originate from among its neighbors or a previous hop, verified via the estimation of the average received power (dBm).
-Neighbor rule: 1. The monitor node waits to determine if the destination node forwards the packet along the path to the sink. If not, it sends an alert packet to the CH.
2. The monitor node waits to detect the packet which was forwarded along the path to the sink. It checks its two-hop neighbor knowledge to determine if the destination node of the forwarded packet is on the right path to the sink. If not, it sends an alert packet to the CHs.
When a sensor node receives a packet from a sensor in the network, if the source node's ID is in its blacklist then the sensor node uses Local function() to drop the packet. If both the source and destination nodes are its one-hop neighbors, it triggers the Global detection function. The algorithm is illustrated in Fig. 4. The global detection modules use two-hop neighbor knowledge and routing rules to detect anomalies within their transmission ranges. Global function() is illustrated in Fig. 5. The CHs are responsible for alert aggregation from monitor nodes and computation. If the number of alerts about a suspicious node crosses the threshold X, the CHs create a rule and propagate it to every node in the cluster. The algorithm is illustrated as follows: By applying our proposed algorithm, the following attacks introduced in section 2 are detected easily.
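The following is an added example (not code from the chapter) that puts the pieces described above together: the single-phase Hello discovery that builds one-hop and two-hop neighbor tables, a monitor node's global agent applying the neighbor, integrity and delay rules to a buffered link, and a cluster head that blacklists a suspect once its alert counter reaches X. The topology, timeout, threshold and traffic are constructed for the example.

```python
from collections import defaultdict

# Constructed topology: symmetric radio links. S-A-B-C-SINK is the routing
# path; M and X hear both A and B, so they are the monitors of link A-B.
LINKS = [("S", "A"), ("A", "B"), ("B", "C"), ("C", "SINK"),
         ("M", "A"), ("M", "B"), ("X", "A"), ("X", "B")]
TIMEOUT = 3      # constructed delay-rule timeout, in ticks
THRESHOLD_X = 2  # constructed malicious-counter threshold at the CH


def radio_graph(links):
    g = defaultdict(set)
    for u, v in links:
        g[u].add(v)
        g[v].add(u)
    return g


def build_neighbor_tables(graph):
    """Single-phase Hello discovery: every node broadcasts (source, immediate=
    source, hops=2); a receiver records source as a direct neighbor, sets
    immediate to itself, decrements hops and re-broadcasts; a receiver of the
    hops=1 copy records immediate as direct neighbor and source as a two-hop
    neighbor reachable through that immediate node."""
    one_hop = defaultdict(set)
    via = defaultdict(lambda: defaultdict(set))  # via[n][b]: nodes reachable through b
    for source in graph:
        for n1 in graph[source]:          # n1 hears (source, source, 2)
            one_hop[n1].add(source)
            for n2 in graph[n1]:          # n2 hears (source, n1, 1)
                if n2 == source:
                    continue
                one_hop[n2].add(n1)
                via[n2][n1].add(source)
    return one_hop, via


class ClusterHead:
    """Aggregates alerts; when a suspect's counter reaches X, a blacklist rule
    is created (and would be propagated to every node in the cluster)."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.counter = defaultdict(int)
        self.blacklist = set()
        self.log = []

    def alert(self, monitor, suspect, reason):
        self.log.append((monitor, suspect, reason))
        self.counter[suspect] += 1
        if self.counter[suspect] >= self.threshold:
            self.blacklist.add(suspect)


def local_agent_accepts(blacklist, source):
    """Local agent: packets from blacklisted sources are dropped."""
    return source not in blacklist


class Monitor:
    """Global agent of one monitor node: watchdog over links whose endpoints
    are both its one-hop neighbors."""
    def __init__(self, me, one_hop, via, ch):
        self.me, self.one_hop, self.via, self.ch = me, one_hop[me], via[me], ch
        self.buffer = {}   # intrusion buffer: pkt_id -> (forwarder, payload, deadline)
        self.now = 0

    def overhear(self, pkt_id, src, dst, payload):
        entry = self.buffer.get(pkt_id)
        if entry is not None:                     # the forwarding we waited for
            forwarder, orig_payload, _ = entry
            if src != forwarder:
                return
            del self.buffer[pkt_id]
            if payload != orig_payload:           # integrity rule
                self.ch.alert(self.me, forwarder, "integrity rule")
            elif dst not in self.via[forwarder]:  # neighbor rule 2: next hop unknown to B
                self.ch.alert(self.me, forwarder, "neighbor rule 2: unknown next hop")
            return
        if src in self.one_hop and dst in self.one_hop:
            self.buffer[pkt_id] = (dst, payload, self.now + TIMEOUT)

    def tick(self):
        """Delay/neighbor rule 1: a buffered packet not forwarded in time is reported."""
        self.now += 1
        for pkt_id, (forwarder, _, deadline) in list(self.buffer.items()):
            if self.now > deadline:
                del self.buffer[pkt_id]
                self.ch.alert(self.me, forwarder, "neighbor rule 1: packet not forwarded")


def run_scenario():
    """Constructed traffic: one honest forward, then B drops, misroutes and
    tampers. Returns the CH plus the neighbor tables."""
    graph = radio_graph(LINKS)
    one_hop, via = build_neighbor_tables(graph)
    ch = ClusterHead(THRESHOLD_X)
    monitors = [Monitor(m, one_hop, via, ch) for m in ("M", "X")]

    def broadcast(pkt_id, src, dst, payload):
        for m in monitors:
            if src in graph[m.me]:   # only nodes in radio range overhear it
                m.overhear(pkt_id, src, dst, payload)

    broadcast(1, "A", "B", "t=21C"); broadcast(1, "B", "C", "t=21C")   # honest
    broadcast(2, "A", "B", "t=22C")                                    # B drops it
    for m in monitors:
        for _ in range(TIMEOUT + 1):
            m.tick()
    broadcast(3, "A", "B", "t=23C"); broadcast(3, "B", "Q", "t=23C")   # Q not B's neighbor
    broadcast(4, "A", "B", "t=24C"); broadcast(4, "B", "C", "t=99C")   # payload altered
    return ch, one_hop, via
```

Both monitors report every event, so the same alert reaches the CH twice; the over-hearing mechanism in the later section is what removes that redundancy.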

Detection of Selective forwarding:
In selective forwarding attacks, the transmission link from node A to node B is monitored by their monitor nodes, for example X, Y, Z. Nodes X, Y, Z capture and store the packets going out of node A with node B as their next intermediate node. If node B stops or drops these packets, the monitor nodes create and send an alert to the CH. The monitor nodes can also use the predefined rules to check whether node B forwards the packet along the right path. If node B sends the packets along a wrong path by forwarding them to an unknown node, the monitor nodes check their two-hop neighbor lists. If the destination node ID of the forwarded packet is not in node B's neighbor list, the monitor nodes send an alert to the CH. After the packets are forwarded along the right path, the entry in the monitor node's intrusion buffer is removed.

Detection of Sinkhole and Hello flood:
The common feature of the two attacks is that the malicious node presents itself as the nearest path to the base station by using high-power transmission. All packets arriving at node A must originate from nodes in A's neighbor list; the monitor nodes use the neighbor list and the predefined radio transmission range rule to check whether a packet originated from a distant node.

Detection of Wormhole:
Our system can detect four types of wormhole attacks by inheriting the advantages of the local monitoring mechanism. We use the two-hop neighbor list and the predefined rules to improve the detection of wormholes in clustered WSNs.

Optimal triggering of intrusion detection modules
In our scheme and in previous work, every node participates in the intrusion detection, so the network lifetime is potentially reduced quickly, because the workload is concentrated in the IDS modules. In this section, we provide two algorithms to reduce the energy consumption of IDS modules in WSNs. Current research on intrusion detection and prevention techniques in WSNs is generally built on the assumption of a trusted environment. Unfortunately, sensor nodes are randomly deployed in an unknown, hostile environment, so they cannot be trusted. A disadvantage of cooperative IDSs is their detection accuracy, because they cannot evaluate alerts from monitor nodes. By using a lightweight trust-based framework as the basis of cooperative IDSs, we can overcome this problem and evaluate alerts from monitor nodes based on their trust values. Evaluation of alerts arriving at the CHs makes our IDS scheme more resilient and accurate. We can apply any reputation framework for WSNs as an integrated part of our IDS scheme.

Triggering based on trust priority
Trust is defined as the level of trustworthiness of a particular node. $Tv_{X,Y}$ is the trust value of node Y calculated by node X. In our scheme, we require each sensor node to maintain a reputation table of its neighbors; the reputation value is a metric of trust. A reputation table is a small database of the trust values of the direct neighbor nodes; for example, node X holds

$Tv_X = (Tv_{X,1}, Tv_{X,2}, \dots, Tv_{X,N})$

where $Tv_{X,i}$ represents the trust value of the i-th neighbor node of X. The calculation and update of reputation tables in sensor nodes can be found in (Kaplantzis et al., 2007). Our reputation system fits the detection modules well, because both are based on an over-hearing mechanism. Each sensor node calculates the average trust of its neighbor nodes with the following equation: Where E[X] represents the average trust value of X's neighbor nodes. The trust value is classified by the following mapping function: After calculating the trust average, the sensor node sets this value according to the mapping function above, to indicate the trust level requirement. Only nodes having a better than average trust value can trigger the global agent for cooperative detection. Each packet includes its own trust requirement (high, medium or uncertain) in its header. Thus, only sensor nodes with a trust value better than the trust requirement can trigger their global agent. However, if a sensor node with a low trust value tries to send a false alert packet to the CHs, the CHs drop the alert packet, and its trust value is reduced for its malicious behavior. In our case, nodes having a low trust value cannot trigger or participate in the intrusion detection.

Evaluation of alert packets
The CHs are responsible for alert aggregation and computation. We propose four levels of trust, so that the alert counter of each suspected malicious node can be computed from the trust states of the monitor nodes that report it. The malicious counter accumulates the malicious activities of a sensor node and has a threshold which must not be exceeded. If the malicious counter of a sensor node exceeds the threshold, the sensor node is revoked from the cluster and the WSN. We suggest four parameters (λ, β, δ, ϕ) associated with the four trust levels of a monitor node's incoming alert packet; in our proposed scheme λ = 0. The equation for computing the alert counter of a malicious node is described as follows: Where 0 < β < δ < ϕ < 1 and i, j, k are the numbers of alert packets with the corresponding trust states mentioned above. So, the aggregation and computation of alert packets at the CHs is improved as shown in Fig. 7 below. By setting the trust requirement to the average of the trust, we can reduce the participation of sensor nodes in the intrusion detection, while providing high trustworthiness of the incoming alert packets.
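An added example (not the chapter's code) of the two trust mechanisms from this and the previous section: the trust-requirement check that decides whether a node may trigger its global agent, and the trust-weighted alert counter at the CH that drops and penalises alerts from low-trust monitors. The mapping bands, the weights β, δ, ϕ, the threshold and the penalty are constructed; the counter is implemented as the weighted sum λ·l + β·i + δ·j + ϕ·k, which is my reading of the four-parameter description above.

```python
from collections import defaultdict
from statistics import mean

LEVELS = ["low", "uncertain", "medium", "high"]
# lambda, beta, delta, phi: the chapter fixes lambda = 0 and 0 < beta < delta < phi < 1;
# the concrete values below are constructed for this example.
WEIGHTS = {"low": 0.0, "uncertain": 0.25, "medium": 0.5, "high": 0.8}
THRESHOLD_X = 2.0  # constructed malicious-counter threshold at the CH


def trust_level(tv):
    """Constructed mapping function from a trust value in [0, 1] to a level."""
    if tv < 0.25:
        return "low"
    if tv < 0.5:
        return "uncertain"
    if tv < 0.75:
        return "medium"
    return "high"


def trust_requirement(reputation_table):
    """E[X]: average trust of X's neighbours, mapped to the level that a packet
    carries in its header as its trust requirement."""
    return trust_level(mean(reputation_table.values()))


def may_trigger_global_agent(packet_requirement, own_trust):
    """A node triggers its global agent only if its own trust level meets the
    packet's requirement (ties accepted here, an assumption); low never does."""
    level = trust_level(own_trust)
    return level != "low" and LEVELS.index(level) >= LEVELS.index(packet_requirement)


def alert_counter(reporters, reputation):
    """Trust-weighted counter lambda*l + beta*i + delta*j + phi*k, where
    l, i, j, k are the numbers of alerts from monitors at each trust level."""
    counts = defaultdict(int)
    for monitor in reporters:
        counts[trust_level(reputation[monitor])] += 1
    return sum(WEIGHTS[lvl] * counts[lvl] for lvl in LEVELS)


class ClusterHead:
    def __init__(self, reputation, threshold=THRESHOLD_X, penalty=0.1):
        self.rep = dict(reputation)          # CH's reputation table of its members
        self.threshold, self.penalty = threshold, penalty
        self.reporters = defaultdict(list)   # suspect -> monitors that alerted
        self.revoked = set()

    def receive_alert(self, monitor, suspect):
        """Alerts from low-trust monitors are dropped and the sender penalised;
        otherwise the weighted counter is updated and checked against X."""
        if trust_level(self.rep[monitor]) == "low":
            self.rep[monitor] = max(0.0, self.rep[monitor] - self.penalty)
            return False
        self.reporters[suspect].append(monitor)
        if alert_counter(self.reporters[suspect], self.rep) > self.threshold:
            self.revoked.add(suspect)        # rule propagated, node isolated
        return True
```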

Selection algorithm
As mentioned in the previous section, the monitor nodes observe the behavior of the packets that pass through them toward their destination. To minimize the number of nodes activating the intrusion detection modules, our proposed scheme selects the nodes which cover as many other nodes as possible. Our main idea is to choose a set of nodes which cooperatively cover all the nodes in the network. Our proposed scheme relies only on the neighbor node information built in each node to find these nodes. We also make the assumption that the adversary cannot successfully compromise a node during the short deployment phase. Thus, the neighbor node information sent to the sink node is trustworthy. The selection of monitor nodes is performed by the sink node by the following process (Fig. 8, selection algorithm at the sink node):
-After deployment, the sensor node builds its direct neighbor list and sends it to the sink node.
-The sink node finds the set of nodes which cooperatively cover all nodes in the network as the chosen monitor nodes. The finding algorithm is explained in detail below.
-The sink node sends a request message to these chosen nodes requiring them to activate their intrusion detection modules.
-Every message sent by a sensor node or the sink node is authenticated using their shared keys.
We consider a network of N sensors as a set of static nodes denoted as $R = \{n_1, n_2, \dots, n_N\}$ and a single sink node. To describe the selection algorithm, we use the terms "sensor" and "node" interchangeably. The communication in the network is always destined toward the sink node. Nodes i and j are neighbors if they are within each other's radio range, denoted by an edge (i, j). Let $N(i) := \{ j \mid (i, j) \}$ denote the set of neighbors of node i and $N(i) \setminus j$ denote that set without node j. Besides, we assume the sink node or cluster heads (CHs) can have greater battery power, a more capable CPU or a sensitive antenna which can reach other CHs or the sink node. The sink node searches for the set of nodes which cooperatively cover all nodes in the network, based on the neighbor node information received. The algorithm is described in Fig. 8.
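An added example (not the chapter's code, and not the Fig. 8 procedure, which is not reproduced on this page) of the selection process at the sink: a greedy cover heuristic over the reported neighbor sets N(i), followed by the authenticated activation request to each chosen node. The neighbor reports, the per-node shared keys and the use of HMAC-SHA256 for the authentication are constructed assumptions.

```python
import hashlib
import hmac

# Constructed neighbor reports N(i) as received by the sink after deployment.
NEIGHBOR_REPORTS = {
    1: {2, 3}, 2: {1, 3, 4}, 3: {1, 2, 4, 5}, 4: {2, 3, 5, 6},
    5: {3, 4, 6, 7}, 6: {4, 5, 7}, 7: {5, 6},
}
# Constructed pairwise keys shared between each node and the sink.
SHARED_KEYS = {n: f"key-{n}".encode() for n in NEIGHBOR_REPORTS}


def coverage(node, reports):
    """A monitor overhears the links among its one-hop neighbours, so it
    covers itself and N(i)."""
    return {node} | reports[node]


def select_monitors(reports):
    """Greedy cover (assumed heuristic): repeatedly pick the node that covers
    the most still-uncovered nodes until every node is covered."""
    uncovered = set(reports)
    chosen = []
    while uncovered:
        best = max(sorted(reports), key=lambda n: len(coverage(n, reports) & uncovered))
        chosen.append(best)
        uncovered -= coverage(best, reports)
    return chosen


def is_full_cover(chosen, reports):
    return set().union(*(coverage(n, reports) for n in chosen)) == set(reports)


def activation_request(node, key):
    """Sink -> node message asking it to activate its IDS modules, carrying an
    HMAC tag under the pairwise shared key."""
    body = f"ACTIVATE-IDS:{node}".encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


def accept_request(node, body, tag, key):
    """Node side: constant-time tag check, and the request must name this node."""
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag) and body == f"ACTIVATE-IDS:{node}".encode()


def activate_monitors(reports, keys):
    """Whole procedure at the sink: select, then send authenticated requests;
    returns the nodes whose IDS modules were activated."""
    activated = []
    for node in select_monitors(reports):
        body, tag = activation_request(node, keys[node])
        if accept_request(node, body, tag, keys[node]):
            activated.append(node)
    return activated
```

Greedy selection is not guaranteed to be minimal, so a sink with spare capacity can compare it against an exhaustive search on small clusters.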

Reduction of alert packets using over-hearing
In some cases of deployment, multiple sensor nodes are concentrated in a small area. Consequently, if there is malicious activity on a link, multiple alert packets may be transmitted to the CHs from different monitor nodes in an instant. Fig. 9 illustrates the case when two monitor nodes X, Z send the same alert packet about a malicious node Y. The major issue in this case is the redundant transmission of alert packets to the CHs, which can cause collisions and waste energy on the transmission of the same alert packets. In a given case, a single alert packet sent to the CHs is sufficient for one malicious activity. If a single alert packet is sent at the instant the malicious activity occurs, we can reduce redundant alert packets, thus reducing energy consumption in monitor nodes. To resolve this problem, we apply an over-hearing mechanism at the Medium Access Control (MAC) layer. Over-hearing is not a new approach. It was initially applied in 802.11 (Bianchi, 2000), where nodes use over-hearing to determine when the channel is free. In (Le et al., 2006), the authors extended S-MAC to event-driven applications, where there are multiple redundant transmissions. The principle of our approach is very simple. When malicious activity occurs on a transmission link, multiple monitor nodes are aware of this malicious activity, and prepare alert packets to send to the CHs. If a monitor node doesn't obtain the medium to send an alert packet, it knows there is a transmission within range. The monitor node buffers the alert packet and over-hears the packets sent within range. If the monitor node detects a neighbor sending the same alert packet, it drops the alert packet in its buffer. Otherwise, the monitor node keeps the alert packet until it obtains the medium and then sends it. Using this method, we can reduce both the number of transmissions and the number of collisions caused by monitor nodes sending the same alert packets. The study in (Hill et al., 2000a) found that each bit transmitted in WSNs consumes power roughly equivalent to executing 800-1,000 instructions. Thus, we can minimize the power consumption in detection modules, because communication is more costly than computation in WSNs.
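An added example (not the chapter's code) of the over-hearing rule above: several monitors of one link buffer the same alert, the one that wins the medium transmits, and every monitor within its range that over-hears the identical alert drops its own copy. Medium arbitration is reduced to a constructed winner order, and the radio adjacency among monitors is constructed; it also shows the caveat that a monitor out of range of the sender still transmits.

```python
# Constructed radio adjacency among monitor nodes (who can over-hear whom).
IN_RANGE = {("X", "Z"), ("Z", "X"), ("X", "W"), ("W", "X"), ("Z", "W"), ("W", "Z")}


def send_alerts(pending, order, overhearing=True, in_range=IN_RANGE):
    """pending: {monitor: alert} buffered at the same instant, where an alert
    is (suspect, reason). order: the monitor that wins the medium in each
    slot (constructed arbitration; a monitor not yet holding the medium keeps
    its alert buffered). Returns the alerts actually transmitted to the CH."""
    buffers = dict(pending)
    transmitted = []
    for winner in order:
        alert = buffers.pop(winner, None)
        if alert is None:              # this monitor already dropped its copy
            continue
        transmitted.append((winner, alert))
        if not overhearing:
            continue
        for m, a in list(buffers.items()):
            if a == alert and (winner, m) in in_range:
                del buffers[m]         # over-heard the same alert: drop own copy
    return transmitted


def transmissions_saved(pending, order, in_range=IN_RANGE):
    """How many alert transmissions over-hearing removes for one event."""
    plain = send_alerts(pending, order, overhearing=False, in_range=in_range)
    reduced = send_alerts(pending, order, overhearing=True, in_range=in_range)
    return len(plain) - len(reduced)


def demo():
    """Constructed event: X, Z, W all report Y; V reports an unrelated node Q."""
    pending = {"X": ("Y", "drop"), "Z": ("Y", "drop"),
               "W": ("Y", "drop"), "V": ("Q", "drop")}
    order = ["X", "Z", "W", "V"]
    return send_alerts(pending, order), transmissions_saved(pending, order)
```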

Performance analysis
In this section, we analyze and evaluate the proposed detection capability, to determine the performance of our schemes. The probability of detection of an attack, P D , depends on three factors: number of monitor nodes, probability of a missed detection of a monitor node, and our malicious counter threshold X. We defined K as the number of monitor nodes and P C as the probability of a collision occurring in a transmission link. When the number of alerts cross the threshold X, the rule is created and propagated to every sensor nodes by CHs. Therefore, P D is the probability of more than X nodes in the total of K nodes which send an alert to CH. The event of the probability P D occurs whenever there is an event which has the probability of more than X nodes sending an alert. Because the events are independent so P D = P X + P X+1 + ... + P K The probability of an event that there are X nodes sending alert to CH is: So the probability detection of an attacker PD can be written as following: As the result, when K monitor nodes collaborate in monitoring, the probability detection of an attack is: We defined P F as the probability of a false positive for a legitimate node. A false positive occurs in a link when a monitor node M receives a packet from D, but in its buffer doesn't have any information about the packet from S because of the collision. So the monitor node M may think the node D fabricating the packet instead of forwarding along the path to the destination. The monitor node considers it as a malicious action of the node D. The Fig. 10 illustrates the false positive of a monitor node. The probability of false detection of monitor node M can be found as following steps: P F = P S + P D ,whereP S is the probability of a monitor node M which does not receive a packet from S but receive the forwarded packet from D and P D is the probability of the monitor node M which receive a packet from S but does not receive the forwarded packet from D. 
The probability $P_S$ can be written as: The probability $P_D$ can be written as: Similarly to equation (8), the false-positive probability of the monitor nodes is:

Different detection algorithms (in both wired and wireless IDS) estimate the threshold in different ways. The threshold cannot be determined exactly; it can only be estimated, and the best value chosen from the analytical model of the detection algorithm and from simulation. In our model the threshold depends on the probability of collision and on the average number of monitor nodes on a link (Fig. 11). For any distance $x$ between two communicating nodes, the region covered by both radios is the area of the sectors XAY and XBY minus the area of the rhombus AXBY, and is calculated as: The probability distribution function of $x$ is given by: So the probability density function is: The expected area of XY is calculated as: So the average number of monitor nodes for each individual link is given by: where $d$ is the network density.

As shown in Fig. 12, the scheme becomes more effective as the number of monitor nodes increases. The probability of a missed detection also affects the efficiency of the scheme; however, the probability of detection is close to 1 once the number of monitor nodes exceeds 5, even under a high probability of missed detection. The probability of a false positive, shown in Fig. 13, rises with the number of nodes, because adding nodes increases the probability of a collision. The number of monitor nodes must therefore be balanced against the false-detection probability according to the requirements of the application.

(Gui & Mohapatra, 2005). Sensor nodes are deployed in a randomized grid. The simple carrier-sense MAC is used as the MAC protocol and Simple Tree Routing as the routing protocol.
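The following is an added worked example, not code from the chapter, that carries the analysis above through numerically: the threshold-based detection probability $P_D$ and false-positive probability $P_F$ for $K$ monitor nodes with counter threshold $X$, and the average number of monitor nodes on a link as density $d$ times the expected overlap area of the two radios. The chapter does not reproduce its formulas, so the model here is an assumption: each monitor node independently raises an alert on an attack with probability $1 - p_{miss}$ and raises a false alert on a legitimate link with probability $p_{false}$ (which would come from $P_C$ in the chapter's model); a neighbour at distance $x$ is uniformly placed in the disc of radius $r$, so $x$ has density $2x/r^2$; and the overlap region is the lens of two radius-$r$ discs at distance $x$ (the two sectors minus the rhombus, as the chapter describes). The parameter names are the example's own.

```python
"""Added example (not from the chapter): collaborative detection with a
threshold X over K monitor nodes, plus the expected monitor count per link.

Assumed model (not stated by the chapter):
 - a monitor node independently detects an attack on its link with
   probability 1 - p_miss and sends an alert to the CH;
 - on a legitimate link a monitor node raises a false alert with
   probability p_false (in the chapter this comes from the collision
   probability P_C);
 - a neighbour's distance x from a node is uniform over the disc of radius
   r, so x has pdf 2x / r^2 on [0, r];
 - both endpoints of a link have radio range r, and every node in the
   intersection of their ranges can overhear the link.
"""
from math import comb, acos, sqrt, pi


def binom_tail(k, x, p):
    """P(at least x of k independent trials succeed), success prob p."""
    return sum(comb(k, i) * p**i * (1 - p)**(k - i) for i in range(x, k + 1))


def detection_probability(k, x, p_miss):
    """P_D: at least x of k monitor nodes alert on a real attack."""
    return binom_tail(k, x, 1 - p_miss)


def false_positive_probability(k, x, p_false):
    """P_F: at least x of k monitor nodes alert on a legitimate link."""
    return binom_tail(k, x, p_false)


def lens_area(x, r):
    """Area covered by both radios: two sectors minus the rhombus AXBY."""
    if x >= 2 * r:
        return 0.0
    half_angle = acos(x / (2 * r))
    sectors = 2 * half_angle * r * r
    rhombus = (x / 2) * sqrt(4 * r * r - x * x)
    return sectors - rhombus


def expected_lens_area(r, steps=100_000):
    """E[A(x)] for x ~ 2x/r^2 on [0, r], midpoint-rule integration."""
    h = r / steps
    total = 0.0
    for i in range(steps):
        x = (i + 0.5) * h
        total += lens_area(x, r) * (2 * x / (r * r)) * h
    return total


def expected_monitor_nodes(d, r):
    """Average number of nodes overhearing one link at density d."""
    return d * expected_lens_area(r)


def choose_threshold(k, p_miss, p_false, min_pd=0.9):
    """Largest X with P_D >= min_pd (largest X minimises P_F).

    Returns (X, P_D, P_F), or None if even X = 1 cannot reach min_pd.
    """
    for x in range(k, 0, -1):
        pd = detection_probability(k, x, p_miss)
        if pd >= min_pd:
            return x, pd, false_positive_probability(k, x, p_false)
    return None


if __name__ == "__main__":
    # Constructed parameters: 30% per-node miss rate, 10% false-alert rate.
    print("K  X   P_D     P_F")
    for k in range(1, 9):
        chosen = choose_threshold(k, p_miss=0.3, p_false=0.1)
        if chosen:
            x, pd, pf = chosen
            print(f"{k:<2} {x:<3} {pd:.4f}  {pf:.4f}")
    # Expected monitor nodes per link for r = 10 m and d = 0.02 nodes/m^2.
    print(f"avg monitors per link: {expected_monitor_nodes(0.02, 10.0):.2f}")
```

Running the table shows the behaviour the chapter reports in Fig. 12 and Fig. 13: with a fixed per-node miss rate, $P_D$ for a sensible threshold climbs towards 1 as $K$ grows, while a larger $K$ also raises the false-positive probability unless $X$ is raised with it, which is the balance the text asks the designer to strike. The expected overlap area evaluates to $(\pi - 3\sqrt{3}/4)\,r^2 \approx 1.84\,r^2$, so at density $d$ a link has about $1.84\,d\,r^2$ potential monitor nodes.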
The detection algorithms are implemented in the application layer: while handling packets, a sensor node calls the detection algorithm before forwarding or accepting the data. To simplify the algorithms, each sensor node is assigned a random trust value, and no node has a low trust value during the deployment period. Fig. 14 shows the performance of our scheme in the presence of malicious nodes. Castalia also models packet collisions through the parameter SN.WirelessChannel.CollisionModel (Castalia Simulator). Malicious behaviour is produced by increasing a node's dropped-packet ratio, modifying the fields of forwarded packets, and sending false Hello packets at abnormal radio power. The result shows that our scheme maintains a good packet delivery ratio under these routing attacks. The simulation investigates the effect of the percentage of malicious nodes on the packet delivery ratio: revoking a malicious node takes a certain period of time, so as the percentage of malicious nodes grows, the packet delivery ratio drops quickly. As shown in Fig. 15, our scheme yields a good detection rate, exceeding 90%, when the collision error is low (2-5%) and the percentage of malicious nodes is under 5%. A higher collision ratio and more malicious nodes cause greater packet loss, making it difficult to distinguish packets dropped by malicious nodes from packets that normal nodes lose to collisions; as the collision error rate increases, some misdetection is inevitable. To address this, we propose a dynamic threshold mechanism to keep the scheme effective under a high collision or dropped-packet rate. Next, we study the energy consumption of the detection modules in sensor nodes, comparing watchdog-based methods with our over-hearing mechanism.
Watchdog is used as the monitor-node selection method in previous detection mechanisms (Khalil et al., 2005; 2008; Roman, Loo & Palaniswami, 2006; Hu & Burmester, 2009; Marti et al., 2000; Kaplantzis et al., 2007; Hai et al., 2007).

Fig. 15. Detection ratio of malicious nodes

For simplicity, we analyze the energy consumption of the monitor nodes for a transmission from node A to node B over n intermediate hops. Using the energy consumption models of (Hai et al., 2007; Holger & W, 2005), we obtain the energy consumption of the monitor nodes on the transmission link for various hop counts, shown in Fig. 16. Our scheme consumes less energy than the watchdog-based mechanism; reducing the energy spent by monitor nodes extends the network lifetime.

In summary, Table 1 compares the proposed detection framework with related work on intrusion detection schemes for WSNs. Onat and Chong's schemes build a model of the traffic and signal-power data of each neighbour node and detect anomalies against it. As the number of neighbour nodes and the amount of sample data grow, this consumes substantial memory and computation, which delays the detection of attacks. Their schemes are derived from IDS designs that are effective in wired networks, but we consider them impractical for WSNs at present. Afrand's work (Agah et al., 2006) proposed a detection framework based on non-cooperative games, but the detection algorithms were not shown in detail.

Table 1. A review of related works on intrusion detection

Conclusion
In this chapter we have proposed a simple, lightweight framework for the prevention and detection of common routing attacks in WSNs. The evaluation showed that the framework remains effective even when the network density, and hence the probability of collisions, is high. In addition, our detection modules consume less energy than techniques proposed in previous work, because the over-hearing mechanism reduces the transmission of alert packets. In future work we will carry out detailed simulations of further attack scenarios to test the performance of the proposed algorithm, and we expect the results to be available in the near future.