Intrusion Detection for Routing Attacks in Sensor Networks

Chong Eik Loo, Mun Yong Ng, Christopher Leckie, Marimuthu Palaniswami
2006 International Journal of Distributed Sensor Networks  
Security is a critical challenge for creating robust and reliable sensor networks. For example, routing attacks have the ability to disconnect a sensor network from its central base station. In this paper, we present a method for intrusion detection in wireless sensor networks. Our intrusion detection scheme uses a clustering algorithm to build a model of normal traffic behavior, and then uses this model of normal traffic to detect abnormal traffic patterns. A key advantage of our approach is that it is able to detect attacks that have not previously been seen. Moreover, our detection scheme is based on a set of traffic features that can potentially be applied to a wide range of routing attacks. In order to evaluate our intrusion detection scheme, we have extended a sensor network simulator to generate routing attacks in wireless sensor networks. We demonstrate that our intrusion detection scheme is able to achieve high detection accuracy with a low false positive rate for a variety of simulated routing attacks.

A key attraction of sensor networks is their ease of installation and operation. However, security is one of the key challenges to creating a robust and reliable sensor network [2]. Currently, most research on security in sensor networks has focused on prevention techniques, such as secure routing protocols, cryptography, and authentication techniques [3]. These security mechanisms are usually the first line of defense. However, experience with the Internet has shown that flaws in these protocols are continuously being found and exploited by attackers [4]. Sensor network protocols are faced with additional challenges due to complexities such as a wireless access medium, unpredictable node movement, and unreliable node operation. These challenges create considerable potential to exploit weaknesses in the network. Consequently, we cannot rely on intrusion prevention techniques alone. In practice, Intrusion Detection Systems (IDSs) are needed to detect both known security exploits and even novel attacks that have yet to be experienced.

Intrusion detection is the problem of identifying misuse of computer systems and networks [5]. Most IDSs apply signature-based techniques. In general, signature-based techniques test for features of known network attacks. This raises the question of how to learn these features for known attacks, and how to detect new attacks.
It is difficult to use supervised learning in this context, since labeled training data is expensive to produce. More importantly, it is difficult to detect new types of attacks whose signatures may differ from those in its signature set. This has motivated research into unsupervised learning techniques, which do not require labeled data and are able to detect previously "unseen" attacks. Instead of learning the signature of attack traffic, unsupervised anomaly detection techniques focus on learning the signature of normal traffic. Unsupervised learning techniques do not require the data to be labeled, nor do they require the data to be purely of one type, i.e., normal or attack traffic. This is a significant benefit over the supervised learning approach.

This paper focuses on constructing an Intrusion Detection System for wireless sensor networks. We have made three main contributions in our work. First, we have explored the impact of network attacks on sensor networks. In particular, we have simulated several important categories of routing attacks on sensor networks. Second, we have developed an intrusion detection scheme that is suitable for use in wireless sensor networks. A major advantage of our intrusion detection scheme is that it is based on anomaly detection, rather than signature detection. This means that it is able to detect routing attacks that have not previously been seen. In addition, our intrusion detection scheme does not require communication between sensor nodes, which significantly reduces the power consumption in power-constrained sensor nodes. Finally, we demonstrate the effectiveness of our scheme on a variety of routing attacks in a simulated network. Our IDS was able to achieve high detection accuracy with a low false positive rate for each variety of attack that was simulated.

Sensor Networks

Sensor network technology is undergoing a rapid evolution.
Early sensor networks involved simple transducers that convert a measured variable (e.g., temperature, sound, light) into a signal that can be transmitted to a central processing system for analysis [1]. These sensor networks were based on a star topology, with single-hop point-to-point links between the sensor and the central base station. The power requirements of single-hop links limited the range of the network, unless a significant power supply is available at each node. These communication limitations have been addressed by the advent of multi-hop wireless networks, based on routing protocols from ad hoc networks. In contrast to other types of networks, Akyildiz et al. [6] note that this new generation of wireless sensor networks has several special requirements that raise novel technical challenges.

Engineering
Hindawi Publishing Corporation
doi:10.1080/15501320600692044 fatcat:qgooj3adanghtna63owj2dwhhy
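
An added example, not code from the paper: one way to realize the clustering-based anomaly detection the abstract describes, here using fixed-width clustering over per-window traffic counts that a node observes locally, trained on unlabeled data that is not purely normal. The choice of algorithm, the feature names, the cluster width and the sparse-cluster threshold are assumptions, and the traffic windows are constructed.

```python
import math

# Hypothetical per-window features a node counts locally (names are assumptions):
# (route_requests, route_replies, route_errors, data_packets_forwarded)
TRAIN = [  # constructed, unlabeled training windows; the last one is contaminated
    (4, 3, 0, 52), (5, 4, 1, 49), (3, 3, 0, 55), (4, 4, 0, 50),
    (5, 3, 1, 47), (4, 3, 0, 53), (3, 4, 0, 51), (5, 4, 0, 48),
    (4, 4, 1, 54), (3, 3, 0, 50), (4, 3, 0, 49), (60, 2, 9, 5),
]

def fit_scaler(rows):
    # Per-feature mean and standard deviation, so no single counter dominates.
    cols = list(zip(*rows))
    mean = [sum(c) / len(c) for c in cols]
    std = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
           for c, m in zip(cols, mean)]
    return mean, std

def scale(row, scaler):
    mean, std = scaler
    return [(x - m) / s for x, m, s in zip(row, mean, std)]

def train(rows, width, min_share):
    # Fixed-width clustering: join the nearest cluster if within `width`,
    # otherwise start a new one. No labels are used.
    scaler = fit_scaler(rows)
    clusters = []  # each entry: [centroid, member_count]
    for p in (scale(r, scaler) for r in rows):
        near = min(clusters, key=lambda c: math.dist(c[0], p), default=None)
        if near and math.dist(near[0], p) <= width:
            n = near[1]
            near[0] = [(c * n + x) / (n + 1) for c, x in zip(near[0], p)]
            near[1] = n + 1
        else:
            clusters.append([p, 1])
    # Dense clusters model normal traffic; sparse ones are treated as anomalous.
    normal = [c[0] for c in clusters if c[1] / len(rows) >= min_share]
    return scaler, normal, width

def is_anomalous(row, model):
    # A window is flagged when it lies outside every normal cluster.
    scaler, normal, width = model
    p = scale(row, scaler)
    return all(math.dist(c, p) > width for c in normal)

MODEL = train(TRAIN, width=3.0, min_share=0.2)
```

The model needs only counters the node already sees, so detection runs without exchanging messages with neighbors. A window such as `(4, 3, 0, 2)`, where control traffic looks normal but forwarding collapses, is flagged even though nothing like it appears in the training data.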