Wireless sensor networks have become a mature technology and are increasingly used in practical applications. Examples include the monitoring of industrial environments and light adaptation in tunnels. For such applications, attacks are a serious concern. A disrupted sensor network may not only have a financial impact, but could also be safety-critical. Hence, the availability of a wireless sensor network is our key protection goal in this thesis. A special challenge lies in the fact that sensor nodes are typically physically unprotected. Insider attacks must therefore be expected, e.g., an adversary compromising nodes and obtaining their cryptographic keys, thereby becoming a legitimate member of the network. As a result, mechanisms to detect attacks during operation are necessary.
Traditionally, intrusion detection systems are used to discover network anomalies. Due to severe resource restrictions, building such a system for wireless sensor networks is challenging; it has to be small in size. Therefore, it is important to reduce the information required for intrusion detection. Most of these systems designed for wireless sensor networks work in a decentralized manner, i.e., the nodes try to detect attacks locally, mostly by using some type of collaboration with other nodes. So far, the real-world effects of attacks on wireless sensor networks have not been studied widely. Consequently, state-of-the-art intrusion detection systems often need to analyze a large number of metrics for attack detection. The detection algorithm is mostly executed at a periodic or constant frequency. Another problem that needs further research is the possibility of reducing the detection frequency. We also investigate the feasibility of performing intrusion detection without collaboration, in order to enable the lightweight detection of denial-of-service attacks on wireless sensor networks.
To overcome these shortcomings, in this work we conduct systematic measurements in a real testbed in order to quantify the impact of denial-of-service attacks. This allows us to identify those metrics that are significantly influenced by an attack and are thus appropriate for attack detection. We present a fully localized intrusion detection system, in which the nodes do not have to collaborate with each other. Based on these results, we propose two architectures that allow the detection frequency to be randomized. The advantage is that an adversary cannot predict well in advance which node is responsible for performing intrusion detection at a certain point in time.
The data gathered from the extensive measurements is analyzed with statistical approaches. The presented intrusion detection systems are evaluated in simulations and prototype implementations.