There are generally two types of intrusion detection – anomaly detection and signature
(sometimes denoted as misuse) detection. They differ in the way they discover
malicious nodes. In anomaly detection, any unusual deviation of the network from its normal
behaviour is reported as an anomaly. An IDS of this
type has to be able to learn the normal behaviour of the network. For this purpose there is usually a
start-up phase, often denoted as a training phase, during which the IDS only
gathers information about normal flow for some period of time. It has to be ensured that no
intruders exist in the network during this phase, which might be hard to achieve. “Signature
based detection techniques match the known attack profiles with suspicious behaviours”
as stated in . For this purpose, attack footprints have to be defined for each type of
attack that should be recognized by the IDS.
Both anomaly and signature based IDSs have their pros and cons. Signature based
detection is very effective in revealing known attacks whose patterns are defined in the
IDS. However, it fails completely to uncover unknown attacks. These can be recognized by
anomaly detection, though. Unfortunately, such an IDS requires training to learn what
a normal traffic flow looks like, and if the network’s dynamics change, the IDS has to
be re-trained. Employing both detection techniques should provide an effective detection
mechanism for a sensor network. Additionally, specification detection is sometimes introduced
as a third type of IDS. It is very similar to anomaly detection; however, the set
of rules is defined a priori and so no training phase is involved. This work deals with
neighbour-based intrusion detection, which is a specific type of anomaly detection. The
neighbour-based detection technique is described in detail later in this chapter.
I am working on a neighbour-based anomaly intrusion detection system for wireless sensor networks.
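The contrast drawn in the excerpt above, as an added example that is not part of the original text: a signature matcher and a trained anomaly detector run over constructed observations, including a training window in which an intruder was already present. The feature names, the `flood` footprint and its threshold, and the three-standard-deviation rule are assumptions made for illustration.

```python
from statistics import mean, stdev

# Constructed per-interval observations for one sensor node (not real traffic).
CLEAN = [{"sent": s, "forwarded": f} for s, f in
         [(20, 18), (22, 20), (19, 17), (21, 19), (20, 18), (23, 21), (18, 16), (21, 19)]]
# The same training window with a packet-dropping node already present.
POISONED = CLEAN + [{"sent": s, "forwarded": f} for s, f in
                    [(20, 2), (21, 1), (19, 3), (22, 2)]]

# Signature (misuse) detection: one footprint per known attack.
# The name and threshold are hypothetical.
SIGNATURES = {"flood": lambda o: o["sent"] > 80}

def signature_detect(obs):
    """Return the names of all known-attack footprints that match."""
    return [name for name, matches in SIGNATURES.items() if matches(obs)]

class AnomalyDetector:
    """Learns mean and standard deviation per feature in a training phase."""

    def __init__(self, k=3.0):
        self.k = k          # allowed deviation, in standard deviations
        self.profile = {}   # feature -> (mean, stdev)

    def train(self, observations):
        for feature in observations[0]:
            values = [o[feature] for o in observations]
            self.profile[feature] = (mean(values), stdev(values))

    def detect(self, obs):
        """Return the features that deviate from the learned profile."""
        return [f for f, (mu, sd) in self.profile.items()
                if abs(obs[f] - mu) > self.k * sd]

def trained(observations):
    """Build a detector and run its training phase on the given window."""
    detector = AnomalyDetector()
    detector.train(observations)
    return detector

KNOWN_FLOOD = {"sent": 95, "forwarded": 18}   # matches a defined footprint
UNKNOWN_DROP = {"sent": 20, "forwarded": 2}   # no footprint defined for this

if __name__ == "__main__":
    for label, obs in [("known flood", KNOWN_FLOOD), ("unknown drop", UNKNOWN_DROP)]:
        print(label, "| signature:", signature_detect(obs),
              "| anomaly (clean):", trained(CLEAN).detect(obs),
              "| anomaly (poisoned):", trained(POISONED).detect(obs))
```

With the clean training window the anomaly detector flags the dropping node that the signature set has no footprint for; with the poisoned window the learned profile absorbs the dropping behaviour and the same observation passes.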