Hindawi Publishing Corporation
International Journal of Distributed Sensor Networks
Volume 2013, Article ID 167575, 7 pages
http://dx.doi.org/10.1155/2013/167575

Research Article

Intrusion Detection Systems in Wireless Sensor Networks: A Review

Nabil Ali Alrajeh,1 S. Khan,2 and Bilal Shams2

1 Biomedical Technology Department, College of Applied Medical Sciences, King Saud University, Riyadh 11633, Saudi Arabia
2 Institute of Information Technology, Kohat University of Science and Technology (KUST), Kohat City 26000, Pakistan

Correspondence should be addressed to Nabil Ali Alrajeh; nabil@ksu.edu.sa

Received 28 February 2013; Accepted 16 April 2013

Academic Editor: Jaime Lloret

Copyright © 2013 Nabil Ali Alrajeh et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Wireless Sensor Networks (WSNs) consist of sensor nodes deployed in a manner to collect information about surrounding environment. Their distributed nature, multihop data forwarding, and open wireless medium are the factors that make WSNs highly vulnerable to security attacks at various levels. Intrusion Detection Systems (IDSs) can play an important role in detecting and preventing security attacks. This paper presents current Intrusion Detection Systems and some open research problems related to WSN security.

1. Introduction

Wireless Sensor Networks (WSNs) are composed of sensor nodes and sinks. Sensor nodes have the capability of self-healing and self-organizing. They are decentralized and distributed in nature where communication takes place via multihop intermediate nodes. The main objective of a sensor node is to collect information from its surrounding environment and transmit it to the sink.
WSNs have many applications and are used in scenarios such as detecting climate change, monitoring environments and habitats, and various other surveillance and military applications. Sensor nodes are mostly used in areas where wired networks cannot be deployed. WSNs are deployed in physically harsh and hostile environments where nodes are always exposed to physical security risks and damage. Furthermore, their self-organizing nature, low battery power supply, limited bandwidth support, distributed operations using an open wireless medium, multihop traffic forwarding, and dependency on other nodes are characteristics of sensor networks that expose them to many security attacks at all layers of the OSI model.

Many security-related solutions for WSNs have been proposed, such as authentication, key exchange, and secure routing or security mechanisms for specific attacks. These security mechanisms are capable of ensuring security at some level; however, they cannot eliminate most of the security attacks [1]. An IDS is one possible solution to address a wide range of security attacks in WSNs. An IDS is also referred to as a second line of defence, which is used for intrusion detection only; that is, an IDS can detect attacks but cannot prevent or respond. Once the attack is detected, the IDS raises an alarm to inform the controller to take action.

There are two important classes of IDSs. One is rule-based IDS and the other is anomaly-based IDS [2, 3]. Rule-based IDS is also known as signature-based IDS, which is used to detect intrusions with the help of built-in signatures. Rule-based IDS can detect well-known attacks with great accuracy, but it is unable to detect new attacks for which the signatures are not present in the intrusion database. Anomaly-based IDSs detect intrusion by matching traffic patterns or resource utilizations. Although anomaly-based IDSs have the ability to detect both well-known and new attacks, they have more false positive and false negative alarms.
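The contrast between the two IDS classes described above, as an added example that is not from the paper: a signature matcher and a statistical profile are run over the same constructed traffic windows. The message kinds, packet rates, the single signature and the 3-sigma threshold are all assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed signature database: (message kind, minimum packets per window).
SIGNATURES = [("BEACON", 50)]

# Constructed attack-free training windows: packets per window, by message kind.
BASELINE = {
    "DATA": [10, 12, 9, 11, 10, 13, 8, 11],
    "BEACON": [2, 3, 2, 3, 2, 3, 2, 3],
}

# Constructed test windows: (node, kind, packets in window, is_attack).
WINDOWS = [
    ("n1", "DATA", 11, False),    # ordinary reporting
    ("n2", "BEACON", 80, True),   # attack with a stored signature
    ("n3", "DATA", 40, True),     # new attack, no signature exists
    ("n4", "DATA", 19, False),    # legitimate burst after a sensed event
]

def rule_based(kind, rate):
    """Alarm only when the window matches a stored signature."""
    return any(kind == k and rate >= min_rate for k, min_rate in SIGNATURES)

def build_profile(baseline):
    """Learn mean and standard deviation of the rate for each message kind."""
    return {k: (mean(v), pstdev(v)) for k, v in baseline.items()}

def anomaly_based(profile, kind, rate, k=3.0):
    """Alarm when the rate deviates more than k standard deviations from normal."""
    if kind not in profile:
        return True  # never seen in training: treat as anomalous
    mu, sigma = profile[kind]
    return abs(rate - mu) > k * sigma

def evaluate(detector):
    """Return (true positives, false positives, false negatives) over WINDOWS."""
    tp = fp = fn = 0
    for _node, kind, rate, is_attack in WINDOWS:
        alarm = detector(kind, rate)
        tp += alarm and is_attack
        fp += alarm and not is_attack
        fn += (not alarm) and is_attack
    return tp, fp, fn

def run():
    profile = build_profile(BASELINE)
    by_profile = lambda kind, rate: anomaly_based(profile, kind, rate)
    return {"rule": evaluate(rule_based), "anomaly": evaluate(by_profile)}
print(run())  # (TP, FP, FN) per detector
```

On this data the signature matcher misses the unsigned attack from n3, while the profile catches it but also alarms on the legitimate burst from n4.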
Some IDSs operate in specific scenarios or with particular routing protocols. Watchers [4] operate with a proactive routing protocol to detect routing anomalies. It is implemented on each node, so all the nodes need some sort of cooperation to detect routing intrusions. Some intrusion detection mechanisms also operate with reactive routing protocols [5, 6]. These