Intrusion detection systems (IDS) are important security tools in computer 
networks. There exist many approaches to this problem in traditional computer 
networks and wireless adhoc networks [ZL00], but literature on this topic with 
regard to sensor networks is scarce. The goal of failure recovery is to extend 
the lifetime of a sensor network by restarting or reprogramming failed or 
misbehaving nodes. In combination, these two measures raise the cost for a 
potential attacker. Even if an attacker manages to capture a node and abuses 
it for his own purposes, there is a chance that the aberrant behaviour of this 
node will be detected and the node be recovered, thus nullifying the attack. 
When trying to protect a system from malicious use, it is important to define 
the goals and capabilities of potential attackers. Here, we consider attackers 
that try to capture nodes by taking control of the code they are executing. 
This would allow an attacker to take part in the network?s ordinary operation 
and thus exercise a certain influence on the outcome of its operation, and to 
exploit the resources of the captured nodes. We will not consider 
denial-of-service attacks. There are many possible ways for an attacker to 
inject malicious code into a node, including the exploitation of weaknesses in 
its application code or in protocols used for application management, or 
physical vulnerabilities. The impact of software vulnerabilities can be 
minimized by using qualitiy assurance tools like code verification and others. 
Defending against physical attempts at rewriting the application code requires 
barriers that make access to physical features of the node?s hardware as 
difficult as possible [AK97]. However, all defense mechanisms increase the 
cost of a sensor network. Therefore, it may be sensible to devote resources to 
intrustion detection and recovery in order to mitigate the effects of attacks. 
Active measures against physical manipulations are also possible. The sensors 
already built into sensor nodes could help detect physical manipulations. For 
example, if a node is relocated, acceleration sensors can trigger the 
zeroization of key material, rendering the node inoperable within the network. 
In principle, all defense mechanisms can be circumvented, but the required 
effort should be prohibitively high. Generally, we would like to avoid that 
attacking a single node becomes cheaper if many nodes have already been 
attacked. In this paper, we sketch a system for detecting intrusions and 
recovering sensor nodes. We plan to come up with an approach for 
application-based anomaly specification and detection and node recovery, and a 
prototypical implementation based on BTnodes [BKR03].