
Sequential anomaly detection in wireless sensor networks and effects of long-range dependent data. (English) Zbl 1293.62164

Summary: Anomaly detection is important for the correct functioning of wireless sensor networks. Recent studies have shown that node mobility along with spatial correlation of the monitored phenomenon in sensor networks can lead to observation data that have long-range dependency, which could significantly increase the difficulty of anomaly detection. In this article, we develop an anomaly detection scheme based on multiscale analysis of the long-range dependent traffic to address this challenge. In this proposed detection scheme, the discrete wavelet transform is used to approximately de-correlate the traffic data and capture data characteristics in different timescales. The remaining dependencies are then captured by a multilevel hidden Markov model in the wavelet domain. To estimate the model parameters, we develop an online discounting expectation maximization (EM) algorithm, which also tracks variations of the estimated models over time. Network anomalies are detected as abrupt changes in the tracked model variation scores. Statistical properties of our detection scheme are evaluated numerically using long-range dependent time series. We also evaluate our detection scheme in malicious scenarios simulated using the NS-2 network simulator.

MSC:

62L12 Sequential estimation
62F03 Parametric hypothesis testing
62F15 Bayesian inference

Software:

ns-2
