1 / 32

LAD: Location Anomaly Detection for Wireless Sensor Networks

LAD: Location Anomaly Detection for Wireless Sensor Networks . Wenliang (Kevin) Du (Syracuse Univ.) Lei Fang (Syracuse Univ.) Peng Ning (North Carolina State Univ.). Sponsored by the NSF CyberTrust Program. Location Discovery in WSN . Sensor nodes need to find their locations

skylar
Download Presentation

LAD: Location Anomaly Detection for Wireless Sensor Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. LAD: Location Anomaly Detection for Wireless Sensor Networks Wenliang (Kevin) Du (Syracuse Univ.) Lei Fang (Syracuse Univ.) Peng Ning (North Carolina State Univ.) Sponsored by the NSF CyberTrust Program

  2. Location Discovery in WSN • Sensor nodes need to find their locations • Rescue missions • Geographic routing protocols. • Constraints • No GPS • Low cost

  3. Existing Positioning Schemes Beacon Nodes

  4. Attacks Beacon Nodes

  5. Attacks Beacon Nodes

  6. What is Anomaly • Localization error: | Lestimation – Lactual | • Le = Lestimation • La = Lactual • Anomaly: |Le – La | >MTE • MTE: Maximum Tolerable Error. • D-Anomaly: |Le – La | >D

  7. |Le – La | >D A >T The Anomaly Detection Problem Is |Le – La | >D ? Find another metric A and a threshold T

  8. False Positive and Negative Ideal Situation: A > T |Le – La | >D False Positive (FP): A > T, but |Le – La | <D False Negative (FN): A < T, but |Le – La | >D Detection Rate: 1 – (False Negative Rate)

  9. Our Task • We assume that the location discovery is already finished. • Find a good metric A • What metric can help a sensor find out whether it is in a “wrong” location? • It should be more robust than the location discovery itself.

  10. A Group-Based Deployment Scheme

  11. A Group-Based Deployment Scheme

  12. Modeling of The Group-Based Deployment Scheme Deployment Points: Their locations are known.

  13. Actual Observation Expected Observation The Observations A B

  14. Using pdf function to model the node distribution. Example: two-dimensional Gaussian Distribution. Modeling of the Deployment Distribution

  15. Le The Idea A C La B D

  16. The Problem Formulation Location Discovery Observation a = (a1, a2, … an) Z LAD Is Z abnormal?

  17. The Problem Formulation Expected Observation e(Z) = (e1, e2, … en) Actual Observation a = (a1, a2, … an) Estimated Location: Z Are e(Z) and a consistent?

  18. Various Metrics • Diff Metric: • A = | e(Z)–a | • Probability Metric: • A = Pr (a | Z) • Others

  19. How to Find the Threshold? • Recall: we use A >T to decide |Le – La | >?D • How to obtain T • T is obtained for a non-compromised network. • One location discovery scheme is used • Derivation: preferable but difficult • Simulation: e.g., Find T, such that Pr(|Le – La | >D |A>T)= 99.99%, • We use T as the threshold for A. • False positive = 1 – 99.99% = 0.01%.

  20. Attacks A B

  21. Attacks I am actually from group 5, But I am not telling anybody. Silence Attack Range-Change Attack

  22. Attacks (continued) Group 3 I am from group 9 Group 5 I am actually from group 5. Group 6 Impersonation Attack Multi-Impersonation Attack and Wormhole Attack

  23. Arbitrary Attack a = (1, 2, 8, 10) Arbitrary Change a’ = (10, 9, 3, 1) • Attackers can arbitrarily change a sensor’s observation (both increasing and decreasing). • There is no hope. • Observation: decreasing is more difficult.

  24. Dec-Bounded Attack a = (1, 2, 8, 10) Dec-Bounded Change a’ = (10, 9, 7, 8) • a’i can be arbitrarily larger than ai (multi-impersonation attacks). • But a’i cannot be arbitrarily smaller than ai. • Difficult in preventing non-compromised nodes from broadcasting their membership. •  (ai– a’i) < x, for all ai > a’i

  25. Dec-Only Attack Dec-Only Change a’ = (1, 2, 5, 7) a = (1, 2, 8, 10) • Prevent impersonation attacks • Authentication • No wormhole attacks. • Attackers cannot move sensors. • Attackers cannot enlarge the transmission power.

  26. Evaluation via Simulation • X nodes are compromised • Random pick a node atLa(actual location) with the actual observation a • Find a locationLes.t. |Le-La| = D • Compute expected observationufrom Le • Generate a new observationa’from a(attacking) • FindLe, s.t.a’is as close touas possible

  27. The ROC Curves • Evaluating Intrusion Detection • Detection rate • False positive • We need to look at them both • Receive Operating Characteristic (ROC) • Y-axis: Detection rate • X-axis: False positive ratio

  28. ROC Curves for Different Metrics

  29. ROC Curves for Different Attacks

  30. Detection Rate vs.Degree of Damage False Positive = 0.01

  31. Detection Rate vs.Node Compromise Ratio False Positive = 0.01

  32. Conclusion • We have developed an effective anomaly detection scheme for location discovery • Future Studies • How the deployment knowledge model affect our scheme • How the location discovery schemes affect our scheme • How to correct the location errors caused by the attacks.

More Related