LAD: Location Anomaly Detection for Wireless Sensor Networks
Wenliang (Kevin) Du (Syracuse Univ.), Lei Fang (Syracuse Univ.), Peng Ning (North Carolina State Univ.)
Sponsored by the NSF CyberTrust Program
Location Discovery in WSN
• Sensor nodes need to find their locations
  • Rescue missions
  • Geographic routing protocols
• Constraints
  • No GPS
  • Low cost
Existing Positioning Schemes (figure: beacon nodes)
Attacks (figure: beacon nodes)
What Is an Anomaly
• Localization error: $|L_{\text{estimation}} - L_{\text{actual}}|$
• $L_e = L_{\text{estimation}}$
• $L_a = L_{\text{actual}}$
• Anomaly: $|L_e - L_a| > MTE$
• MTE: Maximum Tolerable Error
• D-Anomaly: $|L_e - L_a| > D$
The Anomaly Detection Problem
• Is $|L_e - L_a| > D$?
• Find another metric $A$ and a threshold $T$, and use $A > T$ to decide whether $|L_e - L_a| > D$
False Positive and Negative
• Ideal situation: $A > T$ exactly when $|L_e - L_a| > D$
• False Positive (FP): $A > T$, but $|L_e - L_a| < D$
• False Negative (FN): $A < T$, but $|L_e - L_a| > D$
• Detection Rate: 1 – (False Negative Rate)
Our Task
• We assume that the location discovery is already finished.
• Find a good metric $A$
• What metric can help a sensor find out whether it is in a “wrong” location?
• It should be more robust than the location discovery itself.
Modeling of the Group-Based Deployment Scheme
• Deployment points: their locations are known.
The Observations (figure: actual observation and expected observation, with labels A and B)
Modeling of the Deployment Distribution
• Use a probability density function (pdf) to model the node distribution.
• Example: two-dimensional Gaussian distribution.
The Idea (figure: estimated location $L_e$ and actual location $L_a$, with labels A, B, C and D)
The Problem Formulation
• Location discovery → $Z$
• Observation: $a = (a_1, a_2, \dots, a_n)$
• LAD: is $Z$ abnormal?
The Problem Formulation
• Estimated location: $Z$
• Expected observation: $e(Z) = (e_1, e_2, \dots, e_n)$
• Actual observation: $a = (a_1, a_2, \dots, a_n)$
• Are $e(Z)$ and $a$ consistent?
Various Metrics
• Diff Metric: $A = |e(Z) - a|$
• Probability Metric: $A = \Pr(a \mid Z)$
• Others
How to Find the Threshold?
• Recall: we use $A > T$ to decide whether $|L_e - L_a| > D$
• How to obtain $T$
• $T$ is obtained for a non-compromised network.
• One location discovery scheme is used.
• Derivation: preferable but difficult
• Simulation: e.g., find $T$ such that $\Pr(|L_e - L_a| > D \mid A > T) = 99.99\%$
• We use $T$ as the threshold for $A$.
• False positive = 1 – 99.99% = 0.01%.
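The diff metric and a simulated threshold, as an added example that is not code from the original presentation. Assumptions made here: a 5x5 grid of deployment points with the parameter values shown, the diff metric taken as an L1 norm, e(Z) computed by numerically integrating the Gaussian pdf over the radio disc, and T chosen as a high quantile of A on a non-compromised network (a simplification of the slide's criterion that fixes the false-positive rate directly).

```python
import math, random

# Assumed parameters (not from the slides): 5x5 deployment points 100 m apart,
# M nodes per group, Gaussian spread SIGMA, radio range R.
SPACING, GRID, M, SIGMA, R = 100.0, 5, 100, 50.0, 50.0
POINTS = [(i * SPACING, j * SPACING) for i in range(GRID) for j in range(GRID)]
H = 10.0  # cell size of the midpoint grid used to integrate the pdf over the radio disc
DISC = [(dx, dy) for dx in range(-45, 50, 10) for dy in range(-45, 50, 10)
        if math.hypot(dx, dy) <= R]

def deploy(rng):
    """Group-based deployment: each node lands 2-D Gaussian around its group's point."""
    return [(rng.gauss(px, SIGMA), rng.gauss(py, SIGMA), g)
            for g, (px, py) in enumerate(POINTS) for _ in range(M)]

def observe(loc, nodes):
    """Actual observation a: neighbours within range R, counted per group."""
    a = [0] * len(POINTS)
    for x, y, g in nodes:
        if 0 < math.hypot(x - loc[0], y - loc[1]) <= R:  # a node does not count itself
            a[g] += 1
    return a

def expected(z):
    """Expected observation e(Z): e_i = M * Pr(a group-i node lies within R of Z)."""
    norm = H * H / (2 * math.pi * SIGMA ** 2)
    return [M * norm * sum(math.exp(-((z[0] + dx - px) ** 2 + (z[1] + dy - py) ** 2)
                                    / (2 * SIGMA ** 2)) for dx, dy in DISC)
            for px, py in POINTS]

def diff_metric(z, a):
    """Diff metric A = |e(Z) - a|, computed here as an L1 norm (assumption)."""
    return sum(abs(e_i - a_i) for e_i, a_i in zip(expected(z), a))

def train_threshold(nodes, rng, samples=200, fp_rate=0.01):
    """T from a non-compromised network with Z = L_a: the (1 - fp_rate) quantile of A."""
    scores = sorted(diff_metric((x, y), observe((x, y), nodes))
                    for x, y, _ in rng.sample(nodes, samples))
    return scores[min(samples - 1, math.ceil(samples * (1 - fp_rate)))]

def demo(seed=1, d=200.0):
    """Sensor really at (200, 200); compare an honest Z with one displaced by d."""
    rng = random.Random(seed)
    nodes = deploy(rng)
    t = train_threshold(nodes, rng)
    a = observe((200.0, 200.0), nodes)
    return t, diff_metric((200.0, 200.0), a), diff_metric((200.0 + d, 200.0), a)

if __name__ == "__main__":
    t, honest, spoofed = demo()
    print(f"T={t:.1f}  A(honest Z)={honest:.1f}  A(displaced Z)={spoofed:.1f}")
```

The observation stays the same in both calls; only the claimed location Z changes, so the displaced Z is flagged because e(Z) no longer matches what the sensor actually hears.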
Attacks (figure with labels A and B)
Attacks
• Silence Attack: “I am actually from group 5, but I am not telling anybody.”
• Range-Change Attack
Attacks (continued)
• Impersonation Attack: “I am from group 9” (“I am actually from group 5.”) (figure labels: Group 3, Group 5, Group 6)
• Multi-Impersonation Attack and Wormhole Attack
Arbitrary Attack
• Arbitrary change: $a = (1, 2, 8, 10) \to a' = (10, 9, 3, 1)$
• Attackers can arbitrarily change a sensor’s observation (both increasing and decreasing).
• There is no hope.
• Observation: decreasing is more difficult.
Dec-Bounded Attack
• Dec-bounded change: $a = (1, 2, 8, 10) \to a' = (10, 9, 7, 8)$
• $a'_i$ can be arbitrarily larger than $a_i$ (multi-impersonation attacks).
• But $a'_i$ cannot be arbitrarily smaller than $a_i$.
• It is difficult to prevent non-compromised nodes from broadcasting their membership.
• $(a_i - a'_i) < x$ for all $a_i > a'_i$
Dec-Only Attack
• Dec-only change: $a = (1, 2, 8, 10) \to a' = (1, 2, 5, 7)$
• Prevent impersonation attacks
• Authentication
• No wormhole attacks.
• Attackers cannot move sensors.
• Attackers cannot enlarge the transmission power.
Evaluation via Simulation
• X nodes are compromised
• Randomly pick a node at $L_a$ (actual location) with the actual observation $a$
• Find a location $L_e$ s.t. $|L_e - L_a| = D$
• Compute the expected observation $u$ from $L_e$
• Generate a new observation $a'$ from $a$ (attacking)
• Find $L_e$ s.t. $a'$ is as close to $u$ as possible
The ROC Curves
• Evaluating intrusion detection
  • Detection rate
  • False positive
  • We need to look at them both
• Receiver Operating Characteristic (ROC)
  • Y-axis: detection rate
  • X-axis: false positive ratio
Detection Rate vs. Degree of Damage (figure; False Positive = 0.01)
Detection Rate vs. Node Compromise Ratio (figure; False Positive = 0.01)
Conclusion
• We have developed an effective anomaly detection scheme for location discovery
• Future Studies
  • How the deployment knowledge model affects our scheme
  • How the location discovery schemes affect our scheme
  • How to correct the location errors caused by the attacks