LAD: Location Anomaly Detection for Wireless Sensor Networks Wenliang (Kevin) Du (Syracuse Univ.)...
Date posted: 21-Dec-2015
LAD: Location Anomaly Detection for
Wireless Sensor Networks
Wenliang (Kevin) Du (Syracuse Univ.)
Lei Fang (Syracuse Univ.)
Peng Ning (North Carolina State Univ.)
Sponsored by the NSF CyberTrust Program
Location Discovery in WSN
Sensor nodes need to find their locations:
Rescue missions
Geographic routing protocols
Constraints:
No GPS
Low cost
Existing Positioning Schemes
Beacon Nodes
Attacks
What is Anomaly
Localization error: |L_estimation – L_actual|
Le = L_estimation
La = L_actual
Anomaly: |Le – La| > MTE
MTE: Maximum Tolerable Error.
D-Anomaly: |Le – La| > D
The Anomaly Detection Problem
Is |Le – La | > D ?
Find another metric A and a threshold T
A > T ⇔ |Le – La| > D
False Positive and Negative
Ideal Situation: A > T ⇔ |Le – La| > D
False Positive (FP): A > T, but |Le – La | < D
False Negative (FN): A < T, but |Le – La | > D
Detection Rate: 1 – (False Negative Rate)
Our Task
We assume that the location discovery is already finished.
Find a good metric A.
What metric can help a sensor find out whether it is in a “wrong” location?
It should be more robust than the location discovery itself.
A Group-Based Deployment Scheme
Modeling of The Group-Based Deployment Scheme
Deployment Points: Their locations are known.
The Observations
[Figure: nodes A and B, showing the actual observation and the expected observation]
Modeling of the Deployment Distribution
Use a probability density function (pdf) to model the node distribution.
Example: two-dimensional Gaussian Distribution.
The Idea
[Figure: points A, B, C and D, with the actual location La and the estimated location Le]
The Problem Formulation
[Diagram: Location Discovery produces Z; LAD takes Z and the observation a = (a1, a2, …, an)]
Is Z abnormal?
The Problem Formulation
Actual Observation: a = (a1, a2, …, an)
Estimated Location: Z
Expected Observation e(Z) = (e1, e2, … en)
Are e(Z) and a consistent?
Various Metrics
Diff Metric: A = |e(Z) – a|
Probability Metric: A = Pr(a | Z)
Others
How to Find the Threshold?
Recall: we use A > T to decide whether |Le – La| > D.
How to obtain T:
T is obtained for a non-compromised network.
One location discovery scheme is used.
Derivation: preferable but difficult.
Simulation: e.g., find T such that Pr(|Le – La| > D | A > T) = 99.99%.
We use T as the threshold for A.
False positive = 1 – 99.99% = 0.01%.
Attacks
Silence Attack: “I am actually from group 5, but I am not telling anybody.”
Range-Change Attack
Attacks (continued)
Impersonation Attack: “I am actually from group 5.” / “I am from group 9”
Multi-Impersonation Attack and Wormhole Attack
[Figure labels: Group 3, Group 5, Group 6]
Arbitrary Attack
Attackers can arbitrarily change a sensor’s observation (both increasing and decreasing).
There is no hope.
Observation: decreasing is more difficult.
Arbitrary Change: a = (1, 2, 8, 10), a’ = (10, 9, 3, 1)
Dec-Bounded Attack
a’i can be arbitrarily larger than ai (multi-impersonation attacks).
But a’i cannot be arbitrarily smaller than ai.
It is difficult to prevent non-compromised nodes from broadcasting their membership.
(ai – a’i) < x, for all ai > a’i
Dec-Bounded Change: a = (1, 2, 8, 10), a’ = (10, 9, 7, 8)
Dec-Only Attack
Prevent impersonation attacks: authentication.
No wormhole attacks.
Attackers cannot move sensors.
Attackers cannot enlarge the transmission power.
Dec-Only Change: a = (1, 2, 8, 10), a’ = (1, 2, 5, 7)
Evaluation via Simulation
X nodes are compromised.
Randomly pick a node at La (actual location) with the actual observation a.
Find a location Le s.t. |Le – La| = D.
Compute the expected observation u from Le.
Generate a new observation a’ from a (attacking).
Find Le, s.t. a’ is as close to u as possible.
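The consistency check and the three attack models from the slides above, as an added Python example that is not from the original slides. The deployment grid, M, SIGMA, R, the locations, x = 5 and the threshold T = 40 are constructed values, the function names are hypothetical, and the diff metric is taken here as the sum of per-group differences.

```python
import math

# Constructed deployment knowledge (assumed values, not from the slides):
# 3x3 grid of deployment points, M nodes per group, Gaussian spread SIGMA,
# radio range R (all distances in metres).
POINTS = [(x, y) for y in (0, 100, 200) for x in (0, 100, 200)]
M, SIGMA, R = 300, 50.0, 40.0

def expected_observation(z, cells=40):
    """e(Z): expected neighbour count per group at location z, obtained by
    integrating each group's 2D Gaussian pdf over the radio disc (midpoint rule)."""
    h = 2 * R / cells
    offs = [-R + (k + 0.5) * h for k in range(cells)]
    disc = [(dx, dy) for dx in offs for dy in offs if dx * dx + dy * dy <= R * R]
    e = []
    for px, py in POINTS:
        mass = h * h * sum(
            math.exp(-((z[0] + dx - px) ** 2 + (z[1] + dy - py) ** 2) / (2 * SIGMA ** 2))
            for dx, dy in disc)
        e.append(M * mass / (2 * math.pi * SIGMA ** 2))
    return e

def diff_metric(z, a):
    """Diff metric A = |e(Z) - a|, taken here as the sum of per-group differences."""
    return sum(abs(ei - ai) for ei, ai in zip(expected_observation(z), a))

def forge(a, u, model, x=1):
    """Observation a' closest to the target u that each attack model permits."""
    if model == "arbitrary":      # counts can be raised or lowered freely
        return [round(ui) for ui in u]
    if model == "dec-bounded":    # raise freely, but (a_i - a'_i) < x
        return [max(round(ui), ai - (x - 1)) for ai, ui in zip(a, u)]
    if model == "dec-only":       # counts can only be lowered
        return [min(ai, round(ui)) for ai, ui in zip(a, u)]
    raise ValueError(model)

def evaluate(la=(60, 70), le=(160, 150), x=5):
    """Metric A at the claimed location for an honest node and for each attack."""
    a = [round(v) for v in expected_observation(la)]  # constructed benign observation
    u = expected_observation(le)                      # what a node at Le should see
    result = {"honest": diff_metric(la, a)}
    for model in ("arbitrary", "dec-bounded", "dec-only"):
        result[model] = diff_metric(le, forge(a, u, model, x))
    return result

T = 40.0  # constructed threshold; the slides obtain T by simulation
if __name__ == "__main__":
    for name, metric in evaluate().items():
        print(f"{name:12s} A = {metric:7.2f}  anomaly = {metric > T}")
```

With these values the arbitrary change drives A back under T, while the Dec-Bounded and Dec-Only changes leave a residue above T: groups that a node at Le should hear but that the attacker cannot add, or groups heard at La that cannot be suppressed far enough.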
The ROC Curves
Evaluating Intrusion Detection:
Detection rate
False positive
We need to look at them both.
Receiver Operating Characteristic (ROC):
Y-axis: Detection rate
X-axis: False positive ratio
ROC Curves for Different Metrics
ROC Curves for Different Attacks
Detection Rate vs. Degree of Damage
False Positive = 0.01
Detection Rate vs. Node Compromise Ratio
False Positive = 0.01
Conclusion
We have developed an effective anomaly detection scheme for location discovery.
Future Studies:
How the deployment knowledge model affects our scheme.
How the location discovery schemes affect our scheme.
How to correct the location errors caused by the attacks.