Title: LAD: Location Anomaly Detection for Wireless Sensor Networks
1. LAD: Location Anomaly Detection for Wireless Sensor Networks
- Wenliang (Kevin) Du (Syracuse Univ.)
- Lei Fang (Syracuse Univ.)
- Peng Ning (North Carolina State Univ.)
Sponsored by the NSF CyberTrust Program
2. Location Discovery in WSN
- Sensor nodes need to find their locations
- Rescue missions
- Geographic routing protocols.
- Constraints
- No GPS
- Low cost
3. Existing Positioning Schemes
Beacon Nodes
4. Attacks
Beacon Nodes
5. Attacks
Beacon Nodes
6. What is Anomaly
- Localization error: |Lestimation - Lactual|
- Le = Lestimation
- La = Lactual
- Anomaly: |Le - La| > MTE
- MTE: Maximum Tolerable Error.
- D-Anomaly: |Le - La| > D
7. The Anomaly Detection Problem
Find another metric A and a threshold T
8. False Positive and Negative
Ideal Situation: A > T <=> |Le - La| > D
False Positive (FP): A > T, but |Le - La| < D
False Negative (FN): A < T, but |Le - La| > D
Detection Rate = 1 - (False Negative Rate)
9. Our Task
- We assume that the location discovery is already finished.
- Find a good metric A
- What metric can help a sensor find out whether it is in a wrong location?
- It should be more robust than the location discovery itself.
10. A Group-Based Deployment Scheme
11. A Group-Based Deployment Scheme
12. Modeling of The Group-Based Deployment Scheme
Deployment Points: Their locations are known.
13. The Observations
[Figure with labels A and B]
14. Modeling of the Deployment Distribution
- Using a pdf function to model the node distribution.
- Example: two-dimensional Gaussian distribution.
15. The Idea
[Figure with labels A, B, C, D and La]
16. The Problem Formulation
Location Discovery
Observation a = (a1, a2, ..., an)
Z
LAD
Is Z abnormal?
17. The Problem Formulation
Expected Observation e(Z) = (e1, e2, ..., en)
Actual Observation a = (a1, a2, ..., an)
Estimated Location Z
Are e(Z) and a consistent?
18. Various Metrics
- Diff Metric
- A = |e(Z) - a|
- Probability Metric
- A = Pr(a | Z)
- Others
19. How to Find the Threshold?
- Recall: we use A > T to decide whether |Le - La| > D
- How to obtain T
- T is obtained for a non-compromised network.
- One location discovery scheme is used
- Derivation: preferable but difficult
- Simulation: e.g., find T such that
- Pr(|Le - La| > D | A > T) = 99.99%,
- We use T as the threshold for A.
- False positive = 1 - 99.99% = 0.01%.
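The Diff metric and the simulation-derived threshold above, worked through as an added example (not code from the slides or from the LAD authors). Assumed and constructed here: the 3x3 grid of deployment points, the values of sigma, radio range and group size, a perfect location estimate during training, and numerical integration of the Gaussian pdf to obtain e(Z).

```python
import math, random

# Constructed parameters (assumptions, not values from the slides)
SIGMA, R, M = 50.0, 40.0, 300   # deployment std-dev, radio range, nodes per group
POINTS = [(x, y) for x in (0, 100, 200) for y in (0, 100, 200)]  # known deployment points
STEP = 4.0                      # grid step used to integrate the pdf over the radio disc
DISC = [(dx * STEP, dy * STEP) for dx in range(-10, 11) for dy in range(-10, 11)
        if (dx * STEP) ** 2 + (dy * STEP) ** 2 <= R * R]

def deploy(rng):
    """Drop M nodes per group around its deployment point (2-D Gaussian)."""
    return [[(rng.gauss(px, SIGMA), rng.gauss(py, SIGMA)) for _ in range(M)]
            for px, py in POINTS]

def observe(net, loc):
    """Actual observation a: neighbours within range R of loc, counted per group."""
    return [sum(0 < (x - loc[0]) ** 2 + (y - loc[1]) ** 2 <= R * R for x, y in grp)
            for grp in net]

def expected(z):
    """Expected observation e(Z): M times the group pdf integrated over the disc at Z."""
    k = M * STEP * STEP / (2 * math.pi * SIGMA ** 2)
    return [k * sum(math.exp(-((z[0] + dx - px) ** 2 + (z[1] + dy - py) ** 2)
                             / (2 * SIGMA ** 2)) for dx, dy in DISC)
            for px, py in POINTS]

def diff_metric(z, a):
    """Diff metric: A = sum_i |e_i(Z) - a_i|."""
    return sum(abs(e - ai) for e, ai in zip(expected(z), a))

def train_threshold(net, rng, n=200, fp=0.01):
    """T from a non-compromised network: the (1 - fp) quantile of A when Z is correct."""
    nodes = [p for grp in net for p in grp]
    scores = sorted(diff_metric(s, observe(net, s)) for s in rng.sample(nodes, n))
    return scores[n - 1 - int(fp * n)]

def alarm_rate(net, rng, t, d, n=100):
    """Fraction of sensors with A > T when the estimate Z is displaced by d from La."""
    hits = 0
    for s in rng.sample([p for grp in net for p in grp], n):
        ang = rng.uniform(0, 2 * math.pi)
        z = (s[0] + d * math.cos(ang), s[1] + d * math.sin(ang))
        hits += diff_metric(z, observe(net, s)) > t
    return hits / n
```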
20. Attacks
[Figure with labels A and B]
21. Attacks
I am actually from group 5, but I am not telling anybody.
Silence Attack
Range-Change Attack
22. Attacks (continued)
Group 3
I am from group 9
Group 5
I am actually from group 5.
Group 6
Impersonation Attack
Multi-Impersonation Attack and Wormhole Attack
23. Arbitrary Attack
a = (1, 2, 8, 10)
Arbitrary Change
a' = (10, 9, 3, 1)
- Attackers can arbitrarily change a sensor's observation (both increasing and decreasing).
- There is no hope.
- Observation decreasing is more difficult.
24. Dec-Bounded Attack
a = (1, 2, 8, 10)
a' = (10, 9, 7, 8)
Dec-Bounded Change
- a'i can be arbitrarily larger than ai (multi-impersonation attacks).
- But a'i cannot be arbitrarily smaller than ai.
- It is difficult to prevent non-compromised nodes from broadcasting their membership.
- Σ (ai - a'i) < x, for all ai > a'i
25. Dec-Only Attack
a' = (1, 2, 5, 7)
Dec-Only Change
a = (1, 2, 8, 10)
- Prevent impersonation attacks
- Authentication
- No wormhole attacks.
- Attackers cannot move sensors.
- Attackers cannot enlarge the transmission power.
26. Evaluation via Simulation
- X nodes are compromised
- Randomly pick a node at La (actual location) with the actual observation a
- Find a location Le s.t. Le - La D
- Compute expected observation u from Le
- Generate a new observation a' from a (attacking)
- Find Le, s.t. a is as close to u as possible
27. The ROC Curves
- Evaluating Intrusion Detection
- Detection rate
- False positive
- We need to look at them both
- Receiver Operating Characteristic (ROC)
- Y-axis: Detection rate
- X-axis: False positive ratio
28. ROC Curves for Different Metrics
29. ROC Curves for Different Attacks
30. Detection Rate vs. Degree of Damage
False Positive 0.01
31. Detection Rate vs. Node Compromise Ratio
False Positive 0.01
32. Conclusion
- We have developed an effective anomaly detection scheme for location discovery
- Future Studies
- How the deployment knowledge model affects our scheme
- How the location discovery schemes affect our scheme
- How to correct the location errors caused by the attacks.