Distributed Anomaly Detection in Wireless Sensor Networks
Ksutharshan Rajasegarar, Christopher Leckie, Marimutha Palaniswami, James C. Bezdek
IEEE ICCS2006 (Institutions of Communications and Computer Systems)



1
Distributed Anomaly Detection in Wireless Sensor Networks
Ksutharshan Rajasegarar, Christopher Leckie, Marimutha Palaniswami, James C. Bezdek
IEEE ICCS2006 (Institutions of Communications and Computer Systems)
2
Contents
  1. Overview
  2. Introduction
  3. Problem statement
  4. Anomaly Detection
  5. Evaluation
  6. Conclusion

3
Overview
  • Identifying misbehaviors is important in sensor networks
      • Monitoring
      • Fault diagnosis
      • Intrusion detection
  • The key problem is minimizing
      • Communication overhead
      • Energy consumption
  • This paper proposes anomaly detection based on
      • Distributed operation in sensors
      • A cluster-based algorithm

4
Introduction
  • WSNs are vulnerable to faults and malicious attacks because of
      • The large number of tiny sensor nodes in a WSN
      • Limited power, bandwidth, memory and CPU power
  • The distribution of misbehaviors
      • May not be known a priori
      • Can be identified by sensor or traffic measurements

5
Problem statement
  • A set of sensor nodes
  • At time interval each sensor measures a
    feature vector
  • , each vector is composed of features or
    attributes
  • where , and
  • After a window size of m measurements each sensor
    has collected a set of measurements
  • An anomaly is defined as an observation that appears to be
    inconsistent with other data in the combined set of measurements

6
Hierarchical Network Topology
7
Anomaly Detection
  • Clustering-based (fixed-width clustering)
      • Finds groups of similar data points, using Euclidean distance
        as the similarity measure between pairs of data
      • Fixed-width clustering
  • Detection algorithm
      • Uses the nearest neighbor algorithm
  • Detection approaches
      • Centralized
      • Distributed

8
Centralized approach
9
Distributed approach
10
Distributed approach
11
Basic data conditioning
  1. Standardization of feature values that lie in different ranges,
     so that they can be used in a distance measure
  2. Feature data scaling into the range [0,1]
12
Data conditioning in Sensor node
13
Data conditioning in Gateway
  • The gateway collects the linear sum, linear sum of squares,
    number of local data vectors, and vector of maximum and minimum
    values for each attribute from each sensor node, and computes
    the global data below.

14
Gateway node distributes global data to sensors
15
Anomaly detection
  • Merging of clusters
      • Compare each Ci with all other Cj where i ≠ j, and merge Ci
        with Cj where d(Ci, Cj) < w and j > i
      • E.g., a pair of clusters C1 and C2 are similar if the
        inter-cluster distance d(C1, C2) < w (width)
      • Then a new cluster C3 is produced
          • Its center is the mean of the centers of C1 and C2
          • Its number of data vectors is the sum of those in C1 and C2

16
Anomaly detection
  • Classify clusters as normal or anomalous
      • Use the KNN (K nearest neighbor) algorithm
      • For each cluster Ci, a set of inter-cluster distances
        DCi = {d(Ci, Cj) : j = 1…(C−1), j ≠ i} is computed between
        the centroids
      • From the set DCi for cluster Ci, the shortest K distances are
        selected, and the average inter-cluster distance ICDi of
        cluster Ci is computed

17
Anomaly detection
  • Ci is anomalous if ICDi is more than one standard deviation of
    the inter-cluster distance, SD(ICD), from the mean inter-cluster
    distance AVG(ICD)
  • anomaly Ca
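
The merging and classification steps of slides 15 to 17, run over the distributed flow (sensors cluster locally, the gateway merges the cluster summaries and classifies them), as an added example that is not from the presentation or the paper. The fixed-width assignment rule, the use of the population standard deviation, the upper-side threshold AVG(ICD) + SD(ICD), and all function names and sample readings are assumptions.

```python
import math
from statistics import mean, pstdev

def fixed_width_clusters(vectors, w):
    """Sensor side (assumed rule): join the nearest cluster if closer than w, else open one."""
    clusters = []  # each summary: {"center": [...], "n": number of data vectors}
    for x in vectors:
        near = min(clusters, key=lambda c: math.dist(x, c["center"]), default=None)
        if near and math.dist(x, near["center"]) < w:
            near["n"] += 1  # running mean keeps the centre at the mean of its members
            near["center"] = [c + (v - c) / near["n"] for c, v in zip(near["center"], x)]
        else:
            clusters.append({"center": list(x), "n": 1})
    return clusters

def merge_clusters(clusters, w):
    """Merge Ci with Cj (j > i) when d(Ci, Cj) < w: mean of centres, summed counts."""
    out = [dict(c) for c in clusters]
    i = 0
    while i < len(out):
        j = i + 1
        while j < len(out):
            if math.dist(out[i]["center"], out[j]["center"]) < w:
                cj = out.pop(j)
                out[i]["center"] = [(a + b) / 2 for a, b in zip(out[i]["center"], cj["center"])]
                out[i]["n"] += cj["n"]
            else:
                j += 1
        i += 1
    return out

def classify(clusters, k):
    """ICDi = mean of the k shortest centroid distances; needs at least two clusters."""
    centers = [c["center"] for c in clusters]
    icd = [mean(sorted(math.dist(ci, cj) for j, cj in enumerate(centers) if j != i)[:k])
           for i, ci in enumerate(centers)]
    threshold = mean(icd) + pstdev(icd)  # assumption: population SD, upper side only
    return [d > threshold for d in icd], icd

def gateway_detect(readings_by_sensor, w, k):
    """Sensors send only cluster summaries; the gateway merges and classifies them."""
    summaries = [c for vecs in readings_by_sensor.values() for c in fixed_width_clusters(vecs, w)]
    merged = merge_clusters(summaries, w)
    return (merged, *classify(merged, k))  # (clusters, anomaly flags, ICD values)

SENSOR_READINGS = {  # constructed sample; features already scaled into [0, 1]
    "s1": [(0.20, 0.20), (0.22, 0.20), (0.35, 0.20), (0.37, 0.20)],
    "s2": [(0.23, 0.22), (0.21, 0.22), (0.20, 0.36), (0.22, 0.36)],
    "s3": [(0.36, 0.35), (0.36, 0.37), (0.90, 0.90), (0.92, 0.90)]}
```

With w = 0.1 and K = 2, the six local summaries collapse to five clusters at the gateway, and only the cluster near (0.91, 0.90) is flagged.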

18
Experiments
19
Experiments
20
Complexity
  • Each sensor node sends its data once
  • The gateway sends to each sensor
  • Computational complexity of each sensor
      • O(m), where m is the number of measurements during the time
        window
  • Fixed-width clustering algorithm. Where is it done?
      • For each data vector, compute the distance to each existing
        cluster: O(mNc)
  • Cluster merging. Where is it done? And for what?
      • O(Nc^2), where Nc is the number of clusters

21
Conclusion
  • Presented an anomaly detection algorithm
      • Distributed, based on data clustering
  • Simulation
      • Using real data gathered from Great Duck Island
  • Evaluation results
      • Distributed approach achieves comparable performance with
        the centralized approach
      • Significant reduction in communication overhead
  • Future research in the distributed approach
      • Using multiple KNN parameters
      • Different kinds of anomaly (network attack)