LAD: Location Anomaly Detection for
Wireless Sensor Networks
Wenliang (Kevin) Du (Syracuse Univ.)
Lei Fang (Syracuse Univ.)
Peng Ning (North Carolina State Univ.)
Sponsored by the NSF CyberTrust Program
Location Discovery in WSN
- Sensor nodes need to find their locations
  - Rescue missions
  - Geographic routing protocols
- Constraints
  - No GPS
  - Low cost
Existing Positioning Schemes
Beacon Nodes
Attacks
Beacon Nodes
What is Anomaly
- Localization error: $|L_{estimation} - L_{actual}|$
  - $L_e = L_{estimation}$
  - $L_a = L_{actual}$
- Anomaly: $|L_e - L_a| > MTE$
  - MTE: Maximum Tolerable Error
- D-Anomaly: $|L_e - L_a| > D$
The Anomaly Detection Problem
- Is $|L_e - L_a| > D$?
- Find another metric $A$ and a threshold $T$:
  - $A > T \iff |L_e - L_a| > D$
False Positive and Negative
- Ideal Situation: $A > T \iff |L_e - L_a| > D$
- False Positive (FP): $A > T$, but $|L_e - L_a| < D$
- False Negative (FN): $A < T$, but $|L_e - L_a| > D$
- Detection Rate: 1 - (False Negative Rate)
Our Task
- We assume that the location discovery is already finished.
- Find a good metric $A$:
  - What metric can help a sensor find out whether it is in a “wrong” location?
  - It should be more robust than the location discovery itself.
A Group-Based Deployment Scheme
Modeling of The Group-Based Deployment Scheme
- Deployment Points: Their locations are known.
The Observations
[Figure: labels A and B; Actual Observation vs. Expected Observation]
Modeling of the Deployment Distribution
- Use a pdf (probability density function) to model the node distribution.
- Example: two-dimensional Gaussian distribution.
The Idea
[Figure: labels A, B, C, D, $L_a$, $L_e$]
The Problem Formulation
- Is Z abnormal?
- Observation $a = (a_1, a_2, \ldots, a_n)$
- [Diagram labels: Location Discovery, Z, LAD]
The Problem Formulation
- Actual Observation: $a = (a_1, a_2, \ldots, a_n)$
- Estimated Location: $Z$
- Expected Observation: $e(Z) = (e_1, e_2, \ldots, e_n)$
- Are $e(Z)$ and $a$ consistent?
Various Metrics
- Diff Metric: $A = |e(Z) - a|$
- Probability Metric: $A = \Pr(a \mid Z)$
- Others
How to Find the Threshold?
- Recall: we use $A > T$ to decide whether $|L_e - L_a| > D$.
- How to obtain $T$:
  - $T$ is obtained for a non-compromised network.
  - One location discovery scheme is used.
  - Derivation: preferable but difficult.
  - Simulation: e.g., find $T$ such that $\Pr(|L_e - L_a| > D \mid A > T) = 99.99\%$. We use $T$ as the threshold for $A$.
  - False positive = 1 - 99.99% = 0.01%.
Attacks
[Figure: labels A and B]
Attacks
- Silence Attack: “I am actually from group 5, but I am not telling anybody.”
- Range-Change Attack
Attacks (continued)
- Impersonation Attack (speech bubbles: “I am actually from group 5.” / “I am from group 9”)
- Multi-Impersonation Attack and Wormhole Attack (figure labels: Group 3, Group 5, Group 6)
Arbitrary Attack
- Attackers can arbitrarily change a sensor’s observation (both increasing and decreasing).
  - There is no hope.
  - Observation: decreasing is more difficult.
- Arbitrary Change: $a = (1, 2, 8, 10)$, $a' = (10, 9, 3, 1)$
Dec-Bounded Attack
- $a'_i$ can be arbitrarily larger than $a_i$ (multi-impersonation attacks).
- But $a'_i$ cannot be arbitrarily smaller than $a_i$.
  - It is difficult to prevent non-compromised nodes from broadcasting their membership.
  - $(a_i - a'_i) < x$, for all $a_i > a'_i$
- Dec-Bounded Change: $a = (1, 2, 8, 10)$, $a' = (10, 9, 7, 8)$
Dec-Only Attack
- Prevent impersonation attacks
  - Authentication
- No wormhole attacks.
- Attackers cannot move sensors.
- Attackers cannot enlarge the transmission power.
- Dec-Only Change: $a = (1, 2, 8, 10)$, $a' = (1, 2, 5, 7)$
Evaluation via Simulation
- X nodes are compromised.
- Randomly pick a node at $L_a$ (actual location) with the actual observation $a$.
- Find a location $L_e$ s.t. $|L_e - L_a| = D$.
- Compute the expected observation $u$ from $L_e$.
- Generate a new observation $a'$ from $a$ (attacking).
- Find $L_e$, s.t. $a'$ is as close to $u$ as possible.
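The steps from the slides (Diff metric, threshold taken from a non-compromised run, then a forced D-anomaly with and without a Dec-Only change) can be exercised end to end as below. This is an added example, not the authors' simulator: the grid, `M`, `SIGMA`, `R`, the 5-unit benign localization error, the L1 norm, the reading of $a_i$ as the number of neighbours heard from group $i$, and all function names are assumptions.

```python
import math, random

# Constructed parameters (assumptions, not values from the slides).
POINTS = [(x, y) for x in range(0, 500, 100) for y in range(0, 500, 100)]
M, SIGMA, R = 100, 50.0, 50.0   # nodes per group, Gaussian std dev, radio range
_rng = random.Random(1)
OFFSETS = [(_rng.gauss(0, SIGMA), _rng.gauss(0, SIGMA)) for _ in range(300)]

def deploy(rng):
    """Scatter M nodes around every deployment point (2-D Gaussian pdf)."""
    return [[(rng.gauss(cx, SIGMA), rng.gauss(cy, SIGMA)) for _ in range(M)]
            for cx, cy in POINTS]

def observe(loc, field):
    """Actual observation a: neighbours heard within range R, counted per group."""
    return [sum(math.dist(loc, p) <= R for p in group) for group in field]

def expected(z):
    """Expected observation e(Z) = M * Pr(group node within R of Z), Monte Carlo."""
    return [M * sum(math.dist(z, (cx + dx, cy + dy)) <= R for dx, dy in OFFSETS)
            / len(OFFSETS) for cx, cy in POINTS]

def diff_metric(e, a):
    """Diff metric A = |e(Z) - a|, taken here as the L1 norm."""
    return sum(abs(ei - ai) for ei, ai in zip(e, a))

def dec_only(a, u):
    """Dec-Only change: each a_i may be lowered toward u_i, never raised."""
    return [min(ai, ui) for ai, ui in zip(a, u)]

def scores(d, trials=100, seed=7, change=None):
    """Metric A for sensors whose estimate Z lies at distance d from La."""
    rng, out = random.Random(seed), []
    for _ in range(trials):
        field = deploy(rng)
        la = (rng.uniform(150, 250), rng.uniform(150, 250))  # Z stays in-field for d <= 150
        t = rng.uniform(0, 2 * math.pi)
        z = (la[0] + d * math.cos(t), la[1] + d * math.sin(t))
        e, a = expected(z), observe(la, field)
        out.append(diff_metric(e, change(a, e) if change else a))
    return out

def threshold(benign, fp=0.01):
    """T such that at most a fraction fp of non-compromised scores exceed it."""
    s = sorted(benign)
    return s[len(s) - 1 - int(fp * len(s))]

def rate(values, t):
    """Fraction of sensors flagged as anomalous (A > T)."""
    return sum(v > t for v in values) / len(values)
```

Calling `threshold(scores(5, seed=3))` gives T from a non-compromised run; `rate(scores(150), T)` and `rate(scores(150, change=dec_only), T)` then give the detection rate for the same sensors without and with the Dec-Only change.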
The ROC Curves
- Evaluating Intrusion Detection
  - Detection rate
  - False positive
  - We need to look at them both
- Receiver Operating Characteristic (ROC)
  - Y-axis: Detection rate
  - X-axis: False positive ratio
ROC Curves for Different Metrics
ROC Curves for Different Attacks
Detection Rate vs. Degree of Damage
False Positive = 0.01
Detection Rate vs. Node Compromise Ratio
False Positive = 0.01
Conclusion
We have developed an effective anomaly detection scheme for location discovery
- Future Studies
  - How the deployment knowledge model affects our scheme
  - How the location discovery schemes affect our scheme
  - How to correct the location errors caused by the attacks