LAD: Location Anomaly Detection for Wireless Sensor Networks

Wenliang (Kevin) Du (Syracuse Univ.)
Lei Fang (Syracuse Univ.)
Peng Ning (North Carolina State Univ.)

Sponsored by the NSF CyberTrust Program

Post on 21-Dec-2015

Location Discovery in WSN

Sensor nodes need to find their locations
  Rescue missions
  Geographic routing protocols

Constraints
  No GPS
  Low cost

Existing Positioning Schemes

[Figure: beacon nodes]

Attacks

[Figure: beacon nodes]

What is Anomaly

Localization error: |L_estimation – L_actual|
  Le = L_estimation
  La = L_actual

Anomaly: |Le – La| > MTE
  MTE: Maximum Tolerable Error

D-Anomaly: |Le – La| > D

The Anomaly Detection Problem

Is |Le – La | > D ?

Find another metric A and a threshold T

A > T |Le – La | > D

False Positive and Negative

Ideal Situation: A > T |Le – La | > D

False Positive (FP): A > T, but |Le – La | < D

False Negative (FN): A < T, but |Le – La | > D

Detection Rate: 1 – (False Negative Rate)

Our Task

We assume that the location discovery is already finished.

Find a good metric A
  What metric can help a sensor find out whether it is in a “wrong” location?
  It should be more robust than the location discovery itself.

A Group-Based Deployment Scheme

Modeling of The Group-Based Deployment Scheme

Deployment Points: Their locations are known.

The Observations

[Figure: Actual Observation and Expected Observation; labels A, B]

Modeling of the Deployment Distribution

Use a pdf (probability density function) to model the node distribution.

Example: two-dimensional Gaussian Distribution.

The Idea

[Figure: labels A, B, C, D, La, Le]

The Problem Formulation

[Diagram: Observation a = (a1, a2, …, an); Location Discovery; Z; LAD; “Is Z abnormal?”]

The Problem Formulation

Actual Observation a = (a1, a2, … an)

Estimated Location: Z

Expected Observation e(Z) = (e1, e2, … en)

Are e(Z) and a consistent?

Various Metrics

Diff Metric: A = | e(Z) – a |

Probability Metric: A = Pr(a | Z)

Others

How to Find the Threshold?

Recall: we use A > T to decide whether |Le – La| > D.

How to obtain T
  T is obtained for a non-compromised network.
  One location discovery scheme is used.
  Derivation: preferable but difficult.
  Simulation: e.g., find T such that Pr(|Le – La| > D | A > T) = 99.99%.
  We use T as the threshold for A.
  False positive = 1 – 99.99% = 0.01%.
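
An added example (not from the slides or the authors' code) of the pipeline described so far: the expected observation e(Z) from a two-dimensional Gaussian deployment model, the Diff metric, and a threshold T trained by simulation on a clean network. The 3×3 grid, M, SIGMA, R, the L1 norm, Le = La during training, and taking T as an empirical quantile of A (a simplification of the conditional-probability criterion above) are all assumptions.

```python
import math, random

M, SIGMA, R = 300, 50.0, 40.0   # constructed: nodes per group, Gaussian spread, radio range
POINTS = [(x, y) for x in (0, 100, 200) for y in (0, 100, 200)]  # constructed deployment points

def expected(z, step=4.0):
    """e(Z): per group, M * Pr(a node of that group lies within R of Z)."""
    n = int(R / step)
    cells = [(i * step, j * step) for i in range(-n, n + 1) for j in range(-n, n + 1)
             if (i * i + j * j) * step * step <= R * R]   # midpoint grid over the disc
    scale = M * step * step / (2 * math.pi * SIGMA ** 2)
    return [scale * sum(math.exp(-((z[0] + dx - px) ** 2 + (z[1] + dy - py) ** 2)
                                 / (2 * SIGMA ** 2)) for dx, dy in cells)
            for px, py in POINTS]

def observe(la, rng):
    """a: neighbours per group actually heard by a node located at La."""
    return [sum(math.hypot(rng.gauss(px, SIGMA) - la[0],
                           rng.gauss(py, SIGMA) - la[1]) <= R for _ in range(M))
            for px, py in POINTS]

def diff_metric(z, a):
    """Diff metric A = |e(Z) - a|, taken here as an L1 norm (assumption)."""
    return sum(abs(e - ai) for e, ai in zip(expected(z), a))

def random_location(rng):
    return rng.uniform(0, 200), rng.uniform(0, 200)

def train_threshold(rng, trials=100, fp=0.01):
    """T = empirical (1 - fp) quantile of A on a clean network where Le = La."""
    scores = sorted(diff_metric(la, observe(la, rng))
                    for la in (random_location(rng) for _ in range(trials)))
    return scores[min(trials - 1, int((1 - fp) * trials))]

def detection_rate(t, d, rng, trials=50):
    """Fraction of nodes flagged (A > T) when Le lies at distance d from La."""
    hits = 0
    for _ in range(trials):
        la, ang = random_location(rng), rng.uniform(0, 2 * math.pi)
        le = (la[0] + d * math.cos(ang), la[1] + d * math.sin(ang))
        hits += diff_metric(le, observe(la, rng)) > t
    return hits / trials

if __name__ == "__main__":
    rng = random.Random(2005)   # fixed seed for a repeatable run
    T = train_threshold(rng)
    print(T, detection_rate(T, 0, rng), detection_rate(T, 120, rng))
```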

Attacks

[Figure: labels A, B]

Attacks

Silence Attack
Range-Change Attack

[Figure: speech bubble “I am actually from group 5, but I am not telling anybody.”]

Attacks (continued)

Impersonation Attack
Multi-Impersonation Attack and Wormhole Attack

[Figure: speech bubbles “I am actually from group 5.” and “I am from group 9”; labels Group 3, Group 5, Group 6]

Arbitrary Attack

Attackers can arbitrarily change a sensor’s observation (both increasing and decreasing).

There is no hope.
Observation: decreasing is more difficult.

Arbitrary Change: a = (1, 2, 8, 10), a’ = (10, 9, 3, 1)

Dec-Bounded Attack

a’i can be arbitrarily larger than ai (multi-impersonation attacks).

But a’i cannot be arbitrarily smaller than ai.
  It is difficult to prevent non-compromised nodes from broadcasting their membership.
  (ai – a’i) < x, for all ai > a’i

Dec-Bounded Change: a = (1, 2, 8, 10), a’ = (10, 9, 7, 8)

Dec-Only Attack

Prevent impersonation attacks
  Authentication
No wormhole attacks.
Attackers cannot move sensors.
Attackers cannot enlarge the transmission power.

Dec-Only Change: a = (1, 2, 8, 10), a’ = (1, 2, 5, 7)

Evaluation via Simulation

X nodes are compromised.
Randomly pick a node at La (actual location) with the actual observation a.
Find a location Le s.t. |Le – La| = D.
Compute expected observation u from Le.
Generate a new observation a’ from a (attacking).
Find Le, s.t. a’ is as close to u as possible.
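
An added example (not from the slides) that makes the Arbitrary, Dec-Bounded and Dec-Only models concrete for this evaluation step: for each model it computes the permitted a’ closest to a target expected observation u and the residual |u – a’| that the detector would still see. Integer counts, the L1 residual, the bound x = 3, using the slide's (10, 9, 3, 1) as the target u, and reading Dec-Only as "no increases, decreases unbounded" are assumptions.

```python
import math

def bounds(ai, model, x=0):
    """Interval [lo, hi] that the attacker model allows for a'_i, given true count a_i."""
    if model == "arbitrary":        # any increase or decrease
        return 0, math.inf
    if model == "dec-bounded":      # (a_i - a'_i) < x on integer counts; increases free
        return max(0, ai - x + 1), math.inf
    if model == "dec-only":         # no increases (assumption: decreases unbounded)
        return 0, ai
    raise ValueError(f"unknown model: {model}")

def permitted(a, a_new, model, x=0):
    """True if the change a -> a_new is possible under the given model."""
    return all(lo <= v <= hi
               for v, (lo, hi) in zip(a_new, (bounds(ai, model, x) for ai in a)))

def closest(a, u, model, x=0):
    """Permitted a' nearest to target u, and the residual |u - a'| (L1)."""
    a_new = [min(max(ui, lo), hi)
             for ui, (lo, hi) in zip(u, (bounds(ai, model, x) for ai in a))]
    return a_new, sum(abs(ui - v) for ui, v in zip(u, a_new))

if __name__ == "__main__":
    a, u = (1, 2, 8, 10), (10, 9, 3, 1)   # a from the slides; u is a constructed target
    for model in ("arbitrary", "dec-bounded", "dec-only"):
        print(model, closest(a, u, model, x=3))
```

A larger residual means the altered observation stays further from what the claimed location predicts, so the tighter the attacker model, the more the Diff metric has to work with.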

The ROC Curves

Evaluating Intrusion Detection
  Detection rate
  False positive
  We need to look at them both

Receiver Operating Characteristic (ROC)
  Y-axis: Detection rate
  X-axis: False positive ratio

ROC Curves for Different Metrics

ROC Curves for Different Attacks

Detection Rate vs. Degree of Damage

False Positive = 0.01

Detection Rate vs. Node Compromise Ratio

False Positive = 0.01

Conclusion

We have developed an effective anomaly detection scheme for location discovery.

Future Studies
  How the deployment knowledge model affects our scheme
  How the location discovery schemes affect our scheme
  How to correct the location errors caused by the attacks