SRNET: A Real-time, Cross-based Anomaly Detection andVisualization System for Wireless Sensor Networks

Eirini KarapistoliDepartment of Information

SystemsUniversity of Macedonia

Egnatias 156, 54006,Thessaloniki, Greeceikarapis@uom.gr

Panagiotis SarigiannidisDept. of Informatics and

TelecommunicationsEngineering

University of WesternMacedonia

Karamanli & Ligeris Street,50100, Kozani, Greece

psarigiannidis@uowm.gr

Anastasios A.Economides

Department of InformationSystems

University of MacedoniaEgnatias 156, 54006,Thessaloniki, Greece

economid@uom.gr

ABSTRACTSecurity concerns are a major deterrent in many applica-tions wireless sensor networks are envisaged to support. Todate, various security mechanisms have been proposed forthese networks dealing with either Medium Access Con-trol (MAC) layer or network layer security issues, or keymanagement problems. Security visualization is the latestweapon that has been added in the arsenal of a securityofficer who is tasked with detecting network anomalies byanalyzing large amounts of audit data. This paper proposesa novel security visualization system for analyzing and de-tecting complex patterns of sensor network attacks, calledSRNET. Both selective forwarding and jamming attacks areidentified through visualizing and analyzing network trafficdata on multiple coordinated views, namely the multidimen-sional crossed view, the crossed view perspective, and thetrack area view. Through simulations, we demonstrate thatSRNET is able to help detect and further identify the rootcause of the aforementioned sensor network attacks.

Categories and Subject DescriptorsC.2.0 [Computer-Communication Networks]: General| Security and protection; H.5.2 [User Interfaces]: Graph-ical user interfaces (GUI)—interaction techniques

General TermsSecurity Visualization

KeywordsWireless Sensor Network Security Visualization, Cross-basedAnomaly Detection and Visualization, Detection of SelectiveForwarding and Jamming Attacks

Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.VizSec ’13 October 14 2013, Atlanta, GA, USACopyright 2013 ACM 978-1-4503-2173-0/13/10 ...$15.00.

1. INTRODUCTIONA wireless sensor network (WSN) is a network of cheap

and simple processing devices (sensor nodes) that are spa-tially distributed in an area of interest in order to coop-eratively monitor physical or environmental conditions andtransmit the collected information to a remote server forfurther processing. Most applications WSNs are envisagedto support require the remote and unattended operation ofa large number of sensor nodes. The unattended nature ofthe deployed WSNs and the limited resources of the wire-less nodes raises immediate administration problems and ap-points the security as an increasingly critical element in thenetwork design [1]. Currently, research on providing securitysolutions for WSNs has primarily focused in three categories[2]; key management, authentication and secure routing, aswell as in secure services such as secure localization, aggre-gation and time synchronization.

All mentioned security protocols are based on particularassumptions about the nature of the attacker. If the attackeris ‘weak’ (i.e. a passive mote-class attacker), the protocolwill achieve its security goal. If the attacker is ‘strong’ (i.e.,a laptop-class attacker), there is a non-negligible probabilitythat the adversary will break in, and will start running somemalicious code. Because of their resource constraints, sen-sor nodes usually cannot deal with very strong adversaries.So, what is needed is a second line of defense: an IntrusionDetection System (IDS) that can detect a third party’s at-tempts of exploiting possible insecurities, and as such, warnfor malicious attacks.

An effective IDS must be able to recognize familiar threatsas well as identify threats that have not been experiencedbefore. Automated systems are currently very effective inthe first of these two categories; that is, a well-designed au-tomatic IDS can very quickly identify a network intrusion ifthat intrusion has a previously seen pattern of data [3]. De-spite the fast development of automated IDSs, the evolvingnature of the attacks as well as the scale and complexity ofthe generated network traffic (also known as the “Big Data”problem) put ever-increasing challenges to the interpreta-tion and understanding of security-related information [4,5]. Moreover, the state of the art in anomalous activity de-tection, which is required for recognizing new threats, is veryunreliable in automated systems. These systems require vig-ilant human oversight, but most importantly, they lack the

49

reasoning ability that is crucial for making decisions aboutanomalous data that may or may not be a threat, with thetypical consequence of an extremely high false positive rate.In order to meet the inherent analytical needs, the sci-

entific community turned to the Visual Analytics approach.Visual Analytics can be described as “the science of ana-lytical reasoning facilitated by interactive visual interfaces”[6]. It is a tight integration of visual and automatic dataanalysis methods for information exploration and scalabledecision support. Whenever automatic systems become in-sufficient for recognizing malicious patterns, advanced visu-alization and interaction techniques can be used as a bridge,encouraging the expert user to explore the relevant data andto take advantage of the human perception, intuition, andbackground knowledge [7, 8]. This feature should be consid-ered as the main benefit of visualization for network security.Moreover, a visual-based approach to the anomaly detectionproblem does not need a “normal” data set and mainly re-lies on the superior visual processing capability of the humanbrain to detect patterns and draw inference. Starting withno prior knowledge of what shape or form the anomaliestake, researchers use visualization as a novel tool for discov-ering the intrinsic properties of normal and abnormal data[9, 10].This paper contributes to the area of security visualization

for wireless sensor networks. We propose a robust Visual-assisted Intrusion Detection System (VIDS) devised for theprocess of detecting complex patterns of abnormal networkbehavior in large-scale WSNs, called SRNET. SRNET is anintegrated system that tackles the sensor network anomalydetection problem by using novel visual analytics technolo-gies. To help address the security visualization challenges,SRNET offers the following contributions;

• Amultidimensional crossed view enhanced with a high-light function that monitors the evolving status of twoclasses of sensor network attacks, namely selective for-warding attacks and jamming attacks.

• A crossed view perspective combined with a track view,which is introduced so as to timely locate the sourceof the correlated anomaly.

• A novel track area view that tracks the source andthe pattern of a potential jamming attack and whichenables attribution of the attacker.

The remainder of the paper is organized as follows. InSection 2 we review visualization assisted approaches aimedat detecting network attacks in WSNs. Section 3 introducesthe basic features and views of the SRNET visual analyt-ics system. We present experimental results in Section 4.Finally, Section 5 concludes the paper and discusses futureextensions.

2. RELATED WORKSeveral security visualization systems have been proposed

in the literature to address the problem of visual-based ano-maly detection in WSNs. Early in 2004, Wang and Bhar-gava [11] proposed a security enhancing visualization mecha-nism for WSNs, called MDS-VOW, which is capable of iden-tifying the occurrence of a wormhole attack in stationarywireless sensor networks. Using multi-dimensional scaling(MDS) and a surface smoothing strategy, a virtual layout of

the network is computed. The shape of the reconstructednetwork is then analyzed. If any wormhole exists, the shapeof the network will bend and curve towards the wormhole,otherwise the network will appear flat. MDS-VOWwas eval-uated for its wormhole detection accuracy through simula-tions. While efficient, this approach has several deficiencies,especially when applied to dynamic wireless environments(the detection rate drops from over 95% to less than 70%and the ratio of false positives rises from less than 10% toover 80%).

Wang and Lu [12] extended the MDS-VOW concept propos-ing an improved detection mechanism, called interactive vi-sualization of wormholes (IVoW). IVoWmechanism efficientlyintegrates automatic intrusion detection algorithms with vi-sual representation and user interaction to support visual-ization of several wormholes in large scale dynamic WSNs.Simulation results showed that IVoW accelerates the detec-tion process and improves the algorithm accuracy when com-pared to the MDS-VOW approach.

Wang and Lu [13] proposed an effective approach for mon-itoring and detecting Sybil attacks in large scale WSNs. Thisapproach uses multiple 2D and 3D views that allow the userto observe the network topology information through multi-ple aspects and reveal data correlations. Simulation studiesshowed that the proposed mechanism can effectively identifyboth direct and indirect Sybil attacks. One drawback of thistool is that greater visualization effort is needed to come upwith a firm final resolution.

Recently, Lu et al. [14] developed an integrated approachto detect Sybil attacks in mobile WSNs through visualizingand analyzing multiple reordered topology patterns. Differ-ent from the previous approach, the automatic reorderingand evaluation algorithms used here reveal the maliciousnodes in the network topology faster and more accurately.The proposed approach also provides a time-series analy-sis in order to identify attack durations. This analysis isbased on time histograms and an automatic time segmenta-tion method. Overall, this approach was evaluated througha series of real-life attack scenarios, and has shown successat unveiling unknown Sybil attacks.

Abuaitah et al. [15], developed a security visualizationsystem, called SecVizer, capable of parsing any QualNetgenerated traffic trace from both wired and wireless net-works. SecVizer combines topology visualization with theparallel coordinate plot technique in order to obtain a fasterand more effective detection of network vulnerabilities. Byexploring noticeable traffic patterns at both the networktopology window and the parallel plot window, the toolhas demonstrated its ability to detect various malicious net-work activities, most notably Distributed Denial of Service(DDoS) attacks. The tool, in its current status, is intuitiveenough to allow an analyst to process network events in real-time, but further drill down depth is needed to come up witha firm final resolution.

In the settings of WSNs, Shi et al. [16] proposed a novelapproach to sensor network anomaly detection and fault di-agnosis through visualization. The SAVE system encom-passes three distinct visualization components that interpretthe topological, correlational and dimensional sensor datadynamics and their anomalies. SAVE was validated througha case study deployment on the real-world large-scale WSNsystem called GreenOrbs.

As it can be seen, the existing security visualization sys-

50

Figure 1: The SRNET visual interface.

tems can only deal with a single type of attack instance.Compared to the previous security methods, within SRNET,we apply as well as develop novel views for visually detectinga number of sensor network attacks in one single view.

3. THE SRNET SYSTEMSRNET is a system that fully leverages the power of both

visualization and anomaly detection analytics to guide theuser to quickly and accurately detect complex patterns ofsensor network attacks. At its current state, SRNET detectsselective forwarding [17] and jamming attacks [18] againstthe WSN through visualizing and analyzing network traf-fic data on multiple coordinated views. Figure 1 shows thewhole picture of the provided visualizations of the SRNETsystem. The main user interface is composed of the Ge-ographical Topology View (lower right), the Crossed View(upper left), the Track View (upper right) and the TrackArea View (lower left). In the following subsections, theadded value of each of these contributions is discussed indetail.

3.1 The Geographical Topology ViewThe Geographical Topology View illustrates the physical

topology of the sensor nodes, which resembles a multi-clustertree structure similar to the one proposed by the IEEE802.15.4 standard [19]; a dominant communication standarddeveloped to provide low-power and highly reliable wirelessconnectivity among inexpensive, battery-powered devices.Each node is illustrated with a circle. A different color dif-ferentiates the role of each node, which in the case of cluster-based WSNs, can either act as a coordinator (i.e. the prin-cipal controller of a cluster) or as a device (i.e. a clustermember with sensing and communicating capabilities). Aring accompanying each node shows the node’s transmissionrange, while the connection lines represent the parent-child

relationships between the sensor nodes. While the networkunder investigation comprises of 40 sensor networks orga-nized into five clusters following the association procedureof the 802.15.4 standard, the SRNET system can supportWSNs of arbitrary number of nodes and clusters.

3.2 The Crossed ViewWe devised the concept of the Crossed View in order to

provide a multidimensional, consolidated, and effective viewof the network status to the human behind the monitor. Therationale behind the visualization of the crossed view is thesimplicity of the interpretation of the potential threads tothe network. The design behind the picture aims at illus-trating the thread immediately, without entailing complexactions or complicated human interaction. In order to over-come scalability issues, a similar but more focused view isalso provided, which is triggered just with a simple click bythe administrator. This focused view is called Crossed Clu-ster View and restricts the view to a simple cluster of thesensor network keeping the provided properties and config-uration intact. Figure 2 illustrates the crossed view undernormal operation. The whole view is divided into four quar-ters. All information provided by this view is synchronized.Each quarter endeavors to point a crucial feature of the net-work. For example, the upper right quarter reorganizes thenetwork topology in a single view, the lower right quarterreveals potential selective forwarding threads together withanalytics, the lower left quarter focuses on the jamming ef-fects at each node, and the upper left quarter constitutes thecorrelated thread analyzer providing a dynamic projectionof the state of the whole sensor network.

More specifically, the Upper Right Quarter constitutes thecontrol panel of the scheme. It includes all nodes drawn ina square block shape using different colors to distinguishthe coordinators from the devices. The placement of the

51

Figure 2: The Crossed View perspective

nodes is static and represents the euclidean distance from thesink node (also referred to as the central PAN coordinator).This attribute is designed to offer an immediate image of thelocation of the attacker, i.e., how far the attack took placefrom the central point. Hence, the administrator is able todetect a potential thread immediately by taking a look inthe upper right quarter of the monitor.The Lower Right Quarter tackles selective forwarding thre-

ads. It shows all sensor nodes in square blocks using differ-ent colors depending on whether the node is a coordinatoror a device. The scale shows the percentage of the droppedpackets by each node separately. Conceptually, the illustra-tion is based on an animation. Each block representing thesensor node is progressively moving to the observed valueas an animated figure. This method was selected in orderto capture the magnitude of the thread instead of a simplevalue in a time point. Similarly, the animated object is mov-ing backwards when the thread is diminished or resolved soas to highlight the recession of the previous thread. Thepace of the animated block depends on the observed win-dow. In essence, a specific time window is maintained foreach node representing the percentage of dropped data dur-ing this time. The size of the window as well as the frequencyof the update define the pace of the animation.Figure 3 reveals an example of an attack on the nodes 30

and 31. The square blocks representing nodes 30 and 31 aremoving towards the bottom edge of the quarter, expressinga considerable drop ratio that should be treated by the ob-server. The alarm is triggered in the upper right quarter,which plays the role of the analyzer, by changing the colorof the nodes’ indices under attack. The threshold (dropratio) triggering this color is considered as a system param-eter. Assuming that at least 5% drop ratio is acceptable,under normal network operation, the adopted threshold inthe demonstration was set to 5%. The magnitude of thealarm depends on the distance the square block covers. Forinstance, as the Figure 3 illustrates, currently both nodesexperience at least 40% drop ratio. The added value of thisperspective lies in the animated graph, where the observercould timely perceive the potential thread, identify the vic-tims, and recognize the level of the thread.The jamming thread is monitored in the Lower Left Quar-

ter. Once more, the animation concept is utilized in order toeffectively illustrate potential jamming attacks in the sensor

Figure 3: An example of selective forwarding attackon nodes 30 and 31

network. All sensor nodes are incessantly moving showing anormal operation. This action represents the ongoing trafficsent rate. In other words, the height where a node is placedwithin this quarter reveals its traffic sent rate in packets/sec.This rate is normalized between 0 and the maximum rateobserved during the network operation. Under normal net-work operation, all nodes are uninterruptedly moving upand down in accordance with their current network dynam-ics, i.e., depending on their traffic rates. The rationale be-hind this coincides with the jamming attack operation. Asensor node that is under jamming attack is unable to sendand forward data, hence the number of sent and receiveddata packets tends to zero. To visualize this phenomenonwe plot the current traffic rate of each node in order to iso-late problematic situations that affect one or more nodes.For example, Figure 4 depicts a jamming attack affectingnodes 16, 17, and 18. It is worth mentioning that in thevisualization paradigm of the lower left quarter, the level ofdetail regarding the traffic rate is deliberately low since theview aims at highlighting the existence of traffic instead oftraffic details. Nonetheless, the notification of the thread isalso reflected in the upper right quarter, wherein the ana-lyzer takes into account the monitored attack and marks thelinks of the nodes under (jamming) attack.

One of the major contributions of this work lies in theUpper Left Quarter. In this illustration, we tried to encodeanalytics considering the network cluster’s perspective. Aset of adjacent columns, one for each existing cluster, dy-namically change color introducing the level of granularityof the threads upon each cluster. By highlighting the levelof the thread in each cluster separately, we address the ro-bustness and the efficacy of the visualization results. In thismanner, the crossed view is applicable to human diagnosis ofmedium and large scale data, since an administrator is ableto determine the granularity and the localization factors,i.e., where the thread is moving and what is the level of thethread. By using the red color as a basis, in order to furtherhighlight the potential attacks, different scaling of thread di-mensions are normalized based on the opacity (alpha) colorproperty. Alternatively, a sequential color scheme could beused [20]. We consider the following additive expression fordetermining the highlight function (HF )i, where i stands forthe cluster ID:

52

Figure 4: An example of jamming attack on nodes16, 17, and 18

HF i = wSF × SFIM i + wJ × JIM i (1)

The parameters SFIM i and JIM i denote the impact ofthe selective forwarding and jamming attack respectively.The weighting factors wSF and wJ provide the relative sig-nificance of the two threads to the determination of the high-light function. A wide range of functions may be definedsimply by introducing different specifications of the SFIM i

and the JIM i expressions. However, taking into accountthat the color opacity takes values in the range [0,255], thehighlight function should satisfy the following constraint:

0 ≤ HF i ≤ 255 ⇒ 0 ≤ wSF × SFIM i + wJ × JIM i ≤ 255 (2)

Functions SFIM i and JIM i should be incremental, byshowing higher levels of thread by higher values. The formerfunction expresses the level of thread observed by a single ormultiple selective forwarding attacks in the sensor network.Intuitively, it should reflect the level of alarm for each clusterseparately. Given that the measurement of a node that isunder selective forwarding attack is between 0% (no thread)and 100% (complete attack), we define the SFIM i functionas follows:

SFIM i = Di × 125 (3)

The parameter Di denotes the average drop ratio of thei-th cluster, thus it holds that 0 ≤ Di ≤ 1. If Di = 0,the corresponding cluster experiences no selective forward-ing attack. On the contrary, a complete selective forwardingattack occurs in all sensor nodes of a cluster when Di = 1.On the other hand, the JIM i function corresponds to

the results obtained by a jamming attack to a single or tomultiple sensor nodes. In this case, the result is boolean;i.e., a sensor node is or is not under jamming attack. Hence,this phenomenon could be formed based on the number ofsensor nodes identified as jamming victims divided by thetotal number of sensor nodes the cluster includes. Followingthe above remarks, the JIM i function is defined as follows:

SFIM i = J i × 125 (4)

The parameter J i expresses the portion of the jamming’svictim nodes in a single cluster. Obviously, the lowest value

Figure 5: An example of massive attack on cluster1 as illustrated by the Crossed View

the function J i can receive is 0, meaning that no jammingattacks were observed in cluster i, whereas the value 1 dic-tates a complete jamming attack within the cluster i.

As previously mentioned, the weighting factors wSF andwJ express the relative significance of the two threads. Theweights offer the capability of dynamically readjusting thepoint of view regarding the two types of attack. For ex-ample, an administrator may consider the jamming attackmuch more important than the selective forwarding attacksince the environment could be outdoor and more hostile topotential jamming attackers. In order to comply with therelation (2), the summation of the two weight factors is one:

wSF + wJ = 1 (5)

Initially, we treat both threads equally, so it holds:

wSF = 0.5, wJ = 0.5 (6)

However, a fair treatment of the above weights could beinsufficient. For instance, it is important to take into ac-count the frequency an attack is exploited in order to evalu-ate the attack in the visualization paradigm accordingly. Inthis way, we further determine the adequate relative signif-icance of the two weights by proposing a dynamic formulathat defines the relative values of the above parameters. LetSFI and JI be the number of the selective forwarding andjamming attack instances of the previous time window, T ,respectively. Then, the weighting factors wSF and wJ aredefined as follows:

wSF =SFI

SFI + JI, wJ =

JI

SFI + JI, ∀SFI + JI = 0 (7)

One major drawback of the crossed view is the lack ofspace when the area under investigation is a large-scale WSN.In this case, we tried to address scalability issues by inau-gurating a more focused view, similar to the crossed view,called Crossed Cluster View. Figure 5 shows a massive at-tack on cluster 1. Specifically, nodes 16 and 17 experience aselective forwarding attack, while node 15 is under jammingattack. The analyzer in the upper right quarter marks theevidences of the massive attack, i.e., it marks the link of thenode 15 and draws the numbers of nodes 16 and 17 with redcolor. At the same time, the corresponding column in theupper left quarter indicates a massive attack on cluster 1. In

53

Figure 6: An alternative view of massive attack oncluster 1 by using the Crossed Cluster View

this case, it useful for the administrator to detect significantchanges only in the area of interest, i.e., in cluster 1. Hence,by a single click on the related column the user may navigateto the cluster of interest and further investigate the situa-tion. Figure 6 shows the focused view of the crossed clusterview, in which the problematic cluster is isolated allowingfor more efficient countermeasures.

3.3 The Track ViewThe Crossed View offers a dynamic projection of the sys-

tem status in multiple perspectives. It identifies the nodesunder attack, the magnitude of the thread, and the danger-ous cluster. However, the localization property of the attackis not addressed. The user is aware of the thread but is un-aware of two facts; when and where the thread occurred.In order to address this weakness, we further strengthenedthe capabilities of the SRNET system by introducing theTrack View. The Track View aims at tracking a potentialthread by estimating its source coordinates. Figure 7 de-picts the outcome of the Track View as a jamming attack isin progress somewhere between the clusters 1 and 2. In thisparadigm, the nodes are designed in circles, having their IDwithin the circle, while the coordinate nodes have differentcolor from the devices. The area is the normalized version ofthe original Geographical Topology View, where the connec-tion points implicitly reveal the area of each cluster. More-over, a black ring distinguishes each cluster to its area. Theradius of each ring is calculated so as to enclose all nodesthat belong to this cluster. It is worth mentioning that thefill color of each cluster obeys to the rules described in theSection 3.1, i.e., it includes the same color the correspondingcolumn the upper left quarter in the Crossed View has. Therationale behind this is to maintain the thread level to thisview, and as such, avoid the disorientation of the observer.The contribution here lies in the yellow surface that stands

between the two clusters. This surface is called the TrackSurface, and endeavors to estimate the source and the rangeof the jamming attack. While the notification of the selec-tive forwarding evidences is a trivial issue, i.e., we use a redring to point a node that experiences a notable drop ratio, asit happens in the case of node 16, the attachment of the jam-ming source and its properties is a challenge. The Track Al-gorithm describes the logic behind the determination of the

Figure 7: An example of jamming attack on nodes1,2, 12, 15, 16, 19, 20, and 21.

jamming activity area. In essence, the algorithm calculatesthe central point of the surface formed by the coordinates ofthe nodes under attack. Then, it calculates the maximumdistance from this point to the most far cited node; that is,the radius. It is worth mentioning that if there is only asingle node under jamming attack, then the Track Surfaceis simply its range. For example, by observing the Figure7 we can see the nodes under jamming attack marked witha red ring, namely the nodes 1, 2, 12, 15, 16, 19, 20, and21. The Track Surface estimates that the intruder may belocated in the central point considering all nodes together.

Algorithm 1 Track Algorithm

Input: The coordinates of z nodes under jamming attack(N = N1X , N1Y , N2X , N2Y , ...NzX , NzY ).

Output: The estimating coordinates of the jamming source(JX , JY ) and the its radius (RADIUS).{ Find the Activity Center }tempSumX = 0tempSumY = 0for each node i under jamming attack do

tempSumX = tempSumX +NiXtempSumY = tempSumY +NiY

end forJX = tempSumX/zJY = tempSumY/zMaxDistanceFromSource = 0for each node i under jamming attack do

if Euclidean Distance(JX , JY , NiX , NiY ) >MaxDistanceFromSource then

MaxDistanceFromSource =Euclidean Distance(JX , JY , NiX , NiY )

end ifend forRADIUS = MaxDistanceFromSource

3.4 The Track Area ViewIn order to accurately track the source of a potential jam-

ming attack, we introduce the Track Area View. This illus-tration is complementary to the Track View adding a crucial

54

Figure 8: An instance of four jamming attacks indifferent time periods.

value in the dynamic network behavior, namely the time pa-rameter. As previously mentioned, the Track View estimatesthe location of the intruder as well as the radius of the jam-ming interference. By applying the track area perspective,we enhance the obtained image with the time dimension.The time correlation is achieved using a different color huefor each monitored jamming attack.Initially, the whole sensor network is divided into tiles of

squared shape. The track area view aims at characterizingthe area in accordance with the obtained results using a dif-ferent color. The red color is used again in order to highlightthe dangerous area. The opacity of the color corresponds tothe time the attack was perceived. The Track Area Algo-rithm (TAA) describes the way of treating a jamming attackin both distance and time domains. The algorithm consistsof two phases, the Refresh Phase and the Update Phase. Therefresh phase is responsible to demonstrate the time dimen-sion by fading the color opacity of the tiles that have beenaffected by past jamming attacks. It operates periodicallyso as to pinpoint the time elapsed from previous attacks.The speed of the evaporation, denoted as Trefresh, deter-mines when the past points of interest will be completelydisappeared, and therefore defines the time window of thepresence of past attacks. On the other hand, the updatephase attributes fresh color to the current, interesting tiles,forming the incomings jamming attack. A fresh color is de-fined by its opacity; the maximum opacity, i.e., the valueof 255, shows a very recent anomaly that needs immediatemeasures. We employ the simple, but effective, Euclideandistance in order to decide whether a specific tile belongsto the area of the jamming attack. As a result, the freshcolored tiles represent the current time, the weak red areasindicate past attacks, and the white area stands for a clearterritory.Figure 8 captures four jamming attacks occurred in differ-

ent times. Regarding the first attack within the borders ofcluster 5, the color of the Track Surface is quite light. Withregard to the attack located in the lower left, the color islight but more intense than the previous attack. The twoupper attacks are more recent, while the right one is thecurrent attack. The current attack is drawn in full red inorder to highlight an emergent situation.

Algorithm 2 The Track Area Algorithm

Input: .The number of available tiles (TI)The coordinates of a tile of the given network area (Tx,Ty)The coordinates of the estimated jamming source (Sx,Sy)The estimated range of the jamming source Srange

The refresh period Trefresh

A flag denoting whether there is an active jamming attack(jamming thread)

Output: The new color value Topacity.

Algorithm 3 The Phases of the TAA Algorithm

{ Refresh Phase }for each period Trefresh do

for each tile TI doif Topacity > 0 then

Topacity = Topacity − 1end if

end forend for{ Update Phase }if jamming thread == TRUE then

if Euclidean Distance(TX , Ty, Sx, Sy) ≤ Srange thenTopacity = 255

end ifend if

4. PERFORMANCE EVALUATIONIn this Section, we provide an evaluation paradigm of the

proposed analytics. In particular, the Track Area Algorithmis assessed so as to demonstrate its accuracy. We considera bot machine that performs a jamming attack as it movesthrough the sensor network. The machine follows a fixedpath starting from the middle of the network left side andfinishing in the middle of the network right side. We assumethat the sensor network is placed within an area of 1000×800distance points, e.g., meters. We measure the difference ofthe estimating central point of the attack compared to theactual coordinates of the bot. The bot changes position witha speed of 50 distance points per 60 seconds. The evaluationcriterion is the Euclidean distance between the estimatedand the actual coordinates of the attack source.

!"" !#" $"" $#" %"" %#" &""!&"

!&#

!#"

!##

!'"

!'#

!("

!(#

!)"

!)#

*+,-./01.223450.,,.+607.45809:;34,<=

*>87.580877;703408<,32.,3450?3<,.4+809:;34,<=

Figure 9: Average distance error of the Track AreaAlgorithm in terms of distance units.

55

Figure 9 depicts the evaluation results. One importantpoint raised by this figure is that the error level is reducedas the range of the attack comes larger. This is attributed tothe fact that a larger attack affects more nodes, so it is moreaccurate to estimate the coordinates of the source. Anotherpoint of interest is that the error is quite limited given thatthe estimation of the proposed framework is blind. The es-timation depends on the nodes under attack, hence, a densesensor network could provide better estimations comparedto a spatial network such as the one under investigation.Nonetheless, the introduced visualization tool is a step to-ward in the area of visual-based anomaly detection assistingthe security professionals at identifying networks attacks.

5. CONCLUSIONS AND FUTURE WORKThe ever-increasing amount of security events reported in

mission-critical applications wireless sensor networks are en-visaged to support asks for new tools to deal with them. Asa novel network security visualization tool, SRNET standsout as one such solution. In this work we proposed a ro-bust, efficient, and effective visualization tool that is ca-pable of identifying selective forwarding and jamming at-tacks, two of the most daunting challenges in the sensornetwork security field. The tool is based on multiple pointof views, each offering a compelling perspective on address-ing potential threads in a sensor network. The add-on valuesof the presented views focus on identifying multiple threadsat a glance, tracking unpredictable jamming attacks, andenhancing the whole view with the time dimension. Theaccuracy of the tracking capability was assessed and the re-sults indicated that the proposed tool could be a power-ful visual analyzer on confronting dynamic, unpredictable,and massive network threads. In the future, we intend tovalidate the SRNET system through extended user studieswhere network analysts and experts will use the system andprovide feedback on its usability. Moreover, we will extendthe capabilities of the SRNET system in order to enable thetool to detect a series of new attack patterns, such as Sybilattacks, Sinkhole attacks, Wormhole attacks, etc.

AcknowledgmentsThis work was performed within the framework of the Action“Supporting Postdoctoral Researchers” of the OperationalProgram “Education and Lifelong Learning” (Action’s Be-neficiary: General Secretariat for Research & Technology),and is co-financed by the European Social Fund and theGreek State.

6. REFERENCES[1] Y. Zhou, Y. Fang, and Y. Zhang, “Securing wireless

sensor networks: a survey,” IEEE Commun. SurveysTuts., vol. 10, no. 3, pp. 6–28, 2008.

[2] X. Chen, K. Makki, K. Yen, and N. Pissinou, “Sensornetwork security: a survey,” IEEE Commun. SurveysTuts., vol. 11, no. 2, pp. 52–73, 2009.

[3] A. Farooqi and F. Khan, “Intrusion detection systemsfor wireless sensor networks: A survey,” inCommunication and Networking. Springer, 2009,vol. 56, pp. 234–241.

[4] J. J. Thomas and K. A. Cook, “A Visual AnalyticsAgenda,” IEEE Computer Graphics and Applications,

vol. 26, pp. 10–13, 2006.

[5] D. A. Keim, F. Mansmann, J. Schneidewind,J. Thomas, and H. Ziegler, “Visual data mining,” inVisual Analytics: Scope and Challenges.Springer-Verlag, 2008, pp. 76–90.

[6] J. J. Thomas and K. A. Cook, Illuminating the Path:The Research and Development Agenda for VisualAnalytics. National Visualization and Analytics Ctr,2005.

[7] S. T. Teoh, K.-L. Ma, S. F. Wu, and T. J.Jankun-Kelly, “Detecting flaws and intruders withvisual data analysis,” IEEE Comput. Graph. Appl.,vol. 24, no. 5, pp. 27–35, Sep. 2004.

[8] G. Conti, Security Data Visualization: GraphicalTechniques for Network Analysis, 1st ed. No StarchPress, Oct. 2007.

[9] R. Marty, Applied Security Visualization, 1st ed.Pearson Education Inc., 2009.

[10] H. Shiravi, A. Shiravi, and A. Ghorbani, “A Survey ofVisualization Systems for Network Security,” IEEETransactions on Visualization and ComputerGraphics, vol. 1, no. 99, pp. 1–19, 2011.

[11] W. Wang and B. Bhargava, “Visualization ofwormholes in sensor networks,” in ACM workshop onWireless Security. ACM Press, 2004, p. 51U60.

[12] W. Wang and A. Lu, “Interactive wormhole detectionin large scale wireless networks,” in Visual AnalyticsScience And Technology, 2006 IEEE Symposium On,nov. 2006, pp. 99–106.

[13] ——, “Visualization assisted detection of Sybil attacksin Wireless Networks,” in Proceedings of the 3rdinternational workshop on Visualization for computersecurity, ser. VizSEC, 2006, pp. 51–60.

[14] A. Lu, W. Wang, A. Dnyate, and X. Hu, “Sybil attackdetection through global topology patternvisualization,” Information Visualization, vol. 10,no. 1, pp. 32–46, 2011.

[15] G. Abuaitah and B. Wang, “SecVizer: A SecurityVisualization Tool for QualNet-Generated TrafficTraces,” in Proceedings of the 6th Int. Workshop onVisualization for Cyber Security, 2009, pp. 111–118.

[16] L. Shi, Q. Liao, Y. He, R. Li, A. Striegel, and Z. Su,“SAVE: Sensor anomaly visualization engine,” in IEEEConference on Visual Analytics Science andTechnology (VAST), 2011, oct. 2011, pp. 201–210.

[17] L. Bysani and A. Turuk, “A survey on selectiveforwarding attack in wireless sensor networks,” inDevices and Communications (ICDeCom), 2011International Conference on, 2011, pp. 1–5.

[18] W. Xu, W. Trappe, Y. Zhang, and T. Wood, “Thefeasibility of launching and detecting jamming attacksin wireless networks,” in Proceedings of the MobiHoc’05 International Symposium. ACM, 2005, pp. 46–57.

[19] “IEEE 802.15.4TM

-2011: IEEE Standard for Local andMetropolitan Area Networks–Part 15.4: Low-RateWireless Personal Area Networks (LR-WPANs),” 2011.

[20] C. Brewer, M. Harrower, and The Pennsylvania StateUniversity, “Colorbrewer 2.0 - color advice forcartography.” [Online]. Available:http://colorbrewer2.org

56