Hidden Markov models on a self-organizing map for anomaly detection in 802.11 wireless networks

Abstract

The present work introduces a hybrid integration of the self-organizing map and the hidden Markov model (HMM) for anomaly detection in 802.11 wireless networks. The self-organizing hidden Markov model map (SOHMMM) deals with the spatial connections of HMMs, along with the inherent temporal dependencies of data sequences. In essence, an HMM is associated with each neuron of the SOHMMM lattice. In this paper, the SOHMMM algorithm is employed for anomaly detection in 802.11 wireless access point usage data. Furthermore, we extend the SOHMMM online gradient descent unsupervised learning algorithm for multivariate Gaussian emissions. The experimental analysis uses two types of data: synthetic data to investigate the accuracy and convergence of the SOHMMM algorithm and wireless simulation data to verify the significance and efficiency of the algorithm in anomaly detection. The sensitivity and specificity of the SOHMMM algorithm in anomaly detection are compared to two other approaches, namely HMM initialized with universal background model (HMM-UBM) and SOHMMM with zero neighborhood (Z-SOHMMM). The results from the wireless simulation experiments show that SOHMMM outperformed the aforementioned approaches in all the presented anomalous scenarios.

Appendix

$$\begin{aligned}&\alpha _{1}(i)=\pi _{i}b_{i}(o_{1}) \qquad 1 \le i \le n \end{aligned}$$

(32)

$$\begin{aligned}&\alpha _{t+1}(j)=\Big [ \varSigma \alpha _{t}(i)a_{ij}b_{j}(o_{t+1})\Big ] \qquad 1 \le j \le n, \quad 1 \le t \le T-1 \end{aligned}$$

(33)

$$\begin{aligned}&\beta _{T}(i)=1 \qquad 1 \le i \le n \end{aligned}$$

(34)

$$\begin{aligned}&\beta _{1}(i)=\varSigma a_{ij}b_{j}(O_{t+1})\beta _{t+1}(j) \qquad 1 \le i \le n, \quad 1 \le t \le T-1 \end{aligned}$$

(35)

According to the forward–backward algorithm, there are T ways to compute the likelihood value or probability of observation sequence O, given model \(\lambda \):

$$\begin{aligned} P(O|\lambda ) = \sum _{j=1}^{n} \alpha _{t}(j)\beta _{t}(j) \qquad 1 \le t \le T. \end{aligned}$$

(36)

The propositions referenced in the main text are listed as follows:

Lemma 1

$$\begin{aligned} \frac{\partial P(O|\lambda )}{\partial a_{rs}} = \sum _{l=1}^{T-1}\big [\alpha _{l}(r)b_{s}(o_{l+1})\beta _{l+1}(s)\big ]. \end{aligned}$$

(37)

Proposition 1

$$\begin{aligned} \frac{\partial P(O|\lambda )}{\partial w_{ij}} = a_{ij}\sum _{l=1}^{T-1}\big [\alpha _{l}(i)b_{j}(o_{l+1})\beta _{l+1}(j) - \alpha _{l}(i)\beta _{l}(i) \big ]. \end{aligned}$$

(38)

Lemma 2

$$\begin{aligned} \frac{\partial P(O|\lambda )}{\partial b_{x}(y)} = \frac{1}{b_{x}(y)} \sum _{l=1}^{T}I\{o_{l}=y|\lambda \}\alpha _{l}(x)\beta _{l}(x). \end{aligned}$$

(39)

Proposition 2

$$\begin{aligned} \frac{\partial P(O|\lambda )}{\partial r_{jt}} = \sum _{l=1}^{T}\big [I\{o_{l}=t|\lambda \}\alpha _{l}(j)\beta _{l}(j) - b_{j}(t)\alpha _{l}(j)\beta _{l}(j) \big ]. \end{aligned}$$

(40)

Lemma 3

$$\begin{aligned} \frac{\partial P(O|\lambda )}{\partial \pi _{r}} = b_{r}(o_{1}\beta _{1}(r)). \end{aligned}$$

(41)

Proposition 3

$$\begin{aligned} \frac{\partial P(O|\lambda )}{\partial u_{j}} = \pi _{j}b_{j}(o_{1})\beta _{1}(j) - \pi _{j}P(O|\lambda ). \end{aligned}$$

(42)

The proof of Lemma (1) can be found in [31]. The proofs of Lemma (2) and Proposition (2) can be found in [7].