Abstract
Anomaly detection is emerging as a necessary component as wireless networks gain popularity. Anomaly detection has been addressed broadly in wired networks, and powerful methods have been developed for correct detection of a variety of known attacks and other anomalies. In this paper, we propose a real-time anomaly detection and identification scheme for wireless mesh networks (WMN) using components from previous methods developed for wired networks. Experiments over a WMN testbed show the effectiveness of the proposed scheme in isolating different types of anomalies, such as denial-of-service attacks, port scan attacks, etc. Our scheme uses Chi-square statistics and is based on ideas similar to those of the scheme presented by Lakhina et al., although it has lower computational complexity. The original method by Lakhina et al. was developed for wired networks and used Principal Component Analysis (PCA) to reduce the dimensions of the observed data and Hotelling's T² statistics to distinguish between normal and abnormal traffic conditions. However, in our studies we found that dimension reduction is the most computationally intensive process of the scheme. In this paper we propose an alternative way of reducing dimensions using flow variances in a Chi-square test. Experimental results show that the Chi-square test performs similarly well to the PCA-based method at merely a fraction of the computations. Moreover, we propose an automatic identification scheme to pinpoint the cause of the detected anomaly and its contribution in terms of additional or missing traffic. Our results and comparison with other statistical tools show that the Chi-square test and the PCA-based method with the identification scheme make powerful tools for real-time detection of various anomalies in an interference-prone wireless networking environment.
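As an added illustration (not code from the paper or its authors), the sketch below scores each time bin of per-flow traffic with a variance-normalized Chi-square statistic and then names the flow that contributed most, with the sign of its deviation. The exact form of the statistic, the Wilson-Hilferty threshold approximation, the 0.999 confidence level and all sample counts are assumptions; the abstract does not specify them.

```python
from statistics import NormalDist, mean, pvariance

# Constructed sample data: 8 training bins x 4 flows (byte counts per bin).
TRAINING = [
    [100, 50, 200, 20], [104, 52, 210, 22], [98, 48, 190, 18], [102, 51, 205, 21],
    [96, 49, 195, 19], [100, 50, 200, 20], [103, 53, 208, 23], [97, 47, 192, 17],
]

def fit_baseline(training):
    """Per-flow mean and variance only: no covariance matrix, no PCA step."""
    cols = list(zip(*training))
    mu = [mean(c) for c in cols]
    var = [max(pvariance(c), 1e-9) for c in cols]  # floor avoids divide-by-zero
    return mu, var

def chi_square_threshold(dof, confidence=0.999):
    """Wilson-Hilferty approximation of the Chi-square quantile (assumed choice)."""
    z = NormalDist().inv_cdf(confidence)
    a = 2.0 / (9.0 * dof)
    return dof * (1.0 - a + z * a ** 0.5) ** 3

def detect(bin_counts, mu, var, confidence=0.999):
    """Return None for a normal bin, else the flow that dominates the statistic."""
    terms = [(x - m) ** 2 / v for x, m, v in zip(bin_counts, mu, var)]
    stat, limit = sum(terms), chi_square_threshold(len(mu), confidence)
    if stat <= limit:
        return None
    worst = max(range(len(terms)), key=terms.__getitem__)
    delta = bin_counts[worst] - mu[worst]
    return {
        "flow": worst,
        "statistic": stat,
        "threshold": limit,
        "delta": delta,  # signed: additional traffic (>0) or lack of traffic (<0)
        "kind": "excess" if delta > 0 else "deficit",
    }

if __name__ == "__main__":
    mu, var = fit_baseline(TRAINING)
    # Constructed test bins: normal, surge on flow 1, traffic loss on flow 2.
    for sample in ([101, 49, 203, 21], [99, 95, 204, 20], [100, 51, 120, 19]):
        print(sample, detect(sample, mu, var))
```

Because only per-flow variances are kept, scoring a bin is linear in the number of flows, which is the cost contrast with a PCA-based reduction that the abstract draws.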
References
Caberera, J. B. D., Ravichandran, B., & Mehra, R. K. (2000). Statistical traffic modeling for network intrusion detection. In Proceedings of the IEEE MASCOTS, 2000 (pp. 466–473).
Chen, T., Kuo, G.-S., Li, Z.-P., & Zhu, G.-M. (2007). Intrusion detection in wireless mesh networks. In Security in wireless mesh networks. Boca Raton: CRC Press.
Dickinson, P., Bunke, H., Dadej, A., & Kraetzl, M. (2002). Median graphs and anomalous change detection in communication networks. In Proceedings of the IEEE information, decision and control, 2002 (pp. 59–64).
Feather, F., Siewiorek, D., & Maxion, R. (1993). Fault detection in an ethernet network using anomaly signature matching. In Proceedings of the ACM SIGCOMM 1993 (pp. 279–288).
Frenk, H., Roos, K., Terlaky, T., & Zhang, S. (1999). High performance optimization. New York: Springer.
Fukunaga, K. (1972). Introduction to statistical pattern recognition. New York: Academic Press.
Gupta, D., Chuah, C.-N., & Mohapatra, P. (2008). Efficient monitoring in wireless mesh networks: Overheads and accuracy trade-offs. In Proceedings of the IEEE MASS 2008 (pp. 13–23).
Hakami, S., Zaidi, Z. R., Landfeldt, B., & Moors, T. (2008). Detection and identification of anomalies in wireless mesh networks using Principal Component Analysis (PCA). In Proceedings of the IEEE I-SPAN 2008 (pp. 266–271).
Hohn, N. (2004). Measuring understanding and modelling internet traffic. Ph.D. thesis in Electrical and Electronic Engineering, The University of Melbourne.
Huang, P., Feldmann, A., & Willinger, W. (2001). A non-intrusive, wavelet-based approach to detecting network performance problems. In Proceedings of internet measurement workshop, 2001 (pp. 213–227).
Iftikhar, M., Landfeldt, B., & Caglar, M. (2006). Multiclass G/M/1 Queueing system with self-similar input and non-preemptive priority. In Proceedings of the IEEE ICI-06.
Ishmael, J., Bury, S., Pezaros, D., & Race, N. (2008). Deploying rural community wireless mesh networks. IEEE Internet Computing, 12(4), 22–29.
Jackson, J. E. (1991). A user’s guide to principal components. New York, NY: Wiley.
Karamcheti, V., Geiger, D., Kedem, Z., & Muthukrishnan, S. (2005). Detecting malicious network traffic using inverse distributions of packet contents. In Proceedings of the ACM SIGCOMM workshop MineNet 2005 (pp. 165–170).
Lakhina, A., Crovella, M., & Diot, C. (2004). Characterization of network-wide anomalies in traffic flows—Technical report BUCS-2004-020, Boston University.
Lakhina, A., Crovella, M., & Diot, C. (2004). Diagnosing network-wide traffic anomalies. In ACM SIGCOMM 2004 (pp. 219–230).
Lakhina, A., Papagiannaki, K., Crovella, M., Diot, C., Kolaczyk, E., & Taft, N. (2004). Structural analysis of network traffic flows. In Proceedings of the ACM SIGMETRICS 2004 (pp. 61–72).
Lan, K., Wang, Z., Berriman, R., Moors, T., Hassan, M., Libman, L., et al. (2007). Implementation of a wireless mesh network testbed for traffic control. In Proceedings of the IEEE WiMAN 2007 (pp. 1022–1027).
Li, N., Chen, G., & Zhao, M. (2008). Autonomic fault management for wireless mesh networks—UMass Lowell technical report 2008–04.
Marti, S., Giuli, T. J., Lai, K., & Baker, M. (2000). Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of MOBICOM ’00 (pp. 255–265).
MIT Roofnet. URL- http://www.pdos.csail.mit.edu/roofnet/doku.ph.
Qiu, L., Bahl, P., Rao, A., & Zhou, L. (2006). Troubleshooting wireless mesh networks. SIGCOMM Computer Communication Review, 36(5), 17–28.
Ridoux, J., Nucci, A., & Veitch, D. (2006). Seeing the difference in IP traffic: Wireless versus wireline. In Proceedings of IEEE INFOCOM ’06 (pp. 1–12).
Salem, N. B., & Hubaux, J.-P. (2006). Securing wireless mesh networks. IEEE Wireless Communications, 13(2), 50–55.
Sarafijanovic, S., & Boudec, J. Y. L. (2005). An artificial immune system approach with secondary response for misbehavior detection in mobile ad hoc networks. IEEE Trans. on Neural Networks, 16(5), 1076–1087.
Siddiqui, M. S., & Hong, C. S. (2007). Security issues in wireless mesh networks. In Proceedings of IEEE international conference on multimedia and ubiquitous engineering (MUE) 2007 (pp. 717–722).
Ye, N., & Chen, Q. (2001). An anomaly detection technique based on a chi-square statistic for detecting intrusions into information systems. Wiley Quality and Reliability Engineering International, 17, 105–112.
Zaidi, Z. R., Landfeldt, B., & Zomaya, A. (2007). Fault management in wireless mesh networks. In Handbook on ad hoc and mobile computing. Valencia, CA, USA: American Scientific Publishers.
Acknowledgments
The authors want to acknowledge the help of Mr. Rodney Berriman and Dr. Mohsin Iftikhar in setting up experiments.
Cite this article
Zaidi, Z.R., Hakami, S., Landfeldt, B. et al. Real-time detection of traffic anomalies in wireless mesh networks. Wireless Netw 16, 1675–1689 (2010). https://doi.org/10.1007/s11276-009-0221-y
DOI: https://doi.org/10.1007/s11276-009-0221-y