Anomaly detection in wireless sensor networks: A survey
Introduction
A wireless sensor network (WSN) consists of a large number of spatially distributed autonomous sensors that jointly monitor physical or environmental conditions, such as temperature, sound, vibration, pressure, motion and pollutants (Yick et al., 2008). To date, WSNs have been successfully applied in many industrial and civil domains, including industrial process monitoring and control, machine health monitoring, environment and habitat monitoring, healthcare applications, home automation, and traffic control. A typical WSN has little or no infrastructure. If a WSN is deployed in an ad hoc manner, it is categorized as unstructured; a network deployed in a pre-planned manner is categorized as structured. Each sensor node may optionally be equipped with a variety of network services, such as localization, coverage, synchronization, data compression and aggregation, and security, in order to enhance the network's overall performance. Sensor nodes communicate with each other by following the typical five-layer communication protocol stack, which consists of the physical layer, data link layer, network layer, transport layer, and application layer.
The properties of a WSN inevitably mean that a sensor node is severely constrained in resources, including energy, memory, computation, bandwidth, and communication. Hence, a WSN is vulnerable to both external and internal security threats. In addition, sensor nodes are physically accessible, because the network is usually deployed close to the physical source of the monitored event, yet they lack tamper resistance owing to cost constraints. Worse still, because publicly accessible communication channels are used, the information exchange can be captured by any internal or external device. In consequence, a WSN is often exposed to multiple security threats, which can be categorized as follows (Lopez and Zhou, 2008):
- communication attack;
- denial of service attack;
- node compromise;
- impersonation attack;
- protocol-specific attack.
Securing a WSN is therefore both imperative and challenging. Prevention-based techniques, which fundamentally build upon cryptography, are the first line of defense for protecting a WSN. Built on a secret key management primitive, encryption and authentication are the primary measures of a prevention-based technique, as introduced in the security framework SPINS (Perrig et al., 2001). However, if the first line of defense is broken through, compromised nodes can extract security-sensitive information (e.g. secret keys), leading to breaches of security. Thus, developing detection-based techniques as a second line of defense is of great importance. Intrusion detection is a typical example of a detection-based technique. The concept was originally proposed by Anderson (1980) two decades ago in the report “Computer Security Threat Monitoring and Surveillance”. Intrusion detection is defined as the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices (Scarfone and Mell, 2007). Anomaly detection (Hu, 2010; also referred to as outlier detection, deviation detection, etc.), a branch of intrusion detection, is best suited to WSNs because its methodology is generally flexible and resource-friendly. Anomaly detection is defined as the process of comparing definitions of activity that is considered normal against observed events in order to identify significant deviations. Correspondingly, an anomaly in a dataset is defined as an observation that appears to be inconsistent with the remainder of the dataset (Hodge and Austin, 2004).
An anomaly may be caused not only by security threats but also by faulty sensor nodes in the network or unusual phenomena in the monitored zone (Rajasegarar et al., 2008). In the real world, isolated node failures can bring down the entire network, which harms the reliability of a WSN. This survey paper focuses solely on anomaly detection techniques in WSNs, irrespective of the cause of the anomaly. An overview of the content of this survey paper is given in Fig. 1.
Research on anomaly detection in WSNs has attracted much interest in recent years. From the ISSNIP (Intelligent Sensors, Sensor Networks and Information Processing, The University of Melbourne, Australia) group, Rajasegarar et al. (2008) surveyed the related work before 2007 using a simpler criterion: statistical parameter estimation techniques versus non-parametric techniques. Nevertheless, a technology-oriented survey presenting the latest progress in anomaly detection for WSNs is still absent.
Moreover, our paper is intended to act as a guideline for selecting appropriate anomaly detection techniques. By analyzing and comparing the particular approaches that belong to a similar technique category, the advantages and shortcomings of each technique category can be identified. Accordingly, the paper further extracts the key design principles for overcoming possible flaws.
The anomaly detection pattern, which essentially determines who is mainly responsible for the data processing of detection, significantly affects the performance of a detection scheme. The choice of detection pattern depends on the application scenario. A clear understanding of the available anomaly detection patterns can facilitate the development of detection schemes. Consequently, these anomaly detection patterns are surveyed separately in this paper.
In our survey paper, all detection schemes are divided into two types of detection method: prior-knowledge based or prior-knowledge free. Prior-knowledge-based detection schemes are better suited to applications that favor detection speed; prior-knowledge-free schemes, on the contrary, provide applications with stronger detection generality. This awareness helps in optimally selecting anomaly detection techniques. Attribute selection is traditionally a critical issue in a detection system, as using fewer attributes conserves resources. Our paper emphasizes the importance of this issue for developing anomaly detectors in WSNs, although a detailed discussion is not given owing to space constraints.
Finally, the development trends in this area are examined, and a number of potential research areas for the near future are proposed.
Besides anomaly detection, the category of intrusion detection also includes misuse/signature detection and stateful protocol analysis (Scarfone and Mell, 2007). Misuse/signature detection is defined as the process of comparing signatures against observed events to identify possible incidents, where each signature is a pattern corresponding to a known threat. Stateful protocol analysis is defined as the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. Misuse/signature detection and stateful protocol analysis require complex expression computation and/or sizeable memory, which WSNs usually cannot afford. Moreover, they are unable to defend against unknown security threats. Consequently, anomaly detection is currently the dominant technology for enhancing the security and reliability of WSNs.
Although WSNs are derived from wireless ad hoc networks, most detection schemes that function well in ad hoc networks are not suitable for WSNs, probably because (Akyildiz et al., 2002):
- the number of sensor nodes in a WSN can be several orders of magnitude higher than that of an ad hoc network;
- sensor nodes are densely deployed;
- a sensor node is less stable;
- the topology of a WSN varies frequently;
- sensor nodes mainly use a broadcast communication paradigm, whereas ad hoc networks are mainly based on point-to-point communication;
- each sensor node is highly constrained in energy, computation capability, memory, etc.;
- sensor nodes may have no global identification because of the large amount of overhead it would require.
Accordingly, the advanced anomaly detection schemes developed for ad hoc networks (Qian et al., 2007, Tarique et al., 2009, Wu et al., 2007), like those developed for wired networks, cannot be applied directly to WSNs.
In this survey paper, recently proposed detection schemes for WSNs are introduced. Because the architecture of a WSN is strongly related to many aspects of designing a suitable scheme, these detection schemes are classified as hierarchical or flat (homogeneous) according to their architectures. In a hierarchical WSN, all sensor nodes are grouped or clustered, and a single node in each group is elected as the cluster head (possibly equipped with stronger capacity) to conduct the organizational functions within its group or cluster. In contrast, all sensor nodes in a flat WSN contribute equally to any collective function and participate in the internal protocols (e.g. routing protocols). For each architecture, a number of typical examples are given according to the technique category they belong to.
As for the technique categories, statistical techniques, data mining, and computational intelligence are the most widely employed. Statistical techniques comprise statistical distribution (Palpanas et al., 2003, Subramaniam et al., 2006, Liu et al., 2007, Dallas et al., 2007, Li et al., 2008a, Tiwari et al., 2009), statistical measures (e.g. mean, variance, self-defined measures, etc.) (Zhang et al., 2008, Pires et al., 2004; Onat and Miri, 2005a, Onat and Miri, 2005b; Li et al., 2008b), and statistical models (e.g. auto-regression) (Curiac et al., 2007). Computational intelligence is closely linked to machine learning and more remotely linked to data mining. Conceptually, machine learning is more concerned with the design and development of algorithms that enable computers to learn from large-scale datasets, whereas data mining principally focuses on discovering patterns, associations, changes, anomalies, and statistically significant structures and events in datasets. Under the technique category of data mining and computational intelligence, several examples are introduced, including clustering algorithms (Rajasegarar et al., 2006, Masud et al., 2009, Wang et al., 2009), the support vector machine (SVM) (Rajasegarar et al., 2007), the artificial neural network (ANN) (Wang et al., 2009), the self-organizing map (SOM) (Wang et al., 2009), the genetic algorithm (GA) (Rahul et al., 2009), and association rule learning (Yu and Tsai, 2008). Game theory is dedicated to building smart strategies for identifying vulnerable areas in a WSN (Agah et al., 2004a, Agah et al., 2004b). There is only one case that concentrates on linking detection and prevention together to protect a hierarchical WSN from both internal and external attacks (Su et al., 2005). Graph-based techniques specialize in modeling the network flow as a graph (Ngai et al., 2006, Ngai et al., 2007), which allows a few graph algorithms (such as tree construction, depth-first search, etc.) to be applied to detect anomalies.
Finally, rule-based techniques, which often build upon prior-knowledge such as assumption and experience, are preferred in flat WSNs (Silva et al., 2005, Yu and Xiao, 2006, Ioannis et al., 2007, Ho et al., 2009). Table 1 shows this taxonomy in brief.
The key challenge in evolving anomaly detection for WSNs is to identify anomalies with high accuracy but minimal energy cost, so as to prolong the lifetime of the entire network. This target can be attained along several paths. Above all, much more attention should be paid to lightweight detection techniques, which are characterized by compactness and efficiency. Second, restructuring detection schemes in a distributed manner spreads the energy overhead across the entire network and markedly reduces the communication overhead, so that the lifetime of the network is extended. A suitable detection pattern can also conserve energy without sacrificing security or reliability. In addition, smart strategies such as shrinking the attribute set, compressing the input dataset, and simplifying the analysis and decision procedure can make considerable progress toward conserving energy.
The rest of this paper is organized as follows. The second section discusses in detail the key design principles for anomaly detection in WSNs. The following two sections introduce representative detection schemes for hierarchical and flat topologies respectively. The fifth section presents the analysis and comparison of schemes that belong to a similar technique category. Finally, the survey is summarized with a presentation of potential research areas for the near future.
Section snippets
Key design principles
The key design principles of anomaly detection in WSNs must be considered along several aspects:
- target;
- typical security threats;
- detection pattern;
- detection method;
- attribute selection.
Anomaly detection based on hierarchical WSNs
In hierarchical WSNs, statistical techniques, data mining and computational intelligence, game theory, and hybrid detection have been employed to realize detection schemes. The input is collected at each common sensor node, possibly followed by a preprocessing procedure or by a part of the computation tasks belonging to the data processing procedure. The original/preprocessed inputs or local normal profiles are then sent to the cluster head or base station, where the global normal profile is
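The hierarchical flow sketched in this section (local preprocessing at common nodes, a global normal profile assembled at the cluster head, observed events compared against that profile) is illustrated below with the statistical-measure approach named in the Introduction (mean and variance). This is an added example, not code from the survey or from any scheme it cites; node ids, readings, the z-score threshold and the merge routine are constructed assumptions.

```python
"""Distributed statistical anomaly detection for a hierarchical WSN.

Added illustration; this is not code from the survey or from any of the
schemes it cites. Each common node reduces its own readings to a compact
summary (count, mean, sum of squared deviations) and sends only that to the
cluster head. The cluster head merges the summaries into a global normal
profile and then compares newly observed readings against it, flagging
readings whose z-score exceeds a threshold. Node ids, readings and the
threshold are constructed sample values.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalSummary:
    node_id: str
    n: int        # number of readings in the training window
    mean: float   # local mean
    m2: float     # sum of squared deviations from the local mean


@dataclass(frozen=True)
class Profile:
    n: int
    mean: float
    std: float    # population standard deviation of the merged readings


def local_summary(node_id, readings):
    """Preprocessing done at a common node: three numbers instead of
    the raw readings, which is what keeps the uplink traffic small."""
    n = len(readings)
    mean = sum(readings) / n
    m2 = sum((x - mean) ** 2 for x in readings)
    return LocalSummary(node_id, n, mean, m2)


def global_profile(summaries):
    """Cluster-head side: merge local summaries with Chan's parallel
    variance update, which is exact and does not need the raw data."""
    n, mean, m2 = 0, 0.0, 0.0
    for s in summaries:
        total = n + s.n
        delta = s.mean - mean
        mean += delta * s.n / total
        m2 += s.m2 + delta * delta * n * s.n / total
        n = total
    return Profile(n, mean, math.sqrt(m2 / n))


def flag_anomalies(profile, observed, threshold=3.0):
    """Compare observed readings against the normal profile.
    Returns (node_id, reading) pairs whose |z| exceeds the threshold.
    A profile with zero spread treats any different reading as anomalous."""
    flagged = []
    for node_id, readings in observed.items():
        for x in readings:
            if profile.std > 0:
                z = abs(x - profile.mean) / profile.std
            else:
                z = 0.0 if x == profile.mean else math.inf
            if z > threshold:
                flagged.append((node_id, x))
    return flagged


# Constructed sample data: temperature readings in degrees Celsius.
TRAINING = {  # a window assumed to be free of anomalies
    "A": [20.1, 19.8, 20.3, 20.0],
    "B": [19.9, 20.2, 20.1, 20.0],
    "C": [20.0, 19.7, 20.4, 20.2],
}
OBSERVED = {  # the next round of readings; node C's 20.9 is the injected outlier
    "A": [20.2],
    "B": [19.95],
    "C": [20.9],
}


def run_demo():
    profile = global_profile(local_summary(nid, r) for nid, r in TRAINING.items())
    return profile, flag_anomalies(profile, OBSERVED)


if __name__ == "__main__":
    prof, alerts = run_demo()
    print(f"global profile: mean={prof.mean:.3f} std={prof.std:.3f}")
    print("anomalies:", alerts)
```

The profile is built from a training window and only then applied to new readings; building it from the same window that contains the outlier would let the outlier inflate the variance and mask itself, which is one reason the survey stresses that the normal profile is a definition of normal activity rather than a summary of whatever was last observed.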
Anomaly detection based on flat WSNs
In flat WSNs, rule-based techniques and statistical techniques are used more often. Without a hierarchical architecture, all nodes are equally capable of functioning and participating in the internal protocols. Consequently, detection schemes that are lightweight and require less communication are preferable. In this section, we survey some representative works for each technique category mentioned above.
A rule-based model is commonly developed in accordance with
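The lightweight, communication-free property that makes rule-based schemes attractive in flat WSNs is shown below: a node checks overheard neighbour traffic against a small fixed rule set using only local state. This is an added example, not code from the survey or from the rule-based schemes it cites; the log format, the two rules (rate and repetition) and their thresholds are constructed assumptions.

```python
"""Rule-based anomaly detection at a node of a flat WSN.

Added illustration; it is not code from the survey or from the rule-based
schemes it cites, and the rules, thresholds and log format are constructed
assumptions. Every node in a flat WSN can run the same watchdog: it keeps a
little state per neighbour and raises an alert as soon as a rule is broken,
without any communication with other nodes. Two rules are checked here:
a rate rule (more than MAX_MSGS messages from one neighbour inside a
sliding window of WINDOW seconds) and a repetition rule (a message with a
sequence number and payload already seen from that neighbour).
"""
from collections import defaultdict, deque

MAX_MSGS = 4     # constructed threshold: messages allowed per window
WINDOW = 1.0     # constructed window length in seconds

# Constructed sample of overheard traffic: time, sender, sequence number, payload.
LOG = """\
t=0.0 src=n1 seq=1 payload=20.1
t=1.0 src=n2 seq=1 payload=19.9
t=2.0 src=n1 seq=2 payload=20.0
t=2.1 src=n3 seq=7 payload=20.3
t=2.2 src=n3 seq=7 payload=20.3
t=2.3 src=n3 seq=7 payload=20.3
t=2.4 src=n3 seq=8 payload=20.3
t=2.5 src=n3 seq=9 payload=20.3
t=3.0 src=n2 seq=2 payload=20.0
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; time becomes a float, the rest stay strings."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["t"] = float(fields["t"])
    return fields


def evaluate(log_text, max_msgs=MAX_MSGS, window=WINDOW):
    """Apply the rules to every message in order.
    Returns a list of (rule, neighbour, time) alerts in order of occurrence."""
    recent = defaultdict(deque)   # neighbour -> timestamps inside the window
    seen = set()                  # (neighbour, seq, payload) already observed
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg = parse_line(line)
        src, t = msg["src"], msg["t"]

        # Repetition rule: the same sequence number and payload again.
        key = (src, msg["seq"], msg["payload"])
        if key in seen:
            alerts.append(("repetition", src, t))
        seen.add(key)

        # Rate rule: sliding-window count per neighbour.
        q = recent[src]
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        if len(q) > max_msgs:
            alerts.append(("rate", src, t))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(LOG):
        print(alert)
```

On the constructed log, neighbour n3 trips the repetition rule twice and the rate rule once, while n1 and n2 stay silent. The rules encode prior knowledge (expected reporting rate, sequence numbers never repeating), which is exactly the speed-versus-generality trade-off the Introduction attributes to prior-knowledge-based schemes; note also that the `seen` set grows without bound, so a memory-constrained node would have to age its entries.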
Analysis and comparison
The advantages and disadvantages of each detection scheme have been mentioned individually above. Analysis and comparison between these schemes is meaningful both horizontally and vertically. Accordingly, a number of representative cases are selected from the three most popular technique categories: rule-based techniques, data mining and computational intelligence, and statistical techniques. Although an evaluation standard for the performance of a detection scheme has been suggested in Section 2.1, this might
Potential research areas and conclusion
Anomaly detection has received much attention in recent years, as a result of its notable contribution to securing WSNs. Increasingly complex application scenarios and more dangerous adversaries, however, force us to keep this research moving forward. Based on the papers surveyed above, a number of potential research areas are suggested as follows.
References (52)
- Feature deduction and ensemble design of intrusion detection systems. Computers & Security (2005).
- Distributed detection of replica node attacks with group deployment knowledge in wireless sensor networks. Ad Hoc Networks (2009).
- Group-based intrusion detection system in wireless sensor networks. Computer Communications (2008).
- An efficient intruder detection algorithm against sinkhole attacks in wireless sensor networks. Computer Communications (2007).
- Detection of wormhole attacks in multi-path routed wireless ad hoc networks: a statistical analysis approach. Journal of Network and Computer Applications (2007).
- Survey of multipath routing protocols for mobile ad hoc networks. Journal of Network and Computer Applications (2009).
- Secure and efficient key management in mobile ad hoc networks. Journal of Network and Computer Applications (2007).
- Wireless sensor network survey. Computer Networks (2008).
- Agah A, et al. A non-cooperative game approach for intrusion detection in sensor networks. Presented at the IEEE 60th...
- Agah A, et al. Intrusion detection in sensor networks: a non-cooperative game approach. Presented at the 3rd IEEE...
- Computer security threat monitoring and surveillance.
- Ensemble methods for anomaly detection and distributed intrusion detection in mobile ad-hoc networks. Information Fusion.
- Anomaly detection: a survey. ACM Computing Surveys.
- An intrusion-detection model. IEEE Transactions on Software Engineering.
- From intrusion detection to self-protection. Computer Networks.
- A survey of outlier detection methodologies. Artificial Intelligence Review.
- Host-based anomaly IDS.
- New approaches to fuzzy-rough feature selection. IEEE Transactions on Fuzzy Systems.