Anomaly detection in wireless sensor networks: A survey

https://doi.org/10.1016/j.jnca.2011.03.004

Abstract

Since security threats to WSNs are increasingly diversified and deliberate, prevention-based techniques alone can no longer provide WSNs with adequate security. Detection-based techniques, however, can be effective when used in collaboration with prevention-based techniques to secure WSNs. As a significant branch of detection-based techniques, research on anomaly detection in wired networks and wireless ad hoc networks is already quite mature, but such solutions can rarely be applied to WSNs without change, because WSNs are characterized by constrained resources, such as limited energy, weak computation capability, poor memory, and short communication range. The development of anomaly detection techniques suited to WSNs is therefore regarded as an essential research area, one that will make WSNs much more secure and reliable. In this survey paper, a few of the key design principles relating to the development of anomaly detection techniques in WSNs are discussed in particular. Then, the state-of-the-art techniques of anomaly detection in WSNs are systematically introduced, according to WSN architecture (hierarchical/flat) and detection technique category (statistical techniques, rule based, data mining, computational intelligence, game theory, graph based, hybrid, etc.). The analyses and comparisons of approaches that belong to a similar technique category are presented in technical detail, followed by a brief discussion of potential research areas in the near future and a conclusion.

Introduction

A wireless sensor network (WSN) is made up of a large number of spatially distributed autonomous sensors that jointly monitor physical or environmental conditions, such as temperature, sound, vibration, pressure, motion and pollutants (Yick et al., 2008). To date, WSNs have been successfully applied in many industrial and civil domains, including industrial process monitoring and control, machine health monitoring, environment and habitat monitoring, healthcare applications, home automation, and traffic control. A typical WSN has little or no infrastructure. A WSN deployed in an ad hoc manner is categorized as unstructured; in contrast, a network deployed in a pre-planned manner is categorized as structured. Each sensor node may optionally be built with a variety of network services such as localization, coverage, synchronization, data compression and aggregation, and security, for the purpose of enhancing the network's overall performance. Sensor nodes communicate with each other following the typical five-layer communication protocol stack, which consists of the physical layer, data link layer, network layer, transport layer, and application layer.

The nature of a WSN means that each sensor node is severely restricted in resources, including energy, memory, computing, bandwidth, and communication. Hence, a WSN is vulnerable to both external and internal security threats. In addition, sensor nodes are physically accessible, since the network is usually deployed near the physical source of the event, yet they lack tamper resistance owing to cost constraints. What is worse, the information exchanged can be captured by any internal or external device, because the communication channels are publicly accessible. In consequence, a WSN is often exposed to multiple security threats, which can be categorized as follows (Lopez and Zhou, 2008):

  • communication attack;

  • denial of service attack;

  • node compromise;

  • impersonation attack;

  • protocol-specific attack.

Han et al. (2005) also propose a good taxonomy that surveys the security threats according to more detailed criteria.

Securing WSNs is accordingly both imperative and challenging. Prevention-based techniques that fundamentally build upon cryptography are the first line of defense for protecting a WSN. Based on a secret key management primitive, encryption and authentication are the primary measures in a prevention-based technique, as in the security framework SPINS (Perrig et al., 2001). However, once the first line of defense is breached, compromised nodes could extract security-sensitive information (e.g. secret keys), leading to breaches of security. Thus, developing detection-based techniques as the second line of defense is of great importance. Intrusion detection is a typical example of a detection-based technique. The concept was originally proposed by Anderson (1980) two decades ago in the report “Computer Security Threat Monitoring and Surveillance”. Intrusion detection is defined as the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer policies, acceptable use policies, or standard practices (Scarfone and Mell, 2007). Anomaly detection (Hu, 2010; also referred to as outlier detection, deviation detection, etc.), a branch of intrusion detection, is best suited to WSNs because its methodology is in general flexible and resource-friendly. Anomaly detection is defined as the process of comparing definitions of activity that is considered normal against observed events in order to identify significant deviations. Moreover, an anomaly in a dataset is defined as an observation that appears to be inconsistent with the remainder of the dataset (Hodge and Austin, 2004).

Anomalies may be caused not only by security threats but also by faulty sensor nodes in the network or unusual phenomena in the monitored zone (Rajasegarar et al., 2008). In the real world, isolated node failures can bring down the entire network, which harms the reliability of a WSN. This survey paper focuses solely on anomaly detection techniques in WSNs, irrespective of the cause of the anomaly. An overview of the content of this survey paper is given in Fig. 1.

Research relating to anomaly detection in WSNs has attracted much interest in recent years. From the ISSNIP (Intelligent Sensors, Sensor Networks and Information Processing, The University of Melbourne, Australia) group, Rajasegarar et al. (2008) surveyed the related work before 2007 using a simpler criterion: statistical parameter estimation techniques versus non-parametric techniques. Nevertheless, a technique-oriented survey presenting the latest progress in anomaly detection for WSNs is still lacking.

Moreover, this paper is intended to serve as a guideline for selecting appropriate anomaly detection techniques. By analyzing and comparing the particular approaches that belong to a similar technique category, the advantages and shortcomings of each technique category can be identified. Accordingly, the key design principles for overcoming possible flaws are then extracted.

The anomaly detection pattern significantly affects the performance of a detection scheme; it essentially determines which node is mainly responsible for the data processing involved in detection. The choice of detection pattern depends on the application scenario. A clear understanding of the available anomaly detection patterns can facilitate the development of detection schemes. Consequently, these anomaly detection patterns are surveyed separately in this paper.

In this survey paper, all detection schemes are divided into two types of detection method: prior-knowledge based and prior-knowledge free. Prior-knowledge-based detection schemes are better suited to applications that prioritize detection speed; prior-knowledge-free schemes, on the contrary, provide applications with stronger detection generality. This distinction helps in selecting anomaly detection techniques optimally. Attribute selection is traditionally a critical issue in a detection system, since using fewer attributes conserves resources. This paper emphasizes the importance of this issue for developing anomaly detectors in WSNs, although a detailed discussion is not given owing to space constraints.

Finally, development trends in this area are examined, and a number of potential research areas for the near future are proposed.

Besides anomaly detection, the category of intrusion detection also includes misuse/signature detection and stateful protocol analysis (Scarfone and Mell, 2007). Misuse/signature detection is defined as the process of comparing signatures against observed events to identify possible incidents, where each signature is a pattern corresponding to a known threat. Stateful protocol analysis is defined as the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify outliers. Misuse/signature detection and stateful protocol analysis require complex expression computation and/or sizeable memory, which WSNs usually cannot afford. Moreover, they are unable to defend against unknown security threats. Consequently, anomaly detection is currently the dominant technology for enhancing the security and reliability of WSNs.

Though WSNs are derived from wireless ad hoc networks, most detection schemes that function well in ad hoc networks are not suitable for WSNs, probably because (Akyildiz et al., 2002):

  • the number of sensor nodes in a WSN can be several orders of magnitude higher than that of an ad hoc network;

  • sensor nodes are densely deployed;

  • a sensor node is less stable;

  • the topology of WSNs varies frequently;

  • sensor nodes mainly use a broadcast communication paradigm, whereas ad hoc networks are mainly based on point-to-point communication;

  • each sensor node is highly constrained in energy, computation capability, memory, etc.;

  • sensor nodes may have no global identifications as a result of the large amount of overhead.

Accordingly, the advanced anomaly detection schemes for ad hoc networks (Qian et al., 2007, Tarique et al., 2009, Wu et al., 2007) cannot be applied to WSNs, nor can those developed for wired networks.

In this survey paper, recently proposed detection schemes for WSNs are introduced. Because the architecture of a WSN strongly affects many aspects of designing a suitable scheme, these detection schemes are classified as hierarchical or flat (homogeneous) according to their architectures. In a hierarchical WSN, all sensor nodes are grouped or clustered, and a single node in each group is elected as the cluster head (possibly equipped with greater capacity) to conduct the organizational functions within its group or cluster. In contrast, in a flat WSN all sensor nodes contribute equally to collective functions and participate in internal protocols (e.g. routing protocols). For each architecture, a number of typical examples are given in terms of the technique category to which they belong.

As for technique categories, statistical techniques, data mining, and computational intelligence are employed most widely. Statistical techniques consist of statistical distribution (Palpanas et al., 2003, Subramaniam et al., 2006, Liu et al., 2007, Dallas et al., 2007, Li et al., 2008a, Tiwari et al., 2009), statistical measures (e.g. mean, variance, self-defined measures, etc.) (Zhang et al., 2008, Pires et al., 2004; Onat and Miri, 2005a, Onat and Miri, 2005b; Li et al., 2008b), and statistical models (e.g. autoregression) (Curiac et al., 2007). Computational intelligence is closely linked to machine learning and more remotely linked to data mining. Conceptually, machine learning is more concerned with the design and development of algorithms that enable computers to learn from large-scale datasets. Data mining, however, principally focuses on discovering patterns, associations, changes, anomalies, and statistically significant structures and events in datasets. Under the technique category of data mining and computational intelligence, a number of examples are introduced, including clustering algorithms (Rajasegarar et al., 2006, Masud et al., 2009, Wang et al., 2009), support vector machine (SVM) (Rajasegarar et al., 2007), artificial neural network (ANN) (Wang et al., 2009), self-organizing map (SOM) (Wang et al., 2009), genetic algorithm (GA) (Rahul et al., 2009), and association rule learning (Yu and Tsai, 2008). Game theory is used to build smart strategies for identifying vulnerable areas in a WSN (Agah et al., 2004a, Agah et al., 2004b). Only one case concentrates on linking detection and prevention together to protect a hierarchical WSN from both internal and external attacks (Su et al., 2005). Graph-based techniques specialize in modeling the network flow as a graph (Ngai et al., 2006, Ngai et al., 2007), which allows graph algorithms (such as tree construction and depth-first search) to be applied to detect anomalies. Finally, rule-based techniques, which often build upon prior knowledge such as assumptions and experience, are preferred in flat WSNs (Silva et al., 2005, Yu and Xiao, 2006, Ioannis et al., 2007, Ho et al., 2009). Table 1 shows this taxonomy in brief.

The key challenge in evolving anomaly detection for WSNs is to identify anomalies with high accuracy but minimal energy cost, so as to prolong the lifetime of the entire network. This goal can be pursued along several paths. Above all, much more attention should be paid to lightweight detection techniques, which are characterized by compactness and efficiency. Second, restructuring detection schemes in a distributed manner spreads the energy overhead across the entire network and markedly reduces the communication overhead, so that the lifetime of the network is extended. A suitable detection pattern can also reduce the energy cost without sacrificing security and reliability. In addition, smart strategies such as shrinking the attribute set, compressing the input dataset, and simplifying the analysis and decision procedure can make substantial progress toward conserving energy.
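The following is an added example (not code from the surveyed paper or from any scheme it cites) of the lightweight, distributed statistical approach the paragraph above motivates, combined with the hierarchical pattern the paper describes in which local normal profiles are sent to a cluster head that builds a global normal profile. Each node keeps only a constant-size summary (count, running mean, running M2) of its own readings and transmits that summary instead of its raw data; the cluster head merges the summaries exactly and flags readings that lie more than K standard deviations from the global mean. The node names, readings, and threshold K are constructed for illustration.

```python
"""Lightweight, distributed statistical anomaly detection for a hierarchical WSN.

Added example, not code from the surveyed paper. Each sensor node keeps a
constant-size local profile (count, running mean, running M2) of its own
readings and sends only that profile to its cluster head; the cluster head
merges the local profiles into a global normal profile and flags readings
that lie more than K standard deviations from the global mean. All readings
below are constructed sample data.
"""
from dataclasses import dataclass
import math


@dataclass
class Profile:
    """Running mean/variance accumulator (Welford's algorithm)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0  # sum of squared deviations from the running mean

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def merge(self, other: "Profile") -> "Profile":
        """Combine two profiles exactly, without access to the raw readings."""
        n = self.n + other.n
        if n == 0:
            return Profile()
        delta = other.mean - self.mean
        mean = self.mean + delta * other.n / n
        m2 = self.m2 + other.m2 + delta * delta * self.n * other.n / n
        return Profile(n, mean, m2)

    @property
    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


def build_local_profile(readings):
    """Run on each common sensor node: O(1) memory regardless of reading count."""
    p = Profile()
    for x in readings:
        p.update(x)
    return p


def build_global_profile(local_profiles):
    """Run on the cluster head: merge the received local profiles."""
    g = Profile()
    for p in local_profiles:
        g = g.merge(p)
    return g


def flag_anomalies(node_id, readings, profile, k=3.0):
    """Return (node, index, value) for readings beyond k standard deviations."""
    return [(node_id, i, x) for i, x in enumerate(readings)
            if abs(x - profile.mean) > k * profile.std]


# Constructed sample data: temperature readings from three nodes in one
# cluster; node C reports one reading far outside the cluster's normal range.
NODE_READINGS = {
    "A": [20.0, 20.2, 19.8, 20.1, 19.9],
    "B": [20.3, 20.1, 19.7, 20.0, 19.9],
    "C": [20.0, 19.8, 20.2, 45.0, 20.1],
}


def run_detection(node_readings=NODE_READINGS, k=3.0):
    """Hierarchical detection: local profiles -> global profile -> per-node check."""
    local = {nid: build_local_profile(r) for nid, r in node_readings.items()}
    global_profile = build_global_profile(local.values())
    flagged = []
    for nid, r in node_readings.items():
        flagged.extend(flag_anomalies(nid, r, global_profile, k))
    return global_profile, flagged


if __name__ == "__main__":
    gp, alerts = run_detection()
    print(f"global profile: n={gp.n} mean={gp.mean:.2f} std={gp.std:.2f}")
    for node, idx, value in alerts:
        print(f"anomaly: node {node} reading #{idx} = {value}")
```

Each node sends three numbers per reporting period instead of every reading, which is where the communication saving comes from; in a deployment the cluster head would broadcast the global profile back so that nodes can apply the threshold locally. The merged profile is identical to the one computed over the pooled raw readings, so nothing is lost by distributing the computation. Note that an anomalous reading inflates the variance it is later compared against; a robust estimator or a second pass that excludes flagged readings would tighten the threshold.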

The rest of this paper is organized as follows. The second section discusses in detail the key design principles with respect to anomaly detection in WSNs. The following two sections introduce many representative detection schemes, for hierarchical and flat topologies respectively. The fifth section presents the analysis and comparison of schemes that belong to a similar technique category. Finally, the survey is summarized with a presentation of potential research areas in the near future.


Key design principles

The key design principles of anomaly detection in WSNs must be followed with respect to several aspects:

  • target;

  • typical security threats;

  • detection pattern;

  • detection method;

  • attribute selection.

Anomaly detection based on hierarchical WSNs

In hierarchical WSNs, statistical techniques, data mining and computational intelligence, game theory, and hybrid detection have been employed to realize detection schemes. The input is collected at each common sensor node, possibly followed by a preprocessing procedure or by part of the computation tasks of the data processing procedure. The original or preprocessed inputs, or local normal profiles, are then sent to the cluster head or base station, where the global normal profile is

Anomaly detection based on flat WSNs

In flat WSNs, rule-based techniques and statistical techniques are more commonly used. Without a hierarchical architecture, all nodes are equally capable of functioning and participating in internal protocols. Consequently, detection schemes that are lightweight and require less communication are preferable. In this section, we survey some of the representative literature for each technique category mentioned above.
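As an added example of the rule-based, low-communication monitoring that the paragraph above says is preferred in flat WSNs (this is illustrative code, not the paper's own and not any cited scheme's rule set), a node overhears its neighbours' transmissions and checks each one against a few fixed rules using only local state. The three rules (sequence, interval, rate), their thresholds, and the event log are all constructed here for illustration.

```python
"""Rule-based local monitoring for a flat WSN.

Added example, not code from the surveyed paper or from any of the
rule-based schemes it cites. A monitoring node overhears its neighbours'
transmissions and checks each one against a small set of fixed rules; the
rule set, its thresholds and the event log below are all constructed for
illustration. Only local state is needed and nothing is transmitted,
which is what makes such schemes attractive in flat WSNs.
"""
from collections import defaultdict, deque

# Hypothetical rule parameters (constructed, not from the paper).
RULES = {
    "min_interval": 0.2,   # seconds; messages closer than this break the interval rule
    "window": 1.0,         # seconds; sliding window for the rate rule
    "max_per_window": 4,   # messages per window allowed by the rate rule
}


def apply_rules(events, params=RULES):
    """Check overheard events (time, sender, seq) against the rules.

    Returns a list of (rule, sender, detail) alerts in time order.
    """
    alerts = []
    last_time = {}                 # sender -> time of previous message
    highest_seq = {}               # sender -> highest sequence number seen
    recent = defaultdict(deque)    # sender -> timestamps inside the window

    for t, sender, seq in sorted(events):
        # Sequence rule: sequence numbers must strictly increase; a repeat
        # or regression is reported as a possible replayed or spoofed packet.
        if sender in highest_seq and seq <= highest_seq[sender]:
            alerts.append(("sequence", sender, seq))
        highest_seq[sender] = max(highest_seq.get(sender, seq), seq)

        # Interval rule: consecutive messages from one sender must be spaced
        # at least min_interval apart.
        if sender in last_time and t - last_time[sender] < params["min_interval"]:
            alerts.append(("interval", sender, t))
        last_time[sender] = t

        # Rate rule: at most max_per_window messages per sliding window.
        q = recent[sender]
        q.append(t)
        while q and t - q[0] > params["window"]:
            q.popleft()
        if len(q) > params["max_per_window"]:
            alerts.append(("rate", sender, t))
    return alerts


def summarize(alerts):
    """Map each sender to the sorted list of distinct rules it violated."""
    by_sender = defaultdict(set)
    for rule, sender, _ in alerts:
        by_sender[sender].add(rule)
    return {s: sorted(r) for s, r in by_sender.items()}


# Constructed log of transmissions overheard by one monitoring node:
# (time in seconds, sender id, sequence number).
EVENT_LOG = [
    # n2 behaves normally: one message per second, increasing sequence numbers
    (0.0, "n2", 1), (1.0, "n2", 2), (2.0, "n2", 3), (3.0, "n2", 4),
    # n3 repeats sequence number 11
    (0.5, "n3", 10), (1.5, "n3", 11), (1.9, "n3", 11),
    # n4 sends six messages within 0.25 s
    (0.10, "n4", 1), (0.15, "n4", 2), (0.20, "n4", 3),
    (0.25, "n4", 4), (0.30, "n4", 5), (0.35, "n4", 6),
]


if __name__ == "__main__":
    found = apply_rules(EVENT_LOG)
    for rule, sender, detail in found:
        print(f"{rule:9s} rule violated by {sender} ({detail})")
    print(summarize(found))
```

Per neighbour the monitor stores one timestamp, one sequence number, and a short deque of recent timestamps, so memory grows with the number of neighbours rather than with traffic volume, and no message leaves the node. The price is that the rules and thresholds are prior knowledge fixed at design time, which is exactly the trade-off the paper draws between prior-knowledge-based and prior-knowledge-free schemes.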

A rule-based model is commonly developed in accordance with

Analysis and comparison

The advantages and disadvantages of each detection scheme have been mentioned individually above. Analysis and comparison between these schemes, both horizontally and vertically, is meaningful. Accordingly, a number of representative cases are selected from the three most popular technique categories: rule-based, data mining and computational intelligence, and statistical techniques. Although an evaluation standard for the performance of a detection scheme has been suggested in Section 2.1, this might

Potential research areas and conclusion

Anomaly detection has received much attention in recent years, as a result of its outstanding contribution to securing WSNs. The increasingly complicated application scenarios and dangerous adversaries, however, force us to keep this research moving forward. Based on the papers surveyed above, a number of potential research areas are suggested as follows.

References

  • Akyildiz IF, et al. A survey on sensor networks. IEEE Communications Magazine...
  • Anderson JP. Computer security threat monitoring and surveillance; April 1980.
  • Axelsson S. Research in intrusion-detection systems: a survey; December...
  • Cabrera JBD. Ensemble methods for anomaly detection and distributed intrusion detection in mobile ad-hoc networks. Information Fusion; 2008.
  • Chandola V. Anomaly detection: a survey. ACM Computing Surveys; 2009.
  • Curiac D-I, et al. Malicious node detection in wireless sensor networks using an autoregression technique. Presented at...
  • Dallas D, et al. Hop-count monitoring: detecting sinkhole attacks in wireless sensor networks. Presented at the 15th...
  • Deng J, et al. Intrusion tolerance and anti-traffic analysis strategies for wireless sensor networks. Presented at the...
  • Denning DE. An intrusion-detection model. IEEE Transactions on Software Engineering; 1987.
  • Frincke D. From intrusion detection to self-protection. Computer Networks; 2006.
  • Han S, et al. Taxonomy of attacks on wireless sensor networks. Presented at the 1st European conference on computer...
  • Hodge VJ, et al. A survey of outlier detection methodologies. Artificial Intelligence Review; 2004.
  • Hu J. Host-based anomaly IDS.
  • Huang L, et al. Distributed PCA and network anomaly detection; July...
  • Ioannis K, et al. Towards intrusion detection in wireless sensor networks. Presented at the 13th European wireless...
  • Jensen R, et al. New approaches to fuzzy-rough feature selection. IEEE Transactions on Fuzzy Systems; 2009.