LAD: Location Anomaly Detection for Wireless Sensor Networks Wenliang (Kevin) Du (Syracuse Univ.) Lei Fang (Syracuse Univ.) Peng Ning (North Carolina State.


1 LAD: Location Anomaly Detection for Wireless Sensor Networks Wenliang (Kevin) Du (Syracuse Univ.) Lei Fang (Syracuse Univ.) Peng Ning (North Carolina State Univ.) Sponsored by the NSF CyberTrust Program

2 Location Discovery in WSN: Sensor nodes need to find their locations (rescue missions, geographic routing protocols). Constraints: no GPS, low cost.

3 Existing Positioning Schemes Beacon Nodes

4 Attacks Beacon Nodes

5 Attacks Beacon Nodes

6 What is Anomaly: Localization error: |L_estimation – L_actual|, with L_e = L_estimation and L_a = L_actual. Anomaly: |L_e – L_a| > MTE, where MTE is the Maximum Tolerable Error. D-Anomaly: |L_e – L_a| > D.

7 The Anomaly Detection Problem: Is |L_e – L_a| > D? Find another metric A and a threshold T, and use A > T to decide whether |L_e – L_a| > D.

8 False Positive and Negative: Ideal situation: A > T ⇔ |L_e – L_a| > D. False Positive (FP): A > T, but |L_e – L_a| < D. False Negative (FN): A < T, but |L_e – L_a| > D. Detection Rate: 1 – (False Negative Rate).

9 Our Task: We assume that the location discovery is already finished. Find a good metric A. What metric can help a sensor find out whether it is in a “wrong” location? It should be more robust than the location discovery itself.

10 A Group-Based Deployment Scheme

12 Modeling of The Group-Based Deployment Scheme Deployment Points: Their locations are known.

13 The Observations A B Actual Observation Expected Observation

14 Modeling of the Deployment Distribution: Use a pdf (probability density function) to model the node distribution. Example: two-dimensional Gaussian distribution.

15 The Idea (figure labels: A, B, C, D, L_a, L_e)

16 The Problem Formulation: Is Z abnormal? Observation a = (a_1, a_2, …, a_n). (Diagram labels: Location Discovery, Z, LAD.)

17 The Problem Formulation: Actual observation: a = (a_1, a_2, …, a_n). Estimated location: Z. Expected observation: e(Z) = (e_1, e_2, …, e_n). Are e(Z) and a consistent?

18 Various Metrics: Diff Metric: A = |e(Z) – a|. Probability Metric: A = Pr(a | Z). Others.

19 How to Find the Threshold? Recall: we use A > T to decide whether |L_e – L_a| > D. How to obtain T: T is obtained for a non-compromised network. One location discovery scheme is used. Derivation: preferable but difficult. Simulation: e.g., find T such that Pr(|L_e – L_a| > D | A > T) = 99.99%. We use T as the threshold for A. False positive = 1 – 99.99% = 0.01%.
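
An added example, not part of the original presentation: a simulation of the Diff metric (slide 18) and of the simulation-based threshold (slide 19). The 3x3 deployment grid, SIGMA, R, M, the L1 form of the metric, exact location discovery in the benign network, and choosing T as a quantile of benign scores are all assumptions made for illustration.

```python
import math
import random

# Assumed parameters (not from the slides): deployment spread, radio range, nodes per group.
SIGMA, R, M = 50.0, 40.0, 300
POINTS = [(x, y) for x in (50, 150, 250) for y in (50, 150, 250)]  # known deployment points

def deploy(rng):
    """Drop M nodes per group around each deployment point (2-D Gaussian)."""
    return [(g, rng.gauss(px, SIGMA), rng.gauss(py, SIGMA))
            for g, (px, py) in enumerate(POINTS) for _ in range(M)]

def observe(nodes, idx):
    """Actual observation a: number of neighbours heard from each group within range R."""
    _, x, y = nodes[idx]
    a = [0] * len(POINTS)
    for j, (g, nx, ny) in enumerate(nodes):
        if j != idx and (nx - x) ** 2 + (ny - y) ** 2 <= R * R:
            a[g] += 1
    return a

def expected_obs(z, step=4.0):
    """Expected observation e(Z): M * Pr(a group-i node lands within R of Z),
    integrating the Gaussian pdf over the radio disk on a square grid."""
    n = int(R // step)
    cells = [(i * step, j * step) for i in range(-n, n + 1) for j in range(-n, n + 1)
             if (i * step) ** 2 + (j * step) ** 2 <= R * R]
    norm = step * step / (2 * math.pi * SIGMA ** 2)
    return [M * norm * sum(math.exp(-((z[0] + dx - px) ** 2 + (z[1] + dy - py) ** 2)
                                    / (2 * SIGMA ** 2)) for dx, dy in cells)
            for px, py in POINTS]

def diff_metric(e, a):
    """Diff metric A = |e(Z) - a|, taken here as the L1 distance."""
    return sum(abs(ei - ai) for ei, ai in zip(e, a))

def score(nodes, idx, claimed=None):
    """A for node idx at the location it believes it is at (default: its true location)."""
    _, x, y = nodes[idx]
    return diff_metric(expected_obs(claimed or (x, y)), observe(nodes, idx))

def train_threshold(nodes, rng, samples=200, fp=0.01):
    """Score a non-compromised network and take T as the (1 - fp) quantile of A."""
    scores = sorted(score(nodes, i) for i in rng.sample(range(len(nodes)), samples))
    return scores[min(samples - 1, round((1 - fp) * samples))], scores

if __name__ == "__main__":
    rng = random.Random(7)
    print("T =", train_threshold(deploy(rng), rng)[0])
```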

20 Attacks A B

21 Silence Attack (“I am actually from group 5, but I am not telling anybody.”); Range-Change Attack

22 Attacks (continued): “I am actually from group 5.” Impersonation Attack. Multi-Impersonation Attack and Wormhole Attack. “I am from group 9.” (Figure labels: Group 3, Group 5, Group 6.)

23 Arbitrary Attack: Attackers can arbitrarily change a sensor’s observation (both increasing and decreasing). There is no hope. Observation: decreasing is more difficult. Arbitrary change: a = (1, 2, 8, 10), a’ = (10, 9, 3, 1).

24 Dec-Bounded Attack: a’_i can be arbitrarily larger than a_i (multi-impersonation attacks). But a’_i cannot be arbitrarily smaller than a_i. It is difficult to prevent non-compromised nodes from broadcasting their membership.  (a i – a’ i ) a’ i. Dec-Bounded change: a = (1, 2, 8, 10), a’ = (10, 9, 7, 8).

25 Dec-Only Attack: Prevent impersonation attacks (authentication). No wormhole attacks. Attackers cannot move sensors. Attackers cannot enlarge the transmission power. Dec-Only change: a = (1, 2, 8, 10), a’ = (1, 2, 5, 7).

26 Evaluation via Simulation: X nodes are compromised. Randomly pick a node at L_a (actual location) with the actual observation a. Find a location L_e s.t. |L_e – L_a| = D. Compute expected observation u from L_e. Generate a new observation a’ from a (attacking). Find L_e, s.t. a’ is as close to u as possible.

27 The ROC Curves: Evaluating intrusion detection: detection rate, false positive. We need to look at them both. Receiver Operating Characteristic (ROC): Y-axis: detection rate; X-axis: false positive ratio.

28 ROC Curves for Different Metrics

29 ROC Curves for Different Attacks

30 Detection Rate vs. Degree of Damage (False Positive = 0.01)

31 Detection Rate vs. Node Compromise Ratio (False Positive = 0.01)

32 Conclusion: We have developed an effective anomaly detection scheme for location discovery. Future studies: how the deployment knowledge model affects our scheme; how the location discovery schemes affect our scheme; how to correct the location errors caused by the attacks.

