
Research On The Anomaly Detection Technologies For Wireless Sensor Network

Posted on: 2013-04-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z H Xiao
GTID: 1268330401479189
Subject: Computer application technology
Abstract/Summary:
Advances in sensor technology, embedded systems, networking, wireless communication and distributed information processing have led to the design and development of wireless sensor networks (WSNs), which collect and process real-time environmental information through various microsensors and have a wide range of potential applications, including national defense, environmental monitoring, traffic management, medical systems, manufacturing, counter-terrorism and disaster response. WSNs also provide a means of obtaining information for the Internet of Things.

Because WSNs lack fixed infrastructure and use an open communication medium, an attacker can easily eavesdrop on, intercept, forge and tamper with data. Because of the particular way WSN nodes are deployed, an attacker may also damage or decode captured nodes. The high-speed dynamic routing topology leaves no clear boundary between normal and abnormal operation: a node that sends wrong messages may be a captured node, or it may be a fast-moving node that has temporarily lost synchronization. General intrusion detection systems therefore have difficulty distinguishing a real intrusion from a temporary system failure. The limited energy of WSN nodes also makes WSNs more vulnerable to resource consumption attacks. An effective security mechanism is therefore needed to stop and prevent network attacks and to ensure data confidentiality, integrity and availability. In view of these features of WSNs, this dissertation studies anomaly intrusion detection from the aspects of traffic forecasting techniques, statistical analysis techniques, secure routing attack detection and intelligent techniques.

The main contributions of this dissertation are as follows.

First, existing anomaly intrusion detection methods rely only on the deviation between the real traffic and the forecast traffic of nodes (cluster head nodes, monitor nodes, neighbor nodes) to decide whether the nodes are under attack, which carries a risk of wrong judgment. A threshold-based anomaly intrusion detection approach is proposed that combines a correlation coefficient matrix with traffic prediction and uses the deviation of the correlation coefficients m to detect anomalous intrusions. In addition, the results of applying chaos and time series analysis, the autoregressive moving average (ARMA) model and the Kalman filter in WSN intrusion detection systems are analyzed. Experimental results demonstrate the efficiency of the proposed approach: compared with other methods, it has a higher detection rate when the attack intensity is weaker.

Second, statistical analysis is the most commonly used technique in anomaly intrusion detection, with low computational complexity and easy deployment. However, the threshold parameters remain difficult to determine for the mean and standard deviation model, the chi-square test method and the CUSUM method. Given that the single detection threshold of the cumulative sum (CUSUM) algorithm causes longer detection delays and a lower detection rate, a multi-class CUSUM algorithm is proposed. First, maximum and minimum thresholds that a sensor node is able to reach when sending packets are set, so that abnormal flows are eliminated and detection efficiency is improved. Second, CUSUM algorithms with different thresholds, all selected according to the mean of the traffic sequences, are applied to detect anomalous nodes. The study aims to optimize the threshold parameters, the size of which increases with the number of traffic sequences. Different values of the network traffic sequence were generated and simulated with the NS2 tool. Based on these values, the detection rates of the CUSUM algorithm and the multi-class CUSUM algorithms, as well as their false positive rates, are evaluated. Theoretical analysis and simulation results show that the proposed algorithm achieves a higher and more accurate detection rate and lower false positive rates than the current important intrusion detection schemes for WSNs.

Third, a secure routing protocol is essential for WSNs to ensure the accuracy of sensed data transmission. However, typical WSN routing protocols are designed only to support the network application and do not sufficiently consider the security of the network. Based on the architecture of heterogeneous WSNs, a secure routing protocol with anomaly detection (SRPAD) is proposed. To optimize routing overhead, an improved ant colony algorithm is proposed to search for the lowest-cost route from cluster nodes to the base station; based on the results, routing attacks are detected according to changes in the average and variance of data traffic and in the energy consumption of the monitoring cluster nodes. Theoretical analysis and simulation results show that the proposed protocol is effective in data transfer, with low energy consumption. In addition, the proposed protocol has a higher detection rate and a lower false positive rate than the current important WSN protocols.

Fourth, a Bayesian-network-based anomaly detection scheme is proposed and designed. A new clustering approach based on the K nearest neighbor algorithm is presented, and the resulting partition of the WSN into clusters is proved to be unique. A Bayesian classification algorithm is used to detect inter-cluster anomalous nodes, and anomalies in cluster-head nodes are detected using an average probability approach. Using the network simulation tool NS2, network attack traffic was generated and simulated and intrusion detection rules were developed; on this basis, the scheme's detection rate, average detection rate, false positive rate and average false positive rate were evaluated. Simulation results demonstrate that the scheme achieves a higher detection accuracy and a lower false positive rate than the current important intrusion detection schemes for WSNs.

Fifth, the characteristics of intelligent processing algorithms, such as adaptation, fault tolerance, high computational speed and error resilience in the face of noisy information, fit the requirements for building a good intrusion detection model. Based on the principle that sensor nodes situated spatially close to each other tend to behave similarly, an anomaly intrusion detection method is proposed, and the generalization ability of the algorithm is analyzed theoretically. To solve the problem that the k-means algorithm requires initial parameters, an improved k-means algorithm with a strategy using adjustable parameters is proposed. Applying the improved k-means algorithm to WSNs yields clustering results, and an SVM multi-classification algorithm is then applied to the different clusters for anomaly intrusion detection. Experimental results on the Intel Berkeley Laboratory test datasets show that the proposed method can efficiently detect abnormal behaviors. In addition, the proposed method has a high detection rate and a low false positive rate compared with the current important intrusion detection schemes for WSNs.
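
The two-stage idea in the second contribution, as an added illustration that is not the dissertation's own code: a range filter on per-interval packet counts, followed by one-sided CUSUM alarms at several thresholds derived from the mean of a baseline traffic sequence. The function name, the threshold multipliers, the slack value and the sample packet counts are assumptions; the abstract does not state the actual threshold rule.

```python
from statistics import mean

def multiclass_cusum(baseline, observed, lo, hi,
                     multipliers=(1.0, 3.0, 6.0), slack=0.5):
    """Return (rejected_indexes, {threshold: first_alarm_index_or_None}).

    baseline    -- attack-free packet counts per interval for one node
    observed    -- packet counts to be checked
    lo, hi      -- min/max counts a node can physically reach (stage 1)
    multipliers -- assumed rule: each threshold is multiplier * baseline mean
    slack       -- assumed allowance per sample, as a fraction of the mean
    """
    mu = float(mean(baseline))
    k = slack * mu                       # drift below mu + k is ignored
    thresholds = [m * mu for m in multipliers]
    first_alarm = {h: None for h in thresholds}
    rejected = []
    s = 0.0                              # one-sided (upward) CUSUM statistic
    for i, x in enumerate(observed):
        # Stage 1: values outside the reachable range are flagged at once
        # and kept out of the cumulative sum.
        if not lo <= x <= hi:
            rejected.append(i)
            continue
        # Stage 2: accumulate positive deviation, never below zero.
        s = max(0.0, s + (x - mu - k))
        for h in thresholds:
            if first_alarm[h] is None and s > h:
                first_alarm[h] = i       # record when each class first fires
    return rejected, first_alarm

# Constructed sample data (packets per interval), not from the dissertation.
BASELINE = [10, 12, 9, 11, 10, 8, 10, 10]
OBSERVED = [10, 11, 9, 500, 10, 18, 19, 20, 21, 22, 23, 12, 10]

if __name__ == "__main__":
    rejected, alarms = multiclass_cusum(BASELINE, OBSERVED, lo=0, hi=100)
    print("out-of-range samples:", rejected)
    for h, idx in alarms.items():
        print(f"threshold {h:5.1f}: first alarm at index {idx}")
```

On this sample the lowest threshold fires three intervals before the middle one and the highest never fires, which shows the trade-off between detection delay and alarm confidence that a single threshold cannot express.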
Keywords/Search Tags: wireless sensor networks, anomaly intrusion detection, traffic prediction, multi-class CUSUM, routing anomaly detection, Bayesian network, K-means-SVM