Sequential Anomaly Detection in Wireless Networks and Effects of Long Range Dependent Data
J. S. Baras and S. Zheng
Invited paper, Proceedings of the International Workshop on Sequential Methodologies (IWSM 2011), Stanford University, Palo Alto, CA, June 14-16, 2011.
Anomaly detection is an important but difficult task for wireless networks such as mobile ad hoc networks (MANET) and wireless sensor networks (WSN). We present various sequential detection schemes for detecting anomalies in such networks, including protocol violations, wormhole attacks, fraudulent data injection, or algorithm modification. We present both parametric and nonparametric algorithms, as well as centralized and distributed schemes. Recent studies have shown that node mobility, along with spatial correlations of the monitored traffic in such wireless networks, can lead to long range dependent (LRD) traffic, which could significantly increase the difficulty of anomaly detection. We next analyze the effects of LRD traffic on these sequential anomaly detection schemes. Various models of LRD traffic are considered. In the proposed schemes, wavelet transforms are used to approximately de-correlate the traffic data and to capture data characteristics at different time scales. The remaining dependencies are then captured by a multilevel hidden Markov model in the wavelet domain. To estimate the model parameters, we propose an online discounting Expectation Maximization (EM) algorithm, which also tracks variations of the estimated models over time. Network anomalies are then detected as abrupt changes in the tracked model variation scores. We develop statistical properties of these detection schemes as well as performance results, especially those stemming from the use of incorrect short range dependent traffic models.
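
The following is an added example, not code from the paper or its authors. It runs the same pipeline shape on constructed packet counts: a Haar wavelet transform gives per-scale energies, an exponentially discounted running model tracks them, and a one-sided CUSUM flags an abrupt change in the variation score. The discounted mean stands in for the paper's multilevel hidden Markov model and online discounting EM; the function names, the thresholds `k` and `h`, and the traffic generator are assumptions made for this sample.

```python
import math

def haar_energies(block):
    """Per-level log(1 + energy) of Haar detail coefficients, finest level first."""
    approx, out = list(block), []
    while len(approx) > 1:
        pairs = list(zip(approx[0::2], approx[1::2]))
        detail = [(a - b) / math.sqrt(2) for a, b in pairs]
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
        out.append(math.log1p(sum(d * d for d in detail)))
    return out

def detect(traffic, block_len=8, discount=0.05, k=3.5, h=5.0):
    """Return the index of the first block that raises a CUSUM alarm, or None."""
    model, g = None, 0.0
    for i in range(len(traffic) // block_len):
        feats = haar_energies(traffic[i * block_len:(i + 1) * block_len])
        if model is None:
            model = feats            # initialise the tracked model from block 0
            continue
        # Variation score: largest per-scale deviation from the tracked model.
        score = max(abs(f - m) for f, m in zip(feats, model))
        # Discounted update: older blocks are forgotten geometrically.
        model = [m + discount * (f - m) for f, m in zip(feats, model)]
        g = max(0.0, g + score - k)  # one-sided CUSUM on the score
        if g > h:
            return i
    return None

def constructed_traffic(n_blocks, change_block=None, burst=100, block_len=8):
    """Constructed packet counts: 20 +/- 2, optional injected burst on even slots."""
    state, out = 1, []
    for t in range(n_blocks * block_len):
        state = (state * 1103515245 + 12345) % 2**31   # small LCG as fixed noise
        x = 20 + (state >> 16) % 5 - 2
        if change_block is not None and t >= change_block * block_len and t % 2 == 0:
            x += burst               # injected packets alternate with normal slots
        out.append(x)
    return out

if __name__ == "__main__":
    print(detect(constructed_traffic(60)))                   # clean trace
    print(detect(constructed_traffic(60, change_block=40)))  # injection from block 40
```

The drift `k` is set just above the largest score the constructed clean traffic can produce (log 33), so the CUSUM statistic stays at zero until the injection changes the finest-scale energy.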