Elsevier

Computer Networks

Volume 64, 8 May 2014, Pages 195-207
An adaptive elliptical anomaly detection model for wireless sensor networks

https://doi.org/10.1016/j.comnet.2014.02.004

Abstract

Wireless Sensor Networks (WSNs) provide a low cost option for monitoring different environments such as farms, forests and water and electricity networks. However, the restricted energy resources of the network impede the collection of raw monitoring data from all the nodes to a single location for analysis. This has stimulated research into efficient anomaly detection techniques to extract information about unusual events such as malicious attacks or faulty sensors at each node. Many previous anomaly detection methods have relied on centralized processing of measurement data, which is highly communication intensive. In this paper, we present an efficient algorithm to detect anomalies in a decentralized manner. In particular, we propose a novel adaptive model for anomaly detection, as well as a robust method for modeling normal behavior. Our evaluation results on both real-life and simulated data sets demonstrate the accuracy of our approach compared to existing methods.

Introduction

A Wireless Sensor Network (WSN) consists of a set of nodes, where each node is provided with a set of sensing devices, a processing unit and a wireless communication unit. WSNs provide a cost-effective platform for monitoring and data collection in environments where the deployment of wired sensing infrastructure is too expensive or impractical [1]. An important challenge in the management of such WSNs is the detection of anomalies, i.e., unusual measurements that are inconsistent with the distribution of the majority of observations. Anomaly detection has several important roles in the management of WSNs. For example, anomalous measurements can be caused by faults in sensors. In this context, it is important to detect and filter those erroneous measurements, to ensure the integrity of the collected data. Anomalies also correspond to events of interest. In this case, we may be interested in only collecting those unusual changes in order to avoid wasting resources on reporting normal measurements. The focus of this paper is on detecting changes from the normal behavior in the node.

In a centralized approach to monitoring, each node sends its data to a central location where the data is analyzed to detect anomalies. This is an inefficient approach since the communication cost of sending all the data over the network is high and this drains the batteries of sensor nodes. For example, transmitting one bit can consume as much energy as running several thousand instructions on a sensor’s CPU [2]. While a centralized approach incurs a communication overhead, it potentially provides the best results in terms of accuracy [3], so it forms a baseline for comparing different algorithms. An alternative is a decentralized approach where each sensor performs local processing to detect and remove anomalies. However, due to the limited resources available in a wireless sensor node, we cannot use common anomaly detection techniques for this purpose. Hence our challenge is to detect anomalies in data that is distributed among a set of sensors, while minimizing communication between nodes. We also need to consider the limited computational capabilities of each node.

A naïve approach for detecting anomalies in WSNs that keeps the computational complexity low is to define maximum and minimum bounds for the normal data [4], [5]. However, this approach has low accuracy because minimum and maximum bounds are not flexible enough to create a tight boundary over the data. The limitations of maximum and minimum boundaries have motivated research into decentralized data modeling approaches to anomaly detection in WSNs, so that in-network processing can be used to reduce energy-intensive communication within the network [6]. By effectively selecting critical measurements and forwarding them to the base station, we can increase the life span of the WSNs without affecting the decision making process. We aim to increase the lifetime of the network, which can make the application of WSNs more practical in large scale monitoring applications.

There are a variety of algorithms that have been proposed to detect anomalies by using different data models to accomplish this task [7], [8], [9]. However, they either incur high computational cost on each sensor [10], [8], [9] or they assume that the monitored environment is homogeneous [7], i.e., the underlying distribution of measurements seen by each sensor is approximately identical. In addition, in many applications the underlying system changes often, which limits the usage of the static methods. The authors of [11] demonstrated a need for adaptive modeling for anomaly detection in WSNs.

The main contributions of this paper are as follows: (1) we introduce two models for estimating the global decision boundary for robust anomaly detection, based on the minimum volume ellipsoid covering a set of ellipsoids from different sensors, and the Vysochanskij–Petunin inequality; (2) we evaluate the performance of these two methods on two real-life datasets; and (3) we propose an adaptive model for maintaining the decision boundary for anomaly detection without the need for re-training, and give an empirical evaluation of the performance of our approach on two real-life datasets. Our results demonstrate that our new approach can achieve higher accuracy compared to a state-of-the-art approach [12], and it can adapt to changes in the environment, which makes it suitable for use in practical situations. In the next section we summarize related work in this field. In Section 3, we present the formal statement of the problem we address. We then present an overview of previous work in Section 4. Sections 5 (Boundary detection for merged ellipsoids) and 6 (Adaptive modeling of normal behavior) are dedicated to our new approach to global boundary detection and our proposed adaptive model, respectively. A summary and conclusions are given in Section 7.

Section snippets

Background and related work

An important aspect of a monitoring system is to detect significant events or unusual behavior in that environment. Anomaly detection methods play an important role in modeling and detecting these anomalous events in the system.

Anomaly detection has been applied in a variety of applications [13], including intrusion detection [14], [6], and event detection [15]. Numerous factors affect the use of anomaly detection in these applications, such as mobility in sensors, benign or adverse

Problem statement

Our aim is to find ellipsoidal boundaries over a set of data in each node, such that data points outside the ellipsoids are considered as anomalous measurements and those inside the boundaries as normal measurements. The intention is to forward only anomalous measurements to the sink in order to reduce the communication overhead in the network. In this section, we first give a formal statement of the problem and then introduce the datasets that are used to evaluate our proposed adaptive model.
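An added example, not code from the paper: a node-side ellipsoidal boundary check in two dimensions, set against the per-attribute min/max bounds discussed in the introduction. The Mahalanobis-distance form of the ellipsoid, the 0.98 coverage level and the sample readings are assumptions made here.

```python
import math

def fit_ellipsoid(points, p=0.98):
    """Return (mean, inverse covariance, t^2) for a window of 2-D readings."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points) / (n - 1)
    syy = sum((y - my) ** 2 for _, y in points) / (n - 1)
    sxy = sum((x - mx) * (y - my) for x, y in points) / (n - 1)
    det = sxx * syy - sxy * sxy
    if det <= 1e-12:
        raise ValueError("degenerate covariance: readings are collinear")
    inv = ((syy / det, -sxy / det), (-sxy / det, sxx / det))
    # For d = 2 the chi-squared CDF is 1 - exp(-x/2), so its inverse at p
    # has the closed form below (assumed coverage level p, not from the page).
    t2 = -2.0 * math.log(1.0 - p)
    return (mx, my), inv, t2

def mahalanobis_sq(point, mean, inv):
    dx, dy = point[0] - mean[0], point[1] - mean[1]
    return (dx * (inv[0][0] * dx + inv[0][1] * dy)
            + dy * (inv[1][0] * dx + inv[1][1] * dy))

def is_anomaly(point, model):
    mean, inv, t2 = model
    return mahalanobis_sq(point, mean, inv) > t2

def in_box(point, points):
    """Naive per-attribute min/max check, for comparison."""
    return all(min(col) <= v <= max(col) for v, col in zip(point, zip(*points)))

def to_forward(readings, model):
    """Readings the node would send to the sink: those outside the ellipsoid."""
    return [r for r in readings if is_anomaly(r, model)]

# Constructed training window: temperature (C) vs. relative humidity (%),
# negatively correlated with small deterministic jitter.
TRAIN = [(20.0 + 0.5 * i + 0.3 * (-1) ** i, 70.0 - i + 0.6 * (i % 3 - 1))
         for i in range(21)]
MODEL = fit_ellipsoid(TRAIN)
# Constructed new readings: two typical, one inside the min/max box but off
# the correlation, one far out of range.
NEW = [(25.0, 60.0), (22.0, 66.5), (29.0, 68.0), (45.0, 30.0)]

if __name__ == "__main__":
    for r in NEW:
        print(r, "box ok" if in_box(r, TRAIN) else "box violation",
              "ANOMALY" if is_anomaly(r, MODEL) else "normal")
```

The reading (29.0, 68.0) passes the min/max check on both attributes yet falls outside the ellipsoid, which is the looseness of box bounds that the introduction describes.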

Anomaly detection using clustering of ellipsoids

The initialization process involved in our proposed adaptive model is similar to that of the anomaly detection algorithm proposed in [12]. For completeness, we briefly explain that process in the following. We conclude this section by highlighting the challenges in this approach, and subsequently address those challenges in Sections 5 (Boundary detection for merged ellipsoids) and 6 (Adaptive modeling of normal behavior).

Boundary detection for merged ellipsoids

As we mentioned in the previous section, when combining a set of ellipsoids $e_1, \ldots, e_K$ at the base station, where these ellipsoids represent the level set t=(χd2)1--1 in Eq. (1), the assumption of the normality of the resulting distribution is not necessarily true in real life applications. In this section, we examine two alternative approaches to find a more appropriate global ellipsoid after merging: (1) a statistical approach based on the Chebyshev inequality, which provides an alternative way

Adaptive modeling of normal behavior

In this section, our adaptive procedure of finding a global model is explained. In this method, each sensor, after the initial time $T_t$, compares its local readings with the global ellipsoids that it has received from the base station. As a result, we have local and global boundaries plus the measurements at the base station that do not conform to the global boundaries (after time $T_t$, using the subset of data $X_j$). The problem that we address in this section is how can we use this information to

Conclusion

In this paper we proposed an adaptive model for anomaly detection in WSNs. Compared to an earlier approach based on clustering ellipsoids, our approach can achieve better results in non-homogeneous environments without adding extra load on the sensor nodes. Further, we proposed two methods of finding global ellipsoids that make less restrictive assumptions about the statistical properties of the data.

The performance of the adaptive model depends greatly on the automatic clustering approaches

Acknowledgments

NICTA is funded by the Australian Government as represented by the Department of Broadband, Communications and the Digital Economy and the Australian Research Council through the ICT Centre of Excellence program.

Masud Moshtaghi received the B.Sc. in Computer Science (2006), the MSEng in Software Engineering (2008) from The University of Tehran, and Ph.D. in Computer Science from The University of Melbourne (2013). He has been a Research Fellow at Monash University since April 2012. His research interests include pattern recognition, artificial intelligence for network security, data mining and wireless sensor networks.

References (39)

  • G. Anastasi et al., Energy conservation in wireless sensor networks: a survey, Ad Hoc Netw. (2009)
  • M. Moshtaghi et al., Clustering ellipses for anomaly detection, Pattern Recogn. (2011)
  • A. Willig, Recent and emerging topics in wireless industrial communications: a selection, IEEE Trans. Ind. Inform. (2008)
  • C. Chong, S. Kumar, Sensor networks: evolution, opportunities, and challenges, in: Proc. of IEEE, vol. 91, 2003, pp....
  • V. Bhuse et al., Anomaly intrusion detection in wireless sensor networks, J. High Speed Netw. (2006)
  • I. Onat, A. Miri, An intrusion detection system for wireless sensor networks, in: Proc. IEEE Intl. Conf. on Wireless...
  • S. Rajasegarar et al., Anomaly detection in wireless sensor networks, IEEE Wire. Commun. (2008)
  • S. Rajasegarar, J.C. Bezdek, C. Leckie, M. Palaniswami, Elliptical anomalies in wireless sensor networks, ACM Trans....
  • S. Rajasegarar, C. Leckie, M. Palaniswami, J. Bezdek, Quarter sphere based distributed anomaly detection in wireless...
  • S. Rajasegarar, C. Leckie, M. Palaniswami, CESVM: centered hyperellipsoidal support vector machine based anomaly...
  • C. Ezeife, M. Ejelike, A.K. Aggarwal, WIDS: a sensor-based online mining wireless intrusion detection system, in: Proc....
  • E.W. Dereszynski, T.G. Dietterich, Spatiotemporal models for data-anomaly detection in dynamic environmental monitoring...
  • M. Moshtaghi, S. Rajasegarar, C. Leckie, S. Karunasekera, Anomaly detection by clustering ellipsoids in wireless sensor...
  • V. Chandola et al., Anomaly detection: a survey, ACM Comput. Surv. (2009)
  • D. Djenouri et al., A survey of security issues in mobile ad hoc and sensor networks, IEEE Commun. Surv. Tutor. (2005)
  • S. Subramaniam, T. Palpanas, D. Papadopoulos, V. Kalogeraki, D. Gunopulos, Online outlier detection in sensor data...
  • M. Hill, M. Campbell, Y.-C. Chang, V. Iyengar, Event detection in sensor networks for modern oil fields, in: Proc. of...
  • G. Boggia, P. Camarda, L. Grieco, M. Palattella, Fire detection using wireless sensor networks: an approach based on...
  • S. Appadwedula et al., Decentralized detection with censoring sensors, IEEE Trans. Signal Process. (2008)
    Christopher Leckie is an Associate Professor and Deputy-Head of the Department of Computer Science and Software Engineering at the University of Melbourne in Australia. He has over two decades of research experience in artificial intelligence (AI), especially for problems in telecommunication networking, such as data mining and intrusion detection. His research into scalable methods for data mining has made significant theoretical and practical contributions in efficiently analyzing large volumes of data in resource-constrained environments, such as wireless sensor networks.

    Shanika Karunasekera received the B.Sc. (Honours) degree in electronics and telecommunications engineering from the University of Moratuwa, Sri Lanka, in 1990 and the Ph.D. degree in electrical engineering from the University of Cambridge, UK, in 1995. From 1995 to 2002, she was a Software Engineer and a Distinguished Member of Technical Staff at Lucent Technologies, Bell Labs Innovations, USA. Since January 2003, she has been a Senior Lecturer at the Department of Computer Science and Software Engineering, University of Melbourne. Her current research interests are distributed computing, software engineering and peer-to-peer computing.

    Sutharshan Rajasegarar received the B.Sc. Engineering degree in Electronic and Telecommunication Engineering (with first class honours) in 2002, from the University of Moratuwa, Sri Lanka, and the Ph.D. in 2009 from the University of Melbourne, Australia. He is currently a Research Fellow with the Department of Electrical and Electronic Engineering, The University of Melbourne, Australia. His research interests include wireless sensor networks, anomaly/outlier detection, machine learning, pattern recognition, signal processing and wireless communication.
