Sage Journals: Discover world-class research

Abstract

As WSNs gain popularity, they are becoming more and more necessary for traffic anomaly detection. Because worms, attacks, intrusions, and other kinds of malicious behaviors can be recognized by traffic analysis and anomaly detection, WSN traffic anomaly detection provides useful tools for timely reaction and appropriate prevention in network security. In the paper, we improve exploitation of GM(1,1) model to make traffic prediction and judge the traffic anomaly in WSNs. Based on our systematical researches on the characteristics of WSN traffic, the causes of WSN abnormal traffic, and latest related research and development, we better exploit the GM(1,1) model following four guidelines: using a sliding window to determine historical data for modeling, optimizing initial value of one-order grey differential equation, making traffic prediction by short step exponential weighted average method, and judging whether the traffic of the next moment is abnormal by Euclidean distance. Then, we propose a traffic anomaly detection algorithm for WSNs based on the improved exploitation of GM(1,1) model. Simulation results and comparative analyses demonstrate that our proposed WSN traffic anomaly detection algorithm can reduce the undetected rate and has better anomaly detection accuracy than traditional traffic anomaly detection algorithms.

1. Introduction

In recent years, the emergence of a variety of wireless sensor networks (WSNs) applications, such as military applications [1], home automation [2], smart building [3], health and medical applications [4], vehicle and target tracking [5], and industry domains [6, 7], has been prompted by the developments in the field of distributed computing and microelectromechanical systems. In general, a WSN is composed of a mass of battery-powered thick-deployed and low-power sensor nodes with sensing, processing, and storage capabilities and wireless communication [6]. Monitoring a certain phenomenon, such as object tracking or environmental data, is the main purpose of sensor nodes composed of power, sensing, computing, and communication modules [8].

As WSNs gain popularity, they are becoming more and more necessary for traffic anomaly detection. In a WSN, traffic anomaly detection is a useful method to understand the network behavior and determine network performance and reliability contributing to effective and prompt troubleshooting and resolving various issues. Over the past few years, traffic anomaly detection, applied in WSN scenario, has become increasingly a dynamic field of study. Furthermore, intrusions, attacks, worms, and other kinds of malicious behaviors can be identified by traffic analysis and anomaly detection, so traffic anomaly detection in a WSN provides a sound basis for prevention and reaction in network security.

As is well known, in the wired networks, in order to correctly detect abnormal traffic, traffic anomaly detection has been widely discussed and a variety of methods have been exploited. Because the traffic characteristics of traditional wired networks are greatly different from WSNs, the method of detecting abnormal served wired networks cannot be directly applied to WSNs. The fact that the nodes energy, storage capacity, and computing power are severely limited is an obvious characteristic of a WSN. In this case, while designing the WSN traffic anomaly detection algorithm is a huge challenge, dealing with the application correlation (burst) and nonstationary characteristics of WSN traffic is another huge challenge.

In this paper, we summarize the characteristics of traffic and the causes of abnormal traffic in a WSN. Classification research on traffic anomaly detection model and method in WSN is made, and comparative analyses are also carried out. The GM(1,1) model is efficient and has low computational complexity. So it is quite suitable for the real-time traffic anomaly detection of WSN in which the energy and capability in calculation of the node are limited. We better exploit the GM(1,1) model following four guidelines: using a sliding window to determine historical data for modeling, optimizing initial value of one-order grey differential equation, making traffic prediction by short step exponential weighted average method, and judging whether the traffic of the next moment is abnormal by Euclidean distance. Simulation results and comparative analyses indicate that the novel algorithm, which is based on improved exploitation of GM(1,1) model, possesses higher detection accuracy and better real time than the traditional method.

The remainder of this paper is organized as follows. In Section 2, we briefly introduce the existing anomaly detection algorithms and make a comparative analysis of them. In Section 3, we analyze the characteristics of WSN traffic and the cause of WSN abnormal traffic in depth and introduce GM(1,1) model in detail. Then, we design four methods to improve exploitation of GM(1,1) model in Section 4. And a complete traffic anomaly detection algorithm for WSN is proposed in Section 5. In Section 6, we use Matlab to simulate this algorithm and the simulation results demonstrate that this algorithm can reduce the undetected rate and improve the detection accuracy. Section 7 concludes our paper.

2. Related Work

The researches on traffic anomaly detection can be classified into three main research directions, namely, detection based on feature and behavior, statistic-based detection, and intelligent detection based on machine learning and data mining. Here, we will review the main research directions.

2.1. Detection Based on Feature and Behavior

The method to detect the anomaly, which is based on the flow characteristics and behavior, is to detect abnormal traffic through looking for patterns matching the anomalous traffic in traffic data of the network. This method, which requires the input of network traffic or data packets, has real-time performance and good detection accuracy. The approach can not only detect network anomalies, but also be applied to analyze and ascertain the types.

However, due to this method's requirement for real-time comparison between the features of abnormal traffic and current traffic, the database of the characteristics of abnormal traffic is a vital factor restricting the detection accuracy. In this method, a huge feature database needs to be built and constantly updated, which will be a great challenge for wireless sensor networks with constrained computing and storage capacity.

In [9], Wang extracts profiles of the characteristic of sensor nodes and network behavior through wireless sensor network packet traffic, and then anomalies can be identified by monitoring behavior of nodes and network.

2.2. Detection Based on Statistics

Detection method based on statistics, mainly including CUSUM algorithms and wavelet analysis, does not require advanced knowledge of the behaviors characteristics of nodes and network. It directly calculates statistics of the inputted traffic data, such as mean and variance, and then, according to statistical bias, we can determine whether the traffic is abnormal.

In [10], a multistatistics modified CUSUM algorithm (M-CUSUM), which is based on matrix, is proposed. By computing the ratio between the sum of subtracting and absolute value of traffic among ingress and egress ports, it can real-timely detect network flow. A wavelet analysis-based real-time anomaly detection (WARAD) algorithm, proposed in [11], reversely collects the network traffic in real time and then utilizes the variance of the wavelet coefficients. This method can not only improve the accuracy and the instantaneity of anomaly detection, but also reduce the computational complexity of solving the Hurst values. Moreover, the variances of different level wavelet coefficients compose Hurst parameters of different decomposition levels. Therefore, through only detecting marked change of variances of adjacent level wavelet coefficients, abnormalities can be determined.

2.3. Intelligent Detection Based on Machine Learning and Data Mining

In this type of algorithm, anomaly detection is usually regarded as a clustering or classification problem, and then a machine learning model can be established. Finally, judgment is made in real time. This intelligent method includes many segments branches, such as ARMA model, Markov model, support vector machine (SVM), Backpropagation (BP) Neural Networks, and Immune-Genetic Algorithm.

In [12], a series of Markov models, including tree-indexed Markov chains, are applied to characterize the network behavior. Moreover, optimal decision rules and large deviations techniques are made use of to identify anomalies. A community intrusion detection system on the strength of classification of support vector machine (SVM) is presented by Tian et al. in [13]. In [14], the researchers put forward two new clustering algorithms, namely, the supervised improved competitive learning network (SICLN) and the improved competitive learning network (ICLN). In [15], in order to maximize the detection rates, an enhanced method to detect DDoS attacks, the parameters of the traffic matrix of which are optimized by using a Genetic Algorithm (GA), is proposed.

In the last three sections, the current mainstream methods to detect traffic anomaly in WSNs are summarized. And Table 1, in which G means good, B means bad, H means high, L means low, N means normal, and R means relatively, presents advantages and disadvantages of their performance.

Table 1

Performance of different detection methods.

Detection method (based on)	Data needed	Complexity	Accuracy	Intelligence	Independence
Feature and behavior	RH	RL	N	RG	RG
CUSUM	L	RL	N	N	G
Wavelet analysis	RL	N	RG	RG	RB
Markov model	RH	N	RG	N	RG
ARMA model	RL	N	RG	N	G
Immune-Genetic	H	H	G	G	B
Neural networks	H	RH	G	G	RB
SVM	RH	RH	G	G	RG

Notations. G: good; B: bad; H: high; L: low; N: normal; R: relatively.

In Table 1, independence is the performance of the detection method, which is alone applied to detect anomalies. Usually, the methods with relatively bad and bad independence are optimization and assist methods [16]. The method, which is based on feature and behavior, demands that feature database is built, which needs abundant data. The method based on Markov model needs to get Markov prediction model, which requires a mass of data. Similarly, the last three methods also require plenty of data. Generally, the complexity is also increasing with the improvement of detection accuracy. A detection method with low complexity and high accuracy is our research goal.

3. Theoretical Analysis

3.1. WSN Traffic Characteristics

On the whole, there are two important properties, namely, imbalance and application correlation [16], for WSN traffic: (1)

The imbalance is mainly reflected in traffic of sensor nodes and convergence nodes. A large proportion of data is transferred from sensor nodes to convergence nodes, but only a small proportion of data, namely, control messages, need to be transferred from convergence nodes to sensor nodes. Therefore, most of the data is aggregated at the base station and convergence nodes.

(2)

The application correlation means that the network is full of unexpected traffic. WSN is associated with application, which means a full-time driver and periodic data inquiring. Therefore, its traffic data is cyclical. When tracking and collecting the target data, the traffic will increase sharply since a mass of data needs to be transferred in the very short period of time.

3.2. Causes of WSN Traffic Anomaly

The fact that nodes of WSN usually use radio to communicate and are deployed in an open area not only makes it vulnerable to malicious damage of people, but also brings about a series of security risks, such as disclosure of information.

Frequent attack methods, including resource depletion attack [17], sinkhole attack, and flooding attack, will cause the abnormal behavior of network traffic. The common attack methods of different layers of network are elaborated in Table 2, as well as their caused anomaly. As we can see, almost all the attacks will cause an exception. So monitoring network traffic in a network contributes to the judgment of whether the abnormality has happened and whether a network is suffering from the attack. These are in favor of making appropriate defensive measures in subsequence.

Table 2

WSN traffic anomaly causes and traffic changes shape.

WSN layer	Attack method	Traffic change
Application layer	Malicious code	Anomaly (whole)

Transport layer	Ping/ICMP flood	Increase (whole)
Transport layer	SYN flood	Increase (whole)

Network layer	Packet forgery/playback	Indefinite
	Selected forwarding	Anomaly (part)
	Direction misleading	Anomaly (part)
	Sinkhole	Increase (part)

Link layer	Resource depletion	High for a long time
Link layer	Collision	Concentrated (part)

Physical layer	Congestion	High anomaly (part)
Physical layer	Physical damage	Decrease to zero

3.3. Definition of GM(1,1) Model

The grey systems theory, established by Julong Deng in 1982, is a new methodology that focuses on the study of problems involving small samples and poor information. It deals with uncertain systems with partially known information through generating, excavating, and extracting useful information from what is available. So, systems' operational behaviors and their laws of evolution can be correctly described and effectively monitored [18]. The grey model is abstracted from the grey system. GM(1,1) model, the simplest model of the grey model, represents a differential equation with one order and one variable. In the natural world, uncertain systems with small samples and poor information exist commonly. That fact determines the wide range of applicability of grey systems theory. GM(1,1) model has the characteristics of less data, less computation speed, accurate forecasting, and so forth. So, it is widely used in agriculture, forestry, water conservancy, energy, transportation, economy, and other fields. But, so far, no one has applied GM(1,1) model to WSN traffic anomaly detection.

Denote the original data sequence by $x^{(0)} = (x^{(0)} (1), x^{(0)} (2), \dots, x^{(0)} (n))$ ; $x^{(0)}$ is the given discrete dimensional sequence of n length.

The 1-AGO (accumulated generating operation) formation is defined as

\begin{matrix} x^{(1)} = (x^{(1)} (1), x^{(1)} (2), \dots, x^{(1)} (n)), \end{matrix}

(1)

where

x^{(1)} (1) = x^{(0)} (1)

, and

x^{(1)} (k) = \sum_{i = 1}^{k} x^{(0)} (i)

k = 2,3, \dots, n

According to GM(1,1), we can get the following first-order grey differential equation:

\begin{matrix} \frac{d x^{(1)}}{d t} + a x^{(1)} = b, \end{matrix}

(2)

where a is the developing coefficient of GM and b is the grey control variable. Denoting the differential coefficient subentry in the form of difference, we can get

\begin{matrix} \frac{d x^{(1)}}{d t} = x^{(1)} (k + 1) - x^{(1)} (k) . \end{matrix}

(3)

Before building a grey GM(1,1) model, a proper α value is needed to be assigned for a better background value $z^{(1)} (k)$ . The sequence of background values was defined as follows:

\begin{matrix} z^{(1)} = \{z^{(1)} (1), z^{(1)} (2), \dots, z^{(1)} (n)\}, \end{matrix}

(4)

where

z^{(1)} (k) = α * x^{(1)} (k) + (1 - α) * x^{(1)} (k - 1)

k = 2,3, \dots, n

0 \leq α \leq 1

. For convenience, the α value is often set to be 0.5, and

z^{(1)} (k)

is derived as

\begin{matrix} z^{(1)} (k) = 0.5 x^{(1)} (k) + 0.5 x^{(1)} (k - 1) . \end{matrix}

(5)

Set $u = [a, b]^{T}$ , coefficient vector $Y = [x^{(0)} (2), x^{(0)} (3), \dots, x^{(0)} (n)]^{T}$ , and accumulated matrix

\begin{matrix} B = [\begin{bmatrix} - z^{(1)} (2) & 1 \\ - z^{(1)} (3) & 1 \\ ⋮ & ⋮ \\ - z^{(1)} (n) & 1 \end{bmatrix}] . \end{matrix}

(6)

Then, set

J (u) = (Y - B u)^{T} (Y - B u)

. According to the Ordinary Least Square (OLS) method, when

J (u)

is minimum, the estimate of u is

\begin{matrix} \hat{u} = {[\hat{a}, \hat{b}]}^{T} = {(B^{T} B)}^{- 1} B^{T} Y . \end{matrix}

(7)

Solving the first-order grey differential equation, we can get the solution:

\begin{matrix} {\hat{x}}^{(1)} (k) = [x^{(0)} (1) - \frac{\hat{a}}{\hat{b}}] e^{- \hat{a} (k - 1)} + \frac{\hat{a}}{\hat{b}}, k = 1,2, \dots, n . \end{matrix}

(8)

3.4. Prediction Steps of GM(1,1) Model

Step 1 (inspection and processing on the data sequence).

First, in order to guarantee the feasibility of the model, inspection and processing on the original data sequence are necessary.

Denote the original data sequence by $x^{(0)} = (x^{(0)} (1), x^{(0)} (2), \dots, x^{(0)} (n))$ . Calculate the stepwise ratio $λ (k)$ of series, and it is defined as

\begin{matrix} λ (k) = \frac{x^{(0)} (k - 1)}{x^{(0)} (k)}, k = 2,3, \dots, n . \end{matrix}

(9)

If all stepwise ratios $λ (k)$ are in the range $Θ = (e^{- 2 / (n + 2)}, e^{2 / (n + 2)})$ , sequence $x^{(0)}$ can be used to forecast by GM(1,1) model. Otherwise, an identical number c is added to $x^{(0)}$ , where c is a constant, in order to make $λ (k)$ in the range $Θ = (e^{- 2 / (n + 2)}, e^{2 / (n + 2)})$ .

Step 2 (build GM(1,1) model).

Based on the data sequence which has passed inspection, GM(1,1) model can be established according to (2).

Step 3 (model checking).

(a) Residual test: set residual as $ε (k)$ . And it is defined as

\begin{matrix} ε (k) = \frac{x^{(0)} (k) - {\hat{x}}^{(0)} (k)}{x^{(0)} (k)}, k = 1,2, \dots, n, \end{matrix}

(10)

where

{\hat{x}}^{(0)} (1) = x^{(0)} (1)

. If

ε (k) < 0.2

, the GM(1,1) model has reached the general requirements; if

ε (k) < 0.1

, the model has reached the higher requirements.

(b) Stepwise ratio deviation test: according to the stepwise ratio $λ (k)$ of the original data sequence $x^{(0)}$ and the developing coefficient a, the corresponding stepwise ratio deviation can be calculated as follows:

\begin{matrix} ρ (k) = 1 - (\frac{1 - 0.5 a}{1 + 0.5 a}) λ (k) . \end{matrix}

(11)

If $ρ (k) < 0.2$ , the GM(1,1) model has reached the general requirements; if $ρ (k) < 0.1$ , the model has reached the higher requirements.

Step 4 (predicting).

Based on GM(1,1) model which has passed the test, according to (8), we can predict the future value.

3.5. Advantages of GM(1,1) Model

Applying GM(1,1) model to detect traffic anomaly of WSN has three main advantages: (1)

The modeling of GM(1,1) does not need a mass of data. Only four pieces of data are needed when establishing a GM(1,1) model. So GM(1,1) model can be used under the circumstances that the historical data is less and the integrity of sequence is poor.

(2)

Using differential equation to build the model can fully tap the essence of the system and has a higher accuracy.

(3)

It is quite suitable for the real-time traffic anomaly detection of WSN in which the energy and capability in calculation of the node are limited.

4. Improvement of Exploitation of GM(1,1) Model

4.1. Using a Sliding Window to Determine Historical Data for Modeling

The historical data, which is used to build GM(1,1) model and predict future data, is quite short. In order to ensure the real time and accuracy of the model, we design a fixed-size sliding window, which should be as short as possible under the premise of high accuracy. In addition to ensuring the real time of the model, this will also guarantee the effectiveness of the latest historical data. Therefore, more accurate predicative data (reasonable network traffic expectation) can be got.

4.2. Optimizing Initial Value of One-Order Grey Differential Equation

In the traditional GM(1,1) model, the first piece of data of historical data is used as the initial condition for first-order grey differential equation. But, in fact, the cognitive function of the new information is greater than the cognitive function of the old information. Therefore, in order to make GM(1,1) model more accurate, the last piece of data of historical data is used as the initial condition of the GM(1,1) model. That is to say, set the last piece of data as $x^{(1)} (n)$ ; then,

\begin{matrix} {\hat{x}}^{(1)} (k) = [x^{(1)} (n) - \frac{\hat{b}}{\hat{a}}] e^{- \hat{a} (k - n)} + \frac{\hat{b}}{\hat{a}}, k = 1,2, \dots, n, \\ {\hat{x}}^{(0)} (k) = {\hat{x}}^{(1)} (k) - {\hat{x}}^{(1)} (k - 1), k = 2,3, \dots, n, {\hat{x}}^{(0)} (1) = {\hat{x}}^{(1)} (1) . \end{matrix}

(12)

4.3. Making Traffic Prediction by Short Step Exponential Weighted Average Method

The short step exponential weighted average method, which is mainly divided into two parts, short step prediction and predicted traffic value weighted average, is a vital step to perceive WSN traffic anomaly. To a certain degree, the method brings down the accuracy. However, it improves the capability of judging abnormal traffic.

Correlation exists in between data at different times. The shorter the interval between them is, the greater their relevance is; conversely, the longer the interval between them is, the smaller their relevance is. Therefore, when using several time series data as sample data to make traffic prediction, it has higher accuracy making shorter step forecast and lower accuracy making longer step forecast [16]. For GM(1,1) model, when $L \leq 3$ , its predictive value is highly effective. And the shorter the step is, the more accurate the value is.

According to the analysis above, when $L = 1$ , the predictive value is the most effective and accurate. However, the value is not suitable. Therefore, sometimes, it is necessary for designing an anomaly detection algorithm to achieve “inaccurate” predication value. Thus, when the abnormal traffic comes, the normal fitting GM(1,1) model cannot be changed easily. So better predictive value, which could be applied to detect abnormalities easily, can be obtained. Its theoretical basis is that network traffic is often at a certain steady state, which has certain “inertia,” so any sudden traffic change is caused by equipment malfunction or human-caused nonnatural behaviors, which can be judged to be abnormal state [16].

For the purpose of making detecting traffic anomalies easier, short step exponential weighted average method is brought in normal traffic. It is shown in Figure 1 and described in the following: (1)

Using the data in the sliding window to establish the model, predicting the following L-step, and saving predictive values in corresponding position of timetable (column coordinate corresponds to different time).

(2)

Producing a final determination value by making exponential weighted average on L values in the same column of timetable.

Figure 1

Exponential weighted average method.

4.4. Judging Whether the Traffic of the Next Moment Is Abnormal by Euclidean Distance

In traditional judgment method, relative error method is often used. But its effect is not ideal. So, we propose the Euclidean distance method. Set two W-size data sequences as $a = (a_{1}, a_{2}, \dots, a_{W})$ and $b = (b_{1}, b_{2}, \dots, b_{W})$ . The Euclidean distance D is defined as

\begin{matrix} D = \sqrt{{(a_{1} - b_{1})}^{2} + {(a_{2} - b_{2})}^{2} + \dots + {(a_{W} - b_{W})}^{2}} . \end{matrix}

(13)

If we consider the final determination value sequence as $p = (p_{1}, p_{2}, \dots, p_{n})$ and need to judge whether the Tth data of the original data sequence is abnormal, we define $a = (x^{(0)} (T - W + 1), x^{(0)} (T - W + 2), \dots, x^{(0)} (T))$ and $b = (p_{T - W + 1}, p_{T - W + 2}, \dots, p_{T})$ . Then, we calculate the Euclidean distance D. To clarify, we need to set a threshold depending on different WSN, and when D exceeds the threshold, the traffic is considered as abnormal and marked by means of a warning signal. In addition, it is important to select the appropriate W and threshold. If W is too large, the model will be slow; conversely, the model will not be accurate enough. Similarly, if threshold is too large, the system is not sensitive to abnormal traffic; conversely, normal traffic is easily considered to be abnormal. The method to obtain the threshold is not the only one. That is to say, you can obtain this threshold in various ways. Our method to correctly determine the threshold is as follows. Measure some normal traffic data and calculate the maximum $D_{m a x}$ of a sequence of D. Then, consider $C D_{m a x}$ as threshold, where $1 < C \leq 3$ in general.

5. Design and Implementation of Traffic Anomaly Detection in WSN

Based on the improved exploitation of GM(1,1) model mentioned in the last two sections, a complete anomaly detection algorithm for WSN is designed. Furthermore, we introduce another traffic anomaly determination mechanism to assist anomaly detection. That is, first detected traffic anomaly value is regarded as a reference. Then, if the traffic is still fluctuating around the reference traffic value within the relative error judging threshold in this continuous time, it is considered abnormal and we send out warning signals.

The whole improved GM(1,1)-based traffic anomaly detection algorithm for WSN is described in Figure 2.

Figure 2

Flow chart of the whole proposed algorithm.

6. Simulations and Results Analysis

In this section, a simulated and a part of real WSN traffic data consisting of humidity measurement collected during 6-hour period at intervals of 5 seconds in 2010 gathered from the University of North Carolina are used to carry out simulations. We all set sliding window to 5 steps and prediction length to 3 steps. As for the Euclidean distance D, which depends on different WSN traffic properties, we consider W as 5 and choose 0.05 on simulation for simulated WSN traffic and 2.5 for real WSN traffic. In the end, the simulation results are shown in Figures 3(c) and 4(c). We also display the results by traditional GM(1,1)-based algorithm in Figures 3(b) and 4(b) as comparison.

Figure 3

Simulation results on simulated WSN traffic.

Figure 4

Simulation results on real WSN traffic.

From the simulation results, we could clearly see that a smoother predictive curve is obtained. This reflects the “inertia” (stability) of normal traffic. Consequently, when an exception takes place, in order to better detect the occurrence of abnormal traffic, the model will not quickly adapt to the abnormality. And the delay mechanism can well contribute to the detection of anomaly and send out an alert. As shown in Figures 3 and 4, compared with traditional methods, the improved algorithm raises the correct detection rate considerably, but the incorrect detection rate remains at quite low level. Therefore, the improved GM(1,1)-based algorithm outperforms the traditional GM(1,1)-based algorithm.

To clarify the conclusion from some measures, true positive (TP), false positive (FP), true negative (TN), and false negative (FN) are defined and explained in Table 3. Actually, positive/negative means that the model predicts that the data is abnormal/normal and true/false means that the prediction is right/wrong.

Table 3

Definition of TP, FP, TN, and FN.

Predicted	Actual
Predicted	Abnormal	Normal
Abnormal	True positive (TP)	False positive (FP)
Normal	False negative (FN)	True negative (TN)

Now, we use the terms of false positive rate (FPR) and false negative rate (FNR) to measure traditional and improved GM(1,1)-based algorithm. FPR and FNR are explained in the following formulas:

\begin{matrix} FPR = \frac{FP}{FP + TN}, \\ FNR = \frac{FN}{FN + TP}, \end{matrix}

(14)

with TP being true positive, TN being true negative, FP being false positive, and FN being false negative. Here, positive/negative means that we judge that the data is abnormal/normal and true/false means that the judgment is right/wrong. In this paper, we only take simulation results on real WSN traffic as an example and the results are shown in Table 4.

Table 4

Detection capabilities of different algorithms.

Anomaly detection algorithm	FPR	FNR
Traditional GM(1,1)-based algorithm	0	87.18%
Improved GM(1,1)-based algorithm	0	20.51%

The results show that while FPR maintains 0, the improved algorithm sharply lowers the FNR, meaning reducing the undetected rate; thus, it improves the detection accuracy. Particularly note that the results shown in Table 4 were got from our implemented simulations. Different embodiments could get slightly variant consequence, but they all hold the same trend.

7. Conclusions

In this paper, we introduce the traffic anomaly detection technique in WSN and GM(1,1) model in detail. Then, through model improvements analysis and algorithm design, an improved GM(1,1)-based traffic anomaly detection algorithm for WSN is proposed. Finally, we use Matlab to simulate this algorithm and the simulation results demonstrate that this algorithm can reduce the undetected rate and improve the detection accuracy. In addition, this algorithm requires less computation and is efficient. So it is quite suitable for the real-time traffic anomaly detection of WSN in which the energy and capability in calculation of the node are limited.

Footnotes

Competing Interests

The authors declare that they have no competing interests.

Acknowledgments

This work is partly supported by the Chengdu Science and Technology Project (2014-HM01-00310-SF), the Information Technology Research Projects of Ministry of Transport of China (2014 364X14 040), and the National Natural Science Foundation of China (61104042 and 61273235).

References

Simon

Maroti

Lédeczi

Sensor network-based countersniper system

Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems (SenSys '04)

November 2004

Baltimore, Md, USA

1 12

10.1145/1031495.1031497

M.-T.

Tran

V.-S.

Nguyen

T.-D.

Huynh

H.-T.

Wireless sensor network for multi-storey building: design and implementation

Proceedings of the International Conference on Computing, Management and Telecommunications (ComManTel '13)

January 2013

Ho Chi Minh City, Vietnam

175 180

10.1109/commantel.2013.6482386

2-s2.0-84875948699

Familiar

M. S.

Martinez

J. F.

Lopez

Pervasive smart spaces and environments: a service-oriented middleware architecture for wireless Ad Hoc and sensor networks

International Journal of Distributed Sensor Networks 2012 2012 11

725190

10.1155/2012/725190

2-s2.0-84861024938

Al Ameen

Liu

Kwak

Security and privacy issues in wireless sensor networks for healthcare applications

Journal of Medical Systems 2012 36 1 93 101

10.1007/s10916-010-9449-4

2-s2.0-84860253312

Arora

Dutta

Bapat

Kulathumani

Zhang

Naik

Mittal

Cao

Demirbas

Gouda

Choi

Herman

Kulkarni

Arumugam

Nesterenko

Vora

Miyashita

A line in the sand: a wireless sensor network for target detection, classification, and tracking

Computer Networks 2004 46 5 605 634

10.1016/j.comnet.2004.06.007

2-s2.0-6444240823

Akyildiz

I. F.

Sankarasubramaniam

Cayirci

Wireless sensor networks: a survey

Computer Networks 2002 38 4 393 422

10.1016/s1389-1286(01)00302-4

2-s2.0-0037086890

Flammini

Ferrari

Marioli

Sisinni

Taroni

Wired and wireless sensor networks for industrial applications

Microelectronics Journal 2009 40 9 1322 1336

10.1016/j.mejo.2008.08.012

2-s2.0-69249216532

Saric

Z. M.

Kukolj

D. D.

Teslic

N. D.

Acoustic source localization in wireless sensor network

Circuits, Systems, and Signal Processing 2010 29 5 837 856

10.1007/s00034-010-9187-3

ZBL1196.94036

2-s2.0-78649595320

Wang

Packet traffic: a good data source for wireless sensor network modeling and anomaly detection

IEEE Journals & Magazines 2011 25 3 15 21

10.1109/mnet.2011.5772056

2-s2.0-79957614894

10.

Sun

Z.-X.

Tang

Y.-W.

Cheng

Router anomaly traffic detection based on modified-CUSUM algorithms

Journal of Software 2005 16 12 2117 2123

10.1360/jos162117

2-s2.0-33644935055

11.

Zhiyuan

Qiuzhi

Yongkun

Zhenyu

Huaming

Wavelet analysis-based real-time anomaly detection algorithm for wireless sensor network

Journal of Nanjing Normal University (Natural Science Edition) 2014 1 87 92

12.

Paschalidis

I. C.

Chen

Anomaly detection in sensor networks based on large deviations of Markov chain models

Proceedings of the 47th IEEE Conference on Decision and Control (CDC '08)

December 2008

Cancun, Mexico

IEEE

2338 2343

10.1109/cdc.2008.4738773

2-s2.0-62949134156

13.

Tian

Gao

Zhou

Wireless sensor network for community intrusion detection system based on classify support vector machine

Proceedings of the IEEE International Conference on Information and Automation (ICIA '09)

June 2009

Zhuhai, China

1217 1221

10.1109/icinfa.2009.5205102

2-s2.0-70449647131

14.

Lei

J. Z.

Ghorbani

A. A.

Improved competitive learning neural networks for network intrusion and fraud detection

Neurocomputing 2012 75 135 145

10.1016/j.neucom.2011.02.021

2-s2.0-82455199118

15.

Lee

S. M.

Kim

D. S.

Lee

J. H.

Park

J. S.

Detection of DDoS attacks using optimized traffic matrix

Computers and Mathematics with Applications 2012 63 2 501 510

10.1016/j.camwa.2011.08.020

2-s2.0-84855432757

16.

Jibin

Jiang

An improved ARIMA-based traffic anomaly detection algorithm for wireless sensor networks

International Journal of Distributed Sensor Networks 2016 2016 9

9653230

10.1155/2016/9653230

2-s2.0-84958553046

17.

Rongrong

Research on Key Technologies of Intrusion Detection for Wireless Sensor Network 2013

Beijing, China

Beijing Jiaotong University

18.

Liu

Forrest

Yang

A brief introduction to grey systems theory

Proceedings of the IEEE International Conference on Grey Systems and Intelligent Services (GSIS '11)

September 2011

Nanjing, China

IEEE

1 9

10.1109/gsis.2011.6044018

2-s2.0-80155132615

Traffic Anomaly Detection Algorithm for Wireless Sensor Networks Based on Improved Exploitation of the GM(1,1) Model

Abstract

1. Introduction

2. Related Work

2.1. Detection Based on Feature and Behavior

2.2. Detection Based on Statistics

2.3. Intelligent Detection Based on Machine Learning and Data Mining

3. Theoretical Analysis

3.1. WSN Traffic Characteristics

3.2. Causes of WSN Traffic Anomaly

3.3. Definition of GM(1,1) Model

3.4. Prediction Steps of GM(1,1) Model

Step 1 (inspection and processing on the data sequence).

Step 2 (build GM(1,1) model).

Step 3 (model checking).

Step 4 (predicting).

3.5. Advantages of GM(1,1) Model

4. Improvement of Exploitation of GM(1,1) Model

4.1. Using a Sliding Window to Determine Historical Data for Modeling

4.2. Optimizing Initial Value of One-Order Grey Differential Equation

4.3. Making Traffic Prediction by Short Step Exponential Weighted Average Method

4.4. Judging Whether the Traffic of the Next Moment Is Abnormal by Euclidean Distance

5. Design and Implementation of Traffic Anomaly Detection in WSN

6. Simulations and Results Analysis

7. Conclusions

Footnotes

Competing Interests

Acknowledgments

References