Over the course of operation, sensor network deployments usually exhibit numerous types of anomalies that can result in missing, erroneous, malicious, or rather meaningful data points indicating an important event. Sensor data points can go missing due to network performance degradation as a result of a failing node, a network failure, or a malicious network behavior. Erroneous points are faulty measurements potentially generated by malfunctioning sensors. Malicious data points are usually injected into the network, replayed, or altered by an adversary. Finally, events manifest themselves as abnormal data points reported by sensor nodes expectedly. The significance of such anomalies calls for detection mechanisms that can identify an abnormal behavior in a sensor network deployment. In this chapter, the authors systematically analyze the different types of anomalies prevalent in a sensor network, construct a taxonomy of such anomalies, and discuss potential detection mechanisms necessary to reveal the root causes behind each anomaly.
TopIntroduction
In the past few years, sensing data generated by various sensor devices have helped researchers and data scientists draw better conclusions about targeted environments. However, sometimes a sensor network deployed in an environment may fail to report a large number of its sensor readings, defeating the purpose of the deployment in the first place. Sensor networks may also generate inconsistent1 data, affecting the quality of decision making as a consequence. This necessitates running an anomaly detection algorithm to identify inconsistencies and possibly filter them to improve quality. In sensor network deployments which aim at detecting events of interest (Liu et al., 2011b; Ingelrest et al., 2010), sensor nodes may choose to report an observation only if it deviates from the normal behavior. Therefore, an event can also be perceived by an anomaly detection mechanism running at every node in the network. Sensor networks are also susceptible to malicious threats if deployed in a hostile environment. A malicious threat can vary from a simple passive eavesdropping attack to a total compromise of a sensor node. Sensor nodes, once compromised, can inject falsified readings into the network. Any malicious data behavior as a result from a security threat can degrade the trustworthiness, integrity, and/or accuracy of the sensor data. In addition, compromised nodes can launch smart attacks such as Denial of Service (DoS) attacks which may eventually hinder the performance and lifetime of the deployed sensor network.
This chapter provides a comprehensive taxonomy of the different types of anomalies prevalent in sensor network deployments and discusses their root causes. The chapter also surveys potential anomaly detection mechanisms that may help identify a single anomaly. Figure 1 illustrates three major types of anomalies that can exist in a sensor network deployment; (i) a natural fault; (ii) a malicious behavior; and (iii) an event. We discuss each category independently, pinpointing the possible root causes and the potential tools or mechanisms necessary to detect (and possibly recover from) all or a subset of these anomalies.
Figure 1.
Types of anomalies in sensor network deployments and their corresponding detection mechanisms
The chapter is organized as follows. Natural faults, malicious behaviors, and events are discussed in the next three sections. Having emphasized the demand for anomaly detection mechanisms in real-world applications and deployments of sensor networks, we then summarize the challenges of designing an anomaly detection algorithm for sensor networks. Finally, we discus related work and conclude at the end of the chapter.
TopNatural Faults
Natural faults are of high occurrence and are considered major anomalies that need to be addressed in almost every sensor network deployment. They can roughly be divided into: (a) network failures; (b) node failures; and (c) sensor data faults (i.e., measurement faults). Network and node failures highly impact the network performance and lifetime and are usually diagnosed either at the base station by specialized tools such as Sympathy (Ramanathan et al., 2005) and AD (Agnostic Diagnosis) (Miao et al., 2011) or in a decentralized manner by on-line self-diagnosis tools like the recently proposed TinyD2 (Liu et al., 2011a). These tools usually attempt to identify the root cause of the failure and resolve the issue immediately either via an automated action or by human intervention (e.g., changing node location or replacing a dead battery). A comparative survey of diagnosis and debugging tools for wireless sensor networks was compiled in (Rodrigues et al., 2012). Visualization tools (Jurdak et al., 2011a; Shi et al., 2011) can also be helpful in detecting network and node failures. Sensor data faults, on the other hand, degrade the quality of the overall collected dataset, resulting in imprecise conclusions or maybe meaningless inferences.