Detecting interesting events and anomalous behaviors inwireless sensor networks is an important challenge for taskssuch as monitoring applications, fault diagnosis and intru-sion detection. A key problem is to define and detect thoseanomalies with few false alarms while preserving the lim-ited energy in the sensor network. In this paper, using con-cepts from statistics, we perform an analysis of a subset ofthe data gathered from a real sensor network deployment atthe Intel Berkeley Research Laboratory (IBRL) in the USA,and provide a formal definition for anomalies in the IBRLdata. By providing a formal definition for anomalies in thispublicly available data set, we aim to provide a benchmarkfor evaluating anomaly detection techniques. We also dis-cuss some open problems in detecting anomalies in energyconstrained wireless sensor networks.
1 Introduction
Wireless sensor networks are formed using large num-bers of tiny sensor nodes which are resource constrained.These sensors have on-board processing and wireless com-munication capabilities [1]. These sensors are usually bat-tery powered, and hence, extremely energy constrained.Wireless sensor networks can be deployed for remote mon-itoring and actuation purposes.
Sensor networks deployed for monitoring purposes mayhave to detect and report unusual behavior in the networkor in the environment where they are deployed. Comparedto wired networks, inherent limitations in a sensor networkmake it more vulnerable to faults and malicious activitiessuch as denial of service attacks or flooding attacks, whichcan cause all or part of the network to be inoperative [2, 3].
These activities can cause anomalous behavior in the net-work or in the measurements it collects. Therefore it is vitalto identify anomalous behavior in the sensor network for re-liable, secure functioning and reporting events of interest tothe user.
An anomaly or outlier in the data measurements or net-work traffic is an observation that appears to be inconsis-tent with the remainder of the data set [4]. A key challengein sensor networks is to identify anomalies with high ac-curacy while consuming minimal energy in the network.In sensor networks, a majority of the energy is consumedin communication activity compared to computation activ-ity [5]. Hence, we want to minimise the communicationoverhead while performing in-network processing for theanomaly detection process. This necessitates a distributedapproach for anomaly detection, which performs detectionat the local nodes and communicates only summary infor-mation over the network to reach a global decision aboutthe anomalies. This approach is much more energy effi-cient in terms of communication overhead, as opposed to acentralised approach wherein all the node data are commu-nicated to a central node in the network for processing.
Several real wireless sensor network deployments havebeen used for testing and monitoring purposes. The GreatDuck Island Project [6] in the USA, the Intel Berkeley Re-search Laboratory (IBRL) deployment [7], farm monitoring[8] in Australia, and the proposed sensor network for theGreat Barrier Reef [9] in Australia are examples. In thisnote, we analyse a four hour period of data for fifty-fournodes, gathered in the IBRL deployment project [7, 10].We perform multivariate statistical analysis on this dataand provide a formal definition for anomalies in the dataset. In particular, we introduce the concept of an ellipti-cal anomaly, which is capable of modeling a wide varietyof normal behavior in sensor networks. To the best of our
2007 International Conference on Sensor Technologies and Applications
knowledge, this is the first time such an analysis has beenperformed for the IBRL data for anomaly detection (refer toSection 2).
Several studies of anomaly detection in sensor networkshave recently appeared in the literature. Loo et al. [11] useda data clustering approach to detect routing attacks in sensornetworks, without co-operation among the nodes. Subrama-nium et. al. [12] proposed a distributed approach for intru-sion detection based on kernel density estimators. Ngai et.al. [13] used a statistical technique for detecting sink holeattacks in sensor networks. Rajasegarar et. al. proposeda distributed cluster based approach [14], and distributedsupport vector machine based approach [15] for anomalydetection in sensor networks.
While many methods have been proposed to search foranomalous measurements in sensor networks, an impedi-ment to systematic progress in this field is the lack of a cleardefinition for what constitutes anomalous measurements. Inthis paper we provide a formal definition for anomalies ina subset of the IBRL data. By providing a formal defini-tion for anomalies on a publicly available data set, we be-lieve that this provides a valuable benchmark for evaluat-ing anomaly detection research. We conclude by discussingsome open questions in detecting anomalies in the sensornetwork environment.
The rest of the paper is organised as follows. We intro-duce the Intel Berkeley Research Laboratory (IBRL) data,and analyse and define anomalies in Section 2. We discusssome open issues and future research options in Section 3.
2 Intel Berkeley Research Laboratory Data
We consider a data set gathered from a wireless sensornetwork deployment at the Intel Berkeley Research Labora-tory (IBRL) [7, 10]. A wireless sensor network consistingof 54 Mica2Dot sensor nodes was deployed in the IBRL fora 30 day (720 hour) period between 28th Feb 2004 and 5th
April 2004 [10]. Figure 1 shows the deployed node loca-tions in the laboratory. The sensors collect five measure-ments: light in Lux, temperature in degrees celsius, humid-ity (temperature corrected relative humidity) ranging from0% to 100%, voltage in volts and network topology infor-mation in each 30 second interval. Node 0 is the gatewaynode. Other nodes transmit their data in multiple hops tothe gateway node. The furthest node in the network is about10 hops away from the gateway node. During the 30 dayperiod, the 54 nodes collected about 2.3 million readings.
For our analysis of the IBRL sensor data, we define thefollowing notation. The sampling window is four hours.Each sensor Mj in a set of sensor nodes M = {Mj :j = 1...N} measures a data vector xj
i . Each data vectoris composed of attributes (or features) xj
ik, where xji =
{xjik : k = 1...d} and xj
i ∈ �d. At the end of sam-
Figure 1. Sensor nodes in IBRL deployment.Nodes are shown in black with their corre-sponding node-IDs. Node 0 is the gatewaynode [10].
Figure 2. Scatter plot of centralised node Mc
pling, each sensor Mj has collected a set of measurementsXj = {xj
i : i = 1...nj}. Let Mc denote a hypotheticalnode with data vectors X =
⋃j=1..N Xj . We call Mc a
centralised node.In this paper we consider the IBRL data set obtained
from 54 nodes, namely node IDs from 1 to 54, during the4 hour period collected on 1th March 2004 during the timeinterval from 00:00am to 03:59am. While the lab in Fig-ure 1 has a total of 55 sensors (including the gateway node),only 52 of them provided data during the four hour timewindow examined in this paper. Nodes M5 and M15 didnot contain any data during this time window. We considertwo features, namely temperature and humidity, and we callthis data set the IBRL Data. Figure 2 shows scatter plot ofthe data vectors at centralised node Mc. We do not providescatter plots of other nodes due to space constraints.
In Figure 2, note especially that some data vectors differsignificantly from the mass of data in the center. A smallcollection of data vectors can be seen in the lower righthand corner of the graph in Figure 2. These points comefrom node M14. These vectors are good candidates to beanomalies; we call these points A14. A14 is only a smallportion of the node data X14, A14 ⊂ X14. Another col-lection of data vectors visually apparent in Figure 2 comefrom node M37. Specifically we refer to the three ”islands”
159159
17 17.5 18 18.5 19 19.5 2040
41
42
43
44
45
46
47
Temp (deg C)
Hu
mid
ity
(%)
D99%
D3σ
D94%
D2σ
(a) M14
15.4 15.6 15.8 16 16.2 16.448.5
49
49.5
50
50.5
51
Temp (deg C)
Hu
mid
ity
(%)
(b) M50
15 16 17 18 19 2040
42
44
46
48
50
52
Temp (deg C)
Hu
mid
ity
(%)
D2σ
D94%
D3σ
D99%
(c) Mc
Figure 3. Ellipses at nodes (a) M14, (b) M50 and (c) Mc
marked M37 in Figure 2. While A14 is but a small portionof M14, it appears that all of M37 are good candidates foranomalies. Thus it appears that A37 = X37.
2.1 Statistical Analysis for IBRL Data
We perform multivariate statistical analysis on this datato see whether we can detect the anomalies mentionedabove. In order to ease the notation burden, we drop thesuperscript j that denotes the data vectors at sensor nodeMj , but we keep superscript j for all other quantities associ-ated with node j. For each node we compute the following[16]:
• Sample mean vector mj = {mjk : k = 1...d}, and
mjk = 1
nj
∑nj
i=1 xik
• Sample covariance matrix Sj = {sjlk : l, k =
1...d}, trace tr(Sj) and determinant |Sj |, where sjlk =
1nj−1
∑nj
i=1(xli − ml)(xki − mk)
• Eigen decomposition [16] of the sample covariancematrix Sj = PjΛjP
Tj , where Pj is a 2×2 matrix with
column vectors as the eigenvectors, and Λj is a 2 × 2diagonal matrix with eigenvalues {λj
k : k = 1, 2} asdiagonal elements. We shall assume λj
1 ≥ λj2 > 0 for
each node pair.
• Mahalanobis distances [16] of the data vectors Dj ={Dj
i : i = 1...nj}, where (xi−mj)S−1j (xi−mj)T =
(Dji )
2 and S−1j is the inverse of the sample covariance
matrix Sj . We use Mahalanobis distance because it ac-counts for linear correlation between pairs of features,and we know that all data vectors having the same Ma-halanobis distance lie on a hyperellipsoidal surface.
If we adopt some threshold Mahalanobis distance, it definesa hyperellipsoidal boundary which encompasses some frac-tion of data vectors at a node. A chosen ellipsoid can be
uniquely represented by its center (mean vector) mj , co-variance matrix Sj and a threshold (known as the effectiveradius). We use an ellipse as it is capable of adusting tomany shapes, depending on the eigen structure of the co-variance matrix, from a spherical structure to a linear struc-ture.
Having adopted level sets of the ellipse defined by theeigenvalue-eigenvector structure of the sample covariancematrix at any node, it only remains to choose a particularlevel set (an ellipse of constant effective radius) to definethe anomalies at a node. Several definitions appeal to us.
• 94% cardinality anomalies: Consider the thresholdMahalanobis distance Dj
94% beyond which 6% of thedata vectors (i.e.,�6nj/100�) lie further away thanDj
94%. We define the 94% cardinality anomalies as
those data vectors that lie further away than Dj94%.
Similarly, the 99% cardinality anomalies are those 1%of the data vectors that lie further away than Dj
99%.
• 2σ anomalies: These are the data vectors that lie fur-ther away from the threshold Mahalanobis distanceDj
2σ = 2. Similarly 3σ anomalies are computed us-ing Dj
3σ = 3.
Henceforth, we will indicate the observations at Mj thatlie outside the ellipse (xi − mj)S−1
j (xi − mj)T = (Dj∗)2
as Aj∗, where (∗) can be 94%, 99%, 2σ or 3σ. Thus, for
example, A142σ are the 2σ elliptical anomalies at node M14.
Table 1 shows the results of statistical analysis for theIBRL data set for each node M1,M2, ...,M54 (except M5
and M15) and the centralised node Mc. Figures 3(a) and3(b) show the above defined ellipses for the data vectorsof nodes M14 and M50 respectively. For node M50, thefour ellipses are very similar, indicating observations thatare very compact. For node M14, all the ellipses exceptD14
99% separate the A14 anomalies in the figure. In otherwords, A14
94% = A142σ = A14
3σ = A14, but A1499% �= A14. This
160160
0 0.002 0.004 0.006 0.008 0.010
0.5
1
1.5
2
2.5
3
λ1j
λ 2j
M14
M37
(a) λj2 Vs λj
1
0 0.5 1 1.5 2 2.5 30
1
2
3
4
5
6x 10
−3
tr(Sj)
|Sj|
M14
M37
(b) |Sj | Vs tr(Sj)
4 5 6 7 8 9 101
1.001
1.002
1.003
1.004
1.005
1.006
1.007
log(tr(Sj)/|S
j|)
exp
(|S
j|)
M14
M37
(c) exp(|Sj |) Vs loge(tr(Sj)/|Sj |)
Figure 4. Eigenvalues (λj1, λj
2), determinant (|Sj |) and trace (tr(Sj)) of covariance matrix for eachsensor node except nodes M5,M15 and Mc
happens because M14 has only n14 = 72 points, so Aj99%
can contain only 1% ≈ 1 of the 3 points in A14. Figure3(c) shows the ellipses for the centralised node Mc, and theellipse Dc
3σ clearly separates the A14 anomalies and A37
anomalies.
Figure 5 shows the normal and anomalous data vec-tors identified for the hypothetical centralised node Mc.It has four plots for the four scenarios of anomaly detec-tion, namely (i) 94% cardinality anomalies (D94%) (ii) 2σanomalies (D2σ) (iii) 99% cardinality anomalies (D99%)(iv) 3σ anomalies (D3σ). The blue dots represent the datavectors that are identified as normal and the red stars rep-resents the identified anomalous data vectors. Ac
3σ capturesboth node (A14) and network (A37) anomalies without falsedetection.
16 18 2040
42
44
46
48
50
52
Temp (deg C)
Hum
idity
(%)
D2σ
16 18 2040
42
44
46
48
50
52
D94%
16 18 2040
42
44
46
48
50
52
D3σ
16 18 2040
42
44
46
48
50
52
D99%
Figure 5. Scatter plots for Mc using variousanomaly detection scenarios: 2σ anomalies(D2σ), 94% cardinality anomalies (D94%), 3σanomalies (D3σ) and 99% cardinality anoma-lies (D99%). Blue dots represent normal dataand red stars represents anomalous data.
2.2 Types of Anomalies in DistributedSensor Networks
So far, we have used the ellipses (xi − mj)S−1j (xi −
mj) = (Dj∗)2 to isolate sets of elliptical anomalies Aj
∗ atan individual node Mj . When we apply this strategy to Mc,however, we see two types of anomalies: A14, which areanomalous points at a node; and A37, which is an anoma-lous node in the network. This leads to the idea that dis-tributed sensor networks have different types of anoma-lies. We will call node anomalies such as A14 first orderanomalies; and network anomalies such as A37 second or-der anomalies. Figure 5 shows that Dc
∗ may identify bothfirst and second order anomalies, while we can only hopeto find first order anomalies at a single node. This is onereason to investigate the “centralised” node Mc.
Unfortunately, building Mc for second order anomalydetection requires transmission of all NN =
∑Nj=1 nj data
vectors from the nodes {Mj} to a centralised processor, andthis entails a heavy communication burden on the network.
We need an alternative to the method for second or-der detection represented in Figure 5. We are currentlyinvestigating a number of possibilities, one of whichis to use the eigenstructure at each node to representit. Figures 4(a), 4(b) and 4(c) are scatter plots, re-spectively of the pairs {(λj
1, λj2)}, {(|Sj |, tr(Sj))} and
{(exp(|Sj |), loge(tr(Sj)/|Sj |))}. Plots of this kind rep-resent each node in the network by new features, and arethus capable of revealing second order anomalies. Unfor-tunately the first order anomalies at M14 are so severe thatthey cause M14 to look like a second order anomaly in Fig-ures 4(a), 4(b) and 4(c). This begs the question: at whichpoint does the severity of a first order anomaly cause us todeclare the whole node faulty?.
Plots such as Figures 4(a), 4(b) and 4(c) are useful onlyfor second order detection, and further, do not isolate A37
161161
from the other nodes. Thus, we need different features, ora different method of using the node parameters we have,{mj , Sj , λ
j1, λ
j2}, to replace the anomalies represented by
Figure 5. Before embarking on a quest for such a represen-tation, we may ask: is A37 really a second order anomaly,or is this conclusion simply an artifact of our definitions ofelliptical anomalies?
Referring back to Figure 1, we see that M37 is closer tothe door of the kitchen than any other node in the network.We conjecture that the physical location of M37 is respon-sible for the elevation of its (Temperature, Humidity) pairswhich in turn causes it to appear as a second order anomalyin Figure 5. We expect higher humidity and temperaturearound the kitchen area, which would explain this anomaly.As for A14, these points are clearly first order anomalies atM14, and our method successfully isolates them in all butthe 99% case.
The authors of the IBRL deployment [7] observed thatnodes M11, ...,M20 have seen the lowest percentage of suc-cessful transmissions, and they believe that the corner of thelab where these nodes are located is subjected to unusual in-terference. We believe this may be the cause for the anoma-lies A14 at node M14.
3 Conclusions and Future Research
In this paper we used a real sensor network data set de-ployed at the Intel Berkeley Research Laboratory (IBRL)and analysed a four hour period of data for fifty-four nodes.We performed several types of multivariate statistical anal-ysis on this data and developed formal definitions for ellip-tical anomalies in the IBRL data.
We conclude with a short list of open questions sug-gested by this initial analysis of the IBRL data. How will theelliptical anomaly analysis hold up over time? We will di-vide the remaining 20 hours of 1st March 2004 into 4 hourwindows to study this question. Can we apply the defini-tions of elliptical anomalies to plots such as Figures 4(a),4(b) and 4(c) to identify second order anomalies? At whatpoint do first order anomalies at a node push that node to be-come a second order anomaly in the network? If we assumenormality for the observations at each node, can we substi-tute statistical theory for the method of Figure 5 to detectsecond order anomalies? If we use all d = 4 measurementsfor the IBRL nodes, will the results be the same, different,or contradictory? Our immediate plan is to attack one ormore of these open questions.
Acknowledgment
We thank the ARC Research Network on Intelligent Sen-sors, Sensor Networks and Information Processing (ISS-NIP), and DEST International Science and Linkage Grant.
This work was supported by the Australian Research Coun-cil (ARC).
References
[1] I. Akyildiz, W. Su, Y. Sankarasubramaniam, andE. Cayirci, “Wireless sensor networks: A survey,”Comp. Networks, vol. 38, no. 4, pp. 393–422, 2002.
[2] A. Perrig et al., “Security in wireless sensor net-works,” CACM, vol. 47, no. 6, pp. 53–57, 2004.
[3] N. R. Prasad and M. Alam, “Security framework forwireless sensor networks,” Wireless Personal Comm.,vol. 37, no. 3-4, 2006.
[4] V. Barnett and T. Lewis, Outliers in Statistical Data.John Wiley and Sons, 3rd ed., 1994.
[5] G. J. Pottie and W. J. Kaiser, “Wireless integrated net-work sensors,” CACM, vol. 43, no. 5, pp. 51–58, 2000.
[6] R. Szewczyk et al., “Habitat monitoring with sensornetworks,” CACM, vol. 47, no. 6, pp. 34–40, 2004.
[7] P. Buonadonna et al., “Task: sensor network in a box,”in Proc. of Second European Workshop on WirelessSensor Networks, pp. 133–144, 2005.
[8] P. Sikka et al., “Wireless ad hoc sensor and actuatornetworks on the farm,” IPSN, pp. 492– 499, 2006.
[9] S. Kininmonth et al., “Sensor networking the greatbarrier reef,” Spatial Science Qld journal, pp. 34–38,Spring 2004.
[10] 2006, “http://db.lcs.mit.edu/labdata/labdata.html,” in[online], Accessed on 07/09/2006.
[11] C. Loo et al., “Intrusion detection for routing attacksin sensor networks,” Inl. Journal of Distributed SensorNetworks, vol. 2, no. 4, pp. 313–332, Oct-Dec 2006.ISSN 1550-1329.
[12] S. Subramaniam et al., “Online outlier detection insensor data using non-parametric models,” in VLDB,pp. 187–198, VLDB Endowment, 2006.
[13] E. Ngai et al., “On the intruder detection for sinkholeattack in wireless sensor networks,” in ICC’06, 2006.
[14] S. Rajasegarar et al., “Distributed anomaly detectionin wireless sensor networks,” in ICCS’06, 2006.
[15] S. Rajasegarar et al., “Quarter sphere based distributedanomaly detection in wireless sensor networks,” inICC’07, 2007.
[16] R. A. Johnson and D. W. Wichern, Applied Multivari-ate Statistical Analysis. Printice Hall, 1982.
162162
Table 1. Statistics of the IBRL data of sensor nodes (except node M5 and M15). D2σ = 2 and D3σ = 3Node nj λj
![Page 1: [IEEE 2007 International Conference on Sensor Technologies and Applications (SENSORCOMM 2007) - Valencia, Spain (2007.10.14-2007.10.20)] 2007 International Conference on Sensor Technologies](https://reader035.documents.pub/reader035/viewer/2022080409/575097041a28abbf6bcfb509/html5/thumbnails/1.jpg)
![Page 2: [IEEE 2007 International Conference on Sensor Technologies and Applications (SENSORCOMM 2007) - Valencia, Spain (2007.10.14-2007.10.20)] 2007 International Conference on Sensor Technologies](https://reader035.documents.pub/reader035/viewer/2022080409/575097041a28abbf6bcfb509/html5/thumbnails/2.jpg)
![Page 3: [IEEE 2007 International Conference on Sensor Technologies and Applications (SENSORCOMM 2007) - Valencia, Spain (2007.10.14-2007.10.20)] 2007 International Conference on Sensor Technologies](https://reader035.documents.pub/reader035/viewer/2022080409/575097041a28abbf6bcfb509/html5/thumbnails/3.jpg)
![Page 4: [IEEE 2007 International Conference on Sensor Technologies and Applications (SENSORCOMM 2007) - Valencia, Spain (2007.10.14-2007.10.20)] 2007 International Conference on Sensor Technologies](https://reader035.documents.pub/reader035/viewer/2022080409/575097041a28abbf6bcfb509/html5/thumbnails/4.jpg)
![Page 5: [IEEE 2007 International Conference on Sensor Technologies and Applications (SENSORCOMM 2007) - Valencia, Spain (2007.10.14-2007.10.20)] 2007 International Conference on Sensor Technologies](https://reader035.documents.pub/reader035/viewer/2022080409/575097041a28abbf6bcfb509/html5/thumbnails/5.jpg)
![Page 6: [IEEE 2007 International Conference on Sensor Technologies and Applications (SENSORCOMM 2007) - Valencia, Spain (2007.10.14-2007.10.20)] 2007 International Conference on Sensor Technologies](https://reader035.documents.pub/reader035/viewer/2022080409/575097041a28abbf6bcfb509/html5/thumbnails/6.jpg)
