[IEEE IEE Mobility Conference 2005. The Second International Conference on Mobile Technology,...
Multiple Tracking Based Anomaly Detection of Mobile Nodes

Shun-Zheng Yu, Sun Yat-Sen University, Guangzhou 510275, China

Abstract- Location or mobility information of nodes, GPS information, load, link change rate, routing information, etc., have been used for security purposes in wireless networks, such as intrusion detection in ad hoc networks. However, existing intrusion detection approaches usually focus on one of these aspects of a node to detect statistical anomalies or malicious signatures. In this paper, a new model is introduced to characterize multiple aspects of legitimate nodes in a general state-space, which is represented by a hidden semi-Markov process and is used to detect the anomaly of a malicious node. Based on this model, authorized nodes which are GPS-enabled track the aggregate behavior of the unauthorized nodes and distinguish suspects from them. If there exists a suspect, then RSS (received signal strength), claimed GPS positions, media access control information, routing information, exchanged messages, and other significant aspects regarding the suspect are tracked and the likelihood of the observations against the hidden semi-Markov model (HSMM) is calculated. This likelihood represents how abnormal the suspect is against the normal behavior of the legitimate nodes, and, therefore, the suspect should be blocked by the network if the likelihood is lower than a threshold.

I. INTRODUCTION

Location or mobility information of nodes has been used for security purposes in wireless networks, such as intrusion detection in ad hoc networks. However, large ambiguity usually exists in the existing positioning techniques performed by the network, because the accuracy of a positioning method based on RSS (received signal strength) could be tens to hundreds of meters. This may result in false alarms in applications associated with those security approaches. Though GPS can provide higher accuracy of positioning, and GPS information has been used directly in the encryption and decryption processes [1] for security services, the encryption device and GPS receiver may not make the GPS location information tamper proof. This makes it possible that malicious nodes would not identify their true position to the network [2]. In some other intrusion detection approaches the misbehaving nodes are identified by having limits on the information that should be given out by a node in a given period of time. If a node violates this limit, then such a node is characterized as a malicious node [3]. The ability of various routing protocols is investigated in [4] to facilitate signature based intrusion detection. The link change rate is used and a Markov chain based anomaly detection algorithm is [...] in [ ] to select normal profiles adaptively.

Therefore, the existing intrusion detection approaches usually focus on individual behaviors of the nodes to detect statistical anomalies or malicious signatures. Few of them simultaneously track multiple aspects of the nodes and exploit the relationship among the traces.

In this paper, a new tracking model is introduced that characterizes node behavior in a general state-space using a semi-Markov process representation [6][7]. We assume that there are a number of authorized nodes that are GPS-enabled and a number of unauthorized nodes that are going to be tracked. All the authorized nodes observe the unauthorized nodes' behavior by various available means, such as RSS, claimed GPS positions, media access control information, routing information, exchanged messages, etc. We assume that the multiple observation sequences are governed by a common hidden semi-Markov process, where a hidden semi-Markov state represents a general mobile state of a node including position, moving speed, moving direction, access to the network, handoff, change of route, usage of wireless resources, and any other set of factors. The dwell time of a state is further assumed to be generally distributed.

Then, the authorized nodes can exploit the relationship among the multiple observations and estimate the state of the unauthorized nodes based on the hidden semi-Markov model (HSMM). The model parameters can be estimated by training and updated adaptively [...]. Therefore, this model will characterize the normal behavior of the legitimate nodes. For the illegitimate nodes, the likelihood of the observations for the given model will be much lower. This implies that the nodes may pose a malicious threat. Those nodes, therefore, should be blocked by the system. A tamper proof, a resource allocation, and an admission control/blocking scheme for security purposes can be similarly performed based on the likelihood of the multiple observations.

The multiple tracking and anomaly detection algorithm can be implemented in real-time using a computationally efficient parameter estimation algorithm that has been proposed recently in [7]. Besides, the authorized nodes do not have to exchange tracking information frequently. They inform each other and start an intrusion mitigation action only when a threat has been detected. In contrast to the existing intrusion detection approaches, which usually focus on individual behaviors of the unauthorized nodes, the correlation among the multiple observation sequences is used for anomaly detection in this paper. The approach will be robust against the effect of individual factors such as large ambiguity in positioning by RSS, instant violation of flow rate over a given limit, or tampering with the GPS location information.

This work was supported in part by National Natural Science Foundation of China under grant no. 90304011 and Guangdong Natural Science Foundation under grant no. 04009747. S.-Z. Yu is with Department of Electrical and Communication Engineering, Sun Yat-Sen University, Guangzhou 510275, P.R. China, Email: syu@sysu.edu.cn.

II. MULTIPLE TRACKING SCHEME

In this paper, a new tracking model is introduced that characterizes the behavior of legitimate nodes in a general state-space using a semi-Markov process representation [6][7]. The wireless network we refer to in this paper can be an infrastructure-based wireless network or an ad hoc network, but for simplicity in discussion, we implicitly assume that it is an ad hoc network.

We assume that there are a number of authorized nodes that are GPS-enabled, which can be mobile nodes or fixed base stations. In other words, we always know the exact locations of the authorized nodes. These locations are used as the references in positioning unauthorized nodes. The authorized nodes exchange necessary intrusion detection and mitigation information in a secure protocol.

There are a number of unauthorized nodes that are going to be tracked. Most of the unauthorized nodes are assumed to be legitimate nodes. The legitimate nodes may join or depart the wireless network randomly. In most cases, each active legitimate node behaves normally in the sense that it moves at a reasonable speed and in right directions, functions according to the MAC and routing protocols, and communicates with other nodes at a limited rate of information. Obviously, the movement, the functionality, the communication and any other observable behavior of the unauthorized nodes have strong correlations. For instance, the movement of a node may cause the MAC actions, the route changes, and some location-aware information exchanges. Therefore, for the legitimate nodes, all those observable behaviors can be characterized by a compact model, and the model can then be used in the statistical anomaly detection. This model is going to be discussed in the following sections.

We assume there may be only a few unauthorized nodes that may be malicious to the network. The intrusion of the malicious nodes into the network could be achieved through the holes of the network. For instance, the malicious nodes can issue a higher strength of signal to interfere with other nodes, move fast to cause frequent MAC and route changes, misuse the MAC and routing protocol to mislead the network, or send a lot of requests to congest/exhaust the wireless resources/bandwidth or server capacities. However, all those malicious actions will have statistical evidence that is very different from that of the legitimate nodes. Therefore, it is possible to apply the compact model that characterizes the legitimate behaviors in detecting the abnormal behaviors of a malicious node.

All the authorized nodes have the responsibility to monitor the unauthorized nodes. They keep observing the unauthorized nodes' behavior by various available means, such as RSS, claimed GPS positions, media access control information, routing information, exchanged messages, etc. The observations are made in two modes: aggregate tracking mode and individual tracking mode. By default, each authorized node performs in the aggregate tracking mode. In this mode, each authorized node collects multiple series of observations from all observable quantities of all unauthorized nodes, without the need to distinguish the observed nodes. The observations can be RSS from the neighboring nodes, RTS (request to send)/CTS (clear to send) at the MAC layer, exchanged routing information, and request/response packets. Based on those multiple observation series, each authorized node independently performs the statistical anomaly detection algorithm to detect probably existing intrusions, without exchange of the detection information and cooperation among the authorized nodes. Once an authorized node finds abnormal evidence that indicates a malicious threat, it issues an alarm to trigger all authorized nodes into the individual tracking mode.

In the individual tracking mode, the authorized nodes must find the suspects first. The suspects should be the common neighbors of the authorized nodes that just issued the alarms. Therefore, when an authorized node issues an alarm, it also sends out a list of its neighbors' IDs. Based on the lists from multiple authorized nodes, all authorized nodes can determine which unauthorized nodes are common neighbors to two or more authorized nodes that just issued the alarms. This mechanism also implies that if only one alarm is issued by a node, the individual tracking mode may not start because the authorized nodes cannot find the suspects. After having determined the suspects, all authorized nodes start tracking every suspect. The RSS, claimed GPS, arrival time of RTS/CTS, routing information, and arrival rate of request/response packets that are issued by each of the suspects are collected by every authorized node that is neighboring to the suspect or is able to acquire those samples. The collected samples are then reported to an elected tracking center/server, i.e., an elected authorized node, which is responsible for judging which is the malicious node(s) and making the decision of intrusion mitigation. We note that electing a tracking center/server is not necessary for the scheme to be implemented. The collected samples can be distributed to all authorized nodes and each of them can perform intrusion detection independently.

In both the aggregate and individual tracking modes, the tracking algorithms are based on the HSMM. These models are built based on the observations on a large number of legitimate nodes, which are going to be discussed in the following sections.

For the illegitimate nodes, the likelihood of the observations fitted to the given models may be much lower than for the legitimate nodes. This means that the illegitimate nodes may have a very different behavior from the normal and hence may be malicious to the network. For security purposes, those nodes should be blocked by the system.

III. MODEL FOR THE AGGREGATE TRACKING MODE

In the aggregate tracking mode, each authorized node concerns itself only with the aggregate behavior of the unauthorized nodes. Samples of received signal strengths from all the unauthorized nodes form a time series because each time the authorized node can receive only one valid signal from one of the unauthorized nodes. Similarly, RTS/CTSs arriving at the authorized node also form a time series. The number of packets arriving per second forms another series. Therefore, multiple series can be obtained by observing the aggregate behavior of the unauthorized nodes. To synchronize the multiple observation series, RSS is sampled at a regular time interval, say one second. The arrival process of RTS/CTSs is counted by the number of arrivals per second, instead of the inter-arrival time. Therefore, at each time, the authorized node has a 3-tuple observation on the aggregate behavior

$o_t = (RSS_t, RTS_t, packets_t)$ (1)

where $RSS_t$ is the sample of the received signal strength from an unauthorized node at time $t$, $RTS_t$ the number of RTS/CTSs received in the $t$th second, and $packets_t$ the number of packets arriving in the $t$th second.

In the normal cases, the process $\{o_t\}$ represents the aggregate behavior of the legitimate nodes that can be observed by an authorized node. The aggregate behavior is determined by various factors of the legitimate nodes and the authorized node, such as their relative positions and movements, activities, wireless environment, etc. We define all those underlying factors as the state of the network. For each given state, we may have a different vector, $o_t$, of observations because there exist some undetermined factors and randomness that influence the acquired samples. Therefore, we assume the process $\{o_t\}$ is a hidden semi-Markov process, which can be defined as follows:

We denote $S$ as the set of possible states for the aggregate behavior of the legitimate nodes. We enumerate the distinct possible states in $S$ and label them as $1, \ldots, M$. The $M$-state Markov chain has a transition probability matrix $A = [a_{mn}]_{M \times M}$, where $a_{mn}$ is the probability of transition from state $m$ to state $n$, and $m, n = 1, \ldots, M$. We assume that the dwell time of a given state is a random variable taking values from the set $\{1, \ldots, D\}$, with a general probability distribution $p_m(d)$ and the corresponding matrix $P = [p_m(d) : m \in S, d = 1, \ldots, D]$. We denote the observation probabilities as $b_m(o_t)$, which is the conditional probability that at time $t$ the observation is $o_t$ given the state being $m$. For simplicity, we assume that this probability is time-invariant. Denote $B$ as the set of all those observation probabilities. Therefore, the model is characterized by $A$, $P$, $B$ and the initial state probability vector $\pi$, i.e., the following 4-tuple $\lambda = (A, B, P, \pi)$ specifies the discrete hidden semi-Markov model.

Our main objective is to apply the model in anomaly detection. Therefore, we first build the model for the normal behavior of the legitimate nodes. That is, the model parameters $\lambda = (A, B, P, \pi)$ are trained based on the process $\{o_t\}$ that is collected in a typical situation when there exist no illegitimate nodes. The parameter estimation algorithms for the HSMM from observation sequences have been provided in [6], [7] and [8].

We use $s_t$ to denote the state of the legitimate nodes at time $t$, $s_t \in S$, and $o_1^t$ the observation sequence from time 1 to $t$. Then the main steps in our training algorithm are summarized as follows:

1. Apply the HSMM re-estimation algorithm described in [7] and [8] to obtain the initial estimates $\lambda = (A, B, P, \pi)$ of the model parameters based on observations on the aggregate behavior of the legitimate nodes.
2. Refine the estimates $\lambda = (A, B, P, \pi)$ by applying the HSMM re-estimation algorithm described in [7] and [8] to the newly acquired observation sequences if there are no illegitimate nodes present.

After having obtained the model that represents the normal behavior of the legitimate nodes, we apply the model in detecting the abnormal behavior that may pose a malicious threat. Specifically, the anomaly detection algorithm is to calculate the likelihood of the observation sequence collected by observing the aggregate behavior of the unauthorized nodes against the HSMM. If the likelihood is lower than a threshold, there may exist a few malicious nodes among the unauthorized nodes. The anomaly detection algorithm will be discussed in the following sections. Once an anomaly has been detected, the authorized node issues an alarm to all other authorized nodes to trigger them into the individual tracking mode.

IV. MODEL FOR THE INDIVIDUAL TRACKING MODE

In the individual tracking mode, all authorized nodes report their observations on the suspects to the tracking center. The tracking center has to process the collected samples. Obviously, RSS is determined by the distance between the source of the signal and the receiver if the emission power is given and the wireless channel is stable. Therefore, RSS can be considered as a deterministic function of the positions of the source and the receiver. The influence of the emission power and the wireless channel can be treated as interference/noise to the received signal strength. Therefore, we denote the observation vector on RSS at time $t$ by $o_t^{rss}$, which is given by

$o_t^{rss} = [rss_t^{(1)}, rss_t^{(2)}, \ldots, rss_t^{(N)}]$ (2)

where $rss_t^{(i)}$ is the signal strength of the suspect received by authorized node $i$ at time $t$, and $o_t^{rss}$ is assumed to be a function of the suspect's position and authorized node $i$, plus noise. Then, $o_1^{rss}, o_2^{rss}, \ldots, o_T^{rss}$ is the observation sequence on RSS.

Similarly, the observation on RTS/CTS can be defined by

$o_t^{rts} = [rts_t^{(1)}, rts_t^{(2)}, \ldots, rts_t^{(N)}]$ (3)

where $rts_t^{(i)}$ is the number of RTS and CTS that authorized node $i$ receives from the suspect in the $t$th time interval. As for the routing information, the tracking center can extract the routing table items about the number of hops to or from the suspect. This results in the following observation:

$o_t^{hop} = [hops_t^{(1)}, hops_t^{(2)}, \ldots, hops_t^{(N)}]$ (4)

where $hops_t^{(i)}$ is the number of hops of the route from authorized node $i$ to the suspect or vice versa. If the routes to and from the suspect are different, then two observations must be defined. Finally, the observation on the packets originated from or destined to the suspect can be defined by

$o_t^{packet} = [packets_t^{(1)}, packets_t^{(2)}, \ldots, packets_t^{(N)}]$ (5)

In a similar way, we can observe the suspect on many more aspects of interest, such as its access to the network, handoff, change of route, and usage of wireless resources.

Obviously, the sequences $\{o_t^{rss}\}$, $\{o_t^{rts}\}$, $\{o_t^{hop}\}$, and $\{o_t^{packet}\}$ have a strong relationship for a legitimate node, and are implicitly determined by the relative position of the node to the authorized nodes. We define

$o_t = (o_t^{rss}, o_t^{rts}, o_t^{hop}, o_t^{packet})^{\mathsf{T}}$ (6)

Therefore, we assume that the observation sequence $o_1, o_2, \ldots, o_T$ is governed by a hidden semi-Markov process, where a hidden semi-Markov state represents a mobile state of a legitimate node relative to the authorized nodes, including its position, moving speed, and moving direction.

Similar to the aggregate tracking model, we denote $S$ as the set of possible states for a legitimate node. The dynamic motion of a legitimate node, as defined by its time-varying attribute values, can then be described by its trajectory in this space. We label the distinct possible states as $1, \ldots, M$. We assume that the mobility of a legitimate node is governed by an $M$-state Markov chain with transition probability matrix $A = [a_{mn}]_{M \times M}$. We note, however, that transitions among the states are limited due to the geographical constraint and we may assume that from a given state transitions can occur to on the order of ten neighboring states. For example, a legitimate node may be stopping, walking, or driving in up to 8 directions in an area. This can be described by 17 discrete states given a distribution of the authorized nodes in that area. A direct movement (i.e., a direct state transition) of a legitimate node can take place only to one of the neighboring states that are available according to the geographical limitation.

However, in this paper, we do not have to explicitly define the mobile state of a legitimate node associated with its location, speed and direction. The state is assumed unobservable directly to the authorized node (so it is called "hidden state"). Since the number of transitions from a state is limited, prediction and estimation procedures can be made computationally efficient. We also note that for an ad hoc network (or a cell of an infrastructure-based wireless network) there is a limited number of nodes registered to it at any given time. If this number is too large, system scalability can also be achieved by distributing the tracking task to multiple elected tracking centers/servers, each of which covers an area.

Similar to the aggregate tracking model, the dwell time of a legitimate node in a given state is assumed to be distributed according to a probability $p_m(d)$, where $P = [p_m(d)]_{M \times D}$. Also, the observation probability $b_m(o_t)$ is the conditional probability that at time $t$ the observation takes $o_t$ given the state being $m$. Then, the model parameters $\lambda = \{A, B, P, \pi\}$ are trained based on the processes $\{o_t\}$ that are collected from a large number of legitimate nodes.

Obviously, the number of authorized nodes determines the dimension of $o_t$. When the dimension is large, $b_m(o_t)$ becomes too complex to be of practical use. Considering the strong relationships between $o_t^{rss}$ and $o_t^{rts}$, and between $o_t^{hop}$ and $o_t^{packet}$, we can reduce the dimension by exploiting those relationships. That is, we define

$\rho_t = \dfrac{\sum_{i=1}^{N} rss_t^{(i)}\, rts_t^{(i)}}{\sqrt{\sum_{i=1}^{N} (rss_t^{(i)})^2 \;\sum_{i=1}^{N} (rts_t^{(i)})^2}}$ (7)

$\eta_t = \dfrac{\sum_{i=1}^{N} \big(hops_t^{(i)}\, packets_t^{(i)}\big)\, hops_t^{(i)}}{\sum_{i=1}^{N} (hops_t^{(i)})^2}$ (8)

$\varepsilon_t = \dfrac{1}{N} \sum_{i=1}^{N} \big(hops_t^{(i)}\, packets_t^{(i)} - \eta_t\, hops_t^{(i)}\big)^2$ (9)

where the points $(hops_t^{(i)},\, hops_t^{(i)}\, packets_t^{(i)})$, for $i = 1, \ldots, N$, are expected to lie on a straight line when the packets sent by a legitimate node follow a route to a destination, $\eta_t$ is the estimated slope of the straight line, and $\varepsilon_t$ is the fitting error. Then we can define a new observation vector:

$o'_t = (\rho_t, \eta_t, \varepsilon_t)$ (10)
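The dimension reduction of eqs. (7)-(10), as an added example in Python (not code from the paper): one authorized-node report per quantity, a legitimate case where RTS/CTS counts follow the radio footprint and packets follow one route, and a suspect case where they do not. The node samples are constructed and the RSS values are on a linear scale, both assumptions of this example.

```python
import math
from typing import Sequence, Tuple


def reduce_observation(rss: Sequence[float], rts: Sequence[float],
                       hops: Sequence[float], packets: Sequence[float]) -> Tuple[float, float, float]:
    """Compute o'_t = (rho_t, eta_t, eps_t) of eqs. (7)-(10) for one time step.

    rss[i], rts[i], hops[i], packets[i] are the samples reported by authorized
    node i (i = 1..N) about the same suspect in the same time interval.
    """
    n = len(rss)
    if n == 0 or not (n == len(rts) == len(hops) == len(packets)):
        raise ValueError("all N authorized nodes must report all four quantities")

    # eq. (7): normalized correlation between the RSS and RTS/CTS vectors; close to 1
    # when the nodes that hear the suspect loudly are also the ones seeing its RTS/CTS.
    num = sum(r * c for r, c in zip(rss, rts))
    den = math.sqrt(sum(r * r for r in rss) * sum(c * c for c in rts))
    rho = num / den if den > 0.0 else 0.0

    # eqs. (8)-(9): least-squares line through the origin for the points
    # (hops_i, hops_i * packets_i); eta is its slope, eps the mean squared residual.
    x = list(hops)
    y = [h * p for h, p in zip(hops, packets)]
    sxx = sum(xi * xi for xi in x)
    eta = sum(xi * yi for xi, yi in zip(x, y)) / sxx if sxx > 0.0 else 0.0
    eps = sum((yi - eta * xi) ** 2 for xi, yi in zip(x, y)) / n
    return rho, eta, eps


# Constructed samples from N = 4 authorized nodes (linear-scale RSS, arbitrary units).
RSS = [8.0, 4.0, 2.0, 1.0]
HOPS = [1, 2, 3, 4]

# A legitimate node: RTS/CTS counts fall off with distance like RSS, and the same
# packet count is seen along the whole route (points (hops, hops*packets) collinear).
LEGIT = dict(rss=RSS, rts=[8, 4, 2, 1], hops=HOPS, packets=[5, 5, 5, 5])

# A suspect whose RTS/CTS and packet counts do not fit its radio footprint.
SUSPECT = dict(rss=RSS, rts=[1, 2, 4, 8], hops=HOPS, packets=[20, 3, 1, 0])

if __name__ == "__main__":
    for name, obs in (("legitimate", LEGIT), ("suspect", SUSPECT)):
        rho, eta, eps = reduce_observation(**obs)
        print(f"{name:10s} rho={rho:.3f} eta={eta:.3f} eps={eps:.3f}")
```

The reduced 3-vector, rather than the 4N raw samples, is what $b_m(o'_t)$ is trained on, so an HSMM for the individual tracking mode keeps the same observation dimension whatever the number of authorized nodes.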

After having obtained the model that represents the normal behavior of a legitimate node, we can implement the anomaly detection algorithm, i.e., calculate the likelihood of the observation sequence on the behavior of the suspect against the HSMM. If the likelihood is lower than a threshold, the suspect may pose a malicious threat to the network. It should be blocked by the system.

V. ANOMALY DETECTION ALGORITHM

The anomaly detection algorithm is to calculate the likelihood of the observation sequence against the trained HSMM. In both the aggregate tracking mode and the individual tracking mode, the anomaly detection algorithms are the same. They differ in the trained models and observation sequences. Therefore, in the following discussion, we will not distinguish the notations of the variables, i.e., we will use $o_t$ and $\lambda$ for both modes.

We denote:

$\alpha_t(m, d) = \Pr\{s_t = m, \tau_t = d \mid o_1^t, \lambda\},$ (11)

where $\tau_t$ is the extra time that the current state will last, and $\Pr\{s_t = m, \tau_t = d \mid o_1^t, \lambda\}$ is the probability that the state at $t$ is $m$ for some time given the observation sequences and the model $\lambda$. Let

$\alpha^*_t(m, d) = \Pr\{s_t = m, \tau_t = d, o_1^t \mid \lambda\},$ (12)

then we have

$\alpha_t(m, d) = \dfrac{\alpha^*_t(m, d)}{\Pr\{o_1^t \mid \lambda\}} = \dfrac{\alpha^*_t(m, d)}{\sum_{m, d} \alpha^*_t(m, d)}$ (13)

Now we apply the HSMM forward algorithm [7][8] to calculate the likelihood $\Pr\{o_1^t \mid \lambda\}$. If this likelihood is much lower than a given threshold, an abnormal behavior is assumed to have been detected. The iterative estimation algorithm consists of the following steps:

(i) The initial state is taken according to the probabilities $\pi$:

$\alpha^*_0(m, d) = \pi_m\, p_m(d), \quad m \in S,\ d \ge 1$ (14)

(ii) At time $t$, we have the previous iteration results $\alpha^*_{t-1}(m, d)$, for $m \in S$, $d \ge 1$, and the current observation $o_t$. Then we compute a new iteration $\alpha^*_t(m', d')$ by:

$\alpha^*_t(m', d') = \sum_{m \in S,\, d \ge 1} \Pr\{s_t = m', \tau_t = d', o_t \mid s_{t-1} = m, \tau_{t-1} = d, \lambda\}\, \alpha^*_{t-1}(m, d)$
$\qquad\quad = b_{m'}(o_t)\Big[\alpha^*_{t-1}(m', d'+1) + \sum_{m \in S,\, m \ne m'} \alpha^*_{t-1}(m, 1)\, a_{mm'}\, p_{m'}(d')\Big]$ (15)

where $m'$ is the state to which a transition can be made from any state $m \in S$.

(iii) Our purpose is to calculate the likelihood of the observation sequence by

$\Pr\{o_1^t \mid \lambda\} = \sum_{m, d} \alpha^*_t(m, d).$ (16)

For the illegitimate nodes, the likelihood of the observations against the given model may be much lower. This implies that there may exist a malicious threat. An appropriate action to mitigate the malicious threat has to be taken by the network. Similarly, the likelihood can be used in tamper proof, resource allocation, and admission control/blocking schemes for security purposes.

The anomaly detection algorithm can be implemented in real-time. The current observations are used only once in the forward recursion algorithm and are not required to be stored. Only a small amount of data that records the current recursive results will be stored, which will be used for the next recursive step when the observations at the next instant are obtained.

VI. CONCLUSIONS

A new hidden semi-Markov model (HSMM) is introduced for anomaly detection in a wireless network. The model is used to characterize the normal behavior of the legitimate nodes, and the likelihood of the observations fitting the model is used to detect the anomalous behavior of malicious nodes. The anomaly detection is divided into two modes to reduce the overhead in implementing the anomaly detection algorithms. In the aggregate tracking mode, the authorized nodes concern themselves only with the aggregate behavior of the unauthorized nodes, while in the individual tracking mode, only a few suspects are tracked. The tracked behavior includes various significant aspects, such as the received signal strength, claimed GPS positions, media access control information, routing information, and exchanged messages, etc. Once an anomaly is detected, appropriate actions for mitigating the threat are started by the network. Further simulation and experiment based on data collected from a real wireless network should be made to validate the anomaly detection approach.

REFERENCES

[1] Dorothy E. Denning and Peter F. MacDoran, "Location-Based Authentication: Grounding Cyberspace for Better Security," Internet besieged: countering cyberspace scofflaws, ACM Press/Addison-Wesley Publishing Co., pp. 167-174, 1997.
[2] Robert A. Malaney, "A Location Enabled Wireless Security System," Globecom 2004, pp. 2196-2200.
[3] S. Marti, T. J. Giuli, K. Lai and M. Baker, "Mitigating Routing Misbehavior in Mobile Ad Hoc Networks," Mobicom 2000.
[4] F. Anjum, D. Subhadrabandhu and S. Sarkar, "Signature based Intrusion Detection for Wireless Ad-Hoc Networks: A Comparative study of various routing protocols," in IEEE 58th Vehicular Technology Conference (VTC 2003-Fall), Oct. 2003, vol. 3, IEEE Press, pp. 2152-2156.
[5] Bo Sun, Kui Wu, Udo W. Pooch, "Towards Adaptive Intrusion Detection in Mobile Ad Hoc Networks," IEEE Globecom 2004, pp. 3551-3555.
[6] L. R. Rabiner, "A tutorial on hidden Markov models and selected application in speech recognition," Proceedings of the IEEE, vol. 77, no. 2, pp. 257-286, Feb. 1989.
[7] S.-Z. Yu and H. Kobayashi, "An Efficient Forward-Backward Algorithm for an Explicit Duration Hidden Markov Model," IEEE Signal Processing Letters, vol. 10, no. 1, pp. 11-14, Jan. 2003.
[8] S.-Z. Yu and H. Kobayashi, "A Hidden Semi-Markov Model with Missing Data and Multiple Observation Sequences for Mobility Tracking," Signal Processing, vol. 83, no. 2, pp. 235-250, Feb. 2003.
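The forward recursion of Section V (eqs. (14)-(16)) run over the aggregate-mode 3-tuples of eq. (1), as an added example in Python that is not code from the paper. The model parameters, the quantization cut-offs that map a 3-tuple to a symbol, the two observation series and the per-observation threshold are all constructed for this example; the rescaling of each step follows eq. (13) so that only the current table is kept, which is what lets the detector run in real time.

```python
import math
from typing import Sequence, Tuple


def quantize(rss: float, rts: int, packets: int) -> int:
    """Map one aggregate observation (RSS_t, RTS_t, packets_t) of eq. (1) to symbol
    0 (quiet), 1 (busy) or 2 (burst). The cut-offs are placeholders, not paper values."""
    if rts > 20 or packets > 200:
        return 2
    if rts > 5 or packets > 50:
        return 1
    return 0


class DurationHsmm:
    """Discrete HSMM lambda = (A, B, P, pi) with explicit state dwell times.

    A[m][n]   : transition probability m -> n; A[m][m] must be 0, since a dwell
                period ends only with a change of state and its length comes from P
    B[m][k]   : b_m(o_t) for symbol k
    P[m][d-1] : dwell-time probability p_m(d), d = 1..D
    pi[m]     : initial state probability
    """

    def __init__(self, A, B, P, pi):
        self.A, self.B, self.P, self.pi = A, B, P, pi
        self.M, self.D = len(pi), len(P[0])
        for m in range(self.M):
            if A[m][m] != 0.0:
                raise ValueError("self-transitions must be 0 in an explicit-duration model")
            for row, name in ((A[m], "A"), (B[m], "B"), (P[m], "P")):
                if abs(sum(row) - 1.0) > 1e-9:
                    raise ValueError(f"row {m} of {name} does not sum to 1")

    @staticmethod
    def _normalize(alpha):
        total = sum(sum(row) for row in alpha)
        if total <= 0.0:
            return alpha, 0.0
        return [[v / total for v in row] for row in alpha], total

    def log_likelihood(self, obs: Sequence[int]) -> float:
        """log Pr{o_1^T | lambda} by the forward recursion of eqs. (14)-(16).

        alpha[m][d-1] holds alpha*_t(m, d), d being the remaining dwell time tau_t.
        The table is rescaled after every step (eq. (13)) to avoid underflow; the
        discarded scale factors are exactly the per-step likelihoods, summed in logp.
        """
        # eq. (14): alpha*_0(m, d) = pi_m p_m(d)
        alpha = [[self.pi[m] * self.P[m][d] for d in range(self.D)] for m in range(self.M)]
        alpha, _ = self._normalize(alpha)
        logp = 0.0
        for o in obs:
            new = [[0.0] * self.D for _ in range(self.M)]
            for mp in range(self.M):
                b = self.B[mp][o]
                # mass leaving every other state m now (its remaining time was 1)
                entering = sum(alpha[m][0] * self.A[m][mp] for m in range(self.M) if m != mp)
                for dp in range(self.D):
                    # eq. (15): stay in m' with one step less to go, or enter m' with a
                    # fresh dwell time d' drawn from p_{m'}(d'); both weighted by b_{m'}(o_t)
                    stay = alpha[mp][dp + 1] if dp + 1 < self.D else 0.0
                    new[mp][dp] = b * (stay + entering * self.P[mp][dp])
            # eq. (16): the table sum is Pr{o_t | o_1^{t-1}, lambda}
            alpha, step_prob = self._normalize(new)
            if step_prob == 0.0:
                return -math.inf
            logp += math.log(step_prob)
        return logp

    def anomaly_score(self, obs: Sequence[int]) -> float:
        """Per-observation log-likelihood, so series of different length are comparable."""
        return self.log_likelihood(obs) / len(obs)

    def is_anomalous(self, obs: Sequence[int], threshold: float) -> bool:
        return self.anomaly_score(obs) < threshold


# Constructed normal-behaviour model: state 0 = "unauthorized nodes mostly idle",
# state 1 = "unauthorized nodes actively transmitting". Values are illustrative only.
NORMAL_MODEL = DurationHsmm(
    A=[[0.0, 1.0], [1.0, 0.0]],
    B=[[0.80, 0.18, 0.02], [0.20, 0.70, 0.10]],
    P=[[0.1, 0.2, 0.3, 0.4], [0.4, 0.3, 0.2, 0.1]],
    pi=[0.5, 0.5],
)

# Constructed series of (RSS_t, RTS_t, packets_t), one sample per second.
NORMAL_SERIES = [(-70, 2, 10), (-71, 1, 8), (-69, 3, 12), (-65, 8, 60), (-64, 9, 70),
                 (-72, 2, 9), (-73, 1, 5), (-70, 2, 11), (-71, 0, 4), (-66, 7, 55),
                 (-65, 10, 80), (-64, 9, 75)]
FLOOD_SERIES = [(-60, 40, 500)] * 12          # sustained RTS/packet burst

THRESHOLD = -1.5                              # per-observation log-likelihood, constructed


def score_series(series: Sequence[Tuple[float, int, int]], model: DurationHsmm = NORMAL_MODEL) -> float:
    return model.anomaly_score([quantize(*sample) for sample in series])


if __name__ == "__main__":
    for name, series in (("normal", NORMAL_SERIES), ("flood", FLOOD_SERIES)):
        s = score_series(series)
        print(f"{name:7s} score={s:7.3f} alarm={s < THRESHOLD}")
```

Because each step only needs the previous table and the current symbol, an authorized node can keep scoring the live series and raise the alarm of Section II the moment the running score drops below the threshold.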