In previous work by the author, parameters across network protocol layers were selected as features for supervised
algorithms that detect and identify certain intrusion attacks on wireless ad hoc sensor networks (WSNs) carrying multisensor
data. Those algorithms improved on the residual protection left by the intrusion prevention measures of whatever
dynamic key-management schemes and trust models were implemented among the network nodes, by detecting the attacks
those measures do not stop.
The approach of this paper does not train algorithms on the signatures of known attack traffic; instead, it uses
unsupervised anomaly detection techniques that learn the signature of normal network traffic and flag departures from it.
Unsupervised learning does not require the data to be labeled or to be purely of one type, i.e., normal or attack traffic.
The approach can be augmented to add any security attributes and quantified trust levels, established during data
exchanges among nodes, to the set of cross-layer features from the WSN protocols.
A two-stage framework is introduced for the security algorithms to overcome the problems of input size and
resource constraints. The first stage is an unsupervised clustering algorithm that reduces the payload of network data
packets to a tractable size. The second stage is a traditional anomaly detection algorithm based on a variation of support
vector machines (SVMs), whose efficiency is improved because the payload data reach it in that reduced form. In the first
stage, selected algorithms are adapted to WSN platforms to meet system requirements for simple parallel distributed
computation, distributed storage and data robustness. A set of mobile software agents, acting like an ant colony in
securing the WSN, are distributed at the nodes to implement the algorithms. The agents move among the layers
involved in the network response to the intrusions at each active node and trustworthy neighborhood, collecting
parametric values and executing assigned decision tasks. This minimizes the need to move large amounts of audit-log
data through resource-limited nodes and locates routines closer to that data.
Performance of the unsupervised algorithms is evaluated against the network intrusions of black hole, flooding,
Sybil and other denial-of-service attacks in simulations of published scenarios. Results for scenarios with intentionally
malfunctioning sensors show that the two-stage approach remains robust at detecting intrusion anomalies in the presence of
sensor faults.
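The two-stage framework described above and the attack classes it is evaluated against can be illustrated in a few dozen lines. The block below is an added example written for this page; it is not the author's code and does not reproduce the paper's algorithms. It assumes a hypothetical cross-layer feature set (MAC-layer send rate, network-layer forwarding ratio of the sender, number of identities claimed by the sender's radio address, and a payload code), uses k-means over a coarse byte histogram as the stage-1 payload reduction, and replaces the paper's SVM variant in stage 2 with a plain centre/radius hypersphere rule (the kind of boundary a support vector data description learns, without the kernel or the optimization) so that it runs with no ML library. All traffic is constructed synthetically; the mobile-agent distribution across nodes is not modelled.

```python
"""Two-stage WSN anomaly detector sketch (added illustration, not the paper's code).

Stage 1: k-means over a coarse byte histogram compresses each payload to a
         (cluster id, distance-to-centroid) pair.
Stage 2: a hypersphere novelty rule, trained on normal traffic only, flags
         cross-layer feature vectors that fall outside the learned radius.
         (Stand-in for the paper's SVM variant; assumption, not the paper's method.)
"""
import math
import random

BINS = 16  # histogram resolution for payload bytes (hypothetical choice)


def payload_histogram(payload: bytes) -> list:
    """Fold the 256 byte values into BINS buckets; this is the stage-1 input."""
    hist = [0] * BINS
    for b in payload:
        hist[b * BINS // 256] += 1
    return hist


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=20):
    """Lloyd's k-means with deterministic farthest-first seeding."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(_dist(p, c) for c in centroids)))
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: _dist(p, centroids[i]))].append(p)
        centroids = [[sum(col) / len(g) for col in zip(*g)] if g else c
                     for g, c in zip(groups, centroids)]
    return centroids


def payload_code(hist, centroids):
    """Stage-1 output: id of the nearest payload cluster and the distance to it."""
    i = min(range(len(centroids)), key=lambda j: _dist(hist, centroids[j]))
    return i, _dist(hist, centroids[i])


def feature_vector(pkt, centroids):
    """Cross-layer features (hypothetical set): MAC send rate, sender's
    forwarding ratio, identities claimed by the sender, stage-1 payload distance."""
    _, d = payload_code(payload_histogram(pkt["payload"]), centroids)
    return [pkt["rate"], pkt["fwd_ratio"], pkt["ids"], d]


class HypersphereDetector:
    """Centre/radius rule in standardized feature space; no labels needed."""

    def fit(self, vectors, quantile=0.99):
        n, dim = len(vectors), len(vectors[0])
        self.mean = [sum(v[i] for v in vectors) / n for i in range(dim)]
        # floor the deviation so a feature that is constant in normal traffic
        # (e.g. one identity per address) still separates when it changes
        self.sd = [max(math.sqrt(sum((v[i] - self.mean[i]) ** 2 for v in vectors) / n), 1e-6)
                   for i in range(dim)]
        dists = sorted(self._norm_dist(v) for v in vectors)
        self.radius = dists[min(int(quantile * n), n - 1)]
        return self

    def _norm_dist(self, v):
        return math.sqrt(sum(((x - m) / s) ** 2 for x, m, s in zip(v, self.mean, self.sd)))

    def score(self, v):
        """Scores above 1.0 lie outside the region learned from normal traffic."""
        return self._norm_dist(v) / self.radius


# ---- constructed traffic (synthetic; not from any published scenario) ----
def normal_packet(rng):
    if rng.random() < 0.5:  # ASCII sensor readings
        payload = bytes(rng.choice(b"0123456789,.") for _ in range(64))
    else:                   # binary sensor frames
        payload = bytes(rng.randrange(0xC0, 0x100) for _ in range(64))
    return {"rate": rng.uniform(8, 12), "fwd_ratio": rng.uniform(0.9, 1.0),
            "ids": 1, "payload": payload}


def attack_packets(rng):
    """Each attack perturbs one layer of an otherwise normal packet."""
    base = normal_packet(rng)
    return {"flooding": dict(base, rate=200.0),       # MAC-layer send rate
            "black_hole": dict(base, fwd_ratio=0.0),  # sender drops everything
            "sybil": dict(base, ids=6),               # one radio, six identities
            "malformed": dict(base, payload=b"\x00" * 64)}  # payload anomaly


def run_demo(seed=7):
    rng = random.Random(seed)
    train = [normal_packet(rng) for _ in range(400)]
    centroids = kmeans([payload_histogram(p["payload"]) for p in train], k=2)
    det = HypersphereDetector().fit([feature_vector(p, centroids) for p in train])
    held_out = [normal_packet(rng) for _ in range(200)]
    fpr = sum(det.score(feature_vector(p, centroids)) > 1.0 for p in held_out) / 200
    scores = {n: det.score(feature_vector(p, centroids)) for n, p in attack_packets(rng).items()}
    return fpr, scores


if __name__ == "__main__":
    fpr, scores = run_demo()
    print(f"false-positive rate on held-out normal traffic: {fpr:.3f}")
    for name, s in scores.items():
        print(f"{name:10s} score={s:8.1f} {'ANOMALY' if s > 1.0 else 'normal'}")
```

The point of the split is visible in `feature_vector`: stage 2 never sees the raw payload, only one cluster id and one distance, so the vector a node has to store or hand to a neighbouring agent is four numbers rather than the packet. Each attack class shows up on a different layer's feature, which is why a single-layer detector would miss some of them, and the held-out false-positive rate is set by the `quantile` argument rather than by any attack signature.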