DETECTION AND IDENTIFICATION OF ANOMALIES IN WIRELESS MESH NETWORKS USING PRINCIPAL COMPONENT ANALYSIS (PCA)

Abstract

Anomaly detection is becoming a powerful and necessary component as wireless networks gain popularity. In this paper, we evaluate the efficacy of PCA based anomaly detection for wireless mesh networks (WMN). PCA based method [1] was originally developed for wired networks. Our experiments show that it is possible to detect different types of anomalies, such as Denial-of-service (DoS) attack, port scan attack [1], etc., in an interference prone wireless environment. However, the PCA based method is found to be very sensitive to small changes in flows causing non-negligible number of false alarms. This problem prompted us to develop an anomaly identification scheme which automatically identifies the flow(s) causing the detected anomaly and their contributions in terms of number of packets. Our results show that the identification scheme is able to differentiate false alarms from real anomalies and pinpoint the culprit(s) in case of a real fault or threat. Moreover, we also found that the threshold value used in [1] for distinguishing normal and abnormal traffic conditions is based on assumption of normally distributed traffic which is not accurate for current network traffic which is mostly self-similar in nature. Adjusting the threshold also reduced the number of false alarms considerably. The experiments were performed over an 8 node mesh testbed deployed in a suburban area, under different realistic traffic scenarios. Our identification scheme facilitates the use of PCA based method for real-time anomaly detection in wireless networks as it can filter the false alarms locally at the monitoring nodes without excessive computational overhead.