Date of Award

12-2009

Degree Name

Doctor of Philosophy

Department

Computer Science

First Advisor

Dr. Ajay Gupta

Second Advisor

Dr. Rajib Paul

Third Advisor

Dr. Leszek T. Lilien

Abstract

Anomaly detection is an important and indispensable aspect of any computer security mechanism. Ad hoc and mobile networks consist of a number of peer mobile nodes that are capable of communicating with each other absent a fixed infrastructure. Arbitrary node movements and lack of centralized control make them vulnerable to a wide variety of unknown and known attacks from inside as well as from outside. In this dissertation we propose two efficient statistical techniques for anomaly detection for these networks.

In order to take into account incomplete testing samples and the interaction among multiple features, we present BANBAD, a technique using Belief Networks and Bayesian inference. BANBAD identifies abnormal behavior in any feature, e.g., inappropriate energy consumption of a node in the network. By applying structure learning techniques to the training dataset, it extracts the dependencies among relevant features and represents them by a directed acyclic graph. Probability distributions are associated with the nodes (i.e., features) and edges of the graph. BANBAD maintains this belief network as a dynamic, updated normal profile of feature behaviors and then uses a specific Bayesian inference algorithm to detect abnormal behavior in testing data. Our technique works especially well in ad hoc networks but is applicable to other networks including wireless and sensor networks. The proposed method bounds the false alarm rate (FAR) at a predefined threshold and maximizes the detection rate (DR). Experimental results demonstrate excellent performance for synthetic as well as real datasets. The real datasets are taken from Intel Lab Data (lab environment monitored by the sensors) and UMASS Trace Repository (users' laptop usage).

We present a mobility-pattern-based (MPB) anomaly detection algorithm that can identify abnormal pattern behavior of nodes in mobile networks. MPB characterizes the mobility profile of a node by a Multi-Leaf tree structure in which each node corresponds to a possible destination cluster. Through data mining and fuzzy logic techniques, a normal mobility profile is generated during the training process, and abnormal patterns are distinguished from the normal during testing. Statistical simulations demonstrate that the proposed MPB algorithm achieves reasonably low false alarm rates (FAR) and sufficiently high detection rates (DR).

Access Setting

Dissertation-Open Access
