Research on the Anomaly Detection Technologies for Wireless Sensor Network

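【Author】 Xiao Zhenghong (肖政宏)

【Advisors】 Chen Zhigang (陈志刚); Deng Xiaoheng (邓晓衡)

【Author information】 Central South University, Computer Application Technology, 2012, PhD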

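【Summary】 Wireless sensor networks (WSNs) draw on sensor technology, embedded computing, networking, wireless communication and distributed information processing. Through the cooperation of many integrated micro-sensors they monitor and sense, in real time, information about environments or monitored objects. They can be widely used in national defense and the military, national security, environmental monitoring, traffic management, health care, manufacturing, counter-terrorism and disaster relief, and they are also the main way the Internet of Things acquires information. Because WSNs lack infrastructure and are spatially open, an attacker can easily eavesdrop on, intercept, forge and tamper with data. Because of the particular areas in which sensor nodes are deployed, an attacker may physically damage or crack captured nodes. The rapidly and dynamically changing routing topology of a WSN leaves no clear boundary between normal and abnormal operation: a node that sends erroneous information may be a captured node, or it may be a node that has temporarily lost synchronization because it is moving quickly, so a general intrusion detection system has difficulty telling a real intrusion from a transient system fault. Node energy in WSNs is limited, which makes WSNs vulnerable to resource-consumption attacks. WSNs therefore need effective security mechanisms to block and prevent network attacks and to guarantee the confidentiality, integrity and availability of data. In view of the characteristics of WSNs, this dissertation takes anomaly intrusion detection as its main subject. It analyses and studies the application of network traffic prediction, statistical analysis, secure-routing attack detection, and data mining and intelligent processing techniques to anomaly intrusion detection, and proposes effective detection schemes. The research work and main results are as follows.

First, existing schemes judge whether the network is under attack only by monitoring changes in the traffic of nodes (sensor nodes, neighbor nodes, cluster-head nodes), which carries a risk of misjudgment. To address this, a threshold-based anomaly intrusion detection method that combines traffic prediction with a correlation coefficient matrix is proposed; it detects anomalies by comparing m consecutive correlation coefficients. Three typical traffic prediction models (the autoregressive moving average model, the Kalman filter and chaotic time series analysis) are also compared in their application to WSN anomaly intrusion detection systems. Simulation results show that the scheme proposed in this section has a high detection rate when the traffic attack is weak.

Second, statistical analysis is one of the techniques commonly used in anomaly intrusion detection, and it has low computational complexity and is easy to deploy. However, whether for the mean and standard deviation model, the chi-square test or the cumulative sum (CUSUM) method, determining the threshold parameters remains difficult. To address the long detection delay and low detection rate caused by the single detection threshold of the CUSUM algorithm, a Multi-CUSUM algorithm suited to WSNs is proposed. The algorithm first selects CUSUM algorithms with different threshold parameters according to the mean of the traffic sequence, and it optimizes the threshold parameters by letting them grow as the number of traffic sequences increases. Theoretical analysis and experimental results show that the anomaly detection scheme based on the Multi-CUSUM algorithm is a fairly ideal detection scheme for WSNs and that it performs better than current typical WSN intrusion detection schemes.

Third, a secure routing protocol is what guarantees that the data sensed by a wireless sensor network is transmitted correctly. However, the typical routing protocols for wireless sensor networks were designed to serve the network's application as fully as possible and did not give sufficient consideration to routing security. Based on the architecture of heterogeneous wireless sensor networks, a secure routing protocol with anomaly intrusion detection, SRPAD, is proposed. To optimize route selection, an improved ant colony algorithm searches for an optimized route from the cluster-head nodes to the base station node, and a method is proposed within the secure routing protocol for detecting anomalous attacks from changes in the mean and variance of node traffic and energy consumption. Theoretical analysis and simulation experiments demonstrate the feasibility and effectiveness of the SRPAD protocol proposed in this section. The work offers one line of thinking, from the viewpoint of anomaly intrusion detection, for research on secure routing protocols for wireless sensor networks.

Fourth, a distributed intrusion detection scheme based on Bayes classification is proposed. To suit the lightweight computation that WSNs require, the scheme proposes a WSN clustering method based on the K-nearest-neighbor algorithm and proves that the K-nearest-neighbor clustering of the nodes in a WSN is unique. In the scheme, Bayes classification is used for anomaly detection of the nodes within a cluster, and an average-probability method is used to detect anomalous behavior of cluster-head nodes. A rule-based detection strategy is built by simulating attack traffic at different data transmission rates. Simulation results and analysis show that the proposed intrusion detection method based on the Bayes classification algorithm is an effective detection scheme suited to the characteristics of WSNs.

Fifth, some features of intelligent processing algorithms, such as adaptability, fault tolerance, high computational speed and error recovery, suit the characteristics of intrusion detection systems. Based on the idea that "like is close to like", a K-means-SVM anomaly intrusion detection algorithm is proposed, and its generalization ability is analysed theoretically. The method first uses the K-means algorithm to cluster the nodes of the sensor network. For the initial clustering parameter K, which that algorithm has difficulty determining, a calculation method with a self-adjusting parameter K is proposed. By improving the selection of the initial cluster points, the method overcomes the randomness and blindness of initial cluster point selection in K-means and effectively improves clustering efficiency. On this basis, a Multi-SVM algorithm is selected to improve the efficiency of anomaly detection for different types of attack. Experiments show that the proposed method has a higher detection rate and a lower false detection rate than some typical anomaly detection methods for WSNs.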

【Abstract】 Advances in sensor technology, embedded techniques, network technology, wireless communication and distributed information processing have led to the design and development of wireless sensor networks (WSNs), which collect and process real-time environmental information through various microsensors and have a wide range of potential applications, including national defense, environment monitoring, traffic management, medical systems, manufacturing, counter-terrorism and disaster relief. They also provide a way for the Internet of Things to obtain information. Because WSNs lack infrastructure and use an open communication medium, an attacker can easily eavesdrop on, intercept, forge and tamper with data. Because of the particular way WSN nodes are deployed, an attacker may damage or decode captured nodes. The high-speed dynamic routing topology leaves no clear boundary between normal and abnormal operation. A node that sends a wrong message may be a captured node, or it may be a fast-moving node that has temporarily lost synchronization. General intrusion detection systems have difficulty distinguishing a real intrusion from a temporary system failure. The energy of a WSN node is limited, which makes WSNs more vulnerable to resource consumption attacks. Therefore, an effective security mechanism is needed to stop and prevent network attacks and to ensure data confidentiality, integrity and availability. In view of the features of WSNs, this dissertation focuses on anomaly intrusion detection from the aspects of traffic forecasting techniques, statistical analysis techniques, secure routing attack detection technology and intelligent technology.

The main contributions of this dissertation are as follows:

First, the existing anomaly intrusion detection methods depend only on the deviation between the real traffic and the forecast traffic of nodes (cluster-head nodes, monitor nodes, neighbor nodes) to determine whether the nodes are under attack, which carries a risk of wrong judgment. A threshold-based anomaly intrusion detection approach is proposed that combines a correlation coefficient matrix with traffic prediction; it uses the deviation of m consecutive correlation coefficients to detect anomalous intrusion. In addition, the application of chaotic time series analysis, the autoregressive moving average (ARMA) model and the Kalman filter in WSN intrusion detection systems is analyzed. Experimental results demonstrate the efficiency of the proposed approach: compared with other methods, it has a higher detection rate when the intensity of the attack is weaker.

Second, statistical analysis is among the most commonly used techniques in anomaly intrusion detection, with low computational complexity and easy deployment. However, the threshold parameters are still difficult to determine for the mean and standard deviation model, the chi-square test method and the CUSUM method. Given that the single detection threshold of the cumulative sum (CUSUM) algorithm causes longer detection delays and a lower detection rate, a multi-class CUSUM algorithm is proposed. Firstly, maximum and minimum thresholds that a sensor node is able to reach when sending packets are set, to eliminate abnormal flows and enhance detection efficiency. Secondly, CUSUM algorithms with different thresholds, all selected according to the mean of the traffic sequences, are applied to detect anomalous nodes. The study aims to optimize the threshold parameters, whose size increases with the number of traffic sequences. Using the NS2 tool, different values of the network traffic sequence were generated and simulated. Based on these values, the detection rates of the CUSUM algorithm and the multi-class CUSUM algorithms, as well as their false positive rates, are evaluated. Theoretical analysis and simulation results show that the proposed algorithm achieves a higher and more accurate detection rate and lower false positive rates than the current important intrusion detection schemes for WSNs.

Third, a secure routing protocol is essential for wireless sensor networks to ensure that sensed data is transmitted correctly. However, the typical routing protocols for wireless sensor networks only serve the network application and do not sufficiently consider the security of the network. Based on the architecture of heterogeneous WSNs, a secure routing protocol with anomaly detection (SRPAD) is proposed. To solve the problem of optimizing routing overhead, an improved ant colony algorithm is proposed to search for the lowest-cost route from cluster nodes to the base station. Based on the results, routing attacks can be detected from changes in the mean and variance of the data traffic and energy consumption of the monitored cluster nodes. Theoretical analysis and simulation results show that the proposed protocol is effective in data transfer, with low energy consumption. In addition, the proposed protocol has a higher detection rate and a lower false positive rate than the current important protocols for WSNs.

Fourth, a Bayesian-network-based anomaly detection scheme is proposed and designed, in which a new clustering approach using the K-nearest-neighbor algorithm is presented and the partition of a WSN into clusters is proved to be unique. A Bayesian classification algorithm is used to detect anomalous nodes within a cluster, and anomalous cluster-head nodes are detected using an average probability approach. Using the network simulation tool NS2, network attack traffic was generated and simulated and intrusion detection rules were developed; on this basis, the detection rate, average detection rate, false positive rate and average false positive rate were evaluated. Simulation results demonstrate that the scheme achieves a higher detection accuracy and a lower false positive rate than the current important intrusion detection schemes for WSNs.

Fifth, the characteristics of intelligent processing algorithms, such as adaptation, fault tolerance, high computational speed and error resilience in the face of noisy information, fit the requirements of building a good intrusion detection model. Based on the principle that sensor nodes situated spatially close to each other tend to behave similarly, an anomaly intrusion detection method is proposed, and the generalization ability of the algorithm is analyzed theoretically. To solve the problem that the k-means algorithm requires initial parameters, this section proposes an improved k-means algorithm with a strategy that uses adjustable parameters. Applying the improved k-means algorithm to WSNs yields clustering results, and based on these results an SVM multi-classification algorithm is applied to the different clusters for anomaly intrusion detection. Experimental results on the Intel Berkeley Laboratory testing datasets show that the proposed method can efficiently detect abnormal behaviors. In addition, the proposed method has a high detection rate and a low false positive rate compared with the current important intrusion detection schemes for WSNs.

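  • 【Online publication contributor】 Central South University
  • 【Online publication year and issue】 2014, Issue 03
  • 【Classification number】 TP212.9;TN915.08
  • 【Citation count】 2
  • 【Download count】 628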