Quarter Sphere Based Distributed Anomaly Detection in Wireless Sensor Networks

Sutharshan Rajasegarar (1), Christopher Leckie (2), Marimuthu Palaniswami (1)
ARC Special Research Center for Ultra-Broadband Information Networks (CUBIN)
(1) Department of Electrical and Electronic Engineering
(2) NICTA Victoria Research Laboratory, Department of Computer Science and Software Engineering
University of Melbourne, Australia.
Email: {r.sutharshan, swami}@ee.unimelb.edu.au, caleckie@csse.unimelb.edu.au

James C. Bezdek
Computer Science Department, University of West Florida, USA.
Email: jbezdek@uwf.edu

Abstract—Anomaly detection is an important challenge for tasks such as fault diagnosis and intrusion detection in energy constrained wireless sensor networks. A key problem is how to minimise the communication overhead in the network while performing in-network computation when detecting anomalies. Our approach to this problem is based on a formulation that uses distributed, one-class quarter-sphere support vector machines to identify anomalous measurements in the data. We demonstrate using sensor data from the Great Duck Island Project that our distributed approach is energy efficient in terms of communication overhead while achieving comparable accuracy to a centralised scheme.

I. INTRODUCTION

Wireless sensor networks are formed using large numbers of cheap, tiny and compact sensors which have inbuilt wireless radios for communication [1]. They have limited power, bandwidth and memory. These inherent constraints on the network make it more vulnerable to faults and malicious attacks such as denial of service attacks, black hole attacks and eavesdropping [2], [3]. Therefore, identifying misbehaviors or anomalies in the network is important to provide reliable and secure functioning of the network. An anomaly or outlier in a set of data is defined as an observation that appears to be inconsistent with the remainder of the data set [4].
Misbehaviors in the network can be identified by analysing either sensor data measurements or traffic related attributes in the network. Note that the underlying distribution of these measurements may not be known a priori. A key challenge is to identify anomalies with acceptable accuracy while minimising energy consumption in the wireless sensor network. In sensor networks, the majority of the energy is consumed in radio communication rather than in computation [5], [6]. For example, in Sensoria sensors and Berkeley motes, the ratio between communication and computation energy consumption ranges from $10^3$ to $10^4$ [7]. Hence, there are advantages to increasing computational overheads in order to reduce communication requirements in the network, and thus prolong the lifetime of energy-limited wireless sensor networks. In this paper, we propose an energy efficient non-parametric distributed approach for anomaly detection in wireless sensor networks, which performs in-network processing in order to reduce the need for radio communication in the network.

Recent related work in anomaly or outlier detection in sensor networks can be found in the literature. Palpanas et al. [8] and Subramaniam et al. [9] have proposed the use of kernel density estimators for online distributed outlier detection in streaming data in sensor networks. In this distributed approach, a random sample of the data set within the window of measurements is communicated between sensor nodes along with the bandwidth parameter of the kernel function that is used to model the data. Onat et al. [10] have identified anomalies using a rule based technique on a predefined statistical model. Loo et al. [11] have proposed a cluster based intrusion detection scheme for anomaly detection. However, they have not considered co-operation between nodes.

One-class support vector machines (SVMs) have been proposed as a technique for outlier detection.
Techniques have been proposed based on hyperplanes [12] and hyperspheres [13]. Navia-Vazquez et al. [14] and Flouri et al. [15] have proposed distributed and incremental techniques for training SVMs in sensor networks. However, a challenge for these SVM formulations for this application is their computational complexity.

In our previous work [16] for anomaly detection, a cluster-based distributed approach was proposed, where the data measurements are clustered and summary information for each cluster is communicated between nodes for performing distributed anomaly detection and classifying the data. In this paper, we propose another communication efficient distributed technique based on a one-class quarter sphere SVM.

The rest of the paper is organised as follows. We formally introduce the problem in Section II. The quarter sphere support vector machine formulation and our distributed approach are explained in Section III. An empirical comparison of the centralised and distributed approaches is provided in Section IV.

II. PROBLEM STATEMENT

We consider the problem of anomaly detection in a wireless sensor network where the sensor nodes are connected by a routing tree such as the one in Figure 1(a). The sensors are time synchronised and deployed in a homogeneous environment, where the measurements have the same unknown distribution.

1-4244-0353-7/07/$25.00 ©2007 IEEE
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the ICC 2007 proceedings.