Statistical Detection Methods For Abnormal Packet-Dropping Nodes In Wireless Communication Networks

Posted on: 2023-03-10
Degree: Doctor
Type: Dissertation
Country: China
Candidate: F Y Y Huang
Full Text: PDF
GTID: 1528307025464754
Subject: Cyberspace security

Abstract/Summary:
Abnormal node detection is an important research topic in communication network security. One typical behavior of an abnormal node is to drop the packets it is supposed to relay. Statistical testing-based node behavior analysis combined with watchdog-based behavior monitoring is a dominant technical approach, widely used for abnormal node detection in wireless communication networks. A thorough investigation of the abnormal packet-dropping behaviors of wireless relays and of their detection is therefore both a theoretical and a practical challenge across varied network scenarios. This dissertation analyzes and extracts the characteristics of two significant classes of packet-dropping behavior, the persistent and the intermittent, based on the statistical model of the abnormal node in wireless relay environments. It then provides statistical detection methods for the different classes of anomalies in relay networks and in tree topology network architectures, achieving innovative results in the following four aspects.

(1) The dynamic Hoeffding test for abnormal relay nodes with persistent packet-dropping

The Hoeffding test is an effective method that is especially suitable for detecting persistent packet-dropping by neighbors. However, a fixed threshold cannot guarantee the correct classification of normal and abnormal nodes. To address this limitation, this dissertation proposes a novel threshold update rule and obtains a Hoeffding test with dynamic thresholds. The proposed dynamic threshold update rule is constructed based on Sanov's theorem and leverages the persistent characteristics of abnormal nodes, so that different detection thresholds can be determined for normal and abnormal nodes according to their behaviors. The theoretical results show that both the false alarm and the missed detection probabilities decrease rapidly within a small number of detection periods. Compared to the standard Hoeffding test, the numerical results demonstrate that the dynamic method achieves a total error probability of 0.01 with a 19% reduction in the number of detection periods. The dynamic Hoeffding test therefore has superior detection accuracy and efficiency.

(2) The Wald-Wolfowitz runs test for abnormal relay nodes with intermittent packet-dropping

Unlike persistent behaviors, intermittent behaviors possess a certain degree of concealment and are commonly observed at abnormal relay nodes. Since the Wald-Wolfowitz runs test decides whether the elements of a sequence are independent and identically distributed, this dissertation adopts this test for intermittent abnormal neighboring nodes. Based on the weak dependency characteristics of the behavior sequence of abnormal nodes under the semi-Markov model, a pre-processing method to transform the behavior sequences is presented. Performing the Wald-Wolfowitz runs test on the pre-processed sequence detects anomalies efficiently even though the normal packet loss probability due to the network environment is unknown. The theoretical analysis and the numerical results consistently show that the Wald-Wolfowitz runs test-based method is feasible for detecting intermittent abnormal packet-dropping nodes under arbitrary semi-Markov models. Because the missed detection probability decays exponentially to zero when the false alarm probability is sufficiently small (e.g., 0.01), this method can correctly and rapidly distinguish abnormal nodes from normal ones.

(3) The prior-perturbative likelihood ratio test for both persistent and intermittent abnormal packet-dropping relay nodes

Considering the shortcoming of the standard likelihood ratio test, which requires prior knowledge of abnormal nodes, this dissertation proposes a novel prior-perturbative likelihood ratio test method for abnormal packet-dropping relay nodes between neighbors. The proposed method uses a perturbation value of the prior normal packet loss probability as the alternative hypothesis in the test, which is feasible for detecting both persistent and intermittent anomalies. The new method therefore works well without using any knowledge of abnormal nodes. The asymptotic analysis of the detection performance shows that the false alarm and the missed detection probabilities converge to zero exponentially as the number of detection periods increases. The results indicate that this method can correctly detect both persistent and intermittent abnormal packet loss nodes over a wide range. The numerical results verify the analysis and demonstrate that, within tens of detection periods, the mean error probability of the method is close to the optimal value, i.e., that of the standard likelihood ratio method with a known overall packet loss probability of abnormal nodes.

(4) The robust detection method for abnormal packet-dropping relay nodes under tree topology networks

The central node, also known as the root node, is the only trustworthy node in the tree topology network. This dissertation therefore extends the detection method based on the prior-perturbative likelihood ratio test to tree topology networks centered on the root node and proposes a two-phase detection method for both persistent and intermittent abnormal relay nodes. In this method, the detection data obtained by the child nodes in the first phase are aggregated at the root node in the second phase to improve detection efficiency. In addition, to handle the deception scenario in which malicious child nodes provide false detection data to the root node, the root node employs a standardized Z-score metric to screen out the false detection data and then uses the filtered detection data for anomaly decisions. The optimal screening threshold for the standardized Z-score method is rigorously derived. This threshold guarantees that both the false alarm probability and the missed detection probability of the method decrease exponentially under the condition that the total traffic of malicious child nodes is less than half of the total traffic of all child nodes. The numerical results validate the theoretical results and reveal that the detection method combined with the standardized Z-score method can resist multiple falsification strategies of detection data. Hence, the proposed method is efficient and robust compared to the approach using the prior-perturbative likelihood ratio test only.

Statistical testing, as a fundamental technology, has widespread applications in the field of abnormal node detection. The enhanced detection methods based on the Hoeffding test, the Wald-Wolfowitz runs test and the likelihood ratio test, together with the corresponding performance analysis in this dissertation, are therefore potentially valuable in practical engineering applications and theoretical research.
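As an added illustration of aspect (2), not code from the dissertation: the standard Wald-Wolfowitz runs test applied directly to a watchdog's forward/drop record, without the dissertation's semi-Markov pre-processing step. Both sequences are constructed sample data with the same 10% loss rate, so a loss-rate threshold alone cannot separate them.

```python
import math
from statistics import NormalDist

def runs_test(seq):
    """Standard Wald-Wolfowitz runs test on a 0/1 sequence (1 = forwarded, 0 = dropped).
    Returns (runs, z); z is None when the test is undefined (e.g. only one symbol seen)."""
    n1 = sum(seq)
    n0 = len(seq) - n1
    if n0 == 0 or n1 == 0:
        return (1 if seq else 0), None
    n = n0 + n1
    runs = 1 + sum(a != b for a, b in zip(seq, seq[1:]))
    mean = 2 * n1 * n0 / n + 1                       # E[runs] under the i.i.d. hypothesis
    var = 2 * n1 * n0 * (2 * n1 * n0 - n) / (n * n * (n - 1))
    if var <= 0:
        return runs, None
    return runs, (runs - mean) / math.sqrt(var)

def is_abnormal(seq, alpha=0.01):
    """Two-sided decision at false-alarm level alpha (normal approximation)."""
    _, z = runs_test(seq)
    if z is None:
        # All-forward or all-drop records carry no run structure; persistent
        # dropping has to be caught by a different test than this one.
        return False
    return abs(z) > NormalDist().inv_cdf(1 - alpha / 2)

def loss_rate(seq):
    return 1 - sum(seq) / len(seq)

# Constructed sample: 200 observation slots, 20 drops scattered the way
# independent channel loss would scatter them (two adjacent pairs, rest isolated).
_DROPS = {7, 19, 20, 33, 41, 58, 66, 79, 90, 101, 102,
          115, 127, 138, 149, 160, 171, 180, 188, 195}
NORMAL = [0 if i in _DROPS else 1 for i in range(200)]

# Constructed sample: same 20 drops, but concentrated in four bursts of five,
# as an intermittent dropper alternating between quiet and dropping phases would.
BURSTY = ([1] * 45 + [0] * 5) * 4

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL), ("bursty", BURSTY)):
        runs, z = runs_test(seq)
        print(f"{name}: loss={loss_rate(seq):.2f} runs={runs} z={z:.2f} "
              f"abnormal={is_abnormal(seq)}")
```

The test statistic depends only on the counts of forwards and drops and on how they are ordered, which is why no estimate of the channel's normal loss probability is needed.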
Keywords/Search Tags:Abnormal packet-dropping, Wireless relay node, Statistical testing, Semi-Markov model, Asymptotic analysis