CN103561419A - Distributed event detection method based on correlation - Google Patents

Abstract

The invention discloses a distributed event detection method based on a correlation. The temporal correlation of data is analyzed in nodes through a clustering structure based on the locality of a wireless sensor network event area, the spatial correlation of the data is analyzed between adjacent nodes, and the node where an event happens is recognized. The abnormal correlation of the nodes is analyzed through the histogram method, and the detecting accuracy is improved. Due to the fact that the summary information of a histogram is transmitted among the nodes, the communication energy consumption among the nodes is reduced. The occurrence of new events can be effectively detected, the method has a low false alarm rate and low energy consumption, and compared with a centralized abnormality detection method, the distributed event detection method based on the correlation has the advantages of being high in detection performance and obviously reducing communication cost.

Description

Distributed event detection method based on correlation

Technical field

The present invention relates to the detection of the abnormal behaviour node of a kind of bunch of type structure organization sensor network, relate in particular to a kind of distributed event detection method based on correlation.

Background technology

Wireless sensor network (Wireless Sensor Networks, be called for short WSN) has been covered with sensor node, for detection of whether occurring abnormal conditions.If the departure degree of the data of sensor senses and historical data has surpassed the threshold value of appointment, think and occurred abnormal data; If all there are similar abnormal conditions in a plurality of nodes of certain area, can judge it is abnormal nodes, embody a kind of abnormal behaviour, need report in time base station, so that user processes.New events in WSN or part event do not have priori and decision condition, so just can not adopt event threshold as the method for event judgement, and this class event detection is also referred to as abnormality detection.In a lot of application, detect such event node or abnormal nodes, all significant, as intrusion detection.This event detection also can be used for obtaining the relevant information of new events.

The data of abnormal nodes and the historical data of self, or the data of other normal node, have very large difference.These abnormal datas may be produced by noise data or failure node; Also may comprise valuable information, embody a kind of abnormal behaviour.Such as, the numerical value of single temperature sensor is very high, may be that noise data causes; And if the numerical value of a plurality of temperature sensors in certain area is all very high, the generation that may indicate fire.This node often has certain local generality, and we claim that this node is event node or abnormal nodes; And for the abnormal conditions without generality, as the data of noise data or failure node, data or noise data that we are defined as isolated node failure node do not have correlation, and the data of abnormal nodes often have certain temporal correlation.

The detection algorithm of some abnormal nodes has been proposed in recent years.For example, detection algorithm based on Gaussian Profile (Wu W L, Cheng X Z, Ding M, et al.Localized outlying and boundarydata detection in sensor networks[J] .IEEE Transactions on Knowledge and Data Engineering, 2007,19 (8): 1145-1157), it utilizes the Data Comparison of adjacent node to detect abnormal conditions.Based on histogrammic Outlier Detection Algorithm (Sheng B, Li Q, Mao W.Outlier detection in sensor networks [C] .Procof MobiHoc ' 07, Qu é bec, Canada:ACM, 2007:219-228), it,, by collecting the histogram information of whole network, replaces the transmission of initial data.But these methods, or only considered spatial coherence, do not consider temporal correlation; Or communications cost is higher, extensibility is not strong, is not suitable for applying in large-scale sensor network.Jun M C, Jeong H, Jay Kuo CC.Distributed spatio-temporal outlier detection in sensor networks[C] .Proc of SPIE, 2005,5819:273-284 hypothesis abnormity point meets balanced α and distributes, and with this, carries out abnormality detection; But in reality, often there is no prior distribution, even and have suitable distribution to exist, new data also not necessarily meet known distribution.

Outlier Detection Algorithm in sensor network need to, saving under the prerequisite of energy, complete Detection task.For a sensor node, the energy that communication consumes is usually above calculating the several orders of magnitude of energy that consume.Therefore, can consider to utilize the computing capability of node self, first carry out calculating in node, reduce the data volume that needs transmission, with this, reduce the communications cost between node.Meanwhile, consider that the abnormal nodes in sensor network has locality, the Distributed Detection algorithm node that can note abnormalities in time, exactly.

Summary of the invention

Goal of the invention: in order to overcome the deficiencies in the prior art, the invention provides a kind of distributed incident Detection Algorithm (CDA based on correlation, Correlation-based Distributed Event Detection Algorithm), adopt cluster structured, according to the locality of event area, in node, carry out the analysis of temporal correlation, analysis space correlation between adjacent node, identifies the node of generation event.Adopt the abnormal correlation of data histogram analysis node, can improve the accuracy of detection; Because of what transmit between node, be histogrammic summary info simultaneously, can reduce inter-node communication energy consumption.

Technical scheme: for achieving the above object, the technical solution used in the present invention is:

A distributed event detection method based on correlation, carries out event detection for a bunch type topological structure wireless sensor network, comprises the steps:

(1) sensor node obtains the detection data of self, calculates summary data (the upper and lower border and the data volume that comprise data), and summary data is uploaded to a bunch head;

(2) bunch head gather bunch in the summary data uploaded of all the sensors node, set up the data histogram of complete bunch, issue this data histogram to bunch in all the sensors node, what issue also comprises the threshold data obtaining from base station simultaneously;

(3) bunch interior nodes generates local data histogram according to data histogram and the threshold data of complete bunch, calculate the average of nearest historical data, then detect nearest time window data, calculate the temporal correlation of current data and historical data: if meet temporal correlation, current data is normal, continues to detect; If do not meet temporal correlation, current data is abnormal, and current data is uploaded to a bunch head;

(4) spatial coherence of the data exception node in leader cluster node compute cluster: if meeting spatial correlation is considered as abnormal nodes, this node is included into abnormal nodes set; If do not meet spatial coherence, be considered as isolated node, this node is included into isolated node set; Bunch head is uploaded to base station by abnormal nodes set and isolated node aggregate information;

(5) base station is to the processing of classifying of abnormal nodes set and isolated node aggregate information:

Abnormal nodes set: abnormal nodes is carried out to Macro or mass analysis, detect abnormal area;

Isolated node set: isolated node is grouped in adjacent sub-clustering, sets up interim bunch, according to the raw information of the abnormal information of this isolated node and this adjacent cluster, set up new data histogram; In this interim bunch, reanalyse the spatial coherence of this isolated node: if meeting spatial correlation is included into abnormal nodes set by this isolated node, and upgrade to formal bunch by this interim bunch, this abnormal nodes is deleted from former bunch simultaneously; If do not meet spatial coherence, this isolated node is joined to the isolated node set of base station, and abandon this interim bunch; Isolated node in continuous time window, is included into failure node set by this isolated node, and upgrades the corresponding sub-clustering information of this isolated node.

Sensor node finite energy, so Outlier Detection Algorithm must consider to reduce the traffic between node, the present invention adopts distributed algorithm, has been worked in coordination with the task of abnormality detection by a bunch interior nodes, leader cluster node, base station; In sensor network, bunch interior nodes correlation analysis time, leader cluster node analysis space correlation collaborative each node processing, Macro or mass analysis is carried out in base station, so both can utilize the computing capability of node, can reduce internodal communications cost again.

In wireless sensor network event detection, if a plurality of nodes in certain region have all occurred extremely, only have these to be associated between abnormal, just can reflect a kind of anomaly trend.In the present invention, when the detection data generation marked change of node, temporal correlation and spatial coherence based on data histogram analysis abnormal nodes, from the direction of data movement, (be data-bias direction, according to the direction of data-bias, can distinguish abnormal nodes) and amplitude (be the amplitude of data-bias, be embodied in spatial Correlation Analysis, it is generally acknowledged that data-bias amplitude is within being less than a set of histograms, think that spatial data is relevant) two aspects consider the correlation that node is abnormal.Only have the change direction of node data all consistent with amplitude, we just think and have occurred relevant extremely, and new event has occurred.

Histogram is a kind of statistical framework, is usually used in the grouping of data.By setting up the unified data histogram of the overall situation, we can be in whole WSN, adopt the extremely whether relevant of unified mode decision node: significant abnormal if node has all occurred, and data are all in histogrammic same grouping or adjacent packets, think relevant abnormalities has occurred, there is event, so not only can improve the accuracy of detection, and because only need to transmit the summary info of grouping between node, do not need to transmit all detection data, so be a kind of detection algorithm of energy efficient.

Temporal correlation, the consistency for decision node data on time dimension, the i.e. consistency of current data and historical data; Concrete, described temporal correlation evaluation method is as follows:

For sensor node n _i, by node n _ithe mean value of the historical data of measuring as baseline mean, the data mean value of measuring in nearest time window is

computing time window average irrelevance t _wfor:

$t_w=\frac{|\stackrel{\‾}{w_i}-\stackrel{\‾}{n_i}|}{\stackrel{\‾}{n_i}}$

Direction d (the t that data depart from _w) be defined as follows:

$d\left(t_w\right)=\left\{\begin{array}{cc}1& \stackrel{\&OverBar;}{w_i}>\stackrel{\&OverBar;}{n_i}\\ -1& \stackrel{\&OverBar;}{w_i}<\stackrel{\&OverBar;}{n_i}\end{array}\right.$

Irrelevance threshold value t for the time window average of appointment ₀if: t _w≤ t ₀, think node n _idata meet temporal correlation; Otherwise, think node n _idata do not meet temporal correlation.

The computational methods of described mean value are:

A. for data x ₁, x ₂..., x _n, according to each data generated data histogram, obtain k grouping g ₁, g ₂..., g _i..., g _k;

B. define the size of i grouping | g _i| be the number of i the data that comprise in dividing into groups, according to the size of each grouping, descending arrangement obtains g _k' ..., g _i' ..., g ₂', g ₁';

C. a given mean data coverage m ₀, data are respectively organized in descending accumulation, until group g _r' meet following formula:

$\frac{\underset{i=r}{\overset{k}{\mathrm{\&Sigma;}}}{g}_i^{\text{'}}}{\underset{i=1}{\overset{k}{\mathrm{\&Sigma;}}}{g}_i^{\text{'}}}\&GreaterEqual;{\mathrm{<figure-callout\; id="0"\; label="m"\; filenames="HDA0000410161350000022.png"\; state="\{\{state\}\}">m</figure-callout>}}_0$

M ₀value is relevant with the signal to noise ratio of data, and signal to noise ratio is less, m ₀value is less, to filter more noise data; If the generation probability of noise data is p, m ₀should be less than 1-p;

D. with group g _k' ..., g _r' the data that comprise, calculating mean value

$p=\underset{i=r}{\overset{k}{\mathrm{\&Sigma;}}}\left|g_i^{\text{'}}\right|$

${\stackrel{\&OverBar;}{x}}_h=\frac{1}{p}\mathrm{\&Sigma;}{x}_j$

X herein _j∈ g _i', i=r, r+1 ..., k.

Node misdata and noise data are small probability events.This method filters out small probability data, has both reduced the impact of noise data, has considered again more normal data in calculating.

Spatial coherence is for the consistency of the abnormal data of compute cluster interior nodes; Concrete, described spatial coherence evaluation method is as follows:

Data exception node is pressed to offset direction classification, and the data exception interstitial content in establishing bunch with a certain offset direction feature is c ', and the data of the total node in bunch are c _h, calculate abnormal support s _efor:

$s_e=\frac{c^{\text{'}}}{c_h}$

Abnormal support threshold value s for appointment ₀if: s _e>=s ₀, think the node meeting spatial correlation of discovery data exception of bunch interior nodes; Otherwise, think that the node of discovery data exception of bunch interior nodes does not meet spatial coherence.

For the anomaly analysis based on temporal correlation, the size of time window is a very important index: time window is young, higher for the detection sensitivity of data variation, but easily produces false alarm for noise data; Time window is large, and corresponding false alarm reduces, but can real abnormal behaviour be produced and be failed to report.For this problem, a kind of dynamic time windowing mechanism is proposed, adopt delay process and dynamic adjustment mode: first transducer adopts shorter time window to detect, when finding that current data is abnormal, increasing time window continues to detect, if still there is data exception in the time window after this increase, carry out follow-up abnormality processing.

Beneficial effect: the distributed event detection method based on correlation provided by the invention, adopt clustering topology, according to the locality of event area, in node, carry out the analysis of temporal correlation, analysis space correlation between adjacent node, identifies the node of generation event; Adopt the abnormal correlation of histogram analysis node, can improve the accuracy of detection; Because of what transmit between node, be histogrammic summary info simultaneously, can reduce the energy that inter-node communication consumes; This method can effectively detect the generation of new events, and has lower rate of false alarm and energy consumption, with respect to centralized abnormality detection, has higher detection performance, and has significantly reduced communications cost.

Accompanying drawing explanation

Fig. 1 is flow chart of the present invention;

Fig. 2 is CDA algorithm: the contrast (s of average irrelevance threshold value and verification and measurement ratio ₀=0.15)

Fig. 3 is centralized algorithm: the contrast (s of average irrelevance threshold value and verification and measurement ratio ₀=0.15)

Fig. 4 is the contrast (t of abnormal support threshold value and verification and measurement ratio ₀=0.2);

Fig. 5 is the contrast (t of average irrelevance threshold value and communications cost economy ₀=0.2).

Embodiment

Below in conjunction with accompanying drawing, the present invention is further described.

Be illustrated in figure 1 a kind of distributed event detection method based on correlation, for a bunch wireless sensor network for type topological structure, carry out event detection, comprise the steps:

(1) sensor node obtains the detection data of self, calculates summary data (the upper and lower border and the data volume that comprise data) and summary data is uploaded to a bunch head;

(2) bunch head gather bunch in the summary data uploaded of all the sensors node, set up the data histogram of complete bunch, issue this data histogram to bunch in all the sensors node, what issue also comprises the threshold data obtaining from base station simultaneously;

(3) bunch interior nodes generates local data histogram according to data histogram and the threshold data of complete bunch, calculate the average of nearest historical data, then detect nearest time window data, calculate the temporal correlation of current data and historical data: if meet temporal correlation, current data is normal, continues to detect; If do not meet temporal correlation, current data is abnormal, and current data is uploaded to a bunch head;

(4) spatial coherence of the data exception node in leader cluster node compute cluster: if meeting spatial correlation is considered as abnormal nodes, this node is included into abnormal nodes set; If do not meet spatial coherence, be considered as isolated node, this node is included into isolated node set; Bunch head is uploaded to base station by abnormal nodes set and isolated node aggregate information;

(5) base station is to the processing of classifying of abnormal nodes set and isolated node aggregate information:

Abnormal nodes set: abnormal nodes is carried out to Macro or mass analysis, detect abnormal area;

Isolated node set: isolated node is grouped in adjacent sub-clustering, sets up interim bunch, according to the raw information of the abnormal information of this isolated node and this adjacent cluster, set up new data histogram; In this interim bunch, reanalyse the spatial coherence of this isolated node: if meeting spatial correlation is included into abnormal nodes set by this isolated node, and upgrade to formal bunch by this interim bunch, this abnormal nodes is deleted from former bunch simultaneously; If do not meet spatial coherence, this isolated node is joined to the isolated node set of base station, and abandon this interim bunch; Isolated node in continuous time window, is included into failure node set by this isolated node, and upgrades the corresponding sub-clustering information of this isolated node.

Temporal correlation, the consistency for decision node data on time dimension, the i.e. consistency of current data and historical data; Concrete, described temporal correlation evaluation method is as follows:

For sensor node n _i, by node n _ithe mean value of the historical data of measuring

as baseline mean, the data mean value of measuring in nearest time window is

computing time window average irrelevance t _wfor:

$t_w=\frac{|\stackrel{\&OverBar;}{w_i}-\stackrel{\&OverBar;}{n_i}|}{\stackrel{\&OverBar;}{n_i}}$

Direction d (the t that data depart from _w) be defined as follows:

$d\left(t_w\right)=\left\{\begin{array}{cc}1& \stackrel{\&OverBar;}{w_i}>\stackrel{\&OverBar;}{n_i}\\ -1& \stackrel{\&OverBar;}{w_i}<\stackrel{\&OverBar;}{n_i}\end{array}\right.$

Irrelevance threshold value t for the time window average of appointment ₀if: t _w≤ t ₀, think node n _idata meet temporal correlation; Otherwise, think node n _idata do not meet temporal correlation.

The computational methods of described mean value are:

A. for data x ₁, x ₂..., x _n, according to each data generated data histogram, obtain k grouping g ₁, g ₂..., g _i..., g _k;

B. define the size of i grouping | g _i| be the number of i the data that comprise in dividing into groups, according to the size of each grouping, descending arrangement obtains g _k' ..., g _i' ..., g ₂', g ₁';

C. a given mean data coverage m ₀, data are respectively organized in descending accumulation, until group g _r' meet following formula:

$\frac{\underset{i=r}{\overset{k}{\mathrm{\&Sigma;}}}{g}_i^{\text{'}}}{\underset{i=1}{\overset{k}{\mathrm{\&Sigma;}}}{g}_i^{\text{'}}}\&GreaterEqual;{\mathrm{<figure-callout\; id="0"\; label="m"\; filenames="HDA0000410161350000022.png"\; state="\{\{state\}\}">m</figure-callout>}}_0$

M ₀value is relevant with the signal to noise ratio of data, and signal to noise ratio is less, m ₀value is less, to filter more noise data; If the generation probability of noise data is p, m ₀should be less than 1-p;

D. with group g _k' ..., g _r' the data that comprise, calculating mean value

$p=\underset{i=r}{\overset{k}{\mathrm{\&Sigma;}}}\left|g_i^{\text{'}}\right|$

${\stackrel{\&OverBar;}{x}}_h=\frac{1}{p}\mathrm{\&Sigma;}{x}_j$

X herein _j∈ g _i', i=r, r+1 ..., k.

Spatial coherence is for the consistency of the abnormal data of compute cluster interior nodes; Concrete, described spatial coherence evaluation method is as follows:

Data exception node is pressed to offset direction classification, and the data exception interstitial content in establishing bunch with a certain offset direction feature is c ', and the data of the total node in bunch are c _h, calculate abnormal support s _efor:

$s_e=\frac{c^{\text{'}}}{c_h}$

Abnormal support threshold value s for appointment ₀if: s _e>=s ₀, think the node meeting spatial correlation of discovery data exception of bunch interior nodes; Otherwise, think that the node of discovery data exception of bunch interior nodes does not meet spatial coherence.

For the anomaly analysis based on temporal correlation, the size of time window is a very important index: time window is young, higher for the detection sensitivity of data variation, but easily produces false alarm for noise data; Time window is large, and corresponding false alarm reduces, but can real abnormal behaviour be produced and be failed to report.For this problem, a kind of dynamic time windowing mechanism is proposed, adopt delay process and dynamic adjustment mode: first transducer adopts shorter time window to detect, when finding that current data is abnormal, increasing time window continues to detect, if still there is data exception in the time window after this increase, carry out follow-up abnormality processing.

Specific design with regard to this case gives simple declaration below.

Set up data histogram

Data histogram is set up at each leader cluster node, and is distributed to whole network, can guarantee that so whole network all adopts unified standard analysis temporal correlation.While setting up data histogram, each node only needs to upload the summary info of measurement data, and needn't transmit all measurement data.

Set up histogrammic algorithm as follows:

Input: node n _idata summarization information

Output: histogrammic structure

Algorithm:

For histogram, grouping number is a very important index,, adopts in queueing theory the empirical equation k=1+3.22lgc that sample data is divided into groups herein _h.Because each node all needs to upload summary info, therefore, if network size is n, communication overhead is O (n).

The correlation analysis algorithm of data

Temporal correlation is analyzed: in bunch, each node defines according to temporal correlation, investigates the consistency of current window data and history window data.If meet temporal correlation, continue measurement data; Otherwise, be considered as data exception, the nodal information of data exception need to be uploaded to leader cluster node, further analyze abnormal spatial coherence.

Spatial Correlation Analysis: this algorithm is only in leader cluster node and base station operation, for calculating abnormal data in the consistency of Spatial Dimension.Now, both consider the direction that data depart from, whether unanimously considered again to depart from scope.Only have and meet offset direction simultaneously and depart from all consistent two conditions of scope, be just regarded as the data consistency on meeting spatial.Owing to adopting complete bunch of unified data histogram, therefore can be by investigating abnormal data in the ownership situation of histogram grouping, judge data whether depart from scope consistent.Gradual and the continuation that the event of considering occurs, falls into the situation of histogrammic same grouping or adjacent packets herein for abnormal data, be all considered as data to depart from scope consistent.

The algorithm of spatial Correlation Analysis is as follows:

Input: the abnormal data information that node is uploaded

Output: the information of abnormal nodes

Algorithm:

Below in conjunction with experiment, the present invention is further illustrated.

Experiment purpose is feasibility and the validity of check the inventive method, and provides certain reference to the selection of threshold value.What participate in the inventive method contrast is the centralized algorithm based on temporal and spatial correlations; Centralized algorithm using all detect data send to calculate total data in ，You base station, base station average as reference data.Follow-up temporal correlation processing and the present invention are similar.

Experimental design is as follows: in 8.4m * 7.2m laboratory, disposed 20 MICA2 nodes of measuring temperature.For the sake of simplicity, our definition time window is 5, in a time window, equally spaced detects temperature 5 times.Obtain the measurement data of 10 nearest time windows, as training data.Obtain the data of a nearest time window, added at random some artificial synthetic abnormal datas, abnormal with this analogue data.Suppose that the communications cost of node and the data volume of transmission are directly proportional, adopt the data volume of node transmission as the standard of weighing communications cost.

Fig. 2 and Fig. 3 have shown the impact of average irrelevance threshold value for testing result, and wherein Fig. 2 adopts the distributed algorithm of one's duty invention to process, and Fig. 3 adopts centralized algorithm to process.Can find out, adopt centralized algorithm, testing result is unstable, because the node average of zones of different is different, but centralized algorithm adopts the mean value computation of total data in whole network, and noise data wherein can make the average of calculating inaccurate.Therefore, a part of normal data is regarded as abnormal data; Meanwhile, a part of abnormal data is also regarded as normal data.And employing distributed algorithm, abnormality detection rate and rate of false alarm are all more stable.By scheming, threshold value t ₀between 25% and 30%, can guarantee higher verification and measurement ratio and lower rate of false alarm.

Fig. 4 has shown that abnormal support threshold value is for the impact of abnormality detection rate.Because two kinds of algorithms adopt same way as, calculate abnormal support, so their verification and measurement ratio is more stable generally.When support threshold value is less than 60%, distributed algorithm has higher verification and measurement ratio.And be greater than after 60% when threshold value, the verification and measurement ratio of distributed algorithm reduces to zero, and centralized algorithm still has certain verification and measurement ratio, is because the centralized algorithm processing time during correlation, can be abnormal nodes a part of normal node wrong report.In practical application, the threshold value of abnormal support has upper range, if because abnormal occurrence scope is very large, extremely changed a kind of general behavior into.

Fig. 5 has shown that distributed algorithm is with respect to centralized algorithm, adopt the impact of different average irrelevance threshold values on communications cost economy, communications cost economy herein equals the node average unit cost of distributed algorithm calculating with respect to the minimizing percentage of centralized algorithm cost.Along with the change of average irrelevance threshold value is large, communications cost economy also becomes greatly, this be because, the nodes of data exception now tails off, thus the cause that needs the data volume of transmission also to reduce.Known by Fig. 2 above, average irrelevance threshold value t ₀between 25% and 30%, can guarantee higher verification and measurement ratio and lower rate of false alarm.We also adopt this scope, and as shown in Figure 5, the communications cost of saving has reached 90% to 95%.

The above is only the preferred embodiment of the present invention; be noted that for those skilled in the art; under the premise without departing from the principles of the invention, can also make some improvements and modifications, these improvements and modifications also should be considered as protection scope of the present invention.

Claims (5)

1. the distributed event detection method based on correlation, carries out event detection for a bunch wireless sensor network for type topological structure, it is characterized in that: comprise the steps:

(1) sensor node obtains the detection data of self, calculates summary data and summary data is uploaded to a bunch head;

(2) bunch head gather bunch in the summary data uploaded of all the sensors node, set up the data histogram of complete bunch, issue this data histogram to bunch in all the sensors node, what issue also comprises the threshold data obtaining from base station simultaneously;

(3) bunch interior nodes generates local data histogram according to data histogram and the threshold data of complete bunch, calculate the average of nearest historical data, then detect nearest time window data, calculate the temporal correlation of current data and historical data: if meet temporal correlation, current data is normal, continues to detect; If do not meet temporal correlation, current data is abnormal, and current data is uploaded to a bunch head;

(4) spatial coherence of the data exception node in leader cluster node compute cluster: if meeting spatial correlation is considered as abnormal nodes, this node is included into abnormal nodes set; If do not meet spatial coherence, be considered as isolated node, this node is included into isolated node set; Bunch head is uploaded to base station by abnormal nodes set and isolated node aggregate information;

(5) base station is to the processing of classifying of abnormal nodes set and isolated node aggregate information:

Abnormal nodes set: abnormal nodes is carried out to Macro or mass analysis, detect abnormal area;

Isolated node set: isolated node is grouped in adjacent sub-clustering, sets up interim bunch, according to the raw information of the abnormal information of this isolated node and this adjacent cluster, set up new data histogram; In this interim bunch, reanalyse the spatial coherence of this isolated node: if meeting spatial correlation is included into abnormal nodes set by this isolated node, and upgrade to formal bunch by this interim bunch, this abnormal nodes is deleted from former bunch simultaneously; If do not meet spatial coherence, this isolated node is joined to the isolated node set of base station, and abandon this interim bunch; Isolated node in continuous time window, is included into failure node set by this isolated node, and upgrades the corresponding sub-clustering information of this isolated node.

2. the distributed event detection method based on correlation according to claim 1, is characterized in that: described temporal correlation evaluation method is as follows:

For sensor node n _i, by node n _ithe mean value of the historical data of measuring

as baseline mean, the data mean value of measuring in nearest time window is

computing time window average irrelevance t _wfor:

$t_w=\frac{|\stackrel{\&OverBar;}{w_i}-\stackrel{\&OverBar;}{n_i}|}{\stackrel{\&OverBar;}{n_i}}$

Direction d (the t that data depart from _w) be defined as follows:

$d\left(t_w\right)=\left\{\begin{array}{cc}1& \stackrel{\&OverBar;}{w_i}>\stackrel{\&OverBar;}{n_i}\\ -1& \stackrel{\&OverBar;}{w_i}<\stackrel{\&OverBar;}{n_i}\end{array}\right.$

Irrelevance threshold value t for the time window average of appointment ₀if: t _w≤ t ₀, think node n _idata meet temporal correlation; Otherwise, think node n _idata do not meet temporal correlation.

3. the distributed event detection method based on correlation according to claim 2, is characterized in that: the computational methods of described mean value are:

A. for data x ₁, x ₂..., x _n, according to each data generated data histogram, obtain k grouping g ₁, g ₂..., g _i..., g _k;

B. define the size of i grouping | g _i| be the number of i the data that comprise in dividing into groups, according to the size of each grouping, descending arrangement obtains g _k' ..., g _i' ..., g ₂', g ₁';

C. a given mean data coverage m ₀, data are respectively organized in descending accumulation, until group g _r' meet following formula:

$\frac{\underset{i=r}{\overset{k}{\mathrm{\&Sigma;}}}{g}_i^{\text{'}}}{\underset{i=1}{\overset{k}{\mathrm{\&Sigma;}}}{g}_i^{\text{'}}}\&GreaterEqual;m_0$

D. with group g _r' ..., g _k' the data that comprise, calculating mean value

$p=\underset{i=r}{\overset{k}{\mathrm{\&Sigma;}}}\left|g_i^{\text{'}}\right|$

${\stackrel{\&OverBar;}{x}}_h=\frac{1}{p}\mathrm{\&Sigma;}{x}_j$

X herein _j∈ g _i', i=r, r+1 ..., k.

4. the distributed event detection method based on correlation according to claim 1, is characterized in that: described spatial coherence evaluation method is as follows:

Data exception node is pressed to offset direction classification, and the data exception interstitial content in establishing bunch with a certain offset direction feature is c ', and the data of the total node in bunch are c _h, calculate abnormal support s _efor:

$s_e=\frac{c^{\text{'}}}{c_h}$

Abnormal support threshold value s for appointment ₀if: s _e>=s ₀, think the node meeting spatial correlation of discovery data exception of bunch interior nodes; Otherwise, think that the node of discovery data exception of bunch interior nodes does not meet spatial coherence.

5. the distributed event detection method based on correlation according to claim 1, it is characterized in that: the time window using in described step (3) is dynamic time window, that is: first transducer adopts shorter time window to detect, when finding that current data is abnormal, increasing time window continues to detect, if still there is data exception in the time window after this increase, carry out follow-up abnormality processing.

Images