CN109600378B - Heterogeneous sensor network abnormal event detection method without central node - Google Patents

Heterogeneous sensor network abnormal event detection method without central node Download PDF

Info

Publication number
CN109600378B
CN109600378B CN201811529692.3A CN201811529692A CN109600378B CN 109600378 B CN109600378 B CN 109600378B CN 201811529692 A CN201811529692 A CN 201811529692A CN 109600378 B CN109600378 B CN 109600378B
Authority
CN
China
Prior art keywords
node
event
sentinel
nodes
detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811529692.3A
Other languages
Chinese (zh)
Other versions
CN109600378A (en
Inventor
原锦辉
周洪伟
张来顺
李福林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Information Engineering University of PLA Strategic Support Force filed Critical Information Engineering University of PLA Strategic Support Force
Priority to CN201811529692.3A priority Critical patent/CN109600378B/en
Publication of CN109600378A publication Critical patent/CN109600378A/en
Application granted granted Critical
Publication of CN109600378B publication Critical patent/CN109600378B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/02Services making use of location information
    • H04W4/029Location-based management or tracking services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30Services specially adapted for particular environments, situations or purposes
    • H04W4/38Services specially adapted for particular environments, situations or purposes for collecting sensor information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Alarm Systems (AREA)

Abstract

The invention provides a heterogeneous sensor network abnormal event detection method without a central node. The method comprises the following steps: when a specific event occurs, acquiring related data acquired by each node in the heterogeneous sensor network to form an original data set; carrying out data mining on the original data set by using an Apriori algorithm to obtain an event track set of the specific event, wherein the event track set comprises node tracks of all nodes; carrying out event pre-detection by utilizing the selected sentinel nodes and the selected sentinel nodes, and if suspected abnormal events are found in the event pre-detection stage, sending warning information to all other nodes, wherein the warning information comprises a suspected abnormal event list; and the nodes receiving the warning information confirm whether to participate in event re-detection according to the suspected abnormal event list, and the nodes participating in the event re-detection confirm whether abnormal events occur according to respective node tracks in the event re-detection stage. The invention can reduce the performance overhead and ensure the network security.

Description

Heterogeneous sensor network abnormal event detection method without central node
Technical Field
The invention relates to the technical field of sensor networks, in particular to a heterogeneous sensor network abnormal event detection method without a central node.
Background
A wireless sensor network is a network consisting of a large number of inexpensive passive miniature sensor nodes. The wireless sensor network is generally deployed in the following form: the system consists of a large number of cheap passive miniature nodes and a small number of central nodes. In this deployment form, the sensor nodes only complete a small amount of operations and only send necessary information (sending information is the main reason of energy consumption of the sensor nodes), and the collection, sorting and analysis of sensing data are completed by the central nodes due to the fact that the central nodes are not limited by energy and computing capacity.
In such a conventional sensor network, on one hand, due to the cost limitation of the sensor node, the sensor node often only completes necessary function implementation, and it is difficult to deploy excessive security measures, and it is difficult to ensure the security of the node itself. On the other hand, since the sensor nodes are often deployed at positions that may be reached by an attacker, the physical control right of the sensor nodes is difficult to guarantee. In general, the security of the sensor network is difficult to be ensured by the security of a single node.
By heterogeneous sensor network is meant that there are different types of sensor nodes in the network. The environmental indicators perceived by different sensor nodes may be different. For example, some sensor nodes sense temperature, some sensor nodes sense pressure, and some sensor nodes sense geographical location. When different types of sensor nodes are deployed in a sensor network, the types of sensing data must be effectively distinguished so as to process and analyze the sensing data. Compared with a homogeneous sensor network, the heterogeneous sensor network has richer acquired environment information, but the management is more complex.
A typical abnormal event detection method for a sensor network generally includes acquiring environmental data by a sensor node, and finishing abnormal event determination by a central node, such as a slad (objective logical analog detection). In the case, the sensor nodes collect the collected data to the central node, the central node collects the data collected by the sorting nodes, the abnormal degree of the node data is judged based on the time correlation and the space correlation, and the abnormal degree is quantified based on the subjective logic, so that a qualitative conclusion is given to the fact that the node is attacked. Obviously, when the sensor network has no central node, the abnormal event detection mode does not exist.
The detection of abnormal events in Heterogeneous sensor networks is more complex than in homogeneous networks, typically dfhn (data Fusion on a distributed Heterogeneous sensor network). In this case, a two-stage approach is proposed for anomalous event detection. Firstly, clustering a network by using geographical position information of sensor nodes, carrying out classifier training on data in the clusters, and obtaining a local view of an event according to whether the event occurs or not; secondly, training a classifier on the basis of the local view to calculate a global solution, namely, integrating the results of all clusters so as to judge whether an event occurs. In the process, the case uses machine learning technologies such as k nearest neighbor, neural network and support vector machine, and compared with a weighted voting algorithm, the detection rate of abnormal events can be improved. However, this case assumes that the probability of abnormal events occurring in different clusters in the network is the same, which is not normal in practical applications.
In a sensor network with a central node, the detection work of the abnormal event is usually completed by the central node, so that the energy overhead problem of the central node is not required to be considered too much. However, in a sensor network without a central node, the detection of the abnormal event can only be completed by the sensor node itself, and how to reduce the energy overhead of the sensor node and complete the detection of the network abnormal event becomes critical under the condition that the security of the node itself is threatened.
Disclosure of Invention
In order to solve the problem that the safety of nodes in the existing sensor network is threatened, the invention provides a heterogeneous sensor network abnormal event detection method without a central node.
The invention provides a heterogeneous sensor network abnormal event detection method without a central node, which comprises the following steps:
further, the heterogeneous sensor network refers to a network formed by a plurality of sensor nodes of different node types, and the method comprises the following steps:
step 1, when a specific event occurs, acquiring related data acquired by each node in the heterogeneous sensor network to form an original data set;
step 2, carrying out data mining on the original data set by using an Apriori algorithm to obtain an event track set of the specific event, wherein the event track set comprises node tracks of all nodes;
step 3, performing event pre-detection by using the selected sentinel nodes and the selected sentinel nodes, and if suspected abnormal events are found in the event pre-detection stage, sending warning information to all other nodes, wherein the warning information comprises a suspected abnormal event list;
and 4, the nodes receiving the warning information confirm whether to participate in event re-detection according to the suspected abnormal event list, and the nodes participating in the event re-detection confirm whether abnormal events occur according to respective node tracks in the event re-detection stage.
Further, the step 2 specifically includes:
step 2.1, traverse node SiObtaining the data of all sampling periods to obtain a node SiAll frequent 1 item sets L of1I is 1,2, …, n, n is the number of nodes;
step 2.2, node SiFrequent 1 item set L for the current sampling period1Frequent 1 item set L of its next sampling period1Connecting to generate candidate 2 item set C2
Step 2.3, calculate candidate 2 item set C2If the support degree of each candidate 2 item subset is greater than the minimum support degree min _ sup, the node S is obtainediFrequent 2 item set L2
Step 2.4, node SiFrequent 2 item set L2Continue to connect with the frequent 1 item set of its next sampling period to generate the candidate 3 item set C3Computing a candidate 3 item set C3If the support degree of each candidate 3 item subset is greater than the minimum support degree min _ sup, the node S is obtainediFrequent 3 item set L3
And 2.5, repeating the steps 2.1 to 2.4 by analogy until a new frequent item set with a larger length cannot be generated, and taking the current frequent item set as a node SiThe node trace of (1), denoted as pi
And 2. step 2.6. Repeating the step 2.1 to the step 2.5 by parity of reasoning until all the nodes finish node track mining to obtain a node track set { p }1,p2,…,pn};
Step 2.7, filtering the node track set { p1,p2,...,pnDeleting the frequent item set with the length smaller than a preset threshold min _ len to obtain an event track set s ═ e: p 'of a specific event e'1,p'2,…,p'n}。
Further, the step 3 further comprises:
distributing sentinel tokens, sentinel tokens and sentinel node selection token sequence sets and sentinel token sequences to each node;
and selecting a token sequence number set and a sentinel token sequence according to the sentinel token, the sentinel token and the sentinel node, and selecting the sentinel node and the sentinel node from all nodes.
Further, the selection protocol of the sentinel nodes is as follows:
step A1, after the current work cycle is finished, the sentinel node with the maximum sentinel token sequence number k sends out sentinel node selection information { m0, k, random };
step A2, calculating M by each nodeTK + random mod n, if the result M is calculatedTIf the number is equal to the sentinel token serial number a, the node is taken as the sentinel node of the next working cycle;
step A3, if the sentinel node is the sentinel node of the current working cycle, the sentinel node sends sentinel node transfer information { m1, a,1}, and the step A4 is skipped; if the energy level of the sentinel node is lower than a preset energy threshold, the sentinel node sends sentinel node transfer information { m2, a }, other nodes record the number of nodes with energy levels lower than the preset energy threshold, if the number of the nodes is higher than the preset warning threshold, an energy warning is sent, and the step A4 is skipped; otherwise go to step A5;
step A4, calculating M by each nodeTIf a +1mod n, the result M is calculatedT' in phase with the sentinel token serial number it holdsIf so, taking the node as a sentinel node of the next working cycle, and turning to the step A3, wherein d is the latest unused sequence number in the sentinel node selection token sequence number set;
step A5, if the number of sentinel nodes in the selected next working period reaches a preset value x, the protocol is ended; otherwise, the newly selected sentinel node f reads the sentinel node selection token sequence number set held by the sentinel node f and sends out sentinel node selection information { m0, f, d };
step A6, selecting other nodes of the token sequence number set by the sentinel node with the target node, verifying whether d in { m0, f, d } is legal, and if not, sending an alarm to stop operation; otherwise go to step A7;
step A7, calculating M by each nodeTIf "d + f mod n, the result M is calculatedTIf the token number is equal to the sentinel token number held by the node, the node is regarded as the sentinel node of the next work cycle, and the process goes to step a 3.
Further, the selection protocol of the sentinel node is as follows:
step B1, after the selection of the sentinel nodes is finished, all the nodes read the held secret token sequences;
and step B2, each node determines whether the next working period is a secret whistle node or not according to the secret whistle token sequence and the current working period.
Further, the event pre-detection in step 3 specifically includes:
step 3.1, the sentinel nodes collect first environment information according to a sampling period, broadcast the collected first environment information, and determine a suspected abnormal event list according to the first environment information and respective node tracks;
and 3.2, the sentinel node acquires second environment information according to a sampling period, receives the first environment information broadcast by the sentinel node, and determines a suspected abnormal event list according to the acquired first environment information and the acquired second environment information and respective node tracks.
Further, the nodes participating in the event redetection in the step 4 determine whether an abnormal event occurs according to respective node trajectories in the event redetection stage, specifically:
step 4.1, each node obtains judgment result information according to the collected data and the node track of the node, and broadcasts the judgment result information, wherein the judgment result information comprises an event serial number and a support degree corresponding to the event serial number;
step 4.2, each node collects all the judgment result information and generates comprehensive judgment data of the suspected abnormal event list, wherein the comprehensive judgment data comprises an event serial number, a node type and the support degree of different node types corresponding to the event serial number;
4.3, each node converts the support degree in the comprehensive judgment data into subjective logic opinions;
4.4, aiming at a single event in the suspected abnormal event list, combining subjective logic opinions of other nodes about the single event by each node to obtain a final opinion of the single event;
and 4.5, each node calculates the probability that the single event is an abnormal event according to the final opinion, and if the probability is greater than an abnormal probability threshold value, the abnormal event is judged to occur.
Further, the converting the support degree in the comprehensive judgment data into a subjective logical opinion in the step 4.3 specifically includes: if the support degree is b, the subjective logical opinion is (b,0, 1-b).
Further, the combining the subjective logical opinions of other nodes about the single event in the step 4.4 specifically includes:
combining the subjective logic opinions of other nodes of the same node type about the single event pairwise according to a first combination rule; combining the subjective logic opinions of other nodes of different node types about the single event pairwise according to a second combination rule; wherein the content of the first and second substances,
the first merging rule is:
setting subjective logical opinion of any two nodes A and B of the same node type about the single eventAre respectively (b)A,0,uA) And (b)B,0,uB) The combined subjective logical opinion is (b)A◇B,0,uA◇B):
Figure BDA0001905328050000051
The second merge rule is:
setting subjective logical opinion of any two nodes C and D of different node types about the single event (b)C,0,uC)、(bD,0,uD) The combined opinion is (b)C◇D,0,uC◇D):
Figure BDA0001905328050000061
Further, the step 4.6 specifically includes:
if the final opinion of the single event is (b)z,0,uz) Then the probability that the single event is an abnormal event is η ═ bz+0.5*uzAnd if the eta is larger than the anomaly probability threshold, judging that an anomaly event occurs.
The invention has the beneficial effects that:
the method for detecting the abnormal events of the heterogeneous sensor network without the central node adopts a small number of nodes selected randomly as sentinels to reduce the number of working nodes in the network and reduce the energy expenditure of the nodes. In order to avoid the control of the sentinel nodes, a mode of combining a plain sentinel and a secret sentinel and randomly selecting is adopted, so that an attacker has difficulty in controlling all the sentinel nodes. In order to further reduce energy expenditure and improve the identification degree of the abnormal event, the event track of the abnormal event is mined based on an Apriori algorithm, and the occurrence of the abnormal event is quickly detected by adopting a method combining pre-detection and complex detection.
Drawings
Fig. 1 is a schematic flowchart of a method for detecting an abnormal event in a non-central node heterogeneous sensor network according to an embodiment of the present invention;
fig. 2 is a second flowchart illustrating a method for detecting an abnormal event in a non-central node heterogeneous sensor network according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of event trajectory mining according to an embodiment of the present invention;
fig. 4 is a schematic diagram illustrating a principle of event pre-detection performed by a heterogeneous sensor network without a central node according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a sequence of sentinel tokens according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A sensor node: the micro node can sense specific environmental data (such as temperature, humidity and pressure) and can report the sensed data through a wireless network. In the invention, the sensor node is called node or end node for short.
The wireless sensor network: the system comprises nodes deployed in a monitoring area, and is formed into an ad hoc wireless network through wireless communication network connection.
Heterogeneous sensor network: the sensor network is composed of a plurality of sensor nodes of different types, and the environment data collected by different sensor nodes are different.
Center node (sink node): the wireless sensor network refers to a sink node and is mainly responsible for connection between the sensor network and an external network. Generally, the sink node is directly connected with the computer, the computer can supply power, and complex calculation can be finished by entrusting the computer, so that the sink node is infinite in energy and infinite in calculation capacity.
Time correlation: the data collected by the sensor nodes are continuous in time, and generally do not show the occurrence of sudden change. For example: the node senses the atmospheric temperature to be 23 degrees at the previous moment, and the atmospheric temperature sensed at the current moment generally does not change greatly. If a large change occurs, such as sensing an atmospheric temperature of 50 degrees, a fire or other abnormal event may occur.
Spatial correlation: the perception results of adjacent nodes to the same environmental factor often have some relation. For example, the node a and the node B are deployed outdoors at the same time and used for acquiring the atmospheric humidity, and since the atmospheric humidity does not change greatly within a short distance, the data perceived by the two nodes should be substantially consistent.
Plain whistle node: the term of the invention refers to a sensor node in a sensor network, which is in a working state. The working state refers to that the sensor node collects environmental information, sends the collected data in a broadcast mode and simultaneously performs abnormal event detection work.
The node of the whistle: the term of the invention refers to a sensor node in a sensor network in a latent state. The latent state refers to that the sensor node collects environment information, listens messages broadcast by the sentry node and simultaneously performs abnormal event detection work.
And (4) idle nodes: the term of the invention refers to a sensor node in an idle state in a sensor network. The idle state means that the sensor node only monitors the message broadcast by the sentinel node and only completes simple abnormal event detection calculation.
Event track: is a data reflection of a particular event on a sensor node. For example: a door open event. Given the difference in indoor and outdoor temperatures, the direct result of a door opening event is a change in indoor temperature. For a temperature sensor deployed in a room, a plurality of temperature sensor nodes in the room can sense the temperature change, and the change can be changed according to the change of the deployment positions of the nodes and the positions of the doors. Therefore, the occurrence of the opening of the door can be found through the change of the sensing data of the temperature sensor node.
Abnormal event detection rules: the rule is a mapping of a single node of an event track of an abnormal event in a single sampling period. For example: assuming that the outdoor temperature is higher than the indoor temperature, the door open event will cause the temperature sensed by the 5 nodes to continue to rise to a certain value within 3 sample periods. Thus, for a single node to perform exceptional event detection, the rules for that node are: the temperature rises for three consecutive sampling periods. In this way, the event trace of a complex exceptional event can be decomposed into rules which can be used by a single node.
The application scenarios of the embodiment of the invention are as follows: in the sensor network, a plurality of types of sensor nodes are densely deployed, and the nodes can be directly and wirelessly interconnected, but no central node exists in the sensor network.
Typical examples of applications: in order to monitor the safety of jewels in the transfer process, a plurality of sensor nodes are deployed on a jewel transport vehicle, are divided into different types (such as temperature sensing, pressure sensing and address location sensing) and form a heterogeneous sensor network. The condition that the central node is not arranged in the transport vehicle is avoided, and the concentration of the attack target caused by the arrangement of the central node is also avoided. The transit vehicle may deploy several security measures (e.g., alarms) in response to the sensor network discovering the anomalous event.
With reference to fig. 1 to 3, the technical solution of the embodiment of the present invention is mainly divided into a rule preparation phase and an event detection phase. In order to save energy expenditure, the event detection phase is divided into an event pre-detection phase and an event re-detection phase. The method for detecting the abnormal event of the heterogeneous sensor network without the central node mainly comprises the following steps:
s101, when a specific event occurs, acquiring related data acquired by each node in the heterogeneous sensor network to form an original data set;
the step is a data acquisition link. Data collection is to record relevant data of each sensor node by using a sensor network when a certain event occurs, so as to form a raw data set (also called a rough data set).
In order to increase the identification capability of the sensor network to the abnormal events, the data collected in the data collection step can be data collected when the abnormal network events occur or data collected when the normal network events occur. To improve the accuracy of event trace mining, each event is collected multiple times, forming a sufficient number of samples, resulting in a coarse data set for that event.
In the present invention, an abnormal network event is also referred to as an abnormal event, and a normal network event is also referred to as a normal event. That is, in this step, the specific event includes both an abnormal event and a normal event. The normal event refers to an event which normally occurs in the sensor network, for example, in a jewelry transport vehicle, a door is opened, so that the temperature sensed by the temperature sensor node changes regularly. The abnormal event refers to an abnormal event occurring in the sensor network, for example, in a jewelry transport vehicle, a vehicle door is violently opened by a thief by explosive, and the temperature sensed by the temperature sensor node shows a sudden abnormal rise. Of course, in addition to normal and abnormal events, unknown events are also included. For unknown events, the method classifies the unknown events into suspected abnormal events, processes the unknown events according to an abnormal event response flow, for example, the suspected abnormal events and the suspected abnormal events send warnings, and the content and the level of the warnings between the suspected abnormal events and the abnormal events are different.
S102, carrying out data mining on the original data set by using an Apriori algorithm to obtain an event track set of the specific event, wherein the event track set comprises node tracks of all nodes;
the event track is the data reflection of a specific event on the sensor node, namely, when a specific event occurs, the data sensed by each node of the sensor network is regularly changed. For example, an event trace may be represented as a set of individual node traces, in the form of: { node 1 trace, node 2 trace,.., node n trace }. The node track refers to the regular change condition of data sensed by a certain node when a certain specific event occurs. For example, a node trajectory may be represented as: (node identification: x)1,x2,...,xn) Wherein x is1,x2,...,xnShowing the change rule of the data collected by the node from the 1 st sampling period to the nth sampling period. If further analysis shows that the data change of the node in a certain sampling period or a certain sampling period does not have a necessary rule, the data change rule of the corresponding sampling period of the node track is empty, and the fact that the sampling period has no statistical value is indicated.
The mining of the event trajectory by means of the Apriori algorithm is divided into two steps. Firstly, training is carried out based on a perception data sequence of a single node, a node track is found, and the meaning of the node track is as follows: when a certain event occurs, it is observed whether a certain regular change always occurs in a node. In other words, a node trajectory is a time dimension that examines whether there is some connection between an event and node-aware data. Secondly, the relation among a plurality of nodes is counted, and an event track mapped to the whole network is found, wherein the meaning of the event track is as follows: when a certain event occurs, there is always a regular change in which nodes. Essentially, it is examined in the spatial dimension to which nodes an event has some connection.
The purpose of data mining in this step is to discover which nodes have which apparent changes in their perceptual data when a particular event occurs. Taking the detection of a door opening event as an example: when the door is opened, the temperature sensed at node a rises first, the temperature sensed at nodes B and C also begins to rise during the second sampling period, and the temperature sensed at nodes A, B and C both rise to the same level during the fourth sampling period and then do not change.
It should be noted that, in practical applications, in consideration of a certain noise interference existing in an original data set, before data mining is performed on the original data set, data preprocessing needs to be performed on the original data set. And the data preprocessing link is to reform the rough data set under the guidance of expert opinions to form a data set to be mined. In the data preprocessing step, firstly, the obviously wrong data needs to be filtered. Due to the reasons of the sensor nodes or external factors, the data sensed by the sensor nodes may be abnormal, and the data with obvious abnormality needs to be eliminated. Second, the data needs to be preprocessed according to expert opinion. For example: the expert thinks that the event of 'opening the door' should be found according to the temperature change rather than the temperature, so the data of the temperature continuous change is processed according to the data continuously collected by the sensor node to form a data set to be mined.
S103, performing event pre-detection by using the selected sentinel nodes and the selected sentinel nodes, and if suspected abnormal events are found in the event pre-detection stage, sending warning information to all other nodes, wherein the warning information comprises a suspected abnormal event list;
suppose that an attacker takes a certain amount of time (denoted by T1) to attack the sensor network behavior. The minimum interval of the sampling time of sensing the environment by each node of the sensor network is T2. It should be noted that T2< T1 means that the sensor network should have at least one sampling during the attack, otherwise the sensor network will not sense the attack. Of course, the higher the frequency of the node sampling time, the higher the probability that the sensor network will find the attack behavior, but frequent sampling will consume the energy of the node too fast. In other words, the invention hopes that the node can have the capability of discovering the attack behavior on the premise of sampling times as few as possible.
In order to quickly discover an abnormal event on the premise of no central node and as low as possible energy overhead, the embodiment of the invention is provided with event pre-detection.
Event pre-detection is a low-energy detection state when the sensor network is normally deployed. In the event pre-detection phase, only a few nodes are in working state, and most nodes are in dormant state. When a certain specific event is suspected to occur, the node in the working state sends out a signal to wake up the related node to participate in event double detection. Through the working mode, most of the sensor network nodes are in a dormant state most of the time, no message is sent, no data detection is carried out, and the energy consumption is greatly reduced.
In the event pre-detection phase, the nodes in working state must be faced with the risk of being controlled by enemies. In the event pre-detection phase, as only a few nodes in the network are in working states, if an attacker can determine the nodes and opportunistically attack the nodes, the whole sensor network can be controlled by controlling the few nodes. For this purpose, we propose a pre-detection working mode combining the sentinel nodes and the sentinel nodes.
As shown in fig. 4, a small number of nodes are randomly selected as sentinel nodes (such as shaded nodes in the graph) to complete normal abnormal event detection, and meanwhile, a small number of nodes are randomly selected as sentinel nodes (such as mesh nodes in the graph) to supervise whether the sentinel nodes work normally, and other nodes are in an idle state to reduce node energy overhead. In order to find out the network abnormal event in a small number of sampling periods, the embodiment of the invention perceives the event from different angles by means of heterogeneous sensor networks (such as nodes with different shapes in the figure).
And S104, the nodes receiving the warning information confirm whether to participate in event re-detection according to the suspected abnormal event list, and the nodes participating in the event re-detection confirm whether abnormal events occur according to respective node tracks in the event re-detection stage.
For a single node, some variation trace may correspond to multiple events according to the rules it holds, and further event confirmation needs to be assisted by other nodes, for example: the node senses that the temperature is high, possibly caused by a door opening event or a fire, and the judgment is required to be completed together with other nodes according to the subsequent change track of the node. Therefore, after step S103, the relevant node performs event double detection.
As shown in fig. 4, in the embodiment of the present invention, a method of network training and data mining is adopted to obtain an event trajectory of a specified network event, and decompose the event trajectory into related sensor nodes (e.g., dashed circles in the figure).
According to the heterogeneous sensor network abnormal event detection method without the central node, a small number of nodes are randomly selected to serve as sentinels, so that the number of working nodes in the network is reduced, and the energy expenditure of the nodes is reduced. In order to avoid the control of the sentinel nodes, a mode of combining a plain sentinel and a secret sentinel and randomly selecting is adopted, so that an attacker has difficulty in controlling all the sentinel nodes. In order to further reduce energy expenditure and improve the identification degree of the abnormal event, the event track of the abnormal event is mined based on an Apriori algorithm, and the occurrence of the abnormal event is quickly detected by adopting a method combining pre-detection and complex detection.
On the basis of the above embodiment, the present invention provides another embodiment, which comprises the following specific processes:
s201, in order to ensure the accuracy of event track mining and avoid mutual interference between events in an analysis process, only a single event is analyzed in each round of event mining, and a track set of all events is established through multi-round mining. Taking a specific event e as an example, assuming that a sensor network comprising n nodes starts to train the specific event e, and when the specific event e occurs, acquiring related data acquired by the n nodes in the heterogeneous sensor network to form an original data set; then, data preprocessing is performed on the original data set, which is the same as the related content in the above embodiment, and is not described herein again.
S202, node SiFor example, mining an event trajectory of an event e by using an Apriori algorithm specifically includes:
s2021, traversing node SiObtaining the data of all sampling periods to obtain a node SiAll frequent 1 item sets L of1I is 1,2, …, n, n is the number of nodes;
s2022, connecting the node SiFrequent 1 item set L for the current sampling period1Frequent 1 item set L of its next sampling period1Connecting to generate candidate 2 item set C2
S2023, calculating candidate 2 item set C2If the support degree of each candidate 2 item subset is greater than the minimum support degree min _ sup, the node S is obtainediFrequent 2 item set L2
S2024, node SiFrequent 2 item set L2Continue to connect with the frequent 1 item set of its next sampling period to generate the candidate 3 item set C3Computing a candidate 3 item set C3The support of each candidate 3-item subset in (a),if the minimum support degree min _ sup is greater than the minimum support degree min _ sup, the node S is obtainediFrequent 3 item set L3
S2025, repeating the steps 2.1 to 2.4 by analogy, until a new frequent item set with a larger length cannot be generated, and taking the current frequent item set as a node SiThe node trace of (1), denoted as pi
S2026, repeating the steps 2.1 to 2.5 by analogy until all the nodes finish node track mining to obtain a node track set { p }1,p2,…,pn};
S2027, filtering the node track set { p1,p2,...,pnDeleting the frequent item set with the length smaller than a preset threshold min _ len to obtain an event track set s ═ e: p 'of a specific event e'1,p'2,…,p'n}。
It should be noted that the event trajectory reflects a rule of change of data sensed by which nodes in the sensor network exist according to the sequence of sampling periods when an event occurs. If a certain node trace does not contain any frequent item set in the event trace, it means that the node has no relation with the event e. Each specific event can obtain a corresponding event track according to the event track mining process, and an event track set of the network event to be detected is formed after the event track mining is finished for all the events respectively.
S203, decomposing the event track set according to the condition of each node in the specific event detection, and forming an available rule set to be detected for each node;
event traces rely on detection of events based on the entire sensor network, and for a single node, finer-grained detection basis is required. Because the event track is composed of the change track of a single node, the method for decomposing the event track into the detection rule comprises the following steps: let event track s ═ { e: p'1,p'2,…,p'n}, node SiIs p'i
S204, distributing sentinel tokens, sentinel tokens and sentinel node selection token sequence sets and sentinel token sequences to each node; and selecting a token sequence number set and a sentinel token sequence according to the sentinel token, the sentinel token and the sentinel node, and selecting the sentinel node and the sentinel node from all nodes.
If the current sensor network has n nodes, x sentinel nodes and y sentinel nodes are screened from the network in each round. In a secure situation, such as node deployment, each sensor node is assigned a sentinel token and a sentinel token. The sentinel token has a token serial number from 1 to n, each node holds 1 sentinel token serial number, and the sentinel token serial numbers are not repeated among the nodes. After each work cycle is finished, a sentinel node selection protocol is started, and a node which serves as a sentinel in the next work cycle is selected. The sentinel node selection token sequence number set is an integer sequence held by all nodes, is not allowed to be reused and is distributed in advance by an administrator.
Specifically, the selection protocol of the sentinel node is as follows:
step A1, after the current working cycle is finished, the sentinel node with the maximum sentinel token sequence number k sends out sentinel node selection information { m0, k, random }, wherein random is a random number;
step A2, calculating M by each nodeTK + random mod n, if the result M is calculatedTIf the number is equal to the sentinel token serial number a, the node is taken as the sentinel node of the next working cycle;
step A3, if the sentinel node is the sentinel node of the current working cycle, the sentinel node sends sentinel node transfer information { m1, a,1}, and the step A4 is skipped; if the energy level of the sentinel node is lower than a preset energy threshold, the sentinel node sends sentinel node transfer information { m2, a }, other nodes record the number of nodes with energy levels lower than the preset energy threshold, if the number of the nodes is higher than the preset warning threshold, an energy warning is sent, and the step A4 is skipped; otherwise go to step A5;
step A4, calculating M by each nodeTIf the result M is calculatedT' equal to the sentinel token number it holds, it will holdThe node is taken as a sentinel node of the next work cycle, and the process goes to step A3, wherein d is the latest unused sequence number in the sentinel node selection token sequence number set;
step A5, if the number of sentinel nodes in the selected next working period reaches a preset value x, the protocol is ended; otherwise, the newly selected sentinel node f reads the sentinel node selection token sequence number set held by the sentinel node f and sends out sentinel node selection information { m0, f, d };
step A6, selecting other nodes of the token sequence number set by the sentinel node with the target node, verifying whether d in { m0, f, d } is legal, and if not, sending an alarm to stop operation; otherwise go to step A7;
step A7, calculating M by each nodeTIf "d + f mod n, the result M is calculatedTIf the token number is equal to the sentinel token number held by the node, the node is regarded as the sentinel node of the next work cycle, and the process goes to step a 3.
The sentinel selection protocol emphasizes that the next round of sentinel nodes cannot be determined by the current round of sentinel nodes, so that an attacker can control the next round of sentinel nodes after the sentinel nodes are controlled by the attacker, thereby avoiding node detection and disabling the abnormality detection function. Meanwhile, the sentinel node also has to consider the energy overhead problem of the whole sensor network, so that the node is allowed to abandon the qualification of the sentinel node due to the energy problem.
To ensure that the sentinel selection result is not exposed, each node holds a sequence of sentinel tokens. The administrator presets nodes which are responsible for whistle every period, and preassigns whistle token sequences for each node. The sentinel token sequence is shown in fig. 5, with shading indicating that a node acts as a sentinel node for a certain duty cycle. Each node holds a certain row of the sequence of sentinel tokens shown in the figure, and is unaware of the sequence of sentinel tokens of other nodes. When the sensor network has been in operation for a long time, the sequence of sentinel tokens may be consumed, requiring reassignment by an administrator. The administrator can set the number of whistles per cycle. If the current network has higher requirement on safety, the number of the whistle in each period can be increased, so that more nodes for executing the whistle tasks in the network are compared with the whistle.
Specifically, the selection protocol of the sentinel node is as follows:
step B1, after the selection of the sentinel nodes is finished, all the nodes read the held secret token sequences;
and step B2, each node determines whether the next working period is a secret whistle node or not according to the secret whistle token sequence and the current working period.
It should be noted that, if a node is a sentinel node and a sentinel node, the node only discloses the identity of the sentinel node itself and hides the identity of the sentinel node. In the event pre-detection stage, the intelligent whistle device works in the state of a clear whistle and also works in the state of a dark whistle.
S205, performing event pre-detection by using the selected sentinel nodes and the selected sentinel nodes, and if suspected abnormal events are found in the event pre-detection stage, sending warning information to all other nodes, wherein the warning information comprises a suspected abnormal event list;
after the selection of the plain whistle and the dark whistle is completed, the network event pre-detection is completed by the plain whistle node and the dark whistle node mainly according to the following steps:
s2051, collecting first environment information by a sentinel node according to a sampling period, broadcasting the collected first environment information, and determining a suspected abnormal event list according to the first environment information and respective node tracks;
the sentinel node is a sensor node in a working state. The nodes collect environment information at fixed time intervals, send collected data in a broadcast mode, carry out necessary event detection according to the obtained data, and make judgment of the occurrence of suspected abnormal events so as to wake other nodes to start subsequent detection. For example, assume that a node holds a rule { current, chg,. DELTA. | → event }, where current represents a current value, chg represents a change value, and Δ is a correction value; if the change condition of the data perceived by the node is consistent with [ chg-delta, chg + delta ], the current node sends a message { m4, current, chg, delta, suspected abnormal event list }, wherein the suspected abnormal event list indicates that the node determines a possible network event set in advance.
Typically, the number of sentinel nodes is only a small fraction, e.g., 5%, of the total number of network sensor nodes. Because the energy expenditure of the sentinel nodes is large, all the sensor nodes are required to be alternately used as the sentinel nodes, so that the energy expenditure degrees of all the nodes are consistent.
S2052, the sentinel nodes acquire second environment information according to a sampling period, receive the first environment information broadcast by the sentinel nodes, and determine a suspected abnormal event list according to the acquired first environment information and the acquired second environment information and respective node tracks.
The sentinel node refers to a sensor node in a latent state. The nodes collect the environment information at fixed time intervals, but do not broadcast the collected data any more, only listen to the data sent by the sentinel node, perform necessary event detection according to the obtained data, and make a determination of the occurrence of a suspected abnormal event, and the determination process is similar to the determination process of the sentinel node and is not described herein again. It should be noted that if it is determined that a suspected abnormal event occurs and the sentinel node does not give an alarm, the sentinel node gives an alarm message so as to wake up other nodes to start subsequent detection. Typically, the data of a sentinel node is about 2 times that of a sentinel node. Similarly, the sentinel nodes also adopt a rotation playing mode, so that all the nodes have the opportunity to become the sentinel nodes.
S206, event redetection, which specifically comprises the following steps:
s2061, the node receiving the warning information confirms whether to participate in event redetection or not according to the suspected abnormal event list;
each node checks whether to participate in the complex detection of the event according to a suspected abnormal event list listed in the message { m4, current, chg, delta and the suspected abnormal event list };
s2062, the nodes participating in the event redetection confirm whether abnormal events occur or not according to respective node tracks in the event redetection stage, namely, the following steps are executed;
s2063, each node obtains judgment result information according to the collected data and the node track of the node, and broadcasts the judgment result information, wherein the judgment result information comprises an event serial number and a support degree corresponding to the event serial number;
after each round of collecting environmental data, each node participating in the complex detection carries out judgment according to rules, and broadcasts a judgment result message { m5, (event i, support), (event i +1, support), … };
s2063, each node collects all the judgment result information and generates comprehensive judgment data of the suspected abnormal event list, wherein the comprehensive judgment data comprises event serial numbers, node types and support degrees of different node types corresponding to the event serial numbers;
each node participating in the complex detection collects all judgment results to form judgment data about different events, and the judgment data is as follows: { event i, (node type 1, degree of support 1), (node type 1, degree of support 2), …, (node type m, degree of support n) }, where node type refers to the type of sensor node, e.g., a temperature sensor.
S2064, each node converts the support degree in the comprehensive judgment data into subjective logic opinions;
the specific conversion method comprises the following steps: if the support degree is b, the subjective logical opinion is (b,0, 1-b).
S2065, aiming at the single event in the suspected abnormal event list, combining subjective logic opinions of other nodes about the single event by each node to obtain a final opinion of the single event;
combining the subjective logic opinions of other nodes of the same node type about the single event pairwise according to a first combination rule; combining the subjective logic opinions of other nodes of different node types about the single event pairwise according to a second combination rule; wherein the content of the first and second substances,
the first merging rule is:
let the subjective logical opinion of any two nodes A and B of the same node type about the single event (e.g., event i) be (B)A,0,uA) And (b)B,0,uB) The combined subjective logical opinion is (b)A◇B,0,uA◇B):
Figure BDA0001905328050000161
The second merge rule is:
let any two nodes C and D of different node types have subjective logical opinion (b) about the single event (e.g., event i)C,0,uC)、(bD,0,uD) The combined opinion is (b)C◇D,0,uC◇D):
Figure BDA0001905328050000162
S2066, each node calculates the probability that the single event is the abnormal event according to the final opinion, and if the probability is larger than an abnormal probability threshold value, the abnormal event is judged to occur.
If the final opinion of the single event is (b)z,0,uz) Then the probability that the single event (e.g., event i) is an abnormal event is η ═ bz+0.5*uzAnd if the eta is larger than the anomaly probability threshold, judging that an anomaly event occurs.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. The method for detecting the abnormal events of the heterogeneous sensor network without the central node is characterized in that the heterogeneous sensor network refers to a network formed by a plurality of sensor nodes of different node types, and the method comprises the following steps:
step 1, when a specific event occurs, acquiring related data acquired by each node in the heterogeneous sensor network to form an original data set;
step 2, carrying out data mining on the original data set by using an Apriori algorithm to obtain an event track set of the specific event, wherein the event track set comprises node tracks of all nodes;
step 3, performing event pre-detection by using the selected sentinel nodes and the selected sentinel nodes, and if suspected abnormal events are found in the event pre-detection stage, sending warning information to all other nodes, wherein the warning information comprises a suspected abnormal event list;
and 4, the nodes receiving the warning information confirm whether to participate in event re-detection according to the suspected abnormal event list, and the nodes participating in the event re-detection confirm whether abnormal events occur according to respective node tracks in the event re-detection stage.
2. The method according to claim 1, wherein the step 2 specifically comprises:
step 2.1, traverse node SiObtaining the data of all sampling periods to obtain a node SiAll frequent 1 item sets L of1I is 1,2, …, n, n is the number of nodes;
step 2.2, node SiFrequent 1 item set L for the current sampling period1Frequent 1 item set L of its next sampling period1Connecting to generate candidate 2 item set C2
Step 2.3, calculate candidate 2 item set C2If the support degree of each candidate 2 item subset is greater than the minimum support degree min _ sup, the node S is obtainediFrequent 2 item set L2
Step 2.4, node SiFrequent 2 item set L2Continue to connect with the frequent 1 item set of its next sampling period to generate the candidate 3 item set C3Computing a candidate 3 item set C3If the support degree of each candidate 3 item subset is greater than the minimum support degree min _ sup, the node S is obtainediFrequent 3 item set L3
Step 2.5, analogizing and repeatingRepeating the steps 2.1 to 2.4 until a new frequent item set with a larger length cannot be generated, and taking the current frequent item set as a node SiThe node trace of (1), denoted as pi
And 2.6, repeating the steps 2.1 to 2.5 by analogy until all the nodes finish node track mining to obtain a node track set { p }1,p2,…,pn};
Step 2.7, filtering the node track set { p1,p2,...,pnDeleting the frequent item set with the length smaller than a preset threshold min _ len to obtain an event track set s ═ e: p 'of a specific event e'1,p'2,…,p'n}。
3. The method of claim 1, wherein step 3 further comprises:
distributing sentinel tokens, sentinel tokens and sentinel node selection token sequence sets and sentinel token sequences to each node;
and selecting a token sequence number set and a sentinel token sequence according to the sentinel token, the sentinel token and the sentinel node, and selecting the sentinel node and the sentinel node from all nodes.
4. The method according to claim 3, characterized in that the selection protocol of the sentinel nodes is:
step A1, after the current work cycle is finished, the sentinel node with the maximum sentinel token sequence number k sends out sentinel node selection information { m0, k, random };
step A2, calculating M by each nodeTK + random mod n, if the result M is calculatedTIf the number is equal to the sentinel token serial number a, the node is taken as the sentinel node of the next working cycle; wherein n represents the number of nodes;
step A3, if the sentinel node is the sentinel node of the current working cycle, the sentinel node sends sentinel node transfer information { m1, a,1}, and the step A4 is skipped; if the energy level of the sentinel node is lower than a preset energy threshold, the sentinel node sends sentinel node transfer information { m2, a }, other nodes record the number of nodes with energy levels lower than the preset energy threshold, if the number of the nodes is higher than the preset warning threshold, an energy warning is sent, and the step A4 is skipped; otherwise go to step A5;
step A4, calculating M by each nodeTIf the result M is calculatedTIf the sentinel token sequence number is equal to the sentinel token sequence number held by the sentinel node, the node is taken as the sentinel node of the next working cycle, and the process goes to step A3, wherein d is the latest unused sequence number in the sentinel node selection token sequence number set;
step A5, if the number of sentinel nodes in the selected next working period reaches a preset value x, the protocol is ended; otherwise, the newly selected sentinel node f reads the sentinel node selection token sequence number set held by the sentinel node f and sends out sentinel node selection information { m0, f, d };
step A6, selecting other nodes of the token sequence number set by the sentinel node with the target node, verifying whether d in { m0, f, d } is legal, and if not, sending an alarm to stop operation; otherwise go to step A7;
step A7, calculating M by each nodeTIf "d + f mod n, the result M is calculatedTIf the token number is equal to the sentinel token number held by the node, the node is regarded as the sentinel node of the next work cycle, and the process goes to step a 3.
5. The method according to claim 3, characterized in that the selection protocol of the sentinel nodes is:
step B1, after the selection of the sentinel nodes is finished, all the nodes read the held secret token sequences;
and step B2, each node determines whether the next working period is a secret whistle node or not according to the secret whistle token sequence and the current working period.
6. The method according to claim 1, wherein the event pre-detection in step 3 is specifically:
step 3.1, the sentinel nodes collect first environment information according to a sampling period, broadcast the collected first environment information, and determine a suspected abnormal event list according to the first environment information and respective node tracks;
and 3.2, the sentinel node acquires second environment information according to a sampling period, receives the first environment information broadcast by the sentinel node, and determines a suspected abnormal event list according to the acquired first environment information and the acquired second environment information and respective node tracks.
7. The method according to claim 1, wherein the nodes participating in the event redetection in step 4 determine whether an abnormal event occurs according to respective node trajectories in the event redetection stage, specifically:
step 4.1, each node obtains judgment result information according to the collected data and the node track of the node, and broadcasts the judgment result information, wherein the judgment result information comprises an event serial number and a support degree corresponding to the event serial number;
step 4.2, each node collects all the judgment result information and generates comprehensive judgment data of the suspected abnormal event list, wherein the comprehensive judgment data comprises an event serial number, a node type and the support degree of different node types corresponding to the event serial number;
4.3, each node converts the support degree in the comprehensive judgment data into subjective logic opinions;
4.4, aiming at a single event in the suspected abnormal event list, combining subjective logic opinions of other nodes about the single event by each node to obtain a final opinion of the single event;
and 4.5, each node calculates the probability that the single event is an abnormal event according to the final opinion, and if the probability is greater than an abnormal probability threshold value, the abnormal event is judged to occur.
8. The method according to claim 7, wherein the step 4.3 of converting the support degree in the comprehensive judgment data into subjective logical opinion specifically comprises: if the support degree is b, the subjective logical opinion is (b,0, 1-b).
9. The method according to claim 8, wherein the step 4.4 of combining subjective logical opinions of other nodes about the single event comprises:
combining the subjective logic opinions of other nodes of the same node type about the single event pairwise according to a first combination rule; combining the subjective logic opinions of other nodes of different node types about the single event pairwise according to a second combination rule; wherein the content of the first and second substances,
the first merging rule is:
let the subjective logical opinion of any two nodes A and B of the same node type about the single event be (B)A,0,uA) And (b)B,0,uB) The combined subjective logical opinion is (b)A◇B,0,uA◇B):
Figure FDA0002949870970000041
The second merge rule is:
setting subjective logical opinion of any two nodes C and D of different node types about the single event (b)C,0,uC)、(bD,0,uD) The combined opinion is (b)C◇D,0,uC◇D):
Figure FDA0002949870970000042
10. The method according to claim 9, characterized in that said step 4.5 is in particular:
if the final opinion of the single event is (b)z,0,uz) Then said single event is an exception eventHas a probability of ═ bz+0.5*uzAnd if the eta is larger than the anomaly probability threshold, judging that an anomaly event occurs.
CN201811529692.3A 2018-12-14 2018-12-14 Heterogeneous sensor network abnormal event detection method without central node Active CN109600378B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811529692.3A CN109600378B (en) 2018-12-14 2018-12-14 Heterogeneous sensor network abnormal event detection method without central node

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811529692.3A CN109600378B (en) 2018-12-14 2018-12-14 Heterogeneous sensor network abnormal event detection method without central node

Publications (2)

Publication Number Publication Date
CN109600378A CN109600378A (en) 2019-04-09
CN109600378B true CN109600378B (en) 2021-04-20

Family

ID=65961869

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811529692.3A Active CN109600378B (en) 2018-12-14 2018-12-14 Heterogeneous sensor network abnormal event detection method without central node

Country Status (1)

Country Link
CN (1) CN109600378B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110177115A (en) * 2019-06-10 2019-08-27 中国民航大学 LDoS attack detection method based on multi-feature fusion
WO2021087896A1 (en) * 2019-11-07 2021-05-14 Alibaba Group Holding Limited Data-driven graph of things for data center monitoring copyright notice

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101286872A (en) * 2008-05-29 2008-10-15 上海交通大学 Distributed intrusion detection method in wireless sensor network
CN101883385A (en) * 2010-04-12 2010-11-10 北京航空航天大学 Actively predicted reliable data transmission method in wireless sensor network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107360048A (en) * 2016-05-09 2017-11-17 富士通株式会社 Joint behavior appraisal procedure, device and system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101286872A (en) * 2008-05-29 2008-10-15 上海交通大学 Distributed intrusion detection method in wireless sensor network
CN101883385A (en) * 2010-04-12 2010-11-10 北京航空航天大学 Actively predicted reliable data transmission method in wireless sensor network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于轨迹预测的无线传感器网络覆盖控制方法;金梦;《中国优秀硕士学位论文全文数据库 信息科技辑 (月刊)》;20131115;全文 *

Also Published As

Publication number Publication date
CN109600378A (en) 2019-04-09

Similar Documents

Publication Publication Date Title
Baradaran et al. HQCA-WSN: High-quality clustering algorithm and optimal cluster head selection using fuzzy logic in wireless sensor networks
CN106604267B (en) A kind of wireless sensor network intrusion detection intelligent method of dynamic self-adapting
Rajasegarar et al. Elliptical anomalies in wireless sensor networks
Nesa et al. Outlier detection in sensed data using statistical learning models for IoT
Rajan et al. Diagnosis of fault node in wireless sensor networks using adaptive neuro-fuzzy inference system
CN109600378B (en) Heterogeneous sensor network abnormal event detection method without central node
Sumalatha et al. RETRACTED ARTICLE: An intelligent cross layer security based fuzzy trust calculation mechanism (CLS-FTCM) for securing wireless sensor network (WSN)
CN103533571A (en) FEDAV (fault-tolerant event detection algorithm based on voting)
Kolomvatsos et al. Distributed localized contextual event reasoning under uncertainty
Effah et al. Survey: Faults, fault detection and fault tolerance techniques in wireless sensor networks
Mohapatra et al. Artificial immune system based fault diagnosis in large wireless sensor network topology
CN116794510A (en) Fault prediction method, device, computer equipment and storage medium
Abid et al. Centralized KNN anomaly detector for WSN
Mitchell et al. Survivability analysis of mobile cyber physical systems with voting-based intrusion detection
CN108966327B (en) Method and system for prolonging service life of agricultural wireless sensor network
KR20110056006A (en) Sensor network and clustering method for sensor network
Ghaffari et al. FDMG: Fault detection method by using genetic algorithm in clustered wireless sensor networks
Bhojannawar et al. Anomaly detection techniques for wireless sensor networks-a survey
CN106792795B (en) Method for generating optimal scheduling scheme of wireless sensor by discrete differential evolution algorithm
CN115903650A (en) Method and system for distributed acquisition of PLC signals
Ghosh et al. A novel approach towards selection of role model cluster head for power management in WSN
Royyan et al. Data-driven faulty node detection scheme for Wireless Sensor Networks
Blanchard et al. Energy and activity monitoring over wireless sensor networks
Xiang-hua et al. Tree topology based fault diagnosis in wireless sensor networks
Lee Adaptive data dissemination protocol for wireless sensor networks

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant