Anomaly detection of network-initiated LTE signaling traffic in wireless sensor and actuator networks based on a Hidden semi-Markov Model

LTE signaling attack is a serious threat to a wireless sensor and actuator network whose facilities are dispersed and connected with LTE technology on a large scale, in order to conduct a particular mission. An LTE attacker generates a lot of signaling initiating packets, named wakeup packets, to saturate the LTE network's resources. Existing LTE signaling attack detection schemes are merely based on measuring the mean wakeup packet generation rate. Since resulting from extensive amounts of facilities involved in a normal management process, severe fluctuations of signaling traffic are ordinarily expected in the wireless sensor and actuator network, and those mean-based schemes cannot effectively distinguish between attacks and normal traffic. In this paper, we propose an advanced LTE signaling attack detection scheme based on a Hidden semi-Markov model, which captures the spatial temporal characteristics of normal wakeup packet generation behavior. Our proposed detector takes the log-likelihood of a node's wakeup packet generation as the test criterion for normality. Through simulations with various parameter settings, we verified that the proposed scheme effectively distinguishes attacker nodes from normal nodes. (C) 2016 Elsevier Ltd. All rights reserved.