Anomaly Behavior Analysis For IoT Sensors
Anomaly Behavior Analysis For IoT Sensors
DOI: 10.1002/ett.3188
1 INTRODUCTION
Advances in mobile and pervasive computing, social network technologies, and the exponential growth in Internet applications
and services will lead to the development of the next generation of Internet services (Internet of Things [IoT]) that are pervasive
and ubiquitous and that touch all aspects of our life. It is expected that the number of IoT devices will reach more than 50 billion
devices by 2020.1 With the support of fog computing, the IoT services will be a key enabling technology to the development
of smart cities that will revolutionize the way we do business, maintain our health, manage critical infrastructure, and conduct
education and to how we secure, protect, and entertain ourselves.2,3 Since fog computing hosts services at the network edge, its
advantages include low service latency, high quality of services, support for mobility, awareness of location, and easier imple-
mentation of security measures. It was shown that fog computing supports IoT applications that require predictable latency,3,4
such as smart infrastructures (SIs), for example, smart buildings (SBs) and smart cities. As one of the IoT applications, SB
automation systems aim at integrating building equipment with sensors, actuators, and control devices to achieve reliable and
efficient operations and significantly reduce operational costs. However, with the use of fog computing and IoT techniques, we
are experiencing major challenges to secure and protect such advanced information services because of the significant increase
in the attack surface.3 The interconnections between growing amounts of devices expose the vulnerability of IoT applications to
attackers. Even devices that are intended to operate only in local area networks are sometimes connected to the Internet because
of careless configuration or to satisfy special needs (eg, they need to be remotely monitored). This makes control system data
vulnerable to falsification attacks that lead to incorrect information delivery to users, causing them to take wrong and dangerous
actions or to be unaware of an ongoing attack, as was the case with Stuxnet attack.4 Another example is in the work of Legezo,5
Trans Emerging Tel Tech. 2018;29:e3188. wileyonlinelibrary.com/journal/ett Copyright © 2017 John Wiley & Sons, Ltd. 1 of 15
https://doi.org/10.1002/ett.3188
2 of 15 PACHECO AND HARIRI
where the author showed how a Bluetooth connection was used in a city to change traffic sensors’ firmware to gather informa-
tion and to modify the data provided by those sensors. Finally, Takahashi et al.6 showed a comprehensive study of cyberattacks
targeting information gathered from medical wireless sensor networks. Here, the main concern is medical information disclo-
sure and falsification. These are some real-world scenarios that show how critically important it is to secure and protect the IoT
operations against cyberattacks, especially when it comes to IoT sensors.
In this work, we present a methodology to protect IoT sensors against a variety of cyberattacks. We first introduce our IoT
security framework for SIs that consists of 4 layers: devices (end nodes), network, services, and application. We then present a
methodology to develop a general threat model to better recognize the vulnerabilities in each layer and the possible countermea-
sures that can be deployed to mitigate their exploitation. In this scope, we show how to develop and deploy an anomaly behavior
analysis intrusion detection system (ABA-IDS) on the basis of the discrete wavelet transform (DWT) to detect anomalies that
might be triggered by attacks against the sensors in the first layer of our IoT framework. We have evaluated our approach by
launching several cyberattacks (eg, sensor impersonation, replay, and flooding attacks) against our SB testbed developed at the
Center for Cloud and Autonomic Computing, The University of Arizona. The results show that our approach can be used to
deploy effective security mechanisms to protect the normal operations of IoT sensors. Moreover, our approach can detect known
and unknown attacks against IoT end nodes with high detection rate and low false alarms.
The remainder of this paper is organized as follows. In Section 2, we provide background information about the concepts of
SIs, fog computing, IoT cybersecurity, ABA-IDS, and the use of a threat model. In Section 3, we explain our IoT security frame-
work for SIs. Section 4 is devoted in explaining our ABA methodology. In Section 5, we present our experimental environment
and discuss our evaluation results. In Section 6, we conclude this paper and discuss future research direction.
2 BACKGROUND
used to exploit existing vulnerabilities, and (4) some IoT devices and services may be shared and could have different ownership,
policy, and connectivity domains.
These challenges need to be addressed to build a secure and resilient IoT infrastructure, where confidentiality, integrity, and
availability must be assured. Consequently, there is a strong research interest in securing and protecting IoT and their services
using resilient techniques.15
There are several IoT frameworks that can be used to create a threat model and apply mitigation strategies.20-22 Figure 1 shows
an architecture that can be used to guide the security development of IoT SIs. The framework consists of 4 layers: IoT end nodes
(end devices), network, services, and applications. Cyberattacks can be launched against the functions and services provided
by each layer shown in Figure 1. For each layer in our framework, we can define the threats by target, impact, and mitigation
methods.
In the first layer (end nodes), the information passes through physical devices to identify the physical world. This information
includes object properties, environmental conditions, data, etc. The key components in this layer are the sensors for capturing
and representing the physical world in the digital world and the actuators to modify the environment to a desired state. The
targets at this level are local controllers, sensors, actuators, and information. The impact can be loss or waste of energy, money,
human safety, provider’s reputation, and time. Mitigation mechanisms include lightweight encryption, sensor authentication,
IDS, anti-jamming, and behavior analysis.
Network layer is responsible for the reliable transmission of information from/to end nodes.22 The technologies used in this
include the Internet, mobile communication networks, wireless sensor networks, network infrastructures, and communication
protocols. Network security and management play an important role to defend against cyberattacks targeting firewalls, routers,
protocols, and personal information. The impacts might be in money, reputation, safety, energy, control, and time. Network
mitigation mechanisms include authentication, anti-denial-of-service (DoS), encryption, packet filtering, congestion control,
anti-jamming, intrusion detection, and behavior analysis.
4 of 15 PACHECO AND HARIRI
Appli-
Appli- Users Devices
cations
cations
Internet Internet
IoT Fog
Services
Services
Internet
Network
Access Secure
Control Gateway
Local
Network
Devices Devices
The service layer acts as an interface between the application layer in the top level and the network layer in the lower level.21
At this layer, all the required computational power is mostly provided as a cloud and fog services. In this layer, cyberattacks
target personal and confidential information, IoT end devices, and monitor and control functions. The impact includes people
safety, money losses, and information leakage. Protection mechanisms include encryption, authentication, session identifiers,
intrusion detection, selective disclosure, data distortion, and behavior analysis.
The application layer provides the personalized services according to the needs of the user.22 The access to the IoT services is
through this layer, and it can be via mobile technology such as cell phone, mobile applications, or a smart appliance or device. In
this layer, data sharing is an important characteristic, and consequently, application security must address data privacy, access
control, and information leaks. The impacts can be in illegal access to intellectual properties, disclosure of critical business
plans, money loss, and damaging business reputation. Some mitigation mechanisms include encryption, authentication, and
ABA of applications and their services.
Attackers may use any existing vulnerability to gain access to the system and launch an attack. Our framework can be used to
identify the potential vulnerabilities and the appropriate mitigation mechanism. For instance, an IP temperature sensor located
in a remote place can be easily replaced by a computer to obtain illegal information and launch an attack (eg, replay attack).
Since sensors usually have low (or no) computational power, it is unrealistic to apply encryption techniques; a more suitable
approach is to authenticate each sensor and its data.
with several control units such as Arduino UNO, BACNet controller, and NI CompactRIO.25 The monitor and control tasks can
be performed locally by accessing our secure gateway and remotely by using fog or cloud services. The SBT will enable us
to experiment with and evaluate different security mechanisms and resilient algorithms and study their impacts on normal SB
services.
We have developed a methodology to protect the operations of end nodes against any type of threat by using continuous mon-
itoring and performing anomaly behavior analysis of the end node operations. The main modules to implement our approach
are shown in Figure 2: (1) continuous monitoring, (2) sensor behavior data structures (SBDSs), (3) anomaly behavior analysis
(ABA), (4) sensor classification, and (5) recovery actions.
the amount of data it can handle (outstanding performance), and (3) it provides useful capture and display filters. The information
obtained from Wireshark includes source IP, destination IP, and content of packets. The monitoring process occurs between the
controller and the secure gateway so we can detect any anomalous events before reaching the secure gateway. Hence, this enables
us to avoid the propagation of any attack. The sensor’s data are extracted from the payload and sent to the SBDS module, where
the sensor is automatically identified and its runtime profile is obtained. We refer to the sensor profile as the sensor-DNA data
structure (s-DNA) that is built by using the DWT method.
∑
y𝑙𝑜𝑤 [k] = x[n]∗ h[2k − n] (2)
n
The original signal x[n] is decomposed into an approximation coefficient yhigh [k] and a detail coefficient ylow [k] by applying a
high-pass g[n] and a low-pass h[n] filter, respectively. The number of samples in the signal follows n = 2i , where i is the number
of levels of decomposition. The DWT can be efficiently computed in a linear time, which is important when dealing with large
datasets. We use Haar wavelet as the function to extract the coefficients because any continuous function can be approximated
with Haar function.29 Once the signal is decomposed, the coefficients of each high-pass filter level are aggregated in a single
vector that is used to build the s-DNA data structure.
Once some of the sensors are discarded, the ED Dj in Equation 3 is computed between the runtime vector of coefficients v
and a matrix M (detailed in Section 5.1) of coefficients obtained from all the available sensors during the offline training phase.
√
√ n
√∑ ( )2
Dj = √ Mi,j , − vi (3)
i=1
The smallest distance obtained is used to classify the sensor type. This procedure can be taken as an authentication mechanism
for sensors. Once the sensor type has been identified, the rest of the data is compared with the coefficients in the same column
(j) of the matrix to obtain the ED in runtime.
𝑈 𝐶𝐿 = x + Zα∕2 σ (4)
The sensitivity level can be chosen depending on the required robustness. It is expected that at least 100(1 − α)% of the ES
falls between the UCL and the LCL; thus, we can choose a value between 0 and 1 for α such that31
( )
P x − Zα∕2 ,σ ≤ Dj ≤ x + Zα∕2 σ = 100 (1 − α) % (6)
For normal CLs, we assume that Zα/2 = 3 (P = 99.73%); this means that the probability of not discovering a deviation from
normal behavior is only 0.27%.31 We can also establish warning upper and lower limits (WUL and WLL, respectively) at Zα/2 = 2.
Figure 3 shows the control chart for the normal behavior of sensors using the ED. Any observation outside the CLs is taken as
an abnormal behavior.
4.4 Classification
Once the ABA module has determined that there is an abnormality in the analyzed sensor data, the classification unit function
is to identify the type of observed abnormality. For this task, Dj is used to detect behaviors and trends. For example, in a DoS
attack, the distance shows sudden changes above the UCL. It is possible to detect a trend before Dj falls out of boundaries or to
detect a mean shift in the data (ED); however, those scenarios will be inspected in future works.
8 of 15 PACHECO AND HARIRI
32 8
7
31 6
31 5
4
30
3
30 2
29 1
0
29 -1
0 50 100 150 200 250 0 50 100 150 200 250
Samples Coefficient Number
(A) (B)
FIGURE 5 Temperature sensor. A, raw data and B, DWT coefficients (254 samples)
sensors, and consequently, we choose 3 as a threshold for our system. However, there is a chance that we can obtain only 1
possible candidate, which is the best case scenario.
Analyzing the sensor data, we can observe that there is no strong correlation between them, as shown in Table 3. However,
we can notice that the moisture sensor introduces noise to the system; thus, using rules is not enough to uniquely identify the
sensors.
The next step is to apply DWT to the signal so that we can have a signature for each sensor. Figure 5A shows raw data
for temperature sensor, and Figure 5B shows its DWT coefficients with 8 levels of decomposition. The number of samples is
important to accurately detect some of the attacks; Section 5.3 explains how to choose the number of samples.
A vector of DWT coefficients is generated for each sensor and stored into matrix Mi , j , where j represents the j-index of the
sensor, and i is the DWT coefficient number used to compute Dj .
Once the matrix of coefficients is built and all the EDs are computed (as explained in Section 4.3) for the different sensors
that are used in our experimental evaluation, the limits of normal operation are calculated. Table 4 shows the results of the
offline training for each sensor.
Once the system has been trained for the normal behavior of a given sensor, the next step is to launch attacks against that
sensor to learn its behavior under attacks. The classification of the attacks is based on the trend of the ED (see Figure 6).
Depending on the intensity of the attack, it is possible to detect it before it goes out of the CLs by applying a trend rule. This rule
applies also for unknown attacks since the ED is developed for the normal distribution (verified with the Kolmogorov-Smirnov
test31 ). A window of 7 continuous EDs is used to verify any trend in the behavior. However, for some attacks (eg, DoS), the
7 ESs are not needed since the ED goes out of the CLs rapidly.
10 of 15 PACHECO AND HARIRI
16
Euclidean distance
14
12
10 Normal
Abnormal
8
4
0 20 40 60 80 100
Samples
a complete block of the network devices. For pulse DoS, the attack will be launched for a very short time, but with a very large
number of packets.34 A malicious computational device can claim that it is the sensor by taking the sensor’s IP in the network to
send fake data. This attack is known as sensor impersonation and is one of the most difficult to detect because the computational
device can follow closely the behavior of the real sensor.35 Sensors can be compromised by injecting malicious packets through
the network or by physically manipulating them, thus introducing noise to the system. Noise injection attack is easy to identify
but hard to classify because of the diversity on the sources of noise (eg, network noise and sensor natural failures).36
We have evaluated the performance of our ABA-IDS approach for the aforementioned attacks when they are launched against
all the sensors available in our testbed. Table 5 summarizes the detection and classification accuracy of our approach for each
attack type.
From Table 5, the pulse DoS and noise injection attacks are 2 new attacks that were not used during the offline training phase.
Here, the system detects these attacks and classifies them as “new attack”. There are 2 cases that trigger false positives. The
first case happens when the behavior is not considered in the training phase (eg, a cold object near the temperature sensor). In
the second case, the sensor needs to reach its steady state after an attack. Our experiments show that, at most, 3.2% of these
situations produced false positive alerts.
Table 6 shows that our ABA-IDS has a detection rate better than the compared approaches for unknown attacks, and unlike
signature-based IDS, it is able to detect new attacks.
12 of 15 PACHECO AND HARIRI
Detection Rate
ation
60.00 DoS
40.00 Noise
20.00 Replay
0.00
3 4 5 6 7 8 9 10
Levels of Decomposition
2.00
1.50
1.00
0.50
0.00
3 4 5 6 7 8 9 10
Levels of Decomposition
% Overhead
6.0
5.0
4.0
3.0
2.0
3 4 5 6 7 8 9 10
Levels of Decomposition
coefficient extraction and the ED computation, each one requiring certain amount of time depending on the volume of data
being processed. Figure 10 shows that levels 6 and 7 give the best results (less overhead), with less than 3% in time overhead.
Figures 8 and 9 show level 5 as the best option in detection rate and false positives. Figure 10 shows that level 5 gives more
overhead (3%) compared with levels 6 (2.4%) and 7 (2.8%). However, taking into consideration the detection and false positive
rates, level 5 is the best option, meaning that the system will use 32 samples of raw data to perform the ABA.
Figure 10 shows another effect of memory constraints. For levels below 6, the system needs to perform several inspections
and the whole process takes more time; for example, level 3 performs 2 inspections to reach the analysis capability of level 4.
On the other hand, from level 7, the memory usage represents a problem for the system as it needs to allocate the incoming
data and perform the operations over this data. As we can see, the overhead jumps after level 7, which is consistent with the
detection rate behavior in Figure 8.
In this paper, we presented an IoT security framework for SIs that consists of 4 layers: devices (end nodes), network, service,
and application layers. We also presented a methodology to develop a threat model that can be used to identify potential attacks
against each layer, their impacts, and how to mitigate and recover from these attacks.
In our experimental results, we showed how to use the threat model to secure and protect sensors in smart IoT infrastructure.
Our anomaly behavior analysis methodology includes the use of an s-DNA profile that is developed to accurately characterize
normal sensor operations. We showed that our s-DNA data structure can be used as an authentication mechanism for IoT sensors.
We have also shown that the ABA-IDS approach can detect both known and unknown attacks with high detection rates and
low false positive alarms (less than 0.5%). We have also developed an attack classification methodology with 98% accuracy for
known attacks and up to 97.4% accuracy for unknown attacks (classified as “new attacks”).
It is important to emphasize that our methodology is intended to protect the normal operation of end nodes where the number
of sensor is limited (eg, in a single room) and, before an attack, can affect other systems as we showed in the attack surface.
However, for large amount of sensors (eg, SBs), where data association techniques are required, we need to test our approach
in upper layers (eg, in the service layer with fog computing). In such case, other factors such as behavioral drift may affect the
outcome of our ABA-IDS module.
We are currently investigating techniques for detecting attacks by analyzing the behavior of other layers. For example, if an
attacker collects enough sensors’ information (eg, 1 day of information), it can launch a replay attack without the need of using
the same dataset. We are working on several solutions for such kind of attacks, including: (1) big data analytics to search for
patterns in the stored data and (2) applied MTD strategy that will make it extremely difficult for an attacker to collect relevant
data because they will not be relevant in the future because of the continuous random change in the configuration.
ACKNOWLEDGEMENTS
This work was partly supported by the Air Force Office of Scientific Research Dynamic Data-Driven Application Sys-
tems (award FA95550-12-1-0241), the National Science Foundation (research projects NSF 1624668, SES-1314631, and
DUE-1303362), and Thomson Reuters in the framework of the Partner University Fund project (a program of the French
Embassy in the United States and the FACE Foundation and is supported by American donors and the French Government).
REFERENCES
1. Verizon. Create intelligent, more meaningful business connections. http://www.verizonenterprise.com/solutions/connected-machines/. Accessed
June 2016.
2. Zanella A, Bui N, Castellani A, Vangelista L, Zorzi M. Internet of Things for Smart Cities. IEEE IoT Journal. 2014;1(1):22-32.
3. Pacheco J, Hariri S. IoT security framework for smart cyber infrastructures. Paper presented at: IEEE 1st International Workshops on Foundations
and Applications of Self* Systems (FAS*W); 2016; Augsburg, Germany.
4. Kushner D. The Real Story of Stuxnet: How Kaspersky Lab tracked down the malware that stymied Iran’s nuclear-fuel enrichment program.
IEEE Spectr. 2013;50(3):48-53.
5. Legezo D. How to trick traffic sensors. Kaspersky Lab. https://securelist.com/blog/research/74454/how-to-trick-traffic-sensors/. Accessed
April 2016.
6. Takahashi D, Xiao Y, Hu F. A survey of security in telemedicine with wireless sensor networks. In: Xiao Y, Chen H, eds. Mobile Telemedicine:
A Computing and Networking Perspective. Boca Raton, Florida, United States: CRC Press; 2008:209-235.
7. Wang Z, Wang L, Dounis A, Yang R. Multi-agent control system with information fusion based comfort model for smart buildings. Appl Energy.
2012;99:247-254.
8. Mehta A, Tärneberg W, Klein C, Tordsson J, Kihl M, Elmroth E. How beneficial are intermediate layer data centers in mobile edge networks?
Paper presented at: IEEE 1st International Workshops on Foundations and Applications of Self* Systems (FAS*W); 2016; Augsburg, Germany.
9. Orsini G, Bade D, Lamersdorf W. CloudAware: A context-adaptive middleware for mobile edge and cloud computing applications. Paper
presented at: IEEE 1st International Workshops on Foundations and Applications of Self* Systems (FAS*W); 2016; Augsburg, Germany.
10. Hegyi A, Flinck H, Ketyko I, Kuure P, Nemes C, Pinter L. Application orchestration in mobile edge cloud: Placing of IoT applications to the edge.
Paper presented at: IEEE 1st International Workshops on Foundations and Applications of Self* Systems (FAS*W); 2016; Augsburg, Germany.
11. Garcia-Perez C, Merino P. Enabling low latency services on LTE networks. Paper presented at: IEEE 1st International Workshops on Foundations
and Applications of Self* Systems (FAS*W); 2016; Augsburg, Germany.
12. Yaseen Q, AlBalas F, Jararweh Y and Al-Ayyoub M. A fog computing based system for selective forwarding detection in mobile wireless sensor
networks. Paper presented at: IEEE 1st International Workshops on Foundations and Applications of Self* Systems (FAS*W); 2016; Augsburg,
Germany.
PACHECO AND HARIRI 15 of 15
13. Suo H, Wan J, Zou C, Liu J. Security in the Internet of Things: A review. Paper presented at: International Conference on Computer Science and
Electronics Engineering (ICCSEE); 2012; Hangzhou, China.
14. Brito MSD, Hoque S, Steinke R, Willner A. Towards programmable fog nodes in smart factories. Paper presented at: 2016 IEEE 1st International
Workshops on Foundations and Applications of Self* Systems (FAS*W); 2016; Augsburg, Germany.
15. Ding C, Yang LJ, Wu M. Security architecture and key technologies for IoT/CPS. ZTE Technology Journal. 2011;17(1):11-16.
16. Can O, Sahingoz OK. A survey of intrusion detection systems in wireless sensor networks. Paper presented at: 6th IEEE International Conference
on Modeling, Simulation, and Applied Optimization (ICMSAO); 2015; Istanbul, Turkey.
17. Fayssal S, Hariri S, Al-Nashif Y. Anomaly-based behavior analysis of wireless network security. Paper presented at: 2007 Fourth Annual
International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous); 2007; Philadelphia, USA.
18. Xu D, Tu M, Sanford M, Thomas L, Woodraska D, Xu W. Automated security test generation with formal threat models. IEEE Trans Dependable
Secure Comput. 2012;9(4):526-540.
19. Schlegel R, Obermeier S, Schneider J. Structured system threat modeling and mitigation analysis for industrial automation systems. Paper
presented at: IEEE 13th International Conference on Industrial Informatics (INDIN); 2015; Cambridge, United Kingdom.
20. Jin J, Gubbi J, Marusic S, Palaniswami M. An information framework for creating a smart city through internet of things. IEEE Internet of Things
J. 2014;1(2):112-121.
21. Ferreira HGC, Canedo ED, de Sousa Junior RT. IoT architecture to enable intercommunication through REST API and UPnP using IP, ZigBee
and Arduino. Paper presented at: 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications
(WiMob); 2013; Lyon, France.
22. Soliman M, Abiodun T, Hamouda T, Zhou1 J, Lung C. Smart home: Integrating Internet of Things with web services and cloud computing.
Paper presented at: IEEE 5th International Conference on Cloud Computing Technology and Science; 2013; Bristol, United Kingdom.
23. Manadhata PK, Wing JM. An Attack Surface Metric. IEEE Trans Software Eng. 2011;37(3):371-386.
24. Hossain M, Fotouhi M, Hasan R. Towards an analysis of security issues, challenges, and open problems in the Internet of Things. Paper presented
at: IEEE World Congress on Services; 2015; New York, USA.
25. Pacheco J, Tunc C, Hariri S. Design and evaluation of resilient infrastructures systems for smart cities. Paper presented at: 2016 IEEE International
Smart Cities Conference (ISC2); 2016; Trento, Italy.
26. Hoque N, Bhuyan M, Charan Baishya R, Bhattacharyya DK, Kalita JK. Network attacks: taxonomy, tools and systems. J Netw Comput Appl.
2014;40:307-324.
27. Mishra C. Mastering Wireshark. Birmingham, UK: Packt Publishing Ltd; 2016.
28. Mallat S. A Wavelet Tour of Signal Processing, Third Edition: The Sparse Way. 3rd ed. Amsterdam, Netherlands: Academic Press; 2008.
29. Kozionov A, Kalinkin M, Natekin A, Loginov A. Wavelet-based sensor validation: Differentiating abrupt sensor faults from system dynamics.
Paper presented at: IEEE 7th International Symposium on Intelligent Signal Processing (WISP); 2011; Floriana, Malta.
30. Weka. http://weka.sourceforge.net/doc.dev/weka/classifiers/rules/JRip.html. Accessed June 2016.
31. Montgomery DC. Statistical Quality Control. 7th ed. Chichester: John Wiley & Sons; 2012.
32. Lee S, Jo J, Kim Y, Stephen H. A framework for environmental monitoring with Arduino-based sensors using Restful web service. Paper presented
at: 2014 IEEE International Conference on Services Computing (SCC); 2014; Anchorage, Alaska.
33. Hoehn A, Zhang P. Detection of replay attacks in cyber-physical systems. Paper presented at: American Control Conference (ACC); 2016;
Boston, MA.
34. Namboodiri V, Aravinthan V, Mohapatra S, Karimi B, Jewell W. Toward a secure wireless-based home area network for metering in smart grids.
IEEE Syst J. 2013;8(2):1-12. https://doi.org/10.1109/JSYST.2013.2260700
35. Tanabe N, Kohno E, Kakuda Y. A path authenticating method using bloom filters against impersonation attacks on relaying nodes for wireless
sensor networks. Paper presented at: 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops; July 8, 2013;
Philadelphia, Pennsylvania, USA.
36. Illiano VP, Lupu E. Detecting malicious data injections in wireless sensor networks: a survey. ACM Comput Surv (CSUR). 2015;48(2):
Article No. 24.
37. Mac Farland DC, Shue CA. The SDN shuffle: creating a moving-target defense using host-based software-defined networking. Paper presented
at: Proceedings of the Second ACM Workshop on Moving Target Defense; October 12, 2015; Denver, Colorado, USA.
How to cite this article: Pacheco J, Hariri S. Anomaly behavior analysis for IoT sensors. Trans Emerging Tel Tech.
2018;29:e3188. https://doi.org/10.1002/ett.3188