Network anomaly detection for railway critical infrastructure based on autoregressive fractional integrated moving average

The article proposes a novel two-stage network traffic anomaly detection method for the railway transportation critical infrastructure monitored using wireless sensor networks (WSN). The first step of the proposed solution is to find and eliminate any outlying observations in the analyzed parameters of the WSN traffic using a simple and fast one-dimensional quartile criterion. In the second step, the remaining data is used to estimate autoregressive fractional integrated moving average (ARFIMA) statistical models describing variability of the tested WSN parameters. The paper also introduces an effective method for the ARFIMA model parameters estimation and identification using Haslett and Raftery estimator and Hyndman and Khandakar technique. The choice of the “economically” parameterized form of the model was based on the compromise between the conciseness of representation and the estimation of the error size. To detect anomalous behavior, i.e., a potential network attack, the proposed detection method uses statistical relations between the estimated traffic model and its actual variability. The obtained experimental results prove the effectiveness of the presented approach and aptness of selection of the statistical models.


Introduction
Intelligent transportation systems (ITS) are currently a key technology that is identified as an answer to the growing need for mobility of goods and people. Owing to the use of ITS, it is possible to establish a fully functioning, accurate, real-time, and efficient transportation management system. It can be achieved by combining information systems and technologies like wireless networks and sensors, computing/networking devices, Global Positioning System (GPS), mobile telephony, and camera recognition systems. Thanks to ITS, it is possible to improve the level of services and capacity of transportation systems. In particular, ITS can help to enhance the transportation infrastructures, its overall safety, and security of critical information for different transportation means. It must be noted that currently, the main focus of academics and industry is on vehicular networks and more precisely on developing inter-vehicle and vehicle-to-infrastructure networks [1][2][3]. However, ITS are not limited only to manage vehicular traffic but they can also provide services and they can be successfully implemented in air, water transport, and rail systems [4,5] as well.
An important aspect of any ITS is to correctly address potential security and privacy issues. Aijaz et al. [4] define the following vital attack aspects depending on what the target is. Authors identify attacks on the following: (i) wireless interface; (ii) sensor inputs to different processing units; (iii) software and hardware parts of the systems; and (iv) security infrastructure behind wireless access networks (e.g., certification and traffic authorities, transportation vehicle manufacturers). On the other hand, various security solutions have been proposed to tackle these problems and they can be classified [6] as proactive (e.g., tamper resistant hardware, proprietary system design, and digitally signed messages) or reactive (e.g., anomaly-based, context-based, and signature-based approaches). Especially anomaly-based detection systems constitute an important part of every ITS-based management system. They allow to assess the imminent emergence of any incidents, i.e., to detect deviations from normal patterns (events, situations). Therefore, identifying anomalous events is essential as they can lead to critical conditions where immediate actions must be taken.
In the existing literature, several anomaly detection approaches for ITS have been proposed, but mostly for vehicular networks (see, e.g., [7][8][9]). Very few solutions have so far been proposed for railway systems; they are mentioned below.
Rabatel et al. [10] focused on the field of train maintenance. Monitoring of trains is provided using sensors positioned on the main train components, e.g., motors, wheels, to transmit information regarding, e.g., the temperature, acceleration, and velocity. Then an automatic detection system is introduced to identify anomalies in order to predict potential failures in advance. The proposed approach also considers the contextual criteria associated with railway data, like weather conditions and itinerary.
Holst et al. [11] developed a statistical anomaly detection method which has been deployed in a tool whose aim is to monitor train fleets and which allows inspecting and visualizing the occurrence of event messages generated on the trains. The designed anomaly detection component is based on the Bayesian Principal Anomaly [12] and helps operators to quickly find significant deviations from normal behavior and to detect early indications of potential problems.
An anomaly detection system that is able to indicate degraded condition of track and rolling stock has been proposed by Goodman et al. [13]. The authors utilized a sensor system installed on one of the 110 boxcars on a train on a high-tonnage loop test track. The data from the sensors was sent to a specialized collection gateway hub which was mounted inside the boxcar. The main goal was to discover abnormalities in railroad tracks, rolling stock, bearings, rotating shafts, and gears. The obtained results confirmed that such a detection system is efficient enough to identify, locate, and characterize such types of anomalies.
Considering the above, in this article we introduce another type of a novel anomaly detection system dedicated for wireless sensor networks (WSN) traffic that is based on clustering and statistical model with long memory, i.e., autoregressive fractional integrated moving average (ARFIMA). The main idea of the proposed approach is to analyze the deviations between parameters of the real network traffic and the estimated statistical models of that traffic. We develop a two-stage anomaly detection method. The first step is to find and eliminate possible observations outlying from the analyzed WSN traffic parameters. This step is performed by means of a simple yet effective one-dimensional quartile criterion. In the second step, the remaining data are used to estimate the ARFIMA statistical models describing variability of the tested WSN parameters.
The proposed anomaly detection method is used as a security measure for railroad gates tracking system that is based on WSN sensors. It is a part of a more comprehensive system responsible for supervising and visualization of the critical infrastructure, i.e., railroad crossings. The feasibility and effectiveness of the introduced method is proved based on the abovementioned real-life railroad crossings monitoring system; however, it must be noted that it can be conveniently ported to any other transportation system as well.
The rest of this paper is structured as follows. The next section focuses on the main security issues related to WSN. Then in Section 3, the assumed scenario as well as details of the proposed anomaly detection approach is outlined. Section 4 presents the real-life setup as well as obtained experimental results. Finally, Section 5 concludes our work.

Overview of security in WSN
Ensuring security of the WSNs is an important factor for their correct operation due to the fact that they are distinctly sensitive to hazards emerging from human intentional actions that include illegal use or incapacitation (e.g., impersonating or eavesdropping the user, terrorist attacks) [14], or from environmental influence, for instance fire, electromagnetic signal, etc. [15]. When comparing cable networks to WSNs, the latter offer restricted computational abilities and limited energy resources [16]. Taking this into account, maintaining safe operation of WSN is difficult, nevertheless necessary. It is because the networks must be able to uphold their basic functioning which consists in collecting data from the sensors and transmitting it to both the monitoring unit and the WSN infrastructure management centers.
Wireless sensor networks might be subjected to different types of attacks (either passive or active). Passive attacks happen when an intruder does not utilize signal emissions aimed at disturbing the proper operation of WSN in order to, e.g., access its data, infrastructure, or modify transmitted messages. On the other hand, active attacks rely on utilization of such emissions of signals or actions that may be detected [15,17], while trying to obtain an unauthorized access or a possibility to alter the messages.
During passive attacks on WSN, the intruder aims at passive interception of the exchanged network traffic to implicitly acquire the transmitted data. An example of such action is eavesdropping of the data that is transmitted between the nodes. The WSN radio medium, because of its specific features, is relatively vulnerable to such attacks. Another instance may be the network traffic analysis which intends to examine and disclose the WSN topology. A characteristic aspect of wireless sensor networks is a great load of information transmitted through a part of their nodes. If this data transmission is increased on these nodes, the neighboring nodes counteract by retransmitting the information to the base station. Due to the network traffic analysis, the attacker may obtain knowledge of how much workload the sensor network critical nodes are burdened with [18,19].
Contrary to the passive methods, active attacks enable the intruder to directly or indirectly influence data content transmitted in the WSN. Moreover, the active attacks can be easily detected because their impact on WSN performance is direct, i.e., they may degrade the WSN quality, or even deny access to some services or completely disenable control over the network. For the network critical infrastructure, direct attacks on WSN hardware are especially dangerous. Such attacks can cause diminishing of the monitoring area of the sensor network, or entire disposal of the WSN [19,20].
The aim of manipulating WSN nodes is to distract the operator of the sensor network from the main origin of the threat, e.g., from spoofing or distributed denial of service ((D)DoS) attacks. Moreover, if the attacker uses a short-term high-energy electromagnetic pulse (EMP), then an annihilation of either the given sensor network or any electronic device within the EMP destruction field [21] is possible.
The attacks aimed at the data's confidentiality or integrity constitute an immense threat because they let the intruder enter the network without authorization to transmit data. The Sybil Attack is an example of a masking technique which consists in spoofing by transmitting numerous identifiers through a harmful confluence, or framing a legal confluence and taking over its specification to obtain access to the WSN infrastructure [22].
The (D)DoS attacks in WSN aim at excessive charging of the attacked sensor networks features in order to disenable data gathering from the attacked nodes or to restrain the efficiency of tools provided by the victim WSN. The (D)DoS invasions can be directed onto every level of the network model, i.e., ISO/OSI [21].
Because the WSN are vulnerable to a large number of dangers, limiting the possibility of a successful attack requires the use of advanced methods and algorithms. These methods are spread spectrum techniques (hindering the successful interfering with radio transmission); methods using cryptographic algorithms (securing the confidentiality and integrity of the transferred information); a proper nodes' device construction to deny access to their internal systems (for instance, information about cryptographic algorithms, or keeping secret keys); utilizing related protocols (documents guarding the transfer of information); and ways of monitoring and identifying abnormalities in the WSN data transfer [23][24][25].
In this paper, we suggest the two stages of analysis of abnormal behavior detection for WSN traffic. The first step prepares proper data by removing the outlier values. In the second step, the parameters of ARFIMA statistical model are used for detecting anomalies. In the course of stages, performed according to particular scenarios, the satisfying results were obtained. The following scenarios of anomaly attacks are analyzed and calculated for the sake of efficient protection of railroad crossings: (i) electromagnetic distortion; (ii) intentional damage of selected infrastructure; and (iii) attacks performed by means of the important WSN component, i.e., the WSN IP gateway.

Network anomaly detection: the proposed approach
In the rest of the paper, we assume the scenario depicted in Fig. 1 in which there is a management system that is utilized for visualizing and controlling railroad crossings critical infrastructure. The required infrastructure for monitoring a single railroad crossing consists of WSN sensors used for analyzing the state and position of the railroad crossing separate gates, WSN IP gateway which aggregates the traffic from sensors, firewall, and multi-WAN router for providing different links to the WAN network.
As mentioned in the introduction, an anomaly detection system is a vital component of any ITS management solution. That is why the Intrusion Detection/Prevention Systems (IDS/IPS) for detecting attacks and/or intrusions are currently utilized as one of the main components to provide security of the critical infrastructure. Their main function is to accurately identify, detect, and respond to an unauthorized activity directed against the protected network resources [26].
Generally, we may classify IDS/IPS, based on the utilized threat identification technique, as signature-based or anomaly detection systems. The first consists in the detection of intrusions using the signature of previously known attacks [27]. Comparatively, the latter relies on monitoring the defended system to detect any abnormalities. Thus, any deviation from a defined model or profile of legitimate activities reflected in the WSN network traffic parameters is treated as a symptom of the attack. Such a deviation from normal reference is called an anomaly [14,28].
The main advantage of anomaly detection solutions is the fact that they are able to detect unknown intrusions that disturb the correct network traffic parameters. Therefore, IDS/IPS relying on anomaly detection are (if properly configured) more effective than signature-based ones [29].
Considering the above, in this article the recognition of abnormal behavior is applied. This approach is based on the idea of analyzing the deviations of parameters of the real network traffic from the estimated statistical models of that traffic (see Fig. 2). We suggest a two-stage anomaly detection method. In the first step, ARFIMA model base for the analyzed WSN network traffic parameters is built. This is realized on the formerly selected and calculated features of the network traffic. In the following steps, outlier observations are eliminated and estimation of ARFIMA models parameters of the analyzed WSN network traffic features is performed. In result, statistical models base is created and serves as a basis for an anomaly detection system. The second step is a normal operation of an anomaly detection system (ADS), i.e., selection and calculation of the relevant network traffic features, and assessment of the difference between the actually transmitted data (i.e., network traffic) and the calculated ARFIMA representation of the traffic for the chosen WSN network parameters.
The motivation for choosing the ARFIMA statistical model was based on the results of previous authors' research, i.e., on the use of autoregressive models and heteroscedastic and regression models with variable sampling resolution of the dataset for anomaly detection in the LAN/WAN networks. Findings included in [30][31][32] clearly indicate the superiority of the ARFIMA model for modeling network traffic parameters' variability for the purpose of anomaly detection.
It must be emphasized that the first stage is always initiated after performing any change in WSN network infrastructure or topology. It can also be performed periodically to update the statistical models base, which is a basis for the anomaly detection system. Moreover, the elimination procedure of outlying observations (realized at this stage) prevents degradation of ARFIMA models by rejecting non-standard parameters of the analyzed network traffic.
Below we present and discuss the main components of the proposed approach in detail.

Detection of outlying observations: one-dimensional quartile criterion
Due to the nature of the transportation critical infrastructure and its monitoring using WSN, there is a real hazard of fluctuation of the analyzed network traffic parameters, i.e., possibility of emerging outlying observations (outliers). These fluctuations may have diverse sources, for instance (i) environmental, connected with interference of radio wave propagation; (ii) technical, related to changes in the infrastructure; (iii) devices' damage; or (iv) they can be a consequence of network attack. In our approach, identification of the outliers of the analyzed WSN traffic parameters is performed by means of one-dimensional quartile criterion introduced by Tukey [33], which is used for the construction of box plots. For every parameter, we calculate the first (Q1) and third (Q3) quartile and interquartile range IRQ = Q3 − Q1. Quartiles divide all our observations into four equal-number groups (Fig. 3, left).
The first quartile (Q1) divides observations in the proportion 25-75 %, which means that 25 % of observations are lower than or equal to Q1, and 75 % of observations are equal to or greater than Q1. The second quartile (Q2), otherwise known as the median, divides observations in the proportion 50-50 %. The third quartile (Q3) divides the observations in the proportion 75-25 %, which means that 75 % of observations are lower than or equal to Q3, and 25 % are equal to or greater than Q3. Observations which can be considered as outliers are those whose values fall outside the range (Q1 − 1.5IRQ, Q3 + 1.5IRQ). In contrast, extreme outliers (see Fig. 3, right) are identified as those observations whose values are outside the range (Q1 − 3IRQ, Q3 + 3IRQ).
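The quartile criterion above, written out as an added example (this code is not from the paper). The function names, the RSSI sample values, and the choice to drop both outliers and extreme outliers in the first stage are assumptions made for illustration.

```python
from statistics import quantiles


def tukey_fences(values, k):
    """Return (low, high) = (Q1 - k*IQR, Q3 + k*IQR) for one traffic feature."""
    if len(values) < 4:
        raise ValueError("need at least 4 observations to estimate quartiles")
    # 'inclusive' treats the sample as containing its own minimum and maximum.
    q1, _median, q3 = quantiles(values, n=4, method="inclusive")
    iqr = q3 - q1  # the text writes this quantity as IRQ
    return q1 - k * iqr, q3 + k * iqr


def label_observations(values):
    """Label each observation 'ok', 'outlier' (1.5*IQR) or 'extreme' (3*IQR)."""
    low, high = tukey_fences(values, 1.5)
    xlow, xhigh = tukey_fences(values, 3.0)
    labels = []
    for v in values:
        # A value sitting exactly on a fence is kept, so a constant idle-state
        # feature (IQR == 0, both fences equal to the value) is not rejected.
        if v < xlow or v > xhigh:
            labels.append("extreme")
        elif v < low or v > high:
            labels.append("outlier")
        else:
            labels.append("ok")
    return labels


def clean_feature(values):
    """Stage 1: drop outlying observations, keep the rest in time order.

    Returns (kept, rejected); rejected holds (index, value, label) tuples so
    that discarded samples can still be reviewed afterwards.
    """
    labels = label_observations(values)
    kept = [v for v, lab in zip(values, labels) if lab == "ok"]
    rejected = [
        (i, v, lab)
        for i, (v, lab) in enumerate(zip(values, labels))
        if lab != "ok"
    ]
    return kept, rejected


# Constructed sample: RSSI readings in dBm for one sensor (not measured data).
RSSI_DBM = [-71, -70, -72, -68, -110, -70, -69, -74, -58, -71, -72, -66, -68]

if __name__ == "__main__":
    kept, rejected = clean_feature(RSSI_DBM)
    print("fences 1.5*IQR:", tukey_fences(RSSI_DBM, 1.5))
    print("fences 3*IQR:  ", tukey_fences(RSSI_DBM, 3.0))
    print("rejected:", rejected)
    print("kept for model estimation:", kept)
```

Because the rejected samples may themselves be the trace of an attack, the function returns them instead of silently discarding them.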

The ARFIMA model: estimation of the WSN traffic features variability
Granger and Joyeux [34] and Hosking [35] introduced a model called the autoregressive fractional integrated moving average (ARFIMA), which is composed of two different processes, i.e., fractionally differenced noise and autoregressive moving average. ARFIMA's aim is to examine the attribute of long memory, and for data presented as time series $\{y_t\}$, it is: where $\epsilon_t \sim (0, \sigma^2)$ is the white noise process with zero mean and variance $\sigma^2$. The gamma function is denoted by $\Gamma(\cdot)$ and the number of differences necessary to obtain a stationary series is denoted by $d$. The $d$-th power of the differencing operator included in Eq. (1) is denoted by $(1 - B)^d$.
When the value of the differencing parameter is in the range (−0.5, 0.5), the ARFIMA model can be described as stationary, and if the value of the differencing parameter belongs to (0, 0.5), the process exhibits long-memory behavior. If there are suitable k differences, it is possible to transform many non-stationary processes into stationary ones by fulfilling condition (1). Consequently, the non-stationary processes obtain the long-memory attribute [36]. It is possible to predict the ARFIMA processes by means of an infinite autoregressive representation of formula (1), recorded as $\Pi(B)\,y_t = \epsilon_t$, also where From the perspective of numerical realization, the above equation requires truncation after k lags; nevertheless, it is not easy to obtain. The difficulty in truncation will influence the forecast horizon included in predictions (see [36]). Formula (2) explains that the predicting rule absorbs the impact of the remote lags, by which it captures their persistent impact. However, if shifts appear in the process, the pre-shift lags will also influence the prediction, and in consequence, the post-shift horizons may have some biases [37,38].
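To make the truncation problem concrete, the added example below (not code from the paper) expands $(1 - B)^d$ into its autoregressive weights, measures how much weight is lost when the expansion is cut after k lags, and forecasts with the truncated form. It assumes a pure fractional-noise model ARFIMA(0, d, 0) with zero mean; the weight recursion is the standard binomial expansion, and all function names are illustrative.

```python
def ar_weights(d, n_lags):
    """Coefficients pi_0..pi_n of (1 - B)^d = sum_k pi_k * B^k.

    Uses the recursion pi_k = pi_{k-1} * (k - 1 - d) / k, which equals
    Gamma(k - d) / (Gamma(k + 1) * Gamma(-d)) but is also defined for d = 0.
    """
    if not -0.5 < d < 0.5:
        raise ValueError("d must lie in (-0.5, 0.5) for a stationary model")
    weights = [1.0]
    for k in range(1, n_lags + 1):
        weights.append(weights[-1] * (k - 1 - d) / k)
    return weights


def dropped_weight(d, n_lags):
    """Total |pi_k| lying beyond the truncation lag, for 0 < d < 0.5.

    For d > 0 every pi_k with k >= 1 is negative and together they sum to -1,
    so the mass left out after n_lags is 1 + sum_{k=1..n_lags} pi_k.
    """
    if d <= 0:
        raise ValueError("defined here for the long-memory case 0 < d < 0.5")
    return 1.0 + sum(ar_weights(d, n_lags)[1:])


def forecast(history, d, horizon, max_lags=None):
    """Point forecasts of a zero-mean ARFIMA(0, d, 0) series.

    Truncated AR(infinity) rule: y_hat[t+1] = -sum_{k>=1} pi_k * y[t+1-k].
    `history` is ordered oldest first and must already have its mean removed.
    """
    series = list(history)
    forecasts = []
    for _ in range(horizon):
        lags = len(series) if max_lags is None else min(max_lags, len(series))
        pi = ar_weights(d, lags)
        # series[-k] is the value k steps before the one being predicted.
        y_hat = -sum(pi[k] * series[-k] for k in range(1, lags + 1))
        forecasts.append(y_hat)
        series.append(y_hat)  # later steps build on the earlier forecasts
    return forecasts


if __name__ == "__main__":
    d = 0.4  # constructed value inside the long-memory range (0, 0.5)
    print("first weights:", [round(w, 4) for w in ar_weights(d, 5)])
    for k in (10, 100, 1000):
        # Hyperbolic decay: the dropped mass shrinks roughly like k**(-d).
        print(f"weight dropped after {k:4d} lags: {dropped_weight(d, k):.4f}")
    print("2-step forecast:", forecast([2.0, 1.0], d, horizon=2))
```

With d = 0.4, roughly a tenth of the total autoregressive weight still lies beyond lag 100, which is why distant history, including samples recorded before a shift in the process, keeps influencing the prediction.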

Estimation and selection of parameters of the ARFIMA model
To find a proper prognostic model, contrary to using the highest number of precise parameters that describe the variability of the analyzed data presented as time series, it is of crucial importance to understand that too large adjustment of series may provide either the description of the signal itself or the random noise (that may show accidental regularity in a definite number of attempts). Therefore, the main aim is to find a model which, with the use of a limited number of statistically important parameters, will be able to describe the essential features of the analyzed time series.
There are two relatively simple and effective methods for calculation of the autoregressive models' parameters: maximum likelihood estimation (MLE) and quasi-maximum likelihood estimation (QMLE) [39,40]. For the MLE, the basic computational problem is finding the solution of the following equation: where $\theta$ is the calculated data set, $L_T(\vartheta)$ is the likelihood function, and $T$ is the quantity of modeled parameters controls. For many cases, it is impossible to find an analytical solution to Eq. (3) for the defined form of the model; thus, the numerical estimation is used. Using the maximum likelihood method requires establishing the complete model; hence the resulting estimator is sensitive to possible errors in specifying the autoregressive (AR) and moving average (MA) polynomials that define the dynamics of the process. A universal criterion for selecting the model's form does not exist. In common practice, the fit of the model to the data improves, i.e., the value of the likelihood function increases, as the model's complexity grows. Nevertheless, the possibility of an error is greater when a greater number of parameters is being estimated. Therefore, one should seek an optimization of the quantity of parameters that appears i.e., they suggest selecting the form that possesses the minimal value of information criterion [41]. Below we present results of parameter estimation obtained by means of MLE and QMLE methods, and the ARFIMA form of the model. The value of the differencing parameter $d$ is calculated with the use of the mentioned techniques and the HR estimator, which was developed by Haslett and Raftery [42]. Furthermore, we selected the order of the analyzed model using exponential smoothing in the state space and information criteria such as Akaike (AIC) (see Hyndman and Khandakar [43]). Owing to the above approach, we were able to obtain satisfactory computational efficiency and automatic realization of the used algorithms.

MLE method in estimation of parameter d
The analysis of an ARFIMA process $Z_t$ from the perspective of the Gaussian log-likelihood presented by formula (1) that refers to with $z = (z_1, z_2, \ldots, z_n)^t$ being the vector described by parameter, and $\varrho = (\sigma^2, H_e)$, $\Sigma$ describes the $n \times n$ covariance matrix of $Z$ relying on $z$ and $\varrho$, $H_e$ denotes the Hurst exponent, and the determinant of $\Sigma$ is denoted by $|\Sigma|$. The MLE of $\varrho$ may be calculated by maximizing $\log G_L(z; \varrho)$ with respect to $\varrho$. The calculation of first partial derivative of formula (4) has been described by The maximum likelihood estimate $\hat{\varrho}$ is the solution of $G'_L(z; \varrho) = 0$. Provided that the parameters present high dimension, or there is a long time series, it is difficult to compute the exact MLE due to its numerical instability, because formula (5) requires evaluating the determinant and inverting the matrix $\Sigma$ [36,44,45].
Out of numerous analogous MLE methods that can be conveyed by calculation of approximation of the likelihood function, we decided to use the HR estimator based on a quick and precise Haslett and Raftery's method [42], whose heuristic idea is to achieve autoregressive approximations. Such autoregressive, infinite order process may represent a Gaussian ARFIMA.
However, since the number of samples is finite, the truncated model is obtained in accordance with $m < t \le n$, with $\varrho$ being the coefficients of the formula $\Phi(B)\Theta(B)(1 - B)^d$. Since approximating as well as refining are performed, a QMLE of $\varrho$ is brought about by the operation of maximization where $C$ is a constant. A more extensive study on this approximation method can be found in [42].

The calculation and selection of model features
The exponential smoothing state space models are obtained as follows: where $\{\epsilon_t\}$ is a Gaussian white noise process with zero mean and variance $\sigma^2$, and $\mu_t = W(a_{t-1})$. The model with additive errors has $R(a_{t-1}) = 1$, and consequently, $b_t = \mu_t + \epsilon_t$. The model with multiplicative errors has $R(a_{t-1}) = \mu_t$, and consequently, $b_t = \mu_t(1 + \epsilon_t)$. Hence, $\epsilon_t = (b_t - \mu_t)/\mu_t$ is the relative error of the multiplicative model. The models created in this way are not unique: each value of $R(a_{t-1})$ results in identical point forecasts for $b_t$. The values of $a_0$ and the parameter $\vartheta$ are necessary for these models to be useful in terms of forecasting. Calculating the likelihood of the innovations state space models (8) is not difficult, and neither is obtaining the maximum likelihood estimates: It is easy to calculate (9) with the recursive equations in [43,46]. For state space models with multiple sources of error, it is necessary to apply the Kalman filter to evaluate the likelihood; our calculations are free of that requirement. The parameters $\vartheta$ and the initial states $a_0$ are estimated by minimizing $G^*_L$. The method for choosing the model is based on the Akaike criterion where $V_{AIC}$ is the value of AIC, $n_p$ is the number of parameters in $\vartheta$ plus the number of free states in $a_0$, and $\hat{\vartheta}$ and $\hat{a}_0$ denote the estimates of $\vartheta$ and $a_0$. From the models applicable for the data, we selected the one that minimizes the AIC. On the basis of the mentioned ideas we achieve an efficient and widely applicable algorithm for automatic forecasting.
To summarize, the stages of the procedure are as follows [43]:
Stage 1: for every series, apply all the matching models, optimizing the parameters (the smoothing parameters and the initial state variable)
Stage 2: choose the most effective model in terms of AIC
Stage 3: create point forecasts with the use of the most applicable model (with parameters that are created in the optimization process) for as many steps ahead as necessary
A thorough explanation of the proposed method is given in the work of Hyndman and Khandakar [43].
In this section, we describe our experimental setup which has been implemented on a real-life railroad transportation system. Using this installation, a set of experiments has been performed to prove that the approach proposed in this paper is feasible and effective.

Experimental setup
As mentioned above, experimental results presented in this paper have been obtained using real-world installation placed on the active railroad crossings. Railroad gates tracking component that is based on WSN sensors is a part of the more comprehensive system for supervising and visualization railroad crossings. The presented system is an original solution for supervising critical infrastructure of railroad crossings.
In Fig. 4, the main components of the control and visualization system for railroad crossings are illustrated. Telecommunication infrastructure for one railroad crossing consists of WSN sensors used for analyzing the state and position of the railroad crossing separate gates, industrial SCADA computer, classic Intrusion Detection System (IDS) using a database of previously known attack signatures, firewall, and multi-WAN router for providing different links to the WAN network. In our solution, we propose an anomaly detection system (ADS) for the WSN part that is complementary to the implemented classic IDS. The ADS obtains the WSN traffic from the Ethernet link provided by the WSN IP gateway. As already mentioned, the novel detection approach proposed in this paper is based on the statistical model with long memory, ARFIMA. Parameters of the ARFIMA models obtained for different traffic features are stored in the ADS database. Every railroad crossing has a separate ADS instance and the same telecommunication infrastructure. WAN routers are used for communication with the control and visualization management application. Railroad crossings were situated on the same rail link and connected to the control and visualization system by fiber or radio WAN connection, e.g., by means of long-term evolution (LTE). Practical realization of the WSN IP gateway is depicted in Fig. 5, where a printed circuit board and the gateway installed on one of the railroad crossing columns are presented.
WSN sensors are installed on the top of railroad gates. Installed sensors on the railroad crossing and a sensor printed circuit board are presented in Fig. 6. The sensor is powered by battery banks and additionally supported by a small solar panel. Static position/tilt of the railroad gate is measured by a Microelectromechanical Systems (MEMS) sensor which provides position in three dimensions: x, y, and z. WSN sensors transmit packets in an idle state (gates are not moving) in approximately constant periods of time. In the idle state, we control physical presence of railroad gates and battery health, signal strength (RSSI), ambient temperature, and gates' three dimensional position. In the idle state, insignificant railroad gates' movements resulting from, e.g., wind or vibrations caused by heavy vehicles are not taken into account. For the sake of reliability, packets from sensors are received by two redundant IP gateways. Every sensor transmits packets to the WSN IP gateway when triggered by railroad gates' movements.
In Fig. 7, part of the railroad crossings management application with railroad gates visualization is depicted. One   Fig. 7). The list below the button ribbons provides information, for example, about the state and the position of separate railroad gates (e.g., gate open, closed, changing position, broken gate). As mentioned, the screenshot presented in Fig. 7 is a part of the more comprehensive system for analyzing railroad crossings critical infrastructure, which also considers, for example, video images.

Experimental results
As mentioned before, the proposed anomaly detection system comprises two main steps. In the first step, we remove outlier values (see Section 3.1) for every observed traffic feature (see Table 1). This step prepares data for the next step, where parameters of the statistical model with long memory dependence are calculated. The second step is based on the calculation of parameters of the ARFIMA statistical model (see Section 3.2). We selected seven features which are related to the most important functionalities of railroad crossing critical infrastructure (see Table 1). For every WSN traffic feature, we obtain a forecasting interval (30 samples forecasting horizon) based on the ARFIMA model (see Figs WSN traffic features presented in Table 1 are captured from the Ethernet link of the WSN IP gateway. WSN sensors transmit packets to WSN IP gateways placed on both sides of the railroad crossing. The WSN gateway converts received packets to IP packets. Then, packets converted by the WSN IP gateway are captured in the next step by a software sensor installed on the railroad industrial computer. Every WSN traffic feature presented in Table 1 is extracted from packets captured by the IP network sensor.
In a subsequent step, WSN traffic features are processed in real time by the proposed anomaly detection solution, which indicates a possible anomaly/attack when the value of the online calculated traffic feature is outside an interval determined by two prediction intervals. When values for a given traffic feature are inside the 80 % prediction intervals, we assume that there is no anomaly/attack for a given traffic feature. When WSN traffic features lie inside the interval between the 80 and 95 % prediction intervals, we treat this traffic as suspicious, where an anomaly or attack can be present. Traffic features with values outside the 95 % prediction intervals trigger an anomaly/attack indication by the anomaly detection algorithm. The proposed anomaly detection method for WSN traffic has been tested with different anomaly/attack scenarios assumed. Because a railroad crossing is a critical railway infrastructure, anomalies/attacks had to be simulated and carefully controlled in order to preserve safety on active testing railroad crossings. In this paper, we evaluated the following anomaly/attack scenarios:  Table 2: Scenario 2 can be understood as a situation where, for example, railroad gates will be hit or bent by a vehicle (but sensors are still able to communicate with the IP gateway). In this scenario, the most noticeable impact will be seen for features responsible for measurement of the three-dimensional positions of railroad gates: F2, F3, and F4. Results for this scenario are presented in Table 3.
A different variant of scenario 2 covers situations where railroad gates are moved outside the railroad crossing area but the sensor is not damaged, or where sensors and railroad gates are completely damaged. In these cases, we can observe an impact on features F2, F3, F4, F5, F6, and F7. Results can be observed in Table 4.
In scenario 3, WSN IP gateway was used to perform an attack. The aim of this attack was to drain batteries or delay packets from sensors. This attack requires the knowledge of the specific communication protocol between sensors and the IP gateway. F1, F6, and F7 are features influenced by this attack scenario (see Table 5).
Experimental results presented in Table 6 contain the aggregated detection rate together with the false positive rate for all seven WSN traffic features (see Table 1). Based on the obtained results, the overall performance of the proposed ADS solution can be observed, taking into account all anomaly/attack scenarios described earlier. Most of the anomalies/attacks have been successfully identified. Detection rates varied between 93 and 98 %, while false positive rates were below 9 %. The best results have been achieved for WSN features F2, F3, and F4, calculated based on readings from MEMS sensors, and feature F1 (but only for scenario 3).
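The two-stage procedure and the 80 %/95 % prediction interval rule described in this section can be sketched as follows; this is an added example, not the authors' implementation. It assumes Tukey fences (1.5 × IQR) for the quartile criterion, simplifies the model to ARFIMA(0,d,0) with a given d in place of the Haslett-Raftery estimate, and uses Gaussian prediction intervals; all function names and the sample series are constructed for illustration.

```python
import statistics

Z80, Z95 = 1.2816, 1.9600  # two-sided normal quantiles for 80 % and 95 % intervals

def quartile_filter(xs, k=1.5):
    """Stage 1: drop values outside [Q1 - k*IQR, Q3 + k*IQR] (k = 1.5 is assumed)."""
    q1, _, q3 = statistics.quantiles(xs, n=4)
    lo, hi = q1 - k * (q3 - q1), q3 + k * (q3 - q1)
    return [x for x in xs if lo <= x <= hi]

def weights(d, n, sign):
    """sign=-1: AR(inf) weights of (1-B)^d; sign=+1: MA(inf) weights of (1-B)^-d."""
    w = [1.0]
    for k in range(1, n):
        w.append(w[-1] * (k - 1 + sign * d) / k)
    return w

def forecast(xs, d, horizon=30):
    """Stage 2, simplified to ARFIMA(0,d,0): list of (mean, std error) per step."""
    mu = statistics.fmean(xs)
    y = [x - mu for x in xs]
    pi = weights(d, len(y) + horizon, -1)
    # In-sample one-step residuals give the innovation standard deviation.
    resid = [sum(pi[k] * y[t - k] for k in range(t + 1)) for t in range(len(y))]
    sigma = statistics.pstdev(resid)
    for _ in range(horizon):  # recursive forecasts, future innovations set to 0
        n = len(y)
        y.append(-sum(pi[k] * y[n - k] for k in range(1, n + 1)))
    psi, var, out = weights(d, horizon, +1), 0.0, []
    for h in range(horizon):
        var += psi[h] ** 2  # h-step error variance = sigma^2 * sum of psi_j^2
        out.append((mu + y[len(xs) + h], sigma * var ** 0.5))
    return out

def classify(value, mean, se):
    """Inside 80 % PI: normal; between 80 % and 95 %: suspicious; outside: anomaly."""
    dev = abs(value - mean)
    return "normal" if dev <= Z80 * se else "suspicious" if dev <= Z95 * se else "anomaly"

def detect(history, live, d, horizon=30):
    """Filter the history, forecast, and label each live observation in order."""
    fc = forecast(quartile_filter(history), d, horizon)
    return [classify(v, m, se) for v, (m, se) in zip(live, fc)]

# Constructed sample: a periodic idle-state feature with one injected outlier (90).
SAMPLE = [48 + (7 * i) % 5 for i in range(60)] + [90]
# d = 0.3 is an assumed value; the paper estimates d with Haslett-Raftery.
LABELS = detect(SAMPLE, [50.0, 90.0], d=0.3)
```

The standard error grows with the forecast step, so the same deviation can be labelled an anomaly early in the 30-sample horizon and only suspicious near its end.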

Conclusions
Ensuring a proper level of security for resources and systems of critical infrastructure, particularly transportation ones, realized as sensor radio networks is currently an intensively explored research topic. It is apparent that WSN, due to their nature, are vulnerable to a substantial number of threats originating both from the outside and inside of their own infrastructure. Therefore, these networks require ensuring the integrity and confidentiality of the transmission, as well as protection of nodes and data transferred with their use. While developing mechanisms, algorithms, or protocols that increase transmission security in WSN, one also needs to consider the restrictions imposed by the unique characteristics of WSN, such as self-organization, dislocation, equipment limitations, and the ease with which nodes and protocols fail. The increasing number of novel attacks, their global scope, and complexity level enforce dynamic development of network security systems. The most often implemented solutions aiming at ensuring security are detection and classification methods that make it possible to identify abnormal behaviors reflected in the analyzed network traffic.
The advantage of such an approach is the protection against so far unknown attacks, whether developed specially (targeted attacks) in order to attack particular resources of network infrastructures or simply constituting so-called zero-day exploits. Anomaly detection systems may play a crucial role in those environments. Their purpose is to detect (for auto-response) unusual traffic behavior representing symptoms of unauthorized actions directed against protected critical infrastructure resources, implemented as WSN networks.
That is why in this paper we introduced a novel network traffic anomaly detection method for a critical railway transportation infrastructure which utilizes a sensor radio network. In order to detect anomalies, differences between the actual network traffic and the estimated ARFIMA model of that traffic for the analyzed WSN network parameters were used. For the purpose of suitable preparation of data for statistical modeling, outlying observations in the analyzed WSN network parameters were found and eliminated with the use of a simple and fast one-dimensional quartile criterion. Parameter estimation and identification of the order of the ARFIMA statistical models were realized as a compromise between the model's coherence and the size of its estimation error. The obtained experimental results performed on the real-life railway crossings infrastructure confirm efficacy and accuracy of the presented anomaly detection method. We achieved overall detection rates that varied between 93 and 98 %, while false positive rates were below 9 %. The most valuable WSN features for anomaly detection purposes were F1, F2, and F3, and they were based on readings from the MEMS sensor. In case of sensor failure, we took into account the readings of other undamaged sensors in order to ensure successful system operation. To conclude, we consider utilization of an efficient IDS system as a must in every railway critical infrastructure management system. Future work will be related to further exploring the most efficient set of parameters used for the proposed network traffic anomaly detection method. Moreover, we also plan experiments on a greater scale and during a longer time period, which will allow us to further tune the proposed solution and to model the abnormal behaviors even better.