5.9 Interoperability with other IDS
The proposed system is designed for two security purposes: either for authentication (the standalone operation discussed earlier) or as a processing component in another IDS or authentication system, e.g. TAS. In the latter mode, the Behaviour Profiling system only provides a verification result or a profile-matching score respectively, and the final decision is made by the other security mechanism.
As mentioned in section 3.2.6, TAS is an authentication system utilising a number of biometrics to provide transparent and continuous authentication for mobile users. This has been achieved by employing a two-tier approach: Tier 1 selects various biometric techniques and Tier 2 combines a number of multi-biometric methods together.
The Behaviour Profiling system can be used by TAS as one of the biometric techniques in Tier 1, as it verifies users by the way they utilise mobile applications; it can also make a unique contribution to the Tier 2 operations of TAS. Since the Behaviour Profiling system verifies mobile users based upon their application usage, TAS can use its verification output alone, in pass-through mode, to provide transparent and continuous authentication. Moreover, the Behaviour Profiling system can work with other biometric techniques to form a fusion mode in TAS. For instance, when a user sends a text message, their keystroke activity (i.e. how each character is typed into the message) and their behaviour profiling activity (i.e. where and to whom the message is sent) can be combined in one fusion function. In this way, TAS can make the authentication decision with more confidence.
A number of IDS systems have been proposed to detect the presence of malware within the mobile device environment, such as the Knowledge-based Temporal Abstraction (KBTA) based IDS proposed by Shabtai et al. (2010). This host-based IDS can accommodate the aforementioned MLP of our HIDS (as depicted in Figure 5.9). Their evaluation indicates that their architecture works well for detecting mobile malware. Nonetheless, their system cannot detect any user-related misuse. Therefore, the Behaviour Profiling system and the KBTA-based IDS could work together to form a new host-based IDS for mobile devices which provides comprehensive detection of both user misuse and mobile malware.
Fig. 5.9 Hybrid IDS for mobiles (Shabtai et al., 2010)
As a result, an alert would be raised not only when a device is infected by malware but also when it is misused by a user. More accurate alerts would also be generated when an application is infected by malware. For instance, when the text messaging service is infected by malware, it may send messages to a premium number without the owner’s knowledge. If any messages were sent to the premium number, the Behaviour Profiling system should detect the abnormal activity, as it deviates from the user’s normal behaviour. In addition, as the messages were generated by malware, the malware detection part of the IDS can also pick up the abnormal activity. Therefore, two alerts would be raised by the IDS after an unauthorised text message was sent. This would improve the performance of the IDS significantly.
5.10 Summary
In this chapter, a novel Behaviour Profiling based anomaly detection system, which provides robust, transparent and continuous protection for mobile devices by verifying mobile usage activities, has been designed, and the components and functionalities of the system have been described in detail. By employing the dynamic profiling technique, the system can generate a fresh user profile, allowing more accurate verification results to be obtained. By utilising the scaling function, the system reduces the impact of the high false rejection problem which every single behavioural biometric technique experiences; hence, the performance of the system can be improved, at the cost of decision making taking longer to process. Also, a user’s identity is not verified based upon a single pass or fail but upon a number of consecutive verification results. The HIDS can operate in different modes to serve a variety of purposes. When the system operates in standalone mode, it verifies a user’s identity and responds accordingly in isolation. When the system works in dependent mode, it provides verification results based upon the user’s activities, with the final decision being made by another security mechanism (either an authentication system or an IDS). In the next chapter, the Behaviour Profiling system will be evaluated using data collected from 10 subjects, using Matlab to simulate the tests.
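To make the operating modes concrete, the following added example (not code from the thesis or its Matlab simulation) models the pass-through and fusion modes of section 5.9, the premium-number dual-alert scenario, and the consecutive-result decision described in the summary. The recipient-frequency profile, the weighted-sum fusion rule, the thresholds and the sample SMS history are all assumptions constructed for illustration.

```python
from collections import Counter

# Constructed SMS history for one user (recipient phone numbers); not from the thesis dataset.
SMS_HISTORY = ["+44700000001"] * 12 + ["+44700000002"] * 6 + ["+44700000003"] * 2

def build_profile(history):
    """Behaviour profile: relative frequency of each recipient in past activity (assumed model)."""
    counts = Counter(history)
    total = sum(counts.values())
    return {dest: n / total for dest, n in counts.items()}

def match_score(profile, recipient):
    """Profile-matching score in [0, 1]; a never-seen recipient (e.g. a premium number) scores 0."""
    return profile.get(recipient, 0.0)

def pass_through_decision(score, threshold=0.05):
    """Dependent/pass-through mode: TAS accepts or rejects on the behaviour score alone."""
    return score >= threshold

def fusion_decision(behaviour_score, keystroke_score, w_b=0.5, threshold=0.4):
    """Fusion mode: weighted sum of behaviour and keystroke scores (assumed fusion function)."""
    fused = w_b * behaviour_score + (1 - w_b) * keystroke_score
    return fused >= threshold

def standalone_decision(scores, threshold=0.05, max_consecutive_fails=3):
    """Standalone mode: reject only after N consecutive failed verifications (N assumed)."""
    fails = 0
    for s in scores:
        fails = fails + 1 if s < threshold else 0
        if fails >= max_consecutive_fails:
            return False
    return True

def hybrid_ids_alerts(profile, recipient, malware_flag, threshold=0.05):
    """Hybrid HIDS: one alert from behaviour profiling, one from the malware detector."""
    alerts = []
    if match_score(profile, recipient) < threshold:
        alerts.append("behaviour: recipient deviates from user profile")
    if malware_flag:
        alerts.append("malware: message originated from a flagged process")
    return alerts

if __name__ == "__main__":
    profile = build_profile(SMS_HISTORY)
    premium = "+44900000000"  # constructed placeholder for an unseen premium number
    print(hybrid_ids_alerts(profile, premium, malware_flag=True))
```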
HIDS Evaluation
6.1 Introduction
The purpose of this chapter is to outline the evaluation process of the HIDS proposed in Chapter 5 and to discuss the results of the tests that were performed. To begin this process, we developed an Android application for data collection to work as the Feature Extractor component of the HIDS. The working details of this component were discussed in Section 5.5. This application was installed on 10 smartphones and the data collection period was 15 days. After this time the users sent the usage data (an SQLite database file) via the email option in the application.
A simulation of the MLP component (see Section 5.6) of the HIDS was implemented as a Matlab program hosted on a PC. Once the data was received from all users, the MLP was applied to it to train and test the accuracy of the system based on the criteria set out in Section 5.6.2. This enabled an evaluation of the processes and mechanisms over a far wider range of variables than would have been possible with a smartphone application.
Due to privacy concerns from the users of our Android application, the dataset didn’t include fine grained details like telephone numbers, names of applications,