1
Using Mobility Profiles for Anomaly-based Intrusion Detection in Mobile Networks
Jeyanthi Hall, Ph.D. Candidate, Carleton University
Supervisors: Michel Barbeau and Evangelos Kranakis
Network and Distributed System Security Workshop
Supported by: MITACS, ALCATEL and NSERC
Copyright 2005 Jeyanthi Hall
2
Presentation Outline
- Use of profiles in anomaly-based intrusion detection (ABID)
- ABID using mobility profiles
  - Create user mobility profiles
  - Design a classification system
- Analysis of two key system parameters (sequence length and cluster size)
- Simulation results
- Conclusions
- Future research initiatives
3
Use of profiles in ABID
Previous research:
- Node/device profiles [Hall 05]
- Operating system profiles [Taleck 03]
- User-behavior profiles based on calling patterns [Boukerche et al. 02] and service usage [HP/Compaq 03]
Focus of our research:
- Explore the feasibility of using mobility profiles of users (built from APRS location broadcasts and classified with IBL) for enhancing anomaly-based intrusion detection (ABID) in mobile networks
- Analyze the impact of mobility characterization and cluster size on the false alarm and detection rates
4
Anomaly-based Intrusion Detection Using Mobility Profiles
5
ABID using mobility profiles
Objective 1: Create a mobility profile for each user
- Phase 1: Data Collection
- Phase 2: High Level Mapping
- Phase 3: Feature Extraction
- Phase 4: Definition of a user mobility profile (UMP)
6
Phase 1: Data Collection
Objective: Capture location broadcasts (latitude, longitude) using the Automatic Position Reporting System (APRS)
7
Phase 2: High Level Mapping
Objective: Reduce intra-user variability between sequences of location broadcasts
[Figure: latitude vs. longitude plot of one user's broadcast sequence on day 1 and on day 2]
8
Phase 2: High Level Mapping (continued)
Approach: Transform the location coordinates (LCs) in each broadcast into a cluster of a given size, i.e. reduce the precision of the coordinates
QUESTION 1: What cluster size is appropriate?
9
Phase 3: Feature Extraction
Objective:
- Extract the LCs (feature) from each location broadcast
- Create a set of mobility sequences, each of a specified sequence length
QUESTION 2: What sequence length is appropriate?
10
Phase 4: Definition of UMP
Objective: Define a mobility profile for each user
11
Phase 4: Definition of UMP (example)
Profile: User 19
Parameters: sequence length = 10, cluster size = 3
Minimum/maximum thresholds calculated using the mobility sequences in the training and parameter¹ sets
¹ Second subset of the mobility sequences
12
ABID using mobility profiles
Objective 2: Design a classification system
- Compares an observed mobility sequence of user A to each of the mobility sequences stored in his/her profile → similarity measure (SM)
- Determines the type of behavior:
  - normal: the SM value is within the pre-established thresholds
  - anomalous: is this user A behaving unusually, or an intruder?
13
ABID using mobility profiles
Approach: Implement the Instance-Based Learning (IBL) classification framework [Lane 1999]
- Provides a mechanism for reducing noise (minor deviations from a given path due to external/internal factors)
14
Analysis of system parameters: Sequence length and Cluster size
Primary Goal: Detect intrusions
15
Analysis of system parameters (sequence length)
As SL is increased:
- the acceptance region expands towards both the left and the right
- the distribution of intrusions shifts to the right, towards the acceptance region
[Figure: similarity distributions with the acceptance region marked]
16
Analysis of system parameters (cluster size)
As CS is decreased (SL = 5):
- the acceptance region shifts towards the left
- the distribution of intrusions shifts to the left, away from the acceptance region
[Figure: similarity distributions with the acceptance region marked]
17
Simulation Exercise
18
Objective: Determine the impact of characterization and cluster size on the false alarm and detection rates
Definition: a false alarm (false positive) or a detection is recorded when the NSMP value of a sequence falls outside the thresholds
Methodology:
- False alarm rate: NSMP values of user 19's test data scored against user 19's training data
- Detection rate: training data of user 19 scored against the test data of the remaining 19 users
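The four-phase pipeline (data collection, high-level mapping, feature extraction, profile definition), the IBL classifier with its minimum/maximum acceptance region, and the false-alarm/detection methodology just described, reduced to one runnable toy. This is an added example written for this page, not the author's code or data. Everything below that the slides do not pin down is an assumption: the grid side chosen per cluster size, the run-length-weighted match count of Lane and Brodley used as the similarity measure (SM), the nearest-instance rule for comparing an observed sequence to the profile, the four synthetic APRS-style tracks, and the use of the normalised SM directly in place of the NSMP statistic on the slides.

```python
"""Toy mobility-profile ABID pipeline (added example, not the author's code).

All constants are assumptions made for illustration; the tracks are constructed.
"""

MICRO = 1_000_000  # degrees -> microdegrees, so cell arithmetic is exact integer math


# Phase 2, high-level mapping. ASSUMPTION: cluster size cs selects a square grid of
# 0.001 * 10**(cs-1) degrees (cs=1: 0.001 deg, cs=2: 0.01 deg, cs=3: 0.1 deg). The
# slides only say that a bigger cluster size means lower precision.
def to_cluster(lat, lon, cs):
    cell = 1_000 * 10 ** (cs - 1)  # cell side in microdegrees
    return (round(lat * MICRO) // cell, round(lon * MICRO) // cell)


# Phase 3, feature extraction: sliding window of length sl over one day's broadcasts.
def mobility_sequences(track_points, cs, sl):
    tokens = [to_cluster(lat, lon, cs) for lat, lon in track_points]
    return [tuple(tokens[i:i + sl]) for i in range(len(tokens) - sl + 1)]


# Similarity measure (ASSUMPTION: Lane & Brodley's scheme): a match at position i
# scores 1 plus the length of the matching run that ends at i-1; a mismatch scores 0
# and resets the run. Normalised by the best possible score sl*(sl+1)/2, so a
# perfect match is 1.0 and a sequence with no matching position is 0.0.
def similarity(x, y):
    score = run = 0
    for a, b in zip(x, y):
        run = run + 1 if a == b else 0
        score += run
    n = len(x)
    return score / (n * (n + 1) / 2)


def profile_similarity(seq, stored_sequences):
    """Nearest-instance rule: best similarity against any stored sequence."""
    return max(similarity(seq, stored) for stored in stored_sequences)


# Phase 4, profile definition: the stored training sequences plus a min/max
# acceptance region obtained by scoring the parameter set against the training set.
def build_profile(train_sequences, param_sequences):
    sims = [profile_similarity(s, train_sequences) for s in param_sequences]
    return {"sequences": train_sequences, "lo": min(sims), "hi": max(sims)}


def is_normal(seq, profile):
    s = profile_similarity(seq, profile["sequences"])
    return profile["lo"] <= s <= profile["hi"]


def alarm_rate(sequences, profile):
    """Fraction of sequences whose SM falls outside the acceptance region."""
    return sum(not is_normal(s, profile) for s in sequences) / len(sequences)


# Constructed APRS-style tracks, (lat, lon) in degrees; not real broadcasts.
# drift_udeg adds a day-to-day drift that grows along the path; diverge=True models
# another user who shares the first leg of the route and then leaves it.
def track(drift_udeg=0, diverge=False):
    points = []
    for i in range(10):
        lat_u = 45_420_000 + 2_000 * i + drift_udeg * i
        lon_u = -75_690_000 + 1_000 * i
        if diverge and i >= 3:
            lat_u += 20_000 * (i - 2)
            lon_u -= 20_000 * (i - 2)
        points.append((lat_u / MICRO, lon_u / MICRO))
    return points


USER_A_TRAIN = track()                 # day 1: training set
USER_A_PARAM = track(drift_udeg=150)   # day 2: parameter set, fixes the thresholds
USER_A_TEST = track(drift_udeg=300)    # day 3: test set, measures false alarms
USER_B_TEST = track(diverge=True)      # a different user, measures detection


def simulate(cs, sl=5):
    """False alarm and detection rates for one cluster size, as on the slides."""
    profile = build_profile(mobility_sequences(USER_A_TRAIN, cs, sl),
                            mobility_sequences(USER_A_PARAM, cs, sl))
    return {
        "cs": cs,
        "lo": profile["lo"],
        "hi": profile["hi"],
        "false_alarm_rate": alarm_rate(mobility_sequences(USER_A_TEST, cs, sl), profile),
        "detection_rate": alarm_rate(mobility_sequences(USER_B_TEST, cs, sl), profile),
    }


if __name__ == "__main__":
    for cs in (1, 2, 3):
        print(simulate(cs))
```

On these constructed tracks the finest grid (cs=1) lets the day-3 drift push half of user A's sequences below the minimum threshold while two of user B's sequences land inside the now-wide acceptance region; at cs=3 every sequence of user A maps to one cell, the acceptance region collapses to the top of the similarity scale, and user B is always flagged. That is the same trade-off the slides argue from the real data. Lane's smoothing of consecutive similarity values, the noise-reduction mechanism mentioned under IBL, is deliberately left out so that the min/max region is the only decision rule.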
19
Quality of Characterization
How well do the mobility sequences in the training data reflect the user's on-going mobility behavior?
One key indicator: the acceptance region, determined by comparing the sequences in the parameter data with those in the training data
- A high level of similarity means the mobility behavior is consistent over time
- Can the level of similarity be increased by using larger cluster sizes?
- How will this affect the false alarm and detection rates?
20
Simulation Results False alarms
At CS = 3 (biggest cluster, lowest precision): the acceptance region is localized at the higher end of the similarity spectrum
[Figure: NSMP distribution with the acceptance region marked]
21
Simulation Results False alarms
At CS = 2 (second biggest cluster, lower precision): the left margin of the acceptance region shifts towards the left
[Figure: NSMP distribution with the acceptance region marked]
22
Simulation Results False alarms
At CS = 1 (smallest cluster, highest precision): the acceptance region shifts further towards the left
[Figure: NSMP distribution with the acceptance region marked]
Question: Can we choose any one of the sizes?
23
Simulation Results Detection Rate
At CS = 1 (smallest cluster, highest precision): a large number of intrusions fall within the acceptance region, giving the lowest detection rate
[Figure: NSMP distribution of intrusions with the acceptance region and detected intrusions marked]
24
Simulation Results Detection Rate
At CS = 2 (second biggest cluster, lower precision): fewer intrusions fall within the acceptance region, giving a higher detection rate
[Figure: NSMP distribution of intrusions with the acceptance region marked]
25
Simulation Results Detection Rate
At CS = 3 (biggest cluster, lowest precision): the fewest intrusions fall within the acceptance region, giving the highest detection rate
[Figure: NSMP distribution of intrusions with the acceptance region marked]
Question: Is a CS of 3 the best choice?
26
Conclusion
Yes, it is feasible to use mobility profiles for ABID, as long as:
- User mobility profiling
  - accurately characterizes the mobility behavior of users
  - selects values for sequence length and cluster size based on the user's or group's mobility behavior (consistent or chaotic)
- Classification scheme
  - the classification system provides sufficient functionality
27
Future Research Initiatives
- Enhance the characterization of the mobility behavior of users
  - Proposed alternate mechanism [Hall 05]
  - Extend the feature set to include timeframe, average speed, etc., which may prove useful in detecting potential intruders
- Explore the use of different values for the system parameters, based on the users' mobility behavior
- Reduce the space and time complexity of the classification system
  - The current level of performance is less efficient than that of statistical classification systems
- Address the issue of user privacy
  - Possible techniques include the use of hash codes, statistical trees and other representations of LCs
28
References
Use of profiles for ABID:
A. Boukerche, "Security and fraud detection in mobile and wireless networks," John Wiley and Sons, Inc., 2002, ch. 27.
J. Hall, M. Barbeau, and E. Kranakis, "Enhancing intrusion detection in wireless networks using radio frequency fingerprinting," in Proceedings of the 3rd IASTED International Conference on Communications, Internet and Information Technology, St. Thomas, U.S. Virgin Islands, Nov. 2004.
J. Hall, M. Barbeau, and E. Kranakis, "Anomaly-based intrusion detection using mobility profiles of public transportation users," Carleton University, Tech. Rep. TR-05-01, Jan. 10, 2005.
Hewlett Packard, "HP fraud management system," 2003. [Online]. Available:
G. Taleck, "Ambiguity resolution via passive OS fingerprinting," in Proceedings of the International Conference on Recent Advances in Intrusion Detection, Berlin Heidelberg, 2003.
IBL:
T. Lane and C. Brodley, "Temporal sequence learning and data reduction for anomaly detection," ACM Transactions on Information and System Security, vol. 2, Aug. 1999.
29
Thank You. Questions?
Jeyanthi Hall