Using Mobility Profiles for Anomaly-based Intrusion Detection in Mobile Networks

The high rate of false alarms, which results from the use of anomaly-based intrusion detection (ABID) in mobile networks, can be addressed by combining observations across time and across domains. When ABID is carried out using a single profile, multiple observations can be correlated in time using a state-probabilistic model such as Bayes filters [1]. Furthermore, using a statistical tool such as multivariate analysis [2], the detection results, obtained using multiple profiles from different domains, can also be combined to further reduce the rate of false alarms. Examples of intrusion detection systems (IDSs), which make use of multi-sensor data for enhanced detection, include AAFID by Balasubramaniyan et al. [3] and EMERALD by Porras and Neumann [4]. To date, the use of different profiles for ABID has been investigated by various groups. Node/device profiles are created by exploiting the unique hardware signature of their wireless interface, operating system (proposed by Taleck [5]) and other characteristics of a wireless device. In terms of userbased profiling, the use of calling patterns for fraud detection in cellular networks is explored by Boukerche et al. [6]. In addition, commercial systems, namely the Fraud Management System by Hewlett-Packard (FMS-HP) [7] and Compaq (FMSC) [8] also make use of service usage profiles. The focus of this research is to examine the feasibility of using mobility profiles for enhancing ABID in mobile networks. In particular, a unique classification approach, using an instance based learning (IBL) technique [9], is adopted. In addition, we focus on the analysis of two key system parameters in order to determine their impact on the false alarm and detection rates. Finally, simulations, which were conducted, are based on location broadcasts (LBs) from users, who make use of public transportation, e.g. bus in Los Angeles. This environment promotes a high probability of intrusions, a necessary prerequisite for a meaningful analysis.