Behaviour profiling for mobile devices

Author

  • Fudong Li
Abstract

Mobile devices have become essential to modern society; however, as their popularity has grown, so has the requirement to ensure devices remain secure. This paper proposes a behaviour-based profiling technique using a mobile user’s application usage to detect abnormal activities. Through operating transparently to the user, the approach offers significant advantages over traditional point-of-entry authentication and can provide continuous protection. The experiment employed the MIT Reality dataset and a total of 45,529 log entries. Four experiments were devised based on an inter-application dataset containing the general application; two intra-application datasets combined with telephony and text message data; and a combined dataset that included both inter-application and intra-application. Based on the experiments, a user’s profile was built using either static or dynamic profiles and the best experimental results for the application-level applications, telephone, text message, and multi-instance applications were an EER (Equal Error Rate) of 13.5%, 5.4%, 2.2%, and 10%, respectively.

through service provider’s network, Internet surfing via Wi-Fi hotspots, video conferencing through a 3G connection, road navigating by GPS (Global Positioning System), picture sharing by using Bluetooth pairing, data synchronising with laptop/desktop computers, document creation and modification, and entertainment (i.e., playing music). Indeed, the functionality and interconnectivity of mobile devices only tends to increase with time.

DOI: 10.4018/ijcwt.2011010105

International Journal of Cyber Warfare & Terrorism, 1(1), 43-55, January-March 2011. Copyright © 2011, IGI Global.
Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

While people enjoy the convenience provided by mobile devices, there are also threats which could make their life less comfortable, such as the loss or theft of the device, service fraud, information disclosure, mobile malware, Smishing (SMS [Short Message Service] phishing) and Vishing (Voice phishing). According to the metropolitan police website, there are around 10,000 mobile devices lost or stolen in London every month (Metropolitan Police Service, 2011). When a mobile device is lost or stolen, there is an initial cost of replacement; however, more damage could occur if the attacker accesses the mobile services and information. According to the Communications Fraud Control Association’s (CFCA) Global Fraud Loss Survey 2009, service fraud is estimated to cost telecom service providers $72-$80 billion every year (CFCA, 2009). Also, a survey shows that 32% of all information disclosure incidents were related to lost or stolen mobile devices (Ponemon Institute, 2011). Moreover, the McAfee mobile and security report indicated that “Four in 10 organizations have had mobile devices lost or stolen and half of lost/stolen devices contain business critical data”, such as customer data, corporate intellectual property and financial information (McAfee, 2011, p. 12).

Mobile malware can also harm the mobile phone in a variety of ways, such as: infecting files and damaging user data. Since first discovered in 2004, there are more than 106 malware families with 514 variants (Securelist, 2009). Furthermore, the number of new mobile malware being found in 2010 has increased considerably (by 46% compared with those occurring in 2009) (McAfee, 2010). Smishing and Vishing are new types of phishing attacks which are performed by utilising text messaging and telephone calls (FBI, 2010).
If the phone owner is fooled, their personal information can be exposed and abused.

With the aim to counter mobile threats, a number of security mechanisms have been developed both on the mobile device and the service provider’s network. The PIN (Personal Identification Number) based authentication method is the most widely deployed approach on mobile devices. Although widely used, many users do not employ the technique properly (i.e., never changing the PIN) (Clarke & Furnell, 2005; Kurkovsky & Syta, 2010). Mobile antivirus software and firewall applications are mainly deployed for detecting malware presence and blocking unwanted network traffic. Nonetheless, obtaining the latest virus signatures and updating rules for network traffic are not easy tasks; furthermore, their ability to detect user related activities is limited. As a mobile device has limited computing power, more sophisticated mechanisms, such as IDS (Intrusion Detection System), are primarily deployed on the service provider’s network. These systems continuously monitor the mobile users’ calling and migration activities to detect telephony service fraud. However, given the modern mobile device has the ability to access several networks simultaneously and accommodate a wide range of services, existing network-based security mechanisms are unable to provide comprehensive protection for the mobile handset. Therefore, a new security mechanism which can ensure a user’s legitimacy (authentication function) in a continuous manner (IDS function) is needed. This paper focuses upon presenting the findings from a feasibility study into utilising a host-based behavioural profiling approach to identify mobile device misuse, and providing continued and transparent protection for mobile devices.

This paper begins by introducing various mobile device applications, mobile threats, and general security mechanisms and continues to describe the current state-of-the-art.
A series of experimental studies on three aspects of user’s applications usage (application-level, application-specific and overall) are presented in Section 3, with the following section describing the results. The paper then proceeds to discuss the results and conclude with highlighting the future direction of the research.

2. Behaviour-Based Mobile Device Security Mechanisms

Research in mobile device security has been an established area for more than 10 years with a substantial amount of activity focused upon the areas of authentication, antivirus, firewalls, and IDS. Of particular interest however is the research that has been undertaken in behaviour-based mechanisms. This research falls primarily into two behaviour-based categories: network and host mechanisms.

Behaviour-Based Network Mobile Security Mechanisms

The research for studying mobile behaviour-based mechanisms started around 1995 mainly focusing upon the area of fraud detection. These mobile IDSs monitor user calling and migration behaviour over the service provider’s network, and detect telephony service fraud (Gosset, 1998; Samfat & Molva, 1997; Boukerche & Nitare, 2002). One particularly successful approach is based upon developing a profile of users’ calling history over a period of time and comparing this historical profile against current usage, with deviations above a predefined threshold resulting in an alarm. Various supervised and unsupervised classifiers were successfully developed to deal with various attributes of the problem-space (known and unknown attack vectors) and the resulting systems were combined so that the strengths of each approach can be capitalised upon (Gosset, 1998).

Research has also focused on the use of geo-location information as a basis for detecting misuse.
Based upon the hypothesis that people have a predictable travelling pattern, the migration based mobile IDS monitors a user’s location activities to detect abnormal behaviour. The user’s location information can be obtained either from the mobile cellular network (i.e., cell ID) or via a GPS link (i.e., longitude, latitude). By recording the users’ location information over a time period, a mobility profile can be generated. When a mobile user carries their device from one location to another, the probability of the event will be calculated. If this surpasses a threshold, then the current event will be considered as an intrusion. A number of studies have been carried out by profiling user migration activities (Buschkes, Kesdogan, & Reichl, 1998; Hall, Barbeau, & Kranakis, 2005; Sun, Chen, Wang, Yu, & Leung, 2006).

By studying a user’s calling or location activities, behaviour based IDSs can achieve a high detection rate and offer the ability to detect unforeseen attacks. In addition, as the classification and identification procedures are processed by the network service provider, it does not require any additional computational power from the mobile device. This has traditionally been critical for mobile devices, as they have limited processing power and storage when compared with traditional desktop computers.

Behaviour-Based Host Mobile Security Mechanisms

Existing host behaviour-based mobile security systems are mainly authentication-based systems being studied in the research field. These systems usually employ one or more characteristics of a user’s behaviour to assess the legitimacy of the current user – techniques include gait recognition, handwriting verification, keystroke analysis and voice verification.

Gait recognition is based upon the theory that people can be discriminated by how they walk when they carry their mobile device (Boyd & Little, 2005).
When a user carries their mobile device in their trouser pocket, the user’s gait information can be collected (Derawi, Nickel, Bours, & Busch, 2010). The user’s gait data can then be compared with an existing template. If it matches, the user is considered legitimate; otherwise, they are an intruder. The experiment result shows that an EER (Equal Error Rate) of 20.1% can be achieved. It shows the possibility to deploy this method on a mobile handset. However, as the authentication process is heavily reliant on user’s gait information, this could leave the mobile device unprotected when gait information is not available – for example when the user sits in the office.

Handwriting verification: it is widely believed that each person has a unique handwriting style. Currently, a significant proportion of mobile devices have been equipped with a touch screen, enabling the handwriting verification technique to be deployed. A user’s identity can be verified when they perform their signature (static) or while they write a message by using a stylus (dynamic). Clarke and Mekala (2007) proposed a dynamic approach to verify a user when certain words were written. With a 1% EER, their system performance was excellent. Despite their approach not being fully dynamic as the words were pre-chosen, their work demonstrated that it is possible to identify users based upon the way they write on a mobile device. Nonetheless, as the verification process is fully dependent upon user’s handwriting activities, little protection can be provided if a user views a webpage or reads a document.

Keystroke analysis based authentication systems monitor users’ keystroke patterns, typically monitoring the inter-keystroke latency and hold-time.
The authentication can be performed in two modes: static (text dependent) and dynamic (text independent). In the static mode, users will be authenticated when a specific word or phrase has been entered. For instance, the system will authenticate the user when they enter a PIN to unlock their mobile devices. In the dynamic mode, a user’s legitimacy will be checked based upon their typing speed and rhythm independent of what they type. For example, authentication will transparently occur while the user composes a text message. Previous work in this area includes Clarke and Furnell (2006), Buchoux and Clarke (2008), and Campisi, Maiorana, Bosco, and Neri (2009). With an average experimental EER of 13%, keystroke analysis based authentication systems can be deployed in practice to provide extra security for a mobile device. However, this method is only practical in scenarios with sufficient keystroke activity (i.e., activities such as reading a document or viewing a picture would be unlikely to generate sufficient data to successfully validate a user’s identity).

Voice verification, also known as speaker recognition, is based upon the way people speak. Traditionally, mobile devices were primarily used for making telephone calls, during which a user’s voice sample can be captured for the purpose of voice verification. Woo, Park, and Hazen (2006) examined the possibility of using static voice verification for the mobile device by using an ASR-dependent speaker verification approach. Despite the comparison process being carried out by a standard computer, their work achieved a 7.8% EER proving that a user’s identity can be verified by their voice, even in a noisy environment (i.e., in an office). Nevertheless, again, a user can only be authenticated during a conversation but not for other occasions.

Summary of Current Mobile Behaviour Security Mechanisms

The aforementioned literature suggests that existing behaviour-based network IDSs can detect calling service fraud attacks.
However, in practice it can be seen that the mobile network operator can only monitor calling and migration behaviours, rather than examining every single mobile service. For the existing host-based behaviour authentication system, it could only provide periodic security when the user interacts with the device in the desired manner (e.g., when the keypad is touched or the device is carried in the back pocket). Therefore, none of the current research in mobile behaviour security mechanisms provides a comprehensive and continuous protection against device misuse. Hence, a mobile security mechanism which can offer continuous detection across a wider range of services and connections on the mobile device is needed.

3. Behaviour Profiling for Transparent Authentication for Mobile Devices

The previous section shows that the network-based behavioural security mechanisms can only monitor network-based services through the service provider’s network. As current mobile devices have the ability to access multiple networks simultaneously, a host based approach must be taken into consideration when designing the new system. Furthermore, with the difficulty of obtaining and updating the signatures and the lack of the ability to detect unforeseen threats, a behaviour profiling technique would be prudent.
As application usage represents an overview of how the user interacts with the device (Miettinen, Halonen, & Hatonen, 2006), and due to the lack of research regarding the discriminatory nature of application usage within a mobile device environment, an experiment was developed focused on three aspects: application-level, application-specific and multi-instance (or fused) applications interactions.

Experiment Procedure

The experiment employed a publicly available dataset provided by the MIT Reality Mining project (Eagle, Pentland, & Lazer, 2009). The dataset contains 106 participants’ mobile phone activities from September 2004 to June 2005. By using preinstalled logging software, various mobile data attributes were collected from participants using Nokia 6600 mobile phones. As shown in Table 1, the MIT Reality dataset contains a large and varied selection of information which covers two levels of application usage: application-level information (general applications) and application-specific information (voice call and text message).

Application-level Analysis

By default, a number of common applications are preinstalled on the mobile device by the manufacturer, such as: phonebook, clock and voice calling. With increased computing processing power and storage space and almost 15,000 new mobile applications becoming available on the market every month, mobile users have the freedom of installing any additional applications on the device (Distimo, 2010); this option completely changed the way that people utilise their mobile devices: from a dummy handset into a personalised computing gadget. From a high-level perspective the general use of applications can provide a basic level of information on how the mobile user utilises the device. Such basic information could be the name of the application, time, and location of usage.
Given the hypothesis that mobile users utilise their mobile applications differently (i.e., two users utilise different applications in different time periods and at different locations), an experiment was devised to explore the possibility of utilising application-level information for discriminating mobile device users.

Application-specific Analysis

The second experiment focused on utilising further information about the applications. Within many applications the user connects to data that could provide additional discriminatory information. For instance, when surfing the Internet, the Internet browser can capture all the URLs an individual accesses. Unfortunately, due to limitations on the dataset (collected prior to data-based applications becoming prevalent), the range of application-specific analysis that could be undertaken was limited to telephony and text messaging.

Table 1. The MIT Reality dataset

| Activity | Number of Logs | Information Contains |
|---|---|---|
| General Applications | 662,393 | Application name, date, time of usage and cell ID |
| Voice Call | 54,440 | Date, time, number of calling, duration and cell ID |
| Text Message | 5,607 | Date, time, number of texting and cell ID |

The prior literature shows that calling behaviour has been studied several times in a network-based environment with results demonstrating the ability to discriminate mobile phone users. Within a mobile host environment, the availability of calling features does change slightly – for example, the IMSI (International Mobile Subscriber Identity) is not a useful feature in a host-based solution. Furthermore, although several studies suggested utilising a user’s location information, it has never been treated as a calling feature.
Therefore, it was interesting to identify the effectiveness of a new set of calling features, which included the user’s location information.

Due to the enormous use of text messaging, with the UK alone sending more than 100 billion text messages in 2010 (Ofcom, 2010), the application is amongst the most widely used applications on a mobile device. Despite the high volume of text message usage, little research has been undertaken to show how text messages may be used to detect abnormal usage in the mobile environment. Hence, it was also deemed important to discover the possibility and usefulness of employing text messaging to detect anomalous mobile user’s behaviours.

Multi-Instance Analysis

The final experiment aimed at employing the multi-instance application usage to discriminate individual mobile users. In the experiment, all applications will be put in a chronological order – replaying what a user did with their mobile devices in the real time. For instance, a user switched off the clock alarm (application-level) at 6:05 AM, then visited a number of news websites (application-specific) at 6:20 AM, at 7:10 AM, he/she made several phone calls (application-specific), and started listening to the music (application-level) at 7:36 AM. Hence, the multi-instance applications can continuously present an image of what a user does on the whole, while either the application-level or application-specific applications could only partially provide information on user’s activity. As a result, it is critical to explore the feasibility of utilising multi-instance applications for constantly monitoring every single activity to identify abnormal mobile usages.

For methodological reasons: to maximise the number of participants within a reasonable timeframe, the experiment employed 76 participants whose activities occurred during the period of 24/10/2004-20/11/2004.
As not all participants started or finished the experiment at the same time, it was imperative to isolate a sub-section of the dataset that maximised the number of participants and available data. The methodology employed two types of profile techniques: static and dynamic. For the static profiling, each individual dataset was divided into two halves: the first half was used for building the profile, and the other half was utilised for testing. For the dynamic profiling, the profile contained 7/10/14 days of the user’s most recent activities; the evaluation process was carried out on the same sub-dataset as for the static experiment in order to provide a meaningful comparison. Given the highly variable nature of the input data a smoothing function was applied. Rather than taking each individual result, the smoothing function permitted the system to make a decision after a number of results were present (similar to a winner-takes-all decision-based biometric fusion model). The basis for this approach was derived from the descriptive statistics produced when analysing the data and the large variances observed. A dynamic approach therefore seemed sensible to cope with the changing nature of the profile. Based on the premise that the historical profile can be used to predict the probability of a current event, the following formula illustrated in Equation 1 was devised. The equation also includes a weighting factor to allow for more discriminative features to have a greater contribution ($W_i$) within the resulting score than less discriminative features. Moreover, the equation also provides a mechanism to ensure all outputs are bounded between 0 and 1 to assist in defining an appropriate threshold.

Equation 1: Alarm if:

$$1 - \sum_{i=1}^{N} \left( \frac{\text{Occurrence of Feature}_{i}\,x}{\sum_{x=1}^{M} \text{Occurrence of Feature}_{i}\,x} \times W_i \right)$$
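
The scoring in Equation 1, combined with the static and dynamic profiles and the smoothing step described above, is worked through below as an added Python example; it is not code from the paper. The call records, the weights, the 0.7 threshold, the rule that a score above the threshold raises the alarm, and the mean-over-window smoothing are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

FEATURES = ("number", "cell")            # features i of the telephony application
WEIGHTS = {"number": 0.6, "cell": 0.4}   # W_i; assumed to sum to 1 so scores stay in [0, 1]
BASE = datetime(2004, 10, 24)
NOW = BASE + timedelta(days=14)


def ev(day, number, cell):
    """One call record (constructed sample data, not taken from the MIT dataset)."""
    return {"time": BASE + timedelta(days=day), "number": number, "cell": cell}


def build_profile(events, now=None, days=None):
    """Count how often each value x occurred for each feature i.

    Static profile: pass the training events. Dynamic profile: pass `now` and
    `days` (7/10/14 in the paper) to keep only the most recent activity.
    """
    if days is not None:
        cutoff = now - timedelta(days=days)
        events = [e for e in events if cutoff <= e["time"] < now]
    return {f: Counter(e[f] for e in events) for f in FEATURES}


def deviation(profile, event, weights=WEIGHTS):
    """Equation 1 score: 1 - sum_i (occurrences of x / all occurrences) * W_i."""
    likeness = 0.0
    for f in FEATURES:
        total = sum(profile[f].values())
        if total:  # a feature with no history adds no evidence of legitimacy
            likeness += profile[f][event[f]] / total * weights[f]
    return 1.0 - likeness


def smoothed_alarms(scores, window, threshold):
    """One decision per `window` consecutive events, taken on their mean score
    (assumed smoothing rule; the paper only says several results are combined)."""
    return [
        sum(scores[i:i + window]) / window > threshold
        for i in range(0, len(scores) - window + 1, window)
    ]


# Constructed history of the legitimate owner.
HISTORY = [
    ev(0, "555-0101", "home"), ev(1, "555-0101", "office"),
    ev(2, "555-0102", "office"), ev(3, "555-0101", "home"),
    ev(5, "555-0102", "office"), ev(8, "555-0101", "office"),
    ev(9, "555-0103", "home"), ev(10, "555-0101", "office"),
    ev(12, "555-0102", "home"), ev(13, "555-0101", "office"),
]
# Constructed test stream: four owner calls (one to a new number), then four
# calls made by someone else from an unfamiliar cell.
SESSION = [
    ev(14, "555-0101", "office"), ev(14, "555-0102", "office"),
    ev(14, "555-0101", "home"), ev(14, "555-0150", "office"),
    ev(15, "555-0199", "airport"), ev(15, "555-0198", "airport"),
    ev(15, "555-0199", "airport"), ev(15, "555-0101", "airport"),
]

if __name__ == "__main__":
    static = build_profile(HISTORY)
    scores = [deviation(static, e) for e in SESSION]
    print("per-event scores:", [round(s, 2) for s in scores])
    print("per-event alarms:", [s > 0.7 for s in scores])
    print("smoothed alarms :", smoothed_alarms(scores, window=4, threshold=0.7))
```

Without smoothing, the owner's single call to a new number would already trip the alarm; with a window of four events only the second block of activity does.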


Publication date 2012