Efficient location aware intrusion detection to protect mobile devices
Sausan Yazji (1), Peter Scheuermann (1), Robert P. Dick (3), Goce Trajcevski (1), Ruoming Jin (2)

(1) S. Yazji (corresponding author), P. Scheuermann, G. Trajcevski: EECS Department, Northwestern University, Evanston, IL 60208, USA
(2) R. Jin: CS Department, Kent State University, Kent, OH 44242, USA
(3) R. P. Dick: EECS Department, University of Michigan, Ann Arbor, MI 48109, USA
Abstract
This paper addresses the problem of efficient intrusion detection for mobile devices by correlating the user's location and time data. We developed two statistical profiling approaches for modeling the normal spatio-temporal behavior of the users: one based on an empirical cumulative probability measure and the other based on the Markov properties of trajectories. An anomaly is detected when the probability of a particular (location, time) evolution matching the normal behavior of a given user becomes lower than a certain threshold, determined by controlling the recall rate of the model of the normal user's behavior. We used compression techniques to reduce processing overhead while maintaining high accuracy. Our evaluation based on the Reality Mining and Geolife data sets shows that the proposed system is capable of detecting a potential intrusion within 15 min and with 94 % accuracy.
1 Introduction
Recent technological advances have caused a huge increase in the use of mobile devices. Smartphones, notebooks, and tablets such as the iPad come with many capabilities, including email, text messaging, gaming, web browsing, navigation, and recording pictures/videos. These devices store a great deal of personal information and, if a device is stolen, the loss of control over that data may matter more than the loss of the device itself.
Some prior work on mobile device security has focused on physical aspects and/or access control methods (e.g., strong passwords, voice recognition [26], or fingerprints [21]). However, such approaches do not protect the private data on a stolen device in the post-authentication state, i.e., once the device has already been unlocked. Today's smart devices are already equipped with tools that let us obtain vast amounts of data about user behavior, such as application usage logs. In addition, many mobile devices are equipped with location identification tools such as Global Positioning System (GPS) receivers, which can be used to track the device's location in case of theft. However, existing GPS-based tools for protecting mobile devices (e.g., GadgetTrak [12] and RecoveryCop [25]) depend on the owner to report the theft, and it may take hours before the owner realizes the device is missing, by which point the private data may already have been exploited. Even Laptop Cop [23] requires user intervention to remotely/manually delete the data on a stolen device.
Our main goal is to develop efficient techniques for protecting data saved on mobile devices by detecting spatiotemporal behavior that is anomalous compared to the regular motion patterns of the owner. A study by Gonzalez et al. [14] of 100,000 trajectories of anonymized mobile phone users, whose positions were tracked over a 6-month period, demonstrated that many individuals tend to have small sets of locations that they visit frequently (e.g., home, work, school) and tend to take the same path when moving between locations. The observations of Gonzalez et al. [14] imply that a user's presence at a certain time in a certain location is predictable; hence, we can use this to build a user profile which, in turn, can be used to perform anomaly detection.
In a previous study [34], we used network access patterns and file system activities on laptops to build a behavioral model based on K-means clustering that permitted attack detection with a latency of 5 min and an accuracy of 90 %. In a recent work [35], we used users' location information and trajectory data to build profiles of smart phone users, and we were able to detect attacks within 15 min with 81 % accuracy. This paper extends our results in [35] as follows:
• We present an enhanced user model based on the previously discussed spatiotemporal information and trajectory-data approach, in which we assume a normal-distribution histogram for the user profile. We eliminate the low end of the distribution (values below 10 %) during the detection analysis in order to achieve 96 % detection accuracy.
• We propose, implement, and compare two data reduction techniques that enable us to reduce the memory requirements by approximately 90 % and consequently reduce the processing time. These techniques are the Row-Merge algorithm, which combines adjacent rows in our data structures, and the MDLP algorithm, which is an adaptation of an existing statistical technique [3] to our setting.
• We evaluated our techniques on an additional spatio-temporal data set, Geolife [36-38].
In summary, this article makes the following main contributions.
• We develop two statistical profiling approaches and corresponding representations, one based on an empirical cumulative probability measure and the other on the Markov property, in order to model the normal behavior of a user in a fixed time window. An anomaly is detected when the probability that a user's window reflects normal behavior falls below a threshold that is determined by controlling the recall rate on the user's normal behavior.
• We present two techniques that reduce user profile memory requirements while still allowing accurate attack detection.
• We present a detailed experimental evaluation of the proposed methodologies over two data sets, quantifying the benefits of our approaches.
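To make the detection scheme in the first contribution concrete, the following is an added, self-contained Python example; it is not the authors' code and not the exact models of Sect. 3. It assumes a location log taken every T = 5 min (so a 15-min window is three samples), a constructed five-day commute trace for the owner (with one gym visit), a floor probability EPS for (cell, hour) pairs and transitions never seen in training, and a threshold chosen as the (1 - recall) quantile of the owner's own training-window scores. Two profiles are built: an empirical P(cell | hour) table and a first-order Markov transition table P(next cell | cell). A window is flagged when its combined log-likelihood falls below the threshold.

```python
"""Added example: spatio-temporal anomaly detection with an empirical
(cell, hour) profile and a Markov transition profile, thresholded by a
target recall on the owner's own windows. Not the paper's implementation."""
from collections import Counter, defaultdict
from math import log

EPS = 1e-3        # assumption: floor probability for unseen (cell, hour) pairs / transitions
SAMPLE_MIN = 5    # assumption: location is logged every T = 5 minutes
WINDOW_MIN = 15   # detection window length from the paper (15 min)
WIN = WINDOW_MIN // SAMPLE_MIN  # samples per window (3)


def build_profile(days):
    """days: list of daily traces, each a list of (minute_of_day, cell).
    Returns (P(cell | hour), P(next_cell | cell)) as nested dicts."""
    hour_counts = defaultdict(Counter)
    trans_counts = defaultdict(Counter)
    for trace in days:
        for i, (minute, cell) in enumerate(trace):
            hour_counts[minute // 60][cell] += 1
            if i + 1 < len(trace):              # transitions only within one day's trace
                trans_counts[cell][trace[i + 1][1]] += 1

    def normalize(table):
        return {k: {c: n / sum(cnt.values()) for c, n in cnt.items()}
                for k, cnt in table.items()}

    return normalize(hour_counts), normalize(trans_counts)


def window_score(profile, window):
    """Log-likelihood of one window under both profiles; unseen events get EPS."""
    p_hour, p_trans = profile
    score = 0.0
    for i, (minute, cell) in enumerate(window):
        score += log(p_hour.get(minute // 60, {}).get(cell, EPS))
        if i + 1 < len(window):
            score += log(p_trans.get(cell, {}).get(window[i + 1][1], EPS))
    return score


def windows(trace):
    """Non-overlapping WIN-sample windows over one trace."""
    return [trace[i:i + WIN] for i in range(0, len(trace) - WIN + 1, WIN)]


def choose_threshold(profile, days, recall=0.95):
    """Pick the threshold so that at least `recall` of the owner's own
    training windows score >= it (windows scoring below are flagged)."""
    scores = sorted(window_score(profile, w) for d in days for w in windows(d))
    return scores[int((1 - recall) * len(scores))]


def is_anomalous(profile, threshold, window):
    return window_score(profile, window) < threshold


def training_recall(profile, threshold, days):
    wins = [w for d in days for w in windows(d)]
    kept = sum(not is_anomalous(profile, threshold, w) for w in wins)
    return kept / len(wins)


def commute_day(gym=False):
    """Constructed weekday: home, 20-min road, work, road back, home
    (optionally a gym visit 18:00-19:00). Cells are symbolic grid ids."""
    road = ["R1", "R2", "R3", "R4"]
    trace = []
    for m in range(7 * 60, 19 * 60, SAMPLE_MIN):
        if m < 7 * 60 + 40:
            cell = "H"
        elif m < 8 * 60:
            cell = road[(m - (7 * 60 + 40)) // SAMPLE_MIN]
        elif m < 17 * 60:
            cell = "W"
        elif m < 17 * 60 + 20:
            cell = road[3 - (m - 17 * 60) // SAMPLE_MIN]
        elif gym and m >= 18 * 60:
            cell = "G"
        else:
            cell = "H"
        trace.append((m, cell))
    return trace


TRAINING_DAYS = [commute_day(gym=(d == 2)) for d in range(5)]
PROFILE = build_profile(TRAINING_DAYS)
THRESHOLD = choose_threshold(PROFILE, TRAINING_DAYS, recall=0.95)

# Constructed test windows: the owner at work, and a thief in unknown cells mid-morning.
NORMAL_WINDOW = [(9 * 60, "W"), (9 * 60 + 5, "W"), (9 * 60 + 10, "W")]
THIEF_WINDOW = [(10 * 60, "X1"), (10 * 60 + 5, "X2"), (10 * 60 + 10, "X3")]

if __name__ == "__main__":
    print("threshold:", round(THRESHOLD, 2))
    print("training recall:", round(training_recall(PROFILE, THRESHOLD, TRAINING_DAYS), 3))
    print("owner at work anomalous?", is_anomalous(PROFILE, THRESHOLD, NORMAL_WINDOW))
    print("thief window anomalous?", is_anomalous(PROFILE, THRESHOLD, THIEF_WINDOW))
```

Two points worth noting from running it. First, the windows that sit closest to the threshold are the owner's own rare-but-legitimate ones (the commute segments), so lowering the recall target to catch subtler intrusions directly trades for false alarms on the owner's least frequent habits. Second, the thief window is flagged mostly because of the EPS floor on unseen cells; a thief who stays in the owner's usual cells at the usual hours scores like the owner, which is why the paper's evaluation tests against other users' real traces rather than only unseen locations.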
In the rest of this paper, Sect. 2 places the work in the context of our system architecture and discusses the data and feature extraction methods. Section 3 presents the details of the user profile representation and our anomaly-based detection schemes. Section 4 presents the methods used to reduce the size of the user profile data. Section 5 presents a comprehensive experimental evaluation of our methods. Section 6 describes related work, and Sect. 7 concludes the paper and indicates directions for future work.
2 Preliminaries
We now give an overview of our system architecture, followed by a discussion of the properties of the data and their use in feature extraction.
Our system for automatic generation of mobility models and detection of spatiotemporal behavioral anomalies is based on a client-server architecture that uses cloud computing. Its main modules are (1) data collection, (2) feature extraction, (3) user profile/model building, (4) data reduction, and (5) anomaly detection. The detection accuracy is determined by how well anomalous behavior can be distinguished using such models, with other users' models also considered during anomaly detection. Fig. 1 illustrates the integration of these modules into our system architecture, which consists of the following sub-systems:
(ICS) The information capturing system, which resides on the mobile device, contains an application that tracks the device location, records it periodically, and saves it in a new log file every T minutes. (...truncated)