INTRUSION DETECTION IN CELLULAR MOBILE NETWORKS
WIRELESS NETWORK SECURITY 189
There are some other anomaly-based detection techniques. Detection techniques based on immunology [17] first capture a large set of event sequences from historical data to construct the normal profile. They then use either negative selection or positive selection algorithms to detect how incoming event sequences differ from the event sequences in the normal profile [18]. Expert systems can also be used to implement anomaly-based techniques [9]: to describe normal behavior, such an expert system studies the activities of the target system to form a set of rules. Lee et al. proposed using a data mining approach to construct intrusion detection models [19]. Anomaly-based detection techniques utilizing the Chi-square test are introduced in [20] and [21]. There are also anomaly-based detection techniques that use a first-order or higher-order Markov model of event transitions to represent a normal profile [22], [23], [24], [25]. In [22], Jha et al. proposed a general framework for constructing anomaly detectors based on a Markov chain model.
Besides misuse-based detection and anomaly-based detection, there is a new class of detection algorithms: specification-based techniques [27]. They combine the advantages of both misuse-based and anomaly-based detection techniques. These approaches are based on manually developed specifications of legitimate program behavior, which keeps the false alarm rate low. The IDS detects deviations of observed program behavior from these specifications, rather than detecting the occurrence of specific attack patterns. Thus, attacks can be detected even though they have not previously been encountered.
3.2. Intrusion Detection for Cellular Mobile Networks
Most of the proposed work in the area of wireless IDSs exploits the regularity of users' behaviors (for example, mobility patterns and calling activities) to construct normal profiles. Regularity is one of the basic assumptions in developing realistic IDSs. For example, in terms of mobility patterns, a mobile user usually travels with a specific destination in mind and tends to follow the shortest path to it. A user's mobility pattern is a reflection of his/her daily routine, and most mobile users have favorite routes and habitual movement patterns. In terms of calling activities, most mobile users have their own regular calling activities. For example, because of regular working rhythms such as a daily or weekly business telephone conference, most users demonstrate certain calling patterns. Although an attacker can compromise all the secrets associated with a mobile device, he/she could not follow the movement pattern of the authentic owner and mimic the authentic user's profile. By establishing an accurate normal profile that reflects the normal pattern and comparing it with the currently observed pattern, misbehavior can be effectively identified.
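As an added illustration (not code from the chapter or from any of the cited systems), the following Python builds the kind of Markov-chain normal profile described in Section 3.1 from a subscriber's mobility pattern: it learns first-order cell-to-cell transition probabilities from historical traces, then scores an observed trace by its average transition log-likelihood and flags it when the score falls below a threshold derived from the training data. All cell IDs and traces are constructed sample data.

```python
from collections import defaultdict
from math import log

# Constructed training data: one subscriber's historical cell-ID sequences
# (the same home -> work -> home commute through cells c1..c4).
TRAINING_TRACES = [
    ["c1", "c2", "c3", "c4", "c3", "c2", "c1"],
    ["c1", "c2", "c3", "c4", "c4", "c3", "c2", "c1"],
    ["c1", "c2", "c2", "c3", "c4", "c3", "c2", "c1"],
]

def build_profile(traces, alpha=0.01):
    """First-order Markov normal profile: P(next cell | current cell).
    alpha is Laplace smoothing so a plausible-but-unseen transition between
    known cells gets a small, non-zero probability instead of zero."""
    counts = defaultdict(lambda: defaultdict(int))
    cells = set()
    for trace in traces:
        cells.update(trace)
        for cur, nxt in zip(trace, trace[1:]):
            counts[cur][nxt] += 1
    cells = sorted(cells)
    profile = {}
    for cur in cells:
        total = sum(counts[cur].values()) + alpha * len(cells)
        profile[cur] = {nxt: (counts[cur][nxt] + alpha) / total for nxt in cells}
    return profile

def transition_prob(profile, cur, nxt, floor=1e-6):
    # A cell never seen in training (as source or destination) gets the floor.
    return profile.get(cur, {}).get(nxt, floor)

def score_trace(profile, trace):
    """Average log-likelihood per transition; higher means more normal."""
    if len(trace) < 2:
        return 0.0
    ll = sum(log(transition_prob(profile, a, b)) for a, b in zip(trace, trace[1:]))
    return ll / (len(trace) - 1)

def is_anomalous(profile, trace, threshold):
    return score_trace(profile, trace) < threshold

if __name__ == "__main__":
    profile = build_profile(TRAINING_TRACES)
    # Threshold: a margin below the least likely training trace.
    threshold = min(score_trace(profile, t) for t in TRAINING_TRACES) - 1.0
    normal = ["c1", "c2", "c3", "c4", "c3", "c2", "c1"]
    odd = ["c1", "c7", "c9", "c7", "c1"]  # cells this subscriber never visits
    print(score_trace(profile, normal), is_anomalous(profile, normal, threshold))
    print(score_trace(profile, odd), is_anomalous(profile, odd, threshold))
```

In a deployment the threshold would be tuned on held-out normal traces, since a fixed margin trades false alarms against missed detections.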
190 BO SUN et al.
Relatively few research efforts have been devoted to intrusion detection for cellular mobile networks. Büschkes et al. [28] applied the Bayes decision rule to users' mobility patterns to increase the security of mobile networks. Through proper behavior prediction, they applied anomaly-based detection techniques to profile mobile users. Samfat et al. [29] proposed IDAMN (Intrusion Detection Architecture for Mobile Networks), which includes two algorithms to model the behavior of users in terms of both telephony activity and migration patterns. IDAMN can perform intrusion detection in the visited location and within the duration of a typical call. Y.-B. Lin [1] presented an excellent study on detecting the potential fraudulent usage of cloned phones in cellular mobile networks. They showed how quickly fraudulent usage can be detected under GSM/UMTS call setup procedures and how to reduce the possibility of fraudulent usage. Exploring the mobility patterns of public transportation users, Hall et al. [30] utilized an instance-based learning technique to classify different users' behaviors. There are also some research efforts dedicated to fraud detection systems in cellular mobile networks. Hollmén [31] presented fraud detection techniques for mobile communication networks based on user profiling and classification. Call data is used to describe the behavioral patterns of mobile users, and neural networks and probabilistic models are employed to learn their usage patterns. Based on these models, abrupt changes from established usage patterns can be detected.
It is worth mentioning that some of the above-mentioned schemes require the tracking of users' locations. This raises location privacy issues because of the potential exposure of users' whereabouts. Fortunately, there is some work in the literature aimed at addressing these privacy issues. For example, He et al. [34] proposed using blind signatures to generate an authorized anonymous ID with which the server authorizes the mobile device. Location-based IDSs should be properly integrated with such privacy-enhancing schemes in order to be readily deployed.
4. FEATURE SELECTION
One of the most important steps in constructing intrusion detection systems is to extract effective features. Features are security-related measures that can be used to construct suitable detection algorithms. Features must be selected so that they reflect the activities of the subject being monitored. Feature selection plays such a critical role in constructing effective detectors that its importance cannot be overemphasized.
Each intrusion detection approach is technically suited to identifying a subset of the security violations to which the system is subject. The selection of security measures should be based on a good understanding of the system itself as well as of all possible attacks that may influence the system's normal behavior. Different attacks may be sensitive to different statistical features, so domain expert knowledge is sometimes required to help select good features. In the history of IDSs, people have used various features to construct detection models; these features tend to define the normal behavior of a user, a program, or a network element. Since the ground-breaking discovery of S. Forrest [32], researchers have found that short sequences of the system calls made by privileged programs are a stable characterization of a system's behavior. Therefore, many research efforts since then have focused on constructing different detection models using short sequences of system calls.
Although there are some theoretical guidelines for optimal feature selection [33], it is still challenging to apply them in practice. In [26], Lee et al. utilized data mining algorithms to compute activity patterns from system audit data and to extract temporal and statistical features from the patterns. They identified intrusion-only patterns from