INTRUSION DETECTION IN CELLULAR MOBILE NETWORKS
WIRELESS NETWORK SECURITY 191
training data (a set of network connection records) and parsed these patterns to define features accordingly. Experiments based on test data were also needed to tell whether the selected features could be used to distinguish normal from abnormal activities. This process was repeated until a satisfactory set of features could be selected.
Today, features used in most anomaly-based IDSs are still selected empirically. It remains an open problem to decide the right set of features to construct IDSs in the context of cellular mobile networks. Some example features used include call times and duration, roaming behavior, location coordinates, the list of traversed cells, and so on.
5. ADAPTABILITY OF IDSS
It is necessary to integrate adaptability into the construction of IDSs. In reality, it is highly possible that a single user will demonstrate different mobility behaviors. Even if the user demonstrates the same mobility level, a user will have one set of mobility patterns during weekdays and a different set of mobility patterns during weekends. Therefore, established users’ normal profiles need to be changed adaptively in order to reflect users’ activities more accurately. Moreover, in constructing an anomaly-based IDS, a threshold-based scheme is often used. That is, the distance between observed activities and established normal profiles is compared with a threshold in order to decide whether the system needs to generate an alarm or not. It is also necessary to adjust the threshold adaptively in order to achieve desirable performance. However, how to adaptively adjust the normal profile and the threshold of IDSs in the context of cellular mobile networks is a very challenging problem. Special mechanisms need to be integrated with existing detection techniques to achieve adaptability. For example, an individual subject’s activity may change over time. Therefore, it is necessary for the normal profile to be updated in order to reflect the recent activities. Exponentially Weighted Moving Average (EWMA) techniques [35] provide a suitable way to make activities in the recent past weigh more than activities from long ago. In this way, normal profiles can be adjusted accordingly. To adjust the threshold, usually an effective metric is needed to reflect the uncertainty of established normal profiles. Entropy may be a good choice here. We will see a more detailed example illustrating the integration of adaptability in Section 6.
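The following is an added illustration of this section's adaptive profile and threshold; it is not code from the chapter or from the system described in Section 6. The normal profile is a per-cell EWMA-smoothed distribution over the next traversed cell, the distance is the mean improbability of the observed moves, and the alarm threshold rises with the profile's normalised entropy. The weighting scheme, the distance measure, the linear entropy adjustment and the cell names are all assumptions made for this example.

```python
import math
from collections import defaultdict

class MobilityProfile:
    """Adaptive normal profile over a user's list of traversed cells: an EWMA-smoothed
    next-cell distribution per cell, plus an alarm threshold that grows with entropy
    so that a less predictable user tolerates larger deviations before an alarm."""

    def __init__(self, alpha=0.1, base_threshold=0.5, entropy_weight=0.2):
        self.alpha = alpha                  # EWMA weight of the newest observation
        self.base_threshold = base_threshold
        self.entropy_weight = entropy_weight
        self.next_cell = defaultdict(dict)  # cell -> {next cell: weight}

    def update(self, trajectory):
        """EWMA update: old transition weights decay by (1 - alpha) and the observed
        move gains alpha, so recent trips weigh more. Feed only trips judged normal."""
        for cur, nxt in zip(trajectory, trajectory[1:]):
            dist = self.next_cell[cur]
            for cell in dist:
                dist[cell] *= 1.0 - self.alpha
            dist[nxt] = dist.get(nxt, 0.0) + self.alpha

    def prob(self, cur, nxt):
        """Smoothed probability of the move cur -> nxt; 0 for never-seen moves."""
        dist = self.next_cell.get(cur)
        if not dist:
            return 0.0
        return dist.get(nxt, 0.0) / sum(dist.values())

    def score(self, trajectory):
        """Distance from the profile: mean improbability of the observed moves, in [0, 1]."""
        moves = list(zip(trajectory, trajectory[1:]))
        return sum(1.0 - self.prob(c, n) for c, n in moves) / len(moves) if moves else 0.0

    def entropy(self):
        """Profile uncertainty: mean normalised Shannon entropy of the next-cell
        distributions (0 = one successor per cell, 1 = uniform over successors)."""
        hs = []
        for dist in self.next_cell.values():
            total = sum(dist.values())
            ps = [w / total for w in dist.values() if w > 0]
            hs.append(0.0 if len(ps) < 2 else
                      -sum(p * math.log(p) for p in ps) / math.log(len(ps)))
        return sum(hs) / len(hs) if hs else 0.0

    def threshold(self):
        return self.base_threshold + self.entropy_weight * self.entropy()

    def is_anomalous(self, trajectory):
        return self.score(trajectory) > self.threshold()
```

With a weekday route learned, a first weekend trip raises an alarm; after a few weekend trips are fed to update(), both routes fall under the raised threshold while an unrelated route still scores 1.0.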
6. CASE STUDY: AN EXEMPLARY IDS FOR CELLULAR MOBILE NETWORKS
6.1. Introduction
It is very difficult to design a once-for-all Intrusion Detection System for cellular mobile networks. Instead, an incrementally refined methodology is suitable. In this section, we introduce an exemplary IDS for cellular mobile networks [36], [37] that focuses on the exploitation of users’ mobility patterns. Other important features like calling activities need to be integrated into the system to provide more comprehensive protections. In the sequel, we introduce system assumptions, models (threat model, network model, and mobility model), and detailed detection techniques.
192 BO SUN et al.
6.2. Assumptions
First, we assume that most mobile users have favorite or regular itineraries. This makes it viable for us to establish each user’s normal profile. This assumption is reasonable given that most users have regular daily lives. Studies in [38] conducted experiments over a period of six weeks to study the trajectories that users follow, and found out that users tend to follow regular trajectories more than 70% of the time.
Actually, research on intrusion detection has two basic assumptions: 1) subject activities are observable via some system auditing mechanisms, and 2) normal and malicious activities should demonstrate distinct behaviors. Therefore, it is possible to reason about the evidence in the data to determine whether the system is currently under attack. If a user has totally random behavior, for example, the movement of a taxi driver, it will be very difficult, if not impossible, to create his normal movement profile. Our mobility-based detection algorithm alone is not suitable for such users. Based on these considerations, our research is not motivated to build a system that accurately detects all intrusions. Instead, we aim at providing an optional service to end users as well as a useful administration tool to service providers. If the system observes some abnormal behaviors, other channels (e.g., email, phone calls to home) can be used to issue warnings to the real users. Given the increasing number of security-related incidents in wireless networks, these kinds of optional services can protect both the service providers and the end users from financial losses.
Second, we assume that there is a mobility database for each mobile user that describes his normal activities. This is a reasonable assumption in cellular mobile networks because this mobility database could be constructed by location tracking and prediction services. This mobility database could be stored together with the mobile user’s personal information, such as billing information, in the Home Location Register (HLR). Note that in realistic networks, the locations of mobile users are actually tracked for the purpose of service provision and smooth handoff, even though the end users may be unaware of such monitoring. We assume that the HLR is secure and the movement information is accurate. Usually, because of its importance, the HLR is protected with highly secure measures, and thus it is extremely hard to compromise. Also, the update and registration of the location are usually based on the device’s current serving cell and the hardware registration, such as the serial number of the SIM card. Therefore, it will be hard for the attacker to hide or fabricate his location even if he has compromised all the secrets of the mobile device. Even if an attacker finds some magical way to fabricate his location, he still has no idea about the normal movement profile of the real device owner.
Third, we assume that mobile devices can be compromised and all secrets associated with the compromised devices are open to attackers. Under this assumption, we do not need to assume or apply tamper-resistant hardware and software, which are still costly and impractical for handheld devices. This assumption justifies our re-