Mobility-based anomaly detection in cellular mobile networks
- 1 October 2004
- conference paper
- Published by Association for Computing Machinery (ACM)
Abstract
This paper presents an efficient on-line anomaly detection algorithm that can effectively identify a group of especially harmful internal attackers - masqueraders in cellular mobile networks. Our scheme is derived from a well-developed data compression technique. We use cell IDs traversed by a user as the feature value. Based on this, the mobility pattern of a user is characterized by a high order Markov model. Ziv-Lempel data compression algorithms are utilized to parse the data and store relevant statistical information in a mobility trie. Moreover, the technique of Exponentially Weighted Moving Average (EWMA) is used to efficiently update the mobility trie in order to modify the user's normal profile constantly. In this way, an up-to-date normal profile is maintained. The proposed normal profile can characterize the normal behavior of each user accurately and is sensitive to abnormal changes. A threshold scheme is then used to determine whether the mobile device is potentially compromised or not. Simulation results demonstrate that our proposed detection algorithm can achieve good performance in terms of false alarm rate and detection rate for users having regular itineraries.
This publication has 12 references indexed in Scilit:
- A cooperative intrusion detection system for ad hoc networks. Published by Association for Computing Machinery (ACM), 2003
- Alert aggregation in mobile ad hoc networks. Published by Association for Computing Machinery (ACM), 2003
- Mobility-based predictive call admission control and bandwidth reservation in wireless cellular networks. Computer Networks, 2002
- Mitigating routing misbehavior in mobile ad hoc networks. Published by Association for Computing Machinery (ACM), 2000
- LeZi-update. Published by Association for Computing Machinery (ACM), 1999
- IDAMN: an intrusion detection architecture for mobile networks. IEEE Journal on Selected Areas in Communications, 1997
- Optimal prefetching via data compression. Journal of the ACM, 1996
- On the Ziv-Lempel proof and related topics. Proceedings of the IEEE, 1994
- An Intrusion-Detection Model. IEEE Transactions on Software Engineering, 1987
- Data Compression Using Adaptive Coding and Partial String Matching. IEEE Transactions on Communications, 1984