Estimating Accuracy of Mobile-Masquerader Detection Using Worst-Case and Best-Case Scenario

  • Oleksiy Mazhelis
  • Seppo Puuronen
  • Mika Raento
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4307)


In order to resist an unauthorized use of the resources accessible through mobile terminals, masquerader detection means can be employed. In this paper, the problem of mobile-masquerader detection is approached as a classification problem, and the detection is performed by an ensemble of one-class classifiers. Each classifier compares a measure describing user behavior or environment with the profile accumulating the information about past behavior and environment. The accuracy of classification is empirically estimated by experimenting with a dataset describing the behavior and environment of two groups of mobile users, where the users within groups are affiliated with each other. It is assumed that users within a group have similarities in their behavior and environment and hence are more difficult to differentiate, as compared with distinguishing between the users of different groups. From the practical detection perspective, the former case corresponds to the “worst-case” scenario where the masquerader has a rich knowledge of the user behavior and environment and is able to mimic them, while the latter case corresponds to the “best-case” scenario, where the masquerader makes little or no attempt to mimic the behavior and environment of the user. The classification accuracies are also evaluated for different levels of false rejection errors. The obtained results indicate that, when smaller values of false rejection errors are required, ensembles of few best-performing classifiers are preferable, while a five-classifier ensemble achieves better accuracy when higher levels of false rejection errors are tolerated.


Intrusion Detection Anomaly Detection Mobile Terminal Legitimate User Battery Consumption 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Pointsec Mobile Technologies: IT professionals turn blind eye to mobile security as survey reveals sloppy handheld habits. Pointsec news releases (2005), available from: (read 09.02.2006)
  2. 2.
    Pointsec Mobile Technologies: Half of all corporate PDAs unprotected despite employer risk. Pointsec News Letter 2 (2004), available from: (read 09.02.2006)
  3. 3.
    Schonlau, M., DuMouchel, W., Ju, W., Karr, A., Theus, M., Vardi, Y.: Computer intrusion: Detecting masquerades. Statistical Science 16(1), 58–74 (2001)MATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Sequeira, K., Zaki, M.: ADMIT: anomaly-based data mining for intrusions. In: Hand, D., Keim, D., Ng, R. (eds.) Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining, Edmonton, Alberta, Canada, pp. 386–395. ACM Press, New York (2002)CrossRefGoogle Scholar
  5. 5.
    Maxion, R.A., Townsend, T.N.: Masquerade detection using truncated command lines. In: Proceedings of the International Conference on Dependable Systems and Networks, pp. 219–228. IEEE Computer Society Press, Los Alamitos (2002)CrossRefGoogle Scholar
  6. 6.
    Lane, T., Brodley, C.E.: An empirical study of two approaches to sequence learning for anomaly detection. Machine Learning 51(1), 73–107 (2003)MATHCrossRefGoogle Scholar
  7. 7.
    Shavlik, J., Shavlik, M.: Selection, combination, and evaluation of effective software sensors for detecting abnormal computer usage. In: Proceedings of the 2004 ACM SIGKDD international conference on Knowledge discovery and data mining, pp. 276–285. ACM Press, New York (2004)CrossRefGoogle Scholar
  8. 8.
    Ray, I., Poolsapassit, N.: Using attack trees to identify malicious attacks from authorized insiders. In: de Capitani di Vimercati, S., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 231–246. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  9. 9.
    Clarke, N.L., Furnell, S.M.: Authenticating mobile phone users using keystroke analysis. International Journal of Information Security, 1–14 (2006)Google Scholar
  10. 10.
    Mäntyjärvi, J., Lindholm, M., Vildjiounaite, E., Mäkelä, S.M., Ailisto, H.: Identifying users of portable devices from gait pattern with accelerometers. In: Proc. of IEEE International Conference on Acoustics, Speech, and Signal Processing, vol. II, pp. 973–976 (2005)Google Scholar
  11. 11.
    Sun, B., Yu, F., Wu, K., Leung, V.C.M.: Mobility-based anomaly detection in cellular mobile networks. In: Jakobsson, M., Perrig, A. (eds.) Proceedings of the 2004 ACM workshop on Wireless security, pp. 61–69. ACM Press, New York (2004)CrossRefGoogle Scholar
  12. 12.
    Fawcett, T., Provost, F.J.: Adaptive fraud detection. Data Mining and Knowledge Discovery 1(3), 291–316 (1997)CrossRefGoogle Scholar
  13. 13.
    Samfat, D., Molva, R.: IDAMN: An intrusion detection architecture for mobile networks. IEEE Journal on Selected Areas in Communications 15(7), 1373–1380 (1997)CrossRefGoogle Scholar
  14. 14.
    Howard, P., Gosset, P.: D20 - Project final report and results of trials. ASPeCT: Advanced security for personal communications technologies. Final report AC095/VOD/W31/DS/P/20/E (1998)Google Scholar
  15. 15.
    Hollmen, J.: User Profiling and Classification for Fraud Detection in Mobile Communications Networks. PhD thesis, Helsinki University of Technology (2000)Google Scholar
  16. 16.
    Kumar, S.: Classification and Detection of Computer Intrusions. Ph.D. thesis, Purdue University, West Lafayette, USA (1995)Google Scholar
  17. 17.
    Tax, D.: One-class classification. Ph.D. thesis, Delft University of Technology (2001)Google Scholar
  18. 18.
    Obaidat, M.S., Sadoun, B.: Verification of computer users using keystroke dynamics. IEEE Trans. Syst. Man, and Cybernet. Part B: Cybernet. 27(2), 261–269 (1997)CrossRefGoogle Scholar
  19. 19.
    Gunetti, D., Picardi, C.: Keystroke analysis of free text. ACM Trans. Inf. Syst. Secur. 8(3), 312–347 (2005)CrossRefGoogle Scholar
  20. 20.
    Mazhelis, O., Puuronen, S.: Characteristics and measures for mobile-masquerader detection. In: Dowland, P., Furnell, S., Thuraisingham, B., Wang, X.S. (eds.) Proc. IFIP TC-11 WG 11.1 & WG 11.5 Joint Working Conference on Security Management, Integrity, and Internal Control in Information Systems, pp. 303–318. Springer Science+Business Media (2005)Google Scholar
  21. 21.
    Mazhelis, O., Puuronen, S., Raento, M.: Evaluating classifiers for mobile-masquerader detection. In: Fischer-Hübner, S., Rannenberg, K., Yngström, L., Lindskog, S. (eds.) Security and Privacy in Dynamic Environments. IFIP International Federation for Information Processing, Boston, vol. 201, pp. 271–283. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  22. 22.
    Anderson, D., Lunt, T., Javitz, H., Tamaru, A., Valdes, A.: Detecting unusual program behavior using the statistical components of NIDES. SRI Technical Report SRI-CRL-95-06, Computer Science Laboratory, SRI International, Menlo Park, California (1995)Google Scholar
  23. 23.
    Burge, P., Shawe-Taylor, J.: Detecting cellular fraud using adaptive prototypes. In: Fawcett, T. (ed.) Technical Report of AAAI-1997 Workshop on AI Approaches to Fraud Detection and Risk Management, WS-97-07, pp. 1–8. AAAI Press, Menlo Park (1997)Google Scholar
  24. 24.
    Ye, N., Chen, Q.: An anomaly detection technique based on a chi-square statistic for detecting intrusions into information systems. Quality and Reliability Engineering International 17(2), 105–112 (2001)CrossRefMathSciNetGoogle Scholar
  25. 25.
    Aggarwal, C.C., Yu, P.S.: Outlier detection for high dimensional data. In: Proceedings of the 2001 ACM SIGMOD international conference on Management of data, pp. 37–46. ACM Press, New York (2001)CrossRefGoogle Scholar
  26. 26.
    Eskin, E., Arnold, A., Prerau, M., Portnoy, L., Stolfo, S.: A Geometric Framework for Unsupervised Anomaly Detection: Detecting Intrusions in Unlabeled Data. In: Data Mining for Security Applications. Kluwer, Dordrecht (2002)Google Scholar
  27. 27.
    Xu, L., Krzyzak, A., Suen, C.Y.: Methods for combining multiple classifiers and their applications to handwriting recognition. IEEE Transactions on Systems, Man, and Cybernetics 22(3), 418–435 (1992)CrossRefGoogle Scholar
  28. 28.
    Dasarathy, B.V.: Decision Fusion. IEEE Computer Society Press, Los Alamitos (1994)Google Scholar
  29. 29.
    Raento, M., Oulasvirta, A., Petit, R., Toivonen, H.: Contextphone, a prototyping platform for context-aware mobile applications. IEEE Pervasive Computing 4(2) (2005)Google Scholar
  30. 30.
    Oulasvirta, A., Raento, M., Tiitta, S.: Contextcontacts: Re-designing smartphone’s contact book to support mobile awareness and collaboration. In: Proceedings of the 7th International Conference on Human Computer Interaction with Mobile Devices and Services, MOBILEHCI 2005, pp. 167–174. ACM, New York (2005)CrossRefGoogle Scholar
  31. 31.
    Duda, R.O., Hart, P.E., Stork, D.G.: Pattern Classification, 2nd edn. John Wily & Sons, Inc., New York (2000)Google Scholar
  32. 32.
    Kittler, J., Hatef, M., Duin, R.P., Matas, J.: On combining classifiers. IEEE Transactions on Pattern Analysis and Machine Intelligence 20(3), 226–239 (1998)CrossRefGoogle Scholar
  33. 33.
    Puuronen, S., Tsymbal, A.: Local feature selection with dynamic integration of classifiers. Fundamenta Informaticae, Special Issue ”Intelligent Information Systems” 47(1-2), 91–117 (2001)MATHMathSciNetGoogle Scholar
  34. 34.
    Kuncheva, L.: A theoretical study on six classifier fusion strategies. IEEE Transactions on Pattern Analysis and Machine Intelligence 24(2), 281–286 (2002)CrossRefGoogle Scholar
  35. 35.
    Mazhelis, O., Puuronen, S.: Combining one-class classifiers for mobile-user substitution detection. In: Seruca, I., Filipe, J., Hammoudi, S., Cordeiro, J. (eds.) Proceedings of the 6th International Conference on Enterprise Information Systems (ICEIS 2004), Portugal, vol. 4, pp. 130–137. INSTICC Press (2004)Google Scholar
  36. 36.
    Witten, I.H., Frank, E.: Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann Publishers, San Francisco (2000)Google Scholar
  37. 37.
    Hanley, J.A., McNeil, B.J.: The meaning and use of the area under a receiver operating characteristic (ROC) curve. Radiology 143, 29–36 (1982)Google Scholar
  38. 38.
    Maxion, R.A., Roberts, R.R.: Proper use of roc curves in intrusion/anomaly detection. Technical Report Series CS-TR-871, School of Computing Science, University of Newcastle (2004)Google Scholar
  39. 39.
    Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Atluri, V. (ed.) CCS 2002: Proceedings of the 9th ACM conference on Computer and communications security, pp. 255–264. ACM Press, New York (2002) (General Chair-Sushil Jajodia and Program Chair-Ravi Sandhu)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Oleksiy Mazhelis
    • 1
  • Seppo Puuronen
    • 1
  • Mika Raento
    • 2
  1. 1.University of JyväskyläFinland
  2. 2.University of Helsinki and Helsinki Institute for Information TechnologyFinland

Personalised recommendations