An autonomous host-based intrusion detection and prevention system for Android mobile devices. Design and implementation of an autonomous host-based Intrusion Detection and Prevention System (IDPS), incorporating Machine Learning and statistical algorithms, for Android mobile devices

View/ Open
PhD Thesis (11.39Mb)
Publication date
2019
Author
Ribeiro, José C.V.G.
Supervisor
Abd-Alhameed, Raed A.
Shepherd, Simon J.
Mantas, G.
Keyword
Security
Intrusion detection
Android
5G
Prevention
Host-based
Malware detection
Host-based IDS
Statistical anomaly detection
Machine learning
HIDROID (Host-based Intrusion Detection and protection system for andROID)
Rights

The University of Bradford theses are licenced under a Creative Commons Licence.
Institution
University of Bradford
Department
School of Engineering, Design and Technology
Awarded
2019
Abstract
This research work presents the design and implementation of a host-based Intrusion Detection and Prevention System (IDPS) called HIDROID (Host-based Intrusion Detection and protection system for andROID) for Android smartphones. It runs entirely on the mobile device with a minimal computational burden. It collects data in real time, periodically sampling features that reflect the overall utilisation of the device's scarce resources (e.g. CPU, memory, battery, bandwidth). The Detection Engine of HIDROID adopts an anomaly-based approach built on statistical and machine learning algorithms: it learns a data-driven model of benign behaviour and treats outliers as suspicious activity. Any observation that fails to match this model triggers an alert, and the preventive agent applies appropriate countermeasure(s) to minimise the risk. The key novel characteristic of the Detection Engine is that it requires no malicious data for training or tuning. The Detection Engine implements two anomaly detection algorithms: a variation of the K-Means algorithm with a single cluster, and the univariate Gaussian algorithm. Experimental results on a real device show that HIDROID learns and discriminates normal from anomalous behaviour well, with a promising detection accuracy of up to 0.91 while keeping the false positive rate below 0.03. Finally, to the best of our knowledge, no publicly available datasets represent the benign and abnormal behaviour of Android smartphones; in the context of this research work, two new datasets were therefore generated to evaluate HIDROID.
Type
Thesis
Qualification name
PhD
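The two benign-only detectors the abstract names, a one-cluster K-Means (the lone centroid is the benign mean, so detection reduces to a distance threshold) and a univariate Gaussian model, worked as an added example. This is not HIDROID's code; the resource-usage rows, the three-sigma rule on training distances, the factor-of-ten margin on epsilon, and the feature names are this example's own assumptions.

```python
"""Benign-only anomaly detection over Android resource-usage samples.

One-cluster K-Means and univariate Gaussian detectors trained only on
benign data, then scored against a labelled test set. Standard library only.
"""
import math
import statistics
from typing import Dict, List, Sequence, Tuple

FEATURES = ("cpu_pct", "mem_pct", "battery_ma", "net_kbps")
Sample = Tuple[float, float, float, float]

# Constructed benign training set (not thesis data): one row per sampling
# period as (CPU %, memory %, battery drain mA, network kbit/s).
BENIGN_TRAIN: List[Sample] = [
    (10, 40, 150, 30), (12, 42, 160, 35), (9, 38, 140, 25), (11, 41, 155, 32),
    (14, 44, 170, 40), (8, 37, 135, 20), (13, 43, 165, 38), (10, 39, 145, 28),
    (12, 40, 150, 30), (11, 42, 158, 33),
]

# Constructed labelled test set: (sample, is_anomalous, what it imitates).
TEST_SET: List[Tuple[Sample, bool, str]] = [
    ((11, 41, 152, 31), False, "idle"),
    ((12, 40, 150, 30), False, "idle"),
    ((10, 39, 148, 29), False, "idle"),
    ((13, 43, 162, 36), False, "light use"),
    ((90, 55, 400, 60), True, "miner"),    # CPU-bound
    ((14, 44, 200, 900), True, "exfil"),   # network-bound
    ((12, 95, 160, 32), True, "leak"),     # memory-bound
]

K_SIGMA = 3.0                 # assumption: threshold = mean + 3 std of benign distances
LOG_MARGIN = math.log(10.0)   # assumption: epsilon sits 10x below the least likely benign row


class FeatureStats:
    """Per-feature mean and population std of the benign training data."""

    def __init__(self, rows: Sequence[Sample]) -> None:
        cols = list(zip(*rows))
        self.mean = [statistics.fmean(c) for c in cols]
        # A constant feature would give std 0; use 1.0 so z-scores stay finite.
        self.std = [statistics.pstdev(c) or 1.0 for c in cols]

    def z(self, sample: Sample) -> List[float]:
        return [(x - m) / s for x, m, s in zip(sample, self.mean, self.std)]


class OneClusterKMeans:
    """K-Means with k=1: the single centroid is the benign mean in z-score space,
    so the score is the Euclidean distance to it; the threshold is learned from
    the spread of benign distances (this example's rule, see K_SIGMA)."""

    def __init__(self, rows: Sequence[Sample]) -> None:
        self.stats = FeatureStats(rows)
        dists = [self.score(r) for r in rows]
        self.threshold = statistics.fmean(dists) + K_SIGMA * statistics.pstdev(dists)

    def score(self, sample: Sample) -> float:
        return math.sqrt(sum(v * v for v in self.stats.z(sample)))

    def is_anomalous(self, sample: Sample) -> bool:
        return self.score(sample) > self.threshold

    def dominant_feature(self, sample: Sample) -> str:
        """Resource that deviates most: what an alert should tell the preventive agent."""
        zs = self.stats.z(sample)
        return FEATURES[max(range(len(zs)), key=lambda i: abs(zs[i]))]


class UnivariateGaussian:
    """Independent Gaussian per feature: p(x) = prod_j N(x_j; mu_j, sigma_j^2).
    Computed in log space so an extreme sample does not underflow to 0."""

    def __init__(self, rows: Sequence[Sample]) -> None:
        self.stats = FeatureStats(rows)
        self.log_eps = min(self.log_density(r) for r in rows) - LOG_MARGIN

    def log_density(self, sample: Sample) -> float:
        return sum(-0.5 * zj * zj - math.log(s) - 0.5 * math.log(2 * math.pi)
                   for zj, s in zip(self.stats.z(sample), self.stats.std))

    def is_anomalous(self, sample: Sample) -> bool:
        return self.log_density(sample) < self.log_eps


def evaluate(detector, test_set=TEST_SET) -> Dict[str, float]:
    """Accuracy and false-positive rate, the two figures the abstract reports."""
    tp = fp = tn = fn = 0
    for sample, is_anom, _ in test_set:
        flagged = detector.is_anomalous(sample)
        tp += flagged and is_anom
        fp += flagged and not is_anom
        tn += not flagged and not is_anom
        fn += not flagged and is_anom
    return {"accuracy": (tp + tn) / len(test_set),
            "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0}


if __name__ == "__main__":
    km = OneClusterKMeans(BENIGN_TRAIN)
    for det in (km, UnivariateGaussian(BENIGN_TRAIN)):
        print(type(det).__name__, evaluate(det))
    for sample, _, label in TEST_SET:
        if km.is_anomalous(sample):
            print(f"ALERT {label}: {km.dominant_feature(sample)} z-dist={km.score(sample):.1f}")
```

Both detectors share the same per-feature mean and variance, which is why they agree on this test set; they diverge on samples whose features are individually unremarkable but jointly unusual, where the Euclidean distance ignores correlations just as the product of independent Gaussians does. On a real device the benign baseline drifts with usage, so the thresholds above must be re-learned periodically, and any "benign" sample collected while the device is already compromised will be absorbed into the model.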
Related items
-
Current Based Fault Detection and Diagnosis of Induction Motors. Adaptive Mixed-Residual Approach for Fault Detection and Diagnosis of Rotor, Stator, Bearing and Air-Gap Faults in Induction Motors Using a Fuzzy Logic Classifier with Voltage and Current Measurement only.
Ebrahimi, Kambiz M.; Wood, Alastair S.; Pestell, Charles; Bradley, William J. (University of Bradford, School of Engineering, Design and Technology, 2015-06-16)
Induction motors (IM) find widespread use in modern industry and for this reason they have been the subject of significant research interest in recent times. One particular aspect of this research is the fault detection and diagnosis (FDD) of induction motors for use in a condition based maintenance (CBM) strategy: by effectively tracking the condition of the motor, maintenance action need only be carried out when necessary. This type of maintenance strategy minimises maintenance costs and unplanned downtime. The benefits of effective FDD for IMs are clear and there have been numerous studies in this area, but few consider the problem in a practical sense with the aim of developing a single system that can monitor motor condition under a range of different conditions, with different motor specifications and loads. This thesis aims to address some of these problems by developing a general FDD system for induction motors. The solution involved the development and testing of a new approach, the adaptive mixed-residual approach (AMRA). The main aim of the AMRA system is to avoid the vast majority of unplanned failures of the machine; therefore, rather than tackling a single induction motor fault, the system is developed to detect all four of the most statistically prevalent induction motor fault types: rotor fault, stator fault, air-gap fault and bearing fault.
The mixed-residual fault detection algorithm used to detect these fault types combines spectral and model-based techniques with particle swarm optimisation (PSO) for automatic identification of motor parameters. The AMRA residuals are analysed by a fuzzy-logic classifier, and the system requires only current and voltage inputs to operate. Validation results indicate that the system performs well under a range of load torques and different coupling methods, showing significant potential for use in industrial applications.
-
A new model for worm detection and response. Development and evaluation of a new model based on knowledge discovery and data mining techniques to detect and respond to worm infection by integrating incident response, security metrics and apoptosis.
Cullen, Andrea J.; Woodward, Mike E.; Mohd Saudi, Madihah (University of Bradford, Department of Computing, School of Computing, Informatics and Media, 2012-04-17)
Worms have been improved and a range of sophisticated techniques have been integrated into them, which makes the detection and response processes much harder and longer than in the past. Therefore, in this thesis, a STAKCERT (Starter Kit for Computer Emergency Response Team) model is built to detect worm attacks in order to respond to worms more efficiently. The novelty and strengths of the STAKCERT model lie in the method implemented, which consists of the STAKCERT KDD processes and the development of the STAKCERT worm classification, the STAKCERT relational model and the STAKCERT worm apoptosis algorithm. The new concept introduced in this model, apoptosis, is borrowed from the human immune system and mapped onto a security perspective. Furthermore, the encouraging results achieved by this research are validated by applying security metrics to assign the weight and severity values that trigger the apoptosis. In order to optimise performance, standard operating procedures (SOP) for worm incident response involving static and dynamic analyses, knowledge discovery (KDD) techniques for modelling the STAKCERT model, and data mining algorithms were used. The STAKCERT model has produced encouraging results and outperformed comparable existing work for worm detection. It produces an overall accuracy rate of 98.75% with a 0.2% false positive rate and a 1.45% false negative rate. Worm response achieved an accuracy rate of 98.08%, which other researchers can later use as a comparison with their own work.
-
Automated dust storm detection using satellite images. Development of a computer system for the detection of dust storms from MODIS satellite images and the creation of a new dust storm database.
Ipson, Stanley S.; Qahwaji, Rami S.R.; El-Ossta, Esam E.A. (University of Bradford, Digital Imaging, School of Computing, Informatics and Media, 2013-12-09)
Dust storms are a natural hazard that has increased in frequency in recent years over the Sahara desert, Australia, the Arabian Desert, Turkmenistan and northern China, and has worsened during the last decade. Dust storms increase air pollution and affect urban areas, farms, and ground and air traffic. They damage human health, reduce the temperature, damage communication facilities, reduce visibility (which delays both road and air traffic) and affect both urban and rural areas. Thus, it is important to know the causation, movement and radiation effects of dust storms. Monitoring and forecasting of dust storms is increasing in order to help governments reduce their negative impact. Satellite remote sensing is the most common method, but its use over sandy ground is still limited, as the two share similar characteristics. Moreover, satellite remote sensing using true-colour images, estimates of aerosol optical thickness (AOT), or algorithms such as the deep blue algorithm has limitations for identifying dust storms. Many researchers have studied the detection of dust storms during daytime in a number of regions of the world, including China, Australia, America and North Africa, using a variety of satellite data, but fewer studies have focused on detecting dust storms at night.
The key elements of the present study are to use data from the Moderate Resolution Imaging Spectroradiometers (MODIS) on the Terra and Aqua satellites to develop a more effective automated method for detecting dust storms during both day and night, and to generate a MODIS dust storm database.