An autonomous host-based intrusion detection and prevention system for Android mobile devices. Design and implementation of an autonomous host-based Intrusion Detection and Prevention System (IDPS), incorporating Machine Learning and statistical algorithms, for Android mobile devices

View/ Open
PhD Thesis (11.39Mb)
Download
Publication date
2019Author
Ribeiro, José C.V.G.Supervisor
Abd-Alhameed, Raed A.Shepherd, Simon J.
Mantas, G.
Keyword
SecurityIntrusion detection
Android
5G
Prevention
Host-based
Malware detection
Host-based IDS
Statistical anomaly detection
Machine learning
HIDROID (Host-based Intrusion Detection and protection system for andROID)
Rights

The University of Bradford theses are licenced under a Creative Commons Licence.
Institution
University of BradfordDepartment
School of Engineering, Design and TechnologyAwarded
2019
Metadata
Show full item recordAbstract
This research work presents the design and implementation of a host-based Intrusion Detection and Prevention System (IDPS) called HIDROID (Host-based Intrusion Detection and protection system for andROID) for Android smartphones. It runs completely on the mobile device, with a minimal computation burden. It collects data in real-time, periodically sampling features that reflect the overall utilisation of scarce resources of a mobile device (e.g. CPU, memory, battery, bandwidth, etc.). The Detection Engine of HIDROID adopts an anomaly-based approach by exploiting statistical and machine learning algorithms. That is, it builds a data-driven model for benign behaviour and looks for the outliers considered as suspicious activities. Any observation failing to match this model triggers an alert and the preventive agent takes proper countermeasure(s) to minimise the risk. The key novel characteristic of the Detection Engine of HIDROID is the fact that it requires no malicious data for training or tuning. In fact, the Detection Engine implements the following two anomaly detection algorithms: a variation of K-Means algorithm with only one cluster and the univariate Gaussian algorithm. Experimental test results on a real device show that HIDROID is well able to learn and discriminate normal from anomalous behaviour, demonstrating a very promising detection accuracy of up to 0.91, while maintaining false positive rate below 0.03. Finally, it is noteworthy to mention that to the best of our knowledge, publicly available datasets representing benign and abnormal behaviour of Android smartphones do not exist. Thus, in the context of this research work, two new datasets were generated in order to evaluate HIDROID.Type
ThesisQualification name
PhDCollections
Related items
Showing items related by title, author, creator and subject.
-
A new model for worm detection and response. Development and evaluation of a new model based on knowledge discovery and data mining techniques to detect and respond to worm infection by integrating incident response, security metrics and apoptosis.Cullen, Andrea J.; Woodward, Mike E.; Mohd Saudi, Madihah (University of BradfordDepartment of Computing, School of Computing, Informatics and Media, 2012-04-17)Worms have been improved and a range of sophisticated techniques have been integrated, which make the detection and response processes much harder and longer than in the past. Therefore, in this thesis, a STAKCERT (Starter Kit for Computer Emergency Response Team) model is built to detect worms attack in order to respond to worms more efficiently. The novelty and the strengths of the STAKCERT model lies in the method implemented which consists of STAKCERT KDD processes and the development of STAKCERT worm classification, STAKCERT relational model and STAKCERT worm apoptosis algorithm. The new concept introduced in this model which is named apoptosis, is borrowed from the human immunology system has been mapped in terms of a security perspective. Furthermore, the encouraging results achieved by this research are validated by applying the security metrics for assigning the weight and severity values to trigger the apoptosis. In order to optimise the performance result, the standard operating procedures (SOP) for worm incident response which involve static and dynamic analyses, the knowledge discovery techniques (KDD) in modeling the STAKCERT model and the data mining algorithms were used. This STAKCERT model has produced encouraging results and outperformed comparative existing work for worm detection. It produces an overall accuracy rate of 98.75% with 0.2% for false positive rate and 1.45% is false negative rate. Worm response has resulted in an accuracy rate of 98.08% which later can be used by other researchers as a comparison with their works in future.
-
Fast and Accurate Image Feature Detection for On-The-Go Field Monitoring Through Precision Agriculture. Computer Predictive Modelling for Farm Image Detection and Classification with Convolution Neural Network (CNN)Abd-Alhameed, Raed A.; Sheriff, Ray E.; Mahieddine, Fatima; Abdullahi, Halimatu S. (University of BradfordFaculty of Engineering and Informatics, School of Electrical Engineering and Computer Science, 2020)This study aimed to develop a novel end-to-end plant diagnosis model for the analysis of plant health conditions in near real-time to optimize the rate of production on farmlands for an intensive, yet environmentally safe farming production to preserve the natural environment. First, field research was conducted to determine the extent of the problems faced by farmers in agricultural production. This allowed us to refine the research statement and the level of technology involved in the production processes. The advantages of unmanned aerial systems were exploited in the continuous monitoring of farm plantations to develop automated and accurate measures of farm conditions. To this end, this thesis applies the Precision Agricultural technology as a data based management system that takes into account spatial variations by using the Global Positioning System, Geographical Information System, remote sensing, yield monitors, mapping, and guidance system for variable rate applications. An unmanned aerial vehicle embedded with an optic and radiometric sensor was used to obtain high spectral resolution images of plantation status during normal production/growth cycle. Then, an ensemble of classifiers with Convolution Neural Networks (CNN) was used as off the shelf feature extractor to train images to develop an end-to-end feature detection and multiclass classification system for plant overall health’s conditions. Whereby previous works have concentrated on using CNN as off the shelf feature extractor and model training to detect only plant diseases from plants. To date, no research has yet been carried out to develop an end-to-end model for the overall plant diagnosis system. Previous studies focused on the detection of diseases at any given time, making it difficult to implement comprehensive real-time PA systems. Applying the pretrained model to the new images showed that the model can accurately predict any plant condition with an average of 97% accuracy.
-
A novel intrusion detection system (IDS) architecture. Attack detection based on snort for multistage attack scenarios in a multi-cores environment.Mellor, John E.; Cullen, Andrea J.; Pagna Disso, Jules F. (University of BradfordComputing, 2011-12-02)Recent research has indicated that although security systems are developing, illegal intrusion to computers is on the rise. The research conducted here illustrates that improving intrusion detection and prevention methods is fundamental for improving the overall security of systems. This research includes the design of a novel Intrusion Detection System (IDS) which identifies four levels of visibility of attacks. Two major areas of security concern were identified: speed and volume of attacks; and complexity of multistage attacks. Hence, the Multistage Intrusion Detection and Prevention System (MIDaPS) that is designed here is made of two fundamental elements: a multistage attack engine that heavily depends on attack trees and a Denial of Service Engine. MIDaPS were tested and found to improve current intrusion detection and processing performances. After an intensive literature review, over 25 GB of data was collected on honeynets. This was then used to analyse the complexity of attacks in a series of experiments. Statistical and analytic methods were used to design the novel MIDaPS. Key findings indicate that an attack needs to be protected at 4 different levels. Hence, MIDaPS is built with 4 levels of protection. As, recent attack vectors use legitimate actions, MIDaPS uses a novel approach of attack trees to trace the attacker¿s actions. MIDaPS was tested and results suggest an improvement to current system performance by 84% whilst detecting DDOS attacks within 10 minutes.