Publication


Featured research published by Yuxin Meng.


International Conference on Information Security and Cryptology | 2012

Touch Gestures Based Biometric Authentication Scheme for Touchscreen Mobile Phones

Yuxin Meng; Duncan S. Wong; Roman Schlegel; Lam For Kwok

Nowadays, touchscreen mobile phones make up a larger and larger share in the mobile market. Users also often use their mobile phones (e.g., Android phones) to store personal and sensitive data. It is therefore important to safeguard mobile phones by authenticating legitimate users and detecting impostors. In this paper, we propose a novel user authentication scheme based on touch dynamics that uses a set of behavioral features related to touch dynamics for accurate user authentication. In particular, we construct and select 21 features that can be used for user authentication. To evaluate the performance of our scheme, we collect and analyze touch gesture data of 20 Android phone users by comparing several known machine learning classifiers. The experimental results show that a neural network classifier is well-suited to authenticate different users with an average error rate of about 7.8% for our selected features. Finally, we optimize the neural network classifier by using Particle Swarm Optimization (PSO) to deal with variations in users’ usage patterns. Experimental results show that the average error rate of our optimized scheme is only about 3%, achieved solely by analyzing the touch behavior of users on an Android phone.


Archive | 2011

Adaptive False Alarm Filter Using Machine Learning in Intrusion Detection

Yuxin Meng; Lam For Kwok

Intrusion detection systems (IDSs) have been widely deployed in organizations nowadays as the last defense for the network security. However, one of the big problems of these systems is that a large amount of alarms especially false alarms will be produced during the detection process, which greatly aggravates the analysis workload and reduces the effectiveness of detection. To mitigate this problem, we advocate that the construction of a false alarm filter by utilizing machine learning schemes is an effective solution. In this paper, we propose an adaptive false alarm filter aiming to filter out false alarms with the best machine learning algorithm based on distinct network contexts. In particular, we first compare with six specific machine learning schemes to illustrate their unstable performance. Then, we demonstrate the architecture of our adaptive false alarm filter. The evaluation results show that our approach is effective and encouraging in real scenarios.


Journal of Network and Computer Applications | 2014

Adaptive blacklist-based packet filter with a statistic-based approach in network intrusion detection

Yuxin Meng; Lam For Kwok

Network intrusion detection systems (NIDS) are widely deployed in various network environments. Compared to an anomaly based NIDS, a signature-based NIDS is more popular in real-world applications, because of its relatively lower false alarm rate. However, the process of signature matching is a key limiting factor to impede the performance of a signature-based NIDS, in which the cost is at least linear to the size of an input string and the CPU occupancy rate can reach more than 80% in the worst case. In this paper, we develop an adaptive blacklist-based packet filter using a statistic-based approach aiming to improve the performance of a signature-based NIDS. The filter employs a blacklist technique to help filter out network packets based on IP confidence and the statistic-based approach allows the blacklist generation in an adaptive way, that is, the blacklist can be updated periodically. In the evaluation, we give a detailed analysis of how to select weight values in the statistic-based approach, and investigate the performance of the packet filter with a DARPA dataset, a real dataset and in a real network environment. Our evaluation results under various scenarios show that our proposed packet filter is encouraging and effective to reduce the burden of a signature-based NIDS without affecting network security.


ACM Symposium on Applied Computing | 2014

Design of touch dynamics based user authentication with an adaptive mechanism on mobile phones

Yuxin Meng; Duncan S. Wong; Lam For Kwok

Behavioral-biometric based authentication schemes on mobile phones usually begin by establishing a normal-behavioral model using machine learning classifiers and then identify behavioral anomalies through comparing current behavioral events with the established model. If an anomaly is detected, this kind of schemes will require the user for validation (i.e., input correct PIN). In this paper, we first propose a lightweight touch-dynamics-based user authentication scheme on a touchscreen mobile phone, which consists of only 8 touch-gesture related features. In addition, we further design an adaptive mechanism that can periodically select a better classifier to maintain the authentication accuracy during user authentication. As a study, we implement a cost-based metric that enables this mechanism to choose a less costly classifier. In the evaluation, the experimental results of involving 50 participants indicate that our proposed user authentication scheme can achieve an average error rate of 2.46% and that the adaptive mechanism can maintain the authentication accuracy at a relatively stable level.


Computer Networks | 2013

Towards adaptive character frequency-based exclusive signature matching scheme and its applications in distributed intrusion detection

Yuxin Meng; Wenjuan Li; Lam For Kwok

Network intrusion detection systems (NIDSs), especially signature-based NIDSs, are being widely deployed in a distributed network environment with the purpose of defending against a variety of network attacks. However, signature matching is a key limiting factor to limit and lower the performance of a signature-based NIDS in a large-scale network environment, in which the cost is at least linear to the size of an input string. The overhead network packets can greatly reduce the effectiveness of such detection systems and heavily consume computer resources. To mitigate this issue, a more efficient signature matching algorithm is desirable. In this paper, we therefore develop an adaptive character frequency-based exclusive signature matching scheme (named ACF-EX) that can improve the process of signature matching for a signature-based NIDS. In the experiment, we implemented the ACF-EX scheme in a distributed network environment, evaluated it by comparing with the performance of Snort. In addition, we further apply this scheme to constructing a packet filter that can filter out network packets by conducting exclusive signature matching for a signature-based NIDS, which can avoid implementation issues and improve the flexibility of the scheme. The experimental results demonstrate that, in the distributed network environment, the proposed ACF-EX scheme can positively reduce the time consumption of signature matching and that our scheme is promising in constructing a packet filter to reduce the burden of a signature-based NIDS.


Computational Intelligence and Security | 2013

Enhancing Trust Evaluation Using Intrusion Sensitivity in Collaborative Intrusion Detection Networks: Feasibility and Challenges

Wenjuan Li; Yuxin Meng; Lam For Kwok

Intrusion detection systems (IDSs) have been widely deployed in computers and networks to identify a variety of attacks. But network intrusions are now becoming more and more sophisticated to detect, thus, collaborative intrusion detection networks (CIDNs) have been proposed which enables an IDS to collect information and learn experience from other IDS nodes. By maintaining interactions among a set of IDS nodes, a CIDN is expected to be more powerful in detecting some complicated attacks such as denial-of-service (DoS) than a single IDS. In real deployment, we identify that each IDS may have different levels of sensitivity in detecting different types of intrusions (i.e., based on their own signatures and settings). In this paper, we therefore define a notion of intrusion sensitivity and investigate the feasibility of using it to evaluate the trustworthiness of an IDS node. In addition, we describe several challenges when using this notion in practice. In the evaluation, the experimental results indicate that the use of intrusion sensitivity is feasible and encouraging to enhance the accuracy of detecting malicious nodes.


International Journal of Computational Intelligence Systems | 2013

Enhancing False Alarm Reduction Using Voted Ensemble Selection in Intrusion Detection

Yuxin Meng; Lam For Kwok

Network intrusion detection systems (NIDSs) have become an indispensable component for the current network security infrastructure. However, a large number of alarms especially false alarms are a big problem for these systems which greatly lowers the effectiveness of NIDSs and causes heavier analysis workload. To address this problem, a lot of intelligent methods (e.g., machine learning algorithms) have been proposed to reduce the number of false alarms, but it is hard to determine which one is the best. We argue that the performance of different machine learning algorithms is very fluctuant with regard to distinct contexts (e.g., training data). In this paper, we propose an architecture of intelligent false alarm filter by employing a method of voted ensemble selection aiming to maintain the accuracy of false alarm reduction. In particular, there are four components in the architecture: data standardization, data storage, voted ensemble selection and alarm filtration. In the experiment, we condu...


CSS'12 Proceedings of the 4th international conference on Cyberspace Safety and Security | 2012

Intrusion detection using disagreement-based semi-supervised learning: detection enhancement and false alarm reduction

Yuxin Meng; Lam For Kwok

With the development of intrusion detection systems (IDSs), a number of machine learning approaches have been applied to intrusion detection. For a traditional supervised learning algorithm, training examples with ground-truth labels should be given in advance. However, in real applications, the number of labeled examples is limited whereas a lot of unlabeled data is widely available, because labeling data requires a large amount of human efforts and is thus very expensive. To mitigate this issue, several semi-supervised learning algorithms, which aim to label data automatically without human intervention, have been proposed to utilize unlabeled data in improving the performance of IDSs. In this paper, we attempt to apply disagreement-based semi-supervised learning algorithm to anomaly detection. Based on our previous work, we further apply this approach to constructing a false alarm filter and investigate its performance of alarm reduction in a network environment. The experimental results show that the disagreement-based scheme is very effective in detecting intrusions and reducing false alarms by automatically labeling unlabeled data, and that its performance can further be improved by co-working with active learning.


High Performance Computing and Communications | 2013

Design of Cloud-Based Parallel Exclusive Signature Matching Model in Intrusion Detection

Yuxin Meng; Wenjuan Li; Lam For Kwok

Signature-based intrusion detection systems have been widely deployed in current network environments to defend against various attacks, but the expensive process of signature matching is a major suffering problem for these detection systems. Thus, a high-performance signature matching scheme is of great importance for a signature-based IDS. In our previous work, we have developed an exclusive signature matching scheme that aims to identify a mismatch instead of locating an accurate match and achieved good results in the experiments. With the advent of Cloud Computing, IDS as a service (IDSaaS) has been proposed as an alternative by offloading the expensive operations such as the process of signature matching to the cloud. In this paper, we attempt to design a parallel model to conduct the exclusive signature matching in a cloud. In the evaluation, we implemented our model in a cloud environment and investigated its performance compared with Snort. The experimental results indicate that our proposed model can achieve promising performance in such a cloud environment.


Information Assurance and Security | 2011

Adaptive context-aware packet filter scheme using statistic-based blacklist generation in network intrusion detection

Yuxin Meng; Lam For Kwok

By using string matching, signature-based network intrusion detection systems (NIDSs) can achieve a higher accuracy and lower false alarm rate than the anomaly-based systems. But the matching process is very expensive regarding to the performance of a signature-based NIDS in which the cost is at least linear to the size of the input string and the CPU occupancy rate can reach more than 80 percent in the worst case. This problem greatly limits the high performance of a signature-based NIDS in a large operational network. In this paper, we present a context-aware packet filter scheme aiming to mitigate this problem. In particular, our scheme incorporates a list technique, namely the blacklist to help filter network packets based on the confidence of the IP domains. Moreover, our scheme will adapt and update the blacklist contents by using the method of statistic-based blacklist generation according to the actual network environment. In the experiment, we implemented our scheme and showed the first experimental evaluation of its effectiveness.

Collaboration


Top Co-Authors

Lam For Kwok

City University of Hong Kong

Wenjuan Li

City University of Hong Kong

Duncan S. Wong

City University of Hong Kong

Yang Xiang

Swinburne University of Technology

Roman Schlegel

City University of Hong Kong
