SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2011; 00:1–9
DOI: 10.1002/sec

RESEARCH ARTICLE

Evaluation of Anomaly-Based IDS for Mobile Devices Using Machine Learning Classifiers

Dimitrios Damopoulos 1*, Sofia A. Menesidou 1, Georgios Kambourakis 1, Maria Papadaki 2, Nathan Clarke 2 and Stefanos Gritzalis 1

1 Info-Sec-Lab, Laboratory of Information and Communications Systems Security, University of the Aegean, Samos, Greece
2 Centre for Security, Communications and Network Research, University of Plymouth, Plymouth, United Kingdom

ABSTRACT

Mobile devices have evolved and experienced an immense popularity over the last few years. This growth, however, has exposed mobile devices to an increasing number of security threats. Despite the variety of peripheral protection mechanisms described in the literature, authentication and access control cannot provide integral protection against intrusions. Thus, more intelligent and sophisticated security controls, such as Intrusion Detection Systems (IDSs), are necessary. Whilst much work has been devoted to mobile device IDSs, research on anomaly-based or behaviour-based IDS for such devices has been limited, leaving several problems unsolved. Motivated by this fact, in this paper we focus on anomaly-based IDS for modern mobile devices. A dataset consisting of iPhone users' data logs has been created, and various classification and validation methods have been evaluated to assess their effectiveness in detecting misuse. Specifically, the experimental procedure includes and cross-evaluates four machine learning algorithms (i.e. Bayesian Networks, Radial Basis Function, K-Nearest Neighbours and Random Forest) which classify the behaviour of the end-user in terms of telephone calls, SMS and Web browsing history. In order to detect illegitimate use of services by potential malware or a thief, the experimental procedure examines the aforementioned services independently as well as in combination, in a multimodal fashion. The results are very promising, showing the ability of at least one classifier to detect intrusions with a high True Positive Rate (TPR) of 99.8%. Copyright © 2011 John Wiley & Sons, Ltd.

KEYWORDS

Mobile devices; anomaly-based Intrusion Detection System; user behaviour; machine learning classifiers

* Correspondence

Dimitrios Damopoulos, Laboratory of Information and Communication Systems Security, Department of Information and Communication Systems Engineering, University of the Aegean, Karlovassi, Samos GR-83200, Greece.
E-mail: ddamop@aegean.gr

Received . . .

1. INTRODUCTION

Mobile devices have evolved and experienced great success over the last few years [1]. Such devices are capable of performing sophisticated tasks and communicating through various wireless interfaces [2]. However, along with their popularity, mobile devices face an ever-growing number of security threats [3, 4]. This is despite the variety of peripheral protection mechanisms proposed in the literature in recent years. Without doubt, authentication and access control methods can be used in many cases, but alone they are not sufficient to offer integral protection against intrusions. Overall, with the increasing risk of mobile malware, the theft or loss of mobile devices and their physical vulnerability, i.e. rewiring a circuit on the chip or using probing pins to monitor data flows in order to retrieve private keys or find flaws in the hardware components [5], designing a highly secure mobile device is still a very challenging task. While more than four billion people [6] enjoy their mobile devices using 2G/3G mobile networks, Kaspersky Lab has very recently identified 39 new mobile malware families (SMS trojans, iPhone malware, Android spyware) with 143 modifications [7]. According to a ScanSafe report, malware volumes grew 300% in 2008, and it is noted that many of the legitimate web pages on the Internet are not trustworthy or are infected by different kinds of viruses [8]. Moreover, according to the UK Home Office, 69%
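The abstract describes scoring a behaviour-based classifier per service (calls, SMS, web) and in multimodal combination by its True Positive Rate. The following is an added illustration, not the paper's code or dataset: a stdlib-only K-Nearest Neighbours classifier over constructed per-window usage counts, showing how a misuse that mimics the owner's calling pattern slips past the calls-only model but is caught once the SMS and web features are fused. The feature layout and all data are assumptions made here.

```python
"""Added example: k-NN over per-service usage features, scored by TPR."""
from collections import Counter
from math import dist

# Constructed observation windows (NOT the paper's iPhone dataset).
# Each service is summarised by two counts per window:
#   calls: (calls placed, distinct numbers dialled)
#   sms:   (messages sent, distinct recipients)
#   web:   (pages visited, distinct domains)
# "owner" models the legitimate user; "intruder" models a thief or malware
# driving the handset (bulk SMS, little browsing).
TRAIN = [
    ({"calls": (3, 2),   "sms": (5, 3),   "web": (20, 8)}, "owner"),
    ({"calls": (4, 3),   "sms": (6, 3),   "web": (18, 7)}, "owner"),
    ({"calls": (2, 2),   "sms": (4, 2),   "web": (22, 9)}, "owner"),
    ({"calls": (15, 12), "sms": (40, 25), "web": (3, 1)},  "intruder"),
    ({"calls": (16, 13), "sms": (42, 26), "web": (1, 1)},  "intruder"),
    ({"calls": (12, 10), "sms": (35, 20), "web": (4, 2)},  "intruder"),
]
TEST = [
    ({"calls": (3, 2),   "sms": (5, 2),   "web": (19, 8)}, "owner"),
    ({"calls": (15, 11), "sms": (39, 23), "web": (2, 1)},  "intruder"),
    # Intruder whose calling looks like the owner's but who abuses SMS:
    ({"calls": (3, 2),   "sms": (40, 25), "web": (2, 1)},  "intruder"),
]

def feature_vector(window, services):
    """Concatenate the chosen services' features (multimodal fusion)."""
    return [x for s in services for x in window[s]]

def knn_predict(train, window, services, k=3):
    """Majority label among the k nearest training windows (Euclidean)."""
    q = feature_vector(window, services)
    nearest = sorted(train, key=lambda t: dist(q, feature_vector(t[0], services)))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

def true_positive_rate(train, test, services, k=3):
    """TPR = intruder windows flagged as intruder / all intruder windows."""
    intrusions = [w for w, label in test if label == "intruder"]
    hits = sum(knn_predict(train, w, services, k) == "intruder" for w in intrusions)
    return hits / len(intrusions)

def evaluate(train=TRAIN, test=TEST):
    """TPR for each service alone and for the multimodal combination."""
    modes = {"calls": ["calls"], "sms": ["sms"], "web": ["web"],
             "multimodal": ["calls", "sms", "web"]}
    return {name: true_positive_rate(train, test, svc) for name, svc in modes.items()}

if __name__ == "__main__":
    for mode, tpr in evaluate().items():
        print(f"{mode:>10}: TPR = {tpr:.2f}")
```

With this constructed data the calls-only model reaches a TPR of 0.5 while the SMS, web and multimodal models reach 1.0; a real evaluation would also report the false positive rate on owner windows, which the same functions can compute by inverting the label filter.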