Intrusion Detection Systems Smartphone Security Enhancements

Published Date: 02 Nov 2017

Abstract:

Mobile becomes a necessary element in our daily basis. Many communication companies and business organization have shifted to manage their task and resources using Smartphone's capability. Although, the Smartphone has many capabilities that serve its users in different areas, but it is still not efficient, effective, and secure to perform confidential transactions. Due to the explosive increase of network security violation and threats, major study and analysis should be performed to secure the confidentiality and privacy of data transmission against intrusions and attacks. The protection of data transmission in a crucial condition requires secure and robust detection system to ensure data transfers without being exposed or intruded by a third party. Specifically intrusion into Smartphone communication and transaction is significantly affecting the reliability of data transfer and security. The security in Smartphone has not received many attentions. Hence in proposed system significantly ensures the security of Smartphone's users and to enhance the current intrusion detection and prevention systems for more secure and reliable data transmission as well as efficient group communications and transactions.

Introduction

A Smartphone is a new technology mobile phone  which basicalley works with a mobile operating system, with more advanced operating capability and connectivity than a feature phone.[1] while Smartphones were entred into the market with combined the functions of a personal digital assistant (PDA) with a mobile phone. Nowadays the smartphones added the functionality of media file support, low-end compact digital cameras, pocket video cameras, and GPS navigation units to form one multi-purpose device. Many modern Smartphones also include high-resolution touch-screens and web browsers that display standard web pages as well as mobile-optimized sites. High-speed data access is provided by Wi-Fi and mobile broadband. In recent years, the rapid development and innovation of mobile appmarkets and of mobile commerce have been drivers of Smartphone adoption.[2]

Types

The mobile operating systems (OS) used by modern Smartphones include Google's Android, Apple's iOS, Nokia's Symbian, RIM's BlackBerry OS, Samsung's Bada, Microsoft's WindowsPhone, Hewlett-Packard's webOS, and embedded Linux distributions such as Maemo and MeeGo. Such operating systems can be installed on many different phone models, and typically each device can receive multiple OS software updates over its lifetime. A few other upcoming operating systems are Mozilla's Firefox OS and Canonical Ltd.'sUbuntu Phone.

Network Protocols

Smartphone are also use cell-phone network technology only for sending and receiveing data (such as phone calls, web browsing, file transfers, etc.). Developers classify this technology into generations. The first generation developed the analog cell phone technology. Later Digital cell phones require more advanced protocols, which constitute the second generation. After long gap between two and three generation the network engineers created protocols that are more advanced than generation two’s digital technology but still that innovations are also not so innovative that they are a truly new generation. Developers refer to these protocols as generation 2.5. This generation includes several primal Smartphone protocols, behalf of that innovation still we are using some of the protocols

General Packet Radio Services (GPRS) is a wireless, packet-based communication service and until we are recently using these technology nowadays 2.5G protocol used in most of the Smartphone. Unlike a circuit-switched voice connection, this is a packet-switched, "always on" connection that remains active as long as the phone is within range of the service. It allows Smartphone to do things like run applications remotely over a network, interface with the Internet, participate in instant messengersessions, act as a wireless modem for a computer and transmit and receive e-mails. GPRS can send and receive data at a rate of 114 kilobytes per second. Some Smartphone in the United States still use this protocol, though newer, faster protocols are available

One protocol that is faster than GPRS used in the U.S. market is Enhanced Data GSM Environment (EDGE). EDGE can transmit data at more than three times the rate of GPRS (384 Kbps). Basicalley many Smartphone in the United States and developing countries are now using EDGE protocol [7]. Still, these protocols are only generation 2.5. Generation three (3G) is the latest in network communication technology. Protocols in 3G transmit data in terms of megabytes per second rather than kilobytes (some as fast as 10 Mbps). While some U.S. carriers support 3G protocols, many still rely on 2.5G technology. Europe and Asia have much stronger 3G integration in their respective cell phone networks. Some 3G protocols are:

Universal Mobile Telecommunication Service (UMTS)

Wideband Code-Division Multiple Access (WCDMA)

High-Speed Downlink Packet Access (HSDPA)

Evolution Data Maximized (EVDO)

C:\Documents and Settings\Ajay Louis\My Documents\My Pictures\untitled.JPG

Figure 1.1 Performance for mobile core

Problems Encountered

As usage of smartphone increases , these devices become more challenge to attackers who try to strike them with malicious software (malware).Smartphone security literature suggests that Smartphone malware can be written even by average developers.[3] basicalley the smartphone have not fullfleged security orand also no security mechanisms, such as app kill switch (aka remote app removal), review process for their content, etc. Often malware is obscure in pirated versions of countenance apps, which are then distributed through 3rd party app stores. Malware risk also comes from what's known as an "update attack," where a legitimate application is later changed to include a malware component, which users then install when they are notified that the app has been updated. Additionally, the ability to acquire software directly from links on the web results in a distribution vector called "malvertizing," where users are directed to click on links, such as on ads that look legitimate, which then open in the device's web browser and cause malware to be downloaded and installed automatically.[4].

Solution

For communication and data transmission with full secured manner the Introducing intrusion detection system (ids) can be adjuvant. These system should be provided to observe any malicious events on the phone. Intrusion detection system has a powerful impact in providing in-depth a necessary layer protection in networks either ad hoc networks or wireless sensor networks. The objective of the IDS is to identify unusual events and notify the network administrator of the occurred events. In Other words, intrusion detection system has been generally defined as a piece of installed software or a physical appliance that monitors network traffic in order to detect unwanted activity and events such as illegal and malicious traffic, traffic that violates security policy, and traffic that violates acceptable use policies. Many IDS tools will also store a detected event in a log to be reviewed at a later date or will combine events with other data to make decisions regarding policies or damage control [5].

Related works

Recently, the number of hacking and intrusion incidents is increasing year on year as technology rolls out. unfortunately, the security and risks associate with Smartphone device has not been considered to be a wild issue to many wireless and mobile vendors such AT&T Company. The ignorance of user's privacy may cause fatal problems

To client's credits cards, usernames, passwords, etc. this potential causality needs careful consideration and vendors should acknowledge the user's concern and deal with them in a straightforward manner. Because the classified information should not be liable to any attempt of hacking or intrusion incidents. Intrusion detection should be operated at all level of security to ensure the user privacy and confidentiality. Therefore, manufacturing companies should provide a system that acts solely on the recent information and past history of the mobile phone owner activities and classifies the Smartphone users into classes according to their usage logs. Such logs contain the

Relevant characteristics for every call made by the user. As soon as the system identifies a fraud or unusual event, it notifies automatically both the carrier telecom and the victim immediately.

Proposed System:

The existing intrusion or security systems that run on the Smartphone device is a complicated task since it involves complex implementation due to the differences in the each mechanism infrastructure. In our proposed system will provide a solid security protection against any threats to user privacy and information that on the web that processing on the Smartphone device.

The proposed system provides function and performs all types of security mechanisms.

It can efficiently detect suspicious events that can greatly cause harm to data or any other form of harms.

It can strongly prevent suspicious events from occurring.

It can completely remove viruses that reside in a Smartphone.

It can notify the users about the new threats or attack on the device.

The proposed system is not only limited to the functions mentioned above. It will fully offer the user more security features on Smartphone device. A-cloud-based Intrusion system for mobile security was proposed to offer security features in a mobile communication platforms but there are a few drawbacks accompanied.

The proposed system provides well known security mechanisms to detect, prevent, halt, and discard any type of penetrations into Smartphone device. With a successful integration of the above said techniques, we can assure our proposed system will perform well when comparing other existing systems. The Proposed System will be implemented in near future, which will ensure the data transmission and any confidential transaction reliability. The system could be costly due to its integration with other systems and security mechanisms, but individuals' privacy and belongings are also important assets.

Module Description:

The tremendous increase of mobiles theft and their communication platform brings an opportunity to researchers and scholars to improve the communications and transactions security and reliability. Security of the new communication technology, which evolves gradually to meet user requirements and satisfactions, is called Smartphone device technology. The environments where Smartphone becomes the main source of computing instead of the conventional and traditional computers. The Smartphone is a tiny device that performs tasks which cannot be performed in an ordinary phone. Smartphone is considered to be a hand-held computer and gradually will take over portable computer's role.

In this module there are three modules as,

Authentication

Intrusion Detection System,

Smartphone Intrusion Detection System,

Authentication:

Smartphone is increasingly become the target of malware and an easy leak for hackers to thefts. Username and password are highly at risk and can be obtained by professional intrusion thefts. There are tremendous security risks associated with the increased data and application usage on Smartphone device. Since Smartphone device has the capability of letting more personal information to migrate into it, many researchers and experts identified that hackers have increasing chances to track individuals, listen in on phone calls and intercept emails or documents.

For instance, Smartphone can be used in healthcare environments to monitor patients’ diseases status, which involves data flow back and forth between the patients and their specialists. This kind of information flow is strictly confidential and should not be exposed to a third party because patients are concerned about their privacy. Even though major studies warn about the potential risk of the information that flows through Smartphone device but still, Smartphone device has not fully come to researcher and scholar attentions. The security of the patient information needs to be robustly stored in secure forms which intruders should not get any access into it by any means. In this module an security is enhanced by creating an authentication for every user who using the Smartphones.

Intrusion Detection System:

Intrusion Detection System is completely different from Firewall particularly in terms of functionality and efficiency. Firewalls are designated to be outward looking and to restrict access between networks in order to prevent any attempt of intrusion. While intrusion detection system is a hardware or software used to detect undesirable or abnormal access or events to a network. An ID monitors traffic on a network looking for and logging threats and alerting personnel to respond. The detection or observation of abnormal events or threats on networks is performed in two different ways that IDS supported: Signature-based and Anomaly-based detection.

Signature-based detection is considered inefficient in terms of detecting threats and other attempt of attacks. Signature-based is basically designed to detect some defined threats or attacks. In other words, it only alerts and detects about known and defined attacks, which it can be deceived by other attacks or threats that are undefined. This deficiency in the intrusion detection system grants accessibility to Smartphone user’s privacy and confidentiality. Attackers gain unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorize. The issue of privacy and confidentiality is still not come to attention of many IDS providers.

Anomaly-based detection is unlike Signature­ based detection. The main function of anomaly-based detection is to detects unknown attacks and notify the user of network attack or threats. However, anomaly­ based detection provides notifications of normal traffic, which can cause no harm or threats to the Smartphone holder or any data loss and transmission. Regrettably, the efficiency of detecting all types of traffic attacks seems to be inadequate and unsatisfactory to notify the users of all types of data transmission including the usual events.

Intrusion Prevention System (IPS):

Intrusion Prevention System (IPS) is a proactive protection technology that provides security at the network level. It is the first line of defense against malware.

 There is sometimes confusion between an IPS and a firewall. Personal firewalls are more basic, making allow/deny decisions to ensure that only "selected" programs are allowed to interact over the internet. Firewalls also block network communication on non-standard ports, which are generally not used by legitimate programs and services. On the other hand, an IPS goes one step further, and examines all network traffic that is allowed through the firewall.

 We can demonstrate the difference between firewalls and IPS by using the real world example of airport security. Airline officials and security officers confirm the identity of people traveling. They only allow people with proper identification and tickets to pass the checkpoint and proceed towards the gates. On your PC, the personal firewall provides the same function – either allowing "unscreened" traffic or blocking it. Back at the airport, baggage screeners and X-Ray machines make sure that authorized travelers do not carry dangerous items to the gate or onto an airplane. Similarly, the IPS engine’s role in the Norton security suite is to carefully examine the traffic that the firewall has already allowed.

 In the past, Intrusion Prevention Systems simply protected against operating system (OS) threats, or denial of service (DOS) and distributed denial of service (DDOS) attacks. These threats exploited vulnerabilities that were mostly in the OS network stack and services.

Intrusion Prevention System (IPS) is a proactive protection technology that provides security at the network level. It is the first line of defense against malware.

 There is sometimes confusion between an IPS and a firewall. Personal firewalls are more basic, making allow/deny decisions to ensure that only "selected" programs are allowed to interact over the internet. Firewalls also block network communication on non-standard ports, which are generally not used by legitimate programs and services. On the other hand, an IPS goes one step further, and examines all network traffic that is allowed through the firewall.

 We can demonstrate the difference between firewalls and IPS by using the real world example of airport security. Airline officials and security officers confirm the identity of people traveling. They only allow people with proper identification and tickets to pass the checkpoint and proceed towards the gates. On your PC, the personal firewall provides the same function – either allowing "unscreened" traffic or blocking it. Back at the airport, baggage screeners and X-Ray machines make sure that authorized travelers do not carry dangerous items to the gate or onto an airplane. Similarly, the IPS engine’s role in the Norton security suite is to carefully examine the traffic that the firewall has already allowed.

 In the past, Intrusion Prevention Systems simply protected against operating system (OS) threats, or denial of service (DOS) and distributed denial of service (DDOS) attacks. These threats exploited vulnerabilities that were mostly in the OS network stack and services.

Now that firewalls can keep track of TCP sequence numbers and have the ability to block certain type of traffic (such as Code Red or Nimda) even they can act as intrusion prevention systems. However, this is not what we are going to look at. Rather, this discussion will look at five different categories of IPSs that focus on attack prevention at layers that most firewalls are not able to decipher, at least not yet. The five types of IPSs that we will look at are inline NIDS, application-based firewalls/IDS, layer seven switches, network-based application IDSs, and deceptive applications.

Inline Network Intrusion Detection Systems

Most NIDS would be configured with two NICs, one for management and one for detection (Figure 1). The NIC that is configured for detection usually does not have an IP address assigned to it, making it a "stealth" interface. Since it does not have an IP address assigned to it no one can send packets to it or cause the NIDS to reply using that interface.

http://www.symantec.com/connect/sites/default/files/infocus/desai_ips_1.jpg

Figure 1

The inline NIDS works like a layer two bridge, sitting between the systems that need to be protected and the rest of the network (Figure 2).

http://www.symantec.com/connect/sites/default/files/infocus/desai_ips_2.jpg

Figure 2

All traffic will pass through the inline NIDS. Unlike a regular bridging device though, the inline NIDS will inspect the packet for any vulnerabilities that it is configured to look for. If a packet contains a piece of information that trips a signature the packet can be forwarded or dropped and either logged or unlogged. Hogwash can take it a bit further though: it has the added ability to rewrite the offending packet(s) to something that won’t work, a procedure known as packet scrubbing (Figure 3). This type of IPS is useful if you don’t want the attacker to know that their attacks are unsuccessful or if you want the attacker to continue to attack one of your systems in an attempt to gather more evidence. It is also useful when deploying a honeynet so that only the outbound traffic, from the honeynet, is "scrubbed".

http://www.symantec.com/connect/sites/default/files/infocus/desai_ips_3.jpg

Figure 3

An inline NIDS offers the great capabilities of a regular NIDS with the blocking capabilities of a firewall. As with most NIDS, the user can monitor, in this case protect, many servers or networks with a single device. This can be both a blessing and a curse. If the system were to fail or crash the traffic would not get through the device. (ISS Guard actually fails open when the product crashes). If you are concerned about uptime and SLAs, this might cause a big issue for your network.

These IPSs will feel most comfortable in the hands of security teams that already deal with NIDS. Because these IPSs are variants of existing NIDS, writing rules for them is very easy and offers a way to catch new attacks. To block unknown attacks with a signature-based inline NIDS, you would have to have some generic rules, like looking for NOOP sleds. This does not, however, stop all new attacks. In the case of a protocol anomaly inline NIDS, it will be able to stop unknown attacks based on the protocols that it is able to decode, as well as the knowledge of those protocols. Both these systems have the drawback of only being able to protect certain applications that are in wide use (such as, IIS, Apache, etc.). If you have an application that uses either one of these Web servers, the inline NIDS will offer no protection for bad programming or misconfigurations. They provide a generic level of protection, but they still have a great place in protecting systems that are hard to protect (i.e. AS400, Tandem, mainframes). For many of these systems there is no other form of protection or monitoring.

Layer Seven Switches

Traditionally switches were layer 2 devices. But now, with the high demands on networks and servers to deliver bandwidth intensive content, layer seven switches are on the rise. Network engineers mostly use these switches to load-balance an application across multiple servers. To do this they can inspect layer seven information (i.e. HTTP, DNS, SMTP) to make switching or routing decisions. In the case of a Web application, they can inspect the URL to direct particular request to specific servers based on predefined rules. The companies that make these devices have now started to add security features to their products, like DoS and DDoS protection.

These devices are built on custom hardware to deliver high performance, even in the most demanding networks. These systems can easily handle gigabit and multi-gigabit traffic. They work similarly to a signature-based inline NIDS when it comes to stopping attacks. Placing these devices in front of your firewalls would give protection for the entire network. That said, the drawbacks are similar to the inline NIDS. They can only stop attacks that they know about (Figure 4), but they do offer a way to write signatures just like a NIDS. The one attack that they can stop that most others can’t are the DoS attacks. These devices have the horsepower to mitigate DoS attacks without affecting the rest of the network performance. They offer security as a byproduct of what they do in regards to inspecting layer seven content for routing/switching decisions.

http://www.symantec.com/connect/sites/default/files/infocus/desai_ips_4.jpg

Figure 4

Layer seven switches also are configurable for redundancy. They can be configured in a hot standby mode or in a load-balancing mode. This feature is not found in any of the other IPSs. While their ability to stop attacks may not match up with the last two technologies that this article will discuss, they do offer many other features that can make them worth the money. Since most of these devices have origins in the networking world, they can load balance servers, firewalls and NIDS, route using BGP, OSPF and RIP and are geared towards guaranteeing speed and uptime. A lot of the security features offered are available as a software upgrade, so it may be possible to use an all ready existing switch that is used in the network.

Application Firewalls/IDS

Application firewalls and IDSs are usually marketed as an intrusion prevention solution rather than a traditional IDS solution. These IPSs are loaded on each server that is to be protected. While the overhead in management of this many IPSs could be daunting, it does pay off. These types of IPSs are customizable to each application that they are to protect. They don’t look at packet level information; rather, they look at API calls, memory management (i.e. buffer overflow attempts), how the application interacts with the operating system, and how the user is suppose to interact with the application (Figure 5). This helps protect against poor programming and unknown attacks.

http://www.symantec.com/connect/sites/default/files/infocus/desai_ips_5.jpg

Figure 5

Application IPSs can profile a system before protecting it. During the profiling phase, the IPS can watch the user’s interaction with the application and the applications interaction with the operating system to determine what legitimate interaction looks like. After the IPS has created a profile, or policy, of the application, it can be set to enforce it. Unlike the inline NIDS or the layer seven switch, the application layer IPSs are a "fail close" type of system, which means that if some action is attempted that is not predefined then the IPS will stop the action from taking place. One drawback of this type of system is that when an application is profiled, the user needs to make sure that every aspect of the application is used so that the application IPS can see the interaction and write a rule for it. If thorough testing of the application is not carried out, then some parts of the application may not work. Another drawback is that when the application is updated it might have to be profiled again to ensure that the policy does not block legitimate use.

By profiling the application prior to enforcing the policy you can get very granular with the policies that are made. This type of IPS offers the one of the greatest amounts of protection for custom written applications. Since each application firewall/IPS is loaded on each physical server you can customize each policy so that it can offer the greatest amount of protection. Of the IPSs that are discussed in this paper, this one is the only one that looks at how the application interacts with the operating system and memory management on the server.

Hybrid Switches

This type of technology is a cross between the host-based application firewall/IDS and the layer seven switch. These systems are hardware based in front of the servers(s), like the layer seven switch, but instead of using a regular NIDS type of rule set, hybrid switches use a policy similar to the application IDS/firewall (Figure 6). They inspect specific traffic for malicious content defined by the policy that is configured. Some of these companies offer application layer vulnerability assessment products that compliment their IPS. An application can be scanned with their vulnerability assessment product and the information from that scan can be imported into their IPS as a policy. This saves the security administrator a lot of time configuring the policy to defend the application.

http://www.symantec.com/connect/sites/default/files/infocus/desai_ips_6.jpg

Figure 6

The hybrid switch works in a similar manner to the layer seven switch, but instead of only having a handful of signatures that can block attacks aimed at the Web server, it can have detailed knowledge of the Web server and the application that sits on top of the Web server. It also fails close if the user’s request does not match any of the permitted requests. If the application that is being protected receives a lot of traffic, the hybrid switch can be combined with a layer seven switch to offer even higher performance. The layer seven switch can be configured to send certain types of requests to the hybrid switch for further inspection, decreasing the amount of requests that the hybrid switch has to look at and increasing performance.

Deceptive Applications

Now we will look at a type of technology that does things a bit differently. The methodology is not new, it was first discussed in 1998 at a RAID conference. This type of technology uses some deceptive practices. First, it watches all your network traffic and figures out what is good traffic (Figure 7), similar to the profiling phase of the application firewall/IDS. Then, when it sees attempts to connect to services that do not exist or at least exist on that server, it will send back a response to the attacker (Figure 8).

http://www.symantec.com/connect/sites/default/files/infocus/desai_ips_7.jpg

Figure 7

http://www.symantec.com/connect/sites/default/files/infocus/desai_ips_8.jpg

Figure 8

The response will be "marked" with some bogus data so that when the attacker comes back and tries to exploit the server the IPS will see the "marked" data and stop all traffic coming from the attacker. The attacker does not have to try to attack the fake web server to be detected. Based on the configuration of the product, there can be "marked" data within the packet data. This would catch an attacker even if he/she was to attack a legitimate web server.

Smartphone Intrusion Detection System:

The concept of intrusion detection system (IDS), we have identified the efficiency and inefficiency of the existing system on Smartphone device that require much attention to prevent any threats and attack, which can hugely affect Smartphone's users in many different aspects. The massive increase of Smartphone’s users and buyers every day take our attention to provide a user security to their tiny thin device. This device requires extensive consideration regarding to security of data transactions and transmission.

Smartphone's users want to be secure with credit card, phone bills, and so on. In order to provide a strong detection system that detects all undefined and unusual events, we therefore propose Smartphone Intrusion Detection System (SIDS). The proposed system will act solely to detect all types of unwanted and suspicious events that cause threats to Smartphone security. The system will uniquely operate at all the level of security to ensure the data transmissions and transactions without causing any faulty to the device. The schema of the proposed system that will be implemented in the near future.

G:\ilakkiamsa.jpg

The proposed system is enhanced with well known security mechanisms to detect, prevent, halt, and discard any type of penetrations into Smartphone device. With a successful integration of the techniques, the proposed system will outperform other existing systems in many aspects. This system will have its unique impact on the security of Smartphone in a diversity of aspects, which is used to widely protect the privacy of users and other concerns accompanied by their portable device. The system could be costly due to its integration with other systems and security mechanisms, but individuals' privacy and belongings are also important assets.

Conclusion:

Smartphone device needs a robust and reliable intrusion detection system to ensure the privacy and confidentiality of the holder. In propose system is to compensate some of the deficiency with IDs that operates on Smartphone device. The existing intrusion detection system is unfortunately not as efficient as user expectation. SIDS will certainly be effective and operated at all level of security that complies with the international security policy and privacy. In the future, there is plan to implement the proposed system in real to demo. However, complexity of the IPS infrastructure is a challenge task that may delay for the processes continuation of the implementation. Determination of the entire performance of the proposed system before implantation cannot be predicted in a complete form. However, the expectation is to exceed the highest level of security in comparison with other existing systems.

[1]  Andrew Nusca (20 August 2009). "Smartphone vs. feature phone arms race heats up; which did you buy?". ZDNet. Retrieved 2011-12-15.

[2] http://en.wikipedia.org/wiki/Smartphone

[3]  Mylonas Alexios; Dritsas Stelios, Tsoumas Bill and Gritzalis Dimitrios (2011). Samarati and Lopez. ed. Proc. of International Conference of Security and Cryptography (SECRYPT '11). SciTePress. pp. 25–36.

[4] Lookout, Retrevo warn of growing Android malware epidemic, note Apple's iOS is far safer". Appleinsider.com. 2011-08-03. Retrieved 2012-01-05.

[5] Gene Tyler, "Intrusion Detection Systems", Sixth Edition,

pp.5-93, September 2009.

[6] http://www.crossbeam.com/mobile-network-providers-face-a-potential-exodus-of-74-percent-of-Smartphone-users-after-a-security-breach/ - Mobile network providers will be blamed for Smartphone attacks, regardless of fault

[7] Source: Whatis.com