The University of British Columbia

Location information is an important feature in users' profiles in cellular mobile networks. In this paper, by exploiting the location history traversed by a mobile user, two domain-independent online anomaly detection schemes are designed, namely the Lempel-Ziv (LZ)-based and Markov-based detection schemes. The authors focus on the identification of a group of especially harmful internal attackers-masqueraders. For both schemes, cell IDs traversed by each mobile user are extracted as the feature value. Specifically, the mobility pattern of each user is characterized by a high-order Markov model. The LZ-based detection scheme from the well-developed data compression techniques is derived. Moreover, the technique of exponentially weighted moving average is used to modify a user's normal profile dynamically. The user profile can characterize the normal behavior of each user accurately and is sensitive to abnormal changes. For the Markov-based detection scheme, a fixed-order Markov model is used to characterize the normal behavior. Based on the constructed probability transition matrix, the probability of the user's current activity is calculated. A threshold policy is then used in both schemes to determine whether a mobile device is potentially compromised or not. Simulation results are presented to show the effectiveness of the proposed schemes. Moreover, our results show that the LZ-based detection scheme performs better than the Markov-based detection scheme, especially for low-speed mobile users