Journal Of Informatics Faculty
ANOMALY DETECTION MODELLING IN MEDICAL PERVASIVE SYSTEMS

BINIYAM ASFAW* And

Abstract: Pervasive computing is being applied to different areas of specialization. This is basically because of the features of pervasive computing, such as context-awareness, invisibility, non-intrusiveness, and mobility. The medical area is one where such devices are hugely deployed. In this case, pervasive devices such as PDAs (Personal Digital Assistants), mobile phones and the like are used for manipulating medical records on the move. The use of pervasive devices also comes with new challenges that did not exist with traditional computing systems. Among these challenges, security is probably the major one. In fact, ensuring security with pervasive systems is difficult due to the use of wireless communication, the physical nature of the devices, and their low processing power and low power budget. In this research, we deal with intrusion detection (ID) to secure such systems. ID systems (IDSs) are used to monitor a resource and notify someone in the event of a specific occurrence for an appropriate response. Based on attack identification, they can be divided into those which implement misuse detection (matching against known attack patterns) and those which implement anomaly detection (deviation from normal patterns). Misuse detection matches only known attack patterns, while anomaly detection is capable of identifying new attacks. Based on the source of information for the IDS, it may be host-based, network-based or application-based. In our case, we deal with application-based anomaly detection issues through building normal users' application usage profiles.

Keywords: Security, Intrusion Detection, Anomaly Detection, Medical Systems, Pervasive

1. INTRODUCTION

As computer systems play increasingly vital roles in modern society, they have become the targets of enemies and criminals.
When an attack occurs, which can be any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource, prevention techniques such as encryption and authentication, using passwords or biometrics, are usually the first line of defense. However, attack prevention alone is not sufficient: as systems become ever more complex, while security is still often an afterthought, there are always exploitable weaknesses in the systems due to design and programming errors. Attacks on computer systems may originate from external or internal sources. In addition to illegitimate attackers, legitimate users, who have access to the system, may try, consciously or unconsciously, to misuse their privileges.

Intrusion detection can be used as a second wall to protect systems. Intrusion Detection Systems (IDSs) are used to monitor a resource and notify someone in the event of a specific occurrence for an appropriate response [1]. IDSs are the "burglar alarms" of the computer security field. From a high-level view, the goal is to find out whether or not a system is operating normally. IDSs can be categorized based on their detection methods. When the IDS uses information about the normal behaviour of the system it monitors, it is categorized as an anomaly-based IDS. When the IDS uses information about attack signatures, it qualifies as a misuse-based IDS. Anomaly-based IDSs are capable of identifying new attacks, but they may suffer from a high false positive rate [1].

The behaviour on detection describes the response of the IDS to attacks. When it actively reacts to the attack by taking either corrective (closing holes) or proactive (logging out possible attackers, closing down services) actions, the IDS is said to be active. If the IDS merely generates alarms (such as paging), it is said to be passive.

The audit source location discriminates IDSs based on the kind of input information they analyze.
This input information can be system logs on the host, network packets, application logs, user commands, or even intrusion alerts generated by other IDSs.

Traditional computing provides functionalities which may not be comfortable to use for some specific areas of specialization. This can be attributed to a lack of support for mobility, an inability to integrate context information, and its intrusive nature [2]. This is particularly true of healthcare systems. Medical work is usually referred to as nomadic, where healthcare workers exhibit mobility and interrupted operations [3]. Location-based computing is required in healthcare environments to enable delivery of accurate medical information anywhere and anytime, thereby reducing errors and improving access. Since context-awareness, invisibility, non-intrusiveness, and mobility are features of pervasive computing, pervasive devices are widely deployed in healthcare environments. A large amount of information about patients' health status, like blood pressure and heart beat, is collected from different devices monitoring the patients' health. In this case, without necessarily requiring intervention of the medical staff, pervasive devices can monitor the information sent from these devices and alert the medical staff only when, for example, blood pressure goes outside the expected range for a specific patient.

When pervasive devices are used, the security challenges intensify. The wireless links used in pervasive environments make passive eavesdropping and active interference possible. The cooperative environment in pervasive systems also aggravates the security problems: in a cooperative environment, devices report their state and sensor information to other objects [4]. The devices used are also less physically secured than nodes used in fixed networks, which makes them easier to compromise [5].
Resource limits also contribute by posing problems for implementing heavy cryptographic algorithms. Moreover, in the specific case where pervasive computing technology is deployed in a healthcare system, it is likely to create concerns about security. Reasons can be increased data aggregation, ubiquitous access, and increasing dependency on technical solutions [1].

The aim of this research is to develop a model for a host-based anomaly detection system for pervasive medical systems. The model to be developed will be tailored specifically for medical applications and tries to model the normal activities of the medical staff in order to evaluate every activity against these normal behaviours.

* MSc in Computer Science, Faculty of Informatics, Admas University College, P. O. Box 26670
** PhD in Computer Science, Internet Society, Africa Regional Bureau
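
The contrast the introduction draws between misuse detection and anomaly detection, and the stated aim of evaluating each staff activity against a profile of normal behaviour, can be seen side by side in the following added example. It is not the paper's model: the audit records, user names, action names, signature list, smoothed-frequency scoring and threshold are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed (user, application action) audit records of normal activity.
TRAINING = (
    [("nurse_a", "view_vitals")] * 40 + [("nurse_a", "update_chart")] * 15
    + [("nurse_a", "view_medication")] * 5
    + [("dr_b", "view_record")] * 30 + [("dr_b", "write_prescription")] * 20
    + [("dr_b", "view_vitals")] * 10
)
# Misuse detection: signatures of known-bad actions (hypothetical names).
SIGNATURES = {"bulk_export_records", "disable_audit_log"}


def misuse_alert(event):
    """Alert only when the action matches a known attack pattern."""
    return event[1] in SIGNATURES


class UsageProfile:
    """Per-user action frequencies learned from normal activity."""

    def __init__(self, events):
        self.counts = defaultdict(Counter)
        for user, action in events:
            self.counts[user][action] += 1
        self.vocab = {action for _, action in events}

    def surprise(self, event):
        """-log2 of Laplace-smoothed P(action | user); higher is more unusual."""
        user, action = event
        seen = self.counts.get(user)
        if seen is None:  # no profile at all: treat as maximally unusual
            return math.inf
        total = sum(seen.values())
        # +1 in the denominator reserves mass for actions never seen in training
        p = (seen[action] + 1) / (total + len(self.vocab) + 1)
        return -math.log2(p)

    def anomaly_alert(self, event, threshold=5.0):
        return self.surprise(event) > threshold


def classify(profile, event):
    """Return (misuse_alert, anomaly_alert) for one audit record."""
    return misuse_alert(event), profile.anomaly_alert(event)


PROFILE = UsageProfile(TRAINING)
```

A nurse account writing a prescription matches no signature but is flagged by the profile, while lowering the threshold to 3.0 also flags the nurse's legitimate but rare `view_medication` action, which is the false-positive cost noted above.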