Differentiating Users Based on Changes in the Underlying Block Space of Their Smartphones
thesisposted on 06.05.2020, 19:27 by Eric D Katz
With the growing popularity of using smartphones in business environments, it is increasingly likely that phones will be the target of attacks and sources of evidence in cyber forensic investigations. It will often be important to identify who was using the phone at the time an incident occurred. This can be very difficult as phones are easily misplaced, borrowed, or stolen. Previous research has attempted to find ways to identify computer users based on behavioral analysis. Current research into user profiling requires highly invasive examinations of potentially sensitive user data that the user might not be comfortable with people inspecting or could be against company policy to store. This study developed user profiles based on changes in a mobile phone's underlying block structure. By examining where and when changes occur, a user profile can be developed that is comparable to more traditional intrusion detection models, but without the need to use invasive data sets. These profiles can then be used to determine user masquerading efforts or detect when a compromise has occurred. This study included 35 participants that used Samsung Galaxy S3s for three months. The results of the study show that this method has a high accuracy of classifying a phone's actual sessions correctly when using 2-class models. Results from the 1-class models were not as accurate, but the Sigmoid SVM was able to correctly classify actual user sessions from attack sessions.