DYNAMIC ANALYSIS OF MALWARE INTRUSION IN MOBILE DEVICES USING ADABOOST ALGORITHM, KNN AND SVM BASE CLASSIFIERS

Cyber security is becoming more worrisome; malware spreads by the day through the proliferation and distribution of variants of known family signatures using obfuscation techniques. Mobile device components such as the central processing unit, memory, battery, executable files and operating system are constantly attacked and rendered unusable. Attack agents evade detection, damage mobile devices' executable files, steal information, surcharge users for SMS sent and received without their knowledge or permission, and freeze applications for a ransom, among others. This research work joins the fight against malware intrusion by designing and developing an intrusion detection system (IDS) using ensemble learning (boosting). The Adaboost algorithm trains base classifiers (KNN and SVM) on the Network Security Laboratory-Knowledge Discovery in Databases (NSL-KDD) dataset to build a more formidable classifier that detects malware intrusion in mobile devices using cloud technology. The result obtained with this combination technique is 91.4% accuracy with a bias (standard deviation) as low as 2.7%.

Recent trends in communication technology include the proliferation of malware variants, the use of encryption to hide embedded code in seemingly genuine applications, and the use of ransomware to harass innocent users by freezing their phones for a ransom (Stein, 2020). These nefarious activities are achieved by malware developers using sophisticated tools, most of which are freely available on the net. Novel cyber-attacks are on the increase, encrypting embedded malware code in seemingly genuine applications, recognizing controlled environments (sandboxes) and delaying the launch of their payload to avoid detection. These tactics and many more have caused companies serious financial losses and litigation for breach of contract, and have damaged the reputation of affected companies (Sullivan, 2015). The attacks are categorized into denial of service (DOS), probe (surveillance), user to root (U2R), and remote to local (R2L). They are perpetrated by agents (programs written to carry out the wicked intents of their masters): viruses, worms, Trojans, rootkits, backdoors, ransomware, among others (Wang et al., 2015; Bhuyan et al., 2014). One way to fight the menace of malware and their masters is the use of machine learning (ML) tools. ML attempts to find a suitable solution in a large space of possible solutions. An intrusion detection system (IDS) is one possible method of diagnosing attacks and abnormal behavior through continuous observation of specific locations or objects of a network (Wang et al., 2015). To develop an effective IDS, the research community has proposed combining ML techniques, as no single algorithm or classifier can do it all (Bamhdi et al., 2021; Bui et al., 2017). In line with that proposal, this research work combines Adaboost, KNN and SVM using ensemble learning to produce a more efficient classifier that performs binary classification, separating benign (normal) applications from anomalous applications seeking permission from the user to install themselves or other malicious applications, or to distort the operations of the mobile device.

MATERIALS AND METHODS
The dataset used to train and test the proposed IDS is the NSL-KDD dataset, obtained from Kaggle, a public data repository. It is subdivided into a training dataset (80%) with 125,973 records and a testing dataset (20%) with 22,544 records. In all, there are forty-two (42) features in each record of the dataset (Pham et al., 2018). Figure 1 depicts a column chart of the percentages of the training and testing datasets used to train and test the models respectively.

Algorithms used in the research work
The training algorithm, the base models and the voting classifier include:
i. Adaboost (Adaptive Boosting): used to train and monitor the base models and update the weights of misclassified labels.
ii. K-Nearest Neighbor (KNN): base model 1; loads the training dataset into memory, finds the nearest neighbors to the target object using the Euclidean distance measure, and assigns the target object to the majority vote of those neighbors.
iii. Support Vector Machine (SVM): base model 2; trains with the improved (reweighted) dataset and classifies the test dataset into benign and anomalous classes.
iv. Voting classification technique (majority vote, plurality vote or hard vote): used to aggregate the predictions of the base classifiers and determine a befitting classifier.
v. The Python programming language and its external libraries (scikit-learn, pandas, NumPy, Matplotlib, etc.), used to code the system (IDS) and plot results.
Given the limitations of mobile devices, namely limited processing power, limited memory, battery longevity and a constrained operating system, the data and code are uploaded to the cloud, via the internet, for analysis and detection of malicious applications. This process is achieved using cloud computing technology.

System Requirements Specification (SRS)
This subsection explains the key operations, for the programmer, that lead to the computation of results. The program is written in the Python programming language, using both in-built and external libraries.
i. Import the relevant external libraries.
ii. Load the dataset used to train and assess the models, using pandas (pd). For instance: data = pd.read_csv("H:/user/oyong/desktop/nsl_kdd.csv")
iii. Divide the dataset into input vectors, x ∈ R^d, and labels, y ∈ {-1, +1}.
iv. Convert the categorical features into numerical values with OneHotEncoder() and LabelEncoder() of the sklearn library before processing.
v. Normalize the dataset using the MinMaxScaler() function, and split it into a training dataset (80%) with 125,973 records and a test dataset (20%) with 22,544 records using train_test_split() of the sklearn library.
vi. Reduce the dimensionality of the dataset using principal component analysis (PCA).
vii. Train the base models (KNN and SVM) using the Adaboost algorithm, and aggregate their predictions into a formidable classifier (hard vote) using the VotingClassifier() function of the sklearn library. For instance: ab_clf = AdaBoostClassifier(n_estimators=2, base_estimator=knn)
viii. Classify (predict) the test dataset using the hard-vote classifier.
ix. Compare the predicted results with the expected values using a confusion matrix, this being a supervised learning problem, and ascertain the TP, TN, FP and FN values.
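Steps ii–vi can be sketched on a tiny synthetic frame standing in for NSL-KDD; the column names and values below are illustrative only, not the real dataset.

```python
# Sketch of the preprocessing pipeline: encode, scale, split, reduce.
import pandas as pd
from sklearn.decomposition import PCA
from sklearn.model_selection import train_test_split
from sklearn.preprocessing import LabelEncoder, MinMaxScaler

# Toy stand-in for NSL-KDD records (illustrative values only).
df = pd.DataFrame({
    "duration":      [0, 2, 1, 5, 0, 3],
    "protocol_type": ["tcp", "udp", "tcp", "icmp", "tcp", "udp"],
    "src_bytes":     [181, 239, 235, 219, 217, 212],
    "label":         ["normal", "anomaly", "normal",
                      "anomaly", "normal", "anomaly"],
})

# Steps iii-iv: split features from labels, encode categoricals numerically.
X = pd.get_dummies(df.drop(columns="label"))      # one-hot: protocol_type
y = LabelEncoder().fit_transform(df["label"])     # anomaly/normal -> 0/1

# Step v: min-max normalization, then 80/20 train/test split.
X_scaled = MinMaxScaler().fit_transform(X)
X_tr, X_te, y_tr, y_te = train_test_split(
    X_scaled, y, test_size=0.2, random_state=0)

# Step vi: dimensionality reduction with PCA.
pca = PCA(n_components=2)
X_tr_p = pca.fit_transform(X_tr)
X_te_p = pca.transform(X_te)
print(X_tr_p.shape)  # (4, 2)
```

Note that PCA is fitted on the training split only and merely applied to the test split, so no information leaks from the test set into the transform.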

RESULTS
In this section, the predictions of boosted KNN and boosted SVM are depicted with respect to voting classification (hard vote), box-and-whisker visual representation, accuracy, precision, recall, F1-score and FPR. Hard voting counts the vote of each classifier in the ensemble and picks the class that gets the highest number of votes.
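Hard voting itself reduces to a modal count over the classifiers' predicted labels; a minimal sketch, with invented labels:

```python
# Hard (majority) voting: each classifier casts one vote for a class label
# and the class with the most votes wins.
from collections import Counter

votes = ["anomaly", "normal", "anomaly"]       # one prediction per classifier
winner = Counter(votes).most_common(1)[0][0]   # modal class
print(winner)  # anomaly
```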

Voting classification
In voting classification, a screenshot of the means and standard deviations of boosted KNN and boosted SVM is depicted in Figure 2. Observe that the hard-vote value, which is an aggregation of the five sets of KNN with different k values, has a 90.2% mean and a 3.4% standard deviation (std.), as against the 2.7% of boosted SVM.

Box and whiskers plot
A box-and-whisker plot depicts the spread of the data values in a dataset. Figure 3 depicts the graphical representation of boosted KNN using the box-and-whisker plot. It is observed that the spread increases steadily as the values of the data elements or weights increase and, except for knn3, the mean value of each box is lower than its median. The box-and-whisker plot of SVM, however, exhibits an interesting pattern: almost all the box plots are skewed to the bottom, with the lower whiskers longer than the top whiskers, as depicted in Figure 4. Another observation is that the variability is, indeed, scattered.
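Plots of this kind can be produced with Matplotlib's boxplot; the score lists below are invented stand-ins, not the accuracies reported in this work.

```python
# Box-and-whisker plots of per-model accuracy spreads (illustrative data).
import matplotlib
matplotlib.use("Agg")              # headless backend: render to file only
import matplotlib.pyplot as plt

scores = {                         # invented accuracy samples per model
    "knn3": [0.89, 0.90, 0.91, 0.88, 0.92],
    "knn5": [0.90, 0.91, 0.93, 0.89, 0.92],
    "svm":  [0.90, 0.94, 0.91, 0.93, 0.92],
}
fig, ax = plt.subplots()
ax.boxplot(list(scores.values()), labels=list(scores.keys()), showmeans=True)
ax.set_ylabel("accuracy")
ax.set_title("Voting classification spread (illustrative)")
fig.savefig("boxplot.png")
```

With showmeans=True, the mean marker sits inside each box alongside the median line, which is how the mean-versus-median comparison above can be read off the figure.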

Confusion matrix
The results of the trained model are evaluated to ascertain its generalization and performance on unseen data (the test dataset). One way to achieve this is the confusion matrix: a cross table that records the number of occurrences between the predicted and actual classifications. The columns represent model predictions, while the rows represent actual values (Kulkarni, 2022; Grandini et al., 2020; Bhandari, 2020). To calculate TP, TN, FP and FN for each class, the following observations on Figure 7 are taken into consideration (Grandini et al., 2020; Bhandari, 2020). For ease of explanation, the cells are numbered, while the numerical values therein are generated by the developed Python program using scikit-learn and other external libraries:
TP: the value of the cell where the predicted and actual classes are the same; for each class, only one TP value is considered.
FN: for a class analysis, FN is the sum of the values in the cells of the corresponding row, except the TP cell value.
FP: the FP value for a class analysis is the sum of the cell values in the corresponding column, except the TP cell value.
TN: in a class analysis, the TN value is the sum of all the remaining values in the rows and columns, aside from those of the class being considered.
The same technique is applied in analyzing all the classes, and the computations are aggregated using the Python scikit-learn metrics.confusion_matrix(y_test, y_pred) function. The boosted KNN classification report is presented in Table 3.
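The per-class bookkeeping described above can be sketched as follows, on a small made-up set of predictions (the labels and counts are illustrative, not this work's results):

```python
# Derive per-class TP/FN/FP/TN from a multiclass confusion matrix
# (rows = actual classes, columns = predicted classes, as in the text).
from sklearn.metrics import confusion_matrix

y_test = ["DOS", "DOS", "Probe", "R2L", "U2R", "DOS", "Probe", "R2L"]
y_pred = ["DOS", "Probe", "Probe", "R2L", "U2R", "DOS", "DOS", "R2L"]
labels = ["DOS", "Probe", "R2L", "U2R"]

cm = confusion_matrix(y_test, y_pred, labels=labels)

results = {}
for i, cls in enumerate(labels):
    tp = int(cm[i, i])                 # diagonal cell: predicted == actual
    fn = int(cm[i, :].sum()) - tp      # rest of the class's row
    fp = int(cm[:, i].sum()) - tp      # rest of the class's column
    tn = int(cm.sum()) - tp - fn - fp  # everything outside this row and column
    results[cls] = (tp, fn, fp, tn)

print(results["DOS"])  # (2, 1, 1, 4)
```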
Table 3: Performance Metrics with Respect to Anomalous Types using linear space for boosted KNN.
(Source: system code.) The trained (boosted) SVM classification report is presented in Table 4.
Table 4: Performance Metrics with Respect to Anomalous Types using linear kernel for boosted SVM.

Source: system code
From the computations in Tables 3 and 4, it is observed that boosted KNN performed almost as well as boosted SVM in linear space: the highest accuracy for boosted KNN is 99.5%, against 99.92% for SVM. This supports the observation that SVM is less efficient in linear space than in higher-dimensional spaces (Wang and Wang, 2015). The hard-vote value of SVM (91.4%) is indeed better than that of KNN (90.2%). This shows that Adaboost did a good job of training the models: starting with KNN, evaluating its mistakes and updating the weights of the misclassified labels, it arrived at a better score (91.4%) for SVM, with a standard deviation as low as 2.7%.
Figure 5 illustrates the standard metrics of KNN using a bar chart.
Figure 5: Classification Report on boosted KNN in terms of anomalous types.
Figure 6: Classification Report on boosted SVM in terms of anomalous types. From Figure 6, U2R is virtually uniform across all the measured values. U2R has the highest accuracy (99.92%), while Probe provides the least (88.7%). In precision, DOS has the highest value (97%), while Probe has the least (84.3%). Similarly, in recall, U2R has the highest value (98.0%), while DOS has the least (86.5%). In F-measure, U2R provides the highest value (97.0%), while R2L has as low as 88.6%. FPR is high in some anomalous types, such as Probe (19.0%), while in others, especially R2L and U2R, zero percent was recorded. These values, especially the FPRs, are below the saturation point of 0.5 (the 50% random-guess error for Adaboost), which is the accepted tolerance.
The saturation point of 50% random-guess error for Adaboost is the turning point beyond which adding more weak classifiers would produce no further increase in efficiency (Bhandari, 2022).
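The per-class figures quoted above follow the standard definitions, which can be written as a small helper; the counts passed in below are illustrative, not this work's values.

```python
# Standard binary metrics from the TP/TN/FP/FN counts of one class.
def class_metrics(tp, tn, fp, fn):
    accuracy  = (tp + tn) / (tp + tn + fp + fn)
    precision = tp / (tp + fp)
    recall    = tp / (tp + fn)                 # true positive rate
    f1        = 2 * precision * recall / (precision + recall)
    fpr       = fp / (fp + tn)                 # false positive rate
    return accuracy, precision, recall, f1, fpr

# Illustrative counts only:
print([round(m, 3) for m in class_metrics(tp=90, tn=95, fp=5, fn=10)])
# [0.925, 0.947, 0.9, 0.923, 0.05]
```

A class with zero FP among many TN, as reported here for R2L and U2R, yields an FPR of exactly zero under this definition.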

DISCUSSION
In this section, the results of this research work are compared with those of other works in the literature.

Basis for Comparison of Results
The works in the literature compared with this research operate under the same Android operating system and used either an ensemble learning approach or a hybridization technique. The dataset used to train and analyze the models is KDDCup'99 or its variant, the NSL-KDD dataset. The base models trained include KNN and SVM. They share the common intent of detecting malware using permissions, although some also used APIs. The analysis was done using cloud computing technology, although some papers used static analysis. However, while this work uses Adaboost (an ensemble boosting technique) to train the base models (KNN and SVM), the other works used Adaboost or the particle swarm optimization (PSO) algorithm.

Comparison of Results with that of other works in literature
Table 5 depicts a collection of papers whose results are compared with the values from this research work.

CONCLUSION
The efficiency rate of 91.4% and false positive rate of 0.024% will give users trust and confidence in transacting business over the internet (electronic commerce, or e-commerce). It will also instill confidence in the use of mobile devices to transact business and reduce queues in banking halls and the fear of business transactions being hijacked by middlemen (popularly called 'yahoo boys/girls' or 419 operators). This system will in no small way increase sales and usage of mobile devices, reduce the risk of theft, and reduce costs and accident rates, since most transactions can be carried out in the comfort of one's room.
This research work has contributed to knowledge in the following ways:
i. Designing and implementing an IDS application that detects anomalous applications in mobile devices using cloud computing technology.
ii. The application was tested for efficiency and scored 91.4% accuracy with an FPR as low as 0.024%.
iii. The work further demonstrated the use of ensemble learning to curb intrusion and to reduce the effect of malware sophistication compared with single classifiers.

Figure 1 :
Figure 1: Column chart illustrating the percentage of training and test datasets.

System Development Tools
The laptop system used to develop the program is made up of the following configuration:
i. Operating system: Windows 10, with 64-bit word length.
ii. CPU: Intel® Celeron® 1000M, 1.80 GHz.
iii. RAM: 4.00 GB; HDD: 500 GB; DVD drive, keyboard and mouse.
iv. Printer: HP LaserJet P2035.
v. Applications: Microsoft Office Suite ver. 16 (MS Word, Excel and PowerPoint).
The remaining SRS steps, continued from the System Requirements Specification, are:
x. Compute performance metrics such as accuracy, precision, recall, F-measure and false positive rate (FPR) with respect to the anomalous data types DOS, Probe, R2L and U2R.
xi. Compare the results of this research work with those of other works in the literature.
xii. Draw conclusions based on the results of the work, and suggest further work based on the limitations experienced in this research.

Figure 2 :
Figure 2: Screenshot of the mean and standard deviation of KNN and SVM. Similarly, in SVM, the linear values are varied and the mean of the aggregated (hard-vote) model is 91.4%. It is observed that as the models are trained and the weights of misclassified labels are updated, the standard deviation or bias also falls, as depicted in the std. of boosted SVM (2.7%) as against that of boosted KNN (3.4%).

Figure 3 :
Figure 3: Graphical representation of voting classification of KNN with hard voting

Figure 4 :
Figure 4: Box and whiskers plot of SVM voting classification.
Table 1 depicts the confusion matrix of the multiclass classification problem for boosted KNN with the following classes (labels): DOS, Probe, R2L and U2R. With this type of matrix, unlike the confusion matrix of a binary classification problem, parameters such as true positive (TP), true negative (TN), false negative (FN) and false positive (FP) do not apply directly (Markoulidakis et al., 2021; Grandini et al., 2020; Bhandari, 2020). Because of that, the classes are analyzed one by one, with the confusion matrix parameters TP, TN, FP and FN determined in each case. Then performance parameters such as accuracy, precision, recall, F1-score, etc. are computed using the appropriate formulae.

Table 2
Dynamic Analysis of Malware Intrusion in Mobile Devices using Adaboost Algorithm, KNN and SVM Base Classifiers. https://dx.doi.org/10.4314/WOJAST.v15i1.78. World Journal of Applied Science and Technology, Vol. 15 No. 1 (2023), 78-84.
Figure 6 depicts boosted SVM in terms of anomalous types. Please note that the Normal class was allowed to terminate, as our interest is in the anomalous classes and how to control their effect on mobile devices. The second part of this research work handles the control part (the IRS, and how it selects the optimum countermeasure against each attack type).

Table 5 :
Comparing Results of This Research Work with Those of Other Works in the Literature