Context-enhanced mobile device authorization and authentication.

Abstract

Mobile devices (e.g., smartphones and tablets) are pervasive today, continuously opening up immense opportunities for everyday users. Their burgeoning popularity, however, brings forth various security and privacy threats. One well-established threat is mobile malware (a form of insider attack): malicious apps that may surreptitiously misuse the sensitive resources and services available on the device. Other threats relate to unauthorized access to the device (outsider attacks) by a malicious entity in close physical proximity to the device, or having (temporary or permanent) physical possession of the device. The traditional defensive mechanisms, such as existing anti-virus software, distance-bounding protocols or passwords, are not sufficient to defeat these threats.

This dissertation work explores the notion of "context", a potentially unique signature of a benign usage scenario, to address insider-outsider attacks against mobile devices without undermining the overall usability of these devices. Our proposed defense system automatically detects the presence of a valid context using the information acquired by the device's many on-board sensors; the absence of such a context is indicative of malicious usage. Depending upon the application scenario, we elicit the context provided, explicitly or transparently, by the device user (e.g., a hand gesture or body movement), or captured from the device's ambient environmental attributes (e.g., audio, temperature or altitude). When applicable, we use machine learning techniques and sensor fusion approaches towards designing a highly robust contextual mobile security system.

To be specific, this dissertation work comprises four parts: (1) enhancing mobile app authorization using implicit/explicit context, (2) enhancing user authentication using transparent implicit context, (3) enhancing co-presence detection using environmental context, and (4) strengthening the contextual security adversarial models and evaluating the context detection systems against such strong models.

In the first part, we present the design, implementation and evaluation of our contextual security mechanisms to defeat mobile malware attacks against prominent phone resources/services, namely, phone calls, camera and NFC payments. We use explicit as well as implicit context to detect user-friendly explicit gestures or transparent gestures so as to ascertain whether the app requesting permission to a sensitive resource is legitimate (and not malicious). In the second part, we present the design, implementation and evaluation of schemes to authenticate users transparently in the case of mobile (NFC) payments and zero-interaction authentication systems. In the third part, we present the design, implementation and evaluation of our co-presence detection system using different environmental context to thwart outsider "relay attacks" against mobile zero-interaction authentication systems and mobile payment systems. In the fourth part, we stretch the limits of the contextual security threat model to incorporate adversaries who may be capable of actively manipulating the context or underlying sensor data (internally or externally). Further, we present our insights to defend against such strong adversaries.

Bibliographic record

  • Author

    Shrestha, Babins.

  • Author affiliation

    The University of Alabama at Birmingham.

  • Degree-granting institution: The University of Alabama at Birmingham.
  • Subject: Computer science.
  • Degree: Ph.D.
  • Year: 2016
  • Pages: 185 p.
  • Total pages: 185
  • Original format: PDF
  • Text language: eng