DOI: 10.1145/3433174.3433591
Short paper

SpotCheck: On-Device Anomaly Detection for Android

Published: 01 February 2021

Abstract

In recent years the PC has been replaced by mobile devices for many security-sensitive operations, both from a privacy and a financial standpoint. While security mechanisms are deployed at various levels, these are frequently put under strain by previously unseen malware. An additional protection layer capable of novelty detection is therefore needed. In this work we propose SpotCheck, an anomaly detector intended to run on Android devices. It samples app executions and submits suspicious apps to more thorough processing by malware sandboxes. We compare Kernel Principal Component Analysis (KPCA) and Variational Autoencoders (VAE) on app execution representations based on the well-known system call traces, as well as a novel approach based on memory dumps. Results show that when using VAE, SpotCheck attains a level of effectiveness comparable to what has been previously achieved for network anomaly detection. Interestingly, this is also true for the memory dump approach, relinquishing the need for continuous app monitoring.
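The abstract describes the SpotCheck pipeline only at a high level: learn what benign app executions look like from sampled system-call traces, score a fresh execution by how badly the learned model reconstructs it, and hand anything above a threshold to a sandbox. The following is an added illustration written for this page, not code from the SpotCheck authors. It stands in linear PCA (power iteration, pure Python) for the KPCA and VAE models the paper compares, represents a trace as normalised unigram and bigram frequencies of syscall names with one extra bucket for syscalls never seen in benign training, and sets the threshold at three times the worst reconstruction error observed on benign training runs. The benign app, its syscall pattern, the suspicious trace and the threshold rule are all constructed assumptions.

```python
"""Reconstruction-error novelty detection over system-call traces (pure Python).

Added example for this page, not SpotCheck code. Linear PCA stands in for the
KPCA/VAE detectors the paper evaluates; the traces are constructed.
"""
import math
import random
from collections import Counter


def ngram_counts(trace):
    """Unigram and bigram counts of a syscall name sequence (bigrams as 'a>b')."""
    counts = Counter(trace)
    counts.update(a + ">" + b for a, b in zip(trace, trace[1:]))
    return counts


class ReconstructionDetector:
    """PCA over benign trace features; score = squared reconstruction error."""

    def __init__(self, n_components=2, margin=3.0):
        self.k = n_components
        self.margin = margin          # threshold = margin * worst benign training error
        self.vocab, self.vocab_set = [], set()
        self.mean, self.components = [], []
        self.threshold = 0.0

    def _features(self, trace):
        """Frequency vector over the benign vocabulary plus an '<unk>' bucket."""
        counts = ngram_counts(trace)
        total = max(sum(counts.values()), 1)
        vec = [counts.get(tok, 0) / total for tok in self.vocab]
        unseen = sum(c for tok, c in counts.items() if tok not in self.vocab_set)
        return vec + [unseen / total]

    def fit(self, traces):
        seen = set()
        for t in traces:
            seen.update(ngram_counts(t))
        self.vocab, self.vocab_set = sorted(seen), seen
        rows = [self._features(t) for t in traces]
        n, d = len(rows), len(rows[0])
        self.mean = [sum(r[j] for r in rows) / n for j in range(d)]
        centered = [[r[j] - self.mean[j] for j in range(d)] for r in rows]
        cov = [[sum(c[i] * c[j] for c in centered) / (n - 1) for j in range(d)]
               for i in range(d)]
        self.components = self._top_eigenvectors(cov, self.k)
        self.threshold = self.margin * max(self._residual(c) for c in centered)
        return self

    @staticmethod
    def _top_eigenvectors(m, k, iters=300):
        """Power iteration with Gram-Schmidt against found vectors; orthonormal result."""
        d, rng, comps = len(m), random.Random(0), []
        for _ in range(k):
            v = [rng.random() - 0.5 for _ in range(d)]
            for _ in range(iters):
                w = [sum(m[i][j] * v[j] for j in range(d)) for i in range(d)]
                for c in comps:                       # stay orthogonal to earlier components
                    dot = sum(wi * ci for wi, ci in zip(w, c))
                    w = [wi - dot * ci for wi, ci in zip(w, c)]
                norm = math.sqrt(sum(x * x for x in w))
                if norm < 1e-12:
                    return comps                      # no variance left to explain
                v = [x / norm for x in w]
            comps.append(v)
        return comps

    def _residual(self, centered):
        recon = [0.0] * len(centered)
        for c in self.components:
            proj = sum(x * y for x, y in zip(centered, c))
            recon = [r + proj * y for r, y in zip(recon, c)]
        return sum((x - r) ** 2 for x, r in zip(centered, recon))

    def score(self, trace):
        x = self._features(trace)
        return self._residual([a - b for a, b in zip(x, self.mean)])

    def is_anomalous(self, trace):
        return self.score(trace) > self.threshold


def sample_benign_trace(rng):
    """Constructed benign app: open a file, read it (sometimes write), close, wait."""
    trace = ["openat", "fstat"] + ["read"] * rng.randint(1, 3)
    if rng.random() < 0.5:
        trace.append("write")
    return trace + ["close"] + ["futex"] * rng.randint(1, 2) + ["epoll_pwait"]


def build_demo():
    """Train on 200 sampled benign runs; return detector and two constructed test traces."""
    rng = random.Random(42)
    det = ReconstructionDetector(n_components=2).fit(
        [sample_benign_trace(rng) for _ in range(200)])
    fresh_benign = ["openat", "fstat", "read", "read", "write", "close",
                    "futex", "futex", "epoll_pwait"]
    suspicious = ["openat", "fstat", "read", "close", "socket", "connect",
                  "sendto", "recvfrom", "chmod", "execve"]   # constructed, not a real sample
    return det, fresh_benign, suspicious


if __name__ == "__main__":
    det, fresh_benign, suspicious = build_demo()
    for name, t in (("fresh benign run", fresh_benign), ("suspicious run", suspicious)):
        print(f"{name}: score={det.score(t):.4f} threshold={det.threshold:.4f} "
              f"send_to_sandbox={det.is_anomalous(t)}")
```

Two points worth noticing when adapting this: the "<unk>" bucket does most of the work against genuinely novel behaviour (the suspicious trace spends over half of its n-grams on syscalls absent from benign training, so its reconstruction error is bounded below by roughly 0.4 while benign runs score orders of magnitude lower), and the threshold factor is the knob that trades sandbox load against misses, which is exactly the trade-off a sampling pre-filter like SpotCheck has to tune.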



Published In

SIN 2020: 13th International Conference on Security of Information and Networks
November 2020, 220 pages
ISBN: 9781450387514
DOI: 10.1145/3433174

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. Android malware
2. anomaly detection
3. kernel PCA
4. memory dump analysis
5. variational autoencoders

Qualifiers

• Short-paper
• Research
• Refereed limited


Acceptance Rates

Overall Acceptance Rate 102 of 289 submissions, 35%
