CR · Feb 23, 2021

SpotCheck: On-Device Anomaly Detection for Android

arXiv:2102.11773v2
AI Analysis

SpotCheck addresses the need for an additional protection layer against novel malware on mobile devices, which is an incremental improvement in security for Android users.

The authors tackled the problem of detecting previously unseen malware on Android devices by proposing SpotCheck, an on-device anomaly detector that samples app executions and uses Variational Autoencoders (VAE) to achieve effectiveness comparable to prior network anomaly detection methods.

In recent years, the PC has been replaced by mobile devices for many security-sensitive operations, both from a privacy and a financial standpoint. While security mechanisms are deployed at various levels, these are frequently put under strain by previously unseen malware. An additional protection layer capable of novelty detection is therefore needed. In this work, we propose SpotCheck, an anomaly detector intended to run on Android devices. It samples app executions and submits suspicious apps to more thorough processing by malware sandboxes. We compare Kernel Principal Component Analysis (KPCA) and Variational Autoencoders (VAE) on app execution representations based on the well-known system call traces, as well as a novel approach based on memory dumps. Results show that when using VAE, SpotCheck attains a level of effectiveness comparable to what has been previously achieved for network anomaly detection. Interestingly, this is also true for the memory dump approach, relinquishing the need for continuous app monitoring.

Code Implementations: 1 repo