Hybrid Multilevel Detection of Mobile Devices Malware Under Concept Drift

Abstract

Malwares are a major threat to the security of mobile devices, and Machine Learn- ing (ML) is a widespread approach to automatically detect them. However, running ML analysis pipelines can be excessively burdensome for energy-constrained mobile devices. On the other hand, completely off-loading all the analysis to a remote server can introduce unacceptable communication overheads and delays in the detection process. In this paper, we propose a multilevel approach for malware detection on mobile devices that combines a lightweight local analysis of static features with a more computationally expensive remote analysis of dynamic features, through the adoption of ML methods. However, the effectiveness of automatic malware detec- tion systems based on ML is often limited by unforeseen variations in the statistical characteristics of the observed data. This phenomenon, known as concept drift, can lead to a degradation of the performance of ML models over time. The proposed malware detection system is equipped with self-evaluation capabilities, enabling it to detect the occurrence of periods when its predictions become unreliable due to concept drift so that appropriate response strategies can be activated. In particular, when such critical events occur, the self-evaluation agent triggers the execution of an additional layer of analysis, hosted by a remote server, which allows the system to react to the unexpected reduction in its detection capabilities. The computational cost of the detection process is minimized by limiting the remote analysis to only those samples for which the analysis performed on-board the mobile device is likely to incorrectly classify the app.