Abstract

In most cases, Android runs in a battery-driven, low-power, connected, embedded real-time environment. New malware attacks targeting Android embedded devices are reported every day, because existing Android malware detection engines are not resilient to zero-day attacks. To handle zero-day attacks, machine learning based malware detection engines must be re-trained with newly reported malware and benign samples. This re-training is very expensive in terms of CPU and memory, and re-training on embedded devices is especially challenging because of their hardware, memory, and energy constraints. In these scenarios, a lightweight, resilient, incremental learning based dynamic Android malware detection mechanism is becoming mandatory. Very little evidence of such a mechanism is found in the related literature: most existing incremental learning approaches have not demonstrated their experiments in a real device environment and have not worked with benchmarked real-device dynamic analysis datasets. In this work, we select the latest KronoDroid Android dynamic hybrid dataset and propose an efficient incremental learning based Android malware detection mechanism using the linear incremental algorithm. We incrementally trained our mechanism in a real-device Android environment and demonstrated consistent performance while preserving resilience. In our evaluation within an on-device Android environment, the mechanism achieved a highest incremental accuracy of 97.94%, a lowest training time of 0.5 seconds, and a lowest detection time of 0.04 seconds, with the smallest model size of 456 bytes. To the best of our knowledge, this is the first work that demonstrates the incremental learning and resilience scenario using a benchmarked Android real-device dynamic dataset while keeping the lowest computational complexity and consistent performance.
