Detecting anomalously behaving devices in security-and-safety-critical applications is an important challenge. This paper presents an off-device methodology for detecting the anomalous behavior of devices considering their power consumption data. The methodology takes advantage of the fact that every action on-board a device will be reflected in its power trace. This argument makes it inevitable for anomalously behaving device to go undetected. We transform the device’s 1-D instantaneous power consumption signals to 2-D time-frequency images using Constant Q Transformation (CQT). The CQT images capture valuable information about the tasks performed on-board a device. By applying Histograms of Oriented Gradients (HOG) on the CQT images, we extract robust features that preserve the edges of time-frequency structures and capture the directionality of the edge information. Consequently, we transform the anomaly detection problem into an image classification problem. We train a Convolutional Neural Network on the HOG images to classify the power signals to detect anomaly. We validated the methodology using a wide spectrum of emulated malware scenarios, five real malware applications from the well-known Drebin dataset, DDOS attacks, cryptomining malware, and faulty CPU cores. Across 18 datasets, our methodology demonstrated detection performance of ∼ 88% accuracy and 85% F-Score, resulting in improvements of 9% - 17% over other methods using power signals.
Detecting anomalous behavior on smartphones is challenging since malware evolution. Other methodologies detect malicious behavior by analyzing static features of the application code or dynamic data samples obtained from hardware or software. Static analysis is prone to code's obfuscation while dynamic needs that malicious activities to cease to be dormant in the shortest possible time while data samples are collected. Triggering and capturing malicious behavior in data samples in dynamic analysis is challenging since we need to generate an efficient combination of user's inputs to trigger these malicious activities. We propose a general model which uses a data collector and analyzer to unveil malicious behavior by analyzing the device's power consumption since this summarizes the changes in software. The data collector uses an automated tool to generate user inputs. The data analyzer uses changepoint analysis to extract features from power consumption and machine learning techniques to train these features. The data analyzer stage contains two methodologies that extract features using parametric and non-parametric changepoint. Our methodologies are efficient in data collection time than a manual method and the data analyzer provides higher accuracy compared to other techniques, reaching over 94% F1-measure for emulated and real malware.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.