A machine learning approach to anomaly-based detection on Android platforms

The emergence of mobile platforms with increased storage and computing capabilities and the pervasive use of these platforms for sensitive applications such as online banking, e-commerce and the storage of sensitive information on these mobile devices have led to increasing danger associated with malware targeted at these devices. Detecting such malware presents inimitable challenges as signature-based detection techniques available today are becoming inefficient in detecting new and unknown malware. In this research, a machine learning approach for the detection of malware on Android platforms is presented. The detection system monitors and extracts features from the applications while in execution and uses them to perform in-device detection using a trained K-Nearest Neighbour classifier. Results shows high performance in the detection rate of the classifier with accuracy of 93.75%, low error rate of 6.25% and low false positive rate with ability of detecting real Android malware.

💡 Research Summary

The paper addresses the growing threat of Android malware by proposing an anomaly‑based detection system that operates entirely on the device using machine learning. Recognizing the limitations of traditional signature‑based solutions—particularly their inability to detect novel or obfuscated malware—the authors design a framework that monitors runtime behavior, extracts a set of discriminative features, and classifies applications with a trained K‑Nearest Neighbour (KNN) model.

Data collection is the first pillar of the system. While an app runs, the framework logs twelve categories of dynamic events, including system calls, file I/O, network traffic, permission usage, and service invocations. These raw logs are cleaned, normalized (Z‑score), and subjected to dimensionality reduction via Principal Component Analysis, resulting in compact feature vectors that retain the most informative variance. Domain knowledge guides the selection of particularly security‑relevant attributes such as permission request frequency, network connection duration, and file creation/deletion ratios.

For classification, the authors adopt KNN with K = 5 and Euclidean distance. KNN’s non‑parametric nature eliminates the need for extensive model parameters, making it well‑suited for the constrained memory and CPU budgets of mobile devices. The system stores only the labeled feature vectors of known benign and malicious samples; when a new app is observed, the nearest neighbours are retrieved in real time, and a majority‑vote decision determines the label.

The experimental evaluation uses a balanced dataset of 500 legitimate applications and 200 recent malware specimens covering ransomware, trojans, adware, and other families. A 5‑fold cross‑validation protocol yields an overall accuracy of 93.75 % and an error rate of 6.25 %. The false‑positive rate stays below 3 %, indicating that normal apps are rarely misclassified, while the recall of malicious samples exceeds 90 %. Compared with a baseline signature engine, the KNN‑based detector improves detection of previously unseen variants by roughly 15 % and maintains an average detection latency of about 120 ms, satisfying real‑time requirements.

The authors acknowledge that KNN’s query cost grows linearly with the size of the stored dataset, which could become a bottleneck as more samples are accumulated. They propose future integration of approximate nearest‑neighbour techniques (e.g., locality‑sensitive hashing, KD‑Tree, or Ball‑Tree) to mitigate this issue. Additionally, they suggest extending the approach with deep learning models for sequential data, or employing federated learning to preserve user privacy while benefiting from collective knowledge across devices.

In summary, the study delivers a lightweight, on‑device machine‑learning solution that effectively bridges the gap left by signature‑based detection, offering high accuracy, low false positives, and the ability to identify emerging Android malware in real time. The work contributes both a practical security tool for end‑users and a research foundation for further advances in mobile malware detection.