166 J Intell Inf Syst (2012) 38:161–190
gathered data can be used for anomaly detection methods in order to distinguish
between normal and abnormal behavior; however, Schmidt et al. (2008) demonstrated
the ability to differentiate applications using the collected features, and the
framework was not tested for detecting abnormal behavior (i.e., malicious behavior).
Additionally, the processing of the collected data was performed on a remote server,
whereas in this paper we attempt to understand the feasibility of applying the
detection on the device. Schmidt et al. (2008) focus on monitoring events at the
kernel; that is, identifying critical kernel, log file, file system and network activity
events, and devising efficient mechanisms to monitor them in a resource-limited
environment. They demonstrated their framework on static function call analysis and
performed a statistical analysis on the function calls used by various applications.
An interesting behavioral detection framework is proposed in Bose et al. (2008)
to detect mobile worms, viruses and Trojans. The method employs a temporal
logic approach to detect malicious activity over time. An efficient representation of
malware behaviors is proposed based on a key observation that the logical ordering
of an application’s actions over time often reveals malicious intent even when each
action alone may appear harmless. The ability of this framework to detect new types
of malware is still dubious as it requires a process of specifying temporal patterns for
the malicious activities.
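To make the key observation of the previous paragraph concrete, the following added example (written for this edit, not code from Bose et al. 2008 or from this paper) implements a minimal ordered-sequence matcher: a pattern lists actions that must occur in a given order within a time window, and a trace is flagged only when the whole chain appears. The action names, the pattern and the traces are constructed for the illustration; the detector's limitation noted above is visible in the code, since every chain it can recognize has to be written down as a pattern first.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Event:
    """One monitored action; `t` is seconds since the start of the trace."""
    t: float
    action: str


@dataclass(frozen=True)
class TemporalPattern:
    """Actions that must occur in this order within `window` seconds of the first."""
    name: str
    steps: Tuple[str, ...]
    window: float


def match_pattern(trace: Sequence[Event], pattern: TemporalPattern) -> Optional[Tuple[Event, ...]]:
    """Return the events realising `pattern` in order, or None if the trace never
    contains the full ordered chain inside the time window. Unrelated events
    between the steps are ignored; steps occurring out of order do not count."""
    for i, start in enumerate(trace):
        if start.action != pattern.steps[0]:
            continue
        if len(pattern.steps) == 1:
            return (start,)
        matched = [start]
        step = 1
        for ev in trace[i + 1:]:
            if ev.t - start.t > pattern.window:
                break  # window expired for this starting point; try a later one
            if ev.action == pattern.steps[step]:
                matched.append(ev)
                step += 1
                if step == len(pattern.steps):
                    return tuple(matched)
    return None


def detect(trace: Sequence[Event], patterns: Sequence[TemporalPattern]) -> List[str]:
    """Names of all patterns whose ordered chain appears in the trace."""
    return [p.name for p in patterns if match_pattern(trace, p) is not None]


# Constructed pattern: each step on its own is a normal action of many
# legitimate apps; only the ordered chain inside a short window is flagged.
PATTERNS = [
    TemporalPattern("contacts_then_upload",
                    ("read_contacts", "open_socket", "send_data"), window=60.0),
]

# Constructed traces (not real device data).
BENIGN_TRACE = [  # contacts read, then an unrelated network sync minutes later
    Event(0.0, "read_contacts"), Event(5.0, "render_ui"),
    Event(400.0, "open_socket"), Event(402.0, "send_data"),
]
SUSPICIOUS_TRACE = [  # the same actions, chained within seconds
    Event(0.0, "render_ui"), Event(2.0, "read_contacts"), Event(3.0, "render_ui"),
    Event(10.0, "open_socket"), Event(12.0, "send_data"),
]
WRONG_ORDER_TRACE = [  # all steps present, but not in the specified order
    Event(0.0, "read_contacts"), Event(1.0, "send_data"), Event(2.0, "open_socket"),
]

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_TRACE), ("suspicious", SUSPICIOUS_TRACE),
                        ("wrong order", WRONG_ORDER_TRACE)]:
        print(f"{name}: {detect(trace, PATTERNS)}")
```

The matcher restarts from every occurrence of the first step, so a benign early occurrence does not hide a later chain, and the window is anchored to that first step, which is what lets the same three actions be benign in one trace and suspicious in another.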
Special efforts were invested in research pertaining to Intrusion Detection Systems
(IDS) that analyze generic battery power consumption patterns to block Distributed
Denial of Service (DDoS) attacks or to detect malicious activity via power depletion.
For example, Kim et al. (2008) present a power-aware malware-detection framework
that monitors, detects, and analyzes previously unknown energy-depletion threats.
Buennemeyer et al. (2008) introduced capabilities developed for a Battery-Sensing
Intrusion Protection System (B-SIPS) for mobile computers, which alerts when
abnormal current changes are detected. Nash et al. (2005) presented a design for
an intrusion detection system that focuses on the performance, energy, and memory
constraints of mobile computing devices. Jacoby and Davis (2004) presented a host-based
Battery-Based Intrusion Detection System (B-BID) as a means of improving mobile
device security. The basic idea is that monitoring the device’s electrical current and
evaluating its correlation with known signatures and patterns can facilitate attack
detection and even identification.
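The two ingredients of the battery-based approaches above, flagging abnormal current changes (B-SIPS) and correlating a flagged window with known signatures (B-BID), can be sketched in a few lines. The following is an added example for this edit, not code from any of the cited systems or from this paper: an idle-current baseline gives a mean and standard deviation, fixed-size windows of new samples are flagged when their mean drifts more than a chosen number of standard deviations from that baseline, and a flagged window is compared against a small signature library by Pearson correlation. The current values (in mA), the window size, the 3-sigma threshold and the signature shapes are constructed assumptions.

```python
import math
import statistics
from typing import Dict, List, Optional, Sequence


def baseline_profile(idle_samples: Sequence[float]) -> Dict[str, float]:
    """Mean and population standard deviation of current draw (mA) while idle."""
    stdev = statistics.pstdev(idle_samples)
    if stdev == 0:
        raise ValueError("baseline has no variance; collect a longer idle trace")
    return {"mean": statistics.fmean(idle_samples), "stdev": stdev}


def flag_windows(samples: Sequence[float], baseline: Dict[str, float],
                 window: int = 5, threshold: float = 3.0) -> List[int]:
    """Start indices of non-overlapping windows whose mean current deviates
    from the idle baseline by more than `threshold` standard deviations."""
    flagged = []
    for i in range(0, len(samples) - window + 1, window):
        z = (statistics.fmean(samples[i:i + window]) - baseline["mean"]) / baseline["stdev"]
        if abs(z) > threshold:
            flagged.append(i)
    return flagged


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    mx, my = statistics.fmean(x), statistics.fmean(y)
    num = sum((a - mx) * (b - my) for a, b in zip(x, y))
    den = math.sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))
    return num / den if den else 0.0


def best_signature(window_samples: Sequence[float], signatures: Dict[str, Sequence[float]],
                   min_corr: float = 0.9) -> Optional[str]:
    """Name of the known signature whose shape best matches the window,
    or None when no signature correlates above `min_corr`."""
    best, best_r = None, min_corr
    for name, sig in signatures.items():
        r = pearson(window_samples, sig)
        if r > best_r:
            best, best_r = name, r
    return best


# Constructed data (mA); not measurements from a real device.
IDLE_BASELINE = [10.0, 12.0, 10.0, 12.0, 10.0, 12.0, 10.0, 12.0]   # mean 11, stdev 1
OBSERVED = [10, 12, 11, 10, 12,      # normal
            11, 10, 12, 11, 10,      # normal
            40, 42, 41, 43, 40,      # sustained elevated draw
            11, 12, 10, 11, 12]      # back to normal
SIGNATURES = {                        # constructed shapes a known pattern might have
    "sustained_draw": [40, 42, 41, 43, 40],
    "periodic_spike": [40, 10, 40, 10, 40],
}

if __name__ == "__main__":
    base = baseline_profile(IDLE_BASELINE)
    for start in flag_windows(OBSERVED, base):
        w = OBSERVED[start:start + 5]
        print(f"window at {start}: {w} -> {best_signature(w, SIGNATURES)}")
```

Comparing window means rather than single samples keeps brief, legitimate spikes (a screen wake, a radio handshake) from raising alerts, at the cost of a delay of one window before a sustained change is noticed; the trade-off between the window length and the threshold is the same resource-versus-sensitivity question the cited papers examine on constrained devices.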
Miettinen et al. (2006) claim that host-based approaches are required, since
network-based monitoring alone is not sufficient to counter future threats.
They adopt a hybrid network/host-based approach. A correlation engine on the
back-end server filters the received alarms according to correlation rules in its
knowledge base and forwards the correlation results to a security-monitoring GUI
to be analyzed by security-monitoring administrators. Hwang et al. (2009) evaluated
the effectiveness of Keystroke Dynamics-based Authentication (KDA) on mobile
devices. Their empirical evaluation focused on short PINs (four digits), and
the proposed method yielded a 4% misclassification rate.
All in all, the aforementioned frameworks and systems proved valuable in protecting
mobile devices in general; however, they do not leverage Android’s capabilities
to their full extent. Since Android is an open-source and extensible platform, it
allows extracting as many features as we would like. This enables richer
detection capabilities, not relying merely on the standard call records (Emm 2006),