Malware Anomaly Detection on Virtual Assistants
Ni An, A. Duff, Mahshid Noorani, S. Weber, S. Mancoridis
2018 13th International Conference on Malicious and Unwanted Software (MALWARE), published 2018-10-01
DOI: 10.1109/MALWARE.2018.8659366 (https://doi.org/10.1109/MALWARE.2018.8659366)
Citations: 9
Abstract
This work explores the application of anomaly detection techniques, specifically one-class support vector machine (SVM) and online change-point detection, to construct a model that can distinguish, in real time, between the normal operation of an Amazon Alexa Virtual Assistant IoT device and anomalous operation due to malware infections. Despite the current absence of widespread malware for IoT devices, the anticipated rapid growth in deployment and use of IoT devices will likely attract many different malware attacks in the near future. Because of their highly specialized and, hence, predictable expected behavior, malware detection on IoT devices is not difficult given large training sets, long testing vectors, and extensive computational power. The challenge we address in this paper is to ascertain how quickly malware may be detected, i.e., the distribution on the number of system calls before a suitably high confidence decision may be made.