- The paper proposes a multi-expert BERT framework that fuses identity, battery, and Wi-Fi log modalities to deliver continuous, sensor-free authentication.
- It employs domain-adapted log parsing and specialized BERT models per channel, achieving high accuracy with sub-1% false positives in anomaly detection.
- Empirical results showcase near-perfect recall under resource-exhaustion and spatial shift attacks, underscoring its potential for zero-trust access control.
Continuous Behavioral Authentication via Multi-Expert BERT Log Analysis for Secure Data Sharing
Overview and Motivation
This work introduces a domain-adapted, multi-expert BERT-based framework for continuous user-device behavioral authentication in Android environments via the direct analysis of system logs. The core hypothesis is that, unlike traditional static authentication or physical biometrics, the sequential behavioral patterns embedded in Android logs—encompassing device-network interactions, battery usage rhythms, and Wi-Fi environment topologies—offer a robust, sensor-free signal for ongoing authentication and zero-trust access control. Existing methods predominantly utilize discrete behavioral features or server-side log analytics, missing the joint behavioral semantics encoded at the OS-log level. By fusing multi-modal signals with expert BERT models, this framework seeks to provide a low-latency continuous trust score suitable for fine-grained, risk-adaptive access management.
Architecture and Methodology
The proposed pipeline is structured into four main phases:
- Domain-adapted Log Parsing: A modified Drain parser with domain-specific regular expressions processes raw Android logcat data, decomposing log entries into stable event templates and dynamic variables. This parsing process enables the extraction of log event structures critical for subsequent semantic understanding.
- Multi-Modal Feature Engineering: Parsed logs are distributed across three specialized channels—Identity, Battery, and Wi-Fi—each reflecting independent behavioral modalities. Features are carefully engineered to maximize the discriminative power of sequential device usage dynamics, charger and battery level transitions, and spatial Wi-Fi topology observations.
- Multi-Expert BERT Modeling: Each channel uses a BERT-base encoder, pre-trained on masked placeholder prediction to internalize log syntax, and subsequently fine-tuned:
- The Identity Expert predicts masked dynamic variable values (e.g., MACs, IPs, SSIDs) in log templates, leveraging augmented token vocabularies for device- and network-identity parameters.
- The Battery Expert detects anomalies in temporal battery transition behaviors, modeling transitions across discrete operational modes and temporal classes derived from K-Means clustering.
- The Wi-Fi Topology Expert jointly reconstructs SSIDs (categorical) and signal strengths (ordinal) using a dual-head loss, enabling sensitivity to spatial environmental shifts.
- Fusion and Decision Layer: Scalar confidence scores from the experts are fused via a log-space transformation and Z-score standardization, producing a three-dimensional vector embedding the joint behavioral state. A 5-nearest-neighbor classifier, trained solely on clean data, delineates the boundary of “normal” behavior in this transformed space. Anomalous behaviors are detected as deviations from this learned manifold, with scores relayed to a Policy Decision Point (PDP) for risk-aware access decisions.
Numerical Results and Empirical Observations
The paper reports extensive evaluation of each expert and the full pipeline under both normal operations and controlled anomaly scenarios. Key results include:
- Identity Expert: Achieved top-1 accuracy of 99.07% and high contextual robustness; ablation studies confirm that the sequence and memory context are critical, with performance dropping sharply in their absence. The model demonstrates effective low-confidence rejection for OOV tokens and detects value-template inconsistencies with confidence scores falling from 98% to near 10% as the inconsistency rate increases.
- Battery Expert: On normal traces, DRAIN events nearly exclusively fall in the TS_MID temporal class (91.26%), with rapid discharge (TS_INSTANT) absent. Under resource-exhaustion attacks, DRAIN events shift to TS_INSTANT/TS_SHORT (100%), which are strongly detected as outliers. The expert achieves 100% recall with zero false positives on these events.
- Wi-Fi Topology Expert: The dual-head model demonstrates sub-1% confidence for completely unknown environments, ~97% confidence when faced with benign access point loss, and 71–82% under signal fluctuations or significant spatial position changes, indicating both sensitivity and robustness.
- End-to-End Fusion: Across over 2,000 normal log entries, the system maintains a sub-1% FPR (0.59%). Controlled injects of anomalies (identity OOV, battery timing, Wi-Fi topology shifts) are flagged with zero missed detections (FNR = 0). The nearest-neighbor classifier boundary is responsible for the occasional benign false positives, rather than the expert models themselves.
Theoretical and Practical Implications
This framework addresses a notable gap at the intersection of continuous authentication and advanced log analytics. By directly modeling the semantics and relative timing of behavioral log streams across orthogonal device contexts, the approach moves beyond traditional discrete-feature CA and server-centric anomaly detectors that lack user binding or operate on a single modality. Its design is especially relevant for zero-trust architectures, as it outputs a dynamic confidence score consumable by PDPs for risk-sensitive access control.
Sensorless operation—relying purely on system logs—enables device-native deployment with minimal user impact and without the privacy implications of capturing direct physiological or biometric data. The architecture’s modularity also allows for future expansion to include more behavioral modalities or adaptation to long-term drift and multi-user/device scenarios.
Future Directions
The study suggests several avenues for further research:
- Vocabulary Adaptation and Drift Management: As device environments and user habits evolve, dynamic updating of the vocabulary and handling of statistical drift will be required for long-term reliability.
- Generalization Across Users and Devices: Larger-scale multi-user validation is needed to explore inter-user discriminability and the vulnerability to targeted behavioral mimicry.
- Integration of Additional Behavioral Channels: Expansion to include app usage, touchscreen dynamics, or process-level sequences can further increase the expressiveness and resilience against adversarial behaviors.
- Lightweight and On-Device Inference: Optimization and benchmarking on constrained environments will facilitate broader deployment in practical real-world and edge scenarios.
Conclusion
This paper demonstrates that continuous behavioral authentication using multi-expert BERT analysis of Android system logs is feasible and effective. By capturing and modeling behavioral regularities in identity, power consumption, and Wi-Fi topology signals, the framework provides a robust, sensor-free mechanism for ongoing device assurance with strong detection of semantic and contextual anomalies, all while maintaining user transparency and sub-1% false positive rates. This work lays groundwork for adaptive, device-native authentication integrated into future mobile and zero-trust data-sharing systems.
For further technical details, see "Continuous Behavioral Authentication via Multi-Expert BERT Log Analysis for Secure Data Sharing" (2606.21900).