Papers
Topics
Authors
Recent
Search
2000 character limit reached

Continuous Behavioral Authentication via Multi-Expert BERT Log Analysis for Secure Data Sharing

Published 20 Jun 2026 in cs.CR and cs.LG | (2606.21900v1)

Abstract: Continuous authentication for mobile and zero-trust systems requires nonintrusive evidence confirming the enrolled user-device context remains valid after initial login. This paper presents a BERT log analysis framework for continuous behavioral authentication using Android system logs. The proposed pipeline parses logcat streams into event templates and dynamic variables, pre-trains a domain-adapted BERT encoder on Android log syntax, and fine-tunes three expert models for network/device identity, battery-transition timing, and Wi-Fi topology. The expert confidence scores are fused through a log-space transformation and a 5-nearest-neighbor distance classifier to generate a normality score that is provided to a Policy Decision Point (PDP) for risk-aware access control. Experiments on normal traces, controlled anomaly injections, and benign Wi-Fi perturbations indicate that multi-expert BERT log analysis can detect semantic, battery-timing, and topology deviations in the evaluated setting while maintaining sub-1% False Positive Rate (FPR). The results suggest that Android system logs are a practical sensor-free signal for continuous authentication and user-device context assurance.

Summary

  • The paper proposes a multi-expert BERT framework that fuses identity, battery, and Wi-Fi log modalities to deliver continuous, sensor-free authentication.
  • It employs domain-adapted log parsing and specialized BERT models per channel, achieving high accuracy with sub-1% false positives in anomaly detection.
  • Empirical results showcase near-perfect recall under resource-exhaustion and spatial shift attacks, underscoring its potential for zero-trust access control.

Continuous Behavioral Authentication via Multi-Expert BERT Log Analysis for Secure Data Sharing

Overview and Motivation

This work introduces a domain-adapted, multi-expert BERT-based framework for continuous user-device behavioral authentication in Android environments via the direct analysis of system logs. The core hypothesis is that, unlike traditional static authentication or physical biometrics, the sequential behavioral patterns embedded in Android logs—encompassing device-network interactions, battery usage rhythms, and Wi-Fi environment topologies—offer a robust, sensor-free signal for ongoing authentication and zero-trust access control. Existing methods predominantly utilize discrete behavioral features or server-side log analytics, missing the joint behavioral semantics encoded at the OS-log level. By fusing multi-modal signals with expert BERT models, this framework seeks to provide a low-latency continuous trust score suitable for fine-grained, risk-adaptive access management.

Architecture and Methodology

The proposed pipeline is structured into four main phases:

  1. Domain-adapted Log Parsing: A modified Drain parser with domain-specific regular expressions processes raw Android logcat data, decomposing log entries into stable event templates and dynamic variables. This parsing process enables the extraction of log event structures critical for subsequent semantic understanding.
  2. Multi-Modal Feature Engineering: Parsed logs are distributed across three specialized channels—Identity, Battery, and Wi-Fi—each reflecting independent behavioral modalities. Features are carefully engineered to maximize the discriminative power of sequential device usage dynamics, charger and battery level transitions, and spatial Wi-Fi topology observations.
  3. Multi-Expert BERT Modeling: Each channel uses a BERT-base encoder, pre-trained on masked placeholder prediction to internalize log syntax, and subsequently fine-tuned:
    • The Identity Expert predicts masked dynamic variable values (e.g., MACs, IPs, SSIDs) in log templates, leveraging augmented token vocabularies for device- and network-identity parameters.
    • The Battery Expert detects anomalies in temporal battery transition behaviors, modeling transitions across discrete operational modes and temporal classes derived from K-Means clustering.
    • The Wi-Fi Topology Expert jointly reconstructs SSIDs (categorical) and signal strengths (ordinal) using a dual-head loss, enabling sensitivity to spatial environmental shifts.
  4. Fusion and Decision Layer: Scalar confidence scores from the experts are fused via a log-space transformation and Z-score standardization, producing a three-dimensional vector embedding the joint behavioral state. A 5-nearest-neighbor classifier, trained solely on clean data, delineates the boundary of “normal” behavior in this transformed space. Anomalous behaviors are detected as deviations from this learned manifold, with scores relayed to a Policy Decision Point (PDP) for risk-aware access decisions.

Numerical Results and Empirical Observations

The paper reports extensive evaluation of each expert and the full pipeline under both normal operations and controlled anomaly scenarios. Key results include:

  • Identity Expert: Achieved top-1 accuracy of 99.07% and high contextual robustness; ablation studies confirm that the sequence and memory context are critical, with performance dropping sharply in their absence. The model demonstrates effective low-confidence rejection for OOV tokens and detects value-template inconsistencies with confidence scores falling from 98% to near 10% as the inconsistency rate increases.
  • Battery Expert: On normal traces, DRAIN events nearly exclusively fall in the TS_MID temporal class (91.26%), with rapid discharge (TS_INSTANT) absent. Under resource-exhaustion attacks, DRAIN events shift to TS_INSTANT/TS_SHORT (100%), which are strongly detected as outliers. The expert achieves 100% recall with zero false positives on these events.
  • Wi-Fi Topology Expert: The dual-head model demonstrates sub-1% confidence for completely unknown environments, ~97% confidence when faced with benign access point loss, and 71–82% under signal fluctuations or significant spatial position changes, indicating both sensitivity and robustness.
  • End-to-End Fusion: Across over 2,000 normal log entries, the system maintains a sub-1% FPR (0.59%). Controlled injects of anomalies (identity OOV, battery timing, Wi-Fi topology shifts) are flagged with zero missed detections (FNR = 0). The nearest-neighbor classifier boundary is responsible for the occasional benign false positives, rather than the expert models themselves.

Theoretical and Practical Implications

This framework addresses a notable gap at the intersection of continuous authentication and advanced log analytics. By directly modeling the semantics and relative timing of behavioral log streams across orthogonal device contexts, the approach moves beyond traditional discrete-feature CA and server-centric anomaly detectors that lack user binding or operate on a single modality. Its design is especially relevant for zero-trust architectures, as it outputs a dynamic confidence score consumable by PDPs for risk-sensitive access control.

Sensorless operation—relying purely on system logs—enables device-native deployment with minimal user impact and without the privacy implications of capturing direct physiological or biometric data. The architecture’s modularity also allows for future expansion to include more behavioral modalities or adaptation to long-term drift and multi-user/device scenarios.

Future Directions

The study suggests several avenues for further research:

  • Vocabulary Adaptation and Drift Management: As device environments and user habits evolve, dynamic updating of the vocabulary and handling of statistical drift will be required for long-term reliability.
  • Generalization Across Users and Devices: Larger-scale multi-user validation is needed to explore inter-user discriminability and the vulnerability to targeted behavioral mimicry.
  • Integration of Additional Behavioral Channels: Expansion to include app usage, touchscreen dynamics, or process-level sequences can further increase the expressiveness and resilience against adversarial behaviors.
  • Lightweight and On-Device Inference: Optimization and benchmarking on constrained environments will facilitate broader deployment in practical real-world and edge scenarios.

Conclusion

This paper demonstrates that continuous behavioral authentication using multi-expert BERT analysis of Android system logs is feasible and effective. By capturing and modeling behavioral regularities in identity, power consumption, and Wi-Fi topology signals, the framework provides a robust, sensor-free mechanism for ongoing device assurance with strong detection of semantic and contextual anomalies, all while maintaining user transparency and sub-1% false positive rates. This work lays groundwork for adaptive, device-native authentication integrated into future mobile and zero-trust data-sharing systems.

For further technical details, see "Continuous Behavioral Authentication via Multi-Expert BERT Log Analysis for Secure Data Sharing" (2606.21900).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.