🤖 AI Summary
This study addresses the challenge of continuously verifying user-device context trustworthiness in mobile zero-trust environments by proposing a seamless, sensor-free continuous authentication method based on Android system logs. The approach parses log templates to extract semantic events and dynamic variables, employs a domain-adaptive BERT encoder, and integrates three expert models to capture network/device identity, battery state dynamics, and Wi-Fi topology characteristics. A confidence-weighted fusion of these experts yields a normality score that drives risk-aware access control. To the best of our knowledge, this is the first work to apply a multi-expert BERT architecture to semantic-level behavioral modeling of system logs without relying on additional sensors. Experimental results demonstrate effective detection of semantic, temporal, and topological anomalies under normal usage, injected attacks, and benign perturbations, achieving a false positive rate below 1%.
📝 Abstract
Continuous authentication for mobile and zero-trust systems requires nonintrusive evidence confirming the enrolled user-device context remains valid after initial login. This paper presents a BERT log analysis framework for continuous behavioral authentication using Android system logs. The proposed pipeline parses logcat streams into event templates and dynamic variables, pre-trains a domain-adapted BERT encoder on Android log syntax, and fine-tunes three expert models for network/device identity, battery-transition timing, and Wi-Fi topology. The expert confidence scores are fused through a log-space transformation and a 5-nearest-neighbor distance classifier to generate a normality score that is provided to a Policy Decision Point (PDP) for risk-aware access control. Experiments on normal traces, controlled anomaly injections, and benign Wi-Fi perturbations indicate that multi-expert BERT log analysis can detect semantic, battery-timing, and topology deviations in the evaluated setting while maintaining sub-1% False Positive Rate (FPR). The results suggest that Android system logs are a practical sensor-free signal for continuous authentication and user-device context assurance.