Droidetec: Android Malware Detection and Malicious Code Localization through Deep Learning
Zhuo Ma, Haoran Ge, Zhuzhu Wang, Yang Liu, Ximeng Liu

TL;DR
Droidetec employs deep learning to detect Android malware and localize malicious code by modeling applications as behavior sequences, achieving high accuracy and effective code localization.
Contribution
It introduces a novel sequence-based approach using bi-directional LSTM for malware detection and malicious code localization in Android apps.
Findings
Accuracy of 97.22% in malware detection
F1-score of 98.21% for classification
91% hit rate in malicious code localization
Abstract
Android malware detection is a critical step towards building a security credible system. Especially, manual search for the potential malicious code has plagued program analysts for a long time. In this paper, we propose Droidetec, a deep learning based method for Android malware detection and malicious code localization, to model an application program as a natural language sequence. Droidetec adopts a novel feature extraction method to derive behavior sequences from Android applications. Based on that, the bi-directional Long Short Term Memory network is utilized for malware detection. Each unit in the extracted behavior sequence is inventively represented as a vector, which allows Droidetec to automatically analyze the semantics of sequence segments and eventually find out the malicious code. Experiments with 9616 malicious and 11982 benign programs show that Droidetec reaches an…
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Testing and Debugging Techniques · Network Security and Intrusion Detection
