DetectBERT: Towards Full App-Level Representation Learning to Detect Android Malware

TL;DR

DetectBERT combines a BERT-like model with multiple instance learning to improve Android malware detection at the app level, capturing complex behaviors beyond static analysis methods.

Contribution

It introduces a novel framework that integrates DexBERT with correlated Multiple Instance Learning for effective app-level Android malware detection.

Findings

DetectBERT outperforms existing state-of-the-art methods.

It effectively handles high dimensionality and variability of malware features.

The framework shows adaptability to evolving malware threats.

Abstract

Recent advancements in ML and DL have significantly improved Android malware detection, yet many methodologies still rely on basic static analysis, bytecode, or function call graphs that often fail to capture complex malicious behaviors. DexBERT, a pre-trained BERT-like model tailored for Android representation learning, enriches class-level representations by analyzing Smali code extracted from APKs. However, its functionality is constrained by its inability to process multiple Smali classes simultaneously. This paper introduces DetectBERT, which integrates correlated Multiple Instance Learning (c-MIL) with DexBERT to handle the high dimensionality and variability of Android malware, enabling effective app-level detection. By treating class-level features as instances within MIL bags, DetectBERT aggregates these into a comprehensive app-level representation. Our evaluation demonstrates that DetectBERT not only surpasses existing state-of-the-art detection methods but also adapts to evolving malware threats. Moreover, the versatility of the DetectBERT framework holds promising potential for broader applications in app-level analysis and other software engineering tasks, offering new avenues for research and development.