Why an Android App is Classified as Malware? Towards Malware Classification Interpretation
by
Bozhi Wu, Sen Chen, Cuiyun Gao, Lingling Fan, Yang Liu, Weiping Wen, Michael Lyu
2020
Abstract
The machine learning (ML) based approach is considered one of the most
promising techniques for Android malware detection and has achieved high
accuracy by leveraging commonly-used features. In practice, most of the ML
classifications only provide a binary label to mobile users and app security
analysts. However, stakeholders are more interested in the reason why apps are
classified as malicious in both academia and industry. This belongs to the
research area of interpretable ML but in a specific research domain (i.e.,
mobile malware detection). Although several interpretable ML methods have been
exhibited to explain the final classification results in many cutting-edge
Artificial Intelligence (AI) based research fields, till now, there is no study
interpreting why an app is classified as malware or unveiling the
domain-specific challenges.
In this paper, to fill this gap, we propose a novel and interpretable
ML-based approach (named XMal) to classify malware with high accuracy and
explain the classification result meanwhile. (1) The first classification phase
of XMal hinges on a multi-layer perceptron (MLP) and an attention mechanism, and also
pinpoints the key features most related to the classification result. (2) The
second interpreting phase aims at automatically producing neural language
descriptions to interpret the core malicious behaviors within apps. We evaluate
the behavior description results by comparing with the existing interpretable
ML-based methods (i.e., Drebin and LIME) to demonstrate the effectiveness of
XMal. We find that XMal is able to reveal the malicious behaviors more
accurately. Additionally, our experiments show that XMal can also interpret the
reason why some samples are misclassified by ML classifiers. Our study peeks
into the interpretable ML through the research of Android malware detection and
analysis.
arXiv: 2004.11516v1