ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development, 2021, Vol. 58, Issue (11): 2456-2474. doi: 10.7544/issn1000-1239.2021.20210560

Special Issue: 2021 Special Topic on Cryptography and Cyberspace Security Governance


InterDroid: An Interpretable Android Malware Detection Method for Conceptual Drift

Zhang Bing1,2, Wen Zheng1,2, Wei Xiaoyu3, Ren Jiadong1,2   

  1. School of Information Science and Engineering, Yanshan University, Qinhuangdao, Hebei 066004
  2. Key Laboratory of Software Engineering of Hebei Province (Yanshan University), Qinhuangdao, Hebei 066004
  3. China Wuzhou Engineering Group, Beijing 100053
  • Online:2021-11-01
  • Supported by: 
    This work was supported by the National Natural Science Foundation of China (61802332, 61807028, 61772449) and the Doctoral Foundation Program of Yanshan University (BL18012).

Abstract: Android malware detection suffers from three problems: highly subjective feature definition, poorly interpretable feature selection, and temporal instability in the detection accuracy of trained models. To address them, an interpretable Android malware detection method for concept drift, called InterDroid, is proposed. First, four feature types for the detection model (permissions, API package names, intents, and Dalvik bytecode) are inferred from high-quality manual Android malware analysis reports. The training and comparison algorithms for InterDroid are then obtained with the automated machine learning tool TPOT (tree-based pipeline optimization tool), which avoids the complicated model selection and parameter tuning of traditional methods. Next, the traditional feature wrapper method is improved by integrating the model interpretation algorithm SHAP (Shapley additive explanations), yielding a feature set that contributes strongly to the classification results and is used to train the detection model. Finally, the existence of concept drift in Android malware detection is demonstrated by two tests, the MWU (Mann-Whitney U) test and a machine learning model, and JDA (joint distribution adaptation) is used to improve the detection model's accuracy on new-era Android malware. The experimental results show that the features screened by InterDroid are stable and interpretable, and that the feature-representation transfer module in InterDroid improves detection accuracy on Android malware from 2019 and 2020 by 46% and 44%, respectively.

Key words: Android malware detection, interpretability, concept drift, feature-representation transfer, automated machine learning
