Explaining the Effectiveness of Machine Learning in Malware Detection: Insights from Explainable AI

  • Hendrio Bragança UFAM
  • Vanderson Rocha UFAM
  • Eduardo Souto UFAM
  • Diego Kreutz UNIPAMPA
  • Eduardo Feitosa UFAM


We use Explainable Artificial Intelligence (XAI) to understand and assess the decisions made by ML models in Android malware detection. To evaluate malware detection, we conducted experiments using seven datasets. Our findings indicate that it is possible to accurately identify malware across multiple datasets. However, each dataset may have a different collection of features available. We also discuss the implications of incorporating expert-dependent features into the malware detection procedure. Such features have the potential to increase model accuracy by detecting minor indicators of harmful behaviour that automated algorithms may miss. However, because of the necessity for in-depth manual analysis, this strategy increases the resource and time requirements. It also risks adding human bias into the models and raises scaling issues in the continuously developing Android application landscape. Our results suggest that XAI techniques should be used to help malware analysis researchers understand how ML models work, rather than only concentrating on increasing accuracy.


Aboaoja, F. A., Zainal, A., Ghaleb, F. A., Al-rimy, B. A. S., Eisa, T. A. E., and Elnour, A. A. H. (2022). Malware detection issues, challenges, and future directions: A survey. Applied Sciences, 12(17):8482.

Alani, M. M. and Awad, A. I. (2022). Paired: An explainable lightweight android malware detection system. IEEE Access, 10:73214–73228.

Alikhademi, G., Richardson, B., Drobina, E., and Gilbert, J. E. (2018). Can explainable ai explain unfairness? a framework for evaluating explainable ai. arXiv preprint arXiv:1810.07339.

Bhat, P., Behal, S., and Dutta, K. (2023). A system call-based android malware detection approach with homogeneous & heterogeneous ensemble machine learning. Computers & Security, 130:103277.

Bragança, H., Rocha, V., Souto, E., Kreutz, D., and Feitosa, E. (2023). Capturing the behavior of android malware with mh-100k: A novel and multidimensional dataset. In XXIII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais. SBC.

Charmet, F., Tanuwidjaja, H. C., Ayoubi, S., Gimenez, P.-F., Han, Y., Jmila, H., Blanc, G., Takahashi, T., and Zhang, Z. (2022). Explainable artificial intelligence for cybersecurity: a literature survey. Annals of Telecommunications, pages 1–24.

Chen, T. and Guestrin, C. (2016). Xgboost: A scalable tree boosting system. In Proceedings of the 22nd acm sigkdd international conference on knowledge discovery and data mining, pages 785–794.

Colaco, C., Bagwe, M., Bose, S., and Jain, K. (2021). Defensedroid: A modern approach to android malware detection. Strad Research.

Devan, P. and Khare, N. (2020). An efficient xgboost–dnn-based classification model for network intrusion detection system. Neural Computing and Applications, 32:12499–12514.

Fan, M., Wei, W., Xie, X., Liu, Y., Guan, X., and Liu, T. (2020). Can we trust your explanations? sanity checks for interpreters in android malware analysis. IEEE Transactions on Information Forensics and Security, 16:838–853.

Guerra-Manzanares, A., Bahsi, H., and Nõmm, S. (2021). Kronodroid: time-based hybrid-featured dataset for effective android malware detection and characterization. Computers & Security, 110:102399.

Guo, W., Mu, D., Xu, J., Su, P., Wang, G., and Xing, X. (2018). Lemna: Explaining deep learning based security applications. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS ’18, page 364–379, New York, NY, USA. Association for Computing Machinery.

Kim, H., Lee, Y., Lee, E., and Lee, T. (2021). Cost-effective valuable data detection based on the reliability of artificial intelligence. IEEE Access, 9:108959–108974.

Kinkead, M., Millar, S., McLaughlin, N., and O’Kane, P. (2021). Towards explainable cnns for android malware detection. Procedia Computer Science, 184:959–965.

Kouliaridis, V., Barmpatsalou, K., Kambourakis, G., and Chen, S. (2020). A survey on mobile malware detection techniques. IEICE Transactions on Information and Systems, 103(2):204–211.

Liu, K., Xu, S., Xu, G., Zhang, M., Sun, D., and Liu, H. (2020). A review of android malware detection approaches based on machine learning. IEEE Access, 8:124579–124607.

Lundberg, S. M. and Lee, S.-I. (2017). A unified approach to interpreting model predictions. Advances in neural information processing systems, 30.

Martín, A., Calleja, A., Menéndez, H. D., Tapiador, J., and Camacho, D. (2016). Adroit: Android malware detection using meta-information. In 2016 IEEE Symposium Series on Computational Intelligence (SSCI), pages 1–8. IEEE.

Mathews, S. M. (2019). Explainable artificial intelligence applications in nlp, biomedical, and malware classification: a literature review. In Intelligent Computing: Proceedings of the 2019 Computing Conference, Volume 2, pages 1269–1292. Springer.

Melis, M., Scalas, M., Demontis, A., Maiorca, D., Biggio, B., Giacinto, G., and Roli, F. (2022). Do gradient-based explanations tell anything about adversarial robustness to android malware? International journal of machine learning and cybernetics, pages 1–16.

Mendes, C. and Rios, T. N. (2023). Explainable artificial intelligence and cybersecurity: A systematic literature review. arXiv preprint arXiv:2303.01259.

Miranda, T. C., Gimenez, P.-F., Lalande, J.-F., Tong, V. V. T., and Wilke, P. (2022). Debiasing android malware datasets: How can i trust your results if your dataset is biased? IEEE Transactions on Information Forensics and Security, 17:2182–2197.

Muzaffar, A., Hassen, H. R., Lones, M. A., and Zantout, H. (2022). An in-depth review of machine learning based android malware detection. Computers & Security, page 102833.

Nellaivadivelu, G., Di Troia, F., and Stamp, M. (2020). Black box analysis of android malware detectors. Array, 6:100022.

Odusami, M., Abayomi-Alli, O., Misra, S., Shobayo, O., Damasevicius, R., and Maskeliunas, R. (2018). Android malware detection: A survey. In 1st ICAI, pages 255–266. Springer.

Palša, J., Ádám, N., Hurtuk, J., Chovancová, E., Madoš, B., Chovanec, M., and Kocan, S. (2022). Mlmd—a malware-detecting antivirus tool based on the xgboost machine learning algorithm. Applied Sciences, 12(13):6672.

Pimenta, T. S. R., Ceschin, F., and Gregio, A. (2023). Androidgyny: Reviewing clustering techniques for android malware family classification. Digital Threats: Research and Practice.

Qamar, A., Karim, A., and Chang, V. (2019). Mobile malware attacks: Review, taxonomy & future directions. Future Generation Computer Systems, 97:887–909.

Sarma, B. P., Li, N., Gates, C., Potharaju, R., Nita-Rotaru, C., and Molloy, I. (2012). Android permissions: a perspective combining risks and benefits. In Proceedings of the 17th ACM symposium on Access Control Models and Technologies, pages 13–22.

Scalas, M. et al. (2021). Malware analysis and detection with explainable machine learning. Technical report.

Sisto, A. (2013). AndroCrawl: Studying Alternative Android Marketplaces. Master’s thesis, Politecnico di Milano.

Talbi, A., Viens, A., Leroux, L.-C., François, M., Caillol, M., and Nguyen, N. (2022). Feature importance and deep learning for android malware detection. In ICISSP.

Ullah, F., Alsirhani, A., Alshahrani, M. M., Alomari, A., Naeem, H., and Shah, S. A. (2022). Explainable malware detection system using transformers-based transfer learning and multi-model visual representation. Sensors, 22(18):6766.

Yerima, S. Y. and Sezer, S. (2019). Droidfusion: A novel multilevel classifier fusion approach for android malware detection. IEEE Transactions on Cybernetics, 49(2).

Yin, M., Wortman Vaughan, J., and Wallach, H. (2019). Understanding the effect of accuracy on trust in machine learning models. In Proceedings of the 2019 chi conference on human factors in computing systems, pages 1–12.

Zakeya, N., Ségla, K., Chamseddine, T., and Alvine, B. B. (2022). Probing androvul dataset for studies on android malware classification. Journal of King Saud University-Computer and Information Sciences, 34(9):6883–6894.
BRAGANÇA, Hendrio; ROCHA, Vanderson; SOUTO, Eduardo; KREUTZ, Diego; FEITOSA, Eduardo. Explaining the Effectiveness of Machine Learning in Malware Detection: Insights from Explainable AI. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 23. , 2023, Juiz de Fora/MG. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2023 . p. 181-194. DOI: https://doi.org/10.5753/sbseg.2023.233595.

Artigos mais lidos do(s) mesmo(s) autor(es)

1 2 3 4 5 6 7 > >>