A Surrogate-Based Technique for Android Malware Detectors' Explainability

Martina Morcos; Hussam Al Hamadi; Ernesto Damiani; Sivaprasad Nandyala; Brian McGillion

doi:10.1109/WiMob55322.2022.9941515

A Surrogate-Based Technique for Android Malware Detectors' Explainability

Martina Morcos, Hussam Al Hamadi, Ernesto Damiani, Sivaprasad Nandyala, Brian McGillion

Electrical Engineering

Technology Innovation Institute (TII)

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

7 Scopus citations

Abstract

With the emergence of Android malware and be-havioral polymorphism, it has been increasingly popular to use advanced machine learning and deep learning approaches for malware detection. Despite the fact that such classifiers have proven accurate in real-life settings, they remain uninterpretable and difficult for analysts and users to comprehend how they arrive at their classification decisions. Considering that the exfiltration of sensitive information is one of the most significant security threats, we examined both monograms and trigrams of system calls for normal and malicious software and received higher detection accuracy by using the trigram dataset. Based on this, we propose an auxiliary architecture for model explainability of complex data features via enhancement and aggregation of the auxiliary model with the main model based on the degree of disagreement between the two models. In this study, we employ the SHAP (Shapley Additive Explanations) framework to interpret the random forest models in order to identify the features most influential in predicting the model's predictions, along with quantifying their contributions to individual predictions. The obtained results confirm that the models are not biased and the features that influence the classification prediction are intuitive in terms of the exfiltration problem in question. In addition, our proposed methodology increases transparency and interpretability of our exfiltration detection model running in production, increasing the users' trust in the model's predictions.

Original language	British English
Title of host publication	2022 18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022
Publisher	IEEE Computer Society
Pages	112-117
Number of pages	6
ISBN (Electronic)	9781665469753
DOIs	https://doi.org/10.1109/WiMob55322.2022.9941515
State	Published - 2022
Event	18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022 - Thessaloniki, Greece Duration: 10 Oct 2022 → 12 Oct 2022

Publication series

Name	International Conference on Wireless and Mobile Computing, Networking and Communications
Volume	2022-October
ISSN (Print)	2161-9646
ISSN (Electronic)	2161-9654

Conference

Conference	18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022
Country/Territory	Greece
City	Thessaloniki
Period	10/10/22 → 12/10/22

Keywords

Android Malware
Exfiltration
Explainable AI
LIME
Random Forest
SHAP
TreeSHAP

Access to Document

10.1109/WiMob55322.2022.9941515

Cite this

Morcos, M., Al Hamadi, H., Damiani, E., Nandyala, S., & McGillion, B. (2022). A Surrogate-Based Technique for Android Malware Detectors' Explainability. In 2022 18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022 (pp. 112-117). (International Conference on Wireless and Mobile Computing, Networking and Communications; Vol. 2022-October). IEEE Computer Society. https://doi.org/10.1109/WiMob55322.2022.9941515

Morcos, Martina ; Al Hamadi, Hussam ; Damiani, Ernesto et al. / A Surrogate-Based Technique for Android Malware Detectors' Explainability. 2022 18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022. IEEE Computer Society, 2022. pp. 112-117 (International Conference on Wireless and Mobile Computing, Networking and Communications).

@inproceedings{4c496322211c4c0cabafdbb570b6585f,

title = "A Surrogate-Based Technique for Android Malware Detectors' Explainability",

abstract = "With the emergence of Android malware and be-havioral polymorphism, it has been increasingly popular to use advanced machine learning and deep learning approaches for malware detection. Despite the fact that such classifiers have proven accurate in real-life settings, they remain uninterpretable and difficult for analysts and users to comprehend how they arrive at their classification decisions. Considering that the exfiltration of sensitive information is one of the most significant security threats, we examined both monograms and trigrams of system calls for normal and malicious software and received higher detection accuracy by using the trigram dataset. Based on this, we propose an auxiliary architecture for model explainability of complex data features via enhancement and aggregation of the auxiliary model with the main model based on the degree of disagreement between the two models. In this study, we employ the SHAP (Shapley Additive Explanations) framework to interpret the random forest models in order to identify the features most influential in predicting the model's predictions, along with quantifying their contributions to individual predictions. The obtained results confirm that the models are not biased and the features that influence the classification prediction are intuitive in terms of the exfiltration problem in question. In addition, our proposed methodology increases transparency and interpretability of our exfiltration detection model running in production, increasing the users' trust in the model's predictions.",

keywords = "Android Malware, Exfiltration, Explainable AI, LIME, Random Forest, SHAP, TreeSHAP",

author = "Martina Morcos and {Al Hamadi}, Hussam and Ernesto Damiani and Sivaprasad Nandyala and Brian McGillion",

note = "Funding Information: This work was jointly supported between the Center for Cyber Physical Systems (C2PS) at Khalifa University and the Technology Innovation Institute (TII) under Fund number 8434000379. Publisher Copyright: {\textcopyright} 2022 IEEE.; 18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022 ; Conference date: 10-10-2022 Through 12-10-2022",

year = "2022",

doi = "10.1109/WiMob55322.2022.9941515",

language = "British English",

series = "International Conference on Wireless and Mobile Computing, Networking and Communications",

publisher = "IEEE Computer Society",

pages = "112--117",

booktitle = "2022 18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022",

address = "United States",

}

Morcos, M, Al Hamadi, H, Damiani, E, Nandyala, S & McGillion, B 2022, A Surrogate-Based Technique for Android Malware Detectors' Explainability. in 2022 18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022. International Conference on Wireless and Mobile Computing, Networking and Communications, vol. 2022-October, IEEE Computer Society, pp. 112-117, 18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022, Thessaloniki, Greece, 10/10/22. https://doi.org/10.1109/WiMob55322.2022.9941515

A Surrogate-Based Technique for Android Malware Detectors' Explainability. / Morcos, Martina; Al Hamadi, Hussam; Damiani, Ernesto et al.
2022 18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022. IEEE Computer Society, 2022. p. 112-117 (International Conference on Wireless and Mobile Computing, Networking and Communications; Vol. 2022-October).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A Surrogate-Based Technique for Android Malware Detectors' Explainability

AU - Morcos, Martina

AU - Al Hamadi, Hussam

AU - Damiani, Ernesto

AU - Nandyala, Sivaprasad

AU - McGillion, Brian

N1 - Funding Information: This work was jointly supported between the Center for Cyber Physical Systems (C2PS) at Khalifa University and the Technology Innovation Institute (TII) under Fund number 8434000379. Publisher Copyright: © 2022 IEEE.

PY - 2022

Y1 - 2022

N2 - With the emergence of Android malware and be-havioral polymorphism, it has been increasingly popular to use advanced machine learning and deep learning approaches for malware detection. Despite the fact that such classifiers have proven accurate in real-life settings, they remain uninterpretable and difficult for analysts and users to comprehend how they arrive at their classification decisions. Considering that the exfiltration of sensitive information is one of the most significant security threats, we examined both monograms and trigrams of system calls for normal and malicious software and received higher detection accuracy by using the trigram dataset. Based on this, we propose an auxiliary architecture for model explainability of complex data features via enhancement and aggregation of the auxiliary model with the main model based on the degree of disagreement between the two models. In this study, we employ the SHAP (Shapley Additive Explanations) framework to interpret the random forest models in order to identify the features most influential in predicting the model's predictions, along with quantifying their contributions to individual predictions. The obtained results confirm that the models are not biased and the features that influence the classification prediction are intuitive in terms of the exfiltration problem in question. In addition, our proposed methodology increases transparency and interpretability of our exfiltration detection model running in production, increasing the users' trust in the model's predictions.

AB - With the emergence of Android malware and be-havioral polymorphism, it has been increasingly popular to use advanced machine learning and deep learning approaches for malware detection. Despite the fact that such classifiers have proven accurate in real-life settings, they remain uninterpretable and difficult for analysts and users to comprehend how they arrive at their classification decisions. Considering that the exfiltration of sensitive information is one of the most significant security threats, we examined both monograms and trigrams of system calls for normal and malicious software and received higher detection accuracy by using the trigram dataset. Based on this, we propose an auxiliary architecture for model explainability of complex data features via enhancement and aggregation of the auxiliary model with the main model based on the degree of disagreement between the two models. In this study, we employ the SHAP (Shapley Additive Explanations) framework to interpret the random forest models in order to identify the features most influential in predicting the model's predictions, along with quantifying their contributions to individual predictions. The obtained results confirm that the models are not biased and the features that influence the classification prediction are intuitive in terms of the exfiltration problem in question. In addition, our proposed methodology increases transparency and interpretability of our exfiltration detection model running in production, increasing the users' trust in the model's predictions.

KW - Android Malware

KW - Exfiltration

KW - Explainable AI

KW - LIME

KW - Random Forest

KW - SHAP

KW - TreeSHAP

UR - http://www.scopus.com/inward/record.url?scp=85140752916&partnerID=8YFLogxK

U2 - 10.1109/WiMob55322.2022.9941515

DO - 10.1109/WiMob55322.2022.9941515

M3 - Conference contribution

AN - SCOPUS:85140752916

T3 - International Conference on Wireless and Mobile Computing, Networking and Communications

SP - 112

EP - 117

BT - 2022 18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022

PB - IEEE Computer Society

T2 - 18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022

Y2 - 10 October 2022 through 12 October 2022

ER -

Morcos M, Al Hamadi H, Damiani E, Nandyala S, McGillion B. A Surrogate-Based Technique for Android Malware Detectors' Explainability. In 2022 18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022. IEEE Computer Society. 2022. p. 112-117. (International Conference on Wireless and Mobile Computing, Networking and Communications). doi: 10.1109/WiMob55322.2022.9941515

A Surrogate-Based Technique for Android Malware Detectors' Explainability

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this