A Surrogate-Based Technique for Android Malware Detectors' Explainability

Martina Morcos, Hussam Al Hamadi, Ernesto Damiani, Sivaprasad Nandyala, Brian McGillion

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

5 Scopus citations

Abstract

With the emergence of Android malware and be-havioral polymorphism, it has been increasingly popular to use advanced machine learning and deep learning approaches for malware detection. Despite the fact that such classifiers have proven accurate in real-life settings, they remain uninterpretable and difficult for analysts and users to comprehend how they arrive at their classification decisions. Considering that the exfiltration of sensitive information is one of the most significant security threats, we examined both monograms and trigrams of system calls for normal and malicious software and received higher detection accuracy by using the trigram dataset. Based on this, we propose an auxiliary architecture for model explainability of complex data features via enhancement and aggregation of the auxiliary model with the main model based on the degree of disagreement between the two models. In this study, we employ the SHAP (Shapley Additive Explanations) framework to interpret the random forest models in order to identify the features most influential in predicting the model's predictions, along with quantifying their contributions to individual predictions. The obtained results confirm that the models are not biased and the features that influence the classification prediction are intuitive in terms of the exfiltration problem in question. In addition, our proposed methodology increases transparency and interpretability of our exfiltration detection model running in production, increasing the users' trust in the model's predictions.

Original languageBritish English
Title of host publication2022 18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022
PublisherIEEE Computer Society
Pages112-117
Number of pages6
ISBN (Electronic)9781665469753
DOIs
StatePublished - 2022
Event18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022 - Thessaloniki, Greece
Duration: 10 Oct 202212 Oct 2022

Publication series

NameInternational Conference on Wireless and Mobile Computing, Networking and Communications
Volume2022-October
ISSN (Print)2161-9646
ISSN (Electronic)2161-9654

Conference

Conference18th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2022
Country/TerritoryGreece
CityThessaloniki
Period10/10/2212/10/22

Keywords

  • Android Malware
  • Exfiltration
  • Explainable AI
  • LIME
  • Random Forest
  • SHAP
  • TreeSHAP

Fingerprint

Dive into the research topics of 'A Surrogate-Based Technique for Android Malware Detectors' Explainability'. Together they form a unique fingerprint.

Cite this