Sustainability of Machine Learning-based Android Malware Detection Using API calls and Permissions

Abstract

As the Android platform and malicious apps continue to evolve, most existing Android malware detection techniques using machine learning are turning out to be unsustainable. In this paper, we propose machine learning-based Android malware detection techniques which uses both API calls and permissions as a feature set. These features are complementary and are often used to detect malicious apps. We first analyze whether a ‘yearly dataset-based trained classifier’ (YDataC) is sustainable or not. The ‘yearly dataset-based trained classifier’ refers to the classifier that learns from 80% of the dataset of a specific year from 2014 to 2021, and is tested with 20% of the datasets of every year between 2014 and 2021. Through experiments, we discovered that the classification rate has dropped significantly since 2019, and something big has changed. Therefore, the ‘yearly dataset-based trained classifier’ is judged to be unsustainable. Next, we present and evaluate two incremental learning methods for gradual training: an incrementally trained Random Forest (RF) and an incrementally trained Neural Network (NN). Evaluation results show that two incremental learning classifiers have better sustainability than the ‘yearly dataset-based trained classifier’. The incrementally trained RF has better sustainability than the incrementally trained NN in terms of given metrics such as $f_{1}\ score$ and AUT (Area under Time).