Towards a robust android malware detection model using explainable deep learning

The growing threat of Android malware demands effective and trustworthy detection mechanisms. This paper investigates the robustness of explainable deep learning models for Android malware detection and classification using network flow features. Three deep learning architectures — DNN, 1D-CNN, and BiLSTM — were evaluated on the CICAndMal2017 dataset, with BiLSTM achieving the best performance on unseen samples. Model decisions were analyzed using LIME and SHAP to identify influential and potentially manipulable features. Using domain knowledge, features were categorized based on their resistance to evasion, with emphasis on robust indicators such as TCP flags and initial window sizes. Retraining models using only these robust features resulted in minimal performance degradation while significantly improving explainability and resilience to evasion. On the unseen dataset, the BiLSTM model achieved a 70.90% F1-score for malware detection and 62.84% for classification, with AUC scores of 73.39% and 79.96%, respectively. After removing weak features, the retrained detection model maintained a 71% F1-score, and the classification model achieved 57%, demonstrating that robustness can be improved without major loss in performance. These results highlight the potential for transparent and dependable AI-driven cybersecurity solutions, particularly in adversarial settings where evasion is common. By emphasizing explainability and robustness, this work contributes towards models that balance performance with trust in evolving threat landscapes.