Evaluating Lightweight Transformers With Local Explainability for Android Malware Detection
Mobile phones have evolved into powerful handheld computers, fostering a vast application ecosystem but also increasing security and privacy risks. Traditional deep learning-based Android malware detection, reliant on Convolutional Neural Networks (CNNs) and Recurrent Neural Networks (RNNs), struggles to capture long-range dependencies, which are critical for identifying complex malware patterns. Transformers, with their self-attention mechanism, offer a promising alternative but are often computationally intensive for mobile deployment. To address this gap, this study assesses ten models: five customized architectures and five fine-tuned lightweight transformers (DistilBERT, CodeBERT, TinyBERT, MobileBERT, ALBERT), using a real-world dataset of 100K Android applications from Koodous, with API calls and permissions as features. The fine-tuned DistilBERT achieves an accuracy of 91.6% and an AUC of 96.5%, outperforming the customized variants (up to 90.5% accuracy) and highlighting the advantage of transfer learning. It remains competitive with AutoGluon leaderboard models (90–92% accuracy). With an average inference time of 4.46 ± 0.43 ms and a 275 MB memory footprint, it balances efficiency and accuracy better than heavier transformers. Local Interpretable Model-Agnostic Explanations (LIME) are further integrated, with explanations aligning closely with VirusTotal’s malware descriptions. The findings demonstrate the viability of lightweight transformers for near-real-time Android malware detection, balancing accuracy, efficiency, and interpretability.
| Main Authors: | Fatima Bourebaa, Mohamed Benmohammed |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE, 2025-01-01 |
| Series: | IEEE Access |
| Subjects: | Android; BERT; deep learning; explainability; malware; LIME |
| Online Access: | https://ieeexplore.ieee.org/document/11028131/ |
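The record's abstract states that API calls and permissions are used as features for the transformer models. A minimal pure-Python sketch of how such identifiers might be serialized into a single token sequence for a model like DistilBERT; the function name and normalization scheme are illustrative assumptions, not the authors' exact pipeline:

```python
def build_feature_text(permissions, api_calls, max_tokens=512):
    """Join permission and API-call identifiers into one whitespace-separated
    string, truncated to a transformer-friendly token budget."""
    # Keep only the final segment of each dotted identifier, so that
    # "android.permission.SEND_SMS" becomes "SEND_SMS".
    perms = [p.split(".")[-1] for p in permissions]
    apis = [a.split(".")[-1] for a in api_calls]
    tokens = perms + apis
    return " ".join(tokens[:max_tokens])

sample = build_feature_text(
    ["android.permission.SEND_SMS", "android.permission.READ_CONTACTS"],
    ["android.telephony.SmsManager.sendTextMessage"],
)
# sample == "SEND_SMS READ_CONTACTS sendTextMessage"
```

The resulting string can then be passed to any BERT-family tokenizer; the 512-token cap mirrors the usual input limit of those models.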
| _version_ | 1850161431254663168 |
|---|---|
| author | Fatima Bourebaa Mohamed Benmohammed |
| author_facet | Fatima Bourebaa Mohamed Benmohammed |
| author_sort | Fatima Bourebaa |
| collection | DOAJ |
| description | Mobile phones have evolved into powerful handheld computers, fostering a vast application ecosystem but also increasing security and privacy risks. Traditional deep learning-based Android malware detection, reliant on Convolutional Neural Networks (CNNs) and Recurrent Neural Networks (RNNs), struggles to capture long-range dependencies, which are critical for identifying complex malware patterns. Transformers, with their self-attention mechanism, offer a promising alternative but are often computationally intensive for mobile deployment. To address this gap, this study assesses ten models: five customized architectures and five fine-tuned lightweight transformers (DistilBERT, CodeBERT, TinyBERT, MobileBERT, ALBERT), using a real-world dataset of 100K Android applications from Koodous, with API calls and permissions as features. The fine-tuned DistilBERT achieves an accuracy of 91.6% and an AUC of 96.5%, outperforming the customized variants (up to 90.5% accuracy) and highlighting the advantage of transfer learning. It remains competitive with AutoGluon leaderboard models (90–92% accuracy). With an average inference time of 4.46 ± 0.43 ms and a 275 MB memory footprint, it balances efficiency and accuracy better than heavier transformers. Local Interpretable Model-Agnostic Explanations (LIME) are further integrated, with explanations aligning closely with VirusTotal’s malware descriptions. The findings demonstrate the viability of lightweight transformers for near-real-time Android malware detection, balancing accuracy, efficiency, and interpretability. |
| format | Article |
| id | doaj-art-e8a0dd554f754891b47d92805aea31e5 |
| institution | OA Journals |
| issn | 2169-3536 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | doaj-art-e8a0dd554f754891b47d92805aea31e5; 2025-08-20T02:22:50Z; eng; IEEE; IEEE Access; 2169-3536; 2025-01-01; vol. 13, pp. 101005–101026; doi:10.1109/ACCESS.2025.3577775; article 11028131; Evaluating Lightweight Transformers With Local Explainability for Android Malware Detection; Fatima Bourebaa (https://orcid.org/0000-0003-0559-412X), LIRE Laboratory, Faculty of New Technologies of Information and Communication, University of Abdelhamid Mehri Constantine 2, Constantine, Algeria; Mohamed Benmohammed (https://orcid.org/0000-0001-9489-177X), LIRE Laboratory, Faculty of New Technologies of Information and Communication, University of Abdelhamid Mehri Constantine 2, Constantine, Algeria; https://ieeexplore.ieee.org/document/11028131/; Android; BERT; deep learning; explainability; malware; LIME |
| spellingShingle | Fatima Bourebaa; Mohamed Benmohammed; Evaluating Lightweight Transformers With Local Explainability for Android Malware Detection; IEEE Access; Android; BERT; deep learning; explainability; malware; LIME |
| title | Evaluating Lightweight Transformers With Local Explainability for Android Malware Detection |
| title_full | Evaluating Lightweight Transformers With Local Explainability for Android Malware Detection |
| title_fullStr | Evaluating Lightweight Transformers With Local Explainability for Android Malware Detection |
| title_full_unstemmed | Evaluating Lightweight Transformers With Local Explainability for Android Malware Detection |
| title_short | Evaluating Lightweight Transformers With Local Explainability for Android Malware Detection |
| title_sort | evaluating lightweight transformers with local explainability for android malware detection |
| topic | Android; BERT; deep learning; explainability; malware; LIME |
| url | https://ieeexplore.ieee.org/document/11028131/ |
| work_keys_str_mv | AT fatimabourebaa evaluatinglightweighttransformerswithlocalexplainabilityforandroidmalwaredetection AT mohamedbenmohammed evaluatinglightweighttransformerswithlocalexplainabilityforandroidmalwaredetection |
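The abstract reports that LIME explanations were integrated and aligned with VirusTotal's malware descriptions. As a toy, dependency-free illustration of LIME's core idea (perturb the input and estimate each feature's local importance from how the prediction changes), the sketch below masks tokens at random and averages the resulting score drops. `toy_malware_score` is a hypothetical stand-in for a detector, not the paper's model, and this simplification omits LIME's weighted surrogate regression:

```python
import random

def toy_malware_score(tokens):
    """Hypothetical stand-in for a detector: flags SMS-related identifiers."""
    suspicious = {"SEND_SMS", "sendTextMessage"}
    hits = sum(1 for t in tokens if t in suspicious)
    return hits / max(len(tokens), 1)

def lime_style_importance(tokens, score_fn, n_samples=200, seed=0):
    """Estimate each token's importance as the average drop in score over
    random perturbations in which that token is masked out — the spirit,
    though not the exact algorithm, of LIME's local surrogate."""
    rng = random.Random(seed)
    base = score_fn(tokens)
    total = {t: 0.0 for t in tokens}
    count = {t: 0 for t in tokens}
    for _ in range(n_samples):
        kept = [t for t in tokens if rng.random() > 0.5]  # mask each w.p. 0.5
        delta = base - score_fn(kept)  # score drop caused by this perturbation
        for t in tokens:
            if t not in kept:  # attribute the drop to every masked token
                total[t] += delta
                count[t] += 1
    return {t: (total[t] / count[t] if count[t] else 0.0) for t in tokens}

tokens = ["SEND_SMS", "READ_CONTACTS", "sendTextMessage", "getDeviceId"]
scores = lime_style_importance(tokens, toy_malware_score)
# Suspicious tokens should receive higher average importance than benign ones.
```

In the paper's setting, the real LIME library would perturb the permission/API token string and query the fine-tuned transformer, producing per-token weights that can be compared against VirusTotal's descriptions of the sample.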