Available

Available online at www.sciencedirect.com

Available online
online at
at www.sciencedirect.com
www.sciencedirect.com
ScienceDirect
ScienceDirect
ScienceDirect
ScienceDirect
Available online at www.sciencedirect.com
Procedia
Procedia
Available Computer Science 00 (2022) 000–000
Procedia Computer
Computer Science
online Science 00
00 (2022)
(2022) 000–000
at www.sciencedirect.com
000–000
Procedia Computer Science 00 (2022) 000–000
ScienceDirect
www.elsevier.com/locate/procedia
www.elsevier.com/locate/procedia
www.elsevier.com/locate/procedia
www.elsevier.com/locate/procedia
ScienceDirect
Procedia Computer Science 00 (2022) 000–000
Procedia Computer Science 212 (2022) 429–440
www.elsevier.com/locate/procedia

11th
11th International
International Young
Young Scientists
Scientists Conference
Conference on
on Computational
Computational Science
Science
11th
11th International
International Young
Young Scientists
Scientists Conference
Conference on
on Computational
Computational Science
Science
Transfer
Transfer Learning
Learning Approach
Approach for
for Malware Images Classification on
Transfer11th Learning Approach
International for Malware
Young Scientists Malware
Conference onImages
Images Classification
Classification
Computational Science on
on
Android
Android Devices Using Deep Convolutional Neural Network
Android DevicesDevices Using Using Deep
Deep Convolutional
Convolutional NeuralNeural Network
Network
Transfer
Zahraddeen
Learning
Zahraddeen Bala
Balaa,, Fatima
a
a Approach
Fatima Umar for
Umar Zambuk bMalware Images Classification
Zambukb,, Badamasi
b Badamasi Ya’u
Ya’u Imam
Imamc,, Abdulsalam
c
c Abdulsalam Ya’u
Ya’u on
Zahraddeen Bala a, Fatima Umar Zambuk b, Badamasi Ya’u Imam c, Abdulsalam Ya’u
Android
Zahraddeen
Gital
Gital d, Fatima
d
Devices
Bala
Gitaldd,, Fatima
, Fatima
Shittu
Fatima Shittu
Using Deep
Umar Zambuk
e, Muhammad
e
Shittuee,, Muhammad
Aliyu
Muhammad Aliyu
Convolutional
, Badamasi
f and Mustapha
f
Aliyuff andand Mustapha
Neural
Ya’u Imam
Lawal
Mustapha Lawal
Network
,Abdulrahman
Abdulsalam
Lawal Abdulrahman
Ya’u
g*
g
Abdulrahmangg**
Gital , Fatima Shittu , Muhammad Aliyu and Mustapha Lawal Abdulrahman *
Department of Mathematical
Mathematical Science,
a,b,c,d,e,,f,g
Abubakar Tafawa Balewa
Balewa University, Bauchi, Nigeria
Zahraddeen BalaDepartment of Science, Abubakar Tafawa University, Bauchi, Nigeria
a,b,c,d,e,,f,g
a
, Fatima
Department of Umar Zambuk
of Mathematical
a,b,c,d,e,,f,g
Department Mathematical
a,b,c,d,e,,f,g Science, b
, Badamasi
Science, Abubakar
Abubakar Tafawa Ya’u
Tafawa Balewa
Balewa Imam
University,
University,
c
, Abdulsalam
Bauchi,
Bauchi, Nigeria
Nigeria Ya’u
Gital d
, Fatima Shittu e
, Muhammad Aliyu f
and Mustapha Lawal Abdulrahman g
*
Abstract: More malware types are being developed today to carry out numerous destructive operations due to the Internet and
Abstract:
Abstract: More
More malware types are being developed today to carry out numerous destructive operations due to the Internet and
software
Abstract:
software More malware
industries'
industries' rapid
malware
a,b,c,d,e,,f,g
rapid
types
expansion.
types are
are being
Department
expansion. Malware
being
Malware
developed
variants
developed
of Mathematical
variants
today
cannotto
today
Science,
cannot becarry
toAbubakar
becarry out
detected
out
detected
numerous
usingBalewa
numerous
Tafawa
using
destructive
conventional
destructive
University,
conventional
operations
signature-based
operations
Bauchi, Nigeria
signature-based
due
due to
to the
detection
detectionthe Internet
Internet and
techniques.
and
techniques.
software
Given their
software industries'
their escalating
industries' rapid
rapid expansion.
complexity
expansion. Malware
andMalware variants
volume,variants cannot
dealingcannot be
with malware
malwaredetected using
is becoming
be detected becoming conventional
more and
using conventional signature-based
and more
more difficult. Many
signature-based detection
Many techniques.
researchers
detection have
techniques.
Given escalating complexity and volume, dealing with is more difficult. researchers have
Given
becometheir
Given their escalating
interested
escalating complexity
in malware
malware
complexity and
and volume,
analysis, detection,
volume, dealing with
with malware
and classification
dealing classification
malwarein inis becoming
recent
isrecent years.more
becoming Thisand
more more
topic
and has difficult.
more been approachedMany
Many researchers
approached
difficult. have
using aa variety
researchers variety
have
become
become interested
interested in
in malware analysis,
analysis, detection,
detection, and
and classification in recent years.
years. This
This topic
topic has
has been
been approached using
using aa results.
variety
Abstract:
of techniques
become
of More
interested
techniques malware
based
basedin on
malware
on types
machine
machine are being
learning
analysis, developed
(ML),
detection,
learning (ML), and today
computer to
classification
computer carry
vision,
vision, inout
and
and numerous
deep
recent
deep years. destructive
learning,
This
learning, which
topic
which operations
hashave
been
have shown due
approached
shown to
some
some the Internet
useful
using
useful and
variety
results.
of techniques
Antivirus
software
of based
software
industries'
techniques based andon
rapid
on machine
conventional
expansion.
machine learning
Malware
learning (ML),
detection computer
methods
variants
(ML), have
cannot
computer vision,
bepoor and
detected
vision, and deep
accuracy.
using
deep learning,
Furthermore,
conventional
learning, which
there have shown
aren't
signature-based
which have shown some
enough
detection
some useful
samples
useful results.
overall,
techniques.
results.
Antivirus
Antivirus software and conventional detection methods have poor accuracy. Furthermore, there aren't enough samples overall,
Given
Antivirustheirsoftware
particularly
particularly when it
software
when itand
escalating comes
and
comes
conventional
complexity
conventional
to and detection
to malware
malware volume,
samples,
detection
samples,
methods
dealing
and the
methods
and the have
with poor
poor accuracy.
malware
representativeness
have accuracy.
representativeness of Furthermore,
is becoming
of themore
the malware
Furthermore,
malware
there
and more
features
features
aren't
that enough
theredifficult.
aren't
that Many
have
enough
have been
been
samples
researchers
samples overall,
discovered have
is
overall,
discovered is
particularly
become
still weak.
particularly when
interested
The
when it
in
types comes
malware
and
it comes to malware
analysis,
quantity
to malwareof samples,
detection,
samples
samples, in and
and
the
and the representativeness
classification
malware sample in
the representativeness recent
datasetof the
years.
need
ofneed malware
This
to be
the malware features
topic has
regularly been that
improved.
featuresimproved. have
approached
that haveThe been
The discovered
using
hybrid
beenhybrid a is
variety
model's
discovered is
still
still weak.
weak. The types and quantity of samples in the malware sample dataset to be regularly model's
still weak. The
computing
of techniques
computing The types
requirements
based
types on
requirements
and quantity
are
andmachine greater
quantity
are greater
of samples
than
learning
ofthan those
samples in
(ML),
those ofthe
inof
the themalware
computer
themalware
single
sample
singlevision,
model
sampleand
model and
dataset
the need to
to be
conventional
deepconventional
dataset
the learning,
need regularly
machine
be which
regularly
machinehaveimproved.
learning The
The hybrid
techniques.
shown techniques.
improved.
learning some model's
Transfer
usefulTransfer
hybrid results.
model's
computing
Antivirus
learning,
computing requirements
software
on the and
other
requirements hand, are
are greater
conventional
deals
greater than
with
thanthethose
detection
issue
those of
ofof the
methodshow
the single
have
to
single model
use poor
a
model and
large
and the
accuracy.
amount
the conventional
Furthermore,
of labeled
conventional machine
there
data
machinebasedlearning
aren't on
learning techniques.
enough
existing samples
Deep
techniques. Transfer
overall,
Learning
Transfer
learning,
learning, on
on the
the other hand, deals with the issue of how to use aa large amount of labeled data based on existing Deep Learning
particularly
models that
learning,
models that the other
when
have
onhave it comes
been
other
been
hand,
pre-trained
hand,
pre-trainedtodeals
deals with
malware
on
on
the
the issue
samples,
enormous
with
enormous
of
of how
and
image
issueimage the
how to
to use
datasets
datasets
large
representativeness
toasolve
useto solve amount
ofbut
related
largerelated
amount of
the
but labeled
malware
distinct
ofdistinct data
problems
labeledproblems
data based
features
basedinthat
in
ontarget
existing
have
aaontarget beenDeep
domain,
existing
domain,Deep Learning
discovered
even when
Learning
even whenis
models
the
still
models that
training
weak. have
and
The
that have been
testing
types pre-trained
and problems
been pre-trained quantity on
have
of
on enormous
different
samples
enormous image
in the
image datasets
distributions
malware
datasets to to
or solve
sample
solve related
features, thus
dataset
related but
need
but distinct
dealing
to be problems
with the
regularly
distinctwith
problems in
issue a
improved.
in aof target
of
target domain,
building
The
domain, a
hybrid even
model
even when
from
model's
when
the
the training
training and
and testing problems have different distributions or features, thus dealing the issue building a model from
computing
scratch.
the training
scratch. We and testing
Werequirements
propose
testing
propose an
problems
are greater
an Android
Android
problems have
thandifferent
malware
have
malware those
different
image
distributions
imageofclassifier
the single
classifier
distributions that
or
thatmodel
or features,
and the
leverages
features,
leverages
thus
thus
transfer
dealing
conventional
transfer learning
dealing
learning
with
based
with
based
the
machine issue
on
the on of
of building
learning
convolutional
issue techniques.
building
convolutional
aa model
neural
neuralmodel from
Transfer
network
from
network
scratch.
learning,
(TL-CNN)
scratch. We
Weon propose
the other
architectures
propose an
an Android
hand,
to
Android dealsmalware
distinguishwith
malware the image
between issue
image classifier
of
benign howand
classifier tothat
use leverages
malignant
that a large
images
leverages transfer
amountin
transfer oflearning
labeled
response
learningto based
data
this
based on
basedconvolutional
success.
on on existing
According
convolutional neural
Deep
to network
Learning
experimental
neural network
(TL-CNN)
(TL-CNN) architectures to distinguish between benign and malignant images in response to this success. According to experimental
findings,that
models
(TL-CNN)
findings, thearchitectures
the proposed
have to
to distinguish
model
been pre-trained
architectures
proposed model had the
had the between
highest
on enormous
distinguish between
highest
benign
detection and
image datasets
benign
detection and malignant
accuracy,
accuracy,
images
scoring
to scoring
malignant solve related
images
an
in response
an average
average
inbut to
distinct
responseof
this
this success.
of 97.24%
97.24%
toproblems in aAccording
followed
success.
followed by the
thedomain,
target
According
by hybrid
hybrid
to
to experimental
DBN-GRU
even when
experimental
DBN-GRU
findings,
the
withtraining the
an average
findings, proposed
the and
average testing
accuracy
proposed model
problems
model scorehadofthe
hadof have
the highest
96.82%.
highest detection
different
the other
detection accuracy,
distributions
deep
accuracy, orscoring
learningfeatures,an average
anthus
algorithms
scoring average (DBN of
of 97.24%
dealing withGRU)
and
97.24%GRU)followed
the showofby
issue
followed by the
the hybrid
building
competitive
hybrid DBN-GRU
a model
results
DBN-GRU from
with
with
with an
an average accuracy
accuracy score
score of 96.82%.
96.82%. the
the other
other deep
deep learning
learning algorithms
algorithms (DBN
(DBN and
and GRU) show
show competitive
competitive results
results with
with
scratch.
accuracies
with an
accuracies We ofpropose
average
of 94.55% an
accuracy
94.55% Android
and
and score malware
92.50%
of
92.50% 96.82%. image
respectively.
the
respectively. classifier
otherThese
deep
These that
resultsleverages
learning
results suggest transfer
that
algorithms
suggest that learning
deep
(DBN
deep andbased
learning
GRU) on convolutional
algorithms
show
learning algorithms have
competitive
have neural
overall
overall network
superior
results with
superior
accuracies
performance
(TL-CNN)
accuracies of 94.55%
compared
architectures
ofcompared
94.55% to and
to the
tothe
and 92.50%
convention
distinguish
92.50% respectively.
machine
between
respectively. benign These
learning results
algorithms
and malignant
These results suggest
which
images
suggest that deep
deep learning
includes
inincludes
that response (SVM withalgorithms
to thiswith
learning 90.57%,
success.
algorithms have
KNN
According
have withoverall
with superior
83.36%
to experimental
overall and
superior
performance
performance compared to the convention
convention machine
machine learning
learning algorithms
algorithms which
which includes (SVM
(SVM with 90.57%,
90.57%, KNN
KNN with 83.36%
83.36% and
and
findings,
NB with
performance
NB the proposed
with 82.27%).
82.27%). Thismodel
compared
This result
to
resultthe had the highest
suggests
convention
suggests that detection
transfer
machine
that transfer accuracy,
learning
learning
learning has thescoring
the
algorithms
has an average
advantage
which
advantage includes
of of(SVM
97.24%
of decreasing
decreasing the followed
with
the training
90.57%,
training byKNN
time
timethefor
forhybrid
aa learning
with DBN-GRU
learning
83.36% model
and
model
NB
and with
with 82.27%).
an result
average This
in accuracy result scoresuggests that
that transfer
of 96.82%. the other learning
deep has the
learning advantage
algorithms of decreasing
of (DBN the
and GRU) training
showtime for
for aa learning
competitive modelmodel
NB
and
and
can
with
can
can
result
82.27%).
result in
in
lower
lower
lower
generalization
This generalization
result suggests
generalization
error
error
error
with
transfer
with
with
better
better
better
accuracy
learning
accuracy
accuracy
has compared
the advantage
compared
compared
to the
to
to
the
the
conventional
decreasing
conventional
conventional
approach
theapproach
training
approach
of
time
of
of
training
training
training aaa results
learning
model
model
with
from
model
from
from
scratch.
accuracies
and can
scratch. of
result 94.55%
in lower and 92.50%
generalization respectively.
error with These
better results
accuracy suggest
compared that
to thedeep learning
conventional algorithms
approach of have
training overall
a modelsuperior
from
scratch.
performance compared to the convention machine learning algorithms which includes (SVM with 90.57%, KNN with 83.36% and
scratch.
© 2022
NB withThe
Keywords: Authors.
82.27%).
Deep This
Learning, Published
result
Machine by
suggestsElsevier
Learning, B.V. Learning,
thatTransfer
transfer learningMalware,
has the advantage
Android, and ofDeep
decreasing the training
Convolutional Neural time for a learning model
Network.
This is an Deep
Keywords: openLearning,
Deep access article Machine Learning,
under the CC Transfer
BY-NC-ND Learning, Malware,
license Android, and Deep Convolutional Neural
(https://creativecommons.org/licenses/by-nc-nd/4.0) Network.
Keywords:
and can result
Keywords: DeepinLearning,
Learning, Machine
Machine Learning,
lower generalization errorTransfer
Learning, Transfer Learning,
with better Malware,
accuracy
Learning, Malware, Android,
Android,toand
compared andtheDeep Convolutional
conventional
Deep Neural
approach
Convolutional Neural of Network.
training a model from
Network.
Peer-review under responsibility of the scientific committee of the 11th International Young Scientist Conference on Computational
scratch.
Science.
Keywords: Deep Learning, Machine Learning, Transfer Learning, Malware, Android, and Deep Convolutional Neural Network.
*
* Corresponding
Corresponding author.
author. Tel.:
Tel.: 07035773462;
07035773462; fax:
fax: +0-000-000-0000
+0-000-000-0000 ..
*
* Corresponding
E-mail author.
address:
Corresponding Tel.: 07035773462;
[email protected]
author. Tel.: 07035773462; fax:
fax: +0-000-000-0000
+0-000-000-0000 ..
E-mail
E-mail address:
address: [email protected]
[email protected]
E-mail address: [email protected]
1877-0509
1877-0509 ©
© 2022
2022 The
The Authors.
Authors. Published
Published by
by ELSEVIER
ELSEVIER B.V.
B.V.
1877-0509
This is an
1877-0509 ©
© 2022
open
2022 The
access
The Authors.
article
Authors. Published
under the
PublishedCCby
by ELSEVIER
BY-NC-ND
ELSEVIER B.V.
license
B.V. (https://creativecommons.org/licenses/by-nc-nd/4.0)
*
ThisCorresponding
is an open author.
access Tel.:
article 07035773462;
under the CCfax: +0-000-000-0000
BY-NC-ND license .
(https://creativecommons.org/licenses/by-nc-nd/4.0)
This is an
Peer-review
ThisE-mail open access
under
is an address:
open access article under
responsibility of
article under the
the CC BY-NC-ND
scientific
thescientific license
committee
CC BY-NC-ND of
license (https://creativecommons.org/licenses/by-nc-nd/4.0)
the 11th International Young Scientist Conference
(https://creativecommons.org/licenses/by-nc-nd/4.0)on Computational
Peer-review under [email protected]
responsibility of the committee of the 11th International Young Scientist Conference on Computational
Peer-review
Science
Peer-review under
under responsibility
responsibility of
of the
the scientific
scientific committee
committee of
of the
the 11th
11th International
International Young
Young Scientist
Scientist Conference
Conference on
on Computational
Computational
Science
Science
Science
1877-0509 © 2022 The Authors. Published by ELSEVIER B.V.
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review under responsibility of the scientific committee of the 11th International Young Scientist Conference on Computational
1877-0509 © 2022 The Authors. Published by Elsevier B.V.
Science
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review under responsibility of the scientific committee of the 11th International Young Scientist Conference on Computational Science.
10.1016/j.procs.2022.11.027
430 Zahraddeen Bala et al. / Procedia Computer Science 212 (2022) 429–440
2 Zahradden Bala / Procedia Computer Science 00 (2019) 000–000

1. Introduction

Today's smartphones are changing every day, and as they do, security becomes a major concern. Security is a crucial
component of human existence, and in a society with insufficient security, it becomes a concern for smartphone users'
safety. One of the biggest security threats to smartphones is the issue of malware [1]. Malware is a malicious code that
affects the user system or computer and intently harms the computer by an attacker, Malware comes in a variety of
forms, including viruses, trojan horses, backdoors, rootkits, worms, botnets, spyware, adware, key loggers, and others.
On the internet, a variety of their families are there and constantly expanding. According to the survey conducted by
AV-Test Institute, it registers that everyday 350,000 new malicious code and potentially unwanted applications, each
malicious one is classified concerning their behavior and saved accordingly by this institute, and gives the malware
statistics in 2018 is 847.34m malicious code was found and recorded and registered [2]. With the booming
development of the Internet and software industry, more and more variants of malware are emerging and almost
everywhere [3]. According to a 2018 McAfee threats report, the total number of malware samples has grown almost
34% over the quarters to more than 774 million samples. It can be seen that the number of malwares has continues to
increase. Hence, malware detection is always an attractive and meaningful issue [1].
One of the most active markets on the planet today is the one that the Internet of Things (IoT) has transformed into
in recent years. An open-source platform with a sizable user base, has drawn malware threats in addition to acting as
the catalyst for the IoT's quick development [2]. Android has become the driving force behind the rapid development
of the IoT, attracting malware attacks [4]. In the current technological era, the mobile device has unquestionably
emerged as a new, expanding trend as many online applications have moved their services, applications, and platform
this platform to increase productivity and interoperability.
The growth of mobile devices is driving a circumvolution change in our information security [5]. However, the
growth of mobile devices increased the associated threat some of which are: SMS spam thrashing, malware, license
to kill spyware, etc. Because of its open nature, the Android Operating System (OS) platform has had the quickest
growth among mobile OSs, making it the OS of choice for many users and developers. However, this OS has enabled
the operation of thousands of programs from various markets, resulting in easy user functionality.
As a result of its affordability and wide availability, Android smartphones are immensely popular. However, the
Android platform has seen a sharp increase in malware applications in recent years because of security flaws [3]. The
following are some of the benefits of Android OS over other mobile operating systems: It is incredibly flexible and
user-friendly since it lets users pick the apps they want to use, and it executes very powerful applications [4]. Android
phones' popularity and growing openness have drawn the attention of numerous illegal enterprises. It is simple for an
attacker to hack into the code of a typical application.
As a result, malware that compromises Android applications is expanding at a risky rate, making it extremely
important to secure both the devices themselves and the resources to which they grant access. Researchers has
developed a number of several techniques for detecting malware due to security concern.
Additionally, there have been numerous important academic advancements in Android malware detection. The
approaches now in use for Android malware detection can generally be divided into three groups. The first is static
detection, which includes approaches based on permissions, byte codes, signatures, and hybrid static analysis methods.
Without executing the program, these techniques scan static Android applications for any potential harmful
characteristics. The second method is dynamic detection, which runs programs via simulator or virtual machines and
assesses whether or not they are dangerous by seeing and recording their actions. The third type is hybrid detection,
which combines static and dynamic detection [2].
It has been challenging to react to the fast expansion of Android malware because traditional malware detection
systems rely mostly on the building of signature libraries and human intervention by malware researchers. [5]. Machine
learning technology has been widely applied to these three categories of detection approaches as data has accumulated
and computer power has continued to advance, offering a new angle on effective and automatic Android malware
detection. The four main steps of the machine learning-based Android malware detection approaches are as follows:
First, both good and bad Android applications are gathered to create datasets. The second step is feature engineering,
which extracts features to define Android applications. Third, malware detection is trained into machine learning
models. Fourth, test sample predictions are used to assess how well the trained models performed. Several number of
machine learning-based malware detection algorithms have been put forth recently. The performance of the earlier
 Zahraddeen Bala et al. / Procedia Computer Science 212 (2022) 429–440 431
3 Zahradden Bala / Procedia Computer Science 00 (2019) 000–000

method was adequate. To train a machine learning classifier, most of these techniques manually collect malware
features [6]. Nowadays, neural network methodology has reached a level that may exceed the limits of previous
machine learning methods, such as Hidden Markov Models and Support Vector Machines (SVM) [7]. Convolutional
neural networks (CNNs) have therefore demonstrated improved performance in comparison to conventional learning
methods, particularly in applications like image categorization. It is clear from the literature that several malware
classification approaches perform well in terms of data nonlinearity. However, it presents a significant barrier when
working with small-scale data. [7].
Transfer learning addresses the problem of how to utilize plenty of labelled data based on existing Deep Learning
models that have been pre-trained on massive image datasets domain to solve related but different problems in a target
domain, even when the training and testing problems have different distributions or features [8]. Motivated by this
success, we propose a CNN-based architecture for malware classification.
The following sections make up the summary of this research paper: The review of related work is presented in
section 2, the technique is presented in section 3, and the experimental setup and findings are presented in sections 4
and 5. Section 6 concludes the paper and offers suggestions for additional research.

2. Related Work

Malware detection is an important factor in the security of the smart devices. However, currently utilized signature-
based methods cannot provide accurate detection of zero-day attacks and polymorphic viruses. In this context, [8]
presented an efficient hybrid framework for detection of malware in Android Apps. The proposed framework
considers both signature and heuristic-based analysis for Android Apps by using the Android Apps to extract manifest
files, and binaries, and employed state-of-the-art machine learning algorithms to efficiently detect malwares. For this
purpose, a rigorous set of experiments were performed using various classifiers such as SVM, Decision Tree, W-J48
and KNN. It has been observed that SVM in case of binaries and KNN in case of manifest.xml files are the most
suitable options in robustly detecting the malware in Android devices. However, the research fails to update the
designed data structure of malicious keywords for detection of newly created malwares. Similarly, [9] propose a novel
android malware detection system that uses a deep convolutional neural network (CNN). Malware classification is
performed based on static analysis of the raw op-code sequence from a disassembled program. Features indicative of
malware are automatically learned by the network from the raw op-code sequence thus removing the need for hand-
engineered malware features. The main advantages of the system are that it removes the need for hand-engineered
malware features, it is much more computationally efficient than existing n-gram based malware classification
systems, and can be implemented to run on the GPU of mobile devices. However, the methodology wasn’t extended
to analyze both dynamic and static malware analysis in different platforms. Malware writers are usually focused on
those platforms which are most used among common users, with the aim of attacking as many devices as possible.
Due to this reason, Android has been heavily attacked for years [10]. Efforts dedicated to combat Android malware
are mainly concentrated on detection, in order to prevent malicious software to be installed in a target device.
However, it is equally important to put effort into an automatic classification of the type, or family, of a malware
sample, in order to establish which actions are necessary to mitigate the damage caused. For example [10] present
CANDYMAN, a tool that classifies Android malware families by combining dynamic analysis and Markov chains.
A dynamic analysis process allows to extract representative information of a malware sample, in form of a sequence
of states, while a Markov chain allows to model the transition probabilities between the states of the sequence, which
is used as features in the classification process. The space of features built is used to train classical Machine Learning,
including methods for imbalanced learning, and Deep Learning algorithms, over a dataset of malware samples from
different families, in order to evaluate the proposed method. The experimental results indicate a precision performance
of 81.8% over this dataset. However, a major limitation of the study is how to hybridize the features derived from the
dynamic behavior with those derived from static analysis, in order to improve the accuracy of the classifier for a
similar reason. ([11] focuses on developing an efficient computational framework based on Deep Belief Networks for
malware detection.
The proposed framework merges high level static analysis, dynamic analysis and system calls in feature extraction
in order to achieve the highest accuracy. The evaluation compares the most familiar machine learning approaches that
were applied in malware detection with the proposed framework. The evaluation compares several machine learning
432 Zahraddeen Bala et al. / Procedia Computer Science 212 (2022) 429–440
4 Zahradden Bala / Procedia Computer Science 00 (2019) 000–000

approaches: Support Vector Machine, Naive Bayesian Network and Random Forest with Deep Belief Networks
algorithm. The obtained results demonstrate that Deep Belief Networks technique can realize 99.1% accuracy with
the presented dataset. Similar to the previous researches a major limitation of the study is how to hybridize the features
derived from the dynamic behavior with those derived from static analysis, in order to improve the accuracy of the
classifier.
[12] propose an efficient and accurate solution to the aforementioned limitations, named SAMADroid, which is a
novel 3-level hybrid malware detection model for Android operating systems. The research contribution includes
multiple folds. First, many of the existing Android malware detection techniques are thoroughly investigated and
categorized on the basis of their detection methods. Also, their benefits along with limitations are deduced. A novel
3-level hybrid malware detection model for Android operating systems is developed, that can provide high detection
accuracy by combining the benefits of the three different levels: 1) Static and Dynamic Analysis; 2) Local and Remote
Host; and 3) Machine Learning Intelligence. Experimental results show that SAMADroid achieves high malware
detection accuracy by ensuring the efficiency in terms of power and storage consumption. However, the study does
not check the interdependency of static and dynamic features used in their machine learning classifiers. Which can
lead to multi-collinearity problem which can affect the classifier’s performance.
The existing static malware detection mechanisms can locate malicious components associated with the source
code of an application and dynamic analysis can identify exploits in the runtime environment. Hence, the advantages
of both static and dynamic mechanisms need to be combined to form a hybrid analysis mechanism for achieving better
accuracy in malware detection [3]. The existing machine learning based hybrid malware analysis mechanisms do not
check the interdependency of static and dynamic features used in their machine learning classifiers. This
interdependency can lead to multi-collinearity problem which can affect the classifier’s performance.
Hence to address this issues, [3] propose a novel TAN (Tree Augmented naive Bayes) based hybrid malware
detection mechanism by employing the conditional dependencies among relevant static and dynamic features (API
calls, permissions and system calls) which are required for the functionality of an application and trained three ridge
regularized logistic regression classifiers corresponding to API calls, permission and system calls of an application
and modeled their output relationships as a TAN (Tree Augmented naive Bayes) for identifying whether the
application is malicious or not. The experimental results show that the proposed mechanism can detect malicious
applications over a long period with an accuracy of 0.97. However, few malware applications can escape from the
detection mechanism by employing adversarial techniques.
Similarly, [13] proposed an Android malware detection algorithm based on a hybrid deep learning model which
combines deep belief network (DBN) and gate recurrent unit (GRU). First of all, they analyze the Android malware;
in addition to extracting static features, dynamic behavioral features with strong ant obfuscation ability are also
extracted. Then, they build a hybrid deep learning model for Android malware detection. Because the static features
are relatively independent, the DBN is used to process the static features. Because the dynamic features have temporal
correlation, the GRU is used to process the dynamic feature sequence. Finally, the training results of DBN and GRU
are input into the BP neural network, and the final classification results are output. Experimental results show that,
compared with the traditional machine learning algorithms, the Android malware detection model based on hybrid
deep learning algorithms has a higher detection accuracy, and it also has a better detection effect on obfuscated
malware. However, the research has the following deficiencies and needs to be improved in future research work.
First, the number of samples, especially malware samples, is not enough, and the representativeness of the obtained
malware features is still not strong. It is necessary to constantly enrich the types and number of samples in the malware
sample dataset; second, the calculating consumption of the hybrid model is larger than that of the separate model and
the traditional machine learning algorithm, so further improvement and optimization is needed to reduce the time cost.
Many approaches base on static and dynamic malware identification techniques as mention above require a lot of
human intervention and resources to design the malware classification model. The real challenge lies with the fact that
inspecting all files of the application structure leads to high processing time, more storage, and manual effort [14]. To
solve these problems, optimization algorithms and deep learning has been recently tested for mitigating malware
attacks for example, [14] proposes Summing of neural architecture and Visualization Technology for Android
Malware identification (SARVOTAM). The system converts the malware non-intuitive features into fingerprint
images to extract the quality information. A fine-tuned Convolutional Neural Network (CNN) is used to automatically
extract rich features from visualized malware thus eliminating the feature engineering and domain expert cost.
 Zahraddeen Bala et al. / Procedia Computer Science 212 (2022) 429–440 433
5 Zahradden Bala / Procedia Computer Science 00 (2019) 000–000

The experiments were done using the DREBIN dataset. A total of fifteen different combinations of the Android
malware image sections were used to identify and classify Android malware. The softmax layer of CNN was
substituted with machine learning algorithms like K-Nearest Neighbor (KNN), Support Vector Machine (SVM), and
Random Forest (RF) to analyze the grayscale malware images. It is observed that CNN-SVM model outperformed
original CNN as well as CNN-KNN, and CNN-RF. However, the scope of this experiment was limited to evaluate the
performance of the proposed model using malware images.
Similarly, [15] presented DL-Droid, an automated dynamic analysis framework for Android malware detection.
DL-Droid employs deep learning with a state-based input generation approach as the default method, although it has
the capability to employ the state-of-the-practice popular Monkey tool (stateless method). Comparing its performance
to traditional machine learning classifiers as well as existing DL-based frame- works. The presented results clearly
demonstrate that DL-Droid achieved high accuracy performance reaching better figures than those presented in
existing deep learning-based Android malware detection frameworks.
In recent years, deep learning algorithms such as Convolution Neural Network (CNN) [2, 14-16] have played
various irreplaceable roles in malware detection, which is considered an emerging research area. This encourages anti-
malware providers to find novel detection approaches based on the widely used method in malware detection systems
i.e Convolution Neural Network (CNN), which can be easily applied to regular grids, e.g., pixels in digital images.
After the CNN has been trained, it can extract the high-level features by learning the weights in the trainable filters.
For example, [2] propose two end-to-end Android malware detection methods based on deep learning (CNN).
Compared with the existing detection methods, the proposed methods have the advantage of their end-to-end learning
process. The proposed methods resample the raw byte codes of the classes. dex files of Android applications as input
to deep learning models. These models are trained and evaluated in a dataset containing 8K benign applications and
8K malicious applications. Experiments show that the proposed methods can achieve 93.4% and 95.8% detection
accuracy respectively. However, the patterns learned by the proposed detectors are still difficult to understand, how
to make these patterns correspond to benign or malicious areas in dex files still requires further research in the future.
Similarly, [16] propose a novel and highly reliable deep learning framework, named AMalNet, to learn multiple
embedding representations for Android mal- ware detection and family attribution by introducing a version of Graph
Convolutional Networks (GCNs) for modeling high-level graphical semantics, which automatically identifies and
learns the semantic and sequential patterns, using an Independently Recurrent Neural Network (IndRNN) to decode
the deep semantic information, making full use of remote dependent information between nodes to independently
extract features. The experimental results on multiple benchmark datasets indicated that the AMalNet framework
outperforms other state-of-the-art techniques significantly. However, the final representation of a node is related to
the hidden state of a large number of neighbor nodes. Hence, how to efficiently calculate larger-scale graph neural
networks is the major limitations of this study which needs to be explored in depth.
Owing to the recent development of deep learning techniques. Transfer learning has shown to achieved promising
results making it far superior in the context of image classifications compare to the deep learning approach. Transfer
learning is the reuse of a pre-trained model on a new problem. It's currently very popular in deep learning because it
can train deep neural networks with comparatively little data. This is very useful in the data science field [17, 18]
since most real-world problems typically do not have millions of labeled data points to train such complex models. In
transfer learning, a machine exploits the knowledge gained from a previous task to improve generalization about
another. Transfer learning has several benefits, but the main advantages are saving training time, better performance
of neural networks (in most cases), and not needing a lot of data [19].
For example, [20] propose a CNN-based architecture for malware classification. The malicious binary files are
represented as grayscale images and a deep neural network is trained by freezing the pre-trained VGG16 layers on the
Image Net dataset and adapting the last fully connected layer to the malware family classification. The evaluation
results show that our approach is able to achieve an average of 98% accuracy for the MALIMG dataset.
As stated by [20] that this study can be considered as an introduction to many new experiments in the field of using
transfer learning for malware classification. However, the Drawbacks of VGG Net are long training time, Heavy
model, computationally expensive and Vanishing/exploding gradient problem.
After VGG Nets, as CNNs were going deep, it was becoming hard to train them because of vanishing gradients
problem that makes the derivate infinitely small. Therefore, the overall performance saturates or even degrades. The
idea of skips connection came from highway network where gated shortcut connections were used hence the rapid
434 Zahraddeen Bala et al. / Procedia Computer Science 212 (2022) 429–440
6 Zahradden Bala / Procedia Computer Science 00 (2019) 000–000

development of ResNets to address the shortcomings of VGG Nets Vanishing/exploding gradient problem. Hence this
study will employ transfer learning technique base on CNN architecture specifically the ResNet architecture.

3. Methodology

In this study, we offer an improve and effective way to detect malware utilizing transfer learning methodology to
train our CNN model based on ResNet pre-trained model on larger dataset in order to reduce the cost of artificial
feature engineering on large datasets. The work is based on the recent approach in [20] that allows for reading a
specific malware binary as a vector of 8-bit unsigned integers and then organizing them into a 2D array. This approach
allows for the display of malware as an image. Lastly, this can be seen as a grayscale image in the [0,255] range (0:
black, 255: white). Through this presentation, we are able to see malware from the same family that looks quite similar
to one another. However, because this malware visualization is based on binary code, if a malware writer decides to
produce a new malware by altering the code of an existing malware, the new malware will be visualized using an
image that is remarkably similar to the original. Then, we may quickly classify it into the same family using our later-
presented classification model (CNN).
In order to alter and retrain ResNet-18, a pretrained convolutional neural network, to perform image classification
on an android malware dataset, this study uses transfer learning. A CNN's general framework consists of the following
two elements: the initial stage's feature extractor and classifier:

Fig. 1 CNN architecture

The transfer learning is to replace the Classifier component of the pre-trained model, ResNet-50 in our case, from
Residual Network family with a customized classifier to resolve our classification problem. Thus, we will replace the
last layer of the ResNet 50 (Fig. 1), which takes a probability for each of the 1000 classes in the ImageNet and replaces
it with a Fully Connected layer that takes 25 probabilities corresponding to 25 families of malwares. This way, we
will use all the knowledge that ResNet-50 has trained on the ImageNet dataset and apply it to our malware
classification problem. Fig. 2 depict the architecture of the ResNet.
7 Zahradden Bala / Procedia Computer Science 00 (2019) 000–000
Zahraddeen Bala et al. / Procedia Computer Science 212 (2022) 429–440 435

Fig. 2 ResNet Architecture

The input layer is an RGB image with a fixed size of 224 224. The image is then processed through a stack of
convolutional layers with filters that are 3 x 3 and stride 1. The padding and maxpool layers are always 2x2 filters
with stride 2. Last but not least, it features two fully linked layers for classification and a SoftMax for output. The
frame work for the proposed model is depicted in Fig. 3.

Fig. 3 Model for the proposed system

436 Zahraddeen Bala et al. / Procedia Computer Science 212 (2022) 429–440
8 Zahradden Bala / Procedia Computer Science 00 (2019) 000–000

ResNet network converges quicker than its basic predecessor. In comparison to a shallow network, the training
results of the deeper ResNet are better. The 50 in ResNet-50 refers to its total of 50 layers, which are made up of 48
Convolution layers, 1 MaxPool layer, 1 Average Pool layer, a fully connected layer with 1000 nodes at the end, and
a SoftMax function layer. This study will use the MalImg dataset from [21], which includes 9435 grayscale photos of
malwares bundled with UPX and was gathered from 25 families. The results are evaluated using accuracy, precision
and recall.

4. Experimental Setup

In order to pre-train the network and fine-tune it using a malware image dataset, the dataset was imported
into the simulation program and fed to ResNet. The transfer learning convolutional neural network (TL-CNN)
classifier model then performed additional training on the network. Following the simulation, the classifier's accuracy
was estimated using the classification accuracy. MATLAB R2021a was used to implement the developed CNN
classifier model. The system in use is a 12-gigabyte (GB) HP laptop with a 1 TB hard drive and a Pentium ® Core i7
CPU running Windows 10 operating system.

The created Android malware image classifier leverages transfer learning pre-trained on ResNet and then
fine-tunes them on the malware images to distinguish between benign and malicious images using TL-CNN
architectures. The simulation results are analyzed and compared in three separate phases, including accuracy,
precision, and computing time, to choose the model that performs the best. The sample of malware images is shown
in Figure 4.

Fig. 4. Sample malware and benign images from the datsets

Next, we split the data into training and test sets and load the pre-trained Network (ResNet). ResNet is a pre-
trained network trained on 1000 object categories. ResNet is available as a support package on File Exchange. We
further Modify Pre-trained Network ResNet which was trained to recognize 1000 classes; hence we need to modify it
to recognize just 2 classes which is benign and malignant. After training the network with the parameter’s settings in
Table 1. The network can accurately detect and classify Images using the fine-tuned network, and calculate the
classification accuracy, precision, and recall. The setup for the parameter settings is further presented in Table 1.
 Zahraddeen Bala et al. / Procedia Computer Science 212 (2022) 429–440 437
9 Zahradden Bala / Procedia Computer Science 00 (2019) 000–000

Table 1. parameter settings

Parameter Settings
Image Input layer 1
Convolution’s layer 2
ReLu 1
Max pool layer 1
Fully connected layer 1
Softmax layer 1
Max epoch 10
Max iterations 400
Transposed Conv2d Layer 4
Gradient Threshold 1
Initial Learn Rate 0.0003
Learn Rate Schedule piecewise
Learn Rate Drop Period 125
Mini Batch Size 64
Verbose 0

5. Result and Discussion

The outcome of the network simulation performed using MATLAB 2021a is shown in this section. The
findings are shown in tabular and graphical formats, and they are analysed using standard performance classification
evaluation metrics for malware applications. To measure the indices of precision, recall, and accuracy to assess the
effectiveness of the proposed transfer deep learning model in detecting Android malware.; the results are shown in
Table 2.
Table 2. Overall detection performance against other different classifiers
Model Precision (%) Recall (%) Accuracy (%)
Proposed model 98.22 97.19 97.24
DBN-GRU 95.79 97.62 96.82
SVM 88.38 92.38 90.57
KNN 83.90 81.90 83.36
NB 78.45 86.67 82.27
DBN 93.06 95.71 94.55
GRU 91.16 93.33 92.50

Table 2. Show the outcomes of the proposed system in comparison to the other related approaches. It serves
as further evidence of the suggested model's superiority compare to another algorithm. In terms of accuracy, precision,
and recall, the proposed system performed better. The evaluation is further broken down according to the metrics for
easy discussion and analysis as shown in Fig. 5.
438 Zahraddeen Bala et al. / Procedia Computer Science 212 (2022) 429–440
10 Zahradden Bala / Procedia Computer Science 00 (2019) 000–000

120

100

80

60

40

20

0
Proposed DBN-GRU SVM KNN NB DBN GRU
model

Precision Recall Accuracy

Figure 5. Performance comparison against other different classifiers

5.1 Classification Accuracy

This measure of performance is concerned with the model's accurate prediction. Table 2 displays the
outcomes of the proposed system when compared to the reference study. It also indicates the superiority of the
suggested model over the competing method. Clearly from Table. 2. The proposed model achieved the best
classification accuracy compared to the other conventional machine learning approach. This over all result is further
depicted in Fig. 5. From on Table 2 It is noticed that the Proposed model attained an average accuracy score of 97.24%,
which is the best detection accuracy, followed by the Hybrid DBN-GRU, with an average accuracy score of 96.82%.
The accuracy levels of the other deep learning algorithms (DBN and GRU) are competitive, with 94.55% and 92.50%,
respectively. These findings imply that deep learning algorithms perform better overall than traditional machine
learning methods (SVM 90.57%, KNN 83.36%, and NB 82.27%). This is because most of the features in traditional
machine learning approaches need to be extracted by a separate feature extractor to decrease the complexity of the
data and make the data patterns more obvious for learning algorithms to work. The main benefit of deep learning
algorithms, as previously explained, is that they attempt to incrementally learn high-level features from data. Complex
feature extraction and specialisation are extracted automatically thereby making deep learners achieved better
detection accuracies than traditional machine learning techniques.
In addition, the transfer learning approach utilized in this study has allowed the model to train more quickly
and accurately than any of the methods used in the benchmark approaches. The best accuracy was reached by the
proposed model in 22 seconds and 10 epochs. This is due to the flexibility of transfer learning, which permits the use
of previously trained models directly, as feature extraction pre-processing, and merged into completely new models.
Through transfer learning, a computer can use its understanding of one activity to better generalize about another.
5.2 Precision
Precisions tell us how precise a model. The results obtained was depicted earlier in Table 2. From Table 2. The
proposed model achieved a better precision compared to other approaches. This overall result is graphically depicted
in Figure 5. For better understanding on how the trend continues. From figure 5, It can be noticed that the Proposed
model attained an average precision score of 98.22%, which is the best precision rate compare to the other approaches,
followed by the hybrid DBN-GRU, with an average precision score of 95.79%. The precision of the DBN and GRU
deep learning algorithms, which also produce competitive results, is 93.16% and 91.16%, respectively. Once more,
deep learning algorithms have shown themselves to be more effective than traditional machine learning ones.
 Zahraddeen Bala et al. / Procedia Computer Science 212 (2022) 429–440 439
11 Zahradden Bala / Procedia Computer Science 00 (2019) 000–000

5.3 Recall
Recall aids in elucidating the degree to which the accuracy is precise. From Table 5. The DBN-GRU model
performed better than the proposed model in terms of recall. The proposed model, which attained an average score of
97.19% which was second best compare to the DBN-GRU which had the highest precision score 97.62%. However,
the proposed model's overall detection rate is much higher than all the algorithms used for comparison, despite the
DBN-GRU's performance. This finding suggests that, in comparison to the conventional method of building a model
from scratch, transfer learning has the advantage of taking less time to train a learning model and can produce better
accuracy and lower generalization error.

6. Conclusion

Transfer learning addresses the issue of how to use a large amount of labeled data based on pre-trained Deep
Learning models on massive image datasets to solve related but distinct problems in a target domain, even when the
training and testing problems have different distributions or features, thus addressing the issue of training a model
from scratch. Thus, in this research, we proposed a CNN-based architecture for classifying malware. The developed
Android malware image classifier uses transfer learning pre-trained on ResNet and then fine tune on the malware
photos to distinguish between benign and malicious images. The simulation results are examined and contrasted in
three stages, including accuracy, precision, and computing time, to choose the model that performs the best. According
to experimental findings, the proposed model had the highest detection accuracy, achieving an average accuracy of
97.24%, followed by the hybrid DBN-GRU, which attained an average accuracy of 96.82%. The accuracy of the other
deep learning methods (DBN and GRU) is 94.55% and 92.50% respectively which was also a competitive result.
These findings imply that deep learning algorithms perform better overall than traditional machine learning methods
which includes (SVM with 90.57%, KNN with 83.36%, and NB with 82.27%). This suggests that the transfer learning
strategy utilized in this study has made it possible for the model to train more quickly and accurately than it could
have under any other method currently in use.
Despite the performance of the proposed model, it is important to note that the DBN-GRU takes first place
for recall score. As a result, we advise applying a novel strategy for parameter tuning that may boost the model's
overall generalization in terms of accuracy, precision, and recall.

Acknowledgments

This study was supported by the Tertiary Education Trust Fund (TETFund) Institutional Based Research (IBR)
Fund, through the directorate of Research and Innovation of Abubakar Tafawa Balewa University, Bauchi.

References
1. Lu, R., Malware Detection with LSTM using Opcode Language. arXiv preprint arXiv:1906.04593, 2019.
2. Ren, Z., et al., End-to-end malware detection for android IoT devices using deep learning. Ad Hoc Networks, 2020. 101: p. 102098.
3. Surendran, R., T. Thomas, and S. Emmanuel, A TTAN-based hybrid model for android malware detection. Journal of Information
Security and Applications, 2020. 54: p. 102483.
4. Odusami, M., et al. Android malware detection: A survey. in International Conference on Applied Informatics. 2018. Springer.
5. Liu, Y., et al., Deep Learning for Android Malware Defenses: a Systematic Literature Review. arXiv preprint arXiv:2103.05292, 2021.
6. Sharma, S., C.R. Krishna, and S.K. Sahay, Detection of advanced malware by machine learning techniques, in Soft Computing: Theories
and Applications. 2019, Springer. p. 333-342.
7. Qian, F., et al., Potential analysis of the transfer learning model in short and medium-term forecasting of building HVAC energy
consumption. Energy, 2020. 193(C).
8. Rehman, Z.-U., et al., Machine learning-assisted signature and heuristic-based detection of malware in Android devices. Computers &
Electrical Engineering, 2018. 69: p. 828-841.
9. McLaughlin, N., et al. Deep android malware detection. in Proceedings of the Seventh ACM on Conference on Data and Application
Security and Privacy. 2017.
10. Martín, A., V. Rodríguez-Fernández, and D. Camacho, CANDYMAN: Classifying Android malware families by modelling dynamic
traces with Markov chains. Engineering Applications of Artificial Intelligence, 2018. 74: p. 121-133.
11. Saif, D., S. El-Gokhy, and E. Sallam, Deep Belief Networks-based framework for malware detection in Android systems. Alexandria
engineering journal, 2018. 57(4): p. 4049-4057.
12. Arshad, S., et al., Samadroid: a novel 3-level hybrid malware detection model for the android operating system. IEEE Access, 2018. 6:
p. 4321-4339.
13. Lu, T., et al., Android malware detection based on a hybrid deep learning model. Security and Communication Networks, 2020. 2020.
14. Singh, J., et al., Deep Feature Extraction and Classification of Android Malware Images. Sensors, 2020. 20(24): p. 7013.
440 Zahraddeen Bala et al. / Procedia Computer Science 212 (2022) 429–440
12 Zahradden Bala / Procedia Computer Science 00 (2019) 000–000

15. Alzaylaee, M.K., S.Y. Yerima, and S. Sezer, DL-Droid: Deep learning based android malware detection using real devices. Computers
& Security, 2020. 89: p. 101663.
16. Pei, X., L. Yu, and S. Tian, AMalNet: A deep learning framework based on graph convolutional networks for malware detection.
Computers & Security, 2020. 93: p. 101792.
17. Jónsson, B.A., et al., Brain age prediction using deep learning uncovers associated sequence variants. Nature communications, 2019.
10(1): p. 1-10.
18. Chen, C.-L., et al., Generalization of diffusion magnetic resonance imaging-based brain age prediction model through transfer learning.
Neuroimage, 2020. 217: p. 116831.
19. Kimura, N., et al., Convolutional neural network coupled with a transfer-learning approach for time-series flood predictions. Water,
2020. 12(1): p. 96.
20. Prima, B. and M. Bouhorma Using Transfer Learning for Malware Classification. The International Archives of Photogrammetry,
Remote Sensing and Spatial Information Sciences, 2020. 44: p. 343-349.
21. Nataraj, L., et al. Malware images: visualization and automatic classification. in Proceedings of the 8th international symposium on
visualization for cyber security. 2011.