An Explainable Convolutional Neural Network for Dynamic Android Malware Detection

Mobile devices, in particular the ones powered by the Android operating system, are constantly subjected to attacks from malicious writers, continuously involved in the development of aggressive malicious payload aimed to extract sensitive and private data from our smartphones and mobile devices. From the defensive point of view, the signature-based approach implemented in current antimalware has largely demonstrated its inefficacy in fighting novel malicious payloads but also old ones, when attackers apply (even simple) obfuscation techniques. In this paper, a method aimed to detect malware attacking mobile platforms is proposed. We exploit dynamic analysis and deep learning: in particular, we design the representation of an application as an image directly generated from the system call trace. This representation is then exploited as input for a deep learning network aimed to discern between malicious or trusted applications. Furthermore, we provide a kind of explainability behind the deep learning model prediction, by highlighting into the image obtained from the application under analysis the areas symptomatic of a certain prediction. An experimental analysis with more than 6000 (malicious and legitimate) Android real-world applications is proposed, by reaching a precision of 0.715 and a recall equal to 0.837, showing the effectiveness of the proposed method. Moreover, examples of visual explainability are discussed with the aim to show how the proposed method can be useful for security analysts to better understand the application malicious behaviour.