On the Influence of Image Settings in Deep Learning-based Malware

Detection

Francesco Mercaldo

1,2

, Fabio Martinelli

2

, Antonella Santone

1

and Vinod P.

deep learning techniques, modeling applications like images. In state-of-the-art, several methods are proposed,

each of one using a different kind of images and a different dimension of images: currently these are not

standard settings for image preprocessing in Android malware detection. The aim of this paper is to compare

different deep learning models performances to understand the best settings in terms of kind of image and

image dimension. The idea is to trace a path in order to indicate the optimal settings for processing a dataset

for malware detection using deep learning.

1 INTRODUCTION

Mobile devices quickly attracted the interest of the at-

tackers, and it is easy to understand the reason why

if compared with PC platforms, in our smartphones

view (Xiao et al., 2019).

Mobile operating systems producers tried to rem-

edy to this rampant spread of malicious software

aimed to spy infected users. For instance, Google in

order to consent the publication of a new app on Play

Store (the official market for Android users) requires a

deep scan of the app aimed to find possible malicious

activities. Indeed, the new app must be submitted to

Bouncer (Oberheide and Mille, 2012), an automatic

application scanning system introduced in 2012 with

malware technologies, it is possible to mark a ma-

licious sample as malware only if their signature is

present into the anti-malware repository (and conse-

quently it is not possible to detect zero-day threats.

(Mercaldo et al., 2016b), (Mercaldo et al., 2016a)).

With regard to the dynamic analysis, the app is

ran for a limited time window (5 minutes): in case the

app does not exhibit the malicious behaviour in this

period passes this test (Mercaldo and Santone, 2021).

Furthermore, usually malware is able to understand

whether it is executed on a virtual environment (in

The current defense mechanism from malicious

software is represented by anti-malware software,

currently based on the extraction of the so-called sig-

nature. Basically the anti-malware vendor release a

repository of signature, each signature is related to

a specific malicious behaviour. The signature is ob-

tained from information gathered from the samples,

and they are in form of string. This mechanism has

two principal drawbacks: first of all the signature ex-

et al., 2013; Rastogi et al., 2014) (for this reason

malware writers produce several variants exhibiting

the same malicious behavior by applying obfuscation

techniques, usually with automatic framework).

Considering the weaknesses of the defense

mechanisms (for example, Bouncer and the cur-

rent signature-based anti-malware technologies), re-

techniques proposed by current state-of-the-art litera-

ture aimed to detect malware, with particular regard

to the Android operating systems.

The techniques currently employed are basically

based on static (i.e., the application is analysed with-

out the need to analysed it) and dynamic (i.e., the ap-

plication must be run to analyse the behaviour). With

the advent of the deep learning techniques, that are

mainly working of images, also in malware analysis

research field, we are witnessing an increase in the

size of the input image. In this paper we propose a

comparison between different deep learning models,

in particular we evaluate the effectiveness of models

trained with both greyscale and color images, also us-

ing different input image sizes, in order to find the

ideal settings in terms of image size and type of im-

ages for the malware detection task in the Android

environment.

Image based malware detection considers the rep-

resentation of mobile binaries as gray-scale or RGB

independent i.e., there is no need to reverse engineer

the application code to extract some kind of feature

from the source code.

nutshell we design a deep learning network and we in-

droid environment.

The paper proceeds as follows: in the next section

we present the proposed deep learning network, Sec-

tion 3 shows the results of the different experiments

we performed, in Section 4 current state-of-the-art in

mobile malware detection is discussed and, finally, in

last section conclusion and future research directions

are drawn.

2 METHOD

In this section we describe the proposed method

of a gray-scale and RGB PNG image (Bhodia et al.,

2019; Nataraj et al., 2011). We consider a predefined

width of 256, and a variable length, depending on the

size of the binary. We developed a script to encode

any binary file into two different lossless (greyscale

and RGB) PNG.

In detail the script, developed by authors, is based

on following steps:

1. each bytes of the binary file are converted to num-

bers (0-255), which will then define a pixel color;

where this number is stored as an 8-bit integer giv-

ing a range of possible values from 0 to 255. Typi-

cally zero is taken to be black, and 255 is taken to be

white. Values inbetween make up the different shades

of gray.

In Figure 2 we show the architecture of the pro-

posed deep learning network.

The proposed network is composed by 12 differ-

ent layers, in detail we exploit a combination of fol-

lowing layers:

tial dimensions (height and width) by taking the

ron in the dense layer receives input from all neu-

a matrix-vector multiplication. The values used

3 EXPERIMENTAL RESULTS

side polymorphic, which means the server could

Table 1: Number of samples for the top 10 families with

installation details (standalone, repackaging, update), kind

of attack (trojan, botnet) and events that trigger malicious

payload.

quest. There are variants of FakeInstaller that not

only send SMS messages to premium rate num-

bers, but also include a backdoor to receive com-

mands from a remote server. There is a large

number of variants for this family, and it has dis-

tributed in hundreds of websites and alternative

markets. The members of this family hide their

malicious code inside repackaged version of pop-

ular applications. During the installation process

the malware sends expensive SMS messages to

break out of the Android security container. When

it runs, it decrypts these exploits and then contacts

a remote server without the user knowing.

3. Plankton uses an available native functionality

(i.e., class loading) to forward details like IMEI

and browser history to a remote server. It is

present in a wide number of versions as harmful

adware that download unwanted advertisements

and it changes the browser homepage or add un-

wanted bookmarks to it.

is written with an algorithm that can change shape

over time so to evade any detection by signature

based antimalware.

to a remote website, as well as install applica-

tions without user interaction. It is also a tro-

jan application and similarly to the DroidKungFu

family the malware starts its malicious services

as soon as it receives a BOOT COMPLETED

or USER PRESENT intent. The malware can

successfully avoid detection by mobile anti-virus

software by using polymorphic techniques to hide

malicious code, obfuscating class names for each

infected object, and randomizing package names

and self-signed certificates for applications.

mote server running one ore more malicious ser-

vices in background, like IMEI, IMSI and other

files to premium-rate numbers. BaseBridge mal-

that displays botnet-like capabilities. Once the

malware is installed, it has the potential to receive

commands from a remote server that allows the

owner of that server to control the phone. Gein-

imi makes use of a bytecode obfuscator. The mal-

ware belonging to this family is able to read, col-

lect, delete SMS, send contact informations to a

remote server, make phone call silently and also

launch a web browser to a specific URL to start

files download.

gained root access to device to access unique iden-

tification information. This malware could also

downloads additional malicious programs without

the user’s knowledge as well as open the phone up

to control by hackers. The name derives from the

fact that it was set up to run between the hours of

11pm and 8am when users were most likely to be

sleeping and their phones less likely to be in use.

tained for different dataset preprocessing.

Table 2 show the analysis results. For the eval-

(AUC).

We split the dataset into three parts: Training, Val-

idation and Testing. In the training dataset there are

the sample of data used to fit the model. In the val-

idation dataset there are the sample of data used to

provide an unbiased evaluation of a model fit on the

training dataset while tuning model hyperparameters.

The evaluation becomes more biased as skill on the

validation dataset is incorporated into the model con-

figuration. In the test dataset there are the sample of

data used to provide an unbiased evaluation of a final

obtained by exploited the Greyscale images. In fact

by exploiting this data format the precision, the recall

and the accuracy obtained is equal to 0.99. We evalu-

ated the classification performances exploiting RGB

images of different dimensions i.e., 32x32, 64x64,

128x128 and 256x256. All the RGB experiments

show a decrease in the classification performances, if

compared to the ones obtained by the Greyscale im-

ages. In fact, the accuracy is ranging from 0.9818

(with RGB images with a size of 32x32) to 0.985

classifier that exploits the rich semantics of Intents,

i.e., a messaging object of the Android communica-

tion system describing the operations that an applica-

tion intends to perform and that can be extracted from

the code. The cited paper shows that the use of An-

droid Intents allows obtaining a better detection ratio

that the use of permissions (Canfora et al., 2013).

Methods based on static analysis do not require

infecting any device nor do they require any instru-

mented platform for collecting data during execution

A classification method based on features col-

lected both statically and dynamically is proposed

authors employ a machine learning technique with the

aim of classifying Android applications using a fea-

ture set gathered from static and dynamic analysis of

a set of known malicious and legitimate mobile appli-

cation based solely on dynamic features. The frame-

work consists of a form of Host-based Malware De-

tection System able to monitor features (i.e., CPU

consumption, number of packets sent through the net-

work, number of running processes and battery level)

and events obtained from the mobile device during

execution.

A combination of static and dynamic techniques is

used in (Blasing et al., 2010) for analyzing suspicious

Android applications. The approach consists, essen-

2011) hypothesized that there is a strong correla-

tion between mobile devices power consumption pat-

tern and location and studied power consumption data

from twenty smartphone users collected over a period

of three months. They tested the method on a Nokia

5500 Sport to evaluate real-world mobile malware.

Method proposed in reference (Kim et al., 2008) con-

sists in a power-aware malware-detection framework

monitoring and detecting unknown energy-depletion

threats. Their solution is composed of (1) a power

ples, and (2) a data analyzer which generates a power

signature from the constructed history. To generate a

head. They conducted the experiment using an HP

iPAQ running a Windows Mobile OS.

Recently, researchers from both the academic and in-

dustrial word are proposing methods to detect mal-

ware, with particular regard to the Android environ-

ment, exploiting images and deep learning. Differ-

ent authors typically perform a preprocessing of the

dataset using different size of images and different

format (i.e., Greyscale and RGB). For this reason in

this paper we input a deep learning architecture with

types of images (i.e., Greyscale and RGB) and dif-

ferent sizes for the RGB images (i.e., 32x32, 64x64,

cessing. From the experimental results it emerges that

the Greyscale image is able to outperform the RGB

ones, regardless of the size used by the latter. As

future work, we are currently investigating whether

the same considering emerging from the experimen-

tal analysis we presented can be demonstrated on mal-

ware working on different operating systems i.e., iOS

and Microsoft Windows.

mobile devices.

Faiella, M., La Marra, A., Martinelli, F., Mercaldo, F.,

rity (ARES), 2016 11th International Conference on,

pages 372–381. IEEE.

Gandotra, E., Bansal, D., and Sofat, S. (2014). Malware

analysis and classification: A survey. Journal of In-

formation Security, 5(02):56.

Google (2015). Play. https://play.google.com/store.

Kim, H., Smith, J., and Shin, K. G. (2008). Detecting

energy-greedy anomalies and mobile malware vari-

ants. In Proceedings of the 6th international confer-

ence on Mobile systems, applications, and services.

Martinelli, F., Mercaldo, F., Nardone, V., Santone, A., San-

gaiah, A. K., and Cimitile, A. (2018). Evaluating

model checking for cyber threats code obfuscation

identification. Journal of Parallel and Distributed

Computing, 119:203–218.

Martinelli, F., Mercaldo, F., and Santone, A. (2019). So-

cial network polluting contents detection through deep

learning techniques. In 2019 International Joint Con-

ference on Neural Networks (IJCNN), pages 1–10.

IEEE.

somware inside out. In Availability, Reliability and

Security (ARES), 2016 11th International Conference

on, pages 628–637. IEEE.

Mercaldo, F., Nardone, V., Santone, A., and Visaggio, C. A.

ference on, pages 261–262. IEEE.

Mercaldo, F., Nardone, V., Santone, A., and Visaggio,

C. A. (2016c). Ransomware steals your phone. for-

ponents, and Systems, pages 212–221. Springer.

Mercaldo, F. and Santone, A. (2021). Audio signal process-

ing for android malware detection and family identi-

fication. Journal of Computer Virology and Hacking

Techniques, 17(2):139–152.

bouncer. In SummerCon.

Parnas, D. L. (2017). The real risks of artificial intelligence.

Communications of the ACM, 60(10):27–31.

Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis,

M., and Ioannidis, S. (2014). Rage against the virtual

machine: hindering dynamic analysis of android mal-

ware. In Proceedings of the Seventh European Work-

shop on System Security, page 5. ACM.

Rastogi, V., Chen, Y., and Jiang, X. (2013). Droid-

chameleon: evaluating android anti-malware against

Forensics and Security, 9(1):99–108.

Shabtai, A., Kanonov, U., and Elovici, Y. (2010). Intrusion

detection for mobile devices using the knowledge-

based, temporal abstraction method. In Journal of Sys-

tems and Software, 83(8):1524–1537.

Shabtai, A., Kanonov, U., Elovici, Y., Glezer, C., and Weiss,

Y. (2012). “andromaly”: a behavioral malware detec-

tion framework for android devices. Journal of Intel-

ligent Information Systems, 38(1):161–190.

Spreitzenbarth, M., Echtler, F., Schreck, T., Freling, F. C.,

In Proceedings of the 2014 ACM SIGSAC Conference

on Computer and Communications Security, pages

1329–1341. ACM.

Xiao, X., Zhang, S., Mercaldo, F., Hu, G., and Sangaiah,

A. K. (2019). Android malware detection based on

system call sequences and lstm. Multimedia Tools and

Applications, 78(4):3979–3999.

Zhou, Y. and Jiang, X. (2012). Dissecting android mal-

ware: Characterization and evolution. In Proceed-

ings of 33rd IEEE Symposium on Security and Privacy