ANDROID MALWARE DETECTION FRAMEWORK USING ATTENTION-BASED DEEP LEARNING

Abstract

The persistent rise of Android malware, coupled with the platform's dominance in the global mobile ecosystem, presents a critical challenge for cybersecurity researchers and practitioners. Traditional malware detection approaches, primarily reliant on static or dynamic analysis, have struggled to keep pace with the rapidly evolving tactics of malicious actors, including code obfuscation and runtime evasion. This thesis addresses these challenges by developing a comprehensive and interpretable hybrid detection framework that leverages both static and dynamic features extracted from Android applications. Using the large-scale KronoDroid dataset—which integrates time-based features from real and emulated environments—an end-to-end methodology was established, encompassing rigorous data preprocessing, advanced feature engineering, and careful handling of class imbalance. A suite of classical machine learning models, including ensemble methods such as Extra Trees and Random Forest, was systematically evaluated to establish robust performance baselines. Building upon these results, advanced deep learning architectures—including convolutional neural networks (CNN), long short-term memory networks (LSTM), and a hybrid CNN-LSTM model with integrated attention mechanisms—were deployed to capture complex spatial and temporal patterns inherent in hybrid app data. To further enhance detection accuracy and robustness, a confidence-based ensemble strategy was developed, fusing the probabilistic outputs of the best-performing machine learning and deep learning models. Empirical results demonstrate that the proposed framework achieves state-of-the-art detection rates, with the attention-based CNN-LSTM model delivering significant gains in accuracy, interpretability, and resilience against both false positives and false negatives. The final ensemble fusion approach outperformed all standalone models, achieving an accuracy of 99.61% and minimizing error rates on the KronoDroid benchmark. Detailed analysis of feature importance and attention weights further confirms the practical relevance and transparency of the detection process. This research establishes a scalable, interpretable, and empirically validated blueprint for next-generation Android malware detection, offering actionable insights and a robust methodological foundation for future advances in the field.