Recent advancements in ML and DL have significantly improved Android malware detection, yet many methodologies still rely on basic static analysis, bytecode, or function call graphs that often fail to capture complex malicious behaviors. DexBERT, a pre-trained BERT-like model tailored for Android representation learning, enriches class-level representations by analyzing Smali code extracted from APKs. However, its functionality is constrained by its inability to process multiple Smali classes simultaneously. This paper introduces DetectBERT, which integrates correlated Multiple Instance Learning (c-MIL) with DexBERT to handle the high dimensionality and variability of Android malware, enabling effective app-level detection. By treating class-level features as instances within MIL bags, DetectBERT aggregates these into a comprehensive app-level representation. Our evaluation demonstrates that DetectBERT not only surpasses existing state-of-the-art detection methods but also adapts to evolving malware threats. Moreover, the versatility of the DetectBERT framework holds promising potential for broader applications in app-level analysis and other software engineering tasks, offering new avenues for research and development.
翻译:近年来,机器学习和深度学习的进展显著提升了安卓恶意软件检测水平,然而许多方法仍依赖于基础的静态分析、字节码或函数调用图,这些方法往往难以捕捉复杂的恶意行为。DexBERT是一种专为安卓表征学习设计的预训练类BERT模型,通过分析从APK中提取的Smali代码来丰富类级表征。然而,其功能受限于无法同时处理多个Smali类。本文提出DetectBERT,它将相关的多示例学习(c-MIL)与DexBERT相结合,以处理安卓恶意软件的高维性和变异性,从而实现有效的应用级检测。通过将类级特征视为MIL包中的实例,DetectBERT将这些特征聚合为全面的应用级表征。我们的评估表明,DetectBERT不仅超越了现有的最先进检测方法,还能适应不断演变的恶意软件威胁。此外,DetectBERT框架的通用性在应用级分析及其他软件工程任务中展现出广阔的应用潜力,为研究与开发提供了新的途径。