Android Malware Classifier
Following publication of the first academic paper to apply deep learning to the detection of Android malware[1], written by CIST researchers, an internal project was established to build a demonstrator for the technology. The classifier was implemented on Android handsets, using the on-board GPU where one is available, and is now available for further commercialisation.
The deep neural network for malware classification takes as input the sequence of op-codes from a disassembled Android application (the .apk file) and looks for patterns of assembly instructions that are indicative of malware or of benign code. The network has been trained on a large dataset of real Android malware and benign software. We use a custom-designed convolutional network architecture, derived from natural language processing research, to learn the relevant op-code sequences. This architecture can be implemented efficiently on a GPU, allowing all the applications on a mobile device to be scanned in a matter of seconds. We have also shown that additional features, such as the permissions an application requests or the API calls it uses, can be incorporated into the architecture to further improve accuracy. The network has been tested against datasets of previously unseen malware, where it was shown to detect new malware accurately. This suggests that deep learning is a promising approach to effective protection against zero-day malware.
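The following is an added illustration, not the project's code or its trained model, of the mechanism the paragraph describes: a one-dimensional convolution over an op-code sequence behaves as an n-gram detector, and max-over-time pooling turns its activations into a position-independent per-application feature. The Dalvik mnemonic vocabulary, the two op-code sequences and the filter weights are constructed by hand for the example; in the real network the embedding and filter weights are learned from the training set.

```python
# Added illustration (not the project's code): a 1-D convolution over an
# op-code sequence as an n-gram detector, followed by max-over-time pooling.
# The vocabulary, sequences and filter weights are constructed for the example;
# the real network learns its embedding and filter weights from data.
from typing import Dict, List, Sequence

PAD = "<pad>"   # fills short sequences up to the fixed input length
UNK = "<unk>"   # any mnemonic not present in the vocabulary

# Constructed subset of Dalvik mnemonics; a real vocabulary covers every opcode.
VOCAB: Dict[str, int] = {PAD: 0, UNK: 1}
for _op in ["const/4", "const-string", "new-instance", "invoke-direct",
            "invoke-virtual", "invoke-static", "move-result-object",
            "iget-object", "if-eqz", "return-void"]:
    VOCAB[_op] = len(VOCAB)


def encode(opcodes: Sequence[str], max_len: int) -> List[int]:
    """Map mnemonics to integer ids and truncate/pad to the network's fixed input length."""
    ids = [VOCAB.get(op, VOCAB[UNK]) for op in opcodes[:max_len]]
    return ids + [VOCAB[PAD]] * (max_len - len(ids))


def one_hot(ids: Sequence[int]) -> List[List[float]]:
    """Embed ids as one-hot rows (seq_len x vocab_size); a trained model uses a learned embedding."""
    width = len(VOCAB)
    return [[1.0 if col == i else 0.0 for col in range(width)] for i in ids]


def ngram_filter(pattern: Sequence[str]) -> List[List[float]]:
    """Hand-set filter of width len(pattern): weight 1.0 where a row's one-hot matches the pattern."""
    weights = [[0.0] * len(VOCAB) for _ in pattern]
    for pos, op in enumerate(pattern):
        weights[pos][VOCAB[op]] = 1.0
    return weights


def conv1d(x: List[List[float]], w: List[List[float]]) -> List[float]:
    """Valid 1-D convolution along the sequence axis: one activation per window position."""
    k = len(w)
    return [sum(x[t + j][c] * w[j][c] for j in range(k) for c in range(len(VOCAB)))
            for t in range(len(x) - k + 1)]


def ngram_presence(opcodes: Sequence[str], pattern: Sequence[str], max_len: int = 32) -> float:
    """Max-over-time pooled activation, normalised to [0, 1]: 1.0 iff the n-gram occurs intact
    somewhere in the (truncated) sequence, a fraction for partial or reordered matches."""
    x = one_hot(encode(opcodes, max_len))
    acts = conv1d(x, ngram_filter(pattern))
    return max(acts) / len(pattern)


# Constructed op-code sequences standing in for two disassembled methods.
METHOD_A = ["const/4", "new-instance", "invoke-direct", "const-string",
            "invoke-virtual", "move-result-object", "return-void"]
METHOD_B = ["const/4", "if-eqz", "iget-object", "return-void"]
PATTERN = ["const-string", "invoke-virtual", "move-result-object"]

if __name__ == "__main__":
    print(ngram_presence(METHOD_A, PATTERN))   # pattern present at offset 3
    print(ngram_presence(METHOD_B, PATTERN))   # none of the pattern's opcodes occur
```

Two properties worth noting: the pooled feature is the same wherever the n-gram sits in the sequence, which is what makes a single filter useful across applications of very different lengths, and a `max_len` shorter than the offset of the pattern silently discards it, so the fixed input length is a tuning decision rather than a detail.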
[1] Niall McLaughlin, Jesus Martinez del Rincon, BooJoong Kang, Suleiman Yerima, Paul Miller, Sakir Sezer, Yeganeh Safaeisemnani, Erik Trickel, Ziming Zhao, Adam Doupé and Gail Joon Ahn. Deep Android Malware Detection. Proceedings of the ACM Conference on Data and Applications Security and Privacy (CODASPY) 2017. Association for Computing Machinery (ACM), 2017.