A novel preprocessing method for solving long sequence problem in android malware detection

Traditional machine learning mostly uses N-gram methods for serialization data prediction, which is not only time-consuming in the pre-processing but also computationally expensive for the model. For the current common malware detection methods, a variety of features such as API, system call, control flow, and permissions are used for machine learning analysis. However, these features depend on expert analysis and to extract multiple features is also time-consuming. This study uses Dalvik opcode as a feature, which is information rich and easy to extract. However, for the time series features of the opcode, the LSTM model and other sequence models will need effective dimension reduction approach because of the long sequence problem and variable feature length, resulting in poor training performance and long training time. Some study uses the training Embedding layer and Autoencoder to reduce the feature dimension. This method requires a layer of network training time. Another method is through feature selection. This method will result in different results as long as the data set changes or the sequence semantic is lost after feature selection. Therefore, in order to solve the above problems, this paper proposes a new preprocessing method to solve the long sequence problem that the LSTM model will encounter, so as to achieve fast training and high accuracy. This study uses a new pre-processing approach combined with an LSTM model to detect malware and achieve 95.58% accuracy on Drebin 10 family and only take 45 seconds to train a model. In addition, in the face of the small training sample problems common to deep learning, this research experiment also proved effective.