DroidRL: Reinforcement Learning Driven Feature Selection for Android Malware Detection
share
Due to the completely open-source nature of Android, the exploitable vulnerability of malware attacks is increasing. Machine learning has led to a great evolution in Android malware detection in recent years, which is typically applied in the classification phase. Applying neural networks to feature selection phase is another topic worth investigating, while the correlation between features could be ignored in some traditional ranking-based feature selection algorithms. And it is time-consuming for exploring all possible valid feature subsets when processing a large number of Android features using a wrapper-based approach. Attempting to tackle the problem of computational expense and the vulnerability of the syntax integrity of multi-source data, this paper proposed the DroidRL framework. The main idea is to apply Double DQN(DDQN) algorithm to select a subset of features that can be effectively used for malware classification. To select a better subset of features over a larger range, the exploration-exploitation policy is applied in the model training phase. The RNN is used as the decision network of DDQN to give the framework the ability to sequentially select features. Word embedding is applied for feature representation to enhance the framework's ability to find the semantic relevance of features. On one hand, The framework's feature selection exhibits high performance without any human intervention. On the other hand, the proposed framework can easily be ported to other feature selection tasks with some minor changes. The experiment results compared with different classifiers, decision networks, and related work showed a significant effect using the Random Forest classifier, reaching 95.6 features selected.
READ FULL TEXT