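Opcode
Computer science
Malware
Convolutional neural network
Android malware
Byte
Executable
Android (operating system)
Artificial intelligence
Mobile device
Machine learning
Pattern recognition (psychology)
Operating system
Authors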
Seung-Pil W. Coleman,Young-Sup Hwang
Source
Journal: Lecture Notes in Electrical Engineering
Date: 2021-01-01
Volume/issue: : 167-173
Citations: 1
Identifier
DOI:10.1007/978-981-33-6385-4_16
Abstract
Due to the popularity of the Android platform, there is a growth in the number of devices and threats. For this reason, it is essential to build reliable tools that can detect malware Android application packages (APK) on this platform. Creating effective models requires the use of rich features that are hard to generate. In this work, we extracted the Dalvik executable (.dex) byte-codes from APKs. Android application binaries are opcode sequences. Then, we trained one-dimensional convolutional neural networks (CNN) using those sequential data. These one-dimensional CNNs detect local features and reduce the feature size. We went even further to combine one-dimensional CNNs with a bi-directional long short-term memory network (LSTM) to detect malware. Experimental results show that our model, trained on a balanced number of samples, got an error rate of merely 5.4% on a dataset of 20,000.