Graduate student: 陳立凱
Li-Kai Chen
Thesis title: 結合自然語言處理與可解釋性技術之Android惡意程式分析加速研究
Accelerating Android Malware Analysis by Combining Natural Language Processing and Interpretability Technique
Advisor: 陳奕明
Yi-Ming Chen
Oral examination committee:
Degree: 碩士
Master
Department: College of Management - Department of Information Management
Department of Information Management
Year of publication: 2023
Academic year of graduation: 111 (ROC calendar)
Language: Chinese
Number of pages: 73
Chinese keywords: Android malware, deep learning, opcode, natural language processing, interpretability
English keywords: Android malware, Deep learning, Opcode, Natural Language Processing, Explainable AI
Access statistics: views: 15, downloads: 0
    With the rapid development of technology, people's lives have become inseparable from the internet, whether through computers, smartphones, smart bands or other products, and among these the smartphone is by far the most frequently used. This trend has been accompanied by steady growth in mobile malware, which poses a serious threat to the use of mobile devices. This study takes Android, the mobile operating system with the largest market share, as its subject. To cope with the rapid growth of mobile malware, the system uses static analysis to extract opcodes from APK (Android Application Package) files and builds a natural language processing model on them that learns the relationships between opcodes; this strengthens the feature representation so that an opcode sequence can be expressed with fewer features. The opcodes are then converted into vectors by the language model and fed to a classifier for training, which determines whether an APK is a malicious application. Because fewer features are used, training is faster and training cost falls. As malware grows rapidly there are ever more unknown samples, and when possible false positives arise researchers can only inspect them one by one; limited manpower cannot keep up with such a volume of malicious applications. This study therefore applies the interpretability technique SHAP to the trained model to produce explanation data, from which indicators are built that single out the samples most likely to be false positives. Researchers can then analyze these valuable samples first, raising their efficiency, and once these unknown samples have been analyzed they can be added to the training set so that the model can handle them.


    With the rapid development of technology, people's lives are closely tied to the internet, whether through computers, smartphones, or smartwatches, among which smartphones are used most frequently. However, this situation has also led to the growth of malicious software on mobile devices, which can put the use of mobile devices at serious risk. This study focuses on Android, the mobile operating system with the highest market share, to address the rapidly growing environment of mobile malware. The system uses static analysis to extract the opcodes from the APK file and builds a Natural Language Processing (NLP) model to learn the relationships between opcodes, enhancing the feature representation so that opcode sequences can be expressed with fewer features. The opcodes are then converted into vectors through the NLP model and input into the classifier for training, to detect whether the APK is a malicious application. Because fewer features are used, training speed can be improved and training costs are reduced. As malicious programs grow rapidly, there will be more and more unknown samples. When facing possible false alerts, researchers can only check them one by one. Therefore, this study uses the interpretability technique SHAP to analyze the trained models and generate XAI data, then builds indicators from these data that filter out the samples more likely to be false positives, so that researchers can analyze these valuable samples first, increasing researchers' efficiency.

    Table of contents:
    Abstract (Chinese) I
    Abstract II
    Acknowledgements III
    Table of Contents IV
    List of Figures VI
    List of Tables VIII
    1. Introduction 1
    1.1. Research Background 1
    1.2. Research Motivation and Objectives 3
    1.3. Research Contributions 4
    1.4. Thesis Organization 5
    2. Related Work 6
    2.1. Android Malware Detection 6
    2.2. NLP-based Detection 11
    2.3. Applications of Interpretability Techniques 16
    2.4. Summary of Related Work 21
    3. Methodology 23
    3.1. System Architecture 23
    3.1.1. Feature Extraction Module 24
    3.1.2. Natural Language Processing Module 25
    3.1.3. Classification Module 27
    3.1.4. XAI Module 27
    3.2. Evaluation Metrics 29
    3.3. System Workflow 31
    3.3.1. Training Workflow 31
    3.3.2. Testing Workflow 32
    4. Experiments and Evaluation 33
    4.1. Experimental Environment and Datasets 33
    4.2. Performance Comparison of Different Classifiers 36
    4.2.1. Experiment 1 (Drebin) 36
    4.2.2. Experiment 2 (CICMalDroid2020) 39
    4.2.3. Experiment 3: Performance Comparison of Top-N Opcodes 40
    4.3. Effectiveness of the Proposed Method 41
    4.3.1. Experiment 4: Performance Comparison 41
    4.3.2. Experiment 5: Family Classification 43
    4.4. Application of Interpretability Techniques 45
    4.4.1. Experiment 6: Filtering Misclassifications 45
    4.4.2. Experiment 7: Retraining after Removing Specific Samples 46
    4.5. Summary of Experiments 51
    5. Conclusions and Future Work 53
    5.1. Research Summary 53
    5.2. Limitations and Future Research 55
    References 57

