Table of Contents
Fetching ...

MalVis: A Large-Scale Image-Based Framework and Dataset for Advancing Android Malware Classification

Saleh J. Makkawy, Michael J. De Lucia, Kenneth E. Barner

TL;DR

MalVis addresses Android malware detection by transforming Dalvik bytecode into RGB images that encode both entropy and byte-sequence structure. The authors introduce a large-scale MalVis dataset (>1.3M images across ten classes) and propose two visualization approaches, MalVis-A (Classbyte) and MalVis-B (N-gram), evaluated on multiple CNNs and ensembles. Across binary and multiclass tasks, MalVis-B achieves state-of-the-art performance with high accuracy, F1, and ROC-AUC, while undersampling and ensemble techniques further boost robustness in imbalanced settings. The framework enhances interpretability by linking color channels to concrete malware behaviors such as obfuscation and structural irregularities, providing a valuable resource for researchers and security applications. The work has practical implications for scalable, explainable malware detection and sets the stage for further improvements in dataset breadth, visualization fidelity, and adversarial resilience.

Abstract

As technology advances, Android malware continues to pose significant threats to devices and sensitive data. The open-source nature of the Android OS and the availability of its SDK contribute to this rapid growth. Traditional malware detection techniques, such as signature-based, static, and dynamic analysis, struggle to detect obfuscated threats that use encryption, packing, or compression. While deep learning (DL)-based visualization methods have been proposed, they often fail to highlight the critical malicious features effectively. This research introduces MalVis, a unified visualization framework that integrates entropy and N-gram analysis to emphasize structural and anomalous patterns in malware bytecode. MalVis addresses key limitations of prior methods, including insufficient feature representation, poor interpretability, and limited data accessibility. The framework leverages a newly introduced large-scale dataset, the MalVis dataset, containing over 1.3 million visual samples across nine malware classes and one benign class. We evaluate MalVis against state-of-the-art visualization techniques using leading CNN models: MobileNet-V2, DenseNet201, ResNet50, and Inception-V3. To enhance performance and reduce overfitting, we implement eight ensemble learning strategies. Additionally, an undersampling technique mitigates class imbalance in the multiclass setting. MalVis achieves strong results: 95.19% accuracy, 90.81% F1-score, 92.58% precision, 89.10% recall, 87.58% MCC, and 98.06% ROC-AUC. These findings demonstrate the effectiveness of MalVis in enabling accurate, interpretable malware detection and providing a valuable resource for security research and applications.

MalVis: A Large-Scale Image-Based Framework and Dataset for Advancing Android Malware Classification

TL;DR

MalVis addresses Android malware detection by transforming Dalvik bytecode into RGB images that encode both entropy and byte-sequence structure. The authors introduce a large-scale MalVis dataset (>1.3M images across ten classes) and propose two visualization approaches, MalVis-A (Classbyte) and MalVis-B (N-gram), evaluated on multiple CNNs and ensembles. Across binary and multiclass tasks, MalVis-B achieves state-of-the-art performance with high accuracy, F1, and ROC-AUC, while undersampling and ensemble techniques further boost robustness in imbalanced settings. The framework enhances interpretability by linking color channels to concrete malware behaviors such as obfuscation and structural irregularities, providing a valuable resource for researchers and security applications. The work has practical implications for scalable, explainable malware detection and sets the stage for further improvements in dataset breadth, visualization fidelity, and adversarial resilience.

Abstract

As technology advances, Android malware continues to pose significant threats to devices and sensitive data. The open-source nature of the Android OS and the availability of its SDK contribute to this rapid growth. Traditional malware detection techniques, such as signature-based, static, and dynamic analysis, struggle to detect obfuscated threats that use encryption, packing, or compression. While deep learning (DL)-based visualization methods have been proposed, they often fail to highlight the critical malicious features effectively. This research introduces MalVis, a unified visualization framework that integrates entropy and N-gram analysis to emphasize structural and anomalous patterns in malware bytecode. MalVis addresses key limitations of prior methods, including insufficient feature representation, poor interpretability, and limited data accessibility. The framework leverages a newly introduced large-scale dataset, the MalVis dataset, containing over 1.3 million visual samples across nine malware classes and one benign class. We evaluate MalVis against state-of-the-art visualization techniques using leading CNN models: MobileNet-V2, DenseNet201, ResNet50, and Inception-V3. To enhance performance and reduce overfitting, we implement eight ensemble learning strategies. Additionally, an undersampling technique mitigates class imbalance in the multiclass setting. MalVis achieves strong results: 95.19% accuracy, 90.81% F1-score, 92.58% precision, 89.10% recall, 87.58% MCC, and 98.06% ROC-AUC. These findings demonstrate the effectiveness of MalVis in enabling accurate, interpretable malware detection and providing a valuable resource for security research and applications.
Paper Structure (29 sections, 5 equations, 15 figures, 5 tables, 1 algorithm)

This paper contains 29 sections, 5 equations, 15 figures, 5 tables, 1 algorithm.

Figures (15)

  • Figure 1: An illustration of the structure of an Android APK file, highlighting key components such as application bytecode, assets, resources, and the manifest file.
  • Figure 2: Comparison of average file sizes in DEX executables vs malVis PNG representations across malware categories (with size reduction percentages)
  • Figure 3: Distribution of malware types and benign in MalVis.
  • Figure 4: Overview of constructing the MalVis-A visualization method, resulting in RGB image representations using the Classbyte encoding in the green channel and encoding entropy in the red and blue channels.
  • Figure 5: Overview of constructing the MalVis-B visualization method using the N-gram encoding in the green RGB channel.
  • ...and 10 more figures