Multimodal Learning with LLM-Fusion Head for Android Malware Detection: Enhancing Cross-Modality Robustness Against Obfuscation and Adversarial Samples
摘要
Multimodal learning provides an effective approach for Android malware detection by integrating heterogeneous data sources such as permissions, intents, and binary content. However, existing fusion algorithms remain simplistic, lacking the capacity to model complex cross-modal relationships. This paper proposes a Large Language Model (LLM)-based feature fusion framework for Android malware classification. The framework combines tabular features (permissions and intents) and visual representations derived from DEX bytecode using a dual-stream architecture with Deep Neural Network (DNN) and Convolutional Neural Network (CNN) backbones. A fusion head inspired by LLMs is employed to capture rich interactions across modalities. Experimental results on the CICMalDroid 2020 dataset show that LLM-based fusion using TinyLLaMA achieves 96.81% accuracy in binary classification and 92.01% in multi-class classification. Under adversarial conditions, the same model reaches 98.24% and 55.74% respectively, outperforming conventional strategies such as self-attention (38.29%, 24.86%) and concatenation (45.10%, 25.87%). Similarly, in obfuscation scenarios, LLM-based fusion (TinyLLaMA and CodeBERT) maintains robust performance, achieving up to 96.66% binary accuracy and 92.83% multi-class accuracy. These results demonstrate improved resilience of the proposed approach against obfuscation and adversarial manipulation.