Multimodal learning provides an effective approach for Android malware detection by integrating heterogeneous data sources such as permissions, intents, and binary content. However, existing fusion algorithms remain simplistic, lacking the capacity to model complex cross-modal relationships. This paper proposes a Large Language Model (LLM)-based feature fusion framework for Android malware classification. The framework combines tabular features (permissions and intents) and visual representations derived from DEX bytecode using a dual-stream architecture with Deep Neural Network (DNN) and Convolutional Neural Network (CNN) backbones. A fusion head inspired by LLMs is employed to capture rich interactions across modalities. Experimental results on the CICMalDroid 2020 dataset show that LLM-based fusion using TinyLLaMA achieves 96.81% accuracy in binary classification and 92.01% in multi-class classification. Under adversarial conditions, the same model reaches 98.24% and 55.74% respectively, outperforming conventional strategies such as self-attention (38.29%, 24.86%) and concatenation (45.10%, 25.87%). Similarly, in obfuscation scenarios, LLM-based fusion (TinyLLaMA and CodeBERT) maintains robust performance, achieving up to 96.66% binary accuracy and 92.83% multi-class accuracy. These results demonstrate improved resilience of the proposed approach against obfuscation and adversarial manipulation.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Multimodal Learning with LLM-Fusion Head for Android Malware Detection: Enhancing Cross-Modality Robustness Against Obfuscation and Adversarial Samples

  • Luong Hoang Minh,
  • Duong The Dat,
  • Bui Tan Hai Dang,
  • Le Duc Thinh,
  • Doan Minh Trung,
  • Phan The Duy

摘要

Multimodal learning provides an effective approach for Android malware detection by integrating heterogeneous data sources such as permissions, intents, and binary content. However, existing fusion algorithms remain simplistic, lacking the capacity to model complex cross-modal relationships. This paper proposes a Large Language Model (LLM)-based feature fusion framework for Android malware classification. The framework combines tabular features (permissions and intents) and visual representations derived from DEX bytecode using a dual-stream architecture with Deep Neural Network (DNN) and Convolutional Neural Network (CNN) backbones. A fusion head inspired by LLMs is employed to capture rich interactions across modalities. Experimental results on the CICMalDroid 2020 dataset show that LLM-based fusion using TinyLLaMA achieves 96.81% accuracy in binary classification and 92.01% in multi-class classification. Under adversarial conditions, the same model reaches 98.24% and 55.74% respectively, outperforming conventional strategies such as self-attention (38.29%, 24.86%) and concatenation (45.10%, 25.87%). Similarly, in obfuscation scenarios, LLM-based fusion (TinyLLaMA and CodeBERT) maintains robust performance, achieving up to 96.66% binary accuracy and 92.83% multi-class accuracy. These results demonstrate improved resilience of the proposed approach against obfuscation and adversarial manipulation.