{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,17]],"date-time":"2025-11-17T14:26:41Z","timestamp":1763389601815,"version":"build-2065373602"},"reference-count":44,"publisher":"MDPI AG","issue":"15","license":[{"start":{"date-parts":[[2022,8,6]],"date-time":"2022-08-06T00:00:00Z","timestamp":1659744000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Currently, Android apps are easily targeted by malicious network traffic because of their constant network access. These threats have the potential to steal vital information and disrupt the commerce, social system, and banking markets. In this paper, we present a malware detection system based on word2vec-based transfer learning and multi-model image representation. The proposed method combines the textual and texture features of network traffic to leverage the advantages of both types. Initially, the transfer learning method is used to extract trained vocab from network traffic. Then, the malware-to-image algorithm visualizes network bytes for visual analysis of data traffic. Next, the texture features are extracted from malware images using a combination of scale-invariant feature transforms (SIFTs) and oriented fast and rotated brief transforms (ORBs). Moreover, a convolutional neural network (CNN) is designed to extract deep features from a set of trained vocab and texture features. Finally, an ensemble model is designed to classify and detect malware based on the combination of textual and texture features. The proposed method is tested using two standard datasets, CIC-AAGM2017 and CICMalDroid 2020, which comprise a total of 10.2K malware and 3.2K benign samples. Furthermore, an explainable AI experiment is performed to interpret the proposed approach.<\/jats:p>","DOI":"10.3390\/s22155883","type":"journal-article","created":{"date-parts":[[2022,8,9]],"date-time":"2022-08-09T04:16:55Z","timestamp":1660018615000},"page":"5883","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":32,"title":["Cyber-Threat Detection System Using a Hybrid Approach of Transfer Learning and Multi-Model Image Representation"],"prefix":"10.3390","volume":"22","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1030-1275","authenticated-orcid":false,"given":"Farhan","family":"Ullah","sequence":"first","affiliation":[{"name":"School of Software, Northwestern Polytechnical University, 127 West Youyi Road, Beilin District, Xi\u2019an 710072, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shamsher","family":"Ullah","sequence":"additional","affiliation":[{"name":"School of Software, Northwestern Polytechnical University, 127 West Youyi Road, Beilin District, Xi\u2019an 710072, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2341-0443","authenticated-orcid":false,"given":"Muhammad Rashid","family":"Naeem","sequence":"additional","affiliation":[{"name":"School of Electronic Information and Artificial Intelligence, Leshan Normal University, Leshan 614000, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8852-8317","authenticated-orcid":false,"given":"Leonardo","family":"Mostarda","sequence":"additional","affiliation":[{"name":"Computer Science Department, Camerino University, 62032 Camerino, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1936-6785","authenticated-orcid":false,"given":"Seungmin","family":"Rho","sequence":"additional","affiliation":[{"name":"Department of Industrial Security, Chung-Ang University, Seoul 06974, Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0371-9646","authenticated-orcid":false,"given":"Xiaochun","family":"Cheng","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Middlesex University, London NW4 4BT, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2022,8,6]]},"reference":[{"key":"ref_1","first-page":"463","article-title":"Android malware detection & protection: A survey","volume":"7","author":"Arshad","year":"2016","journal-title":"Int. J. Adv. Comput. Sci. Appl."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Felt, A.P., Finifter, M., Chin, E., Hanna, S., and Wagner, D. (2011, January 17). A survey of mobile malware in the wild. Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, Chicago, IL, USA.","DOI":"10.1145\/2046614.2046618"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Berman, D.S., Buczak, A.L., Chavis, J.S., and Corbett, C.L. (2019). A survey of deep learning methods for cyber security. Information, 10.","DOI":"10.3390\/info10040122"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"998","DOI":"10.1109\/COMST.2014.2386139","article-title":"Android security: A survey of issues, malware penetration, and defenses","volume":"17","author":"Faruki","year":"2014","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2089125.2089126","article-title":"A survey on automated dynamic malware-analysis techniques and tools","volume":"44","author":"Egele","year":"2008","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1016\/j.jnca.2017.12.017","article-title":"A remotely keyed file encryption scheme under mobile cloud computing","volume":"106","author":"Yang","year":"2018","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"3115","DOI":"10.1007\/s13042-020-01246-9","article-title":"Clone detection in 5G-enabled social IoT system using graph semantics and deep learning model","volume":"12","author":"Ullah","year":"2021","journal-title":"Int. J. Mach. Learn. Cybern."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.diin.2015.01.001","article-title":"APK Auditor: Permission-based Android malware detection system","volume":"13","author":"Talha","year":"2015","journal-title":"Digit. Investig."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"1869","DOI":"10.1109\/TIFS.2014.2353996","article-title":"Exploring permission-induced risk in Android applications for malicious application detection","volume":"9","author":"Wang","year":"2014","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Sanz, B., Santos, I., Laorden, C., Ugarte-Pedrero, X., Bringas, P.G., and \u00c1lvarez, G. (2013). PUMA: Permission usage to detect malware in Android. International Joint Conference CISIS\u201912-ICEUTE 12-SOCO 12 Special Sessions, Proceedings of the 5th International Conference (CISIS\u201912) and EUropean Transnational Education, 3rd International Conference (ICEUTE\u201912), Ostrava, Czech Republic, 5\u20137 September 2012, Springer.","DOI":"10.1007\/978-3-642-33018-6_30"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"de la Puerta, J.G., Sanz, B., Grueiro, I.S., and Bringas, P.G. (2015, January 15\u201317). The evolution of permission as feature for Android malware detection. Proceedings of the Computational Intelligence in Security for Information Systems Conference, Burgos, Spain.","DOI":"10.1007\/978-3-319-19713-5_33"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Liu, X., and Liu, J. (2014, January 8\u201311). A two-layered permission-based Android malware detection scheme. Proceedings of the 2014 2nd IEEE International Conference on Mobile Cloud Computing, Services, and Engineering, Oxford, UK.","DOI":"10.1109\/MobileCloud.2014.22"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"15","DOI":"10.1016\/j.jnca.2018.12.014","article-title":"A mobile malware detection method using behavior features in network traffic","volume":"133","author":"Wang","year":"2019","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Aresu, M., Ariu, D., Ahmadi, M., Maiorca, D., and Giacinto, G. (2015, January 20\u201322). Clustering Android malware families by HTTP traffic. Proceedings of the 2015 10th International Conference on Malicious and Unwanted Software (MALWARE), Fajardo, PR, USA.","DOI":"10.1109\/MALWARE.2015.7413693"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Wang, S., Yan, Q., Chen, Z., Yang, B., Zhao, C., and Conti, M. (2017, January 1\u20134). TextDroid: Semantics-based detection of mobile malware using network flows. Proceedings of the 2017 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Atlanta, GA, USA.","DOI":"10.1109\/INFCOMW.2017.8116346"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"1096","DOI":"10.1109\/TIFS.2017.2771228","article-title":"Detecting Android malware leveraging text semantics of network flows","volume":"13","author":"Wang","year":"2017","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_17","unstructured":"Wang, S., Chen, Z., Zhang, L., Yan, Q., Yang, B., Peng, L., and Jia, Z. (2016, January 20\u201321). Trafficav: An effective and explainable detection of mobile malware behavior using network traffic. Proceedings of the 2016 IEEE\/ACM 24th International Symposium on Quality of Service (IWQoS), Beijing, China."},{"key":"ref_18","unstructured":"Vierthaler, J., Kruszelnicki, R., and Sch\u00fctte, J. (2018). Webeye-automated collection of malicious HTTP traffic. arXiv."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Aniceto, R.C., Holanda, M., Castanho, C., and Da Silva, D. (2021, January 13\u201316). Source Code Plagiarism Detection in an Educational Context: A Literature Mapping. Proceedings of the 2021 IEEE Frontiers in Education Conference (FIE), Lincoln, NE, USA.","DOI":"10.1109\/FIE49875.2021.9637155"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3418206","article-title":"IoT-based Cloud Service for Secured Android Markets using PDG-based Deep Learning Classification","volume":"22","author":"Ullah","year":"2021","journal-title":"ACM Trans. Internet Technol. (TOIT)"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"102718","DOI":"10.1016\/j.cose.2022.102718","article-title":"AdStop: Efficient flow-based mobile adware detection using machine learning","volume":"117","author":"Alani","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_22","first-page":"4119500","article-title":"A Low Computational Cost Method for Mobile Malware Detection Using Transfer Learning and Familial Classification Using Topic Modelling","volume":"2022","author":"Acharya","year":"2022","journal-title":"Appl. Comput. Intell. Soft Comput."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Hadiprakoso, R.B., Kabetta, H., and Buana, I.K.S. (2020, January 19\u201320). Hybrid-based malware analysis for effective and efficiency Android malware detection. Proceedings of the 2020 International Conference on Informatics, Multimedia, Cyber and Information System (ICIMCIS), Jakarta, Indonesia.","DOI":"10.1109\/ICIMCIS51567.2020.9354315"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Zhang, W., Luktarhan, N., Ding, C., and Lu, B. (2021). Android malware detection using tcn with bytecode image. Symmetry, 13.","DOI":"10.3390\/sym13071107"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Mahdavifar, S., Kadir, A.F.A., Fatemi, R., Alhadidi, D., and Ghorbani, A.A. (2020, January 17\u201322). Dynamic Android malware category classification using semi-supervised deep learning. Proceedings of the 2020 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC\/PiCom\/CBDCom\/CyberSciTech), Calgary, AB, Canada.","DOI":"10.1109\/DASC-PICom-CBDCom-CyberSciTech49142.2020.00094"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Chen, Z., Yu, B., Zhang, Y., Zhang, J., and Xu, J. (2016, January 23\u201326). Automatic mobile application traffic identification by convolutional neural networks. Proceedings of the 2016 IEEE Trustcom\/BigDataSE\/ISPA, Tianjin, China.","DOI":"10.1109\/TrustCom.2016.0077"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"David, O.E., and Netanyahu, N.S. (2015, January 12\u201317). Deepsign: Deep learning for automatic malware signature generation and classification. Proceedings of the 2015 International Joint Conference on Neural Networks (IJCNN), Killarney, Ireland.","DOI":"10.1109\/IJCNN.2015.7280815"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"600","DOI":"10.1016\/j.ins.2019.11.008","article-title":"Deep and broad URL feature mining for Android malware detection","volume":"513","author":"Wang","year":"2020","journal-title":"Inf. Sci."},{"key":"ref_29","unstructured":"Mikolov, T., Sutskever, I., Chen, K., Corrado, G.S., and Dean, J. (2013). Distributed representations of words and phrases and their compositionality. Adv. Neural Inf. Processing Syst., 26."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3436751","article-title":"Malware Classification Based on Multilayer Perception and Word2Vec for IoT Security","volume":"22","author":"Qiao","year":"2021","journal-title":"ACM Trans. Internet Technol. (TOIT)"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Tareen, S.A.K., and Saleem, Z. (2018, January 3\u20134). A comparative analysis of sift, surf, kaze, akaze, orb, and brisk. Proceedings of the 2018 International Conference on Computing, Mathematics and Engineering Technologies (iCoMET), Sukkur, Pakistan.","DOI":"10.1109\/ICOMET.2018.8346440"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Lee, W.Y., Saxe, J., and Harang, R. (2019). SeqDroid: Obfuscated Android malware detection using stacked convolutional and recurrent neural networks. Deep Learning Applications for Cyber Security, Springer.","DOI":"10.1007\/978-3-030-13057-2_9"},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"101748","DOI":"10.1016\/j.cose.2020.101748","article-title":"Image-Based malware classification using ensemble of CNN architectures (IMCEC)","volume":"92","author":"Vasan","year":"2020","journal-title":"Comput. Secur."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Khalilia, M., Chakraborty, S., and Popescu, M. (2011). Predicting disease risks from highly imbalanced data using random forest. BMC Med. Inform. Decis. Mak., 11.","DOI":"10.1186\/1472-6947-11-51"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"e1249","DOI":"10.1002\/widm.1249","article-title":"Ensemble learning: A survey","volume":"8","author":"Sagi","year":"2018","journal-title":"Wiley Interdiscip. Rev. Data Min. Knowl. Discov."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Lashkari, A.H., Kadir, A.F.A., Gonzalez, H., Mbah, K.F., and Ghorbani, A.A. (2017, January 28\u201330). Towards a network-based framework for Android malware detection and characterization. Proceedings of the 2017 15th Annual Conference on Privacy, Security and Trust (PST), Calgary, AB, Canada.","DOI":"10.1109\/PST.2017.00035"},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"22","DOI":"10.1007\/s10922-021-09634-4","article-title":"Effective and Efficient Hybrid Android Malware Classification Using Pseudo-Label Stacked Auto-Encoder","volume":"30","author":"Mahdavifar","year":"2022","journal-title":"J. Netw. Syst. Manag."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Wang, S., Chen, Z., Yan, Q., Ji, K., Wang, L., Yang, B., and Conti, M. (2018, January 4\u20136). Deep and broad learning based detection of Android malware via network traffic. Proceedings of the 2018 IEEE\/ACM 26th International Symposium on Quality of Service (IWQoS), Banff, AB, Canada.","DOI":"10.1109\/IWQoS.2018.8624143"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Shyong, Y.-C., Jeng, T.-H., and Chen, Y.-M. (2020, January 26\u201329). Combining static permissions and dynamic packet analysis to improve Android malware detection. Proceedings of the 2020 2nd International Conference on Computer Communication and the Internet (ICCCI), Nagoya, Japan.","DOI":"10.1109\/ICCCI49374.2020.9145994"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Li, Z., Sun, L., Yan, Q., Srisa-an, W., and Chen, Z. (2016, January 10\u201312). Droidclassifier: Efficient adaptive mining of application-layer header for classifying Android malware. Proceedings of the International Conference on Security and Privacy in Communication Systems, Guangzhou, China.","DOI":"10.1007\/978-3-319-59608-2_33"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Al-Fawa\u2019reh, M., Saif, A., Jafar, M.T., and Elhassan, A. (2020, January 8\u201310). Malware detection by eating a whole APK. Proceedings of the 2020 15th International Conference for Internet Technology and Secured Transactions (ICITST), London, UK.","DOI":"10.23919\/ICITST51030.2020.9351333"},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Peng, T., Hu, B., Liu, J., Huang, J., Zhang, Z., He, R., and Hu, X. (2022). A Lightweight Multi-Source Fast Android Malware Detection Model. Appl. Sci., 12.","DOI":"10.3390\/app12115394"},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Mathews, S.M. (2019, January 16\u201317). Explainable artificial intelligence applications in NLP, biomedical, and malware classification: A literature review. Proceedings of the Intelligent Computing\u2014Proceedings of the Computing Conference, London, UK.","DOI":"10.1007\/978-3-030-22868-2_90"},{"key":"ref_44","first-page":"2579","article-title":"Visualizing data using t-SNE","volume":"9","author":"Hinton","year":"2008","journal-title":"J. Mach. Learn. Res."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/15\/5883\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T00:05:08Z","timestamp":1760141108000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/15\/5883"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,8,6]]},"references-count":44,"journal-issue":{"issue":"15","published-online":{"date-parts":[[2022,8]]}},"alternative-id":["s22155883"],"URL":"https:\/\/doi.org\/10.3390\/s22155883","relation":{},"ISSN":["1424-8220"],"issn-type":[{"type":"electronic","value":"1424-8220"}],"subject":[],"published":{"date-parts":[[2022,8,6]]}}}