{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,22]],"date-time":"2026-06-22T23:24:59Z","timestamp":1782170699695,"version":"3.54.5"},"reference-count":46,"publisher":"MDPI AG","issue":"18","license":[{"start":{"date-parts":[[2022,9,7]],"date-time":"2022-09-07T00:00:00Z","timestamp":1662508800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Android has become the leading mobile ecosystem because of its accessibility and adaptability. It has also become the primary target of widespread malicious apps. This situation needs the immediate implementation of an effective malware detection system. In this study, an explainable malware detection system was proposed using transfer learning and malware visual features. For effective malware detection, our technique leverages both textual and visual features. First, a pre-trained model called the Bidirectional Encoder Representations from Transformers (BERT) model was designed to extract the trained textual features. Second, the malware-to-image conversion algorithm was proposed to transform the network byte streams into a visual representation. In addition, the FAST (Features from Accelerated Segment Test) extractor and BRIEF (Binary Robust Independent Elementary Features) descriptor were used to efficiently extract and mark important features. Third, the trained and texture features were combined and balanced using the Synthetic Minority Over-Sampling (SMOTE) method; then, the CNN network was used to mine the deep features. The balanced features were then input into the ensemble model for efficient malware classification and detection. The proposed method was analyzed extensively using two public datasets, CICMalDroid 2020 and CIC-InvesAndMal2019. To explain and validate the proposed methodology, an interpretable artificial intelligence (AI) experiment was conducted.<\/jats:p>","DOI":"10.3390\/s22186766","type":"journal-article","created":{"date-parts":[[2022,9,8]],"date-time":"2022-09-08T04:18:32Z","timestamp":1662610712000},"page":"6766","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":65,"title":["Explainable Malware Detection System Using Transformers-Based Transfer Learning and Multi-Model Visual Representation"],"prefix":"10.3390","volume":"22","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1030-1275","authenticated-orcid":false,"given":"Farhan","family":"Ullah","sequence":"first","affiliation":[{"name":"School of Software, Northwestern Polytechnical University, 127 West Youyi Road, Beilin District, Xi\u2019an 710072, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8145-2575","authenticated-orcid":false,"given":"Amjad","family":"Alsirhani","sequence":"additional","affiliation":[{"name":"College of Computer and Information Sciences, Jouf University, Sakaka 72388, Aljouf, Saudi Arabia"},{"name":"Faculty of Computer Science, Dalhousie University, Halifax, NS B3H 4R2, Canada"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Mohammed Mujib","family":"Alshahrani","sequence":"additional","affiliation":[{"name":"College of Computing and Information Technology, University of Bisha, Bisha 61361, Saudi Arabia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3866-3048","authenticated-orcid":false,"given":"Abdullah","family":"Alomari","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Albaha University, Albaha 65799, Saudi Arabia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1511-218X","authenticated-orcid":false,"given":"Hamad","family":"Naeem","sequence":"additional","affiliation":[{"name":"School of Computer Science and Technology, Zhoukou Normal University, Zhoukou 466001, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2052-1121","authenticated-orcid":false,"given":"Syed Aziz","family":"Shah","sequence":"additional","affiliation":[{"name":"Faculty Research Centre for Intelligent Healthcare, Coventry University, Coventry CV1 5RW, UK"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2022,9,7]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"64411","DOI":"10.1109\/ACCESS.2019.2916886","article-title":"A Multimodal Malware Detection Technique for Android IoT Devices Using Various Features","volume":"7","author":"Kumar","year":"2019","journal-title":"IEEE Access"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Liu, X., Du, X., Zhang, X., Zhu, Q., Wang, H., and Guizani, M. (2019). Adversarial Samples on Android Malware Detection Systems for IoT Systems. Sensors, 19.","DOI":"10.3390\/s19040974"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Liu, P., Li, L., Zhao, Y., Sun, X., and Grundy, J. (2020, January 29\u201330). Androzooopen: Collecting large-scale open source android apps for the research community. Proceedings of the 17th International Conference on Mining Software Repositories, Seoul, Korea.","DOI":"10.1145\/3379597.3387503"},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Shyong, Y.-C., Jeng, T.-H., and Chen, Y.-M. (2020, January 26\u201329). Combining Static Permissions and Dynamic Packet Analysis to Improve Android Malware Detection. Proceedings of the 2020 2nd International Conference on Computer Communication and the Internet (ICCCI), Nagoya, Japan.","DOI":"10.1109\/ICCCI49374.2020.9145994"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"887","DOI":"10.1016\/j.future.2019.03.007","article-title":"Mobile malware attacks: Review, taxonomy & future directions","volume":"97","author":"Qamar","year":"2019","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_6","first-page":"102828","article-title":"Malware classification and composition analysis: A survey of recent developments","volume":"59","author":"Abusitta","year":"2021","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3365001","article-title":"Malware dynamic analysis evasion techniques: A survey","volume":"52","author":"Afianian","year":"2019","journal-title":"ACM Comput. Surv."},{"key":"ref_8","unstructured":"Vinod, P., Jaipur, R., Laxmi, V., and Graur, M. (2009, January 17\u201319). Survey on malware detection methods. Proceedings of the 3rd Hackers\u2019 Workshop on Computer and Internet Security (IITKHACK\u201909), Kanpur, India."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"102154","DOI":"10.1016\/j.adhoc.2020.102154","article-title":"Malware detection in industrial internet of things based on hybrid image visualization and deep learning model","volume":"105","author":"Naeem","year":"2020","journal-title":"Ad Hoc Netw."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"15","DOI":"10.1016\/j.jnca.2018.12.014","article-title":"A mobile malware detection method using behavior features in network traffic","volume":"133","author":"Wang","year":"2019","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Ullah, F., Ullah, S., Naeem, M.R., Mostarda, L., Rho, S., and Cheng, X. (2022). Cyber-Threat Detection System Using a Hybrid Approach of Transfer Learning and Multi-Model Image Representation. Sensors, 22.","DOI":"10.3390\/s22155883"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.diin.2015.01.001","article-title":"APK Auditor: Permission-based Android malware detection system","volume":"13","author":"Talha","year":"2015","journal-title":"Digit. Investig."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3418206","article-title":"IoT-based cloud service for secured android markets using PDG-based deep learning classification","volume":"22","author":"Ullah","year":"2021","journal-title":"ACM Trans. Internet Technol."},{"key":"ref_14","unstructured":"Sanz, B., Santos, I., Laorden, C., Ugarte-Paderto, X., Garcia Bringas, P., and Alvarez, G. (2012, January 5\u20137). Puma: Permission usage to detect malware in android. Proceedings of the International Joint Conference CISIS\u201912-ICEUTE 12-SOCO 12 Special Sessions, Ostrava, Czech Republic."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Liu, X., and Liu, J. (2014, January 8\u201311). A two-layered permission-based android malware detection scheme. Proceedings of the 2014 2nd IEEE International Conference on Mobile Cloud Computing, Services, and Engineering, Oxford, UK.","DOI":"10.1109\/MobileCloud.2014.22"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"De la Puerta, J.G., Sanz, B., Santos Grueiro, I., and Garciz Bringas, P. (2015, January 22\u201324). The evolution of permission as feature for Android malware detection. Proceedings of the Computational Intelligence in Security for Information Systems Conference, Bilbao, Spain.","DOI":"10.1007\/978-3-319-19713-5_33"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Aresu, M., Ariu, D., Ahmadi, M., Maiorca, D., and Giacinto, G. (2015, January 20\u201322). Clustering android malware families by http traffic. Proceedings of the 2015 10th International Conference on Malicious and Unwanted Software (MALWARE), Fajardo, PR, USA.","DOI":"10.1109\/MALWARE.2015.7413693"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Nataraj, L., Karthikeyan, S., Jacob, G., and Manjunath, B.S. (2011, January 20). Malware images: Visualization and automatic classification. Proceedings of the 8th International Symposium on Visualization for Cyber Security, Pittsburgh, PA, USA.","DOI":"10.1145\/2016904.2016908"},{"key":"ref_19","unstructured":"Wang, W., Zhu, M., Zeng, X., Ye, X., and Sheng, Y. (2017, January 11\u201313). Malware traffic classification using convolutional neural network for representation learning. Proceedings of the 2017 International Conference on Information Networking (ICOIN), Da Nang, Vietnam."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Wang, Y., An, J., and Huang, W. (2018, January 18\u201321). Using CNN-based representation learning method for malicious traffic identification. Proceedings of the 2018 IEEE\/ACIS 17th International Conference on Computer and Information Science (ICIS), Ningbo, China.","DOI":"10.1109\/ICIS.2018.8466404"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Xu, P., Eckert, C., and Zarras, A. (2021, January 14\u201317). Falcon: Malware Detection and Categorization with Network Traffic Images. Proceedings of the 30th International Conference on Artificial Neural Networks, ICANN 2021, Bratislava, Slovakia.","DOI":"10.1007\/978-3-030-86362-3_10"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1155\/2020\/8630748","article-title":"On-Device Detection of Repackaged Android Malware via Traffic Clustering","volume":"2020","author":"He","year":"2020","journal-title":"Secur. Commun. Netw."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"154290","DOI":"10.1109\/ACCESS.2019.2946594","article-title":"Target-Dependent Sentiment Classification With BERT","volume":"7","author":"Gao","year":"2019","journal-title":"IEEE Access"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Yesir, S., and So\u011fukpinar, I. (2021, January 28\u201329). Malware Detection and Classification Using fastText and BERT. Proceedings of the 2021 9th International Symposium on Digital Forensics and Security (ISDFS), Elazig, Turkey.","DOI":"10.1109\/ISDFS52919.2021.9486377"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Sun, C., Qiu, X., Xu, Y., and Huang, Y. (2019). How to fine-tune bert for text classification?. Proceedings of the China National Conference on Chinese Computational Linguistics, Kunming, China, 18\u201329 October 2019, Springer.","DOI":"10.1007\/978-3-030-32381-3_16"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"871","DOI":"10.1016\/j.cose.2018.04.005","article-title":"Malware identification using visualization images and deep learning","volume":"77","author":"Ni","year":"2018","journal-title":"Comput. Secur."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"1188","DOI":"10.1109\/TRO.2012.2197158","article-title":"Bags of Binary Words for Fast Place Recognition in Image Sequences","volume":"28","author":"Tardos","year":"2012","journal-title":"IEEE Trans. Robot."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"863","DOI":"10.1613\/jair.1.11192","article-title":"SMOTE for Learning from Imbalanced Data: Progress and Challenges, Marking the 15-year Anniversary","volume":"61","author":"Fernandez","year":"2018","journal-title":"J. Artif. Intell. Res."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Lee, W.Y., Saxe, J., and Harang, R. (2019). SeqDroid: Obfuscated Android Malware Detection Using Stacked Convolutional and Recurrent Neural Networks, Springer.","DOI":"10.1007\/978-3-030-13057-2_9"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"101748","DOI":"10.1016\/j.cose.2020.101748","article-title":"Image-Based malware classification using ensemble of CNN architectures (IMCEC)","volume":"92","author":"Vasan","year":"2020","journal-title":"Comput. Secur."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"107903","DOI":"10.1016\/j.compeleceng.2022.107903","article-title":"Mitigating adversarial evasion attacks of ransomware using ensemble learning","volume":"100","author":"Ahmed","year":"2022","journal-title":"Comput. Electr. Eng."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"e1249","DOI":"10.1002\/widm.1249","article-title":"Ensemble learning: A survey","volume":"8","author":"Sagi","year":"2018","journal-title":"Wiley Interdiscip. Rev. Data Min. Knowl. Discov."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Taheri, L., Kadir, A.F.A., and Lashkari, A.H. (2019, January 1\u20133). Extensible Android Malware Detection and Family Classification Using Network-Flows and API-Calls. Proceedings of the 2019 International Carnahan Conference on Security Technology (ICCST), Chennai, India.","DOI":"10.1109\/CCST.2019.8888430"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Mahdavifar, S., Kadir, A.F.A., Fatemi, R., Alhadidi, D., and Ghorbani, A.A. (2020, January 17\u201322). Dynamic Android Malware Category Classification using Semi-Supervised Deep Learning. Proceedings of the 2020 IEEE International Conference on Dependable, Autonomic and Secure Computing, Calgary, AB, Canada.","DOI":"10.1109\/DASC-PICom-CBDCom-CyberSciTech49142.2020.00094"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1007\/s10922-021-09634-4","article-title":"Effective and Efficient Hybrid Android Malware Classification Using Pseudo-Label Stacked Auto-Encoder","volume":"30","author":"Mahdavifar","year":"2022","journal-title":"J. Netw. Syst. Manag."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Wang, S., Chen, Z., Yan, Q., Ji, K., Wang, L., Yang, B., and Conti, M. (2018, January 4\u20136). Deep and Broad Learning Based Detection of Android Malware via Network Traffic. Proceedings of the 2018 IEEE\/ACM 26th International Symposium on Quality of Service (IWQoS), Banff, AB, Canada.","DOI":"10.1109\/IWQoS.2018.8624143"},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"600","DOI":"10.1016\/j.ins.2019.11.008","article-title":"Deep and broad URL feature mining for android malware detection","volume":"513","author":"Wang","year":"2019","journal-title":"Inf. Sci."},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"El-Sayed, R., El-Ghamry, A., Gaber, T., and Hassanien, A.E. (2021, January 5\u20137). Zero-Day Malware Classification Using Deep Features with Support Vector Machines. Proceedings of the 2021 Tenth International Conference on Intelligent Computing and Information Systems (ICICIS), Cairo, Egypt.","DOI":"10.1109\/ICICIS52592.2021.9694256"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Li, Z., Sun, L., Yan, Q., Srisa-An, W., and Chen, Z. (2017, January 24\u201325). DroidClassifier: Efficient Adaptive Mining of Application-Layer Header for Classifying Android Malware. Proceedings of the International Conference on Security and Privacy in Communication Systems, Orlando, VA, USA.","DOI":"10.1007\/978-3-319-59608-2_33"},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"102718","DOI":"10.1016\/j.cose.2022.102718","article-title":"AdStop: Efficient flow-based mobile adware detection using machine learning","volume":"117","author":"Alani","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_41","first-page":"1","article-title":"A Low Computational Cost Method for Mobile Malware Detection Using Transfer Learning and Familial Classification Using Topic Modelling","volume":"2022","author":"Acharya","year":"2022","journal-title":"Appl. Comput. Intell. Soft Comput."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Al-Fawa\u2019reh, M., Saif, A., Jafar, M.T., and Elhassan, A. (2020, January 8\u201310). Malware detection by eating a whole APK. Proceedings of the 2020 15th International Conference for Internet Technology and Secured Transactions (ICITST), London, UK.","DOI":"10.23919\/ICITST51030.2020.9351333"},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Zhang, W., Luktarhan, N., Ding, C., and Lu, B. (2021). Android Malware Detection Using TCN with Bytecode Image. Symmetry, 13.","DOI":"10.3390\/sym13071107"},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Peng, T., Hu, B., Liu, J., Huang, J., Zhang, Z., He, R., and Hu, X. (2022). A Lightweight Multi-Source Fast Android Malware Detection Model. Appl. Sci., 12.","DOI":"10.3390\/app12115394"},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Hadiprakoso, R.B., Kabetta, H., and Buana, I.K.S. (2020, January 19\u201320). Hybrid-Based Malware Analysis for Effective and Efficiency Android Malware Detection. Proceedings of the 2020 International Conference on Informatics, Multimedia, Cyber and Information System (ICIMCIS), Jakarta, Indonesia.","DOI":"10.1109\/ICIMCIS51567.2020.9354315"},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Mathews, S.M. (2019, January 16\u201317). Explainable artificial intelligence applications in NLP, biomedical, and malware classification: A literature review. Proceedings of the Intelligent Computing Conference, London, UK.","DOI":"10.1007\/978-3-030-22868-2_90"}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/18\/6766\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T00:25:03Z","timestamp":1760142303000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/18\/6766"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,9,7]]},"references-count":46,"journal-issue":{"issue":"18","published-online":{"date-parts":[[2022,9]]}},"alternative-id":["s22186766"],"URL":"https:\/\/doi.org\/10.3390\/s22186766","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,9,7]]}}}