Open Access

ARTICLE

SCAN: Structural Clustering with Adaptive Thresholds for Intelligent and Robust Android Malware Detection under Concept Drift

Kyoungmin Roh¹, Seungmin Lee², Seong-je Cho^2,*, Youngsup Hwang³, Dongjae Kim⁴

1 Department of Cybersecurity, Dankook University, Yong-in, Republic of Korea
2 Department of Software Science, Dankook University, Yong-in, Republic of Korea
3 Division of Computer Science and Engineering, Sunmoon University, Asan, Republic of Korea
4 Department of AI-Based Convergence, Dankook University, Yong-in, Republic of Korea

* Corresponding Author: Seong-je Cho. Email:

(This article belongs to the Special Issue: Advanced Security and Privacy for Future Mobile Internet and Convergence Applications: A Computer Modeling Approach)

Computer Modeling in Engineering & Sciences 2026, 146(3), 41 https://doi.org/10.32604/cmes.2026.074936

Received 21 October 2025; Accepted 14 January 2026; Issue published 30 March 2026

Abstract

Many machine learning–based Android malware detection often suffers from concept drift, where models trained on historical data fail to generalize to evolving threats. This paper proposes SCAN (Structural Clustering with Adaptive thresholds for iNtelligent Android malware detection), a hybrid intelligent framework designed to mitigate concept drift without retraining. SCAN integrates Gaussian Mixture Models (GMMs)-based clustering with cluster-wise adaptive thresholding and supervised classifiers tailored to each cluster. A key challenge in clustering-based malware detection is cluster-wise class imbalance, where clusters contain disproportionate distributions of benign and malicious samples. SCAN addresses this issue through adaptive thresholding, which dynamically adjusts the decision boundary of each cluster according to its malicious-to-benign ratio. In the final training stage, four supervised learning algorithms—Random Forest (RF), Support Vector Machine (SVM), k-NN, and XGBoost—are applied within the GMM-defined clusters. We train SCAN on Android applications collected from 2014–2017 and test it with applications from 2018–2023. Experimental results demonstrate that SCAN combined with RF consistently achieves superior performance, with both average accuracy and average F1-score exceeding 91%. These findings confirm SCAN’s robustness to concept drift and highlight its potential as a sustainable and intelligent solution for long-term Android malware detection in the real world.

---

Keywords

---