TY  - EJOU
AU  - Yang, Kang 
AU  - Cai, Lizhi 
AU  - Wu, Jianhua 

TI  - Android Software Malicious Detection Based on Dynamic Network Traffic Mixing API Information and Feature Importance Analysis
T2  - Computers, Materials \& Continua

PY  - 
VL  - 
IS  - 
SN  - 1546-2226

AB  - Accurate malware identification and family categorization remain significant challenges in large-scale Android software analysis. Although deep learning has surpassed traditional machine learning in performance, its widespread adoption is hindered by the computational overhead stemming from feature redundancy and the lack of interpretability inherent in its black-box nature. To address these issues, this paper proposes DroidNTA, a DL-based detection model that fuses network traffic and API features. The model first constructs a simplified API Call Graph by extracting the intrinsic structural attributes of applications, and subsequently generates API feature vectors from invocation sequences using a Markov chain algorithm. These are then integrated with dynamic network traffic features to form a final representation vector of the Android instance. To enhance transparency, DroidNTA performs feature contribution analysis by adjusting fusion parameters and employs Shapley values to quantify global feature importance. Experimental results demonstrate that DroidNTA achieves superior performance in both binary and family classification tasks, yielding an accuracy of 99.74% and a gain of over 20%, respectively. We have released our code at <a href="https://github.com/joeyyk/DroidNTA" target="_blank">https://github.com/joeyyk/DroidNTA</a>.
KW  - Android; malware; deep learning; network traffic

DO  - 10.32604/cmc.2026.080632