Fuzzy Integral-Based Multi-Classifiers Ensemble for Android Malware Classification

Abstract

One of the most commonly used operating systems for smartphones is Android. The open-source nature of the Android operating system and the ability to include third-party Android apps from various markets has led to potential threats to user privacy. Malware developers use sophisticated methods that are intentionally designed to bypass the security checks currently used in smartphones. This makes effective detection of Android malware apps a difficult problem and important issue. This paper proposes a novel fuzzy integral-based multi-classifier ensemble to improve the accuracy of Android malware classification. The proposed approach utilizes the Choquet fuzzy integral as an aggregation function for the purpose of combining and integrating the classification results of several classifiers such as XGBoost, Random Forest, Decision Tree, AdaBoost, and LightGBM. Moreover, the proposed approach utilizes an adaptive fuzzy measure to consider the dynamic nature of the data in each classifier and the consistency and coalescence between each possible subset of classifiers. This enables the proposed approach to aggregate the classification results from the multiple classifiers. The experimental results using the dataset, consisting of 9476 Android goodware apps and 5560 malware Android apps, show that the proposed approach for Android malware classification based on the Choquet fuzzy integral technique outperforms the single classifiers and achieves the highest accuracy of 95.08%.

1. Introduction

The use of smartphones is continuously increasing in many aspects of our daily lives. Users are used to storing a considerable amount of their private information on their smartphones. Smartphones are equipped with many sensors that collect valuable information about the user, such as gestures, locations, video, and audio data. The availability of this important information in the smartphones motivates the malware developers and attackers to penetrate the smartphones and steal the private information of the users. The number of smartphone users has increased rapidly in the past few years. Currently, Android is the most widely used smartphone operating system in the world, dominating 70.69% of the market share as of April 2020. [1].

Recent studies suggest that the number of Android apps has increased in recent years due to the open-source nature of Android and the popularity of Android-based smartphones. Moreover, Android-based smartphones have become a widely used control system for the Internet of Things (IoT) [1]. Based on studies by Statista [2], the number of Android apps has grown rapidly since December 2009, and the current number of Android apps existing on Google Play Store in 2020 has reached 2.96 million apps after exceeding 1 million apps in July 2013. This increase in the number of Android apps is due to the key features of Android such as open source nature and ease of use. Privacy issues arose that are of concern to both businesses and users. This is because malware developers intend to deceive users with apps that appear to be useful but have unnoticed malicious intentions. According to GDATA [3], security experts found more than 4.18 million malicious apps in 2019 and the average number of new Android malware is 11,500 apps per day.

Because Android allows users to download and install programs from Google Play, the official store for Android apps, as well as several third-party markets, it has become the most targeted platform by malware software makers. Due to the lack of effective authentication techniques, malware developers can upload their malicious APPs to Google Play and other third-party stores [4], and evade smartphone users by employing various techniques such as repackaging or encryption, dynamic execution, and code obfuscation [5]. Finance charges, changes to user settings, data theft, privilege escalation, and remote control are all examples of damage caused by malicious Android apps. Currently, malware app developers are employing sophisticated ways to create extremely complicated programs that may easily escape detection by the most advanced anti-malware software [6].

Machine learning approaches have been applied successfully in the field of security [7]. Researchers offer many techniques based on machine learning algorithms to identify Android malware apps, which are divided into two categories: static and dynamic analysis [8]. Static analysis can identify malware by extracting significant features from the APK without executing it and using these features to differentiate between malware and goodware applications. In [9,10,11], the authors used static analysis to obtain the app’s key features, such as the required permissions. Compared with dynamic analysis, static analysis can detect malware quickly and prevent it from being installed. The identification of more complex Android malware apps that employ polymorphism, code obfuscation, and repackage methods is a problem for static analysis. Dynamic analysis is based on installing and executing Android applications in an environment and tracing their execution or behavior [12]. DroidDolphin [13], Crowdroid [14], and DroidWard [15] use dynamic analysis to screen runtime activities such as system calls and API calls and utilize supervised learning algorithms to distinguish between malware and goodware apps.

Because the success of a single classifier is dependent to some extent on the Android app’s unique characteristics, it has inherent individual uncertainty and limitations. When compared with a single classifier, the combination of classifiers has the benefit of minimizing the variation of estimated error and improving classification performance. Ensemble learning is a machine learning approach that uses many learning algorithms rather than a single algorithm to generate a single optimal prediction model; it has shown to be an effective solution in a variety of disciplines. Ensemble learning approaches have been shown empirically and theoretically to outperform single weak methods, particularly when dealing with complicated, high-dimensional prediction problems [16]. Bagging [17], Boosting [18], and Stacking [19] are the most often used ensemble learning methods. Stacking is a fusion approach that combines many machine learning algorithms (base models) structured in at least one layer and then employs another machine learning algorithm (meta model) to achieve higher classification performance than any of its basic algorithms [20]. In [21,22], the authors collected a large number of significant features and strings from Android APK files and used these features to create multiple ensemble machine learning techniques to identify Android malware apps.

There are intrinsic interactions between several basic classifiers; these interactions might be positive synergy in nature, in which case the basic classifiers collaborate and strengthen one another. The ensemble system may use the strengths of the different classifiers and overcome their weaknesses to attain a better level of accuracy than any single classifier. The fuzzy integral has the advantages of characterizing the significance of basic classifiers by fuzzy measure and modeling the coalitions and interactions among every possible coalition (subset) of classifiers. This study presents a multi-classifier ensemble based on fuzzy integrals to enhance the accuracy of Android malware classification. The proposed method employs Choquet fuzzy integral as an aggregation function to fuse the prediction results of multiple classifiers, including XGBoost, Random forest, Decision tree, AdaBoost, and LightGBM, by taking into account both the significance of each classifier as well as the consistency and coalition among each possible subset of classifiers based on adaptive fuzzy measures. The proposed approach is able to aggregate more meaningful prediction results from multiple classifiers using the adaptive fuzzy measures. The following are the primary contributions of the suggested approach:

-

Proposes a novel fuzzy integral based multi-classifiers ensemble for Android malware classification. The proposed approach has the capability of aggregating the classification results from multiple classifiers by taking into account both the significance of each classifier as well as the consistency and coalition among each possible subset of classifiers based on fuzzy measures.

-

For successful detection of Android malware apps, the proposed approach presents an adaptive fuzzy measure based on dynamic data in single classifiers and consistency and coalition among each potential subset of classifiers.

-

The proposed approach’s performance was evaluated through a series of experiments, and the results indicate that it outperforms both individual classifiers and other approaches.

The rest of the paper is organized as follows. Section 2 presents the related work on Android malware detection. Section 3 presents the fuzzy measures and Choquet integral. Section 4 explains the proposed approach for Android malware classification. Results and discussion are illustrated in Section 5. Section 6 concludes this paper.

2. Related Work

With the number of Android malware apps growing fast, several researchers have proposed approaches based on machine learning techniques for the classification of Android malware apps.

Arp et al. [22] developed an app called “Drebin” for detecting Android malware apps. They used the API calls, Android permissions, and network addresses as features to differentiate between goodware and malware apps. Their experimental results were based on a dataset consisting of 5560 malware apps and 123,453 goodware apps from numerous app markets. Drebin achieved classification accuracy of 94% and a false positive rate of 1%. Firdaus et al. [23] presented an approach for Android malware apps detection based on features investigation. The features include Android permissions and directory paths. They used three machine learning algorithms: voted perceptron (VP), radial basis function network (RBFN), and multilayer perceptron (MLP) in the conducted experiments based on Drebin and AndroZoo [24] datasets. Their proposed approach based on MLP achieved detection accuracy of 90% and true positive rate of 87%. Hu et al. [25] presented an approach using an ensemble learning classifier with the feature selection algorithm, a sliding window is utilized inside the ensemble classifier. Zhang et al. [26] presented a new approach using the Markov blanket for feature selection, SVM is employed for classification of Android malware apps, and Drebin dataset is used in their experimental results.

Coronado-De-Alba et al. [27] suggested an ensemble-learning approach for Android malware detection. They used a dataset consisting of 1531 malware and 1531 goodware apps; the malware apps were selected from the Drebin dataset [22], and the goodware samples were obtained from the Google Play Store. They used two features selection algorithms, RELIEF and Chi-squared, and the Random Forest algorithm for the detection of Android malware. Peiravian and Zhu [28] introduced a machine-learning-based model for Android malware detection. They used Android app permission and API calls as main features to distinguish between goodware and malware apps.

Wang et al. [29] utilized Decision Tree, Linear SVM, Logistic regression, and Random forest for malware apps detection-based static analysis. They used the apps static features for machine learning training. Based on the experimental results, their proposed approach detects malware apps with false positive rate of 0.06% using the Logistic Regression algorithm based on a dataset containing 217,619 goodware and 18,363 malware apps. Talha et al. [30] suggested a classification approach based on permissions “APK Auditor” to categorize the Android apps as goodware or malware which achieved 88% accuracy with a specificity of 0.925. They used a dataset consisting of 8762 apps including 1853 goodware apps and 6909 malware apps.

DroidDolphin [13] is a dynamic analysis approach that uses machine learning to classify Android malware. It analyzes Android apps based on obtaining the apps details from API calls and activities by running the apps on virtual environments and attained a precision of 86.1% using the SVM algorithm. Milosevic et al. [31] proposed an Android malware classifier based on the ensemble learning model. They used Android permissions and source-code-based features. The ensemble classifier used contained linear regression, Decision Trees, SVM, C.45, Random Tree, and Random Forests algorithms.

In our previous research [32], we proposed a hybrid approach for the classification of Android malware by integrating the fuzzy C-means clustering (FCM) algorithm with the light gradient boosting machine (LightGBM). FCM is used to cluster the Android permissions, while LightGBM is utilized to classify the Android apps based on the app’s permissions and their clusters resulting from FCM. Using a widely used dataset consisting of benign and malware Android apps, the experimental results show that the suggested approach attained an accuracy of 94.63%.

In our previous research [9], we suggested an evolving hybrid neuro-fuzzy classifier (EHNFC) for Android malware classification using permission-based features. We adapted the evolving clustering algorithm to incorporate an adaptive method for updating the radii and centers of clustered permission-based features. The results show that the proposed method classifies Android malware with an accuracy of 90%. In our previous research [10], we introduced an approach for Android malware classification using the adaptive neuro fuzzy inference systems (ANFIS), an information gain method utilized to choose the important Android permissions. The proposed method attained an accuracy of 75%.

In our previous research [11], we introduced an adaptive neuro-fuzzy inference system with fuzzy c-means clustering (FCM-ANFIS) for Android malware classification. The experimental results show that a classification accuracy of 91% was achieved by the proposed method.

Table 1. Summary of the discussed related works.

Approach	Description of Method	Accuracy	Limitations
Altaher [9]	Android permissions and adaptive neuro fuzzy inference systems (ANFIS)	75%	Static analysis method and lacks the dynamic real-time inspection
DroidDolphin [13]	API calls and activities by running the apps on virtual environments and SVM algorithm	86.1%	Dynamic analysis consuming resources and takes a long time
Arp et al. [22]	Used API calls, Android permissions and network addresses as features and support vector machine (SVM) algorithm	94%	Exhibits the inherent limitations of static analysis
Firdaus et al. [23]	Android permissions used as features, and three machine learning algorithms: voted perceptron (VP), radial basis function net-work (RBFN), and multilayer perceptron (MLP)	90%	Static analysis method and lacks the dynamic real-time inspection
Hu et al. [25]	Android permissions, application actions, and API were utilized as features An ensemble learning classifier was used as classifier	96%	Unable to detect new Android malware apps
Talha et al. [30]	Android permissions and machine learning algorithms	88%	Static analysis method and lacks the dynamic real-time inspection
Taha and Malebary [32]	Android permissions and fuzzy C-means clustering (FCM) algorithm with the light gradient boosting machine (LightGBM)	94.63%	Exhibits the inherent limitations of static analysis
Awan et al. [33]	Spatial attention and convolutional neural network (SACNN) based on deep learning framework	97.42%	Lack of exploration in the data augmentation and the feature engineering domains
Hemalatha et al. [34]	Visualization-based method, where malware binaries are depicted as two-dimensional images and classified by a deep learning model	98.23%	Consumes re-sources and takes long time for training
Nisa et al. [35]	The features that are extracted from malware images are then classified using different variants of support vector machine (SVM), k-nearest neighbor (KNN), decision tree (DT), and other classifiers	99.3%	Used a pre-trained model and cannot detect new Android malware apps

summarizes the discussed related works.

3. Choquet Fuzzy Integral

The idea of the Choquet integral was initially presented in capacity theory [36]. It is utilized as a fuzzy integral by considering a fuzzy measure [37]. Then, the Choquet integral is rediscovered in [38,39] by Murofushi and Sugeno. Choquet integral aims to integrate functions based on the fuzzy measures. For Android malware classification, the fuzzy measures based on the Choquet integral were utilized to state a weight for each set of classifiers. Since classifiers can be dependent, therefore, it is possible to enable modeling of the interaction existing between classifiers. The description of the Choquet integral and fuzzy measures is shown in [38] where: C = {c₁, c₂, …, c_N} is a set of N machine learning algorithms, and P(C) represents the performance of C or set of all subsets of C.

Definition 1.

Suppose C is a finite set of machine learning algorithms, the discrete fuzzy measure on C is the mapping:

P(C)→[0, 1], adhering to the requirements below:

(1)

µ (Ø) = 0, l(C) = 1 (requirements limits).

(2)

If A, B ∈ P(C) and A ⊂ Z then µ (A) ≤ µ (B) (monotonicity).

where µ (S) represents the score of the importance of classifier set S. Therefore, weights on any classifiers combination are also considered as well as the standard weights of each classifier taken independently.

Definition 2.

Suppose μ is the fuzzy measure on C = 1; 2; …, n. The Choquet fuzzy integral of the function mapping:

f: C→R with relation to µ is explained by:

$$C{H}_{\mu }\left(f\right)={{\displaystyle \sum }}_{i=1}^n{f}_{\left(i\right)}\left[\mu (A_{\left(i\right)}-\mu \left(A_{\left(i+1\right)}\right)\right],$$

(1)

where (i) denotes a replacement on C thus

$$f_{\left(1\right)} \le f_{\left(2\right)} \le \dots \le f_{\left(n\right)}. \mathrm{Moreover} A_{\left(i\right)}=i,\cdots ,n,A\left(n+1\right)=\varnothing .$$

Because the independency of one classifier from another is not necessary in the fuzzy integral model, it can be utilized in many non-linear situations. The overall evaluation of all possible solutions can be obtained by the fuzzy integral of $f$ with respect to µ. In the case of independent classifiers, the fuzzy measure is additive, and the Choquet integral matches with the weighted arithmetic mean approach. Thus,

$$C{H}_{\mu }\left(f\right)={\displaystyle \sum }_{i=1}^n{f}_i\mu \left(\left\{i\right\}\right)$$

(2)

A Choquet integral is an approach of collection that takes into account both the significance of a classifier and its relations with various classifiers [40]. Suppose G, M ⊂ X and G ⊂ M = Ø, g are known as a λ-fuzzy measure when the following condition is satisfied:

$$\mathrm{g}\left(\mathrm{G}\cup \mathrm{S}\right)=\mathrm{g}\left(\mathrm{G}\right)+\mathrm{g}\left(\mathrm{M}\right)+\lambda \mathrm{g}\left(\mathrm{G}\right)\mathrm{g}\left(\mathrm{M}\right), \lambda ϵ \left(-1,\infty \right)$$

(3)

For the relations between G and M, if λ > 0, then the multiplicative effect exists; if λ < 0, then the substitutive effect exists. λ = 0 shows that G and M are unrelated [41].

Let ${\mathrm{g}}_i$ represent the fuzzy density based on the Choquet fuzzy integral, g($A_j$) is attained by $\lambda$ and ${\mathrm{g}}_j$ as

$$\mathrm{g}\left(A_j\right)={\mathrm{g}}_j+\mathrm{g}\left(A_{j+1}\right)+\lambda {\mathrm{g}}_j\mathrm{g}\left(A_{j+1}\right)=\frac{1}{\lambda }\left[{\displaystyle \prod }_{i=j\cdots n}(1+\lambda {\mathrm{g}}_i)-1\right]$$

(4)

$\lambda$ is computed by solving the following equation:

$$F\left(\lambda \right)={\displaystyle \prod }_{j=1}^n\left(1+\lambda {\mu }_j\right)-\lambda -1=0$$

(5)

In [42], it was proved that for a fixed set of µj, 0 < µj < 1, there exists a unique root of λ > −1, and λ ≠ 0, using Equation (5). In addition, from Equation (5) it can also be seen that if the values of µj are known, then λ can be calculated.

4. The Proposed Fuzzy Integral-Based Multi-Classifiers Ensemble for Android Malware Classification

This research proposes a fuzzy integral-based multi-classifiers ensemble for Android malware classification. The suggested method combines five different basic classifiers, namely XGBoost, Random Forest, Decision Tree, AdaBoost, and LightGBM, with one fusion module based on the Choquet fuzzy integral. The Android app permissions are used as inputs to the five basic classifiers, and the prediction results from all basic classifiers are combined using the Choquet fuzzy integral to determine the final classification results of the Android app. Figure 1 illustrates the proposed approach.

4.1. Dataset and Features Selection

In this study, a dataset containing 9476 Android goodware apps and 5560 malware Android apps was utilized [22]. The Android malware apps in the dataset are from 49 different malware families; examples for the malware families in the dataset included FakeInstaller, DroidKungFu, Goldmaster, and GingerMaster. The dataset is preprocessed and partitioned into training and testing datasets in preparation for evaluation. The dataset includes Android permissions as distinguishing features between goodware and malware applications. The important Android permissions are then carefully determined utilizing the information gain approach to improve classification accuracy. Using essential features that describe the unique dataset characteristics, feature selection algorithms can help improve classification accuracy. As a result, feature selection approaches reduce dataset dimensions by removing Android permissions that aren’t needed for the classification process. Redundant or different characteristics can lead to a variety of issues, including a reduction in the efficacy of machine learning algorithms. To achieve an accurate identification of Android malware apps, it is necessary to use an appropriate feature selection method.

The information gain ratio (IGR) technique [43] is applied to select the essential features for Android malware classification. The IGR technique depends on finding the relationships between the features of an Android app and then calculating and scoring each feature individually. The information gain is utilized to select the important Android apps’ permissions in the suggested approach because of its high efficiency and fast computing. Based on the class (malware or goodware), it assesses the best Android permissions. Figure 2 displays examples for the features employed in the proposed model and their information gain ranks. The information gain ranks for the chosen permissions are reflected in the horizontal axis.

4.2. Single Classifiers

Motivated by our previous research on Android malware classification [9,11,32], the XGBoost, Random forest, Decision tree, AdaBoost, and LightGBM algorithms are employed as single classifiers in this study for the classification of Android malware applications. Then, the classification outputs resulting from these classifiers are combined using the Choquet fuzzy integral.

4.2.1. The eXtreme Gradient Boosting (XGBoost)

The XGBoost algorithm suggested by Dr. Chen Tianqi [44] provides good learning via additive training approaches which fuse all expectations of a set of ‘‘Ineffective’’ learners to reduce the variance by adding regularization terms. It has the capabilities of high accuracy, fast running speed, and low computational complexity regardless of whether the data size is big or small. This method has been successfully applied in classification and prediction approaches.

4.2.2. Random Forest (RF)

Random Forest is an ensemble learning technique that has been very successful as a regression and classification technique. Random forest builds several decision trees that will be utilized by the majority vote to classify a new sample. Each decision tree node uses a subset of features chosen randomly from the entire original set of features [45].

4.2.3. Decision Tree (DT)

DT is a widely employed approach for classification as it is similar to human reasoning and it is simple to explain. Using the decision tree, a new sample can clearly be categorized and the basic idea is to consistently match the corresponding characteristics and associated conditions until a leaf node of the class label has been reached [46].

4.2.4. AdaBoost

Freund and Schapire [47] have proposed AdaBoost, which provides a majority vote over many classifiers. AdaBoost has become one of the most important and powerful classification algorithms in many applications due to its low implementation complexity, high performance, and strong generalization capabilities.

4.2.5. LightGBM

LightGBM is a new GBDT (gradient boosting decision tree) algorithm, suggested by Ke and colleagues in 2017, which has been successfully utilized in several types of data mining operations, such as regression and classification [48]. The LightGBM algorithm includes two novel methods: the gradient-based one-side sampling and the exclusive feature bundling.

The performance of classifiers is influenced by used parameters directly. We utilized the grid search to determine the ideal parameters for each classifier in order to obtain good performance.

Table 2. The used parameters.

Classifier	Parameters
LightGBM	Objective = regression, metric = rmse, num_leaves = 80, learning_rate = 0.09, bagging_fraction = 0.7, feature_fraction = 0.7, bagging_frequency = 5, bagging_seed = 2018, verbosity = 1
Random Forest	n_estimators = 50 and random_state = 1
XGBoost	random_state = 1 and learning_rate = 0.01
AdaBoost	n_estimators = 100
Decision Tree	max_depth = 5, min_samples_leaf = 4

summarizes the used parameters for each classifier.

4.3. Classifiers Fusion Based on Choquet Integral

Any single classifier has benefits and disadvantages. The performance of a single classifier for Android malware classification is to some extent dependent on the sample’s attributes, and there is uncertainty for each classifier. Choquet’s integral fusion may synthesize the classification outputs of several classifiers and achieve the highest consistency of the outputs between the varied and consistent outputs. Under uncertain conditions, the Choquet integral fusion is an efficient reasoning strategy. There are several Android permissions that might be exploited by both Android malware and goodware apps, making it difficult to distinguish between the two. As a result, the classification result of several classifiers fused using the Choquet integral is more accurate and suitable for Android malware classification.

4.4. Adaptive Fuzzy Measure

As shown in Equation (1), the Choquet fuzzy integral works on the fuzzy measures (g), which are computed based on the level of significance of each classifier or the level of significance of a subset of classifiers. Let $\mathrm{C}=\left\{{\mathrm{c}}_1,{\mathrm{c}}_2,\dots ,{\mathrm{c}}_{\mathrm{N}}\right\}$ be the set of N classifiers, T= {M,B} be the set of class-types of Android apps, where M denotes the malware apps and B denotes the benign apps. $\mathrm{P}\left({\mathrm{c}}_{\mathrm{i}}\right)=\left\{\mathrm{p}\left({\mathrm{c}}_{\mathrm{i}}^{\mathrm{M}}\right),\mathrm{p}\left({\mathrm{c}}_{\mathrm{i}}^{\mathrm{B}}\right)\right\}$ represents the output of classifier $c_i$ where $\mathrm{p}\left({\mathrm{x}}_{\mathrm{i}}^{\mathrm{M}}\right)$ represents the classification score assigned by classifier $x_i$ to the class-type malware app and $\mathrm{p}\left({\mathrm{x}}_{\mathrm{i}}^{\mathrm{B}}\right)$ represents the classification score assigned by classifier $c_i$ to the class-type benign app. Generally, the importance of a classifier over a dataset is explained using the confusion matrix as shown in Figure 3.

The confusion matrices are beneficial tools to check the errors that the classifiers are making. Suppose $\mathrm{C}{\mathrm{M}}_{\mathrm{k}}$ is the confusion matrix of classifier ${\mathrm{c}}_{\mathrm{k}}$:

$${\mathrm{CM}}_{\mathrm{k}}=\left[\begin{array}{c}\begin{array}{ccc}{\mathrm{n}}_{11}^{\mathrm{k}}& {\mathrm{n}}_{12}^{\mathrm{k}}& \cdots \\ {\mathrm{n}}_{21}^{\mathrm{k}}& {\mathrm{n}}_{22}^{\mathrm{k}}& \cdots \\ \cdots & \cdots & \cdots \end{array} \begin{array}{c}{\mathrm{n}}_{1\mathrm{N}}^{\mathrm{k}}\\ {\mathrm{n}}_{2\mathrm{N}}^{\mathrm{k}}\\ \cdots \end{array}\\ \begin{array}{ccc}{\mathrm{n}}_{\mathrm{N}1}^{\mathrm{k}}& {\mathrm{n}}_{\mathrm{N}2}^{\mathrm{k}}& \cdots \end{array} \begin{array}{c}{\mathrm{n}}_{\mathrm{NN}}^{\mathrm{k}}\end{array}\end{array}\right]$$

(6)

where i = j, ${\mathrm{n}}_{\mathrm{ij}}^{\mathrm{k}}$ indicates the number of Android apps belonging to class type ${\mathrm{T}}_{\mathrm{M}}$ and are correctly classified by the classifier ${\mathrm{c}}_{\mathrm{k}}$ as class ${\mathrm{T}}_{\mathrm{M}}$. On the other hand, $\mathrm{i}\ne \mathrm{j}$, ${\mathrm{n}}_{\mathrm{ij}}^{\mathrm{k}}$ denotes the number of Android apps with class type ${\mathrm{T}}_{\mathrm{M}}$ but are incorrectly classified as class ${\mathrm{T}}_{\mathrm{B}}$ by classifier ${\mathrm{c}}_{\mathrm{k}}$.

As the circumstances between the classification results and training cannot be very consistent, the fuzzy measure must be adaptively adjusted to appropriately cope with the classification situation. However, after the classifiers training stage, the generated confusion matrix will be fixed. Consequently, if the Android malware classifier is constructed based on the static prior fuzzy density, then the classification accuracy of the fusion classifier may be decreased. It is logical to fine tune the fuzzy measure based on the adaptive details in the single classifier outputs.

To tune the fuzzy measure, two issues were considered: firstly, the confidence of classification results for each classifier, and secondly, the consistency between the classifications results for each classifier. For the confidence of each single classifier result, we considered the confidence improvement factor that is represented by α, which reduces the importance of the classifier when the confidence of the classifier results is less significant [49]. For the consistency between the classifier results, we considered the consistency improvement factor, which is represented by β. It reduces the significance of the classifier when the consistency of the classifier results is less important.

From the confusion matrix, a number of class-wise measures are obtained such as accuracy, precision, recall, and F1-score. In this study, the performance, P, of classifier $i$ is evaluated by considering the two classes simultaneously using the accuracy measure:

For a given Android app, the classification performance by classifier i is

$${\mathrm{P}}_{\mathrm{i}}=\frac{\mathrm{TP}+\mathrm{TN}}{\mathrm{TP}+\mathrm{TN}+\mathrm{FP}+\mathrm{FN}}$$

(7)

Let K $\subseteq$ N denote a subset of classifiers with Pk being the performance of classifier K for each I ϵ {1,2, …, n}. Then ${\mathsf{\mu }}_{\mathrm{i}}$ is the mean performance of classifiers S $\subseteq$ N with |S| = i

$${\mathsf{\mu }}_{\mathrm{i}}=\frac{1}{\mathrm{D}}{{\displaystyle \sum }}_{\mathrm{S}\subseteq \mathrm{N},\left|\mathrm{S}\right|=\mathrm{i}}{\mathrm{P}}_{\mathrm{S}}$$

(8)

where D =$\left(\begin{array}{c}\mathrm{n}\\ \mathrm{i}\end{array}\right)$ denotes the number of sets in the level i of measure and ${\mathsf{\mu }}_0$= 0. The confidence improvement factor α and consistency improvement factor β of classifier ck for the Android app $a_i$ are represented as follows:

For single classifiers, the confidence improvement factor is

$${\alpha }_i=p_i$$

(9)

The confidence improvement factor and consistency improvement factor for a sub set of classifiers are calculated using Equations (10) and (11), respectively, in order to consider the diversity between classifiers:

$${\alpha }_i=\frac{1}{n}+\frac{\tanh \left(100\ast \left(P_i-{\mu }_i\right)\right)}{2n}$$

(10)

$${\beta }_i^k={\displaystyle \prod }_{i=1}^k{\gamma }^{ki}$$

(11)

where the ${\gamma }^{ki}$ denote the consistency between the classification results from classifier k and the classification result from classifier i. Assume classifier k divides the Android app $a_i$ as malware app (X) while classifier i classifies the Android app a_i as a goodware app (Y), then the ${\gamma }^{ki}$ is calculated as follows:

$${\gamma }^{ki}=\left\{\begin{array}{cc}1-\left(s_{kX}-S_{iX}\right)\hfill & \hfill X\ne Y\\ 1\hfill & \hfill X=Y\end{array}\right.$$

(12)

The updated fuzzy measure is computed as follows:

$${\mathrm{g}}_i={\alpha }_i\ast {\beta }_i^k$$

(13)

To classify the Android apps using the Choquet fuzzy integral, we used steps in Figure 4.

5. Results and Discussion

To investigate the efficiency of the proposed fuzzy Integral-based multi-classifier ensemble for Android malware classification, in this section we conduct a performance comparison between the proposed approach and the five state-of-the-art single classifiers, i.e., Xgboost, Random Forest, Decision Tree, AdaBoost, and LightGBMM using a real-world dataset. Moreover, we compared the performance of the proposed approach with the other research in the literature for Android malware classification.

The Choquet integral is employed with the fuzzy measures obtained from the single and all possible sets of classifiers to find the final classification of the Android app, either as a malware or goodware app. For further illustration, the classification with the arithmetic mean is considered to demonstrate that utilizing an appropriate fuzzy measure combined with the Choquet integral can achieve classifications that are more accurate.

The results of the classification obtained by each of the classifiers (namely, XGBoost (C1), Random Forest (C2), Decision Tree (C3), AdaBoost (C4), and LightGBM (C5), for 10 Android apps randomly selected from the used dataset are shown in

Table 3. Classification of Android Apps using individual classifiers, the Choquet fuzzy integral, and arithmetic mean.

Android Apps	XGBoost	Random Forest	Decision Tree	AdaBoost	Light-GBM	Actual	$\widehat{\mathit{y}}$C	$\widehat{\mathit{y}}$µ
App1	0.1944	0.0033	0.0032	0.4870	0	0	0	0
App2	0.7831	0.9936	0.9930	0.5072	0.9920	1	1	1
App3	0.2605	0.1132	0.1135	0.4959	0.1135	0	0	0
App4	0	0.2605	0.4984	0.6121	1	1	1	0
App5	0.1944	0.0033	0.0032	0.4870	0.0034	0	0	0
App6	0.6965	0.8627	0.8628	0.5049	0.8606	1	1	1
App7	0.1944	0.0033	0.0032	0.4870	0	0	0	0
App8	0.7831	0.9858	0.9873	0.5133	0.9877	1	1	1
App9	0.7831	0.9858	0.9873	0.5133	0.9877	1	1	1
App10	0.6965	0.8627	0.8628	0.5049	0.8606	1	1	1

. The true labels for the Android apps are provided in column Y, while column $\widehat{y}$µ and $\widehat{y}$ C represent the obtained output based on the Choquet fuzzy integral and arithmetic mean. Each classification result denotes the probability of each Android app belonging to malware class 1 (p(y = 1|x), or goodware class p(y = 0|x) = 1 − p(y = 1|x)).

To build the fuzzy measures, we iterated through all the probable sets of classifiers and calculated their performance. The performance of a set of classifiers is computed using the arithmetic mean of the classification results for the classifiers in the set. Then, each Android app is classified as malware or goodware app by selecting the class that belongs to the greatest aggregated output. Lastly, the performance of the classifier(s) is provided by comparing the classification results of the sub-ensemble with the actual results.

Table 4. Classification performance of single classifier and all possible sets of classifiers.

Sub-Ensemble of Classifiers	Performance Score	Average Performance Score
Decision Tree	0.9477	0.9408
AdaBoost	0.9366
Random Forest	0.9495
XGBoost	0.9224
LightGBM	0.9482
Decision Tree, Random Forest	0.9503	0.9465
Decision Tree, XGBoost	0.9503
Decision Tree, AdaBoost	0.9238
Decision Tree, LightGBM C5	0.9491
Random Forest, Decision Tree	0.9482
Random Forest, AdaBoost	0.9493
Random Forest, LightGBM	0.9491
Decision Tree, AdaBoost	0.9480
Decision Tree, LightGBM	0.9484
AdaBoost, LightGBM	0.9491
Decision Tree, Random Forest, XGBoost	0.9503	0.9493
Decision Tree, Random Forest, AdaBoost	0.9503
Decision Tree, Random Forest, LightGBM	0.9491
Decision Tree, AdaBoost, LightGBM	0.9491
Random Forest, XGBoost, AdaBoost	0.9482
Random Forest, XGBoost, LightGBM	0.9488
Random Forest, AdaBoost, LightGBM	0.9491
XGBoost, Decision Tree, LightGBM	0.9486
XGBoost, Decision Tree, AdaBoost	0.9503
Decision Tree, Random Forest, Decision Tree, AdaBoost	0.9503	0.9495
Decision Tree, Random Forest, XGBoost, LightGBM	0.9488
Decision Tree, Random Forest, XGBoost, AdaBoost, LightGBM	0.9488	0.9488

shows the performances of the single and all possible sets of classifiers.

Considering the data in Table 4 and Equation (12), we can construct the fuzzy measure for the single classifiers and all the possible sets of classifiers as shown in Figure 5.

After constructing the fuzzy measure as shown in Figure 5, we can classify each Android application as malware or goodware using the Choquet integral. For example, we will consider the process of classifying the fourth Android app in Table 3. The probabilities of App4 belonging to malware class given by each classifier are PC1 (y = 1|App4) = 0.0000, PC2 (y = 1|App4) = 0.2605, PC3 (y = 1|App4) = 0.4984, PC4 (y = 1|App4) = 0.6121and PC5 (y = 1|App4) = 1.0000. Since PC3 (y = 1|App4) < PC1 (y = 1|App4) < PC2 (y = 1|App4) < PC4 (y = 1|App4) < PC5 (y = 1|App4), and the coefficients of the fuzzy measures that are significant for the classification of App4 are m({C1,C2, C3, C4,C5}), m({C1,C2, C3, C4}), m({C4, C2, C5}), m({C2, C4}), and m({C2}) (see blue path in Figure 2). Thus, the aggregation of scores for malware class is given by:

Cm(0.0000, 0.2605, 0.4984, 0.6121, 1.0000) = 0.0000 * m({ C1,C2, C3, C4,C5})+ (0.2605 − 0.0000)* m({ C1,C2, C3, C4}) + (0.4984- 0.2605)* m({C4, C2, C5}) + (0.612172 − 0.498429)* m({C2, C4}) + 1.0000* m({C2}) = 0.0000 *(1) + (0.2605 − 0.0000) *(0.8624)+ (0.4984 − 0.2605)*(0.6698)+ (0.612172 − 0.498429) * (0.4268) + (1 − 0.612172) * (0.9495) = 0.8008. Since 0.8008 > 0.5, the proposed approach classifies the fourth Android app as a malware app. The fuzzy measures utilized in the classification of the fourth Android app are illustrated by the blue paths in Figure 5. However, if the arithmetic mean is considered for the classification of the fourth Android app, the result would be (0 + 0.260513 + 0.498429 + 0.612172 + 1)/5 = 0.4742, and since 0.4742 < 0.5, the classification result would be goodware app, which is an incorrect classification result. Noticing that the true class label for the fourth Android app is 1, the proposed approach correctly classified the fourth Android app, due to its ability to consider the interactions among classifiers.

Table 5. Performance comparison between the proposed approach and other approaches.

Classifier	Accuracy	Precision	Recall	F1-Score
Random Forest	0.9495	0.8950	0.9680	0.9301
LGBM	0.9482	0.8921	0.9674	0.9282
Decision Tree	0.9480	0.8950	0.9639	0.9284
AdaBoost	0.9366	0.9251	0.9076	0.9163
XGBoost	0.9224	0.9192	0.8793	0.8988
Arithmetic Average	0.9486	0.9669	0.8940	0.92910
The proposed	0.9508	0.9240	0.9463	0.9350

shows that the proposed Choquet integral-based ensemble of classifiers achieved the highest accuracy of 95.08%, which outperform that of single classifiers and arithmetic mean approach. Moreover, the proposed approach achieved the highest F1-score of 0.9350. It can be seen that the capability of the proposed approach to synthesize various classifiers classification outputs and take the benefits of each single classifier made it more effective, enabling it to achieve better performance and outperform the single classifiers and arithmetic mean approach. In addition to the basic measures listed above, the statistical significance of the proposed approach and other methods was measured. Figure 6 presents the critical difference diagram, where the models with statistically similar values of performance are connected to one another.

The AUC is an important and useful evaluation of the overall performance [50]. An AUC with a high score indicates greater classification performance. As shown in Figure 7, the proposed approach achieved the highest AUC value of 95.0%, which demonstrates the ability of the proposed approach to differentiate between Android malware and goodware apps.

In order to highlight the significance of our proposed approach, we compared its results with other published approaches in terms of accuracy. The suggested approach performs better than all the other approaches listed in

Table 6. Comparison between the proposed approach and other approaches.

Reference Approach	Accuracy
Altaher [9]	90%
Altaher and BaRukab [11]	91%
Abdulla and Altaher [10]	75%
Arp et al. [22]	94%
Firdaus et al. [23]	90%
Talha et al. [30]	88%
Taha and Malebary [32]	94.63%
Salah et al. [51]	99%
Yerima et al. [52]	93.1%
Sanz et al. [53]	85.8%
The proposed approach	95.08%

, including our previous research [9,11,32], due to its ability to leverage the advantages of ensemble learning and adaptive fuzzy measures. Salah et al. [51] proposed the technique that attained the highest accuracy of 99%; however, they employed Android malware app features that differed from the features used in this study.

6. Conclusions

Android malware’s continual growth poses a significant threat to the security of sensitive data and the privacy of smartphone users. It is critical to develop effective and fast methods for distinguishing Android malicious applications from legitimate applications. Android malware classification techniques based on multiple classifier fusion have been a growing trend in this field. This paper proposed a multi-classifier ensemble based on fuzzy integrals for detecting Android malware. The suggested technique combines and integrates the classification results of several classifiers, including XGBoost, Random Forest, Decision Tree, AdaBoost, and LightGBM, using the Choquet fuzzy integral as an aggregation function. The suggested approach can inherit the advantages of basic classifiers while avoiding their drawbacks. Additionally, the suggested technique is capable of taking into account classifier interactions. The experimental results indicate that combining several classifiers based on the Choquet fuzzy integers outperforms individual classifiers and achieves the highest accuracy of 95.08%. The limitation of the proposed approach is its inability to detect obfuscated Android malware apps. For future work, we aim to explore more advanced Android malware apps’ features and techniques for integrating multiple classifiers to classify the Android malware apps.