Abstract
Today, smartphones are used by the majority of internet users worldwide, and Android has become the most popular smartphone operating system on the market. The growth in the use of smartphones in general, and of the Android system specifically, creates a stronger requirement to protect Android effectively, as malware developers aim to create advanced and sophisticated malware applications. Cybercriminals utilize evasive attack tactics, namely obfuscation or dynamic code triggering, to evade the system. Standard static analysis methods fail to recognize such attacks. Mitigating a wide variety of evasive attacks requires a refined, dynamic, and analytical framework. Conventional artificial intelligence (AI), particularly machine learning (ML) methodologies, are no longer effective in detecting all new and complex malware types. A deep learning (DL) model, which differs substantially from conventional ML models, offers a possible solution to the detection of each new malware variant. In this manuscript, an Approach for Improving Malware Detection Performance Using a Hybrid Deep Learning Framework (IMDP-HDL) is proposed. The primary objective of the IMDP-HDL methodology is to ensure the effective and scalable deployment of malware detection in real-world cybersecurity environments. Initially, the Z-score standardization is utilized to ensure consistent feature scaling and model performance. For the malware detection process, a hybrid model combining a convolutional neural network, bi-directional long short-term memory, and self-attention mechanism (CBiLSTM-SA) is employed. A broad range of experimentation with the IMDP-HDL model is performed using the Android malware dataset. The comparison analysis of the IMDP-HDL model demonstrated a superior accuracy value of 99.22% over existing techniques.
Keywords: Malware detection, Threats, Cybercriminals, Android, Long short-term memory, Deep learning
Subject terms: Computer science, Information technology
Introduction
In the digital era, malware has affected numerous computing systems. Malware, or malicious software, is developed to achieve the harmful intentions of the hacker. Malware attacks networks, smart devices, and computers, damages vital infrastructure, and extracts confidential information1. The concept of the information society has evolved significantly with the advent of the Internet of Things (IoT) and its diverse applications. On the other hand, security issues pose a significant obstacle to achieving the benefits of this industrial progress, as malicious actors target specific computers and systems to obtain confidential data for financial gain and interfere with these systems2. Those malicious actors use malware to discover system weaknesses and present possible threats. Software developed to damage an operating system is likewise called malware. Malware attacks have increased significantly as daily communications have undergone a substantial change due to the growth of mobile technology3. Social networking, e-learning, web browsing, online shopping, and online banking are some services that can be accessed through mobile devices when an internet connection is established. Therefore, mobile devices play a significant role and are an integral part of the daily routine4. Cybercriminals frequently employ malware to launch cyberattacks. Malware is any software that performs suspicious and unwanted activities on a target's system. Malware is classified into several forms, including ransomware, rootkits, Trojans, worms, and viruses. Malware types can steal private information, initiate Distributed Denial of Service (DDoS) attacks, and compromise the computer's security5. Novel malware types utilize concealment techniques, such as encryption and packing, to remain undetected on the target's device. These novel types spread by exploiting human trust as a transmission path.
For example, opening files, downloading fake applications, and accessing and downloading files from fraudulent websites are standard methods by which malware spreads6.
To safeguard computer systems, it is necessary to detect malware once it compromises them. Malware detection involves inspecting a suspicious file and determining whether it is malware or benign. Malware classification is a further step: once the file is recognized as malware, it is assigned to a specific family or type of malware7. ML and DL methodologies have shown their ability to identify malware in numerous research studies, such as Android application analysis or other cybersecurity domains8. Malware detection investigations employing ML are becoming increasingly popular since they are an effective approach that generates higher detection precision. Earlier research used ML techniques, which make decisions once they learn from the data patterns. ML is the idea of reducing human involvement in computing systems9. The DL-driven approach is employed as a novel model to address the shortcomings of existing malware detection and classification methodologies. Although it has not been widely deployed in cybersecurity, it has been utilized in malware detection. DL is a subset of AI that operates on the basis of artificial neural networks10. The rapid expansion of connected devices and digital infrastructures has increased the vulnerability of systems to advanced cyber threats. Malicious programs are compromising new entry points and conventional security measures. This growing complexity makes the timely and accurate detection of harmful software significant for safeguarding sensitive data and maintaining system integrity. Addressing these challenges requires advanced detection techniques that can adapt to evolving threats while minimizing false alarms. Therefore, improving malware detection methods is crucial for strengthening cybersecurity in modern digital environments.
In this manuscript, an Approach for Improving Malware Detection Performance Using a Hybrid Deep Learning Framework (IMDP-HDL) is proposed. The primary objective of the IMDP-HDL methodology is to ensure the effective and scalable deployment of malware detection in real-world cybersecurity environments. Initially, the Z-score standardization is utilized to ensure consistent feature scaling and model performance. For the malware detection process, a hybrid model combining a convolutional neural network, bi-directional long short-term memory, and self-attention mechanism (CBiLSTM-SA) is employed. A broad range of experimentation with the IMDP-HDL model is performed using the Android malware dataset. The significant contribution of the IMDP-HDL model is listed below.
The IMDP-HDL method applies Z-score standardization to effectively preprocess the data, ensuring that features are normalized for improved training stability and performance. This step helps mitigate variability and scale the input data appropriately, thereby improving the overall accuracy of the malware detection system.
The IMDP-HDL approach utilizes the SHO technique to effectively select the most relevant features, thereby mitigating dimensionality while preserving crucial data. This process streamlines the dataset, enhancing model training speed and accuracy. By concentrating on key attributes, the approach improves malware detection performance.
The IMDP-HDL methodology effectively performs malware detection by incorporating CNN, BiLSTM, and self-attention mechanisms (CBiLSTM-SA) models for capturing spatial and temporal features. This integration enhances the model’s ability to comprehend intrinsic patterns in malware data. As a result, it significantly improves detection accuracy and robustness.
The IMDP-HDL model integrates a hybrid DL technique, resulting in improved malware detection accuracy and efficiency. This integration enables more effective feature selection, distinguishing it from existing methods. The novelty is in using DL methods to enhance detection performance.
Prior research on malware detection
Anand et al.11 developed MALITE, a lightweight malware analysis system. MALITE transforms a binary into an RGB or grayscale image, requiring low battery and memory consumption, and utilizes computationally efficient malware analysis tactics. The authors developed MALITE-MN, a lightweight NN-aided framework, and MALITE-HRF, an ultra-lightweight Random Forest (RF)-based technique, which employs histogram features extracted through a sliding window. Jeon et al.12 proposed a triple-level malware detection (TMaD) model that utilizes a cloud-fog-edge collaborative design for analyzing multi-view executable file features and detecting malware. TMaD executes signature-based malware detection in the edge device tier and transmits executables identified as benign or unknown to the fog tier. The fog tier performs static analysis on unobscured executables and those transmitted from the earlier tier to identify numerous malware samples. Baawi et al.13 introduced a ground-breaking malware detection classifier specially created to rectify the inadequacies of conventional ML procedures, namely SVM and KNN. This procedure relies on log-spectral distance as a basic measure, enabling an accurate and efficient method for detecting malware. Poornima and Mahalakshmi14 proposed a new MAD in Android through deep belief NETwork (MAD-NET) technique. Within feature extraction, the data is categorized into two types: signature- and behaviour-based data. The extracted features are transformed into a data sequence and passed to the categorization stage. The DBN approach in the classification process categorizes the benign and malevolent data. Kumar and Kumar15 presented a different image-based malware identification scheme deploying an SDN honeypot, an autoencoder (AE), and a CNN. This scheme converts binary programs to grayscale images and extracts text features by deep CNN frameworks through TL. Then, the extracted feature dimensions are lowered by an AE.
Jo et al.16 proposed a vision transformer (ViT)-based malware recognition technique and malevolent behaviour elimination through attention mapping. Buriro et al.17 proposed an ML-based malware detection approach named MalwD&C. This approach leverages ML classifiers to examine PE files and categorize malware or benign files. Dabas et al.18 recommended an innovative malware detection system for the Windows platform that relies on feature selection, API calls, and ML models. It extracts API call data into three types: API call usage, frequency, and sequences, to generate three feature sets. This feature set is enhanced by the TF-IDF model and merged to produce a broader and stronger set of features.
Al-Ghanem et al.19 developed a lightweight attention-based deep convolutional neural network (DNN-CNN) model. Principal component analysis (PCA) is used for feature extraction, and the synthetic minority oversampling technique (SMOTE) addresses data imbalance. Chen, Wu, and Huang20 proposed a lightweight dual attention module (LDAM) for malware image classification. The model attained high classification accuracies when integrated with EfficientNet. Wajahat et al.21 proposed a robust hybrid DL approach by integrating Convolutional Neural Networks (CNN) and long short-term memory (LSTM) to detect Android malware effectively. Alsumaidaee, Yahya, and Yaseen22 proposed hybrid DL models, CNN-LSTM and 1D-CNN-LSTM, for accurate and real-time malware detection and classification. Qureshi et al.23 developed a thematic taxonomy of network forensic techniques. Alohali et al.24 proposed the Malware Detection Model in the Internet of Vehicles Using DL-Based Explainable Artificial Intelligence (MDMIoV-DLXAI) technique. The model utilizes min-max normalization, reptile search algorithm (RSA)-based feature selection, a hybrid BiLSTM with Multi-Head Self-Attention for classification, and pelican optimization algorithm (PCA) for tuning. Additionally, SHAP is employed for explainability. Wajahat et al.25 presented a DL methodology by utilizing a deep neural decision forest classifier to detect Android malware effectively. Al Ogaili et al.26 proposed AntDroidNet by integrating ant colony optimization (ACO) for feature selection and deep neural networks (DNNs) for classification. Wajahat et al.27 developed an efficient Android malware detection method using data preprocessing, feature selection, and ML classifiers, specifically RF and support vector machine (SVM) models, to achieve high accuracy and reliability. 
Awwal and Naval28 proposed a hybrid DL-based adversarial malware detection model that utilizes the boundary value-assisted remora-smart flower optimization (BVR-SFO) technique for optimal feature selection and hyperparameter tuning. The model integrates AE, 1DCNN, and bi-directional LSTM (BiLSTM) within an average-based ensemble DL (AEDL) technique.
Existing studies reveal threats associated with handling large-scale and imbalanced datasets, which can lead to potential performance degradation in real-world scenarios. Some models require high resource consumption and computational complexity, which limits their deployment on low-power or mobile devices. Furthermore, some models show reduced efficiency against zero-day attacks and also lack adaptability to growing malware variants. There is also a limited focus on explainability and interpretability, which is crucial for trust and practical deployment. The research gap is in developing lightweight, scalable, and adaptive models that maintain high accuracy while efficiently managing imbalanced data and providing explainable outcomes, all within resource-constrained environments. Moreover, integrating robust feature selection methods with hybrid models remains underexplored, which could enhance detection accuracy, mitigate false positives, and maintain efficiency.
Methodological framework
This paper presents the IMDP-HDL technique. The primary objective of the IMDP-HDL technique is to ensure the effective and scalable deployment of malware detection in real-world cybersecurity environments. It encompasses standardization, feature selection, hybrid malware detection, and hyperparameter tuning. Figure 1 demonstrates the complete process of the IMDP-HDL approach.
Fig. 1.
Complete process of IMDP-HDL technique.
Z-score standardization
At the initial stage, the presented IMDP-HDL method applies Z-score standardization to ensure consistent feature scaling and enhance model performance29. This is chosen for its efficiency in normalizing data by centring features around a mean of zero and scaling to unit variance, which assists in handling datasets with varying scales and distributions. This technique is more robust to outliers because it accounts for the data's spread, unlike min-max scaling, which compresses data within a fixed range and is sensitive to outliers. This also ensures that each feature contributes equally during model training, enhancing convergence and stability of learning algorithms. It is specifically beneficial for algorithms sensitive to feature scales, such as neural networks and optimization methods. Overall, Z-score standardization improves the model's performance by providing a consistent and balanced input feature space.
Z-Score Standardisation (Normal Scaling): This model converts the features by subtracting the mean and dividing by the standard deviation, resulting in data with a standard deviation of 1 and a mean of 0. It is particularly efficient for methods that typically accept uniformly distributed input features, such as linear and logistic regression.
The
-score normalization for a feature
' is computed utilizing the Eq. (1).
Eq. (1) [equation image not reproduced]
whereas,
characterizes the new value,
refers to the standardized value,
refers to the average feature
, and
denotes the standard deviation of
.
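As an added example (not code from the paper), the following pure-Python routine performs the Z-score standardization described above. Two points the description leaves implicit are made explicit: the mean and standard deviation are estimated on the training rows only and then reused for held-out rows, so that test data cannot leak into the scaler, and a constant feature (standard deviation 0) is mapped to 0 instead of producing a division by zero. The feature matrix is constructed for illustration; the column names are assumptions.

```python
from math import sqrt


def fit_zscore(train_rows):
    """Per-feature mean and population standard deviation of the training rows.

    Returns (means, stds). A feature whose std is 0 gets std 1.0 so that
    apply_zscore maps it to 0 everywhere instead of dividing by zero.
    """
    n_features = len(train_rows[0])
    means, stds = [], []
    for j in range(n_features):
        column = [row[j] for row in train_rows]
        mean = sum(column) / len(column)
        variance = sum((v - mean) ** 2 for v in column) / len(column)
        std = sqrt(variance)
        means.append(mean)
        stds.append(std if std > 0 else 1.0)  # guard against constant features
    return means, stds


def apply_zscore(rows, means, stds):
    """z = (x - mean) / std, using statistics fitted on the training split."""
    return [[(v - m) / s for v, m, s in zip(row, means, stds)] for row in rows]


def column_stats(rows, j):
    """Mean and population std of column j; used to verify the result."""
    column = [row[j] for row in rows]
    mean = sum(column) / len(column)
    std = sqrt(sum((v - mean) ** 2 for v in column) / len(column))
    return mean, std


# Constructed sample (assumed columns: permission count, API-call count, a
# constant flag). Four training apps and one held-out app.
TRAIN = [[2, 150, 1], [4, 300, 1], [6, 50, 1], [8, 100, 1]]
TEST = [[10, 200, 1]]


def demo():
    """Fit on TRAIN, transform both splits, return everything for inspection."""
    means, stds = fit_zscore(TRAIN)
    z_train = apply_zscore(TRAIN, means, stds)
    z_test = apply_zscore(TEST, means, stds)  # same statistics, no refit
    return means, stds, z_train, z_test


if __name__ == "__main__":
    for name, value in zip(("means", "stds", "z_train", "z_test"), demo()):
        print(name, value)
```

After transformation each training column has mean 0 and standard deviation 1 (checked with `column_stats`), while the held-out row is scaled with the training statistics and so may legitimately fall outside the training range.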
CBiLSTM-SA hybrid technique for malware detection
The hybridization of the CBiLSTM-SA model is employed. CNN is mainly responsible for effectively extracting data features30. This model integrates the merits of CNN, BiLSTM, and SA mechanisms to capture both local and long-range dependencies in malware data effectively. CNN extracts spatial features, while BiLSTM processes sequential patterns in both forward and backward directions, improving context understanding. The SA mechanism further enhances the model by focusing on the most relevant aspects of the input, thereby improving interpretability and accuracy. Compared to standalone models, this hybrid approach presents superior performance in detecting complex and growing malware patterns, making it more robust and reliable for real-world cybersecurity applications. Figure 2 indicates the structure of the CBiLSTM-SA model.
Fig. 2.
Structure of CBiLSTM-SA technique.
By sliding convolutional kernels over the input data in its convolutional layers, a CNN can automatically discover local features within the data. Furthermore, the translation invariance of a CNN allows it to identify target features regardless of their location in the input data, making it particularly well suited to grid-structured data. The convolutional layer is the fundamental component of a CNN, and its primary operation is the convolution. The convolution operation is defined by Eq. (2):
Eq. (2) [equation image not reproduced]
Assume the input mathematical data is
with sizes
, whereas
represents input channel counts, and
and
characterize width and height, respectively. The convolutional kernel is denoted as
, with dimensions
, where
represents the number of output channels, and
and
denote the width and height of the kernel, respectively. The output feature mapping
has a size of
. Here,
refers to the output channel index,
characterizes the spatial position on the output feature mapping,
symbolizes the input channel index,
represents position inside the kernel, and
indicates the bias term for the
output channel. To present nonlinear features, an activation function typically handles the output of the convolutional layer.
Eq. (3) [equation image not reproduced]
If the input
, the output is
; if
, the output is
. The ReLU function is computationally efficient and effectively alleviates the problem of vanishing gradients.
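As an added example (not code from the paper), the convolution of Eq. (2) and the ReLU of Eq. (3) written out as explicit loops, so that the roles of the input channels, the kernel positions, the bias term and the output channel index described above are visible. It assumes stride 1, no padding and the cross-correlation convention used by DL frameworks; the input, kernels and biases are constructed so that the result can be checked by hand.

```python
def conv2d(x, kernels, bias):
    """Multi-channel 2-D convolution (cross-correlation), stride 1, no padding.

    x:       input  [c_in][h][w]
    kernels: weights [c_out][c_in][k_h][k_w]
    bias:    one bias per output channel [c_out]
    returns: feature maps [c_out][h - k_h + 1][w - k_w + 1]
    """
    c_in, h, w = len(x), len(x[0]), len(x[0][0])
    c_out = len(kernels)
    k_h, k_w = len(kernels[0][0]), len(kernels[0][0][0])
    out_h, out_w = h - k_h + 1, w - k_w + 1
    y = [[[0.0] * out_w for _ in range(out_h)] for _ in range(c_out)]
    for o in range(c_out):                 # output channel index
        for i in range(out_h):             # spatial position on the output map
            for j in range(out_w):
                acc = float(bias[o])       # bias term of output channel o
                for c in range(c_in):      # input channel index
                    for u in range(k_h):   # position inside the kernel
                        for v in range(k_w):
                            acc += kernels[o][c][u][v] * x[c][i + u][j + v]
                y[o][i][j] = acc
    return y


def relu(t):
    """Eq. (3): pass positive values through, clamp the rest to 0."""
    if isinstance(t, list):
        return [relu(v) for v in t]
    return t if t > 0 else 0.0


# Constructed input: two 3x3 channels (a ramp and the identity pattern).
SAMPLE_INPUT = [
    [[1, 2, 3], [4, 5, 6], [7, 8, 9]],
    [[1, 0, 0], [0, 1, 0], [0, 0, 1]],
]
# Two 2x2 kernels: kernel 0 sums channel 0 only, kernel 1 sums channel 1 only.
SAMPLE_KERNELS = [
    [[[1, 1], [1, 1]], [[0, 0], [0, 0]]],
    [[[0, 0], [0, 0]], [[1, 1], [1, 1]]],
]
SAMPLE_BIAS = [-20, 0]   # negative bias on channel 0 so ReLU has something to clamp


def demo():
    """Return (pre-activation maps, ReLU-activated maps) for the sample."""
    pre = conv2d(SAMPLE_INPUT, SAMPLE_KERNELS, SAMPLE_BIAS)
    return pre, relu(pre)


if __name__ == "__main__":
    pre, post = demo()
    print("conv:", pre)
    print("relu:", post)
```

For the sample, output channel 0 is the 2x2 window sums of the ramp (12, 16, 24, 28) shifted by the bias of -20, and ReLU clamps the two negative entries to 0; output channel 1 counts the identity diagonal inside each window.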
Bi-LSTM is a form of LSTM that combines two LSTM layers: a forward and a backward LSTM layer. Bi-LSTM captures both the forward and the backward dependencies of the sequence concurrently, allowing a more complete understanding of the sequence information. LSTM introduces the idea of the memory cell, which gives it the capability to preserve longer-term information in input sequences. The mathematical formulation of LSTM is as follows:
Eqs. (4)–(6) [equation images not reproduced]
The updating procedure of the cell state is as demonstrated:
Eqs. (7)–(8) [equation images not reproduced]
For every gate, the updating procedure of the cell state is as shown:
Eq. (9) [equation image not reproduced]
The output of Bi-LSTM is the connection of the outputs from the forward and the backwards LSTM layers:
Eq. (10) [equation image not reproduced]
and
characterize the states of the forget gate, output gate, and input gate, correspondingly.
denotes candidate cell state,
refers to cell state,
signifies hidden layer (HL),
represents the Sigmoid activation function,
refers to hyperbolic tangent activation function;
and
represent networking weights and biased parameters;
refers to input at time step
; and
denote HL from the preceding time step.
and
indicate the output of the forward and reverse LSTM layer at time-step
.
Unlike models with convolutional or recurrent structures, SA has no built-in notion of sequence order and cannot directly use positional information. To address this, positional encoding is generated using sine and cosine functions, embedding time-step information into the input data so that positions within the sequence can be identified. SA excels at modelling long-range dependencies in data by computing dependencies among different positions in the sequence through a weighted summation. The input sequence with positional encoding is converted into queries, keys, and values using the parameter matrices
and
, after which the attention vector is computed as designated in Eq. (11):
Eq. (11) [equation image not reproduced]
Now,
illustrates the size of the three matrices, and
acts as the scaling factor.
The SA mechanism is a DL model that captures global dependency by dynamically computing correlation weights among every component and each other in the sequence. Its fundamental steps include: converting the input sequence into queries
, keys
, and values
through linear transformations; calculating the dot product of
and
, followed by scaling; producing attention weights; and then performing a weighted summation over
to output a reconstructed feature representation.
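As an added example (not code from the paper), the BiLSTM stage and the self-attention stage described above, in NumPy: one LSTM direction unrolled over time, the two directions concatenated per time step, sinusoidal positional encoding added, and scaled dot-product self-attention with the softmax-normalized weights returned alongside the context. The gate ordering (forget, input, output, candidate) and the use of small random weights in place of trained ones are assumptions, since the paper's Eqs. (4)–(11) are not reproduced on the page; the input sequence is constructed and stands in for the CNN feature maps that would feed this stage.

```python
import numpy as np


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def lstm_layer(xs, W, U, b):
    """One-direction LSTM over xs of shape (T, d_in); returns hidden states (T, H).

    W: (4H, d_in) input weights, U: (4H, H) recurrent weights, b: (4H,) biases.
    Gate blocks are stacked as forget, input, output, candidate (assumption).
    """
    H = U.shape[1]
    h, c = np.zeros(H), np.zeros(H)
    outputs = []
    for x in xs:
        z = W @ x + U @ h + b
        f = sigmoid(z[:H])            # forget gate
        i = sigmoid(z[H:2 * H])       # input gate
        o = sigmoid(z[2 * H:3 * H])   # output gate
        g = np.tanh(z[3 * H:])        # candidate cell state
        c = f * c + i * g             # cell-state update
        h = o * np.tanh(c)            # hidden state
        outputs.append(h)
    return np.stack(outputs)


def bilstm_layer(xs, fwd, bwd):
    """Concatenate forward and backward hidden states at each time step -> (T, 2H)."""
    h_fwd = lstm_layer(xs, *fwd)
    h_bwd = lstm_layer(xs[::-1], *bwd)[::-1]   # run on the reversed sequence, realign
    return np.concatenate([h_fwd, h_bwd], axis=1)


def positional_encoding(T, d):
    """Sinusoidal encoding: sine on even dimensions, cosine on odd ones (d may be odd)."""
    pe = np.zeros((T, d))
    pos = np.arange(T, dtype=float)[:, None]
    div = np.exp(-np.log(10000.0) * np.arange(0, d, 2) / d)
    pe[:, 0::2] = np.sin(pos * div)
    pe[:, 1::2] = np.cos(pos * div)[:, : d // 2]
    return pe


def self_attention(x, Wq, Wk, Wv):
    """Scaled dot-product self-attention. Returns (context (T, d_k), weights (T, T))."""
    Q, K, V = x @ Wq, x @ Wk, x @ Wv
    scores = Q @ K.T / np.sqrt(Q.shape[1])            # scale by sqrt(d_k)
    scores = scores - scores.max(axis=1, keepdims=True)  # stable softmax
    weights = np.exp(scores)
    weights = weights / weights.sum(axis=1, keepdims=True)
    return weights @ V, weights


def random_lstm_params(rng, d_in, H):
    return (rng.normal(0.0, 0.1, (4 * H, d_in)),
            rng.normal(0.0, 0.1, (4 * H, H)),
            np.zeros(4 * H))


def zero_lstm_params(d_in, H):
    """All-zero parameters: every gate is 0.5 and the candidate is 0, so h stays 0."""
    return (np.zeros((4 * H, d_in)), np.zeros((4 * H, H)), np.zeros(4 * H))


def bilstm_sa_forward(seq, H, d_k, seed=0):
    """BiLSTM -> positional encoding -> self-attention on a (T, d_in) sequence."""
    rng = np.random.default_rng(seed)
    T, d_in = seq.shape
    fwd = random_lstm_params(rng, d_in, H)
    bwd = random_lstm_params(rng, d_in, H)
    hidden = bilstm_layer(seq, fwd, bwd) + positional_encoding(T, 2 * H)
    Wq, Wk, Wv = [rng.normal(0.0, 0.1, (2 * H, d_k)) for _ in range(3)]
    return self_attention(hidden, Wq, Wk, Wv)


# Constructed input: 6 time steps of 4 features (stand-in for CNN feature maps).
SAMPLE_SEQ = np.array([[0.1 * (t + 1), 0.5, -0.2 * t, 1.0] for t in range(6)])


if __name__ == "__main__":
    context, attn = bilstm_sa_forward(SAMPLE_SEQ, H=5, d_k=3)
    print("context", context.shape, "attention", attn.shape)
    print(np.round(attn, 3))
```

Each row of the returned attention matrix sums to 1, which is the property that lets it be read as "how much time step t draws on each other step"; with trained weights those rows are what the text calls the focus on the most relevant parts of the input.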
Experimental results and discussion
The performance analysis of the IMDP-HDL approach is examined using the Android malware dataset from the Kaggle repository31. The dataset comprises 15,036 samples with two classes, as described in Table 1. It contains 215 attributes, of which 177 are selected. The dataset is employed for developing and evaluating a multi-level fusion method for Android malware detection.
Table 1.
Details on the dataset.
| Classes | No. of samples |
|---|---|
| Malware Apps | 5560 |
| Benign Apps | 9476 |
| Total Samples | 15,036 |
Figure 3 describes a set of confusion matrices formed by the IMDP-HDL model on 500–3000 Epochs. After 500 epochs, the IMDP-HDL model classified 5379 samples as Malware Apps and 9422 samples as Benign Apps. Besides, at 1000 epochs, the IMDP-HDL methodology identified 5411 instances as Malware Apps and 9429 instances as Benign Apps. At the same time, on 2000 epochs, the IMDP-HDL methodology recognized 5432 samples as Malware Apps and 9429 samples as Benign Apps. At last, after 3000 epochs, the IMDP-HDL methodology identified 5492 samples as Malware Apps and 9427 samples as Benign Apps.
Fig. 3.
Confusion matrices of IMDP-HDL method (a–f) 500–3000 Epochs.
In Table 2 and Fig. 4, the malware detection results of the IMDP-HDL technique are presented for epochs ranging from 500 to 3000. The results indicate that the IMDP-HDL technique accurately identified both malware and benign app samples. With 500 epochs, the IMDP-HDL technique achieves an average accuracy of 98.44%, precision of 98.56%, recall of 98.09%, F-score of 98.32%, MCC of 96.65%, and Kappa of 96.74%. Also, with 1000 epochs, the IMDP-HDL technique attains an average accuracy of 98.70%, precision of 98.79%, recall of 98.41%, F-score of 98.60%, MCC of 97.20%, and Kappa of 97.26%. At the same time, with 1500 epochs, the IMDP-HDL method reaches an average accuracy of 98.75%, precision of 98.83%, recall of 98.49%, F-score of 98.65%, MCC of 97.32%, and Kappa of 97.26%. Also, with 2000 epochs, the IMDP-HDL method achieves an average accuracy of 98.84%, precision of 98.90%, recall of 98.60%, F-score of 98.75%, MCC of 97.50%, and Kappa of 97.57%. At last, with 3000 epochs, the IMDP-HDL method achieves an average accuracy of 99.22%, precision of 99.20%, recall of 99.13%, F-score of 99.16%, MCC of 98.33%, and Kappa of 98.41%.
Table 2.
Malware detection of the IMDP-HDL method under 500–3000 epochs.
| Class Labels | Accuracy | Precision | Recall | F-score | MCC | Kappa |
|---|---|---|---|---|---|---|
| Epoch − 500 | ||||||
| Malware Apps | 96.74 | 99.01 | 96.74 | 97.86 | 96.65 | 96.74 |
| Benign Apps | 99.43 | 98.12 | 99.43 | 98.77 | 96.65 | 96.74 |
| Average | 98.44 | 98.56 | 98.09 | 98.32 | 96.65 | 96.74 |
| Epoch − 1000 | ||||||
| Malware Apps | 97.32 | 99.14 | 97.32 | 98.22 | 97.20 | 97.26 |
| Benign Apps | 99.50 | 98.44 | 99.50 | 98.97 | 97.20 | 97.27 |
| Average | 98.70 | 98.79 | 98.41 | 98.60 | 97.20 | 97.26 |
| Epoch − 1500 | ||||||
| Malware Apps | 97.50 | 99.10 | 97.50 | 98.30 | 97.32 | 97.26 |
| Benign Apps | 99.48 | 98.55 | 99.48 | 99.01 | 97.32 | 97.27 |
| Average | 98.75 | 98.83 | 98.49 | 98.65 | 97.32 | 97.26 |
| Epoch − 2000 | ||||||
| Malware Apps | 97.70 | 99.14 | 97.70 | 98.41 | 97.50 | 97.59 |
| Benign Apps | 99.50 | 98.66 | 99.50 | 99.08 | 97.50 | 97.56 |
| Average | 98.84 | 98.90 | 98.60 | 98.75 | 97.50 | 97.57 |
| Epoch − 2500 | ||||||
| Malware Apps | 98.26 | 99.17 | 98.26 | 98.71 | 97.96 | 98.02 |
| Benign Apps | 99.51 | 98.98 | 99.51 | 99.25 | 97.96 | 98.03 |
| Average | 99.05 | 99.07 | 98.88 | 98.98 | 97.96 | 98.02 |
| Epoch − 3000 | ||||||
| Malware Apps | 98.78 | 99.12 | 98.78 | 98.95 | 98.33 | 98.42 |
| Benign Apps | 99.48 | 99.28 | 99.48 | 99.38 | 98.33 | 98.39 |
| Average | 99.22 | 99.20 | 99.13 | 99.16 | 98.33 | 98.41 |
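As an added example (not code from the paper), the following routine derives the Table 2 metrics from a 2x2 confusion matrix, using the class totals of Table 1 and the correctly classified counts reported for Fig. 3 (the missed malware and flagged benign apps follow by subtraction). Malware Apps is taken as the positive class. For the 3000-epoch matrix the standard definitions reproduce the table's accuracy, per-class precision, recall and F-score, the class-averaged precision, recall and F-score of the "Average" row (whose accuracy entry is the overall accuracy), and the MCC of 98.33. Cohen's kappa by its standard definition also evaluates to about 98.33 for this matrix, close to the MCC, whereas the table lists 98.41; that column is therefore not asserted against the table.

```python
from math import sqrt

MALWARE_TOTAL, BENIGN_TOTAL = 5560, 9476   # class sizes from Table 1
# Correctly classified (Malware Apps, Benign Apps) counts reported for Fig. 3.
FIG3_CORRECT = {500: (5379, 9422), 1000: (5411, 9429),
                2000: (5432, 9429), 3000: (5492, 9427)}


def _prf(t_pos, f_neg, f_pos):
    """Precision, recall and F-score for one class treated as positive."""
    precision = t_pos / (t_pos + f_pos) if t_pos + f_pos else 0.0
    recall = t_pos / (t_pos + f_neg) if t_pos + f_neg else 0.0
    f1 = (2 * precision * recall / (precision + recall)
          if precision + recall else 0.0)
    return {"precision": precision, "recall": recall, "f1": f1}


def metrics_from_confusion(tp, fn, fp, tn):
    """Binary metrics as fractions. tp/fn: malware found/missed, fp/tn: benign flagged/cleared."""
    n = tp + fn + fp + tn
    malware = _prf(tp, fn, fp)
    benign = _prf(tn, fp, fn)            # benign as positive: its misses are the fp
    macro = {k: (malware[k] + benign[k]) / 2 for k in malware}
    denom = sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    mcc = (tp * tn - fp * fn) / denom if denom else 0.0
    p_observed = (tp + tn) / n           # overall accuracy
    p_expected = ((tp + fp) * (tp + fn) + (fn + tn) * (fp + tn)) / (n * n)
    kappa = (p_observed - p_expected) / (1 - p_expected) if p_expected < 1 else 0.0
    return {"accuracy": p_observed, "malware": malware, "benign": benign,
            "macro": macro, "mcc": mcc, "kappa": kappa}


def as_percent(metrics):
    """Round every fraction in the (nested) metrics dict to a 2-decimal percentage."""
    return {k: as_percent(v) if isinstance(v, dict) else round(v * 100, 2)
            for k, v in metrics.items()}


def table2_row(epochs):
    """Rebuild the metrics for one epoch count from the Fig. 3 counts."""
    tp, tn = FIG3_CORRECT[epochs]
    fn = MALWARE_TOTAL - tp   # malware apps classified as benign
    fp = BENIGN_TOTAL - tn    # benign apps classified as malware
    return as_percent(metrics_from_confusion(tp, fn, fp, tn))


if __name__ == "__main__":
    for epochs in sorted(FIG3_CORRECT):
        print(epochs, table2_row(epochs))
```

Recomputing a published table this way is a cheap sanity check a reviewer or practitioner can run on any detection paper before trusting its headline numbers: when the per-class rows, the averages and the MCC all follow from the same four counts, the reported confusion matrix and the reported metrics are at least mutually consistent.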
Fig. 4.
Average of IMDP-HDL method (a–f) 500–3000 Epochs.
In Fig. 5, the training accuracy (TRAAY) and validation accuracy (VLAAY) outcomes of the IMDP-HDL technique under 3000 Epochs are shown. The figure highlights that the TRAAY and VLAAY values rise over the iterations, reflecting the increasing proficiency of the IMDP-HDL technique. Furthermore, the TRAAY and VLAAY remain close through the epochs, which indicates limited overfitting and improved results of the IMDP-HDL methodology, ensuring reliable prediction on unseen samples.
Fig. 5.
Accuracy curve of IMDP-HDL technique under 3000 Epochs.
In Fig. 6, the training loss (TRALO) and validation loss (VLALO) graph of the IMDP-HDL technique under 3000 Epochs is exhibited. The TRALO and VLALO values show a decreasing trend, indicating the proficiency of the IMDP-HDL approach in balancing the tradeoff between data fitting and generalization. The constant decrease in loss values, moreover, ensures higher results for the IMDP-HDL approach and improves the prediction performance.
Fig. 6.
Loss curve of IMDP-HDL technique under 3000 Epochs.
Figure 7 describes the precision-recall curve inspection of the IMDP-HDL methodology under 3000 Epochs. The figure shows that the IMDP-HDL model achieves strong performance across the classes.
Fig. 7.
PR curve of IMDP-HDL method under 3000 Epochs.
Figure 8 illustrates the ROC analysis of the IMDP-HDL approach using 3000 Epochs. The figure illustrates how the IMDP-HDL technique yields proficient outcomes with maximum values of the ROC under the various labels.
Fig. 8.
ROC curve of IMDP-HDL method under 3000 Epochs.
In Table 3 and Fig. 9, an extensive comparison analysis of the IMDP-HDL model is presented19,20,31–34. The comparison study illustrates that the IMDP-HDL model attains the highest performance, with an accuracy of 99.22%, precision of 99.20%, recall of 99.13%, and F-score of 99.16%, surpassing the other approaches. HAFSO-DLMD also performs competitively with an accuracy of 99.10% and an F-score of 99.09%, while HiddenSimGRU attains an accuracy of 99.11% and an F-score of 98.41%. Conventional and hybrid models, namely GRU, DexCRNN_GRU, and DexCNN, exhibit moderate results, with accuracies of 98.95%, 95.96%, and 93.83%, respectively. The lowest-performing methods, DNN and GDM, achieve accuracies of 93.62% and 94.99%, confirming the superior classification capability and robustness of the IMDP-HDL model.
Table 3.
Comparative study of IMDP-HDL approach with existing models under the Android malware dataset19,20,31–34.
| Methods | Accuracy | Precision | Recall | F-score |
|---|---|---|---|---|
| IMDP-HDL | 99.22 | 99.20 | 99.13 | 99.16 |
| GDM | 94.99 | 92.77 | 92.40 | 89.36 |
| DNN | 93.62 | 91.25 | 90.82 | 89.44 |
| HAFSO-DLMD | 99.10 | 99.11 | 99.10 | 99.09 |
| DexCNN | 93.83 | 90.18 | 98.68 | 94.01 |
| DexCRNN_GRU | 95.96 | 95.63 | 95.83 | 95.94 |
| Fussy Clustering | 94.63 | 92.54 | 96.26 | 94.37 |
| GRU | 98.95 | 98.47 | 96.62 | 96.20 |
| HiddenSimGRU | 99.11 | 98.61 | 98.38 | 98.41 |
Fig. 9.
Comparative study of IMDP-HDL approach with existing models under the Android malware dataset.
Table 4 and Fig. 10 present the comparison evaluation of the IMDP-HDL methodology with other techniques under the AMD dataset32,37. The IMDP-HDL methodology achieves the highest performance with an accuracy of 97.74% and an F-score of 97.07%, along with a precision of 97.09% and a recall of 97.83%, clearly surpassing the other classifiers. RF follows with an accuracy of 91.48% and an F-score of 91.50%, while Decision Tree (DT) and K-NN achieve accuracies of 89.31% and 88.93%, respectively, with comparable F-scores of 89.32% and 89.14%. Naïve Bayes (NB) records the lowest results, with an accuracy of 59.33% and an F-score of 70.59%, highlighting the superior accuracy and balanced performance of the IMDP-HDL model across all evaluation metrics.
Table 4.
Comparative study of IMDP-HDL methodology with other techniques under the AMD dataset.
| Methods | Accuracy | Precision | Recall | F-score |
|---|---|---|---|---|
| Ddroid Dataset | | | | |
| K-NN | 88.93 | 92.51 | 86.00 | 89.14 |
| NB | 59.33 | 96.40 | 54.72 | 70.59 |
| DT | 89.31 | 91.07 | 87.64 | 89.32 |
| RF | 91.48 | 93.36 | 89.70 | 91.50 |
| IMDP-HDL | 97.74 | 97.09 | 97.83 | 97.07 |
Fig. 10.
Comparative study of IMDP-HDL methodology with other techniques under the AMD dataset.
Table 5 and Fig. 11 present the comparison assessment of the IMDP-HDL model with other methods under the Android_Permission dataset33,38. The IMDP-HDL model shows superior performance with an accuracy of 95.50% and an F-score of 95.55%, along with a precision of 96.68% and a recall of 96.31%, significantly outperforming the other methods. RF achieves the next best results with an accuracy of 74.88% and an F-score of 61.36%, followed by DT with an accuracy of 72.71% and an F-score of 59.16%, and K-NN with an accuracy of 69.75% and an F-score of 54.10%. NB shows the lowest performance, with an accuracy of 53.01% and an F-score of 58.55%, highlighting the improvement of the IMDP-HDL approach in terms of accuracy, precision, recall, and overall classification balance. This demonstrates the robustness and generalization capability of the IMDP-HDL model across varying feature distributions.
Table 5.
Comparative study of IMDP-HDL model with other methods under the Android_Permission dataset.
| Methods | Accuracy | Precision | Recall | F-score |
|---|---|---|---|---|
| Android_Permission Dataset | | | | |
| K-NN | 69.75 | 53.02 | 55.24 | 54.10 |
| Naive-Bayes | 53.01 | 92.66 | 41.62 | 58.55 |
| Decision-Tree | 72.71 | 58.77 | 59.56 | 59.16 |
| Random-Forest | 74.88 | 59.31 | 63.56 | 61.36 |
| IMDP-HDL | 95.50 | 96.68 | 96.31 | 95.55 |
Fig. 11.
Comparative study of IMDP-HDL model with other methods under the Android_Permission dataset.
The computation time (CT) outcomes of the IMDP-HDL approach are compared to those of other DL methodologies in Table 6; Fig. 12. The CT illustrates that the IMDP-HDL approach presents the most efficient performance with a CT of 4.81 s, significantly faster than all other methods. HiddenSimGRU and DexCNN follow with 8.96 s and 8.99 s, respectively, highlighting relatively lower processing costs. Models such as GDM, DexCRNN_GRU, and Fussy Clustering record moderate CTs of 9.44, 10.27, and 10.73 s, respectively. The highest CTs are observed for DNN, HAFSO-DLMD, and GRU, which require 11.09, 11.89, and 13.76 s, respectively, emphasizing the superior computational efficiency of the IMDP-HDL model. This efficiency indicates that the IMDP-HDL model is more appropriate for real-time or resource-constrained environments. The reduced CT also accentuates the optimized architecture and faster convergence characteristics of the IMDP-HDL model.
Table 6.
CT study of IMDP-HDL model with existing methodologies under the Android malware dataset.
| Models | CT (sec) |
|---|---|
| IMDP-HDL | 4.81 |
| GDM | 9.44 |
| DNN | 11.09 |
| HAFSO-DLMD | 11.89 |
| DexCNN | 8.99 |
| DexCRNN_GRU | 10.27 |
| Fussy Clustering | 10.73 |
| GRU | 13.76 |
| HiddenSimGRU | 8.96 |
Fig. 12.
CT study of IMDP-HDL model with existing methodologies under the Android malware dataset.
Conclusion
In this manuscript, the IMDP-HDL technique is proposed. The primary objective of the IMDP-HDL technique is to ensure the effective and scalable deployment of malware detection in real-world cybersecurity environments. At the initial stage, the presented IMDP-HDL technique applies Z-score standardization to ensure consistent feature scaling and enhance model performance. For the malware detection process, the hybridization of the CBiLSTM-SA model is employed. A broad range of experimentation with the IMDP-HDL model is performed using the Android malware dataset. The comparison analysis of the IMDP-HDL model demonstrated a superior accuracy value of 99.22% over existing techniques. The limitations of the IMDP-HDL model comprise its reliance on specific datasets that may not capture the full diversity of malware variants found in real-world scenarios, potentially affecting generalizability. The model is also vulnerable to rapidly growing malware techniques such as polymorphism and zero-day attacks. Furthermore, reduced computational complexity may be a constraint for deployment on resource-limited edge devices in automotive systems. Moreover, larger datasets and their robustness against severe data imbalance are also a key threat to the model. The study emphasizes computational efficiency enhancements, but providing further discussion on the feasibility of deploying the model on mobile or IoT edge devices, where resources are restricted, would improve its practical relevance. Future work should focus on expanding the dataset diversity, integrating adaptive learning mechanisms for handling growing threats, and optimizing the model for real-time detection on embedded hardware. Additionally, future research should address adversarial robustness and the effective deployment of the model on resource-constrained devices. Further exploration into explainable AI techniques could also improve the transparency and trustworthiness of malware classification decisions.
Author contributions
The manuscript was written through the contributions of all authors. All authors have approved the final version of the manuscript.
Funding
None.
Data availability
The data supporting the findings of this study are openly available in the Kaggle datasets https://www.kaggle.com/datasets/shashwatwork/android-malware-dataset-for-machine-learning?select=dataset-features-categories.csv, https://www.kaggle.com/datasets/subhajournal/android-malware-detection and https://www.kaggle.com/datasets/saurabhshahane/android-permission-dataset, reference numbers [31, 32, 33].
Code Availability
Anuradha Anumolu, “IMDP-HDL: Algorithm Supplementary Document”. Zenodo, Dec. 06, 2025. DOI: 10.5281/zenodo.17836199.
Declarations
Competing interests
The authors declare no competing interests.
Ethics approval
This article does not contain any studies with human participants performed by any of the authors.
Consent to participate
Not applicable.
Informed consent
Not applicable.
Footnotes
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
References
- 1. Harika, T. & Pradeepini, G. Enhanced malware classification: A hybrid model utilizing denoising autoencoder and CNN based on visualization method. J. Cybersecur. Inform. Manage. 16, 1 (2025).
- 2. Elayan, O. N. & Mustafa, A. M. Android malware detection using deep learning. Procedia Comput. Sci. 184, 847–852 (2021).
- 3. Xing, X., Jin, X., Elahi, H., Jiang, H. & Wang, G. A malware detection approach using autoencoder in deep learning. IEEE Access 10, 25696–25706 (2022).
- 4. John, T. S. & Thomas, T. Adaptive rank-based mutation for android malware detection under adversarial attacks. J. Cyber Secur. Technol. 8, 1–26 (2025).
- 5. Hemalatha, J., Roseline, S. A., Geetha, S., Kadry, S. & Damaševičius, R. An efficient densenet-based deep learning model for malware detection. Entropy 23(3), 344 (2021).
- 6. Alomari, E. S. et al. Malware detection using deep learning and correlation-based feature selection. Symmetry 15(1), 123 (2023).
- 7. He, K. & Kim, D. S. Malware detection with malware images using deep learning techniques. In 2019 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/13th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE), 95–102 (IEEE, 2019).
- 8. Akhtar, M. S. & Feng, T. Detection of malware by deep learning as CNN-LSTM machine learning techniques in real time. Symmetry 14(11), 2308 (2022).
- 9. Zhang, R. & Liu, Y. Ransomware detection with a 2-tier machine learning approach using a novel clustering algorithm (2024).
- 10. BP, D. S. V. Incremental research on cyber security metrics in android applications by implementing the ML algorithms in malware classification and detection. J. Cybersecur. Inform. Manage. 3(1), 14–20 (2020).
- 11. Anand, S. et al. Malite: Lightweight malware detection and classification for constrained devices. IEEE Trans. Emerg. Top. Comput. (2025).
- 12. Jeon, J., Jeong, B., Baek, S. & Jeong, Y. S. TMaD: Three-tier malware detection using multi-view feature for secure convergence ICT environments. Expert Syst. 42(2), e13684 (2025).
- 13. Baawi, S. S., Oleiwi, Z. C., Al-Muqarm, A. M. A., Al-Shammary, D. & Sufi, F. Efficient malware detection based on machine learning for enhanced cloud privacy protection. Evol. Syst. 16(1), 1–17 (2025).
- 14. Poornima, S. & Mahalakshmi, R. Automated malware detection using machine learning and deep learning approaches for android applications. Sensors 32, 100955 (2024).
- 15. Kumar, S. & Kumar, A. Image-based malware detection based on convolution neural network with autoencoder in Industrial Internet of Things using Software Defined Networking Honeypot. Eng. Appl. Artif. Intell. 133, 108374 (2024).
- 16. Jo, J., Cho, J. & Moon, J. A malware detection and extraction method for the related information using the ViT attention mechanism on android operating system. Appl. Sci. 13(11), 6839 (2023).
- 17. Buriro, A., Buriro, A. B., Ahmad, T., Buriro, S. & Ullah, S. MalwD&C: A quick and accurate machine learning-based approach for malware detection and categorization. Appl. Sci. 13, 2508 (2023).
- 18. Dabas, N., Ahlawat, P. & Sharma, P. An effective malware detection method using hybrid feature selection and machine learning algorithms. Arab. J. Sci. Eng. 48(8), 9749–9767 (2023).
- 19. Al-Ghanem, W. K. et al. MAD-ANET: Malware detection using attention-based deep neural networks. CMES-Comput. Model. Eng. Sci. 143(1), 1009–1027 (2025).
- 20. Chen, J., Wu, M. & Huang, H. LDAM: A lightweight dual attention module for optimizing automotive malware classification. Array 26, 100396 (2025).
- 21. Wajahat, A. et al. An adaptive semi-supervised deep learning-based framework for the detection of android malware. J. Intell. Fuzzy Syst. 45(3), 5141–5157 (2023).
- 22. Alsumaidaee, Y. A. M., Yahya, M. M. & Yaseen, A. H. Optimizing malware detection and classification in real-time using hybrid deep learning approaches. Int. J. Saf. Secur. Eng. 15, 1 (2025).
- 23. Qureshi, S. et al. Analysis of challenges in modern network forensic framework. Secur. Commun. Netw. 2021(1), 8871230 (2021).
- 24. Alohali, M. A. et al. Two stage malware detection model in internet of vehicles (IoV) using deep learning-based explainable artificial intelligence with optimization algorithms. Sci. Rep. 15(1), 20615 (2025).
- 25. Wajahat, A. et al. An effective deep learning scheme for android malware detection leveraging performance metrics and computational resources. Intell. Decis. Technol. 18(1), 33–55 (2024).
- 26. Al Ogaili, R. R. N. et al. AntDroidNet cybersecurity model: A hybrid integration of ant colony optimization and deep neural networks for android malware detection. Mesopotamian J. Cybersecur. 5(1), 104–120 (2025).
- 27. Wajahat, A. et al. Outsmarting android malware with cutting-edge feature engineering and machine learning techniques. Comput. Mater. Contin. 79(1) (2024).
- 28. Awwal, P. & Naval, S. Development of heuristic adapted serial-based deep learning for efficient adversarial malware detection framework in windows. Knowl. Based Syst. 114032 (2025).
- 29. Fu, N., Lee, J. H., Liu, J., Lee, S. & Kim, M. K. Electricity demand forecasting for cultural institutions: A comparative study of LSTM and CNN-LSTM models with three data normalization techniques using weather and price data – case studies from Norwegian museums. Available at SSRN 5262024.
- 30. Dong, J., Wei, Y., Wang, D. & Chen, Y. Groundwater level prediction based on SSA-optimized self-attention mechanism and BiLSTM hybrid model. Available at SSRN 5246902.
- 31. https://www.kaggle.com/datasets/shashwatwork/android-malware-dataset-for-machine-learning?select=dataset-features-categories.csv
- 32. https://www.kaggle.com/datasets/subhajournal/android-malware-detection
- 33. https://www.kaggle.com/datasets/saurabhshahane/android-permission-dataset
- 34. Al-Khayyat, A., Ahmed, M. A., Azar, A. T., Haider, Z. & Ibraheem, I. K. Hybrid artificial fish swarm optimization with deep learning-driven cloud assisted cyberattack detection. Int. J. Intell. Eng. Syst. 17(4) (2024).
- 35. Chimeleze, C., Jamil, N., Alturki, N. & Zain, Z. M. A lightweight malware detection technique based on hybrid fuzzy simulated annealing clustering in Android apps. Egypt. Inform. J. 28, 100560 (2024).
- 36. Zhou, H., Yang, X., Pan, H. & Guo, W. An android malware detection approach based on SIMGRU. IEEE Access 8, 148404–148410 (2020).
- 37. Pathak, A., Barman, U. & Kumar, T. S. Machine learning approach to detect android malware using feature-selection based on feature importance score. J. Eng. Res. (2024).
- 38. Mahindru, A. et al. PermDroid: A framework developed using proposed feature selection approach and machine learning techniques for Android malware detection. Sci. Rep. 14(1), 10724 (2024).