Article
Peer-Review Record

DroidDetectMW: A Hybrid Intelligent Model for Android Malware Detection

Appl. Sci. 2023, 13(13), 7720; https://doi.org/10.3390/app13137720
by Fatma Taher 1,*, Omar AlFandi 1, Mousa Al-kfairy 1, Hussam Al Hamadi 2 and Saed Alrabaee 3
Reviewer 1: Anonymous
Submission received: 1 May 2023 / Revised: 21 June 2023 / Accepted: 23 June 2023 / Published: 29 June 2023

Round 1

Reviewer 1 Report

This paper proposes DroidDetectMW, a framework for Android malware detection and family classification. It collects static features using Apktool and dynamic features using CuckooDroid. In the feature selection phase, the authors try three methods to select an optimal feature subset for static features. For dynamic features, this paper proposes a method that combines fuzzy optimization and meta-heuristic optimization. In the classification phase, the authors propose an ANN model with an enhanced Harris Hawks optimizer.

 

1) Correct the errors in Eq. (1). x(t+1) --> X(t+1).  absolute value symbol.

 

2) What does J in Eq. (4) denote?

 

3) Line 219-220: "There are four broad classes of malware in the second level."  The authors use terms 'broad class', 'category', 'subcategory' over the manuscript. It is confusing.

 

4) Line 221-230: Why these four categories? Is there literature that classifies malware into these four categories? Can every malware sample be classified into one of the four categories?

 

5) The authors need to add a table that shows the number of benign and malware samples collected from each source.

 

6) Line 247-228: SMO appears twice.

 

7) Authors need to improve Figure 1.  Please improve the resolution and correct typo (e.g. Cuckodroid).  In addition, Figure 1 does not include malware family classification.

 

8) Line 289: "See Algorithm 1": I could not find Algorithm 1.

 

9) Line 296: "Using experimental results, the chi-square test is the superior technique". To support this, the authors need to provide the experimental results, maybe in an Appendix.

 

10) Line 306-307: "each feature's standard deviation (SD) is computed and compared to a threshold value". What is next? If SD > threshold value, is the feature selected? How is the threshold value determined?

 

11) Line 309-310: "their ability to categorize Android API calls into ..." This sentence is explaining the proposed dynamic feature selection framework, but API calls are a static feature (Line 238).

 

12) Please add a short explanation of QRL for readers.

 

13) There are many malware families. The authors need to list the names of the 13 malware families. Can every malware sample in the dataset be classified into one of the 13 families?

 

14) How is a malware sample labeled?  Manually? Or the labels (benign/malware, adware/ransomware/scareware/SMSmalware, family name) are included in the original dataset?

 

15) Tables 3, 4, 6, 7 and 9 do not provide MCC.

 

16) The experimental results for integrated feature selection for malware family classification are not presented. Why?

 

17) Many reference numbers are incorrect throughout the manuscript. Please check the reference list.

 

Minor English grammatical corrections are required.

Author Response

1) Correct the errors in Eq. (1). x(t+1) --> X(t+1). Absolute value symbol.

Thank you very much for your appreciated and valuable comments. The equation is corrected and the correction is highlighted.

2) What does J in Eq. (4) denote?

Thank you very much for your appreciated and valuable comments. The J parameter refers to the varying strength of the rabbit during its escape. We added a description of the parameter in the manuscript to explain it.

3) Line 219-220: "There are four broad classes of malware in the second level."  The authors use terms 'broad class', 'category', 'subcategory' over the manuscript. It is confusing.

Thank you very much for your appreciated and valuable comments. The manuscript was modified to unify the terms and prevent confusion.

4) Line 221-230: Why these four categories? Is there literature that classifies malware into these four categories? Can every malware sample be classified into one of the four categories?

Thank you very much for your appreciated and valuable comments. We have cited the literature that classifies the categories of malware. There are many categories of malware, as mentioned in the manuscript on page 6, but the four mentioned categories were the ones used.

5) The authors need to add a table that shows the number of benign and malware samples collected from each source.

Thank you very much for your appreciated and valuable comments. Based on your valuable comments, we have added Table 2, which represents the number of collected samples from each source (Drebin, CICAndMal2017, APKmirror and VirusShare), on page 13.

6) Line 247-228: SMO appears twice.

Thank you very much for your appreciated and valuable comments. The manuscript was modified and one occurrence of SMO was removed.

7) Authors need to improve Figure 1.  Please improve the resolution and correct typo (e.g. Cuckodroid).  In addition, Figure 1 does not include malware family classification.

Thank you very much for your appreciated and valuable comments. The manuscript was updated: Figure 1 was enhanced in resolution, the missing block was added and the typo was corrected as well.

8) Line 289: "See Algorithm 1": I could not find Algorithm 1.

Thank you very much for your appreciated and valuable comments. Algorithm 1 was missing, so it was added to the manuscript on page 9 based on your suggestions.

9) Line 296: "Using experimental results, the chi-square test is the superior technique". To support this, the authors need to provide the experimental results, maybe in an Appendix.

Thank you very much for your appreciated and valuable comments. Tables 4, 5 and 6, which represent the comparison between different measures used with different classifiers, are added to the manuscript page

10) Line 306-307: "each feature's standard deviation (SD) is computed and compared to a threshold value". What is next? If SD > threshold value, is the feature selected? How is the threshold value determined?

Thank you very much for your appreciated and valuable comments. The details of the thresholding process and its comparison with the SD of the features are added to the manuscript in Section 3.2, page 10, along with the threshold values, which were determined via trial and error.

11) Line 309-310: "their ability to categorize Android API calls into ..." This sentence is explaining the proposed dynamic feature selection framework, but API calls are a static feature (Line 238).

Thank you very much for your appreciated and valuable comments. The manuscript was updated regarding the type of the API call features.

12) Please add a short explanation of QRL for readers.

Thank you very much for your appreciated and valuable comments. More details about QRL were added to the manuscript in Section 3.2, pages 10 and 11.

13) There are many malware families. The authors need to list the names of the 13 malware families. Can every malware sample in the dataset be classified into one of the 13 families?

Thank you very much for your appreciated and valuable comments. There are many malware families, but the samples used belong to this set of families. Also, Table 1 was added to describe the 13 malware families used, where each malware sample belongs to one of the 13 families.

14) How is a malware sample labeled?  Manually? Or the labels (benign/malware, adware/ransomware/scareware/SMSmalware, family name) are included in the original dataset?

Thank you very much for your appreciated and valuable comments. The labels of malware are included in the original collected dataset used.

15) Tables 3, 4, 6, 7 and 9 do not provide MCC.

Thank you very much for your appreciated and valuable comments. MCC is primarily used for binary classification, but the tables mentioned are for multiclass classification.

16) The experimental results for integrated feature selection for malware family classification are not presented. Why?

Thank you very much for your appreciated and valuable comments. The manuscript was updated; Table 15 was added to present the results of integrated feature selection for malware family classification.

17) Many reference numbers are incorrect throughout the manuscript. Please check the reference list.

Thank you very much for your appreciated and valuable comments. All the references in the manuscript are updated.

Author Response File: Author Response.docx
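Reviewer comment 10 above asks how the standard-deviation comparison selects a feature and how the threshold is chosen; the reply says the threshold was set by trial and error. The following is an added illustration, not code from the paper or the review: it assumes the rule "keep a feature only when its SD is strictly above the threshold" (the manuscript's exact rule is not reproduced in this record) and runs it over a constructed 6-sample by 5-feature binary matrix of static features, with a threshold sweep of the kind a trial-and-error choice would inspect. Function and feature names are hypothetical.

```python
"""
Standard-deviation (SD) threshold feature selection over static Android
features. Added illustration, not the paper's code. Assumes the rule
"retain a feature only when its SD is strictly greater than the threshold".
"""
from statistics import pstdev
from typing import Dict, List, Sequence

# Constructed feature names and matrix (rows = apps, columns = features,
# 1 = feature present). Not the paper's dataset.
FEATURE_NAMES = ["INTERNET", "RARE_PERM", "SEND_SMS", "READ_CONTACTS", "UNUSED"]
SAMPLES: List[List[int]] = [
    # INTERNET is present in every app and UNUSED in none: both have SD 0 and
    # cannot separate benign from malicious samples. RARE_PERM appears once.
    [1, 0, 1, 1, 0],
    [1, 0, 1, 0, 0],
    [1, 1, 0, 1, 0],
    [1, 0, 0, 0, 0],
    [1, 0, 1, 1, 0],
    [1, 0, 0, 1, 0],
]


def feature_sd(samples: Sequence[Sequence[float]]) -> List[float]:
    """Population SD of every feature column."""
    n_features = len(samples[0])
    return [pstdev([row[j] for row in samples]) for j in range(n_features)]


def select_by_sd(samples: Sequence[Sequence[float]], threshold: float) -> List[int]:
    """Indices of the retained features: SD strictly greater than threshold."""
    return [j for j, sd in enumerate(feature_sd(samples)) if sd > threshold]


def sweep_thresholds(samples: Sequence[Sequence[float]],
                     thresholds: Sequence[float]) -> Dict[float, int]:
    """Number of features surviving each candidate threshold. Inspecting such
    a sweep is one way to carry out the trial-and-error choice the reply
    describes."""
    return {t: len(select_by_sd(samples, t)) for t in thresholds}


def selected_names(samples: Sequence[Sequence[float]], threshold: float,
                   names: Sequence[str] = FEATURE_NAMES) -> List[str]:
    """Human-readable view of select_by_sd."""
    return [names[j] for j in select_by_sd(samples, threshold)]


if __name__ == "__main__":
    for name, sd in zip(FEATURE_NAMES, feature_sd(SAMPLES)):
        print(f"{name:14s} SD={sd:.3f}")
    print("retained at SD > 0.4:", selected_names(SAMPLES, 0.4))
    print("sweep:", sweep_thresholds(SAMPLES, [0.0, 0.2, 0.4, 0.5]))
```

With the constructed matrix, the two constant columns are dropped at any threshold, the once-seen permission survives only a low threshold, and a threshold of 0.5 drops everything, which is exactly the sensitivity a sweep is meant to expose before the value is fixed.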

Reviewer 2 Report

In this paper, the authors propose an ANN-based model for detecting Android malware. Their model extends HHO. The paper has some publishable research. However, the following aspects may be considered to enhance the impact of this article:

 

  • I cannot find a strong motivation for this paper. This is because of the lack of state-of-the-art in this field. A thorough literature survey is required to ensure that the authors are not duplicating work that already exists in this field.

  • It is unclear whether this work is based on the features listed in the CIC dataset or has been evaluated independently. (Especially lines 204-216 need clarity.)

  • Please provide details on your experimental setup, including the sandbox environment, its assumptions, etc.

  • Figure 2 is an important step. Explain the fuzzy ranges used for each of the vectors, and the reason for using certain fuzzy ranges. A wrong classification at this stage can lead to false positives and false negatives.

  • EQN-8: What is the order of the random number? This may play a major role in the list of different features.

Presentation is fine and the paper is readable.

Author Response

In this paper, the authors propose an ANN-based model for detecting Android malware. Their model extends HHO. The paper has some publishable research. However, the following aspects may be considered to enhance the impact of this article:

 

  • I cannot find a strong motivation for this paper. This is because of the lack of state-of-the-art in this field. A thorough literature survey is required to ensure that the authors are not duplicating work that already exists in this field.

Thank you very much for your appreciated and valuable comments. The manuscript was updated and Section 2 was added, which presents the related work and literature review, which is fully different from our contribution. Our work and contributions are not mentioned in any of the literature reviews we have seen.

  • It is unclear whether this work is based on the features listed in the CIC dataset or has been evaluated independently. (Especially lines 204-216 need clarity.)

Thank you very much for your appreciated and valuable comments. The lines mentioned describe how the dataset was collected from multiple sources that include both benign and malware apps. More details clarifying the collected data are presented in Table 2.

  • Please provide details on your experimental setup, including the sandbox environment, its assumptions, etc.

Thank you very much for your appreciated and valuable comments. Section 5.1 of the manuscript was updated to include some experimental details; Sections 5 and 5.1 now include all needed details about the experiments.

  • Figure 2 is an important step. Explain the fuzzy ranges used for each of the vectors, and the reason for using certain fuzzy ranges. A wrong classification at this stage can lead to false positives and false negatives.

Thank you very much for your appreciated and valuable comments. More details about Figure 2 and the fuzzy step were added on page 10 to mention how the step is performed, the values used and the fuzzy ranges.

  • EQN-8: What is the order of the random number? This may play a major role in the list of different features.

Thank you very much for your appreciated and valuable comments. The missing order and interval for the random variable were added on page 11.

 

Comments on the Quality of English Language

Presentation is fine and the paper is readable.

Author Response File: Author Response.docx

Round 2

Reviewer 1 Report

1) The authors need to enrich Table 1 with the number of samples and the category (if possible) for each family.

2) The authors need to enrich Table 2 with the number of benign and malicious samples, respectively.

3) I wonder how you computed MCC for the proposed method (lines 579, 600) for a multiclass classification problem.

Author Response

"Please see the attachment."

Author Response File: Author Response.docx
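Reviewer 1 raises MCC twice: in round 1 (item 15, where the reply notes that MCC is primarily a binary measure) and in round 2 (item 3, asking how it was computed for multiclass tables). As an added illustration, not the paper's code or anything from the review record, the following computes the K-class generalization of MCC (Gorodkin's formula, the one scikit-learn's `matthews_corrcoef` implements) directly from a confusion matrix, and checks that it reduces to the textbook two-class formula when K = 2. The labels are constructed using the four category names mentioned in the review; function names are hypothetical.

```python
"""
Matthews correlation coefficient for multiclass confusion matrices.
Added illustration, not the paper's code. Implements the K-class MCC
(Gorodkin's generalization) and the two-class formula for comparison.
"""
import math
from typing import Hashable, List, Optional, Sequence, Tuple

# Constructed labels in the four categories named in the review (not the
# paper's data): three samples per class, one error in two of the classes.
CATEGORIES = ["adware", "ransomware", "scareware", "SMSmalware"]
Y_TRUE = ["adware"] * 3 + ["ransomware"] * 3 + ["scareware"] * 3 + ["SMSmalware"] * 3
Y_PRED = ["adware", "adware", "ransomware",
          "ransomware", "ransomware", "ransomware",
          "scareware", "scareware", "SMSmalware",
          "SMSmalware", "SMSmalware", "SMSmalware"]


def confusion_matrix(y_true: Sequence[Hashable], y_pred: Sequence[Hashable],
                     labels: Optional[Sequence[Hashable]] = None
                     ) -> Tuple[List[Hashable], List[List[int]]]:
    """cm[i][j] = number of samples of true class labels[i] predicted as labels[j]."""
    if labels is None:
        labels = sorted(set(y_true) | set(y_pred))
    index = {lab: i for i, lab in enumerate(labels)}
    k = len(labels)
    cm = [[0] * k for _ in range(k)]
    for t, p in zip(y_true, y_pred):
        cm[index[t]][index[p]] += 1
    return list(labels), cm


def multiclass_mcc(cm: Sequence[Sequence[int]]) -> float:
    """
    MCC = (c*s - sum_k p_k*t_k) / sqrt((s^2 - sum_k p_k^2) * (s^2 - sum_k t_k^2))
    c = correct predictions, s = total samples, t_k = true count of class k,
    p_k = predicted count of class k. Returns 0.0 when the denominator is 0
    (e.g. every sample predicted as the same class), the scikit-learn convention.
    """
    k = len(cm)
    s = sum(sum(row) for row in cm)
    c = sum(cm[i][i] for i in range(k))
    t = [sum(cm[i]) for i in range(k)]                      # row sums
    p = [sum(cm[i][j] for i in range(k)) for j in range(k)] # column sums
    numerator = c * s - sum(pk * tk for pk, tk in zip(p, t))
    denominator = math.sqrt((s * s - sum(pk * pk for pk in p)) *
                            (s * s - sum(tk * tk for tk in t)))
    if denominator == 0:
        return 0.0
    return numerator / denominator


def binary_mcc(tp: int, fp: int, fn: int, tn: int) -> float:
    """The textbook two-class MCC, for comparison with multiclass_mcc at K = 2."""
    den = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return 0.0 if den == 0 else (tp * tn - fp * fn) / den


def mcc_from_labels(y_true: Sequence[Hashable], y_pred: Sequence[Hashable],
                    labels: Optional[Sequence[Hashable]] = None) -> float:
    """Convenience wrapper: labels -> confusion matrix -> multiclass MCC."""
    return multiclass_mcc(confusion_matrix(y_true, y_pred, labels)[1])


if __name__ == "__main__":
    labels, cm = confusion_matrix(Y_TRUE, Y_PRED, CATEGORIES)
    for lab, row in zip(labels, cm):
        print(f"{lab:11s} {row}")
    print("multiclass MCC:", round(mcc_from_labels(Y_TRUE, Y_PRED, CATEGORIES), 4))
    print("binary check  :", round(binary_mcc(2, 1, 1, 2), 4),
          round(mcc_from_labels([1, 1, 1, 0, 0, 0], [1, 1, 0, 0, 0, 1]), 4))
```

For the constructed matrix the accuracy is 10/12 while the multiclass MCC is about 0.79, and the two-class check returns 1/3 from both formulas. Reporting MCC this way for the multiclass tables would answer the round-2 question directly, since the same matrix underlies the per-class precision and recall figures.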

Reviewer 2 Report

The authors have addressed all the concerns I raised in my previous review. It may now be accepted.

The paper is readable and does not contain noticeable language errors.

Author Response

"Please see the attachment."

Author Response File: Author Response.docx
