Tuning Deep Learning Performance for Android
Malware Detection
Jarrett Booz, Josh McGiff, William G. Hatcher, Wei Yu, James Nguyen, and Chao Lu
Department of Computer and Information Sciences
Towson University, Maryland, USA
Emails: {jbooz1, jmcgif1, whatch2}@students.towson.edu,{wyu, clu}@towson.edu,
james.huy.nguyen@gmail.com
Abstract—In this paper, we address the issue of Android
malware detection by implementing a deep learning environment
and fine-tune parameters to determine optimal settings for the
classification of Android malware from extracted permission
data. By determining the optimal settings, we demonstrate
the potential performance of a deep learning environment for
Android malware detection. Specifically, we conduct an extensive
study of various hyper-parameters to determine optimal config-
urations, and then carry out a performance evaluation on those
configurations to compare and maximize detection accuracy in
our target networks. Our results achieve approximately 95 %
detection accuracy, with an approximate F1 score of 93 %.
Keywords—Deep Learning, Malware Detection, Performance
Tuning
I. I NTRODUCTION
Recent advances in machine learning have projected neural
networks and deep learning systems into the public con-
sciousness [8], [14]. This is attributable to the significant
strides that deep learning systems continue to make in a
large variety of areas, including image and video analysis
and feature recognition, autonomous vehicles, natural language
processing, the control of robotic systems, and others. Indeed,
deep learning has emerged as an extremely powerful tool
for processing complex data [9]. Deep learning models, and
deep neural networks in particular, have the capacity to learn
and represent extremely complex systems and reveal features
or patterns at a level of abstraction that is not feasible for
simpler algorithms. Encompassing a variety of learning tasks,
from clustering and dimensionality reduction, to classification
and reinforcement learning, deep learning architectures apply
systems of hierarchical layers to fit and generalize large, often
multi-dimensional, feature sets more accurately than their
shallow learning counterparts [5].
For this reason, deep learning has great appeal for appli-
cations in the realm of computer security as well. Truly, a
wide array of security applications exist, which can benefit
from deep learning approaches. For instance, malware and
intrusion detection systems that employ anomaly detection can
benefit immensely from the application of machine learning, as
they require accurate detection of possibly yet unknown threats
in highly complex environments [3], [16]–[18], [20]–[23]. In
addition, mobile malware detection is an area of pressing
concern due to the rapid growth of the smartphone market,
978-1-5386-5889-5/18/$31.00 ©2018 IEEE 140
SNPD 2018, June 27-29, 2018, Busan, Korea
which now encompasses approximately 209 million users in
the U.S., and over 1.9 billion users worldwide [7].
In seeking to address the issues of smartphone security, and
Android malware detection in particular, in this paper we have
make the following contributions:
• We address the utility of deep learning for analyzing
permission data from Android applications in order to
classify apps as malicious or benign. To accomplish this,
we use various python libraries to construct a deep learn-
ing infrastructure, which consists of TensorFlow machine
learning backend, the Keras framework, and Scikit-Learn
utilities, to extract and vectorize the target features, and
then use these dense vectors for deep learning analysis.
Initially attempting only a rudimentary implementation,
our neural network yielded results of about 90 % accu-
racy.
• Once this initial result was extracted and a framework
built, we then targeted mechanisms to optimize the re-
sults. To identify the optimal network hyper-parameters,
we utilized the grid search technique to test many com-
binations of tunable parameters for the deep learning
environment. We also leveraged various neural network
shapes, making some networks deeper or wider, to de-
termine the best shape and size model for our appli-
cation. The results showed that, by tuning six different
parameters, we were able to increase the accuracy of
the classification network, for a maximum accuracy of
approximately 95 % correct classifications.
The remainder of this paper is as follows: In Section II, we
provide background information pertaining to deep learning,
mobile malware, and our testing environment. In Section III,
we describe our approach, including the basic idea, system
workflow, and the parameters and scenarios that were tested.
In Section IV, we present our performance evaluation. Finally,
in Section V, we provide concluding remarks.
II. P RELIMINARY
We now provide background details central to this inves-
tigation, including deep learning, mobile malware, and our
specific testbed environment.

A. Deep Learning
Deep learning, in general, is the term used to describe the
function of neural networks, which feature multiple hidden
layers of many interconnected neurons to process their data.
Though many differing definitions have been given to describe
deep learning, two common elements are: (i) the presence of
multiple, non-linear, layers for data processing, and (ii) the
notion of processing data at an increasingly higher level and
abstract manner throughout the network [4]. Neural networks,
and more specifically, deep neural networks, have emerged
in recent years as highly effective tools when approaching
machine learning problems [8], [14].
Deep learning has been demonstrated for all types of
learning tasks, whether they be directed, undirected, or
reinforcement-based. As a primary goal of learning systems,
the ability to generalize a given data set for prediction on
new and unforeseen data can enable the discovery of new
targets and threats in the wild, but must be tuned to prevent
over-fitting. In deep neural networks, each layer is composed
of many varying neurons, each with different weights and
potentially different activation functions, as well as loss func-
tions and optimizers. As data is applied to the network, the
loss function calculates the error of the prediction, and the
optimizer is used to update weights to progressively reduce
the loss function error and increase accuracy. Deep learning
algorithms incorporate association, classification, regression,
clustering, etc. [13], supporting various tasks, such as prepro-
cessing, prediction, and detection.
B. Malware in Mobile
Android continues to dominate the global market for mobile
operating systems, holding what is estimated to be as high as
87 % of global market share [15], a figure which has remained
relatively stable since 2013. Clearly, as smartphone saturation
continues, the imminent threat of malicious intrusion cannot
be downplayed. Current trends in Android malware include
increasingly nuanced means of evading existing malware de-
tection tools, both on-device and in robust detection systems,
such as the Android marketplace’s Google Bouncer or virtu-
alized detection sandboxes. Such evasion mechanisms include
the repackaging of legitimate applications with malicious code
and the utilization of dynamically loaded code to load in
malware [11]. In addition, Android threats have emerged that
exploit privilege escalation, aggressively target users via drive-
by downloads, implement native code execution and dynamic
payloads, and utilize code obfuscation and the limitations of
mobile device hardware to circumvent commercial detection
systems [6]. As malware strains continue to evolve and develop
invasive techniques, there is a clear and present need to keep
pace in malware analysis and identification [21].
C. Testbed Overview
We now provide a brief overview of key components of
the testbed environment used in our scenario. The testbed
includes the TensorFlow machine learning backend, the Keras
141
2
framework, and Scikit-Learn utilities. TensorFlow is a rela-
tively new machine learning system, compared with Torch,
Caffe, MXNet, CNTK, etc., and was developed by Google
for experimenting with learning models and training on large
datasets. TensorFlow is able to be run on a large scale, on
single and multiple CPU or GPU systems and servers, or on
a small scale, on mobile devices [2].
Keras is a python library that serves as a wrapper for
various deep learning infrastructures (MXNet, TensorFlow,
DeepLearning4J, etc.), providing a higher-level Application
Programming Interface (API) for building and developing with
neural network frameworks. The goal of the Keras project was
to develop an easier way for programmers to take advantage
of neural network technologies [1]. In our work, Keras was to
speed up the development process, allowing us to build various
models faster and easier. In many cases, building a model
in Keras can be done with very few lines of code, whereas
in a native TensorFlow environment, much more code would
be needed, especially for very large and complex learning
systems.
In addition, Scikit-Learn is a python library that allows for
easy use of well-known machine learning algorithms and other
machine learning tools. Scikit-learn provides a python module
for machine learning algorithm implementation. By utilizing
a high-level language, Scikit-learn provides a straightforward
approach to handling machine learning problems [12]. This
library was used to provide a well-known implementation of
several machine learning components.
III. O UR A PPROACH
In this section, we introduce our approach. We first discuss
concepts essential to our approach, then the system workflow,
and finally the specific parameters and scenarios that were
tested.
A. Basic Concepts
Feature Extraction: Feature extraction concerns the pro-
cess of transforming raw data into a format compatible with
machine learning algorithms. From our dataset of Android
APK files, the permission information was extracted through
the use of “aapt” (Android Asset Packaging Tool). The raw text
output of this process contains information on the permissions
for each application.
To carry out feature extraction, the Scikit-learn library was
utilized to transform this text data into feature matrices for
use in training our neural networks. A vectorizer parsed the
input data according to a token defined to recognize android
permission strings. As the vectorizer parsed through the input
data, it built a vocabulary of unique tokens as they were
encountered. Each input source, in this case each line of data,
is represented in a row of the token matrix. Using a regular
expression on our entire dataset yields a sparse m x n matrix,
denoting that, across a data set of m Android applications,
the vectorizer identified a vocabulary of n permissions and
permission contexts. For our particular dataset, this yielded a
48643 x 22300 matrix.

Fig. 1. System Workflow
Neural Network Model: In this particular experiment, we
implemented deep neural networks with both fully-connected
and dropout layers. In dense, or fully-connected, layers each
neuron in the layer is directly connected to every neuron
in the preceding layer. The neurons are initialized with an
activation function and randomized weights, and on each
back propagation step, the weights are updated. The activation
function defines what type of calculations and classifications
the neurons in that layer will complete. In our neural net-
works, two different activation functions were used: the ReLU
(Rectified Linear Unit) activation function, and the Sigmoid
activation function.
The ReLU activation function is an implementation of the
rectifier function, f(x) = max(0,x), where x is the input to the
neuron. The Sigmoid activation function was used as the last
layer in every model. The purpose of using this function as the
last layer is to normalize the output. In addition, in the dropout
layers, a ratio of neurons from the previous layer are prevented
from passing input to the subsequent layer. The purpose of
this type of layer is to prevent over-fitting. A sample neural
network utilizing dense layers with dropout can be seen in
Fig. 1.
Hyper-parameter Tuning: Neural networks often have
many hyper-parameters that are able to be initialized by the
programmer or left at a default value. The Scikit-Learn library
implements a hyper-parameter tuning function, called grid
search, that was utilized here. The tuning function takes as
input, a dictionary of parameter names and values, then runs
a full test using each combination of parameters. The hyper-
parameters that we were concerned with tuning include batch
size, epochs, number of neurons per layer, optimizer, dropout
rate, and weight constraint. The grid search function would
test every possible set of parameters, allowing us to determine
the best combination. We also tested various shapes of neural
networks to determine the best layout for the network.
142
3
B. System Workflow
Because of the quantity of hyper-parameters that we wished
to tune, and the number of models we wished to test, trying
every possible combination of all parameters and models
would have been infeasible due to the amount of computation
time it would take. To circumvent this, hyper-parameters were
tested in pairs. Each pair of hyper-parameters was used to
train and then test one model at a time. The following pairs
of hyper-parameters were tested together: epochs and batch
sizes, number of neurons and optimizer, and dropout rate and
weight constraint.
Each test yielded an optimized pair of hyper-parameters.
This optimized pair was then used in the training of the next
set of tested parameters. Thus, for each new test, the default
values for hyper-parameters set by Keras were replaced with
the optimized values found as a result of the previous tests.
Fig. 1 shows the overall workflow of the system.
• Step 1. In Step 1, we must prepare the data for input
to the neural network. In this phase, we utilize feature
extraction to extract the permissions data from the APK
files. The structure of this list would be a list of permis-
sions for each application, with each application having
its permissions on its own line. Next, we must convert this
list to a dense matrix using Scikit-Learn as described in
Section II-C.
• Step 2. Step 2 of the process is where we use the dense
matrix as input to the neural network for learning and
classification. With the matrix as input, during training,
the neural network will learn which permissions are most
likely associated with benign applications, and which are
most likely associated with malicious applications. After
completion of the neural network training and testing,
we are left with a matrix of all the applications with
their predicted and actual classifications. This can then
be used to determine accuracy and F1 score as described
in Section IV.
C. System Parameters and Scenarios
We now provide a description of the parameters and sce-
narios that were tested. The differences between the various
models tested are described, followed by descriptions of each
of the hyper-parameters that were tuned.
Neural Network Models: The following three different
neural network designs were tested: (i) The first model was
the most simple, containing a single dense layer with a
base number of neurons. (ii) The second model used was a
deeper network that utilized four dense layers, all with the
base number of neurons. (iii) The third model was also four
layers deep; however, the number of neurons in each layer
decreased. Using the first layer the base number of neurons,
the subsequent layers contain the fractions of the base number
and the layer depth (i.e., Layer 1: x neurons, Layer 2: x/2
neurons, Layer 3: x/3 neurons, Layer 4: x/4 neurons). A
sigmoid layer of size 1 was used as the output normalizing
last layer in all model configurations. Also, a dropout layer
was added after each dense layer in all model configurations.

Fig. 2. Batch Size & Epochs vs. Accuracy
Epochs and Batch Size: An epoch is defined as a single
pass over an entire training set. More epochs means that the
model is trained against the same training data more times.
Epochs were tested in a range from 1 epoch to 32 epochs. In
most cases, as the number of epochs was increased, accuracy
increased as well. Although, in some cases the accuracy
declined slightly after 16 epochs. This could be due to the
model over-fitting to the specific features of the training data,
and therefore performing slightly worse on data that it has
never seen before. In addition, as epochs increased, the time
to train the model increased significantly.
Batch size is defined as the number of data points that are
observed at once during training. The model will be fit with
the number of data points defined in the batch size repeatedly
until the entire data set has been trained on for all epochs.
Batch size in our scenario ranged from a very small batch of
size 10 to a large batch of size 5000. Based on the results, it
can be determined that smaller batch sizes lead to the model
taking a longer time to train and test. Additionally, it was seen
that smaller batch sizes leads to higher accuracy.
When examined together, epochs and batch size have an
interesting relationship. Fig. 2 displays that increasing batch
size and epochs tend to lead to higher accuracy. Though, a
small batch size does not see as significant of an improvement
by increasing epochs when comparing to a larger batch size.
It can be seen in Fig. 2 that a small batch tends to achieve
slightly better accuracy than a larger batch with a high number
of epochs. On the contrary, there is a significant difference
in the accuracy achieved by a model with a large batch size
trained over low and high epochs. In addition, in terms of time,
batch size lead to a much larger impact on time than did the
number of epochs.
Number of Neurons: The most successful number of
neurons per layer was tested in a grid search. A neuron in
this sense is the artificial entity, which makes a decision or
classification based on its known criteria. Each model has
its own neuron scheme as defined in the model description
section. Values for the number of neurons were tested as
multiples of 5 ranging from 1 to 50 neurons per layer (1, 5,
10, . . . , 50). For the four layers of the decreasing size model,
integer division was used and the minimum number of neurons
143
4
Fig. 3. Number of Neurons vs. Time
in any given layer was 1. Any division resulting in a quotient
of 0 was assigned to 1 in order to preserve the shape/depth of
the model.
It was evident that increasing the number of neurons in the
model generally led to a slight increase in accuracy. In some
cases, too many neurons could lead to the network over-fitting
model to the training data, and therefore under-performing on
unseen testing data.
The one-layer model showed the least variation in accuracy
with additional neurons added. The best result for this model
was the 45 neuron test. The four layers of the same size
model showed improvement with adding neurons. The one
neuron test produced an average accuracy of approximately
68 %, while the best result produced 94.6 % at both 45 and 50
neurons. The four layers with decreasing size model produced
an accuracy of approximately 65 %, on average, at 1, 5 and
10 neuron tests. The model showed an increase in accuracy at
15 neurons. The best result for this model was the 45 neuron
test with 94.6 % accuracy.
Additionally, as displayed in Fig. 3, it was noticed in all
models that increasing the number of neurons increases the
amount of time taken to train the model. Because there was
only a small increase in accuracy by adding additional neurons,
one may consider using a more simple neural network to
achieve relatively high accuracy if time is a constraining factor.
Optimizer: Several optimizers were chosen based on com-
patibility with the Keras wrapping infrastructure that we were
using. Enumerated, these optimizers are: SGD, RMSprop,
Adagrad, Adadelta, Adam, Adamax, and Nadam. Each of these
optimizers performs slightly different mathematical calcula-
tions to optimize the results produced by the loss function.
It was evident, through this test, that all of the optimizers
tested produce similar results with this data set, in terms
of test accuracy. Fig. 4 illustrates the performance of many
optimizers with tests using different numbers of neurons.
The best result, as displayed by Fig. 4, was the Nadam
optimizer when using 45 neurons. In addition, the biggest
difference in the optimizers was seen with the time taken to
train the model, not the achieved test accuracy. The fastest
optimizer was consistently the SGD optimizer and the slowest
was consistently the Nadam optimizer. Optimizers besides

Fig. 4. Number of Neurons vs. Accuracy for Optimizers
Fig. 6. Training Ratio vs. Accuracy for 3 Fig. 7. Training Ratio vs. F1 Score for 3
Models Models
SGD and Nadam produced similar accuracies, in times falling
between SGD and Nadam.
Dropout Rate and Weight Constraint: The most success-
ful dropout rate and weight constraint were tested together in
a grid search. Dropout rate is the ratio that is passed to the
dropout layers in each model and designate the rate at which
neurons are dropped out of each layer. Weight Constraint
is used together with dropout layers to give the neurons
that remain after the dropout a certain classification weight.
A higher weight means the remaining neurons have more
influence on the ultimate classification. Dropout rate was tested
at 10 % intervals from 0-90 %. Weight constraint is always an
integer value and was tested at values 1-5.
Based on the results of the grid search, it can be determined
that the best values to use for dropout rate and weight
constraint are 30 % and 3, respectively. Results showed an
increase in accuracy as dropout rate was increased up to
30 %. This shows that dropout can help reduce over-fitting
of a model to training data. Nonetheless, after 30 % dropout,
there was a decline in accuracy, showing that dropping out
too many neurons can restrict the network too much. This can
be seen by the dark coloring of the graph in Fig. 5 at the
0.3 dropout rate marker. This is again seen with the weight
constraint. An increase in accuracy is seen with increasing
weight until the weight of 3. After this point, there is a decline
in accuracy, showing that too much weight on the remaining
neurons will give too much influence on the classification,
possibly resulting in over-fitting. Fig. 5 displays that utilizing
appropriate numbers for both weight constraint and dropout
144
5
Fig. 5. Dropout and Weight Constraint vs. Accuracy
Fig. 8. Training Ratio vs. Fit Time
rate can lead to significant increases in accuracy.
IV. P ERFORMANCE E VALUATION
To perform the best-case tests, the best parameters from
each of the previously described searches were combined. The
utilized parameters for this test were: batch size of 10, 16
epochs, 45 neurons, Nadam optimizer, dropout rate of 30 %,
and weight constraint of 3. These parameters were used in
tests of training percentages, 20 %, 40 %, 60 %, and 80 %. A
five-fold cross validation was performed to ensure the validity
of the results. A Stratified Shuffle Split was used to mix the
data and ensure that a different portion of the data was used
for each fold of cross validation.
For scoring this test, accuracy along with the F1 score
were considered. Notice that accuracy is the standard measure
of correct classification percentage. F1 score is a standard
weighted average of precision and recall given by F 1 =
2∗(Precision∗Recall)
Precision+Recall , where Precision = F P +T P , Recall =
TP
F N +T P , T P = True Positives, F P = False Positives, and
TP
F N = False Negatives. Though more concerned with accuracy,
we can more fully determine the effectiveness of the network
classification by also considering the F1 metric.
The results of the test showed that at all training ratios, the
four layers of decreasing size model performed the best. Fig. 6
and Fig. 7 can be used together to display the accuracy and F1
Score results. The four layers of the same size model had the
worst accuracy, but often the best F1 score, as shown by Fig. 6
and Fig. 7. The accuracies for this model were consistently
lower than the other two models. At the 20 % training ratio,
the F1 score was the lowest of the models. Nonetheless, the

F1 scores for this model were ranked the best out of the three
for the 40 %, 60 % and 80 % training ratios, as seen in Fig. 7.
The model that improved the most by increasing the training
ratio was the one layer model. This model showed the largest
increase in accuracy by increasing the training ratio from 20 %
to 80 %. At the 80 % ratio, accuracy was the second best of
the models tested and the F1 score was the best of all tested
ratios and models.
In terms of time, all models performed similarly. This can
be seen in Fig. 8. The fastest time to train was seen in the one
layer model, which took an average of 637 seconds to train
at the 20 % training ratio. The longest time to train a model
was seen in the one layer model, which took an average of
2461 seconds to train at the 80 % training ratio. Based on these
statistics, it can be seen that training ratio and time increase is
approximately linear, as shown in Fig. 8. Thus, doubling the
training ratio will double the amount of time taken to train the
model.
Based on these results, the best model to use for classifi-
cation with this data set is the four layers of decreasing size
model. At all training ratios, this model outperformed the other
two in terms of accuracy. By also considering the F1 score,
this model was the best performer at the 20 % training ratio,
and the second best in all other ratios. Overall, by increasing
the training ratio, the analysis will be able to achieve higher
accuracy, though at the cost of a much higher training time.
By tuning hyper-parameters of the deep learning infrastructure,
we were able to optimize the performance.
V. F INAL R EMARKS
In this paper, we have successfully demonstrated the appli-
cation of deep neural networks for permission-based Android
malware classification. Distinct from similar research efforts,
we examine both core-Android and user-defined permissions,
and distinguish between optional and required permissions,
allowing us to establish a much larger feature vocabulary
for classification. Utilizing the grid search method of hyper-
parameter tuning, we were able to optimize our networks for
the best possible performance in terms of accuracy, precision,
and recall. As ongoing research, we plan to extend our work
to edge computing platform [19] and Internet of Things
applications [10].
ACKNOWLEDGEMENT
This work was supported in part by the US National Sci-
ence Foundation (NSF) under grants: CNS 1350145 (Faculty
CAREER Award), and the University System of Maryland
(USM) Endowed Wilson H. Elkins Professorship Award Fund.
Any opinions, findings and conclusions or recommendations
expressed in this material are those of the authors and do not
necessarily reflect the views of the agencies.
R EFERENCES
[1] Keras: The python deep learning library. https://keras.io/. Accessed:
2018-02-14.
145
6
[2] M. Abadi, A. Agarwal, P. Barham, E. Brevdo, Z. Chen, C. Citro, G. S.
Corrado, A. Davis, J. Dean, M. Devin, et al. Tensorflow: Large-scale
machine learning on heterogeneous distributed systems. arXiv preprint
arXiv: 1603.04467, 2016.
[3] Z. Chen, G. Xu, V. Mahalingam, L. Ge, J. Nguyen, W. Yu, and C. Lu. A
cloud computing based network monitoring and threat detection system
for critical infrastructures. Big Data Research, 3:10–23, 2016.
[4] L. Deng, D. Yu, et al. Deep learning: methods and applications.
Foundations and Trends in Signal Processing, 7(3–4):197–387, 2014.
[5] Z. M. Fadlullah, F. Tang, B. Mao, N. Kato, O. Akashi, T. Inoue,
and K. Mizutani. State-of-the-art deep learning: Evolving machine
intelligence toward tomorrows intelligent network traffic control sys-
tems. IEEE Communications Surveys and Tutorials, 19(4):2432–2455,
Fourthquarter 2017.
[6] P. Faruki, A. Bharmal, V. Laxmi, V. Ganmoor, M. S. Gaur, M. Conti, and
M. Rajarajan. Android security: A survey of issues, malware penetration,
and defenses. IEEE Communications Surveys and Tutorials, 17(2):998–
1022, Secondquarter 2015.
[7] S. GmbH. Number of smartphone users in the United States from
2010 to 2022 (in millions)*. https://www.statista.com/statistics/201182/
forecast-of-smartphone-users-in-the-us/, 2017.
[8] W. G. Hatcher and W. Yu. A survey of deep learning: Platforms,
applications and emerging research trends. IEEE Access, 2018.
[9] Y. LeCun, Y. Bengio, and G. Hinton. Deep learning. Nature,
521(7553):436–444, 2015.
[10] J. Lin, W. Yu, N. Zhang, X. Yang, H. Zhang, and W. Zhao. A survey
on Internet of Things: Architecture, enabling technologies, security and
privacy, and applications. IEEE Internet of Things Journal, 4(5):1125–
1142, Oct 2017.
[11] M. Lindorfer, M. Neugschwandtner, L. Weichselbaum, Y. Fratantonio,
V. Van Der Veen, and C. Platzer. Andrubis–1,000,000 apps later: A view
on current android malware behaviors. In Building Analysis Datasets
and Gathering Experience Returns for Security (BADGERS), 2014 Third
International Workshop on, pages 3–17. IEEE, 2014.
[12] F. Pedregosa, G. Varoquaux, A. Gramfort, V. Michel, B. Thirion,
O. Grisel, M. Blondel, P. Prettenhofer, R. Weiss, V. Dubourg, J. Vander-
plas, A. Passos, D. Cournapeau, M. Brucher, M. Perrot, and E. Duch-
esnay. Scikit-learn: Machine learning in Python. Journal of Machine
Learning Research, 12:2825–2830, 2011.
[13] SAP SE. Data Science and Machine Learning in the Internet of Things
and Predictive Maintenance. https://www.sap.com/documents/2016/10/
8ec7f23f-917c-0010-82c7-eda71af511fa.html, 2017.
[14] J. Schmidhuber. Deep learning in neural networks: An overview. Neural
networks, 61:85–117, 2015.
[15] L. Sui. Global smartphone os market share by region: Q3 2016, 2016.
[16] V. L. L. Thing. IEEE 802.11 network anomaly detection and attack
classification: A deep learning approach. In 2017 IEEE Wireless Com-
munications and Networking Conference (WCNC), pages 1–6, March
2017.
[17] W. Yu, Z. Chen, G. Xu, S. Wei, and N. Ekedebe. A threat monitoring
system for smart mobiles in enterprise networks. In Proceedings of the
2013 Research in Adaptive and Convergent Systems, RACS ’13, pages
300–305, New York, NY, USA, 2013. ACM.
[18] W. Yu, L. Ge, G. Xu, and X. Fu. Towards Neural Network Based
Malware Detection on Android Mobile Devices, pages 99–117. Springer
International Publishing, Cham, 2014.
[19] W. Yu, F. Liang, X. He, W. G. Hatcher, C. Lu, J. Lin, and X. Yang. A
survey on the edge computing for the Internet of Things. IEEE Access,
6:6900–6919, 2018.
[20] W. Yu, G. Xu, Z. Chen, and P. Moulema. A cloud computing based
architecture for cyber security situation awareness. In 2013 IEEE
Conference on Communications and Network Security (CNS), pages
488–492, Oct 2013.
[21] W. Yu, H. Zhang, L. Ge, and R. Hardy. On behavior-based detection of
malware on android platform. In 2013 IEEE Global Communications
Conference (GLOBECOM), pages 814–819, Dec 2013.
[22] Z. Yuan, Y. Lu, Z. Wang, and Y. Xue. Droid-Sec: deep learning in an-
droid malware detection. In ACM SIGCOMM Computer Communication
Review, volume 44, pages 371–372. ACM, 2014.
[23] D. Zhu, H. Jin, Y. Yang, D. Wu, and W. Chen. DeepFlow: deep learning-
based malware detection by mining Android application for abnormal
usage of sensitive data. In 2017 IEEE Symposium on Computers and
Communications (ISCC), pages 438–443, July 2017.