Robust malicious software detection and classification using global whale optimization algorithm with deep learning approach

Abstract

Software malware detection and classification leverage sophisticated procedures and methods from the cybersecurity domain for identifying and categorizing malicious software, generally called malware. This procedure analyses code behaviour, file structures, and other features to distinguish between benign and malicious programs. Machine learning (ML) and artificial intelligence (AI) are vital in this domain, allowing the progress of dynamic and adaptive systems that identify novel and developing malware attacks. By training on massive datasets of benign and malicious instances, these systems learn patterns and signatures indicative of malware. This lets them correctly categorize and respond to potential attacks in real-time. This study presents a Global Whale Optimization Algorithm with Neutrosophic Logic for Software Malware Detection and Classification (GWOANL-SMDC) technique. The GWOANL-SMDC technique secures the software via the Android malware recognition process. Primarily, the GWOANL-SMDC technique employs the Neutrosophic Cognitive Maps (NCM) model for the feature selection process. The GWOANL-SMDC technique uses a convolutional long short-term memory (ConvLSTM) model for software malware detection. At last, the GWOA-based parameter tuning is performed to improve the performance of the ConvLSTM model. The simulation values of the GWOANL-SMDC technique are examined on the malware dataset. The obtained results ensured that the GWOANL-SMDC technique improved capability in detecting software malware.

Introduction

Recently, cyberattacks have been the most severe problem in the domain of modern technology. The term suggests using a system’s errors for malicious activities like altering, stealing, or destroying. Malware is an instance of a cyberattack¹. Malware is a group of instructions or codes developed to affect the user, computer, business, or computer system. The word “malware” comprises extensive attacks such as scareware, viruses, Trojan horses, rogue software, spyware, adware, wipers, ransomware, etc. Malicious software is some part of code that will be executed without user knowledge or permission². Malware detection techniques have been used to evaluate the data, which could be gathered and trained to identify whether a specific section of software or network link finds a security issue. For example, explore a ML method that will demonstrate the principles that inspire the patterns it detected³. Methods are trained using the ML approach, which will increase their capability for prediction, employing feedback about how well they executed prior tasks and utilizing that data to make modifications⁴.

Malware Classification is a method of allocating a malware sample to a particular malware family. Malware within the family exchanges the same features that could be employed for creating signatures for detection and classification⁵. Signatures are considered static or dynamic depending upon how they can be extracted. Major causes for producing a higher volume of malware instances are the wide-ranging usage of malware developer’s obfuscation method that describes that malicious files from a similar malware family (for example, similar code and common origin) have been incessantly adapted and obfuscated. Consequently, a generalized ML-based malware analysis was deliberated as a real-world solution and will be executed well under unnoticed samples⁶. In this context, dynamic and static analysis could be employed for malware detection and classification in training. Static techniques typically analyze the malware’s program (machine or assembly) without its performance⁷. At the same time, the malware’s dynamic technique behaviour is observed in its execution stage. Both categories of analysis have their disadvantages⁸. For instance, in static methods, the susceptibility in the code can be dug out at the correct location. At the same time, the dynamic technique could perform this function better. Alternatively, the benefit of static analysis is that malware must be identified before its execution. Dynamic methods permit recapture control of affected systems that cannot be in static methods⁹. During the malware analysis, malware classification is significant because classifying different types of malware is vital to knowing how they will affect personal computers, the risk level they provide, and how to secure them. In this condition, malware is recognized and could be allocated to the more proper malware family over a classification method¹⁰.

This study presents a Global Whale Optimization Algorithm with Neutrosophic Logic for Software Malware Detection and Classification (GWOANL-SMDC) technique. Primarily, the GWOANL-SMDC technique employs the Neutrosophic Cognitive Maps (NCM) model for the feature selection (FS) process. The GWOANL-SMDC technique uses a convolutional long short-term memory (ConvLSTM) approach for software malware detection. Finally, GWOA-based parameter tuning is performed to improve the performance of the ConvLSTM methodology. The experimental outcomes of the GWOANL-SMDC methodology are examined using the malware dataset.

Literature works

Madhloom et al.¹¹ developed a structure of an innovative packet-filter firewall system that overcomes the restrictions of existing FPN-based filter techniques. The main contribution is to utilize SNPNs as a tool for designing discrete occurrence structures in the region of the firewall packet filter, which can be represented by inexact knowledge. Yasser et al.¹² presented a robust, different, and intelligent analytical tool for automatically recognizing COVID-19 by employing obtainable resources in digital chest X-rays (CXR). The introduced method was a hybrid architecture dependent upon combining two methods such as ML and Neutrosophic techniques (NTs). Classification features have been mined from X-ray images employing principal component analysis (PCA) and morphological features (MFs). In¹³, a hybrid technique of intuitionistic fuzzy set (IFS) and rough set theory has been developed. This technique is a classification model that obtains the benefits of two: one is a rough set, and the other is IFS for handling indiscernibility, vagueness, and intrinsic uncertainty in the database. The method categorizes the data samples, which could be exhibited using natural language. Rahman et al.¹⁴ aimed to develop a new idea of parameterization of fuzzy sets at the hypersoft set background with undefined constituents of neutrosophic set and IFS.

Kadali et al.¹⁵ introduced the game theory model, an analytical technique to evaluate individuals’ diverse criminal behaviour maps. Based on Neutrosophic logic (NL) analysis, game theory encompasses identified individual crimes from randomized crimes, employing clusters of randomization collected. The developed method implemented an assessment of the Intra- or inter-cluster correlation coefficient (ICCC) on criminal data (uncertainty and certainty) for determining the sizes of crime instances. In¹⁶, an innovative approach for categorizing BC employing NTs and ML methods was presented, called the BC Classification Strategy (BC2S), which contains two stages. The major target of the data preprocessing stage is to (1) features extraction, (2) choose the informative features employing an innovative FS technique named Efficient ACO (EACO), and (3) transfer the chosen features from the traditional field into neutrosophic field employing NTs. The developed classification method employed the Deep Neural Network (DNN) technique. Jennifer and Sharmila¹⁷ considered employing NT of categorizing into True (T), False (F), and Indeterminacy (I) set participation. Firstly, the images have been preprocessed by alpha-mean and beta-improvement functions to decrease the Indeterminacy and enrich the image constituents as the ranges of lung opacity range for determining the categories. Subsequently, the NT-improved images have been provided with diverse DL methods such as ConvLSTM, VGG-16, and ResNet-50 for classification. Alomari et al.¹⁸ present a high-performance malware detection system utilizing DL and feature selection. Two malware datasets are preprocessed, and correlation-based feature selection creates various feature-selected datasets.

Şahin et al.¹⁹ introduce a novel Android malware detection system employing filter-based feature selection techniques for static analysis with ML. It utilizes permissions from application files as features and applies eight-dimension reduction models. Four methods are tailored for Android malware detection, while the other four are adapted from text classification. Akhiat et al.²⁰ propose an effectual ensemble feature selection for intrusion detection systems (IDS-EFS) to choose the optimum performing subset for attack detection. Ngo et al.²¹ compare two feature reduction methods. Feature selection usually presents improved detection performance and faster processing as feature count increases, while feature extraction is more reliable with fewer features and less sensitivity to feature count changes. Varzaneh and Hosseini²² present an enhanced equilibrium optimization method called Levy-opposition-equilibrium optimization (LOEO) for feature selection in network IDSs. By integrating opposition-based learning to improve population diversity and the Levy flight method to avert local optima, the binary version, BLOEO, intelligently chooses the most informative features from high-dimensional data. Li et al.²³ compare feature extraction and selection for IoT network intrusion detection. Feature extraction generally accomplishes better with fewer features and less sensitivity to changes. Eljialy, Uddin, and Ahmad²⁴ introduce a multi-step feature selection process followed by classification. It utilizes various feature selection methods to detect high-scoring features for anomaly detection, creating a candidate dataset. Multiple classification algorithms are used later in this dataset to develop the models.

An innovative packet-filter firewall system utilizing SNPNs addresses existing FPN models’ limitations but may face scalability difficulty against evolving threats. A hybrid architecture for COVID-19 recognition integrates ML and Neutrosophic methods, yet its efficiency relies heavily on the quality of available X-ray data. A classification model that integrates IFS and rough set theory encounters threats with high-dimensional data, potentially resulting in computational complexity. The parameterization of fuzzy sets in hypersoft contexts introduces interpretative difficulties. Meanwhile, an Android malware detection system dependent on specific permissions might overlook critical detection features. Lastly, while an IDS-EFS technique improves feature selection, it risks losing crucial data, and comparisons of feature reduction methodologies may need to consider dataset discrepancies adequately. Current malware detection and intrusion systems methodologies often concentrate on specific feature selection or extraction models without adequately addressing the dynamic behaviour of growing threats. Furthermore, there is a lack of comprehensive studies that compare the efficiency of these techniques across various datasets, specifically in real-world scenarios. This gap emphasizes the requirement for more robust, adaptable models incorporating diverse feature selection strategies to improve detection performance.

The proposed method

This study develops a novel GWOANL-SMDC technique. The technique secures the software via the Android malware recognition process. To accomplish that, the GWOANL-SMDC approach involves three different procedures: NCM-based FS, ConvLSTM-based classification, and GWOA-based parameter tuning. Figure 1 demonstrates the entire flow of the GWOANL-SMDC method.

Fig. 1

Overall flow of GWOANL-SMDC approach.

Feature selection using NCM

At the primary stage, the GWOANL-SMDC technique employs NCM for the FS process²⁵. The GWOANL-SMDC technique utilizes the NCM model for the feature selection process because it can efficiently handle uncertainty and imprecision in data. Unlike conventional methods, the NCM model incorporates qualitative and quantitative data, allowing for a more comprehensive understanding of complex feature relationships. This methodology outperforms scenarios where data may be incomplete or ambiguous, making it specifically appropriate for emotion detection tasks. Furthermore, the NCM model facilitates the visualization of feature interdependencies, assisting in detecting key influences on the target variable. Its flexibility and adaptability to diverse contexts additionally improve its merit over other feature selection methodologies, promoting enhanced performance and interpretability of the model. Figure 2 illustrates the NCM model.

Fig. 2

Architecture of NCM model.

NL is an incorporation of paraconsistent logic, intuitionistic logic, three-valued logic, and fuzzy logic. Here, the logical variables, including \(\:F\), \(\:T,\) and \(\:I\), represent the amount of falsehood, truth, and Indeterminacy. The union and intersection of single‐finite elements, subsets, intervals, finite or infinite, real sub‐unitary subsets, continuous or discrete, etc., exemplify the variables. Due to incomplete knowledge, NL attempts to catch the inaccuracy from observers’ vagueness or uncertainty, thus making \(\:T\), \(\:I\), and F subsets. If the edge value of the NL map is from the set \(\:\left\{\text{0,1},\:\text{I}\right\}\), representing truth (0), falsehood (1), and Indeterminacy (I) values. The reasons behind making NL beneficial for detecting leaf diseases are (i) it shows that specific features are useful for the system, which might be false in another system, and (ii) it shows Indeterminacy. The major variation between NL and intuitionistic fuzzy logic lies in the distinguishing relative and absolute truth. NL is used to transform logical statements into 3D neutrosophic space. The definition of NCM is given in the following:

1. (i):

   NCM is a directed graph representing the causal relation among the features.

2. (ii):

   If the node is a fuzzy set, each node in NCM is considered a fuzzy node.

3. (iii):

   Nodes in the graph are said to be a feature. Weight has been allocated to the directed edge between\(\:{\:C}_{i}\) & \(\:{C}_{j}\) nodes. The weight values lie within \(\:\{-\text{1,0},1,\:\text{I}\}\).

4. (iv):

   According to the NCM, the adjacent matrix of neutrosophic \(\:N\)(\(\:E\)) is formed where \(\:N\left(E\right)=\left({e}_{ij}\right)\), and the weight of the directed graph is represented as \(\:{e}_{ij}\) within \(\:\left\{1,\:0,\:-1,\:\text{I}\right\}.\)

5. (v):

   Consider \(\:A=\left({a}_{1},\:{a}_{2}\dots\:{a}_{n}\right)\) as instantaneous state, whereas \(\:{a}_{i}\epsilon\:\left\{\text{0,1},\:\text{I}\right\}\) if \(\:{a}_{i}\) is in off condition, at that time \(\:{a}_{i}=0\); if \(\:{a}_{i}\) is in on condition, at that point \(\:{a}_{i}=1;{a}_{i}=I\) if \(\:{a}_{i}\) is indeterminate.

6. (vi):

   Each edge of NCM is considered as \(\:\overrightarrow{{C}_{1}{C}_{2}},\overrightarrow{{C}_{2}{C}_{3}},\dots\:.\overrightarrow{{C}_{i}{C}_{j}}\). When the NCM possesses a directed cycle followed by it is known as cyclic. Otherwise, it is known as acyclic.

7. (vii):

   In NCM, when there is feedback, viz., causal relationship over the cycle, after that, the system is dynamic.

8. (vii):

   Assume \(\:\overrightarrow{{C}_{1}{C}_{2}},\overrightarrow{{C}_{2}{C}_{3}},\dots\:.\overrightarrow{{C}_{i}{C}_{j}}\) is a cycle, and when \(\:{C}_{i}\) is ON, if the causal relationship is through the edges of the cycle after the dynamic system goes in circles to attain the equilibrium state, it is known as a hidden form.

9. (ix):

   A neutrosophic state is called a set point when the equilibrium state of a dynamic system is a unique state vector.

10. (x):

    The equilibrium state is known as an NCM limit cycle if NCM settles with NL state vector repeated in series of \(\:{A}_{1}\to\:{A}_{2}\to\:\dots\:{A}_{i}\to\:{A}_{1}.\)

11. (xi):

    Grouping of a finite amount of NCMs viz., \(\:N\left(E\right)=N\left({E}_{1}\right)+N\left({E}_{2}\right)+\dots\:+N\left({E}_{n}\right)\) may lead to the joint effect of NCM.

In the NCM approach, the objectives are joined as a single main calculation for giving weight to identify all major significance²⁶. During this work, an FF can be executed an FF that joins both objectives of FS as represented in (1).

$$\:Fitness\left(X\right)=\alpha\:\cdot\:E\left(X\right)+\beta\:*\left(1-\frac{\left|R\right|}{\left|N\right|}\right)$$

(1)

In which \(\:Fitness\left(X\right)\) denotes the fitness rate of subset \(\:X,\)\(\:E\left(X\right)\) implies the classifier errors by employing the selected features from the X separation, \(\:\left|R\right|\) and \(\:\left|N\right|\) denotes the number of elected features and the number of novel features within the data, \(\:\alpha\:\) and \(\:\beta\:\) signifies the weights of the classifier error and reduction ratio, \(\:\alpha\:\in\:\left[\text{0,1}\right]\) and \(\:\beta\:=(1-\alpha\:)\).

ConvLSTM-based classification

The GWOANL-SMDC technique uses the ConvLSTM model²⁷ for software malware detection. The GWOANL-SMDC technique employs the ConvLSTM model for software malware detection due to its unique capability to capture spatial and temporal data patterns. Unlike conventional methods that may concentrate solely on one dimension, the ConvLSTM model incorporates convolutional layers with LSTM units, making it specifically efficient for analyzing sequences of images or binary representations of malware. This dual capability improves the model’s performance in recognizing malware behaviour over time, which is significant for accurate detection. Furthermore, the structure of the ConvLSTM model allows for effectual processing of complex data formats, resulting in enhanced classification outcomes. Its robustness in handling varying input sizes and its adaptability to different malware types justify its selection over conventional methods. Figure 3 portrays the architecture of the ConvLSTM model.

Fig. 3

Architecture of ConvLSTM approach.

The ConvLSTM units combine convolutional to fully connected LSTM (FC-LSTM) by exchanging the weights with convolution filters. This mathematical expression of the ConvLSTM unit is summarized in Eqs. (2–6), but the convolutions were executed at the weighted connections.

$$\:I=\sigma\:\left({W}_{XI}*{X}_{z}+{W}_{HI}*{H}_{z-1}+{W}_{CI}\circ\:{C}_{z-1}+{b}_{I}\right)$$

(2)

$$\:{F}_{z}=\sigma\:\left({W}_{XF}*{X}_{z}+{W}_{HF}*{H}_{z-1}+{W}_{CF}\circ\:{C}_{z-1}+{b}_{F}\right)$$

(3)

$$\:{C}_{z}=F\cdot\:C+{i}_{z}\circ\:\left({W}_{XC}*{x}_{z}+{W}_{HC}*{h}_{z-1}+{b}_{c}\right)$$

(4)

$$\:{O}_{z}=\sigma\:\left({W}_{XO}*{X}_{z}+{W}_{HO}*{H}_{z-1}+{W}_{co}\cdot\:{C}_{z-1}+{b}_{o}\right)$$

(5)

$$\:{H}_{z}=O\circ\:\:\text{t}\text{a}\text{n}\text{h}\:\left({C}_{z}\right)$$

(6)

The output, input, cell, forget, and hidden layers (HLs) of all the timestep are demonstrated by \(\:O\), \(\:I,\:C,\)\(\:F,\) and \(\:H\) correspondingly, the activation by \(\:\sigma\:\), and weight connections among layers by a group of weights, \(\:W\). The resultant layer regulates that several data have been propagated from the prior timestep, where the HL comprises, data obtained by the next timestep and layer. The peephole connections enable the LSTM unit to access and propagate data reported from the cell layer of the prior timestep.

If developing with images, the ConvLSTM network is more valuable than the FC-LSTM because it can propagate spatial features temporally with every ConvLSTM layer. The FC‐LSTM can be regarded as a particular instance of ConvLSTM, but the filters’ dimension is equivalent to the input image, and a single convolution function was executed, such that every ConvLSTM unit shares similar parameters with every timestep.

The resolution of feature maps generated from the input is determined by the convolutional filters of the input-to-hidden connections; the convolution filter sizes of hidden-to‐hidden connections define the aggregate data the ConvLSTM unit gets from the prior timestep. The layer transition among timesteps for the ConvLSTM unit can be taken as action among frames.

Hyperparameter tuning using GWOA

Finally, the GWOA-based parameter tuning method is used to improve the performance of the ConvLSTM model²⁸. The GWOA-based parameter tuning method is utilized to enhance the performance of the ConvLSTM model due to its robust search capabilities and effectiveness in exploring the hyperparameter space. By replicating whales’ social behaviour, the GWOA model efficiently balances exploration and exploitation, leading to the detection of optimal parameter settings that enhance the model’s accuracy. This methodology is advantageous in complex models such as ConvLSTM, where various hyperparameters can substantially impact performance. Moreover, the capability of the GWOA model to escape local optima makes it more reliable than conventional optimization techniques. Incorporating the GWOA technique accelerates the tuning process and results in a more generalized model that can adapt to varying datasets, ultimately improving the efficiency of malware detection tasks. Figure 4 demonstrates the workflow of the GWOA model.

Fig. 4

Workflow of the GWOA model.

To enhance the global search ability and convergence velocity of traditional WOA, an enhanced GSWOA is developed dependent upon three strategies: variable spiral location upgrade, adaptive weight, and optimum neighbourhood perturbation. At initial, the strategy of adaptive weight is to present a weight of adaptive inertia built on the iteration count \(\:t\) into the whale location upgrade, and expressed as below:

$$\:w\left(t\right)=0.2\text{c}\text{o}\text{s}\left(\frac{\pi\:}{2}\cdot\:\left(1-\frac{t}{{t}_{\text{m}\text{a}\text{x}}}\right)\right)$$

(7)

where \(\:t\) refers to the present iteration amount, \(\:{t}_{\text{m}\text{a}\text{x}}\) specifies the highest iteration amount, and \(\:w\left(t\right)\) denotes the weight of adaptive inertia, which has a value of \(\:\left[0\:\text{a}\text{n}\text{d}\:1\right]\).

As per Eq. (7), the weight value is smaller in the initial phase but varies rapidly; in the later phase, with the high growth in the iteration count, the weight is big, but the alteration velocity is reduced low by enhancing the algorithm convergence.

The location upgrade formulation of the enhanced WOA is

$$\:X\left(t+1\right)=\left\{\begin{array}{l}w\left(t\right)\cdot\:{X}^{\text{*}}\left(t\right)-A\cdot\:\left|C\cdot\:{X}^{\text{*}}\left(t\right)-X\left(t\right)\right|,p<0.5\\\:w\left(t\right)\cdot\:{X}^{\text{*}}\left(t\right)+D\cdot\:{e}^{b\text{l}}\text{c}\text{o}\text{s}\left(2\pi\:\text{l}\right),p\ge\:0.5\end{array}\right.$$

(8)

$$\:X\left(t+1\right)=w\left(t\right){X}_{rand}\left(t\right)-A\cdot\:\left|C\cdot\:{X}_{rand}\left(t\right)-X\left(t\right)\right|$$

(9)

Secondly, the strategy of variable spiral location upgrade denotes altering the constant \(\:b,\) which reflects the spiral form within the bubble net attack phase, to an energetically altered variable dependent upon the iteration count, and its mathematical expression is as follows:

$$\:b={e}^{5\cdot\:\text{c}\text{o}\text{s}\left(\pi\:\cdot\:\left(1-\frac{t}{{t}_{\text{m}\text{a}\text{x}}}\right)\right)}$$

(10)

From Eq. (10), it is realized that the spiral shape range is bigger in the system’s initial stage. The whale could hunt for an optimizer in a greater array and has a sturdier global search capability by the growth of iteration count; the spiral shape range turns so small, and then the whale can hunt in the smallest range to enhance the optimizer accuracy. The location upgrade formulation of an improved WOA is

$$\:X\left(t+1\right)=w\left(t\right)\cdot\:{X}^{\text{*}}\left(t\right)+bD\cdot\:{e}^{b\text{l}}\text{c}\text{o}\text{s}\left(2\pi\:1\right)$$

(11)

Lastly, the strategy of optimum neighbourhood perturbation is to enlarge the search range of the best position to the neighbourhood of the present finest position once the whale location can upgrade and hunt the close space concurrently rather than being restricted to an existing optimum position. With this method, the whale search efficacy and the convergence velocity of the process can be improved. A mathematical formulation to generate trouble in the neighbourhood of the present best position and produce a novel position as

$$\:\widehat{\text{X}}\left(t\right)=\left\{\begin{array}{l}{X}^{\text{*}}\left(t\right)+0.5\cdot\:rand1\cdot\:{X}^{\text{*}}\left(t\right),\:rand2<0.5\\\:{X}^{\text{*}}\left(t\right),\:rand2\ge\:0.5\end{array}\right.$$

(12)

Where\(\:\:\:X\left(t\right)\) specifies the produced novel position, \(\:rand1\) and \(\:rand2\) refer to the even random numbers that value zero and one\(\:.\)

The novel position has been saved if the produced novel position is higher or lower than the original location. The formulation has been stated as:

$$\:{X}^{\text{*}}\left(t\right)=\left\{\begin{array}{l}\widehat{\text{X}}\left(t\right),\:f\left(\widehat{\text{X}}\left(t\right)\right)<f\left({X}^{\text{*}}\left(t\right)\right)\\\:{X}^{\text{*}}\left(t\right),f\left({X}^{\text{*}}\left(t\right)\right)\le\:f\left(\widehat{\text{X}}\left(t\right)\right)\end{array}\right.$$

(13)

Here, \(\:f\left(x\right)\) signifies the fitness value if the position is \(\:x.\)

The GWOA approach grows an FF to increase higher classifier results. It expresses a positive integer to suggest a good solution for candidate results. During this case, the decline of classifier errors is supposed to be FF, as provided in Eq. (14).

$$\begin{aligned} fitness\left( {x_{i} } \right) & = Classifier\,Error\,Rate\left( {x_{i} } \right) \\ & = \frac{{No.\:\:of\:misclassified\:Instances}}{{Total\:no.\:of\:Instances}} \times \:100 \\ \end{aligned}$$

(14)

Performance validation

The simulation outcomes of the GWOANL-SMDC approach were assessed on the malware database²⁹. It contains 7500 instances under two classes, as demonstrated in Table 1.

Table 1 Detailed database.

Figure 5 portrays the confusion matrices attained by the GWOANL-SMDC approach under various epochs. The experimental value implied that the GWOANL-SMDC model effectively recognizes the benign and malware instances in 2 classes.

Fig. 5

Confusion matrices of GWOANL-SMDC technique (a-d) Epochs 500–2000.

The malware detection outcome of the GWOANL-SMDC approach is provided in Table 2; Fig. 6. The experimental value demonstrated that the GWOANL-SMDC approach reaches effective outcomes under two classes. With 500 epochs, the GWOANL-SMDC methodology reaches average \(\:acc{u}_{y}\), \(\:pre{c}_{n}\), \(\:rec{a}_{l}\), \(\:{F}_{score}\), and MCC of 99.09%, 98.79%, 99.19%, 98.98%, and 97.98%, correspondingly. In addition, with 1000 epochs, the GWOANL-SMDC method obtains average \(\:acc{u}_{y}\), \(\:pre{c}_{n}\), \(\:rec{a}_{l}\), \(\:{F}_{score}\), and MCC of 99.17%, 98.80%, 99.17%, 98.98%, and 97.97%, correspondingly. Moreover, with 2000 epoch, the GWOANL-SMDC method reaches average \(\:acc{u}_{y}\), \(\:pre{c}_{n}\), \(\:rec{a}_{l}\), \(\:{F}_{score}\), and MCC of 98.84%, 98.39%, 98.84%, 98.61%, and 97.23%, correspondingly.

Table 2 Malware detection result of GWOANL-SMDC technique under various epochs.

Fig. 6

Average result of GWOANL-SMDC technique under various epochs.

The performance of the GWOANL-SMDC approach is projected in Fig. 7 in the procedure of training accuracy (TRAAC) and validation accuracy (VALAC) outcomes at 1000 epochs. The outcome exposes valuable analysis of the GWOANL-SMDC approach under various counts of epochs, depicting its learning method and generalized abilities. Noticeably, the result implies steady development from the TRAAC and VALAC with maximum epochs. It ensures the adaptive nature of the GWOANL-SMDC technique in the pattern detection method on both data. The maximum trend in VALAC reviews the GWOANL-SMDC technique’s ability to fine-tune the TRA data and provide the correct classifier on unnoticed data, representing strong generalization capabilities.

Fig. 7

\(\:Acc{u}_{y}\) curve of GWOANL-SMDC technique under 1000 epochs

Figure 8 illustrates the training loss (TRALS) and validation loss (VALLS) curves of the GWOANL-SMDC technique at 1000 epochs. The progressive decrease in TRALS emphasizes the GWOANL-SMDC technique optimizer of the weights and decreases the classifier error on both data. The outcome inferred precise data as the GWOANL-SMDC approach linked with the TRA data highlighted its ability to capture patterns from both data. The GWOANL-SMDC approach continually enhances its parameters to diminish the differences between the predictive and actual TRA class labels.

Fig. 8

Loss curve of GWOANL-SMDC technique under 1000 epochs.

Analyzing the PR curve, as represented in Fig. 9, the outcomes assured that the GWOANL-SMDC approach progressively attains improved PR rates with two classes at 1000 epochs. It controls the improved proficiency abilities of the GWOANL-SMDC method in detecting two classes, representing proficiency in the class detections.

Fig. 9

PR curve of GWOANL-SMDC technique at 1000 epochs.

Besides, in Fig. 10, ROC curves attained by the GWOANL-SMDC approach are exposed in the classifier of 2 labels at 1000 epochs. This offers a comprehensive meaning of the tradeoff between TPR and FRP at various detection threshold rates and counts of epochs. The outcome demonstrates the superior classifier outcomes of the GWOANL-SMDC model in two classes, representing the solution for addressing various classifier problems.

Fig. 10

ROC curve of GWOANL-SMDC technique under 1000 epochs.

The comparative malware detection outcome of the GWOANL-SMDC technique is given in Table 3³⁰. Concerning \(\:acc{u}_{y}\), the GWOANL-SMDC technique provides an improved \(\:acc{u}_{y}\) of 99.17%, but the J48, RF, DT, SMO, logistic, and AAMD-OELAC approaches have obtained lesser \(\:acc{u}_{y}\) values of 96.86%, 97.87%, 94.68%, 96.47%, 96.38%, and 98.97%, correspondingly. Additionally, based on \(\:{F}_{score}\), the GWOANL-SMDC methodology provides a higher \(\:{F}_{score}\) of 98.98%. At the same time, the J48, RF, DT, SMO, logistic, and AAMD-OELAC approaches have obtained minimal \(\:{F}_{score}\) values of 97.29%, 96.67%, 97.85%, 96.31%, 96.63%, and 98.44%, respectively.

Table 3 Comparative outcome of GWOANL-SMDC technique with recent models.

Table 4; Fig. 11 give the comparative time cost (TC) analysis of the GWOANL-SMDC methodology. Based on CT, the GWOANL-SMDC methodology provides a lesser TC of 0.52s, while the J48, RF, DT, SMO, logistic, and AAMD-OELAC models have obtained higher TCs of 1.94s, 2.42s, 8.98s, 10.24s, 2.65s, and 1.61s, correspondingly.

Table 4 TC analysis of GWOANL-SMDC methodology with recent methods.

Fig. 11

TC outcome of GWOANL-SMDC methodology with other methods.

These performances ensured the enhanced detection outcomes of the GWOANL-SMDC approach.

Conclusion

In this study, a novel GWOANL-SMDC methodology is developed. The GWOANL-SMDC methodology secures the software via the Android malware recognition process. To accomplish that, the GWOANL-SMDC technique encompasses three different processes: NCM NCM-based FS, ConvLSTM-based classification, and GWOA-based parameter tuning process. Initially, the GWOANL-SMDC methodology employs NCM for the FS process. For software malware detection, the GWOANL-SMDC technique uses the ConvLSTM model. Finally, the GWOA-based parameter tuning procedure is used to boost the performance of the ConvLSTM model. The experimental results of the GWOANL-SMDC methodology can be assessed using the malware dataset. The results ensured that the GWOANL-SMDC technique improved its capability to detect software malware.