TR EN

MSc Thesis Defense: Abdullah Cevizli, ANDROID MALWARE FAMILY CLASSIFICATION WITH LARGE LANGUAGE MODELS OVER DYNAMIC API CALL SEQUENCES, Date & Time: 21 July, 2026 – 2:00 PM, Place: FENS L065

ANDROID MALWARE FAMILY CLASSIFICATION WITH LARGE LANGUAGE MODELS OVER DYNAMIC API CALL SEQUENCES

 

 

Abdullah Cevizli
Computer Science and Engineering, MSc Thesis, 2026

 

Thesis Jury

Asst. Prof. Orçun Çetin (Thesis Advisor)

Prof. Albert Levi

  Assoc. Prof. Julio Hernandez-Castro

 

 

Date & Time: July 21st, 2026 – 02.00 PM

Place: FENS L065

Keywords : Android malware, dynamic analysis, Fine-tuned LLM, JVMTI

instrumentation, open-set recognition

 

Abstract

 

Android malware spreads quickly and uses obfuscation to evade static inspection. Dynamic analysis instead observes how an application behaves at runtime and reveals behavior that static analysis misses. Large language models (LLMs) have recently emerged as a powerful tool for security researchers. In Android malware studies, however, they have mostly been applied to static features, and their use on dynamic execution traces remains limited. This thesis studies how accurately malware families can be classified from dynamic API call sequences with a fine-tuned LLM, in both closed-set and open-set settings. The study rests on a collection and segmentation pipeline we built. A custom JVMTI native agent attaches at runtime and records method calls with their argument values, including Binder calls, without recompiling the Android framework. We then segment each trace into behavioral units pivoted on Binder calls. This cuts trace length by a median of 77.9% and brings 86.4% of applications within a 16,384-token budget, up from 48% unfiltered. We fine-tune four small LLMs (LLaMA 3.2 3B, Gemma 3 4B, Qwen3 4B, and Phi-4-mini) with LoRA on the raw segment text. On 22 families the best model, LLaMA 3.2 3B, reaches 97.81% macro F1. The open-set setting adds an OTHER category for families outside the trained set. Here outlier exposure training on a Gemma 3 4B model gives the strongest detection we measured, 92.95% macro F1 at 98.84% AUROC. These results show that fine-tuned LLMs can classify Android malware families directly from the dynamic traces our pipeline produces.

Home

Orta Mahalle, 34956 Tuzla, İstanbul, Türkiye

Telefon: +90 216 483 90 00

Fax: +90 216 483 90 05

© Sabancı Üniversitesi 2023