FedREVAN: real-time detection of vulnerable android source code through federated neural network with XAI.

Abstract

Adhering to security best practices during the development of Android applications is of paramount importance due to the high prevalence of apps released without proper security measures. While automated tools can be employed to address vulnerabilities during development, they may prove to be inadequate in terms of detecting vulnerabilities. To address this issue, a federated neural network with XAI, named FedREVAN, has been proposed in this study. The initial model was trained on the LVDAndro dataset and can predict potential vulnerabilities with a 96% accuracy and 0.96 F1-Score for binary classification. Moreover, in case the code is vulnerable, FedREVAN can identify the associated CWE category with 93% accuracy and 0.91 F1-Score for multi-class classification. The initial neural network model was released in a federated environment to enable collaborative training and enhancement with other clients. Experimental results demonstrate that the federated neural network model improves accuracy by 2% and F1-Score by 0.04 in multi-class classification. XAI is utilised to present the vulnerability detection results to developers with prediction probabilities for each word in the code. The FedREVAN model has been integrated into an API and further incorporated into Android Studio to provide real-time vulnerability detection. The FedREVAN model is highly efficient, providing prediction probabilities for one code line in an average of 300 ms.