AndroSem-Qwen3-14B-LoRA
This repository provides the LoRA adapter used in the paper:
AndroSem: Semantics-Guided, LLM-based Interpretable Static Android Malware Detection
The adapter is fine-tuned on Qwen3-14B to act as a classifier and explanation engine for AndroSem, a purely static Android malware detection framework.
It is not a standalone malware detector: in the original setting it consumes a structured, human-readable intermediate representation (IR) produced by the AndroSem pipeline (code + manifest + strings), and outputs multi-class / binary decisions together with natural-language rationales.
For full experimental details, dataset description, and pipeline implementation, please refer to:
- the paper: AndroSem: Semantics-Guided, LLM-based Interpretable Static Android Malware Detection
- the code: https://github.com/AlexAshlake/AndroSem
1. Model details
- Base model: Qwen/Qwen3-14B
- Adapter type: LoRA (Low-Rank Adaptation)
- Task (original setting):
- Multi-class Android malware family classification
- Binary benign vs. malicious classification
- Generation of natural-language rationales explaining the decision
- Input format (original setting):
- A textual IR built from:
- decompiled code fragments (Semantic Abstraction),
- manifest fields,
- embedded strings and static features.
The adapter is designed for research and reproducibility of the AndroSem experiments. Using it outside this context (e.g., as a generic malware detector) will require additional engineering and careful validation.
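For orientation, the snippet below sketches what such a textual IR prompt might look like. The section names and layout are purely illustrative assumptions; the actual IR format is defined by the AndroSem pipeline in the GitHub repository.

```python
# Illustrative only: the real IR layout is produced by the AndroSem pipeline.
# Section names ("Manifest", "Strings", "Semantic Abstraction") are assumptions.

def build_ir_prompt(manifest_fields, strings, code_summaries):
    """Assemble a sectioned, human-readable IR prompt for the LLM."""
    sections = [
        "### AndroSem IR",
        "## Manifest",
        "\n".join(manifest_fields),
        "## Strings",
        "\n".join(strings),
        "## Semantic Abstraction",
        "\n".join(code_summaries),
        "### Task: Classify this app and explain why.",
    ]
    return "\n".join(sections)

example = build_ir_prompt(
    ["permission: SEND_SMS", "main activity: com.example.Main"],
    ["http://example.com/upload"],
    ["sends device identifier over HTTP in onCreate"],
)
```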
2. Intended use & limitations
Intended use
- As the LLM backend of AndroSem, for:
- static Android malware classification on the CIC-AndMal2017 APK corpus (and similar datasets),
- producing interpretable rationales based on a structured IR.
Not intended / limitations
- This LoRA does not directly ingest APKs or arbitrary Android projects.
- It should not be used as the only signal for security-critical decisions (e.g., automatic blocking in production) without additional safeguards, traditional detectors, and thorough evaluation.
- The model has been fine-tuned on IRs generated by a specific pipeline (AndroSem). Performance on other domains or input formats is unknown.
3. Training setup (SFT + LoRA)
- Framework: LLaMA-Factory
- Base model: Qwen3-14B
- Fine-tuning paradigm: Supervised Fine-Tuning (SFT)
- Adapter: LoRA
- rank: 24
- alpha: 48
- dropout: 0.15
- Quantization during training: 4-bit (q4)
- Inference configuration:
- Quantization: BitsAndBytes 4-bit nf4
- Context length: 32,768 tokens
- Max new tokens: 512
- Sampling:
- temperature: 0.5
- top_p: 0.9
Additional details about the training data construction (IR design, labeling scheme, and sampling) can be found in the AndroSem paper and the accompanying GitHub repository.
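LLaMA-Factory drives these hyperparameters through its own configuration files; as a rough equivalent, the same LoRA settings expressed directly with `peft` would look like the sketch below. Note that `target_modules` is deliberately left to the library default here, since the exact set used in the AndroSem experiments is defined by the LLaMA-Factory config, not this model card.

```python
# Illustrative config fragment: the same LoRA hyperparameters as above,
# expressed with peft. The actual training run used LLaMA-Factory configs.
from peft import LoraConfig

lora_config = LoraConfig(
    r=24,               # LoRA rank (from the setup above)
    lora_alpha=48,      # LoRA scaling alpha
    lora_dropout=0.15,  # dropout applied to LoRA layers
    task_type="CAUSAL_LM",
)
```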
4. How to use
⚠️ This repository contains only the LoRA adapter. You must load the base Qwen3-14B model and apply the adapter (e.g., with peft) to reproduce the behavior used in AndroSem.
Example (PyTorch, transformers + peft):

```python
import torch
from transformers import AutoModelForCausalLM, AutoTokenizer, BitsAndBytesConfig
from peft import PeftModel

base_model_name = "Qwen/Qwen3-14B"
lora_model_id = "AlexAshlake/AndroSem-Qwen3-14B-LoRA"  # this repo

# Load tokenizer from the base model
tokenizer = AutoTokenizer.from_pretrained(base_model_name, trust_remote_code=True)

# Load base model in 4-bit (nf4), matching the inference configuration above
bnb_config = BitsAndBytesConfig(
    load_in_4bit=True,
    bnb_4bit_quant_type="nf4",
    bnb_4bit_compute_dtype=torch.bfloat16,
)
base_model = AutoModelForCausalLM.from_pretrained(
    base_model_name,
    quantization_config=bnb_config,
    device_map="auto",
    trust_remote_code=True,
)

# Apply the LoRA adapter
model = PeftModel.from_pretrained(base_model, lora_model_id)
model.eval()

# Example: generate on an AndroSem-like IR prompt
prompt = (
    "### AndroSem IR\n"
    "[... intermediate representation of one APK ...]\n"
    "### Task: Classify this app and explain why."
)
inputs = tokenizer(prompt, return_tensors="pt").to(model.device)
with torch.no_grad():
    outputs = model.generate(
        **inputs,
        max_new_tokens=512,
        do_sample=True,
        temperature=0.5,
        top_p=0.9,
    )
print(tokenizer.decode(outputs[0], skip_special_tokens=True))
```
For exact reproduction of the experiments in the paper (including preprocessing, IR construction, and evaluation), please use the full AndroSem repository: https://github.com/AlexAshlake/AndroSem
5. Evaluation
The full evaluation (metrics, baselines, ablations, and qualitative case studies) is reported in:
AndroSem: Semantics-Guided, LLM-based Interpretable Static Android Malware Detection
Key points:
- Dataset: CIC-AndMal2017 APK corpus (full APK-level evaluation).
- Tasks:
- Multi-class malware family classification,
- Binary benign vs. malicious classification,
- Rationale quality (qualitative analysis).
This model card does not duplicate all metrics; please refer to the paper and the GitHub repo for detailed numbers and evaluation scripts.
6. Data & privacy
The LoRA is trained on derived intermediate representations constructed from APKs in the CIC-AndMal2017 dataset, plus associated labels and analysis prompts.
The model may implicitly encode patterns specific to this dataset and task.
Please ensure that your usage complies with:
- the license and terms of use of the base model Qwen3-14B, and
- any restrictions associated with the training data (CIC-AndMal2017 and related artifacts).