**5. Implementation**

In this section, we present the architecture of BrainShield's prototype and the implementation steps used to perform the prediction. We then describe the methodology used to obtain the detection results.

#### *5.1. BrainShield's Prototype Implementation*

The architecture of BrainShield's prototype, as shown in Figure 1, is divided into two parts: (1) the client and (2) the server.


In this architecture, the prediction is performed in nine steps, as shown in Figure 2: (1) labelling, by assigning each app a class, benign or malicious; (2) training the fully connected neural networks; (3) acquisition of APKs to be able to predict unknown apps; (4) client sends the analysis request to the server; (5) server returns the missing APKs to the client; (6) client sends APKs missing on the server; (7) feature extraction on the server; (8) prediction provided by the neural network for each app; and (9) sending the prediction to the client.

**Figure 2.** Steps of BrainShield.
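The client-server exchange in steps 4 to 9, as an added example that is not BrainShield's own code. It assumes APKs are identified by SHA-256 digest (the paper does not say how), reads step 5 as the server listing the APKs it lacks, and uses a hypothetical `toy_classifier` in place of feature extraction and the neural network.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Server:
    """Server side of steps 4-9. `classify` is a hypothetical stand-in for
    feature extraction plus the trained network (steps 7-8)."""
    def __init__(self, classify):
        self.store = {}          # digest -> APK bytes already held
        self.classify = classify

    def missing(self, digests):
        # Steps 4-5: answer an analysis request with the digests not yet stored.
        return [d for d in digests if d not in self.store]

    def upload(self, digest, data):
        # Step 6: recompute the digest so a client cannot file bytes under
        # another app's identifier and poison later verdicts for it.
        if sha256(data) != digest:
            raise ValueError("digest mismatch for uploaded APK")
        self.store[digest] = data

    def predict(self, digests):
        # Steps 7-9: refuse to answer for anything that was never uploaded.
        unknown = [d for d in digests if d not in self.store]
        if unknown:
            raise KeyError(f"{len(unknown)} APK(s) not uploaded")
        return {d: self.classify(self.store[d]) for d in digests}

def analyse(server, apks):
    """Client side: request, upload only what the server lacks, get verdicts."""
    by_digest = {sha256(data): data for data in apks.values()}
    wanted = server.missing(list(by_digest))
    for d in wanted:
        server.upload(d, by_digest[d])
    verdicts = server.predict(list(by_digest))
    return {name: verdicts[sha256(data)] for name, data in apks.items()}, len(wanted)

# Constructed sample data: byte strings standing in for APK files.
SAMPLE = {"notes.apk": b"PK\x03\x04 notes", "torch.apk": b"PK\x03\x04 torch sms"}

def toy_classifier(data):  # hypothetical placeholder, not BrainShield's model
    return "malicious" if b"sms" in data else "benign"

if __name__ == "__main__":
    srv = Server(toy_classifier)
    print(analyse(srv, SAMPLE))        # first run uploads both
    print(analyse(srv, SAMPLE))        # second run uploads nothing
```

Recomputing the digest on upload is the check that matters here: without it, a verdict cached under one app's identifier could be computed from different bytes.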

Figure 3 depicts how we train the neural networks. We first load the database and then randomly shuffle it so that each training run uses different sets of malicious and benign applications. After choosing the features, setting some parameters, creating our neural network and splitting the database into three groups, the neural network training can take place. The number of iterations can be varied, and we finish by evaluating the neural network on the test set.

**Figure 3.** Pseudocode for training the neural network.
