Search Results (141)

Search Parameters:
Keywords = malware detection and classification models

28 pages, 720 KB  
Article
Wavelet-Based and MAML-Driven Framework for Enhanced Few-Shot Malware Classification
by Abdullah Almuqrin, Ibrahim Mutambik and Majed Abusharhah
Appl. Sci. 2026, 16(8), 3921; https://doi.org/10.3390/app16083921 - 17 Apr 2026
Viewed by 151
Abstract
Traditional malware classification approaches primarily address fixed sets of well-studied malware types and therefore struggle to accommodate the continual emergence of novel or previously unseen malware strains. While visualization-based strategies have shown promise in few-shot malware classification, existing methods often produce representations with limited semantic richness. In parallel, few-shot learning models frequently converge with suboptimal solutions, limiting their ability to generalize effectively to new classes. To address these challenges, we propose MetaWave, a unified framework that jointly optimizes both data representation and model learning for few-shot malware classification. Rather than treating feature representation and learning strategy as largely independent stages, MetaWave is formulated as an explicit representation–adaptation integration framework that combines multi-view malware encoding with meta-learning-based optimization. At the data level, we propose a Wavelet Transform-based Malware Representation method that leverages multi-scale frequency analysis and complementary views to generate semantically enriched representations. At the model level, we adopt Model-Agnostic Meta-Learning (MAML) to optimize model initialization for rapid adaptation to unseen tasks under limited data conditions. Extensive experiments are conducted on two benchmark datasets, EMBER and Malicia, under a 5-way 5-shot protocol with disjoint class splits to ensure evaluation on previously unseen malware families. The proposed framework achieves superior performance, reaching 97.8% accuracy on EMBER and 96.2% on Malicia, consistently outperforming state-of-the-art methods. These results indicate that jointly enhancing representation quality and model adaptability can improve classification accuracy and unseen-family performance under the evaluated 5-way 5-shot protocol. Overall, MetaWave provides an effective framework for few-shot malware classification and offers a promising basis for detecting emerging malware under limited-data conditions, while robustness to adversarial perturbation, obfuscation, and polymorphism remains to be validated through dedicated future evaluation.
(This article belongs to the Special Issue Approaches to Cyber Attacks and Malware Detection)
35 pages, 2657 KB  
Article
Mitigating Metamorphic Malware Through Adversarial Learning Techniques
by Kehinde O. Babaagba and Zhiyuan Tan
Network 2026, 6(2), 22; https://doi.org/10.3390/network6020022 - 8 Apr 2026
Viewed by 260
Abstract
Antivirus (AV) solutions remain a core defence mechanism against malicious software. However, many of these engines struggle to detect metamorphic malware, which continually alters its internal form in unpredictable ways. To address this limitation, we present an adversarially oriented approach that automatically generates novel malicious variants of existing malware that evade detection by a substantial proportion of AV systems, thereby providing material for strengthening defensive techniques. In this work, an Evolutionary Algorithm (EA) is used to evolve undetectable variants, guided by three fitness criteria: the evasiveness of the produced samples, and their behavioural and structural similarity to the original malware. The proposed method is assessed across three malware families to evaluate the effectiveness of the EA-generated variants. Results indicate that the EA produces diverse mutant variants capable of evading up to 94% of AV detectors for a given malware family, significantly surpassing the evasion rate of the original malware. Furthermore, we evaluated whether the mutants produced by the EA could enhance the training of machine learning models. In this context, a pretrained Natural Language Processing (NLP) transformer was employed within a transfer learning framework to improve the classification of metamorphic malware. When the evolved variants were incorporated into the training data, the approach achieved classification accuracies of up to 93%. These results highlight the value of using diverse EA-generated samples to strengthen malware classifiers, thereby improving the robustness of security systems against evolving threats.
27 pages, 390 KB  
Article
A Comparative Study of Federated Learning and Amino Acid Encoding with IoT Malware Detection as a Case Study
by Thaer AL Ibaisi, Stefan Kuhn, Muhammad Kazim, Ismail Kara, Turgay Altindag and Mujeeb Ur Rehman
Big Data Cogn. Comput. 2026, 10(4), 111; https://doi.org/10.3390/bdcc10040111 - 6 Apr 2026
Viewed by 367
Abstract
The increasing deployment of Internet of Things (IoT) devices introduces significant security challenges, while privacy concerns limit centralized data aggregation for intrusion detection. Federated learning (FL) offers a decentralized alternative, yet the interaction between feature representation, model architecture, and data heterogeneity remains insufficiently understood in IoT malware detection. This study provides a controlled comparative analysis of centralized and federated learning, optionally using amino acid encoding, under IID and Non-IID conditions using a 10,000-sample subset of the CTU-IoT-Malware-Capture dataset. First, we evaluate raw tabular features versus amino acid-based feature encoding, followed by a lightweight multi-layer perceptron (2882 parameters) versus a deeper residual network (70,532 parameters), across binary and multi-class classification tasks. In the binary setting, centralized training achieved up to 98.6% accuracy, while federated IID training reached 98.6%, with differences within statistical variance. Under Non-IID conditions, performance decreased modestly (0.1–0.5 percentage points), and accuracy was consistently lower when using encoded features compared with raw features. The degradation is smaller in deeper architectures and may offer improved stability under highly skewed federated conditions. In the four-class setting, the complex network achieved up to 97.8% accuracy with raw features, while amino acid encoding achieves up to 93.3%. The results show that federated learning can achieve performance comparable to centralized training under moderate heterogeneity, that lightweight architectures are sufficient for low-dimensional IoT traffic features, and that feature compression via amino acid encoding does not inherently mitigate Non-IID effects. These findings clarify the relative impact of representation, heterogeneity, and architectural capacity in practical FL-based IoT intrusion detection systems.
(This article belongs to the Special Issue Application of Cloud Computing in Industrial Internet of Things)
17 pages, 2196 KB  
Article
Machine Learning-Based Static Ransomware Detection Using PE Header Features and SHAP Interpretation
by Gabryella Barnes and Ahmad Ghafarian
J. Cybersecur. Priv. 2026, 6(2), 58; https://doi.org/10.3390/jcp6020058 - 1 Apr 2026
Viewed by 507
Abstract
Cybercriminals use advanced techniques to launch an attack against organizations, which causes disruption of normal business activities. The traditional signature-based malware detection methods are not effective in the detection of ransomware. Therefore, the use of machine learning and deep learning for malware detection is becoming a major area of research. There are two types of malware detection strategies, namely, static and dynamic. This work investigates the task-dependent effectiveness of static PE header-based detection by systematically evaluating three binary classification problems of increasing difficulty: ransomware vs. benign, malware vs. benign, and ransomware vs. other malware families. An end-to-end machine learning pipeline is implemented, including dataset-specific preprocessing, class imbalance handling, model training, and evaluation using imbalance-aware metrics. Random Forest, Support Vector Machine, and XGBoost models are assessed across all tasks, with SHAP used to analyze feature contribution and explain performance degradation. The experimental results demonstrate that tree-based ensemble models, particularly XGBoost, achieve strong detection performance when class boundaries are structurally distinct, but they struggle when ransomware must be distinguished from structurally similar malware. The results indicate that static analysis based on PE header features can be a viable approach for pre-execution triage, but it exhibits clear limitations for fine-grained ransomware discrimination.
(This article belongs to the Section Security Engineering & Applications)
26 pages, 1118 KB  
Article
Representation-Centric Approach for Android Malware Classification: Interpretability-Driven Feature Engineering on Function Call Graphs
by Gyumin Kim, Dongmin Yoon, NaeJoung Kwak and ByoungYup Lee
Appl. Sci. 2026, 16(6), 2670; https://doi.org/10.3390/app16062670 - 11 Mar 2026
Viewed by 395
Abstract
The existing research on Android malware detection using graph neural networks (GNNs) has largely focused on architectural improvements, while input node feature representations have received less systematic attention. This study adopts a representation-centric approach to enhance function call graph (FCG)-based malware classification through interpretability-driven feature engineering. We propose a dual-level structural feature framework integrating local topological patterns with global graph-level properties. The initial feature set comprises 13 dimensions: five local degree profile (LDP) features and eight global structural features capturing community structure, execution flow, and connectivity patterns. To mitigate the curse of dimensionality, we apply an interpretability-driven selection using integrated gradients (IG), gradient-weighted class activation mapping (GradCAM), and Shapley additive explanations (SHAP), yielding an optimized seven-dimensional subset. Experiments on the MalNet-Tiny benchmark demonstrate that the proposed approach achieves 94.47 ± 0.25% accuracy with jumping knowledge GraphSAGE (JK-GraphSAGE), improving the LDP-only baseline by 0.32 percentage points while reducing feature dimensionality by 46%. The selected features exhibit consistent importance across four GNN architectures and multiple message-passing layers, demonstrating model-agnostic effectiveness. The results reveal that aggregation mechanisms critically influence feature utility, highlighting the necessity of interpretability-guided design for robust malware detection. This work provides a systematic methodology for feature engineering in graph-based security applications.
42 pages, 6154 KB  
Article
A Novel Hybrid Opcode Feature Selection Framework for Efficient and Effective IoT Malware Detection
by Bakhan Tofiq Ahmed, Noor Ghazi M. Jameel and Bakhtiar Ibrahim Saeed
IoT 2026, 7(1), 24; https://doi.org/10.3390/iot7010024 - 2 Mar 2026
Viewed by 573
Abstract
Malware’s proliferation in the Internet of Things (IoT) ecosystem requires precise, efficient detection systems capable of operating on IoT devices. Existing static analysis approaches often fail due to computational inefficiency stemming from high feature dimensionality inherent in raw opcode features. This research addresses this limitation by proposing a novel machine-learning (ML)-driven Intelligent Hybrid Feature Selection (IHFS) framework with two distinct architectures. IHFS1 combines a filter method (variance threshold) with an embedded method (LGBM feature importance). Conversely, IHFS2 integrates variance thresholding with a wrapper method (Recursive Feature Elimination with Cross-Validation using LGBM) for optimal selection. This framework is specifically designed to select an optimally stable and minimal feature subset from the initial 1183 opcode frequency vector extracted from ARM binaries. Applying this framework to a multi-family IoT malware dataset, the IHFS architectures yielded distinct and highly efficient feature subsets: IHFS1 achieved a 95.77% reduction (to 50 features), while IHFS2 attained a 98.06% reduction (to 23 features). Evaluation across eight ML models confirmed that the Random Forest (with IHFS1 subset) and Decision Tree (with IHFS2 subset) classifiers were the best performing, achieving robust classification metrics that outperform current state-of-the-art solutions. The Decision Tree model demonstrated exceptional detection capabilities, with an accuracy of 99.87%, a precision of 99.82%, a recall of 99.88%, and an F1-score of 99.85%. It achieved an average inference time of 0.058 ms per sample. Experimental results attained on a native ARM64 environment validate the deployment feasibility of the proposed system for resource-constrained IoT devices, such as the Raspberry Pi. The proposed system achieves a high-throughput, low-overhead security posture while maintaining host operational stability, processing a single ELF binary in just 3.431 ms.
(This article belongs to the Special Issue Cybersecurity in the Age of the Internet of Things)
23 pages, 1202 KB  
Article
Image-Based Malware Classification Using DCGAN-Augmented Data and a CNN–Transformer Hybrid Model
by Manya Dhingra, Achin Jain, Niharika Thakur, Anurag Choubey, Massimo Donelli, Arun Kumar Dubey and Arvind Panwar
Future Internet 2026, 18(2), 102; https://doi.org/10.3390/fi18020102 - 14 Feb 2026
Viewed by 756
Abstract
With the rapid growth and diversification of malware, accurate multi-class detection remains challenging due to severe class imbalance and limited labeled data. This work presents an image-based malware classification framework that converts executable binaries into 64×64 grayscale images, employs class-wise DCGAN augmentation to mitigate severe imbalance (initial imbalance ratio >12 across 31 families, N = 9300), and trains a hybrid CNN–Transformer model that captures both local texture features and long-range contextual dependencies. The DCGAN generator produces high-fidelity synthetic samples, evaluated using Inception Score (IS) = 3.43, Fréchet Inception Distance (FID) = 10.99, and Kernel Inception Distance (KID) = 0.0022, and is used to equalize class counts before classifier training. On the blended dataset the proposed GAN-balanced CNN–Transformer achieves an overall accuracy of 95% and a macro-averaged F1-score of 0.95; the hybrid model also attains validation accuracy of ≈94% while substantially improving minority-class recognition. Compared to CNN-only and Transformer-only baselines, the hybrid approach yields more stable convergence, reduced overfitting, and stronger per-class performance, while remaining feasible for practical deployment. These results demonstrate that DCGAN-driven balancing combined with CNN–Transformer feature fusion is an effective, scalable solution for robust malware family classification.
(This article belongs to the Section Cybersecurity)
33 pages, 745 KB  
Article
XAI-Driven Malware Detection from Memory Artifacts: An Alert-Driven AI Framework with TabNet and Ensemble Classification
by Aristeidis Mystakidis, Grigorios Kalogiannnis, Nikolaos Vakakis, Nikolaos Altanis, Konstantina Milousi, Iason Somarakis, Gabriela Mihalachi, Mariana S. Mazi, Dimitris Sotos, Antonis Voulgaridis, Christos Tjortjis, Konstantinos Votis and Dimitrios Tzovaras
AI 2026, 7(2), 66; https://doi.org/10.3390/ai7020066 - 10 Feb 2026
Viewed by 1388
Abstract
Modern malware presents significant challenges to traditional detection methods, often leveraging fileless techniques, in-memory execution, and process injection to evade antivirus and signature-based systems. To address these challenges, alert-driven memory forensics has emerged as a critical capability for uncovering stealthy, persistent, and zero-day threats. This study presents a two-stage host-based malware detection framework that integrates memory forensics, explainable machine learning, and ensemble classification, designed as a post-alert asynchronous SOC workflow balancing forensic depth and operational efficiency. Utilizing the MemMal-D2024 dataset—comprising rich memory forensic artifacts from Windows systems infected with malware samples whose creation metadata spans 2006–2021—the system performs malware detection, using features extracted from volatile memory. In the first stage, an Attentive and Interpretable Learning for structured Tabular data (TabNet) model is used for binary classification (benign vs. malware), leveraging its sequential attention mechanism and built-in explainability. In the second stage, a Voting Classifier ensemble, composed of Light Gradient Boosting Machine (LGBM), eXtreme Gradient Boosting (XGB), and Histogram Gradient Boosting (HGB) models, is used to identify the specific malware family (Trojan, Ransomware, Spyware). To reduce memory dump extraction and analysis time without compromising detection performance, only a curated subset of 24 memory features—operationally selected to reduce acquisition/extraction time and validated via redundancy inspection, model explainability (SHAP/TabNet), and training data correlation analysis—was used during training and runtime, identifying the best trade-off between memory analysis and detection accuracy. The pipeline, which is triggered from host-based Wazuh Security Information and Event Management (SIEM) alerts, achieved 99.97% accuracy in binary detection and 70.17% multiclass accuracy, resulting in an overall performance of 87.02%, including both global and local explainability, ensuring operational transparency and forensic interpretability. This approach provides an efficient and interpretable detection solution used in combination with conventional security tools as an extra layer of defense suitable for modern threat landscapes.
6 pages, 915 KB  
Proceeding Paper
Shield-X: Vectorization and Machine Learning-Based Pipeline for Network Traffic Threat Detection
by Claudio Henrique Marques de Oliveira, Marcelo Ladeira, Gustavo Cordeiro Galvao Van Erven and João José Costa Gondim
Eng. Proc. 2026, 123(1), 10; https://doi.org/10.3390/engproc2026123010 - 2 Feb 2026
Viewed by 403
Abstract
This paper presents an integrative methodology combining advanced network packet vectorization techniques, parallel processing with Dask, GPU-optimized machine learning models, and the Qdrant vector database. Our approach achieves a 99.9% detection rate for malicious traffic with only a 1% false-positive rate, setting new performance benchmarks for cybersecurity systems. The methodology establishes an average detection time limit not exceeding 10% of the total response time, maintaining high precision even for sophisticated attacks. The system processes 56 GB of PCAP files from Malware-Traffic-Analysis.net (2020–2024) through a five-stage pipeline: distributed packet processing, feature extraction, vectorization, vector database storage, and GPU-accelerated classification using XGBoost, Random Forest, and K-Nearest Neighbors models.
(This article belongs to the Proceedings of First Summer School on Artificial Intelligence in Cybersecurity)
32 pages, 4159 KB  
Article
APT Malware Detection Model Based on Heterogeneous Multimodal Semantic Fusion
by Chaosen Pu and Liang Wan
Appl. Sci. 2026, 16(2), 1083; https://doi.org/10.3390/app16021083 - 21 Jan 2026
Viewed by 579
Abstract
In recent years, Advanced Persistent Threat (APT) malware, with its high stealth, has made it difficult for unimodal detection methods to accurately identify its disguised malicious behaviors. To address this challenge, this paper proposes an APT Malware Detection Model based on Heterogeneous Multimodal Semantic Fusion (HMSF-ADM). By integrating the API call sequence features of APT malware in the operating system and the RGB image features of PE files, the model constructs multimodal representations with stronger discriminability, thus achieving efficient and accurate identification of APT malicious behaviors. First, the model employs two encoders, namely a Transformer encoder equipped with the DPCFTE module and a CAS-ViT encoder, to encode sequence features and image features, respectively, completing local–global collaborative context modeling. Then, the sequence encoding results and image encoding results are interactively fused via two cross-attention mechanisms to generate fused representations. Finally, a TextCNN-based classifier is utilized to perform classification prediction on the fused representations. Experimental results on two APT malware datasets demonstrate that the proposed HMSF-ADM model outperforms various mainstream multimodal comparison models in core metrics such as accuracy, precision, and F1-score. Notably, the F1-score of the model exceeds 0.95 for the vast majority of APT malware families, and its accuracy and F1-score both remain above 0.986 in the task of distinguishing between ordinary malware and APT malware.
30 pages, 4344 KB  
Article
HAGEN: Unveiling Obfuscated Memory Threats via Hierarchical Attention-Gated Explainable Networks
by Mahmoud E. Farfoura, Mohammad Alia and Tee Connie
Electronics 2026, 15(2), 352; https://doi.org/10.3390/electronics15020352 - 13 Jan 2026
Cited by 1 | Viewed by 607
Abstract
Memory-resident malware, particularly fileless and heavily obfuscated types, continues to pose a major problem for endpoint defense tools, as these threats often slip past traditional signature-based detection techniques. Deep learning has shown promise in identifying such malicious activity, but its use in real Security Operations Centers (SOCs) is still limited because the internal reasoning of these neural network models is difficult to interpret or verify. In response to this challenge, we present HAGEN, a hierarchical attention architecture designed to combine strong classification performance with explanations that security analysts can understand and trust. HAGEN processes memory artifacts through a series of attention layers that highlight important behavioral cues at different scales, while a gated mechanism controls how information flows through the network. This structure enables the system to expose the basis of its decisions rather than simply output a label. To further support transparency, the final classification step is guided by representative prototypes, allowing predictions to be related back to concrete examples learned during training. When evaluated on the CIC-MalMem-2022 dataset, HAGEN achieved 99.99% accuracy in distinguishing benign programs from major malware classes such as spyware, ransomware, and trojans, all with modest computational requirements suitable for live environments. Beyond accuracy, HAGEN produces clear visual and numeric explanations—such as attention maps and prototype distances—that help investigators understand which memory patterns contributed to each decision, making it a practical tool for both detection and forensic analysis.
(This article belongs to the Section Artificial Intelligence)
64 pages, 13395 KB  
Review
Low-Cost Malware Detection with Artificial Intelligence on Single Board Computers
by Phil Steadman, Paul Jenkins, Rajkumar Singh Rathore and Chaminda Hewage
Future Internet 2026, 18(1), 46; https://doi.org/10.3390/fi18010046 - 12 Jan 2026
Viewed by 2014
Abstract
The proliferation of Internet of Things (IoT) devices has significantly expanded the threat landscape for malicious software (malware), rendering traditional signature-based detection methods increasingly ineffective in coping with the volume and evolving nature of modern threats. In response, researchers are utilising artificial intelligence (AI) for a more dynamic and robust malware detection solution. An innovative approach utilising AI is focusing on image classification techniques to detect malware on resource-constrained Single-Board Computers (SBCs) such as the Raspberry Pi. In this method the conversion of malware binaries into 2D images is examined, which can be analysed by deep learning models such as convolutional neural networks (CNNs) to classify them as benign or malicious. The results show that the image-based approach demonstrates high efficacy, with many studies reporting detection accuracy rates exceeding 98%. That said, there is a significant challenge in deploying these demanding models on devices with limited processing power and memory, in particular those involving both calculation and time complexity. Overcoming this issue requires critical model optimisation strategies. Successful approaches include the use of a lightweight CNN architecture and federated learning, which can preserve privacy while models are trained on decentralised data. This hybrid workflow, in which models are trained on powerful servers before the learnt algorithms are deployed on SBCs, is an emerging field attracting significant interest in the field of cybersecurity. This paper synthesises the current state of the art, performance compromises, and optimisation techniques contributing to the understanding of how AI and image representation can enable effective low-cost malware detection on resource-constrained systems.
16 pages, 8994 KB  
Article
Enhancing GNN Explanations for Malware Detection with Dual Subgraph Matching
by Hossein Shokouhinejad, Roozbeh Razavi-Far, Griffin Higgins and Ali A. Ghorbani
Mach. Learn. Knowl. Extr. 2026, 8(1), 2; https://doi.org/10.3390/make8010002 - 21 Dec 2025
Cited by 1 | Viewed by 1141
Abstract
The increasing sophistication of malware has challenged the effectiveness of conventional detection techniques, motivating the adoption of Graph Neural Networks (GNNs) for their ability to model the structural and semantic information embedded in control flow graphs. While GNNs offer high detection performance, their lack of transparency limits their applicability in security-critical domains. To address this, we present an explainable malware detection framework, which contains a dual explainer. This dual explainer integrates a GNN explainer with a neural subgraph matching approach and the VF2 algorithm. The proposed method identifies and verifies discriminative subgraphs during training, which are later used to explain new predictions through efficient matching. To enhance the generalization of the neural subgraph matcher, we train it using curriculum learning, gradually increasing subgraph complexity to improve matching quality. Experimental evaluations on benchmark datasets demonstrate that the proposed framework retains high classification accuracy while significantly improving interpretability. By unifying explainable graph learning techniques with subgraph matching, the proposed framework enables analysts to gain actionable insights, fostering greater trust in GNN-based malware detectors.
29 pages, 2529 KB  
Article
Enhancing Imbalanced Malware Detection via CWGAN-GP-Based Data Augmentation and TextCNN–Transformer Integration
by Luqiao Liu and Liang Wan
Symmetry 2025, 17(12), 2153; https://doi.org/10.3390/sym17122153 - 15 Dec 2025
Cited by 1 | Viewed by 666
Abstract
With the rapid growth and increasing sophistication of malicious software (malware), traditional detection methods face significant challenges in addressing emerging threats. Machine learning-based detection approaches rely on manual feature engineering, making it difficult for them to adapt to diverse attack patterns. In contrast, while deep learning methods can automatically extract features, they remain vulnerable to data imbalance and sample scarcity, which lead to poor detection performance for minority-class samples. To address these issues, this study proposes a semantic data augmentation approach based on a Conditional Wasserstein Generative Adversarial Network with Gradient Penalty (CWGAN-GP), and designs a malware detection model that combines a Text Convolutional Neural Network (TextCNN) with a Transformer Encoder, termed Mal-CGP-TTN. The proposed model establishes a symmetry between local feature extraction and global semantic representation, where the convolutional and attention-based components complement each other to achieve balanced learning. First, the proposed method enriches the semantic diversity of the training data by generating high-quality synthetic samples. Then, it leverages multi-scale convolution and self-attention mechanisms to extract both local and global features of malicious behaviors, thereby enabling hierarchical semantic modeling and accurate classification of malicious activities. Experimental results on two public datasets demonstrate that the proposed method outperforms traditional machine learning and mainstream deep learning models in terms of accuracy, precision, and F1-score. Notably, it achieves substantial improvements in detecting minority-class samples.
(This article belongs to the Section Computer)
29 pages, 2700 KB  
Article
Adaptive Volcano Support Vector Machine (AVSVM) for Efficient Malware Detection
by Ahmed Essaa Abed Alowaidi and Mesut Cevik
Appl. Sci. 2025, 15(24), 12995; https://doi.org/10.3390/app152412995 - 10 Dec 2025
Cited by 1 | Viewed by 377
Abstract
In this paper, we propose the Adaptive Volcano Support Vector Machine (AVSVM)—a novel classification model inspired by the dynamic behavior of volcanic eruptions—for the purpose of enhancing malware detection. Unlike conventional SVMs that rely on static decision boundaries, AVSVM introduces biologically inspired mechanisms such as pressure estimation, eruption-triggered kernel perturbation, lava flow-based margin refinement, and an exponential cooling schedule. These components work synergistically to enable real-time adjustment of the decision surface, allowing the classifier to escape local optima, mitigate class overlap, and stabilize under high-dimensional, noisy, and imbalanced data conditions commonly found in malware detection tasks. Extensive experiments were conducted on the UNSW-NB15 and KDD Cup 1999 datasets, comparing AVSVM to baseline classifiers including traditional SVM, PSO-SVM, and CNN under identical computational settings. On the UNSW-NB15 dataset, AVSVM achieved an accuracy of 96.7%, recall of 95.4%, precision of 96.1%, F1-score of 95.75%, and a false positive rate of only 3.1%, outperforming all benchmarks. Similar improvements were observed on the KDD dataset. In addition, AVSVM demonstrated smooth convergence behavior and statistically significant gains (p < 0.05) across all pairwise comparisons. These results validate the effectiveness of incorporating biologically motivated adaptivity into classical margin-based classifiers and position AVSVM as a promising tool for intelligent malware detection systems.
(This article belongs to the Special Issue AI Technology and Security in Cloud/Big Data)