Multi-Feature Fusion-Based Detection and Classification of Portable Executable Malware

doi:10.11871/jfdc.issn.2096-742X.2025.06.008

Abstract

Abstract:

[Objective] This paper is to address the limitations of traditional static malware analysis methods which heavily rely on disassembly technology and involve time-consuming feature extraction. [Methods] Unlike prior work that depends on disassembly or dynamic analysis, this method directly extracts entropy, third-order Markov matrices, and import/export-table features from the raw binaries, fusing the three into a unified three-dimensional tensor. Bilinear interpolation is then applied for size normalization, producing fixed-size visualized images that are fed into a convolutional neural network for classification. [Results] The proposed method significantly reduces feature-extraction time while preserving robustness against complex variants. Experiments conducted on the BODMAS dataset demonstrate that the proposed method achieves a high classification accuracy of 97.06%. [Conclusions] The results validate the effectiveness and robustness of the proposed method..

Key words: malicious code, visualization, feature extraction, feature fusion, deep learning

LINGHU Rongwei,ZHANG Yu,SHI Yuanquan,YANG Yujun. Multi-Feature Fusion-Based Detection and Classification of Portable Executable Malware[J]. Frontiers of Data and Computing, 2025, 7(6): 77-91, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2025.06.008.

Figures/Tables 21

Fig.1

Fig.2

Fig.3

Fig.4

Fig.5

Table 1

Fig.6

Table 2

Fig.7

Fig.8

Fig.9

Fig.10

Fig.11

Fig.12

Table 3

Fig.13

Fig.14

Fig.15

Fig.16

Fig.17

Fig.18

References 35

[1]	Kaspersky. 威胁数量上升: 2023年网络罪犯每天释放411,000个恶意文件[EB/OL]. (2023)[2023-07-14]. https://www.kaspersky.com.cn/about/press-relea-ses/rising-threats.
[2]	Federal Office for Information Security. The State of IT Security in Germany 2024[R/OL]. (2024-11-12)[2024-11-12]. https://www.bsi.bund.de/EN/Service-N- avi/Publikationen/Lagebericht/lagebericht_node.html.
[3]	NATARAJ L, KARTHIKEYAN S, JACOB G, et al. Malware Images: Visualization and Automatic Classification[C]. Malicious code classification method based on deep residual network and hybrid attention mechanism for edge s, 2011: 1-7.
[4]	HAN J, ZHANG Y, WANG H. Malware Analysis Using Visualization Images and Entropy Graphs for Detecting and Distinguishing New Malware and Var-iants[J]. International Journal of Information Security, 2015, 10(4): 789-800.
[5]	FU Y, LI M, WANG X. Malware Visualization for Fine-Grained Classification[J]. IEEE Access, 2018, 6: 14510-14523.
[6]	SCHULTZ M G, ESKIN E, ZADOK F, et al. Data Mining Methods for Detection of New Malicious Executables[C]// Proceedings of the IEEE Symposium on Security and Privacy (S&P 2001), 2001: 38-49.
[7]	KOLTER J Z, MALOOF M A. Learning to detect and classify malicious executables in the wild[J]. Jouenal of Machine Learning Research, 2006, 7(12): 2721-2744.
[8]	COULL S E, GARDNER C. Activation analysis of a byte-based deep neural network for malware classification[C]. 2019 IEEE Security and Privacy Workshops (SPW). San Francisco, CA, 2019: 21-27.
[9]	SHAFIQ M Z, TABISH S M, MIRZA F, et al. PE-Miner: Mining structural information to detect malicious executables in realtime[C]. Recent Advances in Intrusion Detection. Intrusion Detect, 2009: 121-141.
[10]	LI B, ROUNDY K, GATES C, et al. Large-scale identification of malicious singleton files[C]. 7th ACM Conf Data and Application Security and Privacy (CODASPY), 2017: 227-238.
[11]	KUMAR A, KUPPUSAMY K S, AGHILA G. A learning model to detect maliciousness of portable executable using integrated feature set[J]. Journal of King Saud University-Computer and Information Sc-iences, 2019, 31(2): 252-265.
[12]	REZAEI T, HAMZEH A. An efficient approach for malware detection using PE header specifications[C]// 2020 6th International Conference on Web Research (ICWR). Tehran, Iran, 2020: 234-239.
[13]	赵晓君, 王小英, 张咏梅, 等. 基于恶意代码行为分析的入侵检测技术研究[J]. 计算机仿真, 2015, 32(4): 277-280.
[14]	GALAL H S, MAHDY Y B, ALLATIEA M. Behavior-based features model for malware detection[J]. Journal Of Computer Virology And Hacking Techniques, 2016, 12(2): 59-67.
[15]	KIM H, KIM J, KIM Y, et al. Improvement of malware detection and classification using API call sequence alignment and visualization[J]. Cluster Computing-the Journal Of Networks Software Tools And Applications, 2019, 22(1): 921-929.
[16]	AMER E, ZELINKA I. A dynamic Windows malware detection and prediction method based on contextual understanding of API call sequence[J]. Computers & Security, 2020, 92: 101760.
[17]	ANDERSON B, QUIST D, NEIL J, et al. Graph-based malware detection using dynamic analysis[J]. Journal of Computer Virology and Hacking Techniques., 2011, 7: 247-258.
[18]	BRIDGES R, JIMÉNEZ J H, NICHOLS J, et al. Towards malware detection via CPU power consumption: Data collection design and analytics[C]. 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). New York: 2018: 1680-1684.
[19]	SAYADI H, PATEL N, SASAN A, et al. Ensemble learning for effective run-time hardware-based malware detection: A comprehensive analysis and classification[C]// Proceedings of the 55th Annual Design Automation Conference. San Francisco, CA: 2018: 1-6.
[20]	BURNAP P, FRENCH R, TURNER F, et al. Malware classification using self organising feature maps and machine activity data[J]. Computers & Security, 2018, 73: 399-410.
[21]	GHANEI H, MANAVI F, HAMZEH A. A novel method for malware detection based on hardware events using deep neural networks[J]. Journal of Computer Virology and Hacking Techniques, 2021, 17: 1-13.
[22]	CHEN J J, PENG B Z, WU P Z. Malicious code detection method based on dynamic behavior and machine learning[J]. Computer Engineering, 2021, 47(3): 166-173.
[23]	NI S, QIAN Q, ZHANG R. Malware identification using visualization and deep learning[J]. Journal of Computer Virology and Hacking Techniques, 2016, 12(3): 173-182.
[24]	WANG J W, CHEN Z J, XIE X, et al. Deep visualization classification method for malicious code based on Ngram-TFIDF[J]. Journal on Communications, 2024, 45(6).
[25]	XIAO X, ZHANG S, MERCALDO F, et al. Android malware detection based on system call sequences and LSTM[J]. Multimedia Tools and Applications, 2018, 78(4): 3979-3999.
[26]	WOJNOWICZ M, CHISHOLM G, WOLFF M, et al. Wavelet decomposition of software entropy reveals symptoms of malicious code[J]. Journal of Innovation in Digital Ecosystems, 2016, 3(2): 130-140.
[27]	LIU L, HE X, LIU L, et al. Capturing the symptoms of malicious code in electronic documents by files entropy signal combined with machine learning[J]. Applied Soft Computing, 2019, 82: 105598.
[28]	YANLI Y S, YANG L, WANG D, et al. Malicious code classification method based on deep residual network and hybrid attention mechanism for edge security[J]. Wireless Communications & Mobile Computing, 2022, 2022: 6243713.
[29]	QI X, LIU W, LOU R, et al. MC-ISA: A multi-channel code visualization method for malware detection[J]. Electronics, 2023, 12(9): 2272.
[30]	LI S, WANG J, SONG Y, et al. Tri-channel visualised malicious code classification based on impr-oved ResNet[J]. Applied Intelligence, 2024, 54: 12-453-12475.
[31]	任卓君, 陈光, 卢文科. 恶意软件的操作码可视化方法研究[J]. 计算机工程与应用, 2021, 57(18): 130-134.
[32]	JIANG L, ZHANG Y, SHI Y. Visual fileless malware classification via few-shot learning[C]// International Conference on Cyber Security, Artificial Intelligence, and Digital Economy (CSAIDE 2023). SPIE, 2023, 12718: 113-124.
[33]	ZILIN Z, SHUMIAN Y, DAWEI Z. A new framework for visual classification of multi-channel malware based on transfer learning[J]. Applied Sciences, 2023, 13(4): 2484.
[34]	MAURO C, SHUBHAM K, P V. A few-shot malware classification approach for unknown family recognition using malware feature visualization[J]. Computers & Security, 2022, 122: 102889.
[35]	SULTANIK E. bin2png:A simple cross-platform script to encode binary files as PNG images[EB/OL]. GitHub. [2023-07-14]. https://github.com/ESultanik/bin2png.

参数	值
操作系统	Windons专业版64bit
随机存取内存	8.00 GB
处理器	Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz 1.80 GHz
硬盘	931GB SSD

方案	BODMAS				PE-Malware
方案	准确率	精度	Recall	F1-Score	准确率	精度	Recall	F1-Score
MTE（本方案）	97.06	97.02	96.85	96.85	96.97	97.04	97.42	97.13
DPP	91.01	91.58	92.82	91.64	92.8	94.74	93.77	93.66
GEM	87.03	89.17	90.76	89.29	88.64	90.25	90.03	90.09
Bin2	85.12	85.67	86.88	85.22	89.52	92.26	89.54	89.83
AHE	94.67	94.96	95.89	94.99	95.83	96.54	96.33	96.18

特征	BODMAS				PE-Malware
特征	准确率	精度	Recall	F1-Score	准确率	精度	Recall	F1-Score
E	86.4	89.76	89.83	87.99	89.52	90.15	91.04	90.35
M	83.82	92.76	88.2	88.18	88.76	92.27	88.95	89.46
T	85.76	89.19	90.5	87.64	83.08	83.98	84.85	78.83
E+M	91.49	91.07	94.44	92.09	91.16	93.88	92.59	92.06
E+T	93.56	92.75	94.4	93.12	94.19	94.4	94.79	94.42
T+M	90.38	90.99	91.74	90.96	92.68	94.31	93.2	93.23
MTE（本方案）	97.06	97.02	96.85	96.85	96.97	97.04	97.42	97.13