Signal-based malware classification using 1D CNNs

Wilkie, Jack and Hindy, Hanan and Andonovic, Ivan and Tachtatzis, Christos and Atkinson, Robert (2026) Signal-based malware classification using 1D CNNs. Cybersecurity, 9. 36. ISSN 2523-3246 (https://doi.org/10.1186/s42400-025-00454-6)

Preview

Text. Filename: Wilkie-etal-Cybersecurity-2025-Signal-based-malware-classification-using-1D-CNNs.pdf Final Published Version License: Download (1MB)| Preview

Abstract

Malware classification is a contemporary and ongoing challenge in cyber-security: modern obfuscation techniques are able to evade traditional static analysis, while dynamic analysis is too resource intensive to be deployed at a large-scale. One prominent line of research addresses these limitations by converting malware binaries into 2D images by heuristically reshaping them into a 2D grid before resizing using Lanczos resampling. These images can then be classified based on their textural information using computer vision approaches. While this approach can detect obfuscated malware more effectively than static analysis; the process of converting files into 2D images results in significant information loss due to both quantisation noise, caused by rounding to integer pixel values, and the introduction of 2D dependencies which do not exist in the original data. This loss of signal limits the classification performance of the downstream model. This work addresses these weaknesses by instead resizing the files into 1D signals which avoids the need for heuristic reshaping, additionally these signals do not suffer from quantisation noise due to being stored in a floating-point format. It is shown that existing 2D CNN architectures can be readily adapted to classify these 1D signals for improved performance. Furthermore, a bespoke 1D convolutional neural network, based on the ResNet architecture and squeeze-and-excitation layers, was developed to classify these signals and evaluated on the MalNet dataset. It was found to achieve state-of-the-art performance on binary, type, and family level classification with F1 scores of 0.874, 0.503, and 0.507, respectively, paving the way for future models to operate on the proposed signal modality.

ORCID iDs

Wilkie, Jack ORCID: https://orcid.org/0009-0009-8046-7770

Andonovic, Ivan ORCID: https://orcid.org/0000-0001-9093-5245

Tachtatzis, Christos ORCID: https://orcid.org/0000-0001-9150-6805

Atkinson, Robert ORCID: https://orcid.org/0000-0002-6206-2229

• Share and Export
  

  HTML CitationJSONAtomRDF+XMLMODSEP3 XMLBibTeXReferMPEG-21 DIDLRIOXX2 XMLRDF+N3ASCII CitationRefWorksData Cite XMLSimple MetadataDublin CoreMultiline CSVOpenURL ContextObjectOpenURL ContextObject in SpanMETSRDF+N-TriplesRIS (EndNote Online, Zotero, Ref manager, etc)EndNote
• Item metadata

  Item type:	Article
  ID code:	94270
  Dates:	Date Event 1 March 2026 Published 15 July 2025 Accepted
  Subjects:	?? QA76-890 ??
  Department:	Faculty of Engineering > Electronic and Electrical Engineering
  Depositing user:	Pure Administrator
  Date deposited:	24 Sep 2025 12:26
  Last modified:	12 Mar 2026 01:58
  Related URLs:	https://www.mal-net.org/ https://arxiv.org/abs/2509.06548 Publisher
  URI:	https://strathprints.strath.ac.uk/id/eprint/94270