Feature-Driven Malware Detection using Cascade Machine Learning Models

Feature-Driven Malware Detection using Cascade Machine Learning Models | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article Feature-Driven Malware Detection using Cascade Machine Learning Models Anisha Mahato, Rana Majumdar, Swarup Kr Ghosh This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-5740016/v1 This work is licensed under a CC BY 4.0 License Status: Posted Version 1 posted You are reading this latest preprint version Abstract Malware proliferation continues to jeopardize global data security and user privacy, necessitating robust detection and classification mechanisms. In this research, we propose Malware Detection using Cascade Machine Learning (MDCML) classifier designed to detect anomalies in Portable Executable (PE) files and classify them into malware families with high precision. The model integrates three machine learning algorithms such as Random Forest, Bagging and Boosting, fine-tuned through extensive hyperparameter optimization, significantly enhancing detection and classification performance. To extract features from raw textual data, we have utilized a TF-IDF-based inter-class dispersion architecture, transforming unstructured opcode data into structured feature maps that emphasize contextual importance. The model employs gradient descent with regularization to iteratively minimize the loss function and prevent overfitting, achieving sublinear regret and convergence toward optimal performance.The proposed model is validated using the public Big 2015 dataset, which includes approximately 10,000 files spanning nine malware families. The study included comprehensive experimentation on both binary classification (Malware vs. Benign) and multi-class classification tasks. Performance was evaluated across diverse sample sizes, execution times, and optimization strategies to ensure robust analysis. An accuracy of 98.97% highlights the superior performance of the proposed framework over traditional machine learning models, showcasing significant advancements. This research underscores the concept of the hybrid MDCML classifier in improving malware detection and classification, thereby enhancing data security and privacy. Malware classification Machine Learning Feature Extraction Ensemble learning Cascading Full Text Additional Declarations No competing interests reported. Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-5740016","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":398844788,"identity":"163477ef-1bf3-4e75-ab25-2d10436a982c","order_by":0,"name":"Anisha Mahato","email":"","orcid":"","institution":"Sister Nivedita University","correspondingAuthor":false,"prefix":"","firstName":"Anisha","middleName":"","lastName":"Mahato","suffix":""},{"id":398844789,"identity":"f350ed40-177b-453c-b9f4-5dea00146fda","order_by":1,"name":"Rana Majumdar","email":"","orcid":"","institution":"Sister Nivedita University","correspondingAuthor":false,"prefix":"","firstName":"Rana","middleName":"","lastName":"Majumdar","suffix":""},{"id":398844790,"identity":"7a0028e0-8fe7-4a8c-a747-102542501a05","order_by":2,"name":"Swarup Kr Ghosh","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAA0UlEQVRIiWNgGAWjYBADHn4QmVBAghYZyQaQFgMStNgYHABRxGiRn5H87DPvjloe4/OrEz88MGCQ5xc7gF+LwY0049m8Z47zmN14u1kC6DDDmbMTCGiRTjBm5m07BtRydgNIS4LBbQJa5GenfwZrMZ5xdvMPorQw3M4B2VLDY8Dfu404WwzuvylmnHvmAI/EDd5tFgkGEoT9It9zfDPD2x119vz9Zzff/FFhI88vTchhIMDYcJiBQQKsUoII5RAtdQwM/AeIVD0KRsEoGAUjDgAAW/VDP2Piv4UAAAAASUVORK5CYII=","orcid":"","institution":"Sister Nivedita University","correspondingAuthor":true,"prefix":"","firstName":"Swarup","middleName":"Kr","lastName":"Ghosh","suffix":""}],"badges":[],"createdAt":"2024-12-31 07:23:21","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-5740016/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-5740016/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":74214091,"identity":"c1ab7ebd-53d3-48cf-b906-601e14283659","added_by":"auto","created_at":"2025-01-20 05:26:31","extension":"pdf","order_by":1,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":634274,"visible":true,"origin":"","legend":"","description":"","filename":"MDCML.pdf","url":"https://assets-eu.researchsquare.com/files/rs-5740016/v1_covered_a24d6886-86a8-4fb8-8549-f49999b33ecc.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"Feature-Driven Malware Detection using Cascade Machine Learning Models","fulltext":[],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":false,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":true,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":true,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":true,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"Malware classification, Machine Learning, Feature Extraction, Ensemble learning, Cascading","lastPublishedDoi":"10.21203/rs.3.rs-5740016/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-5740016/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eMalware proliferation continues to jeopardize global data security and user privacy, necessitating robust detection and classification mechanisms. In this research, we propose Malware Detection using Cascade Machine Learning (MDCML) classifier designed to detect anomalies in Portable Executable (PE) files and classify them into malware families with high precision. The model integrates three machine learning algorithms such as Random Forest, Bagging and Boosting, fine-tuned through extensive hyperparameter optimization, significantly enhancing detection and classification performance. To extract features from raw textual data, we have utilized a TF-IDF-based inter-class dispersion architecture, transforming unstructured opcode data into structured feature maps that emphasize contextual importance. The model employs gradient descent with regularization to iteratively minimize the loss function and prevent overfitting, achieving sublinear regret and convergence toward optimal performance.The proposed model is validated using the public Big 2015 dataset, which includes approximately 10,000 files spanning nine malware families. The study included comprehensive experimentation on both binary classification (Malware vs. Benign) and multi-class classification tasks. Performance was evaluated across diverse sample sizes, execution times, and optimization strategies to ensure robust analysis. An accuracy of 98.97% highlights the superior performance of the proposed framework over traditional machine learning models, showcasing significant advancements. This research underscores the concept of the hybrid MDCML classifier in improving malware detection and classification, thereby enhancing data security and privacy.\u003c/p\u003e","manuscriptTitle":"Feature-Driven Malware Detection using Cascade Machine Learning Models","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-01-09 05:33:27","doi":"10.21203/rs.3.rs-5740016/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"da19f78e-3d40-46d4-82ba-9ff34773b3cf","owner":[],"postedDate":"January 9th, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[],"tags":[],"updatedAt":"2025-01-20T05:26:09+00:00","versionOfRecord":[],"versionCreatedAt":"2025-01-09 05:33:27","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-5740016","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-5740016","identity":"rs-5740016","version":["v1"]},"buildId":"XKTyCvWXoU3ODBz1xrDgd","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}