1. Introduction

Visualizations have long been instrumental in providing a comprehensive understanding of systems and data. Humans naturally derive more meaning from images than from other forms of expression [1]. This research explores the generation of visual representations for binary files and examines the presence of discernible patterns within these visualizations. Subsequently, it employs these representations to classify malware samples into their respective families or categories.

As summarized in Table 1, existing malware detection methods exhibit distinct strengths, limitations, and research gaps. Signature-based techniques [2] perform well in known scenarios but struggle against zero-day attacks, while anomaly-based methods are effective yet prone to high false-positive rates. Image-based [3] approaches, including our proposed method, leverage structural similarities for scalable and platform-independent detection. By integrating advanced feature extraction using involution kernels [4] to address these shortcomings, our method achieves superior performance and efficiency.

In recent years, convolutional neural networks (CNNs) have achieved significant success in various domains, including malware image classification [8]. However, conventional CNNs are constrained by their limited ability to capture long-range spatial dependencies due to fixed kernel sizes and weight-sharing mechanisms [9]. Additionally, deeper networks often encounter the vanishing gradient problem, which hampers effective training and necessitates the development of advanced architectures like ResNet [10]. This limitation presents a significant challenge in accurately classifying complex malware patterns that require models capable of capturing both local and global features.

To address this problem, we introduce an innovative attention-based malware detection framework that employs a Dynamic Residual Involution Network (DRIN) to effectively classify malware families by visualizing their latent features. The proposed method transforms binary files into image representations, facilitating a platform-independent and computationally efficient classification process. By incorporating involution layers, the model captures long-range spatial dependencies, enhancing feature extraction while preserving computational efficiency [11]. Moreover, the integration of residual connections addresses the vanishing gradient problem, enabling robust learning in deeper neural architectures [12]. The experimental results demonstrate that our method significantly outperforms traditional CNNs and other advanced malware detection techniques, achieving an exceptional classification accuracy of 99.50% on an independent test set.

The primary contributions of this study are as follows:

• This study proposes a novel malware detection approach by transforming binary files into image representations. Unlike traditional platform-dependent methods, this representation is platform-independent and significantly reduces the preprocessing time, enabling efficient and scalable classification.

• A large dataset (Figure 1) of over 40,000 malware samples was constructed by aggregating data from repositories such as Malshare [13], VirusShare [14], and VirusTotal [15]. Rigorous labeling was performed using Microsoft’s antivirus engine, ensuring accurate and consistent classification across multiple malware families.

• A Dynamic Residual Involution Network (DRIN) is introduced as the core architecture, utilizing involution layers to capture long-range spatial dependencies and residual connections to enhance learning stability. This innovative design overcomes the limitations of traditional convolutional layers in feature extraction.

• The proposed method achieves state-of-the-art performance, with a classification accuracy of 99.50%. It also reduces computational complexity by 40%, making it suitable for real-time malware detection in resource-constrained environments.

• By retaining pixel-level information and avoiding spatial downsampling, the model is optimized for practical deployment, ensuring robust and scalable malware detection. This work sets the stage for further advancements in image-based malware analysis.

The remainder of the paper is structured as follows: Section 2 reviews related works, Section 3 provides a detailed explanation of our proposed method, and Section 4 presents a comprehensive evaluation of the experimental results. Section 5 contains an outline of the paper with a summary of limitations of findings and future research directions. Section 6 concludes the study.

2. Related Study

Malware detection has traditionally been addressed using signature-based and anomaly-based approaches. Signature-based methods rely on identifying unique patterns in malicious binaries, making them fast and accurate at identifying known threats. However, they are ineffective against zero-day malware and rely heavily on manually created signature databases [3,4]. Anomaly-based detection, on the other hand, identifies deviations from predefined safe behaviors, which allows for the detection of unknown threats. Despite their effectiveness, these methods are computationally intensive and prone to high false-positive rates.

Machine learning has introduced automated approaches to malware classification. Early works evaluated various machine learning algorithms, such as Naive Bayes [16], Support Vector Machines, and decision trees, achieving high classification accuracy with boosted decision trees. Similarly, [17] demonstrated the potential of static analysis for detecting new malicious executables, but their reliance on handcrafted features limited the scalability of this method. Dynamic analysis-based approaches [18] focused on detecting metamorphic malware by analyzing disassembly similarities, overcoming the limitations of signature-based techniques.

Recent advances have introduced visualization-based malware detection; the authors of [19] pioneered the concept of converting malware binaries into grayscale images for texture-based classification, achieving significant accuracy using global image features. However, this method relied on fixed texture-based characteristics, limiting its ability to capture intricate spatial patterns. Further advancement of such an approach [20] leverages self-organizing maps (SOMs) to visualize and classify executable files, demonstrating the uniqueness of each malware family through viral genomic-like structures. However, recent studies based on lightweight machine-learning models [21] have been proven to have potential in integrating dynamic visualization techniques for malware classification.

Deep learning has revolutionized malware detection by enabling feature extraction directly from data. Convolutional neural networks (CNNs) have been extensively used for image-based malware classification, as demonstrated with ResNet architectures [22]. These networks effectively address the vanishing gradient problem but are constrained by fixed kernel sizes, limiting their capacity to capture long-range dependencies. The introduction of involution layers as an alternative to convolutional kernels [23] offered dynamic feature extraction while reducing computational overhead.

Building on these advancements, the proposed Dynamic Residual Involution Network (DRIN) leverages involution layers to address the limitations of CNNs in capturing long-range spatial dependencies in malware images. By employing residual connections, DRIN enhances training stability and achieves state-of-the-art performance. This innovative design not only improves feature extraction but also ensures computational efficiency, making it suitable for real-time applications.

3. Materials and Methods

This section provides a concise overview of the conventional data gathering process, including the labeling paradigm. Subsequently, we proceed to the conversion of malware files into images. Subsequently, we provide the involution operation and elaborate on the suggested feature-based dynamic kernel generation function. The DRI block and the DRI-based classification scheme are elaborated upon below.

Involution kernels [4] exhibit spatial-specific and channel-agnostic properties, which differ from convolution by dynamically adapting to input images of varying resolutions. This is achieved by creating a kernel for each spatial position based on the incoming feature vector, reducing redundancy through channel sharing. The computational complexity of involution scales linearly with the number of feature channels, enabling broader spatial coverage and efficient modeling. Leveraging these advantages, a ResNet-based backbone architecture powered by involution outperforms traditional convolutional and self-attention-based models in tasks such as image classification and segmentation. Involution-based architectures demonstrate superior efficacy and discriminative capabilities across various vision tasks, making them a robust alternative to convolution.

In contrast to convolution kernels, involution kernels vary across different positions in the spatial domain but may be uniform across the channel domain; thus, they are spatially specific and channel-agnostic kernels [24]. Let H ∈ ℝ (H × W × K × K × G) represent the involution kernels, where G signifies the number of groups. It is important to note that the identical involution kernel is utilized across channels within each group, potentially lowering the parameter count and, thus, the computational complexity. For each point (i,j), we define the associated involution kernel as H(i,j), where g ∈ ℝ (K × K) and g = 1, 2, …, G. Similarly, to derive output feature maps $\mathrm{Y}$ ∈ ℝ (H × W × C), involution kernels are utilized on the input feature maps, followed by multiply–add operations (refer to Figure 2), described as follows:

(1)$\begin{array}{c}{\mathrm{Y}}_{i,j,p}={\displaystyle \sum _{\left(m,n\right)\in \mathsf{\Omega }}}{\mathcal{H}}_{i,j,m+⌊\frac{K}{2}⌋,n+⌊\frac{K}{2}⌋,⌈\frac{pG}{C}⌉}{\mathrm{X}}_{i+m,j+n,p}\end{array}$

3.1. Dataseet

We collected more than 60,000 malware samples from various malware repositories, such as Malshare [13], VirusShare [14], and VirusTotal [15]. These portals collect malware via honeypots, as users worldwide submit files for analysis and the sharing of malware samples. We subsequently removed duplicates from the malware collection by comparing the MD5 hashes of each file. We verified the samples’ validity as malware by utilizing VirusTotal [15], selecting only those recognized as malicious by more than 50% of the antivirus engines in the report. Subsequently, we retained almost forty thousand legitimate malware samples. The percentage of each category is visualized in Figure 3.

As we employed supervised learning for categorization, tagged samples were required. When labeling these samples, we utilized the designation provided by the Microsoft antivirus engine in the VirusTotal [15] report. We were required to submit the MD5 hash of the binary file to VirusTotal [15]. If the file had previously been analyzed by their engine, it would provide a report; otherwise, we needed to upload the file to obtain the report. A few of samples in our dataset were not classified by the Microsoft antivirus engine; hence, we choose to exclude these samples to ensure label consistency (Table 2).

3.2. Malware Binary File to Image Conversion

Binary files can be viewed as a sequence of ones and zeros. We began by converting each binary file into a sequence of ones and zeros. We then divided the content of the string into segments of 8 bits each, corresponding to 8 characters per segment. Each unit is considered a byte, with its upper and lower nibbles functioning as indices for a two-dimensional color map [25] that holds RGB values linked to that byte. By repeating this process for each unit, we obtained a sequence of RGB values (pixel values) corresponding to each byte in the binary file [26]. The sequence of pixel values could then be transformed into a two-dimensional matrix, resulting in an image representation for a binary file (see Figure 4). The detailed procedure is presented in Algorithm 1.

Figure 4 illustrates the process of converting malware binary files into image representations. The process begins with the reading of the binary file; then, its raw binary content is converted into a stream of binary data (a sequence of ones and zeros). This stream is segmented into 8-bit units (bytes), with each byte further divided into two 4-bit segments called nibbles (upper and lower nibbles). Using a predefined color-mapping mechanism, these nibbles are transformed into RGB values, which serve as pixel data. The resulting RGB pixel values are arranged into a 2D matrix with a fixed width (e.g., 256 bytes per row), while the height of the matrix varies based on the file size. The final matrix is visualized as an image, with distinct patterns representing specific malware families. This transformation enables malware classification using image-based machine learning techniques.

3.3. Overview of the Proposed Framework

The proposed approach introduces a lightweight neural network named the Dense Residual Involution Network, which is specifically designed for malware image classification. This network is built upon the architecture of ResNet [10], employing a combination of bottleneck blocks and involution kernels to achieve a balance between accuracy and computational efficiency. The network architecture is divided into two key modules: the feature extraction module and the classification module. The feature extraction module begins by using a convolutional layer to capture low-level features from the input, followed by two bottleneck blocks [27,28] that employ involution kernels to effectively learn high-level features. This setup allows the network to maintain a wide spatial context while utilizing fewer parameters than traditional convolutional layers.

In the feature extraction process (see Figure 5), the input malware images undergo a series of transformations designed to preserve crucial spatial pixel information. Initially, a 1×1 convolutional layer reduces the spatial dimensions of the input, generating feature maps that are then processed through two cascaded Residual Involution (RI) blocks. These blocks consist of 1 × 1 convolutions for spectral dimension reduction and expansion, sandwiching an involution layer with a 9 × 9 kernel that captures long-range spatial interactions. The key advantage of this architecture is that it avoids any spatial downsampling, thereby preserving the resolution necessary for detailed pixel-level pattern recognition.

The classification module utilizes Global Average Pooling (GAP) to convert the extracted features into a fixed-dimensional vector, which is subsequently passed to a fully connected (FC) layer. This FC layer outputs the class probabilities for different malware categories, with the final layer using Softmax activation [29] to provide normalized scores. The network adopts a pyramid structure with increasing channel numbers to efficiently manage computational resources, and ReLU [30] activation functions are used throughout the convolutional layers to introduce non-linearity. The model is trained over 100 epochs using the Adam optimizer, with a learning rate starting at 0.001, and optimized using a categorical cross-entropy loss function. This design ensures that the network is both effective in capturing relevant features and efficient in its computation, making it well suited for malware detection tasks.

3.4. Proposed Network Operation

We propose a unique lightweight architecture, the Dense Residual Involution Network, which constructs a comprehensive network through the stacking of bottleneck blocks and the use of involution kernels, leveraging the successful design of ResNet [10] for various applications. Figure 6 illustrates that the proposed network comprises two components: the feature extraction module and the classification module.

3.4.1. Feature Extraction Module

The feature extraction module is designed to capture both low-level and high-level representations from the input malware images. The process begins with a 1 × 1 convolutional layer to reduce the spatial dimensions of the input images, producing feature maps that retain critical pixel-level information. These feature maps are then passed through two sequential Residual Involution (RI) blocks, each of which is composed of 1 × 1 convolutions for spectral dimension compression and expansion, and a 9 × 9 involution kernel for capturing long-range spatial interactions. The involution operation is designed to encapsulate spatially recurring contextual information while preserving the dimensions of the input feature maps.

Unlike traditional convolutional layers, the RI blocks dynamically parameterize the kernel, enabling adaptive processing of spatial context without altering the resolution of the feature maps. This ensures that the spatiotemporal resolution is maintained, which is crucial for preserving fine-grained malware patterns. Additionally, max pooling is employed to reduce feature map dimensions, balancing computational efficiency and information retention.

3.4.2. Classification Module

The classification module utilizes the extracted features for malware categorization. First, the feature maps from the RI blocks are passed through a Global Average Pooling (GAP) layer, which consolidates information into a fixed-dimensional feature vector, independent of the input image size. This vector is then fed into a fully connected (FC) layer that maps the features to class probabilities corresponding to malware categories.

The softmax activation function normalizes the output of the final layer, representing the likelihood of the input belonging to each malware class. To introduce non-linearity and sparsity, rectified linear units (ReLUs) are employed throughout the network. The training of the network is guided by the categorical cross-entropy loss function, defined as follows:

(2)$\begin{array}{c}\mathsf{𝔏}=-{\displaystyle \sum _{i=1}^c}{y}_i\log \left(p_i\right)\end{array}$

Here, $p_i$ represents the output of the final classification layer, specifically the output of the last fully connected (FC) layer utilizing a softmax function. The variable y_i ∈ {0, 1} indicates the label value (where y_i = 0 signifies that a sample does not belong to the ith category, and y_i = 1 indicates otherwise), while c denotes the total number of malware categories within the dataset. The training regimen of the suggested network extends for 100 epochs, employing the Adam optimizer with a weight decay of 0.0001 and a mini-batch size of 100, commencing with a learning rate of 0.001.

Figure 7 shows two variants of bottleneck blocks used in the proposed framework: the basic residual block (R-block) and the Residual Involution Block (RI-block). These blocks play a crucial role in the feature extraction process by efficiently capturing spatial and spectral information.

The basic residual block follows the standard ResNet architecture, which introduces skip connections to alleviate the vanishing gradient problem in deep networks. Mathematically, the output of a basic residual block can be expressed as follows:

(3)$\mathrm{Y}=\mathcal{F}\left(\mathrm{X},\left\{{\mathrm{W}}_i\right\}\right)+\mathrm{X},$

The RI-block replaces the standard convolutional layers in the residual block with involution kernels. Involution is a channel-agnostic operation designed to dynamically parameterize the kernel based on the spatial context of the input. The input feature map $\mathrm{X}\in {\mathbb{R}}^{H\times W\times C_{\mathrm{i}\mathrm{n}}}$ is compressed along the channel dimension using a 1 × 1 convolution, producing an intermediate feature map ${\mathrm{X}}^{\prime }\in {\mathbb{R}}^{H\times W\times C_{\mathrm{m}\mathrm{i}\mathrm{d}}}$. A dynamically parameterized kernel of size K × K (9 × 9) is applied to each spatial location (h, w) of ${\mathrm{X}}^{\prime }$, resulting in the following output:

(4)$\mathrm{Y}(h,w)={\sum }_{i=1}^K{\sum }_{j=1}^K\mathcal{K}(h,w,i,j)\cdot {\mathrm{X}}^{\prime }(h+i,w+j)$

The key distinction of involution is its ability to adapt the kernel values to the local context, making it more effective for long-range spatial interactions. The output of the involution operation is passed through another 1 × 1 convolution to restore the original channel dimension C_out. Similarly to the basic residual block [33], a skip connection is added to preserve the original input information, resulting in the final output,

(5)$\mathrm{Y}={\mathcal{F}}_{\mathrm{inv}}\left(\mathrm{X},\left\{{\mathrm{W}}_i\right\}\right)+\mathrm{X},$

4. Experimental Results

The experiments were run on a single computer with the following hardware specifications:

• -. CPU: Intel i7-7700K.

• -. Memory: 16 GB RAM.

• -. GPU: NVIDIA GTX 1080 Ti (Santa Clara, CA, USA).

We employed 5-fold cross-validation to assess the generalization performance of our method. The dataset is partitioned into five equally sized folds. Of the five subsamples, one subsample is designated as the test data for model testing, while the other subsamples serve as training data. This technique is executed as many times as there are folds, with each of the five folds utilized precisely once as the validation dataset.

The supplementary evaluation criteria employed to identify the optimal model included precision [34], recall [35], and F1 score [36]. Accuracy can serve as a deceptive metric. At times, it may be advantageous to use a model with less accuracy yet enhanced predictive capability for the issue at hand. This transpires in the presence of a significant class imbalance, wherein a model can forecast the majority class for all forecasts, attaining elevated classification accuracy while erring on the minority or essential classes.

The efficacy of the suggested models is assessed utilizing the following metrics: accuracy, precision, recall, and F1-score.

(6)$Accuracy={\displaystyle \frac{TP+TN}{TP+TN+FP+FN}}$

Precision [34] is calculated as follows:

(7)$Precision={\displaystyle \frac{TP}{TP+FP}}$

Recall [35] is calculated as follows:

(8)$Recall={\displaystyle \frac{TP}{TP+FN}}$

F1-score [36] is calculated as follows:

(9)$F1-score=2\times {\displaystyle \frac{precision\times recall}{precision+recall}}$

4.1. Experimental Results for CNN

To demonstrate the efficacy of involution mechanism, a fully convolutional network with an identical architecture is trained and evaluated on the same dataset. Table 3 illustrates the precision and recall scores for each class. Despite the favorable results, they lack precision in percentages when juxtaposed with certain prior studies. The accuracy attained was 95.24% under optimal conditions. Given that deeper networks yield superior outcomes, but convolutional neural networks experience the vanishing gradient problem, we transitioned to residual networks. ResNet [10,37] has effectively addressed the vanishing gradient problem and outperforms CNN in picture classification.

The average precision (0.95482), recall (0.952458), and F1-score (0.95338) for all courses demonstrate robust baseline performance. The model has outstanding performance for balanced classes like Class 4, with perfect precision (1.0) and good recall (0.957627). This underscores the efficacy of the CNN kernel in recognizing patterns for classes with ample data. Nevertheless, the model has difficulties with under-represented categories, particularly Class 5, which demonstrates a low F1-score of 0.701031. The underperformance indicates that the CNN kernel struggles to generalize for minority classes because of uneven data distribution.

4.2. Experimental Results for Proposed Residual Involution (RI) Network

We employed a dense residual connection for malware image classification, comprising a three-layer bottleneck block with an involution kernel and a single max pooling layer. This resulted in an accuracy of 98.812%. Table 4 enumerates the precision and recall scores for each class.

The graph (see Figure 8) indicates that the RI module (proposed) attained the highest accuracy (~97.5%) and the lowest loss (~0.35), surpassing the other traditional techniques. As anticipated, models demonstrating greater accuracy displayed reduced loss, with the Genetic Algorithm yielding the poorest performance (90% accuracy and 0.85 loss). Contemporary methodologies such as CNN [38] and Artificial Neural Network (ANN) [39,40] exhibit superior performance compared to previous strategies. The proposed technique exhibits unequivocal superiority in both criteria.

Table 2 demonstrates that the convolution counterpart (Conv-ResNet) [42] has a maximum performance of 95.24% under optimal conditions, which is approximately 3.5% inferior to the involution-based model presented in Table 4. Furthermore, in comparison to the convolution-based framework of identical architecture, our suggested design exhibits approximately a 40% reduction in parameters, making it suitable for implementation on resource-constrained devices. Figure 9 illustrates the accuracy and loss graphs for the training, validation and test sets of the DRIN.

Conversely, Table 4 presents the outcomes of the proposed residual involution (RI) kernel, demonstrating substantial enhancements compared to the CNN kernel. The average F1-score rises to 0.982176, indicating the RI kernel’s enhanced capacity to capture long-range spatial dependencies and improve feature extraction. Class 15 attains optimal metrics (precision, recall, and F1-score = 1.0), underscoring the efficacy of the RI kernel for adequately represented categories. Notwithstanding these enhancements, specific classes such as Class 3 and Class 5 continue to have diminished F1-scores (0.897833 and 0.89426, respectively), signifying that even with the sophisticated kernel, the model may encounter difficulties with under-represented categories. The results indicate the need for supplementary approaches, such as oversampling or tailored loss functions, to improve performance for minority classes.

Table 5 summarizes the results of the N-round evaluation, showing the model’s performance metrics (accuracy, precision, recall, and F1-score) across 10 independent rounds on the test set. The table includes the mean and standard deviation of these metrics, demonstrating the robustness and reliability of the proposed approach under varying data splits.

The suggested dense residual network utilizing an involution kernel demonstrated an enhancement compared to the residual network employing a CNN kernel. The results indicate an enhancement over prior outcomes in the categorization of malware via picture representation. Figure 10 illustrates the confusion matrix associated with the aforementioned experiment. Confusion matrices facilitate a clearer comprehension of results [43,44]; each row denotes an actual class, each column suggests a predicted class, and the count in each cell indicates the number of images predicted.

Figure 11 presents the Receiver Operating Curves (ROCs) for the multi-class classification task involving 25 classes, demonstrating the high efficacy of the proposed model. Both the micro-average and macro-average curves achieve an Area Under the Curve (AUC) of 1.00, highlighting a robust overall performance. Class-specific ROCs show AUC values that are predominantly around 0.99, with several classes achieving a perfect 1.00, reflecting the model’s strong ability to distinguish between individual categories. The model’s ability to achieve high true-positive rates (TPRs) while maintaining low false-positive rates (FPRs) across most classes underscores its reliability in accurately classifying positive instances while minimizing incorrect classifications. Slight variations in the AUC suggest minimal challenges in classifying certain categories, potentially due to feature overlap or sample size disparities. These results validate the model’s ability to handle diverse and imbalanced datasets effectively, providing both class-specific precision and global performance consistency.

The kernel activation heatmap, as illustrated in Figure 12, provides critical insights into the spatial feature extraction capabilities of the proposed DRIN. The X and Y axes represent the spatial dimensions of the feature map, corresponding to the horizontal and vertical indices of the processed input malware image. The intensity of the heatmap reflects the magnitude of activations at each spatial location, where high-intensity regions (yellow/red) indicate significant feature responses, while low-intensity regions (purple/blue) denote less relevant features. The bright core of the heatmap demonstrates the model’s ability to focus on critical spatial patterns unique to malware families, which are instrumental for classification. This concentrated activation highlights the efficacy of involution kernels in capturing long-range spatial dependencies, enabling the model to adapt dynamically to varying feature complexities [45]. Furthermore, the adaptive feature extraction ensures robustness by emphasizing key discriminative patterns while suppressing noise, thus supporting the model’s superior accuracy and generalization capabilities, as reported in the study. This heatmap validates the DRIN architecture’s capacity to efficiently process malware images for precise multi-class classification.

4.3. Ablation Study

The comparative analysis presented in the table highlights the performance of various state-of-the-art deep learning architectures against the proposed DRIN. Models such as ResNet-50 [46], DenseNet201 [47,48], and InceptionV4 [49,50] demonstrate robust classification capabilities, with accuracy metrics ranging from 96.82% to 99.08%. However, the proposed DRIN model outperforms all tested architectures, achieving a remarkable 99.50% accuracy for the final test set. Additionally, DRIN excels in other evaluation metrics, such as precision (0.9932), recall (0.9905), and F1-score (0.9948), indicating superior generalization and classification capability of multi-class classification. The introduction of involution layers in DRIN enhances its ability to capture long-range dependencies in malware image data, which leads to improved feature extraction and discrimination of malware families. These results illustrate the potential of DRIN to not only exceed traditional convolutional architectures [25,51,52] but also to establish itself as an effective model for real-time and resource-efficient malware detection.

The performance of the proposed DRIN model was evaluated using Malimg [41], MaleVis [53], and our dataset, as shown in Table 6. The results highlight the robustness and generalization capability of the model across different datasets. The DRIN model achieved the highest accuracy of 99.50% for our dataset, followed by 99.30% for the Malimg Dataset [41] and 98.90% for the MaleVis Dataset [53]. These results emphasize the effectiveness of the proposed model in malware image classification tasks, with minimal performance degradation when applied to external datasets, such as Malimg and MaleVis, showcasing its adaptability and reliability.

Table 7 presents a comparative examination of the suggested DRIN model against leading architectures. The DRIN model surpassed all competitors, attaining the best accuracy (99.50%), precision (0.9932), recall (0.9905), and F1-score (0.9948). Lightweight models like MobileNetV3 (99.08% accuracy) and computationally intensive designs such as DenseNet201 (98.50% accuracy) underperformed compared to the suggested DRIN in terms of overall efficacy. This illustrates DRIN’s capacity to reconcile computational efficiency with elevated accuracy. Nonetheless, although DRIN demonstrates superior accuracy and generalization, it necessitates greater computational resources than lightweight systems like ShuffleNetV2 [54], SqueezeNet1 [55], and NASNet [56]. These findings emphasize DRIN’s adaptability while also revealing the compromises between efficiency and computational expense.

To empirically validate the reduction in computational complexity, we measured the FLOPs (floating-point operations) and inference time of the DRIN model and compared them against those of standard architectures. The results are summarized in Table 8.

The results validate that the DRIN model achieves significant computational efficiency compared to heavy architectures like ResNet and DenseNet while remaining competitive with lightweight models like MobileNetV3. Its 39.5% reduction in complexity compared to ResNet-50 makes it suitable for resource-constrained applications, demonstrating a balance between performance and efficiency.

5. Limitations

Despite its exceptional performance, the proposed DRIN model has several limitations. First, it struggles with class imbalance, as demonstrated by the lower F1-scores for under-represented classes like Class 5 and Class 22 in Table 4. Techniques such as data augmentation, oversampling, or advanced loss functions could mitigate this issue. Second, the computational cost of the DRIN model, due to the use of residual involution layers, is higher than that of lightweight architectures like MobileNetV3, which may limit its real-time applicability [60]. Third, the model relies heavily on high-quality data preprocessing, making it susceptible to noise and incomplete data, which could affect its robustness [61]. Additionally, its scalability to new malware families or large-scale datasets has not been thoroughly tested, highlighting the need for incremental or transfer learning approaches. Lastly, the model’s interpretability remains limited, despite the use of heatmaps for visualizing kernel [62] activations.

6. Conclusions and Future Directions

Behavioral and static malware analysis methods are inherently platform-dependent, requiring distinct classifiers for each platform. In contrast, the image-based approach demonstrated in this study is platform-independent, classifying files based on similarities among binaries of the same type and differences with binaries of other types. This approach also offers enhanced security over dynamic-based techniques, as binaries are transformed into image format and are never executed, reducing potential risks during analysis.

This paper introduced an involution-powered network for malware image classification. The proposed network captures spatial relationships between pixels using large involution kernels while minimizing memory usage [63]. The dynamically parameterized involution kernel adapts to varying visual patterns, capturing distinct spatial-to-channel relationships. Experimental results on the specified and benchmark datasets demonstrate that the proposed model surpasses convolution-based competitors and other state-of-the-art malware classification techniques in performance metrics, such as accuracy, precision, recall, and F1-score. These findings highlight the model’s robust capability for precise and efficient malware detection.

Despite its strengths, several limitations provide opportunities [64,65,66] for future research. The model’s performance for under-represented classes could be improved through advanced data balancing techniques or specialized loss functions [67]. Additionally, optimizing the model’s architecture to reduce computational complexity will enhance its applicability for real-time detection in resource-constrained environments. Expanding the model’s scalability to accommodate unseen malware families and large-scale datasets is another area of exploration [68]. Techniques such as incremental learning and transfer learning could further improve the model’s adaptability. Furthermore, the interpretability of the model could be enhanced by integrating explainable AI (XAI) [69,70] approaches, fostering trust and transparency in practical deployment scenarios.

Further research may also investigate more refined kernel generation functions to improve the discriminative feature learning capacity of the involution kernel. Exploring more efficient involution-equipped neural networks can pave the way for advancements in malware detection and classification. By addressing these limitations and exploring these directions, the proposed model can evolve into an even more versatile and powerful tool in the fight against malware. The work presented in this paper serves as a significant step forward, leveraging cutting-edge neural network techniques for precise malware analysis and classification.

Footnotes

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Enlarge this image.

Figure 1. Distribution of malware families in the dataset used for the study.

Enlarge this image.

Figure 2. Illustration of the dynamic kernel generation.

Enlarge this image.

Figure 3. Distribution of malware family percentage in the dataset.

Enlarge this image.

Figure 4. Schematic diagram of the binary to image conversion.

Enlarge this image.

Figure 5. Overview representation of the proposed model.

Enlarge this image.

Figure 6. Overview of the proposed DRIN architecture: (a) illustrates the overall pyramidal structure of feature flow extraction module; (b) depicts the bottleneck block; (c) illustrates the modified residual kernel (RI-block).

Enlarge this image.

Figure 7. Construction of bottleneck of residual blocks. (a) Basic R-block; (b) RI block.

Enlarge this image.

Figure 8. Comparison of accuracy and loss metrics between traditional methods [38,39,40,41] and the proposed model.

Enlarge this image.

Figure 9. Accuracy graph of training, validation and test set over multi-class detection module.

Enlarge this image.

Figure 10. Confusion matrix of multi-class classification.

Enlarge this image.

Figure 11. Multi-class ROC of proposed network.

Enlarge this image.

Figure 12. Heatmap representation showing kernel activations.

References

1. Sung, J.A.; Xu, P.C.; Mukkamala, S. Static Analyzer of Vicious Executables (SAVE). Proceedings of the 20th Annual Computer Security Applications; Tucson, AZ, USA, 6–10 December 2004.

2. Alazab, M.; Venkataraman, S.; Watters, P. Towards Understanding Malware Behaviour by the Extraction of API calls. Proceedings of the 2nd CTC 2010 Ballarat (VIC); Ballarat, Australia, 19–20 July 2010.

3. Anderson, B.; Quist, D.; Neil, J.; Storlie, C.; Lane, T. Graph Based Malware Detection Using Dynamic Analysis. J. Comput. Virol.; 2011; 7, pp. 247-258. [DOI: https://dx.doi.org/10.1007/s11416-011-0152-x]

4. Li, D.; Hu, J.; Wang, C.; Li, X.; She, Q.; Zhu, L.; Zhang, T.; Chen, Q. Involution: Inverting the Inherence of Convolution for Visual Recognition. Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition; Nashville, TN, USA, 20–25 June 2021.

5. AV-Test. Malware Statistics. 2017; Available online: http://www.av-test.org/en/statistics/malware/ (accessed on 2 December 2023).

6. Bayer, U.; Comparetti, P.; Hlauschek, C.; Kruegel, C. Scalable, Behavior Based Malware Clustering. Proceedings of the 16th Annual Network and Distributed System Security Symposium; San Diego, CA, USA, 8–11 February 2009.

7. Bazrafshan, Z.; Hashemi, H.; Fard, S.M.H.; Hamzeh, A. A survey on heuristic malware detection techniques. Proceedings of the 5th Conference on Information and Knowledge Technology; Shiraz, Iran, 28–30 May 2013.

8. Bengio, Y.; Simard, P.; Frasconi, P. Learning long-term dependencies with gradient descent is difficult. IEEE Trans. Neural Netw.; 1994; 5, pp. 157-166. [DOI: https://dx.doi.org/10.1109/72.279181]

9. Kang, B.; Yerima, S.Y.; McLaughlin, K.; Sezer, S. N-opcode Analysis for Android Malware Classification and Categorization. Proceedings of the 2016 International Conference on Cyber Security and Protection of Digital Services (Cyber Security); London, UK, 13–14 June 2016.

10. Christodorescu, M.; Jha, S.; Kruegel, C. Mining specifications of malicious behavior. Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESECFSE); Dubrovnik, Croatia, 3–7 September 2007.

11. Clarify. Convolutional Neural Networks. 2014; Available online: https://www.clarifai.com/technology (accessed on 2 December 2023).

12. Cohen, F. Computer Viruses: Theory and Experiments. 1987; Available online: http://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html (accessed on 2 December 2023).

13. MalShare. MalShare Project: Malware Repository. Available online: http://malshare.com/ (accessed on 2 December 2023).

14. VirusShare. VirusShare Malware Repository. Available online: https://virusshare.com/ (accessed on 2 December 2023).

15. VirusTotal. VirusTotal-Free Online Virus, Malware, and URL Scanner. Available online: https://www.virustotal.com/ (accessed on 2 December 2023).

16. Maron, M.E. Automatic Indexing: An Experimental Inquiry. J. ACM; 1961; 8, pp. 404-417. [DOI: https://dx.doi.org/10.1145/321075.321084]

17. Helfman, J. Dotplot patterns: A literal look at pattern languages. Theory Pract. Object Syst.; 1995; 2, pp. 31-41. [DOI: https://dx.doi.org/10.1002/(SICI)1096-9942(1996)2:1<31::AID-TAPO3>3.0.CO;2-A]

18. Honkela, A. Nonlinear Switching State-Space Models. 2001; Available online: https://www.cs.helsinki.fi/u/ahonkela/dippa/ (accessed on 2 December 2023).

19. Hubel, D.; Wiesel, T. Receptive fields and functional architecture of monkey striate cortex. J. Physiol.; 1968; 195, pp. 215-243. [DOI: https://dx.doi.org/10.1113/jphysiol.1968.sp008455] [PubMed: https://www.ncbi.nlm.nih.gov/pubmed/4966457]

20. ICT Conference of Statistics. ICT: Facts and Figures. 2016; Available online: http://www.itu.int/en/ITU-D/Statistics/Documents/facts/ICTFactsFigures2016.pdf (accessed on 2 December 2023).

21. Farfoura, M.E.; Mashal, I.; Alkhatib, A.; Batyha, R.M. A lightweight machine learning methods for malware classification. Clust. Comput.; 2025; 28, 1. [DOI: https://dx.doi.org/10.1007/s10586-024-04755-2]

22. Indyk, P.; Motwani, R. Approximate Nearest Neighbor: Towards Removing the Curse of Dimensionality. Proceedings of the 30th Annual ACM Symposium on Theory of Computing; Dallas, TX, USA, 24–26 May 1998.

23. Islam, R.; Tian, R.; Batten, L.M.; Versteeg, S. Classification of malware based on integrated static and dynamic features. J. Netw. Comput. Appl.; 2013; 36, pp. 646-656. [DOI: https://dx.doi.org/10.1016/j.jnca.2012.10.004]

24. Kaspersky. Cybercrime, Inc.: How Profitable Is the Business?. 2014; Available online: https://blog.kaspersky.com/cybercrime-inc-how-profitable-is-the-business/15034 (accessed on 2 December 2023).

25. Ki, Y.; Kim, E.; Kim, H.K. A Novel Approach to Detect Malware Based on API Call Sequence Analysis. Int. J. Distrib. Sens. Netw.; 2015; 11, 659101. [DOI: https://dx.doi.org/10.1155/2015/659101]

26. Kohonen, T. Self-Organizing Maps; Springer: Berlin/Heidelberg, Germany, 1995.

27. Kolbitsch, C. Anubis: Efficient and Comprehensive Mobile App Classification Through Static and Dynamic Analysis. 2011; University of California, Santa Barbara Available online: https://seclab.cs.ucsb.edu/files/publications/Lindorfer2015Marvin_Efficient.pdf (accessed on 12 January 2024).

28. Kolter, J.; Maloof, M. Learning to detect malicious executables in the wild. Proceedings of the Tenth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining; Seattle, WA, USA, 22–25 August 2004.

29. Kong, D.; Yan, G. Discriminant malware distance learning on structural information for automated malware classification. Proceedings of the 19th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining; Chicago, IL, USA, 11–14 August 2013; ACM: New York, NY, USA, 2013.

30. Liu, L.; Wang, B.-S.; Yu, B.; Zhong, Q.-X. Automatic Malware Classification and New Malware Detection using Machine Learning. Front. Inf. Technol. Electron. Eng.; 2016; 18, pp. 1336-1347. [DOI: https://dx.doi.org/10.1631/FITEE.1601325]

31. Schultz, M.M.; Eskin, E.Z.; Stolfo, F. Data Mining Methods for Detection of New Malicious Executables. Proceedings of the 22nd IEEE Symposium on Security and Privacy; Oakland, CA, USA, 14–16 May 2001.

32. Makandar, A.; Patrot, A. Malware Analysis and Classification using Artificial Neural Network. Proceedings of the 2015 International Conference on Trends in Automation, Communications and Computing Technology; Bangalore, India, 21–22 December 2015.

33. He, K.; Zhang, X.; Ren, S.; Sun, J. Deep Residual Learning for Image Recognition. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR); Las Vegas, NV, USA, 27–30 June 2016; pp. 770-778.

34. Microsoft Joint Meet on Security. Naming Malware. 2017; Available online: https://www.microsoft.com/en-us/security/portal/mmpc/shared/malwarenaming.aspx (accessed on 2 December 2023).

35. Van Rijsbergen, C.J. Information Retrieval; Butterworth-Heinemann: London, UK, 1979; pp. 25-30.

36. Moser, A.; Kruegel, C.; Kirda, E. Limits of Static Analysis for Malware Detection. Proceedings of the Twenty-Third Annual Computer Security Applications Conference; Miami Beach, FL, USA, 10–14 December 2007.

37. Nari, S.; Ghorbani, A. Automated Malware Classification Based on Network Behaviour. Proceedings of the International Conference on Computing, Networking and Communications (ICNC); San Diego, CA, USA, 28–31 January 2013.

38. Nataraj, L.; Karthikeyan, S.; Jacob, G.; Manjunath, B. Malware Images: Visualization and Automatic Classification. Proceedings of the International Symposium on Visualization for Cyber Security; Pittsburgh, PA, USA, 20 July 2011.

39. Ollmann, G. The Evolution of commercial malware development kits and colour-by-numbers custom malware. Comput. Fraud. Secur.; 2008; 2008, pp. 4-7. [DOI: https://dx.doi.org/10.1016/S1361-3723(08)70135-0]

40. Pandalabs Library Control Centre. Quaterly Report. 2016; Available online: http://www.pandasecurity.com/mediacenter/src/uploads/2016/05/Pandalabs-2016-T1-EN-LR.pdf (accessed on 2 December 2023).

41. Nataraj, L.; Karthikeyan, S.; Jacob, G.; Manjunath, B. MalimgDataset. 2011; Available online: https://vision.ece.ucsb.edu/research/signal-processing-malware-analysis (accessed on 2 December 2023).

42. He, K.; Zhang, X.; Ren, S.; Sun, J. Deep Residual Learning for Image Recognition. arXiv; 2015; arXiv: 1512.03385

43. Tian, R.; Batten, L.; Versteeg, S. Function length as a tool for malware classification. Proceedings of the 2008 3rd International Conference on Malicious and Unwanted Software (MALWARE); Alexandria, VA, USA, 7–8 October 2008.

44. Radu, S.P.; Hansen, S.S.; Larsen, T.M.; Stevanovic, M.; Pedersen, J.M.; Czech, A. Analysis of malware behavior: Type classification using machine learning. Proceedings of the 2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA); London, UK, 8–9 June 2015.

45. Raghakot. Deep Residual Learning for Image Recognition ResNet. 2015; Available online: https://github.com/raghakot/keras-resnet (accessed on 2 December 2023).

46. Rieck, K.; Holz, T.; Willems, C.; Dussel, P.; Laskov, P. Learning and classification of Malware behaviour. Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment; Paris, France, 10–11 July 2008.

47. Staniford, V.P.S.; Weaver, N. How to own the internet in your spare time. Proceedings of the 11th USENIX Security Symposium; San Francisco, CA, USA, 5–9 August 2002.

48. Santos, I.; Devesa, J.; Brezo, F.; Nieves, J.; Bringas, P.G. OPEM: A Static-Dynamic Approach for Machine-Learning-Based Malware Detection. International Joint Conference CISIS’12-ICEUTE’12-SOCO’12 Special Sessions; Springer: Berlin/Heidelberg, Germany, 2012.

49. Santos, I.; Nieves, J.; Bringas, P. Semi-Supervised Learning for Unknown Malware Detection. Proceedings of the Symposium on Distributed Computing and Artificial Intelligence Advances in Intelligent and Soft Computing; Salamanca, Spain, 6–8 April 2011.

50. Szegedy, C.; Ioffe, S.; Vanhoucke, V.; Alemi, A.A. Inception-v4, Inception-ResNet and the Impact of Residual Connections on Learning. Proceedings of the Thirty-First AAAI Conference on Artificial Intelligence; San Francisco, CA, USA, 4–9 February 2017; pp. 4278-4284.

51. Siddiqui, M.; Wang, M.C. Detecting Internet Worms Using Data Mining Techniques. J. Syst. Cybern. Inform.; 2009; 6, pp. 48-53.

52. Sikorski, M.; Honig, A. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software; No Starch Press: San Francisco, CA, USA, 2012.

53. Agarwal, D.; Kaushik, S.; Hasteer, N.; Rajput, P.; Khari, M. MaleVis: A Benchmark Dataset for Malware Visualization and Classification. Multimedia Tools Appl.; 2021; 80, pp. 18565-18583. [DOI: https://dx.doi.org/10.1007/s11042-020-10250-8]

54. Szor, P. The Art of Computer Virus Research and Defense. Addison; 2005; 2, pp. 46-51.

55. Torralba, A.; Murphy, K.; Freeman, W.; Rubin, M. Classification of malware based on integrated static and dynamic features. Proceedings of the 9th IEEE International Conference on Computer Vision (ICCV 2003); Nice, France, 14–17 October 2003.

56. Vinod, P.; Laxmi, V.; Gaur, M. Survey on Malware Detection Methods. Proceedings of the 3rd Hacker’s Workshop on Computer and Internet Security (IITKHACK’09); Kanpur, India, 17–19 March 2009; pp. 74-79.

57. Howard, A.; Sandler, M.; Chu, G.; Chen, L.-C.; Chen, B.; Tan, M.; Wang, W.; Zhu, Y.; Pang, R.; Vasudevan, V. et al. Searching for MobileNetV3. Proceedings of the IEEE/CVF International Conference on Computer Vision; Seoul, Republic of Korea, 27 October–2 November 2019; pp. 1314-1324.

58. Hu, J.; Shen, L.; Albanie, S.; Sun, G.; Wu, E. Squeeze-and-Excitation Networks. Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR); Salt Lake City, UT, USA, 18–23 June 2018; pp. 7132-7141.

59. VirusTotal Labs on Security and Detection. Daily Statistics. 2017; Available online: https://www.virustotal.com/en/statistics/ (accessed on 2 December 2023).

60. Wagener, G.; State, R.; Dulaunoy, A. Malware behaviour analysis. J. Comput. Virol.; 2008; 4, pp. 279-287. [DOI: https://dx.doi.org/10.1007/s11416-007-0074-9]

61. Wikipedia. Malware Detection and Types Mirai Malware. 2016; Available online: https://en.wikipedia.org/wiki/Mirai_(malware) (accessed on 2 December 2023).

62. Wikipedia. New Age Malware Detection: Ransomware. 2017; Available online: https://en.wikipedia.org/wiki/Ransomware (accessed on 2 December 2023).

63. Wikipedia. Recent Trends: WannaCry Ransomware. 2017; Available online: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack (accessed on 2 December 2023).

64. Willems, C.; Holz, T.; Freiling, F. Toward Automated Dynamic Malware Analysis Using Cwsandbox. IEEE Secur. Priv.; 2007; 5, pp. 32-39. [DOI: https://dx.doi.org/10.1109/MSP.2007.45]

65. Yoo, I.S. Visualizing windows executable virus using self-organizing maps. Proceedings of the ACM Workshop on Visualization and Data Mining for Computer Security; Washington, DC, USA, 29 October 2004; [DOI: https://dx.doi.org/10.1145/1029208.102922]

66. Zeiler, M.D.; Fergus, R. Visualizing and Understanding Convolutional Networks. arXiv; 2013; arXiv: 1311.2901S

67. Zhang, Q.; Reeves, D. Metaware: Identifying Metamorphic Malware. Proceedings of the 23rd Annual Computer Security Applications Conference; Miami Beach, FL, USA, 10–14 December 2007.

68. Zhou, D.; Bousquet, O.; Lal, T.N.; Weston, J.; Schölkopf, B. Learning with Local and Global Consistency. Adv. Neural Inf. Process. Syst.; 2004; 16, pp. 321-328.

69. Doshi-Velez, F.; Kim, B. Towards a Rigorous Science of Interpretable Machine Learning. arXiv; 2017; arXiv: 1702.08608[DOI: https://dx.doi.org/10.48550/arXiv.1702.08608]

70. Samek, W.; Wiegand, T.; Müller, K.R. Explainable Artificial Intelligence: Understanding, Visualizing and Interpreting Deep Learning Models. Digit. Signal Process.; 2017; 73, pp. 1-15. [DOI: https://dx.doi.org/10.1016/j.dsp.2017.10.011]