AA

A. Amalan

info

Please Note

5 records found

CNN-based malware byteplot classifiers achieve high accuracy under clean conditions, but their robustness to input perturbations remains poorly understood. This paper systematically evaluates how a ResNet18 classifier degrades under standard image transformations (rotations, brightness and contrast shifts, and flips) applied to both grayscale and RGB byteplot representations of a 14-class, 20,020 image dataset. Each transformation is grounded in a realistic attacker model via its correspondence to a binary level obfuscation technique. Results show that rotations are catastrophic even at small angles, flips exhibit strong asymmetry driven by the vertical structure of byteplot sections, and photometric shifts are tolerated until a certain threshold. Training on a mixed set that includes 25% distorted images substantially recovers robustness across all categories, with gains being largely self-attributing to their matching transformation type. RGB representations amplify whatever performance trend is already present in grayscale, for better or worse. Together, the findings reveal that CNN byteplot classifiers exploit specific spatial and photometric properties of their input, and that targeted augmented training can harden them against realistic evasion strategies without sacrificing clean image performance. ...
Malware image classification using CNNs has achieved classification accuracies of up to 99%, but the black-box nature of these models limits their trustworthiness. Explainable AI (xAI) methods can highlight which image regions drive a model's predictions, yet prior work has not mapped these regions back to named binary sections or quantitatively validated their importance. This paper addresses both gaps by applying Grad-CAM, LIME, and SHAP to a ResNet-18 classifier. For each test sample, highlighted image regions are mapped to named binary sections, and an occlusion experiment validates that high-attention sections are genuinely critical to classification. All three methods consistently rank .rdata, .data, and .eh_frame as the most important sections for PE binary classification, with attention distributed more broadly across ELF binaries. Occluding the top three sections per family causes accuracy to drop below 50% across all methods, confirming the importance of the identified regions. SHAP identifies the single most important section most precisely, while Grad-CAM achieves comparable overall performance at 50–60 times the speed. Notably, high classifier attention on .eh_frame suggests that the model may exploit tool-specific artifacts, raising concerns that should be accounted for before deploying these classifiers in production. ...

A ScoreCAM and Occlusion Analysis of Necessary Features

Bachelor thesis (2026) - T. Rietveldt, T.J. Viering, A. Amalan, G. Smaragdakis
Accurate and scalable detection has become a challenge in cybersecurity due to an exponential increase in the volume of new malware and its increasing complexity. A promising solution could be using convolutional neural networks to classify malware binaries interpreted as grayscale images. However, malware is frequently packed, which makes classification more difficult. We studied the impact of these packers on classification and what underlying features the models rely on. We trained independent ResNet-18 classifiers and evaluated them using two explainable AI methods: ScoreCAM and occlusion. The experimental setup analysed a synthetic dataset of 19,735 samples subjected to eleven different packers. We have four main results: (1) models perform poorly on large files packed with UPX, (2) models generalise well across structure-preserving packers, but (3) fail on transformations that alter the entire structural layout. Furthermore, (4) models rely more on unaffected binary sections when the main code section is obfuscated. Thus, convolutional neural networks remain highly dependent on file structure. Future research should investigate the efficacy of different explainable AI methods and the effects of resizing malware images. ...

Evaluating the Impact of Interpolation and Spatial Detail on Family-Discriminative Signals

Bachelor thesis (2026) - C. Mitu, A. Amalan, T.J. Viering, G. Smaragdakis
Malware binaries can be represented as grayscale images by placing byte values on a two-dimensional grid. Convolutional neural networks can classify such malware images with high accuracy, but it is less clear why this performance can remain strong when the images are aggressively resized. This paper studies this phenomenon by examining how different interpolation methods affect accuracy, whether information learned by a high-resolution model remains useful after aggressive resizing, and which retained pixel values are most predictive for distinguishing malware families. The results show that all studied interpolation methods remain above 0.99 through 8 × 8. At lower resolutions, nearest-neighbour performs best at 4 × 4 and 2 × 2, whereas bilinear and bicubic unexpectedly perform better at 1 × 1. Blurring reduces accuracy, while a model trained at 224 × 224 does not transfer reliably when test images are downsampled and then restored to the original input size, indicating that broad texture alone is not sufficient for classification and that successful low-resolution models adapt to the resized representation. Decision-tree analysis further reveals that byte values sampled from fixed relative locations can contain family-specific signal, and backmapping shows that influential sampled locations frequently overlap with parsed binary sections, especially executable code. Still, these findings do not demonstrate semantic code understanding.
The results suggest that aggressive resizing preserves malware-family information through coarse byteplot layout, sampled byte values, and contrast patterns, rather than exact semantic binary regions. ...

How Binary-to-Image Encodings Influence CNN-Based Malware Family Classification

Image-based malware classification through binary-to-image encodings has become a popular, quick-to-run and disassembly-free alternative to signature-based methods. Near-perfect accuracies are often reported, alongside weakly substantiated claims of resilience to malware obfuscation by adversaries. We present the first controlled, head-to-head comparison of four such encodings - grayscale and RGB byteplots, Markov bigram plots, and sliding-window Shannon entropy - under a fixed ResNet-18 classifier and a balanced dataset spanning seven packer conditions. To test whether high accuracy reflects genuine family structure or exploitable shortcuts, we pair the comparison with a diagnostic framework combining random- forest feature baselines, TLSH similarity analysis, HiResCAM and occlusion-based explainability methods. No single diagnostic suffices; only their combination separates shortcut-driven scores from genuine learning. We find that encoding performance cannot be judged by accuracy alone; models may fit to shortcuts such as file-size and near-duplicate samples, rather than learning malware structure. Entropy is found to be the dominant and most obfuscation-resilient encoding, while exhibiting the most evidence of genuine family-discriminative learning. ...