Why Does Aggressive Resizing Preserve Malware Image Classification Performance?

Evaluating the Impact of Interpolation and Spatial Detail on Family-Discriminative Signals

Bachelor Thesis (2026)
Author(s)

C. Mitu (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

A. Amalan – Mentor (TU Delft - Electrical Engineering, Mathematics and Computer Science)

T.J. Viering – Mentor (TU Delft - Electrical Engineering, Mathematics and Computer Science)

G. Smaragdakis – Graduation committee member (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Faculty
Electrical Engineering, Mathematics and Computer Science
More Info
expand_more
Publication Year
2026
Language
English
Graduation Date
26-06-2026
Awarding Institution
Delft University of Technology
Project
CSE3000 Research Project, How is it possible machines can learn from malware images?
Programme
Computer Science and Engineering
Faculty
Electrical Engineering, Mathematics and Computer Science
Downloads counter
15
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Malware binaries can be represented as grayscale images by placing byte values on a two-dimensional grid. Convolutional neural networks can classify such malware images with high accuracy, but it is less clear why this performance can remain strong when the images are aggressively resized. This paper studies this phenomenon by examining how different interpolation methods affect accuracy, whether information learned by a high-resolution model remains useful after aggressive resizing, and which retained pixel values are most predictive for distinguishing malware families. The results show that all studied interpolation methods remain above 0.99 through 8 × 8. At lower resolutions, nearest-neighbour performs best at 4 × 4 and 2 × 2, whereas bilinear and bicubic unexpectedly perform better at 1 × 1. Blurring reduces accuracy, while a model trained at 224 × 224 does not transfer reliably when test images are downsampled and then restored to the original input size, indicating that broad texture alone is not sufficient for classification and that successful low-resolution models adapt to the resized representation. Decision-tree analysis further reveals that byte values sampled from fixed relative locations can contain family-specific signal, and backmapping shows that influential sampled locations frequently overlap with parsed binary sections, especially executable code. Still, these findings do not demonstrate semantic code understanding.
The results suggest that aggressive resizing preserves malware-family information through coarse byteplot layout, sampled byte values, and contrast patterns, rather than exact semantic binary regions.

Files

Bachelor_thesis_1_.pdf
(pdf | 6.72 Mb)
License info not available