Related Topics

  • Malware Family Classification
  • Malware Samples
  • Android Malware
  • Malware Classification
  • Malware Variants
  • Malware Detection

Articles published on Malware Family

495 Search results
  • Research Article
  • 10.64751/k7bz1q52
AUTOMATED EMERGING CYBER THREAT IDENTIFICATION AND PROFILING BASED ON NATURAL LANGUAGE PROCESSING
  • Apr 21, 2026
  • International Journal of AI Electrical Civil and Mechanical engineering
  • Dr D.Kalyankumar + 4 more

The rapid evolution of cyber threats poses significant challenges for security analysts, who must continuously process large volumes of unstructured information from threat reports, security blogs, vulnerability databases, and dark-web discussions. Manual analysis of these sources is time-consuming, inconsistent, and unable to keep pace with the increasing frequency and sophistication of emerging attacks. This work presents an automated framework for emerging cyber-threat identification and profiling using Natural Language Processing (NLP). The proposed system collects real-time textual data from multiple cybersecurity intelligence sources and applies advanced NLP techniques—such as entity extraction, topic modeling, semantic similarity, and threat classification—to detect newly emerging vulnerabilities, exploits, malware families, and attack trends. Using machine-learning–based clustering and profiling mechanisms, the system generates structured threat intelligence reports that summarize threat attributes, severity levels, affected platforms, and potential attack vectors. The automated pipeline reduces analyst workload, minimizes detection delays, and provides an adaptive, scalable solution for enterprise threat intelligence. Experimental results show that the NLP-based approach significantly enhances the accuracy and speed of early threat discovery when compared to traditional manual analysis.

  • Research Article
  • 10.1016/j.dib.2026.112539
DEFEAT: Android device behavior-based datasets for multi-stage APT.
  • Apr 1, 2026
  • Data in brief
  • Thulfiqar Jabar + 2 more

Android devices play a central role in both personal and organizational operations, which has made them a primary target for Advanced Persistent Threats (APTs). Unlike traditional attacks, APT attacks are implemented through multiple covert stages, allowing attackers to remain active on a device while avoiding detection models. Existing studies depend on data that captures only a single stage of an attack or focuses mainly on static features. Consequently, detection models trained on such datasets may fail to detect multi-stage APT attacks in real-world environments. In order to address this gap, this paper introduces DEFEAT, a benchmarking dataset built specifically for detecting APT attacks on Android devices. DEFEAT follows the MITRE ATT&CK framework to more accurately reflect multi-stage APT attacks in real-world environments. The dataset generation process includes three main phases: gathering normal activity, simulating multi-stage APT attacks, and preparing the data. The datasets were collected from a real Android smartphone and are provided in two parts: a resource-usage dataset that tracks CPU, RAM, battery, and network activity; and an app-based dataset that logs permissions, sensors, and services used by apps. The dataset captures the active phase of APT attacks, focusing on observable malicious behavior rather than long-term dormant activity. The requirements of a well-structured dataset have been met in the proposed datasets to ensure they are suitable for use by other researchers. Feature contributions have also been examined using SHAP (SHapley Additive exPlanations) to better understand their role in detecting APTs. In addition, statistical t-test analysis is applied to the resource-usage datasets to verify that the collected behavioral features vary significantly across malware families and attack stages, supporting their suitability for behavior-based APT detection. By offering a realistic and publicly accessible representation of multi-stage APTs, DEFEAT addresses an important gap in current Android security research and supports the development of more effective behavioral detection models. The datasets are publicly available and can be reused by other researchers for the tuning, evaluation, and comparison of detection models for multi-stage APT activities on Android devices.

  • Research Article
  • 10.1038/s41598-026-45738-0
Few-shot android malware classification with quantum-enhanced prototypical learning and drift detection.
  • Mar 28, 2026
  • Scientific reports
  • Mohammed Tawfik + 5 more

Android malware detection systems face critical challenges including data scarcity for emerging threat families, high-dimensional feature spaces, and concept drift caused by evolving attack techniques. Traditional machine learning approaches require extensive labeled datasets and frequent retraining, limiting their practical deployment against rapidly emerging threats. This paper proposes an adaptive few-shot malware classification framework that integrates CatBoost-based feature selection, prototypical networks with episodic meta-learning, quantum-enhanced classification, concept drift detection, and explainable AI (XAI) analysis using SHAP and LIME. The CatBoost feature selection reduces dimensionality by 99.46% on CCCS-CIC-AndMal-2020 (9,503 to 51 features) and 94.07% on KronoDroid (489 to 29 features) while preserving discriminative information. The prototypical network learns metric-based representations enabling classification with only 5 support samples per class. Extensive experiments demonstrate state-of-the-art performance with 99.70% accuracy on CCCS-CIC-AndMal-2020 (15 malware families) and 99.33% accuracy on KronoDroid (binary classification), outperforming existing methods by 0.70-9.70%. The framework exhibits robust temporal stability with maximum accuracy degradation of 0.24% across evaluation periods. XAI analysis reveals that file descriptor manipulation and file system operations are the most discriminative features for malware detection. These results establish few-shot prototypical learning with intelligent feature selection as an effective paradigm for practical malware detection requiring minimal annotation, interpretable decisions, and stable long-term performance.

  • Research Article
  • 10.1145/3805707
Malware-Facilitated E-commerce Fraud: A Link Analysis of Black-hat SEO based E-commerce Fraud Actor Groups targeting Japan
  • Mar 27, 2026
  • Digital Threats: Research and Practice
  • Makoto Shimamura + 4 more

The financial impact of fraudulent e-commerce schemes has been increasing steadily. Several research reports demonstrate that some threat actors compromise legitimate websites and deploy malware for black-hat search engine optimization (SEO). This malware facilitates SEO poisoning, causing search engines to display deceptive lure pages as if hosted on the compromised sites, effectively redirecting users to fraudulent e-commerce platforms and increasing the risk of victimization. This study focuses on these threat actors and their tactics. To investigate relationships between malware families employed by these groups, we collected data on 2,852 command and control (C2) servers associated with 10 distinct malware families, alongside 697,816 fake e-commerce sites identified through these servers. We subsequently analyzed this data using Maltego, a widely recognized link analysis tool. Our results suggest the presence of four distinct groups each utilizing a single, unique malware family, and two groups operating multiple families. This analysis also provides valuable insights into the characteristics of these malware families.

  • Research Article
  • 10.1186/s42400-025-00481-3
VIMAR: vision-language informed malware analysis and reasoning model
  • Mar 27, 2026
  • Cybersecurity
  • Shiting Xu

Malware family classification is crucial for threat detection, yet existing methods struggle with generalization, multi-task adaptability, and interpretability. We propose VIMAR, a unified vision–language model that supports classification, similarity detection, and open-world analysis via explanation-rich supervision and a two-stage training pipeline. On the Malimg dataset, VIMAR achieves 94.2% accuracy in family classification, surpassing the best CNN baseline by +3.1%. It also attains 85.2% and 88.0% accuracy in zero-shot and few-shot settings, significantly outperforming vision–language baselines. Moreover, its reasoning outputs align well with human judgments. The codebase and scripts will be released to the community.

  • Research Article
  • 10.59256/ijrtmr.20260602001
Hybrid SVM–Random Forest Ensemble Superiority for Static Malware Detection: A Comparative Study
  • Mar 3, 2026
  • International Journal Of Recent Trends In Multidisciplinary Research
  • Varuna Dr W Rose + 2 more

Notwithstanding the strong performance shown by the proposed hybrid SVM-RF ensemble, we must admit some limitations of the current study. Firstly, the assessment has only been done on static analysis features extracted from Portable Executable (PE) files. Therefore, it is unknown how the model would have performed if it had analyzed runtime behaviors such as dynamic API invocation patterns, memory modifications, and network activities. As a result, the proposed static-only framework may not fully detect certain sophisticated malware variants that employ runtime evasion or fileless execution techniques. Secondly, even though two well-known public benchmark datasets (EMBER and BODMAS) have been used to ensure reproducibility and comparability, the feature distributions and labeling quality of these datasets may not fully represent the diversity of malware that one can encounter in operational environments. Differences in malware families, packing techniques, and dataset collection methods may affect the detection performance when the model is used in real-world scenarios. Thirdly, although normalization and balanced sampling methods have been implemented to reduce bias, the very high dimensionality of the hybrid feature space might still lead to redundancy and increased computational cost, especially for the SVM part. Although the stacking ensemble compensates for the weaknesses of the individual classifiers, its training time is still greater than that of simpler single-model approaches, which may be a limiting factor for scalability in resource-constrained environments. Lastly, detailed year-wise or temporally segmented evaluation has largely been overlooked in this work. While working with benchmark datasets possessing temporal features indicates the model's generalizing ability to some extent, a stricter temporal validation would reveal more about the model's sturdiness in the face of changes in malware distribution and new, previously unknown, threats.

  • Research Article
  • Cited by: 2
  • 10.1109/mce.2024.3507282
Adversarial Malware Detection on Consumer Devices Using Optimized Image-Based Ensembles
  • Mar 1, 2026
  • IEEE Consumer Electronics Magazine
  • Hamad Naeem + 4 more

Malware is a constant threat to consumer gadgets, and it targets a wide range of file types and operating systems. To combat this, researchers have put much effort into creating malware detection algorithms that utilize Machine Learning (ML) and Deep Learning (DL). Despite these advancements, adversarial attacks can still undermine security with specifically designed inputs and avoid detection. The proposed malware detection methodology improves malware classification accuracy and adversarial attack resistance with multi-stage deep learning. The methodology starts by turning malware binaries into two-dimensional color images for visual inspection. Adversarial examples are generated using the Fast Gradient Sign Method (FGSM), Projected Gradient Descent (PGD), and Carlini-Wagner attacks to evaluate model resistance. Genetic Algorithms (GA) are used to optimize the hyperparameters of the fundamental classification models, such as Xception, Inception V3, and VGG19, guaranteeing the selection of optimal settings. The models are merged into an ensemble to improve detection accuracy and classify malware families efficiently. The proposed approach achieved high detection accuracy of 97.86% and 94.24% using the Dumpware10 and MaleVis datasets, respectively. Results from this study provide a basis for smart home gadgets and smartphones to incorporate enhanced malware detection capabilities, which have far-reaching implications for the consumer electronics market.

  • Research Article
  • 10.1109/tdsc.2025.3627810
Multi-View Few-Shot Malware Classification With Support-Query Prototypes
  • Mar 1, 2026
  • IEEE Transactions on Dependable and Secure Computing
  • Shuhong Chen + 5 more

Artificial Intelligence (AI) technology has been widely used in malware detection and has significantly improved defense against cyberattacks. Existing deep learning-based methods rely on training with large-scale data and only on predefined categories, making them inadequate for rapidly responding to novel malware attacks. Malware classification based on few-shot learning has made some progress in identifying unknown malware using limited data. However, existing methods struggle to achieve high performance because they typically focus on a single malicious feature, such as a single malware image or an API call sequence, thereby ignoring the multi-dimensional nature of malware. To deal with these challenges, we propose a multi-view few-shot learning method for malware classification. We propose a multi-view malicious feature engineering scheme, which combines domain knowledge and expert experience to analyze the malware from various perspectives. Furthermore, we propose a support-query prototype generation method based on multi-view malicious features to generate higher-quality malware prototypes, which enhances the representation of novel malware family distributions. Extensive experiments show that the proposed method outperforms existing state-of-the-art approaches. With only two samples per family, the accuracy still exceeds 90%. Our method demonstrates superior cross-dataset recognition capabilities, thereby fully illustrating its robustness and generalizability across different data distributions.

  • Research Article
  • 10.1038/s41598-026-40655-8
Hierarchical malware detection, family identification, and variant attribution using CNN-based hybrid models on grayscale executable images.
  • Feb 19, 2026
  • Scientific reports
  • Maheep Saxena + 1 more

Malware has become more challenging to trace as attackers use obfuscation, polymorphism, and automated generation of very similar variants. As a result, security software must not only be able to detect malicious files but also detect their larger families and more specific variants to facilitate effective analysis and correlation. In this paper, we present a three-level deep learning architecture for malware and benign file detection, malware family classification, and subfamily assignment based solely on grayscale images extracted from Windows PE executable files. Each file is statically and dynamically analyzed and then represented as a normalized 224 × 224 grayscale image. The labelled dataset consists of benign samples, the five most prevalent malware families, and 33 subfamilies. We compare the performance of three CNN-based hybrid models under a common multi-output framework: CNN with a Temporal Convolutional Network (TCN) head, CNN with a Capsule Network (CapsNet) block, and CNN with a Bidirectional LSTM (BiLSTM) layer. A single forward pass yields predictions for all levels of the classification hierarchy. Experimental outcomes indicate that CNN+TCN reaches 99% binary accuracy, 98% family accuracy, and 94% subfamily accuracy, while CNN+CapsNet reaches 100%, 97%, and 93%, and CNN+BiLSTM reaches 100%, 98%, and 94%, respectively.

  • Research Article
  • 10.47760/ijcsmc.2026.v15i01.006
Ensemble Learning Based Detection of Mirai Botnet Attacks using Simulated, Generative AI and Hybrid Network Traffic
  • Jan 30, 2026
  • International Journal of Computer Science and Mobile Computing
  • P.T Goyal + 2 more

The Mirai botnet is one of the most damaging malware families targeting Internet of Things (IoT) devices. By exploiting weak login credentials and unpatched vulnerabilities, Mirai converts compromised devices into large-scale botnets capable of launching distributed denial-of-service attacks. This paper presents a complete study and evaluation of multiple machine learning classifiers, namely Random Forest, K-Nearest Neighbors (KNN), Naïve Bayes and XGBoost, for detecting Mirai botnet traffic. The models are assessed on three datasets: real Mirai traffic, Generative AI based synthetic traffic, and a hybrid dataset combining both. Performance is measured using accuracy, precision, recall, and F1-score. The results show that ensemble models such as Random Forest and XGBoost reliably achieve superior performance, particularly when trained on the hybrid dataset, making them highly suitable for real-world IoT botnet detection systems.

  • Research Article
  • 10.5121/ijnsa.2026.18101
EMPIRICAL TELEMETRY-BASED METRICS FOR EVALUATING HONEYPOT REALISM AND DECEPTION EFFECTIVENESS
  • Jan 28, 2026
  • International Journal of Network Security & Its Applications
  • Teresita Noelia Nunez Migliorisi

Honeypots remain critical tools for cyber deception, adversarial observation, and proactive threat intelligence. However, despite decades of development, the field still lacks a standardized and empirically validated framework for assessing deception effectiveness. Existing studies rely heavily on raw connection counts or ad hoc indicators, limiting reproducibility, comparability, and operational relevance. This paper presents a telemetry-driven methodology for evaluating honeypot realism and deception effectiveness across measurable behavioral dimensions. Using both a baseline cloud honeynet and an Enhanced Realism-Driven Honeynet (ERDH) modeled on a healthcare research environment, it is empirically demonstrated that domain-consistent realism significantly increases attacker dwell time, interaction depth, behavioral diversity, and malware family richness.

  • Research Article
  • Cited by: 1
  • 10.3390/digital6010005
LLM-Generated Samples for Android Malware Detection
  • Jan 18, 2026
  • Digital
  • Nik Rollinson + 1 more

Android malware continues to evolve through obfuscation and polymorphism, posing challenges for both signature-based defenses and machine learning models trained on limited and imbalanced datasets. Synthetic data has been proposed as a remedy for scarcity, yet the role of Large Language Models (LLMs) in generating effective malware data for detection tasks remains underexplored. In this study, we fine-tune GPT-4.1-mini to produce structured records for three malware families: BankBot, Locker/SLocker, and Airpush/StopSMS, using the KronoDroid dataset. After addressing generation inconsistencies with prompt engineering and post-processing, we evaluate multiple classifiers under three settings: training with real data only, real-plus-synthetic data, and synthetic data alone. Results show that real-only training achieves near-perfect detection, while augmentation with synthetic data preserves high performance with only minor degradations. In contrast, synthetic-only training produces mixed outcomes, with effectiveness varying across malware families and fine-tuning strategies. These findings suggest that LLM-generated tabular malware feature records can enhance scarce datasets without compromising detection accuracy, but remain insufficient as a standalone training source.

  • Research Article
  • 10.58399/avon8307
Exploring Deep Learning Architectures for Malware Classification Using Binary Image Techniques
  • Jan 10, 2026
  • Journal of High-Frequency Communication Technologies
  • Rahul Gupta

Malware remains a major cybersecurity concern, which demands effective techniques for accurate detection and classification. This study presents a novel framework that leverages binary image representations of malware to enhance classification performance. The process begins by transforming malware files from their hexadecimal form into binary data, which is then converted to grayscale images serving as input for deep learning models. The study also examines the distinctive visual characteristics of various malware families, revealing how structural patterns in binary images are correlated with classification outcomes. By examining the role of image processing and deep learning, the research provides valuable insight into the intersection of artificial intelligence and cybersecurity. The findings highlight the strength of CNNs for malware classification, while acknowledging the complementary potential of ResNet and Autoencoder-based approaches. As cyber threats become increasingly sophisticated, advancing detection methods is essential. This work demonstrates that combining deep learning with binary image analysis presents a promising approach to developing more resilient malware detection systems and enhanced protection for digital environments. Three architectures—Convolutional Neural Networks (CNN), Residual Networks (ResNet), and Autoencoders—are systematically evaluated using a dataset of 3,240 malware samples categorized into nine families. The dataset is carefully divided into training and testing sets, and all images are resized to maintain consistency between inputs. Among the evaluated models, CNN with image-scaling techniques shows a superior accuracy of 91%, outperforming the ResNet and Autoencoder models, which achieve accuracies of 86% and 85%, respectively.

  • Research Article
  • 10.1371/journal.pone.0339907.r006
A distributed framework for zero-day malware detection using federated ensemble models
  • Jan 7, 2026
  • PLOS One
  • Hassan Ishfaq + 4 more

Classification and detection of zero-day attacks remain a significant challenge within the domain of cybersecurity. Due to the vast number of malware families and the presence of imbalanced datasets, real-time detection and classification become increasingly complex and inaccurate. Thus, there is an urgent need to develop an intelligent and adaptive defense mechanism capable of identifying and classifying such attacks with improved precision and robustness. This paper proposes a stacked ensemble federated learning model with an accuracy-aware node weighting scheme to address the challenges posed by inter- and intra-class similarities among different types of malware. In the initial phase, malware Portable Executable (PE) files are collected from multiple online repositories and validated by three different antivirus programs through VirusTotal to ensure reliability. These validated files are then converted into image form and categorized into 28 families to facilitate feature extraction. In the second phase, deep feature representations are extracted through a transfer learning-based fine-tuned ResNet-50 model, which captures both low-level and high-level patterns that are relevant to malware classification. The features extracted at the multiple distributed nodes are then fed into the proposed Ensemble Stacked Federated Model for enhanced generalization and robust classification. The model is tested on both private and publicly available datasets. The experimental results demonstrate that the proposed method outperforms existing baseline approaches in terms of accuracy and computational efficiency. This improvement is achieved because it performs independent training at each federated node separately and then stacks their outputs with a central ensemble model, which enhances the learning rate and reduces overfitting. The code used for the experiments is available here.

  • Research Article
  • 10.19139/soic-2310-5070-2900
Cross-Attention Feature Fusion for Interpretable Zero-Day Malware Detection
  • Jan 3, 2026
  • Statistics, Optimization & Information Computing
  • Njood Aljarrah + 3 more

The exponential proliferation of sophisticated zero-day malware variants poses critical challenges to traditional signature-based detection systems, necessitating advanced machine learning approaches that combine high-performance classification with transparent decision-making processes. While existing deep learning models achieve remarkable accuracy in malware detection, their black-box nature severely limits adoption in critical cybersecurity applications where interpretability is paramount for threat analysis and incident response. This work presents a novel cross-attention feature fusion architecture integrated with comprehensive explainable artificial intelligence (XAI) techniques for zero-day malware classification and attribution analysis. Our approach employs semantic feature grouping to organize heterogeneous malware characteristics into complementary structural and content-based representations, processed through specialized encoders and fused via multi-head cross-attention mechanisms that enable sophisticated bidirectional information exchange between feature groups. The integrated XAI framework combines Integrated Gradients, SHAP, and LIME techniques to provide both global and local interpretations of classification decisions. Extensive evaluation on large-scale datasets demonstrates exceptional performance: 99.97% accuracy with 0.9999 AUC-ROC on EMBER 2018 (800K samples) and 99.99% accuracy with perfect AUC-ROC on CIC-MalMem-2022 (58.6K samples). Rigorous zero-day evaluation using family-based splitting reveals robust generalization capabilities with minimal performance degradation (0.12% for EMBER 2018, 0.08% for CIC-MalMem-2022) when encountering completely unseen malware families. Ablation studies confirm the critical contribution of cross-attention mechanisms (+0.0277 AUC improvement), while XAI analysis demonstrates high consistency across explanation methods (correlation > 0.84) and provides actionable insights for security analysts. Our approach uniquely combines state-of-the-art detection performance with comprehensive explainability, advancing interpretable cybersecurity AI systems and enabling transparent threat attribution analysis essential for real-world deployment.

  • Research Article
  • 10.32604/cmc.2026.077084
HMF-Net: Hierarchical Multi-Feature Network for IIoT Malware Detection
  • Jan 1, 2026
  • Computers, Materials & Continua
  • Faten S Alamri + 4 more

Rapid expansion of Industrial Internet of Things (IIoT) systems has heightened the vulnerability of critical infrastructure to sophisticated malware attacks. Traditional signature-based detection methods are ineffective against evolving threats, and many machine learning models fail to capture temporal behavior, offer interpretability, or operate efficiently in resource-constrained environments. This study proposes HMF-Net, a Hierarchical Multi-Feature Network, for accurate, interpretable, and efficient IIoT malware detection. HMF-Net combines hierarchical VT-Tag embedding (HVTE) to model semantic behavioral information, temporal detection ratio analysis (TDRA) to capture confidence variations for polymorphic malware, and static structural binary features. These features are fused using an adaptive attention mechanism that dynamically prioritizes the most informative modalities during classification. The framework is evaluated on an IIoT malware dataset with 2515 samples from six malware families using five-fold cross-validation. Results show HMF-Net achieves 92.47% accuracy, outperforming Gradient Boosting (90.57%), Random Forest (88.52%), DeepMLP (87.26%), and SimpleMLP (84.34%) with p < 0.05. Ablation studies reveal HVTE as the most influential component, while TDRA and adaptive fusion further enhance performance. Attention-weight analysis highlights feature importance, especially for polymorphic behavior. The compact HMF-Net architecture (4.2 MB, 2.1 M parameters) with a 3.5 ms inference time supports real-time deployment in edge environments, balancing precision and recall for security applications.

  • Research Article
  • 10.1109/ojcoms.2026.3667851
Extending Memory-Based Obfuscated Malware Detection With Network Behavior
  • Jan 1, 2026
  • IEEE Open Journal of the Communications Society
  • Jhon F Mercado + 6 more

Obfuscated and fileless malware families evade traditional detection systems by residing exclusively in memory and employing stealthy techniques such as process injection and encrypted communication. Although memory-based detection methods have demonstrated strong performance using host-based features alone, the contribution of network-level information remains underexplored. This study addresses this gap by leveraging the recently released WinMal25 dataset, which comprises approximately 2 TB of ground-truth Windows memory dumps collected under realistic benign activity and obfuscated malicious execution. We extract a small set of socket- and connection-level variables directly from RAM and evaluate their contribution to malware detection using Random Forest and XGBoost classifiers under multiple feature configurations. The experimental results show that network-related structures preserved in memory are highly discriminative on their own and further enhance detection performance when combined with traditional system-level features. These findings demonstrate that communication-related structures preserved in memory constitute a robust and complementary forensic signal, supporting the development of interpretable and generalizable memory-based malware detection systems capable of operating under heavy obfuscation.

  • Research Article
  • 10.1109/access.2026.3671954
An In-Depth Exploration of Malware Persistence: Reverse Engineering, Defense, and Simulation
  • Jan 1, 2026
  • IEEE Access
  • Zlatan Morić + 2 more

Malware persistence enables malicious programs to endure reboots and remain operational across sessions, facilitating prolonged system compromise. This study examines three prominent malware families (njRAT, AsyncRAT, and WannaCry) and discerns their unique persistence methods by integrating static, dynamic, and behavioral analysis. The findings indicate that njRAT relies on registry and startup entries, AsyncRAT adapts its techniques based on privilege levels, and WannaCry establishes persistence by creating services. This study presents a secure, modular C# prototype that simulates registry, file-based, and Image File Execution Options (IFEO) hijacking persistence in a controlled setting, transcending traditional analysis. Complementary PowerShell and CMD simulators replicate authentic persistence strategies for defensive testing and educational purposes. This work's scientific contribution is the integration of real malware reverse engineering with the creation of a secure, modular C# simulation prototype that replicates various persistence techniques, namely file-based, registry-based, and Image File Execution Options (IFEO) hijacking, within a controlled and observable setting. Complementary simulations with PowerShell and CMD emulate prevalent persistence characteristics for defensive research and analyst training without requiring the implementation of actual payloads. The primary findings indicate that layered persistence augments stealth and resilience, that privilege context directly influences persistence efficacy, and that hybrid analytical approaches integrating static, dynamic, and simulated testing markedly boost detection reliability. The resultant paradigm offers a replicable, ethical, and instructive platform for enhancing research on malware persistence and formulating protective strategies.

  • Research Article
  • 10.1109/tnsm.2026.3671305
Android Zero-Day Guard: Zero-Shot Malware Detection Using Deep Learning and Generative Models
  • Jan 1, 2026
  • IEEE Transactions on Network and Service Management
  • Shi Dong + 3 more

This paper proposes an Android-oriented zero-day malware detection method named "Android Zero-Day Guard." By integrating deep neural networks with zero-shot learning, this approach is capable of identifying emerging threats without prior exposure to malicious samples. The method converts APK files into images and extracts deep features, enabling effective capture of behavioral malware patterns. Experimental results demonstrate that the proposed method achieves a precision of 94.93%, a recall of 93.75%, and an F1-score of 94.28% across multiple malware families. Without relying on dynamic analysis, it exhibits strong detection capability and generalization performance, making it well-suited for the early identification of emerging threats. While the model performs strongly on benchmark datasets, continuous validation on the latest families is essential for deployment in a rapidly evolving threat landscape.

  • Research Article
  • 10.1371/journal.pone.0339907
A distributed framework for zero-day malware detection using federated ensemble models.
  • Jan 1, 2026
  • PloS one
  • Hassan Ishfaq + 3 more

Classification and detection of zero-day attacks remain a significant challenge within the domain of cybersecurity. Due to the vast types of malware families and the presence of an imbalanced dataset, real-time detection and classification become increasingly complex and inaccurate. Thus, there is an urgent need to develop an intelligent and adaptive defense mechanism capable of identifying and classifying such attacks with improved precision and robustness. This paper proposes a stacked ensemble federated learning model with an accuracy-aware node weighting scheme to address the challenges posed by inter- and intra-class similarities among different types of malware. In the initial phase, malware Portable Executable (PE) files are collected from multiple online repositories and validated by three different antivirus programs through VirusTotal to ensure reliability. These validated files are then converted into image form and categorized into 28 families to facilitate feature extraction. In the second phase, deep feature representations are extracted through a transfer learning-based fine-tuned ResNet-50 model, which captures both low-level and high-level patterns that are relevant to malware classification. After feature extraction from multiple distributed nodes, the architecture is fed into the novel proposed Ensemble Stacked Federated Model for enhanced generalization and robust classification. The model is tested on both private and publicly available datasets. The experimental results demonstrate that the proposed method outperforms existing baseline approaches in terms of accuracy and computational efficiency. This improvement is achieved because it performs independent training at each federated node separately and then stacks their outputs with a central ensemble model, which enhances the learning rate and reduces overfitting. The code used for the experiments is available here.
