Modelling and Data Analysis
2026. Vol. 16, no. 1, 7–26
doi:10.17759/mda.2026160101
ISSN: 2219-3758 / 2311-9454 (online)
Increasing the effectiveness of threat detection: machine-learning–based methods for malware classification
Abstract
Signature-based detection and lightweight heuristics increasingly struggle with rapidly evolving malware, while running every file in a sandbox is too costly; therefore, practical malware triage requires automated decisions under a strict false-alarm budget. This study aims to improve threat detection efficiency by developing a transferable machine-learning classifier that preserves high malware recall while explicitly controlling false positives and keeping the sandbox workload manageable. We hypothesize that decision thresholds should be selected not by optimizing an average metric on a held-out test split, but via an explicit error budget: using out-of-fold predictions on benign files to set a blocking threshold such that the number of false positives does not exceed K, and then deploying a three-zone policy («block / send for review / allow»). Experiments were conducted on the UCI dataset «Malware static and dynamic features VxHeaven and Virus Total» (6,248 files; 1,084 features; reduced to 244 after removing constant features), with evaluation performed not only under a standard random split but also under two cross-source transfer scenarios (train on VxHeaven, test on VirusTotal, and vice versa), which emulate real-world domain shifts. We compared linear models and tree-based ensembles and additionally examined score calibration (mapping raw model scores to better-behaved probabilities) to support robust thresholding. To provide a conservative and evidence-based assessment of false positives under small benign test samples, we report exact binomial confidence intervals for the false-positive rate. The main gain was achieved by the proposed Stage12 policy (K-based thresholding from out-of-fold benign predictions): in the VxHeaven → VirusTotal scenario (train on VxHeaven, test on VirusTotal), recall reached 0.8227 with a sandbox review rate of 0.2092 and zero observed false positives; compared to the baseline gray-zone policy, recall increased by +0.2816 while the review load decreased by 2.29×. In the VirusTotal → VxHeaven scenario (train on VirusTotal, test on VxHeaven), recall reached 0.9670 with a review rate of 0.0735 and an observed false-positive rate of 0.0084; relative to the gray-zone baseline, recall increased by +0.1234 and the review load decreased by 2.61× at the same observed false-positive level. These results demonstrate that K-budgeted, out-of-fold threshold selection enables an operationally controlled detection regime under domain shift: it improves recall and reduces the need for expensive sandboxing while maintaining a defensible false-alarm control. The scientific novelty is an evidence-backed integration of transfer evaluation, explicit false-positive budgeting, and a three-zone decision policy, where the operating point is determined by a formal error constraint rather than by optimizing a single average score.
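The K-budgeted thresholding, three-zone policy and exact binomial interval described in the abstract, as an added illustration that is not the authors' code: the benign out-of-fold scores and the test set below are constructed, and the function names, the review threshold `t_review` and the assumption that scores lie in [0, 1] are this example's own.

```python
from math import comb

# Added example (not from the paper): choose the blocking threshold from
# out-of-fold (OOF) benign scores so that at most K benign files would be
# blocked, route files into block / review / allow, and report a Clopper-Pearson
# (exact binomial) confidence interval for the observed false-positive rate.

def block_threshold(benign_oof_scores, k):
    """Threshold such that at most k benign OOF files score strictly above it."""
    ranked = sorted(benign_oof_scores, reverse=True)
    if k >= len(ranked):            # budget exceeds the benign sample: no constraint
        return float("-inf")
    return ranked[k]                # (k+1)-th largest benign score; blocking uses '>'

def three_zone(score, t_block, t_review):
    """Block above the K-budget threshold, send to sandbox review above t_review, else allow."""
    if score > t_block:
        return "block"
    if score >= t_review:
        return "review"
    return "allow"

def evaluate_policy(scores, labels, t_block, t_review):
    """Recall (malware blocked), review rate, observed FP count and benign count."""
    zones = [three_zone(s, t_block, t_review) for s in scores]
    mal = [z for z, y in zip(zones, labels) if y == 1]
    ben = [z for z, y in zip(zones, labels) if y == 0]
    recall = sum(z == "block" for z in mal) / len(mal)
    review_rate = sum(z == "review" for z in zones) / len(zones)
    return recall, review_rate, sum(z == "block" for z in ben), len(ben)

def _binom_cdf(k, n, p):
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))

def _solve_p(k, n, target):
    """Bisection for p with P(X <= k | n, p) == target; the CDF falls as p rises."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if _binom_cdf(k, n, mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def exact_binomial_ci(fp, n, alpha=0.05):
    """Clopper-Pearson interval for the FPR; stays informative when fp == 0."""
    lower = 0.0 if fp == 0 else _solve_p(fp - 1, n, 1 - alpha / 2)
    upper = 1.0 if fp == n else _solve_p(fp, n, alpha / 2)
    return lower, upper
```

With zero observed false positives on n benign files the upper bound is 1 − (α/2)^(1/n), which is what makes the interval a defensible statement about a small benign sample.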
General Information
Keywords: malware detection, machine learning, threat classification, transferability, false-positive control, threshold selection, sandbox triage, confidence intervals, learning with rejection
Journal rubric: Data Analysis
Article type: scientific article
DOI: https://doi.org/10.17759/mda.2026160101
Received 26.12.2025
Revised 15.01.2026
Accepted
Published
For citation: Abedalhussain, A.A., Lyapuntsova, E.V. (2026). Increasing the effectiveness of threat detection: machine-learning–based methods for malware classification. Modelling and Data Analysis, 16(1), 7–26. (In Russ.). https://doi.org/10.17759/mda.2026160101
© Abedalhussain A.A., Lyapuntsova E.V., 2026
License: CC BY-NC 4.0
Contribution of the authors
All authors participated in the discussion of the results and approved the final text of the manuscript.
Conflict of interest
The authors declare no conflict of interest.