Journal Neurocomputers №2 for 2026
Article in issue:
Domain-invariant malware classification method based on a multiview transformer
Type of article: scientific article
DOI: https://doi.org/10.18127/j19998554-202602-03
UDC: 004.032.26
Authors:

A.A. Abedalhussain¹, E.V. Liapuntsova²
¹,² National University of Science and Technology “MISIS” (Moscow, Russia)

¹ m2000009@edu.misis.ru, ² liapuntsova.ev@misis.ru

Abstract:

The paper addresses the problem of static detection of malicious software based on features extracted from executable files. The growing volume and diversity of malware families, together with strict performance requirements in security operation centers, make it necessary to rely on static analysis that can process large streams of files without executing them in isolated environments. In this setting, classifiers must not only achieve high accuracy, but also provide calibrated probability estimates and meaningful uncertainty information, since their outputs are often integrated into multi-stage decision pipelines and incident triage procedures.

The aim of the study is to develop and experimentally justify a domain-invariant malware classification method that combines multiview representation learning with mechanisms for probability calibration.

The proposed approach, MV-DAFT (Multi View, Distribution Aware Feature Transformer), is a transformer-based architecture that jointly processes several complementary views of an executable file: byte histograms, header characteristics, aggregated statistics of byte sequences and string-related features. A special adversarial “domain head” is used to encourage invariance of latent representations across different datasets, while an additional regularization term penalizes discrepancies between feature distributions in the shared latent space. This design is intended to increase robustness to distribution shifts that arise when models are deployed on data from new time periods or alternative collection pipelines.

The experimental setup includes two types of data. The first is a large synthetic corpus with controlled separation between classes, which allows us to isolate the contribution of depth, regularization and calibration procedures. The second is a representative sample of real executable files used to evaluate transferability and practical performance. MV-DAFT is compared with competitive baselines, including gradient boosting, random forest, logistic regression, fully connected neural networks and a popular neural architecture for tabular data. Quality is assessed using the F1 score, the area under the receiver operating characteristic curve and the area under the precision–recall curve. Reliability of probabilistic outputs is analyzed through calibration plots and the expected calibration error, while confusion matrices are used to study typical failure modes.

The results show that the proposed method consistently outperforms strong baseline models on the synthetic corpus, achieving near-perfect classification quality together with noticeably improved calibration of probabilities. On the real-world dataset, the gain in accuracy is more moderate, but MV-DAFT provides a better balance between predictive performance, calibration and model size, maintaining low response times suitable for high-throughput environments. Practical significance lies in the possibility of integrating the domain-invariant transformer into malware detection and security monitoring systems, where more reliable risk estimates for each file reduce the number of missed threats and unnecessary manual checks, and facilitate safer automation of incident response workflows.
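
The abstract reports both ranking metrics (ROC AUC) and the expected calibration error. The added example below, which is not code from the paper, shows why the two are measured separately: an overconfident scorer can keep exactly the same ROC AUC while its probabilities become unusable for triage thresholds. The equal-width 10-bin ECE definition, the function names and the verdict data are assumptions constructed for illustration.

```python
import math

def expected_calibration_error(scores, labels, n_bins=10):
    """ECE for a binary detector: sample-weighted mean, over equal-width score
    bins, of |mean predicted P(malicious) - observed malicious fraction|."""
    bins = [[] for _ in range(n_bins)]
    for s, y in zip(scores, labels):
        bins[min(int(s * n_bins), n_bins - 1)].append((s, y))
    ece = 0.0
    for b in bins:
        if b:  # empty bins carry no weight
            mean_score = sum(s for s, _ in b) / len(b)
            frac_pos = sum(y for _, y in b) / len(b)
            ece += len(b) / len(scores) * abs(mean_score - frac_pos)
    return ece

def roc_auc(scores, labels):
    """ROC AUC as P(score_malicious > score_benign); ties count one half."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    wins = sum((p > n) + 0.5 * (p == n) for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def sharpen(score, factor=3.0):
    """Overconfident variant: scale the logit, which keeps the ranking.
    Expects a score strictly between 0 and 1."""
    logit = math.log(score / (1.0 - score))
    return 1.0 / (1.0 + math.exp(-factor * logit))

def constructed_verdicts(per_level=200):
    """Constructed data: ten score levels 0.05..0.95; at each level the share
    of malicious files equals the score, so the scorer is calibrated."""
    scores, labels = [], []
    for k in range(10):
        p = (k + 0.5) / 10
        n_mal = round(p * per_level)
        scores += [p] * per_level
        labels += [1] * n_mal + [0] * (per_level - n_mal)
    return scores, labels

if __name__ == "__main__":
    scores, labels = constructed_verdicts()
    overconfident = [sharpen(s) for s in scores]
    for name, s in (("calibrated", scores), ("overconfident", overconfident)):
        print(name, round(roc_auc(s, labels), 3),
              round(expected_calibration_error(s, labels), 3))
```

Both scorers rank files identically, so a pipeline evaluated only on ROC AUC would not notice that the second one reports near-certainty for files that are malicious far less often than the score claims.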

Pages: 34-43
For citation

Abedalhussain A.A., Liapuntsova E.V. Domain-invariant malware classification method based on a multiview transformer. Neurocomputers. 2026. V. 28. № 2. P. 34–43. DOI: https://doi.org/10.18127/j19998554-202602-03 (in Russian)

Date of receipt: 10.11.2025
Approved after review: 01.12.2025
Accepted for publication: 10.03.2026