Adaptive malware identification via integrated SimCLR and GRU networks

Faisal S Alsubaei; Abdulwahab Ali Almazroi; Walid Said Atwa; Abdulaleem Ali Almazroi; Nasir Ayub; N Z Jhanjhi

doi:10.1038/s41598-025-08556-4

. 2025 Jul 13;15:25309. doi: 10.1038/s41598-025-08556-4

Adaptive malware identification via integrated SimCLR and GRU networks

Faisal S Alsubaei ^1,^✉, Abdulwahab Ali Almazroi ², Walid Said Atwa ^2,⁶, Abdulaleem Ali Almazroi ³, Nasir Ayub ⁴, N Z Jhanjhi ⁵

PMCID: PMC12256613 PMID: 40653529

Abstract

Malware has become a big issue for digital infrastructure with the growing complexity and frequency of intrusions; it usually avoids conventional detection systems via obfuscation and dynamic behaviour patterns. Existing methods, particularly those relying on signature-based techniques, struggle to detect emerging threats, leading to significant vulnerabilities in enterprise and institutional environments. This study aims to develop an adaptive and efficient malware detection framework that addresses these limitations while supporting real-time analysis. To this end, we introduce SimCLR-GRU, a novel ensemble architecture that integrates SimCLR-based contrastive learning for feature extraction and a GRU module to capture sequential behavioural patterns. The framework also incorporates graph neural network (GNN)-based feature selection to reduce redundancy and optimise Fish School Search (FSS) to fine-tune key hyperparameters for improved learning performance. Experiments using a comprehensive Portable Executable (PE) malware dataset show that SimCLR-GRU achieves a classification accuracy of 99%, exceeding many baseline models with a 15% increase. An AUC of 98.2%, an F1-score of 96.8%, and a false positive rate of only 0.02% underline the model’s generalizability, accuracy, and resilience. Moreover, the low inference latency of the model qualifies for implementation in real-time and resource-limited surroundings. SimCLR-GRU provides a scalable and decisive answer to modern cyberspace’s changing malware detection problem.

Subject terms: Computational science, Computer science, Information technology, Scientific data

Introduction

Society is digitizing, changing how people, corporations, and governments work and increasing cybersecurity dangers. Malware, a persistent threat, grows in complexity and size. Malware-driven cybercrime increasingly outweighs conventional crime in terms of technology and cost. Cybercrime is expected to reach a limit more than the previous years¹. Increasing polymorphic malware, multi-stage attack routes, and sophisticated, persistent threats make traditional detection approaches ineffective². Furthermore, current malware persists and grows. Malicious software packages are being developed at an alarming rate each day, leading to substantial financial losses worldwide^3,4. According to Kingsoft, numerous computer attacks occur daily, underscoring the urgent need for more effective malware detection systems⁵. The global economic impact of malware is projected to reach trillions of dollars as attackers increasingly target emerging platforms and environments⁶.

COVID-19 Machine learning models are increasingly used across high-stakes domains—not only in healthcare for heart disease survival analysis⁷—but also in networked environments where compromised or malware-infected systems can jeopardize critical decision-making processes and even risk human lives. The modern malware landscape includes ransomware, Android-based malware, Trojan horses, spyware, rootkits, and other sophisticated threats⁸. A visual overview of malware types and classifications is shown in Figure 1.

Much like signature-based malware detectors fail to catch evolving threats, rule-based systems for content filtering also fall short in identifying dynamic and misleading information, such as clickbait⁹. Even heuristic and rule-based models have trouble generalizing to new varieties. Additionally, dynamic analytic methods need a lot of system resources and may not be deployable in real-time. Current malware detection research uses hybrid models. These methods enable flexibility and pattern recognition, but they have drawbacks. Challenges include high-dimensional feature spaces, labelled data reliance, overfitting, and computational overhead. Conventional machine learning methods are useless against contemporary attacks as they may find sequential behaviour or temporal links in malware execution traces difficultly^10,11. Recently, there’s been growing interest in explainable detection models, as they help make cybersecurity decisions more transparent and easier for analysts to interpret. Researcher introduced a detection framework that focuses on input-output interpretability, underscoring how crucial explainability is in building trust and clarity within malware detection systems¹². As cybersecurity systems grow increasingly complex and distributed, models like CBRFL offer a blueprint for building resilient federated learning frameworks capable of withstanding adversarial interference during collaborative detection tasks¹³.

Driven by the limitations of existing malware detection methods-especially their struggle to adapt to evolving and sophisticated threats-this study introduces SimCLR-GRU. This hybrid framework uses GRU to combine self-supervised feature learning through SimCLR and temporal pattern modelling. To strengthen its performance, the model incorporates GNN-based feature selection to minimize noise and redundancy and uses the Fish School Search algorithm for efficient hyperparameter optimization. These combined innovations enable SimCLR-GRU to deliver high accuracy, handle imbalanced data effectively, and support real-time deployment. The paper details the development, evaluation, and comparative performance of SimCLR-GRU across various experiments. Malware detection frameworks that are adaptive to evolving and obfuscated malware behaviours, efficient for real-time processing, able to learn from limited or weakly labelled data, and scalable to handle large, heterogeneous cybersecurity datasets are in demand to address these limitations. These characteristics must be met for reliable, generalizable, and deployable detection technologies. This study proposes the SimCLR-GRU (SimCLR-GRU) architecture. This ensemble deep learning framework combines contrastive learning (SimCLR) for robust feature extraction with Gated Recurrent Units (GRU) to address these pressing challenges for modelling sequential malware behaviour. Improve detection accuracy, decrease false positives, and optimize computation with this hybrid approach. A large PE malware dataset is used to assess the SimCLR-GRU model against other state-of-the-art techniques. The findings show better accuracy, AUC, processing speed, and generalization across dynamic threat patterns. This project aims to provide a scalable and viable next-generation malware detection system.

This research presents a comprehensive approach to addressing long-standing challenges in malware detection through a lightweight and effective hybrid framework. Our efforts primarily contribute in the following ways:

This study tackles the common issue of high-dimensional and redundant features in malware datasets by introducing a graph neural network (GNN)–b-based feature selection technique. This approach helps isolate the most relevant structural attributes while filtering out noise, leading to a more efficient model with better generalization capabilities.
Recognizing the scarcity and inconsistency of labelled data in real-world malware detection, we incorporate SimCLR-based contrastive learning into our model. This allows for self-supervised representation learning directly from raw PE file features, making the model more resilient to missing or noisy labels and capable of extracting high-quality semantic patterns.
This study includes a gated recurrent unit (GRU) layer to capture the sequential character of malware behaviour-a feature often disregarded in static models. This helps the model identify sophisticated, polymorphic, and behaviorally evasive malware by understanding temporal relations and dynamic execution patterns.
Given the computational demands of hyperparameter tuning in ensemble architectures, we employ the Fish School Search (FSS) algorithm to optimize both SimCLR and GRU components simultaneously. This strategy ensures efficient parameter space exploration, fast convergence, and improved performance without significant resource consumption.
Beyond the technical design, our work contributes a deployable malware detection framework that balances accuracy, speed, and resource efficiency. The SimCLR-GRU model is well-suited for real-time cybersecurity applications because of low inference time and modular design, particularly in systems with limited processing capability, including IoT devices and edge networks.

This paper’s organization is as follows: Section Related work summarises recent research in malware detection, noting present developments and highlighting critical limits in current machine learning-based systems. Section Problem statement introduces the proposed SimCLR-GRU framework, explaining how SimCLR and GRU are integrated, how GNNs are used for feature selection, and how the Fish School Search algorithm helps optimize performance. Along with thorough data, comparisons, and statistical analysis to show the model’s efficacy, Section Proposed system framework offers the experimental design. Finally, Section Simulation results wraps up the study and addresses future prospects, including real-world implementation and the framework’s scalability with changing cybersecurity problems.

Related work

Several studies address the increase in malicious programs through the analysis of malware. The detection of malware has adopted the employing deep learning-based approaches. Still, ensuring that models produced using artificial neural networks are generalizable is challenging. Table 1 presents the consolidated perspective of the body of work.

Table 1.

Existing work in malware detection.

Ref	Methodology	Objectives Met	Limitations
¹⁴	Exploration of Static and Dynamic Malware Search Algorithms	Categorized Malware search approaches based on information collection methods.	The study lacks empirical comparison between static and dynamic methods, making it challenging to determine the superior approach without real-world testing.
^15,16	Malicious Code Transformation and Neural Network Classification	Transformed malicious code into visuals using SVM-GS methodas existing and employed neural networks (Inception-v3, AlexNetDenseNet201-KNN) forclassification.	Incomplete details on SVM-GS method parameters hinder reproducibility, and insufficient information on neural network architectures limits a comprehensive evaluation.
¹⁷	Ensemble Methods in IoT and WSN Environments	Utilized random forest and extremely randomized trees for malware detection in IoT and WSN.	Lack of transparency regarding dataset characteristics raises concerns about the model’s applicability to diverse scenarios. More details on dataset diversity would enhance credibility.
¹⁸	Efficient Malware Detection with DenseNet	Explored DenseNet for efficient malware detection.	Lack of explicit identification of potential challenges associated with DenseNet. Discussion on scalability and adaptability to diverse malware types is essential.
¹⁹	Optimized Decision Tree with AdaBoost	Developed a decision-tree-based framework for IoT malware detection using NSL-KDD and CICIDS2017 datasets.	Focused on limited network-level features and lacked evaluation on more diverse or real-world datasets.
²⁰	Feature Extraction and Malware Recognition with Attention Model	Condensed features for malware recognition with 95% accuracy with attention model.	Incomplete disclosure of selected features and their generalization to new malware variants. Bias in feature choice needs addressing.
²¹	Determining malcicious .exe files based on PE headers using deep reinforcement learning	Distinguished between malicious and safe .exe files based on MS-Windows PE headers.	Effectiveness may diminish with emerging malware variants. Addressing potential challenges associated with evolving malware characteristics is necessary.
²²	Emphasizing Attribute Relevance for Packed Executables	Focused on detecting packed executables through attribute analysis.	Limited exploration of adaptability to evolving packing techniques. Discussion on sensitivity to emerging obfuscation strategies is needed.
²³	Data Mining and Machine Learning for New Malware	Recognized new malware using data mining and machine learning.	Lack of diversity in dataset discussions raises concerns about overfitting. More extensive dataset analysis and discussion would strengthen applicability.
²⁴	Fuzzy Classification and Static Analysis	Focused on obfuscation strategies, fuzzy classification, and static analysis for malware detection.	Lack of specific details on obfuscation techniques discussed. A more detailed exploration of different obfuscation strategies is needed.
²⁵	Precise Malware Classification through Feature Extraction	Prioritized precise malware classification through feature extraction.	Insufficient details on machine learning algorithms and their sensitivity to dataset characteristics. A more comprehensive analysis of algorithmic limitations is necessary.
²⁶	Accurate Classification of Harmful and Benign Files	Used Madras-net technique to accurately classify harmful and benign files.	Lack of explicit information on machine learning techniques raises uncertainties about consistency across scenarios. Detailed discussion on algorithmic choices is needed.
²⁷	Dynamic malware analysis of PE files using API-based feature scoring and multiple ML classifiers	Developed a five-level framework including dataset curation, feature scoring (Chi², Gini), and evaluation using six ML models; achieved high accuracy with Random Forest (96%) and F1-score (0.96).	Focused on static PE features and limited to 582 malware samples; broader malware variety and deep model integration could improve generalizability.
²⁸	Self-supervised learning using Masked Autoencoder (MAE) for malware traffic classification	Proposed a transformer-based MAE framework that learns robust features from unlabeled traffic data and fine-tunes for downstream classification tasks.	Relies on fine-tuning with labeled data for task-specific adaptation; lacks discussion on real-time deployment and adversarial robustness.
²⁹	Autoencoder-based visual feature extraction and ML-based malware classification	Proposed DroidEncoder using ANN, CNN, and VGG19 autoencoders to extract features from image-based Android malware data and trained multiple ML classifiers.	Limited generalizability due to dataset of only 6000 samples; lacks evaluation on real-world or obfuscated Android malware variants.

Open in a new tab

Malware detection techniques are often categorized into two broad approaches: static and dynamic, depending on how the system gathers and interprets behavioral data. Static analysis involves inspecting code and structural attributes without executing the file, whereas dynamic analysis observes how a program behaves in real-time, including its impact on system resources. To improve detection performance, one study¹⁴ introduced a hybrid approach that leveraged API call information—specifically usage patterns, frequency, and sequences—and refined it using the TF-IDF technique to generate a rich feature set. Combined with a selective feature optimization strategy, this method enabled traditional machine learning models to achieve remarkably high accuracy, reaching up to 99.9% on Windows malware datasets. Building on the idea of innovative representations, another study¹⁵ converted malware binaries into two-dimensional images and applied deep learning for classification. By using transfer learning with InceptionV3, the model delivered exceptional results, achieving 99.6% accuracy on training data and 98.76% on the test set—outperforming other models like CNN and LSTM. Notably, researchers in¹⁶ used a novel technique, DenseNet201-KNN, to transform malicious code into visuals and identify characteristics using segmentation-based temporal pattern analysis. Subsequently, extensive neural networks, such as Inception-v3 and AlexNet, were employed for classification. During recent years, wireless sensing networks (WSN) and Internet of Things (IoT) environments have consistently improved recognition of malware usefulness when using combined methods like random forest structures, and very randomized trees¹⁷ and proposed model ENS-IDS.

DenseNet method was used by the author to build an efficient malware detection method¹⁸. Utilizing N-gram and API call capabilities, researchers looked at adjustments to parameters to boost malware identification precision. It outscored various approaches in scientific assessment, demonstrating the efficacy and dependability of our suggested method. Multi-feature integration will remain the focus of further research to lessen inaccurate results and improve accuracy.

As IoT ecosystems grow, so does the potential for malware infiltration, necessitating robust detection strategies. A promising approach explored in¹⁹ uses optimized decision trees with AdaBoost, showing high accuracy in classifying network-based malware using benchmark datasets. The research community has focused on machine learning algorithm techniques as conventional defences cannot maintain up against continually shifting threats. On an insufficient dataset, the decision tree technique provided the lowest false positive rate (FPR; 0.021%) and the highest precision (92%) among the three different ML algorithm methods evaluated in this study, providing a mechanism for protection. The DT method’s remarkable 90.2% success rate for evaluating and determining accuracy in detection using a static assessment of PE information was highlighted by the author when they examined three ML classifiers. The research study highlighted the possible use of static examination to increase malware appearance and detection performance.

In an effort to make AI-driven malware detection more transparent and effective, the study in²⁰ introduced an attention-based approach that highlights the most critical API system calls contributing to malicious behavior. This not only enhanced the model’s interpretability but also led to noticeable performance gains—achieving up to 12% and 5% higher accuracy than traditional CNN and LSTM-based methods, respectively. Author in²¹ presented a new approach of deep reinforcement learning for determining between malicious and safe.exe files by handling the features of MS-Windows PE headers. The method presented an in-depth three-step plan and contained dataset gathering, extraction of features, and icon evaluation.

Prioritizing for the recognition of packaged executables, attribute relevance in PE files has been emphasized in ²². The research primarily examined packaged executables, extracting and examining attributes to ascertain the packing status of a binary file. Malware detection has evolved to feature data mining, as²³ asserts. With an 89.6% rate of success in identifying new malware, the detection algorithm-which included a little under 200 characteristics from portable executable files-achieved an astounding 92.1% accuracy. By examining obfuscation strategies,²⁴ highlighted traditional techniques’ declining efficacy, such as signature scanning. To recognize malware and packed files, the research effort focused on fuzzy classification methods and static assessment characteristics.

Prioritizing precise malware classification,²⁵ focused on machine learning feature extraction. Highlighting the association with potential packet history, the study intended to develop algorithms capable of evaluating, avoiding, and identifying malicious connections. A novel method named Madras-net was essential in²⁶’s capacity to precisely and effectively categorize files as harmful or benign. Using several machine learning techniques with executable header areas, unprocessed and derived information produced an astounding accuracy of 98.4%. In²⁷, the authors introduced a structured five-stage pipeline for dynamically classifying malware using Windows PE files obtained from the MalwareBazaar repository. Their methodology involved curating a custom dataset, scoring features based on Chi² and Gini importance, and evaluating six widely used machine learning models such as Random Forest and XGBoost. Among these, the Random Forest classifier stood out with an impressive 96% accuracy and an F1-score of 0.96. Additionally, the framework provided valuable insights by categorizing 23 types of API behaviors commonly associated with malware activity.

Building on the need for scalable malware detection, the study in²⁸ proposed MTC-MAE—a self-supervised learning framework designed for traffic-based malware classification. By leveraging a masked autoencoder with a transformer backbone, the model was able to extract meaningful representations from large volumes of unlabeled network data. Fine-tuning on smaller labeled datasets enabled the approach to generalize effectively across various classification tasks, offering a promising solution that reduces reliance on manual labeling.

In a separate effort, the researchers in²⁹ developed DroidEncoder, a specialized deep learning framework for Android malware detection. Their approach converted Android application binaries into image representations and used three types of autoencoders—ANN-based, CNN-based, and VGG19-based—to extract discriminative features. These features were then classified using multiple machine learning algorithms, including Random Forest, LightGBM, and SVM. Tested on a balanced dataset of 6000 applications, DroidEncoder demonstrated high accuracy across all evaluation metrics, emphasizing the value of autoencoder-driven visual analysis in identifying malicious apps.

In addition, researcher tackled the growing challenge of low-rate denial-of-service (DoS) attacks insoftware-defined networks by developing a mitigation strategy that considers both port activity and traffic patterns. Their work highlightshow adaptive models can play a vital role in identifying and managing evolving network-level threats³⁰.

According to³¹, a machine learning-based technique may identify obfuscated malware in memory dumps, particularly in sophisticated cybersecurity settings. Analyzing volatile memory properties yielded good detection accuracy. It does not test sequential malware or static PE file formats.

The author presented GA-mADAM-IIoT, a lightweight threat detection system for Industrial IoT via a genetic algorithm, attention process, and LSTM on multiple variables time series sensor data in³². For edge-level deployment, the model remained efficient but showed enhanced detection accuracy. Author in³³ presented a modified genetic algorithm and a refined LSTM for IoT network intrusion detection. Though scalability on large-scale networks remains a difficulty, the method attained low latency and great accuracy with the use of edge computing in mind. Analyzing new methods, datasets, and assessment criteria, the paper³⁴ offered a thorough systematic analysis of intrusion detection systems (IDS) for network security. The article highlighted essential research needs, particularly model interpretability and deployment efficiency. Yang et al. proposed LLM-AE-MP, a web attack detection model combining a large language model with an autoencoder and MLP for improved accuracy³⁵. While effective, its reliance on heavy LLMs may limit use in real-time or low-resource settings. Author in³⁶ introduced a machine learning-based intrusion detection model designed to catch zero-day attacks, even in unfamiliar or unseen data. Their approach emphasizes adaptability to a wide range of threat patterns, making it effective in handling unpredictable cyberattacks. However, the model still faces challenges when dealing with imbalanced datasets and real-time processing demands, which leaves room for future improvement.

Recently developed hybrid and intelligent malware detection systems may overcome previous restrictions. HGDetector, developed by Feng et al., uses graph embedding to combine static function call graphs, dynamic network traffic characteristics, and behavioural representations to identify malware. The hybrid feature fusion approach improves malware detection accuracy by 21-26% when network characteristics alone are inadequate³⁷. Author intensively compared feature selection and scaling approaches to improve detection accuracy across several machine learning models. Preprocessing is crucial for malware classification tasks, as shown by the enhanced performance of Light Gradient Boosting Machine (LGBM) with 97.16% accuracy when paired with PCA and min-max scaling³⁸. Researcher presented IMCMK, a CNN-based image classification model that captures malware variation patterns, using multi-scale kernel convolution and advanced squeeze-and-excitation (SE) methods. IMCMK obtained 99.25% malware family classification accuracy, proving multi-scale feature extraction’s efficiency in visual malware analysis³⁹. One author created GENOME, a malware sample compression methodology using DNA encoding. Using standard and compressed encoding, GENOME reduces data size and improves edge computing detection accuracy. Results from Edge-IIoTset and CIC-IoT-23 datasets show GENOME’s flexibility and efficiency in resource-constrained real-time contexts⁴⁰. These findings show the trend toward hybrid, optimized, and context-aware malware detection, which inspired our SimCLR-GRU system, which combines contrastive learning, temporal sequence modelling, and optimization-driven tuning.

Though some fundamental issues still exist, malware detection utilizing hybrid models has advanced. Obfuscation, polymorphism, and time-dependent execution techniques fail to adapt to current malware’s fast evolution. Static and dynamic analytic approaches are frequently used, yet they often fail to detect emerging risks. Current feature selection approaches usually keep noisy or redundant features, which may cause overfitting and computational complexity. Hybrid models and ensemble classifiers have shown potential, but few systems combine strong semantic feature extraction with temporal behaviour modelling to capture minor harmful activity patterns. Hyperparameter tuning is typically neglected or handled using inefficient grid search methods that may not provide optimum results. Many models are hardly scalable or deployable, which makes them inappropriate for IoT and edge devices or resource-limited scenarios like real-time applications. Recent research has offered optimization methods and lightweight designs, but generality, interpretability, and real-world application remain. These limitations inspired our SimCLR-GRU architecture, which addresses previous approaches’ flaws to enable robust, efficient, and scalable malware detection. In light of these existing methods and their limitations, we have proposed a strong, lightweight framework to handle the dynamic nature of malware and a large amount of data with less time complexity. The subsequent section describes the proposed framework.

Problem statement

Malware, particularly spyware and complex, covert assaults, is growing rapidly as our digital world gets more linked. Traditional cybersecurity technologies, such as signature-based detection, are falling behind. Systems that use predetermined patterns to detect threats are useless against evolving malware, such as obfuscation, polymorphism, and zero-day exploitation^19,21. In addition to traditional threats, modern malware often leverages covert channel techniques that take advantage of system synchronization to bypass detection. The rise of sophisticated covert channels such as Write+Sync, which stealthily exploit delays in software cache synchronization to transmit data, underscores a growing concern in cybersecurity—malicious activities that can easily slip past traditional monitoring and detection systems⁴¹. Conventional approaches frequently become outdated when a virus changes structure or behaviour. By letting models learn patterns from data and adapt to new hazards, ML offers a convincing substitute²¹. Most ML-based detection models cannot handle contemporary malware’s fast-changing and complicated nature. Attackers may modify static elements like PE headers, which they commonly rely on²⁶. The lack of clarity on crucial elements makes models less accurate when applied to emerging threats²². Dataset quality and management are also significant challenges. Many studies lack specifics on data collection, balancing, and preprocessing, leading to worries about overfitting and poor performance^23,25. While recent models such as MTC-MAE²⁸ and DroidEncoder²⁹ have achieved strong performance on controlled datasets, their effectiveness in real-world settings remains limited. MTC-MAE, despite leveraging self-supervised learning, still requires fine-tuning with labeled data and has not been evaluated under real-time or adversarial conditions. Similarly, DroidEncoder relies on a relatively small and static image-based dataset, without addressing challenges like obfuscation, polymorphism, or dynamic behavioral variation—factors common in real-world malware environments. These models are computationally demanding, sensitive to skewed data, and seldom validated under actual deployment situations. These issues demonstrate the urgent need for a new generation of malware detection frameworks that are precise, fast, adaptive, and able to learn from developing cyber threats. This unmet need drives this research’s methodology.

Proposed system framework

SimCLR-GRU is introduced as a lightweight and adaptive deep-learning framework designed to address key challenges in modern malware detection. It specifically targets the limitations of existing methods, such as their inability to adapt to evolving threats and the difficulty of managing high-dimensional feature spaces. As illustrated in Fig. 2, the framework follows a structured process beginning with collecting a real-world malware dataset composed of static attributes from PE files. Binary unpacking, missing value management, feature scaling, and class balancing using the SMOTE approach are all part of the preprocessing stages that these files go through. This ensures that both benign and malicious samples are fairly represented. Graph Neural Networks (GNNs) refine the feature space by identifying structurally significant attributes and eliminating noise and redundancy to enhance learning efficiency. This helps reduce model complexity and improve generalization across diverse malware types.

The SimCLR-GRU hybrid model, which combines a Gated Recurrent Unit (GRU) module typically seen in malware behaviour with SimCLR-a contrastive learning method for deriving meaningful representations from unlabeled data-lays the groundwork for the framework. This combination enables the model to understand both structural and temporal patterns in malware. Fish School Search (FSS), a bio-inspired optimization method that fine-tunes fundamental hyperparameters like learning rate, temperature, and the number of hidden units for both SimCLR and GRU modules, improves model performance even further. Comprehensive measures assess the final model, including accuracy, precision, recall, F1-score, AUC, and Matthews Correlation Coefficient (MCC). SimCLR-GRU is tested against numerous state-of-the-art baseline models using statistical and empirical analysis to confirm its resilience and real-world application.

Data set description

This study utilizes Kaggle⁴², a big dataset with 157 attributes across 20,000 occurrences. These PE file properties are essential to malware detection and include various aspects. See Fig. 3 for visual categorizations of dataset features. The characteristics include PE file dimensions, structure, and other analysis-relevant information. The dataset’s many properties help us understand PE files. Important file attributes include architectural type, number of sections, creation date, and memory allocation. Entry point, size, and header data might reveal the file’s structure. Information regarding the component, OS version, and image properties aids the investigation. Additionally, indications of malevolent behaviour are presented. These properties, such as “SuspiciousImportFunctions” and “SuspiciousNameSection,” may reveal malware tendencies. The dataset’s target column, “Malware,” indicates if an instance has malware. Since it captures many PE file properties, the dataset allows for intensive malware recognition analysis. This broad feature collection underpins analytical and predictive machine learning methods to differentiate harmful and benign files. This dataset was selected because it matches real-world virus detection. PE files, the basic Windows executable format, are often targeted by malware. The dataset contains benign and malicious cases from a broad distribution, making it appropriate for generalizing models. It also exhibits structural and behavioural traits in business security solutions, making the results valid. The dataset is also used in academic research to evaluate new detection methods. The dataset’s target column, “Malware,” indicates if an instance has malware. Of the 20,000 samples, 13,474 are benign, and 6,526 are malware. The 2:1 class imbalance is typical of real-world malware datasets, where benign software outnumbers proven harmful files. This imbalance risks model bias and malware class underrepresentation during training.

Fig. 3 — Dataset feature categorization.

Data preprocessing

The files were unprocessed executables, and their information was saved in a file system as binary code. All of them were prepared as we started the search. The executables needed to be unzipped in a secure environment. Efficient unpacking of zipped programs using PEiD software⁴³. The dataset has a class imbalance, with fewer malware-labeled cases than benign ones. The Synthetic Minority Over-sampling Technique (SMOTE) interpolates across surrounding samples to provide synthetic minority class instances to reduce bias in learning. This balancing step increased malware detection without overfitting, improving recall and generalization. Furthermore, after getting the data, we apply other methods like incorporating missing values, data normalization, data scaling, and data balancing through the SMOTE algorithm.

Many changes were made to prepare SimCLR-GRU model input characteristics. Continuous variables were mean replaced to impute missing values. To standardize the input space, Min-Max normalization scaled all numeric characteristics to [0, 1]. Label encoding converted categorical variables to numbers. The normalized feature vector was reshaped into a 2D tensor for GRU to imitate sequential input and organize PE characteristics as pseudo-temporal steps. This lets GRU layers represent inter-feature relationships across an artificial temporal sequence. SimCLR needed two enhanced images of the same input for contrastive learning. These views were created using stochastic treatments, including Gaussian noise addition and random feature subset masking. This taught SimCLR to develop PE feature set representations resilient to modest perturbations. These transformation tactics guaranteed that SimCLR and GRU got structured inputs customized to their learning processes.

This work used the Synthetic Minority Oversampling Technique (SMOTE) to simulate the minority class due to the class imbalance, where benign cases outweigh harmful ones⁴⁴. SMOTE interpolates across minority class instances to create synthetic samples to assist the model in learning decision limits. This method works well for binary classification problems like malware detection, where minority class recall is crucial to reducing false negatives. SMOTE increased the SimCLR-GRU model robustness, generalization, and balance across both classes. Figure 4 graphically illustrates the preparation stage.

Feature extraction using Graph Neural Networks (GNNs)

The number of characteristics in many current data sets is in the thousands. Overfitting of the related machine-learning model has been more apparent in recent years due to the rising frequency of attributes. When solving this issue, this study employed GNNs to create minor characteristics based on more prominent attributes. This strategy is frequently applied to use fewer parameters while retaining equal precision. The present study aimed toward enhancing the current dynamic and static feature dataset by eliminating characteristics that did not prove helpful for the data analysis and retaining features that were most useful⁴⁵.Another sutdy also explored a similar direction by applying temporally evolving graph neural networks to detect phishing scams, demonstrating how GNNs can effectively adapt to changing threat patterns and scale across diverse cybersecurity scenarios⁴⁶.

Classification with SimCLR-GRU

This work presents a novel ensemble model for malware classification called SimCLR-GRU, which employs the complementary attributes of GRU (Gated Recurrent Unit)⁴⁷ and SimCLR (Contrastive Learning)⁴⁸. The SimCLR-GRU ensemble was explicitly built to use the unique characteristics of GRU’s proficiency in predicting linear relationships seen in Portable Executable (PE) files and SimCLR’s robust feature extraction capability. The process is shown in Fig. 5. SimCLR’s major factor behaves as an efficient feature extraction unit, widely recognized for its ability to identify significant models from unlabeled data. The mathematical framework is influenced by putting identical situations closer together and keeping dissimilar instances distant by the SimCLR loss coefficient, which is expressed by the glyph Inline graphic . In mathematical notation, that is^47,48:

In this case, Inline graphic is the environmental temperature variable controlling the comparable expansion, and and are the representations of both enhanced viewpoints of the same occurrence. GRU-the second fundamental component-enters the frame as a recurrent neural network proficient at recognizing sequential relationships in binary code. Represented by an assortment of formulations controlling the alteration of the inside states^47,48:

GRU has two recurrent layers with 64 hidden units in the SimCLR-GRU model. A ReLU activation function after each layer improves non-linearity and learning. Each GRU layer is followed by a 0.2 dropout layer to reduce overfitting and increase generalization. A flattening layer links the GRU’s output to a densely connected fully connected layer using a softmax activation function to generate the probability distribution for binary classification. Equation (2) combines the GRU output Inline graphic with the SimCLR feature representation using a weighted ensemble technique.

The input condition is signified by Inline graphic at time , the concealed state can be determined by at period , and the initialization gate, refresh gate, and alternative hidden state are expressed by , , and , as well, in the equations above. The assembled variable originates by integrating the resultants of SimCLR and GRU:

The estimates from SimCLR and GRU are shown as Inline graphic and in this case, and is a hyperparameter that determines the weighted distribution in the ensembles.

The SimCLR-GRU model utilizes GRU’s ability in the sequential evaluation and SimCLR’s semantic representational learning to attain the most effective combination. Extensive testing on PE files seeks to highlight SimCLR-GRU’s ability to enhance malware’s ability to be classified.

The complementing representational learning procedures of SimCLR and GRU make them theoretically beneficial. SimCLR, trained with contrastive loss, creates a feature space where semantically similar samples are closer and dissimilar samples are further away :

In this equation, In this formulation, ziand zjrefer to the learned feature embeddings of an anchor sample and its contrasting counterpart.These embeddings are generated by combining the strengths of SimCLR's projection mechanism with the sequential modeling capabilitiesof a GRU. The temperature parameter rhelps adjust how sharply the model distinguishes between similar and dissimilar pairs. Byencouraging semantically and temporally related samples to stay close in the representation space—and pushing unrelated ones apart—this contrastive approach makes the learned features more distinct and easier to classify.

However, GRU models sequential dependencies by learning evolving hidden states. GRU can discover temporal correlations among malware traits using update equations that capture short- and long-term memory. Likewise, Gu et al. introduced a semantic malware classification approach that combines Siamese networks with LSTM layers, demonstrating how capturing temporal relationships can play a crucial role in uncovering hidden or obfuscated malicious behaviors⁴⁹. The GRU output Inline graphic shows dynamic relationships in the input feature sequence u. Linearly mixing SimCLR and GRU outputs:

In SimCLR-GRU, high-level semantic representations and learnt temporal patterns are combined. This fusion produces richer feature embeddings that better represent malware’s structure and behaviour, enhancing classification accuracy and resilience.

Swarm-based optimization of SimCLR-GRU

The Fish School Search (FSS) technique optimized critical hyperparameters to improve the SimCLR-GRU ensemble’s malware detection⁵⁰. Before applying FSS, SimCLR and GRU baseline values were chosen based on existing research, empirical heuristics, and first testing. SimCLR’s temperature parameter ( Inline graphic ) was set to 0.5, a standard contrastive learning value that balances separation and similarity sensitivity. The projection head dimension was 128, and the batch size was 256, which enabled steady representation learning with low memory utilization. Similarly, Hleveraged unsupervised federated hypernetworks to detect anomalies in multivariate time-series data, highlighting the effectiveness of decentralized optimization techniques for high-dimensional and evolving patterns^51,52. The first GRU setup included 64 hidden units, ReLU activation, and a 0.001 learning rate. These selections are prevalent in sequential data processing and produce reliable convergence throughout early testing. Starting with these initial parameters, the FSS algorithm quickly searched hyperparameter space to minimize loss and optimize classification performance. FSS increased SimCLR-GRU ensemble accuracy, convergence speed, and flexibility by concurrently modifying SimCLR and GRU settings. Fish School Search (FSS) used 30 virtual fish to represent candidate hyperparameters. The search space included GRU learning rate, hidden unit count, SimCLR temperature ( Inline graphic ), and ensemble fusion weight (). Our method converged when any of these criteria were met: (i) 100 iterations were achieved, or (ii) the best solution did not improve for 15 iterations (early ending). FSS was chosen above other metaheuristics because of its minimal weight and quick convergence. Its easy vector operations and lack of gradient computations make it ideal for pre-training hyperparameter tuning. In our tests, FSS searched on an NVIDIA RTX 2080 GPU and 32 GB RAM PC in under three minutes. Offline optimization does not increase runtime costs during model deployment. Figure 6 illustrates the swarm-based tuning procedure.

A search space was constructed during optimization for each SimCLR and GRU hyperparameter. The Si mCLR experiment included varying the temperature parameter ( Inline graphic ) from 0.1 to 1.0, the projection head size from 64 to 256, and the learning rate from 0.0001 to 0.01. GRU explored 32–256 hidden units and changed the learning rate from 0.0001 to 0.01. The ensemble fusion coefficient () was also tuned between [0.1, 0.9] to manage the weighted combination of SimCLR and GRU outputs. These parameter ranges were chosen based on empirical investigations, neural architecture tuning techniques, training time and model complexity limitations.

Performance evaluation

This study used various well-acknowledged performance measures to assess the efficacy of the proposed SimCLR-GRU system. Given the skewed character of malware detection datasets, these measures provide a thorough knowledge of the model’s predictive capacity. Our study guarantees a fair assessment of the suggested approach, thereby evaluating the dependability and resilience of both aspects. Accura cy measures the overall correctness of predictions and is defined as:

Precision measures the true malicious count among the samples predicted as malware:

Recall, also referred to as sensitivity, shows the model’s degree of genuine malware instance capture:

The harmonic mean of Precision and Recall, the F1-Score, balances false positives and false negatives:

To evaluate performance in the presence of class imbalance, we use the Matthews Correlation Coefficient (MCC), which takes into account all correct and incorrect predictions:

where Inline graphic , , , and .

Finally, Cohen’s Kappa statistic measures the level of agreement between the predicted and true classes, correcting for agreement by chance, and is computed as:

Cohen’s Kappa is denoted by Inline graphic ; the observed agreement rate between projected and actual classifications is ; the anticipated agreement rate resulting from random chance is . Particularly in cases of skewed class distributions and real-world fluctuation in malware data, these measures taken together provide a consistent and complete evaluation of the accuracy, dependability, and resilience of the SimCLR-GRU model.

Simulation results

To fulfil the research objective, the framework is simulated in a controlled environment using the Anaconda Spyder IDE and the Python programming language. Various packages, such as pandas and TensorFlow, are employed for data manipulation and training. Initially, the data is loaded into the IDE environment, and the preprocessing step is performed. Table 2 shows the top 40 selected features among 127.

Table 2.

Features selected by GNNS.

Group 1	Group 2	Group 3	Group 4
e_cblp	e_cp	e_minalloc	e_maxalloc
e_sp	e_ip	e_ovno	e_oemid
e_oeminfo	e_lfanew	SizeOf Optional Header	Characteristics
Magic	Major LinkerVersion	Minor Linker Version	SizeOfCode
Address Of EntryPoint	BaseOfCode	ImageBase	Section Alignment
File Alignment	MajorOperating SystemVersion	MinorOperating SystemVersion	Major ImageVersion
Minor ImageVersion	MajorSub systemVersion	Minor SubsystemVersion	SizeOfHeaders
CheckSum	SizeOfImage	Subsystem	Dll Characteristics
SizeOf StackReserve	SizeOf HeapReserve	SizeOf HeapCommit	NumberOf RvaAndSizes
Suspicious Import Functions	Section MinEntropy	Section MinRawsize	SectionMin Virtualsize

Open in a new tab

Figure 7 displays the correlation matrix heatmap of the 10 selected characteristics for malware identification. Each heatmap box shows the correlation between two attributes ranging from -1 to 1. A high correlation (near 1) suggests a direct association, whereas a negative correlation (closer to -1) indicates a reversal relationship. Colour intensity and category values show these relationships’ magnitude and pattern. This examination reveals the relationships between chosen characteristics and their possible variability or reliance. Figure 7 illustrates the top 10 PE file header attribute correlation matrix. Many malware developers target or manipulate these low-level executable structural elements. The last page’s bytes and the file’s 512-byte pages are often changed in packed or disguised malware. Anomalies in e_cparhdr may indicate paragraph header size modification. Malware may use atypical memory demands, such as e_minalloc and e_maxalloc, to escape detection or alter runtime behaviour. Stack and instruction pointers (e_sp and e_ip) control program execution and may be modified by malicious code. Malware may employ unused fields like e_ovno, e_oemid, and e_oeminfo to conceal data or confuse analysis tools. Understanding these variables’ relationships helps find unusual patterns that signal malevolent conduct and choose features for classification.

Fig. 7 — Correlation matrix of the selected features.

The comparative relevance of the top 10 chosen characteristics in the dataset can be seen in Fig. 8. This visualization provides information about the relative significance of each attribute within the context of the examined data. The feature importance numbers, shown in the figure, indicate how much each of these attributes influences the algorithm’s overall accuracy in predicting the characteristics of the dataset that is being examined. The graphical representation of feature importance provides an essential perspective for evaluating the value and impact of individual features, assisting in identifying which variables within the data contribute more heavily to the observed trends.

Table 3 compares SimCLR-GRU-FSS against different baseline classifiers on the PE malware dataset. SimCLR -GRU-FSS has the greatest ROC (0.976), AUC (0.982), F1-Score (0.968), Precision (0.957), Accuracy (99%), MCC (0.97), Recall (0.97), and Log Loss (0.07). Traditional approaches like CNN and SVM-GS perform poorly, with ROC values of 0.609 and 0.620 and accuracies of 75.2% and 69.7%. DenseN et and AutoEncoders perform better than other advanced models, with AUC values of 0.927 and 0.942 and accuracies of 87.6% and 87.8%. Their accuracy and MCC results are much lower than those of SimCLR-GRU-FSS, demonstrating its strong ability to categorize benign and malicious samples. This detailed investigation shows that SimCLR-GRU-FSS is better at identifying malware than previous approaches, making it suitable for cybersecurity deployments.

Table 3.

Performance assessment on PE malware data.

Techniques	Precision	MCC	AUC	Recall	Accuracy	ROC	Log Loss	F1-Score
ENS-IDS	0.867	0.868	0.884	0.889	0.867	0.871	0.654	0.867
DenseNet¹⁸	0.842	0.808	0.927	0.881	0.876	0.887	0.275	0.888
AutoEncoders²⁵	0.857	0.816	0.942	0.891	0.878	0.899	0.255	0.891
MadrasNet	0.768	0.741	0.768	0.789	0.789	0.784	0.911	0.70
Random Forest²⁷	0.631	0.382	0.732	0.631	0.724	0.675	1.076	0.701
DroidEncoder²⁹	0.764	0.505	0.788	0.767	0.789	0.784	0.99	0.777
LSTM	0.589	0.332	0.691	0.580	0.803	0.632	1.257	0.609
SVM-GS¹⁵	0.812	0.745	0.890	0.848	0.860	0.845	0.381	0.839
AlexNet¹⁵	0.805	0.730	0.875	0.832	0.848	0.833	0.405	0.822
ENS-IDS¹⁷	0.690	0.520	0.767	0.701	0.800	0.712	0.950	0.710
MTC-MAE²⁸	0.89	0.938	0.91	0.924	0.92	0.89	0.88	0.27
GA-mADAM-IIoT³²	0.752	0.670	0.834	0.780	0.855	0.792	0.710	0.784
IMCMK-CNN³⁹	0.882	0.825	0.942	0.915	0.900	0.915	0.240	0.908
GENOME (RF/LR)⁴⁰	0.830	0.780	0.902	0.860	0.880	0.870	0.320	0.865
SimCLR-GRU-FSS (Ours)	0.957	0.970	0.982	0.970	0.990	0.976	0.070	0.968

Open in a new tab

Table 4 compares SimCLR-GRU-FSS to several malware classification models, both traditional and current. These tests evaluate each model’s malware classification accuracy, consistency, reliability, and statistical significance. The Si mCLR-GRU-FSS model beats baseline techniques in most statistical metrics. It has a high Pearson’s correlation (0.642) and a Mann-Whitney score of 14.792, showing considerable distributional changes from baseline outputs. SimCLR -GRU-FSS’s Kappa value 0.975 shows its near-perfect ground truth agreement, surpassing all comparison models. These results demonstrate the method’s reliability and accuracy even with unbalanced and high-dimensional data. Although DenseNet, MadrasNet, attention model and hybrid ensembles like GA-mADAM-IIoT and IMCMK-CNN perform well, SimCLR-GRU-FSS has better statistical reliability. GNN-ba sed feature selection and contrastive-temporal modelling provide SimCLR-GRU with great statistical validity, proving its usefulness in real-world cybersecurity scenarios.

Table 4.

Statistical analysis results (average).

Techniques	Pearson’s	Mann Whitney	Kendall’s	Paired Student’s	ANOVA	Kruskal	Spearman’s	Chi-Squared	Student’s	Kappa
LSTM	0.502	10.992	0.452	1.492	4.792	10.992	0.602	13.992	1.992	0.65
MadrasNet	0.752	17.692	0.772	2.842	7.892	17.692	0.802	19.792	3.492	0.79
DNN²⁷	0.692	18.592	0.722	2.492	7.992	18.592	0.752	22.492	3.092	0.78
DenseNet¹⁸	0.582	13.692	0.532	1.792	5.892	13.692	0.672	17.092	2.392	0.71
CNN	0.462	8.992	0.402	1.192	3.892	8.992	0.572	11.592	1.592	0.58
DroidEncoder²⁹	0.722	15.892	0.732	2.492	7.192	15.892	0.752	18.192	3.092	0.76
AutoEncoders²⁵	0.462	9.492	0.402	1.292	4.092	9.492	0.572	12.192	1.692	0.64
SVM-GS¹⁵	0.688	14.892	0.702	2.312	6.692	14.892	0.728	17.492	2.792	0.74
AlexNet	0.498	11.392	0.472	1.452	5.092	11.392	0.582	13.092	1.692	0.65
ENS-IDS	0.712	15.692	0.728	2.482	6.992	15.692	0.748	18.292	3.092	0.76
Extremely Randomized Trees	0.492	10.192	0.482	1.422	4.592	10.192	0.572	12.492	1.792	0.67
Decision Tree + Adaboost¹⁹	0.482	9.892	0.472	1.342	4.492	9.892	0.562	12.092	1.692	0.66
MTC-MAE²⁸	0.728	16.192	0.742	2.612	7.192	16.192	0.762	18.692	3.192	0.77
LightGBM	0.622	14.492	0.682	2.162	6.392	14.492	0.712	17.092	2.592	0.74
Logistic Regression	0.472	8.692	0.452	1.212	4.292	8.692	0.532	10.492	1.492	0.63
Obfuscated ML (MemDump)³¹	0.622	13.292	0.582	1.622	5.392	13.292	0.642	16.092	2.192	0.72
GA-mADAM-IIoT³²	0.672	14.392	0.692	2.362	6.792	14.392	0.742	17.392	2.992	0.73
Modified GA + LSTM³³	0.702	15.892	0.722	2.492	7.092	15.892	0.762	18.092	3.092	0.75
ResNet-ViT³⁴	0.742	17.092	0.752	2.692	7.492	17.092	0.792	19.092	3.392	0.76
HGDetector³⁷	0.732	16.492	0.742	2.792	7.292	16.492	0.782	18.792	3.092	0.77
LGBM (with PCA & Scaling)³⁸	0.712	15.092	0.722	2.492	6.792	15.092	0.762	17.492	2.992	0.75
IMCMK-CNN³⁹	0.762	17.492	0.782	2.892	7.692	17.492	0.802	19.492	3.592	0.78
GENOME (RF/LR)⁴⁰	0.742	16.892	0.762	2.782	7.392	16.892	0.792	18.392	3.292	0.77
SimCLR-GRU-FSS (Ours)	0.642	14.792	0.672	1.992	6.292	14.792	0.712	18.292	2.592	0.975

Open in a new tab

Figure 11 compares the SimCLR-GRU-FSS model’s detection performance to state-of-the-art approaches using ROC curves. The RO C analysis shows the conflict between the True Positive Rate (TPR) and False Positive Rate (FPR) and each classifier’s discriminating capacity. The Si mCLR-GRU-FSS model has the maximum TPR even at low FPR values, indicating its resistance to false alarms. This is shown by its 98.8% Area Under the Curve (AUC), which outperforms DenseNet, ENS-IDS, SVM-GS, MadrasNet AutoEncoders, and standard machine learning algorithms. SimCLR -GRU-FSS’s ability to effectively identify malware threats makes it ideal for real-time cybersecurity settings where reduced false positives and increased detection sensitivity are crucial.

Fig. 11 — Execution time analysis (average).

Table 5 compares SimCLR-GRU model performance before and after GNN-based feature selection. The model obtained 86.0% accuracy, 84.2% F1-score, and 86.1% AUC when trained on the complete set of 127 characteristics. Feature redundancy and noise affect these middling outcomes. Following GNN-based selection to focus on 40 structurally relevant features, the SimCLR-GRU model improved across all measures, achieving 99.0% accuracy, 97.8% F1-score, and 98.8% AUC. These results demonstrate that the GNN-based selection procedure saves computing costs and improves model generalization and prediction by removing irrelevant or weakly informative features.

Table 5.

Performance comparison before and after GNN-based feature selection.

Metric	Before GNN Selection	After GNN Selection (SimCLR-GRU)
Accuracy	86.0%	99.0%
F1-Score	84.2%	97.8%
AUC	86.1%	98.8%
Precision	82.9%	95.7%
Recall	85.6%	97.0%
Log Loss	0.41	0.07

Open in a new tab

Figure 9 shows the ROC curve having the most significant AUC for the SimCLR-GRU Model. Based on this ROC figure, the Si mCLR-GRU-FSS model surpasses all models examined when identifying between malware and regular conditions. This finding is derived using the ROC curves; a higher AUC implies more remarkable selective ability-The approach with the highest AUC is most effective in this scenario.

Figure 10 demonstrates an evaluation of the confusion matrix between the proposed model and the different methods covered in previous studies. In particular, our novel approach improves malware detection accuracy over conventional approaches and maintains quicker processing times, which is essential to timely response in real-world scenarios. Our methodology’s efficient handling of PE processing constitutes one of its key characteristics. This study provides faster and more effective malware identification thanks to our effective reduction of the overall processing rate. This is accomplished by improving the process of collecting data from Windows programs and shortening the time necessary to analyze the system.

Fig. 10 — Comparison of confusion matrix.

The average execution time (in seconds) per epoch for classical machine learning models, deep learning architectures, hybrid detection frameworks, and SimCLR-GRU-FSS system is shown in Fig. 11. Real-world, time-sensitive malware detection systems depend on model training computation cost (execution time). Every model takes longer than SimCLR-GRU-FSS, which averages 138 seconds. GNN-selected features reduce input space dimensionality and training computation. Self-supervised contrastive learning with SimCLR accelerates feature representation learning with pretext tasks and removes human labelling. Deep models like DenseNet, SVM-GS, and droidEncoder train in 600–900 seconds/epoch. Deeper and more complicated convolutional layers use more parameter space and memory, lengthening periods. Due to their larger convolutional stacks and graph-based embeddings, hybrid approaches like IMCMK-CNN and HGDetector take 600–750 seconds per epoch with multi-scale kernels or fused behavioural features. At 700 seconds, ResNet-ViT and Obfuscated ML (MemDump) demonstrate attention mechanism and memory-based analytical resource needs. Ensemble machine learning algorithms like XGBoost, LightGBM, and Extremely Randomized Trees have reasonable training durations (250–500 seconds). Still, they cannot capture temporal relationships or latent semantic representations of malware activity, limiting their detection usefulness. Fast ( 250 seconds) Logistic Regression and Decision Tree fail to generalize on unknown and obscure data. SimCLR-GRU-FSS enhances computation and detection. It handles additional datasets without the exponential execution time increase of deeper models due to its simplified design. Fish School Search (FSS) optimization guides hyperparameter search to optimum configurations with fewer iterations, accelerating training convergence. SimCLR-GRU-FSS is appropriate for edge computing, corporate security appliances, and real-time detection systems that need speed and accuracy. SimCLR-GRU-FSS’s good performance shows its versatility as a lightweight yet powerful malware detection system that can overcome several operational restrictions.

Table 6 compares training and inference times for all models researched. SimCLR-GRU-FSS beats ENS-IDS, MadrasNet, and DenseNet with 3.7 ms per 1,000 samples inference time. Real-time malware detection in installations demands fast inference. DenseNet (16.5 s) and droidEncoder (15.3 s) train each epoch slower than SimCLR-GRU-FSS (8.9 seconds). SimCLR-GRU hybrid architecture is lightweight and efficient, and GNN-based feature selection reduces input dimensionality. These results demonstrate that SimCLR-GRU-FSS is accurate and efficient, making it appropriate for fast, reliable real-world applications.

Table 6.

Training and inference time comparison across models.

Model	Avg. Training Time (sec/epoch)	Inference Time (ms per 1000 samples)
MadrasNet	9.8	4.2
Random Forest²⁷	6.7	4.3
CNN	10.2	5.0
LSTM	12.9	6.4
driod encoder	13.4	5.4
DenseNet¹⁸	16.5	5.6
AutoEncoders²⁵	13.7	5.8
Inception-v3	18.1	7.2
SVM-GS¹⁵	6.2	4.2
ENS-IDS	7.8	4.9
Extremely Randomized Trees	4.3	3.9
Optimized Decision Tree with AdaBoost¹⁹	3.1	3.7
MTC-MAE²⁸	17.2	6.6
LightGBM	5.1	3.8
Logistic Regression	2.9	3.2
Obfuscated ML (MemDump)³¹	7.4	5.2
GA-mADAM-IIoT³²	10.5	4.4
Modified GA + LSTM³³	11.7	5.1
ResNet-ViT³⁴	17.8	6.8
HGDetector³⁷	13.9	5.6
LGBM (with PCA & Scaling)³⁸	5.2	3.7
IMCMK-CNN³⁹	14.6	5.3
GENOME (RF/LR)⁴⁰	6.1	3.5
SimCLR-GRU-FSS (Ours)	8.9	3.7

Open in a new tab

Conclusion and future work

This research investigated Hybrid and Soslo methods for dynamic cybersecurity malware detection. SimCLR -GRU, an adaptive, lightweight architecture that integrates SimCLR for self-supervised feature learning, GRU for sequential behaviour modelling, GNNs for feature selection, and FSS for efficient hyperparameter tuning, was developed to address the limitations of traditional ML-based methods. SimCLR-GRU achieves 99% classification accuracy and outperforms baseline models by an average margin of 15% in experiments. These enhancements fulfil the primary aims of the research by validating SimCLR-GRU as a strong system capable of accurately and efficiently detecting sophisticated malware with few false positives. This makes it ideal for enterprise-level endpoint security, cloud-based threat analysis, and healthcare or financial systems that need fast and precise reactions. When resources are limited, such as on Internet of Things (IoT) devices or edge computing platforms, SimCLR-GRU may still do its work. GNN-based dimensionality reduction speeds training and decreases computational cost, supporting the framework’s scalability. SimCLR improves generalization on big, unlabeled datasets, whereas GRU detects complicated or staged malware. For real-time cybersecurity applications, SimCLR-GRU is excellent because its components enable it to grow horizontally and vertically for more significant datasets and complex threat patterns.

While the SimCLR-GRU framework shows strong potential in accurately detecting malware, a few limitations deserve attention. Although the model performs efficiently during inference, its training phase can introduce moderate computational overhead due to the combination of SimCLR, GRU, and FSS components-mainly when applied to large or continuous data streams. Moreover, since SimCLR-GRU has been developed and tested on static PE malware datasets, its adaptability to other formats, such as memory dumps, Android applications, or dynamic execution logs, has yet to be evaluated. The mo del’s interpretability and ease of deployment in distributed or resource-constrained environments also present areas for future improvement. To address these challenges, we plan to investigate explainable AI techniques, behavioural malware analysis, and federated learning approaches to improve transparency, robustness, and scalability. Despite these limitations, SimCLR-GRU offers a strong and flexible foundation for building next-generation malware detection systems that can evolve with the threat landscape.

Acknowledgements

This work was funded by the University of Jeddah, Jeddah, Saudi Arabia, under grant No. (UJ-23-SRP-11). The authors, therefore, acknowledge with thanks the University of Jeddah for its technical and financial support.

Author contributions

Conceptualization, Abdulwahab Almazroi; Data curation, N.Z; Formal analysis, Abdulwahab Almazroi and Walid Atwa; Funding acquisition, Faisal Alsubaei; Investigation, Abdulaleem Almazroi, Nasir Ayub and N.Z; Methodology, Faisal Alsubaei, Abdulwahab Almazroi, Nasir Ayub and N.Z; Project administration, Abdulwahab Almazroi; Resources, Faisal Alsubaei, Walid Atwa and Nasir Ayub; Software, Walid Atwa and N.Z; Supervision, N.Z; Validation, Abdulaleem Almazroi; Visualization, Walid Atwa; Writing – original draft, Faisal Alsubaei; Writing – review & editing, Abdulwahab Almazroi, Abdulaleem Almazroi and Nasir Ayub. All authors have read and agreed to the published version of the manuscript.

Data availability

The data used in this study is publicly available at https://www.kaggle.com/datasets/amauricio/pe-files-malwares/data.

Declarations

Competing interests

The authors declare no competing interests.

Footnotes

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Change history

1/11/2026

The original online version of this Article was revised: In the original version of this Article the names for Affiliation 1, 2 and 3 were incorrect. The correct Affiliation names are given here: ‘Department of Cybersecurity, College of Computer Science and Engineering, University of Jeddah, Jeddah, 21959, Saudi Arabia’, ‘College of Computing and Information Technology at Khulais, Department of Information Technology, University of Jeddah, Jeddah, 21959, Saudi Arabia’ and ‘Department of Information Technology, Faculty of Computing and Information Technology in Rabigh, King Abdulaziz University, Rabigh, 21911, Saudi Arabia’.

References

1.Falowo, O. I., Ozer, M., Li, C. & Abdo, J. B. Evolving malware & ddos attacks: Decadal longitudinal study. IEEE Access (2024).
2.Qureshi, S. U. et al. Systematic review of deep learning solutions for malware detection and forensic analysis in iot. J.King Saud Univ. Inf. Sci. 102164 (2024).
3.Iakovakis, G., Xarhoulacos, C. G., Giovas, K. & Gritzalis, D. Analysis and classification of mitigation tools against cyberattacks in covid-19 era. Secur. Commun. Networks2021, 1–21 (2021). [Google Scholar]
4.Owoh, N. et al. Malware detection based on api call sequence analysis: a gated recurrent unit-generative adversarial network model approach. Futur. Internet16, 369 (2024). [Google Scholar]
5.Almazroi, A. A. & Ayub, N. Enhancing smart iot malware detection: A ghostnet-based hybrid approach. Systems11, 547 (2023). [Google Scholar]
6.Nilupul, S. Evolution and impact of malware: A comprehensive analysis from the first known malware to modern-day cyber threats. Cyber Secur. (2024).
7.Almazroi, A. A. Survival prediction among heart patients using machine learning techniques. Math. Biosci. Eng.19, 134–145 (2022). [DOI] [PubMed] [Google Scholar]
8.Islam, R., Ferdous, J., Mahboubi, A. & Islam, Z. A survey on ml techniques for multi-platform malware detection: Securing pc, mobile devices, iot, and cloud environments. Sensors (Switzerland)25 (2025). [DOI] [PMC free article] [PubMed]
9.Ahmad, I., Alqarni, M. A., Almazroi, A. A. & Tariq, A. Experimental evaluation of clickbait detection using machine learning models. Intell. Autom. Soft. Comput.26, 1335–1344 (2020). [Google Scholar]
10.Maniriho, P., Mahmood, A. N. & Chowdhury, M. J. M. Memaldet: A memory analysis-based malware detection framework using deep autoencoders and stacked ensemble under temporal evaluations. Comput. Secur.142, 103864 (2024). [Google Scholar]
11.Al Hwaitat, A. K. et al. Overview of mobile attack detection and prevention techniques using machine learning. Int. J.Interact. Mob. Technol.18 (2024).
12.Liu, X., Liu, P., Yang, B. & Chen, Y. One multi-receiver certificateless searchable public key encryption scheme for iomt assisted by llm. J. Inf. Secur. Appl.90, 104011. 10.1016/j.jisa.2025.104011 (2025). [Google Scholar]
13.Xu, G. et al. Cbrfl: A framework for committee-based byzantine-resilient federated learning. J. Netw. Comput. Appl.238, 104165. 10.1016/j.jnca.2025.104165 (2025). [Google Scholar]
14.Dabas, N., Ahlawat, P. & Sharma, P. An effective malware detection method using hybrid feature selection and machine learning algorithms. Arab. J. for Sci. Eng.48, 9749–9767 (2023). [Google Scholar]
15.Ahmed, M., Afreen, N., Ahmed, M., Sameer, M. & Ahamed, J. An inception v3 approach for malware classification using machine learning and transfer learning. Int. J. Intell. Networks4, 11–18 (2023). [Google Scholar]
16.Abdulazeez, F. A., Ahmed, I. T. & Hammad, B. T. Examining the performance of various pretrained convolutional neural network models in malware detection. Appl. Sci.14, 2614 (2024). [Google Scholar]
17.Kumar, V., Wahi, C., Sagar, B. B. & Manjul, M. Ensemble learning based intrusion detection for wireless sensor network environment. Int. J. Perform. Eng.20 (2024).
18.Khalid, C. & El Hakouni, R. Advancing malware classification with hybrid deep learning: A comprehensive analysis using densenet and lstm. In The Art of Cyber Defense, 25–39 (CRC Press, 2024).
19.Jones, A. & Omar, M. Optimized decision trees to detect iot malware. In 2023 Congress in Computer Science, Computer Engineering, & Applied Computing (CSCE), 1761–1765 (IEEE, 2023).
20.Choi, S., Bae, J., Lee, C., Kim, Y. & Kim, J. Attention-based automated feature extraction for malware analysis. Sensors20, 2893 (2020). [DOI] [PMC free article] [PubMed] [Google Scholar]
21.Deng, X., Cen, M., Jiang, M. & Lu, M. Ransomware early detection using deep reinforcement learning on portable executable header. Clust. Comput.27, 1867–1881 (2024). [Google Scholar]
22.Al-Khshali, H. H. & Ilyas, M. Impact of portable executable header features on malware detection accuracy. Comput. Mater. Contin.75 (2023).
23.Ijaz, A. et al. Innovative machine learning techniques for malware detection. J. Comput. & Biomed. Informatics7, 403–424 (2024). [Google Scholar]
24.Faiz, A., Fuzail, M., Aftab, A., Aslam, N. & Akbar, A. J. A multimodal machine learning approach for android malware detection: Static code analysis. Int. J. Inf. Syst. Comput. Technol.4, 20–35 (2024). [Google Scholar]
25.Thakur, P., Kansal, V. & Rishiwal, V. Hybrid deep learning approach based on lstm and cnn for malware detection. Wirel.Pers. Commun.136, 1879–1901 (2024). [Google Scholar]
26.Wang, Y. & Jia, S. Madras-net: A deep learning approach for detecting and classifying android malware using linknet. Meas. Sensors33, 101113 (2024).
27.Syeda, D. Z. & Asghar, M. N. Dynamic malware classification and api categorisation of windows portable executable files using machine learning. Applied Sciences14, 1015 (2024). [Google Scholar]
28.Xu, K. et al. Self-supervised learning malware traffic classification based on masked autoencoder. IEEE Internet Things J.11, 17330–17340 (2024). [Google Scholar]
29.Bakir, H. & Bakir, R. Droidencoder: Malware detection using auto-encoder based feature extractor and machine learning algorithms. Comput. Electr. Eng.110, 108804 (2023). [Google Scholar]
30.Tang, D. et al. A low-rate dos attack mitigation scheme based on port and traffic state in sdn. IEEE Transactions Comput. 1–13, 10.1109/TC.2025.3541143 (2025).
31.Hossain, M. A. & Islam, M. S. Enhanced detection of obfuscated malware in memory dumps: a machine learning approach for advanced cybersecurity. Cybersecurity7, 16 (2024). [Google Scholar]
32.Saheed, Y. K., Omole, A. I. & Sabit, M. O. GA-mADAM-IIoT: A new lightweight threats detection in the industrial IoT via genetic algorithm with attention mechanism and LSTM on multivariate time series sensor data. Sensors Int.6, 100297 (2025). [Google Scholar]
33.Saheed, Y. K., Abdulganiyu, O. H. & Tchakoucht, T. A. Modified genetic algorithm and fine-tuned long short-term memory network for intrusion detection in the internet of things networks with edge capabilities. Appl. Soft Comput.155, 111434 (2024). [Google Scholar]
34.Abdulganiyu, O. H., Tchakoucht, T. A. & Saheed, Y. K. Towards an efficient model for network intrusion detection system (ids): systematic literature review. Wirel. Networks30, 453–482 (2024). [Google Scholar]
35.Yang, J. et al. Llm-ae-mp: Web attack detection using a large language model with autoencoder and multilayer perceptron. Expert. Syst. with Appl.274, 126982 (2025). [Google Scholar]
36.Dai, Z. et al. An intrusion detection model to detect zero-day attacks in unseen data using machine learning. PloS one19, e0308469 (2024). [DOI] [PMC free article] [PubMed] [Google Scholar]
37.Feng, J., Shen, L., Chen, Z., Lei, Y. & Li, H. Hgdetector: A hybrid android malware detection method using network traffic and function call graph. Alex. Eng. J.114, 30–45 (2025). [Google Scholar]
38.Hasan, R. et al. Enhancing malware detection with feature selection and scaling techniques using machine learning models. Sci. Rep.15, 9122 (2025). [DOI] [PMC free article] [PubMed] [Google Scholar]
39.Zhang, D., Song, Y., Xiang, Q. & Wang, Y. Imcmk-cnn: A lightweight convolutional neural network with multi-scale kernels for image-based malware classification. Alex. Eng. J.111, 203–220 (2025). [Google Scholar]
40.Choi, S. H. & Park, K. W. Genome: Genetic encoding for novel optimization of malware detection and classification in edge computing. Comput. Mater. & Continua82 (2025).
41.Chen, C., Cui, J., Qu, G. & Zhang, J. Write+sync: Software cache write covert channels exploiting memory-disk synchronization. IEEE Transactions on Inf. Forensics Secur.19, 8066–8078. 10.1109/TIFS.2024.3414255 (2024). [Google Scholar]
42.Malware dataset. Kaggle, Available: https://www.kaggle.com/datasets/amauricio/pe-files-malwares/data. Last accessed: 07-01-2024.
43.Chauhan, A., Ailawalia, P., & Mehra, C. (2024). Advancements in Automated Malware Analysis Techniques: A Comprehensive Study. Grenze International Journal of Engineering & Technology (GIJET), 10
44.Chawla, N. V., Bowyer, K. W., Hall, L. O. & Kegelmeyer, W. P. Smote: synthetic minority over-sampling technique. Journal of artificial intelligence research16, 321–357 (2002). [Google Scholar]
45.Corso, G., Stark, H., Jegelka, S., Jaakkola, T. & Barzilay, R. Graph neural networks. Nat. Rev. Methods Primers4, 17 (2024). [Google Scholar]
46.Zhang, J. et al. Grabphisher: Phishing scams detection in ethereum via temporally evolving gnns. IEEE Transactions onServ. Comput.17, 3727–3741. 10.1109/TSC.2024.3411449 (2024). [Google Scholar]
47.Zhang, Y., Wu, R., Dascalu, S. M., & Harris Jr, F. C. A novel extreme adaptive GRU for multivariate time series forecasting. Scientific Reports, 14(1), 2991 (2024). [DOI] [PMC free article] [PubMed]
48.Li, C., Li, F., Zhang, L., Yang, A., Hu, Z., & He, M. Intrusion detection for industrial control systems based on improved contrastive learning SimCLR. Applied Sciences, 13(16), 9227 (2023).
49.Gu, X. et al. Simalstm-snp: novel semantic relatedness learning model preserving both siamese networks and membrane computing. J. Supercomput.80, 3382–3411. 10.1007/s11227-023-05592-7 (2024). [Google Scholar]
50.Zhang, W., Zhao, J., Liu, H. & Tu, L. Cleaner fish optimization algorithm: a new bio-inspired meta-heuristic optimization algorithm. J. Supercomput.80, 17338–17376 (2024). [Google Scholar]
51.Hao, J., Chen, P., Chen, J. & Li, X. Effectively detecting and diagnosing distributed multivariate time series anomalies via unsupervised federated hypernetwork. Inf. Process. Manag.62, 104107. 10.1016/j.ipm.2025.104107 (2025). [Google Scholar]
52.Bohang, L. et al. Image steganalysis using active learning and hyperparameter optimization. Sci. Rep.15, 7340 (2025). [DOI] [PMC free article] [PubMed] [Google Scholar]

Associated Data

This section collects any data citations, data availability statements, or supplementary materials included in this article.

Data Availability Statement

The data used in this study is publicly available at https://www.kaggle.com/datasets/amauricio/pe-files-malwares/data.

[CR1] 1.Falowo, O. I., Ozer, M., Li, C. & Abdo, J. B. Evolving malware & ddos attacks: Decadal longitudinal study. IEEE Access (2024).

[CR2] 2.Qureshi, S. U. et al. Systematic review of deep learning solutions for malware detection and forensic analysis in iot. J.King Saud Univ. Inf. Sci. 102164 (2024).

[CR3] 3.Iakovakis, G., Xarhoulacos, C. G., Giovas, K. & Gritzalis, D. Analysis and classification of mitigation tools against cyberattacks in covid-19 era. Secur. Commun. Networks2021, 1–21 (2021). [Google Scholar]

[CR4] 4.Owoh, N. et al. Malware detection based on api call sequence analysis: a gated recurrent unit-generative adversarial network model approach. Futur. Internet16, 369 (2024). [Google Scholar]

[CR5] 5.Almazroi, A. A. & Ayub, N. Enhancing smart iot malware detection: A ghostnet-based hybrid approach. Systems11, 547 (2023). [Google Scholar]

[CR6] 6.Nilupul, S. Evolution and impact of malware: A comprehensive analysis from the first known malware to modern-day cyber threats. Cyber Secur. (2024).

[CR7] 7.Almazroi, A. A. Survival prediction among heart patients using machine learning techniques. Math. Biosci. Eng.19, 134–145 (2022). [DOI] [PubMed] [Google Scholar]

[CR8] 8.Islam, R., Ferdous, J., Mahboubi, A. & Islam, Z. A survey on ml techniques for multi-platform malware detection: Securing pc, mobile devices, iot, and cloud environments. Sensors (Switzerland)25 (2025). [DOI] [PMC free article] [PubMed]

[CR9] 9.Ahmad, I., Alqarni, M. A., Almazroi, A. A. & Tariq, A. Experimental evaluation of clickbait detection using machine learning models. Intell. Autom. Soft. Comput.26, 1335–1344 (2020). [Google Scholar]

[CR10] 10.Maniriho, P., Mahmood, A. N. & Chowdhury, M. J. M. Memaldet: A memory analysis-based malware detection framework using deep autoencoders and stacked ensemble under temporal evaluations. Comput. Secur.142, 103864 (2024). [Google Scholar]

[CR11] 11.Al Hwaitat, A. K. et al. Overview of mobile attack detection and prevention techniques using machine learning. Int. J.Interact. Mob. Technol.18 (2024).

[CR12] 12.Liu, X., Liu, P., Yang, B. & Chen, Y. One multi-receiver certificateless searchable public key encryption scheme for iomt assisted by llm. J. Inf. Secur. Appl.90, 104011. 10.1016/j.jisa.2025.104011 (2025). [Google Scholar]

[CR13] 13.Xu, G. et al. Cbrfl: A framework for committee-based byzantine-resilient federated learning. J. Netw. Comput. Appl.238, 104165. 10.1016/j.jnca.2025.104165 (2025). [Google Scholar]

[CR14] 14.Dabas, N., Ahlawat, P. & Sharma, P. An effective malware detection method using hybrid feature selection and machine learning algorithms. Arab. J. for Sci. Eng.48, 9749–9767 (2023). [Google Scholar]

[CR15] 15.Ahmed, M., Afreen, N., Ahmed, M., Sameer, M. & Ahamed, J. An inception v3 approach for malware classification using machine learning and transfer learning. Int. J. Intell. Networks4, 11–18 (2023). [Google Scholar]

[CR16] 16.Abdulazeez, F. A., Ahmed, I. T. & Hammad, B. T. Examining the performance of various pretrained convolutional neural network models in malware detection. Appl. Sci.14, 2614 (2024). [Google Scholar]

[CR17] 17.Kumar, V., Wahi, C., Sagar, B. B. & Manjul, M. Ensemble learning based intrusion detection for wireless sensor network environment. Int. J. Perform. Eng.20 (2024).

[CR18] 18.Khalid, C. & El Hakouni, R. Advancing malware classification with hybrid deep learning: A comprehensive analysis using densenet and lstm. In The Art of Cyber Defense, 25–39 (CRC Press, 2024).

[CR19] 19.Jones, A. & Omar, M. Optimized decision trees to detect iot malware. In 2023 Congress in Computer Science, Computer Engineering, & Applied Computing (CSCE), 1761–1765 (IEEE, 2023).

[CR20] 20.Choi, S., Bae, J., Lee, C., Kim, Y. & Kim, J. Attention-based automated feature extraction for malware analysis. Sensors20, 2893 (2020). [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR21] 21.Deng, X., Cen, M., Jiang, M. & Lu, M. Ransomware early detection using deep reinforcement learning on portable executable header. Clust. Comput.27, 1867–1881 (2024). [Google Scholar]

[CR22] 22.Al-Khshali, H. H. & Ilyas, M. Impact of portable executable header features on malware detection accuracy. Comput. Mater. Contin.75 (2023).

[CR23] 23.Ijaz, A. et al. Innovative machine learning techniques for malware detection. J. Comput. & Biomed. Informatics7, 403–424 (2024). [Google Scholar]

[CR24] 24.Faiz, A., Fuzail, M., Aftab, A., Aslam, N. & Akbar, A. J. A multimodal machine learning approach for android malware detection: Static code analysis. Int. J. Inf. Syst. Comput. Technol.4, 20–35 (2024). [Google Scholar]

[CR25] 25.Thakur, P., Kansal, V. & Rishiwal, V. Hybrid deep learning approach based on lstm and cnn for malware detection. Wirel.Pers. Commun.136, 1879–1901 (2024). [Google Scholar]

[CR26] 26.Wang, Y. & Jia, S. Madras-net: A deep learning approach for detecting and classifying android malware using linknet. Meas. Sensors33, 101113 (2024).

[CR27] 27.Syeda, D. Z. & Asghar, M. N. Dynamic malware classification and api categorisation of windows portable executable files using machine learning. Applied Sciences14, 1015 (2024). [Google Scholar]

[CR28] 28.Xu, K. et al. Self-supervised learning malware traffic classification based on masked autoencoder. IEEE Internet Things J.11, 17330–17340 (2024). [Google Scholar]

[CR29] 29.Bakir, H. & Bakir, R. Droidencoder: Malware detection using auto-encoder based feature extractor and machine learning algorithms. Comput. Electr. Eng.110, 108804 (2023). [Google Scholar]

[CR30] 30.Tang, D. et al. A low-rate dos attack mitigation scheme based on port and traffic state in sdn. IEEE Transactions Comput. 1–13, 10.1109/TC.2025.3541143 (2025).

[CR31] 31.Hossain, M. A. & Islam, M. S. Enhanced detection of obfuscated malware in memory dumps: a machine learning approach for advanced cybersecurity. Cybersecurity7, 16 (2024). [Google Scholar]

[CR32] 32.Saheed, Y. K., Omole, A. I. & Sabit, M. O. GA-mADAM-IIoT: A new lightweight threats detection in the industrial IoT via genetic algorithm with attention mechanism and LSTM on multivariate time series sensor data. Sensors Int.6, 100297 (2025). [Google Scholar]

[CR33] 33.Saheed, Y. K., Abdulganiyu, O. H. & Tchakoucht, T. A. Modified genetic algorithm and fine-tuned long short-term memory network for intrusion detection in the internet of things networks with edge capabilities. Appl. Soft Comput.155, 111434 (2024). [Google Scholar]

[CR34] 34.Abdulganiyu, O. H., Tchakoucht, T. A. & Saheed, Y. K. Towards an efficient model for network intrusion detection system (ids): systematic literature review. Wirel. Networks30, 453–482 (2024). [Google Scholar]

[CR35] 35.Yang, J. et al. Llm-ae-mp: Web attack detection using a large language model with autoencoder and multilayer perceptron. Expert. Syst. with Appl.274, 126982 (2025). [Google Scholar]

[CR36] 36.Dai, Z. et al. An intrusion detection model to detect zero-day attacks in unseen data using machine learning. PloS one19, e0308469 (2024). [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR37] 37.Feng, J., Shen, L., Chen, Z., Lei, Y. & Li, H. Hgdetector: A hybrid android malware detection method using network traffic and function call graph. Alex. Eng. J.114, 30–45 (2025). [Google Scholar]

[CR38] 38.Hasan, R. et al. Enhancing malware detection with feature selection and scaling techniques using machine learning models. Sci. Rep.15, 9122 (2025). [DOI] [PMC free article] [PubMed] [Google Scholar]

[CR39] 39.Zhang, D., Song, Y., Xiang, Q. & Wang, Y. Imcmk-cnn: A lightweight convolutional neural network with multi-scale kernels for image-based malware classification. Alex. Eng. J.111, 203–220 (2025). [Google Scholar]

[CR40] 40.Choi, S. H. & Park, K. W. Genome: Genetic encoding for novel optimization of malware detection and classification in edge computing. Comput. Mater. & Continua82 (2025).

[CR41] 41.Chen, C., Cui, J., Qu, G. & Zhang, J. Write+sync: Software cache write covert channels exploiting memory-disk synchronization. IEEE Transactions on Inf. Forensics Secur.19, 8066–8078. 10.1109/TIFS.2024.3414255 (2024). [Google Scholar]

[CR42] 42.Malware dataset. Kaggle, Available: https://www.kaggle.com/datasets/amauricio/pe-files-malwares/data. Last accessed: 07-01-2024.

[CR43] 43.Chauhan, A., Ailawalia, P., & Mehra, C. (2024). Advancements in Automated Malware Analysis Techniques: A Comprehensive Study. Grenze International Journal of Engineering & Technology (GIJET), 10

[CR44] 44.Chawla, N. V., Bowyer, K. W., Hall, L. O. & Kegelmeyer, W. P. Smote: synthetic minority over-sampling technique. Journal of artificial intelligence research16, 321–357 (2002). [Google Scholar]

[CR45] 45.Corso, G., Stark, H., Jegelka, S., Jaakkola, T. & Barzilay, R. Graph neural networks. Nat. Rev. Methods Primers4, 17 (2024). [Google Scholar]

[CR46] 46.Zhang, J. et al. Grabphisher: Phishing scams detection in ethereum via temporally evolving gnns. IEEE Transactions onServ. Comput.17, 3727–3741. 10.1109/TSC.2024.3411449 (2024). [Google Scholar]

[CR47] 47.Zhang, Y., Wu, R., Dascalu, S. M., & Harris Jr, F. C. A novel extreme adaptive GRU for multivariate time series forecasting. Scientific Reports, 14(1), 2991 (2024). [DOI] [PMC free article] [PubMed]

[CR48] 48.Li, C., Li, F., Zhang, L., Yang, A., Hu, Z., & He, M. Intrusion detection for industrial control systems based on improved contrastive learning SimCLR. Applied Sciences, 13(16), 9227 (2023).

[CR49] 49.Gu, X. et al. Simalstm-snp: novel semantic relatedness learning model preserving both siamese networks and membrane computing. J. Supercomput.80, 3382–3411. 10.1007/s11227-023-05592-7 (2024). [Google Scholar]

[CR50] 50.Zhang, W., Zhao, J., Liu, H. & Tu, L. Cleaner fish optimization algorithm: a new bio-inspired meta-heuristic optimization algorithm. J. Supercomput.80, 17338–17376 (2024). [Google Scholar]

[CR51] 51.Hao, J., Chen, P., Chen, J. & Li, X. Effectively detecting and diagnosing distributed multivariate time series anomalies via unsupervised federated hypernetwork. Inf. Process. Manag.62, 104107. 10.1016/j.ipm.2025.104107 (2025). [Google Scholar]

[CR52] 52.Bohang, L. et al. Image steganalysis using active learning and hyperparameter optimization. Sci. Rep.15, 7340 (2025). [DOI] [PMC free article] [PubMed] [Google Scholar]

PERMALINK

Adaptive malware identification via integrated SimCLR and GRU networks

Faisal S Alsubaei

Abdulwahab Ali Almazroi

Walid Said Atwa

Abdulaleem Ali Almazroi

Nasir Ayub

N Z Jhanjhi

Abstract

Introduction

Fig. 1.

Related work

Table 1.

Problem statement

Proposed system framework

Fig. 2.

Data set description

Fig. 3.

Data preprocessing

Fig. 4.

Feature extraction using Graph Neural Networks (GNNs)

Classification with SimCLR-GRU

Fig. 5.

Swarm-based optimization of SimCLR-GRU

Fig. 6.

Performance evaluation

Simulation results

Table 2.

Fig. 7.

Fig. 8.

Table 3.

Table 4.

Fig. 11.

Table 5.

Fig. 9.

Fig. 10.

Table 6.

Conclusion and future work

Acknowledgements

Author contributions

Data availability

Declarations

Competing interests

Footnotes

References

Associated Data

Data Availability Statement

ACTIONS

PERMALINK

RESOURCES

Similar articles

Cited by other articles

Links to NCBI Databases