Malware_Image_Classification_Using_ML_DL (1)

The document discusses malware image classification using machine learning and deep learning techniques, emphasizing the importance of classifying malicious software due to the increasing sophistication of malware attacks. It reviews various pre-trained models such as ResNet, InceptionNet, VGGNet, and DenseNet, detailing their architectures and advantages for image classification tasks. Additionally, it presents several datasets used for training and testing, including the MalImg and Microsoft Big 2015 datasets, and highlights recent literature and approaches in the field.

Uploaded by

Manan Patel
Malware Image Classification Using Machine Learning And Deep Learning Techniques
Manan Patel, Nirma University

Abstract—The abstract goes here.
Index Terms—Malware Image Classification, ML/DL Techniques, Image Classification

I. INTRODUCTION
Malware image classification is a crucial task in the field of computer security, as it involves identifying and categorizing malicious software into different classes based on behavior and functionality. Because malware attacks are becoming ever more sophisticated and common, this work is crucial, and traditional signature-based detection methods are becoming less effective in keeping up with the evolving threat landscape. With the advancement of deep learning techniques, it has become possible to leverage computer vision algorithms to automatically classify malware images into various categories, such as Trojans, worms, viruses, and spyware. These techniques have shown promising results in detecting malware in an efficient and scalable manner, without requiring prior knowledge of the specific signatures of each malware family.
There are several pre-trained deep learning models that can be used for malware image classification. Some of the most popular ones are:
1) ResNet
2) InceptionNet
3) VGGNet
4) DenseNet

A. ResNet
ResNet is a deep neural network architecture that has been trained on large image datasets, such as ImageNet, using a technique called supervised learning. The weights and biases of the network have been optimized to perform well on a specific task, such as image classification, by minimizing a loss function. The pre-trained ResNet model can be used as a starting point for new image recognition tasks, as the lower layers of the network have learned to detect low-level features like edges and corners that are common to many different types of images. This can speed up the training process and improve the model's overall performance.

ResNet also introduces the idea of "bottleneck layers," which are used to reduce the number of parameters in the network. A bottleneck layer is made up of a 1x1 convolutional layer, a 3x3 convolutional layer, and a subsequent 1x1 convolutional layer (which increases the number of channels back to the original value). Pre-trained ResNet models are often offered in a range of configurations, with differing numbers of layers and levels of complexity. These models may be improved by retraining the network's higher layers on a fresh dataset with a lower learning rate, or used as fixed feature extractors to provide image features for subsequent tasks like object identification or image captioning.

Fig. 1. ResNet Architecture

There are several different versions of the ResNet architecture, ranging from ResNet-18, which has 18 layers, to ResNet-152, which has 152 layers. The deeper versions of ResNet are capable of achieving higher accuracy on image classification tasks, but they require more computational resources and may be more difficult to train.

B. InceptionNet
InceptionNet is a deep convolutional neural network (CNN) architecture developed for image classification applications. It was initially presented by Google researchers in 2014 and has since become one of the most widely used CNN designs. The basic idea behind InceptionNet is to use multiple levels of feature extraction in parallel to capture different aspects of the input image, and then concatenate the resulting feature maps to form a single, high-dimensional representation that can be used for classification. This is achieved by using a series of "inception" modules, which consist of multiple convolutional and pooling
layers arranged in a parallel fashion.

The InceptionNet architecture is divided into several stages, each of which contains multiple inception modules. The basic building block of an inception module is the "inception block", which consists of several convolutional and pooling layers in parallel. Each parallel path in the inception block performs a different type of convolution operation (e.g. 1x1, 3x3, or 5x5), which allows the network to capture features at different scales. The output of each path is then concatenated along the channel dimension to form a single output tensor.

Fig. 2. InceptionNet Architecture

The InceptionNet architecture has undergone several updates and revisions. Here are the different versions of InceptionNet:
1) Inception v1: This was the first version of InceptionNet introduced by Google researchers in 2014. It contains multiple inception modules with different kernel sizes to extract features at different scales.
2) Inception v2: Inception v2 was introduced in 2015 and includes several improvements over the original architecture, such as the use of batch normalization and factorized convolutions to reduce the number of parameters and improve performance.
3) Inception v3: Inception v3 was released in 2016 and includes even more improvements, such as the use of "reduction modules" to reduce the dimensionality of the input feature maps, and "auxiliary classifiers" to improve the training of the network.
4) Inception v4: Inception v4 was released in 2016 and includes several enhancements over Inception v3, such as the use of "stem" modules to reduce the computational cost of the network, and the incorporation of residual connections to improve the gradient flow during training.

C. VGGNet
The Visual Geometry Group at the University of Oxford developed the deep convolutional neural network architecture known as VGGNet (short for Visual Geometry Group Network) for image categorization in 2014. VGGNet achieved state-of-the-art performance on the ImageNet Large Scale Visual Recognition Challenge (ILSVRC) 2014 dataset. VGGNet has a very simple architecture with all layers using very small filters (3x3), followed by a max pooling layer. The network consists of a series of convolutional and pooling layers, followed by three fully connected (FC) layers at the end. The architecture can be divided into two main parts: the feature extractor and the classifier.

Fig. 3. VGGNet Architecture

1) Feature Extractor: VGGNet's feature extractor is built from blocks of convolutional layers. Each of the five blocks in the design has two or three convolutional layers, followed by a max pooling layer. The convolutional layers in the five blocks have 64, 128, 256, 512, and 512 filters, respectively.
2) Classifier: Three fully connected (FC) layers with 4096 neurons each make up the VGGNet classifier. These layers are followed by a softmax layer with 1000 output neurons, which corresponds to the 1000 classes in the ILSVRC 2014 dataset. The FC layers take the output of the last convolutional block as input and progressively reduce the spatial dimensions until a one-dimensional vector is obtained, which is then fed into the softmax layer for classification.

D. DenseNet
DenseNet (Densely Connected Convolutional Networks) is a convolutional neural network (CNN) architecture first presented in 2017 by Huang et al. DenseNet is meant to solve the vanishing gradient issue, which can arise in deep neural networks with several layers. In DenseNet, each layer is connected to every other layer in a feed-forward fashion. This is achieved by concatenating the feature maps of all preceding layers and passing the result as input to the
current layer. This leads to very deep networks with a high degree of connectivity between layers, which in turn allows the network to better propagate information across layers and learn more complex representations.

Fig. 4. DenseNet Architecture

DenseNet is composed of several blocks called "Dense Blocks", where each block consists of a series of convolutional layers, batch normalization, and activation functions. These blocks are connected to each other by transition layers, which reduce the dimensionality of the feature maps by applying a combination of pooling and convolutional operations.

The main advantage of DenseNet is that each layer has direct access to the feature maps of all preceding layers, allowing for more effective parameter utilisation. As a result, far fewer parameters are required than in other deep neural network topologies. DenseNet has also been shown to achieve state-of-the-art performance on a number of computer vision tasks, including object identification and image classification. DenseNet is a strong and successful design for deep neural networks, notably in the domain of computer vision.

II. DATASETS
There are several malware image datasets available. The datasets we used to train the models are described here.

A. MalImg Dataset
The Malimg dataset is a collection of grayscale images of malware taken from different sources, including viruses, worms, and trojans. It contains 9339 images of size 256 x 256 pixels, and each image is associated with a malware family label. The dataset includes 25 different malware families. We used 8404 images for training and 935 images for testing. The dataset is available for download from the following link:
https://www.kaggle.com/datasets/keerthicheepurupalli/malimg-dataset9010

Dataset : Malimg
ClassName        Train  Test
Adialer.c           97    25
Agent.FYI           91    25
Allaple.A         2824   125
Allaple.L         1491   100
Alueron.gen!J      173    25
Autorun.K           81    25
C2LOP.P            121    25
C2LOP.gen!g        175    25
Dialplatform.B     152    25
Dontovo.A          137    25
Fakerean           306    75
Instantaccess      356    75
Lolyda.AA1         153    60
Lolyda.AA2         159    25
Lolyda.AA3          98    25
Lolyda.AT          134    25
Malen.gen!j        111    25
Obfuscator.AD      117    25
Rbot!gen           133    25
Skittrim.N          55    25
Swissor.gen!E      103    25
Swissor.gen!I      107    25
VB.AT              383    25
Wintrim.Bx          72    25
Yuner.A            775    25

B. Microsoft Big 2015
The Microsoft Malware Classification Challenge (BIG 2015) dataset is a collection of color images of malware used in a machine learning competition organized by Microsoft in 2015. The competition was aimed at developing algorithms for malware classification and detection. The BIG 2015 dataset has been used in several research studies, including the development of machine learning models for malware classification and detection.

C. MalImg Dataset
The BIG 2015 dataset contains 9,360 images of size 64 x 64 pixels, and each image is associated with a malware family label. The dataset includes 9 different malware families. We used 8684 images for training and 2176 for testing.

Dataset : Microsoft Big 2015
ClassName        Train  Test
Gatak              810   203
Kelihos ver1       318    80
Kelihos ver3      2353   589
Lollipop          1982   496
Obfuscator.ACY     982   246
Ramnit            1226   307
Simda               33     9
Tracur             600   151
Vundo              380    95

Dataset : Malevis
ClassName        Train  Test
Adposhel           350   144
Agent              350   120
Allaple            350   128
Amonetize          350   147
Androm             350   150
Autorun            350   146
Browser Fox        350   143
Dinwod             350   149
Elex               350   150
Expiro             350   151
Fasong             350   150
HackKMS            350   149
Hlux               350   150
Injector           350   145
InstallCore        350   150
MultiPlug          350   149
Neoreklami         350   150
Neshta             350   147
Regrun             350   135
Sality             350   149
Snarasite          350   150
Stantinko          350   150
VBA                350   150
VBKrypt            350   146
Vilsel             350   146

D. Malevis Dataset
The "MALEVIS Malware Image Classification Dataset" is a dataset of malware images that can be used for classification tasks. It consists of 12394 malware images divided into 25 different classes. We used 8750 images for training and 3644 images for testing.
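
The datasets in this section are images, but the page does not show how a binary becomes one. The following added example (not code from the paper) uses the common byte-per-pixel convention, which is an assumption here, to turn raw file bytes into a grayscale image and resample it to the 256 x 256 size quoted for MalImg. The row width of 64, the function names and the sample blob are constructed for illustration.

```python
import hashlib

def bytes_to_rows(data, width):
    """Lay the file out row by row, one byte per pixel (0 = black, 255 = white)."""
    if width <= 0:
        raise ValueError("width must be positive")
    if not data:
        raise ValueError("empty input")
    pad = (-len(data)) % width                 # zero-pad the final partial row
    buf = data + bytes(pad)
    return [list(buf[i:i + width]) for i in range(0, len(buf), width)]

def resize_nearest(rows, size):
    """Nearest-neighbour resample to size x size, the fixed shape a CNN input needs."""
    h, w = len(rows), len(rows[0])
    return [[rows[y * h // size][x * w // size] for x in range(size)]
            for y in range(size)]

def to_pgm(rows):
    """Serialise as binary PGM (P5), an 8-bit grayscale format most image tools read."""
    h, w = len(rows), len(rows[0])
    return b"P5\n%d %d\n255\n" % (w, h) + bytes(v for row in rows for v in row)

def binary_to_image(data, width=64, size=256):
    """Raw bytes -> size x size grayscale matrix. width is an assumed parameter."""
    return resize_nearest(bytes_to_rows(data, width), size)

def sample_blob():
    """Constructed stand-in for an executable: header, zero padding, high-entropy body."""
    header = b"MZ" + bytes(62)                 # 64 bytes
    padding = bytes(1024)                      # low-entropy region, renders black
    body = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    return header + padding + body             # 3136 bytes = 49 rows of 64

if __name__ == "__main__":
    image = binary_to_image(sample_blob())
    with open("sample.pgm", "wb") as fh:       # padding shows as a black band,
        fh.write(to_pgm(image))                # the body as noise-like texture
```

The file is only read as bytes and never executed; pass size=64 for the 64 x 64 shape quoted for BIG 2015.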

III. LITERATURE REVIEW
The recent literature on malware image classification shows that researchers have explored various approaches, including data augmentation, transfer learning, and feature engineering, to improve the classification performance. Data augmentation techniques like image rotation, flipping, and zooming have been used to improve the model's robustness against variations in the malware images. Transfer learning has been used to train the model on a large-scale image dataset and then fine-tune it on the malware dataset. Feature engineering approaches including Local Binary Patterns (LBP), gray-level co-occurrence matrix (GLCM), and Histogram of Oriented Gradients (HOG) have been used to extract features from the images and enhance the classification performance.
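
Local Binary Patterns, one of the feature-engineering descriptors named above, as an added example (not code from the paper or the cited works): each interior pixel is encoded by which of its 8 neighbours are at least as bright, and the histogram of codes describes the texture. The tiles are constructed sample data, and the function names are hypothetical.

```python
import hashlib

# Clockwise neighbour offsets (dy, dx), starting at the top-left pixel.
OFFSETS = [(-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]

def lbp_histogram(img):
    """Normalised 256-bin histogram of 8-neighbour LBP codes (interior pixels only)."""
    hist = [0] * 256
    for y in range(1, len(img) - 1):
        for x in range(1, len(img[0]) - 1):
            centre = img[y][x]
            code = 0
            for bit, (dy, dx) in enumerate(OFFSETS):
                if img[y + dy][x + dx] >= centre:   # neighbour at least as bright
                    code |= 1 << bit
            hist[code] += 1
    total = sum(hist)
    return [count / total for count in hist]

def l1_distance(h1, h2):
    """Sum of absolute bin differences: 0 for identical textures, 2 for disjoint ones."""
    return sum(abs(a - b) for a, b in zip(h1, h2))

def tile(data, side=64):
    """Reshape side*side bytes into a square grayscale tile."""
    return [list(data[r * side:(r + 1) * side]) for r in range(side)]

def pseudo_random_bytes(seed, n=4096):
    """Constructed high-entropy sample (SHA-256 over a counter), standing in for packed data."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32))

PADDING = tile(bytes(4096))                     # constructed: zero-filled region
PACKED_A = tile(pseudo_random_bytes(b"a"))      # constructed: high-entropy region
PACKED_B = tile(pseudo_random_bytes(b"b"))      # constructed: different bytes, same texture

def compare():
    """Distances between the texture histograms of the three constructed tiles."""
    flat, a, b = (lbp_histogram(t) for t in (PADDING, PACKED_A, PACKED_B))
    return {"padding_vs_packed": l1_distance(flat, a),
            "packed_vs_packed": l1_distance(a, b)}

if __name__ == "__main__":
    print(compare())
```

The two high-entropy tiles share no bytes yet land close together, while the zero-filled tile collapses into the single code 255; the descriptor captures the kind of content in a region, not its exact bytes.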

Title | Year | Dataset | Pre-Trained Model | Approach | Accuracy
An inception V3 approach for malware classification using machine learning and transfer learning | 2023 | Microsoft Big 2015 | InceptionV3 | Transfer Learning with InceptionV3 | 98.76%
"Malware Classification using Pre-Trained Models with Binary Tree Structure" by Lu et al. | 2022 | Malimg dataset | VGG16, ResNet50 | Pre-Trained Models with Binary Tree Structure | 98.97%
"Malware Image Classification using Hybrid Networks with Pre-Trained Models" by Xu et al. | 2022 | Malimg dataset | ResNet50, InceptionV3 | Hybrid Networks with Transfer Learning | 98.65%
"Markov Image with Transfer Learning for Malware Detection and Classification" by Lok Man Kwan | 2022 | Microsoft Big 2015 | VGG19 | Transfer Learning and CNNs | 98.70%
"Malware Image Classification using Deep Learning and Transfer Learning" by Kim et al. | 2021 | Malimg dataset | ResNet50 | Transfer Learning and CNNs | 98.76%
"Malware Classification using Deep Convolutional Neural Networks and Transfer Learning" by Liu et al. | 2021 | Malimg dataset | InceptionV3 | Transfer Learning and CNNs | 98.85%
"Malware Image Classification using Multi-Task Learning with Pre-Trained Models" by Liu et al. | 2021 | Malimg dataset | VGG16, ResNet50, InceptionV3 | Multi-Task Learning with CNNs | 98.91%
"DeepMalware: A Deep Learning based Malware Images Classification" by Mehmood Alam | 2021 | Malimg dataset | VGG16, ResNet50, InceptionV3 | Custom CNN | 98.90%
