EXPLAINABLE MACHINE LEARNING-BASED MALWARE DETECTION USING PORTABLE EXECUTABLE STRUCTURAL FEATURES AND HYBRID VOTING ENSEMBLE

Malware detection Machine learning Hybrid ensemble learning Portable Executables (PE) Explainable AI (XAI)

Authors

July 1, 2026

Downloads

Objective: While evolving technologies have introduced advanced threat intelligence, traditional threats such as malware attacks continue to be a potential risk for contemporary computer systems and cybersecurity infrastructures and thus, it is of utmost importance that intelligent methods are developed in order to detect malware. Detecting malware variants is very difficult for traditional signature-based detection methods, especially for new and advanced malware. Thus, in this research work involves an explainable hybrid ensemble framework on machine learning approach with utilizing of Portable Executables (PE) file features for malware detection. Method: Our dataset is composed of 62,485 executable samples on the pre-processed and feature cleaning PE structures reduced to a domain matrix into 16 numerical features. We have implemented and evaluated multiple machine learning algorithms such as, Logistic Regression, Decision Tree, Random Forests, Support Vector Machine and Extreme Gradient Boosting. Voting Classifier was created for a robustness against classification and detection in addition to the hybrid ensemble model. Furthermore, we utilized SHAP analysis to understand model predictions and detect the most important features that contribute to malware classification. Results: Output from our practical experiments demonstrated some superior scores on all types of metrics measured. The Random Forest classifier has the best accuracy (99.64%) and the proposed Hybrid Voting model achieved an accuracy of 99.53%, precision: 99.68, recall: 99.24 and F1-score of 99.46 which confirms that our algorithm yielded very strong rumors and results are strongly stable across all compared datasets as well as high stability between individual classifiers (Fig From this analysis, we found that Dll Characteristics, Debug Size and Debug RVA stood out as the most significant features overall for our malware detection task, which showed how informative variations in executable structural characteristics can be to classification. Novelty: The findings demonstrate the potential of using ensemble learning in conjunction with explainable artificial intelligence techniques to enhance malware detection systems and cybersecurity applications.