{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,8]],"date-time":"2026-03-08T23:49:13Z","timestamp":1773013753924,"version":"3.50.1"},"reference-count":72,"publisher":"Institution of Engineering and Technology (IET)","issue":"1","license":[{"start":{"date-parts":[[2025,5,28]],"date-time":"2025-05-28T00:00:00Z","timestamp":1748390400000},"content-version":"vor","delay-in-days":147,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/doi.wiley.com\/10.1002\/tdm_license_1.1"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["U19B2044"],"award-info":[{"award-number":["U19B2044"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2021YFB2700600"],"award-info":[{"award-number":["2021YFB2700600"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100004761","name":"Natural Science Foundation of Hainan Province","doi-asserted-by":"publisher","award":["621MS017"],"award-info":[{"award-number":["621MS017"]}],"id":[{"id":"10.13039\/501100004761","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["ietresearch.onlinelibrary.wiley.com"],"crossmark-restriction":true},"short-container-title":["IET Information Security"],"published-print":{"date-parts":[[2025,1]]},"abstract":"<jats:p>Malware can greatly compromise the integrity and trustworthiness of information and is in a constant state of evolution. Existing feature fusion\u2010based detection methods generally overlook the correlation between features. And mere concatenation of features will reduce the model\u2019s characterization ability, lead to low detection accuracy. Moreover, these methods are susceptible to concept drift and significant degradation of the model. To address those challenges, we introduce a feature graph\u2010based malware detection method, malware feature graph (MFGraph), to characterize applications by learning feature\u2010to\u2010feature relationships to achieve improved detection accuracy while mitigating the impact of concept drift. In MFGraph, we construct a feature graph using static features extracted from binary PE files, then apply a deep graph convolutional network to learn the representation of the feature graph. Finally, we employ the representation vectors obtained from the output of a three\u2010layer perceptron to differentiate between benign and malicious software. We evaluated our method on the EMBER dataset, and the experimental results demonstrate that it achieves an AUC score of 0.98756 on the malware detection task, outperforming other baseline models. Furthermore, the AUC score of MFGraph decreases by only 5.884% in 1 year, indicating that it is the least affected by concept drift.<\/jats:p>","DOI":"10.1049\/ise2\/6687383","type":"journal-article","created":{"date-parts":[[2025,5,28]],"date-time":"2025-05-28T12:49:21Z","timestamp":1748436561000},"update-policy":"https:\/\/doi.org\/10.1002\/crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Feature Graph Construction With Static Features for Malware Detection"],"prefix":"10.1049","volume":"2025","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4279-9562","authenticated-orcid":false,"given":"Binghui","family":"Zou","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9439-8256","authenticated-orcid":false,"given":"Chunjie","family":"Cao","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1135-6251","authenticated-orcid":false,"given":"Longjuan","family":"Wang","sequence":"additional","affiliation":[]},{"given":"Yinan","family":"Cheng","sequence":"additional","affiliation":[]},{"given":"Chenxi","family":"Dang","sequence":"additional","affiliation":[]},{"given":"Ying","family":"Liu","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6961-6677","authenticated-orcid":false,"given":"Jingzhang","family":"Sun","sequence":"additional","affiliation":[]}],"member":"265","published-online":{"date-parts":[[2025,5,28]]},"reference":[{"key":"e_1_2_12_1_2","unstructured":"Instinct D 2020 Cyber Threat Landscape Report; 2021 https:\/\/www.ibm.com\/downloads\/cas\/M1X3B7QG\/."},{"key":"e_1_2_12_2_2","doi-asserted-by":"crossref","unstructured":"Security I. X-Force Threat Intelligence Index 2021 2021 https:\/\/www.ibm.com\/security\/data-breach\/threat-intelligence\/.","DOI":"10.1016\/S1353-4858(21)00026-X"},{"key":"e_1_2_12_3_2","doi-asserted-by":"crossref","unstructured":"JangJ. BrumleyD. andVenkataramanS. Bitshred: Feature Hashing Malware for Scalable Triage and Semantic Analysis Proceedings of the 18th ACM Conference on Computer and Communications Security 2011 ACM 309\u2013320.","DOI":"10.1145\/2046707.2046742"},{"key":"e_1_2_12_4_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2017.2771228"},{"key":"e_1_2_12_5_2","doi-asserted-by":"crossref","unstructured":"BabaagbaK. O.andAdesanyaS. O. A Study on the Effect of Feature Selection on Malware Analysis Using Machine Learning Proceedings of the 2019 8th International Conference on Educational and Information Technology 2019 ACM 51\u201355.","DOI":"10.1145\/3318396.3318448"},{"key":"e_1_2_12_6_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103126"},{"key":"e_1_2_12_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2018.2884928"},{"key":"e_1_2_12_8_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101740"},{"key":"e_1_2_12_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2018.2876857"},{"key":"e_1_2_12_10_2","doi-asserted-by":"crossref","unstructured":"MaY. LiuS. JiangJ. ChenG. andLiK. A Comprehensive Study on Learning-Based PE Malware Family Classification Methods Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering 2021 ACM 1314\u20131325.","DOI":"10.1145\/3468264.3473925"},{"key":"e_1_2_12_11_2","doi-asserted-by":"crossref","unstructured":"BarberoF. PendleburyF. PierazziF. andCavallaroL. Transcending Transcend: Revisiting Malware Classification in the Presence of Concept Drift 2022 IEEE Symposium on Security and Privacy (SP) 2022 IEEE 805\u2013823.","DOI":"10.1109\/SP46214.2022.9833659"},{"key":"e_1_2_12_12_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2013.2251352"},{"key":"e_1_2_12_13_2","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2011.58"},{"key":"e_1_2_12_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/3313391"},{"key":"e_1_2_12_15_2","doi-asserted-by":"publisher","DOI":"10.1155\/2017\/4956386"},{"key":"e_1_2_12_16_2","doi-asserted-by":"crossref","unstructured":"DengA.andHooiB. Graph Neural Network-Based Anomaly Detection in Multivariate Time Series Proceedings of the AAAI Conference on Artificial Intelligence 2021 Association for the Advancement of Artificial Intelligence 4027\u20134035.","DOI":"10.1609\/aaai.v35i5.16523"},{"key":"e_1_2_12_17_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3535101","article-title":"Graph Neural Networks in Recommender Systems: A Survey","volume":"55","author":"Wu S.","year":"2022","journal-title":"ACM Computing Surveys"},{"key":"e_1_2_12_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2017.2754499"},{"key":"e_1_2_12_19_2","first-page":"1","article-title":"Graph Convolutional Policy Network for Goal-Directed Molecular Graph Generation","volume":"31","author":"You J.","year":"2018","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_2_12_20_2","doi-asserted-by":"crossref","unstructured":"HouS. YeY. SongY. andAbdulhayogluM. HinDroid: An Intelligent Android Malware Detection System Based on Structured Heterogeneous Information Network Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining 2017 ACM 1507\u20131515.","DOI":"10.1145\/3097983.3098026"},{"key":"e_1_2_12_21_2","doi-asserted-by":"crossref","unstructured":"LingX. WuL. andDengW. et al.MalGraph: Hierarchical Graph Neural Networks for Robust Windows Malware Detection IEEE INFOCOM 2022 - IEEE Conference on Computer Communications 2022 London United Kingdom IEEE 1998\u20132007.","DOI":"10.1109\/INFOCOM48880.2022.9796786"},{"key":"e_1_2_12_22_2","doi-asserted-by":"crossref","unstructured":"YanJ. YanG. andJinD. Classifying Malware Represented as Control Flow Graphs Using Deep Graph Convolutional Neural Network Proceedings of the 49th IEEE\/IFIP International Conference on Dependable Systems and Networks 2019 IEEE 52\u201363.","DOI":"10.1109\/DSN.2019.00020"},{"key":"e_1_2_12_23_2","doi-asserted-by":"crossref","unstructured":"SunQ. AbdukhamidovE. AbuhmedT. andAbuhamadM. Leveraging Spectral Representations of Control Flow Graphs for Efficient Analysis of Windows Malware Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security 2022 ACM 1240\u20131242.","DOI":"10.1145\/3488932.3527294"},{"key":"e_1_2_12_24_2","unstructured":"ZouB. CaoC. andWangL. et al.Feature Graph Construction With Static Features for Malware Detection 2024 arXiv preprint arXiv: 2404.16362."},{"key":"e_1_2_12_25_2","unstructured":"Quarkslab LIEF: Library for Instrumenting Executable Files; 2021 https:\/\/lief.quarkslab.com\/."},{"key":"e_1_2_12_26_2","doi-asserted-by":"crossref","unstructured":"ZhangM. CuiZ. NeumannM. andChenY. An End-to End Deep Learning Architecture for Graph Classification Proceedings of the AAAI Conference on Artificial Intelligence 2018 Association for the Advancement of Artificial Intelligence 4438\u20134445.","DOI":"10.1609\/aaai.v32i1.11782"},{"key":"e_1_2_12_27_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-016-0274-2"},{"key":"e_1_2_12_28_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-018-0415-3"},{"key":"e_1_2_12_29_2","doi-asserted-by":"crossref","unstructured":"DavidO. E.andNetanyahuN. S. DeepSign: Deep Learning for Automatic Malware Signature Generation and Classification 2015 International Joint Conference on Neural Networks (IJCNN) 2015 IEEE 1\u20138.","DOI":"10.1109\/IJCNN.2015.7280815"},{"key":"e_1_2_12_30_2","doi-asserted-by":"crossref","unstructured":"FarukiP. GanmoorV. LaxmiV. GaurM. S. andBharmalA. AndroSimilar: Robust Statistical Feature Signature for Android Malware Detection Proceedings of the 6th International Conference on Security of Information and Networks 2013 ACM 152\u2013159.","DOI":"10.1145\/2523514.2523539"},{"key":"e_1_2_12_31_2","doi-asserted-by":"crossref","unstructured":"KiratD.andVignaG. Automatic Extraction of Malware Analysis Evasion Signature Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security 2015 ACM 769\u2013780.","DOI":"10.1145\/2810103.2813642"},{"key":"e_1_2_12_32_2","unstructured":"RaffE. BarkerJ. SylvesterJ. BrandonR. CatanzaroB. andNicholasC. K. Malware Detection by Eating a Whole Exe Workshops at the Thirty-Second AAAI Conference on Artificial Intelligence 2018 Association for the Advancement of Artificial Intelligence 268\u2013276."},{"key":"e_1_2_12_33_2","doi-asserted-by":"crossref","unstructured":"HouS. SaasA. ChenL. andYeY. Deep4MalDroid: A Deep Learning Framework for Android Malware Detection Based on Linux Kernel System Call Graphs Proceedings of the 2016 IEEE\/WIC\/ACM International Conference on Web Intelligence Workshops 2016 IEEE 104\u2013111.","DOI":"10.1109\/WIW.2016.040"},{"key":"e_1_2_12_34_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-008-0082-4"},{"key":"e_1_2_12_35_2","doi-asserted-by":"publisher","DOI":"10.1155\/2015\/659101"},{"key":"e_1_2_12_36_2","doi-asserted-by":"publisher","DOI":"10.1049\/iet-ifs.2017.0430"},{"key":"e_1_2_12_37_2","doi-asserted-by":"crossref","unstructured":"RabadiD.andTeoS. G. Advanced Windows Methods on Malware Detection and Classification Annual Computer Security Applications Conference 2020 ACM 54\u201368.","DOI":"10.1145\/3427228.3427242"},{"key":"e_1_2_12_38_2","doi-asserted-by":"crossref","unstructured":"ZhangZ. QiP. andWangW. Dynamic Malware Analysis With Feature Engineering and Feature Learning Proceedings of the AAAI Conference on Artificial Intelligence 2020 Association for the Advancement of Artificial Intelligence 1210\u20131217.","DOI":"10.1609\/aaai.v34i01.5474"},{"key":"e_1_2_12_39_2","doi-asserted-by":"crossref","unstructured":"AlsulamiB. SrinivasanA. DongH. andMancoridisS. Lightweight Behavioral Malware Detection for Windows Platforms Proceedings of the 2017 12th International Conference on Malicious and Unwanted Software (MALWARE) 2017 IEEE 75\u201381.","DOI":"10.1109\/MALWARE.2017.8323959"},{"key":"e_1_2_12_40_2","doi-asserted-by":"crossref","unstructured":"NatarajL. KarthikeyanS. JacobG. andManjunathB. S. Malware Images: Visualization and Automatic Classification Proceedings of the 8th International Symposium on Visualization for Cyber Security 2011 IEEE 1\u20137.","DOI":"10.1145\/2016904.2016908"},{"key":"e_1_2_12_41_2","doi-asserted-by":"publisher","DOI":"10.1002\/ett.3789"},{"key":"e_1_2_12_42_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102400"},{"key":"e_1_2_12_43_2","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-021-05816-y"},{"key":"e_1_2_12_44_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2021.06.029"},{"key":"e_1_2_12_45_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2020.107138"},{"key":"e_1_2_12_46_2","doi-asserted-by":"crossref","unstructured":"WuY. ZouD. YangW. LiX. andJinH. HomDroid: Detecting Android Covert Malware by Social-Network Homophily Analysis Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis 2021 ACM 216\u2013229.","DOI":"10.1145\/3460319.3464833"},{"key":"e_1_2_12_47_2","doi-asserted-by":"publisher","DOI":"10.1145\/3442588"},{"key":"e_1_2_12_48_2","doi-asserted-by":"crossref","unstructured":"FanY. HouS. ZhangY. YeY. andAbdulhayogluM. Gotcha - Sly Malware!: Scorpion A Metagraph2vec Based Malware Detection System Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining 2018 ACM 253\u2013262.","DOI":"10.1145\/3219819.3219862"},{"key":"e_1_2_12_49_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2020.02.002"},{"key":"e_1_2_12_50_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2019.113022"},{"key":"e_1_2_12_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3152360"},{"key":"e_1_2_12_52_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101748"},{"key":"e_1_2_12_53_2","doi-asserted-by":"crossref","unstructured":"SaxeJ.andBerlinK. Deep Neural Network Based Malware Detection Using Two Dimensional Binary Program Features 2015 10th International Conference on Malicious and Unwanted Software (MALWARE) 2015 IEEE 11\u201320.","DOI":"10.1109\/MALWARE.2015.7413680"},{"key":"e_1_2_12_54_2","doi-asserted-by":"crossref","unstructured":"LiY. YaoH. DuanL. YaoH. andXuC. Adaptive Feature Fusion via Graph Neural Network for Person ReIdentification Proceedings of the 27th ACM International Conference on Multimedia (MM) 2019 ACM 2115\u20132123.","DOI":"10.1145\/3343031.3350982"},{"key":"e_1_2_12_55_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.inffus.2021.01.008"},{"key":"e_1_2_12_56_2","unstructured":"AndersonH. S.andRothP. Ember: An Open Dataset for Training Static Pe Malware Machine Learning Models 2018 arXiv preprint arXiv: 180404637."},{"key":"e_1_2_12_57_2","first-page":"2539","article-title":"Weisfeiler-Lehman Graph Kernels","volume":"12","author":"Shervashidze N.","year":"2011","journal-title":"Journal of Machine Learning Research"},{"key":"e_1_2_12_58_2","unstructured":"RongY. HuangW. XuT. andDropedgeHuang J. Towards Deep Graph Convolutional Networks on Node Classification 2019 arXiv preprint arXiv: 190710903."},{"key":"e_1_2_12_59_2","doi-asserted-by":"crossref","unstructured":"XuX. LiuC. FengQ. YinH. SongL. andSongD. Neural Network-Based Graph Embedding for Cross-Platform Binary Code Similarity Detection Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security 2017 ACM 363\u2013376.","DOI":"10.1145\/3133956.3134018"},{"key":"e_1_2_12_60_2","doi-asserted-by":"publisher","DOI":"10.1109\/72.159058"},{"key":"e_1_2_12_61_2","unstructured":"HintonG. E. SrivastavaN. KrizhevskyA. SutskeverI. andSalakhutdinovR. R. Improving Neural Networks by Preventing Co-Adaptation of Feature Detectors 2012 arXiv preprint arXiv: 12070580."},{"key":"e_1_2_12_62_2","doi-asserted-by":"crossref","unstructured":"WangS. ChenZ. andYuX. et al.Heterogeneous Graph Matching Networks for Unknown Malware Detection Proceedings of the 28th International Joint Conference on Artificial Intelligence 2019 3762\u20133770.","DOI":"10.24963\/ijcai.2019\/522"},{"key":"e_1_2_12_63_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2020.102483"},{"key":"e_1_2_12_64_2","doi-asserted-by":"crossref","unstructured":"Yeboah-OforiA.andBoachieC. Malware Attack Predictive Analytics in a Cyber Supply Chain Context Using Machine Learning 2019 International Conference on Cyber Security and Internet of Things 2019 IEEE 66\u201373.","DOI":"10.1109\/ICSIoT47925.2019.00019"},{"key":"e_1_2_12_65_2","doi-asserted-by":"crossref","unstructured":"HanH. LimS. SuhK. ParkS. SjCho andParkM. Enhanced Android Malware Detection: An SVM-Based Machine Learning Approach 2020 IEEE International Conference on Big Data and Smart Computing 2020 IEEE 75\u201381.","DOI":"10.1109\/BigComp48618.2020.00-96"},{"key":"e_1_2_12_66_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2022.08.002"},{"key":"e_1_2_12_67_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSMC.2019.2958382"},{"key":"e_1_2_12_68_2","doi-asserted-by":"publisher","DOI":"10.1145\/3436751"},{"key":"e_1_2_12_69_2","doi-asserted-by":"publisher","DOI":"10.1155\/2023\/9544481"},{"key":"e_1_2_12_70_2","doi-asserted-by":"crossref","unstructured":"SinghP. BorgohainS. K. andKumarJ. Investigation and Preprocessing of CLaMP Malware Dataset for Machine Learning Models 2022 6th International Conference on Electronics Communication and Aerospace Technology 2022 IEEE 891\u2013895.","DOI":"10.1109\/ICECA55336.2022.10009153"},{"key":"e_1_2_12_71_2","doi-asserted-by":"publisher","DOI":"10.1002\/cpe.6992"},{"key":"e_1_2_12_72_2","doi-asserted-by":"crossref","unstructured":"SinghP. BorgohainS. K. andKumarJ. Performance Enhancement of SVM-Based ML Malware Detection Model Using Data Preprocessing 2022 2nd International Conference on Emerging Frontiers in Electrical and Electronic Technologies 2022 IEEE 1\u20134.","DOI":"10.1109\/ICEFEET51821.2022.9848192"}],"container-title":["IET Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/ietresearch.onlinelibrary.wiley.com\/doi\/pdf\/10.1049\/ise2\/6687383","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/ietresearch.onlinelibrary.wiley.com\/doi\/full-xml\/10.1049\/ise2\/6687383","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/ietresearch.onlinelibrary.wiley.com\/doi\/pdf\/10.1049\/ise2\/6687383","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,8]],"date-time":"2026-03-08T22:34:14Z","timestamp":1773009254000},"score":1,"resource":{"primary":{"URL":"https:\/\/ietresearch.onlinelibrary.wiley.com\/doi\/10.1049\/ise2\/6687383"}},"subtitle":[],"editor":[{"given":"Stelvio","family":"Cimato","sequence":"additional","affiliation":[]}],"short-title":[],"issued":{"date-parts":[[2025,1]]},"references-count":72,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1]]}},"alternative-id":["10.1049\/ise2\/6687383"],"URL":"https:\/\/doi.org\/10.1049\/ise2\/6687383","archive":["Portico"],"relation":{},"ISSN":["1751-8709","1751-8717"],"issn-type":[{"value":"1751-8709","type":"print"},{"value":"1751-8717","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,1]]},"assertion":[{"value":"2023-06-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-04-02","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-05-28","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"6687383"}}