Result: A distributed framework for zero-day malware detection using federated ensemble models.

Title:
A distributed framework for zero-day malware detection using federated ensemble models.
Authors:
Ishfaq H; Department of Computer Science, COMSATS University Islamabad, Wah Cantt, Pakistan., Shah JH; Department of Computer Science, COMSATS University Islamabad, Wah Cantt, Pakistan., Saleem R; Department of Computer Science, Government College University, Faisalabad, Pakistan., Afzal M; Department of Computer Science, COMSATS University Islamabad, Wah Cantt, Pakistan.
Source:
PloS one [PLoS One] 2026 Jan 07; Vol. 21 (1), pp. e0339907. Date of Electronic Publication: 2026 Jan 07 (Print Publication: 2026).
Publication Type:
Journal Article
Language:
English
Journal Info:
Publisher: Public Library of Science
Country of Publication: United States
NLM ID: 101285081
Publication Model: eCollection
Cited Medium: Internet
ISSN: 1932-6203 (Electronic)
Linking ISSN: 19326203
NLM ISO Abbreviation: PLoS One
Subsets: MEDLINE
Imprint Name(s):
Original Publication: San Francisco, CA : Public Library of Science
Entry Date(s):
Date Created: 20260107
Date Completed: 20260107
Latest Revision: 20260110
Update Code:
20260110
PubMed Central ID:
PMC12779155
DOI:
10.1371/journal.pone.0339907
PMID:
41499601
Database:
MEDLINE

Further Information

Classification and detection of zero-day attacks remain a significant challenge within the domain of cybersecurity. Because of the large number of malware families and the imbalance of the available datasets, real-time detection and classification become increasingly complex and inaccurate. There is therefore an urgent need for an intelligent and adaptive defense mechanism capable of identifying and classifying such attacks with improved precision and robustness. This paper proposes a stacked ensemble federated learning model with an accuracy-aware node weighting scheme to address the challenges posed by inter- and intra-class similarities among different types of malware. In the initial phase, malware Portable Executable (PE) files are collected from multiple online repositories and validated by three different antivirus programs through VirusTotal to ensure reliability. The validated files are then converted into image form and categorized into 28 families to facilitate feature extraction. In the second phase, deep feature representations are extracted with a transfer-learning-based, fine-tuned ResNet-50 model, which captures both the low-level and the high-level patterns relevant to malware classification. The features extracted at the multiple distributed nodes are then fed into the proposed Ensemble Stacked Federated Model for enhanced generalization and robust classification. The model is tested on both private and publicly available datasets. The experimental results demonstrate that the proposed method outperforms existing baseline approaches in accuracy and computational efficiency. This improvement is achieved because each federated node is trained independently and their outputs are then stacked by a central ensemble model, which enhances the learning rate and reduces overfitting. The code used for the experiments is available here.
(Copyright: © 2026 Ishfaq et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.)
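The abstract describes two ideas at the aggregation layer: nodes are trained independently, and their outputs are combined by a central model that weights each node by its accuracy. The block below is an added illustration of that combination step only; it is a generic accuracy-weighted stacking scheme written for this record, not the code released with the paper, and the paper's actual weighting formula, meta-learner, 28 family labels and node accuracies are not given here. The three-family label set, the per-node validation accuracies and the probability vectors are constructed sample values. The VirusTotal validation, PE-to-image conversion and ResNet-50 feature extraction stages are not modelled.

```python
"""Accuracy-aware weighting of per-node malware classifiers, then stacking.

Added illustration only: a generic weighted-stacking scheme, not the code
released with the paper. Node accuracies and class probabilities below are
constructed sample values; the paper's own family labels and weights differ.
"""
from typing import Dict, List

# Constructed family labels (the paper categorises samples into 28 families).
FAMILIES = ["benign", "family_A", "family_B"]


def node_weights(val_accuracy: Dict[str, float]) -> Dict[str, float]:
    """Assumed scheme: each node's weight is its validation accuracy,
    normalised so that the weights sum to 1. A node reporting 0 accuracy
    contributes nothing to the central decision."""
    for node, acc in val_accuracy.items():
        if not 0.0 <= acc <= 1.0:
            raise ValueError(f"accuracy for {node} out of range: {acc}")
    total = sum(val_accuracy.values())
    if total == 0.0:
        raise ValueError("no node reported a non-zero validation accuracy")
    return {node: acc / total for node, acc in val_accuracy.items()}


def stack_probabilities(node_probs: Dict[str, List[float]],
                        weights: Dict[str, float]) -> List[float]:
    """Central combiner: weighted average of each node's class-probability
    vector. Malformed vectors are rejected so that a faulty or misbehaving
    node cannot silently skew the aggregated result."""
    stacked = [0.0] * len(FAMILIES)
    for node, probs in node_probs.items():
        if len(probs) != len(FAMILIES) or abs(sum(probs) - 1.0) > 1e-6:
            raise ValueError(f"node {node} sent a malformed probability vector")
        w = weights.get(node, 0.0)  # unknown nodes get no say
        for i, p in enumerate(probs):
            stacked[i] += w * p
    return stacked


def predict_family(node_probs: Dict[str, List[float]],
                   val_accuracy: Dict[str, float]) -> str:
    """Final verdict: the family with the highest weighted probability."""
    stacked = stack_probabilities(node_probs, node_weights(val_accuracy))
    return FAMILIES[max(range(len(FAMILIES)), key=stacked.__getitem__)]


def unweighted_mean(node_probs: Dict[str, List[float]]) -> List[float]:
    """Baseline for comparison: plain averaging, every node treated alike."""
    n = len(node_probs)
    return [sum(p[i] for p in node_probs.values()) / n
            for i in range(len(FAMILIES))]


# Constructed sample: three federated nodes, each with its local validation
# accuracy and its probability vector for one PE-derived image.
SAMPLE_ACCURACY = {"node1": 0.95, "node2": 0.80, "node3": 0.60}
SAMPLE_PROBS = {
    "node1": [0.2, 0.7, 0.1],
    "node2": [0.3, 0.3, 0.4],
    "node3": [0.1, 0.2, 0.7],
}

if __name__ == "__main__":
    print("unweighted:", unweighted_mean(SAMPLE_PROBS))
    print("weighted:  ", stack_probabilities(SAMPLE_PROBS,
                                             node_weights(SAMPLE_ACCURACY)))
    print("verdict:   ", predict_family(SAMPLE_PROBS, SAMPLE_ACCURACY))
```

With the constructed inputs, plain averaging leaves family_A and family_B tied at 0.4, whereas the accuracy-aware weights let the most accurate node break the tie in favour of family_A. The input check in `stack_probabilities` is the practical point for a federated deployment: the central model must not trust that every participant's output is well-formed.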

The authors have declared that no competing interests exist.