Graph Neural Networks for Malware Classification: Comparing Graph-Structured and Sequence-Based Representations
DOI:
https://doi.org/10.25195/ijci.v52i1.680
Keywords:
malware detection, API, GAT, GCN, PE Files
Abstract
Malware detection is one of the most important cybersecurity problems because traditional signature-based methods cannot withstand polymorphic and obfuscated threats. This paper explores dynamic API call sequences as behavioral features and contrasts two representation methods: integer-based feature encoding fed into traditional machine learning models, and graph-based models using Graph Convolutional Networks (GCN) and Graph Attention Networks (GAT). Unlike prior studies, this paper conducts a systematic head-to-head comparison of these approaches and introduces a newly collected balanced dataset of 2,000 malware and 2,000 benign samples. Two datasets were employed: a large public dataset with 42,797 malware and 1,079 benign samples, and the novel dataset of 2,000 malware and 2,000 benign samples, collected for this research by means of sandboxed execution. To allow fair evaluation under 10-fold cross-validation, API calls were pre-encoded into fixed-length integer sequences and into directed call graphs. The findings indicate that ensemble and tree-based models achieved competitive results (≈92% on the public dataset and ≈90% on the novel dataset), but the graph-based models were more accurate, with GCN reaching 98.76% and GAT 98.33%. Because graph neural networks capture relational dependence and contextual patterns in API call behavior, they learn not only features but also the connectivity of API calls, which yields a richer and more accurate representation, and stronger categorization, than integer-only encodings.
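The two representations contrasted in the abstract, as an added example that is not code from the paper: one API-call trace is encoded as a fixed-length integer sequence and as a directed call graph. Assumptions: the trace is constructed, graph edges link consecutive calls, and `aggregate` is a simplified stand-in for a GCN layer with no learned weights.

```python
from collections import Counter

# Constructed API-call trace for illustration (not taken from the paper's datasets).
TRACE = ["NtCreateFile", "NtReadFile", "NtWriteFile", "NtReadFile",
         "NtWriteFile", "NtClose", "NtDelayExecution"]
PAD = 0  # assumed padding id; API ids start at 1


def build_vocab(traces):
    """Assign each distinct API name a stable 1-based integer id."""
    names = sorted({api for trace in traces for api in trace})
    return {name: i + 1 for i, name in enumerate(names)}


def encode_sequence(trace, vocab, length):
    """Integer representation: truncate or right-pad to a fixed length."""
    ids = [vocab[api] for api in trace[:length]]
    return ids + [PAD] * (length - len(ids))


def build_call_graph(trace, vocab):
    """Graph representation: directed edge (u, v) weighted by how often
    call v immediately follows call u (assumed construction)."""
    ids = [vocab[api] for api in trace]
    return Counter(zip(ids, ids[1:]))


def aggregate(edges, features):
    """One round of mean aggregation over each node's in-neighbours plus
    itself: a simplified stand-in for a GCN layer, with no learned weights."""
    inbound = {node: {node} for node in features}
    for src, dst in edges:
        inbound[dst].add(src)
    return {node: sum(features[n] for n in nbrs) / len(nbrs)
            for node, nbrs in inbound.items()}


if __name__ == "__main__":
    vocab = build_vocab([TRACE])
    print(encode_sequence(TRACE, vocab, 4))   # tail of the trace is truncated
    graph = build_call_graph(TRACE, vocab)
    print(dict(graph))                        # every transition is kept as an edge
    counts = Counter(vocab[api] for api in TRACE)
    print(aggregate(graph, dict(counts)))     # node values now mix in neighbours
```

With a sequence length of 4 the integer encoding drops the last three calls of this trace, while the graph keeps every transition and folds the repeated read/write pair into an edge weight.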
License
Copyright (c) 2026 Iraqi Journal for Computers and Informatics

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
IJCI applies the Creative Commons Attribution (CC BY) license to articles. The author of the submitted paper for publication by IJCI has the CC BY license. Under this Open Access license, the author gives an agreement to any author to reuse the article in whole or part for any purpose, even for commercial purposes. Anyone may copy, distribute, or reuse the content as long as the author and source are properly cited. This facility helps in re-use and ensures that journal content is available for the needs of research.
If the manuscript contains photos, images, figures, tables, audio files, videos, etc., that the author or the co-authors do not own, IJCI will require the author to provide the journal with proof that the owner of that content has given the author written permission to use it, and that the owner has approved the CC BY license being applied to that content. IJCI provides a form that the author can use to ask for permission from the owner. If the author does not have owner permission, IJCI will ask the author to remove that content and/or replace it with other content that the author owns or has such permission to use.
Many authors assume that if they previously published a paper through another publisher, they have the right to reuse that content in their PLOS paper, but that is not necessarily the case – it depends on the license that covers the other paper. The author must ascertain the rights he/she has of a specific license (a license that enables the author to use the content). The author must obtain written permission from the publisher to use the content in the IJCI paper. The author should not include any content in her/his IJCI paper without having the right to use it, and always give proper attribution.
The licensing policies for the accompanying submitted data should be stated; these policies should not be more restrictive than CC BY.
IJCI has the right to remove photos, captures, images, figures, tables, illustrations, audio, and video files, from a paper before or after publication, if these contents were included in the author's paper without permission from the owner of the content.







