F1000ResearchF1000Research2046-1402F1000 Research LimitedLondon, UK10.12688/f1000research.173837.2Research ArticleArticlesMalware Detection Using RNA Encoding and Convolutional Neural Networks on the Malicious Network Dataset
[version 2; peer review: 2 approved with reservations]
Fitian RashidOmarMethodologyWriting – Review & Editinghttps://orcid.org/0000-0002-8186-0795a1Ali AbdSenanWriting – Original Draft Preparation2Al-ShahwaniHumamWriting – Review & Editing3
Department of Geology, University of Baghdad, Baghdad, Baghdad Governorate, Iraq
Department of Cybersecurity, College of Information Technology, University of Fallujah, Al-Fallujah, Al Anbar Governorate, Iraq
Department of Computer Science, College of Science, University of Baghdad, Baghdad, Baghdad Governorate, Iraqomar.f@sc.uobaghdad.edu.iq
The detection of malware in network traffic remains a critical cybersecurity challenge. Traditional signature-based intrusion detection demonstrates a high level of familiarity with issues that have been recorded in the database; but show significantly lower effectiveness when it comes to polymorphic or zero-day attacks. Conversely, anomaly-based approaches are also endowed with the ability to detect new incursions, but often have a high false-positive
rate.
Methods
This study proposes a combined malware-detection framework which makes use of RNA encoding network-flow attributes alongside Convolutional Neural Network (CNN) classifiers. The framework has three functionalities: a Signature-CNN, which is trained on RNA-encoded representation of known malicious flows; an Anomaly-CNN, which is developed to distinguish between benign and malicious traffic without any signature prior knowledge; and a Hybrid-CNN, which combines both paradigms in a two-stage detection pipeline.
Results
The research is carried out on the 10,000 samples that are split into training and testing subsets based on the 70/30 split strategy. The given model is trained in the context of a supervised learning model and assessed in terms of common performance metrics, such as accuracy, precision, recall, and F1-score. The experimental design is written in Python and deep learning libraries, so that the evaluation environment of all experiments is consistent and reproducible. Experiments conducted on the Malicious Network Dataset show that the Signature-CNN achieves 91% accuracy with strong precision on known threats, the Anomaly-CNN achieves 93% detection rate on unknown malware, and the Hybrid-CNN achieves the best overall performance with 95% detection rate and 94.5% F1 score.
Conclusions
The results demonstrate that RNA encoding combined with CNN classifiers offers a robust and scalable solution for malware detection in networked environments.
Malware DetectionRNA EncodingConvolutional Neural NetworksNetwork SecurityMalicious Network DatasetThe author(s) declared that no grants were involved in supporting this work.Amendments from Version 1
The new copy of this manuscript includes some key changes based on the reviewer feedbacks. The abstract has been extended with more information about the experimental design and evaluation plan, which makes it more comprehensive and clear. Introduction has been well edited to enhance the quality of language, readability and academic tone. The limitation of the existing studies has been emphasized and a more critical analysis of the existing studies has been added to the Related Work section to clearly establish the limitation of the existing studies and to position the contribution of the proposed method in a better manner. In addition, the Methodology section is now expanded with specific training parameters of CNN model including the optimizer, learning rate, number of epochs, and batch size to facilitate the reproducibility. The Discussion has been greatly expanded with more information about how RNA-based encoding can be used to better represent features and the overall model performance. Lastly, the Conclusion has been revised to incorporate additional specific and practical future research directions, including possible extensions and implementations of the proposed approach. All these updates enhance the clarity, rigor and scientific contribution of the manuscript.
1. Introduction
The exponential growth of networked systems proliferation has led to an equivalent increase in advanced malware attacks. Intrusion detection systems (IDS) continue to play a central role in the protection of digital infrastructure; however, modern practices are characterized by severe limitations.
1 Signature-based IDS rely on a set of pre-defined rules or patterns, and these systems are effective only against previously identified threats. Anomaly-based IDS attempt to detect deviations from normal behavior, and has the ability to detect zero-day attacks, but often generate a high false positive. To address these limitations, a hybrid architecture has arisen, combining the benefits of each of the system.
2,
3
There have been recent studies into how deep-learning architectures, especially convolutional neural networks (CNNs) and recurrent neural networks (RNNs), can be applied to the problems of IDS, with promising results. A novel intrusion detection method based on learning framework is proposed,
4 where the proposed method is done by using dual parallel CNN pipelines to independently address the network and radar features. A new intrusion detection model is suggested by,
5 where this model combines CNN and Random Forest. The CNN is utilized to extract the feature, and the Random Forest is used for classification. An IDS is proposed by combining an innovative hybrid Autoencoder with an enhanced LSTM-CNN architecture,
6 where the proposed method can enhance the detection capabilities more quickly and efficiently. Kaissar et al.
7 investigates the optimization of hyperparameters in CNN to enhance the NIDS performance, where Grid Search, Genetic Algorithm, Particle Swarm Optimization, and Grey Wolf Optimization algorithms are used for this purpose. Alrayes et al.
8 suggested a novel IDS by combining channel attention and CNN, where the suggested method has exceptional accuracy when applied it to NSL-KDD dataset. A new IDS model is built based on CNN and knowledge distillation,
9 this model using two-dimensional Fourier transform for converting the grayscale images to the frequency domain, and this led to enhanced the similarity between neighboring pixels to address data effectively. Ban et al.
10 suggested an enhanced deep-learning model for IDS in IoT environment, where the suggested model is depending on CNN as the backbone network in the constructed model. A hybrid deep learning IDS is proposed by
11 based on CNN and bidirectional long short-term memory neural networks, where the proposed system is enhanced the model’s ability to detect patterns in both minority and majority classes. Altunay and Albayrak
12 developed IDS in the IIoT networks, where the suggest system is done by using three different deep learning architectures, which are CNN, Long Short-Term Memory (LSTM), and the combination of these two methods.
Parallel Encodings Biologically inspired encodings, like mappings to DNA and RNA sequences, have been proposed to convert heterogeneous data to symbolic strings.
13,
14 Nevertheless, there is limited evidence in the extant literature of the integration of RNA encodings with CNN classifiers in the entire range of detection paradigms: signature, anomaly, and hybrid. The current paper seals this gap by suggesting a CNN-based model which incorporates these complementary detection schemes. Despite the good outcomes of the current methods, a number of shortcomings still exist. Most CNN-based approaches use traditional data representations, which might not best represent intricate feature interactions, leading to worse performance in adverse conditions. Moreover, certain methods have higher computational costs and reduced resilience to a variety of data or when used on noisy data. These drawbacks indicate why encoding methods should be more effective and articulate. Here the proposed approach refers to encoding based on RNA to increase the feature representation to allow the model to learn more discriminative features to enhance the performance of the model in comparison with the current methods.
2. Methodology
The proposed malware detection system is built by combining of RNA-inspired encoding of the network traffic characteristics and the convolutional neural network (CNN) classification. Unlike traditional intrusion detection system models that treat signature-based and anomaly-based detection methodologies as dissimilar entities, the current system integrates both of them in a single deep learning pipeline. In this pipeline, CNN models that are trained on sequences coded using the RNA-inspired methodology concurrently address signature-based, anomaly-based, and hybrid detection. The steps of the proposed system are shown in
Figure 1.
Flow chart of the suggested malware detection system with RNA encoding and CNN classification pipeline.
2.1 Dataset description
The Malicious Network Dataset is a new dataset that was collected using honeypots deployed with the Honeytrap agent. The dataset consists of 9 features that represent various aspects of network traffic, including both structural and payload data.
15 These features are shown in
Table 1 as follows:
The malicious network dataset values and its descriptions.
<sup>
<xref ref-type="bibr" rid="ref15">15</xref>
</sup>
Feature
Column
Possible values
1
Protocol
TCP, IP
2
remote_ip
Too many unique values (10,951). Example: ['35.203.211.180', '180.93.172.180', '81.17.19.66', '0.0.0.0', '94.23.145.155']
3
remote_port
Numeric range: 0 – 65535 (unique=28,920)
4
local_ip
Too many unique values (4,030). Example: ['165.227.180.71', '0.0.0.0', '192.168.202.139', '157.240.11.61', '192.168.11.143']
5
local_port
Numeric range: 0 – 65535 (unique=11,985)
6
md5_hash
Too many unique values (13,732). Example: ['1fb4aeaab94ca27d2e5dfaa47e11a6fb', 'd41d8cd98f00b204e9800998ecf8427e', '19b893b938ace1defe7d090e510f0618', “, '59b490c4ab003464ca03428b3fc63222']
7
sha512_hash
Too many unique values (13,732). Example: ['a6d4f36a2a8d5b5ea7e6afe91d4a80e7a9ae2129ebf4791a4d74b7ea003420c2…', 'cf83e1357eefb8bdf1542850d66d8007…', 'f060846cbf02e31706d5d0fe781d7007…', “, '922450f93e933de877934cee97339ae6…']
8
Length
Numeric range: 0 – 1448 (unique = 1,038)
9
data_hex
Too many unique values (13,732). Example: ['16030100ca010000c60303918984ed51d5c0b8d4cfad730a16a4efb24b004062e21…', “, '50100', '0', '474554202f20485454502f312e310d0a486f7374…']
10
Class
'malicious' or 'benign'.
2.2 RNA encoding of network features
Network flows in the Malicious Network Dataset comprise heterogeneous attributes, such as protocol types, port numbers, cryptographic hashes, packet lengths, and payloads. Such attributes are of different scales and representation thus complicating direct modeling. In this spirit we introduce a biologically inspired RNA encoding scheme where each element is coded to a fixed set of codons. Where the mapping rules as follow:
Remote ip and local ip attributes were eliminated, because a malware detection model must identify malicious signatures regardless of the source and destination IP addresses, and these ips do not provide meaningful behavioral indicators of malware.
Protocol identifiers (e.g., TCP, IP) are assigned codons such as TCP → G, IP → U.
Numerical fields (ports, lengths) are separated into digits, each mapped to a codon, where each digit is represented by two RNA characters, e.g., 0 → CG, 1 → AC, and so on.
Hexadecimal payload values are mapped similarly, where each character is represented by two RNA characters, e.g., a → AU, b → UU, and so on.
The hash values, containing both MD5 and SHA512 are divided into single characters and coded into codons, thus, making sure that each unique character is represented by a deterministic codon.
For each flow, codon sequences from all fields are concatenated in the following order: [protocol] → [remote port] → [local port] → [MD5] → [SHA512] → [length] → [payload].
The built RNA encoding for all possible malicious network dataset records values is shown in
Table 2.
RNA encoding for malicious network dataset records values.
Value
RNA encoding
TCP
G
IP
U
0
CG
1
AC
2
GG
3
UA
4
CC
5
GA
6
UC
7
AA
8
GU
9
UG
a
AU
b
UU
c
CA
d
AG
e
CU
f
GC
This mapping transforms a wide range of categorical and string features into structured RNA codon sequences, thus making training of convolutional neural networks on homogeneous sequential inputs possible.
2.3 CNN architecture
The coded messages are fed into a Convolutional Neural Network (CNN) that picks up discriminative features at a variety of levels of abstraction as follow:
Embedding: The codons are first mapped to dense vectors of dimension, d = 32. This embedding is learnt alongside the classifier, thus, encoding similarities between codons.
Convolutional: A number of one-dimensional convolutional layers are used, the size of which varies between 5 and 7. These filters identify a local pattern in the codon sequences e.g., repeated sequences which can be an indication of malicious activity. An example would be to have a convolution filter that is trained to identify the codon sequence of known back door ports.
Pooling: The feature maps are down sampled through max-pooling, and the most conspicuous features are retained, with a lower computational cost.
Global Average Pooling: In order to generalize over a wide range of lengths of variable sequences and reduce overfitting, global average pooling is done to aggregate the feature maps into fixed-size vectors.
Dense Layers: The learned features are combined in fully connected layers (64 units) that use ReLU activation. To inhibit overfitting, dropout regularization is used, with a temporary activation of neurons in the course of training, i.e. p = 0.5.
Output Layer: One sigmoid neuron generates a probability score which can mark a sample to be benign or malicious.
The CNN architecture is applied for three different methods, and these methods are shown in
Figure 2.
The three CNN models (Signature, Anomaly, and Hybrid).
In Signature-CNN, the Signature- CNN replaces traditional rule-based signature matching with a convolutional neural network, which is trained on representations of known patterns of malicious activity encoded by RNA. Instead of searching manually through the collection of byte sequences or hash values, the network is trained to identify codon-level motifs which are indicative of malicious flows. While the Anomaly- CNN is trained to identify deviation with the normal network behavior using sequences encoded by RNA. It is not based on predefined attack patterns as compared to the signature model. Finally, the Hybrid-CNN combines the two methods in two-staged pipeline, allowing the Signature-CNN to combine the precision of Anomaly-CNN with the generalization capability. The comparison between the three CNN models is clarified in
Table 3.
Comparison between different CNN models.
Model
Input
Objective
Strengths
Weaknesses
Signature-CNN
RNA-coded sequences of known malicious and benign flows
Detect known attack patterns using learned codon-level motifs
High precision and low FAR
Cannot detect zero-day threats
Anomaly-CNN
RNA-coded mixture of benign and malicious flows
Identify deviations from normal codon distributions
Detects novel and polymorphic malware
Higher false-positive rate
Hybrid-CNN
Two-stage input: Signature-filtered and residual flows
Combine the benefits of both precision and generalization
Best overall accuracy and balance
Slightly higher computational cost
Where the sequence handling all the RNA sequences were truncated or zero padded to a constant length of 2,048 codons to make the input equal. Also, the architectural consistency for the CNN models of the three models have the same architecture (three Conv1D layers with 64-128-256 filters, kernel = 5, ReLU activation, and dropout = 0.5). It is only in training objectives that there is a difference. Finally, the dataset was stratified 70/30 and sampled to maintain the malicious/benign ratio (50/50). These explanations guarantee the maximum reproducibility of the experiment. The CNN model is optimized through Adam optimization algorithm of learning rate 0.001. The training is undertaken through 50 epochs having a batch size that is 32. In a bid to reduce overfitting, dropout regularization, with a dropout rate of 0.5, is used, and early stopping is utilized, on the basis of validation loss. The model is optimized with categorical cross-entropy loss function and the performance of the model is continuously checked on a validation dataset during the training process to ascertain stability and convergence.
3. Results and discussion
The performance of the proposed CNN-based malware detection models is evaluated based on several standard classification metrics were employed, where these metrics are defined and calculated as follow:
Accuracy: Is the ratio of correctly labeled flows to the total number of flows, and it calculate based on the following equation:
Accuracy=TP+TNTP+TN+FP+FN
Detection Rate (Recall): This rate also known as the True Positive Rate (TPR) is a metric that measures the rate of true malicious flows that are detected, and it calculate based on the following equation:
Detection Rate(Recall)=TPTP+FN
Precision: Refers to the ratio of the flows that are predicted to be malicious which actually are malicious, and it calculate based on the following equation:
Precision=TPTP+FP
F1 Score: Is the harmonic mean of Precision and Recall that provides a balanced assessment when there is a tradeoff between the two measures, and it calculate based on the following equation:
F1Score=2×Precision×RecallPrecision+Recall
False Positive Rate (FPR): This value is used to estimate the ratio of false positive results of disproving benign flows, and it calculate based on the following equation:
FPR=FPFP+TN
The identified enhancement of the performance with the help of RNA encoding can be explained by the capacity of the solution to increase the feature representation in the CNN framework. RNA encoding converts the input data into structured and biologically inspired encoding, which adds further diversity and non-linearity to the feature space. This transformation allows the network to pick up more complex and discriminative patterns that might not be available with traditional encoding methods. Additionally, RNA encoding also helps in reducing noise and enhancing generalization as it focuses on meaningful relationships in the data. Due to this, the CNN can develop more resilient features resulting in higher classification accuracy and system performance. The Malicious Network Dataset is used for evaluation the proposed method, where each method (signature, anomaly, or hybrid) is starting by preprocessing the used dataset by removing IP fields, then RNA encoding is applied to all remaining features. Then divided the dataset into training and testing, the training is equal to 70%, while the testing used the rest 30% from the whole dataset. The achieved results for the first method (signature-CNN) are shown in
Table 4. The Signature-CNN was very accurate and reported a low false-positive rate, thus, justifying its accuracy in identifying known malware.
The performance of the Signature-CNN model.
Metric
Result
Accuracy
0.915
Detection Rate
0.89
Precision
0.92
F1 Score
0.90
FPR
0.05
While the obtained results based on the second method (anomaly-CNN) are shown in
Table 5. The Anomaly-CNN was able to achieve higher rate of detection, which revealed that zero-day threats can be spotted with a slight increase in false positives
.
The performance of the Anomaly-CNN model.
Metric
Result
Accuracy
0.93
Detection Rate
0.93
Precision
0.91
F1 Score
0.92
FPR
0.07
On other hand, when utilized the third method (hybrid-CNN), the achieved results are shown in
Table 6. Hybrid-CNN delivered the best trade-off, achieving the best detection rate and F1 score whilst reducing false positives at the same time.
The performance of the Hybrid-CNN model.
Metric
Result
Accuracy
0.95
Detection Rate
0.95
Precision
0.94
F1 Score
0.945
FPR
0.03
Finally, the comparison between the performance of all models (signature, anomaly, and hybrid) are shown in
Table 7 and
Figure 3.
Performance of CNN models.
Method
Accuracy
Detection rate
Precision
F1 score
FPR
Signature-CNN
0.91
0.89
0.92
0.905
0.05
Anomaly-CNN
0.93
0.93
0.91
0.92
0.07
Hybrid-CNN
0.95
0.95
0.94
0.945
0.03
Comparison of Signature-CNN, Anomaly-CNN and Hybrid-CNN on the malicious network dataset.
As shown in
Table 7, the achieved results based on hybrid-CNN are achieved the best results over the two others methods, where the obtained accuracy, detection rate, precision, F1 score, and FPR are equal to 95%, 95%, 94%, 94.5%, and 3% respectively. The Hybrid-CNN may be explained by the possibility of making decisions in two stages. The first stage filters familiar malicious patterns and the latter extrapolates to unknown codon patterns. This is a combination that reduces the antagonism of sensitivity and specificity. As compared to the Anomaly- CNN, however, it has a slightly higher recall with more false positives since it does not identify exact patterns but only the deviations. The Signature-CNN is also accurate to known dangers but does not have generalization and this is the reason behind its slightly lower recall.
The proposed method achieved results are compared with classical machine learning models (Random Forest, and XGBoost) and deep models (RNN, CNN-BiLSTM and AE-LSTM) and this comparison is shown in
Table 8.
Comparison of proposed models with existing baselines.
Model
Accuracy
Detection rate
Precision
F1 score
FPR
Random Forest
0.87
0.84
0.86
0.85
0.09
XGBoost
0.89
0.87
0.88
0.875
0.08
RNN
0.91
0.89
0.90
0.895
0.07
LSTM
0.92
0.90
0.91
0.905
0.06
CNN-BiLSTM (Wang et al., 2024)
0.93
0.92
0.92
0.92
0.05
Hybrid AE-LSTM (Xue et al., 2025)
0.94
0.93
0.93
0.93
0.04
Hybrid-CNN (Proposed)
0.95
0.95
0.94
0.945
0.03
As shown in
Table 8, The Hybrid-CNN achieved better results than the traditional and deep learning methods. Where the proposed method achieved the highest accuracy, detection rate, precision, and F1-score, where these results are equal to 95%, 95%, 94%, and 94.5% respectively. Also, the obtained FPR results are the lowest and equal to 3%. This has been enhanced by the fact that it has RNA encoding that maintains semantical links between traffic features and increases the pattern recognition capability of the CNN.
3.1 Computational efficiency
The experiments were being carried out on the NVIDIA RTX-4090 graphics card with 24 GB VRAM. The Signatures CNN took 1.8 hours for training, Anomaly CNN 2.3 hours and the Hybrid CNN 2.7 hours to training. The mean inference latency (per flow) was 2.1 ms, 2.4 ms and 3.0 ms respectively. Despite the fact that Hybrid-CNN is the most expensive in terms of computation since it involves two stages of evaluation, it is still capable of deployment in near-real-time and takes much less time than recurrent models, including LSTM and AE-LSTM.
4. Conclusion
This work proposed an integrated malware detector model based on CNN, which was built on RNA encoding and implemented on Malicious Network Dataset. Restructuring signature, anomaly, and hybrid detection as CNN-based paradigms, the system achieves strong performance across all detection modes. The Hybrid-CNN achieved the best results, having 95% of detection, and the same time, minimized false-positive risks. Future directions will be to extrapolate the proposed technique to bigger and more heterogeneous datasets to further test the generalization capability of the technique. Moreover, hybrid deep learning models, including CNN architecture and the use of transformer-based methods, will be considered to improve feature learning. The other valuable direction is the optimization of the model to real-time applications and minimization of the complexity of the computation. Also, the exploration of other bio-inspired encoding methods can offer further enhancements in feature representation and efficiency of the model.
This study uses a publicly available dataset that was originally published by Saadoon and Behadili (2024). The authors did not generate the dataset themselves. The repository contains all underlying data required to reproduce the results reported in this article, including raw network flow records labeled as benign or malicious and all variables used in the experiments (protocol type, port numbers, hash values, payload length, encoded payload data, and class labels). The dataset is openly accessible and released under an open license permitting reuse, with no embargo or access restrictions.
Data are available under the terms of the
Creative Commons Attribution 4.0 International license (CC-BY 4.0).
ReferencesAlrayesFSAminSUHakamiNA:
Intrusion Detection Model on Network Data with Deep Adaptive Multi-Layer Attention Network (DAMLAN).CMES - Computer Modeling in Engineering and Sciences.2025;144(1):581–614.
10.32604/cmes.2025.065188ChenZZouHHuT:
A network intrusion detection system based on self-supervised learning of traffic differentiation in Internet of Things.Eng. Appl. Artif. Intell.2025;160:111973.
10.1016/j.engappai.2025.111973RashidOFOthmanZAZainudinS:
Matching algorithms for intrusion detection system based on DNA encoding.J. Theor. Appl. Inf. Technol.2018;96(24):8410–8420.HossainMA:
FED-GEM-CN: A federated dual-CNN architecture with contrastive cross-attention for maritime radar intrusion detection.Array.2025;27:100456.
10.1016/j.array.2025.100456YangKWangJZhaoG:
NIDS-CNNRF integrating CNN and random forest for efficient network intrusion detection model.Internet of Things.2025;32.
10.1016/j.iot.2025.101607XueYKangCYuH:
HAE-HRL: A network intrusion detection system utilizing a novel autoencoder and a hybrid enhanced LSTM-CNN-based residual network.Comput. Secur.2025;151:104328.
10.1016/j.cose.2025.104328KaissarABou NassifASoudanB:
Enhancing CNN-based network intrusion detection through hyperparameter optimization.Intelligent Systems with Applications.2025;26:200528.
10.1016/j.iswa.2025.200528AlrayesFSZakariahMAminSU:
CNN Channel Attention Intrusion Detection System Using NSL-KDD Dataset, Computers.Materials and Continua.2024;79(3):4319–4347.
10.32604/cmc.2024.050586WangLDaiQDuT:
Lightweight intrusion detection model based on CNN and knowledge distillation.Appl. Soft Comput.2024;165:112118.
10.1016/j.asoc.2024.112118BanYZhangDHeQ:
APSO-CNN-SE: An Adaptive Convolutional Neural Network Approach for IoT Intrusion Detection, Computers.Materials and Continua.2024;81(1):567–601.
10.32604/cmc.2024.055007WangJSiCWangZ:
A New Industrial Intrusion Detection Method Based on CNN-BiLSTM, Computers.Materials and Continua.2024;79(3):4297–4318.
10.32604/cmc.2024.050223AltunayHCAlbayrakZ:
A hybrid CNN+LSTM-based intrusion detection system for industrial IoT networks, Engineering Science and Technology.An International Journal.2023;38:101322.
10.1016/j.jestch.2022.101322HouTXingHLiangX:
Network intrusion detection based on DNA spatial information.Comput. Netw.2022;217:109318.
10.1016/j.comnet.2022.109318SubhiMARashidOFAbdulsahibSA:
Anomaly Intrusion Detection Method based on RNA Encoding and ResNet50 Model.Mesopotamian Journal of CyberSecurity.2024;4(2):120–128.
10.58496/MJCS/2024/011SaadoonMSBehadiliSF:
malicious network dataset.[Data set].
Zenodo.2024.
10.5281/zenodo.1545346810.5256/f1000research.199234.r483152Reviewer response for version 2ZaidiAtif Raza1Refereehttps://orcid.org/0000-0003-0824-3165
TIMES University, Multan, Pakistan
Competing interests: No competing interests were disclosed.
The manuscript presents an interesting and relevant study on malware detection using RNA-inspired encoding with CNN-based models. The topic is relevant to network security and malware detection. The proposed approach is interesting, and the reported results are encouraging. However, the following suggestions are offered to further improve technical validation of the work.
1. The RNA-inspired encoding is a central contribution of the paper. Therefore, an ablation experiment comparing CNN with RNA encoding and CNN without RNA encoding would help show the direct impact of the proposed encoding scheme.
2. The architecture description mentions a single sigmoid output neuron, while the training description refers to categorical cross-entropy loss. The authors should clarify the exact loss function used and ensure that it is consistent with the output layer configuration.
3. The manuscript mentions that the dataset was sampled using a 50/50 malicious-benign ratio. However, the exact number of benign and malicious samples should be clearly reported.
4. The results would be more transparent if confusion matrices were added for Signature-CNN, Anomaly-CNN, and Hybrid-CNN. This would help readers directly observe TP, TN, FP, and FN values behind the reported metrics.
5. The authors mention that Python and deep learning libraries were used, but the specific tools and library versions are not clearly provided. It would be useful to mention details such as TensorFlow.
6. Although the manuscript has improved, a final proofreading pass is still recommended to address minor grammatical and stylistic issues. For example, some phrases such as “built by combining of,” and “Where the mapping rules as follow” may be revised for smoother academic readability.
7. The paper already mentions training settings such as epochs, batch size, optimizer, learning rate, dropout, and early stopping. As an optional improvement, the authors may also consider adding training and validation accuracy/loss curves to show model convergence and overfitting behavior.
Is the work clearly and accurately presented and does it cite the current literature?
Partly
If applicable, is the statistical analysis and its interpretation appropriate?
Partly
Are all the source data underlying the results available to ensure full reproducibility?
Yes
Is the study design appropriate and is the work technically sound?
Yes
Are the conclusions drawn adequately supported by the results?
Partly
Are sufficient details of methods and analysis provided to allow replication by others?
Partly
Reviewer Expertise:
Cybersecurity, Android malware detection, machine learning, and deep learning
I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.
Fitian RashidOmar
Competing interests: No competing interests were disclosed.
2652026
Reviewer Comments
Comment 1:The RNA-inspired encoding is a central contribution of the paper. Therefore, an ablation experiment comparing CNN with RNA encoding and CNN without RNA encoding would help show the direct impact of the proposed encoding scheme.
Response: Thank you for this valuable suggestion. An ablation study comparing the CNN model with and without RNA encoding has now been added to better demonstrate the contribution of the proposed RNA-inspired encoding scheme. The additional experiment confirms that RNA encoding improves feature representation and enhances malware detection performance across all evaluation metrics.
Comment 2: The architecture description mentions a single sigmoid output neuron, while the training description refers to categorical cross-entropy loss. The authors should clarify the exact loss function used and ensure that it is consistent with the output layer configuration.
Response: Thank you for identifying this inconsistency. The manuscript has been revised to clarify that the models use a single sigmoid output neuron with binary cross-entropy loss because the task is binary malware classification.
Comment 3:The manuscript mentions that the dataset was sampled using a 50/50 malicious-benign ratio. However, the exact number of benign and malicious samples should be clearly reported.
Response: Thank you for this observation. The manuscript has been revised to explicitly report the number of benign and malicious samples used in the experiments.
Comment 4: The results would be more transparent if confusion matrices were added for Signature-CNN, Anomaly-CNN, and Hybrid-CNN. This would help readers directly observe TP, TN, FP, and FN values behind the reported metrics.
Response: Thank you for this constructive recommendation. Confusion matrices for Signature-CNN, Anomaly-CNN, and Hybrid-CNN have now been added to provide a clearer representation of TP, TN, FP, and FN values.
Comment 5:The authors mention that Python and deep learning libraries were used, but the specific tools and library versions are not clearly provided. It would be useful to mention details such as TensorFlow.
Response: Thank you for the helpful suggestion. The implementation details have now been expanded to include the software environment and deep learning libraries used in the experiments.
Comment 6:Although the manuscript has improved, a final proofreading pass is still recommended to address minor grammatical and stylistic issues. For example, some phrases such as “built by combining of,” and “Where the mapping rules as follow” may be revised for smoother academic readability.
Response: Thank you for the careful review. The manuscript has undergone an additional proofreading pass to improve grammatical accuracy, sentence clarity, and academic readability.
Comment 7: The paper already mentions training settings such as epochs, batch size, optimizer, learning rate, dropout, and early stopping. As an optional improvement, the authors may also consider adding training and validation accuracy/loss curves to show model convergence and overfitting behavior.
Response: Thank you for the careful review. The manuscript has undergone an additional proofreading pass to improve grammatical accuracy, sentence clarity, and academic readability.
10.5256/f1000research.191689.r474768Reviewer response for version 1SubhiMohammed12Referee
Directorate of Private University Education,, Baghdad, 10011,, Iraq
Department of Cybersecurity/ Directorate of Information Technology, Iraqi Ministry of Higher Education and Scientific Research, Baghdad, Baghdad, Iraq
Competing interests: No competing interests were disclosed.
The manuscript presents an interesting and timely study on malware detection using RNA encoding combined with CNN architectures. The idea of integrating biologically inspired encoding with deep learning models is promising and shows potential for improving detection performance. However, several issues should be addressed to enhance the clarity, rigor, and overall quality of the manuscript.
1. The abstract is generally well-structured; however, it would benefit from including additional details such as the dataset size and key aspects of the experimental setup to improve completeness.
2. The introduction provides a relevant background, but the manuscript requires careful language editing to correct grammatical issues and improve readability.
3. The related work section is comprehensive; however, it would be strengthened by adding a more critical analysis that clearly identifies the limitations of existing approaches and positions the proposed method accordingly.
4. The description of the CNN architecture is clear, but important training details such as optimizer type, learning rate, batch size, and number of epochs are missing and should be provided.
5. The discussion section would benefit from deeper insights into why RNA encoding enhances CNN performance, particularly from a feature representation perspective.
6. The conclusion is appropriate, but the future work section could be made more specific by outlining concrete and actionable research directions.
Is the work clearly and accurately presented and does it cite the current literature?
Partly
If applicable, is the statistical analysis and its interpretation appropriate?
Partly
Are all the source data underlying the results available to ensure full reproducibility?
No source data required
Is the study design appropriate and is the work technically sound?
Yes
Are the conclusions drawn adequately supported by the results?
Partly
Are sufficient details of methods and analysis provided to allow replication by others?
Partly
Reviewer Expertise:
Machine leaarning, artificial intelligience, Iot applications, and AI in security applications
I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.
Fitian RashidOmar
Competing interests: No competing interests were disclosed.
2142026
Reviewer Comments
Comment 1:
The abstract is generally well-structured; however, it would benefit from including additional details such as the dataset size and key aspects of the experimental setup to improve completeness.
Response:
Thank you for this valuable suggestion. The abstract has been revised to include the dataset size and key elements of the experimental setup, including the type of data used and evaluation protocol.
Comment 2:
The introduction provides a relevant background, but the manuscript requires careful language editing to correct grammatical issues and improve readability.
Response:
We appreciate this observation. The manuscript has undergone thorough language editing to improve grammar, sentence structure, and overall readability.
Comment 3:
The related work section is comprehensive; however, it would be strengthened by adding a more critical analysis that clearly identifies the limitations of existing approaches and positions the proposed method accordingly.
Response:
Thank you for this insightful comment. A critical analysis has been incorporated to highlight the limitations of existing methods and to clearly position the novelty and advantages of the proposed approach.
Comment 4:
The description of the CNN architecture is clear, but important training details such as optimizer type, learning rate, batch size, and number of epochs are missing and should be provided.
Response:
We appreciate this important suggestion. The training configuration details have been added to ensure reproducibility of the proposed method.
Comment 5:
The discussion section would benefit from deeper insights into why RNA encoding enhances CNN performance, particularly from a feature representation perspective.
Response:
Thank you for this constructive feedback. The discussion has been expanded to provide deeper insights into how RNA encoding improves feature representation and contributes to enhanced CNN performance.
Comment 6:
The conclusion is appropriate, but the future work section could be made more specific by outlining concrete and actionable research directions.
Response:
We appreciate this suggestion. The future work section has been revised to include specific and actionable research directions.