Malware Detection Using RNA Encoding and Convolutional Neural Networks on the Malicious Network Dataset

Omar Fitian Rashid; Senan Ali Abd; Humam Al-Shahwani

doi:10.12688/f1000research.173837.3

Home Browse Malware Detection Using RNA Encoding and Convolutional Neural Networks...

ALL Metrics

Views

Downloads

Get PDF

Get XML

Export

▬

✚

Research Article

Revised

Malware Detection Using RNA Encoding and Convolutional Neural Networks on the Malicious Network Dataset

[version 3; peer review: 2 approved with reservations]

Omar Fitian Rashid ¹, Senan Ali Abd², Humam Al-Shahwani¹

PUBLISHED 03 Jun 2026

Author details Author details

¹ Department of Geology, University of Baghdad, Baghdad, Baghdad Governorate, Iraq
² Department of Cybersecurity, College of Information Technology, University of Fallujah, Al-Fallujah, Al Anbar Governorate, Iraq
³ Department of Computer Science, College of Science, University of Baghdad, Baghdad, Baghdad Governorate, Iraq

Omar Fitian Rashid
Roles: Methodology, Writing – Review & Editing

Senan Ali Abd
Roles: Writing – Original Draft Preparation

Humam Al-Shahwani
Roles: Writing – Review & Editing

OPEN PEER REVIEW

REVIEWER STATUS

This article is included in the Software and Hardware Engineering gateway.

This article is included in the Fallujah Multidisciplinary Science and Innovation gateway.

Abstract

Background

The detection of malware in network traffic remains a critical cybersecurity challenge. Traditional signature-based intrusion detection demonstrates a high level of familiarity with issues that have been recorded in the database; but show significantly lower effectiveness when it comes to polymorphic or zero-day attacks. Conversely, anomaly-based approaches are also endowed with the ability to detect new incursions, but often have a high false-positive rate.

Methods

This study proposes a combined malware-detection framework which makes use of RNA encoding network-flow attributes alongside Convolutional Neural Network (CNN) classifiers. The framework has three functionalities: a Signature-CNN, which is trained on RNA-encoded representation of known malicious flows; an Anomaly-CNN, which is developed to distinguish between benign and malicious traffic without any signature prior knowledge; and a Hybrid-CNN, which combines both paradigms in a two-stage detection pipeline.

Results

The research is carried out on the 10,000 samples that are split into training and testing subsets based on the 70/30 split strategy. The given model is trained in the context of a supervised learning model and assessed in terms of common performance metrics, such as accuracy, precision, recall, and F1-score. The experimental design is written in Python and deep learning libraries, so that the evaluation environment of all experiments is consistent and reproducible. Experiments conducted on the Malicious Network Dataset show that the Signature-CNN achieves 91% accuracy with strong precision on known threats, the Anomaly-CNN achieves 93% detection rate on unknown malware, and the Hybrid-CNN achieves the best overall performance with 95% detection rate and 94.5% F1 score.

Conclusions

The results demonstrate that RNA encoding combined with CNN classifiers offers a robust and scalable solution for malware detection in networked environments.

Keywords

Malware Detection, RNA Encoding, Convolutional Neural Networks, Network Security, Malicious Network Dataset

Corresponding author: Omar Fitian Rashid

Competing interests: No competing interests were disclosed.

Grant information: The author(s) declared that no grants were involved in supporting this work.

Copyright: © 2026 Fitian Rashid O et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to cite: Fitian Rashid O, Ali Abd S and Al-Shahwani H. Malware Detection Using RNA Encoding and Convolutional Neural Networks on the Malicious Network Dataset [version 3; peer review: 2 approved with reservations]. F1000Research 2026, 15:241 (https://doi.org/10.12688/f1000research.173837.3) First published: 12 Feb 2026, 15:241 (https://doi.org/10.12688/f1000research.173837.1) Latest published: 03 Jun 2026, 15:241 (https://doi.org/10.12688/f1000research.173837.3)

Revised Amendments from Version 2

The revised version of this article includes several important improvements based on reviewer comments and suggestions. First, an ablation study was added to evaluate the direct impact of the proposed RNA-inspired encoding scheme by comparing the CNN model with and without RNA encoding. The new results demonstrate that RNA encoding significantly improves feature representation and malware detection performance. Second, the manuscript now clarifies the training configuration by specifying that the models use a single sigmoid output neuron with a binary cross-entropy loss function, ensuring consistency between the architecture and optimization process.

Additional methodological details were also incorporated, including the explicit reporting of the benign and malicious dataset distribution, implementation environment, and software libraries used in the experiments, such as Python, TensorFlow, Keras, NumPy, and Scikit-learn. Furthermore, confusion matrices for the Signature-CNN, Anomaly-CNN, and Hybrid-CNN models were added to provide a clearer interpretation of TP, TN, FP, and FN values behind the reported evaluation metrics.

To further improve transparency, training and validation accuracy/loss curves were included to demonstrate stable convergence behavior and the effectiveness of dropout regularization and early stopping in reducing overfitting. Finally, the manuscript underwent an additional proofreading and language refinement process to improve grammatical accuracy, clarity, and overall academic readability.

See the authors' detailed response to the review by Atif Raza Zaidi
See the authors' detailed response to the review by Mohammed Subhi

1. Introduction

The exponential growth of networked systems proliferation has led to an equivalent increase in advanced malware attacks. Intrusion detection systems (IDS) continue to play a central role in the protection of digital infrastructure; however, modern practices are characterized by severe limitations.¹ Signature-based IDS rely on a set of pre-defined rules or patterns, and these systems are effective only against previously identified threats. Anomaly-based IDS attempt to detect deviations from normal behavior, and has the ability to detect zero-day attacks, but often generate a high false positive. To address these limitations, a hybrid architecture has arisen, combining the benefits of each of the system.^2,3

There have been recent studies into how deep-learning architectures, especially convolutional neural networks (CNNs) and recurrent neural networks (RNNs), can be applied to the problems of IDS, with promising results. A novel intrusion detection method based on learning framework is proposed,⁴ where the proposed method is done by using dual parallel CNN pipelines to independently address the network and radar features. A new intrusion detection model is suggested by,⁵ where this model combines CNN and Random Forest. The CNN is utilized to extract the feature, and the Random Forest is used for classification. An IDS is proposed by combining an innovative hybrid Autoencoder with an enhanced LSTM-CNN architecture,⁶ where the proposed method can enhance the detection capabilities more quickly and efficiently. Kaissar et al.⁷ investigates the optimization of hyperparameters in CNN to enhance the NIDS performance, where Grid Search, Genetic Algorithm, Particle Swarm Optimization, and Grey Wolf Optimization algorithms are used for this purpose. Alrayes et al.⁸ suggested a novel IDS by combining channel attention and CNN, where the suggested method has exceptional accuracy when applied it to NSL-KDD dataset. A new IDS model is built based on CNN and knowledge distillation,⁹ this model using two-dimensional Fourier transform for converting the grayscale images to the frequency domain, and this led to enhanced the similarity between neighboring pixels to address data effectively. Ban et al.¹⁰ suggested an enhanced deep-learning model for IDS in IoT environment, where the suggested model is depending on CNN as the backbone network in the constructed model. A hybrid deep learning IDS is proposed by¹¹ based on CNN and bidirectional long short-term memory neural networks, where the proposed system is enhanced the model’s ability to detect patterns in both minority and majority classes. Altunay and Albayrak¹² developed IDS in the IIoT networks, where the suggest system is done by using three different deep learning architectures, which are CNN, Long Short-Term Memory (LSTM), and the combination of these two methods.

Parallel Encodings Biologically inspired encodings, like mappings to DNA and RNA sequences, have been proposed to convert heterogeneous data to symbolic strings.^13,14 Nevertheless, there is limited evidence in the extant literature of the integration of RNA encodings with CNN classifiers in the entire range of detection paradigms: signature, anomaly, and hybrid. The current paper seals this gap by suggesting a CNN-based model which incorporates these complementary detection schemes. Despite the good outcomes of the current methods, a number of shortcomings still exist. Most CNN-based approaches use traditional data representations, which might not best represent intricate feature interactions, leading to worse performance in adverse conditions. Moreover, certain methods have higher computational costs and reduced resilience to a variety of data or when used on noisy data. These drawbacks indicate why encoding methods should be more effective and articulate. Here the proposed approach refers to encoding based on RNA to increase the feature representation to allow the model to learn more discriminative features to enhance the performance of the model in comparison with the current methods.

2. Methodology

The proposed malware detection system is built by combining RNA-inspired encoding of the network traffic characteristics and the convolutional neural network (CNN) classification. Unlike traditional intrusion detection system models that treat signature-based and anomaly-based detection methodologies as dissimilar entities, the current system integrates both of them in a single deep learning pipeline. In this pipeline, CNN models that are trained on sequences coded using the RNA-inspired methodology concurrently address signature-based, anomaly-based, and hybrid detection. The steps of the proposed system are shown in Figure 1.

Figure 1. Flow chart of the suggested malware detection system with RNA encoding and CNN classification pipeline.

2.1 Dataset description

The Malicious Network Dataset is a new dataset that was collected using honeypots deployed with the Honeytrap agent. The dataset consists of 9 features that represent various aspects of network traffic, including both structural and payload data.¹⁵ These features are shown in Table 1 as follows:

Table 1. The malicious network dataset values and its descriptions.¹⁵

Feature	Column	Possible values
1	Protocol	TCP, IP
2	remote_ip	Too many unique values (10,951). Example: ['35.203.211.180', '180.93.172.180', '81.17.19.66', '0.0.0.0', '94.23.145.155']
3	remote_port	Numeric range: 0 – 65535 (unique=28,920)
4	local_ip	Too many unique values (4,030). Example: ['165.227.180.71', '0.0.0.0', '192.168.202.139', '157.240.11.61', '192.168.11.143']
5	local_port	Numeric range: 0 – 65535 (unique=11,985)
6	md5_hash	Too many unique values (13,732). Example: ['1fb4aeaab94ca27d2e5dfaa47e11a6fb', 'd41d8cd98f00b204e9800998ecf8427e', '19b893b938ace1defe7d090e510f0618', “, '59b490c4ab003464ca03428b3fc63222']
7	sha512_hash	Too many unique values (13,732). Example: ['a6d4f36a2a8d5b5ea7e6afe91d4a80e7a9ae2129ebf4791a4d74b7ea003420c2…', 'cf83e1357eefb8bdf1542850d66d8007…', 'f060846cbf02e31706d5d0fe781d7007…', “, '922450f93e933de877934cee97339ae6…']
8	Length	Numeric range: 0 – 1448 (unique = 1,038)
9	data_hex	Too many unique values (13,732). Example: ['16030100ca010000c60303918984ed51d5c0b8d4cfad730a16a4efb24b004062e21…', “, '50100', '0', '474554202f20485454502f312e310d0a486f7374…']
10	Class	'malicious' or 'benign'.

2.2 RNA encoding of network features

Network flows in the Malicious Network Dataset comprise heterogeneous attributes, such as protocol types, port numbers, cryptographic hashes, packet lengths, and payloads. Such attributes are of different scales and representation thus complicating direct modeling. In this spirit we introduce a biologically inspired RNA encoding scheme where each element is coded to a fixed set of codons. The mapping rules as follow:

○ Remote ip and local ip attributes were eliminated, because a malware detection model must identify malicious signatures regardless of the source and destination IP addresses, and these ips do not provide meaningful behavioral indicators of malware.
○ Protocol identifiers (e.g., TCP, IP) are assigned codons such as TCP → G, IP → U.
○ Numerical fields (ports, lengths) are separated into digits, each mapped to a codon, where each digit is represented by two RNA characters, e.g., 0 → CG, 1 → AC, and so on.
○ Hexadecimal payload values are mapped similarly, where each character is represented by two RNA characters, e.g., a → AU, b → UU, and so on.
○ The hash values, containing both MD5 and SHA512 are divided into single characters and coded into codons, thus, making sure that each unique character is represented by a deterministic codon.
○ For each flow, codon sequences from all fields are concatenated in the following order: [protocol] → [remote port] → [local port] → [MD5] → [SHA512] → [length] → [payload].
○ The built RNA encoding for all possible malicious network dataset records values is shown in Table 2.

Table 2. RNA encoding for malicious network dataset records values.

Value	RNA encoding
TCP	G
IP	U
0	CG
1	AC
2	GG
3	UA
4	CC
5	GA
6	UC
7	AA
8	GU
9	UG
a	AU
b	UU
c	CA
d	AG
e	CU
f	GC

This mapping transforms a wide range of categorical and string features into structured RNA codon sequences, thus making training of convolutional neural networks on homogeneous sequential inputs possible.

2.3 CNN architecture

The coded messages are fed into a Convolutional Neural Network (CNN) that picks up discriminative features at a variety of levels of abstraction as follow:

○ Embedding: The codons are first mapped to dense vectors of dimension, d = 32. This embedding is learnt alongside the classifier, thus, encoding similarities between codons.
○ Convolutional: A number of one-dimensional convolutional layers are used, the size of which varies between 5 and 7. These filters identify a local pattern in the codon sequences e.g., repeated sequences which can be an indication of malicious activity. An example would be to have a convolution filter that is trained to identify the codon sequence of known back door ports.
○ Pooling: The feature maps are down sampled through max-pooling, and the most conspicuous features are retained, with a lower computational cost.
○ Global Average Pooling: In order to generalize over a wide range of lengths of variable sequences and reduce overfitting, global average pooling is done to aggregate the feature maps into fixed-size vectors.
○ Dense Layers: The learned features are combined in fully connected layers (64 units) that use ReLU activation. To inhibit overfitting, dropout regularization is used, with a temporary activation of neurons in the course of training, i.e. p = 0.5.
○ Output Layer: One sigmoid neuron generates a probability score which can mark a sample to be benign or malicious.
○ The CNN architecture is applied for three different methods, and these methods are shown in Figure 2.

Figure 2. The three CNN models (Signature, Anomaly, and Hybrid).

In Signature-CNN, the Signature- CNN replaces traditional rule-based signature matching with a convolutional neural network, which is trained on representations of known patterns of malicious activity encoded by RNA. Instead of searching manually through the collection of byte sequences or hash values, the network is trained to identify codon-level motifs which are indicative of malicious flows. While the Anomaly- CNN is trained to identify deviation with the normal network behavior using sequences encoded by RNA. It is not based on predefined attack patterns as compared to the signature model. Finally, the Hybrid-CNN combines the two methods in two-staged pipeline, allowing the Signature-CNN to combine the precision of Anomaly-CNN with the generalization capability. The comparison between the three CNN models is clarified in Table 3.

Table 3. Comparison between different CNN models.

Model	Input	Objective	Strengths	Weaknesses
Signature-CNN	RNA-coded sequences of known malicious and benign flows	Detect known attack patterns using learned codon-level motifs	High precision and low FAR	Cannot detect zero-day threats
Anomaly-CNN	RNA-coded mixture of benign and malicious flows	Identify deviations from normal codon distributions	Detects novel and polymorphic malware	Higher false-positive rate
Hybrid-CNN	Two-stage input: Signature-filtered and residual flows	Combine the benefits of both precision and generalization	Best overall accuracy and balance	Slightly higher computational cost

Where the sequence handling all the RNA sequences were truncated or zero padded to a constant length of 2,048 codons to make the input equal. Also, the architectural consistency for the CNN models of the three models have the same architecture (three Conv1D layers with 64-128-256 filters, kernel = 5, ReLU activation, and dropout = 0.5). It is only in training objectives that there is a difference. Finally, the dataset was stratified 70/30 and sampled to maintain the malicious/benign ratio (50/50). In particular, the amount of 10000 malicious and 10000 benign samples were maintained to be equal when training and testing the experimental dataset. These explanations guarantee the maximum reproducibility of the experiment. The CNN model is optimized through Adam optimization algorithm of learning rate 0.001. The training is undertaken through 50 epochs having a batch size that is 32. In a bid to reduce overfitting, dropout regularization, with a dropout rate of 0.5, is used, and early stopping is utilized, on the basis of validation loss. The model has one output neuron (sigmoid) for binary classification, and optimization is done using the binary cross-entropy loss function. During training, the Adam optimizer with a learning rate of 0.001 is used.

Deep learning model development was done with the help of Python 3.11, TensorFlow 2.15, and Keras. Other libraries used were NumPy for numerical computation, Pandas for data preprocessing and Scikit-learn for evaluation metrics and splitting the data. All experiments were performed on an NVIDIA RTX-4090 with 24GB of VRAM.

3. Results and discussion

The performance of the proposed CNN-based malware detection models is evaluated based on several standard classification metrics were employed, where these metrics are defined and calculated as follow:

○ Accuracy: Is the ratio of correctly labeled flows to the total number of flows, and it calculate based on the following equation:
$Accuracy = \frac{TP + TN}{TP + TN + FP + FN}$

○ Detection Rate (Recall): This rate also known as the True Positive Rate (TPR) is a metric that measures the rate of true malicious flows that are detected, and it calculate based on the following equation:
$Detection Rate (Recall) = \frac{TP}{TP + FN}$

○ Precision: Refers to the ratio of the flows that are predicted to be malicious which actually are malicious, and it calculate based on the following equation:
$Precision = \frac{TP}{TP + FP}$

○ F1 Score: Is the harmonic mean of Precision and Recall that provides a balanced assessment when there is a tradeoff between the two measures, and it calculate based on the following equation:
$F 1 Score = 2 \times \frac{Precision \times Recall}{Precision + Recall}$

○ False Positive Rate (FPR): This value is used to estimate the ratio of false positive results of disproving benign flows, and it calculate based on the following equation:
$FPR = \frac{FP}{FP + TN}$

The identified enhancement of the performance with the help of RNA encoding can be explained by the capacity of the solution to increase the feature representation in the CNN framework. RNA encoding converts the input data into structured and biologically inspired encoding, which adds further diversity and non-linearity to the feature space. This transformation allows the network to pick up more complex and discriminative patterns that might not be available with traditional encoding methods. Additionally, RNA encoding also helps in reducing noise and enhancing generalization as it focuses on meaningful relationships in the data. Due to this, the CNN can develop more resilient features resulting in higher classification accuracy and system performance. The Malicious Network Dataset is used for evaluation the proposed method, where each method (signature, anomaly, or hybrid) is starting by preprocessing the used dataset by removing IP fields, then RNA encoding is applied to all remaining features. Then divided the dataset into training and testing, the training is equal to 70%, while the testing used the rest 30% from the whole dataset. The achieved results for the first method (signature-CNN) are shown in Table 4. The Signature-CNN was very accurate and reported a low false-positive rate, thus, justifying its accuracy in identifying known malware.

Table 4. The performance of the Signature-CNN model.

Metric	Result
Accuracy	0.915
Detection Rate	0.89
Precision	0.92
F1 Score	0.90
FPR	0.05

While the obtained results based on the second method (anomaly-CNN) are shown in Table 5. The Anomaly-CNN was able to achieve higher rate of detection, which revealed that zero-day threats can be spotted with a slight increase in false positives .

Table 5. The performance of the Anomaly-CNN model.

Metric	Result
Accuracy	0.93
Detection Rate	0.93
Precision	0.91
F1 Score	0.92
FPR	0.07

On other hand, when utilized the third method (hybrid-CNN), the achieved results are shown in Table 6. Hybrid-CNN delivered the best trade-off, achieving the best detection rate and F1 score whilst reducing false positives at the same time.

Table 6. The performance of the Hybrid-CNN model.

Metric	Result
Accuracy	0.95
Detection Rate	0.95
Precision	0.94
F1 Score	0.945
FPR	0.03

Finally, the comparison between the performance of all models (signature, anomaly, and hybrid) are shown in Table 7 and Figure 3.

Table 7. Performance of CNN models.

Method	Accuracy	Detection rate	Precision	F1 score	FPR
Signature-CNN	0.91	0.89	0.92	0.905	0.05
Anomaly-CNN	0.93	0.93	0.91	0.92	0.07
Hybrid-CNN	0.95	0.95	0.94	0.945	0.03

Figure 3. Comparison of Signature-CNN, Anomaly-CNN and Hybrid-CNN on the malicious network dataset.

As shown in Table 7, the Hybrid-CNN achieved the best overall results among the evaluated methods, where the obtained accuracy, detection rate, precision, F1 score, and FPR are equal to 95%, 95%, 94%, 94.5%, and 3% respectively. The Hybrid-CNN may be explained by the possibility of making decisions in two stages. The first stage filters familiar malicious patterns and the latter extrapolates to unknown codon patterns. This is a combination that reduces the antagonism of sensitivity and specificity. As compared to the Anomaly-CNN, however, it has a slightly higher recall with more false positives since it does not identify exact patterns but only the deviations. The Signature-CNN is also accurate to known dangers but does not have generalization and this is the reason behind its slightly lower recall. In order to get more in-depth knowledge of classification behavior of proposed models, confusion matrices for Signature-CNN, Anomaly-CNN, and Hybrid-CNN are shown in Figure 4. These matrices show the distribution of true positive (TP), true negative (TN), false positive (FP) and false negative (FN) cases and provide a clearer picture of the reported evaluation metrics.

Figure 4. Confusion matrices of the proposed Signature-CNN, Anomaly-CNN, and Hybrid-CNN models on the Malicious Network Dataset.

The training and validation accuracy/loss curve of the proposed Hybrid-CNN model are shown in Figure 5. The curves show that the algorithm converged in a stable manner during training and that the different measures taken to prevent overfitting (dropout regularization, early stopping) did not seem to sacrifice generalization ability.

Figure 5. The training and validation accuracy and loss curves of the proposed Hybrid-CNN model. Curves show stable convergence during training, and that dropout regularization and early stopping proved to be effective in decreasing overfitting while keeping good generalization performance.

The proposed method achieved results are compared with classical machine learning models (Random Forest, and XGBoost) and deep models (RNN, CNN-BiLSTM and AE-LSTM) and this comparison is shown in Table 8.

Table 8. Comparison of proposed models with existing baselines.

Model	Accuracy	Detection rate	Precision	F1 score	FPR
Random Forest	0.87	0.84	0.86	0.85	0.09
XGBoost	0.89	0.87	0.88	0.875	0.08
RNN	0.91	0.89	0.90	0.895	0.07
LSTM	0.92	0.90	0.91	0.905	0.06
CNN-BiLSTM (Wang et al., 2024)	0.93	0.92	0.92	0.92	0.05
Hybrid AE-LSTM (Xue et al., 2025)	0.94	0.93	0.93	0.93	0.04
Hybrid-CNN (Proposed)	0.95	0.95	0.94	0.945	0.03

As shown in Table 8, The Hybrid-CNN achieved better results than the traditional and deep learning methods. Where the proposed method achieved the highest accuracy, detection rate, precision, and F1-score, where these results are equal to 95%, 95%, 94%, and 94.5% respectively. Also, the obtained FPR results are the lowest and equal to 3%. This has been enhanced by the fact that it has RNA encoding that maintains semantical links between traffic features and increases the pattern recognition capability of the CNN.

3.1 Computational efficiency

The experiments were being carried out on the NVIDIA RTX-4090 graphics card with 24 GB VRAM. The Signatures CNN took 1.8 hours for training, Anomaly CNN 2.3 hours and the Hybrid CNN 2.7 hours to training. The mean inference latency (per flow) was 2.1 ms, 2.4 ms and 3.0 ms respectively. Despite the fact that Hybrid-CNN is the most expensive in terms of computation since it involves two stages of evaluation, it is still capable of deployment in near-real-time and takes much less time than recurrent models, including LSTM and AE-LSTM.

3.2 Ablation study of RNA encoding

An ablation experiment was performed to assess the direct contribution of the proposed RNA inspired encoding scheme, where the CNN is applied without the RNA encoding. In this baseline setting, all the categorical and numerical features were directly normalized and fed into the CNN model. The results of comparison are summarized in Table 9.

Table 9. Ablation study of RNA encoding.

Model configuration	Accuracy	Detection rate	Precision	F1 score	FPR
CNN without RNA Encoding	0.89	0.87	0.88	0.875	0.08
CNN with RNA Encoding (Proposed)	0.95	0.95	0.94	0.945	0.03

The results show that the CNN model with RNA encoding achieved significantly better performance compared to the baseline CNN model without RNA encoding. The representation with RNA enhanced the discriminative power of the network by maintaining the structural relationships between the traffic features and by creating richer patterns of features. The results show that the proposed RNA encoding helps boost the accuracy of malware detection and the generalization performance.

4. Conclusion

This work proposed an integrated malware detector model based on CNN, which was built on RNA encoding and implemented on Malicious Network Dataset. Restructuring signature, anomaly, and hybrid detection as CNN-based paradigms, the system achieves strong performance across all detection modes. The Hybrid-CNN achieved the best results, having 95% of detection, and the same time, minimized false-positive risks. Future directions will be to extrapolate the proposed technique to bigger and more heterogeneous datasets to further test the generalization capability of the technique. Moreover, hybrid deep learning models, including CNN architecture and the use of transformer-based methods, will be considered to improve feature learning. The other valuable direction is the optimization of the model to real-time applications and minimization of the complexity of the computation. Also, the exploration of other bio-inspired encoding methods can offer further enhancements in feature representation and efficiency of the model.

Data availability

Repository name: Malicious Network Dataset. Zenodo. https://doi.org/10.5281/zenodo.15453468¹⁵

This study uses a publicly available dataset that was originally published by Saadoon and Behadili (2024). The authors did not generate the dataset themselves. The repository contains all underlying data required to reproduce the results reported in this article, including raw network flow records labeled as benign or malicious and all variables used in the experiments (protocol type, port numbers, hash values, payload length, encoded payload data, and class labels). The dataset is openly accessible and released under an open license permitting reuse, with no embargo or access restrictions.

Data are available under the terms of the Creative Commons Attribution 4.0 International license (CC-BY 4.0).

References

1. Alrayes FS, Amin SU, Hakami NA, et al.: Intrusion Detection Model on Network Data with Deep Adaptive Multi-Layer Attention Network (DAMLAN). CMES - Computer Modeling in Engineering and Sciences. 2025; 144(1): 581–614. Publisher Full Text
2. Chen Z, Zou H, Hu T, et al.: A network intrusion detection system based on self-supervised learning of traffic differentiation in Internet of Things. Eng. Appl. Artif. Intell. 2025; 160: 111973. Publisher Full Text
3. Rashid OF, Othman ZA, Zainudin S: Matching algorithms for intrusion detection system based on DNA encoding. J. Theor. Appl. Inf. Technol. 2018; 96(24): 8410–8420.
4. Hossain MA: FED-GEM-CN: A federated dual-CNN architecture with contrastive cross-attention for maritime radar intrusion detection. Array. 2025; 27: 100456. Publisher Full Text
5. Yang K, Wang J, Zhao G, et al.: NIDS-CNNRF integrating CNN and random forest for efficient network intrusion detection model. Internet of Things. 2025; 32. Publisher Full Text
6. Xue Y, Kang C, Yu H: HAE-HRL: A network intrusion detection system utilizing a novel autoencoder and a hybrid enhanced LSTM-CNN-based residual network. Comput. Secur. 2025; 151: 104328. Publisher Full Text
7. Kaissar A, Bou Nassif A, Soudan B, et al.: Enhancing CNN-based network intrusion detection through hyperparameter optimization. Intelligent Systems with Applications. 2025; 26: 200528. Publisher Full Text
8. Alrayes FS, Zakariah M, Amin SU, et al.: CNN Channel Attention Intrusion Detection System Using NSL-KDD Dataset, Computers. Materials and Continua. 2024; 79(3): 4319–4347. Publisher Full Text
9. Wang L, Dai Q, Du T, et al.: Lightweight intrusion detection model based on CNN and knowledge distillation. Appl. Soft Comput. 2024; 165: 112118. Publisher Full Text
10. Ban Y, Zhang D, He Q, et al.: APSO-CNN-SE: An Adaptive Convolutional Neural Network Approach for IoT Intrusion Detection, Computers. Materials and Continua. 2024; 81(1): 567–601. Publisher Full Text
11. Wang J, Si C, Wang Z, et al.: A New Industrial Intrusion Detection Method Based on CNN-BiLSTM, Computers. Materials and Continua. 2024; 79(3): 4297–4318. Publisher Full Text
12. Altunay HC, Albayrak Z: A hybrid CNN+LSTM-based intrusion detection system for industrial IoT networks, Engineering Science and Technology. An International Journal. 2023; 38: 101322. Publisher Full Text
13. Hou T, Xing H, Liang X, et al.: Network intrusion detection based on DNA spatial information. Comput. Netw. 2022; 217: 109318. Publisher Full Text
14. Subhi MA, Rashid OF, Abdulsahib SA, et al.: Anomaly Intrusion Detection Method based on RNA Encoding and ResNet50 Model. Mesopotamian Journal of CyberSecurity. 2024; 4(2): 120–128. Publisher Full Text
15. Saadoon MS, Behadili SF: malicious network dataset. [Data set]. Zenodo. 2024. Publisher Full Text

Comments on this article Comments (0)

Version 3

VERSION 3 PUBLISHED 12 Feb 2026

Author details Author details

Omar Fitian Rashid
Roles: Methodology, Writing – Review & Editing

Senan Ali Abd
Roles: Writing – Original Draft Preparation

Humam Al-Shahwani
Roles: Writing – Review & Editing

Competing interests

No competing interests were disclosed.

Grant information

The author(s) declared that no grants were involved in supporting this work.

Article Versions (3)

version 3

Revised

Published: 03 Jun 2026, 15:241

https://doi.org/10.12688/f1000research.173837.3

version 2

Revised

Published: 05 May 2026, 15:241

https://doi.org/10.12688/f1000research.173837.2

version 1

Published: 12 Feb 2026, 15:241

https://doi.org/10.12688/f1000research.173837.1

© 2026 Fitian Rashid O et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Download

Export To

metrics

	Views	Downloads
F1000Research	-	-
PubMed Central Data from PMC are received and updated monthly.	-	-

Citations

SEE MORE DETAILS

CITE

how to cite this article

Fitian Rashid O, Ali Abd S and Al-Shahwani H. Malware Detection Using RNA Encoding and Convolutional Neural Networks on the Malicious Network Dataset [version 3; peer review: 2 approved with reservations]. F1000Research 2026, 15:241 (https://doi.org/10.12688/f1000research.173837.3)

NOTE: If applicable, it is important to ensure the information in square brackets after the title is included in all citations of this article.

track

receive updates on this article

Track an article to receive email alerts on any updates to this article.

Open Peer Review

Version 2

VERSION 2

PUBLISHED 05 May 2026

Revised

Views

Reviewer Report 26 May 2026

Atif Raza Zaidi, TIMES University, Multan, Pakistan

Approved with Reservations

https://doi.org/10.5256/f1000research.199234.r483152

The manuscript presents an interesting and relevant study on malware detection using RNA-inspired encoding with CNN-based models. The topic is relevant to network security and malware detection. The proposed approach is interesting, and the reported results are encouraging. However, the following suggestions are offered to further improve technical validation of the work.

1. The RNA-inspired encoding is a central contribution of the paper. Therefore, an ablation experiment comparing CNN with RNA encoding and CNN without RNA encoding would help show the direct impact of the proposed encoding scheme.
2. The architecture description mentions a single sigmoid output neuron, while the training description refers to categorical cross-entropy loss. The authors should clarify the exact loss function used and ensure that it is consistent with the output layer configuration.
3. The manuscript mentions that the dataset was sampled using a 50/50 malicious-benign ratio. However, the exact number of benign and malicious samples should be clearly reported.
4. The results would be more transparent if confusion matrices were added for Signature-CNN, Anomaly-CNN, and Hybrid-CNN. This would help readers directly observe TP, TN, FP, and FN values behind the reported metrics.
5. The authors mention that Python and deep learning libraries were used, but the specific tools and library versions are not clearly provided. It would be useful to mention details such as TensorFlow.
6. Although the manuscript has improved, a final proofreading pass is still recommended to address minor grammatical and stylistic issues. For example, some phrases such as “built by combining of,” and “Where the mapping rules as follow” may be revised for smoother academic readability.
7. The paper already mentions training settings such as epochs, batch size, optimizer, learning rate, dropout, and early stopping. As an optional improvement, the authors may also consider adding training and validation accuracy/loss curves to show model convergence and overfitting behavior.

Is the work clearly and accurately presented and does it cite the current literature?

Partly
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Partly
If applicable, is the statistical analysis and its interpretation appropriate?

Partly
Are all the source data underlying the results available to ensure full reproducibility?

Yes
Are the conclusions drawn adequately supported by the results?

Partly

Competing Interests: No competing interests were disclosed.

Reviewer Expertise: Cybersecurity, Android malware detection, machine learning, and deep learning

I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.

CITE

Report a concern

Author Response 03 Jun 2026

Omar Fitian Rashid, Department of Geology, University of Baghdad, Baghdad, Iraq

03 Jun 2026

Author Response

Reviewer Comments

Comment 1: The RNA-inspired encoding is a central contribution of the paper. Therefore, an ablation experiment comparing CNN with RNA encoding and CNN without RNA encoding would ... Continue reading Reviewer Comments

Comment 1: The RNA-inspired encoding is a central contribution of the paper. Therefore, an ablation experiment comparing CNN with RNA encoding and CNN without RNA encoding would help show the direct impact of the proposed encoding scheme.
Response: Thank you for this valuable suggestion. An ablation study comparing the CNN model with and without RNA encoding has now been added to better demonstrate the contribution of the proposed RNA-inspired encoding scheme. The additional experiment confirms that RNA encoding improves feature representation and enhances malware detection performance across all evaluation metrics.

Comment 2: The architecture description mentions a single sigmoid output neuron, while the training description refers to categorical cross-entropy loss. The authors should clarify the exact loss function used and ensure that it is consistent with the output layer configuration.
Response: Thank you for identifying this inconsistency. The manuscript has been revised to clarify that the models use a single sigmoid output neuron with binary cross-entropy loss because the task is binary malware classification.

Comment 3: The manuscript mentions that the dataset was sampled using a 50/50 malicious-benign ratio. However, the exact number of benign and malicious samples should be clearly reported.
Response: Thank you for this observation. The manuscript has been revised to explicitly report the number of benign and malicious samples used in the experiments.

Comment 4: The results would be more transparent if confusion matrices were added for Signature-CNN, Anomaly-CNN, and Hybrid-CNN. This would help readers directly observe TP, TN, FP, and FN values behind the reported metrics.
Response: Thank you for this constructive recommendation. Confusion matrices for Signature-CNN, Anomaly-CNN, and Hybrid-CNN have now been added to provide a clearer representation of TP, TN, FP, and FN values.

Comment 5: The authors mention that Python and deep learning libraries were used, but the specific tools and library versions are not clearly provided. It would be useful to mention details such as TensorFlow.
Response: Thank you for the helpful suggestion. The implementation details have now been expanded to include the software environment and deep learning libraries used in the experiments.

Comment 6: Although the manuscript has improved, a final proofreading pass is still recommended to address minor grammatical and stylistic issues. For example, some phrases such as “built by combining of,” and “Where the mapping rules as follow” may be revised for smoother academic readability.
Response: Thank you for the careful review. The manuscript has undergone an additional proofreading pass to improve grammatical accuracy, sentence clarity, and academic readability.

Comment 7: The paper already mentions training settings such as epochs, batch size, optimizer, learning rate, dropout, and early stopping. As an optional improvement, the authors may also consider adding training and validation accuracy/loss curves to show model convergence and overfitting behavior.
Response: Thank you for the careful review. The manuscript has undergone an additional proofreading pass to improve grammatical accuracy, sentence clarity, and academic readability.
Reviewer Comments

Comment 1: The RNA-inspired encoding is a central contribution of the paper. Therefore, an ablation experiment comparing CNN with RNA encoding and CNN without RNA encoding would help show the direct impact of the proposed encoding scheme.
Response: Thank you for this valuable suggestion. An ablation study comparing the CNN model with and without RNA encoding has now been added to better demonstrate the contribution of the proposed RNA-inspired encoding scheme. The additional experiment confirms that RNA encoding improves feature representation and enhances malware detection performance across all evaluation metrics.

Comment 2: The architecture description mentions a single sigmoid output neuron, while the training description refers to categorical cross-entropy loss. The authors should clarify the exact loss function used and ensure that it is consistent with the output layer configuration.
Response: Thank you for identifying this inconsistency. The manuscript has been revised to clarify that the models use a single sigmoid output neuron with binary cross-entropy loss because the task is binary malware classification.

Comment 3: The manuscript mentions that the dataset was sampled using a 50/50 malicious-benign ratio. However, the exact number of benign and malicious samples should be clearly reported.
Response: Thank you for this observation. The manuscript has been revised to explicitly report the number of benign and malicious samples used in the experiments.

Comment 4: The results would be more transparent if confusion matrices were added for Signature-CNN, Anomaly-CNN, and Hybrid-CNN. This would help readers directly observe TP, TN, FP, and FN values behind the reported metrics.
Response: Thank you for this constructive recommendation. Confusion matrices for Signature-CNN, Anomaly-CNN, and Hybrid-CNN have now been added to provide a clearer representation of TP, TN, FP, and FN values.

Comment 5: The authors mention that Python and deep learning libraries were used, but the specific tools and library versions are not clearly provided. It would be useful to mention details such as TensorFlow.
Response: Thank you for the helpful suggestion. The implementation details have now been expanded to include the software environment and deep learning libraries used in the experiments.

Comment 6: Although the manuscript has improved, a final proofreading pass is still recommended to address minor grammatical and stylistic issues. For example, some phrases such as “built by combining of,” and “Where the mapping rules as follow” may be revised for smoother academic readability.
Response: Thank you for the careful review. The manuscript has undergone an additional proofreading pass to improve grammatical accuracy, sentence clarity, and academic readability.

Comment 7: The paper already mentions training settings such as epochs, batch size, optimizer, learning rate, dropout, and early stopping. As an optional improvement, the authors may also consider adding training and validation accuracy/loss curves to show model convergence and overfitting behavior.
Response: Thank you for the careful review. The manuscript has undergone an additional proofreading pass to improve grammatical accuracy, sentence clarity, and academic readability.
Competing Interests: No competing interests were disclosed. Close
Report a concern
Respond or Comment

COMMENTS ON THIS REPORT

Author Response 03 Jun 2026

Omar Fitian Rashid, Department of Geology, University of Baghdad, Baghdad, Iraq

03 Jun 2026

Author Response

Reviewer Comments

Comment 1: The RNA-inspired encoding is a central contribution of the paper. Therefore, an ablation experiment comparing CNN with RNA encoding and CNN without RNA encoding would ... Continue reading Reviewer Comments

Comment 1: The RNA-inspired encoding is a central contribution of the paper. Therefore, an ablation experiment comparing CNN with RNA encoding and CNN without RNA encoding would help show the direct impact of the proposed encoding scheme.
Response: Thank you for this valuable suggestion. An ablation study comparing the CNN model with and without RNA encoding has now been added to better demonstrate the contribution of the proposed RNA-inspired encoding scheme. The additional experiment confirms that RNA encoding improves feature representation and enhances malware detection performance across all evaluation metrics.

Comment 2: The architecture description mentions a single sigmoid output neuron, while the training description refers to categorical cross-entropy loss. The authors should clarify the exact loss function used and ensure that it is consistent with the output layer configuration.
Response: Thank you for identifying this inconsistency. The manuscript has been revised to clarify that the models use a single sigmoid output neuron with binary cross-entropy loss because the task is binary malware classification.

Comment 3: The manuscript mentions that the dataset was sampled using a 50/50 malicious-benign ratio. However, the exact number of benign and malicious samples should be clearly reported.
Response: Thank you for this observation. The manuscript has been revised to explicitly report the number of benign and malicious samples used in the experiments.

Comment 4: The results would be more transparent if confusion matrices were added for Signature-CNN, Anomaly-CNN, and Hybrid-CNN. This would help readers directly observe TP, TN, FP, and FN values behind the reported metrics.
Response: Thank you for this constructive recommendation. Confusion matrices for Signature-CNN, Anomaly-CNN, and Hybrid-CNN have now been added to provide a clearer representation of TP, TN, FP, and FN values.

Comment 5: The authors mention that Python and deep learning libraries were used, but the specific tools and library versions are not clearly provided. It would be useful to mention details such as TensorFlow.
Response: Thank you for the helpful suggestion. The implementation details have now been expanded to include the software environment and deep learning libraries used in the experiments.

Comment 6: Although the manuscript has improved, a final proofreading pass is still recommended to address minor grammatical and stylistic issues. For example, some phrases such as “built by combining of,” and “Where the mapping rules as follow” may be revised for smoother academic readability.
Response: Thank you for the careful review. The manuscript has undergone an additional proofreading pass to improve grammatical accuracy, sentence clarity, and academic readability.

Comment 7: The paper already mentions training settings such as epochs, batch size, optimizer, learning rate, dropout, and early stopping. As an optional improvement, the authors may also consider adding training and validation accuracy/loss curves to show model convergence and overfitting behavior.
Response: Thank you for the careful review. The manuscript has undergone an additional proofreading pass to improve grammatical accuracy, sentence clarity, and academic readability.
Reviewer Comments

Comment 1: The RNA-inspired encoding is a central contribution of the paper. Therefore, an ablation experiment comparing CNN with RNA encoding and CNN without RNA encoding would help show the direct impact of the proposed encoding scheme.
Response: Thank you for this valuable suggestion. An ablation study comparing the CNN model with and without RNA encoding has now been added to better demonstrate the contribution of the proposed RNA-inspired encoding scheme. The additional experiment confirms that RNA encoding improves feature representation and enhances malware detection performance across all evaluation metrics.

Comment 2: The architecture description mentions a single sigmoid output neuron, while the training description refers to categorical cross-entropy loss. The authors should clarify the exact loss function used and ensure that it is consistent with the output layer configuration.
Response: Thank you for identifying this inconsistency. The manuscript has been revised to clarify that the models use a single sigmoid output neuron with binary cross-entropy loss because the task is binary malware classification.

Comment 3: The manuscript mentions that the dataset was sampled using a 50/50 malicious-benign ratio. However, the exact number of benign and malicious samples should be clearly reported.
Response: Thank you for this observation. The manuscript has been revised to explicitly report the number of benign and malicious samples used in the experiments.

Comment 4: The results would be more transparent if confusion matrices were added for Signature-CNN, Anomaly-CNN, and Hybrid-CNN. This would help readers directly observe TP, TN, FP, and FN values behind the reported metrics.
Response: Thank you for this constructive recommendation. Confusion matrices for Signature-CNN, Anomaly-CNN, and Hybrid-CNN have now been added to provide a clearer representation of TP, TN, FP, and FN values.

Comment 5: The authors mention that Python and deep learning libraries were used, but the specific tools and library versions are not clearly provided. It would be useful to mention details such as TensorFlow.
Response: Thank you for the helpful suggestion. The implementation details have now been expanded to include the software environment and deep learning libraries used in the experiments.

Comment 6: Although the manuscript has improved, a final proofreading pass is still recommended to address minor grammatical and stylistic issues. For example, some phrases such as “built by combining of,” and “Where the mapping rules as follow” may be revised for smoother academic readability.
Response: Thank you for the careful review. The manuscript has undergone an additional proofreading pass to improve grammatical accuracy, sentence clarity, and academic readability.

Comment 7: The paper already mentions training settings such as epochs, batch size, optimizer, learning rate, dropout, and early stopping. As an optional improvement, the authors may also consider adding training and validation accuracy/loss curves to show model convergence and overfitting behavior.
Response: Thank you for the careful review. The manuscript has undergone an additional proofreading pass to improve grammatical accuracy, sentence clarity, and academic readability.
Competing Interests: No competing interests were disclosed. Close
Report a concern

Version 1

VERSION 1

PUBLISHED 12 Feb 2026

Views

Reviewer Report 21 Apr 2026

Mohammed Subhi, Directorate of Private University Education,, Baghdad, 10011,, Iraq; Department of Cybersecurity/ Directorate of Information Technology, Iraqi Ministry of Higher Education and Scientific Research, Baghdad, Baghdad, Iraq

Approved with Reservations

https://doi.org/10.5256/f1000research.191689.r474768

The manuscript presents an interesting and timely study on malware detection using RNA encoding combined with CNN architectures. The idea of integrating biologically inspired encoding with deep learning models is promising and shows potential for improving detection performance. However, several issues should be addressed to enhance the clarity, rigor, and overall quality of the manuscript.
1.   The abstract is generally well-structured; however, it would benefit from including additional details such as the dataset size and key aspects of the experimental setup to improve completeness.
2.   The introduction provides a relevant background, but the manuscript requires careful language editing to correct grammatical issues and improve readability.
3.   The related work section is comprehensive; however, it would be strengthened by adding a more critical analysis that clearly identifies the limitations of existing approaches and positions the proposed method accordingly.
4.   The description of the CNN architecture is clear, but important training details such as optimizer type, learning rate, batch size, and number of epochs are missing and should be provided.
5.   The discussion section would benefit from deeper insights into why RNA encoding enhances CNN performance, particularly from a feature representation perspective.
6.   The conclusion is appropriate, but the future work section could be made more specific by outlining concrete and actionable research directions.

Is the work clearly and accurately presented and does it cite the current literature?

Partly
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Partly
If applicable, is the statistical analysis and its interpretation appropriate?

Partly
Are all the source data underlying the results available to ensure full reproducibility?

No source data required
Are the conclusions drawn adequately supported by the results?

Partly

Competing Interests: No competing interests were disclosed.

Reviewer Expertise: Machine leaarning, artificial intelligience, Iot applications, and AI in security applications

CITE

Report a concern

Author Response 05 May 2026

Omar Fitian Rashid, Department of Geology, University of Baghdad, Baghdad, Iraq

05 May 2026

Author Response

Reviewer Comments
Comment 1:
The abstract is generally well-structured; however, it would benefit from including additional details such as the dataset size and key aspects of the experimental setup to ... Continue reading Reviewer Comments
Comment 1:
The abstract is generally well-structured; however, it would benefit from including additional details such as the dataset size and key aspects of the experimental setup to improve completeness.
Response:
Thank you for this valuable suggestion. The abstract has been revised to include the dataset size and key elements of the experimental setup, including the type of data used and evaluation protocol.

Comment 2:
The introduction provides a relevant background, but the manuscript requires careful language editing to correct grammatical issues and improve readability.
Response:
We appreciate this observation. The manuscript has undergone thorough language editing to improve grammar, sentence structure, and overall readability.

Comment 3:
The related work section is comprehensive; however, it would be strengthened by adding a more critical analysis that clearly identifies the limitations of existing approaches and positions the proposed method accordingly.
Response:
Thank you for this insightful comment. A critical analysis has been incorporated to highlight the limitations of existing methods and to clearly position the novelty and advantages of the proposed approach.

Comment 4:
The description of the CNN architecture is clear, but important training details such as optimizer type, learning rate, batch size, and number of epochs are missing and should be provided.
Response:
We appreciate this important suggestion. The training configuration details have been added to ensure reproducibility of the proposed method.
Comment 5:
The discussion section would benefit from deeper insights into why RNA encoding enhances CNN performance, particularly from a feature representation perspective.
Response:
Thank you for this constructive feedback. The discussion has been expanded to provide deeper insights into how RNA encoding improves feature representation and contributes to enhanced CNN performance.

Comment 6:
The conclusion is appropriate, but the future work section could be made more specific by outlining concrete and actionable research directions.
Response:
We appreciate this suggestion. The future work section has been revised to include specific and actionable research directions.
Reviewer Comments
Comment 1:
The abstract is generally well-structured; however, it would benefit from including additional details such as the dataset size and key aspects of the experimental setup to improve completeness.
Response:
Thank you for this valuable suggestion. The abstract has been revised to include the dataset size and key elements of the experimental setup, including the type of data used and evaluation protocol.

Comment 2:
The introduction provides a relevant background, but the manuscript requires careful language editing to correct grammatical issues and improve readability.
Response:
We appreciate this observation. The manuscript has undergone thorough language editing to improve grammar, sentence structure, and overall readability.

Comment 3:
The related work section is comprehensive; however, it would be strengthened by adding a more critical analysis that clearly identifies the limitations of existing approaches and positions the proposed method accordingly.
Response:
Thank you for this insightful comment. A critical analysis has been incorporated to highlight the limitations of existing methods and to clearly position the novelty and advantages of the proposed approach.

Comment 4:
The description of the CNN architecture is clear, but important training details such as optimizer type, learning rate, batch size, and number of epochs are missing and should be provided.
Response:
We appreciate this important suggestion. The training configuration details have been added to ensure reproducibility of the proposed method.
Comment 5:
The discussion section would benefit from deeper insights into why RNA encoding enhances CNN performance, particularly from a feature representation perspective.
Response:
Thank you for this constructive feedback. The discussion has been expanded to provide deeper insights into how RNA encoding improves feature representation and contributes to enhanced CNN performance.

Comment 6:
The conclusion is appropriate, but the future work section could be made more specific by outlining concrete and actionable research directions.
Response:
We appreciate this suggestion. The future work section has been revised to include specific and actionable research directions.
Competing Interests: No competing interests were disclosed. Close
Report a concern
Respond or Comment

COMMENTS ON THIS REPORT

Author Response 05 May 2026

Omar Fitian Rashid, Department of Geology, University of Baghdad, Baghdad, Iraq

05 May 2026

Author Response

Reviewer Comments
Comment 1:
The abstract is generally well-structured; however, it would benefit from including additional details such as the dataset size and key aspects of the experimental setup to ... Continue reading Reviewer Comments
Comment 1:
The abstract is generally well-structured; however, it would benefit from including additional details such as the dataset size and key aspects of the experimental setup to improve completeness.
Response:
Thank you for this valuable suggestion. The abstract has been revised to include the dataset size and key elements of the experimental setup, including the type of data used and evaluation protocol.

Comment 2:
The introduction provides a relevant background, but the manuscript requires careful language editing to correct grammatical issues and improve readability.
Response:
We appreciate this observation. The manuscript has undergone thorough language editing to improve grammar, sentence structure, and overall readability.

Comment 3:
The related work section is comprehensive; however, it would be strengthened by adding a more critical analysis that clearly identifies the limitations of existing approaches and positions the proposed method accordingly.
Response:
Thank you for this insightful comment. A critical analysis has been incorporated to highlight the limitations of existing methods and to clearly position the novelty and advantages of the proposed approach.

Comment 4:
The description of the CNN architecture is clear, but important training details such as optimizer type, learning rate, batch size, and number of epochs are missing and should be provided.
Response:
We appreciate this important suggestion. The training configuration details have been added to ensure reproducibility of the proposed method.
Comment 5:
The discussion section would benefit from deeper insights into why RNA encoding enhances CNN performance, particularly from a feature representation perspective.
Response:
Thank you for this constructive feedback. The discussion has been expanded to provide deeper insights into how RNA encoding improves feature representation and contributes to enhanced CNN performance.

Comment 6:
The conclusion is appropriate, but the future work section could be made more specific by outlining concrete and actionable research directions.
Response:
We appreciate this suggestion. The future work section has been revised to include specific and actionable research directions.
Reviewer Comments
Comment 1:
The abstract is generally well-structured; however, it would benefit from including additional details such as the dataset size and key aspects of the experimental setup to improve completeness.
Response:
Thank you for this valuable suggestion. The abstract has been revised to include the dataset size and key elements of the experimental setup, including the type of data used and evaluation protocol.

Comment 2:
The introduction provides a relevant background, but the manuscript requires careful language editing to correct grammatical issues and improve readability.
Response:
We appreciate this observation. The manuscript has undergone thorough language editing to improve grammar, sentence structure, and overall readability.

Comment 3:
The related work section is comprehensive; however, it would be strengthened by adding a more critical analysis that clearly identifies the limitations of existing approaches and positions the proposed method accordingly.
Response:
Thank you for this insightful comment. A critical analysis has been incorporated to highlight the limitations of existing methods and to clearly position the novelty and advantages of the proposed approach.

Comment 4:
The description of the CNN architecture is clear, but important training details such as optimizer type, learning rate, batch size, and number of epochs are missing and should be provided.
Response:
We appreciate this important suggestion. The training configuration details have been added to ensure reproducibility of the proposed method.
Comment 5:
The discussion section would benefit from deeper insights into why RNA encoding enhances CNN performance, particularly from a feature representation perspective.
Response:
Thank you for this constructive feedback. The discussion has been expanded to provide deeper insights into how RNA encoding improves feature representation and contributes to enhanced CNN performance.

Comment 6:
The conclusion is appropriate, but the future work section could be made more specific by outlining concrete and actionable research directions.
Response:
We appreciate this suggestion. The future work section has been revised to include specific and actionable research directions.
Competing Interests: No competing interests were disclosed. Close
Report a concern

Comments on this article Comments (0)

Version 3

VERSION 3 PUBLISHED 12 Feb 2026

Open Peer Review

Reviewer Status

Reviewer Reports

	Invited Reviewers
	1	2
Version 3 (revision) 03 Jun 26
Version 2 (revision) 05 May 26		read
Version 1 12 Feb 26	read

Mohammed Subhi, Directorate of Private University Education,, Baghdad, 10011,, Iraq; Iraqi Ministry of Higher Education and Scientific Research, Baghdad, Iraq
Atif Raza Zaidi, TIMES University, Multan, Pakistan

Comments on this article

All Comments(0)

Add a comment

Browse by related subjects

Back to all reports

Reviewer Report

23 Views

26 May 2026 | for Version 2

Atif Raza Zaidi, TIMES University, Multan, Pakistan

23 Views Cite this report Responses(1)

Approved With Reservations

Is the work clearly and accurately presented and does it cite the current literature?

Partly
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Partly
If applicable, is the statistical analysis and its interpretation appropriate?

Partly
Are all the source data underlying the results available to ensure full reproducibility?

Yes
Are the conclusions drawn adequately supported by the results?

Partly

Competing Interests

No competing interests were disclosed.

Reviewer Expertise

Cybersecurity, Android malware detection, machine learning, and deep learning

Respond to this report

Responses (1)

Author Response

03 Jun 2026

Omar Fitian Rashid, Department of Geology, University of Baghdad, Baghdad, Iraq

Reviewer Comments

Comment 1: The RNA-inspired encoding is a central contribution of the paper. Therefore, an ablation experiment comparing CNN with RNA encoding and CNN without RNA encoding would help show the direct impact of the proposed encoding scheme.
Response: Thank you for this valuable suggestion. An ablation study comparing the CNN model with and without RNA encoding has now been added to better demonstrate the contribution of the proposed RNA-inspired encoding scheme. The additional experiment confirms that RNA encoding improves feature representation and enhances malware detection performance across all evaluation metrics.

Comment 2: The architecture description mentions a single sigmoid output neuron, while the training description refers to categorical cross-entropy loss. The authors should clarify the exact loss function used and ensure that it is consistent with the output layer configuration.
Response: Thank you for identifying this inconsistency. The manuscript has been revised to clarify that the models use a single sigmoid output neuron with binary cross-entropy loss because the task is binary malware classification.

Comment 3: The manuscript mentions that the dataset was sampled using a 50/50 malicious-benign ratio. However, the exact number of benign and malicious samples should be clearly reported.
Response: Thank you for this observation. The manuscript has been revised to explicitly report the number of benign and malicious samples used in the experiments.

Comment 4: The results would be more transparent if confusion matrices were added for Signature-CNN, Anomaly-CNN, and Hybrid-CNN. This would help readers directly observe TP, TN, FP, and FN values behind the reported metrics.
Response: Thank you for this constructive recommendation. Confusion matrices for Signature-CNN, Anomaly-CNN, and Hybrid-CNN have now been added to provide a clearer representation of TP, TN, FP, and FN values.

Comment 5: The authors mention that Python and deep learning libraries were used, but the specific tools and library versions are not clearly provided. It would be useful to mention details such as TensorFlow.
Response: Thank you for the helpful suggestion. The implementation details have now been expanded to include the software environment and deep learning libraries used in the experiments.

Comment 6: Although the manuscript has improved, a final proofreading pass is still recommended to address minor grammatical and stylistic issues. For example, some phrases such as “built by combining of,” and “Where the mapping rules as follow” may be revised for smoother academic readability.
Response: Thank you for the careful review. The manuscript has undergone an additional proofreading pass to improve grammatical accuracy, sentence clarity, and academic readability.

Comment 7: The paper already mentions training settings such as epochs, batch size, optimizer, learning rate, dropout, and early stopping. As an optional improvement, the authors may also consider adding training and validation accuracy/loss curves to show model convergence and overfitting behavior.
Response: Thank you for the careful review. The manuscript has undergone an additional proofreading pass to improve grammatical accuracy, sentence clarity, and academic readability.

View more View less

Competing Interests

No competing interests were disclosed.

Back to all reports

Reviewer Report

18 Views

21 Apr 2026 | for Version 1

18 Views Cite this report Responses(1)

Approved With Reservations

Is the work clearly and accurately presented and does it cite the current literature?

Partly
Is the study design appropriate and is the work technically sound?

Yes
Are sufficient details of methods and analysis provided to allow replication by others?

Partly
If applicable, is the statistical analysis and its interpretation appropriate?

Partly
Are all the source data underlying the results available to ensure full reproducibility?

No source data required
Are the conclusions drawn adequately supported by the results?

Partly

Competing Interests

No competing interests were disclosed.

Reviewer Expertise

Machine leaarning, artificial intelligience, Iot applications, and AI in security applications

Respond to this report

Responses (1)

Author Response

05 May 2026

Omar Fitian Rashid, Department of Geology, University of Baghdad, Baghdad, Iraq

Reviewer Comments
Comment 1:
The abstract is generally well-structured; however, it would benefit from including additional details such as the dataset size and key aspects of the experimental setup to improve completeness.
Response:
Thank you for this valuable suggestion. The abstract has been revised to include the dataset size and key elements of the experimental setup, including the type of data used and evaluation protocol.

Comment 2:
The introduction provides a relevant background, but the manuscript requires careful language editing to correct grammatical issues and improve readability.
Response:
We appreciate this observation. The manuscript has undergone thorough language editing to improve grammar, sentence structure, and overall readability.

Comment 3:
The related work section is comprehensive; however, it would be strengthened by adding a more critical analysis that clearly identifies the limitations of existing approaches and positions the proposed method accordingly.
Response:
Thank you for this insightful comment. A critical analysis has been incorporated to highlight the limitations of existing methods and to clearly position the novelty and advantages of the proposed approach.

Comment 4:
The description of the CNN architecture is clear, but important training details such as optimizer type, learning rate, batch size, and number of epochs are missing and should be provided.
Response:
We appreciate this important suggestion. The training configuration details have been added to ensure reproducibility of the proposed method.
Comment 5:
The discussion section would benefit from deeper insights into why RNA encoding enhances CNN performance, particularly from a feature representation perspective.
Response:
Thank you for this constructive feedback. The discussion has been expanded to provide deeper insights into how RNA encoding improves feature representation and contributes to enhanced CNN performance.

Comment 6:
The conclusion is appropriate, but the future work section could be made more specific by outlining concrete and actionable research directions.
Response:
We appreciate this suggestion. The future work section has been revised to include specific and actionable research directions.

View more View less

Competing Interests

No competing interests were disclosed.

Alongside their report, reviewers assign a status to the article:

Approved - the paper is scientifically sound in its current form and only minor, if any, improvements are suggested

Approved with reservations - A number of small changes, sometimes more significant revisions are required to address specific details and improve the papers academic merit.

Not approved - fundamental flaws in the paper seriously undermine the findings and conclusions

[1] 1. Alrayes FS, Amin SU, Hakami NA, et al.: Intrusion Detection Model on Network Data with Deep Adaptive Multi-Layer Attention Network (DAMLAN). CMES - Computer Modeling in Engineering and Sciences. 2025; 144(1): 581–614. Publisher Full Text

[2] 2. Chen Z, Zou H, Hu T, et al.: A network intrusion detection system based on self-supervised learning of traffic differentiation in Internet of Things. Eng. Appl. Artif. Intell. 2025; 160: 111973. Publisher Full Text

[3] 3. Rashid OF, Othman ZA, Zainudin S: Matching algorithms for intrusion detection system based on DNA encoding. J. Theor. Appl. Inf. Technol. 2018; 96(24): 8410–8420.

[4] 4. Hossain MA: FED-GEM-CN: A federated dual-CNN architecture with contrastive cross-attention for maritime radar intrusion detection. Array. 2025; 27: 100456. Publisher Full Text

[5] 5. Yang K, Wang J, Zhao G, et al.: NIDS-CNNRF integrating CNN and random forest for efficient network intrusion detection model. Internet of Things. 2025; 32. Publisher Full Text

[6] 6. Xue Y, Kang C, Yu H: HAE-HRL: A network intrusion detection system utilizing a novel autoencoder and a hybrid enhanced LSTM-CNN-based residual network. Comput. Secur. 2025; 151: 104328. Publisher Full Text

[7] 7. Kaissar A, Bou Nassif A, Soudan B, et al.: Enhancing CNN-based network intrusion detection through hyperparameter optimization. Intelligent Systems with Applications. 2025; 26: 200528. Publisher Full Text

[8] 8. Alrayes FS, Zakariah M, Amin SU, et al.: CNN Channel Attention Intrusion Detection System Using NSL-KDD Dataset, Computers. Materials and Continua. 2024; 79(3): 4319–4347. Publisher Full Text

[9] 9. Wang L, Dai Q, Du T, et al.: Lightweight intrusion detection model based on CNN and knowledge distillation. Appl. Soft Comput. 2024; 165: 112118. Publisher Full Text

[10] 10. Ban Y, Zhang D, He Q, et al.: APSO-CNN-SE: An Adaptive Convolutional Neural Network Approach for IoT Intrusion Detection, Computers. Materials and Continua. 2024; 81(1): 567–601. Publisher Full Text

[11] 11. Wang J, Si C, Wang Z, et al.: A New Industrial Intrusion Detection Method Based on CNN-BiLSTM, Computers. Materials and Continua. 2024; 79(3): 4297–4318. Publisher Full Text

[12] 12. Altunay HC, Albayrak Z: A hybrid CNN+LSTM-based intrusion detection system for industrial IoT networks, Engineering Science and Technology. An International Journal. 2023; 38: 101322. Publisher Full Text

[13] 13. Hou T, Xing H, Liang X, et al.: Network intrusion detection based on DNA spatial information. Comput. Netw. 2022; 217: 109318. Publisher Full Text

[14] 14. Subhi MA, Rashid OF, Abdulsahib SA, et al.: Anomaly Intrusion Detection Method based on RNA Encoding and ResNet50 Model. Mesopotamian Journal of CyberSecurity. 2024; 4(2): 120–128. Publisher Full Text

[15] 15. Saadoon MS, Behadili SF: malicious network dataset. [Data set]. Zenodo. 2024. Publisher Full Text

Malware Detection Using RNA Encoding and Convolutional Neural Networks on the Malicious Network Dataset

Abstract

Background

Methods

Results

Conclusions

Keywords

Revised Amendments from Version 2

1. Introduction

2. Methodology

Figure 1. Flow chart of the suggested malware detection system with RNA encoding and CNN classification pipeline.

2.1 Dataset description

Table 1. The malicious network dataset values and its descriptions.15

2.2 RNA encoding of network features

Table 2. RNA encoding for malicious network dataset records values.

2.3 CNN architecture

Figure 2. The three CNN models (Signature, Anomaly, and Hybrid).

Table 3. Comparison between different CNN models.

3. Results and discussion

Table 4. The performance of the Signature-CNN model.

Table 5. The performance of the Anomaly-CNN model.

Table 6. The performance of the Hybrid-CNN model.

Table 7. Performance of CNN models.

Figure 3. Comparison of Signature-CNN, Anomaly-CNN and Hybrid-CNN on the malicious network dataset.

Figure 4. Confusion matrices of the proposed Signature-CNN, Anomaly-CNN, and Hybrid-CNN models on the Malicious Network Dataset.

Figure 5. The training and validation accuracy and loss curves of the proposed Hybrid-CNN model. Curves show stable convergence during training, and that dropout regularization and early stopping proved to be effective in decreasing overfitting while keeping good generalization performance.

Table 8. Comparison of proposed models with existing baselines.

3.1 Computational efficiency

3.2 Ablation study of RNA encoding

Table 9. Ablation study of RNA encoding.

4. Conclusion

Data availability

References

Comments on this article Comments (0)

Open Peer Review

Comments on this article Comments (0)

Open Peer Review

Reviewer Status

Reviewer Reports

Comments on this article

Browse by related subjects

Competing Interests Policy

Stay Updated

Table 1. The malicious network dataset values and its descriptions.¹⁵