Random Forest over Semantic PDF Object Graphs for MalwareDetection

Authors

  • Mahesh Kumar Bagwani Sanjeev Agrawal Global Educational University Bhopal

Keywords:

PDF malware detection, Random Forest, PDFObj2Vec, object reference graph, semantic embedding, BERT, graph representation, cybersecurity, adversarial robustness, static analysis

Abstract

Portable Document Format (PDF) malware remains a practical attack vector because document objects, embedded actions,
streams, and parser-dependent structures can conceal malicious behaviour. This paper presents an IJAICET-formatted empirical
study of Random Forest classification over semantic PDF object-graph embeddings. Each PDF is represented as an Object Reference
Graph and its BERT-65k PDFObj2Vec node embeddings are transformed into a fixed-length feature vector using mean, maximum,
minimum, and standard-deviation pooling together with graph-level structural statistics. A 200-tree Random Forest classifier is
trained on the public PDFObj2Vec evaluation dataset. The proposed baseline achieves 99.97% accuracy on the baseline test split and
96.10% accuracy on the extended split, close to the reported BERT-65k+GIN extended accuracy of 96.62%. The results show that
semantic object embeddings retain strong discriminative evidence even when graph message passing is replaced by an interpretable
classical ensemble model.

References

[1] CISA, "Phishing guidance and cyber hygiene resources," Cybersecurity and Infrastructure Security Agency, 2022.

[2] P. Laskov and N. Srndic, "Static detection of malicious JavaScript-bearing PDF documents," ACSAC, 2011.

[3] C. Smutz and A. Stavrou, "Malicious PDF detection using metadata and structural features," ACSAC, 2012.

[4] N. Srndic and P. Laskov, "Hidost: a static machine-learning-based detector of malicious files," EURASIP Journal on Information Security, 2016.

[5] D. Maiorca, G. Giacinto, and I. Corona, "A pattern recognition system for malicious PDF files detection," MLDM, 2012.

[6] D. Maiorca et al., "Looking at the bag is not enough to find the bomb: an evasion of structural methods for malicious PDF files detection," ASIACCS, 2013.

[7] W. Xu, Y. Qi, and D. Evans, "Automatically evading classifiers: A case study on PDF malware classifiers," NDSS, 2016.

[8] N. Srndic and P. Laskov, "Practical evasion of a learning-based classifier: A case study," IEEE Symposium on Security and Privacy, 2014.

[9] L. Tong et al., "Improving robustness of ML classifiers against realizable evasion attacks using conserved features," USENIX Security, 2019.

[10] Y. Chen et al., "Robust PDF malware detection with adversarial training and static features," security literature, 2020.

[11] A. Jordaney et al., "Transcend: Detecting concept drift in malware classification models," USENIX Security, 2017.

[12] F. Barbero et al., "Transcending Transcend: Revisiting malware concept drift detection," security literature, 2022.

[13] S. Chua et al., "Neural nets can learn function type signatures from binaries," USENIX Security, 2017.

[14] S. Ding et al., "Asm2Vec: Boosting static representation robustness for binary clone search," IEEE S&P, 2019.

[15] X. Li et al., "PalmTree: Learning an assembly language model for instruction embedding," CCS, 2021.

[16] J. Devlin et al., "BERT: Pre-training of deep bidirectional transformers for language understanding," NAACL, 2019.

[17] K. Xu et al., "How powerful are graph neural networks?" ICLR, 2019.

[18] L. Breiman, "Random forests," Machine Learning, vol. 45, no. 1, pp. 5-32, 2001.

[19] Adobe Systems, "PDF Reference and ISO 32000-1 portable document format specification," 2008.

[20] PDF Association, "Stressful PDF corpus and PDF parser robustness resources," 2020.

[21] A. Kantchelian et al., "Evasion and hardening of tree ensemble classifiers," ICML, 2016.

[22] A. Biggio and F. Roli, "Wild patterns: Ten years after the rise of adversarial machine learning," Pattern Recognition, 2018.

[23] T. Chen and C. Guestrin, "XGBoost: A scalable tree boosting system," KDD, 2016.

[24] L. Akoglu, H. Tong, and D. Koutra, "Graph based anomaly detection and description," Data Mining and Knowledge Discovery, 2015.

[25] M. Newman, Networks, Oxford University Press, 2018.

[26] DGL Team, "Deep Graph Library," software documentation, 2024.

[27] A. Anantharaman et al., "PolyDoc: A corpus for PDF parser differential analysis," 2023.

[28] QPDF Project, "QPDF manual and PDF transformation tools," 2024.

[29] M. K. Bagwani, V. K. Tiwari, A. Gangwar, and K. Vishwakarma, "Real-time signature-based detection and prevention of DDOS attacks in cloud environments," International Journal of Science and Research Archive, vol. 12, no. 2, pp. 2929-2935, 2024.

[30] M. Bagwani, "Deploying a web application on AWS Amplify: A comprehensive guide," International Journal of Progressive Research in Engineering Management and Science, 2024.

[31] A. M. K. Bagwani and V. K. Tiwari, "Implementing GrapesJS in educational platforms for web development training on AWS," International Journal of Scientific Research in Multidisciplinary Studies, vol. 10, 2024.

[32] A. M. K. Bagwani and V. K. Tiwari, "Optimizing face detection performance with cloud machine learning services," Journal of Engineering and Technology Management, vol. 73, pp. 1167-1180, 2024.

[33] P. G. K. S. Mahesh Kumar Bagwani, "Performance comparison of REST API and GraphQL in a micro services architecture," International Conference on Data Science, Artificial Intelligence and Advanced Computing, 2024.

[34] M. K. Bagwani and G. K. Shrivastava, "Comparative analysis of microservices architectures: Evaluating performance, scalability, and maintenance," International Journal on Advances in Engineering Technology and Science, vol. 5, 2023.

[35] M. K. Bagwani, S. Dwivedi, V. Kumar, and P. Koshti, "Transmitting malware through QR codes: Risk analysis and a hybrid detection method," International Journal for Multidisciplinary Research, vol. 8, no. 3, pp. 1-25, 2026.

[36] A. M. K. Bagwani and V. K. Tiwari, "Preventing malware spread through QR codes: A detection and analysis approach," Journal of Engineering and Technology Management, vol. 73, pp. 1260-1268, 2024.

[37] A. M. K. Bagwani, V. K. Tiwari, and N. Singh, "Integrating GrapesJS with AWS: Building an educational platform for web development training," An Overview of Literature, Language and Education Research, vol. 10, pp. 106-124, 2025.

[38] M. Bagwani, "Building a cloud-native microservices based web application with GraphQL and Docker," School of Advanced Computing, Sanjeev Agrawal Global Educational University, 2024.

Downloads

Published

2026-07-10

Issue

Section

Original Research Articles

How to Cite

Random Forest over Semantic PDF Object Graphs for MalwareDetection. (2026). IJAICET - International Journal of Artificial Intelligence, Cybersecurity and Emerging Technologies, 1(1), 1-5. https://ijaicet.com/index.php/ijaicet/article/view/9