Random Forest over Semantic PDF Object Graphs for MalwareDetection
Keywords:
PDF malware detection, Random Forest, PDFObj2Vec, object reference graph, semantic embedding, BERT, graph representation, cybersecurity, adversarial robustness, static analysisAbstract
Portable Document Format (PDF) malware remains a practical attack vector because document objects, embedded actions,
streams, and parser-dependent structures can conceal malicious behaviour. This paper presents an IJAICET-formatted empirical
study of Random Forest classification over semantic PDF object-graph embeddings. Each PDF is represented as an Object Reference
Graph and its BERT-65k PDFObj2Vec node embeddings are transformed into a fixed-length feature vector using mean, maximum,
minimum, and standard-deviation pooling together with graph-level structural statistics. A 200-tree Random Forest classifier is
trained on the public PDFObj2Vec evaluation dataset. The proposed baseline achieves 99.97% accuracy on the baseline test split and
96.10% accuracy on the extended split, close to the reported BERT-65k+GIN extended accuracy of 96.62%. The results show that
semantic object embeddings retain strong discriminative evidence even when graph message passing is replaced by an interpretable
classical ensemble model.
References
[1] CISA, "Phishing guidance and cyber hygiene resources," Cybersecurity and Infrastructure Security Agency, 2022.
[2] P. Laskov and N. Srndic, "Static detection of malicious JavaScript-bearing PDF documents," ACSAC, 2011.
[3] C. Smutz and A. Stavrou, "Malicious PDF detection using metadata and structural features," ACSAC, 2012.
[4] N. Srndic and P. Laskov, "Hidost: a static machine-learning-based detector of malicious files," EURASIP Journal on Information Security, 2016.
[5] D. Maiorca, G. Giacinto, and I. Corona, "A pattern recognition system for malicious PDF files detection," MLDM, 2012.
[6] D. Maiorca et al., "Looking at the bag is not enough to find the bomb: an evasion of structural methods for malicious PDF files detection," ASIACCS, 2013.
[7] W. Xu, Y. Qi, and D. Evans, "Automatically evading classifiers: A case study on PDF malware classifiers," NDSS, 2016.
[8] N. Srndic and P. Laskov, "Practical evasion of a learning-based classifier: A case study," IEEE Symposium on Security and Privacy, 2014.
[9] L. Tong et al., "Improving robustness of ML classifiers against realizable evasion attacks using conserved features," USENIX Security, 2019.
[10] Y. Chen et al., "Robust PDF malware detection with adversarial training and static features," security literature, 2020.
[11] A. Jordaney et al., "Transcend: Detecting concept drift in malware classification models," USENIX Security, 2017.
[12] F. Barbero et al., "Transcending Transcend: Revisiting malware concept drift detection," security literature, 2022.
[13] S. Chua et al., "Neural nets can learn function type signatures from binaries," USENIX Security, 2017.
[14] S. Ding et al., "Asm2Vec: Boosting static representation robustness for binary clone search," IEEE S&P, 2019.
[15] X. Li et al., "PalmTree: Learning an assembly language model for instruction embedding," CCS, 2021.
[16] J. Devlin et al., "BERT: Pre-training of deep bidirectional transformers for language understanding," NAACL, 2019.
[17] K. Xu et al., "How powerful are graph neural networks?" ICLR, 2019.
[18] L. Breiman, "Random forests," Machine Learning, vol. 45, no. 1, pp. 5-32, 2001.
[19] Adobe Systems, "PDF Reference and ISO 32000-1 portable document format specification," 2008.
[20] PDF Association, "Stressful PDF corpus and PDF parser robustness resources," 2020.
[21] A. Kantchelian et al., "Evasion and hardening of tree ensemble classifiers," ICML, 2016.
[22] A. Biggio and F. Roli, "Wild patterns: Ten years after the rise of adversarial machine learning," Pattern Recognition, 2018.
[23] T. Chen and C. Guestrin, "XGBoost: A scalable tree boosting system," KDD, 2016.
[24] L. Akoglu, H. Tong, and D. Koutra, "Graph based anomaly detection and description," Data Mining and Knowledge Discovery, 2015.
[25] M. Newman, Networks, Oxford University Press, 2018.
[26] DGL Team, "Deep Graph Library," software documentation, 2024.
[27] A. Anantharaman et al., "PolyDoc: A corpus for PDF parser differential analysis," 2023.
[28] QPDF Project, "QPDF manual and PDF transformation tools," 2024.
[29] M. K. Bagwani, V. K. Tiwari, A. Gangwar, and K. Vishwakarma, "Real-time signature-based detection and prevention of DDOS attacks in cloud environments," International Journal of Science and Research Archive, vol. 12, no. 2, pp. 2929-2935, 2024.
[30] M. Bagwani, "Deploying a web application on AWS Amplify: A comprehensive guide," International Journal of Progressive Research in Engineering Management and Science, 2024.
[31] A. M. K. Bagwani and V. K. Tiwari, "Implementing GrapesJS in educational platforms for web development training on AWS," International Journal of Scientific Research in Multidisciplinary Studies, vol. 10, 2024.
[32] A. M. K. Bagwani and V. K. Tiwari, "Optimizing face detection performance with cloud machine learning services," Journal of Engineering and Technology Management, vol. 73, pp. 1167-1180, 2024.
[33] P. G. K. S. Mahesh Kumar Bagwani, "Performance comparison of REST API and GraphQL in a micro services architecture," International Conference on Data Science, Artificial Intelligence and Advanced Computing, 2024.
[34] M. K. Bagwani and G. K. Shrivastava, "Comparative analysis of microservices architectures: Evaluating performance, scalability, and maintenance," International Journal on Advances in Engineering Technology and Science, vol. 5, 2023.
[35] M. K. Bagwani, S. Dwivedi, V. Kumar, and P. Koshti, "Transmitting malware through QR codes: Risk analysis and a hybrid detection method," International Journal for Multidisciplinary Research, vol. 8, no. 3, pp. 1-25, 2026.
[36] A. M. K. Bagwani and V. K. Tiwari, "Preventing malware spread through QR codes: A detection and analysis approach," Journal of Engineering and Technology Management, vol. 73, pp. 1260-1268, 2024.
[37] A. M. K. Bagwani, V. K. Tiwari, and N. Singh, "Integrating GrapesJS with AWS: Building an educational platform for web development training," An Overview of Literature, Language and Education Research, vol. 10, pp. 106-124, 2025.
[38] M. Bagwani, "Building a cloud-native microservices based web application with GraphQL and Docker," School of Advanced Computing, Sanjeev Agrawal Global Educational University, 2024.
Downloads
Published
Issue
Section
License
Copyright (c) 2026 Mahesh Kumar Bagwani

This work is licensed under a Creative Commons Attribution 4.0 International License.
Articles published in the International Journal of Artificial Intelligence, Cybersecurity and Emerging Technologies (IJAICET) are licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0).
Under this license, users are free to share, copy, redistribute, adapt, and build upon the published material for any purpose, including commercial use, provided appropriate credit is given to the original author(s) and the source, a link to the license is provided, and any changes made are indicated.
Authors retain copyright of their work while granting IJAICET the right to publish, archive, distribute, and index the article. The journal supports the free exchange of scientific knowledge through open access publishing and encourages the widest possible dissemination of research.