Machine learning-based detection method for malicious PDF files: A temporal classification approach
- Authors
- Choi, Doo-Seop; Kim, Taeguen; Kang, Boojoong; Im, Eul Gyu
- Issue Date
- Mar-2026
- Publisher
- ELSEVIER
- Keywords
- Analysis of temporal feature evolution; Machine learning; Malware detection; Non-executable malware; PDF malware
- Citation
- Applied Soft Computing, v.189, pp 1 - 22
- Pages
- 22
- Indexed
- SCIE; SCOPUS
- Journal Title
- Applied Soft Computing
- Volume
- 189
- Start Page
- 1
- End Page
- 22
- URI
- https://scholarworks.bwise.kr/hanyang/handle/2021.sw.hanyang/210734
- DOI
- 10.1016/j.asoc.2025.114461
- ISSN
- 1568-4946; 1872-9681
- Abstract
- Cybercriminals increasingly exploit non-executable files that can bypass antivirus detection and are often opened by users without suspicion. In particular, PDF files have become a primary attack vector because they are platform-independent and preserve document components across different systems. Malicious PDF files continuously evolve to avoid detection, and traditional detection methods, which rely primarily on static features drawn from older PDF datasets, show limitations in identifying evolving malicious PDF files. This paper identifies temporal evolution in feature distributions and proposes a novel framework to detect malicious PDF files by introducing temporal classification and addressing the evolved characteristics of recent threats. Through in-depth statistical analysis, we reveal that recent malicious PDF files closely mimic the structural characteristics of legitimate files, exhibiting an 11-fold increase in graphic components and a 21-fold increase in hyperlinks compared to older samples. This finding indicates a significant shift in attack methodology from traditional script injection to social engineering. To address this challenge, we enhance the basic feature set of 31 structural and metadata-based features originally defined in the CIC-Evasive-PDFMal2022 dataset with 12 newly identified features, giving an enhanced set of 43 features. Experimental results demonstrate that our framework with the enhanced feature set achieves 97.80% detection accuracy using the random forest algorithm, a 4.12% improvement over the basic feature set. The framework maintains balanced performance across all metrics, with a recall of 0.96, a precision of 0.98, an F1-score of 0.97, and an AUC of 0.99. Additionally, the framework reduces the false positive rate (FPR) from 2.84% to 1.12%, a reduction of 1.72 percentage points, which is critical for practical deployment in real-world security environments. The proposed enhanced feature set provides an effective approach for strengthening real-world detection systems, including email attachment scanners and antivirus engines, against evolving PDF-based attacks.
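The pipeline the abstract describes, reduced to its essentials, as an added example that is not part of the repository record or the authors' code: pdfid-style counts of structural keywords over the raw PDF bytes (with hex-escaped names decoded first, since `/J#53` is a common way to hide `/JS` from naive counting), the ratio-style comparison of older and newer samples that underlies the 11-fold and 21-fold figures, and the confusion-matrix metrics reported (accuracy, precision, recall, F1, FPR). The keyword list, the `script_rule` heuristic that stands in for the paper's random forest, and the three sample documents are constructed assumptions; the page does not list the paper's 43 features, and `example.invalid` is a reserved placeholder domain.

```python
"""pdfid-style keyword counts over raw PDF bytes (the kind of structural feature
in CIC-Evasive-PDFMal2022), a legacy script-only rule, and the metrics the abstract
reports. Added example, not the authors' code; keywords and samples are constructed."""
import re

# Assumed keyword set; the page does not list the paper's 43 features.
# PDF names are case-sensitive, so /ObjStm does not match the bare keyword obj.
KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream", b"xref", b"startxref",
            b"trailer", b"/Page", b"/ObjStm", b"/JS", b"/JavaScript", b"/AA",
            b"/OpenAction", b"/Launch", b"/RichMedia", b"/EmbeddedFile",
            b"/URI", b"/Image", b"/XObject", b"/Font"]
_HEX_NAME = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so an obfuscated /J#53 is counted as /JS."""
    return _HEX_NAME.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def extract_features(data: bytes) -> dict:
    """Count every keyword occurrence, then add structural sanity features."""
    data = normalise_names(data)
    feats = {}
    for kw in KEYWORDS:
        # Bounded on both sides: 'endobj' is not an 'obj' and '/Pages' not a '/Page'.
        pat = rb"(?<![A-Za-z0-9])" + re.escape(kw) + rb"(?![A-Za-z0-9])"
        feats[kw.decode()] = len(re.findall(pat, data))
    feats["obj_mismatch"] = abs(feats["obj"] - feats["endobj"])
    feats["stream_mismatch"] = abs(feats["stream"] - feats["endstream"])
    feats["has_xref"] = int(feats["xref"] > 0 and feats["startxref"] > 0)
    return feats

def script_rule(feats: dict) -> int:
    """Legacy detector standing in for the paper's random forest: flags active
    content only, so a lure made of images and links passes as benign."""
    active = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/RichMedia")
    return int(any(feats[k] > 0 for k in active))

def confusion_metrics(y_true, y_pred) -> dict:
    """Accuracy, precision, recall, F1 and FPR; malicious (1) is the positive class."""
    pairs = list(zip(y_true, y_pred))
    tp, tn, fp, fn = (sum(1 for pr in pairs if pr == c)
                      for c in ((1, 1), (0, 0), (0, 1), (1, 0)))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / len(pairs), "precision": precision, "recall": recall,
            "f1": f1, "fpr": fp / (fp + tn) if fp + tn else 0.0}

def fold_change(old, new, key: str) -> float:
    """Mean of a feature over newer samples divided by its mean over older ones,
    the kind of ratio behind the abstract's 11-fold and 21-fold figures."""
    mean = lambda fs: sum(f[key] for f in fs) / len(fs)
    return mean(new) / mean(old) if mean(old) else float("inf")

# Constructed documents, not taken from the paper's dataset: a plain text page.
BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >> endobj
4 0 obj << /Length 35 >> stream
BT /F1 12 Tf 72 712 Td (Hello) Tj ET
endstream endobj
5 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
xref
trailer << /Root 1 0 R /Size 6 >>
startxref
0
%%EOF"""
# Older style: script fired by /OpenAction, /JS hex-escaped, no xref table at all.
OLD_MALICIOUS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /J#53 (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>"""
# Recent style: no script, well-formed structure, a lure image plus link annotations.
NEW_MALICIOUS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im1 4 0 R >> >> /Annots [5 0 R 6 0 R] >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Length 1 >> stream
x
endstream endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/login) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/doc) >> >> endobj
xref
trailer << /Root 1 0 R /Size 7 >>
startxref
0
%%EOF"""

SAMPLES = [(BENIGN, 0), (OLD_MALICIOUS, 1), (NEW_MALICIOUS, 1)]

def evaluate(samples):
    """Run the legacy rule over (bytes, label) pairs; returns (features, metrics)."""
    feats = [extract_features(d) for d, _ in samples]
    preds = [script_rule(f) for f in feats]
    return feats, confusion_metrics([y for _, y in samples], preds)
```

`evaluate(SAMPLES)` reproduces the abstract's point in miniature: the script-only rule catches the `/OpenAction` + `/JS` sample but lets the image-and-hyperlink lure through (recall 0.5 on this constructed set), and `fold_change` on `/URI` or `/Image` between the two malicious eras is exactly the drift the added features are meant to capture. To approximate the paper's setup, feed the feature dictionaries into a random forest (for instance scikit-learn's `RandomForestClassifier`) instead of the fixed rule, and keep `normalise_names` in front of it, since an extractor that counts raw bytes is trivially evaded by hex-escaping names.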
- Appears in Collections
- Seoul College of Engineering > Seoul Department of Future Automotive Engineering > 1. Journal Articles
- Seoul College of Engineering > Seoul Division of Computer Software > 1. Journal Articles