Detecting IoT Malware in EV Chargers with Deep Learning

A new deep learning method has been developed to detect Internet of Things (IoT) malware in electric vehicle (EV) charging stations. The findings of this study were published in the journal Nature 


The researchers overcame three key limitations of existing approaches: the lack of cross-architecture adaptability (using Pcode as a unified representation), limited feature extraction (combining structural, statistical, and semantic features), and poor multimodal fusion (using dynamic weighting and multi-layer encoders), achieving 1.37 % higher F1 scores than current methods.

Background

The integration of IoT devices such as smart meters and sensors has made EV charging stations more intelligent and efficient. However, this connectivity introduces critical security vulnerabilities, as attackers can exploit IoT weaknesses to implant malware, steal user data, or manipulate power distribution, potentially causing grid overloads or equipment failure.

Existing IoT malware detection methods face three major gaps: poor adaptability across multiple central processing unit (CPU) architectures, limited feature extraction that fails to capture structural and behavioral characteristics, and simplistic multimodal fusion without dynamic weighting.

To address these gaps, the paper proposes a deep learning-based approach that unifies cross-architecture binaries via Ghidra’s Pcode representation, extracts three complementary feature types (global structural, statistical, and semantic), and fuses them using a dynamic weighting mechanism with a transformer encoder, improving detection accuracy.

Framework of the Proposed IoT Malware Detection Approach

The suggested approach consists of four main components.

First, a global structural feature analysis model converts the malware’s binary code into grayscale images and then uses a convolutional neural network to extract spatial patterns and structural characteristics from these images.

Second, to handle multiple CPU architectures uniformly, the framework employs the Ghidra decompiler to convert opcodes from different architectures into a unified intermediate language called Pcode. A statistical feature analysis model then applies term frequency-inverse document frequency (TF-IDF) to build a feature dictionary based on Pcode sequence frequencies. A feedforward neural network then processes these statistical vectors.

Third, a semantic feature analysis model removes redundant patterns from the Pcode sequences to reduce noise and improve relevance. It then uses a long short-term memory network to capture contextual dependencies and behavioral semantics within the instruction sequences, producing semantic feature vectors that reflect deeper malware behavior. 

Finally, a multimodal feature analysis model fuses the three types of features (global structural, statistical, and semantic). This model integrates a one-dimensional convolutional neural network (CNN) with a transformer encoder architecture. The multi-head attention mechanism dynamically assigns importance weights to each feature type based on its relevance, while the CNN extracts local patterns. A multi-layer encoder then performs deep interactive analysis of the fused features.

The complete framework operates as a static detection system, analyzing executables before deployment to ensure only safe software reaches IoT devices. Experiments on public datasets across five CPU architectures validate the approach’s effectiveness.
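The statistical-feature step of the framework, sketched as an added example (not code from the paper or from this article). Constructed Pcode opcode sequences stand in for Ghidra output, and the bigram size, smoothed-IDF formula, peak-score selection rule and threshold values are assumptions, since the article does not give the paper's exact definitions.

```python
import math
from collections import Counter

# Constructed Pcode opcode sequences standing in for Ghidra output on binaries
# built for four different CPUs; sample names and contents are hypothetical.
SAMPLES = {
    "bot_arm":  "COPY LOAD INT_XOR STORE CALL INT_XOR STORE CALL BRANCH".split(),
    "bot_mips": "LOAD INT_XOR STORE CALL COPY INT_XOR STORE CALL RETURN".split(),
    "tool_x86": "COPY INT_ADD LOAD INT_EQUAL CBRANCH CALL RETURN".split(),
    "tool_ppc": "COPY LOAD INT_ADD INT_EQUAL CBRANCH COPY RETURN".split(),
}

def ngrams(ops, n=2):
    """Sliding window of n consecutive Pcode opcodes, joined into one term."""
    return [" ".join(ops[i:i + n]) for i in range(len(ops) - n + 1)]

def build_dictionary(samples, threshold, n=2):
    """Return (vocab, idf); vocab keeps terms whose best TF-IDF >= threshold."""
    docs = [Counter(ngrams(ops, n)) for ops in samples.values()]
    df = Counter(term for counts in docs for term in counts)
    # Smoothed IDF (assumed formula): rare terms weigh more, none weigh zero.
    idf = {t: math.log((1 + len(docs)) / (1 + d)) + 1 for t, d in df.items()}
    peak = {t: max(c[t] * idf[t] for c in docs) for t in df}
    return sorted(t for t, s in peak.items() if s >= threshold), idf

def vectorize(ops, vocab, idf, n=2):
    """L2-normalised TF-IDF vector over the shared dictionary."""
    counts = Counter(ngrams(ops, n))
    vec = [counts[t] * idf[t] for t in vocab]
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]

def cosine(a, b):
    """Dot product; equals cosine similarity because inputs are unit length."""
    return sum(x * y for x, y in zip(a, b))

def similarity(name_a, name_b, threshold=0.0):
    """Similarity of two samples in the shared, architecture-neutral space."""
    vocab, idf = build_dictionary(SAMPLES, threshold)
    return cosine(vectorize(SAMPLES[name_a], vocab, idf),
                  vectorize(SAMPLES[name_b], vocab, idf))

if __name__ == "__main__":
    print("dictionary at threshold 2.0:", build_dictionary(SAMPLES, 2.0)[0])
    print("ARM bot vs MIPS bot:", round(similarity("bot_arm", "bot_mips"), 3))
    print("ARM bot vs PPC tool:", round(similarity("bot_arm", "tool_ppc"), 3))
```

Because every sample is expressed in the same Pcode vocabulary, one dictionary serves all architectures, and raising the threshold shrinks that dictionary to the terms that dominate at least one sample.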

Testbed Experiment and Numerical Results

The experiments used a combined public dataset from Yokohama National University and VirusShare, covering five common CPU architectures. After merging and cleaning, the dataset included both benign and malicious samples across 12 malware families. 

Four experiments were conducted. First, parameter tuning showed that optimal detection performance was achieved with a grayscale image size of 512, a TF-IDF threshold of 1.1, and 10 attention heads, yielding an F1 score of 95.89 %.

The second step involved comparing different feature combinations, which revealed that using all three feature types together - global structural, Pcode statistical, and Pcode semantic - performed best. Using only structural features gave an F1 of just 63.69 %, while adding semantic features improved this significantly. The proposed multimodal fusion model combining a transformer encoder with a one-dimensional CNN (1DCNN) outperformed simpler fusion methods, such as basic concatenation.

Third, malware family classification experiments showed that the approach consistently achieved higher accuracy across all 12 families compared to other parameter settings, with more attention heads improving fine-grained discrimination.

Fourth, comparison with four existing detection approaches demonstrated that the proposed method achieved the highest F1 score at 95.89 % and the lowest false positive rate at 5.29 %. While its computational complexity was higher than some alternatives, this trade-off is acceptable for centralized detection scenarios in which accuracy is prioritized.

Conclusion

The paper presents a deep learning-based IoT malware detection approach for EV charging stations that addresses three key limitations: poor cross-architecture adaptability, limited feature extraction, and ineffective multimodal fusion.

By unifying binaries via Ghidra’s Pcode and combining structural, statistical, and semantic features with a dynamic weighting mechanism, the method achieves a 1.37 % higher F1 score than existing approaches.

A limitation is its reliance on static features, making it vulnerable to obfuscated or packed malware. Future work will integrate dynamic behavioral features from sandbox execution and evaluate performance on resource-constrained edge devices.


Journal Reference

Xia, L., Chen, Y., & Han, L. (2026). A deep learning-based IoT malware detection approach for electric vehicle charging stations. Scientific Reports, 16(1). DOI:10.1038/s41598-026-45220-x

https://www.nature.com/articles/s41598-026-45220-x


Citations

Please use one of the following formats to cite this article in your essay, paper or report:

  • APA

    Nandi, Soham. (2026, April 09). Detecting IoT Malware in EV Chargers with Deep Learning. AZoRobotics. Retrieved on April 09, 2026 from https://www.azorobotics.com/News.aspx?newsID=16376.

  • MLA

    Nandi, Soham. "Detecting IoT Malware in EV Chargers with Deep Learning". AZoRobotics. 09 April 2026. <https://www.azorobotics.com/News.aspx?newsID=16376>.

  • Chicago

    Nandi, Soham. "Detecting IoT Malware in EV Chargers with Deep Learning". AZoRobotics. https://www.azorobotics.com/News.aspx?newsID=16376. (accessed April 09, 2026).

  • Harvard

    Nandi, Soham. 2026. Detecting IoT Malware in EV Chargers with Deep Learning. AZoRobotics, viewed 09 April 2026, https://www.azorobotics.com/News.aspx?newsID=16376.
