Review Article

Hybrid SVM–Random Forest Ensemble Superiority for Static Malware Detection: A Comparative Study

Dr. W. Rose Varuna¹, Naveen S², Shruthi K³

¹ Assistant Professor, Department of Information Technology, Bharathiar University, Coimbatore, Tamil Nadu, India.
²,³ M.Sc, Department of Information Technology, Bharathiar University, Coimbatore, Tamil Nadu, India.

Published Online: March-April 2026

Pages: 01-06

Abstract

Notwithstanding the strong performance shown by the proposed hybrid SVM-RF ensemble, the current study has some limitations. Firstly, the assessment was carried out only on static analysis features extracted from Portable Executable (PE) files. It is therefore unknown how the model would have performed had it analyzed runtime behaviors such as dynamic API invocation patterns, memory modifications, and network activity. As a result, the proposed static-only framework may not fully detect certain sophisticated malware variants that employ runtime evasion or fileless execution techniques. Secondly, even though two well-known public benchmark datasets (EMBER and BODMAS) were used to ensure reproducibility and comparability, the feature distributions and labeling quality of these datasets may not fully represent the diversity of malware encountered in operational environments. Differences in malware families, packing techniques, and dataset collection methods may affect detection performance when the model is used in real-world scenarios. Thirdly, although normalization and balanced sampling were applied to reduce bias, the very high dimensionality of the hybrid feature space might still lead to redundancy and increased computational cost, especially for the SVM component. The stacking ensemble mitigates the weaknesses of the individual classifiers, but its training time is still higher than that of simpler single-model approaches, which may limit scalability in resource-constrained environments. Lastly, detailed year-wise or temporally segmented evaluation has largely been overlooked in this work. While the use of benchmark datasets that carry temporal features indicates the model's ability to generalize to some extent, a stricter temporal validation would reveal more about the model's robustness to changes in malware distribution and to new, previously unknown threats.

https://ijrtmr.com/archives/10.59256/ijrtmr.20260602001