XAI-1DSig: Explainable and Robust 1D Signal-Based IoT Malware Classification
Abstract
Malware classification in Internet of Things (IoT) environments presents significant challenges due to device heterogeneity, resource constraints, and the rapid emergence of new malware families. Effective detection methods must therefore be accurate, explainable, and robust against adversarial attacks. Recent studies have explored 1D signal-based representations of malware, which preserve the original byte sequence and avoid the information loss associated with 2D image transformations, but this approach has not been extensively evaluated in IoT-specific malware ecosystems and lacks explainability and robustness analysis. Hence, this study proposes XAI-1DSig, an explainable 1D signal-based malware classification framework that integrates a hybrid CNN–BiLSTM architecture with SHAP-based byte-level explainability and adversarial robustness evaluation. Experiments on three IoT benchmark datasets (IoT-23, N-BaIoT, and CICIoT2023) achieve an F1-score of 81.21%, outperforming a 1D-CNN baseline by 30.74 percentage points. SHAP analysis identifies sparse, interpretable byte-level features, with only 6.8% of bytes influencing classification. Adversarial training further improves PGD-40 robustness from 58.32% to 74.88% with minimal accuracy loss. The results demonstrate the effectiveness and generalizability of explainable 1D signal-based malware classification for IoT security.