Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Binary-30K: A Heterogeneous Dataset for Deep Learning in Binary Analysis and Malware Detection

Michael J. Bommarito

TL;DR

Binary-30K addresses a critical gap in binary analysis by delivering the first heterogeneous, transformer-ready binary dataset that spans Windows, Linux, macOS, and Android across 15+ architectures with a realistic malware proportion. It pairs 29,793 pre-tokenized binaries with rich metadata and official Hugging Face splits, enabling cross-platform transfer learning and long-context modeling without heavy preprocessing. The dataset emphasizes education and reproducible research through accessible size, standardized tokenization, and platform-first sampling, while highlighting IoT security and cross-architecture research opportunities. While it acknowledges limitations (no iOS, no dynamic traces, and platform label confounding on macOS/Android subsets), Binary-30K lays a practical foundation for next-generation binary security research and pedagogy.

Abstract

Deep learning research for binary analysis faces a critical infrastructure gap. Today, existing datasets target single platforms, require specialized tooling, or provide only hand-engineered features incompatible with modern neural architectures; no single dataset supports accessible research and pedagogy on realistic use cases. To solve this, we introduce Binary-30K, the first heterogeneous binary dataset designed for sequence-based models like transformers. Critically, Binary-30K covers Windows, Linux, macOS, and Android across 15+ CPU architectures. With 29,793 binaries and approximately 26.93% malware representation, Binary-30K enables research on platform-invariant detection, cross-target transfer learning, and long-context binary understanding. The dataset provides pre-computed byte-level BPE tokenization alongside comprehensive structural metadata, supporting both sequence modeling and structure-aware approaches. Platform-first stratified sampling ensures representative coverage across operating systems and architectures, while distribution via Hugging Face with official train/validation/test splits enables reproducible benchmarking. The dataset is publicly available at https://huggingface.co/datasets/mjbommar/binary-30k, providing an accessible resource for researchers, practitioners, and students alike.

Binary-30K: A Heterogeneous Dataset for Deep Learning in Binary Analysis and Malware Detection

TL;DR

Binary-30K addresses a critical gap in binary analysis by delivering the first heterogeneous, transformer-ready binary dataset that spans Windows, Linux, macOS, and Android across 15+ architectures with a realistic malware proportion. It pairs 29,793 pre-tokenized binaries with rich metadata and official Hugging Face splits, enabling cross-platform transfer learning and long-context modeling without heavy preprocessing. The dataset emphasizes education and reproducible research through accessible size, standardized tokenization, and platform-first sampling, while highlighting IoT security and cross-architecture research opportunities. While it acknowledges limitations (no iOS, no dynamic traces, and platform label confounding on macOS/Android subsets), Binary-30K lays a practical foundation for next-generation binary security research and pedagogy.

Abstract

Deep learning research for binary analysis faces a critical infrastructure gap. Today, existing datasets target single platforms, require specialized tooling, or provide only hand-engineered features incompatible with modern neural architectures; no single dataset supports accessible research and pedagogy on realistic use cases. To solve this, we introduce Binary-30K, the first heterogeneous binary dataset designed for sequence-based models like transformers. Critically, Binary-30K covers Windows, Linux, macOS, and Android across 15+ CPU architectures. With 29,793 binaries and approximately 26.93% malware representation, Binary-30K enables research on platform-invariant detection, cross-target transfer learning, and long-context binary understanding. The dataset provides pre-computed byte-level BPE tokenization alongside comprehensive structural metadata, supporting both sequence modeling and structure-aware approaches. Platform-first stratified sampling ensures representative coverage across operating systems and architectures, while distribution via Hugging Face with official train/validation/test splits enables reproducible benchmarking. The dataset is publicly available at https://huggingface.co/datasets/mjbommar/binary-30k, providing an accessible resource for researchers, practitioners, and students alike.

Paper Structure

This paper contains 85 sections, 2 figures, 10 tables.

Table of Contents

  1. Introduction
  2. Motivation and Research Gaps
  3. Platform Imbalance in Existing Datasets
  4. Architectural Diversity for Internet of Things (IoT) Security
  5. Accessibility for Education and Novel Research
  6. Tokenization and Preprocessing Standardization
  7. Contributions
  8. Paper Organization
  9. Related Work
  10. Malware-Focused Datasets
  11. Cross-Platform and Benign Datasets
  12. Positioning Binary-30K
  13. Dataset Construction
  14. Temporal Coverage Summary
  15. Linux Distribution Packages
  16. ...and 70 more sections

Figures (2)

  • Figure 1: Architecture distribution in the Binary-30K dataset (excluding Unknown and Not-Applicable). The dataset includes comprehensive coverage of common architectures: x86-64 (16,802 samples, 56.40%), x86-32 (3,302 samples, 11.08%), ARM (2,799 samples, 9.39%), and ARM64 (1,761 samples, 5.91%) shown in orange. Exotic architectures shown in green include MIPS (679 samples, 2.28%), PowerPC (385 samples, 1.29%), SH (117 samples), m68k (100 samples), SPARC (77 samples and 1 SPARC-v9), RISC-V (40 samples), ARCompact (59 samples), and s390 (40 samples), totaling 1,498 exotic architecture samples. This fills a significant gap in existing binary analysis datasets and enables research on architecture-specific malware and cross-architecture analysis.
  • Figure 2: File size distribution by platform with log-scale x-axis. Each subplot shows the interquartile range (IQR, shaded blue region) and median (red dashed line) for a specific platform. Android binaries are significantly larger (median: 2.87 MB) due to APK packaging, while Linux binaries are smallest (median: 53.5 KB) due to the prevalence of small utility programs. The wide range of file sizes within each platform (spanning 3-4 orders of magnitude) demonstrates the diversity of binary types included in the dataset, from small embedded firmware to large application bundles.