Semantic Data Representation for Explainable Windows Malware Detection Models

📅 2024-03-18
🏛️ arXiv.org
📈 Citations: 2
Influential: 0
🤖 AI Summary
To address the lack of semantic representation and poor interpretability in PE-format malware detection, this paper introduces PE-MalOnt—the first reusable malware ontology specifically designed for Windows executables. PE-MalOnt unifies modeling of PE file structure, behavioral semantics, and malicious patterns, thereby bridging symbolic reasoning and machine learning. Leveraging this ontology, we construct a semantically enriched EMBER dataset and its hierarchical subsets, enabling fine-grained semantic annotation and knowledge graph representation. Experimental results show that ontology-based interpretable discriminators achieve slightly lower accuracy than state-of-the-art black-box models but offer transparent rule-based logic, traceable terminology, auditable inference, and full experimental reproducibility. Our core contributions are: (1) the first PE-specific malware ontology; (2) a semantically annotated benchmark dataset; and (3) a novel paradigm for interpretable static malware detection.

📝 Abstract
Ontologies are a standard tool for creating semantic schemata in many knowledge-intensive domains of human interest. They are also becoming increasingly important in areas that have until very recently been dominated by subsymbolic knowledge representation and machine-learning (ML) based data processing. One such area is information security, and specifically malware detection. We thus propose the PE Malware Ontology, which offers a reusable semantic schema for Portable Executable (PE, the Windows binary format) malware files. This ontology is inspired by the structure of the EMBER dataset, which focuses on the static malware analysis of PE files. With this proposal, we hope to provide a unified semantic representation for existing and future PE-malware datasets and to facilitate the application of symbolic, neuro-symbolic, or otherwise explainable approaches in the PE-malware-detection domain, which may produce interpretable results described by the terms defined in our ontology. In addition, we also publish semantically treated EMBER data, including fractional datasets, to support the reproducibility of experiments on EMBER. We supplement our work with a preliminary case study, conducted using concept learning, to show the general feasibility of our approach. While we were not able to match the precision of the state-of-the-art ML tools, the learned malware discriminators were interesting and highly interpretable.
Problem

Research questions and friction points this paper is trying to address.

Creating a reusable semantic schema for Windows PE malware files
Providing unified representation for PE malware datasets to enable explainable approaches
Facilitating interpretable malware detection using symbolic and neuro-symbolic methods
Innovation

Methods, ideas, or system contributions that make the work stand out.

Proposed PE Malware Ontology for semantic representation
Inspired by EMBER dataset structure for static analysis
Facilitates explainable approaches using concept learning
Authors

Peter Svec, Institute of Computer Science and Mathematics, Faculty of Electrical Engineering and Information Technology, Slovak University of Technology, Ilkovičova 3, Bratislava, Slovakia
Stefan Balogh, Institute of Computer Science and Mathematics, Faculty of Electrical Engineering and Information Technology, Slovak University of Technology, Ilkovičova 3, Bratislava, Slovakia
Martin Homola, Department of Applied Informatics, Faculty of Mathematics, Physics and Informatics, Comenius University in Bratislava, Mlynská dolina, Bratislava, Slovakia
Ján Kľuka, Department of Applied Informatics, Faculty of Mathematics, Physics and Informatics, Comenius University in Bratislava, Mlynská dolina, Bratislava, Slovakia
Tomás Bisták, Department of Applied Informatics, Faculty of Mathematics, Physics and Informatics, Comenius University in Bratislava, Mlynská dolina, Bratislava, Slovakia