The proliferation of edge devices has created an urgent need for security solutions capable of detecting malware in real time while operating under strict computational and memory constraints. Recently, Large Language Models (LLMs) have demonstrated remarkable capabilities in recognizing complex patterns, yet their deployment on edge devices remains impractical due to their resource demands. However, in edge malware detection, static or centrally retrained models degrade under evolving threats and heterogeneous traffic; locally trained models become siloed and fail to transfer across domains. To overcome these limitations, in this paper, we present a continuous learning architecture for edge-based malware detection that combines local adaptation on each device with global knowledge sharing through parameter-efficient LoRA adapters. Lightweight transformer models (DistilBERT, DistilGPT-2, TinyT5) run on edge nodes and are incrementally fine-tuned on device-specific traffic; only the resulting LoRA modules are aggregated by a lightweight coordinator and redistributed, enabling cross-device generalization without exchanging raw data. We evaluate on two public IoT security datasets, Edge-IIoTset and TON-IoT, under multi-round learning to simulate evolving threats. Compared to isolated fine-tuning, the LoRA-based exchange yields up to 20-25% accuracy gains when models encounter previously unseen attacks from another domain, while maintaining stable loss and F1 across rounds. LoRA adds less than 1% to model size (~0.6-1.8 MB), making updates practical for constrained edge hardware.

翻译：边缘设备的激增催生了对能够在严格计算和内存约束下实时检测恶意软件的安全解决方案的迫切需求。近年来，大语言模型（LLMs）在识别复杂模式方面展现出卓越能力，但其资源需求使得在边缘设备上的部署仍不切实际。然而，在边缘恶意软件检测中，静态或集中式重训练的模型在面对不断演变的威胁和异构流量时性能下降；本地训练的模型则形成信息孤岛，难以跨域迁移。为克服这些限制，本文提出一种用于边缘恶意软件检测的持续学习架构，该架构通过参数高效的LoRA适配器，将各设备的本地自适应与全局知识共享相结合。轻量级Transformer模型（DistilBERT、DistilGPT-2、TinyT5）在边缘节点运行，并基于设备特定流量进行增量微调；仅将生成的LoRA模块通过轻量级协调器聚合后重新分发，实现在不交换原始数据前提下的跨设备泛化。我们在两个公开物联网安全数据集（Edge-IIoTset和TON-IoT）上通过多轮学习模拟演化威胁进行评估。与孤立微调相比，当模型遭遇来自其他域的先前未见攻击时，基于LoRA的交换机制可获得高达20-25%的准确率提升，同时在各轮次中保持稳定的损失值和F1分数。LoRA仅增加不足1%的模型体积（约0.6-1.8 MB），使得更新在受限的边缘硬件上具有可行性。