In applying deep learning for malware classification, it is crucial to account for the prevalence of malware evolution, which can cause trained classifiers to fail on drifted malware. Existing solutions to address concept drift use active learning. They select new samples for analysts to label and then retrain the classifier with the new labels. Our key finding is that the current retraining techniques do not achieve optimal results. These techniques overlook that updating the model with scarce drifted samples requires learning features that remain consistent across pre-drift and post-drift data. The model should thus be able to disregard specific features that, while beneficial for the classification of pre-drift data, are absent in post-drift data, thereby preventing prediction degradation. In this paper, we propose a new technique for detecting and classifying drifted malware that learns drift-invariant features in malware control flow graphs by leveraging graph neural networks with adversarial domain adaptation. We compare it with existing model retraining methods in active learning-based malware detection systems and other domain adaptation techniques from the vision domain. Our approach significantly improves drifted malware detection on publicly available benchmarks and real-world malware databases reported daily by security companies in 2024. We also tested our approach in predicting multiple malware families drifted over time. A thorough evaluation shows that our approach outperforms the state-of-the-art approaches.

翻译：在应用深度学习进行恶意软件分类时，必须考虑恶意软件持续演变的普遍现象，这可能导致训练好的分类器在漂移恶意软件上失效。现有解决概念漂移的方案采用主动学习方法，通过选择新样本供分析人员标注，再利用新标签重新训练分类器。我们的核心发现是：当前的重训练技术未能达到最优效果。这些技术忽略了在稀缺漂移样本上更新模型时，需要学习在漂移前后数据中保持一致的特性。模型应能摒弃那些虽对漂移前数据分类有益、但在漂移后数据中缺失的特定特征，从而避免预测性能退化。本文提出一种新的漂移恶意软件检测与分类技术，通过结合图神经网络与对抗性域自适应，从恶意软件控制流图中学习漂移不变特征。我们将该方法与现有主动学习恶意软件检测系统中的模型重训练方法，以及视觉领域的其他域自适应技术进行了比较。在公开基准数据集和2024年安全公司每日报告的真实恶意软件数据库上，我们的方法显著提升了漂移恶意软件的检测性能。我们还测试了该方法在预测随时间漂移的多个恶意软件家族时的表现。全面评估表明，我们的方法优于当前最先进的技术。