Malware classification models often face performance degradation due to concept drift, arising from evolving threat landscapes and the emergence of novel malware families. This paper presents FARM (Few-shot Adaptive Recognition of Malware), a framework designed to detect and adapt to both covariate and label drift in Windows Portable Executable (PE) malware classification. FARM leverages a triplet autoencoder to project samples into a discriminative latent space, enabling unsupervised drift detection via DBSCAN clustering and dynamic thresholding. For rapid adaptation, it employs few-shot learning using prototype-based classification, requiring only a handful of labeled samples. FARM also supports full retraining when enough drifted samples accumulate, updating the latent space for long-term integration. Experiments on the BenchMFC dataset demonstrate that FARM improves classification performance under covariate drift by 5.6%, and achieves an average F1 score of 0.85 on unseen malware families using only few-shot adaptation, which further increases to 0.94 after retraining. These results highlight FARM's robustness and adaptability in dynamic malware detection environments under limited supervision.
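The detect-then-adapt loop described in the abstract, in miniature, as an added example that is not code from the paper. It assumes constructed 2-D vectors in place of triplet-autoencoder output, a threshold rule of mean + k·std of in-class distances (the abstract does not specify FARM's dynamic threshold), and made-up family labels and DBSCAN parameters.

```python
import math
from statistics import mean, pstdev

class PrototypeModel:
    """Nearest-prototype classifier; assumed drift limit: mean + k*std of in-class distances."""
    def __init__(self, k=3.0):
        self.k, self.protos, self.limits = k, {}, {}
    def fit_class(self, label, embs):
        proto = tuple(mean(c) for c in zip(*embs))
        d = [math.dist(e, proto) for e in embs]
        self.protos[label], self.limits[label] = proto, mean(d) + self.k * pstdev(d)
    def predict(self, emb):
        label = min(self.protos, key=lambda l: math.dist(emb, self.protos[l]))
        return label, math.dist(emb, self.protos[label]) > self.limits[label]

def dbscan(pts, eps, min_pts):
    """Minimal DBSCAN: one cluster id per point, -1 for noise."""
    near = lambda i: [j for j, q in enumerate(pts) if math.dist(pts[i], q) <= eps]
    ids, cid = [None] * len(pts), -1
    for i in range(len(pts)):
        if ids[i] is not None:
            continue
        seeds = near(i)
        if len(seeds) < min_pts:
            ids[i] = -1
            continue
        cid += 1
        while seeds:  # grow the cluster from core point i (i is in its own seeds)
            j = seeds.pop()
            if ids[j] in (None, -1):
                ids[j] = cid
                nj = near(j)
                if len(nj) >= min_pts:  # only core points extend the frontier
                    seeds.extend(nj)
    return ids

# Constructed 2-D vectors standing in for triplet-autoencoder output.
KNOWN = {"famA": [(0.0, 0.1), (0.2, 0.0), (0.1, 0.2), (-0.1, 0.0)],
         "famB": [(5.0, 5.1), (5.2, 4.9), (4.9, 5.0), (5.1, 5.2)]}
STREAM = [(0.1, 0.1), (5.0, 5.0), (9.0, 0.1), (9.2, 0.0), (9.1, 0.2), (8.9, 0.1), (2.5, 9.0)]

def run():
    model = PrototypeModel()
    for label, embs in KNOWN.items():
        model.fit_class(label, embs)
    drifted = [e for e in STREAM if model.predict(e)[1]]   # beyond nearest prototype's limit
    clusters = dbscan(drifted, eps=0.5, min_pts=3)         # dense group = candidate family
    # Few-shot step: the analyst labels cluster 0 ("famC" is a made-up label).
    model.fit_class("famC", [e for e, c in zip(drifted, clusters) if c == 0])
    return drifted, clusters, model.predict((9.05, 0.1)), model.predict((2.5, 9.0))
```

The isolated point stays flagged as drift after adaptation because DBSCAN marked it as noise, so it never contributes to a prototype.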