In the application of deep learning for malware classification, it is crucial to account for the prevalence of malware evolution, which can cause trained classifiers to fail on drifted malware. Existing solutions to combat concept drift use active learning: they select new samples for analysts to label, and then retrain the classifier with the new labels. Our key finding is, the current retraining techniques do not achieve optimal results. These models overlook that updating the model with scarce drifted samples requires learning features that remain consistent across pre-drift and post-drift data. Furthermore, the model should be capable of disregarding specific features that, while beneficial for classification of pre-drift data, are absent in post-drift data, thereby preventing prediction degradation. In this paper, we propose a method that learns retained information in malware control flow graphs post-drift by leveraging graph neural network with adversarial domain adaptation. Our approach considers drift-invariant features within assembly instructions and flow of code execution. We further propose building blocks for more robust evaluation of drift adaptation techniques that computes statistically distant malware clusters. Our approach is compared with the previously published training methods in active learning systems, and the other domain adaptation technique. Our approach demonstrates a significant enhancement in predicting unseen malware family in a binary classification task and predicting drifted malware families in a multi-class setting. In addition, we assess alternative malware representations. The best results are obtained when our adaptation method is applied to our graph representations.

翻译：在深度学习应用于恶意软件分类时，必须考虑恶意软件演变的普遍性，这种演变可能导致训练好的分类器在发生漂移的恶意软件上失效。现有应对概念漂移的解决方案采用主动学习策略：选择新样本供分析人员标注，随后利用新标签重新训练分类器。我们的核心发现是，当前的重训练技术未能达到最优效果。这些模型忽略了以下关键点：使用稀缺的漂移样本更新模型时，需要学习在漂移前与漂移后数据中保持一致的特性。此外，模型应具备忽略特定特征的能力——这些特征虽对漂移前数据的分类有益，却在漂移后数据中缺失，从而避免预测性能下降。本文提出一种方法，通过结合图神经网络与对抗域适应技术，学习恶意软件控制流图在漂移后保留的信息。我们的方法关注汇编指令与代码执行流程中具有漂移不变性的特征。我们进一步提出了构建模块，用于通过计算统计距离上离散的恶意软件集群来更稳健地评估漂移适应技术。我们将所提方法与先前发表的主动学习系统训练方法及其他域适应技术进行比较。实验表明，在二分类任务中对未见恶意软件家族的预测，以及多分类场景中对漂移恶意软件家族的预测，我们的方法均展现出显著提升。此外，我们评估了多种恶意软件表征形式。当将我们的适应方法应用于我们提出的图表征时，获得了最佳结果。