High-dimensional malware datasets often exhibit feature redundancy, instability, and scalability limitations, which hinder the effectiveness and interpretability of machine learning-based malware detection systems. Although feature selection is commonly employed to mitigate these issues, many existing approaches lack robustness when applied to large-scale and heterogeneous malware data. To address this gap, this paper proposes CAFE-GB (Chunk-wise Aggregated Feature Estimation using Gradient Boosting), a scalable feature selection framework designed to produce stable and globally consistent feature rankings for high-dimensional malware detection. CAFE-GB partitions training data into overlapping chunks, estimates local feature importance using gradient boosting models, and aggregates these estimates to derive a robust global ranking. Feature budget selection is performed separately through a systematic k-selection and stability analysis to balance detection performance and robustness. The proposed framework is evaluated on two large-scale malware datasets, BODMAS and CIC-AndMal2020, which represent large and diverse malware feature spaces. Experimental results show that classifiers trained on CAFE-GB-selected features achieve performance parity with full-feature baselines across multiple metrics, including Accuracy, F1-score, MCC, ROC-AUC, and PR-AUC, while reducing feature dimensionality by more than 95%. Paired Wilcoxon signed-rank tests confirm that this reduction does not introduce statistically significant performance degradation. Additional analyses demonstrate low inter-feature redundancy and improved interpretability through SHAP-based explanations. Runtime and memory profiling further indicate reduced downstream classification overhead. Overall, CAFE-GB provides a stable, interpretable, and scalable feature selection strategy for large-scale malware detection.
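The chunk-wise estimation, aggregation and k-selection pipeline described in the abstract, as an added illustrative example that is not the paper's code. It assumes a simplified gradient boosting of decision stumps on logistic loss as a stand-in for the paper's gradient boosting models, split gain as the local importance measure, a mean of per-chunk normalized importances as the aggregation rule, and mean pairwise Jaccard overlap of top-k sets as the stability score; the function names (`boosted_importance`, `cafe_gb`, `top_k_stability`, `select_k`) and the constructed dataset, whose label depends only on features 0 and 2, are hypothetical.

```python
"""Chunk-wise aggregated feature estimation with boosted stumps (constructed example)."""
import math
import random
from itertools import combinations

random.seed(7)


def make_dataset(n=300, d=6):
    """Constructed sample: label depends only on features 0 and 2, others are noise."""
    X = [[random.random() for _ in range(d)] for _ in range(n)]
    y = [1 if row[0] + row[2] > 1.0 else 0 for row in X]
    return X, y


def fit_stump(X, r, thresholds):
    """Best single-split regression stump on residuals r: (feature, thr, left, right, gain)."""
    n = len(r)
    base = sum(v * v for v in r) - (sum(r) ** 2) / n  # SSE of a constant fit
    best = None
    for j, cands in enumerate(thresholds):
        for t in cands:
            left = [r[i] for i in range(n) if X[i][j] <= t]
            right = [r[i] for i in range(n) if X[i][j] > t]
            if not left or not right:
                continue
            ml, mr = sum(left) / len(left), sum(right) / len(right)
            sse = sum((v - ml) ** 2 for v in left) + sum((v - mr) ** 2 for v in right)
            gain = base - sse
            if best is None or gain > best[4]:
                best = (j, t, ml, mr, gain)
    return best


def boosted_importance(X, y, rounds=20, lr=0.3, n_thr=9):
    """Simplified gradient boosting of stumps (assumed stand-in); importance = summed split gain."""
    n, d = len(X), len(X[0])
    thresholds = []
    for j in range(d):  # candidate thresholds at quantiles of each feature
        col = sorted(row[j] for row in X)
        thresholds.append([col[int(n * q / (n_thr + 1))] for q in range(1, n_thr + 1)])
    F = [0.0] * n
    gain = [0.0] * d
    for _ in range(rounds):
        p = [1 / (1 + math.exp(-f)) for f in F]
        r = [y[i] - p[i] for i in range(n)]  # negative gradient of logistic loss
        j, t, ml, mr, g = fit_stump(X, r, thresholds)
        gain[j] += g
        for i in range(n):
            F[i] += lr * (ml if X[i][j] <= t else mr)
    total = sum(gain) or 1.0
    return [g / total for g in gain]  # local importance, normalized to sum to 1


def overlapping_chunks(n, size, stride):
    """Index windows [start, start+size); consecutive windows overlap when stride < size."""
    starts = range(0, max(n - size, 0) + 1, stride)
    return [list(range(s, min(s + size, n))) for s in starts]


def cafe_gb(X, y, size=120, stride=60, rounds=20):
    """Per-chunk local importances, mean-aggregated into a global ranking (most important first)."""
    local = []
    for idx in overlapping_chunks(len(X), size, stride):
        local.append(boosted_importance([X[i] for i in idx], [y[i] for i in idx], rounds))
    d = len(X[0])
    global_imp = [sum(imp[j] for imp in local) / len(local) for j in range(d)]
    ranking = sorted(range(d), key=lambda j: -global_imp[j])
    return ranking, global_imp, local


def top_k_stability(local, k):
    """Mean pairwise Jaccard overlap of each chunk's top-k feature set (assumed stability score)."""
    tops = [set(sorted(range(len(imp)), key=lambda j: -imp[j])[:k]) for imp in local]
    pairs = list(combinations(tops, 2))
    return sum(len(a & b) / len(a | b) for a, b in pairs) / len(pairs)


def select_k(local, threshold=0.9):
    """Smallest feature budget k whose top-k sets agree across chunks at >= threshold."""
    d = len(local[0])
    for k in range(1, d + 1):
        if top_k_stability(local, k) >= threshold:
            return k
    return d


if __name__ == "__main__":
    X, y = make_dataset()
    ranking, global_imp, local = cafe_gb(X, y)
    k = select_k(local)
    print("global ranking:", ranking)
    print("selected budget k =", k, "-> features", ranking[:k])
    for kk in range(1, len(ranking) + 1):
        print(f"k={kk}: stability={top_k_stability(local, kk):.2f}")
```

Run as a script to see the per-k stability curve; on the constructed data the two informative features dominate every chunk, so the global ranking places them first and the stability threshold is reached at a small k. On real feature matrices of BODMAS or CIC-AndMal2020 scale the per-chunk model would be a full gradient boosting implementation and the chunk size, stride and stability threshold would be tuned rather than fixed as here.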