Saved in:
Bibliographic Details
Main Authors: Rahman, Mohammad Saidur, Coull, Scott, Yu, Qi, Wright, Matthew
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2502.05760
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909793765031936
author Rahman, Mohammad Saidur
Coull, Scott
Yu, Qi
Wright, Matthew
author_facet Rahman, Mohammad Saidur
Coull, Scott
Yu, Qi
Wright, Matthew
contents Millions of new pieces of malicious software (i.e., malware) are introduced each year. This poses significant challenges for antivirus vendors, who use machine learning to detect and analyze malware, and must keep up with changes in the distribution while retaining knowledge of older variants. Continual learning (CL) holds the potential to address this challenge by reducing the storage and computational costs of regularly retraining over all the collected data. Prior work, however, shows that CL techniques, which are designed primarily for computer vision tasks, fare poorly when applied to malware classification. To address these issues, we begin with an exploratory analysis of a typical malware dataset, which reveals that malware families are diverse and difficult to characterize, requiring a wide variety of samples to learn a robust representation. Based on these findings, we propose $\underline{M}$alware $\underline{A}$nalysis with $\underline{D}$istribution-$\underline{A}$ware $\underline{R}$eplay (MADAR), a CL framework that accounts for the unique properties and challenges of the malware data distribution. Through extensive evaluation on large-scale Windows and Android malware datasets, we show that MADAR significantly outperforms prior work. This highlights the importance of understanding domain characteristics when designing CL techniques and demonstrates a path forward for the malware classification domain.
format Preprint
id arxiv_https___arxiv_org_abs_2502_05760
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle MADAR: Efficient Continual Learning for Malware Analysis with Distribution-Aware Replay
Rahman, Mohammad Saidur
Coull, Scott
Yu, Qi
Wright, Matthew
Cryptography and Security
Millions of new pieces of malicious software (i.e., malware) are introduced each year. This poses significant challenges for antivirus vendors, who use machine learning to detect and analyze malware, and must keep up with changes in the distribution while retaining knowledge of older variants. Continual learning (CL) holds the potential to address this challenge by reducing the storage and computational costs of regularly retraining over all the collected data. Prior work, however, shows that CL techniques, which are designed primarily for computer vision tasks, fare poorly when applied to malware classification. To address these issues, we begin with an exploratory analysis of a typical malware dataset, which reveals that malware families are diverse and difficult to characterize, requiring a wide variety of samples to learn a robust representation. Based on these findings, we propose $\underline{M}$alware $\underline{A}$nalysis with $\underline{D}$istribution-$\underline{A}$ware $\underline{R}$eplay (MADAR), a CL framework that accounts for the unique properties and challenges of the malware data distribution. Through extensive evaluation on large-scale Windows and Android malware datasets, we show that MADAR significantly outperforms prior work. This highlights the importance of understanding domain characteristics when designing CL techniques and demonstrates a path forward for the malware classification domain.
title MADAR: Efficient Continual Learning for Malware Analysis with Distribution-Aware Replay
topic Cryptography and Security
url https://arxiv.org/abs/2502.05760