Saved in:
Bibliographic Details
Main Authors: Amalapuram, Suresh Kumar, Shresta, Bikraj, Chebiyam, Siva Ram murthy, Tamma, Bheemarjuna Reddy, Channappayya, Sumohana S
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.24903
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866910252407980032
author Amalapuram, Suresh Kumar
Shresta, Bikraj
Chebiyam, Siva Ram murthy
Tamma, Bheemarjuna Reddy
Channappayya, Sumohana S
author_facet Amalapuram, Suresh Kumar
Shresta, Bikraj
Chebiyam, Siva Ram murthy
Tamma, Bheemarjuna Reddy
Channappayya, Sumohana S
contents Machine learning based malware detectors become obsolete over time due to concept drift in benign and malware applications. Recent methods rely on fully labeled data and use hierarchical contrastive loss (HCL) with active learning to improve robustness against drift by exploiting semantic structure in malware representations. However, obtaining labeled data in the security domain is difficult. Under partially labeled settings, HCL suffers significant performance degradation in detecting unseen malware, especially on datasets such as BODMAS where strong semantic structure may not exist. In this paper, we propose SEED, a semantic-structure-agnostic method for malware detection under limited supervision. SEED combines a tailored binary cross-entropy objective with semi-supervised continual learning and active learning. For partially labeled seen tasks, unlabeled samples are projected into a representation space constructed from previously seen data using singular value decomposition, and paired with suitable labeled samples to encourage representation consistency. For unseen tasks with fully unlabeled data, uncertainty is quantified using cosine distance in representation space, and the most uncertain samples are selected for analyst labeling. We evaluate SEED on both Windows and Android malware datasets. Using only 20% labeled data on seen tasks, SEED achieves average AUT improvements of 40% on BODMAS and 14% on AndroZoo for unseen malware detection compared to HCL* (the semi-supervised adaptation of HCL), while remaining competitive on APIGraph. Finally, we introduce a delayed buffer update strategy to reduce label noise propagation during replay and improve learning stability.
format Preprint
id arxiv_https___arxiv_org_abs_2605_24903
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle SEED: Semi-supervised Continual MalwarE Detection for Tackling ConcEpt Drift on a BuDget
Amalapuram, Suresh Kumar
Shresta, Bikraj
Chebiyam, Siva Ram murthy
Tamma, Bheemarjuna Reddy
Channappayya, Sumohana S
Cryptography and Security
Machine Learning
Machine learning based malware detectors become obsolete over time due to concept drift in benign and malware applications. Recent methods rely on fully labeled data and use hierarchical contrastive loss (HCL) with active learning to improve robustness against drift by exploiting semantic structure in malware representations. However, obtaining labeled data in the security domain is difficult. Under partially labeled settings, HCL suffers significant performance degradation in detecting unseen malware, especially on datasets such as BODMAS where strong semantic structure may not exist. In this paper, we propose SEED, a semantic-structure-agnostic method for malware detection under limited supervision. SEED combines a tailored binary cross-entropy objective with semi-supervised continual learning and active learning. For partially labeled seen tasks, unlabeled samples are projected into a representation space constructed from previously seen data using singular value decomposition, and paired with suitable labeled samples to encourage representation consistency. For unseen tasks with fully unlabeled data, uncertainty is quantified using cosine distance in representation space, and the most uncertain samples are selected for analyst labeling. We evaluate SEED on both Windows and Android malware datasets. Using only 20% labeled data on seen tasks, SEED achieves average AUT improvements of 40% on BODMAS and 14% on AndroZoo for unseen malware detection compared to HCL* (the semi-supervised adaptation of HCL), while remaining competitive on APIGraph. Finally, we introduce a delayed buffer update strategy to reduce label noise propagation during replay and improve learning stability.
title SEED: Semi-supervised Continual MalwarE Detection for Tackling ConcEpt Drift on a BuDget
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2605.24903