Robust Machine Learning for Malware Detection over Time

TL;DR

This paper introduces a framework for analyzing concept drift in malware detection data and proposes a time-aware SVM classifier that maintains performance better over time by understanding data evolution.

Contribution

It presents a novel drift-analysis framework and a time-aware SVM classifier that together improve malware detection robustness against concept drift.

Findings

SVM-CB outperforms standard classifiers over time

The drift-analysis framework identifies key data characteristics causing drift

Time-aware models better resist distribution changes in malware data

Abstract

The presence and persistence of Android malware is an on-going threat that plagues this information era, and machine learning technologies are now extensively used to deploy more effective detectors that can block the majority of these malicious programs. However, these algorithms have not been developed to pursue the natural evolution of malware, and their performances significantly degrade over time because of such concept-drift. Currently, state-of-the-art techniques only focus on detecting the presence of such drift, or they address it by relying on frequent updates of models. Hence, there is a lack of knowledge regarding the cause of the concept drift, and ad-hoc solutions that can counter the passing of time are still under-investigated. In this work, we commence to address these issues as we propose (i) a drift-analysis framework to identify which characteristics of data are causing the drift, and (ii) SVM-CB, a time-aware classifier that leverages the drift-analysis information to slow down the performance drop. We highlight the efficacy of our contribution by comparing its degradation over time with a state-of-the-art classifier, and we show that SVM-CB better withstands the distribution changes that naturally characterize the malware domain. We conclude by discussing the limitations of our approach and how our contribution can be taken as a first step towards more time-resistant classifiers that not only tackle, but also understand the concept drift that affects data.