PromptSAM+: Malware Detection based on Prompt Segment Anything Model

TL;DR

PromptSAM+ introduces a visual malware detection framework leveraging the Segment Anything Model, achieving high accuracy, robustness over time, and reduced labeling effort across Windows and Android malware datasets.

Contribution

The paper presents PromptSAM+, a novel visual malware detection approach based on a large segmentation model, addressing practicality, aging, and label scarcity issues in existing ML/DL methods.

Findings

High detection accuracy on multiple datasets

Effective reduction of false positives and negatives

Mitigates classifier aging and reduces labeling effort

Abstract

Machine learning and deep learning (ML/DL) have been extensively applied in malware detection, and some existing methods demonstrate robust performance. However, several issues persist in the field of malware detection: (1) Existing work often overemphasizes accuracy at the expense of practicality, rarely considering false positive and false negative rates as important metrics. (2) Considering the evolution of malware, the performance of classifiers significantly declines over time, greatly reducing the practicality of malware detectors. (3) Prior ML/DL-based efforts heavily rely on ample labeled data for model training, largely dependent on feature engineering or domain knowledge to build feature databases, making them vulnerable if correct labels are scarce. With the development of computer vision, vision-based malware detection technology has also rapidly evolved. In this paper, we propose a visual malware general enhancement classification framework, `PromptSAM+', based on a large visual network segmentation model, the Prompt Segment Anything Model(named PromptSAM+). Our experimental results indicate that 'PromptSAM+' is effective and efficient in malware detection and classification, achieving high accuracy and low rates of false positives and negatives. The proposed method outperforms the most advanced image-based malware detection technologies on several datasets. 'PromptSAM+' can mitigate aging in existing image-based malware classifiers, reducing the considerable manpower needed for labeling new malware samples through active learning. We conducted experiments on datasets for both Windows and Android platforms, achieving favorable outcomes. Additionally, our ablation experiments on several datasets demonstrate that our model identifies effective modules within the large visual network.