Learning Temporal Invariance in Android Malware Detectors

TL;DR

This paper introduces TIF, a novel temporal invariant training framework that improves Android malware detectors' robustness over time by learning stable features across temporal distribution shifts, outperforming existing methods.

Contribution

The paper presents the first temporal invariant training framework for malware detection, addressing challenges of distribution drift without prior environment labels.

Findings

TIF significantly improves detection stability over a decade-long dataset.

TIF outperforms state-of-the-art methods, especially in early deployment stages.

The framework effectively learns stable representations across temporal environments.

Abstract

Learning-based Android malware detectors degrade over time due to natural distribution drift caused by malware variants and new families. This paper systematically investigates the challenges classifiers trained with empirical risk minimization (ERM) face against such distribution shifts and attributes their shortcomings to their inability to learn stable discriminative features. Invariant learning theory offers a promising solution by encouraging models to generate stable representations crossing environments that expose the instability of the training set. However, the lack of prior environment labels, the diversity of drift factors, and low-quality representations caused by diverse families make this task challenging. To address these issues, we propose TIF, the first temporal invariant training framework for malware detection, which aims to enhance the ability of detectors to learn stable representations across time. TIF organizes environments based on application observation dates to reveal temporal drift, integrating specialized multi-proxy contrastive learning and invariant gradient alignment to generate and align environments with high-quality, stable representations. TIF can be seamlessly integrated into any learning-based detector. Experiments on a decade-long dataset show that TIF excels, particularly in early deployment stages, addressing real-world needs and outperforming state-of-the-art methods.