MADAR: Efficient Continual Learning for Malware Analysis with Distribution-Aware Replay
Mohammad Saidur Rahman, Scott Coull, Qi Yu, Matthew Wright

TL;DR
MADAR is a novel continual learning framework tailored for malware analysis that effectively handles the diverse and evolving nature of malware data, outperforming existing methods on large-scale datasets.
Contribution
This paper introduces MADAR, a distribution-aware replay method specifically designed for malware classification, addressing the limitations of prior CL techniques in this domain.
Findings
MADAR significantly outperforms prior continual learning methods on malware datasets.
Understanding malware data distribution is crucial for designing effective CL techniques.
MADAR demonstrates robustness across Windows and Android malware datasets.
Abstract
Millions of new pieces of malicious software (i.e., malware) are introduced each year. This poses significant challenges for antivirus vendors, who use machine learning to detect and analyze malware, and must keep up with changes in the distribution while retaining knowledge of older variants. Continual learning (CL) holds the potential to address this challenge by reducing the storage and computational costs of regularly retraining over all the collected data. Prior work, however, shows that CL techniques, which are designed primarily for computer vision tasks, fare poorly when applied to malware classification. To address these issues, we begin with an exploratory analysis of a typical malware dataset, which reveals that malware families are diverse and difficult to characterize, requiring a wide variety of samples to learn a robust representation. Based on these findings, we propose…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Influenza Virus Research Studies
