Regression-aware Continual Learning for Android Malware Detection
Daniele Ghiani, Daniele Angioni, Giorgio Piras, Angelo Sotgiu, Luca Minnei, Srishti Gupta, Maura Pintor, Fabio Roli, Battista Biggio

TL;DR
This paper introduces a regression-aware continual learning approach for Android malware detection, addressing security regressions that threaten detection reliability during model updates, and demonstrates its effectiveness across multiple datasets.
Contribution
It formalizes security regression in continual learning for malware detection and adapts Positive Congruent Training to mitigate regressions without sacrificing detection accuracy.
Findings
Reduces security regressions in malware detection models
Maintains high detection performance over time
Effective across multiple datasets and scenarios
Abstract
Malware evolves rapidly, forcing machine learning (ML)-based detectors to adapt continuously. With antivirus vendors processing hundreds of thousands of new samples daily, datasets can grow to billions of examples, making full retraining impractical. Continual learning (CL) has emerged as a scalable alternative, enabling incremental updates without full data access while mitigating catastrophic forgetting. In this work, we analyze a critical yet overlooked issue in this context: security regression. Unlike forgetting, which manifests as a general performance drop on previously seen data, security regression captures harmful prediction changes at the sample level, such as a malware sample that was once correctly detected but evades detection after a model update. Although often overlooked, regressions pose serious risks in security-critical applications, as the silent reintroduction of…
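The distinction the abstract draws between forgetting (an aggregate drop) and security regression (a per-sample flip from detected to missed) can be measured by comparing consecutive model versions on a fixed test set. The sketch below is an added example, not code from the paper or its authors. It assumes the regression rate is the fraction of malware samples the previous version detected and the new version misses; all sample IDs, labels and predictions are constructed.

```python
"""Added example: sample-level security regression vs. aggregate recall."""

def recall(preds, labels):
    """Fraction of malware (label 1) flagged as malware (pred 1)."""
    mal = [i for i, y in enumerate(labels) if y == 1]
    return sum(preds[i] == 1 for i in mal) / len(mal)

def security_regressions(old_preds, new_preds, labels, ids):
    """IDs of malware detected by the old model but missed by the new one."""
    return [s for s, y, o, n in zip(ids, labels, old_preds, new_preds)
            if y == 1 and o == 1 and n == 0]

def audit_updates(history, labels, ids):
    """Compare each model version with its predecessor on a fixed test set.
    history: list of (version_name, predictions) in release order."""
    n_mal = sum(labels)
    report = []
    for (_, old), (name, new) in zip(history, history[1:]):
        flips = security_regressions(old, new, labels, ids)
        report.append({
            "version": name,
            "recall_delta": round(recall(new, labels) - recall(old, labels), 3),
            "regressed": flips,
            # Assumed definition: share of all malware that flipped to "missed".
            "regression_rate": round(len(flips) / n_mal, 3),
        })
    return report

# Constructed data: 8 samples (6 malware, 2 goodware), three model versions.
IDS = ["m1", "m2", "m3", "m4", "m5", "m6", "g1", "g2"]
LABELS = [1, 1, 1, 1, 1, 1, 0, 0]
HISTORY = [
    ("v1", [1, 1, 1, 0, 0, 0, 0, 0]),  # detects m1, m2, m3
    ("v2", [1, 0, 1, 1, 1, 0, 0, 0]),  # recall improves, but m2 now evades
    ("v3", [0, 0, 1, 1, 1, 1, 0, 1]),  # recall unchanged, but m1 now evades
]

if __name__ == "__main__":
    for row in audit_updates(HISTORY, LABELS, IDS):
        print(row)
```

In the constructed data, v2 improves recall and v3 leaves it unchanged, yet each update silently drops one previously detected sample, which an aggregate metric alone would not reveal.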
Taxonomy
Topics: Advanced Malware Detection Techniques · IoT-based Smart Home Systems · Network Security and Intrusion Detection
