Retrofit: Continual Learning with Controlled Forgetting for Binary Security Detection and Analysis
Yiling He, Junchi Lei, Hongyu She, Shuo Shao, Xinran Zheng, Yiping Liu, Zhan Qin, Lorenzo Cavallaro

TL;DR
RETROFIT introduces a continual learning method for binary security analysis that controls forgetting without needing historical data, improving malware detection and binary summarization performance.
Contribution
It proposes a novel knowledge consolidation approach with controlled forgetting via parameter merging and confidence-guided arbitration, enhancing continual learning in security tasks.
Findings
Significantly improves malware detection retention scores from 20.2% to 38.6%.
Over 2x BLEU score improvement in binary summarization over transfer learning.
Outperforms all baselines in cross-representation generalization.
Abstract
Binary security has increasingly relied on deep learning to reason about malware behavior and program semantics. However, the performance often degrades as threat landscapes evolve and code representations shift. While continual learning (CL) offers a natural solution through sequential updates, most existing approaches rely on data replay or unconstrained updates, limiting their applicability and effectiveness in data-sensitive security environments. We propose RETROFIT, which regulates knowledge retention and adaptation with controlled forgetting at each update, without requiring historical data. Our key idea is to consolidate previously trained and newly fine-tuned models, serving as teachers of legacy and emergent knowledge, through retrospective-free parameter merging. Forgetting control is achieved by 1) constraining parameter changes to low-rank and sparse subspaces for…
