Memory-Based Malware Detection under Limited Data Conditions: A Comparative Evaluation of TabPFN and Ensemble Models
Valentin Leroy, Shuvalaxmi Dass, Sharif Ullah

TL;DR
This paper evaluates TabPFN, a learning-free model, for malware detection in low-data scenarios, comparing it to traditional ensemble methods, and finds it generally outperforms them with some computational trade-offs.
Contribution
It provides a comparative analysis of TabPFN against established models like Random Forest and XGBoost for malware detection under limited data conditions.
Findings
TabPFN outperforms baseline models by 2-6% in low-data regimes
Performance gains come with increased computation time in some cases
Results demonstrate potential of TabPFN for cybersecurity with data scarcity
Abstract
Artificial intelligence and machine learning have significantly advanced malware research by enabling automated threat detection and behavior analysis. However, the availability of exploitable data is limited, due to the absence of large datasets with real-world data. Despite the progress of AI in cybersecurity, malware analysis still suffers from this data scarcity, which limits model generalization. In order to tackle this difficulty, this work investigates TabPFN, a learning-free model designed for low-data regimes. We evaluate its performance against established baselines such as Random Forest, LightGBM and XGBoost, across multiple class configurations. Our experimental results indicate that TabPFN surpasses all other models in low-data regimes, with a 2% to 6% improvement observed across multiple performance metrics. However, this increase in performance has an impact on its…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Adversarial Robustness in Machine Learning
