FARM: Few-shot Adaptive Malware Family Classification under Concept Drift
Numan Halit Guldemir, Oluwafemi Olukoya, Jesús Martínez-del-Rincón

TL;DR
FARM is a framework that enhances malware family classification by detecting concept drift and rapidly adapting to new malware with minimal labeled data, maintaining high accuracy in evolving threat landscapes.
Contribution
The paper introduces FARM, a novel unified framework that combines unsupervised drift detection and few-shot learning for adaptive malware classification under concept drift.
Findings
Improves classification accuracy under covariate drift by 5.6%.
Achieves an average F1 score of 0.85 on unseen malware families with few-shot adaptation.
Reaches an F1 score of 0.94 after retraining with accumulated drifted samples.
Abstract
Malware classification models often suffer performance degradation under concept drift due to evolving threat landscapes and the emergence of novel malware families. This paper presents FARM (Few-shot Adaptive Recognition of Malware), a unified framework for detecting and adapting to both covariate drift and label drift in Windows Portable Executable (PE) malware family classification. FARM uses a triplet autoencoder to project samples into a discriminative latent space, enabling unsupervised drift detection through DBSCAN clustering and dynamic thresholding. To enable rapid adaptation, the framework employs a few-shot strategy that can incorporate new classes from only a small number of labeled samples. FARM also supports full retraining when sufficient drifted samples accumulate, allowing longer-term model updating. Experiments on the BenchMFC dataset show that FARM improves…
Taxonomy
Topics: Advanced Malware Detection Techniques · Data Stream Mining Techniques · Anomaly Detection Techniques and Applications
