Detecting and Explaining Malware Family Evolution Using Rule-Based Drift Analysis

TL;DR

This paper introduces an interpretable, rule-based method for detecting and explaining malware family evolution over time, enhancing cybersecurity defenses by identifying feature changes that enable malware to evade detection.

Contribution

It presents a novel, human-readable approach to detect and explain concept drift in malware, improving understanding of malware evolution and aiding in adaptive detection strategies.

Findings

Accurately detects malware family drift

Provides clear explanations of feature changes

Supports threat analysis and adaptive detection

Abstract

Malware detection and classification into families are critical tasks in cybersecurity, complicated by the continual evolution of malware to evade detection. This evolution introduces concept drift, in which the statistical properties of malware features change over time, reducing the effectiveness of static machine learning models. Understanding and explaining this drift is essential for maintaining robust and trustworthy malware detectors. In this paper, we propose an interpretable approach to concept drift detection. Our method uses a rule-based classifier to generate human-readable descriptions of both original and evolved malware samples belonging to the same malware family. By comparing the resulting rule sets using a similarity function, we can detect and quantify concept drift. Crucially, this comparison also identifies the specific features and feature values that have changed, providing clear explanations of how malware has evolved to bypass detection. Experimental results demonstrate that the proposed method not only accurately detects drift but also provides actionable insights into the behavior of evolving malware families, supporting both detection and threat analysis.