TL;DR
FreeMOCA introduces a memory-efficient continual learning method for malware analysis that maintains prior knowledge through adaptive parameter interpolation, outperforming existing methods on large-scale benchmarks.
Contribution
It proposes a novel warm-started interpolation approach in parameter space for continual malware detection, reducing forgetting without replay.
Findings
Outperforms 11 baselines on EMBER and AZ benchmarks.
Achieves up to 42% and 37% accuracy improvements on EMBER and AZ.
Significantly reduces catastrophic forgetting in malware classification.
Abstract
As over 200 million new malware samples are identified each year, antivirus systems must continuously adapt to the evolving threat landscape. However, retraining solely on new samples leads to catastrophic forgetting and exploitable blind spots, while retraining on the entire dataset incurs substantial computational cost. We propose FreeMOCA, a memory- and compute-efficient continual learning framework for malicious code analysis that preserves prior knowledge via adaptive layer-wise interpolation between consecutive task updates, leveraging the fact that warm-started task optima are connected by low-loss paths in parameter space. We evaluate FreeMOCA in both class-incremental (Class-IL) and domain-incremental (Domain-IL) settings on large-scale Windows (EMBER) and Android (AZ) malware benchmarks. FreeMOCA achieves substantial gains in Class-IL, outperforming 11 baselines on both…
