Low-Resource Malware Family Detection by Cross-Family Knowledge Transfer
Published: 2022-12-12
Issue: 24
Volume: 11
Page: 4148
ISSN: 2079-9292
Container-title: Electronics
Language: en
Short-container-title: Electronics
Author:
Lin Yan, Xu Guoai, Du Chunlai, Xu Guosheng, Liu Shucen
Abstract
Low-resource malware families are highly susceptible to being overlooked when machine learning or deep learning models are used for automated detection, because few data samples are available for them. When we aim to train a classifier for a low-resource malware family, the training data from the family itself is not sufficient to train a good classifier. In this work, we study the relationship between different malware families and improve the performance of machine-learning-based malware detection models in low-resource malware family detection. First, we propose an empirical supportive score to measure the transfer quality and find that transfer performance varies widely between different malware families. Second, we propose a Sequential Family Selection (SFS) algorithm to select multiple families as the training data. With SFS, we only transfer knowledge from several supportive families to target low-resource families. We conduct experiments on 16 families and 4 malware detection models; the results show that our model could outperform the best baselines by 2.29% on average and that our algorithm achieves an improvement in accuracy of up to 14.16%. Third, we study the transferred knowledge and find that, by proposing a supportive score, our algorithm could capture the common characteristics between different malware families and achieve good detection performance on the low-resource malware family. Our algorithm could also be applicable to image detection and signal detection.
Funder
National Natural Science Foundation of China; China Postdoctoral Science Foundation
Subject
Electrical and Electronic Engineering, Computer Networks and Communications, Hardware and Architecture, Signal Processing, Control and Systems Engineering