Malware Detection Using an Improved Active Learning Approach

2021 7th International Conference on Computer and Communications (ICCC) (2021)

Machine learning techniques have been widely applied to malware detection. Variants or zero-day malware might escape detection by passive learning models. Maintaining a passive learning model by manually updating its training data makes annotation time-consuming and laborious. To automate this maintenance and reduce the annotation required, this paper proposes an active learning approach for malware detection. As the core of active learning, a selector is designed to select incremental training samples from the open environment. It uses multiple criteria, including the age, uncertainty, informativity and diversity of Portable Executable (PE) files, to select critical samples. We also evaluated the full range of static features of PE files for malware detection and adopted 973-dimensional features according to their importance. Experimental results show that the proposed active learning approach requires far fewer annotated training samples than passive learning methods while achieving high accuracy and efficiency. Existing sampling strategies that use a single criterion were also compared experimentally and performed worse than this method.
malware detection, passive learning, active learning, sampling strategy, feature selection