Towards Open-Set APT Malware Classification under Few-Shot Setting

IEEE CONFERENCE ON GLOBAL COMMUNICATIONS, GLOBECOM(2023)

Abstract
Advanced Persistent Threat (APT) malware group classification has attracted increasing attention recently. Previous methods have two drawbacks. First, most use conventional classifiers and ignore the bias caused by the small number of revealed malware samples. Second, they are conducted in a closed-set setting, without considering the constant stream of novel APT groups. In this paper, we propose a framework for open-set APT malware classification under a few-shot setting. First, the pre-trained encoder extracts the dynamic behavioral features of APT malware. Then the prototypes of known APT groups are calculated. Based on these prototypes, the classification probability of the test sample is calculated. Finally, we devise plug-and-play open-set loss and dynamic triplet threshold modules to construct clear boundaries around known categories and achieve open-set recognition. Experimental results on two datasets show that our approach achieves state-of-the-art performance, enabling the detection of known APT malware and the recognition of unknown malware with only a few known APT-labelled malware samples.
Keywords
APT Malware Classification, Few-shot Learning, Open-set Recognition, Security