CITADEL: A Semi-Supervised Active Learning Framework for Malware Detection Under Continuous Distribution Drift
Md Ahsanul Haque, Md Mahmuduzzaman Kamol, Ismail Hossain, Suresh Kumar Amalapuram, Vladik Kreinovich, Mohammad Saidur Rahman
TL;DR
The paper addresses long-term concept drift in Android malware detection under limited labeling budgets. It presents CITADEL, a semi-supervised active learning framework that blends malware-specific augmentations (Bernoulli bit flip and Bernoulli feature mask) with a joint objective comprising supervised, unsupervised, and supervised-contrastive losses, guided by a multi-criteria sample selection strategy. Across APIGraph, Chen-AZ, MaMaDroid, and LAMDA, CITADEL yields notable F1 gains with only 40% labeled data and achieves substantial efficiency improvements (up to 24× faster training and 13× fewer operations) compared to prior methods. The work demonstrates robust drift adaptation and practical viability for scalable, up-to-date Android malware detection, while acknowledging potential vulnerabilities to adversarial labeling and evasion worthy of future research.
Abstract
Android malware evolves rapidly, leading to concept drift that degrades the performance of traditional machine learning (ML)-based detection systems. While recent approaches incorporate active learning and hierarchical contrastive loss to handle this drift, they remain fully supervised, computationally expensive, and perform poorly on real-world datasets with long temporal spans. In particular, our evaluation highlights these limitations, particularly on LAMDA, a 12-year longitudinal dataset exhibiting substantial distributional shifts. Moreover, manual expert labeling cannot scale with the daily emergence of over 450,000 new malware samples, leaving most samples unlabeled and underutilized. To address these challenges, we propose CITADEL, a robust semi-supervised active learning framework for Android malware detection. To bridge the gap between image-domain semi-supervised learning and binary feature representations of malware, we introduce malware-specific augmentations, Bernoulli bit flips and masking, that simulate realistic drift behaviors. CITADEL further integrates supervised contrastive loss to improve boundary sample discrimination and combines it with a multi-criteria active learning strategy based on prediction confidence, $L_p$-norm distance, and boundary uncertainty, enabling effective adaptation under limited labeling budgets. Extensive evaluation on four large-scale Android malware benchmarks -- APIGraph, Chen-AZ, MaMaDroid, and LAMDA demonstrates that CITADEL outperforms prior work, achieving F1 score of over 1%, 3%, 7%, and 14% respectively, using only 40% labeled samples. Furthermore, CITADEL shows significant efficiency over prior work incurring $24\times$ faster training and $13\times$ fewer operations.