Detecting and Explaining Malware Family Evolution Using Rule-Based Drift Analysis
Olha Jurečková, Martin Jureček
TL;DR
The paper tackles concept drift in evolving malware by introducing an interpretable drift-detection framework that uses a rule-based classifier (RIPPER) to describe original and evolved samples and a rule-set distance to quantify drift. By generating adversarial variants via MAB-malware and comparing the resulting rule sets, the method provides both drift detection and explicit explanations of which features and values have changed. Experiments on six malware families with EMBER/LIEF features demonstrate robust drift detection (overall accuracy $92.08\%$) and yield actionable insights into evolution patterns. This approach enhances detection robustness and analyst trust by translating drift into human-readable rules and highlightable feature changes.
Abstract
Malware detection and classification into families are critical tasks in cybersecurity, complicated by the continual evolution of malware to evade detection. This evolution introduces concept drift, in which the statistical properties of malware features change over time, reducing the effectiveness of static machine learning models. Understanding and explaining this drift is essential for maintaining robust and trustworthy malware detectors. In this paper, we propose an interpretable approach to concept drift detection. Our method uses a rule-based classifier to generate human-readable descriptions of both original and evolved malware samples belonging to the same malware family. By comparing the resulting rule sets using a similarity function, we can detect and quantify concept drift. Crucially, this comparison also identifies the specific features and feature values that have changed, providing clear explanations of how malware has evolved to bypass detection. Experimental results demonstrate that the proposed method not only accurately detects drift but also provides actionable insights into the behavior of evolving malware families, supporting both detection and threat analysis.
