Is It Overkill? Analyzing Feature-Space Concept Drift in Malware Detectors

Zhi Chen; Zhenning Zhang; Zeliang Kan; Limin Yang; Jacopo Cortellazzi; Feargus Pendlebury; Fabio Pierazzi; Lorenzo Cavallaro; Gang Wang

doi:10.1109/SPW59333.2023.00007

Is It Overkill? Analyzing Feature-Space Concept Drift in Malware Detectors

Zhi Chen, Zhenning Zhang, Zeliang Kan, Limin Yang, Jacopo Cortellazzi, Feargus Pendlebury, Fabio Pierazzi, Lorenzo Cavallaro, Gang Wang

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Concept drift is a major challenge faced by machine learning-based malware detectors when deployed in practice. While existing works have investigated methods to detect concept drift, it is not yet well understood regarding the main causes behind the drift. In this paper, we design experiments to empirically analyze the impact of feature-space drift (new features introduced by new samples) and compare it with data-space drift (data distribution shift over existing features). Surprisingly, we find that data-space drift is the dominating contributor to the model degradation over time while feature-space drift has little to no impact. This is consistently observed over both Android and PE malware detectors, with different feature types and feature engineering methods, across different settings. We further validate this observation with recent online learning based malware detectors that incrementally update the feature space. Our result indicates the possibility of handling concept drift without frequent feature updating, and we further discuss the open questions for future research.

Original language	English (US)
Title of host publication	Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	21-28
Number of pages	8
ISBN (Electronic)	9798350312362
DOIs	https://doi.org/10.1109/SPW59333.2023.00007
State	Published - 2023
Event	44th IEEE Symposium on Security and Privacy Workshops, SPW 2023 - San Francisco, United States Duration: May 22 2023 → May 25 2023

Publication series

Name	Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023

Conference

Conference	44th IEEE Symposium on Security and Privacy Workshops, SPW 2023
Country/Territory	United States
City	San Francisco
Period	5/22/23 → 5/25/23

Keywords

concept-drift
machine-learning
malware-classifier

ASJC Scopus subject areas

Artificial Intelligence
Computer Networks and Communications
Information Systems
Signal Processing
Safety, Risk, Reliability and Quality

Online availability

10.1109/SPW59333.2023.00007

Library availability

Discover UIUC Full Text

Cite this

Chen, Z., Zhang, Z., Kan, Z., Yang, L., Cortellazzi, J., Pendlebury, F., Pierazzi, F., Cavallaro, L., & Wang, G. (2023). Is It Overkill? Analyzing Feature-Space Concept Drift in Malware Detectors. In Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023 (pp. 21-28). (Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SPW59333.2023.00007

Is It Overkill? Analyzing Feature-Space Concept Drift in Malware Detectors. / Chen, Zhi; Zhang, Zhenning; Kan, Zeliang et al.
Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023. Institute of Electrical and Electronics Engineers Inc., 2023. p. 21-28 (Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Chen, Z, Zhang, Z, Kan, Z, Yang, L, Cortellazzi, J, Pendlebury, F, Pierazzi, F, Cavallaro, L & Wang, G 2023, Is It Overkill? Analyzing Feature-Space Concept Drift in Malware Detectors. in Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023. Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023, Institute of Electrical and Electronics Engineers Inc., pp. 21-28, 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023, San Francisco, United States, 5/22/23. https://doi.org/10.1109/SPW59333.2023.00007

Chen Z, Zhang Z, Kan Z, Yang L, Cortellazzi J, Pendlebury F et al. Is It Overkill? Analyzing Feature-Space Concept Drift in Malware Detectors. In Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023. Institute of Electrical and Electronics Engineers Inc. 2023. p. 21-28. (Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023). doi: 10.1109/SPW59333.2023.00007

@inproceedings{42c830af7dd64e6b86b5da5764986767,

title = "Is It Overkill? Analyzing Feature-Space Concept Drift in Malware Detectors",

abstract = "Concept drift is a major challenge faced by machine learning-based malware detectors when deployed in practice. While existing works have investigated methods to detect concept drift, it is not yet well understood regarding the main causes behind the drift. In this paper, we design experiments to empirically analyze the impact of feature-space drift (new features introduced by new samples) and compare it with data-space drift (data distribution shift over existing features). Surprisingly, we find that data-space drift is the dominating contributor to the model degradation over time while feature-space drift has little to no impact. This is consistently observed over both Android and PE malware detectors, with different feature types and feature engineering methods, across different settings. We further validate this observation with recent online learning based malware detectors that incrementally update the feature space. Our result indicates the possibility of handling concept drift without frequent feature updating, and we further discuss the open questions for future research.",

keywords = "concept-drift, machine-learning, malware-classifier",

author = "Zhi Chen and Zhenning Zhang and Zeliang Kan and Limin Yang and Jacopo Cortellazzi and Feargus Pendlebury and Fabio Pierazzi and Lorenzo Cavallaro and Gang Wang",

note = "On the flip side, what{\textquoteright}s the benefit of not updating features frequently? First, during model re-training, if a brand new feature set is used, it means the model will need to be either re-trained from scratch on the new feature space (costly) or use simpler linear models (less accurate) for incremental updating like DroidEvolver. In comparison, with a fixed feature set, there is more flexibility in model choices and incremental updating methods. Second, frequent feature updating may take on features that are only temporally useful (i.e., due to short-term drift), but hurt the models{\textquoteright} long-term performance (e.g., Fig. 2). We believe more work is needed to understand the impact of feature-space updating. Acknowledgment. This work was supported in part by NSF grants CNS-2055233 and CNS-1955719, C3.AI Research, IBM-Illinois Discovery Accelerator Institute, and a gift from AVAST.; 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023 ; Conference date: 22-05-2023 Through 25-05-2023",

year = "2023",

doi = "10.1109/SPW59333.2023.00007",

language = "English (US)",

series = "Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "21--28",

booktitle = "Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023",

address = "United States",

}

TY - GEN

T1 - Is It Overkill? Analyzing Feature-Space Concept Drift in Malware Detectors

AU - Chen, Zhi

AU - Zhang, Zhenning

AU - Kan, Zeliang

AU - Yang, Limin

AU - Cortellazzi, Jacopo

AU - Pendlebury, Feargus

AU - Pierazzi, Fabio

AU - Cavallaro, Lorenzo

AU - Wang, Gang

N1 - On the flip side, what’s the benefit of not updating features frequently? First, during model re-training, if a brand new feature set is used, it means the model will need to be either re-trained from scratch on the new feature space (costly) or use simpler linear models (less accurate) for incremental updating like DroidEvolver. In comparison, with a fixed feature set, there is more flexibility in model choices and incremental updating methods. Second, frequent feature updating may take on features that are only temporally useful (i.e., due to short-term drift), but hurt the models’ long-term performance (e.g., Fig. 2). We believe more work is needed to understand the impact of feature-space updating. Acknowledgment. This work was supported in part by NSF grants CNS-2055233 and CNS-1955719, C3.AI Research, IBM-Illinois Discovery Accelerator Institute, and a gift from AVAST.

PY - 2023

Y1 - 2023

N2 - Concept drift is a major challenge faced by machine learning-based malware detectors when deployed in practice. While existing works have investigated methods to detect concept drift, it is not yet well understood regarding the main causes behind the drift. In this paper, we design experiments to empirically analyze the impact of feature-space drift (new features introduced by new samples) and compare it with data-space drift (data distribution shift over existing features). Surprisingly, we find that data-space drift is the dominating contributor to the model degradation over time while feature-space drift has little to no impact. This is consistently observed over both Android and PE malware detectors, with different feature types and feature engineering methods, across different settings. We further validate this observation with recent online learning based malware detectors that incrementally update the feature space. Our result indicates the possibility of handling concept drift without frequent feature updating, and we further discuss the open questions for future research.

AB - Concept drift is a major challenge faced by machine learning-based malware detectors when deployed in practice. While existing works have investigated methods to detect concept drift, it is not yet well understood regarding the main causes behind the drift. In this paper, we design experiments to empirically analyze the impact of feature-space drift (new features introduced by new samples) and compare it with data-space drift (data distribution shift over existing features). Surprisingly, we find that data-space drift is the dominating contributor to the model degradation over time while feature-space drift has little to no impact. This is consistently observed over both Android and PE malware detectors, with different feature types and feature engineering methods, across different settings. We further validate this observation with recent online learning based malware detectors that incrementally update the feature space. Our result indicates the possibility of handling concept drift without frequent feature updating, and we further discuss the open questions for future research.

KW - concept-drift

KW - machine-learning

KW - malware-classifier

UR - http://www.scopus.com/inward/record.url?scp=85164894891&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85164894891&partnerID=8YFLogxK

U2 - 10.1109/SPW59333.2023.00007

DO - 10.1109/SPW59333.2023.00007

M3 - Conference contribution

AN - SCOPUS:85164894891

T3 - Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023

SP - 21

EP - 28

BT - Proceeding - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 44th IEEE Symposium on Security and Privacy Workshops, SPW 2023

Y2 - 22 May 2023 through 25 May 2023

ER -

Is It Overkill? Analyzing Feature-Space Concept Drift in Malware Detectors

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this