Empirical Evaluation of Concept Drift in ML-Based Android Malware Detection
This work addresses the problem of model degradation due to evolving malware for cybersecurity practitioners, but it is incremental as it primarily confirms known challenges without novel solutions.
This study evaluated the impact of concept drift on Android malware detection models, finding that it is widespread and significantly degrades performance across various algorithms and feature types, with no strong link to algorithm type and limited mitigation from balancing or LLMs.
Despite outstanding reported results, machine learning-based Android malware detection models struggle with concept drift, where rapidly evolving malware characteristics degrade model effectiveness. This study examines the impact of concept drift on Android malware detection, evaluating two datasets and nine machine learning and deep learning algorithms, as well as Large Language Models (LLMs). Various feature types (static, dynamic, hybrid, semantic, and image-based) were considered. The results showed that concept drift is widespread and significantly affects model performance. Factors influencing the drift include feature types, data environments, and detection methods. Balancing algorithms helped with class imbalance but did not fully address concept drift, which primarily stems from the dynamic nature of the malware landscape. No strong link was found between the type of algorithm used and concept drift; the algorithm's impact was relatively minor compared with the other variables, since hyperparameters were not fine-tuned and the default algorithm configurations were used. While LLMs using few-shot learning demonstrated promising detection performance, they did not fully mitigate concept drift, highlighting the need for further investigation.
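The kind of time-aware evaluation that exposes the degradation described above, as an added illustration that is not code or data from the paper: a classifier is trained on samples from one era and then scored both on held-out samples from the same era and on samples from a later era whose malware has shifted its feature usage. The six binary features are hypothetical (read them as permission or API-usage flags extracted statically from an APK), every sample is constructed by hand, and the classifier is a minimal Bernoulli naive Bayes written out so that the example runs with the standard library only. The `feature_shift` function is a deliberately simple drift monitor, not a method from the paper.

```python
"""Time-aware evaluation that exposes concept drift in a malware classifier.

Added example, not code from the paper: the datasets below are constructed
by hand, the six binary features are hypothetical (think of them as
permission/API-usage flags extracted statically from an APK), and the
classifier is a minimal Bernoulli naive Bayes written out so the example
runs with the standard library only.
"""
import math

# Constructed data. Features 0-2 characterise "old-era" malware, features
# 3-5 characterise benign apps. Labels: 1 = malware, 0 = benign.
OLD_TRAIN = [
    ([1, 1, 1, 0, 0, 0], 1), ([1, 1, 0, 0, 0, 0], 1),
    ([1, 0, 1, 0, 0, 0], 1), ([0, 1, 1, 0, 0, 0], 1),
    ([0, 0, 0, 1, 1, 1], 0), ([0, 0, 0, 1, 1, 0], 0),
    ([0, 0, 0, 0, 1, 1], 0), ([0, 0, 0, 1, 0, 1], 0),
]
# Held-out samples from the same era (same feature distribution).
OLD_TEST = [
    ([1, 1, 1, 0, 0, 0], 1), ([1, 1, 0, 0, 1, 0], 1),
    ([1, 0, 1, 0, 0, 1], 1), ([0, 1, 1, 0, 0, 0], 1),
    ([0, 0, 0, 1, 1, 1], 0), ([0, 0, 1, 0, 1, 1], 0),
    ([0, 0, 0, 1, 1, 0], 0), ([1, 0, 0, 1, 0, 1], 0),
]
# Later-era samples: malware has drifted toward the features the model
# learned to associate with benign apps, while benign apps look the same.
NEW_TEST = [
    ([0, 0, 1, 1, 1, 0], 1), ([0, 1, 0, 1, 1, 1], 1),
    ([1, 0, 0, 0, 1, 1], 1), ([1, 1, 1, 1, 1, 0], 1),
    ([0, 0, 0, 1, 1, 1], 0), ([0, 0, 0, 1, 0, 1], 0),
    ([1, 0, 0, 1, 1, 0], 0), ([0, 0, 0, 0, 1, 1], 0),
]


def train_nb(data):
    """Bernoulli naive Bayes with Laplace smoothing.

    Returns, per class, the log-prior and the log-probabilities of each
    feature being 1 and being 0.
    """
    n_feat = len(data[0][0])
    model = {}
    for c in (0, 1):
        rows = [x for x, y in data if y == c]
        counts = [sum(x[i] for x in rows) for i in range(n_feat)]
        p1 = [(k + 1) / (len(rows) + 2) for k in counts]
        model[c] = (math.log(len(rows) / len(data)),
                    [math.log(p) for p in p1],
                    [math.log(1 - p) for p in p1])
    return model


def predict(model, x):
    """Return 1 (malware) only if its log-score strictly beats benign."""
    score = {}
    for c, (prior, log_p1, log_p0) in model.items():
        score[c] = prior + sum(log_p1[i] if v else log_p0[i]
                               for i, v in enumerate(x))
    return 1 if score[1] > score[0] else 0


def evaluate(model, data):
    """Precision, recall and F1 of the malware class on a labelled set."""
    tp = fp = fn = 0
    for x, y in data:
        p = predict(model, x)
        tp += p == 1 and y == 1
        fp += p == 1 and y == 0
        fn += p == 0 and y == 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "f1": f1}


def feature_shift(reference, current):
    """Mean absolute change in per-feature frequency between two sample sets.

    A cheap, label-free drift monitor: a rise in this value between the
    training data and a new batch is a cue to re-evaluate, relabel and retrain.
    """
    n_feat = len(reference[0][0])

    def freq(data):
        return [sum(x[i] for x, _ in data) / len(data) for i in range(n_feat)]

    ref, cur = freq(reference), freq(current)
    return sum(abs(a - b) for a, b in zip(ref, cur)) / n_feat


def run():
    """Train once on the old era, then compare same-era and later-era results."""
    model = train_nb(OLD_TRAIN)
    return {
        "same_era": evaluate(model, OLD_TEST),
        "later_era": evaluate(model, NEW_TEST),
        "shift_same_era": feature_shift(OLD_TRAIN, OLD_TEST),
        "shift_later_era": feature_shift(OLD_TRAIN, NEW_TEST),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(name, value)
```

On this constructed data the model scores a perfect F1 on the same-era hold-out but its recall collapses to 0.25 on the later era, while precision stays at 1.0: the drifted malware is silently classified as benign rather than raising false alarms, which is why a random (non-temporal) split overstates real-world performance. The feature-frequency shift roughly triples between the two evaluation sets, so even without fresh labels a monitor of this kind would have flagged the later batch as suspicious.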