Detecting and Explaining Malware Family Evolution Using Rule-Based Drift Analysis
Malware detection and classification into families are critical tasks in cybersecurity, complicated by the continual evolution of malware to evade detection. This evolution introduces concept drift, in which the statistical properties of malware features change over time, reducing the effectiveness of static machine learning models. Understanding and explaining this drift is essential for maintaining robust and trustworthy malware detectors. In this paper, we propose an interpretable approach to concept drift detection. Our method uses a rule-based classifier to generate human-readable descriptions of both original and evolved malware samples belonging to the same malware family. By comparing the resulting rule sets using a similarity function, we can detect and quantify concept drift. Crucially, this comparison also identifies the specific features and feature values that have changed, providing clear explanations of how malware has evolved to bypass detection. Experimental results demonstrate that the proposed method not only accurately detects drift but also provides actionable insights into the behavior of evolving malware families, supporting both detection and threat analysis.
💡 Research Summary
The paper addresses the pressing problem of concept drift in malware family detection, where continuous evolution of malicious code—through packing, obfuscation, API changes, and other tactics—causes the statistical properties of features to shift over time, degrading the performance of static machine‑learning detectors. To both detect this drift and provide clear, actionable explanations, the authors propose an interpretable, rule‑based framework.
The core of the approach is the use of the RIPPER algorithm (Repeated Incremental Pruning to Produce Error Reduction) to learn a compact set of human‑readable IF‑THEN rules for each malware family at a given point in time. A rule is a conjunction of conditions of the form “feature x operator ⊙ value h”, and the full model is a disjunction of such rules. Because the output is explicit logical statements, analysts can directly see which features (e.g., specific API calls, section sizes, byte‑value ranges) characterize a family.
To assess drift, the same rule learner is applied to a later dataset containing evolved variants of the same family. The resulting rule set is compared to the original rule set using a similarity function based on Jaccard‑like overlap of conditions. A low similarity score signals significant drift, while the specific mismatched conditions pinpoint exactly which features have changed. Thus, drift detection is coupled with an immediate, fine‑grained explanation of the evolution.
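The following is an added worked example, not code from the paper: it implements the rule-set comparison step just described for a defender who already has two RIPPER-style rule sets for one family (original and later variants). Rules are parsed from a constructed "feature operator value" text form, every condition across a rule set is collected, a Jaccard similarity over conditions is computed, and the mismatched conditions are turned into the feature-level explanation. The rule syntax, the feature names, the thresholds, and the 0.6 drift threshold are assumptions chosen for illustration, not values from the paper.

```python
import re
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# A condition is (feature, operator, value); a rule is a conjunction of conditions.
Condition = Tuple[str, str, object]
Rule = FrozenSet[Condition]

# Assumed textual rule syntax: "feat >= 1 AND other <= 5" (one rule per line).
_COND_RE = re.compile(r"^\s*(\S+)\s*(>=|<=|==|!=|>|<)\s*(\S+)\s*$")


def _parse_value(raw: str) -> object:
    """Numeric thresholds become floats; categorical values stay strings."""
    try:
        return float(raw)
    except ValueError:
        return raw


def parse_rule(text: str) -> Rule:
    """Parse one IF-THEN antecedent into an order-independent set of conditions."""
    conds = []
    for part in re.split(r"\s+AND\s+", text.strip(), flags=re.IGNORECASE):
        match = _COND_RE.match(part)
        if not match:
            raise ValueError(f"unparseable condition: {part!r}")
        feature, op, raw = match.groups()
        conds.append((feature, op, _parse_value(raw)))
    return frozenset(conds)


def parse_ruleset(lines: Iterable[str]) -> List[Rule]:
    return [parse_rule(line) for line in lines if line.strip()]


def all_conditions(rules: Iterable[Rule]) -> Set[Condition]:
    """Flatten a rule set into the set of distinct conditions it uses."""
    out: Set[Condition] = set()
    for rule in rules:
        out |= rule
    return out


def jaccard(a: Set[Condition], b: Set[Condition]) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def _key(c: Condition):
    return (c[0], c[1], str(c[2]))


def compare_rulesets(original: List[Rule], evolved: List[Rule],
                     threshold: float = 0.6) -> Dict:
    """Score drift between two rule sets and explain which conditions changed."""
    old_c, new_c = all_conditions(original), all_conditions(evolved)
    similarity = jaccard(old_c, new_c)
    dropped = sorted(old_c - new_c, key=_key)   # conditions no longer needed
    added = sorted(new_c - old_c, key=_key)     # conditions the variants introduced
    old_feats = {f for f, _, _ in old_c}
    new_feats = {f for f, _, _ in new_c}
    # Same feature on both sides of the diff means its bound moved, not the feature.
    shifted = sorted({f for f, _, _ in dropped} & {f for f, _, _ in added})
    return {
        "similarity": similarity,
        "drift": similarity < threshold,
        "dropped": dropped,
        "added": added,
        "shifted_thresholds": shifted,
        "new_features": sorted(new_feats - old_feats),
        "retired_features": sorted(old_feats - new_feats),
    }


def explain(report: Dict) -> List[str]:
    """Render the comparison as analyst-readable lines."""
    lines = [f"similarity={report['similarity']:.2f} drift={report['drift']}"]
    lines += [f"- dropped: {f} {op} {v}" for f, op, v in report["dropped"]]
    lines += [f"+ added:   {f} {op} {v}" for f, op, v in report["added"]]
    lines += [f"~ threshold moved on: {f}" for f in report["shifted_thresholds"]]
    lines += [f"* new feature in family signature: {f}" for f in report["new_features"]]
    return lines


# Constructed sample rule sets for one hypothetical family (not from the paper).
ORIGINAL_RULES = [
    "api_VirtualAlloc >= 1 AND section_count <= 5",
    "entropy_text >= 7.2",
]
EVOLVED_RULES = [
    "api_VirtualAlloc >= 1 AND section_count <= 9",
    "entropy_text >= 7.2 AND section_name_nonstandard >= 1",
]


def run_sample() -> Dict:
    return compare_rulesets(parse_ruleset(ORIGINAL_RULES), parse_ruleset(EVOLVED_RULES))


if __name__ == "__main__":
    print("\n".join(explain(run_sample())))
```

On the constructed sample the two rule sets share two of five distinct conditions, so the similarity is 0.40 and drift is flagged; the explanation separates a moved bound (`section_count` relaxed from 5 to 9, consistent with added sections) from a genuinely new signature feature (`section_name_nonstandard`). Conditions are compared exactly, so a threshold that moves by any amount counts as a mismatch; a tolerance-aware comparison would be a reasonable refinement.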
For generating realistic evolved samples, the authors employ MAB‑Malware, a reinforcement‑learning adversarial generator that treats binary modifications as independent arms of a multi‑armed bandit. It iteratively applies macro‑ and micro‑manipulations (e.g., adding benign sections, renaming sections, corrupting header checks) until the target classifier mislabels the sample as benign, then prunes unnecessary changes. This process yields variants that mimic real‑world attacker behavior while preserving the original family label, providing a robust testbed for drift analysis.
The experimental evaluation covers six well‑known malware families: Agensla, DCRat, Makoo, Mokes (Smoke Loader), Strab, and Taskun. For each family, the authors construct an original dataset and a set of MAB‑generated evolved samples. RIPPER models are trained on both sets, and the similarity‑based drift detector is applied. The framework achieves an average drift detection accuracy of 92.08 %, with particularly strong performance on families that exhibit substantial structural changes (e.g., DCRat and Mokes). The analysis also surfaces concrete feature changes such as new API usage patterns, added sections, or altered numeric thresholds, which are presented as human‑readable rule differences.
In the related‑work discussion, the paper contrasts its method with statistical drift detectors like Transcend and ADClust, which rely on black‑box models and cannot explain why drift occurs, and with ensemble‑based disagreement approaches that require continuous labeled streams. The rule‑based approach uniquely provides both quantitative drift measurement and qualitative insight, addressing the growing demand for explainability in security tools where analyst trust is paramount.
Limitations are acknowledged: RIPPER’s reliance on discretized features can lead to overly complex rule sets if the feature space is high‑dimensional; the similarity threshold must be carefully tuned to avoid missing subtle drifts; and the method has been evaluated only on static datasets rather than live data streams. The authors suggest future work on rule compression techniques (e.g., minimal covering sets), multi‑time‑point continuous comparison, and adaptive threshold learning for real‑time deployment.
Overall, the paper makes a compelling contribution by demonstrating that a simple, interpretable rule learner, when paired with a systematic rule‑set comparison, can effectively detect and explain malware family evolution. This bridges the gap between high detection accuracy and the need for transparent, actionable intelligence in modern cyber‑defense operations.