Small Effect Sizes in Malware Detection? Make Harder Train/Test Splits!

Thumbnail Image

Files

2312.15813.pdf (875.64 KB)

Links to Files

https://arxiv.org/abs/2312.15813

Permanent Link

https://doi.org/10.48550/arXiv.2312.15813
 http://hdl.handle.net/11603/31274

Collections

UMBC Computer Science and Electrical Engineering Department
UMBC Faculty Collection
UMBC Student Collection

Author/Creator

Author/Creator ORCID

https://orcid.org/0009-0003-3212-8156
 https://orcid.org/0000-0001-9494-7139
 https://orcid.org/0000-0003-1383-8120

Date

2023-12-25

Type of Work

conference papers and proceedings
preprints
Text

Department

Program

Citation of Original Publication

Rights

This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
CC BY 4.0 DEED Attribution 4.0 International

Subjects

Abstract

Industry practitioners care about small improvements in malware detection accuracy because their models are deployed to hundreds of millions of machines, meaning a 0.1\% change can cause an overwhelming number of false positives. However, academic research is often restrained to public datasets on the order of ten thousand samples and is too small to detect improvements that may be relevant to industry. Working within these constraints, we devise an approach to generate a benchmark of configurable difficulty from a pool of available samples. This is done by leveraging malware family information from tools like AVClass to construct training/test splits that have different generalization rates, as measured by a secondary model. Our experiments will demonstrate that using a less accurate secondary model with disparate features is effective at producing benchmarks for a more sophisticated target model that is under evaluation. We also ablate against alternative designs to show the need for our approach.