Detection of Data Scarce Malware Using One-Shot Learning With Relation Network

Malware has evolved to pose a major threat to information security. Efficient anti-malware software is essential in safeguarding confidential information from these threats. However, identifying malware continues to be a challenging task. Signature-based detection methods are quick but fail to detect unknown malware. Additionally, the traditional machine learning archetype requires a large amount of data to be effective, which hinders the ability of an anti-malware system to quickly learn about new threats with limited training samples. In a real-world setting, the majority of malware is found in the form of Portable Executable (PE) files. While there are various formats of PE files, samples of all formats such as ocx, acm, com, scr, etc., are not readily available in large numbers. Therefore, building a conventional Machine Learning (ML) model with greater generalization for data-scarce PE formats becomes a hefty task. Consequently, in such a scenario, Few-Shot learning (FSL) is helpful in detecting the presence of malware, even with a very small number of training samples. FSL techniques help to make predictions based on an insufficient number of samples. In this paper, we propose a novel architecture based on the Relation Network for FSL implementation. We propose a Discriminative Feature Embedder for feature extraction. These extracted features are passed to our proposed Relation Module (RM) for similarity measure. RM produces the relation scores that lead to improved classification. We use PE file formats, i.e., ocx, acm, com, and scr, after transforming them into images. We employ five-shot learning and then one-shot learning, which produces 94% accuracy with only one training instance. We observe that the proposed architecture outpaces the baseline method and provides enhanced accuracy by up to 94% with only one sample.