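Malware
Computer science
Artificial intelligence
Graph
Machine learning
Ground truth
Information retrieval
Theoretical computer science
Computer security
Authors
Chen Liu, Bo Li, Jun Zhao, Ziyang Zhen, Xudong Liu, Qunshi Zhang
Identifier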
DOI:10.1109/tdsc.2022.3216902
Abstract
Malware variant attacks have become serious threats in the Internet ecosystem. However, prior art on malware variant detection over-relies on supervised learning methods that identify malware variants using a large number of labeled samples, resulting in an inability to detect few-shot malware without sufficient samples and ground-truth labels. In this paper, we propose FewM-HGCL, a self-supervised Few-shot Malware variants detection framework based on Heterogeneous Graph Contrastive Learning, which models the execution behavior of each malware variant as a heterogeneous graph and performs graph instance-based discrimination. Particularly, FewM-HGCL first models the execution behavior of each malware variant with a fine-grained attribute heterogeneous graph, which effectively depicts the interactive relationships between malware objects (e.g., API, process, etc.). Then three types of heterogeneous graph data augmentations are proposed, i.e., API attribute masking, interaction enhancing, and meta-path sampling, to generate more robust positive and negative samples for each instance, incorporating semantic prior or structural prior, respectively. Afterward, FewM-HGCL utilizes heterogeneous graph contrastive learning to empower graph attention networks (GATs) to learn the graph-level representations for few-shot malware variants in a self-supervised manner. Experimental results show that the proposed FewM-HGCL on diverse datasets can achieve 70.47% $\sim$ 98.65% accuracy, which are 0.45% $\sim$ 8.46% improvements over previous state-of-the-art methods on the few-shot malware variants detection tasks.