Continual Malware Classification with GAN-Based Generative Replay
A machine learning approach that uses conditional GANs to combat catastrophic forgetting in malware classification, achieving 72% mean accuracy across 100 malware families.
Malware threats evolve continuously, requiring detection models to learn new malware families while retaining previously acquired knowledge. Traditional machine learning models suffer from catastrophic forgetting: they forget older malware patterns when trained with new data.
MalCL addresses this challenge using conditional GANs to generate synthetic samples of previously learned malware families. These generated samples are combined with new malware data to train a CNN classifier, improving malware classification while reducing the need to store large historical datasets.
11 sequential tasks with dynamic classifier head expansion
28.6% forgetting rate compared to 84.3% without replay
100 malware families with 1,000 samples per class
| Metric | Paper Method | Our cGAN | Improvement |
|---|---|---|---|
| Mean Accuracy | 41.2% | 72.0% | +30.8pp |
| Forgetting Rate | 67.1% | 28.6% | -38.5pp |
| Replay Strategy | Unconditional GAN + L1_C_Mean | Conditional GAN | Simplified |
Malware evolves continuously. When classifiers learn new malware families, they forget previously learned ones, a phenomenon called catastrophic forgetting. Replay-based methods generate synthetic samples of old classes to counteract this.
Threat actors continuously develop new malware variants. A classifier must learn these new families without losing access to a retraining corpus.
Training on new classes overwrites the model weights that encoded old class boundaries. This is catastrophic forgetting.
A GAN generates synthetic samples of old classes. These are replayed during new task training, preserving prior knowledge.
Without class conditioning, generated samples may belong to any class. Assigning incorrect labels actively harms classification.
⚠️ Accuracy collapses from 91% → 8% across 11 tasks
✓ Accuracy maintained at 70-90% across all tasks
The root cause of poor performance with unconditional GANs: unlabeled samples are assigned class labels post-hoc via centroid proximity. At 100 classes, centroids overlap significantly, causing mislabeled replay samples that actively teach wrong associations. Conditional GANs solve this by generating class-labeled samples at generation time.
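The labelling failure described above can be reproduced with a small simulation. This is an added example, not code from the project or the paper: Gaussian clusters around constructed class means stand in for generator output, nearest-class-mean in L1 distance stands in for the centroid-proximity labelling, and all function names and parameters are hypothetical.

```python
import random

def make_centroids(n_classes, dim, rng):
    # Constructed class means in a bounded feature space (features scaled to [0, 1]).
    return [[rng.random() for _ in range(dim)] for _ in range(n_classes)]

def sample_from_class(centroid, sigma, rng):
    # Stand-in for one generated feature vector of a known class (assumed Gaussian spread).
    return [c + rng.gauss(0.0, sigma) for c in centroid]

def nearest_centroid_l1(x, centroids):
    # Post-hoc labelling: pick the class whose mean is closest in L1 distance.
    best, best_d = -1, float("inf")
    for k, c in enumerate(centroids):
        d = sum(abs(a - b) for a, b in zip(x, c))
        if d < best_d:
            best, best_d = k, d
    return best

def replay_label_error(n_classes, conditional, dim=8, sigma=0.2, per_class=40, seed=7):
    """Fraction of replay samples that enter training with the wrong label."""
    rng = random.Random(seed)
    centroids = make_centroids(n_classes, dim, rng)
    wrong = total = 0
    for true_class, c in enumerate(centroids):
        for _ in range(per_class):
            x = sample_from_class(c, sigma, rng)
            # Conditional replay: the label is the class requested from the generator
            # (assumes the generator honours its conditioning input).
            # Unconditional replay: the label is inferred afterwards from centroid proximity.
            label = true_class if conditional else nearest_centroid_l1(x, centroids)
            wrong += label != true_class
            total += 1
    return wrong / total

if __name__ == "__main__":
    # More classes in the same feature space means closer centroids and more mislabels.
    for n in (10, 50, 100):
        print(n, "classes:",
              "post-hoc", round(replay_label_error(n, conditional=False), 3),
              "| conditional", replay_label_error(n, conditional=True))
```

The absolute error rates depend on the constructed `dim` and `sigma` values; the point is the trend as the class count grows, not the specific numbers.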
Generates synthetic malware feature vectors that resemble real samples from a given class.
3-layer MLP (256→512→256). BatchNorm + LeakyReLU. Class embedding concatenated to noise in cGAN variant.
All experiments evaluated on 100 malware classes across 11 sequential continual learning tasks.
🎯 Paper Target: 54.5%
✓ cGAN achieves 2.3× lower forgetting
| Attribute | Paper (AAAI 2025) | Our cGAN Method |
|---|---|---|
| Generator Input | Noise z only | Noise z + class c |
| Discriminator Input | Feature x only | Feature x + class c |
| Replay Strategy | Unconditional → filter | Class-conditioned |
| Filtering Requirement | L1_C_Mean required | None required |
| Class Ambiguity | High (100 classes) | None |
| Scalability | Degrades at scale | Scales well |
| Mean Accuracy | 41.2% (our repro) | 72.0% |
| Forgetting Rate | 67.1% | 28.6% |
Problem: Large discriminator exceeded 15GB VRAM on Colab T4
Solution: Reduced discriminator dimensions + gradient checkpointing
→ Enabled training on 100 classes

Problem: Full EMBER dataset made each task epoch take 45+ minutes
Solution: Stratified subsampling: 1,000 samples per class per task
→ Reduced per-task time from 45min to ~8min

Problem: Unconditional GAN generates unlabeled samples; L1_C_Mean fails at 100 classes
Solution: Designed conditional GAN with class embedding concatenation
→ Mean accuracy improved from 41.2% to 72.0%

Problem: Standard GAN loss caused mode collapse at >50 classes
Solution: Switched to WGAN-GP + spectral normalization
→ Consistent convergence across all 11 tasks
Major Project · Keshav Memorial Institute of Technology (KMIT) · 2025
Researcher
24BD1A056B
Researcher
24BD1A057J
Researcher
24BD1A057W
Researcher
24BD1A05K2
Researcher
24BD1A051T
Faculty Mentor
KMIT
8-phase SDLC from initial planning through final evaluation
Requirements gathering and project scope definition
System architecture and algorithm design
cGAN and classifier implementation
Paper reproduction and baseline evaluation
Identified class ambiguity issue
Conditional GAN design and implementation
Complete evaluation and results analysis
KMIT
Keshav Memorial Institute of Technology, Hyderabad
AAAI 2025
MalCL: Leveraging GAN-Based Generative Replay
cGAN Replay
Conditional GAN for improved continual learning