This work addresses the vulnerability of malware detection models to concept drift and their performance degradation under label scarcity and weak semantic structure. To overcome these challenges, the authors propose SEED, a method that eschews reliance on malware semantics by constructing a representation space via singular value decomposition. SEED integrates binary cross-entropy loss with semi-supervised continual learning and active learning, employing cosine distance to quantify prediction uncertainty for informative sample selection. A delayed buffer update strategy is further introduced to mitigate label noise propagation during replay. Evaluated with only 20% labeled data, SEED achieves average improvements of 40% and 14% in area under the time-aware ROC curve (AUT) on the BODMAS and AndroZoo datasets for unseen malware, respectively, while maintaining competitive performance on APIGraph.

Machine learning based malware detectors become obsolete over time due to concept drift in benign and malware applications. Recent methods rely on fully labeled data and use hierarchical contrastive loss (HCL) with active learning to improve robustness against drift by exploiting semantic structure in malware representations. However, obtaining labeled data in the security domain is difficult. Under partially labeled settings, HCL suffers significant performance degradation in detecting unseen malware, especially on datasets such as BODMAS where strong semantic structure may not exist. In this paper, we propose SEED, a semantic-structure-agnostic method for malware detection under limited supervision. SEED combines a tailored binary cross-entropy objective with semi-supervised continual learning and active learning. For partially labeled seen tasks, unlabeled samples are projected into a representation space constructed from previously seen data using singular value decomposition, and paired with suitable labeled samples to encourage representation consistency. For unseen tasks with fully unlabeled data, uncertainty is quantified using cosine distance in representation space, and the most uncertain samples are selected for analyst labeling. We evaluate SEED on both Windows and Android malware datasets. Using only 20% labeled data on seen tasks, SEED achieves average AUT improvements of 40% on BODMAS and 14% on AndroZoo for unseen malware detection compared to HCL* (the semi-supervised adaptation of HCL), while remaining competitive on APIGraph. Finally, we introduce a delayed buffer update strategy to reduce label noise propagation during replay and improve learning stability.