A new research framework applies a divide-and-conquer approach to malware detection — and it handles obfuscated samples better than single-model systems.
The paper, posted to arXiv, proposes a Mixture of Experts (MoE) architecture that runs three tasks at once: identifying whether a file is malware or benign, detecting whether it has been "packed" (a common obfuscation technique), and attributing it to a known malware family. The system works across two input types — structured feature sets from the EMBER dataset and raw byte arrays pulled directly from Windows executable files. Among three architectural variants tested, the Multi-Gate MoE model performed best, posting a combined detection rate of 0.9744 and a 2.56% failure rate, including against deliberately mutated samples designed to fool classifiers.
Packed malware has long been a weak spot for detection systems. A binary that conceals its true code at rest can slip past classifiers trained on static signatures, which is why real-world evasion so often starts there. A model that treats packing detection as a parallel, specialized task — rather than an afterthought — addresses that gap more directly than bolt-on heuristics.
The MoE approach is not new to AI broadly, but applying it to the layered problem of malware analysis is a reasonable extension of a pattern that has shown up in large language models and recommendation systems. Whether it holds up outside controlled benchmark conditions — against novel packers or adversarial actors who know the architecture — is the question any deployment team would need to answer before trusting it in production.