The rapid evolution of malware families poses significant challenges for cybersecurity systems, particularly when newly emerging threats lack sufficient labeled data. Although image-based deep learning approaches have achieved strong performance under fully supervised conditions, their dependence on retraining limits adaptability in dynamic environments. To address this issue, we propose a Retrieval-Augmented Few-Shot Malware Detection Framework that integrates binary-to-image visualization, multimodal embedding using a frozen Vision–Language Model (Qwen2.5-VL), and similarity-based external memory retrieval. Malware binaries are converted into grayscale images and embedded into a semantic vector space without task-specific fine-tuning. During inference, query samples retrieve similar support embeddings from a vector database, and predictions are generated through similarity-weighted aggregation, enabling adaptation without parameter updates. Evaluated on the MalImg dataset with 25 malware families under 1-shot to 10-shot settings, the framework achieves 0.886 accuracy in the 10-shot configuration. Ablation results demonstrate that combining VLM embeddings with retrieval mechanisms provides consistent improvements over individual components. These findings highlight the effectiveness of decoupling representation learning from adaptation for scalable few-shot malware detection.
Jung et al. (Wed,) studied this question.