Generally, multimodal feature fusion can benefit both unimodal tasks, e.g., image classification assisted by text^[40,41], and multimodal tasks such as visual question answering (VQA)^[42] and image caption generation^[43,44]. In early studies, Antol et al.^[42] utilized VGGNet^[45] and LSTM^[46] to extract visual and textual features respectively and fused them with simple mechanisms such as addition, concatenation, and multiplication. Stacked attention network (SAN)^[47] designed for VQA is to progressively search for related image regions using question semantic representations. Based on low-rank bilinear pooling, bilinear attention network (BAN)^[48] generates bilinear attention maps to fuse multimodal features. These two fusion methods are also employed in this work. Recently, Transformer^[49] based vision-and-language fusion becomes a popular paradigm. A typical process is to extract text features with BERT^[50] and fuse them with visual features via the self-attention mechanism. In this paper, we tailor Transformer-based architecture for fusing multimodal representations of malware.

We construct two datasets for few-shot malware classification: VirusShare-M and LargePE-M. Both contain Windows PE malware samples with associated grayscale images and API call sequences.

VirusShare-M: Malware samples are downloaded from VirusShare and labeled using AVClass based on VirusTotal reports. We select multiple families and split them into meta-training, meta-validation, and meta-test sets with disjoint family labels. Detailed family names are provided in the Supplementary Materials.

LargePE-M: Samples are collected from a large in-house repository of Windows PE malware. Families with sufficient samples that executed successfully (i.e., those that generated API sequences in the Cuckoo sandbox) are selected and split into disjoint training, validation, and test sets by family. Detailed family names are provided in the Supplementary Materials.

Data Leakage Prevention: To ensure valid few-shot evaluation, we take three precautions: (1) training, validation, and test sets contain completely disjoint malware families; (2) all preprocessing steps [term frequency-inverse document frequency (TF-IDF) calculation, word2vec training] are performed solely on the training set; (3) N-gram vocabulary and TF-IDF weights are derived exclusively from training samples. These measures prevent information leakage and ensure that evaluation reflects generalization to unseen families.

Detailed family names and class distributions for both datasets are provided in the Supplementary Tables 1 and 2.

Static grayscale image features of malware have been extensively utilized in related research on malware detection and classification^[2,51,52]. We follow the approach proposed by Nataraj et al., wherein each byte (8 bits) of malware binary code is transformed into an integer within the range of 0-255^[51]. Subsequently, the width of the image is determined based on the size of the malware sample (as outlined in Table 1). To minimize information loss, we add zeros to the last row of pixels when the required length is not achieved. Finally, the images are resized to a standardized dimension of 256 × 256 pixels, and the pixel values are normalized to obtain the final grayscale images (as depicted in Figure 1 left).

To capture the behavioral characteristics of malicious software, we extract API invocation sequences from malware samples using a feature extraction process similar to the one described by Wang et al.^[6]. Specifically, we executed malware samples within a virtual environment using the Cuckoo sandbox (https://cuckoosandbox.org/). This execution generated a detailed report, which includes the API invocation sequences, as illustrated in Figure 1 (right). Within these Cuckoo-generated reports, we selectively retain only the API names (e.g. “LdrLoadDll”, “LdrGetProcedureAddress”, “LdrGetDllHandle”), while disregarding both the parameters and returned values associated with each API invocation. Given that malware may initiate multiple processes concurrently, we concatenate APIs invoked by different processes to linearize the API sequence. Malware samples with sequence lengths less than 10 are excluded, which often indicates that the malware failed to run properly within the virtual environment.

Following the acquisition of malware API invocation sequences, refinement is necessary to eliminate redundant features resulting from repeated executions, such as file loading or execution loops. Consistent with the preprocessing methodology outlined in Wang et al., we omit redundant API subsequences wherein the same API appears more than twice consecutively^[6].

For tokenizing API sequences tailored for extracting textual features, we adopt an N-gram approach, which employs a sliding window operation of size N on the API sequence. Specifically, we divide the API sequence of length a into (a - N + 1) N-gram items, treating the resultant N-gram items as new sequence features. This expansion increases the scale of the sequence’s word dictionary from α to α^N if there are α unique APIs in the original sequences. Subsequently, we compute the importance of each N-gram using the TF-IDF method [Equation (1)].

(1) $$ TF-IDF(\alpha_i)=TF(\alpha_i)\cdot IDF(\alpha_i)=\frac{n_i}{\sum_jn_j}\cdot\log\left(\frac{n}{f(\alpha_i)+1}\right) $$

Here, α_i represents the i-th N-gram item, n_i denotes the frequency of occurrence of the i-th N-gram, and f(α_i) signifies the count of malware samples containing the i-th N-gram item. Following the computation of the importance of each N-gram item, we filter out the top-k N-grams based on their weights. Subsequently, for each sample’s N-gram sequence, we truncate the first l N-gram items to extract the sample’s features. Finally, we employ the widely used word2vec technique from the field of natural language processing (NLP) to embed these N-gram items. Specifically, we utilize a skip-gram model for pretraining, and the parameters of the word2vec model, along with the hyperparameters of the aforementioned feature extraction process, are detailed in Table 2.

While our datasets are specifically designed for few-shot evaluation - where each class contains a limited number of samples - we acknowledge that real-world malware ecosystems are more complex. In practice, malware families exhibit long-tailed distributions, temporal evolution, and concept drift. Our current datasets, derived from curated families with balanced samples, do not fully capture these dynamics. However, they provide a controlled benchmark for evaluating few-shot learning algorithms under class-disjoint settings.

The goal of few-shot learning is to make accurate predictions when provided with only a limited amount of labeled data. This is particularly suitable for the classification of malware, as in most cases, it is difficult to obtain a large number of malware samples. To achieve this, we adopt the widely used meta-learning paradigm^[53,54]. Given a malware dataset $$ \mathcal{D} $$, we split it into three parts meta-training $$ \mathcal{D} $$^train, meta-validation $$ \mathcal{D} $$^val, and meta-test $$ \mathcal{D} $$^test with disjoint classes. The task in each part comprises a support set S and a query set Q that share the same label space.

The objective of meta-learning is to correctly classify samples in query set Q based on labeled samples in support set S into N classes. When support set S has N families in total and each family possesses K samples, this few-shot classification task is called N-way K-shot task. Generally, we employ meta-training $$ \mathcal{D} $$^train to train the model and meta-validation $$ \mathcal{D} $$^val to fine-tune hyperparameters and assess the model’s generalization performance, and test the model’s performance on unseen classes/families through meta-test $$ \mathcal{D} $$^test.

The schematic representation of our proposed framework is depicted in Figure 2. When an image-API pair (x_I, x_A) is derived from a malware file using the methodologies outlined in Section 3, it is processed by dual encoders for feature extraction. Specifically, we propose employing a visual encoder f_I(·) to extract features from the image x_I, and a textual encoder f_A(·) for the API sequence x_A. Subsequently, a multimodal feature fusion module is employed to integrate the feature information extracted from the grayscale image and API invocation sequence. For feature fusion, we segment the normalized features, apply a GNN to integrate them, and finally employ a prototypical network^[8] for classification.

Support and Query Set Processing: For each task, support set samples S are encoded (E_I^S, E_A^S), normalized using support set statistics, segmented, and fused via GNN to produce V^S, which are aggregated into prototypes p_k. Query set samples Q undergo the same encoding, normalization (using same statistics), and fusion to produce V^Q, which are compared with prototypes via Euclidean distance: $$ \hat{y} $$ = argmin_k ||V^Q - p_k||₂.

To address the limited data in few-shot scenarios, we design two lightweight feature extractors for two modalities, with the expectation of reducing overfitting.

The preceding section describes the extraction methods for grayscale image features and API call sequence characteristics of malicious software. This section delineates the design of our devised lightweight feature fusion module based on GNNs. First, we normalize the pooled features independently and then segment them into discrete chunks, each representing a node in a graph. We then establish edges between nodes and perform message passing across the graph to achieve feature fusion. Finally, we employ a prototype network to calculate the distances within the fused feature space between samples and prototypes, thereby enabling classification. The pseudo code for training our proposed GNN-based feature fusion module over a single epoch is presented in Algorithm 1.

Complexity Analysis: The computational complexity of Algorithm 1 is dominated by the feature extraction and GNN fusion steps. For a batch with N support samples and M query samples, the image encoder f_I has complexity O((N + M)·C_I) where C_I is the CNN4 complexity (O(H·W·D)). The API encoder f_A has complexity O((N + M)·L·D·H) where L is sequence length and H is number of attention heads. The GNN fusion module operates on 2N segments (where N is the number of segments per modality) with complexity O(N²·D) for attention computation and O(N·D²) for message passing. Overall, the per-epoch complexity is O((N + M)·(C_I + L·D·H) + N²·D + N·D²), which scales linearly with batch size and quadratically with the number of segments. In practice, with N = 4 segments and D = 512, the fusion overhead is negligible compared to feature extraction.

We then use the fused multimodal features for few-shot malware classification. We have opted to utilize foundational and typical prototypical networks^[8]. As shown in Figure 2, after obtaining the fused feature V′, we generate the prototype for each class as:

(11) $$ p_k=\frac{1}{|S_k|}\sum_{V^S_i\in S_k}V^S_i $$

Here, S_k denotes the set of samples belonging to class k, and V_i^S represents the features of the i-th sample within the support set.

Subsequently, we compute the probability corresponding to each class for a given query vector V_i^Q as follows:

(12) $$ \mathrm{prob}(y=k|V_i^Q)=\frac{\exp(-d(V_i^Q,p_k))}{\sum_{k^{'}}\exp(-d(V_i^Q,p_{k^{'}}))} $$

where d is the distance function, for which we have selected the Euclidean distance. The class receiving the highest probability will be designated as the final malware classification category.

The training model’s loss function is composed of three parts: besides the cross-entropy loss of the predicted probabilities in the prototypical network using multimodal features L_M, it also includes the losses L_I and L_A for the predicted probabilities in the prototypical network using unimodal features, respectively (as shown in Figure 2). The composite loss function is expressed as:

(13) $$ L = \lambda_0 L_M + \lambda_1 L_I + \lambda_2 L_A $$

The calculations for L_M, L_I and L_A are analogous; here, L_M is provided as an example:

(14) $$ L_M = -\sum_{k=1}^Cy_k\log(\mathrm{prob}(y=k|V^Q)) $$

The baseline models for the comparison of our methods are shown below, including methods that only use API sequences and images as well as simple multimodal feature fusion methods.

• ProtoNet^[8] is a classic few-shot learning method that learns a prototype representation for each class. Applicable to both API and image modalities.

• HybridAttentionNet^[56] uses instance-level and feature attention modules to better weight query-related samples and feature dimensions. Applicable to both modalities.

• API Frequency Histogram^[57] counts API invocation frequencies as feature vectors for malware samples.

• Pixel k-NN classifies malware based on image pixels using the k-nearest neighbors algorithm.

• Early fusion concatenates features from different modalities before feeding into prototypical network.

• Late fusion averages the final logits from all modalities.

• Butterfly Vision Transformer (BViT)^[58]: A ViT architecture for visualization-based malware classification that captures both local and global spatial representations via butterfly construction enabling parallel patch processing. We evaluate BViT/B16 (174.2 M params) and BViT/L16 (425.6 M params).

• DREAM^[38]: A concept drift detection system that embeds malware behavioral concepts in a contrastive autoencoder latent space, enabling model-sensitive drift detection without training data access during testing. We adapted DREAM to work with our grayscale images.

• MalFSCIL^[39]: A few-shot class-incremental learning framework using VAE for feature enhancement and graph attention networks for dynamic prototype-based boundary delineation to address catastrophic forgetting. It converts binaries to grayscale images using a ResNet18 backbone.

Following the paradigm in most few-shot experiments, we set N = [5, 10] and K = [5, 10] (notations in Section 4.1) resulting in 4 combinations for the VirusShare-M dataset, and N = [5, 10] and K = 5 for LargePE-M due to the limited number of samples. We use Adam optimizer with a learning rate of 5e^-5 for multimodal and API sequences only models and 1e^-4 for images only models, weight decay is set to 1e^-4. All the networks are trained for 5 × 10⁴ epochs and are saved when achieving the lowest loss on the meta-validation set for testing. All methods are implemented in PyTorch^[59] and we use a machine with an Intel(R) Core(TM) i9-10900X CPU with four NVIDIA GeForce RTX 2080Ti GPUs for all the experiments.

We present the main results of our method and baselines in Table 3. We train the models with three different random seeds (0, 1, and 2) and report the average as the overall performance.

We find that simple few-shot learning frameworks such as the prototypical network (ProtoNet) can provide consistent performance across different modalities, proving the effectiveness of ProtoNet as the backbone.

For unimodal models, we find that API sequences can provide more effective features compared with malware grayscale images. For example, ProtoNet applied to images can only achieve 83.27% accuracy in the 5-way 5-shot setting on VirusShare-M dataset while the same model based on API sequences can reach 85.32%. Recently proposed vision transformer-based methods, such as BViT/B16 and BViT/L16, significantly improve image-based performance, achieving 88.47% and 89.82% respectively on the same task. This confirms the advantage of transformer architectures in capturing spatial representations of malware images.

More recent advances in malware concept drift detection and few-shot class-incremental learning have demonstrated even stronger performance. DREAM^[38], a concept-based drift detection system for Android malware, achieves 90.15% accuracy when adapted to our image-based few-shot setting. Its model-sensitive concept learning approach enables more effective detection of new malware families. MalFSCIL^[39], a few-shot class-incremental learning framework specifically designed for malware detection, further improves image-based performance to 90.58% on VirusShare-M 5-way 5-shot. This method’s decoupled training strategy and VAE-based feature enhancement effectively mitigate catastrophic forgetting, making it particularly suitable for incremental learning scenarios.

It should be noted that our evaluation is conducted under a class-disjoint meta-learning protocol, where the training, validation, and test sets contain disjoint malware families. This setup simulates the scenario where new families emerge, and the model must generalize to them with limited support samples. However, this evaluation does not fully capture real-world zero-day scenarios, which may involve significant distribution shifts, concept drift, or entirely novel attack behaviors that differ substantially from training data. Therefore, while our results demonstrate strong performance in few-shot settings, further evaluation under more challenging conditions - such as open-set recognition, domain adaptation, or temporal drift - would be valuable future work.

For multimodal baselines, we observe that even the simplest methods of multimodal integration - early fusion via concatenation and late fusion at the decision-making stage - significantly outperform models that utilize unimodal information alone. This observation substantiates the effectiveness of leveraging multimodal information for few-shot malware classification tasks. When combining BViT/L16 with API features via late fusion, accuracy further improves to 94.68%, demonstrating that even strong unimodal encoders benefit from multimodal integration. DREAM and MalFSCIL, when combined with API features via late fusion, achieve 94.92% and 95.23% accuracy respectively, approaching the performance of our proposed GNN fusion method.

Our proposed GNN fusion module achieves superior performance compared to methods that rely on simple feature fusion. Our method reaches 95.73% accuracy on VirusShare-M 5-way 5-shot, outperforming both BViT-based fusion approaches (94.68%) and the more recent DREAM (94.92%) and MalFSCIL (95.23%) fusion variants. This suggests that while advanced single-modality methods like DREAM and MalFSCIL continue to push the boundaries of image-based malware classification, our GNN fusion module’s ability to model fine-grained cross-modal correlations at the segment level provides advantages over simple late fusion, even when using state-of-the-art image encoders. Notably, MalFSCIL’s VAE-based feature enhancement and DREAM’s concept reliability detection offer complementary strengths that could potentially be integrated with our fusion approach in future work. The subsequent section on ablation studies and analysis will discuss how the GNN fusion module operates and provide a comparative evaluation of the training costs associated with various fusion methodologies.

To understand how our GNN fusion module leverages cross-modal correlations, we analyze the attention weights learned during message passing for representative malware samples.

Case Study: Zbot Family. For a Zbot (Zeus) malware sample, the API sequence contains N-gram segments related to registry operations (e.g., “RegOpenKeyEx”-“RegSetValueEx”) and file writes (e.g., “CreateFile”-“WriteFile”). The GNN assigns high attention weights between these API segments and specific image patches from the binary’s code and data sections, where corresponding registry key strings and configuration data are stored. This alignment indicates that the GNN learns to associate behavioral patterns (API calls) with structural evidence (binary content) serving the same malicious purpose.

Quantitative Analysis. Across all correctly classified samples in the VirusShare-M test set, registry-related API segments show an average attention weight of 0.342 to code section image patches, compared to 0.156 to other sections (119% higher). For correctly classified samples of the visually similar Swizzor.gen!E and Swizzor.gen!I families, the top-3 attention weights account for 67.3% of total attention, whereas for misclassified samples they account for only 41.8%. Additionally, attention patterns remain stable across different few-shot tasks, with a standard deviation of only 0.042, indicating transferable cross-modal relationships rather than sample-specific overfitting.

Contrast with Unimodal Models. An API-only model detects registry manipulation but lacks structural context; an image-only model sees suspicious strings but cannot verify their runtime usage. The GNN fusion bridges this gap by explicitly modeling cross-modal relationships, enabling more robust classification.

Differentiating Similar Families. For visually similar families like Swizzor.gen!E and Swizzor.gen!I, correctly classified samples show GNN attention focused on discriminative segment pairs (e.g., unique network API patterns aligned with corresponding API hashes in the binary), while misclassified samples exhibit diffuse attention across many segments.

Implications for Few-Shot Learning. The GNN’s ability to capture consistent cross-modal correlations provides additional supervisory signal beyond limited labeled examples, improving generalization in few-shot scenarios.

In summary, the GNN fusion module enhances interpretability by revealing how behavioral and structural evidence complement each other, supporting both model understanding and analyst trust.