Abstract
Zero-day malware still slips past the best detection systems because most models need thousands of labeled examples before they learn anything useful. That dependency is exactly the weak point: by the time enough samples accumulate, the damage is already spreading. Traditional few-shot approaches promise quicker adaptation, yet they often flatten rich forensic evidence into feature vectors and end up overfitting to byte-level quirks rather than behavioral signals. This work takes a different path: it develops a systematic pipeline that treats malware traces as structured evidence and feeds them through five meta-learning extensions designed to survive the scarcity of zero-day samples. We begin with EpiForge, which fabricates realistic few-shot episodes from evidence graphs and injects controlled novelties without breaking causal consistency, so that the training tasks resemble the strangeness of true zero-day samples. These episodes drive BayesMAML-E, a hierarchical Bayesian meta-learner that encodes evidence-type priors and produces task-conditioned initializations together with calibrated uncertainty estimates. Its output then flows into CoShaRE, which sparsifies decisions by learning counterfactual Shapley-regularized masks that retain only causally sufficient evidence, and which generates counter-examples that test decision stability. OptiQuill then decides how to spend scarce resources, balancing sandbox runs against labeling effort with a budget-aware Lagrangian bandit that targets the largest downstream meta-learning gain. Finally, CausalFADE distills the learned behavior into compact automata and executable rules, turning black-box predictions into forensic signatures that analysts can audit and reuse. Across all five stages the impact is measurable: 5-shot accuracy improves by more than 10 percentage points over standard MAML, calibration error (ECE) falls to near 2%, and label and compute budgets are cut substantially.
The result is not just faster adaptation but also auditable, causally grounded signatures that close the loop between evidence collection, learning, and deployment. This work offers a path toward zero-day detection that is both technically feasible and operationally sustainable.
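The abstract reports calibration as an expected calibration error (ECE) of near 2%. The following is an added example, not code from the paper or its authors, showing what that figure is measured against: predictions on a few-shot query set are binned by confidence, per-bin accuracy is compared with per-bin mean confidence, and the gaps are weighted by bin population. The 5-way query probabilities, labels, function names and the five-bin setting are all constructed for illustration and are not the paper's evaluation data.

```python
"""Expected calibration error (ECE) over few-shot query predictions.

Added example (not the paper's code). Inputs below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Bin:
    lower: float
    upper: float
    count: int
    mean_confidence: float
    accuracy: float

    @property
    def gap(self) -> float:
        # Miscalibration inside this bin: |accuracy - confidence|.
        return abs(self.accuracy - self.mean_confidence)


def _bin_index(confidence: float, n_bins: int) -> int:
    # Equal-width bins over [0, 1]; a confidence of exactly 1.0 lands in the top bin.
    if not 0.0 <= confidence <= 1.0:
        raise ValueError(f"confidence {confidence} outside [0, 1]")
    return min(int(confidence * n_bins), n_bins - 1)


def reliability_table(confidences: Sequence[float], correct: Sequence[bool],
                      n_bins: int = 10) -> list[Bin]:
    """Per-bin count, mean confidence and accuracy; empty bins are omitted."""
    if len(confidences) != len(correct):
        raise ValueError("confidences and correct must have the same length")
    if n_bins < 1:
        raise ValueError("n_bins must be >= 1")
    sums = [0.0] * n_bins
    hits = [0] * n_bins
    counts = [0] * n_bins
    for c, ok in zip(confidences, correct):
        i = _bin_index(c, n_bins)
        sums[i] += c
        hits[i] += int(ok)
        counts[i] += 1
    width = 1.0 / n_bins
    table: list[Bin] = []
    for i in range(n_bins):
        if counts[i] == 0:
            continue  # an empty bin contributes nothing to ECE
        table.append(Bin(i * width, (i + 1) * width, counts[i],
                         sums[i] / counts[i], hits[i] / counts[i]))
    return table


def expected_calibration_error(confidences: Sequence[float], correct: Sequence[bool],
                               n_bins: int = 10) -> float:
    """ECE = sum over bins of (bin population / n) * |accuracy - confidence|."""
    n = len(confidences)
    if n == 0:
        raise ValueError("no predictions to calibrate")
    return sum(b.count / n * b.gap for b in reliability_table(confidences, correct, n_bins))


def from_probabilities(probs: Sequence[Sequence[float]], labels: Sequence[int]):
    """Softmax rows -> (confidence, correct): confidence is the top-class
    probability, correct is whether that class equals the label."""
    confidences, correct = [], []
    for row, y in zip(probs, labels):
        top = max(range(len(row)), key=row.__getitem__)
        confidences.append(row[top])
        correct.append(top == y)
    return confidences, correct


def calibration_report(probs, labels, n_bins: int = 10) -> dict:
    confidences, correct = from_probabilities(probs, labels)
    return {
        "n": len(correct),
        "accuracy": sum(correct) / len(correct),
        "ece": expected_calibration_error(confidences, correct, n_bins),
        "bins": reliability_table(confidences, correct, n_bins),
    }


# Constructed 5-way query set: four predictions at 0.7 confidence (3 correct)
# and six at 0.9 confidence (5 correct). Hypothetical data, not the paper's.
_ROW_A = [0.7, 0.1, 0.1, 0.05, 0.05]   # argmax = class 0
_ROW_B = [0.05, 0.02, 0.9, 0.02, 0.01]  # argmax = class 2
QUERY_PROBS = [_ROW_A] * 4 + [_ROW_B] * 6
QUERY_LABELS = [0, 0, 0, 1, 2, 2, 2, 2, 2, 4]

if __name__ == "__main__":
    report = calibration_report(QUERY_PROBS, QUERY_LABELS, n_bins=5)
    print(f"n={report['n']} accuracy={report['accuracy']:.3f} ECE={report['ece']:.4f}")
    for b in report["bins"]:
        print(f"  [{b.lower:.1f}, {b.upper:.1f}) count={b.count} "
              f"conf={b.mean_confidence:.3f} acc={b.accuracy:.3f} gap={b.gap:.3f}")
```

With five bins the constructed set gives an ECE of 0.06 (6%): the 0.7-confidence bin is under-confident by 0.05 and the 0.9-confidence bin is over-confident by about 0.067, weighted 4/10 and 6/10. A reported value of near 2% therefore means the weighted gaps across all populated bins sum to roughly 0.02; note that ECE depends on the bin count, so a comparison across models is only meaningful at a fixed `n_bins`.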
Abbreviations
- AI: Artificial intelligence
- APT: Advanced persistent threat
- API: Application programming interface
- AHEDNet: Adaptive hybrid exploit detection network
- AWPA: Adaptive WavePCA-autoencoder
- CNN: Convolutional neural network
- CoShaRE: Counterfactual Shapley-regularized evidence selector
- DNN: Deep neural network
- DSL: Domain specific language
- DEFENDIFY: Defense amplified with transfer learning for obfuscated malware
- ECE: Expected calibration error
- EMBER: Endgame malware benchmark for research
- EML-AMD: Explainable machine learning for adaptive android malware detection
- EpiForge: Evidence-graph episodic forger with novelty injection
- FPR: False positive rate
- FEdroid: Federated android malware detection
- GAN: Generative adversarial network
- GIN: Graph isomorphism network
- GNN: Graph neural network
- GRU: Gated recurrent unit
- IoT: Internet of things
- MADESANT: Malware detection and severity analysis in industrial environments
- MAML: Model-agnostic meta-learning
- BayesMAML-E: Hierarchical Bayesian MAML with evidence-type priors
- ML: Machine learning
- NLP: Natural language processing
- PE: Portable executable
- PRAU-GIN: GIN-based malware classifier with traffic refinement and node augmentation
- RNN: Recurrent neural network
- SDN: Software-defined networking
- SVM: Support vector machine
- ViT: Vision transformer
- ViTGuard: Vision transformer and genetic algorithm optimized detection
- VAE: Variational autoencoder
- ZeSAI: Zero-shot AI vigilant malware detection
- AUROC: Area under receiver operating characteristic curve
- OptiQuill: Budget-aware active quarantine with evidence-utility Lagrangian
- CausalFADE: Causal forensic automata with differentiable explanations
- XAI: Explainable artificial intelligence
Funding
Open access funding provided by Manipal University Jaipur.
Ethics declarations
Competing interests
The authors declare no competing interests.
Additional information
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
About this article
Cite this article
Beg, R., Nigam, N., Sharma, Y.K. et al. Design of an integrated evidence-driven few-shot meta-learning for zero-day malware detection and forensic attributions. Sci Rep (2026). https://doi.org/10.1038/s41598-026-43745-9
DOI: https://doi.org/10.1038/s41598-026-43745-9