Open Access
A Feedback-Driven Federated Zero-Shot Learning Framework for Adaptive Detection of Evolving Banking Malware
Author(s) - Nahid Ferdous Aurna, Yuzo Taenaka, Youki Kadobayashi
Publication year - 2025
Publication title - IEEE Access
Language(s) - English
Resource type - Magazines
SCImago Journal Rank - 0.587
H-Index - 127
eISSN - 2169-3536
DOI - 10.1109/access.2025.3617219
Subject(s) - aerospace, bioengineering, communication, networking and broadcast technologies, components, circuits, devices and systems, computing and processing, engineered materials, dielectrics and plasmas, engineering profession, fields, waves and electromagnetics, general topics for engineers, geoscience, nuclear engineering, photonics and electrooptics, power, energy and industry applications, robotics and control systems, signal processing and analysis, transportation
The rise of digital banking has increased the frequency and sophistication of banking malware attacks, highlighting the need for privacy-preserving and adaptive detection frameworks. While Federated Learning (FL) offers a promising alternative to centralized detection by enabling collaborative model training without raw data sharing, its performance declines in the presence of evolving, previously unseen malware behaviors, especially under non-IID (non-independent and identically distributed) conditions. To address these challenges, we propose a hybrid FL and Zero-Shot Learning (ZSL) framework enhanced with a feedback-driven continual learning loop for resilient malware detection. Our approach assigns three federated clients disjoint banking malware datasets comprising Zeus, Emotet, TrickBot, and benign samples under a non-IID setting, simulating real-world institutional threat exposure. Two additional datasets, one with malware variants and another synthetically generated to reflect evolved behavior, are used exclusively for testing. Among multiple deep learning architectures evaluated, a Multilayer Perceptron (MLP) is selected as the best-performing model and personalized at each client. ZSL operates during inference to reclassify low-confidence samples using semantic embeddings, and those with high cosine similarity are selectively reintegrated into FL training, supporting continual adaptation through feedback without compromising data privacy. Experimental results show that the proposed FL-ZSL-feedback pipeline achieves an average improvement of 8.49% in correctly classifying samples with high confidence over the baseline FL model across all clients and datasets. These findings validate the effectiveness of our framework in delivering privacy-aware, adaptive banking malware detection in dynamic, distributed environments.
