A cybersecurity firm is developing an AI system to detect zero-day malware using behavior analysis. The team collects a dataset of 1,000 malware samples and 10,000 benign files from corporate endpoints. The model is a random forest classifier. After deployment, the false positive rate is 5%, which is acceptable, but the detection rate for new malware variants drops to 30%. The security analyst suspects the model is overfitting to the specific malware families in the training set. Which improvement should the team implement first?
Generic features (e.g., process creation frequency, registry changes) help the model learn behaviors common to malware, improving detection of new variants.
Why this answer
The core issue is that the model has overfitted to the specific malware families in the training set, so it generalizes poorly to unseen zero-day variants. Engineering features that capture generic behavioral patterns (e.g., API call sequences, file system interactions, network connection anomalies) reduces the model's reliance on family-specific signatures and improves detection of novel malware. This directly addresses the root cause of the detection rate falling to 30%, without adding model complexity or introducing new data-imbalance problems.
Exam trap
CompTIA often tests the misconception that more complex models (boosting, DNNs) automatically improve performance, when in reality, feature engineering to address the specific failure mode (overfitting to training families) is the most effective first step.
How to eliminate wrong answers
Option A is wrong because boosting ensembles (e.g., AdaBoost, XGBoost) are more prone to overfitting on noisy data than bagging (Random Forest), which would exacerbate the existing overfitting problem. Option B is wrong because collecting more samples from the same families reinforces the model's bias toward those specific patterns, worsening generalization to new variants. Option C is wrong because replacing Random Forest with a deep neural network (DNN) typically requires significantly more data to avoid overfitting, and with only 1,000 malware samples, a DNN would likely perform worse, not better.