defense arXiv Aug 10, 2025 · Aug 2025
Pierre-Francois Gimenez, Sarath Sivaprasad, Mario Fritz · Univ Rennes · INRIA +3 more
Certifiably robust malware detection architecture proving every robust detector decomposes into a specific structure resistant to evasion attacks
Input Manipulation Attack
Malware analysis involves analyzing suspicious software to detect malicious payloads. Static malware analysis, which does not require software execution, relies increasingly on machine learning techniques to achieve scalability. Although such techniques obtain very high detection accuracy, they can be easily evaded with adversarial examples where a few modifications of the sample can dupe the detector without modifying the behavior of the software. Unlike other domains, such as computer vision, creating an adversarial example of malware without altering its functionality requires specific transformations. We propose a new model architecture for certifiably robust malware detection by design. In addition, we show that every robust detector can be decomposed into a specific structure, which can be applied to learn empirically robust malware detectors, even on fragile features. Our framework ERDALT is based on this structure. We compare and validate these approaches with machine-learning-based malware detection methods, allowing for robust detection with limited reduction of detection performance.
traditional_ml Univ Rennes · INRIA · IRISA +2 more
defense arXiv Aug 8, 2025 · Aug 2025
Andrii Yermakov, Jan Cech, Jiri Matas et al. · Czech Technical University in Prague · CISPA Helmholtz Center for Information Security
Proposes GenD, a parameter-efficient deepfake detector fine-tuning only LayerNorm weights with hyperspherical metric learning for SOTA cross-dataset generalization
Output Integrity Attack vision
The generalization of deepfake detectors to unseen manipulation techniques remains a challenge for practical deployment. Although many approaches adapt foundation models by introducing significant architectural complexity, this work demonstrates that robust generalization is achievable through a parameter-efficient adaptation of one of the foundational pre-trained vision encoders. The proposed method, GenD, fine-tunes only the Layer Normalization parameters (0.03% of the total) and enhances generalization by enforcing a hyperspherical feature manifold using L2 normalization and metric learning on it. We conducted an extensive evaluation on 14 benchmark datasets spanning from 2019 to 2025. The proposed method achieves state-of-the-art performance, outperforming more complex, recent approaches in average cross-dataset AUROC. Our analysis yields two primary findings for the field: 1) training on paired real-fake data from the same source video is essential for mitigating shortcut learning and improving generalization, and 2) detection difficulty on academic datasets has not strictly increased over time, with models trained on older, diverse datasets showing strong generalization capabilities. This work delivers a computationally efficient and reproducible method, proving that state-of-the-art generalization is attainable by making targeted, minimal changes to a pre-trained foundational image encoder model. The code is at: https://github.com/yermandy/GenD
transformer Czech Technical University in Prague · CISPA Helmholtz Center for Information Security
ML Security Papers