defense 2025

Certifiably robust malware detectors by design

Pierre-Francois Gimenez 1,2,3,4, Sarath Sivaprasad 5, Mario Fritz 5

1 Univ Rennes

2 Inria

3 IRISA

4 CentraleSupélec

5 CISPA Helmholtz Center for Information Security

0 citations
α

Published on arXiv

2508.10038

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

Certifiably and empirically robust malware detectors are achieved with only limited reduction in detection performance compared to non-robust baselines.

ERDALT

Novel technique introduced

Malware analysis involves analyzing suspicious software to detect malicious payloads. Static malware analysis, which does not require software execution, relies increasingly on machine learning techniques to achieve scalability. Although such techniques obtain very high detection accuracy, they can be easily evaded with adversarial examples where a few modifications of the sample can dupe the detector without modifying the behavior of the software. Unlike other domains, such as computer vision, creating an adversarial example of malware without altering its functionality requires specific transformations. We propose a new model architecture for certifiably robust malware detection by design. In addition, we show that every robust detector can be decomposed into a specific structure, which can be applied to learn empirically robust malware detectors, even on fragile features. Our framework ERDALT is based on this structure. We compare and validate these approaches with machine-learning-based malware detection methods, allowing for robust detection with limited reduction of detection performance.

Key Contributions

  • New model architecture for certifiably robust malware detection by design, leveraging the constraint that malware-preserving transformations are limited
  • Decomposition theorem showing every robust detector can be expressed in a specific structural form, enabling empirical robustness even on fragile features
  • ERDALT framework instantiating this structure for empirically robust ML-based static malware detection with limited accuracy trade-off

🛡️ Threat Analysis

Input Manipulation Attack

The paper defends against adversarial examples (evasion attacks) crafted to fool ML-based static malware detectors at inference time without altering malware functionality. The primary contributions — a certifiably robust model architecture by design and the ERDALT empirical robustness framework — are certified robustness defenses explicitly targeting input manipulation attacks.

Details

Model Types
traditional_ml
Threat Tags
white_boxinference_timedigital
Applications
malware detectionstatic malware analysis
Read PDF arXiv

Similar Papers

defense

Adversarial generalization of unfolding (model-based) networks

2025 0 cit.
Input Manipulation Attack
78%
defense

Kernel Learning with Adversarial Features: Numerical Efficiency and Adaptive Regularization

2025 1 cit.
Input Manipulation Attack
78%
defense

Tracking Finite-Time Lyapunov Exponents to Robustify Neural ODEs

2026 0 cit.
Input Manipulation Attack
78%
defense

Enhancing Adversarial Robustness of IoT Intrusion Detection via SHAP-Based Attribution Fingerprinting

2025 0 cit.
Input Manipulation Attack
73%
defense

FeatureLens: A Highly Generalizable and Interpretable Framework for Detecting Adversarial Examples Based on Image Features

2025 0 cit.
Input Manipulation Attack
73%
defense

Robust Bidirectional Associative Memory via Regularization Inspired by the Subspace Rotation Algorithm

2025 0 cit.
Input Manipulation Attack
73%
defense

ROAST: Risk-aware Outlier-exposure for Adversarial Selective Training of Anomaly Detectors Against Evasion Attacks

2026 0 cit.
Input Manipulation Attack
70%
defense

Differentiable Architecture Search for Adversarially Robust Quantum Computer Vision

2026 0 cit.
Input Manipulation Attack
70%