ML Security PapersByteShield: Adversarially Robust End-to-End Malware Detection through Byte Masking
Daniel Gibert 1,2, Felip Manyà 1,2
Published on arXiv
2512.09883
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
ByteShield outperforms randomized and de-randomized smoothing defenses against a wide range of functionality-preserving adversarial manipulations on EMBER and BODMAS while maintaining high clean accuracy, with deterministic coverage guaranteeing full payload occlusion in at least one masked version.
ByteShield
Novel technique introduced
Research has proven that end-to-end malware detectors are vulnerable to adversarial attacks. In response, the research community has proposed defenses based on randomized and (de)randomized smoothing. However, these techniques remain susceptible to attacks that insert large adversarial payloads. To address these limitations, we propose a novel defense mechanism designed to harden end-to-end malware detectors by leveraging masking at the byte level. This mechanism operates by generating multiple masked versions of the input file, independently classifying each version, and then applying a threshold-based voting mechanism to produce the final classification. Key to this defense is a deterministic masking strategy that systematically strides a mask across the entire input file. Unlike randomized smoothing defenses, which randomly mask or delete bytes, this structured approach ensures coverage of the file over successive versions. In the best-case scenario, this strategy fully occludes the adversarial payload, effectively neutralizing its influence on the model's decision. In the worst-case scenario, it partially occludes the adversarial payload, reducing its impact on the model's predictions. By occluding the adversarial payload in one or more masked versions, this defense ensures that some input versions remain representative of the file's original intent, allowing the voting mechanism to suppress the influence of the adversarial payload. Results achieved on the EMBER and BODMAS datasets demonstrate the suitability of our defense, outperforming randomized and (de)randomized smoothing defenses against adversarial examples generated with a wide range of functionality-preserving manipulations while maintaining high accuracy on clean examples.
Key Contributions
- ByteShield: a deterministic sliding-window byte masking strategy that generates multiple masked versions of an input executable, classifying each independently to occlude adversarial payloads wherever they reside
- Threshold-based voting mechanism that aggregates masked-version predictions, ensuring at least one version has the adversarial payload fully occluded when mask size exceeds payload size
- Empirical demonstration on EMBER and BODMAS that ByteShield outperforms randomized and de-randomized smoothing defenses against large adversarial payloads while preserving high clean-example accuracy
🛡️ Threat Analysis
Proposes a defense specifically against adversarial input manipulation: attackers inject byte payloads into malware executables at inference time to cause ML classifiers to misclassify them as benign. ByteShield's masking+voting mechanism directly neutralizes these adversarial examples, fitting squarely in the input purification/adversarial defense category.