Papers
Topics
Authors
Recent
Search
2000 character limit reached

Can Drift-Adaptive Malware Detectors Be Made Robust? Attacks and Defenses Under White-Box and Black-Box Threats

Published 8 Apr 2026 in cs.CR | (2604.06599v1)

Abstract: Concept drift and adversarial evasion are two major challenges for deploying machine learning-based malware detectors. While both have been studied separately, their combination, the adversarial robustness of drift-adaptive detectors, remains unexplored. We address this problem with AdvDA, a recent malware detector that uses adversarial domain adaptation to align a labeled source domain with a target domain with limited labels. The distribution shift between domains poses a unique challenge: robustness learned on the source may not transfer to the target, and existing defenses assume a fixed distribution. To address this, we propose a universal robustification framework that fine-tunes a pretrained AdvDA model on adversarially transformed inputs, agnostic to the attack type and choice of transformations. We instantiate it with five defense variants spanning two threat models: white-box PGD attacks in the feature space and black-box MalGuise attacks that modify malware binaries via functionality-preserving control-flow mutations. Across nine defense configurations, five monthly adaptation windows on Windows malware, and three false-positive-rate operating points, we find the undefended AdvDA completely vulnerable to PGD (100% attack success) and moderately to MalGuise (13%). Our framework reduces these rates to as low as 3.2% and 5.1%, respectively, but the optimal strategy differs: source adversarial training is essential for PGD defenses yet counterproductive for MalGuise defenses, where target-only training suffices. Furthermore, robustness does not transfer across these two threat models. We provide deployment recommendations that balance robustness, detection accuracy, and computational cost.

Summary

  • The paper demonstrates that baseline drift-adaptive detectors are highly vulnerable, showing 100% ASR under PGD attacks and significant evasion under MalGuise attacks.
  • The study introduces a universal robustification framework that fine-tunes detectors with attack-specific adversarial training, reducing ASR to as low as 3.2%.
  • The analysis highlights tradeoffs between robust defenses and detection accuracy, emphasizing that defense strategies must be tailored to specific threat models.

Robustness in Drift-Adaptive Malware Detection: Attacks and Defenses Under White-Box and Black-Box Threats

Motivation and Problem Setting

Concept drift and adversarial evasion are pervasive challenges in contemporary ML-based malware detection. As malware evolves, detectors trained on earlier instances suffer from performance degradation due to non-stationary distributions (drift), while adversarial evasion—by which black-hat authors craft samples that elude detection—constitutes a persistent, orthogonal threat vector. The intersection of these phenomena, specifically the robustness of drift-adaptive detectors to adaptive adversarial threats, has not received systematic study. This work provides the first detailed analysis of this intersection, targeting the adversarial robustness of AdvDA, a state-of-the-art adversarial domain adaptation (DA) detector, under both white-box (PGD) and black-box (MalGuise) attack scenarios.

Threat Models and Attack Surfaces

Two fundamentally distinct adversaries are considered:

  • White-box (PGD): The attacker possesses full knowledge of model architecture, parameters, and gradients, and applies \ell_\infty feature-space perturbations via iterative projected gradient descent, a canonical threat model in adversarial robustness literature.
  • Black-box (MalGuise): The attacker has oracle access and applies functionality-preserving control-flow modifications to the binary code using MCTS-based search, requiring only query access to prediction confidence.

The crux of robustness in drift-adaptive systems lies in the transferability of adversarial defenses through source-target distributional shifts present in DA, and in the efficacy of such defenses under these two attack spaces, which are non-equivalent.

Universal Robustification Framework

The core proposal is a universal robustification protocol that fine-tunes pretrained AdvDA detectors on adversarially perturbed data. This framework is attack-agnostic and encompasses existing adversarial DA defenses as special cases by parameterizing the transformations applied to source (X~S\tilde{X}_S) and target (X~T\tilde{X}_T) domains. Defenses are instantiated in two families:

  • DART-based (PGD): Three variants differing in source perturbation objective—identity (clean), PGD classification loss ("adv"), and KL-divergence ("kl"). Target perturbation is always adversarial.
  • MalGuise-based: Two variants—target-only adversarial training ("clean") and both source and target adversarial training ("adv")—using features extracted from binaries transformed by the MalGuise attack.

All models are evaluated under strong operating constraints: five temporal adaptation windows on a contemporary, real-world Windows malware dataset (MB-24+) with limited labeled target samples, three detection thresholds (FPR control), and reporting on clean TPR, ASR, and wall-time cost.

Empirical Analysis and Results

Vulnerability of Baseline AdvDA

AdvDA without additional robustness is catastrophically vulnerable to both attack types: 100% ASR under PGD (Figure 1) and mean 13% ASR under MalGuise-based control-flow attacks (Figure 2). Figure 1

Figure 1

Figure 1: PGD attack (ε=2/255\varepsilon = 2/255) results showing complete failure of the baseline detector and varying reduction in ASR across DART defense variants and perturbation strengths.

Defense Efficacy and Transferability

  • DART-based (PGD): With source adversarial training, DART (adv, kl) reduces PGD ASR to as low as 3.2% (at ε=2/255\varepsilon=2/255; Table, main text). Increasing robustness budget to ε=8/255\varepsilon=8/255 further reduces ASR but increases clean TPR drop. Source adversarial training is essential; target-only (clean) variants remain much less robust.
  • MalGuise-based: Target-only adversarial training reduces MalGuise ASR to 5.1% with minimal TPR cost; adding source MalGuise adversarial samples provides only a marginal improvement (to 3.2%) but incurs severe detection performance and computational penalties (TPR drop up to 44%, 76.8×76.8\times overhead; Table, main text). Figure 2

    Figure 2: ASR of AdvDA and MalGuise-based defenses against the black-box MCTS-guided MalGuise attack, averaged across adaptation windows and FPRs.

Cross-Attack and Source Robustness Transfer

  • Robustness is not transferable across PGD and MalGuise threats: MalGuise-based defenses yield no improvement under PGD attacks and vice versa, even when adversarial training is performed on both distributions (Figure 3). Figure 3

    Figure 3: Cross-attack ASR for all defense variants, showing non-transferability of robustness between PGD and MalGuise threat models.

Practical Cost of Robustification

  • DART and MalGuise (clean) adversarial training increase training time by \sim3x relative to AdvDA; MalGuise (adv) increases cost by over two orders of magnitude.
  • Clean TPR is largely maintained except under aggressive source-side adversarial MalGuise augmentation, which yields substantial accuracy degradation (Figure 4). Figure 4

    Figure 4: Visualization of average clean TPR across defense models; blue indicates higher TPR, red indicates severity of loss.

Implications and Deployment Recommendations

The results demonstrate that:

  • Adversarial training effect is highly paired to attack and data distribution: Source adversarial training is indispensable for PGD/feature perturbation defenses but detrimental for real-world binary modifications. Thus, threat-specific specialization is necessary.
  • No universal defense was effective across both attack vectors: Model robustness is contingent on the alignment between training perturbation and operational threat.
  • A simple ensemble ("multi-view architecture") combining both defense types is posited as a potential avenue for comprehensive protection; this increases attacker effort but may impact calibration and FPR.

Deployment should prefer DART (kl) for gradient-based robustness and MalGuise (clean) for control-flow attack settings, with perturbation budget matched to realistic attacker strength. Source adversarial training is discouraged for binary-level attacks due to accuracy and cost impact.

Theoretical and Practical Outlook

This study rigorously exposes how conventional adversarial defense paradigms from vision or domain adaptation cannot be transliterated to the concept drift + adversarial malware context without careful re-evaluation. Key takeaways for future work include:

  • Robust multi-view or ensemble-based architectures are needed for broad threat resistance but present calibration challenges.
  • Further analysis of feature and representation-level transferability under adversarial shift is warranted to guide detector design.

This work establishes robust empirical ground truth for subsequent evaluations of adversarial robustness under drift adaptation, highlighting the need for tailored, threat-aware defense schemes in ML-based malware detection.

Conclusion

A formalized robustification of drift-adaptive detectors reveals that effectiveness and cost tradeoffs are intrinsic to the threat domain and perturbation family. General defenses are ineffective—robustness must be paired to the operational attacker. Practical defenders should adopt threat-specific adversarial fine-tuning, prioritize source-side robustness only when defending against norm-bounded feature-space attacks, and anticipate the necessity of architectural ensembles for broad-spectrum protection.


Reference: “Can Drift-Adaptive Malware Detectors Be Made Robust? Attacks and Defenses Under White-Box and Black-Box Threats” (2604.06599).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.