- The paper demonstrates that baseline drift-adaptive detectors are highly vulnerable, showing 100% ASR under PGD attacks and significant evasion under MalGuise attacks.
- The study introduces a universal robustification framework that fine-tunes detectors with attack-specific adversarial training, reducing ASR to as low as 3.2%.
- The analysis highlights tradeoffs between robust defenses and detection accuracy, emphasizing that defense strategies must be tailored to specific threat models.
Robustness in Drift-Adaptive Malware Detection: Attacks and Defenses Under White-Box and Black-Box Threats
Motivation and Problem Setting
Concept drift and adversarial evasion are pervasive challenges in contemporary ML-based malware detection. As malware evolves, detectors trained on earlier instances suffer from performance degradation due to non-stationary distributions (drift), while adversarial evasion—by which black-hat authors craft samples that elude detection—constitutes a persistent, orthogonal threat vector. The intersection of these phenomena, specifically the robustness of drift-adaptive detectors to adaptive adversarial threats, has not received systematic study. This work provides the first detailed analysis of this intersection, targeting the adversarial robustness of AdvDA, a state-of-the-art adversarial domain adaptation (DA) detector, under both white-box (PGD) and black-box (MalGuise) attack scenarios.
Threat Models and Attack Surfaces
Two fundamentally distinct adversaries are considered:
- White-box (PGD): The attacker possesses full knowledge of model architecture, parameters, and gradients, and applies ℓ∞ feature-space perturbations via iterative projected gradient descent, a canonical threat model in adversarial robustness literature.
- Black-box (MalGuise): The attacker has oracle access and applies functionality-preserving control-flow modifications to the binary code using MCTS-based search, requiring only query access to prediction confidence.
The crux of robustness in drift-adaptive systems lies in the transferability of adversarial defenses through source-target distributional shifts present in DA, and in the efficacy of such defenses under these two attack spaces, which are non-equivalent.
Universal Robustification Framework
The core proposal is a universal robustification protocol that fine-tunes pretrained AdvDA detectors on adversarially perturbed data. This framework is attack-agnostic and encompasses existing adversarial DA defenses as special cases by parameterizing the transformations applied to source (X~S) and target (X~T) domains. Defenses are instantiated in two families:
- DART-based (PGD): Three variants differing in source perturbation objective—identity (clean), PGD classification loss ("adv"), and KL-divergence ("kl"). Target perturbation is always adversarial.
- MalGuise-based: Two variants—target-only adversarial training ("clean") and both source and target adversarial training ("adv")—using features extracted from binaries transformed by the MalGuise attack.
All models are evaluated under strong operating constraints: five temporal adaptation windows on a contemporary, real-world Windows malware dataset (MB-24+) with limited labeled target samples, three detection thresholds (FPR control), and reporting on clean TPR, ASR, and wall-time cost.
Empirical Analysis and Results
Vulnerability of Baseline AdvDA
AdvDA without additional robustness is catastrophically vulnerable to both attack types: 100% ASR under PGD (Figure 1) and mean 13% ASR under MalGuise-based control-flow attacks (Figure 2).

Figure 1: PGD attack (ε=2/255) results showing complete failure of the baseline detector and varying reduction in ASR across DART defense variants and perturbation strengths.
Defense Efficacy and Transferability
Cross-Attack and Source Robustness Transfer
Practical Cost of Robustification
Implications and Deployment Recommendations
The results demonstrate that:
- Adversarial training effect is highly paired to attack and data distribution: Source adversarial training is indispensable for PGD/feature perturbation defenses but detrimental for real-world binary modifications. Thus, threat-specific specialization is necessary.
- No universal defense was effective across both attack vectors: Model robustness is contingent on the alignment between training perturbation and operational threat.
- A simple ensemble ("multi-view architecture") combining both defense types is posited as a potential avenue for comprehensive protection; this increases attacker effort but may impact calibration and FPR.
Deployment should prefer DART (kl) for gradient-based robustness and MalGuise (clean) for control-flow attack settings, with perturbation budget matched to realistic attacker strength. Source adversarial training is discouraged for binary-level attacks due to accuracy and cost impact.
Theoretical and Practical Outlook
This study rigorously exposes how conventional adversarial defense paradigms from vision or domain adaptation cannot be transliterated to the concept drift + adversarial malware context without careful re-evaluation. Key takeaways for future work include:
- Robust multi-view or ensemble-based architectures are needed for broad threat resistance but present calibration challenges.
- Further analysis of feature and representation-level transferability under adversarial shift is warranted to guide detector design.
This work establishes robust empirical ground truth for subsequent evaluations of adversarial robustness under drift adaptation, highlighting the need for tailored, threat-aware defense schemes in ML-based malware detection.
Conclusion
A formalized robustification of drift-adaptive detectors reveals that effectiveness and cost tradeoffs are intrinsic to the threat domain and perturbation family. General defenses are ineffective—robustness must be paired to the operational attacker. Practical defenders should adopt threat-specific adversarial fine-tuning, prioritize source-side robustness only when defending against norm-bounded feature-space attacks, and anticipate the necessity of architectural ensembles for broad-spectrum protection.
Reference: “Can Drift-Adaptive Malware Detectors Be Made Robust? Attacks and Defenses Under White-Box and Black-Box Threats” (2604.06599).