Windows PE malware is still considered a major threat in the cybersecurity landscape despite the amazing accuracy recently achieved in malware detection thanks to the use of Artificial Intelligence (AI). In fact, recent advances in Adversarial Learning have definitely shown that adversarial attacks can evade AI-powered decision models trained for Windows PE malware detection. These are malware created by leveraging AI vulnerabilities to fool AI-based malware detection systems. Adversarial Training is one of the fundamental strategies for defending an AI-based decision model against adversarial attacks. So, in this paper, we focus particularly on Adversarial Training as a method for both gaining accuracy and improving the robustness of a deep neural model trained for Windows PE malware detection. To this aim, we analyse the accuracy performance of a deep neural model trained with adversarial samples generated with Fast Gradient Sign Method (FGSM) against real Windows Portable Executable (PE) goodware and malware, as well as realistic Windows PE adversarial malware produced with state-of-the-art techniques.
Adversarial Training [
The paper is organized as follows. Section 2 describes the background of this work. Section 3 illustrates the Adversarial Training method deployed in this study. Section 4 illustrates the results of the evaluation study. Finally, Section 5 draws conclusions and sketches future research directions.
Since its conception adversarial learning has widely investigated the “ofensive" scope of AI by defining
several evasion methods to identify vulnerabilities in AI-based decision models [
These general-purpose evasion methods are commonly used in cybersecurity problems, although
they can be applied to a feature vector representation of cyber objects. Both [14] and [15] have recently
published an extensive survey to describe how general-purpose attack methods have been used in
cybersecurity. This survey highlights that the majority of cybersecurity studies still use general-purpose
attack methods applied to a tabular representation of cyber objects obtained after a feature engineering
step (e.g., static analysis of codes, dynamic analysis of behaviours). In particular, several studies use
the Adversarial Training strategy as a means of gaining generality in the decision model development,
achieving higher accuracy on real malicious behaviours in the evaluation phase. However, these studies
often leave aside the problem of producing realistic evasive objects in cybersecurity domains where,
unlike images, there is no clear inverse mapping to the feature space [16]. For example, the authors of
[17] use adversarial samples generated with FGSM to mitigate the overfitting phenomenon in a deep
neural model trained with Adversarial Training using the guidance of eXplainable AI-based knowledge.
Similarly, the authors of [
On the other hand, the generation of realistic adversarial cyber objects in the problem space has
recently attracted significant attention in the cybersecurity literature [
Finally, the authors of [
In this Section, we describe the Adversarial Training method considered in this study to train a Windows
PE malware detection model. This decision model is trained in the feature space extracted using the
Library to Instrument Executable Formats (LIEF) [22] This is done according to a few recent studies
[
As a decision model, we consider a Deep Neural Network DNN model trained with LIEF features for Windows PE malware detection according to the description reported by [24]. The choice of this DNN model as the target model of the evaluation work is based on the evaluation results illustrated by [24]. In fact, their study shows that such DNN model allows us to achieve higher detection accuracy than several AI-based malware detection methods analysed. In our study, the DNN model is trained with the Adversarial Training strategy using a general-purpose evasion method to generate the adversarial samples for the model development.
As a general-purpose evasion method, we use the FGSM [
In short, the proposed method takes as input a training set = {(xi, )}=1 of Windows PE ifles, where each xi ∈ {0, 1, . . . , 255}* is the binary code of a windows PE file and is the real class (goodware or malware) associated with xi. The method, as schematized in Figure 1, learns the DNN-based Windows PE malware detection model in four steps: 1. The LIEF-extracted representation of is obtained. To this aim, LIEF is used to generate a tabular example xilief ∈ R2381 for each Windows PE file xi with (xi, ) ∈ . Formally, = {(xliief , ) ∈ R2381 × { , }|∀(xi, ) ∈ }. 2. The initial DNN model : R2381 ↦→ {, } is trained with parameter estimated on . 3. The adversarial set is produced by using FGSM with the data perturbation threshold .
Specifically, the adversarial samples of are produced from the malicious samples of that are originally labelled as malware to evade .
↦→ {, } is trained with parameter
In the experimentation of this study, we evaluate the accuracy performance of both and
on the collection of real Windows PE files collected in [
The performance of the Adversarial Training method was evaluated on a repository that collects both Windows PE files and adversarial Windows PE files. These experiments mainly aimed to explore the ability of Adversarial Training performed with FGSM of gaining accuracy in disentangling real Windows PE goodware from real Windows PE malware, as well as robustness in the presence of realistic adversarial Windows PE malware that were produced with state-of-the-art Windows PE attack methods such as FGSM (padding + slack), Full DOS, Extend, Shift and GAMMA. The Windows PE file repository and the adopted experimental set-up are presented in Sections 4.1 and 4.2, respectively. The implementation details of the proposed Adversarial Training method are reported in Section 4.3. The results are illustrated in Section 4.4.
We considered two distinct Windows PE file repositories for the training and evaluation stages. In particular, the training stage was performed with the BODMAS repository [25]. This is a publicly available repository of Windows PE files with around one hundred and thirty-four thousand samples collected between 2019 and 2020 from a security company’s internal database. Specifically, the BODMAS repository contains 57,293 Windows PE malware and 77,142 Windows PE goodware. The binary files are available in the repository for malware only. However, the pre-extracted features obtained through the static analyser LIEF are publicly available for all the collected samples recorded in the BODMAS repository.
The evaluation stage was performed with the Windows PE repository that has been recently created
in [
For the experimentation, we used all Windows PE files recorded in the BODMAS repository (along their LIEF-extracted features) to train the initial DNN, create the adversarial set, and train the DNN with Adversarial Training. In the following, we denote the DNN trained with the sample created for the real Windows PE files only as DNN, while the DNN trained with the Adversarial Training method by accounting for the adversarial samples produced with FGSM as DNNfgsm. According to [26], the FGSM method should be used with the perturbation value set as a small value (tentatively between 0 and 1). In this study, we set the perturbation threshold equal to 0.025, in order to scale the noise and ensure that perturbations are small enough to remain undetected to the human eye, but large enough to fool the attacked neural model.
For evaluating the accuracy and robustnesses of both DNN and DNNfgsm we measured the Overall
Accuracy (OA), Precision (P), Recall (R) and F1 score (F1) of both models on the version of the evaluation
repository populated with the real Windows PE goodware and malware, as well as the version of the
same evaluation repository augmented with the realistic adversarial Windows PE malware as described
in [
The code1 used to perform the experimental study was implemented in Python 3 using the high-level neural network API PyTorch. LIEF (version 0.9)2 was used to extract the feature input space of the deep neural architecture. This architecture was implemented with three Fully Connected (FC) layers with 512, 128 and 8 neurons and one output layer with 2 neurons, respectively. The output probabilities were obtained using the softmax activation function in the last layer. The Tanh activation function was used in all the other layers. Two Batch Normalization layers were placed before the 1st FC layer and between the 2nd and 3rd FC layers. The DNN was trained with a batch size equal to 1024 and a maximum number of epochs equal to 150. An early-stopping approach was used to stop the model earlier than the maximum number of epochs allowed if it did not improve the validation loss. All the architecture parameters described above were set as described by [24], who showed that this architecture outperforms several AI-based decision models in Windows PE malware detection problems. The input space was transformed with Quantile Transformer as implemented in Scikit-learn library 3 to obtain features that follow a normal distribution and reduce the impact of outliers. Finally, the FGSM algorithm was used as implemented in the Adversarial Robustness Toolbox library4.
Table 1 reports the accuracy performance of both DNN and DNNfgsm models as they were measured in
the evaluation settings: REAL, REAL + FGSM (padding + slack), REAL + Full DOS, REAL + Extend, REAL
+ Shift and REAL + GAMMA, respectively. These results support the conclusions already reported in
1The code is available at https://github.com/ll2909/lobascioITASEC25
2https://lief.re/
3https://scikit-learn.org/dev/modules/generated/sklearn.preprocessing.QuantileTransformer.html
4https://adversarial-robustness-toolbox.readthedocs.io/
[
To complete this evaluation study, we used SHAP [27] to explain how the Adversarial Training
method changed the efect of LIEF-extracted input features on decisions produced with both DNN and
DNNfgsm, respectively. SHAP is a well-known, post-hoc, XAI technique that has been recently used in
several cybersecurity domains to gain accuracy [17] or explain decision model behaviours [
In particular, Figure 2 shows that the DNN model is mainly driven by the LIEF-extracted features Data Directory 9 and Imports 103. Both are the top-two features seen to recognize real Windows PE 5Shapley values were obtained with shap.DeepExplainer https://shap.readthedocs.io/en/latest/generated/shap.DeepExplainer. html malware, as well as adversarial Windows PE malware produced with FGSM (padding + slack), Full DOS and GAMMA. On the other hand, Data Directory 9 falls to fourth, while Header info 41 and Header info 1 rise to first and second place, respectively, in the SHAP ranking of the adversarial Windows PE malware produced with both Extend and Shift . Instead, neither Header info 41 nor Header info 1 appear in the top-ten features seen to recognize real Windows PE malware and realistic adversarial Windows PE malware produced by FGSM (padding + slack), Full DOS and GAMMA. Focusing the attention on Extend and Shift , we note that there is a high intersection in the top-ten features seen by the DNN model for both categories of adversarial malware except for the LIEF-extracted feature Headers info 9 that appears in the top-ten ranking of Extend and the LIEF-extracted feature General File Info 7 that appears in the top-ten ranking of Shift . This suggests that the DNN was trained seeing high similarity between adversarial Windows PE malware generated by both these two evasion methods.
On the other hand, Figure 3 shows that the Adversarial Training methods actually changed the decision model by allowing the LIEF-extracted feature Header Info 11 to gain importance in all decisions regarding both real Windows PE malware and all categories of adversarial Windows PE malware considered in this study. The only exception is observed with FGSM (padding + slack), where the top-ranked LIEF-extracted feature is Imports 103, but the LIEF-extracted feature Header Info 11 is still the runner-up. On the other hand, the LIEF-extracted feature Data Directory 9 is still important, but it falls to the second on third position. Another interesting consideration regards the SHAP feature rankings of DNNfgsm for Extend and Shift . These two rankings have more diferences between them than their counterparts shown in Figure 2 for DNN. This suggests that the Adversarial Training method allows DNNfgsm to see better the diferences between the adversarial Windows PE malware produced with these two evasion methods. Finally, we note that the Shapley values computed for decisions produced with DNNfgsm range in smaller intervals with a lower number of Shapley value outliers than the Shapley values computed for the counterpart decisions produced with DNN. The relationship between this behaviour and a possible higher robustness of explanations produced for deep neural models trained with the Adversarial Training method deserve further investigation in future works.
Over the past decade, recent achievements in adversarial learning have shown that adversarial malware create an additional attack vector to the robustness of AI methods developed for anti-malware systems. In this paper, we illustrate the results of an evaluation study of the performance of a deep neural model trained with an Adversarial Training method against five state-of-the-art attack methods defined in literature to produce realistic adversarial Windows PE malware.
The study shows that the Adversarial Training method can take advantage of a general-purpose evasion method – FGSM – that is commonly used with imagery and tabular data to generate adversarial samples in a powerful feature-vector representation of Windows PE files. It uses these samples to train a deep neural model that gains accuracy and robustness in the Windows PE malware detection task. In particular, we show that the deep neural model trained with the Adversarial Training method outperforms the counterpart model trained without Adversarial Training, gaining accuracy on real Windows PE malware and robustness against realistic Windows PE adversarial malware. In addition, we use a post-hoc XAI technique – SHAP – to explain how Adversarial Training changed the ability of the deep neural models to recognize malicious behaviours.
As reported [28], the efectiveness of adversarial training is afected by multiple variables (e.g., classifiers, feature representations). For this reason, we plan to extend this study to explore the performance of further general-purpose evasion methods in the training stage, as well as to additional Windows PE adversarial evasion methods in the evaluation stage. Also, we plan to start the investigation of ofensive and defensive strategies for poisoning in Windows PE malware detection, as well as the robustness of explanations produced with defensive strategies. Finally, considering the large number of active Android devices worldwide, which has led to a growing interest in developing solutions to identify malicious applications [29, 30, 31], we plan to extend our work in order to investigate the impact of adversarial training in Android malware detection models.
Luca Lobascio and Giuseppina Andresini are supported by the project FAIR - Future AI Research (PE00000013), Spoke 6 - Symbiotic AI (CUP H97G22000210007), under the NRRP MUR program funded by the NextGenerationEU. Annalisa Appice and Donato Malerba are partially supported by project SERICS (PE00000014) under the NRRP MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU. The research objectives of this paper are in partial fulfilment of the project AI-CREED (CUP H93C23000880005).
The author(s) have not employed any Generative AI tools. [14] N. Martins, J. M. Cruz, T. Cruz, P. Henriques Abreu, Adversarial machine learning applied to intrusion and malware scenarios: A systematic review, IEEE Access 8 (2020) 35403–35419. doi:10.1109/ACCESS.2020.2974752. [15] M. Macas, C. Wu, W. Fuertes, Adversarial examples: A survey of attacks and defenses in deep learning-enabled cybersecurity systems, Expert Syst. Appl. 238 (2024) 1–33. doi:10.1016/j. eswa.2023.122223. [16] F. Pierazzi, F. Pendlebury, J. Cortellazzi, L. Cavallaro, Intriguing properties of adversarial ML attacks in the problem space, in: SP 2020, IEEE, 2020, pp. 1332–1349. doi:10.1109/SP40000. 2020.00073. [17] M. Al-Essa, G. Andresini, A. Appice, D. Malerba, An XAI-based adversarial training approach for cyber-threat detection, in: CyberSciTech 2023, IEEE, 2022, pp. 1–8. doi:10.1109/DASC/PiCom/ CBDCom/Cy55231.2022.9927842. [18] F. Kreuk, A. Barak, S. Aviv-Reuven, M. Baruch, B. Pinkas, J. Keshet, Adversarial examples on discrete sequences for beating whole-binary malware detection, CoRR (2018). doi:https: //doi.org/10.48550/arXiv.1802.04528. [19] E. Raf, J. Barker, J. Sylvester, R. Brandon, B. Catanzaro, C. K. Nicholas, Malware detection by eating a whole EXE, in: AAAI 2018 Workshops, 2018, pp. 1–8. URL: https://cdn.aaai.org/ocs/ws/ ws0432/16422-75958-1-PB.pdf. [20] M. Kozák, M. Jurecek, M. Stamp, F. D. Troia, Creating valid adversarial examples of malware, J
Comput Virol Hack Tech (2024) 1–15. doi:10.1007/s11416-024-00516-2. [21] L. Demetrio, B. Biggio, G. Lagorio, F. Roli, A. Armando, Functionality-preserving black-box optimization of adversarial Windows malware, IEEE Trans. Inf. Forensics Secur. 16 (2021) 3469– 3478. doi:10.1109/TIFS.2021.3082330. [22] M. Şandor, R. M. Portase, A. Coleşa, Ember feature dataset analysis for malware detection, in:
ICCP 2023, 2023, pp. 203–210. doi:10.1109/ICCP60212.2023.10398693. [23] O. Barut, T. Zhang, Y. Luo, P. Li, A comprehensive study on eficient and accurate machine learningbased malicious PE detection, in: CCNC 2023, 2023, pp. 632–635. doi:10.1109/CCNC51644.2023. 10060214. [24] C. Connors, D. Sarkar, Machine learning for detecting malware in pe files, 2022. doi: 10.48550/ arXiv.2212.13988. [25] L. Yang, A. Ciptadi, I. Laziuk, A. Ahmadzadeh, G. Wang, Bodmas: An open dataset for learning based temporal analysis of pe malware, in: 2021 IEEE Security and Privacy Workshops (SPW), IEEE, 2021, pp. 78–84. doi:10.1109/SPW53761.2021.00020. [26] T. Bai, J. Luo, J. Zhao, B. Wen, Q. Wang, Recent advances in adversarial training for adversarial robustness, in: 30th International Joint Conference on Artificial Intelligence, IJCAI 2021, IJCAI.ORG, 2021, pp. 4312–4321. doi:10.24963/ijcai.2021/591. [27] S. M. Lundberg, S.-I. Lee, A unified approach to interpreting model predictions, in: 31st International Conference on Neural Information Processing Systems, NIPS 2017, NIPS, Curran Associates Inc., 2017, pp. 4768–4777. doi:10.5555/3295222.3295230. [28] H. Bostani, J. Cortellazzi, D. Arp, F. Pierazzi, V. Moonsamy, L. Cavallaro, On the efectiveness of adversarial training on malware classifiers, 2024. doi: https://doi.org/10.48550/arXiv. 2412.18218. arXiv:2412.18218. [29] A. Guerra-Manzanares, Machine learning for android malware detection: Mission accomplished? a comprehensive review of open challenges and future perspectives, Computers & Security 138 (2024) 103654. doi:https://doi.org/10.1016/j.cose.2023.103654. [30] S. McFadden, Z. Kan, L. Cavallaro, F. Pierazzi, The impact of active learning on availability data poisoning for android malware classifiers, in: Proc. of the 2nd Workshop on Recent Advances in Resilient and Trustworthy MAchine learning-driveN systems (ARTMAN), 2024. [31] G. Andresini, A. Appice, D. Malerba, Dealing with Class Imbalance in Android Malware Detection by Cascading Clustering and Classification, Springer International Publishing, Cham, 2020, pp. 173–187. doi:10.1007/978-3-030-36617-9_11.
(a) DNN - malware
(b) DNN - FGSM (padding + slack) (c) DNN - Full DOS (d) DNN - Extend (e) DNN - Shift (f) DNN - GAMMA (a) DNNfgsm - malware (d) DNNfgsm - Extend
(e) DNNfgsm - Shift (f) DNNfgsm - GAMMA