New framework aims to outsmart malware evasion tricks

Attackers have learned how to trick machine learning malware detectors with small but clever code changes, and researchers say they may finally have an answer.

In a new paper, academics from Inria and the CISPA Helmholtz Center for Information Security describe a framework that can withstand these kinds of evasion attempts. Their work focuses on adversarial examples in malware detection, where attackers alter software in ways that preserve its function but confuse the model into thinking it is safe.

Why machine learning models fail

Traditional antivirus tools depend on signatures such as file hashes or known indicators, which leaves them weak against new variants. Machine learning promised a fix by spotting broader patterns across malware families, but attackers quickly learned how to outmaneuver those models too. By making functionality-preserving tweaks, such as swapping API calls or padding binaries with junk instructions, they can flip a detector’s decision without changing what the program actually does.

The researchers argue that defenses borrowed from computer vision do not hold up in this setting. In images, an adversarial example usually means a tiny change that a human eye would miss. Malware authors face no such constraint. As long as the program still runs, the changes can be large, and that breaks most standard defenses.

Inside the ERDALT framework

To counter this, the team introduces ERDALT, short for “Empirically Robust by Design with Adversarial Linear Transformation.” Instead of assuming attackers will make only small changes, ERDALT is trained with real adversarial examples and focuses on features that are difficult to manipulate. It learns which characteristics of malware remain stable under common transformations and builds resilience around them.

One illustration is the use of API substitutions. An attacker might replace one system call with another that does the same thing. To a detector, this can make the program look benign even though its behavior is unchanged. ERDALT is designed to catch such substitutions by filtering out fragile features and combining stronger ones in ways that attackers cannot easily bypass.
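The effect of an API substitution on a fragile feature, and on a feature that stays stable under it, can be shown with a toy linear detector. This is an added example, not code from the paper and not ERDALT's algorithm; the equivalence groups, weights, threshold and sample import list are all constructed assumptions.

```python
# Added illustration: API groups, weights and the sample are constructed.
from itertools import product

# Assumed groups of interchangeable Windows imports (ANSI/wide/native variants).
EQUIV = {
    "file_open": {"CreateFileA", "CreateFileW", "NtCreateFile"},
    "reg_write": {"RegSetValueExA", "RegSetValueExW"},
    "net_send": {"send", "WSASend"},
}
API_TO_CLASS = {api: cls for cls, apis in EQUIV.items() for api in apis}

# Toy linear detector over raw API names; score > THRESHOLD means "malicious".
RAW_WEIGHTS = {"CreateFileA": 0.2, "CreateFileW": 0.1, "NtCreateFile": 0.0,
               "RegSetValueExA": 0.9, "RegSetValueExW": 0.1,
               "send": 0.8, "WSASend": 0.0}
# The same kind of detector rebuilt over class-level (substitution-stable) features.
CLASS_WEIGHTS = {"file_open": 0.2, "reg_write": 0.7, "net_send": 0.7}
THRESHOLD = 1.0
SAMPLE = ["CreateFileA", "RegSetValueExA", "send"]  # constructed import list

def raw_score(apis):
    return sum(RAW_WEIGHTS.get(a, 0.0) for a in set(apis))

def class_score(apis):
    # Collapse every API to its equivalence class before scoring.
    classes = {API_TO_CLASS.get(a, a) for a in apis}
    return sum(CLASS_WEIGHTS.get(c, 0.0) for c in classes)

def variants(apis):
    """Every import set reachable by swapping each API within its class."""
    choices = [sorted(EQUIV[API_TO_CLASS[a]]) if a in API_TO_CLASS else [a]
               for a in apis]
    return [set(v) for v in product(*choices)]

def worst_case(score_fn, apis):
    """Lowest score over all functionality-preserving variants."""
    return min(score_fn(v) for v in variants(apis))

def fragile_classes(weights):
    """Classes whose members carry different weights, so a swap moves the score."""
    out = {}
    for cls, apis in EQUIV.items():
        ws = [weights.get(a, 0.0) for a in apis]
        if max(ws) - min(ws) > 1e-9:
            out[cls] = round(max(ws) - min(ws), 3)
    return out
```

On the constructed sample the raw-name detector scores 1.9 but its worst case over substitutions is 0.1, below the threshold, while the class-level score is 1.6 for every variant.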

Testing robustness

Tests showed ERDALT outperformed defenses such as adversarial training and manual feature selection alone. While it did not eliminate the trade-off between accuracy and robustness, the results suggest it can strengthen models without the steep performance penalties seen in other methods.

A view from industry

To connect the research to real-world attacks, we asked Aditya Sood, VP of security engineering and AI strategy at Aryaka, whether these tricks are showing up outside the lab.

“We have encountered the use of these techniques in real-world malware. For example, TrickBot, PlugX Remote Access Trojan employed API hashing and function obfuscation tactics to evade detection,” Sood said.

In these cases, the malicious code does not store function names in clear text. Instead, it hashes them and matches the computed hashes at runtime before loading the function addresses into memory. That makes reverse engineering harder and allows malware to slip past signature-based antivirus tools.

Sood added that families like Mirai variants and Ryuk ransomware have used polymorphic techniques to insert junk instructions and benign sections into code. These changes confuse static analysis tools but do not alter the malicious payload.

He sees ERDALT as a step forward. “Frameworks like ERDALT improve the capability to detect this kind of malicious behaviour, but we believe that it can’t be considered a foolproof solution. We still believe ERDALT should be treated as an additional layer to a potential defence-in-depth strategy to tackle threats of this kind.”

The study highlights a shift in malware research: building detectors that assume attackers will try to manipulate features, rather than hoping they will not. If frameworks like ERDALT can be integrated into practice, the balance may tilt back, at least temporarily, in favor of defenders.

