{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,20]],"date-time":"2026-04-20T22:23:35Z","timestamp":1776723815208,"version":"3.51.2"},"reference-count":42,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2024,4,6]],"date-time":"2024-04-06T00:00:00Z","timestamp":1712361600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,4,6]],"date-time":"2024-04-06T00:00:00Z","timestamp":1712361600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001823","name":"Ministerstvo \u0161kolstv\u00ed, Ml\u00e1de\u017ee a T\u011blo\u00fdchovy","doi-asserted-by":"publisher","award":["SGS23\/211\/OHK3\/3T\/18"],"award-info":[{"award-number":["SGS23\/211\/OHK3\/3T\/18"]}],"id":[{"id":"10.13039\/501100001823","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001823","name":"Ministerstvo \u0161kolstv\u00ed, Ml\u00e1de\u017ee a T\u011blo\u00fdchovy","doi-asserted-by":"publisher","award":["SGS23\/211\/OHK3\/3T\/18"],"award-info":[{"award-number":["SGS23\/211\/OHK3\/3T\/18"]}],"id":[{"id":"10.13039\/501100001823","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100018240","name":"Research Center for Informatics, Czech Technical University in Prague","doi-asserted-by":"publisher","award":["CZ.02.1.01\/0.0\/0.0\/16 019\/0000765"],"award-info":[{"award-number":["CZ.02.1.01\/0.0\/0.0\/16 019\/0000765"]}],"id":[{"id":"10.13039\/100018240","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Comput Virol Hack Tech"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Machine learning has proven to be a valuable tool for automated malware detection, but machine learning systems have also been shown to be subject to adversarial attacks. This paper summarizes and compares related work on generating adversarial malware samples, specifically malicious Windows Portable Executable files. In contrast with previous research, we not only compare generators of adversarial malware examples theoretically, but we also provide an experimental comparison and evaluation for practical usability. We use gradient-based, evolutionary-based, and reinforcement-based approaches to create adversarial samples, which we test against selected antivirus products. The results show that applying optimized modifications to previously detected malware can lead to incorrect classification of the file as benign. Moreover, generated malicious samples can be effectively employed against detection models other than those used to produce them, and combinations of methods can construct new instances that avoid detection. Based on our findings, the Gym-malware generator, which uses reinforcement learning, has the greatest practical potential. This generator has the fastest average sample production time of 5.73\u00a0s and the highest average evasion rate of 44.11%. Using the Gym-malware generator in combination with itself further improved the evasion rate to 58.35%. However, other tested methods scored significantly lower in our experiments than reported in the original publications, highlighting the importance of a standardized evaluation environment.<\/jats:p>","DOI":"10.1007\/s11416-024-00519-z","type":"journal-article","created":{"date-parts":[[2024,4,6]],"date-time":"2024-04-06T13:01:47Z","timestamp":1712408507000},"page":"623-639","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":10,"title":["A comparison of adversarial malware generators"],"prefix":"10.1007","volume":"20","author":[{"given":"Pavla","family":"Louth\u00e1nov\u00e1","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8329-7572","authenticated-orcid":false,"given":"Matou\u0161","family":"Koz\u00e1k","sequence":"additional","affiliation":[]},{"given":"Martin","family":"Jure\u010dek","sequence":"additional","affiliation":[]},{"given":"Mark","family":"Stamp","sequence":"additional","affiliation":[]},{"given":"Fabio","family":"Di Troia","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,4,6]]},"reference":[{"key":"519_CR1","unstructured":"AV-TEST: Malware Statistics & Trends Report | AV-TEST. AV-TEST (2022). https:\/\/www.av-test.org\/en\/statistics\/malware"},{"key":"519_CR2","doi-asserted-by":"publisher","unstructured":"Al-Asli, M., Ghaleb, T.A.: Review of signature-based techniques in antivirus products. In: 2019 International Conference on Computer and Information Sciences (ICCIS), pp. 1\u20136. IEEE (2019). https:\/\/doi.org\/10.1109\/ICCISci.2019.8716381","DOI":"10.1109\/ICCISci.2019.8716381"},{"key":"519_CR3","first-page":"100","volume":"7","author":"J Singh","year":"2018","unstructured":"Singh, J., Singh, J.: Challenge of malware analysis: malware obfuscation techniques. Int. J. Inf. Secur. Sci. 7, 100\u2013110 (2018)","journal-title":"Int. J. Inf. Secur. Sci."},{"issue":"2","key":"519_CR4","doi-asserted-by":"publisher","first-page":"271","DOI":"10.1016\/j.eij.2022.01.004","volume":"23","author":"S Al-Janabi","year":"2022","unstructured":"Al-Janabi, S., Alkaim, A.: A novel optimization algorithm (lion-ayad) to find optimal dna protein synthesis. Egypt. Inform. J. 23(2), 271\u2013290 (2022). https:\/\/doi.org\/10.1016\/j.eij.2022.01.004","journal-title":"Egypt. Inform. J."},{"key":"519_CR5","doi-asserted-by":"publisher","DOI":"10.1016\/j.rineng.2022.100847","volume":"17","author":"ZA Kadhuim","year":"2023","unstructured":"Kadhuim, Z.A., Al-Janabi, S.: Codon-mrna prediction using deep optimal neurocomputing technique (dlstm-dsn-woa) and multivariate analysis. Results Eng. 17, 100847 (2023). https:\/\/doi.org\/10.1016\/j.rineng.2022.100847","journal-title":"Results Eng."},{"key":"519_CR6","doi-asserted-by":"publisher","DOI":"10.1016\/j.sysarc.2020.101861","volume":"112","author":"J Singh","year":"2021","unstructured":"Singh, J., Singh, J.: A survey on machine learning-based malware detection in executable files. J. Syst. Architect. 112, 101861 (2021). https:\/\/doi.org\/10.1016\/j.sysarc.2020.101861","journal-title":"J. Syst. Architect."},{"key":"519_CR7","doi-asserted-by":"publisher","unstructured":"Dolej\u0161, J., Jure\u010dek, M.: Interpretability of machine learning-based results of malware detection using a set of rules, 107\u2013136 (2022). https:\/\/doi.org\/10.1007\/978-3-030-97087-1_5","DOI":"10.1007\/978-3-030-97087-1_5"},{"issue":"5","key":"519_CR8","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3453158","volume":"54","author":"I Rosenberg","year":"2021","unstructured":"Rosenberg, I., Shabtai, A., Elovici, Y., Rokach, L.: Adversarial machine learning attacks and defense methods in the cyber security domain. ACM Comput. Surv. (CSUR) 54(5), 1\u201336 (2021). https:\/\/doi.org\/10.1145\/3453158","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"519_CR9","doi-asserted-by":"publisher","unstructured":"Aryal, K., Gupta, M., Abdelsalam, M.: A survey on adversarial attacks for malware analysis. arXiv preprint arXiv:2111.08223 (2022). https:\/\/doi.org\/10.48550\/arXiv.2111.08223","DOI":"10.48550\/arXiv.2111.08223"},{"issue":"1","key":"519_CR10","doi-asserted-by":"publisher","first-page":"467","DOI":"10.1109\/COMST.2022.3225137","volume":"25","author":"S Yan","year":"2023","unstructured":"Yan, S., Ren, J., Wang, W., Sun, L., Zhang, W., Yu, Q.: A survey of adversarial attack and defense methods for malware classification in cyber security. IEEE Commun. Surv. Tutor. 25(1), 467\u2013496 (2023). https:\/\/doi.org\/10.1109\/COMST.2022.3225137","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"519_CR11","doi-asserted-by":"publisher","DOI":"10.1145\/3484491","author":"D Li","year":"2021","unstructured":"Li, D., Li, Q., Ye, Y.F., Xu, S.: Arms race in adversarial malware detection: a survey. ACM Comput. Surv. (2021). https:\/\/doi.org\/10.1145\/3484491","journal-title":"ACM Comput. Surv."},{"key":"519_CR12","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2023.122223","volume":"238","author":"M Macas","year":"2024","unstructured":"Macas, M., Wu, C., Fuertes, W.: Adversarial examples: a survey of attacks and defenses in deep learning-enabled cybersecurity systems. Expert Syst. Appl. 238, 122223 (2024). https:\/\/doi.org\/10.1016\/j.eswa.2023.122223","journal-title":"Expert Syst. Appl."},{"key":"519_CR13","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103134","volume":"128","author":"X Ling","year":"2023","unstructured":"Ling, X., Wu, L., Zhang, J., Qu, Z., Deng, W., Chen, X., Qian, Y., Wu, C., Ji, S., Luo, T., Wu, J., Wu, Y.: Adversarial attacks against windows pe malware detection: a survey of the state-of-the-art. Comput. Secur. 128, 103134 (2023). https:\/\/doi.org\/10.1016\/j.cose.2023.103134","journal-title":"Comput. Secur."},{"key":"519_CR14","doi-asserted-by":"publisher","unstructured":"Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2015). https:\/\/doi.org\/10.48550\/arXiv.1412.6572","DOI":"10.48550\/arXiv.1412.6572"},{"key":"519_CR15","doi-asserted-by":"publisher","unstructured":"Papernot, N., McDaniel, P., Jha, S., Fredrikson, M., Celik, Z.B., Swami, A.: The limitations of deep learning in adversarial settings. In: 2016 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 372\u2013387. IEEE (2016). https:\/\/doi.org\/10.1109\/EuroSP.2016.36","DOI":"10.1109\/EuroSP.2016.36"},{"key":"519_CR16","doi-asserted-by":"publisher","unstructured":"Goodfellow, I.J., Pouget-Abadie, J., Mirza, M., Xu, B., Warde-Farley, D., Ozair, S., Courville, A., Bengio, Y.: Generative adversarial networks. arXiv preprint arXiv:1406.2661 (2014). https:\/\/doi.org\/10.48550\/ARXIV.1406.2661","DOI":"10.48550\/ARXIV.1406.2661"},{"key":"519_CR17","doi-asserted-by":"publisher","unstructured":"Dutta, I.K., Ghosh, B., Carlson, A., Totaro, M., Bayoumi, M.: Generative adversarial networks in security: a survey. In: 2020 11th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), pp. 0399\u20130405. IEEE (2020). https:\/\/doi.org\/10.1109\/UEMCON51285.2020.9298135","DOI":"10.1109\/UEMCON51285.2020.9298135"},{"issue":"4","key":"519_CR18","doi-asserted-by":"publisher","first-page":"588","DOI":"10.1109\/JAS.2017.7510583","volume":"4","author":"K Wang","year":"2017","unstructured":"Wang, K., Gou, C., Duan, Y., Lin, Y., Zheng, X., Wang, F.-Y.: Generative adversarial networks: introduction and outlook. IEEE\/CAA J. Automatica Sinica 4(4), 588\u2013598 (2017). https:\/\/doi.org\/10.1109\/JAS.2017.7510583","journal-title":"IEEE\/CAA J. Automatica Sinica"},{"key":"519_CR19","doi-asserted-by":"publisher","unstructured":"Sutton, R.S., Barto, A.G.: Reinforcement learning: an introduction (2018). https:\/\/doi.org\/10.1016\/S1364-6613(99)01331-5","DOI":"10.1016\/S1364-6613(99)01331-5"},{"key":"519_CR20","doi-asserted-by":"publisher","unstructured":"Demetrio, L., Biggio, B., Lagorio, G., Roli, F., Armando, A.: Explaining vulnerabilities of deep learning to adversarial malware binaries. arXiv preprint arXiv:1901.03583 (2019). https:\/\/doi.org\/10.48550\/arXiv.1901.03583","DOI":"10.48550\/arXiv.1901.03583"},{"key":"519_CR21","doi-asserted-by":"publisher","unstructured":"Demetrio, L., Coull, S.E., Biggio, B., Lagorio, G., Armando, A., Roli, F.: Adversarial exemples: a survey and experimental evaluation of practical attacks on machine learning for windows malware detection. arXiv preprint arXiv:2008.07125 (2020). https:\/\/doi.org\/10.1145\/3473039","DOI":"10.1145\/3473039"},{"key":"519_CR22","doi-asserted-by":"publisher","first-page":"3469","DOI":"10.1109\/TIFS.2021.3082330","volume":"16","author":"L Demetrio","year":"2021","unstructured":"Demetrio, L., Biggio, B., Lagorio, G., Roli, F., Armando, A.: Functionality-preserving black-box optimization of adversarial windows malware. IEEE Trans. Inf. Forensics Secur. 16, 3469\u20133478 (2021). https:\/\/doi.org\/10.1109\/TIFS.2021.3082330","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"519_CR23","doi-asserted-by":"publisher","unstructured":"Anderson, H.S., Kharkar, A., Filar, B., Evans, D., Roth, P.: Learning to evade static pe machine learning malware models via reinforcement learning. arXiv preprint arXiv:1801.08917 (2018). https:\/\/doi.org\/10.48550\/arXiv.1801.08917","DOI":"10.48550\/arXiv.1801.08917"},{"key":"519_CR24","doi-asserted-by":"publisher","unstructured":"Castro, R.L., Schmitt, C., Dreo, G.: Aimed: evolving malware with genetic programming to evade detection. In: 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications\/13th IEEE International Conference On Big Data Science And Engineering (TrustCom\/BigDataSE), pp. 240\u2013247. IEEE (2019). https:\/\/doi.org\/10.1109\/TrustCom\/BigDataSE.2019.00040","DOI":"10.1109\/TrustCom\/BigDataSE.2019.00040"},{"key":"519_CR25","doi-asserted-by":"publisher","unstructured":"Wang, X., Miikkulainen, R.: Mdea: Malware detection with evolutionary adversarial learning. In: 2020 IEEE Congress on Evolutionary Computation (CEC), pp. 1\u20138. IEEE (2020). https:\/\/doi.org\/10.1109\/CEC48606.2020.9185810","DOI":"10.1109\/CEC48606.2020.9185810"},{"key":"519_CR26","doi-asserted-by":"publisher","unstructured":"Song, W., Li, X., Afroz, S., Garg, D., Kuznetsov, D., Yin, H.: Mab-malware: a reinforcement learning framework for attacking static malware classifiers. arXiv preprint arXiv:2003.03100 (2020). https:\/\/doi.org\/10.48550\/arXiv.2003.03100","DOI":"10.48550\/arXiv.2003.03100"},{"key":"519_CR27","doi-asserted-by":"publisher","first-page":"48867","DOI":"10.1109\/ACCESS.2019.2908033","volume":"7","author":"Z Fang","year":"2019","unstructured":"Fang, Z., Wang, J., Li, B., Wu, S., Zhou, Y., Huang, H.: Evading anti-malware engines with deep reinforcement learning. IEEE 7, 48867\u201348879 (2019). https:\/\/doi.org\/10.1109\/ACCESS.2019.2908033","journal-title":"IEEE"},{"key":"519_CR28","doi-asserted-by":"publisher","unstructured":"Labaca-Castro, R., Franz, S., Rodosek, G.D.: Aimed-rl: exploring adversarial malware examples with reinforcement learning. In: Joint European Conference on Machine Learning and Knowledge Discovery in Databases, pp. 37\u201352. Springer (2021). https:\/\/doi.org\/10.1007\/978-3-030-86514-6_3","DOI":"10.1007\/978-3-030-86514-6_3"},{"key":"519_CR29","doi-asserted-by":"publisher","unstructured":"Kolosnjaji, B., Demontis, A., Biggio, B., Maiorca, D., Giacinto, G., Eckert, C., Roli, F.: Adversarial malware binaries: evading deep learning for malware detection in executables. arXiv preprint arXiv:1804.04637 (2018).https:\/\/doi.org\/10.48550\/arXiv.1803.04173","DOI":"10.48550\/arXiv.1803.04173"},{"key":"519_CR30","doi-asserted-by":"publisher","unstructured":"Kreuk, F., Barak, A., Aviv-Reuven, S., Baruch, M., Pinkas, B., Keshet, J.: Deceiving end-to-end deep learning malware detectors using adversarial examples. arXiv preprint arXiv:1802.04528 (2018). https:\/\/doi.org\/10.48550\/arXiv.1802.04528","DOI":"10.48550\/arXiv.1802.04528"},{"key":"519_CR31","doi-asserted-by":"publisher","unstructured":"Suciu, O., Coull, S.E., Johns, J.: Exploring adversarial examples in malware detection. arXiv preprint arXiv:1810.08280 (2018). https:\/\/doi.org\/10.48550\/arXiv.1810.08280","DOI":"10.48550\/arXiv.1810.08280"},{"key":"519_CR32","doi-asserted-by":"publisher","unstructured":"Hu, W., Tan, Y.: Generating adversarial malware examples for black-box attacks based on gan. arXiv preprint arXiv:1702.05983 (2017). https:\/\/doi.org\/10.48550\/arXiv.1702.05983","DOI":"10.48550\/arXiv.1702.05983"},{"key":"519_CR33","doi-asserted-by":"publisher","unstructured":"Kawai, M., Ota, K., Dong, M.: Improved malgan: avoiding malware detector by leaning cleanware features. In: 2019 International Conference on Artificial Intelligence in Information and Communication (ICAIIC), pp. 040\u2013045. IEEE (2019). https:\/\/doi.org\/10.1109\/ICAIIC.2019.8669079","DOI":"10.1109\/ICAIIC.2019.8669079"},{"key":"519_CR34","doi-asserted-by":"publisher","unstructured":"Yuan, J., Zhou, S., Lin, L., Wang, F., Cui, J.: Black-box adversarial attacks against deep learning based malware binaries detection with gan, 2536\u20132542 (2020). https:\/\/doi.org\/10.3233\/FAIA200388","DOI":"10.3233\/FAIA200388"},{"key":"519_CR35","doi-asserted-by":"publisher","unstructured":"Anderson, H.S., Roth, P.: Ember: an open dataset for training static pe malware machine learning models. arXiv preprint arXiv:1804.04637 (2018). https:\/\/doi.org\/10.48550\/ARXIV.1804.04637","DOI":"10.48550\/ARXIV.1804.04637"},{"key":"519_CR36","doi-asserted-by":"publisher","unstructured":"Raff, E., Barker, J., Sylvester, J., Brandon, R., Catanzaro, B., Nicholas, C.: Malware detection by eating a whole exe. arXiv preprint arXiv:1710.09435 (2017). https:\/\/doi.org\/10.48550\/ARXIV.1710.09435","DOI":"10.48550\/ARXIV.1710.09435"},{"key":"519_CR37","unstructured":"VirusShare: VirusShare. https:\/\/www.virusshare.com\/ (2023)"},{"key":"519_CR38","unstructured":"AV-Comparatives: Malware Protection Test September 2022. https:\/\/www.av-comparatives.org\/tests\/malware-protection-test-september-2022\/ (2022)"},{"key":"519_CR39","unstructured":"VirusTotal: VirusTotal. https:\/\/www.virustotal.com\/ (2023)"},{"key":"519_CR40","doi-asserted-by":"publisher","unstructured":"Koz\u00e1k, M., Jure\u010dek, M.: Combining generators of adversarial malware examples to increase evasion rate. In: Proceedings of the 20th International Conference on Security and Cryptography - SECRYPT, pp. 778\u2013786 (2023). https:\/\/doi.org\/10.5220\/0012127700003555","DOI":"10.5220\/0012127700003555"},{"key":"519_CR41","unstructured":"Thomas, R.: LIEF - Library to Instrument Executable Formats (2017). https:\/\/lief.quarkslab.com\/"},{"key":"519_CR42","doi-asserted-by":"publisher","unstructured":"Koz\u00e1k, M., Jurecek, M., Stamp, M., Troia, F.D.: Creating valid adversarial examples of malware. arXiv preprint arXiv:2306.13587 (2023). https:\/\/doi.org\/10.48550\/arXiv.2306.13587","DOI":"10.48550\/arXiv.2306.13587"}],"container-title":["Journal of Computer Virology and Hacking Techniques"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-024-00519-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11416-024-00519-z\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-024-00519-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,10,15]],"date-time":"2024-10-15T15:08:03Z","timestamp":1729004883000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11416-024-00519-z"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4,6]]},"references-count":42,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2024,11]]}},"alternative-id":["519"],"URL":"https:\/\/doi.org\/10.1007\/s11416-024-00519-z","relation":{},"ISSN":["2263-8733"],"issn-type":[{"value":"2263-8733","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,4,6]]},"assertion":[{"value":"8 September 2023","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"21 February 2024","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"6 April 2024","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors have no relevant financial or non-financial interests to disclose.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}]}}