{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,21]],"date-time":"2026-05-21T17:14:29Z","timestamp":1779383669427,"version":"3.53.1"},"reference-count":38,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2021,9,2]],"date-time":"2021-09-02T00:00:00Z","timestamp":1630540800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"ALHOA","award":["780788"],"award-info":[{"award-number":["780788"]}]},{"name":"RexLearn","award":["2017TWNMH2"],"award-info":[{"award-number":["2017TWNMH2"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2021,11,30]]},"abstract":"<jats:p>\n            Recent work has shown that adversarial Windows malware samples\u2014referred to as adversarial\n            <jats:italic>EXE<\/jats:italic>\n            mples in this article\u2014can bypass machine learning-based detection relying on static code analysis by perturbing relatively few input bytes. To preserve malicious functionality, previous attacks either add bytes to existing non-functional areas of the file, potentially limiting their effectiveness, or require running computationally demanding validation steps to discard malware variants that do not correctly execute in sandbox environments. In this work, we overcome these limitations by developing a unifying framework that does not only encompass and generalize previous attacks against machine-learning models, but also includes three novel attacks based on practical, functionality-preserving manipulations to the Windows Portable Executable file format. 
These attacks, named\n            <jats:italic>Full DOS<\/jats:italic>\n            ,\n            <jats:italic>Extend<\/jats:italic>\n            , and\n            <jats:italic>Shift<\/jats:italic>\n            , inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section. Our experimental results show that these attacks outperform existing ones in both white-box and black-box scenarios, achieving a better tradeoff in terms of evasion rate and size of the injected payload, while also enabling evasion of models that have been shown to be robust to previous attacks. To facilitate reproducibility of our findings, we open source our framework and all the corresponding attack implementations as part of the secml-malware Python library. We conclude this work by discussing the limitations of current machine learning-based malware detectors, along with potential mitigation strategies based on embedding domain knowledge coming from subject-matter experts directly into the learning process.\n          <\/jats:p>","DOI":"10.1145\/3473039","type":"journal-article","created":{"date-parts":[[2021,9,2]],"date-time":"2021-09-02T10:52:54Z","timestamp":1630579974000},"page":"1-31","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":115,"title":["Adversarial EXEmples"],"prefix":"10.1145","volume":"24","author":[{"given":"Luca","family":"Demetrio","sequence":"first","affiliation":[{"name":"Universit\u00e0 degli studi di Cagliari, ITA, Cagliari, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Scott E.","family":"Coull","sequence":"additional","affiliation":[{"name":"FireEye, Inc., Milpitas, CA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Battista","family":"Biggio","sequence":"additional","affiliation":[{"name":"Universit\u00e0 degli studi di Cagliari, ITA and Pluribus One, ITA, Cagliari, 
Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Giovanni","family":"Lagorio","sequence":"additional","affiliation":[{"name":"Universit\u00e0 degli Studi di Genova, ITA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Alessandro","family":"Armando","sequence":"additional","affiliation":[{"name":"Universit\u00e0 degli Studi di Genova, ITA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Fabio","family":"Roli","sequence":"additional","affiliation":[{"name":"Universit\u00e0 degli Studi di Cagliari, ITA and Pluribus One, ITA, Cagliari, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2021,9,2]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24310"},{"key":"e_1_2_1_2_1","volume-title":"Evading machine learning malware detection. Black Hat","author":"Anderson Hyrum S.","year":"2017"},{"key":"e_1_2_1_3_1","volume-title":"Anderson and Phil Roth","author":"Hyrum","year":"2018"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2013.57"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_2_1_7_1","unstructured":"Raphael Labaca Castro Corinna Schmitt and Gabi Dreo. 2019. AIMED: Evolving malware with genetic programming to evade detection. 
In Proceedings of the 18th IEEE International Conference on Trust Security and Privacy in Computing And Communications\/13th IEEE International Conference on Big Data Science And Engineering (TrustCom\/BigDataSE\u201919). IEEE 240\u2013247."},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140448"},{"key":"e_1_2_1_9_1","volume-title":"Proceedings of the 2019 IEEE Security and Privacy Workshops (SPW). IEEE, 21\u201327","author":"Scott"},{"key":"e_1_2_1_10_1","volume-title":"Proceedings of the 2015 International Joint Conference on Neural Networks (IJCNN). IEEE, 1\u20138.","author":"Omid"},{"key":"e_1_2_1_11_1","unstructured":"Luca Demetrio and Battista Biggio. 2021. secml-malware: A Python Library for adversarial robustness evaluation of Windows malware classifiers. arXiv:cs.CR\/2104.12848. 
Retrieved from https:\/\/arxiv.org\/abs\/cs.CR\/2104.12848."},{"key":"e_1_2_1_12_1","volume-title":"Proceedings of the 3rd Italian Conference on CyberSecurity (ITASEC\u201919)","author":"Demetrio Luca","year":"2019"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3082330"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.5555\/3361338.3361361"},{"key":"e_1_2_1_15_1","volume-title":"Proceedings of the 3th International Conference on Learning Representations (ICLR\u201915)","author":"Goodfellow Ian J.","year":"2014"},{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the International Conference on Data Mining (DMIN\u201916)","author":"Hardy William","year":"2016"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046684.2046692"},{"key":"e_1_2_1_18_1","volume-title":"Proceedings of the 35th International Conference on Machine Learning (ICML\u201918)","volume":"80","author":"Ilyas Andrew","year":"2018"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180445.3180449"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.5555\/3294771.3294864"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.23919\/EUSIPCO.2018.8553214"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-50127-7_11"},{"key":"e_1_2_1_23_1","volume-title":"Proceedings of the 6th International Conference on Learning Representations (ICLR\u201918)","author":"Kr\u010d\u00e1l Marek","year":"2018"},{"key":"e_1_2_1_24_1","volume-title":"Workshop on Security in Machine Learning (NeurIPS).","author":"Kreuk Felix","year":"2018"},{"key":"e_1_2_1_25_1","unstructured":"Stefano Melacci Gabriele Ciravegna Angelo Sotgiu Ambra Demontis Battista Biggio Marco Gori and Fabio Roli. 2020. Can domain knowledge alleviate adversarial attacks in multi-label classifiers? 
arXiv:cs.LG\/2006.03833. Retrieved from https:\/\/arxiv.org\/abs\/cs.LG\/2006.03833."},{"key":"e_1_2_1_26_1","unstructured":"Marco Melis Ambra Demontis Maura Pintor Angelo Sotgiu and Battista Biggio. 2019. secml: A Python library for secure and explainable machine learning. arXiv:cs.LG\/1912.10013. Retrieved from https:\/\/arxiv.org\/abs\/cs.LG\/1912.10013."},{"key":"e_1_2_1_27_1","unstructured":"Nicolas Papernot Patrick McDaniel and Ian Goodfellow. 2016. Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv:1605.07277. Retrieved from https:\/\/arxiv.org\/abs\/1605.07277."},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00073"},{"key":"e_1_2_1_30_1","volume-title":"Proceedings of the Workshops at the 32nd AAAI Conference on Artificial Intelligence.","author":"Raff Edward"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2015.7413680"},{"key":"e_1_2_1_32_1","unstructured":"Mahmood Sharif Keane Lucas Lujo Bauer Michael K. Reiter and Saurabh Shintre. 2019. Optimization-guided binary diversification to mislead neural networks for malware detection. 
arXiv:1912.09064. Retrieved from https:\/\/arxiv.org\/abs\/1912.09064."},{"key":"e_1_2_1_33_1","unstructured":"Wei Song Xuezixiang Li Sadia Afroz Deepali Garg Dmitry Kuznetsov and Heng Yin. 2020. Automatic generation of adversarial examples for interpreting malware classifiers. arXiv:2003.03100. Retrieved from https:\/\/arxiv.org\/abs\/2003.03100."},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2019.00015"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.5555\/3277203.3277301"},{"key":"e_1_2_1_36_1","volume-title":"Proceedings of the International Conference on Learning Representations.","author":"Szegedy Christian","year":"2014"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3316415"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.5555\/2627435.2638566"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3473039","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3473039","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:11:58Z","timestamp":1750191118000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3473039"}},"subtitle":["A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware 
Detection"],"short-title":[],"issued":{"date-parts":[[2021,9,2]]},"references-count":38,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2021,11,30]]}},"alternative-id":["10.1145\/3473039"],"URL":"https:\/\/doi.org\/10.1145\/3473039","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,9,2]]},"assertion":[{"value":"2020-08-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-06-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-09-02","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}