✨ TL;DR
This paper proposes a certifiably robust malware detection framework using randomized smoothing through feature ablation and noise injection to provide formal guarantees against adversarial evasion attacks. The approach achieves provable robustness without modifying the underlying ML classifier.
Machine learning-based static malware detectors are vulnerable to adversarial evasion techniques, particularly metamorphic engine mutations that modify malware binaries while preserving functionality. Traditional detectors lack formal guarantees of robustness against such attacks, making them unreliable for security-critical applications. Existing defenses either require architectural changes or provide only empirical robustness without provable guarantees.
The framework employs randomized smoothing via feature ablation and targeted noise injection. During inference, the system generates multiple ablated variants of an executable, classifies each using a smoothed classifier, and determines the final label through majority voting. The approach derives formal robustness certificates by analyzing the top-class voting distribution and computing Wilson score intervals, which provide a certified radius within which the classifier is guaranteed to maintain its prediction against feature-space perturbations.
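An added sketch of the inference procedure described above (not code from the paper): it ablates a feature vector, takes a majority vote over the variants, and bounds the top-class vote share with a Wilson lower bound. This summary does not state the paper's radius formula, so the certificate here assumes the randomized-ablation bound of Levine and Feizi for binary labels; `toy_classifier`, `SAMPLE`, the 99% confidence level and all function names are constructed for illustration.

```python
import math
import random

Z_99 = 2.576  # assumed confidence level (99% two-sided); not stated on the page

def wilson_lower(successes, n, z=Z_99):
    """Lower end of the Wilson score interval for a binomial proportion."""
    p = successes / n
    centre = p + z * z / (2 * n)
    margin = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n))
    return (centre - margin) / (1 + z * z / n)

def ablate(features, keep, rng, fill=0.0):
    """Retain `keep` random positions; overwrite the rest with `fill`."""
    kept = set(rng.sample(range(len(features)), keep))
    return [v if i in kept else fill for i, v in enumerate(features)]

def certified_radius(p_lower, d, keep):
    """Largest r such that p_lower - delta(r) > 0.5 (binary labels).

    Assumed bound: an r-feature change touches a random ablation with
    probability delta(r) = 1 - C(d - r, keep) / C(d, keep).
    """
    for r in range(1, d + 1):
        delta = 1 - math.comb(d - r, keep) / math.comb(d, keep)
        if p_lower - delta <= 0.5:
            return r - 1
    return d

def smoothed_predict(base_classifier, features, keep, n_samples=1000, seed=0):
    """Majority vote over ablated variants -> (label, p_lower, radius)."""
    rng = random.Random(seed)
    votes = {}
    for _ in range(n_samples):
        label = base_classifier(ablate(features, keep, rng))
        votes[label] = votes.get(label, 0) + 1
    top, count = max(votes.items(), key=lambda kv: kv[1])
    p_lower = wilson_lower(count, n_samples)
    return top, p_lower, certified_radius(p_lower, len(features), keep)

def toy_classifier(x):
    """Constructed stand-in for the unmodified base detector."""
    return "malware" if sum(x) >= 3 else "benign"

SAMPLE = [1.0] * 40 + [0.0] * 60  # constructed 100-feature vector

if __name__ == "__main__":
    print(smoothed_predict(toy_classifier, SAMPLE, keep=20))
```

The radius shrinks quickly as `keep` grows relative to the feature count, because each retained position raises the chance that an ablated variant contains a perturbed feature.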
What the paper shows.
The smoothed classifier successfully provides certifiable robustness against metamorphic evasion attacks generated using PyMetaEngine. The evaluation demonstrates that the approach maintains detection performance on clean executables while providing formal guarantees of robustness within a specific radius against feature-space perturbations, without requiring modifications to the underlying machine learning architecture.
The paper does not provide detailed quantitative results comparing robustness radius sizes, computational overhead of generating multiple ablated variants, or scalability analysis for large-scale deployment. The evaluation is limited to PyMetaEngine-generated variants, and the approach's effectiveness against other evasion techniques or adaptive attacks that account for the smoothing mechanism is not thoroughly explored. The practical impact of the certified robustness radius on real-world malware detection scenarios remains unclear.
✨ Generated by Claude · Apr 25, 2026 · Read the PDF for authoritative content.