Adversarial examples for malware detection

Kathrin Grosse, Nicolas Papernot, Praveen Manoharan, Michael Backes, Patrick McDaniel

Research output: Chapter in Book/Report/Conference proceedingConference contribution

327 Scopus citations


Machine learning models are known to lack robustness against inputs crafted by an adversary. Such adversarial examples can, for instance, be derived from regular inputs by introducing minor—yet carefully selected—perturbations. In this work, we expand on existing adversarial example crafting algorithms to construct a highly-effective attack that uses adversarial examples against malware detection models. To this end, we identify and overcome key challenges that prevent existing algorithms from being applied against malware detection: our approach operates in discrete and often binary input domains, whereas previous work operated only in continuous and differentiable domains. In addition, our technique guarantees the malware functionality of the adversarially manipulated program. In our evaluation, we train a neural network for malware detection on the DREBIN data set and achieve classification performance matching state-of-the-art from the literature. Using the augmented adversarial crafting algorithm we then manage to mislead this classifier for 63% of all malware samples. We also present a detailed evaluation of defensive mechanisms previously introduced in the computer vision contexts, including distillation and adversarial training, which show promising results.

Original languageEnglish (US)
Title of host publicationComputer Security – ESORICS 2017 - 22nd European Symposium on Research in Computer Security, Proceedings
EditorsSimon N. Foley, Dieter Gollmann, Einar Snekkenes
PublisherSpringer Verlag
Number of pages18
ISBN (Print)9783319663982
StatePublished - 2017
Event22nd European Symposium on Research in Computer Security, ESORICS 2017 - Oslo, Norway
Duration: Sep 11 2017Sep 15 2017

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10493 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other22nd European Symposium on Research in Computer Security, ESORICS 2017

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)


Dive into the research topics of 'Adversarial examples for malware detection'. Together they form a unique fingerprint.

Cite this