MalGEN: A Testbed for Modeling and Evaluating Malware Behaviors
Bikash Saha, Sandeep Kumar Shukla

TL;DR
MalGEN is a modular testbed that generates diverse, multi-stage malware behaviors to evaluate and improve cybersecurity detection systems against evolving threats.
Contribution
It introduces a novel framework for synthesizing executable malware samples with complex behaviors, addressing limitations of existing repositories.
Findings
45.71% of generated samples remain undetected by current detection engines.
MalGEN produces 977 executable samples across multiple platforms and objectives.
Generated artifacts exhibit a wide range of malicious techniques and attack patterns.
Abstract
Modern cybersecurity requires systematic ways to evaluate how detection systems respond to evolving and previously unseen attack behaviors. Existing malware repositories largely capture known patterns and provide limited support for stress-testing defenses against novel threats. To address this, we present MalGEN, a modular testbed that models adversarial workflows and generates executable artifacts in a controlled environment. The framework decomposes high-level attack objectives into structured stages, enabling the synthesis of diverse and multi-stage behaviors. We evaluate MalGEN across 1,920 benchmark settings covering multiple platforms and behavioral objectives, resulting in 977 executable samples. Analysis shows that the generated artifacts exhibit a wide range of malicious techniques and multi-stage attack patterns. However, 45.71% of these samples remain undetected by existing…
