Towards Certified Malware Detection: Provable Guarantees Against Evasion Attacks
Nandakrishna Giri, Asmitha K. A., Serena Nicolazzo, Antonino Nocera, Vinod P

TL;DR
This paper introduces a certifiably robust malware detection framework using randomized smoothing, providing formal guarantees against evasion attacks by analyzing multiple ablated variants of executables.
Contribution
It presents a novel malware detection method that offers provable robustness through feature ablation and noise injection, without altering the base classifier architecture.
Findings
Successfully certifies robustness against metamorphic evasion attacks
Outperforms baseline classifiers on both clean and ablated executables
Provides formal guarantees within a specific feature-space perturbation radius
Abstract
Machine learning-based static malware detectors remain vulnerable to adversarial evasion techniques, such as metamorphic engine mutations. To address this vulnerability, we propose a certifiably robust malware detection framework based on randomized smoothing through feature ablation and targeted noise injection. During evaluation, our system analyzes an executable by generating multiple ablated variants, classifies them by using a smoothed classifier, and identifies the final label based on the majority vote. By analyzing the top-class voting distribution and the Wilson score interval, we derive a formal certificate that guarantees robustness within a specific radius against feature-space perturbations. We evaluate our approach by comparing the performance of the base classifier and the smoothed classifier on both clean executables and ablated variants generated using PyMetaEngine. Our…
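The voting step the abstract describes (ablate, classify each variant, take the majority, bound the top-class share with a Wilson score interval) can be sketched as follows; this is an added example, not the paper's code. The toy base classifier, the 12-feature vectors, the number of kept features and z = 1.96 are assumptions, and the sketch stops at the vote bound because the page does not give the paper's radius formula.

```python
import math
import random

def wilson_lower_bound(successes, n, z=1.96):
    """Lower end of the two-sided Wilson score interval for a binomial share."""
    if n == 0:
        return 0.0
    p_hat = successes / n
    denom = 1 + z * z / n
    centre = p_hat + z * z / (2 * n)
    margin = z * math.sqrt(p_hat * (1 - p_hat) / n + z * z / (4 * n * n))
    return (centre - margin) / denom

def ablate(features, keep, rng):
    """Keep `keep` randomly chosen feature positions and zero out the rest."""
    kept = set(rng.sample(range(len(features)), keep))
    return [v if i in kept else 0.0 for i, v in enumerate(features)]

def toy_base_classifier(features):
    """Hypothetical stand-in for the base detector: 1 = malware, 0 = benign."""
    return 1 if sum(features) >= 2.0 else 0

def smoothed_predict(features, base, n_variants=200, keep=6, seed=0, z=1.96):
    """Majority vote over ablated variants.

    Returns (label, lower_bound, certified). The label is only treated as
    certified when the Wilson lower bound on the top-class vote share is
    above 0.5, i.e. the majority is statistically stable, not a sampling fluke.
    """
    rng = random.Random(seed)
    votes = [0, 0]
    for _ in range(n_variants):
        votes[base(ablate(features, keep, rng))] += 1
    top = 0 if votes[0] >= votes[1] else 1
    lower = wilson_lower_bound(votes[top], n_variants, z)
    return top, lower, lower > 0.5

# Constructed sample feature vectors (not real executables).
CLEAR_MALWARE = [1.0] * 12           # every ablated variant still scores as malware
BENIGN = [0.0] * 12                  # every ablated variant scores as benign
BORDERLINE = [1.0] * 3 + [0.0] * 9   # about half the variants flip the base label

if __name__ == "__main__":
    for name, x in [("clear", CLEAR_MALWARE), ("benign", BENIGN), ("borderline", BORDERLINE)]:
        label, lower, ok = smoothed_predict(x, toy_base_classifier)
        print(f"{name}: label={label} lower_bound={lower:.3f} certified={ok}")
```

A sample whose lower bound does not clear 0.5 should be treated as an abstention rather than a confident verdict.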
