XAdv: Robust Explanations for Malware Detection
Lead Research Organisation:
King's College London
Department Name: Informatics
Abstract
Malware (short for "malicious software") refers to any software that performs malicious activities, such as stealing information (e.g., spyware) and damaging systems (e.g., ransomware). Malware authors constantly update their attack strategies to evade detection by antivirus systems, and automatically generate multiple variants of the same malware that are harder to recognize than the original. Traditional malware detection methods relying on manually defined patterns (e.g., sequences of bytes) are time-consuming and error-prone. Hence, academic and industry researchers have started exploring how Machine Learning (ML) can help detect new, unseen malware types. In this context, explaining ML decisions is fundamental for security analysts to verify the correctness of a decision and to develop patches and remediations faster. However, it has been shown that attackers can induce arbitrary, wrong explanations in ML systems by carefully modifying a few bytes of their malware.
This project, XAdv ("X" for explanation, and "Adv" for adversarial robustness), aims to design "robust explanations" for malware detection, i.e., explanations of model decisions which are easy for security analysts to understand and visualize (to support faster verification of maliciousness and development of patches), and which remain trustworthy and reliable even in the presence of malware evolution over time and evasive malware authors.
Moreover, this project will explore how robust explanations can be used to automatically adapt ML-based malware detection models to new threats over time, as well as to integrate domain knowledge, derived from security analysts' feedback on robust explanations, to improve detection accuracy.
Organisations
- King's College London (Lead Research Organisation, Project Partner)
- Avast Software s.r.o (Collaboration)
- Texas A&M University (Collaboration)
- University of California, Santa Barbara (Collaboration)
- University of Maryland, College Park (Collaboration)
- University of Leuven (Collaboration)
- University of California, Berkeley (Collaboration)
- Technical University of Braunschweig (Project Partner)
- University of Illinois at Urbana-Champaign (Project Partner)
- Avast Software s.r.o. (Project Partner)
- NCC Group (Project Partner)
- University of Cagliari (Project Partner)
Publications

Giovanni Apruzzese
(2024)
When Adversarial Perturbations meet Concept Drift: an Exploratory Analysis on ML-NIDS

McFadden S.
(2024)
WENDIGO: Deep Reinforcement Learning for Denial-of-Service Query Discovery in GraphQL
in Proceedings - 45th IEEE Symposium on Security and Privacy Workshops, SPW 2024

McFadden S.
(2023)
Poster: RPAL-Recovering Malware Classifiers from Data Poisoning using Active Learning
in CCS 2023 - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security


Theo Chow
(2023)
Drift Forensics of Malware Classifiers

Tsingenopoulos I
(2024)
How to Train your Antivirus: RL-based Hardening through the Problem-Space

Yigitcan Kaya
(2025)
ML-Based Behavioral Malware Detection Is Far From a Solved Problem
in IEEE Conference on Secure and Trustworthy Machine Learning (SaTML), 2025
Related Projects
Project Reference | Relationship | Related To | Start | End | Award Value
---|---|---|---|---|---
EP/X015971/1 | | | 30/09/2023 | 31/10/2024 | £315,128
EP/X015971/2 | Transfer | EP/X015971/1 | 01/11/2024 | 29/09/2026 | £259,068
Title | Drift Forensics of Malware Classifiers |
Description | Prototype of the work on using explanation methods to identify potential root causes of the detection performance decay of malware classifiers over time. The code supports reproducibility of the work.
Type Of Material | Improvements to research infrastructure |
Year Produced | 2023 |
Provided To Others? | Yes |
Impact | Not yet identified. |
URL | https://github.com/isneslab/DriftAnalysis |
Title | RPAL |
Description | Code for evaluating recovery over time from poisoning of malware detection model. This repository is the official release of the code used for the 'The Impact of Active Learning on Availability Data Poisoning for Android Malware Classifiers' Paper published in the Workshop on Recent Advances in Resilient and Trustworthy Machine Learning (ARTMAN) 2024, co-located with ACSAC. |
Type Of Material | Improvements to research infrastructure |
Year Produced | 2024 |
Provided To Others? | Yes |
Impact | Not yet identified. |
URL | https://github.com/s2labres/RPAL |
Title | AutoRobust |
Description | This dataset comprises the dynamic analysis reports generated by CAPEv2 from both malware and goodware. We source the goodware as in Dambra et al. (https://arxiv.org/abs/2307.14657), who use the community-maintained packages of Chocolatey to build a dataset spanning 2012 to 2020. The malware are sourced from VirusTotal, namely Portable Executable (PE) samples from 2017-2020 released for academic purposes. In total, the dataset we assembled contains 26,200 PE samples: 8,600 (33%) goodware and 17,675 (67%) malware. All samples were executed in a series of Windows 7 VMware virtual machines without network connectivity, due to policy/ethical constraints. These were orchestrated through CAPEv2, a maintained open-source successor of Cuckoo. This framework is widely used for analyzing and detecting potentially malicious binaries by executing them in an isolated environment and observing their behavior without risking the security of the host system. Every sample was executed for 150 seconds, an empirical lower bound on the time required to capture the full behavior of samples. To mitigate evasive checks, we ran the VMwareCloak script to remove well-known artifacts introduced by VMware. Moreover, we populated the filesystem with documents and other common file types to resemble a legitimate desktop workstation that malware may identify as a valuable target. The dynamic analysis output is a detailed report with information on the syscalls invoked by the binary, including their respective flags and arguments, as well as all interactions with the file system, registry, network, and other key elements of the operating system. The final dataset contains only the dynamic analysis reports, without the original binaries.
Type Of Material | Database/Collection of data |
Year Produced | 2024 |
Provided To Others? | Yes |
Impact | Not yet identified. |
URL | https://paperswithcode.com/dataset/autorobust |
Description | Adversarial Training for Robust Windows Malware Detection |
Organisation | Avast Software s.r.o |
Country | Czech Republic |
Sector | Private |
PI Contribution | We provided expertise in the problem-space reformulation of adversarial ML, and adapted it to an explanation-based modification of dynamic analysis reports for Windows. After bypassing an ML component of a commercial antivirus, we developed a hardening method that prevents attacks within a certain threat model.
Collaborator Contribution | Our partners provided insights into the explainer and multi-instance learning algorithms used in a component of a commercial antivirus, and into the reinforcement learning pattern we integrated with the explainer to harden the ML component for Windows malware detection.
Impact | We published a paper at RAID 2024 and publicly released a dataset of dynamic analysis reports.
Start Year | 2023 |
Description | Adversarial Training for Robust Windows Malware Detection |
Organisation | University of Leuven |
Country | Belgium |
Sector | Academic/University |
PI Contribution | We provided expertise in the problem-space reformulation of adversarial ML, and adapted it to an explanation-based modification of dynamic analysis reports for Windows. After bypassing an ML component of a commercial antivirus, we developed a hardening method that prevents attacks within a certain threat model.
Collaborator Contribution | Our partners provided insights into the explainer and multi-instance learning algorithms used in a component of a commercial antivirus, and into the reinforcement learning pattern we integrated with the explainer to harden the ML component for Windows malware detection.
Impact | We published a paper at RAID 2024 and publicly released a dataset of dynamic analysis reports.
Start Year | 2023 |
Description | Investigating Limitations on Current Behavior-based Malware Detection |
Organisation | Texas A&M University |
Country | United States |
Sector | Academic/University |
PI Contribution | We provided our expertise on ML-based malware detection, as well as implications related to concept drift in this domain. |
Collaborator Contribution | Our partners had access to a dataset of real-world analysis traces, and compared detection effectiveness against training on sandbox-derived dynamic analysis traces, as is commonly done in the security literature. It became clear that sandbox analysis traces are insufficient in most cases to generalize to in-the-wild traces, and the collaboration resulted in a publication that discusses the trade-offs in these scenarios and ways forward for the community.
Impact | Publication: Yigitcan Kaya, Yizheng Chen, Marcus Botacin, Shoumik Saha, Fabio Pierazzi, Lorenzo Cavallaro, David Wagner, and Tudor Dumitras, "ML-Based Behavioral Malware Detection Is Far From a Solved Problem", in IEEE Conference on Secure and Trustworthy Machine Learning (SaTML), 2025. Leaderboard website for comparing the effectiveness of different security solutions: malwaredetectioninthewild.github.io
Start Year | 2023 |
Description | Investigating Limitations on Current Behavior-based Malware Detection |
Organisation | University of California, Berkeley |
Country | United States |
Sector | Academic/University |
PI Contribution | We provided our expertise on ML-based malware detection, as well as implications related to concept drift in this domain. |
Collaborator Contribution | Our partners had access to a dataset of real-world analysis traces, and compared detection effectiveness against training on sandbox-derived dynamic analysis traces, as is commonly done in the security literature. It became clear that sandbox analysis traces are insufficient in most cases to generalize to in-the-wild traces, and the collaboration resulted in a publication that discusses the trade-offs in these scenarios and ways forward for the community.
Impact | Publication: Yigitcan Kaya, Yizheng Chen, Marcus Botacin, Shoumik Saha, Fabio Pierazzi, Lorenzo Cavallaro, David Wagner, and Tudor Dumitras, "ML-Based Behavioral Malware Detection Is Far From a Solved Problem", in IEEE Conference on Secure and Trustworthy Machine Learning (SaTML), 2025. Leaderboard website for comparing the effectiveness of different security solutions: malwaredetectioninthewild.github.io
Start Year | 2023 |
Description | Investigating Limitations on Current Behavior-based Malware Detection |
Organisation | University of California, Santa Barbara |
Country | United States |
Sector | Academic/University |
PI Contribution | We provided our expertise on ML-based malware detection, as well as implications related to concept drift in this domain. |
Collaborator Contribution | Our partners had access to a dataset of real-world analysis traces, and compared detection effectiveness against training on sandbox-derived dynamic analysis traces, as is commonly done in the security literature. It became clear that sandbox analysis traces are insufficient in most cases to generalize to in-the-wild traces, and the collaboration resulted in a publication that discusses the trade-offs in these scenarios and ways forward for the community.
Impact | Publication: Yigitcan Kaya, Yizheng Chen, Marcus Botacin, Shoumik Saha, Fabio Pierazzi, Lorenzo Cavallaro, David Wagner, and Tudor Dumitras, "ML-Based Behavioral Malware Detection Is Far From a Solved Problem", in IEEE Conference on Secure and Trustworthy Machine Learning (SaTML), 2025. Leaderboard website for comparing the effectiveness of different security solutions: malwaredetectioninthewild.github.io
Start Year | 2023 |
Description | Investigating Limitations on Current Behavior-based Malware Detection |
Organisation | University of Maryland, College Park |
Country | United States |
Sector | Academic/University |
PI Contribution | We provided our expertise on ML-based malware detection, as well as implications related to concept drift in this domain. |
Collaborator Contribution | Our partners had access to a dataset of real-world analysis traces, and compared detection effectiveness against training on sandbox-derived dynamic analysis traces, as is commonly done in the security literature. It became clear that sandbox analysis traces are insufficient in most cases to generalize to in-the-wild traces, and the collaboration resulted in a publication that discusses the trade-offs in these scenarios and ways forward for the community.
Impact | Publication: Yigitcan Kaya, Yizheng Chen, Marcus Botacin, Shoumik Saha, Fabio Pierazzi, Lorenzo Cavallaro, David Wagner, and Tudor Dumitras, "ML-Based Behavioral Malware Detection Is Far From a Solved Problem", in IEEE Conference on Secure and Trustworthy Machine Learning (SaTML), 2025. Leaderboard website for comparing the effectiveness of different security solutions: malwaredetectioninthewild.github.io
Start Year | 2023 |
Description | ACSAC - Artifacts Competition and Impact Award Finalists Presentation |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Postgraduate students |
Results and Impact | Tesseract, the prototype for time-aware evaluation of ML classifiers that we released on GitHub in 2024, was shortlisted as a finalist for the Artifacts Competition and Impact Award at the ACSAC 2024 conference. The Project Lead, Dr. Fabio Pierazzi, gave a talk at the conference presenting the findings and impact of the Tesseract paper connected to this project, in front of an audience that included academics, Ph.D. and postgraduate students, and practitioners from industry.
Year(s) Of Engagement Activity | 2024 |
URL | https://www.acsac.org/2024/program/artifacts_competition/ |
Description | KU Leuven Summer School |
Form Of Engagement Activity | A talk or presentation |
Part Of Official Scheme? | No |
Geographic Reach | International |
Primary Audience | Postgraduate students |
Results and Impact | Invited research presentation at the Ph.D. Summer School on "Security & Privacy in the Age of AI", on bridging the gap between academia and industry by creating more realistic evaluations of ML for systems security and malware detection.
Year(s) Of Engagement Activity | 2024 |
URL | https://cybersecurity-research.be/summer-school-on-security-privacy-in-the-age-of-ai-2024 |