Pavla Louthánová,Matouš Kozák,Martin Jureček,Mark Stamp

DOI: https://doi.org/10.1007/s11416-024-00519-z

2023-08-19

Abstract:Machine learning has proven to be a useful tool for automated malware detection, but machine learning models have also been shown to be vulnerable to adversarial attacks. This article addresses the problem of generating adversarial malware samples, specifically malicious Windows Portable Executable files. We summarize and compare work that has focused on adversarial machine learning for malware detection. We use gradient-based, evolutionary algorithm-based, and reinforcement-based methods to generate adversarial samples, and then test the generated samples against selected antivirus products. We compare the selected methods in terms of accuracy and practical applicability. The results show that applying optimized modifications to previously detected malware can lead to incorrect classification of the file as benign. It is also known that generated malware samples can be successfully used against detection models other than those used to generate them and that using combinations of generators can create new samples that evade detection. Experiments show that the Gym-malware generator, which uses a reinforcement learning approach, has the greatest practical potential. This generator achieved an average sample generation time of 5.73 seconds and the highest average evasion rate of 44.11%. Using the Gym-malware generator in combination with itself improved the evasion rate to 58.35%.

Cryptography and Security,Machine Learning

Junkun Yuan,Shaofang Zhou,Lanfen Lin,Feng Wang,Jia Cui

DOI: https://doi.org/10.3233/faia200388

2020-01-01

Abstract:For efficient malware detection, there are more and more deep learning methods based on raw software binaries. Recent studies show that deep learning models can easily be fooled to make a wrong decision by introducing subtle perturbations to inputs, which attracts a large influx of work in adversarial attacks. However, most of the existing attack methods are based on manual features (e.g., API calls) or in the white-box setting, making the attacks impractical in current real-world scenarios. In this work, we propose a novel attack framework called GAPGAN, which generates adversarial payloads (padding bytes) with generative adversarial networks (GANs). To the best of our knowledge, it is the first work that performs endto-end black-box attacks at the byte-level against deep learning based malware binaries detection. In our attack framework, we map input discrete malware binaries to continuous space, then feed it to the generator of GAPGAN to generate adversarial payloads. We append payloads to the original binaries to craft an adversarial sample while preserving its functionality. We propose to use a dynamic threshold for reducing the loss of the effectiveness of the payloads when mapping it from continuous format back to the original discrete format. For balancing the attention of the generator to the payloads and the adversarial samples, we use an automatic weight tuning strategy. We train GAPGAN with both malicious and benign software. Once the training is finished, the generator can generate an adversarial sample with only the input malware in less than twenty milliseconds. We apply GAPGAN to attack the state-of-the-art detector MalConv and achieve 100% attack success rate with only appending payloads of 2.5% of the total length of the data for detection. We also attack deep learning models with different structures under different defense methods. The experiments show that GAPGAN outperforms other state-of-the-art attack models in efficiency and effectiveness.

Fangtian Zhong,Pengfei Hu,Guoming Zhang,Hong Li,Xiuzhen Cheng

DOI: https://doi.org/10.1016/j.cose.2022.102869

IF: 5.105

2022-01-01

Computers & Security

Abstract:Recent advances in machine learning offer attractive tools for sophisticated adversaries. An attacker could transform malware into its adversarial version but retain its malicious functionality by employing a ded-icated perturbation method. These adversarial malware examples have demonstrated the effectiveness to bypass antivirus engines. However, recent works only leverage a single perturbation method to gen-erate adversarial examples, which cannot defeat advanced detectors. In this paper, we propose a rein-forcement learning-based framework called MalInfo, which could generate powerful adversarial malware examples to evade the third-party detectors via an adaptive selection of a perturbation path for each malware in our collected dataset with 10 0 0 diverse malware. To cope with limited computation, MalInfo applies either dynamic programming or temporal difference learning to choose the optimal perturbation path where each path is formed by the combination of Obfusmal, Stealmal, and Hollowmal. We pro-vide a proof-of-concept implementation and extensive evaluation of our framework. Both the detection rate and evasive rate have substantially been improved compared with the state-of-art research MalFox Zhong et al. (2021). To be specific, The average detection rates for dynamic programming and temporal difference learning are 23 . 2% ( 21 . 9% lower than MalFox) and 27 . 5% ( 7 . 4% lower than MalFox), respectively, and the average evasive rates are 65 . 8% ( 17 . 1% higher than MalFox) and 59 . 4% ( 5 . 7% higher than MalFox), respectively.(c) 2022 Elsevier Ltd. All rights reserved.

Bojan Kolosnjaji,Ambra Demontis,Battista Biggio,Davide Maiorca,Giorgio Giacinto,Claudia Eckert,Fabio Roli

DOI: https://doi.org/10.23919/eusipco.2018.8553214

2018-09-01

Abstract:Machine learning has already been exploited as a useful tool for detecting malicious executable files. Data retrieved from malware samples, such as header fields, instruction sequences, or even raw bytes, is leveraged to learn models that discriminate between benign and malicious software. However, it has also been shown that machine learning and deep neural networks can be fooled by evasion attacks (also known as adversarial examples), i.e., small changes to the input data that cause misclassification at test time. In this work, we investigate the vulnerability of malware detection methods that use deep networks to learn from raw bytes. We propose a gradient-based attack that is capable of evading a recently-proposed deep network suited to this purpose by only changing few specific bytes at the end of each mal ware sample, while preserving its intrusive functionality. Promising results show that our adversarial malware binaries evade the targeted network with high probability, even though less than 1 % of their bytes are modified.

Daniel Gibert,Jordi Planes,Quan Le,Giulio Zizzo

DOI: https://doi.org/10.1109/EuroSPW59978.2023.00052

2023-06-16

Abstract:Malware detectors based on machine learning (ML) have been shown to be susceptible to adversarial malware examples. However, current methods to generate adversarial malware examples still have their limits. They either rely on detailed model information (gradient-based attacks), or on detailed outputs of the model - such as class probabilities (score-based attacks), neither of which are available in real-world scenarios. Alternatively, adversarial examples might be crafted using only the label assigned by the detector (label-based attack) to train a substitute network or an agent using reinforcement learning. Nonetheless, label-based attacks might require querying a black-box system from a small number to thousands of times, depending on the approach, which might not be feasible against malware detectors. This work presents a novel query-free approach to craft adversarial malware examples to evade ML-based malware detectors. To this end, we have devised a GAN-based framework to generate adversarial malware examples that look similar to benign executables in the feature space. To demonstrate the suitability of our approach we have applied the GAN-based attack to three common types of features usually employed by static ML-based malware detectors: (1) Byte histogram features, (2) API-based features, and (3) String-based features. Results show that our model-agnostic approach performs on par with MalGAN, while generating more realistic adversarial malware examples without requiring any query to the malware detectors. Furthermore, we have tested the generated adversarial examples against state-of-the-art multimodal and deep learning malware detectors, showing a decrease in detection performance, as well as a decrease in the average number of detections by the anti-malware engines in VirusTotal.

Cryptography and Security

Xintong Li,Qi Li

DOI: https://doi.org/10.1016/j.cose.2020.102118

2021-05-01

Abstract:<p>In order to reduce the risk of malware, researchers proposed various malware detection methods, in which the machine learning-based method has been paid more and more attention. However, malware developers used a variety of countermeasures to evade detection. For example, they may generate so-called adversarial examples to interfere with machine-learning-based detectors. An adversarial example is one that makes changes to the malware so that the generated malware can evade detection while retaining the malicious functionality. In the complex adversarial environment, only the in-depth analysis of the adversarial code can comprehensively improve the detection level of the detector. In this work, we used improved reinforcement learning to generate adversarial examples. The method accepts malicious code samples as input, and takes detection engine and feature extractor as the environment, to output several malicious samples that can avoid the detection by adjusting each detection results. Compared with the existing methods based on reinforcement learning, our method can generate reward function automatically without manual setting, which greatly improves the flexibility of the model. We compared the effectiveness of our algorithm with other methods in some of the literature on a set of portable executable files (PEs). Experimental results show that our algorithm is more flexible and effective.</p>

computer science, information systems

Weiwei Hu,Ying Tan

DOI: https://doi.org/10.1007/978-981-19-8991-9_29

2022-01-01

Abstract:Machine learning has been used to detect new malware in recent years, while malware authors have strong motivation to attack such algorithms. Malware authors usually have no access to the detailed structures and parameters of the machine learning models used by malware detection systems, and therefore they can only perform black-box attacks. This paper proposes a generative adversarial network (GAN) based algorithm named MalGAN to generate adversarial malware examples, which are able to bypass black-box machine learning based detection models. MalGAN uses a substitute detector to fit the black-box malware detection system. A generative network is trained to minimize the generated adversarial examples' malicious probabilities predicted by the substitute detector. The superiority of MalGAN over traditional gradient based adversarial example generation algorithms is that MalGAN is able to decrease the detection rate to nearly zero and make the retraining based defensive method against adversarial examples hard to work.

Rayan Mosli,Thomas J. Slota,Yin Pan

DOI: https://doi.org/10.1109/hst53381.2021.9619825

2021-01-01

Abstract:Malconv is considered the state-of-the-art in mal-ware detection for Windows PE executables. It is a Convolutional Deep Learning model that is capable of consuming executable byte code to detect malware with high accuracy. Attacks have been created that can effectively generate adversarial examples to evade the detection of Malconv. However, these attacks generate adversarial examples by inserting benign bytes to maintain the malware’s malicious functionalities, an approach that is presumed to be easily detectable. In this paper, a novel black-box attack is proposed to create adversarial examples against Malconv, where functionally-equivalent instruction replacements are combined with Particle Swarm Optimization to create adversarial examples. The overall goal is to demonstrate that Malconv is prone to sophisticated attacks that interact with the executable portions of the malware.

Shuai He,Cai Fu,Hong Hu,Jiahe Chen,Jianqiang Lv,Shuai Jiang

DOI: https://doi.org/10.1145/3597503.3639141

2024-01-01

Abstract:Recent methods have demonstrated that machine learning (ML) based static malware detection models are vulnerable to adversarial attacks. However, the generated malware often fails to generalize to production-level anti-malware software (AMS), as they usually involve multiple detection methods. This calls for universal solutions to the problem of malware variants generation. In this work, we demonstrate how the proposed method, MalwareTotal, has allowed malware variants to continue to abound in ML-based, signature-based, and hybrid anti-malware software. Given a malicious binary, we develop sequential bypass tactics that enable malicious behavior to be concealed within multi-faceted manipulations. Through 12 experiments on real-world malware, we demonstrate that an attacker can consistently bypass detection (98.67%, and 100% attack success rate against ML-based methods EMBER and MalConv, respectively; 95.33%, 92.63%, and 98.52% attack success rate against production-level anti-malware software ClamAV, AMS A, and AMS B, respectively) without modifying the malware functionality. We further demonstrate that our approach outperforms state-of-the-art adversarial malware generation techniques both in attack success rate and query consumption (the number of queries to the target model). Moreover, the samples generated by our method have demonstrated transferability in the real-world integrated malware detector, VirusTotal. In addition, we show that common mitigation such as adversarial training on known attacks cannot effectively defend against the proposed attack. Finally, we investigate the value of the generated adversarial examples as a means of hardening victim models through an adversarial training procedure, and demonstrate that the accuracy of the retrained model against generated adversarial examples increases by 88.51 percentage points.

James Lee Hu,Mohammadreza Ebrahimi,Hsinchun Chen

DOI: https://doi.org/10.48550/arXiv.2112.01724

2021-12-03

Cryptography and Security

Abstract:Deep Learning (DL)-based malware detectors are increasingly adopted for early detection of malicious behavior in cybersecurity. However, their sensitivity to adversarial malware variants has raised immense security concerns. Generating such adversarial variants by the defender is crucial to improving the resistance of DL-based malware detectors against them. This necessity has given rise to an emerging stream of machine learning research, Adversarial Malware example Generation (AMG), which aims to generate evasive adversarial malware variants that preserve the malicious functionality of a given malware. Within AMG research, black-box method has gained more attention than white-box methods. However, most black-box AMG methods require numerous interactions with the malware detectors to generate adversarial malware examples. Given that most malware detectors enforce a query limit, this could result in generating non-realistic adversarial examples that are likely to be detected in practice due to lack of stealth. In this study, we show that a novel DL-based causal language model enables single-shot evasion (i.e., with only one query to malware detector) by treating the content of the malware executable as a byte sequence and training a Generative Pre-Trained Transformer (GPT). Our proposed method, MalGPT, significantly outperformed the leading benchmark methods on a real-world malware dataset obtained from VirusTotal, achieving over 24.51\% evasion rate. MalGPT enables cybersecurity researchers to develop advanced defense capabilities by emulating large-scale realistic AMG.

Abdullah Al-Dujaili,Alex Huang,Erik Hemberg,Una-May O'Reilly

DOI: https://doi.org/10.48550/arXiv.1801.02950

2018-03-25

Abstract:Malware is constantly adapting in order to avoid detection. Model based malware detectors, such as SVM and neural networks, are vulnerable to so-called adversarial examples which are modest changes to detectable malware that allows the resulting malware to evade detection. Continuous-valued methods that are robust to adversarial examples of images have been developed using saddle-point optimization formulations. We are inspired by them to develop similar methods for the discrete, e.g. binary, domain which characterizes the features of malware. A specific extra challenge of malware is that the adversarial examples must be generated in a way that preserves their malicious functionality. We introduce methods capable of generating functionally preserved adversarial malware examples in the binary domain. Using the saddle-point formulation, we incorporate the adversarial examples into the training of models that are robust to them. We evaluate the effectiveness of the methods and others in the literature on a set of Portable Execution~(PE) files. Comparison prompts our introduction of an online measure computed during training to assess general expectation of robustness.

Cryptography and Security,Machine Learning

Rahim Taheri,Reza Javidan,Mohammad Shojafar,Vinod P,Mauro Conti

DOI: https://doi.org/10.48550/arXiv.1904.09433

2020-02-29

Abstract:The widespread adoption of smartphones dramatically increases the risk of attacks and the spread of mobile malware, especially on the Android platform. Machine learning-based solutions have been already used as a tool to supersede signature-based anti-malware systems. However, malware authors leverage features from malicious and legitimate samples to estimate statistical difference in-order to create adversarial examples. Hence, to evaluate the vulnerability of machine learning algorithms in malware detection, we propose five different attack scenarios to perturb malicious applications (apps). By doing this, the classification algorithm inappropriately fits the discriminant function on the set of data points, eventually yielding a higher misclassification rate. Further, to distinguish the adversarial examples from benign samples, we propose two defense mechanisms to counter attacks. To validate our attacks and solutions, we test our model on three different benchmark datasets. We also test our methods using various classifier algorithms and compare them with the state-of-the-art data poisoning method using the Jacobian matrix. Promising results show that generated adversarial samples can evade detection with a very high probability. Additionally, evasive variants generated by our attack models when used to harden the developed anti-malware system improves the detection rate up to 50% when using the Generative Adversarial Network (GAN) method.

Cryptography and Security,Artificial Intelligence,Computational Complexity,Machine Learning

Daniel Gibert,Carles Mateu,Jordi Planes,Joao Marques-Silva

DOI: https://doi.org/10.1016/j.cose.2020.102159

2021-03-01

Abstract:Malicious software is one of the most serious cyber threats on the Internet today. Traditional malware detection has proven unable to keep pace with the sheer number of malware because of their growing complexity, new attacks and variants. Most malware implement various metamorphic techniques in order to disguise themselves, therefore preventing successful analysis and thwarting the detection by signature-based anti-malware engines. During the past decade, there has been an increase in the research and deployment of anti-malware engines powered by machine learning, and in particular deep learning, due to their ability to handle huge volumes of malware and generalize to never-before-seen samples. However, there is little research about the vulnerability of these models to adversarial examples. To fill this gap, this paper presents an exhaustive evaluation of the state-of-the-art approaches for malware classification against common metamorphic attacks. Given the limitations found in deep learning approaches, we present a simple architecture that increases 14.95% the classification performance with respect to MalConv's architecture. Furthermore, the use of the metamorphic techniques to augment the training set is investigated and results show that it significantly improves the classification of malware belonging to families with few samples.

computer science, information systems

Jun Chen,Jingfei Jiang,Rongchun Li,Yong Dou

DOI: https://doi.org/10.1088/1742-6596/1575/1/012011

2020-01-01

Abstract:Machine learning technology has been applied in filed of malware detection; it can improve efficiency of malware detection to deal with more and more increasing malware variants. However, malware detection model based on machine learning also has weakness which can be cheated by adversarial examples. Researching on method of generating adversarial examples could be benefit to exposing vulnerability of malware detection model and designing better malware detector. In this paper, we propose a reinforcement learning environment named gym-malware-mini based on gym-malware through which we generate adversarial examples using DQN and A2C deep reinforcement learning algorithm. As a result, DQN agent learned better policy of generating adversarial examples in gym-malware-mini, Success rate is increased by 18% compared with gym-malware. Success rate of DQN agent and A2C agent is increased by 20% and 15% compared with random agent in gym-malware-mini environment.

Mohammadreza Ebrahimi,Ning Zhang,James Hu,Muhammad Taqi Raza,Hsinchun Chen

DOI: https://doi.org/10.48550/arXiv.2012.07994

2020-12-15

Abstract:Anti-malware engines are the first line of defense against malicious software. While widely used, feature engineering-based anti-malware engines are vulnerable to unseen (zero-day) attacks. Recently, deep learning-based static anti-malware detectors have achieved success in identifying unseen attacks without requiring feature engineering and dynamic analysis. However, these detectors are susceptible to malware variants with slight perturbations, known as adversarial examples. Generating effective adversarial examples is useful to reveal the vulnerabilities of such systems. Current methods for launching such attacks require accessing either the specifications of the targeted anti-malware model, the confidence score of the anti-malware response, or dynamic malware analysis, which are either unrealistic or expensive. We propose MalRNN, a novel deep learning-based approach to automatically generate evasive malware variants without any of these restrictions. Our approach features an adversarial example generation process, which learns a language model via a generative sequence-to-sequence recurrent neural network to augment malware binaries. MalRNN effectively evades three recent deep learning-based malware detectors and outperforms current benchmark methods. Findings from applying our MalRNN on a real dataset with eight malware categories are discussed.

Cryptography and Security,Machine Learning

Yanchen Qiao,Weizhe Zhang,Zhicheng Tian,Laurence T. Yang,Yang Liu,Mamoun Alazab

DOI: https://doi.org/10.1016/j.cose.2022.102762

IF: 5.105

2022-01-01

Computers & Security

Abstract:The deep learning methods had been proved to be effective for malware detection in the past. However, the recent studies show that deep learning models are vulnerable to adversarial attacks. Thus, the malware detection models based on deep learning face the threat of adversarial examples. As a popular case of adversarial examples, adversarial images are usually generated by adding unrecognizable perturbations to original pictures. When applying the same method to the windows PE (Portable Executable) malware, the original structure cannot be destroyed and the original functions of PE malware need to be preserved. Most existing windows adversarial malware generation works are derived from adversarial image methods with some adaptive modifications such as inserting perturbations in the slack space of the PE file. The both generation methods have some similarities but also many differences. Thus, directly using the methods of adversarial images to create malware effects the efficiency and fooling rate. In this paper, we overcome these issues by proposing a method for generating windows adversarial malware in PE format based on prototype samples of deep learning models. The prototype samples are the most typical ones of a certain category of the classification models. With the characteristic of the prototype samples, the bytes of the prototype samples are added as perturbations to the malware samples. This way can fast generate adversarial malware that could fool the target model. The proposed method is evaluated on a real world dataset of malware. Promising results show that the method can fool the deep learning based malware detection models with a high rate.(c) 2022 Elsevier Ltd. All rights reserved.

Jianhua Wang,Xiaolin Chang,Jelena Misic,Vojislav B. Misic,Yixiang Wang,Jianan Zhang

DOI: https://doi.org/10.1109/globecom46510.2021.9685442

2021-01-01

Abstract:Various Machine Learning (ML) models have been developed for malware detection. But their widespread application is challenged by adversarial attacks using adversarial malware examples. Generative Adversarial Networks (GAN) is one of the effective approaches to help build possible unknown attacks and expose the vulnerability of targeted systems. The existing GAN-based ML models have the weaknesses of unstable training and low-quality adversarial examples. In this paper, we propose a novel Mal-LSGAN model to tackle these weaknesses. By using a Least Square (LS) loss function and new activation function combinations, Mal-LSGAN achieves a higher Attack Success Rate (ASR) and a lower True Positive Rate (TPR) in 6 ML detectors, compared with the existing MalGAN and Imp-MalGAN. In Multi-Layer Perceptron (MLP), Mal-LSGAN can even decrease TPR from 97.81% of original examples to 2.92% of adversarial examples. The experimental results also demonstrate that Mal-Lsgangets the preferable transferability of adversarial malware examples.

Jack W. Stokes,De Wang,Mady Marinescu,Marc Marino,Brian Bussone

DOI: https://doi.org/10.48550/arXiv.1712.05919

2017-12-16

Cryptography and Security

Abstract:Recently researchers have proposed using deep learning-based systems for malware detection. Unfortunately, all deep learning classification systems are vulnerable to adversarial attacks. Previous work has studied adversarial attacks against static analysis-based malware classifiers which only classify the content of the unknown file without execution. However, since the majority of malware is either packed or encrypted, malware classification based on static analysis often fails to detect these types of files. To overcome this limitation, anti-malware companies typically perform dynamic analysis by emulating each file in the anti-malware engine or performing in-depth scanning in a virtual machine. These strategies allow the analysis of the malware after unpacking or decryption. In this work, we study different strategies of crafting adversarial samples for dynamic analysis. These strategies operate on sparse, binary inputs in contrast to continuous inputs such as pixels in images. We then study the effects of two, previously proposed defensive mechanisms against crafted adversarial samples including the distillation and ensemble defenses. We also propose and evaluate the weight decay defense. Experiments show that with these three defensive strategies, the number of successfully crafted adversarial samples is reduced compared to a standard baseline system without any defenses. In particular, the ensemble defense is the most resilient to adversarial attacks. Importantly, none of the defenses significantly reduce the classification accuracy for detecting malware. Finally, we demonstrate that while adding additional hidden layers to neural models does not significantly improve the malware classification accuracy, it does significantly increase the classifier's robustness to adversarial attacks.

K. A. Asmitha,Vinod Puthuvath,K. A. Rafidha Rehiman,S. L. Ananth

DOI: https://doi.org/10.1007/s10586-024-04397-4

2024-04-19

Cluster Computing

Abstract:The proliferation of malware variants has shown a steep increase, attributed to their enhanced sophistication and the utilization of the latest technologies. This constitutes a severe menace to smart gadgets and IT infrastructure. Malware visualization has emerged as an exceptionally attractive technique, primarily because it obviates the need for disassembly or code execution. In this approach, malicious executables are transformed into visual representations resembling images. This visual representation allows for the extraction of textural features using the Local Binary Pattern (LBP) technique. Subsequently, classification models are constructed using ResNet50, VGG16, and customized models tailored to the specific task. These model undergoes extensive evaluation through two benchmark datasets: the MalImg dataset (consisting of 9,342 instances of malware across 25 families) and the Malware Classification Challenge dataset (BIG2015) (with 10,868 labeled malware instances across nine families). Additionally, the model is validated on a self-made dataset, which we named Malhub, consisting of 26,452 executables comprising 20 families. Furthermore, we implemented a white-box adversarial attack using additive noise (Gaussian, Local Variable, Poisson, Salt and Pepper, Speckle). We observed an F1 score in the range of 0.992 0.993 for MalImg, 0.874 0.878 for BIG2015, and 0.014 0.992 for Malhub dataset. This proves that efforts are required to tune machine learning models to detect adversarial examples.

computer science, information systems, theory & methods

Zhiyang Fang,Junfeng Wang,Jiaxuan Geng,Yingjie Zhou,Xuan Kan

DOI: https://doi.org/10.1016/j.asoc.2021.107505

IF: 8.7

2021-01-01

Applied Soft Computing

Abstract:Machine learning algorithms have been proved to be vulnerable to adversarial attacks. The potential adversary is able to force the model to produce deliberate errors by elaborately modifying the training samples. For malware analysis, most of the existing research on evasion attacks focuses on a detection scenario, while less attention is paid to the classification scenario which is vital to decide a suitable system response in time. To fulfill this gap, this paper tries to address the misclassification problem in malware analysis. A reinforcement learning model named A3CMal is proposed. This adversarial model aims to generate adversarial samples which can fool the target classifier. As a core component of A3CMal, the self-learning agent constantly takes optimal actions to confuse the classification by slightly modifying samples on the basis of the observed states. Extensive experiments are performed to test the validity of A3CMal. The results show that the proposed A3CMal can force the target classifier to make wrong predictions while preserving the malicious functionality of the malware. Remarkably, not only can it cause the system to indicate an incorrect classification, but also can mislead the target model to classify malware into a specific category. Furthermore, our experiments demonstrate that the PE-based classifier is vulnerable to the adversarial samples generated by A3CMal. (C) 2021 Elsevier B.V. All rights reserved.