arxiv: 2604.22639 · v1 · submitted 2026-04-24 · 💻 cs.CR · cs.LG

Recognition: unknown

Adversarial Malware Generation in Linux ELF Binaries via Semantic-Preserving Transformations

Luk\'a\v{s} Hrdonka , Martin Jure\v{c}ek

Authors on Pith no claims yet

Pith reviewed 2026-05-08 11:37 UTC · model grok-4.3

classification 💻 cs.CR cs.LG

keywords adversarial malwareELF binariessemantic-preserving transformationsMalConvevasion rateLinux malwarestring injection

0 comments

The pith

Semantic-preserving string modifications let ELF malware evade MalConv at a 67.74 percent rate.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents a generator that creates adversarial variants of Linux ELF malware through transformations that keep the original malicious behavior intact. It focuses on MalConv as the target classifier and shows that replacing or inserting strings drawn from benign files produces the strongest evasion results. The evaluation reports a 67.74 percent evasion rate together with a mean drop of 0.50 in the classifier's malware confidence score. Experiments further indicate that MalConv decisions are driven by string content irrespective of where those strings sit inside the executable. The work therefore establishes that current string-sensitive models leave ELF binaries open to simple, functionality-preserving attacks.

Core claim

An adversarial generator for Linux ELF binaries applies semantic-preserving transformations, chiefly the insertion of strings typical of benign files, to produce variants that evade the MalConv classifier. On the evaluated dataset these modifications achieve a 67.74 percent evasion rate while shifting mean classifier is 0.50 lower; the same experiments demonstrate that MalConv remains sensitive to string content at any file offset.

What carries the argument

The adversarial ELF malware generator that performs semantic-preserving string substitutions drawn from benign executables while leaving program semantics unchanged.

If this is right

Detectors that rely on MalConv-style models will remain vulnerable to string-content attacks unless they incorporate location-agnostic or context-aware string analysis.
The demonstrated sensitivity to any embedded string implies that feature-extraction pipelines must treat textual data as a first-class, position-independent signal.
Adversarial training that includes string-augmented ELF samples could raise the bar for this class of evasion.
The same transformation set can be applied to other ML-based ELF detectors to measure how widely the string sensitivity generalizes.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Similar string-injection tactics may succeed against non-MalConv ELF detectors that also treat embedded text as a discriminative feature.
Linux-specific malware defenses will need techniques distinct from those developed for Windows PE files.
Measuring evasion after retraining MalConv on adversarial ELF samples would test whether the observed vulnerability is an artifact of the original training distribution.

Load-bearing premise

The chosen string transformations keep the original malicious functionality, preserve executability, and introduce no new artifacts that a detector could use.

What would settle it

Execute the generated binaries on a clean Linux system and verify that they still perform their original malicious actions without crashing or altering behavior.

Figures

Figures reproduced from arXiv: 2604.22639 by Luk\'a\v{s} Hrdonka, Martin Jure\v{c}ek.

**Figure 1.** Figure 1: Experiment 1 – Dependency of Extended Evasion view at source ↗

**Figure 2.** Figure 2: Experiment 2 – Dependency of Extended Evasion view at source ↗

read the original abstract

Malware development and detection have undergone significant changes in recent years as modern concepts, such as machine learning, have been used for both adversarial attacks and defense. Despite intensive research on Windows Portable Executable (PE) files, there is minimal work on Linux Executable and Linkable Format (ELF). In this work, we summarize the academic papers submitted in this field and develop a new adversarial malware generator for the ELF format. Using a variety of metrics, we thoroughly evaluated our generator and achieved an Evasion Rate of 67.74 % while changing the confidence of the malware detector by -0.50 in the mean case for the dataset used. In our approach, we chose MalConv as the target classifier. Using this classifier, we found that the most successful modifications used strings typical of benign files as a data source. We conducted a variety of experiments and concluded that the target classifier appears sensitive to strings at any location within the executable file.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper gives a concrete generator for evading MalConv on ELF binaries via benign string insertions, but the 67% evasion claim rests on unverified semantic preservation.

read the letter

The main takeaway is a practical generator for Linux ELF adversarial malware that pulls strings from benign files and inserts them to drop MalConv . The work is new in a thin area—most adversarial malware papers stay on Windows PE—so the summary of prior ELF efforts plus the reported 67.74 % evasion rate and -0.5 mean drop is worth noting. They also show the model reacts to strings anywhere in the file, which is a clean observation from their experiments.

Referee Report

2 major / 1 minor

Summary. The paper develops an adversarial malware generator for Linux ELF binaries that applies semantic-preserving transformations (e.g., string insertions drawn from benign files) to sections and string tables. Targeting the MalConv classifier, the authors report an evasion rate of 67.74% together with a mean detector confidence change of -0.50 on the dataset used, summarize prior ELF-related work, and conclude that the target classifier is sensitive to strings at any location within the executable.

Significance. If the transformations are verifiably semantic-preserving and the evaluation supplies the missing controls, the work would usefully extend adversarial malware research from the well-studied PE format to the comparatively under-explored ELF format. The reported string-sensitivity observation could, if substantiated, guide improvements to ML-based Linux malware detectors.

major comments (2)

[Abstract] Abstract: the reported evasion rate of 67.74% and mean confidence change of -0.50 are given without dataset size, number of transformed samples, baseline attack methods, error bars, or statistical significance tests, preventing assessment of result reliability.
[Methods/Evaluation] Methods/Evaluation: the central claim that the transformations preserve malicious functionality (required to interpret the evasion rate as meaningful) lacks any reported verification such as sandbox execution traces, behavioral differential analysis, or dynamic checks that the modified ELF binaries continue to execute as intended malware.

minor comments (1)

[Abstract] Abstract: the phrases 'a variety of metrics' and 'a variety of experiments' are used without enumeration, reducing immediate clarity for readers.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. We address each major comment point by point below, indicating the revisions we intend to incorporate.

read point-by-point responses

Referee: [Abstract] Abstract: the reported evasion rate of 67.74% and mean confidence change of -0.50 are given without dataset size, number of transformed samples, baseline attack methods, error bars, or statistical significance tests, preventing assessment of result reliability.

Authors: We agree that the abstract would benefit from these supporting details to allow readers to assess reliability. In the revised manuscript we will expand the abstract to report the dataset size, the number of transformed samples, any baseline comparisons performed, and note the presence of error bars or significance testing (with full details moved to the evaluation section while keeping the abstract concise). revision: yes
Referee: [Methods/Evaluation] Methods/Evaluation: the central claim that the transformations preserve malicious functionality (required to interpret the evasion rate as meaningful) lacks any reported verification such as sandbox execution traces, behavioral differential analysis, or dynamic checks that the modified ELF binaries continue to execute as intended malware.

Authors: The referee is correct that we have not reported explicit dynamic verification. Our transformations are constructed to be semantic-preserving by operating exclusively on non-executable sections and the string table, inserting strings drawn from benign files without altering code segments, data references, or control flow. We will add a dedicated subsection in the revision that explains these structural guarantees based on ELF format analysis and, where feasible, include limited dynamic checks on a subset of samples to further substantiate the claim. revision: partial

Circularity Check

0 steps flagged

No circularity: purely empirical evaluation of transformations against external classifier

full rationale

The paper reports an empirical generator for ELF adversarial examples, measures evasion rate (67.74 %) and confidence shift (-0.50) on a fixed external MalConv model, and concludes string sensitivity from those runs. No equations, no fitted parameters renamed as predictions, no self-citation chains supporting the central claims, and no self-definitional steps appear in the abstract or described methodology. The evaluation is a direct measurement against an independent classifier; semantic-preservation assumptions are stated but do not reduce any reported result to the inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the domain assumption that the applied transformations preserve malicious semantics and functionality. No free parameters or invented entities are described in the abstract.

axioms (1)

domain assumption Semantic-preserving transformations maintain the original malicious behavior and executability of the ELF malware.
Invoked in the description of the generator approach and evaluation.

pith-pipeline@v0.9.0 · 5470 in / 1155 out tokens · 52072 ms · 2026-05-08T11:37:09.811171+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

17 extracted references · 3 canonical work pages

[1]

write newline

" write newline "" before.all 'output.state := FUNCTION fin.entry add.period write newline FUNCTION new.block output.state before.all = 'skip after.block 'output.state := if FUNCTION new.sentence output.state after.block = 'skip output.state before.all = 'skip after.sentence 'output.state := if if FUNCTION not #0 #1 if FUNCTION and 'skip pop #0 if FUNCTIO...
[2]

S., Kharkar, A., Filar, B., Evans, D., and Roth, P

Anderson, H. S., Kharkar, A., Filar, B., Evans, D., and Roth, P. (2018). L earning to E vade S tatic P E M achine L earning M alware M odels via R einforcement L earning

2018
[3]

Cozzi, E., Graziano, M., Fratantonio, Y., and Balzarotti, D. (2018). U nderstanding L inux M alware. In 2018 IEEE Symposium on Security and Privacy (SP) , pages 161--175

2018
[4]

Guesmi, H., Khalfallah, A., and Bouallegue, B. (2025). L ightweight E L F H eader A nalysis M odel for I o T M alwares D etection B ased on M achine L earning. Engineering Research Express , 7(2):025213

2025
[5]

Kosikowski, A., Cho, D., Ninan, M., Ralescu, A., and Wang, B. (2023). E vil E L F : E vasion A ttacks on D eep- L earning M alware D etection over E L F F iles. In 2023 International Conference on Machine Learning and Applications (ICMLA) , pages 1702--1709

2023
[6]

Koz \'a k, M., Jure c ek, M., Stamp, M., and Troia, F. D. (2024). C reating V alid A dversarial E xamples of M alware. Journal of Computer Virology and Hacking Techniques , 20(4):607--621

2024
[7]

Kreuk, F., Barak, A., Aviv-Reuven, S., Baruch, M., Pinkas, B., and Keshet, J. (2018). A dversarial E xamples on D iscrete S equences for B eating W hole- B inary M alware D etection. arXiv preprint arXiv:1802.04528 , pages 490--510

work page arXiv 2018
[8]

Louth \'a nov \'a , P., Koz \'a k, M., Jure c ek, M., Stamp, M., and Di Troia, F. (2024). A C omparison of A dversarial M alware G enerators. Journal of Computer Virology and Hacking Techniques , 20(4):623--639

2024
[9]

K., and Shintre, S

Lucas, K., Sharif, M., Bauer, L., Reiter, M. K., and Shintre, S. (2021). M alware M akeover: B reaking M L - B ased S tatic A nalysis by M odifying E xecutable B ytes. In Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security , ASIA CCS '21, page 744–758, New York, NY, USA. Association for Computing Machinery

2021
[10]

T., Liu, Y., and Alazab, M

Qiao, Y., Zhang, W., Tian, Z., Yang, L. T., Liu, Y., and Alazab, M. (2023). A dversarial E L F M alware D etection M ethod U sing M odel I nterpretation. IEEE Transactions on Industrial Informatics , 19(1):605--615

2023
[11]

Quertier, T., Marais, B., Morucci, S., and Fournel, B. (2022). M E R L I N -- M alware E vasion with R einforcement L earn I N g. arXiv preprint arXiv:2203.12980

work page arXiv 2022
[12]

Raff, E., Barker, J., Sylvester, J., Brandon, R., Catanzaro, B., and Nicholas, C. (2017). M alware D etection by E ating a W hole E X E . arXiv preprint arXiv:1710.09435

work page arXiv 2017
[13]

K., and Varol, C

Ramamoorthy, J., Shashidhar, N. K., and Varol, C. (2025). A utomated S tatic A nalysis of L inux E L F M alware: F ramework and A pplication. In 2025 13th International Symposium on Digital Forensics and Security (ISDFS) , pages 1--5

2025
[14]

Ravi, A., Chaturvedi, V., and Shafique, M. (2025). A D V e R L - E L F : A D V ersarial E L F M alware G eneration using R einforcement L earning. In 2025 62nd ACM/IEEE Design Automation Conference (DAC) , pages 1--7

2025
[15]

Song, W., Li, X., Afroz, S., Garg, D., Kuznetsov, D., and Yin, H. (2022). M A B - M alware: A R einforcement L earning F ramework for B lackbox G eneration of A dversarial M alware. In Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security , ASIA CCS '22, page 990–1003, New York, NY, USA. Association for Computing Machinery

2022
[16]

T ool Interface Standard T I S - E xecutable a nd L inkable F ormat ( E L F ) S pecificatoin --- linuxfoundation.org

TIS Committee (2000). T ool Interface Standard T I S - E xecutable a nd L inkable F ormat ( E L F ) S pecificatoin --- linuxfoundation.org. https://refspecs.linuxfoundation.org/elf/elf.pdf. [Accessed 16-07-2025]

2000
[17]

Y., Zhang, Y., and Liu, W

Xue, M., Fu, J., Li, Z., Ni, S., Wu, H., Zhang, L. Y., Zhang, Y., and Liu, W. (2024). A R einforcement L earning- B ased E L F A dversarial M alicious S ample G eneration M ethod. IEEE Journal on Emerging and Selected Topics in Circuits and Systems , 14(4):743--757

2024