Saved in:
Bibliographic Details
Main Authors: Nasr, Milad, Fratantonio, Yanick, Invernizzi, Luca, Albertini, Ange, Farah, Loua, Petit-Bianco, Alex, Terzis, Andreas, Thomas, Kurt, Bursztein, Elie, Carlini, Nicholas
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2510.01676
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915530670080000
author Nasr, Milad
Fratantonio, Yanick
Invernizzi, Luca
Albertini, Ange
Farah, Loua
Petit-Bianco, Alex
Terzis, Andreas
Thomas, Kurt
Bursztein, Elie
Carlini, Nicholas
author_facet Nasr, Milad
Fratantonio, Yanick
Invernizzi, Luca
Albertini, Ange
Farah, Loua
Petit-Bianco, Alex
Terzis, Andreas
Thomas, Kurt
Bursztein, Elie
Carlini, Nicholas
contents As deep learning models become widely deployed as components within larger production systems, their individual shortcomings can create system-level vulnerabilities with real-world impact. This paper studies how adversarial attacks targeting an ML component can degrade or bypass an entire production-grade malware detection system, performing a case study analysis of Gmail's pipeline where file-type identification relies on a ML model. The malware detection pipeline in use by Gmail contains a machine learning model that routes each potential malware sample to a specialized malware classifier to improve accuracy and performance. This model, called Magika, has been open sourced. By designing adversarial examples that fool Magika, we can cause the production malware service to incorrectly route malware to an unsuitable malware detector thereby increasing our chance of evading detection. Specifically, by changing just 13 bytes of a malware sample, we can successfully evade Magika in 90% of cases and thereby allow us to send malware files over Gmail. We then turn our attention to defenses, and develop an approach to mitigate the severity of these types of attacks. For our defended production model, a highly resourced adversary requires 50 bytes to achieve just a 20% attack success rate. We implement this defense, and, thanks to a collaboration with Google engineers, it has already been deployed in production for the Gmail classifier.
format Preprint
id arxiv_https___arxiv_org_abs_2510_01676
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Evaluating the Robustness of a Production Malware Detection System to Transferable Adversarial Attacks
Nasr, Milad
Fratantonio, Yanick
Invernizzi, Luca
Albertini, Ange
Farah, Loua
Petit-Bianco, Alex
Terzis, Andreas
Thomas, Kurt
Bursztein, Elie
Carlini, Nicholas
Cryptography and Security
Machine Learning
As deep learning models become widely deployed as components within larger production systems, their individual shortcomings can create system-level vulnerabilities with real-world impact. This paper studies how adversarial attacks targeting an ML component can degrade or bypass an entire production-grade malware detection system, performing a case study analysis of Gmail's pipeline where file-type identification relies on a ML model. The malware detection pipeline in use by Gmail contains a machine learning model that routes each potential malware sample to a specialized malware classifier to improve accuracy and performance. This model, called Magika, has been open sourced. By designing adversarial examples that fool Magika, we can cause the production malware service to incorrectly route malware to an unsuitable malware detector thereby increasing our chance of evading detection. Specifically, by changing just 13 bytes of a malware sample, we can successfully evade Magika in 90% of cases and thereby allow us to send malware files over Gmail. We then turn our attention to defenses, and develop an approach to mitigate the severity of these types of attacks. For our defended production model, a highly resourced adversary requires 50 bytes to achieve just a 20% attack success rate. We implement this defense, and, thanks to a collaboration with Google engineers, it has already been deployed in production for the Gmail classifier.
title Evaluating the Robustness of a Production Malware Detection System to Transferable Adversarial Attacks
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2510.01676