WinAPI-AdvMal: A Six-Class Windows API Import Dataset for Adversarial Malware

Windows API imports dataset for adversarial malware sample generation and malware detection evasion experiments (6 classes: office, development, multimedia, security, administration, malware (collected using MalwareBazaar database)). Data was obtained by parsing IAT (import address table). The dataset consists of 3,799 samples, from which 2,713 unique features were extracted. Each feature is binary (0 – Win32 API not imported, 1 – Win32 API imported).

Proposed dataset can be used for adversarial malware generation by making malicious samples look like a specific benign class. These adversarial samples can be used to test the robustness of existing malware classifiers or be used to train new malware classifiers that can detect adversarial attacks.

Furthermore, this approach can also be used for malware detection as malware changes quite rapidly (new malware techniques emerge, while other become obsolete), whereas benign software is more stable and does not change that often (benign software authors have no need to evade detections).

PE file names are anonymized for ethical purposes.

FUNDING:

This work has received funding from the Research Council of Lithuania (LMTLT), agreement No S-MIP-24-116.

RELATED PUBLICATION

This dataset accompanies: J. Dautartas, O. Kurasova, J. R. Čypas, and V. Medvedev, "Learning to Look Benign: Targeted Evasion of Malware Detectors via API Import Injection," submitted to IEEE Transactions on Information Forensics and Security, 2026.