Adversarial training (AT) is widely adopted for robust malware detection, yet its true robustness gains against realistic evasion attacks—while preserving high clean-sample accuracy—remain poorly understood and often overestimated. Method: We propose a comprehensive evaluation framework that decouples the coupled effects of data quality, feature representation, model architecture, and optimization strategy. It integrates static and dynamic features, multi-stage PGD/FGSM attacks, and realistic attack modeling. Contribution/Results: Our analysis reveals that AT’s effectiveness critically depends on synergistic interactions among multiple factors. We identify five common evaluation pitfalls and formulate ten reproducible, interpretable best practices for robust training. Empirically, our approach achieves >95% clean-sample accuracy while delivering significant and differentiated robustness improvements against strong, realistic evasion attacks—establishing a theoretically rigorous and engineering-practical paradigm for evaluating and optimizing security-critical AI systems.

Adversarial Training (AT) has been widely applied to harden learning-based classifiers against adversarial evasive attacks. However, its effectiveness in identifying and strengthening vulnerable areas of the model's decision space while maintaining high performance on clean data of malware classifiers remains an under-explored area. In this context, the robustness that AT achieves has often been assessed against unrealistic or weak adversarial attacks, which negatively affect performance on clean data and are arguably no longer threats. Previous work seems to suggest robustness is a task-dependent property of AT. We instead argue it is a more complex problem that requires exploring AT and the intertwined roles played by certain factors within data, feature representations, classifiers, and robust optimization settings, as well as proper evaluation factors, such as the realism of evasion attacks, to gain a true sense of AT's effectiveness. In our paper, we address this gap by systematically exploring the role such factors have in hardening malware classifiers through AT. Contrary to recent prior work, a key observation of our research and extensive experiments confirm the hypotheses that all such factors influence the actual effectiveness of AT, as demonstrated by the varying degrees of success from our empirical analysis. We identify five evaluation pitfalls that affect state-of-the-art studies and summarize our insights in ten takeaways to draw promising research directions toward better understanding the factors' settings under which adversarial training works at best.