[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-84973-en":3,"doc-seo-84973-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},84973,7971461740909,"Levi","https://ap-avatar.wpscdn.com/davatar_155a257f0dc6eb9ab79c44ca47cae57d",8,"Research & Report","Evaluating Endpoint Detection Robustness Against Genetic Algorithm Driven Code Transformations","Post-compromise test variants are used for endpoint robustness benchmarking, yet modern AV and EDR combine signature- and behavior-based detection, limiting the reliability of conventional evaluation pipelines under adaptive code variation. The study presents ShellForge, a Genetic Algorithm (GA)-driven framework that evolves post-compromise remote command execution variants while preserving functionality via semantic-preserving transformations. Multi-objective fitness uses AV/EDR feedback to guide syntactic, encoding, and structural permutations, and compares against baseline frameworks in controlled sandboxes to quantify robustness gaps and propose a reproducible benchmark.","Evaluating Endpoint Detection Robustness Against Genetic Algorithm Driven Code Transformations  \nAlvina Rwaichi Minja  \nCollege of Engineering Carnegie Mellon University Africa Kigali, Rwanda [aminja@andrew.cmu.edu](aminja@andrew.cmu.edu)  \nJema David Ndibwile  \nCollege of Engineering Carnegie Mellon University Africa Kigali, Rwanda [jndibwil@andrew.cmu.edu](jndibwil@andrew.cmu.edu)  \narXiv :2607 .07 19 1v 1 [ cs .CR] 8 Jul 2026  \nAbstract—Post-compromise test variants are widely used in controlled security evaluation and endpoint robustness benchmarking. However, modern Antivirus (AV) and Endpoint Detection and Response (EDR) systems increasingly combine signature- and behavior-based detection, challenging the reliability of conventional detection pipelines under adaptive variation. This study introduces ShellForge, a Genetic Algorithm (GA)-driven framework that evolves post-compromise variants representative of remote command execution to generate functionally equivalent variants for systematic detection evaluation. ShellForge applies syntactic transformations, encoding schemes, and structural permutations guided by a multi-objective fitness function informed by AV and EDR detection feedback. We compare ShellForge against representative baseline transformation frameworks under identical sandbox configurations. Our findings highlight measurable robustness gaps in baseline signature- and behavior-oriented detection pipelines under controlled variant generation. In addition, we propose a reproducible benchmark for endpoint detection robustness evaluation, motivating the need for robustness-aware defensive monitoring and behavioral correlation.  \nIndex Terms—Endpoint Detection and Response (EDR), Detection Robustness Benchmarking, Genetic Algorithms, Defensive Robustness Testing, Semantic-Preserving transformations, PostCompromise Telemetry  \nI. INTRODUCTION  \nModern Endpoint protection platforms increasingly rely on a combination of signature-based antivirus scanning and behavioral telemetry [1] . While these defenses have significantly improved, their robustness against adaptive and automatically mutated code variants remains insufficiently understood. This work investigates the detection boundaries of common defensive mechanisms by systematically generating functionally equivalent test variants in a controlled laboratory environment. Such benchmarking supports the development of more resilient signature and behavioral correlation mechanisms, particularly for post-compromise monitoring [2] .  \nPost-compromise variants are widely used in controlled security evaluations to study endpoint monitoring and response behaviors [3] . Reverse-shell mechanisms are commonly used as representative post-compromise behaviors in controlled security evaluations [4] . The effectiveness of shells and backdoors has been demonstrated in high-profile breaches such as the Hafnium campaign, where operators used outbound callback mechanisms to maintain persistent remote access.  \nDespite their routine usage, systematic evaluation of detection robustness against these post-compromise variants remains limited.  \nRecent reports indicate that automatically transformed code variants may lead to inconsistent responses across endpoint detection layers. This motivates the need for controlled robustness benchmarking frameworks that help defenders assess coverage gaps under semantic-preserving transformations [5] .  \nObfuscation techniques for payload generation have evolved over the years. Machine Learning (ML) and Large Language Model (LLM)-based approaches are increasingly used to automate payload generation and obfuscation. A growing landscape of techniques is used in these concepts, such as LLMbased code generation [6], [7] and dynamic-programming guided mutation of instructions [8], which show significant improvements in payload generation. However, these approaches remain constrained by template dependencies, data constraints, reproducibility concerns, a","cbCaiqp08BC90EOx","https://ap.wps.com/l/cbCaiqp08BC90EOx","pdf",284465,1,9,"English","en",105,"# Introduction\n## Motivation and Background\n## Related Techniques for Payload Generation\n## Evolutionary Computation and GA-Based Mutation\n## Research Aim and Evaluation Design","[{\"question\":\"What problem does the paper address in endpoint detection evaluation?\",\"answer\":\"It targets the reliability limits of conventional detection pipelines when AV and EDR face adaptive, semantic-preserving code variations.\"},{\"question\":\"How does ShellForge generate test variants for robustness evaluation?\",\"answer\":\"ShellForge uses a Genetic Algorithm to evolve functionally equivalent post-compromise variants through syntactic transformations, encoding schemes, and structural permutations guided by multi-objective fitness from AV/EDR feedback.\"},{\"question\":\"What is the paper’s evaluation scope and what question does it answer?\",\"answer\":\"Variants representing remote command execution are evaluated against both static AV and behavioral EDR detection, aiming to determine how effective a GA-driven approach is at producing functionally equivalent AV/EDR robustness test cases.\"}]",1784199876,23,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"evaluating-endpoint-detection-robustness-against-genetic-algorithm-driven-code-transformations","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/evaluating-endpoint-detection-robustness-against-genetic-algorithm-driven-code-transformations/84973/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"What problem does the paper address in endpoint detection evaluation?","Question",{"text":75,"@type":76},"It targets the reliability limits of conventional detection pipelines when AV and EDR face adaptive, semantic-preserving code variations.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"How does ShellForge generate test variants for robustness evaluation?",{"text":80,"@type":76},"ShellForge uses a Genetic Algorithm to evolve functionally equivalent post-compromise variants through syntactic transformations, encoding schemes, and structural permutations guided by multi-objective fitness from AV/EDR feedback.",{"name":82,"@type":73,"acceptedAnswer":83},"What is the paper’s evaluation scope and what question does it answer?",{"text":84,"@type":76},"Variants representing remote command execution are evaluated against both static AV and behavioral EDR detection, aiming to determine how effective a GA-driven approach is at producing functionally equivalent AV/EDR robustness test cases.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,115,120,123,127,130,134],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":113,"slug":114},6,"Technology",50,"technology",{"id":116,"doc_module":4,"doc_module_name":45,"category_name":117,"show_sort_weight":118,"slug":119},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":121,"slug":122},30,"research-report",{"id":21,"doc_module":4,"doc_module_name":45,"category_name":124,"show_sort_weight":125,"slug":126},"Religion & Spirituality",20,"religion-spirituality",{"id":125,"doc_module":4,"doc_module_name":45,"category_name":128,"show_sort_weight":125,"slug":129},"World Cup","world-cup",{"id":131,"doc_module":4,"doc_module_name":45,"category_name":132,"show_sort_weight":131,"slug":133},10,"Lifestyle","lifestyle",{"id":135,"doc_module":4,"doc_module_name":45,"category_name":136,"show_sort_weight":106,"slug":137},19,"General","general"]