“…The classification approaches evaluated in this work are based on methods that learn straight from the raw bytes of the file, ranging from methodologies that reinterpret the sample as a grayscale image up to preprocessing each sample as a 1D vector in their execution [9,[11][12][13][14][15][16][17][18][19][20]. We want to evaluate the vulnerability of these variants to the already known adversarial examples [21], which is an approach with increasing popularity in the literature, especially in the context of malware [10,12,19,20,[22][23][24][25]. There are some limitations that must be observed, though, since the perturbations added to malware samples must be drawn from a discrete domain.…”