Question about evading performance 

I would like to ask a question regarding evasion performance. Since ProvNinja only replaces malicious process nodes and ignores other types of nodes, I am concerned whether malicious nodes—other than process nodes, such as socket nodes—could evade detection after ProvNinja is deployed. I would appreciate your insights on this matter. Thank you!