{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T22:48:12Z","timestamp":1774392492189,"version":"3.50.1"},"reference-count":67,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2021,10,23]],"date-time":"2021-10-23T00:00:00Z","timestamp":1634947200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,10,23]],"date-time":"2021-10-23T00:00:00Z","timestamp":1634947200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"funder":[{"DOI":"10.13039\/501100003407","name":"Ministero dell\u2019Istruzione, dell\u2019Universit\u00e0 e della Ricerca","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100003407","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100012416","name":"Bundesministerium f\u00fcr Digitalisierung und Wirtschaftsstandort","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100012416","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100004956","name":"Bundesministerium f\u00fcr Verkehr, Innovation und Technologie","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100004956","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Mach. Learn. & Cyber."],"published-print":{"date-parts":[[2022,1]]},"DOI":"10.1007\/s13042-021-01393-7","type":"journal-article","created":{"date-parts":[[2021,10,23]],"date-time":"2021-10-23T17:02:31Z","timestamp":1635008551000},"page":"217-232","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":19,"title":["Do gradient-based explanations tell anything about adversarial robustness to android malware?"],"prefix":"10.1007","volume":"13","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3641-2093","authenticated-orcid":false,"given":"Marco","family":"Melis","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Michele","family":"Scalas","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ambra","family":"Demontis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Davide","family":"Maiorca","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Battista","family":"Biggio","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Giorgio","family":"Giacinto","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Fabio","family":"Roli","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2021,10,23]]},"reference":[{"key":"1393_CR1","doi-asserted-by":"publisher","unstructured":"Aafer Y, Du W, Yin H (2013) DroidAPIMiner: mining API-level features for robust malware detection in android. In: Proc. of international conference on security and privacy in communication networks (SecureComm). https:\/\/doi.org\/10.1007\/978-3-319-04283-1_6","DOI":"10.1007\/978-3-319-04283-1_6"},{"key":"1393_CR2","doi-asserted-by":"publisher","first-page":"52138","DOI":"10.1109\/ACCESS.2018.2870052","volume":"6","author":"A Adadi","year":"2018","unstructured":"Adadi A, Berrada M (2018) Peeking inside the black-box: a survey on explainable artificial intelligence (xai). IEEE Access 6:52138\u201352160","journal-title":"IEEE Access"},{"key":"1393_CR3","doi-asserted-by":"crossref","unstructured":"Allix K, Bissyand\u00e9 TF, Klein J, Le\u00a0Traon Y (2016) Androzoo: collecting millions of android apps for the research community. In: 2016 IEEE\/ACM 13th working conference on mining software repositories (MSR), pp 468\u2013471, IEEE","DOI":"10.1145\/2901739.2903508"},{"key":"1393_CR4","doi-asserted-by":"crossref","unstructured":"Arp D, Spreitzenbarth M, H\u00fcbner M, Gascon H, Rieck K (2014) Drebin: efficient and explainable detection of android malware in your pocket. In: Proc. 21st annual network & distributed system security symposium (NDSS). The Internet Society","DOI":"10.14722\/ndss.2014.23247"},{"key":"1393_CR5","doi-asserted-by":"publisher","unstructured":"Arzt S, Rasthofer S, Fritz C, Bodden E, Bartel A, Klein J, Le Traon Y, Octeau D, McDaniel P (2013) FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In: Proceedings of the 35th ACM SIGPLAN conference on programming language design and implementation\u2014PLDI \u201914, pp 259\u2013269. ACM Press. https:\/\/doi.org\/10.1145\/2594291.2594299, http:\/\/dl.acm.org\/citation.cfm?doid=2594291.2594299","DOI":"10.1145\/2594291.2594299"},{"key":"1393_CR6","first-page":"1803","volume":"11","author":"D Baehrens","year":"2010","unstructured":"Baehrens D, Schroeter T, Harmeling S, Kawanabe M, Hansen K, M\u00fcller KR (2010) How to explain individual classification decisions. J Mach Learn Res 11:1803\u20131831","journal-title":"J Mach Learn Res"},{"key":"1393_CR7","doi-asserted-by":"publisher","first-page":"121","DOI":"10.1007\/s10994-010-5188-5","volume":"81","author":"M Barreno","year":"2010","unstructured":"Barreno M, Nelson B, Joseph A, Tygar J (2010) The security of machine learning. Mach Learn 81:121\u2013148","journal-title":"Mach Learn"},{"key":"1393_CR8","doi-asserted-by":"crossref","unstructured":"Barreno M, Nelson B, Sears R, Joseph AD, Tygar JD (2006) Can machine learning be secure? In: Proc. ACM Symp. information, computer and comm. Sec., ASIACCS \u201906, pp 16\u201325. ACM, New York","DOI":"10.1145\/1128817.1128824"},{"key":"1393_CR9","first-page":"387","volume-title":"Machine learning and knowledge discovery in databases (ECML PKDD), Part III, LNCS","author":"B Biggio","year":"2013","unstructured":"Biggio B, Corona I, Maiorca D, Nelson B, \u0160rndi\u0107 N, Laskov P, Giacinto G, Roli F (2013) Evasion attacks against machine learning at test time. In: Blockeel H, Kersting K, Nijssen S, \u017delezn\u00fd F (eds) Machine learning and knowledge discovery in databases (ECML PKDD), Part III, LNCS, vol 8190. Springer, Berlin, Heidelberg, pp 387\u2013402"},{"issue":"1","key":"1393_CR10","doi-asserted-by":"publisher","first-page":"27","DOI":"10.1007\/s13042-010-0007-7","volume":"1","author":"B Biggio","year":"2010","unstructured":"Biggio B, Fumera G, Roli F (2010) Multiple classifier systems for robust classifier design in adversarial environments. Int J Mach Learn Cybern 1(1):27\u201341","journal-title":"Int J Mach Learn Cybern"},{"issue":"4","key":"1393_CR11","doi-asserted-by":"publisher","first-page":"984","DOI":"10.1109\/TKDE.2013.57","volume":"26","author":"B Biggio","year":"2014","unstructured":"Biggio B, Fumera G, Roli F (2014) Security evaluation of pattern classifiers under attack. IEEE Trans Knowl Data Eng 26(4):984\u2013996","journal-title":"IEEE Trans Knowl Data Eng"},{"key":"1393_CR12","unstructured":"Biggio B, Nelson B, Laskov P (2012) Poisoning attacks against support vector machines. In: Langford J, Pineau J (eds) 29th Int\u2019l Conf. on Machine Learning, pp 1807\u20131814, Omnipress"},{"key":"1393_CR13","doi-asserted-by":"publisher","first-page":"317","DOI":"10.1016\/j.patcog.2018.07.023","volume":"84","author":"B Biggio","year":"2018","unstructured":"Biggio B, Roli F (2018) Wild patterns: ten years after the rise of adversarial machine learning. Pattern Recogn 84:317\u2013331","journal-title":"Pattern Recogn"},{"issue":"6","key":"1393_CR14","doi-asserted-by":"publisher","first-page":"1455","DOI":"10.1109\/TIFS.2018.2879302","volume":"14","author":"H Cai","year":"2018","unstructured":"Cai H, Meng N, Ryder B, Yao D (2018) Droidcat: effective android malware detection and categorization via app-level profiling. IEEE Trans Inf Forensics Secur 14(6):1455\u20131470","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"1393_CR15","doi-asserted-by":"publisher","first-page":"113","DOI":"10.1016\/j.eswa.2017.11.032","volume":"95","author":"A Calleja","year":"2018","unstructured":"Calleja A, Martin A, Menendez HD, Tapiador J, Clark D (2018) Picking on the family: disrupting android malware triage by forcing misclassification. Expert Syst Appl 95:113\u2013126","journal-title":"Expert Syst Appl"},{"issue":"9","key":"1393_CR16","doi-asserted-by":"publisher","first-page":"433","DOI":"10.3390\/info11090433","volume":"11","author":"F Cara","year":"2020","unstructured":"Cara F, Scalas M, Giacinto G, Maiorca D (2020) On the feasibility of adversarial sample creation using the android system api. Information 11(9):433","journal-title":"Information"},{"key":"1393_CR17","doi-asserted-by":"publisher","unstructured":"Chen J, Wang C, Zhao Z, Chen K, Du R, Ahn GJ (2018) Uncovering the Face of Android Ransomware: characterization and real-time detection. IEEE Trans Inf Forensics Secur 13(5):1286\u20131300. https:\/\/doi.org\/10.1109\/TIFS.2017.2787905, http:\/\/ieeexplore.ieee.org\/document\/8241433\/","DOI":"10.1109\/TIFS.2017.2787905"},{"key":"1393_CR18","unstructured":"Chen J, Wu X, Rastogi V, Liang Y, Jha S (2019) Robust attribution regularization. Adv Neural Inf Process Syst 2019:14300\u201314310"},{"key":"1393_CR19","doi-asserted-by":"publisher","unstructured":"Chen L, Hou S, Ye Y, Xu S (2018) Droideye: fortifying security of learning-based classifier against adversarial android malware attacks. In: Proceedings of the 2018 IEEE\/ACM international conference on advances in social networks analysis and mining, ASONAM 2018, pp. 782\u2013789. Institute of Electrical and Electronics Engineers Inc. https:\/\/doi.org\/10.1109\/ASONAM.2018.8508284","DOI":"10.1109\/ASONAM.2018.8508284"},{"key":"1393_CR20","doi-asserted-by":"crossref","unstructured":"Chen S, Xue M, Tang Z, Xu L, Zhu H (2016) Stormdroid: a streaminglized machine learning-based system for detecting android malware. In: Proceedings of the 11th ACM on Asia conference on computer and communications security, pp 377\u2013388","DOI":"10.1145\/2897845.2897860"},{"key":"1393_CR21","doi-asserted-by":"publisher","unstructured":"Chen YM, Yang CH, Chen GC (2021) Using generative adversarial networks for data augmentation in android malware detection. In: 2021 IEEE conference on dependable and secure computing (DSC), pp 1\u20138, IEEE. https:\/\/doi.org\/10.1109\/DSC49826.2021.9346277, https:\/\/ieeexplore.ieee.org\/document\/9346277\/","DOI":"10.1109\/DSC49826.2021.9346277"},{"key":"1393_CR22","doi-asserted-by":"crossref","unstructured":"Dalvi N, Domingos P, Mausam G, Sanghai S, Verma D (2004) Adversarial classification. In: Tenth ACM SIGKDD international conference on knowledge discovery and data mining (KDD), pp 99\u2013108. Seattle","DOI":"10.1145\/1014052.1014066"},{"key":"1393_CR23","doi-asserted-by":"publisher","unstructured":"Demontis A, Melis M, Biggio B, Maiorca D, Arp D, Rieck K, Corona I, Giacinto G, Roli F (2017) Yes, machine learning can be more secure! a case study on android malware detection. In: IEEE transactions on dependable and secure computing, pp 1\u20131. https:\/\/doi.org\/10.1109\/TDSC.2017.2700270","DOI":"10.1109\/TDSC.2017.2700270"},{"key":"1393_CR24","unstructured":"Demontis A, Melis, M., Pintor M, Jagielski M, Biggio B, Oprea A, Nita-Rotaru C, Roli F (2019) Why do adversarial attacks transfer? Explaining transferability of evasion and poisoning attacks. In: 28th USENIX Security Symposium (USENIX Security 19), pp 321\u2013338. USENIX Association, Santa Clara"},{"key":"1393_CR25","doi-asserted-by":"publisher","first-page":"322","DOI":"10.1007\/978-3-319-49055-7_29","volume-title":"Joint IAPR Int\u2019l workshop on structural, syntactic, and statistical pattern recognition, LNCS","author":"A Demontis","year":"2016","unstructured":"Demontis A, Russu P, Biggio B, Fumera G, Roli F (2016) On security and sparsity of linear classifiers for adversarial settings. In: Robles-Kelly A, Loog M, Biggio B, Escolano F, Wilson R (eds) Joint IAPR Int\u2019l workshop on structural, syntactic, and statistical pattern recognition, LNCS, vol 10029. Springer International Publishing, Cham, pp 322\u2013332"},{"key":"1393_CR26","unstructured":"Dombrowski AK, Alber M, Anders CJ, Ackermann M, M\u00fcller KR, Kessel P (2019) Explanations can be manipulated and geometry is to blame. arXiv:1906.07983"},{"key":"1393_CR27","doi-asserted-by":"publisher","unstructured":"Feng Y, Anand S, Dillig I, Aiken A (2014) Apposcopy: semantics-based detection of Android malware through static analysis. In: Proceedings of the 22nd ACM SIGSOFT international symposium on foundations of software engineering\u2014FSE 2014, pp 576\u2013587. ACM Press. https:\/\/doi.org\/10.1145\/2635868.2635869, http:\/\/dl.acm.org\/citation.cfm?doid=2635868.2635869","DOI":"10.1145\/2635868.2635869"},{"key":"1393_CR28","doi-asserted-by":"crossref","unstructured":"Fidel G, Bitton R, Shabtai A (2020) When explainability meets adversarial learning: Detecting adversarial examples using shap signatures. In: 2020 international joint conference on neural networks (IJCNN), pp 1\u20138, IEEE","DOI":"10.1109\/IJCNN48605.2020.9207637"},{"key":"1393_CR29","unstructured":"Goodfellow IJ, Shlens J, Szegedy C (2015) Explaining and harnessing adversarial examples. In: International conference on learning representations"},{"key":"1393_CR30","doi-asserted-by":"crossref","unstructured":"Goodman B, Flaxman S (2016) European Union regulations on algorithmic decision-making and a \u201cright to explanation\u201d. In: AI magazine, vol 38, pp 50\u201357","DOI":"10.1609\/aimag.v38i3.2741"},{"key":"1393_CR31","doi-asserted-by":"crossref","unstructured":"Grosse K, Papernot N, Manoharan P, Backes M, McDaniel PD (2017) Adversarial examples for malware detection. In: ESORICS (2), LNCS, vol 10493, pp 62\u201379. Springer","DOI":"10.1007\/978-3-319-66399-9_4"},{"key":"1393_CR32","doi-asserted-by":"crossref","unstructured":"Guo W, Mu D, Xu J, Su P, Wang G, Xing X (2018) Lemna: explaining deep learning based security applications. In: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pp 364\u2013379","DOI":"10.1145\/3243734.3243792"},{"key":"1393_CR33","doi-asserted-by":"publisher","unstructured":"Hijawi W, Alqatawna J, Al-Zoubi AM, Hassonah MA, Faris H (2021) Android botnet detection using machine learning models based on a comprehensive static analysis approach. J Inf Secur Appl 58:102735. https:\/\/doi.org\/10.1016\/j.jisa.2020.102735, https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S2214212620308711","DOI":"10.1016\/j.jisa.2020.102735"},{"key":"1393_CR34","unstructured":"Kim B, Wattenberg M, Gilmer J, Cai C, Wexler J, Viegas F, Sayres R (2018) Interpretability beyond feature attribution: quantitative testing with concept activation vectors (TCAV). In: 35th international conference on machine learning (ICML 2018), vol\u00a080, pp 2668\u20132677, Stockholm"},{"key":"1393_CR35","unstructured":"Koh PW, Liang P (2017) Understanding black-box predictions via influence functions. In: International conference on machine learning (ICML)"},{"key":"1393_CR36","unstructured":"Koh PW, Nguyen T, Tang YS, Mussmann S, Pierson E, Kim B, Liang P (2020) Concept bottleneck models. In: III HD, Singh A (eds) Proceedings of the 37th international conference on machine learning, Proceedings of Machine Learning Research, vol 119, pp 5338\u20135348, PMLR. http:\/\/proceedings.mlr.press\/v119\/koh20a.html"},{"key":"1393_CR37","unstructured":"Kolcz A, Teo CH (2009) Feature weighting for improved classifier robustness. In: Sixth conference on email and anti-spam (CEAS). Mountain View"},{"key":"1393_CR38","doi-asserted-by":"publisher","unstructured":"Li Q, Hu Q, Qi Y, Qi S, Liu X, Gao P. (2021)Semi-supervised two-phase familial analysis of Android malware with normalized graph embedding. Knowl Based Syst 218:106802. https:\/\/doi.org\/10.1016\/j.knosys.2021.106802, https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0950705121000654","DOI":"10.1016\/j.knosys.2021.106802"},{"key":"1393_CR39","doi-asserted-by":"crossref","unstructured":"Lindorfer M, Neugschwandtner M, Platzer C (2015) Marvin: efficient and comprehensive mobile app classification through static and dynamic analysis. In: Proceedings of the 39th annual international computers, software & applications conference (COMPSAC)","DOI":"10.1109\/COMPSAC.2015.103"},{"key":"1393_CR40","doi-asserted-by":"crossref","unstructured":"Lindorfer M, Neugschwandtner M, Platzer C (2015) MARVIN: efficient and comprehensive mobile app classification through static and dynamic analysis. In: 2015 IEEE 39th annual computer software and applications conference, vol\u00a02, pp 422\u2013433","DOI":"10.1109\/COMPSAC.2015.103"},{"key":"1393_CR41","doi-asserted-by":"crossref","unstructured":"Lowd D, Meek C (2005) Adversarial learning. In: Proc. 11th ACM sigkdd international conference on knowledge discovery and data mining (KDD), pp 641\u2013647. ACM Press, Chicago","DOI":"10.1145\/1081870.1081950"},{"key":"1393_CR42","doi-asserted-by":"publisher","unstructured":"Lundberg SM, Erion G, Chen H, DeGrave A, Prutkin JM, Nair B, Katz R, Himmelfarb J, Bansal N, Lee SI (2020) From local explanations to global understanding with explainable AI for trees. Nature Mach Intell 2(1): 56\u201367. https:\/\/doi.org\/10.1038\/s42256-019-0138-9, http:\/\/www.nature.com\/articles\/s42256-019-0138-9","DOI":"10.1038\/s42256-019-0138-9"},{"key":"1393_CR43","unstructured":"Lundberg SM, Lee SI (2017) A unified approach to interpreting model predictions. In: Advances in neural information processing systems, pp 4765\u20134774"},{"issue":"10","key":"1393_CR44","doi-asserted-by":"publisher","first-page":"5183","DOI":"10.1007\/s00521-020-05309-4","volume":"33","author":"A Mahindru","year":"2021","unstructured":"Mahindru A, Sangal AL (2021) MLDroid-framework for Android malware detection using machine learning techniques. Neural Comput Appl 33(10):5183\u20135240. https:\/\/doi.org\/10.1007\/s00521-020-05309-4","journal-title":"Neural Comput Appl"},{"issue":"5","key":"1393_CR45","doi-asserted-by":"publisher","first-page":"1369","DOI":"10.1007\/s13042-020-01238-9","volume":"12","author":"A Mahindru","year":"2021","unstructured":"Mahindru A, Sangal AL (2021) SemiDroid: a behavioral malware detector based on unsupervised machine learning techniques using feature selection approaches. Int J Mach Learn Cybern 12(5):1369\u20131411. https:\/\/doi.org\/10.1007\/s13042-020-01238-9","journal-title":"Int J Mach Learn Cybern"},{"issue":"4","key":"1393_CR46","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3332184","volume":"52","author":"D Maiorca","year":"2019","unstructured":"Maiorca D, Biggio B, Giacinto G (2019) Towards adversarial malware detection: lessons learned from pdf-based attacks. ACM Comput Surv (CSUR) 52(4):1\u201336","journal-title":"ACM Comput Surv (CSUR)"},{"key":"1393_CR47","doi-asserted-by":"publisher","unstructured":"Maiorca D, Mercaldo F, Giacinto G, Visaggio CA, Martinelli F (2017) R-packdroid: Api package-based characterization and detection of mobile ransomware. In: Proceedings of the symposium on applied computing, SAC \u201917, pp 1718\u20131723. ACM, New York. https:\/\/doi.org\/10.1145\/3019612.3019793","DOI":"10.1145\/3019612.3019793"},{"key":"1393_CR48","doi-asserted-by":"crossref","unstructured":"Mariconti E, Onwuzurike L, Andriotis P, Cristofaro ED, Ross GJ, Stringhini G (2017) Mamadroid: Detecting android malware by building markov chains of behavioral models. In: NDSS. The Internet Society","DOI":"10.14722\/ndss.2017.23353"},{"key":"1393_CR49","doi-asserted-by":"crossref","unstructured":"Melis M, Demontis A, Biggio B, Brown G, Fumera G, Roli F (2017) Is deep learning safe for robot vision? Adversarial examples against the icub humanoid. In: ICCV workshop on vision in practice on autonomous robots (ViPAR)","DOI":"10.1109\/ICCVW.2017.94"},{"key":"1393_CR50","unstructured":"Melis M, Demontis A, Pintor M, Sotgiu A, Biggio B (2019) secml: a python library for secure and explainable machine learning. arXiv:1912.10013"},{"key":"1393_CR51","doi-asserted-by":"crossref","unstructured":"Melis M, Maiorca D, Biggio B, Giacinto G, Roli F (2018) Explaining black-box android malware detection. In: 2018 26th european signal processing conference (EUSIPCO), pp 524\u2013528, IEEE","DOI":"10.23919\/EUSIPCO.2018.8553598"},{"key":"1393_CR52","unstructured":"Pendlebury F, Pierazzi F, Jordaney R, Kinder J, Cavallaro L (2019) $$\\{$$TESSERACT$$\\}$$: Eliminating experimental bias in malware classification across space and time. In: 28th $$\\{$$USENIX$$\\}$$ Security Symposium ($$\\{$$USENIX$$\\}$$ Security 19), pp 729\u2013746"},{"key":"1393_CR53","doi-asserted-by":"crossref","unstructured":"Peng H, Gates C, Sarma B, Li N, Qi Y, Potharaju R, Nita-Rotaru C, Molloy I (2012) Using probabilistic generative models for ranking risks of android apps. In: Proceedings of the 2012 ACM conference on computer and communications security","DOI":"10.1145\/2382196.2382224"},{"key":"1393_CR54","doi-asserted-by":"crossref","unstructured":"Pierazzi F, Pendlebury F, Cortellazzi J, Cavallaro L (2020) Intriguing properties of adversarial ml attacks in the problem space. In: 2020 IEEE symposium on security and privacy (SP), pp 1332\u20131349, IEEE","DOI":"10.1109\/SP40000.2020.00073"},{"key":"1393_CR55","doi-asserted-by":"crossref","unstructured":"Ribeiro MT, Singh S, Guestrin C (2016) \u201cwhy should i trust you?\u201d: explaining the predictions of any classifier. In: 22nd ACM SIGKDD Int\u2019l Conf. Knowl. Disc. Data Mining, KDD \u201916, pp 1135\u20131144. ACM, New York","DOI":"10.1145\/2939672.2939778"},{"key":"1393_CR56","doi-asserted-by":"crossref","unstructured":"Rosenberg I, Meir S, Berrebi J, Gordon I, Sicard G, David EO (2020) Generating end-to-end adversarial examples for malware classifiers using explainability. In: 2020 international joint conference on neural networks (IJCNN), pp 1\u201310, IEEE","DOI":"10.1109\/IJCNN48605.2020.9207168"},{"key":"1393_CR57","doi-asserted-by":"publisher","first-page":"168","DOI":"10.1016\/j.cose.2019.06.004","volume":"86","author":"M Scalas","year":"2019","unstructured":"Scalas M, Maiorca D, Mercaldo F, Visaggio CA, Martinelli F, Giacinto G (2019) On the effectiveness of system api-related information for android ransomware detection. Comput Secur 86:168\u2013182","journal-title":"Comput Secur"},{"key":"1393_CR58","doi-asserted-by":"publisher","unstructured":"Scalas M, Rieck K, Giacinto G (2021) Explanation-driven characterization of android ransomware. In: ICPR\u20192020 workshop on explainable deep learning\u2014AI, pp 228\u2013242. Springer, Cham. https:\/\/doi.org\/10.1007\/978-3-030-68796-0_17","DOI":"10.1007\/978-3-030-68796-0_17"},{"key":"1393_CR59","unstructured":"Shrikumar A, Greenside P, Shcherbina A, Kundaje A (2016) Not just a black box: learning important features through propagating activation differences"},{"key":"1393_CR60","unstructured":"Sundararajan M, Taly A, Yan Q (2017) Axiomatic attribution for deep networks. In: Proceedings of the 34th international conference on machine learning-vol 70, pp 3319\u20133328. JMLR. org"},{"key":"1393_CR61","unstructured":"Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I, Fergus R (2014) Intriguing properties of neural networks. In: International conference on learning representations. arxiv:1312.6199"},{"key":"1393_CR62","doi-asserted-by":"crossref","unstructured":"Tam K, Khan SJ, Fattori A, Cavallaro L (2015) CopperDroid: automatic reconstruction of android malware behaviors. In: Proc. 22nd annual network & distributed system security symposium (NDSS). The Internet Society","DOI":"10.14722\/ndss.2015.23145"},{"key":"1393_CR63","unstructured":"Tramer F, Carlini N, Brendel W, Madry A (2020) On adaptive attacks to adversarial example defenses. In: Larochelle H, Ranzato M, Hadsell R, Balcan MF, Lin H (eds) Advances in neural information processing systems, vol\u00a033, pp 1633\u20131645. Curran Associates, Inc. https:\/\/proceedings.neurips.cc\/paper\/2020\/file\/11f38f8ecd71867b42433548d1078e38-Paper.pdf"},{"key":"1393_CR64","doi-asserted-by":"crossref","unstructured":"\u0160rndic N, Laskov P (2014) Practical evasion of a learning-based classifier: a case study. In: Proc. 2014 IEEE symp. security and privacy, SP \u201914, pp 197\u2013211. IEEE CS, Washington, DC","DOI":"10.1109\/SP.2014.20"},{"key":"1393_CR65","doi-asserted-by":"publisher","unstructured":"Warnecke A, Arp D, Wressnegger C, Rieck K (2020) Evaluating explanation methods for deep learning in security. In: 2020 IEEE european symposium on security and privacy (EuroS&P), pp 158\u2013174. IEEE, Genova. https:\/\/doi.org\/10.1109\/EuroSP48549.2020.00018","DOI":"10.1109\/EuroSP48549.2020.00018"},{"key":"1393_CR66","doi-asserted-by":"crossref","unstructured":"Yang W, Kong D, Xie T, Gunter CA (2017) Malware detection in adversarial settings: exploiting feature evolutions and confusions in android apps. In: ACSAC, pp 288\u2013302. ACM","DOI":"10.1145\/3134600.3134642"},{"key":"1393_CR67","doi-asserted-by":"publisher","unstructured":"Zhang X, Zhang Y, Zhong M, Ding D, Cao Y, Zhang Y, Zhang M, Yang M (2020) Enhancing State-of-the-art Classifiers with API Semantics to Detect Evolved Android Malware. In: Proceedings of the 2020 ACM SIGSAC conference on computer and communications security, pp 757\u2013770. ACM, New York. https:\/\/doi.org\/10.1145\/3372297.3417291","DOI":"10.1145\/3372297.3417291"}],"container-title":["International Journal of Machine Learning and Cybernetics"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s13042-021-01393-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s13042-021-01393-7\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s13042-021-01393-7.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,1,6]],"date-time":"2022-01-06T09:19:35Z","timestamp":1641460775000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s13042-021-01393-7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,10,23]]},"references-count":67,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,1]]}},"alternative-id":["1393"],"URL":"https:\/\/doi.org\/10.1007\/s13042-021-01393-7","relation":{},"ISSN":["1868-8071","1868-808X"],"issn-type":[{"value":"1868-8071","type":"print"},{"value":"1868-808X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,10,23]]},"assertion":[{"value":"5 December 2020","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"22 July 2021","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"23 October 2021","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}]}}