{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,6]],"date-time":"2026-06-06T13:01:50Z","timestamp":1780750910546,"version":"3.54.1"},"reference-count":28,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,10,1]],"date-time":"2026-10-01T00:00:00Z","timestamp":1790812800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-004"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Information 
Sciences"],"published-print":{"date-parts":[[2026,10]]},"DOI":"10.1016\/j.ins.2026.123600","type":"journal-article","created":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T16:17:59Z","timestamp":1778084279000},"page":"123600","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["RobCert: Certifying robustness of malicious PDF detection against structure-aware evasion attacks"],"prefix":"10.1016","volume":"752","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9000-9257","authenticated-orcid":false,"given":"Lijun","family":"Gao","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9697-2108","authenticated-orcid":false,"given":"Zheng","family":"Yan","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9688-2201","authenticated-orcid":false,"given":"Erol","family":"Gelenbe","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"78","reference":[{"key":"10.1016\/j.ins.2026.123600_bib0005","unstructured":"PDF statistics & usage in 2025, https:\/\/smallpdf.com\/pdf-statistics"},{"key":"10.1016\/j.ins.2026.123600_bib0010","series-title":"Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC \u201912","first-page":"239","article-title":"Malicious PDF detection using metadata and structural features","author":"Smutz","year":"2012"},{"key":"10.1016\/j.ins.2026.123600_bib0015","series-title":"Proceedings of the 20th Annual Network & Distributed System Security Symposium","first-page":"1","article-title":"Detection of malicious PDF files based on hierarchical document structure","author":"\u0160rndic","year":"2013"},{"issue":"1","key":"10.1016\/j.ins.2026.123600_bib0020","article-title":"Hidost: a static machine-learning-based detector of malicious 
files","volume":"2016","author":"\u0160rndi\u0107","year":"2016","journal-title":"EURASIP J. Inf. Secur."},{"issue":"C","key":"10.1016\/j.ins.2026.123600_bib0025","article-title":"uitPDF-MalDe: malicious portable document format files detection using multi machine learning models","volume":"143","author":"Cam","year":"2025","journal-title":"Eng. Appl. Artif. Intell."},{"issue":"4","key":"10.1016\/j.ins.2026.123600_bib0030","doi-asserted-by":"crossref","DOI":"10.1145\/3332184","article-title":"Towards adversarial malware detection: lessons learned from PDF-based attacks","volume":"52","author":"Maiorca","year":"2019","journal-title":"ACM Comput. Surv."},{"key":"10.1016\/j.ins.2026.123600_bib0035","article-title":"Adversarial perturbations against deep neural networks for malware classification","author":"Grosse","year":"2016","journal-title":"CoRR"},{"key":"10.1016\/j.ins.2026.123600_bib0040","first-page":"409","article-title":"Generating adversarial malware examples for black-box attacks based on GAN","author":"Hu","year":"2022"},{"key":"10.1016\/j.ins.2026.123600_bib0045","series-title":"Machine Learning and Knowledge Discovery in Databases","first-page":"387","article-title":"Evasion attacks against machine learning at test time","author":"Biggio","year":"2013"},{"key":"10.1016\/j.ins.2026.123600_bib0050","series-title":"2014 IEEE Symposium on Security and Privacy","first-page":"197","article-title":"Practical evasion of a learning-based classifier: a case study","author":"\u0160rndi\u0107","year":"2014"},{"key":"10.1016\/j.ins.2026.123600_bib0055","series-title":"23rd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, February 21\u201324, 2016","article-title":"Automatically evading classifiers: a case study on PDF malware classifiers","author":"Xu","year":"2016"},{"key":"10.1016\/j.ins.2026.123600_bib0060","series-title":"Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications 
Security, ASIA CCS \u201913","first-page":"119","article-title":"Looking at the bag is not enough to find the bomb: an evasion of structural methods for malicious PDF files detection","author":"Maiorca","year":"2013"},{"key":"10.1016\/j.ins.2026.123600_bib0065","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2025.104775","article-title":"SETPA: structural evasion techniques for PDF malware detection systems","volume":"161","author":"Iqbal","year":"2026","journal-title":"Comput. Secur."},{"issue":"2","key":"10.1016\/j.ins.2026.123600_bib0070","doi-asserted-by":"crossref","first-page":"99","DOI":"10.1080\/17517571003763380","article-title":"On the principle of design of resilient systems \u2013 application to enterprise information systems","volume":"4","author":"Zhang","year":"2010","journal-title":"Enterp. Inf. Syst."},{"key":"10.1016\/j.ins.2026.123600_bib0075","series-title":"Proceedings of the Fourth ACM International Workshop on Security and Privacy Analytics, IWSPA \u201918","first-page":"54","article-title":"Adversarially robust malware detection using monotonic classification","author":"\u00cdncer Romeo","year":"2018"},{"key":"10.1016\/j.ins.2026.123600_bib0080","author":"Tong"},{"issue":"11","key":"10.1016\/j.ins.2026.123600_bib0085","doi-asserted-by":"crossref","first-page":"2466","DOI":"10.1109\/TNNLS.2016.2593488","article-title":"Randomized prediction games for adversarial machine learning","volume":"28","author":"Rota Bul\u00f2","year":"2017","journal-title":"IEEE Trans. Neural Netw. Learn. 
Syst."},{"key":"10.1016\/j.ins.2026.123600_bib0090","series-title":"34th USENIX Security Symposium (USENIX Security 25)","first-page":"4759","article-title":"VAPD: an anomaly detection model for PDF malware forensics with adversarial robustness","author":"Liu","year":"2025"},{"key":"10.1016\/j.ins.2026.123600_bib0095","series-title":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, CCS \u201925","first-page":"1334","article-title":"Analyzing PDFs like binaries: adversarially robust PDF malware analysis via intermediate representation and language model","author":"Liu","year":"2025"},{"key":"10.1016\/j.ins.2026.123600_bib0100","doi-asserted-by":"crossref","DOI":"10.1016\/j.asoc.2025.113537","article-title":"Unveiling evasive portable documents with explainable Kolmogorov-Arnold networks resilient to generative adversarial attacks","volume":"182","author":"Sharmila","year":"2025","journal-title":"Appl. Soft Comput."},{"key":"10.1016\/j.ins.2026.123600_bib0105","first-page":"1","article-title":"AdvDetector: PDF adversarial sample detection based on path entropy and perturbation sensitivity","author":"Gao","year":"2026","journal-title":"IEEE Trans. Consum. 
Electron."},{"key":"10.1016\/j.ins.2026.123600_bib0110","series-title":"29th USENIX Security Symposium (USENIX Security 20)","first-page":"2343","article-title":"On training robust PDF malware classifiers","author":"Chen","year":"2020"},{"key":"10.1016\/j.ins.2026.123600_bib0115","series-title":"Proceedings of the 36th International Conference on Machine Learning, Volume 97 of Proceedings of Machine Learning Research","first-page":"1310","article-title":"Certified adversarial robustness via randomized smoothing","author":"Cohen","year":"2019"},{"key":"10.1016\/j.ins.2026.123600_bib0120","series-title":"Proceedings of the 37th International Conference on Machine Learning, Volume 119 of Proceedings of Machine Learning Research","first-page":"1003","article-title":"Efficient robustness certificates for discrete data: sparsity-aware randomized smoothing for graphs, images and more","author":"Bojchevski","year":"2020"},{"key":"10.1016\/j.ins.2026.123600_bib0125","series-title":"28th USENIX Security Symposium (USENIX Security 19)","first-page":"285","article-title":"Improving robustness of ML classifiers against realizable evasion attacks using conserved features","author":"Tong","year":"2019"},{"key":"10.1016\/j.ins.2026.123600_bib0130","article-title":"Towards robust detection of adversarial infection vectors: lessons learned in PDF malware","author":"Maiorca","year":"2018","journal-title":"CoRR"},{"key":"10.1016\/j.ins.2026.123600_bib0135","series-title":"Proceedings of the 33rd International Conference on Neural Information Processing Systems","first-page":"4910","article-title":"Tight certificates of adversarial robustness for randomly smoothed classifiers","author":"Lee","year":"2019"},{"key":"10.1016\/j.ins.2026.123600_bib0140","unstructured":"PDF-malware-parser, https:\/\/github.com\/mzweilin\/pdfrw"}],"container-title":["Information 
Sciences"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0020025526005311?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0020025526005311?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,6,6]],"date-time":"2026-06-06T12:45:33Z","timestamp":1780749933000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0020025526005311"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,10]]},"references-count":28,"alternative-id":["S0020025526005311"],"URL":"https:\/\/doi.org\/10.1016\/j.ins.2026.123600","relation":{},"ISSN":["0020-0255"],"issn-type":[{"value":"0020-0255","type":"print"}],"subject":[],"published":{"date-parts":[[2026,10]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"RobCert: Certifying robustness of malicious PDF detection against structure-aware evasion attacks","name":"articletitle","label":"Article Title"},{"value":"Information Sciences","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.ins.2026.123600","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 Elsevier Inc. All rights are reserved, including those for text and data mining, AI training, and similar technologies.","name":"copyright","label":"Copyright"}],"article-number":"123600"}}