{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T16:14:06Z","timestamp":1774541646031,"version":"3.50.1"},"reference-count":109,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"4","license":[{"start":{"date-parts":[[2025,7,1]],"date-time":"2025-07-01T00:00:00Z","timestamp":1751328000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2025,7,1]],"date-time":"2025-07-01T00:00:00Z","timestamp":1751328000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,7,1]],"date-time":"2025-07-01T00:00:00Z","timestamp":1751328000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. 
Dependable and Secure Comput."],"published-print":{"date-parts":[[2025,7]]},"DOI":"10.1109\/tdsc.2025.3542237","type":"journal-article","created":{"date-parts":[[2025,2,13]],"date-time":"2025-02-13T13:53:35Z","timestamp":1739454815000},"page":"3885-3900","source":"Crossref","is-referenced-by-count":5,"title":["Effectiveness of Moving Target Defenses for Adversarial Attacks in ML-Based Malware Detection"],"prefix":"10.1109","volume":"22","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3416-6861","authenticated-orcid":false,"given":"Aqib","family":"Rashid","sequence":"first","affiliation":[{"name":"Department of Informatics, King's College London, London, U.K."}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6041-178X","authenticated-orcid":false,"given":"Jose","family":"Such","sequence":"additional","affiliation":[{"name":"Department of Informatics, King's College London, London, U.K."}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.123"},{"key":"ref2","volume-title":"Machine Learning and Security: Protecting Systems With Data and Algorithms","author":"Chio","year":"2018"},{"key":"ref3","article-title":"Intriguing properties of neural networks","author":"Szegedy","year":"2014"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_23"},{"key":"ref6","article-title":"Adversarial attacks and defences: A survey","author":"Chakraborty","year":"2018"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.41"},{"key":"ref8","article-title":"Ensemble adversarial training: Attacks and defenses","author":"Tram\u00e8r","year":"2017"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23198"},{"key":"ref10","article-title":"Random feature nullification for adversary resistant deep architecture","author":"Wang","year":"2016"},{"key":"ref11","article-title":"Mitigating 
adversarial effects through randomization","author":"Xie","year":"2017"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-32430-8_28"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/3453158"},{"key":"ref14","article-title":"On evaluating adversarial robustness","author":"Carlini","year":"2019"},{"key":"ref15","first-page":"274","article-title":"Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Athalye"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-37231-6_22"},{"key":"ref17","article-title":"StratDef: Strategic defense against adversarial attacks in ML-based malware detection","volume-title":"Comput. Secur.","volume":"134","author":"Rashid","year":"2023"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/3517806"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/3485832.3485899"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/3469032"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2019.2963791"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1038\/nature14539"},{"key":"ref23","first-page":"5505","article-title":"DVERGE: Diversifying vulnerabilities for enhanced robust generation of ensembles","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Yang"},{"key":"ref24","first-page":"4970","article-title":"Improving adversarial robustness via promoting ensemble diversity","volume-title":"Proc. Int. Conf. Mach. 
Learn.","author":"Pang"},{"key":"ref25","article-title":"Improving adversarial robustness of ensembles with diversity training","author":"Kariyappa","year":"2019"},{"key":"ref26","article-title":"Adversarial perturbations against deep neural networks for malware classification","author":"Grosse","year":"2016"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2018.00020"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00035"},{"key":"ref29","article-title":"Decision-based adversarial attacks: Reliable attacks against black-box machine learning models","author":"Brendel","year":"2017"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/3385003.3410925"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00045"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427230"},{"key":"ref33","first-page":"2137","article-title":"Black-box adversarial attacks with limited queries and information","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Ilyas"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00130"},{"key":"ref35","first-page":"1332","article-title":"Intriguing properties of adversarial ML attacks in the problem space","volume-title":"Proc. IEEE Symp. Secur. Privacy","author":"Li"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-01258-8_10"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/3134600.3134642"},{"key":"ref38","first-page":"895","article-title":"Playing games for security: An efficient exact algorithm for solving Bayesian Stackelberg games","volume-title":"Proc. 7th Int. Joint Conf. Auton. 
Agents Multiagent Syst.","author":"Paruchuri"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9780511973031"},{"key":"ref40","article-title":"Survey of cyber moving targets second edition","author":"Ward","year":"2018"},{"key":"ref41","doi-asserted-by":"crossref","DOI":"10.1007\/978-1-4614-5416-8","volume-title":"Moving Target Defense II - Application of Game Theory and Adversarial Modeling","volume":"100","author":"Jajodia","year":"2013"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2013.137"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1109\/ISGT.2017.8085954"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/2995272.2995281"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1109\/ISRCS.2013.6623770"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/2995272.2995283"},{"key":"ref47","first-page":"178","article-title":"A game theoretic approach to strategy generation for moving target defense in web applications","volume-title":"Proc. 16th Conf. Auton. Agents MultiAgent Syst.","author":"Sengupta"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66402-6_11"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1609\/aimag.v40i2.2847"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1145\/3318216.3363338"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/3474370.3485661"},{"issue":"1","key":"ref52","first-page":"98","article-title":"Comparative analysis of voting schemes for ensemble-based malware detection","volume":"4","author":"Shahzad","year":"2013","journal-title":"J. 
Wireless Mobile Netw., Ubiquitous Comput., Dependable Appl."},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.36"},{"key":"ref54","article-title":"Explaining and harnessing adversarial examples","author":"Goodfellow","year":"2014"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66399-9_4"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/TNSE.2021.3051354"},{"key":"ref57","first-page":"197","article-title":"Practical evasion of a learning-based classifier: A case study","volume-title":"Proc. IEEE Symp. Secur. Privacy","author":"Laskov"},{"key":"ref58","article-title":"Delving into transferable adversarial examples and black-box attacks","author":"Liu","year":"2016"},{"key":"ref59","article-title":"On the (statistical) detection of adversarial examples","author":"Grosse","year":"2017"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2017.17"},{"key":"ref61","article-title":"Universal adversarial perturbations for malware","author":"Labaca-Castro","year":"2021"},{"key":"ref62","first-page":"3971","article-title":"Dos and don\u2019ts of machine learning in computer security","volume-title":"Proc. USENIX Secur. Symp.","author":"Arp"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2963724"},{"key":"ref64","first-page":"16246","article-title":"Robust learning against relational adversaries","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","author":"Wang"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/3503463"},{"key":"ref66","first-page":"625","article-title":"Transcend: Detecting concept drift in malware classification models","volume-title":"Proc. 26th USENIX Secur. Symp.","author":"Jordaney"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833659"},{"key":"ref68","first-page":"729","article-title":"TESSERACT: Eliminating experimental bias in malware classification across space and time","volume-title":"Proc. 
28th USENIX Conf. Secur. Symp.","author":"Pendlebury"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1145\/2901739.2903508"},{"key":"ref71","article-title":"Lief - library to instrument executable formats","author":"Thomas","year":"2017"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-40667-1_7"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2017.2700270"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00981"},{"key":"ref75","first-page":"7045","article-title":"Hierarchically structured meta-learning","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Yao"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.14"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/TCYB.2017.2777960"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.5555\/1953048.2078195"},{"key":"ref79","article-title":"Keras","author":"Chollet","year":"2015"},{"key":"ref80","article-title":"TensorFlow: Large-scale machine learning on heterogeneous systems","author":"Abadi","year":"2015"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1201\/9781351251389-8"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1109\/NCA.2017.8171381"},{"key":"ref83","first-page":"1487","article-title":"Explanation-guided backdoor poisoning attacks against malware classifiers","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Severi"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2007.21"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1109\/milcom.2018.8599855"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1145\/3484491"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00038"},{"key":"ref88","first-page":"2117","article-title":"Blacklight: Scalable defense for neural networks against query-based black-box attacks","volume-title":"Proc. 
31st USENIX Secur. Symp.","author":"Li"},{"key":"ref89","first-page":"321","article-title":"Why do adversarial attacks transfer? explaining transferability of evasion and poisoning attacks","volume-title":"Proc. 28th USENIX Secur. Symp.","author":"Demontis"},{"key":"ref90","article-title":"Transferability in machine learning: From phenomena to black-box attacks using adversarial samples","author":"Papernot","year":"2016"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3082330"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.5555\/3241094.3241142"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2018.07.023"},{"key":"ref95","article-title":"Adversarial machine learning in network intrusion detection domain: A systematic review","author":"Alatwi","year":"2021"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1145\/3474369.3486875"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1109\/ase.2019.00080"},{"key":"ref98","first-page":"2705","article-title":"Defeating DNN-based traffic analysis systems in real-time with blind adversarial perturbations","volume-title":"Proc. 30th USENIX Secur. Symp.","author":"Nasr"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23288"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1145\/3183440.3195004"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-Companion.2019.00110"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-04342-0_2"},{"issue":"3","key":"ref103","article-title":"A survey of attacks against twitter spam detectors in an adversarial environment","volume-title":"Robotics","volume":"8","author":"Imam","year":"2019"},{"key":"ref104","article-title":"Adversarial example defense: Ensembles of weak defenses are not strong","volume-title":"Proc. 
11th USENIX Workshop Offensive Technol.","author":"He"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1109\/SPW54247.2022.9833895"},{"key":"ref106","doi-asserted-by":"publisher","DOI":"10.1109\/MILCOM52596.2021.9652915"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243829"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00039"},{"key":"ref109","article-title":"Enhancing deep neural networks against adversarial malware examples","author":"Li","year":"2020"}],"container-title":["IEEE Transactions on Dependable and Secure Computing"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/8858\/11077775\/10887112.pdf?arnumber=10887112","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,11]],"date-time":"2025-07-11T22:48:45Z","timestamp":1752274125000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10887112\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7]]},"references-count":109,"journal-issue":{"issue":"4"},"URL":"https:\/\/doi.org\/10.1109\/tdsc.2025.3542237","relation":{},"ISSN":["1545-5971","1941-0018","2160-9209"],"issn-type":[{"value":"1545-5971","type":"print"},{"value":"1941-0018","type":"electronic"},{"value":"2160-9209","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,7]]}}}