{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,14]],"date-time":"2026-03-14T18:00:19Z","timestamp":1773511219838,"version":"3.50.1"},"reference-count":90,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2023]]},"DOI":"10.1109\/tifs.2023.3293959","type":"journal-article","created":{"date-parts":[[2023,7,10]],"date-time":"2023-07-10T18:56:32Z","timestamp":1689015392000},"page":"4361-4376","source":"Crossref","is-referenced-by-count":15,"title":["MalProtect: Stateful Defense Against Adversarial Query Attacks in ML-Based Malware Detection"],"prefix":"10.1109","volume":"18","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3416-6861","authenticated-orcid":false,"given":"Aqib","family":"Rashid","sequence":"first","affiliation":[{"name":"Department of Informatics, King&#x2019;s College London, Strand Campus, London, U.K"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6041-178X","authenticated-orcid":false,"given":"Jose","family":"Such","sequence":"additional","affiliation":[{"name":"Department of Informatics, King&#x2019;s College London, Strand Campus, London, U.K"}]}],"member":"263","reference":[{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00073"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2019.2963724"},{"key":"ref12","first-page":"2137","article-title":"Black-box adversarial attacks with limited queries and information","author":"ilyas","year":"2018","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref56","first-page":"3971","article-title":"Dos and don&#x2019;ts of machine learning in computer security","author":"arp","year":"2022","journal-title":"Proc Usenix Secur Symp"},{"key":"ref15","article-title":"The malicious use of artificial intelligence: Forecasting, prevention, and mitigation","author":"brundage","year":"2018","journal-title":"arXiv 1802 07228"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/3503463"},{"key":"ref14","article-title":"Unsolved problems in ML safety","author":"hendrycks","year":"2021","journal-title":"arXiv 2109 13916"},{"key":"ref58","first-page":"16246","article-title":"Robust learning against relational adversaries","author":"wang","year":"2022","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/3439950"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1016\/j.neunet.2014.09.003"},{"key":"ref11","first-page":"479","article-title":"MTDeep: Boosting the security of deep neural nets against adversarial attacks with moving target defense","author":"sengupta","year":"2018","journal-title":"Proc 32nd AAAI Conf Artif Intell"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1287\/opre.15.3.537"},{"key":"ref10","article-title":"Ensemble adversarial training: Attacks and defenses","author":"tram\u00e8r","year":"2017","journal-title":"arXiv 1705 07204"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00179"},{"key":"ref17","first-page":"2117","article-title":"Blacklight: Scalable defense for neural networks against query-based black-box attacks","author":"li","year":"2022","journal-title":"Proc 31st USENIX Secur Symp"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1145\/3385003.3410925"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR42600.2020.00085"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00044"},{"key":"ref51","doi-asserted-by":"crossref","first-page":"88","DOI":"10.1080\/00031305.1994.10476030","article-title":"The three sigma rule","volume":"48","author":"pukelsheim","year":"1994","journal-title":"Amer Statistician"},{"key":"ref50","article-title":"How to build realistic machine learning systems for security?","author":"afroz","year":"2020"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.3390\/robotics8030050"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/3433667.3433669"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1109\/TNSE.2021.3051354"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-04342-0_2"},{"key":"ref48","first-page":"399","article-title":"SoK: Security and privacy in machine learning","author":"papernot","year":"2018","journal-title":"Proc IEEE Symp Privacy Secur"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.20"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1145\/3134600.3134642"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00039"},{"key":"ref41","first-page":"1487","article-title":"Explanation-guided backdoor poisoning attacks against malware classifiers","author":"severi","year":"2021","journal-title":"Proc 30th USENIX Secur Symp"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243829"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-37231-6_22"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-Companion.2019.00110"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2019.00015"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1145\/3183440.3195004"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-40667-1_7"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427230"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00045"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.41"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"ref3","article-title":"Intriguing properties of neural networks","author":"szegedy","year":"2013","journal-title":"arXiv 1312 6199"},{"key":"ref6","article-title":"Decision-based adversarial attacks: Reliable attacks against black-box machine learning models","author":"brendel","year":"2017","journal-title":"arXiv 1712 04248"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_23"},{"key":"ref82","first-page":"1633","article-title":"On adaptive attacks to adversarial example defenses","volume":"33","author":"tramer","year":"2020","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref81","first-page":"1","article-title":"A unified approach to interpreting model predictions","volume":"30","author":"lundberg","year":"2017","journal-title":"Proc Adv Neural Inf Process Syst"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1145\/3379443"},{"key":"ref83","article-title":"Attack and defense of dynamic analysis-based, adversarial neural malware classification models","author":"stokes","year":"2017","journal-title":"arXiv 1712 05919"},{"key":"ref80","article-title":"SoK: Explainable machine learning for computer security applications","author":"nadeem","year":"2022","journal-title":"arXiv 2208 10605"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3010274"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.36"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3560830.3563727"},{"key":"ref78","article-title":"Gradient similarity: An explainable approach to detect adversarial attacks against deep learning","author":"dhaliwal","year":"2018","journal-title":"arXiv 1806 10707"},{"key":"ref37","article-title":"Improving adversarial robustness of ensembles with diversity training","author":"kariyappa","year":"2019","journal-title":"arXiv 1901 09981"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.17487\/rfc1636"},{"key":"ref31","first-page":"98","article-title":"Comparative analysis of voting schemes for ensemble-based malware detection","volume":"4","author":"shahzad","year":"2013","journal-title":"J Wireless Mobile Netw Ubiquitous Comput Dependable Appl"},{"key":"ref75","article-title":"Adversarial examples in the physical world","author":"kurakin","year":"2016","journal-title":"Proc 5th ICLR Worshop Track"},{"key":"ref30","article-title":"StratDef: Strategic defense against adversarial attacks in ML-based malware detection","author":"rashid","year":"2022","journal-title":"arXiv 2202 07568"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2007.21"},{"key":"ref33","first-page":"274","article-title":"Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples","author":"athalye","year":"2018","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref77","article-title":"Explaining and harnessing adversarial examples","author":"goodfellow","year":"2014","journal-title":"arXiv 1412 6572"},{"key":"ref32","article-title":"On evaluating adversarial robustness","author":"carlini","year":"2019","journal-title":"arXiv 1902 06705"},{"key":"ref76","article-title":"On the (statistical) detection of adversarial examples","author":"grosse","year":"2017","journal-title":"arXiv 1702 06280"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24178"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/SaTML54575.2023.00031"},{"key":"ref39","first-page":"1","article-title":"Policy-driven attack: Learning to query for hard-label black-box adversarial examples","author":"yan","year":"2021","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref38","doi-asserted-by":"crossref","first-page":"251","DOI":"10.1007\/3-540-45748-8_24","article-title":"The Sybil attack","author":"douceur","year":"2002","journal-title":"Proc of the 1st Int Workshop on Peer-to-Peer Syst"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1145\/3128572.3140448"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1016\/S1532-0464(03)00034-0"},{"key":"ref73","article-title":"A framework for enhancing deep neural networks against adversarial malware","author":"li","year":"2020","journal-title":"arXiv 2004 07919"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1109\/NCA.2017.8171381"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66399-9_4"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1109\/TCYB.2017.2777960"},{"key":"ref23","first-page":"387","article-title":"Evasion attacks against machine learning at test time","author":"biggio","year":"2013","journal-title":"Proc Eur Conf Mach Learn Knowl Discovery Databases"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.14"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2018.00020"},{"key":"ref25","article-title":"Adversarial perturbations against deep neural networks for malware classification","author":"grosse","year":"2016","journal-title":"arXiv 1606 04435"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1145\/3485832.3485899"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-62144-5_4"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"key":"ref63","first-page":"468","article-title":"AndroZoo: Collecting Millions of Android Apps for the Research Community","author":"allix","year":"2016","journal-title":"2016 IEEE\/ACM 13th Conference on Mining Software Repositories (MSR)"},{"key":"ref22","article-title":"Stateful detection of model extraction attacks","author":"pal","year":"2021","journal-title":"arXiv 2107 05166"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2019.00981"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/3474369.3486863"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01040"},{"key":"ref28","first-page":"4970","article-title":"Improving adversarial robustness via promoting ensemble diversity","author":"pang","year":"2019","journal-title":"Proc Int Conf Mach Learn"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2017.2700270"},{"key":"ref29","article-title":"Voting based ensemble improves robustness of defensive models","author":"cheng","year":"2020","journal-title":"arXiv 2011 14031"},{"key":"ref60","first-page":"625","article-title":"Transcend: Detecting concept drift in malware classification models","author":"jordaney","year":"2017","journal-title":"Proc 26th USENIX Secur Symp"},{"key":"ref62","first-page":"729","article-title":"TESSERACT: Eliminating experimental bias in malware classification across space and time","author":"pendlebury","year":"2019","journal-title":"Proc 28th USENIX Conf Secur Symp"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833659"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10206\/9970396\/10177782.pdf?arnumber=10177782","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,10,23]],"date-time":"2024-10-23T22:43:13Z","timestamp":1729723393000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10177782\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023]]},"references-count":90,"URL":"https:\/\/doi.org\/10.1109\/tifs.2023.3293959","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"value":"1556-6013","type":"print"},{"value":"1556-6021","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023]]}}}