{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,29]],"date-time":"2026-06-29T15:26:44Z","timestamp":1782746804128,"version":"3.54.5"},"reference-count":99,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2022,4,9]],"date-time":"2022-04-09T00:00:00Z","timestamp":1649462400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key R&D Program of China","doi-asserted-by":"crossref","award":["2020AAA0109400"],"award-info":[{"award-number":["2020AAA0109400"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62072007, 61832009, 61620106007"],"award-info":[{"award-number":["62072007, 61832009, 61620106007"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Canada CIFAR AI Program"},{"name":"NSERC Discovery Grant of Natural Sciences and Engineering Research Council of Canada"},{"name":"JSPS KAKENHI","award":["20H04168"],"award-info":[{"award-number":["20H04168"]}]},{"DOI":"10.13039\/501100020959","name":"JST-Mirai Program","doi-asserted-by":"crossref","award":["JPMJMI20B8"],"award-info":[{"award-number":["JPMJMI20B8"]}],"id":[{"id":"10.13039\/501100020959","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2022,7,31]]},"abstract":"<jats:p>Deep learning (DL) has recently been widely applied to diverse source code processing tasks in the software engineering (SE) community, which achieves competitive performance (e.g., accuracy). However, the robustness, which requires the model to produce consistent decisions given minorly perturbed code inputs, still lacks systematic investigation as an important quality indicator. This article initiates an early step and proposes a framework CARROT for robustness detection, measurement, and enhancement of DL models for source code processing. We first propose an optimization-based attack technique CARROT<jats:sub>A<\/jats:sub>to generate valid adversarial source code examples effectively and efficiently. Based on this, we define the robustness metrics and propose robustness measurement toolkit CARROT<jats:sub>M<\/jats:sub>, which employs the worst-case performance approximation under the allowable perturbations. We further propose to improve the robustness of the DL models by adversarial training (CARROT<jats:sub>T<\/jats:sub>) with our proposed attack techniques. Our in-depth evaluations on three source code processing tasks (i.e., functionality classification, code clone detection, defect prediction) containing more than 3 million lines of code and the classic or SOTA DL models, including GRU, LSTM, ASTNN, LSCNN, TBCNN, CodeBERT, and CDLH, demonstrate the usefulness of our techniques for \u2776 effective and efficient adversarial example detection, \u2777 tight robustness estimation, and \u2778 effective robustness enhancement.<\/jats:p>","DOI":"10.1145\/3511887","type":"journal-article","created":{"date-parts":[[2022,1,31]],"date-time":"2022-01-31T17:28:25Z","timestamp":1643650105000},"page":"1-40","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":54,"title":["Towards Robustness of Deep Program Processing Models\u2014Detection, Estimation, and Enhancement"],"prefix":"10.1145","volume":"31","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0324-4591","authenticated-orcid":false,"given":"Huangzhao","family":"Zhang","sequence":"first","affiliation":[{"name":"Peking University, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0260-6404","authenticated-orcid":false,"given":"Zhiyi","family":"Fu","sequence":"additional","affiliation":[{"name":"Peking University, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5828-0186","authenticated-orcid":false,"given":"Ge","family":"Li","sequence":"additional","affiliation":[{"name":"Peking University, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8621-2420","authenticated-orcid":false,"given":"Lei","family":"Ma","sequence":"additional","affiliation":[{"name":"University of Alberta, Canada"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6975-8352","authenticated-orcid":false,"given":"Zhehao","family":"Zhao","sequence":"additional","affiliation":[{"name":"Peking University, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8502-7760","authenticated-orcid":false,"given":"Hua\u2019an","family":"Yang","sequence":"additional","affiliation":[{"name":"Peking University, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5500-0858","authenticated-orcid":false,"given":"Yizhe","family":"Sun","sequence":"additional","affiliation":[{"name":"Peking University, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7300-9215","authenticated-orcid":false,"given":"Yang","family":"Liu","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1087-226X","authenticated-orcid":false,"given":"Zhi","family":"Jin","sequence":"additional","affiliation":[{"name":"Peking University, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2022,4,9]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/3212695"},{"key":"e_1_3_2_3_2","first-page":"2091","volume-title":"Proceedings of the 33rd International Conference on Machine Learning","author":"Allamanis Miltiadis","year":"2016","unstructured":"Miltiadis Allamanis, Hao Peng, and Charles A. Sutton. 2016. A convolutional attention network for extreme summarization of source code. In Proceedings of the 33rd International Conference on Machine Learning. JMLR.org, 2091\u20132100. Retrieved from http:\/\/proceedings.mlr.press\/v48\/allamanis16.html."},{"key":"e_1_3_2_4_2","volume-title":"Proceedings of the 7th International Conference on Learning Representations","author":"Alon Uri","year":"2019","unstructured":"Uri Alon, Shaked Brody, Omer Levy, and Eran Yahav. 2019. code2seq: Generating sequences from structured representations of code. In Proceedings of the 7th International Conference on Learning Representations. OpenReview.net. Retrieved from https:\/\/openreview.net\/forum?id=H1gKYo09tX."},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/3290353"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/d18-1316"},{"key":"e_1_3_2_7_2","first-page":"102","volume-title":"Proceedings of the 5th International Conference on Electronic Commerce Research (ICECR\u201902)","author":"Arboit Genevieve","year":"2002","unstructured":"Genevieve Arboit. 2002. A method for watermarking Java programs via opaque predicates. In Proceedings of the 5th International Conference on Electronic Commerce Research (ICECR\u201902). Citeseer, 102\u2013110."},{"key":"e_1_3_2_8_2","volume-title":"Proceedings of the 3rd International Conference on Learning Representations","author":"Bahdanau Dzmitry","year":"2015","unstructured":"Dzmitry Bahdanau, Kyunghyun Cho, and Yoshua Bengio. 2015. Neural machine translation by jointly learning to align and translate. In Proceedings of the 3rd International Conference on Learning Representations. Retrieved from http:\/\/arxiv.org\/abs\/1409.0473."},{"key":"e_1_3_2_9_2","article-title":"Security evaluation of support vector machines in adversarial environments","volume":"1401","author":"Biggio Battista","year":"2014","unstructured":"Battista Biggio, Igino Corona, Blaine Nelson, Benjamin I. P. Rubinstein, Davide Maiorca, Giorgio Fumera, Giorgio Giacinto, and Fabio Roli. 2014. Security evaluation of support vector machines in adversarial environments. CoRR abs\/1401.7727 (2014).","journal-title":"CoRR"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1007\/s13042-010-0007-7"},{"key":"e_1_3_2_11_2","article-title":"Security evaluation of pattern classifiers under attack","volume":"1709","author":"Biggio Battista","year":"2017","unstructured":"Battista Biggio, Giorgio Fumera, and Fabio Roli. 2017. Security evaluation of pattern classifiers under attack. CoRR abs\/1709.00609 (2017).","journal-title":"CoRR"},{"key":"e_1_3_2_12_2","first-page":"97","volume-title":"Proceedings of the 3rd Asian Conference on Machine Learning","author":"Biggio Battista","year":"2011","unstructured":"Battista Biggio, Blaine Nelson, and Pavel Laskov. 2011. Support vector machines under adversarial label noise. In Proceedings of the 3rd Asian Conference on Machine Learning. JMLR.org, 97\u2013112. Retrieved from http:\/\/proceedings.mlr.press\/v20\/biggio11\/biggio11.pdf."},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2018.07.023"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.5555\/2503308.2503326"},{"key":"e_1_3_2_15_2","first-page":"831","volume-title":"Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research)","volume":"97","author":"Bubeck S\u00e9bastien","year":"2019","unstructured":"S\u00e9bastien Bubeck, Yin Tat Lee, Eric Price, and Ilya P. Razenshteyn. 2019. Adversarial examples from computational constraints. In Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research), Kamalika Chaudhuri and Ruslan Salakhutdinov (Eds.), Vol. 97. PMLR, 831\u2013840. Retrieved from http:\/\/proceedings.mlr.press\/v97\/bubeck19a.html."},{"key":"e_1_3_2_16_2","article-title":"Piecewise linear neural network verification: A comparative study","volume":"1711","author":"Bunel Rudy","year":"2017","unstructured":"Rudy Bunel, Ilker Turkaslan, Philip H. S. Torr, Pushmeet Kohli, and M. Pawan Kumar. 2017. Piecewise linear neural network verification: A comparative study. CoRR abs\/1711.00455 (2017).","journal-title":"CoRR"},{"key":"e_1_3_2_17_2","article-title":"Extracting training data from large language models","volume":"2012","author":"Carlini Nicholas","year":"2020","unstructured":"Nicholas Carlini, Florian Tram\u00e8r, Eric Wallace, Matthew Jagielski, Ariel Herbert-Voss, Katherine Lee, Adam Roberts, Tom B. Brown, Dawn Song, \u00dalfar Erlingsson, Alina Oprea, and Colin Raffel. 2020. Extracting training data from large language models. CoRR abs\/2012.07805 (2020).","journal-title":"CoRR"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2018.00009"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1016\/S0164-1212(02)00066-3"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1145\/3363562"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-68167-2_18"},{"issue":"4","key":"e_1_3_2_23_2","doi-asserted-by":"crossref","first-page":"327","DOI":"10.1080\/00031305.1995.10476177","article-title":"Understanding the Metropolis-Hastings algorithm","volume":"49","author":"Chib Siddhartha","year":"1995","unstructured":"Siddhartha Chib and Edward Greenberg. 1995. Understanding the Metropolis-Hastings algorithm. Amer. Statist. 49, 4 (1995), 327\u2013335.","journal-title":"Amer. Statist."},{"key":"e_1_3_2_24_2","volume-title":"A Taxonomy of Obfuscating Transformations","author":"Collberg Christian","year":"1997","unstructured":"Christian Collberg, Clark Thomborson, and Douglas Low. 1997. A Taxonomy of Obfuscating Transformations. Technical Report. Citeseer."},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCES.2010.5674830"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/C-M.1978.218136"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338954"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/P18-2006"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2020.findings-emnlp.139"},{"key":"e_1_3_2_30_2","unstructured":"BooFuzz Framework. 2021. Retrieved from https:\/\/github.com\/jtpereyda\/boofuzz."},{"key":"e_1_3_2_31_2","unstructured":"Sulley Fuzzing Framework. 2017. Retrieved from https:\/\/github.com\/OpenRCE\/sulley."},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-013-9299-z"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1145\/2483760.2483773"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115618"},{"key":"e_1_3_2_35_2","volume-title":"Proceedings of the 3rd International Conference on Learning Representations","author":"Goodfellow Ian J.","year":"2015","unstructured":"Ian J. Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. In Proceedings of the 3rd International Conference on Learning Representations. Retrieved from http:\/\/arxiv.org\/abs\/1412.6572."},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950334"},{"key":"e_1_3_2_37_2","first-page":"11861","volume-title":"Proceedings of the Conference on Neural Information Processing Systems","author":"Gupta Rahul","year":"2019","unstructured":"Rahul Gupta, Aditya Kanade, and Shirish K. Shevade. 2019. Neural attribution for semantic bug-localization in student programs. In Proceedings of the Conference on Neural Information Processing Systems. 11861\u201311871. Retrieved from http:\/\/papers.nips.cc\/paper\/9358-neural-attribution-for-semantic-bug-localization-in-student-programs."},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.1977.231145"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1093\/biomet\/57.1.97"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3236051"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196321.3196334"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/D19-1419"},{"key":"e_1_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2017\/265"},{"key":"e_1_3_2_44_2","article-title":"CodeSearchNet challenge: Evaluating the state of semantic code search","volume":"1909","author":"Husain Hamel","year":"2019","unstructured":"Hamel Husain, Ho-Hsiang Wu, Tiferet Gazit, Miltiadis Allamanis, and Marc Brockschmidt. 2019. CodeSearchNet challenge: Evaluating the state of semantic code search. CoRR abs\/1909.09436 (2019).","journal-title":"CoRR"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/d17-1215"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-63387-9_5"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00108"},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.5555\/2503308.2503359"},{"key":"e_1_3_2_49_2","series-title":"Proceedings of the 36th International Conference on Machine Learning","first-page":"3468","volume":"97","author":"Ko Ching-Yun","year":"2019","unstructured":"Ching-Yun Ko, Zhaoyang Lyu, Lily Weng, Luca Daniel, Ngai Wong, and Dahua Lin. 2019. POPQORN: Quantifying robustness of recurrent neural networks. In Proceedings of the 36th International Conference on Machine Learning. (Proceedings of Machine Learning Research), Kamalika Chaudhuri and Ruslan Salakhutdinov (Eds.), Vol. 97. PMLR, 3468\u20133477. Retrieved from http:\/\/proceedings.mlr.press\/v97\/ko19a.html."},{"key":"e_1_3_2_50_2","volume-title":"Proceedings of the 5th International Conference on Learning Representations","author":"Kurakin Alexey","year":"2017","unstructured":"Alexey Kurakin, Ian J. Goodfellow, and Samy Bengio. 2017. Adversarial examples in the physical world. In Proceedings of the 5th International Conference on Learning Representations. OpenReview.net. Retrieved from https:\/\/openreview.net\/forum?id=HJGU3Rodl."},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594334"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1145\/2814270.2814319"},{"key":"e_1_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3417926"},{"key":"e_1_3_2_54_2","article-title":"Code completion with neural attention and pointer networks","volume":"1711","author":"Li Jian","year":"2017","unstructured":"Jian Li, Yue Wang, Irwin King, and Michael R. Lyu. 2017. Code completion with neural attention and pointer networks. CoRR abs\/1711.09573 (2017).","journal-title":"CoRR"},{"key":"e_1_3_2_55_2","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-018-0002-y"},{"key":"e_1_3_2_56_2","doi-asserted-by":"publisher","DOI":"10.1145\/2737924.2737986"},{"key":"e_1_3_2_57_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.01168"},{"key":"e_1_3_2_58_2","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948149"},{"key":"e_1_3_2_59_2","doi-asserted-by":"publisher","DOI":"10.1145\/332084.332092"},{"key":"e_1_3_2_60_2","article-title":"CodeXGLUE: A machine learning benchmark dataset for code understanding and generation","volume":"2102","author":"Lu Shuai","year":"2021","unstructured":"Shuai Lu, Daya Guo, Shuo Ren, Junjie Huang, Alexey Svyatkovskiy, Ambrosio Blanco, Colin B. Clement, Dawn Drain, Daxin Jiang, Duyu Tang, Ge Li, Lidong Zhou, Linjun Shou, Long Zhou, Michele Tufano, Ming Gong, Ming Zhou, Nan Duan, Neel Sundaresan, Shao Kun Deng, Shengyu Fu, and Shujie Liu. 2021. CodeXGLUE: A machine learning benchmark dataset for code understanding and generation. CoRR abs\/2102.04664 (2021).","journal-title":"CoRR"},{"key":"e_1_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238202"},{"key":"e_1_3_2_62_2","doi-asserted-by":"publisher","DOI":"10.1063\/1.1699114"},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.5555\/3015812.3016002"},{"key":"e_1_3_2_64_2","first-page":"1293","article-title":"Query strategies for evading convex-inducing classifiers","volume":"13","author":"Nelson Blaine","year":"2012","unstructured":"Blaine Nelson, Benjamin I. P. Rubinstein, Ling Huang, Anthony D. Joseph, Steven J. Lee, Satish Rao, and J. D. Tygar. 2012. Query strategies for evading convex-inducing classifiers. J. Mach. Learn. Res. 13 (2012), 1293\u20131332. Retrieved from http:\/\/dl.acm.org\/citation.cfm?id=2343688.","journal-title":"J. Mach. Learn. Res."},{"key":"e_1_3_2_65_2","doi-asserted-by":"publisher","DOI":"10.1145\/2896941.2896944"},{"key":"e_1_3_2_66_2","first-page":"4901","volume-title":"Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research)","volume":"97","author":"Odena Augustus","year":"2019","unstructured":"Augustus Odena, Catherine Olsson, David G. Andersen, and Ian J. Goodfellow. 2019. TensorFuzz: Debugging neural networks with coverage-guided fuzzing. In Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research), Kamalika Chaudhuri and Ruslan Salakhutdinov (Eds.), Vol. 97. PMLR, 4901\u20134911. Retrieved from http:\/\/proceedings.mlr.press\/v97\/odena19a.html."},{"key":"e_1_3_2_67_2","doi-asserted-by":"publisher","DOI":"10.1145\/1022494.1022529"},{"key":"e_1_3_2_68_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.36"},{"key":"e_1_3_2_69_2","doi-asserted-by":"publisher","DOI":"10.1145\/3132747.3132785"},{"key":"e_1_3_2_70_2","volume-title":"Proceedings of the 16th USENIX Security Symposium","author":"Popov Igor V.","year":"2007","unstructured":"Igor V. Popov, Saumya K. Debray, and Gregory R. Andrews. 2007. Binary obfuscation using signals. In Proceedings of the 16th USENIX Security Symposium. USENIX Association. Retrieved from https:\/\/www.usenix.org\/conference\/16th-usenix-security-symposium\/binary-obfuscation-using-signals."},{"key":"e_1_3_2_71_2","first-page":"5231","volume-title":"Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research)","volume":"97","author":"Qin Yao","year":"2019","unstructured":"Yao Qin, Nicholas Carlini, Garrison W. Cottrell, Ian J. Goodfellow, and Colin Raffel. 2019. Imperceptible, robust, and targeted adversarial examples for automatic speech recognition. In Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research), Kamalika Chaudhuri and Ruslan Salakhutdinov (Eds.), Vol. 97. PMLR, 5231\u20135240. Retrieved from http:\/\/proceedings.mlr.press\/v97\/qin19a.html."},{"key":"e_1_3_2_72_2","article-title":"Not all bytes are equal: Neural byte sieve for fuzzing","volume":"1711","author":"Rajpal Mohit","year":"2017","unstructured":"Mohit Rajpal, William Blum, and Rishabh Singh. 2017. Not all bytes are equal: Neural byte sieve for fuzzing. CoRR abs\/1711.04596 (2017).","journal-title":"CoRR"},{"key":"e_1_3_2_73_2","volume-title":"Proceedings of the Network and Distributed System Security Symposium","author":"Sharif Monirul I.","year":"2008","unstructured":"Monirul I. Sharif, Andrea Lanzi, Jonathon T. Giffin, and Wenke Lee. 2008. Impeding malware analysis using conditional code obfuscation. In Proceedings of the Network and Distributed System Security Symposium. The Internet Society. Retrieved from https:\/\/www.ndss-symposium.org\/ndss2008\/impeding-malware-analysis-using-conditional-code-obfuscation\/."},{"key":"e_1_3_2_74_2","doi-asserted-by":"publisher","DOI":"10.1145\/2983990.2984038"},{"key":"e_1_3_2_75_2","doi-asserted-by":"publisher","DOI":"10.21437\/Interspeech.2018-1247"},{"key":"e_1_3_2_76_2","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238172"},{"key":"e_1_3_2_77_2","volume-title":"Proceedings of the 2nd International Conference on Learning Representations","author":"Szegedy Christian","year":"2014","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian J. Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. In Proceedings of the 2nd International Conference on Learning Representations. Retrieved from http:\/\/arxiv.org\/abs\/1312.6199."},{"key":"e_1_3_2_78_2","doi-asserted-by":"publisher","DOI":"10.3115\/v1\/p15-1150"},{"key":"e_1_3_2_79_2","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180220"},{"key":"e_1_3_2_80_2","first-page":"5998","volume-title":"Proceedings of the Annual Conference on Neural Information Processing Systems","author":"Vaswani Ashish","year":"2017","unstructured":"Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N. Gomez, Lukasz Kaiser, and Illia Polosukhin. 2017. Attention is all you need. In Proceedings of the Annual Conference on Neural Information Processing Systems. 5998\u20136008. Retrieved from https:\/\/proceedings.neurips.cc\/paper\/2017\/hash\/3f5ee243547dee91fbd053c1c4a845aa-Abstract.html."},{"key":"e_1_3_2_81_2","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3240474"},{"key":"e_1_3_2_82_2","first-page":"6555","volume-title":"Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research)","volume":"97","author":"Wang Dilin","year":"2019","unstructured":"Dilin Wang, ChengYue Gong, and Qiang Liu. 2019. Improving neural language modeling via adversarial training. In Proceedings of the 36th International Conference on Machine Learning (Proceedings of Machine Learning Research), Kamalika Chaudhuri and Ruslan Salakhutdinov (Eds.), Vol. 97. PMLR, 6555\u20136565. Retrieved from http:\/\/proceedings.mlr.press\/v97\/wang19f.html."},{"key":"e_1_3_2_83_2","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/522"},{"key":"e_1_3_2_84_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER48275.2020.9054857"},{"key":"e_1_3_2_85_2","article-title":"Information laundering for model privacy","volume":"2009","author":"Wang Xinran","year":"2020","unstructured":"Xinran Wang, Yu Xiang, Jun Gao, and Jie Ding. 2020. Information laundering for model privacy. CoRR abs\/2009.06112 (2020).","journal-title":"CoRR"},{"key":"e_1_3_2_86_2","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2017\/423"},{"key":"e_1_3_2_87_2","first-page":"5273","volume-title":"Proceedings of the 35th International Conference on Machine Learning (Proceedings of Machine Learning Research)","volume":"80","author":"Weng Tsui-Wei","year":"2018","unstructured":"Tsui-Wei Weng, Huan Zhang, Hongge Chen, Zhao Song, Cho-Jui Hsieh, Luca Daniel, Duane S. Boning, and Inderjit S. Dhillon. 2018. Towards fast computation of certified robustness for ReLU networks. In Proceedings of the 35th International Conference on Machine Learning (Proceedings of Machine Learning Research), Jennifer G. Dy and Andreas Krause (Eds.), Vol. 80. PMLR, 5273\u20135282. Retrieved from http:\/\/proceedings.mlr.press\/v80\/weng18a.html."},{"key":"e_1_3_2_88_2","unstructured":"Fuzzing with Spike. 2017. Retrieved from https:\/\/samsclass.info\/127\/proj\/p18-spike.htm."},{"key":"e_1_3_2_89_2","first-page":"5283","volume-title":"Proceedings of the 35th International Conference on Machine Learning (Proceedings of Machine Learning Research)","volume":"80","author":"Wong Eric","year":"2018","unstructured":"Eric Wong and J. Zico Kolter. 2018. Provable defenses against adversarial examples via the convex outer adversarial polytope. In Proceedings of the 35th International Conference on Machine Learning (Proceedings of Machine Learning Research), Jennifer G. Dy and Andreas Krause (Eds.), Vol. 80. PMLR, 5283\u20135292. Retrieved from http:\/\/proceedings.mlr.press\/v80\/wong18a.html."},{"key":"e_1_3_2_90_2","unstructured":"Gregory Wroblewski. 2002. General method of program code obfuscation. (2002)."},{"key":"e_1_3_2_91_2","article-title":"Verification for machine learning, autonomy, and neural networks survey","volume":"1810","author":"Xiang Weiming","year":"2018","unstructured":"Weiming Xiang, Patrick Musau, Ayana A. Wild, Diego Manzanas Lopez, Nathaniel Hamilton, Xiaodong Yang, Joel A. Rosenfeld, and Taylor T. Johnson. 2018. Verification for machine learning, autonomy, and neural networks survey. CoRR abs\/1810.01989 (2018).","journal-title":"CoRR"},{"key":"e_1_3_2_92_2","doi-asserted-by":"publisher","DOI":"10.1145\/3293882.3330579"},{"key":"e_1_3_2_93_2","article-title":"On secure and usable program obfuscation: A survey","volume":"1710","author":"Xu Hui","year":"2017","unstructured":"Hui Xu, Yangfan Zhou, Yu Kang, and Michael R. Lyu. 2017. On secure and usable program obfuscation: A survey. CoRR abs\/1710.01139 (2017).","journal-title":"CoRR"},{"key":"e_1_3_2_94_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i01.5469"},{"key":"e_1_3_2_95_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/p19-1559"},{"key":"e_1_3_2_96_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00086"},{"key":"e_1_3_2_97_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2019.2962027"},{"key":"e_1_3_2_98_2","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238187"},{"key":"e_1_3_2_99_2","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE5003.2020.00035"},{"key":"e_1_3_2_100_2","first-page":"208","volume-title":"Proceedings of the IASTED International Conference on Communication, Network and Information Security","author":"Zhu William","year":"2005","unstructured":"William Zhu and Clark Thomborson. 2005. A provable scheme for homomorphic obfuscation in software security. In Proceedings of the IASTED International Conference on Communication, Network and Information Security. 208\u2013212."}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3511887","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3511887","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3511887","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:48:50Z","timestamp":1750182530000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3511887"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4,9]]},"references-count":99,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2022,7,31]]}},"alternative-id":["10.1145\/3511887"],"URL":"https:\/\/doi.org\/10.1145\/3511887","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,4,9]]},"assertion":[{"value":"2020-10-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-11-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-04-09","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}