{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,14]],"date-time":"2026-05-14T20:08:21Z","timestamp":1778789301194,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":61,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,2,6]],"date-time":"2024-02-06T00:00:00Z","timestamp":1707177600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,2,6]]},"DOI":"10.1145\/3597503.3623325","type":"proceedings-article","created":{"date-parts":[[2024,2,6]],"date-time":"2024-02-06T20:53:16Z","timestamp":1707252796000},"page":"1-13","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":13,"title":["DEMISTIFY: Identifying On-device Machine Learning Models Stealing and Reuse Vulnerabilities in Mobile Apps"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-2041-087X","authenticated-orcid":false,"given":"Pengcheng","family":"Ren","sequence":"first","affiliation":[{"name":"Shandong University, Jinan, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3581-1500","authenticated-orcid":false,"given":"Chaoshun","family":"Zuo","sequence":"additional","affiliation":[{"name":"Ohio State University, Columbus, Ohio, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-6147-7119","authenticated-orcid":false,"given":"Xiaofeng","family":"Liu","sequence":"additional","affiliation":[{"name":"Shandong University, Jinan, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0916-8806","authenticated-orcid":false,"given":"Wenrui","family":"Diao","sequence":"additional","affiliation":[{"name":"Shandong University, Jinan, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0163-2846","authenticated-orcid":false,"given":"Qingchuan","family":"Zhao","sequence":"additional","affiliation":[{"name":"City University of Hong Kong, Hong Kong, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3367-0951","authenticated-orcid":false,"given":"Shanqing","family":"Guo","sequence":"additional","affiliation":[{"name":"Shandong University, Jinan, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,2,6]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2017. UI\/Application Exerciser Monkey. https:\/\/developer.android.com\/tools\/help\/monkey.html."},{"key":"e_1_3_2_1_2_1","volume-title":"27th {USENIX} Security Symposium ({USENIX} Security 18). 1615--1631.","author":"Adi Yossi","unstructured":"Yossi Adi, Carsten Baum, Moustapha Cisse, Benny Pinkas, and Joseph Keshet. 2018. Turning your weakness into a strength: Watermarking deep neural networks by backdooring. In 27th {USENIX} Security Symposium ({USENIX} Security 18). 1615--1631."},{"key":"e_1_3_2_1_3_1","volume-title":"d.]. A tool for reverse engineering 3rd party, closed, binary Android apps. https:\/\/ibotpeaches.github.io\/Apktool\/","unstructured":"Apktool. [n. d.]. A tool for reverse engineering 3rd party, closed, binary Android apps. https:\/\/ibotpeaches.github.io\/Apktool\/."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2666356.2594299"},{"key":"e_1_3_2_1_5_1","volume-title":"CSI neural network: Using side-channels to recover your artificial neural network information. arXiv preprint arXiv:1810.09076","author":"Batina Lejla","year":"2018","unstructured":"Lejla Batina, Shivam Bhasin, Dirmanto Jap, and Stjepan Picek. 2018. CSI neural network: Using side-channels to recover your artificial neural network information. arXiv preprint arXiv:1810.09076 (2018)."},{"key":"e_1_3_2_1_6_1","unstructured":"Keras Bidirectional. [n. d.]. https:\/\/keras.io\/api\/layers\/recurrent_layers\/bidirectional\/."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133982"},{"key":"e_1_3_2_1_8_1","volume-title":"Towards Black-box Attacks on Deep Learning Apps. arXiv preprint arXiv:2107.12732","author":"Cao Hongchen","year":"2021","unstructured":"Hongchen Cao, Shuai Li, Yuming Zhou, Ming Fan, Xuejiao Zhao, and Yutian Tang. 2021. Towards Black-box Attacks on Deep Learning Apps. arXiv preprint arXiv:2107.12732 (2021)."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3007787.3001177"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2785956.2790003"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2018.8489592"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3559388"},{"key":"e_1_3_2_1_13_1","unstructured":"JNI Doc. [n. d.]. https:\/\/docs.oracle.com\/javase\/7\/docs\/technotes\/guides\/jni\/spec\/design.html#wp16696."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/2619091"},{"key":"e_1_3_2_1_15_1","unstructured":"Frida. [n. d.]. A world-class dynamic instrumentation framework. https:\/\/frida.re\/."},{"key":"e_1_3_2_1_16_1","volume-title":"International conference on machine learning. PMLR, 201--210","author":"Gilad-Bachrach Ran","year":"2016","unstructured":"Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing. 2016. Cryptonets: Applying neural networks to encrypted data with high throughput and accuracy. In International conference on machine learning. PMLR, 201--210."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1073\/pnas.122653799"},{"key":"e_1_3_2_1_18_1","volume-title":"Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572","author":"Goodfellow Ian J","year":"2014","unstructured":"Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014)."},{"key":"e_1_3_2_1_19_1","volume-title":"Ian Rackow, Kevin Kulda, Dana Dachman-Soled, and Tudor Dumitra\u015f.","author":"Hong Sanghyun","year":"2018","unstructured":"Sanghyun Hong, Michael Davinroy, Yi\u01e7itcan Kaya, Stuart Nevans Locke, Ian Rackow, Kevin Kulda, Dana Dachman-Soled, and Tudor Dumitra\u015f. 2018. Security analysis of deep neural networks operating in the presence of cache side-channel attacks. arXiv preprint arXiv:1810.03487 (2018)."},{"key":"e_1_3_2_1_20_1","volume-title":"MMGuard: Automatically Protecting On-Device Deep Learning Models in Android Apps. In 2021 IEEE Security and Privacy Workshops (SPW). IEEE, 71--77","author":"Hua Jiayi","year":"2021","unstructured":"Jiayi Hua, Yuanchun Li, and Haoyu Wang. 2021. MMGuard: Automatically Protecting On-Device Deep Learning Models in Android Apps. In 2021 IEEE Security and Privacy Workshops (SPW). IEEE, 71--77."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2022.3172213"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-SEIP52600.2021.00019"},{"key":"e_1_3_2_1_23_1","volume-title":"Chiron: Privacy-preserving machine learning as a service. arXiv preprint arXiv:1803.05961","author":"Hunt Tyler","year":"2018","unstructured":"Tyler Hunt, Congzheng Song, Reza Shokri, Vitaly Shmatikov, and Emmett Witchel. 2018. Chiron: Privacy-preserving machine learning as a service. arXiv preprint arXiv:1803.05961 (2018)."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCVW.2019.00447"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560640"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00044"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274740"},{"key":"e_1_3_2_1_28_1","volume-title":"On-device neural net inference with mobile gpus. arXiv preprint arXiv:1907.01989","author":"Lee Juhyun","year":"2019","unstructured":"Juhyun Lee, Nikolay Chirkov, Ekaterina Ignasheva, Yury Pisarchyk, Mogan Shieh, Fabio Riccardi, Raman Sarokin, Andrei Kulik, and Matthias Grundmann. 2019. On-device neural net inference with mobile gpus. arXiv preprint arXiv:1907.01989 (2019)."},{"key":"e_1_3_2_1_29_1","unstructured":"TensorFlow Lite. [n. d.]. ML for Mobile and Edge Devices. https:\/\/www.tensorflow.org\/lite."},{"key":"e_1_3_2_1_30_1","volume-title":"Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation","author":"Liu Bin","year":"2014","unstructured":"Bin Liu, Suman Nath, Ramesh Govindan, and Jie Liu. 2014. DECAF: Detecting and Characterizing Ad Fraud in Mobile Apps. In Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation (Seattle, WA) (NSDI'14). USENIX Association, Berkeley, CA, USA, 57--70. http:\/\/dl.acm.org\/citation.cfm?id=2616448.2616455"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2014.05.248"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV.2015.425"},{"key":"e_1_3_2_1_33_1","unstructured":"Mace. [n. d.]. Convert a model to c++ code. https:\/\/mace.readthedocs.io\/en\/latest\/micro-controllers\/basic_usage.html#convert-a-model-to-c-code."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/2491411.2491450"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00039"},{"key":"e_1_3_2_1_36_1","volume-title":"Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781","author":"Mikolov Tomas","year":"2013","unstructured":"Tomas Mikolov, Kai Chen, Greg Corrado, and Jeffrey Dean. 2013. Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781 (2013)."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.12"},{"key":"e_1_3_2_1_38_1","unstructured":"ObfDetector. [n. d.]. https:\/\/github.com\/CirQ\/ObfDetector."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00509"},{"key":"e_1_3_2_1_40_1","volume-title":"A framework for the extraction of deep neural networks by leveraging public data. arXiv preprint arXiv:1905.09165","author":"Pal Soham","year":"2019","unstructured":"Soham Pal, Yash Gupta, Aditya Shukla, Aditya Kanade, Shirish Shevade, and Vinod Ganapathy. 2019. A framework for the extraction of deep neural networks by leveraging public data. arXiv preprint arXiv:1905.09165 (2019)."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053009"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2435349.2435379"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594368.2594377"},{"key":"e_1_3_2_1_44_1","unstructured":"Soot. [n. d.]. A Java optimization framework. https:\/\/github.com\/Sable\/soot."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23205"},{"key":"e_1_3_2_1_46_1","volume-title":"Basics of qualitative research","author":"Strauss Anselm","unstructured":"Anselm Strauss and Juliet Corbin. 1990. Basics of qualitative research. Sage publications."},{"key":"e_1_3_2_1_47_1","volume-title":"Long Lu, and Somesh Jha.","author":"Sun Zhichuang","year":"2020","unstructured":"Zhichuang Sun, Ruimin Sun, Changming Liu, Amrita Roy Chowdhury, Long Lu, and Somesh Jha. 2020. Shadownet: A secure and efficient on-device model inference system for convolutional neural networks. arXiv preprint arXiv:2011.05905 (2020)."},{"key":"e_1_3_2_1_48_1","volume-title":"30th {USENIX} Security Symposium ({USENIX} Security 21).","author":"Sun Zhichuang","unstructured":"Zhichuang Sun, Ruimin Sun, Long Lu, and Alan Mislove. 2021. Mind your weight (s): A large-scale study on insufficient machine learning model protection in mobile apps. In 30th {USENIX} Security Symposium ({USENIX} Security 21)."},{"key":"e_1_3_2_1_49_1","volume-title":"25th USENIX security symposium (USENIX Security 16). 601--618.","author":"Tram\u00e8r Florian","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction {APIs}. In 25th USENIX security symposium (USENIX Security 16). 601--618."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2591971.2592003"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00038"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660357"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274696"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313591"},{"key":"e_1_3_2_1_55_1","volume-title":"29th {USENIX} Security Symposium ({USENIX} Security 20). 2003--2020.","author":"Yan Mengjia","unstructured":"Mengjia Yan, Christopher W Fletcher, and Josep Torrellas. 2020. Cache telepathy: Leveraging shared resource attacks to learn {DNN} architectures. In 29th {USENIX} Security Symposium ({USENIX} Security 20). 2003--2020."},{"key":"e_1_3_2_1_56_1","unstructured":"Honggang Yu Kaichen Yang Teng Zhang Yun-Yun Tsai Tsung-Yi Ho and Yier Jin. 2020. CloudLeak: Large-Scale Deep Learning Models Stealing Through Adversarial Examples.. In NDSS."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196550"},{"key":"e_1_3_2_1_58_1","volume-title":"NNSplitter: An Active Defense Solution to DNN Model via Automated Weight Obfuscation. arXiv preprint arXiv:2305.00097","author":"Zhou Tong","year":"2023","unstructured":"Tong Zhou, Yukui Luo, Shaolei Ren, and Xiaolin Xu. 2023. NNSplitter: An Active Defense Solution to DNN Model via Automated Weight Obfuscation. arXiv preprint arXiv:2305.00097 (2023)."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3038912.3052609"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00009"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134089"}],"event":{"name":"ICSE '24: IEEE\/ACM 46th International Conference on Software Engineering","location":"Lisbon Portugal","acronym":"ICSE '24","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering","IEEE CS","Faculty of Engineering of University of Porto"]},"container-title":["Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3597503.3623325","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3597503.3623325","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:48:45Z","timestamp":1750182525000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3597503.3623325"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,2,6]]},"references-count":61,"alternative-id":["10.1145\/3597503.3623325","10.1145\/3597503"],"URL":"https:\/\/doi.org\/10.1145\/3597503.3623325","relation":{},"subject":[],"published":{"date-parts":[[2024,2,6]]},"assertion":[{"value":"2024-02-06","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}