{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,8]],"date-time":"2026-05-08T00:25:24Z","timestamp":1778199924749,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":74,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,30]],"date-time":"2023-11-30T00:00:00Z","timestamp":1701302400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,30]]},"DOI":"10.1145\/3611643.3616309","type":"proceedings-article","created":{"date-parts":[[2023,11,30]],"date-time":"2023-11-30T23:14:38Z","timestamp":1701386078000},"page":"1573-1585","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":17,"title":["Mate! Are You Really Aware? An Explainability-Guided Testing Framework for Robustness of Malware Detectors"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-5404-8550","authenticated-orcid":false,"given":"Ruoxi","family":"Sun","sequence":"first","affiliation":[{"name":"CSIRO's Data61, Adelaide, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9172-4252","authenticated-orcid":false,"given":"Minhui","family":"Xue","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Sydney, Australia \/ Cybersecurity CRC, Sydney, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3010-791X","authenticated-orcid":false,"given":"Gareth","family":"Tyson","sequence":"additional","affiliation":[{"name":"Hong Kong University of Science and Technology (GZ), Guangzhou, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-6442-8716","authenticated-orcid":false,"given":"Tian","family":"Dong","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1491-4319","authenticated-orcid":false,"given":"Shaofeng","family":"Li","sequence":"additional","affiliation":[{"name":"Peng Cheng Laboratory, Shenzhen, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8938-2364","authenticated-orcid":false,"given":"Shuo","family":"Wang","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Sydney, Australia \/ Cybersecurity CRC, Sydney, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5079-4556","authenticated-orcid":false,"given":"Haojin","family":"Zhu","sequence":"additional","affiliation":[{"name":"Shanghai Jiao Tong University, Shanghai, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6353-8359","authenticated-orcid":false,"given":"Seyit","family":"Camtepe","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Sydney, Australia \/ Cybersecurity CRC, Sydney, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3289-6599","authenticated-orcid":false,"given":"Surya","family":"Nepal","sequence":"additional","affiliation":[{"name":"CSIRO's Data61, Sydney, Australia \/ Cybersecurity CRC, Sydney, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,11,30]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"[n. d.]. AI and machine learning. https:\/\/www.avast.com\/en-us\/technology\/ai-and-machine-learning"},{"key":"e_1_3_2_2_2_1","unstructured":"[n. d.]. Androguard documentation. https:\/\/androguard.readthedocs.io\/en\/latest\/"},{"key":"e_1_3_2_2_3_1","unstructured":"[n. d.]. Apktool - A tool for reverse engineering Android APK files. https:\/\/androguard.readthedocs.io\/en\/latest\/"},{"key":"e_1_3_2_2_4_1","unstructured":"[n. d.]. Cyber security statistics. https:\/\/purplesec.us\/resources\/cyber-security-statistics\/"},{"key":"e_1_3_2_2_5_1","unstructured":"[n. d.]. ESET smart security. https:\/\/www.eset.com\/"},{"key":"e_1_3_2_2_6_1","unstructured":"[n. d.]. How anti-virus software works. https:\/\/cs.stanford.edu\/people\/eroberts\/cs201\/projects\/viruses\/anti-virus.html"},{"key":"e_1_3_2_2_7_1","unstructured":"[n. d.]. Kaspersky cyber security solutions for home & business. https:\/\/www.kaspersky.com.au\/"},{"key":"e_1_3_2_2_8_1","unstructured":"[n. d.]. Kiteshield. https:\/\/github.com\/GunshipPenguin\/kiteshield"},{"key":"e_1_3_2_2_9_1","unstructured":"[n. d.]. More than free antivirus. https:\/\/www.avast.com"},{"key":"e_1_3_2_2_10_1","unstructured":"pefile. https:\/\/github.com\/erocarrera\/pefile"},{"key":"e_1_3_2_2_11_1","unstructured":"[n. d.]. RelocBonus. https:\/\/github.com\/nickcano\/RelocBonus"},{"key":"e_1_3_2_2_12_1","unstructured":"Smali. https:\/\/github.com\/JesusFreke\/smali"},{"key":"e_1_3_2_2_13_1","volume-title":"d.]. Sonicwall research malware attacks","year":"2019","unstructured":"[n. d.]. Sonicwall research malware attacks 2019. https:\/\/www.msspalert.com\/cybersecurity-research\/sonicwall-research-malware-attacks-2019\/"},{"key":"e_1_3_2_2_14_1","unstructured":"Virbox protector. https:\/\/www.sense.com.cn\/VirboxProtector.html"},{"key":"e_1_3_2_2_15_1","unstructured":"VirusShare. https:\/\/www.virusshare.com"},{"key":"e_1_3_2_2_16_1","unstructured":"VirusTotal. https:\/\/www.virustotal.com"},{"key":"e_1_3_2_2_17_1","unstructured":"[n. d.]. VMProject software protection. https:\/\/vmpsoft.com\/"},{"key":"e_1_3_2_2_18_1","unstructured":"2021. Global antivirus software market report 2021: COVID-19 growth and change. https:\/\/www.researchandmarkets.com\/reports\/5505347\/global-antivirus-software-market-report-2021"},{"key":"e_1_3_2_2_19_1","unstructured":"2022. As tanks rolled into Ukraine so did malware. https:\/\/www.nytimes.com\/2022\/02\/28\/us\/politics\/ukraine-russia-microsoft.html"},{"key":"e_1_3_2_2_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"e_1_3_2_2_21_1","unstructured":"Hyrum S Anderson Anant Kharkar Bobby Filar David Evans and Phil Roth. 2018. Learning to evade static PE machine learning malware models via reinforcement learning. arXiv preprint arXiv:1801.08917."},{"key":"e_1_3_2_2_22_1","volume-title":"Ember: An open dataset for training static PE malware machine learning models. arXiv preprint arXiv:1804.04637.","author":"Anderson Hyrum S","year":"2018","unstructured":"Hyrum S Anderson and Phil Roth. 2018. Ember: An open dataset for training static PE malware machine learning models. arXiv preprint arXiv:1804.04637."},{"key":"e_1_3_2_2_23_1","volume-title":"Luca Verderame, and Alessio Merlo.","author":"Aonzo Simone","year":"2020","unstructured":"Simone Aonzo, Gabriel Claudiu Georgiu, Luca Verderame, and Alessio Merlo. 2020. Obfuscapk: An open-source black-box obfuscation tool for Android apps. SoftwareX."},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"key":"e_1_3_2_2_25_1","volume-title":"When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World. In 30th USENIX Security Symposium (USENIX Security 21)","author":"Avllazagaj Erin","year":"2021","unstructured":"Erin Avllazagaj, Ziyun Zhu, Leyla Bilge, Davide Balzarotti, and Tudor Dumitra\u0219. 2021. When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World. In 30th USENIX Security Symposium (USENIX Security 21). 3487\u20133504."},{"key":"e_1_3_2_2_26_1","volume-title":"IEEE Symposium on Security and Privacy (SP).","author":"Barbero Federico","year":"2022","unstructured":"Federico Barbero, Feargus Pendlebury, Fabio Pierazzi, and Lorenzo Cavallaro. 2022. Transcending transcend: Revisiting malware classification with conformal evaluation. In IEEE Symposium on Security and Privacy (SP)."},{"key":"e_1_3_2_2_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3371924"},{"key":"e_1_3_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179383"},{"key":"e_1_3_2_2_29_1","unstructured":"Nicholas Carlini Anish Athalye Nicolas Papernot Wieland Brendel Jonas Rauber Dimitris Tsipras Ian Goodfellow Aleksander Madry and Alexey Kurakin. 2019. On evaluating adversarial robustness. arXiv preprint arXiv:1902.06705."},{"key":"e_1_3_2_2_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/AI4Mobile.2019.8672691"},{"key":"e_1_3_2_2_32_1","volume-title":"29th $USENIX$ Security Symposium ($USENIX$ Security 20). 2343\u20132360.","author":"Chen Yizheng","unstructured":"Yizheng Chen, Shiqi Wang, Dongdong She, and Suman Jana. 2020. On training robust $PDF$ malware classifiers. In 29th $USENIX$ Security Symposium ($USENIX$ Security 20). 2343\u20132360."},{"key":"e_1_3_2_2_33_1","first-page":"17212","article-title":"Understanding global feature contributions with additive importance measures","volume":"33","author":"Covert Ian","year":"2020","unstructured":"Ian Covert, Scott M Lundberg, and Su-In Lee. 2020. Understanding global feature contributions with additive importance measures. Advances in Neural Information Processing Systems, 33 (2020), 17212\u201317223.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_2_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3082330"},{"key":"e_1_3_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3082330"},{"key":"e_1_3_2_2_36_1","article-title":"Yes, machine learning can be more secure! A case study on Android malware detection","author":"Demontis Ambra","year":"2017","unstructured":"Ambra Demontis, Marco Melis, Battista Biggio, Davide Maiorca, Daniel Arp, Konrad Rieck, Igino Corona, Giorgio Giacinto, and Fabio Roli. 2017. Yes, machine learning can be more secure! A case study on Android malware detection. IEEE Transactions on Dependable and Secure Computing.","journal-title":"IEEE Transactions on Dependable and Secure Computing."},{"key":"e_1_3_2_2_37_1","volume-title":"USENIX Security Symposium (USENIX Security).","author":"Demontis Ambra","year":"2019","unstructured":"Ambra Demontis, Marco Melis, Maura Pintor, Matthew Jagielski, Battista Biggio, Alina Oprea, Cristina Nita-Rotaru, and Fabio Roli. 2019. Why do adversarial attacks transfer? Explaining transferability of evasion and poisoning attacks. In USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_2_38_1","volume-title":"Third Theory of Cryptography Conference (TCC).","author":"Dwork Cynthia","unstructured":"Cynthia Dwork, Frank McSherry, Kobbi Nissim, and Adam D. Smith. 2006. Calibrating noise to sensitivity in private data analysis. In Theory of Cryptography, Third Theory of Cryptography Conference (TCC)."},{"key":"e_1_3_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2018.00175"},{"key":"e_1_3_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/3162625"},{"key":"e_1_3_2_2_41_1","volume-title":"International Conference on Learning Representations.","author":"Goodfellow Ian J","year":"2015","unstructured":"Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2015. Explaining and harnessing adversarial examples. International Conference on Learning Representations."},{"key":"e_1_3_2_2_42_1","unstructured":"Kathrin Grosse Nicolas Papernot Praveen Manoharan Michael Backes and Patrick McDaniel. 2016. Adversarial perturbations against deep neural networks for malware classification. arXiv preprint arXiv:1606.04435."},{"key":"e_1_3_2_2_43_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66399-9_4"},{"key":"e_1_3_2_2_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180228"},{"key":"e_1_3_2_2_45_1","volume-title":"Rudd","author":"Harang Richard","year":"2020","unstructured":"Richard Harang and Ethan M. Rudd. 2020. SOREL-20M: A large scale benchmark dataset for malicious PE detection. arXiv preprint arXiv:2012.07634."},{"key":"e_1_3_2_2_46_1","volume-title":"Adversarial examples are not bugs, they are features. Advances in neural information processing systems, 32","author":"Ilyas Andrew","year":"2019","unstructured":"Andrew Ilyas, Shibani Santurkar, Dimitris Tsipras, Logan Engstrom, Brandon Tran, and Aleksander Madry. 2019. Adversarial examples are not bugs, they are features. Advances in neural information processing systems, 32 (2019)."},{"key":"e_1_3_2_2_47_1","volume-title":"AVPASS: Leaking and bypassing antivirus detection model automatically. In Black Hat USA Briefings (Black Hat USA).","author":"Jung Jinho","year":"2017","unstructured":"Jinho Jung, Chanil Jeon, Max Wolotsky, Insu Yun, and Taesoo Kim. 2017. AVPASS: Leaking and bypassing antivirus detection model automatically. In Black Hat USA Briefings (Black Hat USA)."},{"key":"e_1_3_2_2_48_1","unstructured":"Guolin Ke Qi Meng Thomas Finley Taifeng Wang Wei Chen Weidong Ma Qiwei Ye and Tie-Yan Liu. 2017. LightGBM: A highly efficient gradient boosting decision tree. Advances in Neural Information Processing Systems."},{"key":"e_1_3_2_2_49_1","article-title":"A multimodal deep learning method for Android malware detection using various features","author":"Kim TaeGuen","year":"2018","unstructured":"TaeGuen Kim, BooJoong Kang, Mina Rho, Sakir Sezer, and Eul Gyu Im. 2018. A multimodal deep learning method for Android malware detection using various features. IEEE Transactions on Information Forensics and Security.","journal-title":"IEEE Transactions on Information Forensics and Security."},{"key":"e_1_3_2_2_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813642"},{"key":"e_1_3_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00044"},{"key":"e_1_3_2_2_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/3485832.3485916"},{"key":"e_1_3_2_2_53_1","volume-title":"International Conference on Neural Information Processing Systems.","author":"Lundberg Scott M","year":"2017","unstructured":"Scott M Lundberg and Su-In Lee. 2017. A unified approach to interpreting model predictions. In International Conference on Neural Information Processing Systems."},{"key":"e_1_3_2_2_54_1","volume-title":"the Network and Distributed System Security Symposium (NDSS).","author":"Ma Wanlun","year":"2023","unstructured":"Wanlun Ma, Derui Wang, Ruoxi Sun, Minhui Xue, Sheng Wen, and Yang Xiang. 2023. The \u201cBeatrix\u201d resurrections: Robust backdoor detection via Gram matrices. In the Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_2_2_55_1","volume-title":"International Conference on Learning Representations.","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards deep learning models resistant to adversarial attacks. In International Conference on Learning Representations."},{"key":"e_1_3_2_2_56_1","doi-asserted-by":"crossref","unstructured":"Davide Maiorca Davide Ariu Igino Corona Marco Aresu and Giorgio Giacinto. 2015. Stealth attacks: An extended insight into the obfuscation effects on Android malware. Computers & Security.","DOI":"10.1016\/j.cose.2015.02.007"},{"key":"e_1_3_2_2_57_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23353"},{"key":"e_1_3_2_2_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00073"},{"key":"e_1_3_2_2_59_1","volume-title":"A study on obfuscation techniques for Android malware","author":"Pomilia Matteo","unstructured":"Matteo Pomilia. 2016. A study on obfuscation techniques for Android malware. Sapienza University of Rome."},{"key":"e_1_3_2_2_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939778"},{"key":"e_1_3_2_2_61_1","volume-title":"USENIX Security Symposium (USENIX Security).","author":"Severi Giorgio","year":"2021","unstructured":"Giorgio Severi, Jim Meyer, Scott Coull, and Alina Oprea. 2021. Explanation-guided backdoor poisoning attacks against malware classifiers. In USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_2_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/AI4Mobile.2019.8672711"},{"key":"e_1_3_2_2_63_1","unstructured":"SkyLight. [n. d.]. Cylance I kill you!. https:\/\/skylightcyber.com\/2019\/07\/18\/cylance-i-kill-you\/"},{"key":"e_1_3_2_2_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/3488932.3497768"},{"key":"e_1_3_2_2_65_1","volume-title":"27th USENIX Security Symposium. 1299\u20131316","author":"Suciu Octavian","year":"2018","unstructured":"Octavian Suciu, Radu Marginean, Yigitcan Kaya, Hal Daume III, and Tudor Dumitras. 2018. When does machine learning FAIL? generalized transferability for evasion and poisoning attacks. In 27th USENIX Security Symposium. 1299\u20131316."},{"key":"e_1_3_2_2_66_1","volume-title":"An Empirical Assessment of Global COVID-19 Contact Tracing Applications. In 2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE). 1085\u20131097","author":"Sun Ruoxi","unstructured":"Ruoxi Sun, Wei Wang, Minhui Xue, Gareth Tyson, Seyit Camtepe, and Damith C. Ranasinghe. 2021. An Empirical Assessment of Global COVID-19 Contact Tracing Applications. In 2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE). 1085\u20131097."},{"key":"e_1_3_2_2_67_1","volume-title":"International Conference on Machine Learning.","author":"Sundararajan Mukund","year":"2017","unstructured":"Mukund Sundararajan, Ankur Taly, and Qiqi Yan. 2017. Axiomatic attribution for deep networks. In International Conference on Machine Learning."},{"key":"e_1_3_2_2_68_1","unstructured":"Microsoft Defender Security Research Team. 2019. New machine learning model sifts through the good to unearth the bad in evasive malware. https:\/\/www.microsoft.com\/security\/blog\/2019\/07\/25\/new-machine-learning-model-sifts-through-the-good-to-unearth-the-bad-in-evasive-malware\/"},{"key":"e_1_3_2_2_69_1","unstructured":"Romain Thomas. 2017. LIEF - Library to instrument executable formats. https:\/\/lief.quarkslab.com\/"},{"key":"e_1_3_2_2_70_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.46"},{"key":"e_1_3_2_2_71_1","volume-title":"Enigma 2018 (Enigma","author":"Vigna Giovanni","year":"2018","unstructured":"Giovanni Vigna and Davide Balzarotti. 2018. When Malware is $Packin\u2019$ Heat. In Enigma 2018 (Enigma 2018)."},{"key":"e_1_3_2_2_72_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2016.2523912"},{"key":"e_1_3_2_2_73_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00040"},{"key":"e_1_3_2_2_74_1","volume-title":"Network and Distributed Systems Symposium.","author":"Xu Weilin","year":"2016","unstructured":"Weilin Xu, Yanjun Qi, and David Evans. 2016. Automatically evading classifiers. In Network and Distributed Systems Symposium."}],"event":{"name":"ESEC\/FSE '23: 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","location":"San Francisco CA USA","acronym":"ESEC\/FSE '23","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3611643.3616309","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3611643.3616309","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:36:04Z","timestamp":1750178164000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3611643.3616309"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,30]]},"references-count":74,"alternative-id":["10.1145\/3611643.3616309","10.1145\/3611643"],"URL":"https:\/\/doi.org\/10.1145\/3611643.3616309","relation":{},"subject":[],"published":{"date-parts":[[2023,11,30]]},"assertion":[{"value":"2023-11-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}