{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,5]],"date-time":"2026-06-05T04:31:45Z","timestamp":1780633905626,"version":"3.54.1"},"publisher-location":"New York, NY, USA","reference-count":50,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,12,2]],"date-time":"2024-12-02T00:00:00Z","timestamp":1733097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"name":"Maof Prize for Outstanding Young Scientists"},{"DOI":"10.13039\/501100006374","name":"Army Research Office","doi-asserted-by":"publisher","award":["MURI grant W911NF2110317"],"award-info":[{"award-number":["MURI grant W911NF2110317"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100006374","name":"Intel Corporation","doi-asserted-by":"publisher","award":["Rising Star Faculty Award"],"award-info":[{"award-number":["Rising Star Faculty Award"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100006374","name":"Defence Science and Technology Agency - Singapore","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Ministry of Innovation, Science & Technology, Israel","award":["0603870071"],"award-info":[{"award-number":["0603870071"]}]},{"DOI":"10.13039\/501100006374","name":"National Science Foundation","doi-asserted-by":"publisher","award":["2338301 and 2338302"],"award-info":[{"award-number":["2338301 and 2338302"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100006374","name":"United States-Israel Binational Science Foundation","doi-asserted-by":"publisher","award":["2023641"],"award-info":[{"award-number":["2023641"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,12,2]]},"DOI":"10.1145\/3658644.3690208","type":"proceedings-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T12:19:20Z","timestamp":1733746760000},"page":"124-138","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Training Robust ML-based Raw-Binary Malware Detectors in Hours, not Months"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4705-3412","authenticated-orcid":false,"given":"Keane","family":"Lucas","sequence":"first","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, Pennsylvania, United States"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-6759-6499","authenticated-orcid":false,"given":"Weiran","family":"Lin","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, Pennsylvania, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8209-6792","authenticated-orcid":false,"given":"Lujo","family":"Bauer","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, Pennsylvania, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7007-8274","authenticated-orcid":false,"given":"Michael K.","family":"Reiter","sequence":"additional","affiliation":[{"name":"Duke University, Durham, North Carolina, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7661-2220","authenticated-orcid":false,"given":"Mahmood","family":"Sharif","sequence":"additional","affiliation":[{"name":"Tel Aviv University, Tel Aviv, Israel"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2024,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Proc. AISTATS","author":"Aha D. W.","year":"1995","unstructured":"D. W. Aha and R. L. Bankert. A comparative evaluation of sequential feature selection algorithms. In Proc. AISTATS, 1995."},{"key":"e_1_3_2_1_2_1","volume-title":"Black Hat","author":"Anderson H. S.","year":"2017","unstructured":"H. S. Anderson, A. Kharkar, B. Filar, and P. Roth. Evading machine learning malware detection. Black Hat, 2017."},{"key":"e_1_3_2_1_3_1","volume-title":"Ember: An open dataset for training static PE malware machine learning models. arXiv preprint","author":"Anderson H. S.","year":"2018","unstructured":"H. S. Anderson and P. Roth. Ember: An open dataset for training static PE malware machine learning models. arXiv preprint, 2018."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"key":"e_1_3_2_1_5_1","volume-title":"Proc. AAAI","author":"Baluja S.","year":"2018","unstructured":"S. Baluja and I. Fischer. Adversarial transformation networks: Learning to generate adversarial examples. In Proc. AAAI, 2018."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/3442188.3445922"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40994-3_25"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2018.07.023"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_1_10_1","volume-title":"Proc. USENIX Security","author":"Chen Y.","year":"2023","unstructured":"Y. Chen, Z. Ding, and D. Wagner. Continuous learning for android malware detection. In Proc. USENIX Security, 2023."},{"key":"e_1_3_2_1_11_1","volume-title":"https:\/\/www.virustotal.com\/","year":"2004","unstructured":"Chronicle. Virustotal. https:\/\/www.virustotal.com\/, 2004--. Accessed 6\/17\/2019."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3447548.3470806"},{"key":"e_1_3_2_1_13_1","volume-title":"Proc. ITASEC","author":"Demetrio L.","year":"2019","unstructured":"L. Demetrio, B. Biggio, G. Lagorio, F. Roli, and A. Armando. Explaining vulnerabilities of deep learning to adversarial malware binaries. In Proc. ITASEC, 2019."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v37i12.26727"},{"key":"e_1_3_2_1_15_1","volume-title":"Jun","author":"Feizollah A.","year":"2015","unstructured":"A. Feizollah, N. B. Anuar, R. Salleh, and A. W. A. Wahab. A review on feature selection in mobile malware detection. Digit. Investig., 13(C):22--37, Jun 2015."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.neunet.2018.12.010"},{"key":"e_1_3_2_1_17_1","volume-title":"Proc. NeurIPSW","author":"Galovic M.","year":"2021","unstructured":"M. Galovic, B. Bosansk\u00fd, and V. Lis\u00fd. Improving robustness of malware classifiers using adversarial strings generated from perturbed latent representations. In Proc. NeurIPSW, 2021."},{"key":"e_1_3_2_1_18_1","volume-title":"Proc. ICLR","author":"Goodfellow I. J.","year":"2015","unstructured":"I. J. Goodfellow, J. Shlens, and C. Szegedy. Explaining and harnessing adversarial examples. In Proc. ICLR, 2015."},{"key":"e_1_3_2_1_19_1","volume-title":"Proc. NeurIPS","author":"Heo J.","year":"2019","unstructured":"J. Heo, S. Joo, and T. Moon. Fooling neural network interpretations via adversarial model manipulation. In Proc. NeurIPS, 2019."},{"key":"e_1_3_2_1_20_1","volume-title":"Proc. NeurIPS","author":"Huang Z.","year":"2023","unstructured":"Z. Huang, N. G. Marchant, K. Lucas, L. Bauer, O. Ohrimenko, and B. I. P. Rubinstein. Rs-del: Edit distance robustness certificates for sequence classifiers via randomized deletion. In Proc. NeurIPS, 2023."},{"key":"e_1_3_2_1_21_1","volume-title":"Proc. IWSPA","author":"Incer I.","year":"2018","unstructured":"I. Incer, M. Theodorides, S. Afroz, and D. Wagner. Adversarially robust malware detection using monotonic classification. In Proc. IWSPA, 2018."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.23919\/EUSIPCO.2018.8553214"},{"key":"e_1_3_2_1_23_1","volume-title":"Journal of Machine Learning Research","author":"Kolter J. Z.","year":"2006","unstructured":"J. Z. Kolter and M. A. Maloof. Learning to detect and classify malicious executables in the wild. Journal of Machine Learning Research, 2006."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897863"},{"key":"e_1_3_2_1_25_1","volume-title":"Proc. ICLRW","author":"Krc\u00e1l M.","year":"2018","unstructured":"M. Krc\u00e1l, O. vec, M. B\u00e1lek, and O. Jaek. Deep convolutional malware classifiers can learn from raw executables and labels only. In Proc. ICLRW, 2018."},{"key":"e_1_3_2_1_26_1","volume-title":"Proc. NeurIPSW","author":"Kreuk F.","year":"2018","unstructured":"F. Kreuk, A. Barak, S. Aviv-Reuven, M. Baruch, B. Pinkas, and J. Keshet. Adversarial examples on discrete sequences for beating whole-binary malware detection. In Proc. NeurIPSW, 2018."},{"key":"e_1_3_2_1_27_1","volume-title":"Proc. USENIX Security","author":"Lucas K.","year":"2023","unstructured":"K. Lucas, S. Pai, W. Lin, L. Bauer, M. K. Reiter, and M. Sharif. Adversarial training for raw-binary malware classifiers. In Proc. USENIX Security, 2023."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453086"},{"key":"e_1_3_2_1_29_1","volume-title":"Proc. ICLR","author":"Madry A.","year":"2018","unstructured":"A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu. Towards deep learning models resistant to adversarial attacks. In Proc. ICLR, 2018."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.36"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.41"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.5555\/1953048.2078195"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00073"},{"key":"e_1_3_2_1_34_1","volume-title":"Proc. AAAIW","author":"Raff E.","year":"2018","unstructured":"E. Raff, J. Barker, J. Sylvester, R. Brandon, B. Catanzaro, and C. K. Nicholas. Malware detection by eating a whole exe. In Proc. AAAIW, 2018."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2001.924286"},{"key":"e_1_3_2_1_36_1","volume-title":"NeurIPS","author":"Shafahi A.","year":"2019","unstructured":"A. Shafahi, M. Najibi, A. Ghiasi, Z. Xu, J. Dickerson, C. Studer, L. S. Davis, G. Taylor, and T. Goldstein. Adversarial training for free! In Proc. NeurIPS, 2019."},{"key":"e_1_3_2_1_37_1","volume-title":"Optimization-guided binary diversification to mislead neural networks for malware detection. arXiv preprint","author":"Sharif M.","year":"2019","unstructured":"M. Sharif, K. Lucas, L. Bauer, M. K. Reiter, and S. Shintre. Optimization-guided binary diversification to mislead neural networks for malware detection. arXiv preprint, 2019."},{"key":"e_1_3_2_1_38_1","volume-title":"Proc. ICLRW","author":"Simonyan K.","year":"2014","unstructured":"K. Simonyan, A. Vedaldi, and A. Zisserman. Deep inside convolutional networks: Visualising image classification models and saliency maps. In Proc. ICLRW, 2014."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.5555\/2627435.2670313"},{"key":"e_1_3_2_1_40_1","volume-title":"Proc. AAAIW","author":"Suciu O.","year":"2018","unstructured":"O. Suciu, S. E. Coull, and J. Johns. Exploring adversarial examples in malware detection. In Proc. AAAIW, 2018."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/3611643.3616309"},{"key":"e_1_3_2_1_42_1","volume-title":"Proc. ICML","author":"Sundararajan M.","year":"2017","unstructured":"M. Sundararajan, A. Taly, and Q. Yan. Axiomatic attribution for deep networks. Proc. ICML, 2017."},{"key":"e_1_3_2_1_43_1","volume-title":"Proc. ICLR","author":"Szegedy C.","year":"2014","unstructured":"C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. J. Goodfellow, and R. Fergus. Intriguing properties of neural networks. In Proc. ICLR, 2014."},{"key":"e_1_3_2_1_44_1","volume-title":"Proc. USENIX Security","author":"Tong L.","year":"2019","unstructured":"L. Tong, B. Li, C. Hajaj, C. Xiao, N. Zhang, and Y. Vorobeychik. Improving robustness of ml classifiers against realizable evasion attacks using conserved features. In Proc. USENIX Security, 2019."},{"key":"e_1_3_2_1_45_1","unstructured":"Z. Wang. On the Feature Alignment of Deep Vision Models: Explainability and Robustness Connected At Hip. PhD thesis Carnegie Mellon University 2023."},{"key":"e_1_3_2_1_46_1","volume-title":"Proc. ICML","author":"Wang Z.","year":"2021","unstructured":"Z. Wang, M. Fredrikson, and A. Datta. Robust models are more interpretable because attributions look normal. In Proc. ICML, 2021."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW50498.2020.00013"},{"key":"e_1_3_2_1_48_1","volume-title":"Proc. ICLR","author":"Wong E.","year":"2020","unstructured":"E. Wong, L. Rice, and J. Z. Kolter. Fast is better than free: Revisiting adversarial training. In Proc. ICLR, 2020."},{"issue":"43","key":"e_1_3_2_1_49_1","first-page":"1","article-title":"Greedy attack and gumbel attack: Generating adversarial examples for discrete data","volume":"21","author":"Yang P.","year":"2020","unstructured":"P. Yang, J. Chen, C.-J. Hsieh, J.-L. Wang, and M. I. Jordan. Greedy attack and gumbel attack: Generating adversarial examples for discrete data. Journal of Machine Learning Research, 21(43):1--36, 2020.","journal-title":"Journal of Machine Learning Research"},{"key":"e_1_3_2_1_50_1","volume-title":"Proc. USENIX Security","author":"Zhang X.","year":"2020","unstructured":"X. Zhang, N. Wang, H. Shen, S. Ji, X. Luo, and T. Wang. Interpretable deep learning under fire. In Proc. USENIX Security, 2020."}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","location":"Salt Lake City UT USA","acronym":"CCS '24","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690208","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3658644.3690208","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T06:15:39Z","timestamp":1755843339000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3690208"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,2]]},"references-count":50,"alternative-id":["10.1145\/3658644.3690208","10.1145\/3658644"],"URL":"https:\/\/doi.org\/10.1145\/3658644.3690208","relation":{},"subject":[],"published":{"date-parts":[[2024,12,2]]},"assertion":[{"value":"2024-12-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}