{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T14:37:47Z","timestamp":1775745467601,"version":"3.50.1"},"reference-count":87,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2025,2,22]],"date-time":"2025-02-22T00:00:00Z","timestamp":1740182400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62406240"],"award-info":[{"award-number":["62406240"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100003246","name":"Dutch Research Council","doi-asserted-by":"crossref","award":["NWA.1215.18.014"],"award-info":[{"award-number":["NWA.1215.18.014"]}],"id":[{"id":"10.13039\/501100003246","id-type":"DOI","asserted-by":"crossref"}]},{"name":"TTW PREDATOR","award":["19782"],"award-info":[{"award-number":["19782"]}]},{"name":"CiCS project of the research program Gravitation","award":["024.006.037"],"award-info":[{"award-number":["024.006.037"]}]},{"name":"Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany\u2019s Excellence Strategy\u2013","award":["EXC 2092 CASA\u2013390781972"],"award-info":[{"award-number":["EXC 2092 CASA\u2013390781972"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2025,5,31]]},"abstract":"<jats:p>Machine Learning (ML) promises to enhance the efficacy of Android Malware Detection (AMD); however, ML models are vulnerable to realistic evasion attacks\u2014crafting realizable Adversarial Examples (AEs) that satisfy Android malware domain constraints. To eliminate ML vulnerabilities, defenders aim to identify susceptible regions in the feature space where ML models are prone to deception. The primary approach to identifying vulnerable regions involves investigating realizable AEs, but generating these feasible apps poses a challenge. For instance, previous work has relied on generating either feature-space norm-bounded AEs or problem-space realizable AEs in adversarial hardening. The former is efficient but lacks full coverage of vulnerable regions, whereas the latter can uncover these regions by satisfying domain constraints but is known to be time consuming. To address these limitations, we propose an approach to facilitate the identification of vulnerable regions. Specifically, we introduce a new interpretation of Android domain constraints in the feature space, followed by a novel technique that learns them. Our empirical evaluations across various evasion attacks indicate effective detection of AEs using learned domain constraints, with an average of 89.6%. Furthermore, extensive experiments on different Android malware detectors demonstrate that utilizing our learned domain constraints in adversarial training outperforms other adversarial training based defenses that rely on norm-bounded AEs or state-of-the-art non-uniform perturbations. Finally, we show that retraining a malware detector with a wide variety of feature-space realizable AEs results in a 77.9% robustness improvement against realizable AEs generated by unknown problem-space transformations, with up to 70\u00d7 faster training than using problem-space realizable AEs.<\/jats:p>\n          <jats:p\/>","DOI":"10.1145\/3711899","type":"journal-article","created":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T11:33:51Z","timestamp":1736768031000},"page":"1-32","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Level Up with ML Vulnerability Identification: Leveraging Domain Constraints in Feature Space for Robust Android Malware Detection"],"prefix":"10.1145","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2097-5521","authenticated-orcid":false,"given":"Hamid","family":"Bostani","sequence":"first","affiliation":[{"name":"Digital Security Group, Institute for Computing and Information Sciences, Radboud University, Nijmegen, Netherlands"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0745-4294","authenticated-orcid":false,"given":"Zhengyu","family":"Zhao","sequence":"additional","affiliation":[{"name":"Faculty of Electronic and Information Engineering, Xi'an Jiaotong University, Xi'an, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0049-7080","authenticated-orcid":false,"given":"Zhuoran","family":"Liu","sequence":"additional","affiliation":[{"name":"Digital Security Group, Institute for Computing and Information Sciences, Radboud University, Nijmegen, Netherlands"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6296-2182","authenticated-orcid":false,"given":"Veelasha","family":"Moonsamy","sequence":"additional","affiliation":[{"name":"Horst G\u00f6rtz Institute for IT Security, Ruhr University Bochum, Bochum, Germany"}]}],"member":"320","published-online":{"date-parts":[[2025,2,22]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2017.07.030"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1109\/TST.2016.7399288"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1145\/3313391"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"issue":"3","key":"e_1_3_2_6_2","first-page":"228","article-title":"Permission-based Android malware detection","volume":"2","author":"Aung Win Zaw Zarni","year":"2013","unstructured":"Win Zaw Zarni Aung. 2013. Permission-based Android malware detection. International Journal of Scientific & Technology Research 2, 3 (2013), 228\u2013234.","journal-title":"International Journal of Scientific & Technology Research"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-04283-1_6"},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1145\/2517312.2517315"},{"key":"e_1_3_2_9_2","first-page":"62","volume-title":"Proceedings of the 2012 7th Asia Joint Conference on Information Security","author":"Wu Dong-Jie","year":"2012","unstructured":"Dong-Jie Wu, Ching-Hao Mao, Te-En Wei, Hahn-Ming Lee, and Kuo-Ping Wu. 2012. DroidMat: Android malware detection through manifest and API calls tracing. In Proceedings of the 2012 7th Asia Joint Conference on Information Security. IEEE, 62\u201369."},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/3186282"},{"key":"e_1_3_2_11_2","volume-title":"Proceedings of the International Conference on Learning Representations (ICLR\u201914)","author":"Szegedy Christian","year":"2014","unstructured":"Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. 2014. Intriguing properties of neural networks. In Proceedings of the International Conference on Learning Representations (ICLR\u201914)."},{"key":"e_1_3_2_12_2","doi-asserted-by":"crossref","first-page":"76","DOI":"10.1109\/SPW.2018.00020","volume-title":"Proceedings of the 2018 IEEE Security and Privacy Workshops (SPW\u201918)","author":"Al-Dujaili Abdullah","year":"2018","unstructured":"Abdullah Al-Dujaili, Alex Huang, Erik Hemberg, and Una-May O\u2019Reilly. 2018. Adversarial deep learning for robust detection of binary encoded malware. In Proceedings of the 2018 IEEE Security and Privacy Workshops (SPW\u201918). IEEE, 76\u201382."},{"key":"e_1_3_2_13_2","volume-title":"Proceedings of the European Conference on Computer Vision Workshops","author":"Carrara Fabio","year":"2018","unstructured":"Fabio Carrara, Rudy Becarelli, Roberto Caldelli, Fabrizio Falchi, and Giuseppe Amato. 2018. Adversarial examples detection in features distance spaces. In Proceedings of the European Conference on Computer Vision Workshops(ECCV\u201918)."},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/3474370.3485655"},{"key":"e_1_3_2_15_2","article-title":"On the (statistical) detection of adversarial examples","author":"Grosse Kathrin","year":"2017","unstructured":"Kathrin Grosse, Praveen Manoharan, Nicolas Papernot, Michael Backes, and Patrick McDaniel. 2017. On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280 (2017).","journal-title":"arXiv preprint arXiv:1702.06280"},{"key":"e_1_3_2_16_2","volume-title":"Proceedings of the 2018 International Conference on Learning Representations (ICLR\u201918)","author":"Madry Aleksander","year":"2018","unstructured":"Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. 2018. Towards deep learning models resistant to adversarial attacks. In Proceedings of the 2018 International Conference on Learning Representations (ICLR\u201918)."},{"key":"e_1_3_2_17_2","doi-asserted-by":"crossref","first-page":"582","DOI":"10.1109\/SP.2016.41","volume-title":"Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP\u201916)","author":"Papernot Nicolas","year":"2016","unstructured":"Nicolas Papernot, Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami. 2016. Distillation as a defense to adversarial perturbations against deep neural networks. In Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP\u201916). IEEE, 582\u2013597."},{"key":"e_1_3_2_18_2","doi-asserted-by":"crossref","first-page":"54","DOI":"10.1145\/3180445.3180449","volume-title":"Proceedings of the 4th ACM International Workshop on Security and Privacy Analytics","author":"Romeo \u00cd\u00f1igo \u00cdncer","year":"2018","unstructured":"\u00cd\u00f1igo \u00cdncer Romeo, Michael Theodorides, Sadia Afroz, and David Wagner. 2018. Adversarially robust malware detection using monotonic classification. In Proceedings of the 4th ACM International Workshop on Security and Privacy Analytics. 54\u201363."},{"key":"e_1_3_2_19_2","volume-title":"Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP\u201923)","author":"Dyrmishi Salijona","year":"2023","unstructured":"Salijona Dyrmishi, Salah Ghamizi, Thibault Simonetto, Yves Le Traon, and Maxime Cordy. 2023. On the empirical effectiveness of unrealistic adversarial hardening against realistic adversarial attacks. In Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP\u201923)."},{"key":"e_1_3_2_20_2","first-page":"1313","volume-title":"Proceedings of the 31st International Joint Conference on Artificial Intelligence (IJCAI\u201922)","author":"Simonetto Thibault","year":"2022","unstructured":"Thibault Simonetto, Salijona Dyrmishi, Salah Ghamizi, Maxime Cordy, and Yves Le Traon. 2022. A unified framework for adversarial attack and defense in constrained feature space. In Proceedings of the 31st International Joint Conference on Artificial Intelligence (IJCAI\u201922). 1313\u20131319."},{"key":"e_1_3_2_21_2","article-title":"Adversarial examples in constrained domains","author":"Sheatsley Ryan","year":"2020","unstructured":"Ryan Sheatsley, Nicolas Papernot, Michael Weisman, Gunjan Verma, and Patrick McDaniel. 2020. Adversarial examples in constrained domains. arXiv preprint arXiv:2011.01183 (2020).","journal-title":"arXiv preprint arXiv:2011.01183"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00073"},{"issue":"4","key":"e_1_3_2_23_2","doi-asserted-by":"crossref","first-page":"711","DOI":"10.1109\/TDSC.2017.2700270","article-title":"Yes, machine learning can be more secure! A case study on Android malware detection","volume":"16","author":"Demontis Ambra","year":"2017","unstructured":"Ambra Demontis, Marco Melis, Battista Biggio, Davide Maiorca, Daniel Arp, Konrad Rieck, Igino Corona, Giorgio Giacinto, and Fabio Roli. 2017. Yes, machine learning can be more secure! A case study on Android malware detection. IEEE Transactions on Dependable and Secure Computing 16, 4 (2017), 711\u2013724.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10796-020-10083-8"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/3134600.3134636"},{"key":"e_1_3_2_26_2","first-page":"782","volume-title":"Proceedings of the 2018 IEEE\/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM\u201918)","author":"Chen Lingwei","year":"2018","unstructured":"Lingwei Chen, Shifu Hou, Yanfang Ye, and Shouhuai Xu. 2018. DroidEye: Fortifying security of learning-based classifier against adversarial Android malware attacks. In Proceedings of the 2018 IEEE\/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM\u201918). IEEE, 782\u2013789."},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.3390\/s19040974"},{"key":"e_1_3_2_28_2","article-title":"OFEI: A semi-black-box Android adversarial sample attack framework against DLaaS","author":"Xu Guangquan","year":"2021","unstructured":"Guangquan Xu, GuoHua Xin, Litao Jiao, Jian Liu, Shaoying Liu, Meiqi Feng, and Xi Zheng. 2021. OFEI: A semi-black-box Android adversarial sample attack framework against DLaaS. arXiv preprint arXiv:2105.11593 (2021).","journal-title":"arXiv preprint arXiv:2105.11593"},{"key":"e_1_3_2_29_2","volume-title":"Proceedings of the 37th AAAI Conference on Artificial Intelligence, the 35th Conference on Innovative Applications of Artificial Intelligence, and the 13th Symposium on Educational Advances in Artificial Intelligence (AAAI\u201923\/IAAI\u201923\/EAAI\u201923)","author":"Doan Bao Gia","year":"2023","unstructured":"Bao Gia Doan, Shuiqiao Yang, Paul Montague, Olivier De Vel, Tamas Abraham, Seyit Camtepe, Salil S. Kanhere, Ehsan Abbasnejad, and Damith C. Ranasinghe. 2023. Feature-space Bayesian adversarial learning improved malware detector robustness. In Proceedings of the 37th AAAI Conference on Artificial Intelligence, the 35th Conference on Innovative Applications of Artificial Intelligence, and the 13th Symposium on Educational Advances in Artificial Intelligence (AAAI\u201923\/IAAI\u201923\/EAAI\u201923). 14783\u201314791."},{"key":"e_1_3_2_30_2","article-title":"Realizable universal adversarial perturbations for malware","author":"Labaca-Castro Raphael","year":"2021","unstructured":"Raphael Labaca-Castro, Luis Mu\u00f1oz-Gonz\u00e1lez, Feargus Pendlebury, Gabi Dreo Rodosek, Fabio Pierazzi, and Lorenzo Cavallaro. 2021. Realizable universal adversarial perturbations for malware. arXiv preprint arXiv:2102.06747 (2021).","journal-title":"arXiv preprint arXiv:2102.06747"},{"key":"e_1_3_2_31_2","article-title":"Do you think you can hold me? The real challenge of problem-space evasion attacks","author":"Berger Harel","year":"2022","unstructured":"Harel Berger, Amit Dvir, Chen Hajaj, and Rony Ronen. 2022. Do you think you can hold me? The real challenge of problem-space evasion attacks. arXiv preprint arXiv:2205.04293 (2022).","journal-title":"arXiv preprint arXiv:2205.04293"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNSE.2021.3051354"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66399-9_4"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1145\/3134600.3134642"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103676"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2019.2932228"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.3390\/info11090433"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453086"},{"key":"e_1_3_2_39_2","first-page":"490","volume-title":"Proceedings of the International Symposium on Research in Attacks, Intrusions, and Defenses","author":"Rosenberg Ishai","year":"2018","unstructured":"Ishai Rosenberg, Asaf Shabtai, Lior Rokach, and Yuval Elovici. 2018. Generic black-box end-to-end attack against state of the art API call based malware classifiers. In Proceedings of the International Symposium on Research in Attacks, Intrusions, and Defenses. 490\u2013510."},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1002\/ima.20188"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3450044"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.06.004"},{"key":"e_1_3_2_43_2","first-page":"19147","article-title":"Adversarial robustness with non-uniform perturbations","volume":"34","author":"Erdemir Ecenaz","year":"2021","unstructured":"Ecenaz Erdemir, Jeffrey Bickford, Luca Melis, and Sergul Aydore. 2021. Adversarial robustness with non-uniform perturbations. Advances in Neural Information Processing Systems 34 (2021), 19147\u201319159.","journal-title":"Advances in Neural Information Processing Systems"},{"key":"e_1_3_2_44_2","first-page":"109","volume-title":"Proceedings of the 10th ACM Conference on Data and Application Security and Privacy","author":"Chen Jiyu","year":"2020","unstructured":"Jiyu Chen, David Wang, and Hao Chen. 2020. Explore the transformation space for adversarial images. In Proceedings of the 10th ACM Conference on Data and Application Security and Privacy. 109\u2013120."},{"key":"e_1_3_2_45_2","first-page":"103359","article-title":"GenDroid: A query-efficient black-box Android adversarial attack framework","author":"Xu Guangquan","year":"2023","unstructured":"Guangquan Xu, Hongfei Shao, Jingyi Cui, Hongpeng Bai, Jiliang Li, Guangdong Bai, Shaoying Liu, Weizhi Meng, and Xi Zheng. 2023. GenDroid: A query-efficient black-box Android adversarial attack framework. Computers & Security (2023), 103359.","journal-title":"Computers & Security"},{"key":"e_1_3_2_46_2","first-page":"629","volume-title":"Proceedings of the 2021 IEEE 27th International Conference on Parallel and Distributed Systems (ICPADS\u201921)","author":"Zhang Jin","year":"2021","unstructured":"Jin Zhang, Chennan Zhang, Xiangyu Liu, Yuncheng Wang, Wenrui Diao, and Shanqing Guo. 2021. ShadowDroid: Practical black-box attack against ML-based Android malware detection. In Proceedings of the 2021 IEEE 27th International Conference on Parallel and Distributed Systems (ICPADS\u201921). IEEE, 629\u2013636."},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3003571"},{"key":"e_1_3_2_48_2","article-title":"Sparse-RS: A versatile framework for query-efficient sparse black-box adversarial attacks","author":"Croce Francesco","year":"2020","unstructured":"Francesco Croce, Maksym Andriushchenko, Naman D Singh, Nicolas Flammarion, and Matthias Hein. 2020. Sparse-RS: A versatile framework for query-efficient sparse black-box adversarial attacks. arXiv preprint arXiv:2006.12834 (2020).","journal-title":"arXiv preprint arXiv:2006.12834"},{"key":"e_1_3_2_49_2","first-page":"533","volume-title":"Proceedings of the 2018 26th European Signal Processing Conference (EUSIPCO\u201918)","author":"Kolosnjaji Bojan","year":"2018","unstructured":"Bojan Kolosnjaji, Ambra Demontis, Battista Biggio, Davide Maiorca, Giorgio Giacinto, Claudia Eckert, and Fabio Roli. 2018. Adversarial malware binaries: Evading deep learning for malware detection in executables. In Proceedings of the 2018 26th European Signal Processing Conference (EUSIPCO\u201918). IEEE, 533\u2013537."},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.49"},{"key":"e_1_3_2_51_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.36"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1145\/3564625.3567980"},{"key":"e_1_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.1145\/3469659"},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484570"},{"key":"e_1_3_2_55_2","doi-asserted-by":"crossref","first-page":"301","DOI":"10.1007\/978-3-030-57321-8_17","volume-title":"Proceedings of the International Cross-Domain Conference for Machine Learning and Knowledge Extraction","author":"Teuffenbach Martin","year":"2020","unstructured":"Martin Teuffenbach, Ewa Piatkowska, and Paul Smith. 2020. Subverting network intrusion detection: Crafting adversarial examples accounting for domain-specific constraints. In Proceedings of the International Cross-Domain Conference for Machine Learning and Knowledge Extraction. 301\u2013320."},{"key":"e_1_3_2_56_2","article-title":"FENCE: Feasible evasion attacks on neural networks in constrained environments","author":"Chernikova Alesia","year":"2019","unstructured":"Alesia Chernikova and Alina Oprea. 2019. FENCE: Feasible evasion attacks on neural networks in constrained environments. arXiv preprint arXiv:1909.10480 (2019).","journal-title":"arXiv preprint arXiv:1909.10480"},{"key":"e_1_3_2_57_2","first-page":"285","volume-title":"Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919)","author":"Tong Liang","year":"2019","unstructured":"Liang Tong, Bo Li, Chen Hajaj, Chaowei Xiao, Ning Zhang, and Yevgeniy Vorobeychik. 2019. Improving robustness of ML classifiers against realizable evasion attacks using conserved features. In Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919). 285\u2013302."},{"key":"e_1_3_2_58_2","doi-asserted-by":"publisher","DOI":"10.1145\/3379443"},{"key":"e_1_3_2_59_2","doi-asserted-by":"publisher","DOI":"10.1145\/3097983.3098026"},{"key":"e_1_3_2_60_2","first-page":"473","volume-title":"Proceedings of the 2018 IEEE European Symposium on Security and Privacy (EuroS&P\u201918)","author":"Xu Ke","year":"2018","unstructured":"Ke Xu, Yingjiu Li, Robert H. Deng, and Kai Chen. 2018. DeepRefiner: Multi-layer Android malware detection system applying deep neural networks. In Proceedings of the 2018 IEEE European Symposium on Security and Privacy (EuroS&P\u201918). IEEE, 473\u2013487."},{"key":"e_1_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2018.2866319"},{"key":"e_1_3_2_62_2","first-page":"3817","volume-title":"Proceedings of the 32nd USENIX Security Symposium (USENIX Security\u201923)","author":"Eykholt Kevin","unstructured":"Kevin Eykholt, Taesung Lee, Douglas Schales, Jiyong Jang, and Ian Molloy. 2023. URET: Universal robustness evaluation toolkit (for evasion). In Proceedings of the 32nd USENIX Security Symposium (USENIX Security\u201923). 3817\u20133833."},{"key":"e_1_3_2_63_2","first-page":"430","volume-title":"Proceedings of the 2020 IEEE 26th International Conference on Parallel and Distributed Systems (ICPADS)","author":"Tian Yunzhe","year":"2020","unstructured":"Yunzhe Tian, Yingdi Wang, Endong Tong, Wenjia Niu, Liang Chang, Qi Alfred Chen, Gang Li, and Jiqiang Liu. 2020. Exploring data correlation between feature pairs for generating constraint-based adversarial examples. In Proceedings of the 2020 IEEE 26th International Conference on Parallel and Distributed Systems (ICPADS). IEEE, 430\u2013437."},{"key":"e_1_3_2_64_2","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security 22), USENIX Association, Boston, MA","author":"Quiring E","year":"2022","unstructured":"E Quiring, F Pendlebury, A Warnecke, F Pierazzi, C Wressnegger, L Cavallaro, and K Rieck. 2022. Dos and don\u2019ts of machine learning in computer security. In Proceedings of the 31st USENIX Security Symposium (USENIX Security 22), USENIX Association, Boston, MA."},{"key":"e_1_3_2_65_2","doi-asserted-by":"publisher","DOI":"10.1145\/2771783.2771796"},{"key":"e_1_3_2_66_2","doi-asserted-by":"crossref","first-page":"167","DOI":"10.1007\/978-3-030-49785-9_11","volume-title":"Proceedings of the International Symposium on Cyber Security Cryptography and Machine Learning","author":"Berger Harel","year":"2020","unstructured":"Harel Berger, Chen Hajaj, and Amit Dvir. 2020. Evasion is not enough: A case study of Android malware. In Proceedings of the International Symposium on Cyber Security Cryptography and Machine Learning. 167\u2013174."},{"key":"e_1_3_2_67_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2020.10.009"},{"issue":"2","key":"e_1_3_2_68_2","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1002\/ima.20191","article-title":"Data clustering as an optimum-path forest problem with applications in image analysis","volume":"19","author":"Rocha Leonardo Marques","year":"2009","unstructured":"Leonardo Marques Rocha, F\u00e1bio A. M. Cappabianco, and Alexandre Xavier Falc\u00e3o. 2009. Data clustering as an optimum-path forest problem with applications in image analysis. International Journal of Imaging Systems and Technology 19, 2 (2009), 50\u201368.","journal-title":"International Journal of Imaging Systems and Technology"},{"key":"e_1_3_2_69_2","doi-asserted-by":"publisher","DOI":"10.1145\/3134599"},{"key":"e_1_3_2_70_2","first-page":"10815","volume-title":"Proceedings of the AAAI Conference on Artificial Intelligence","volume":"35","author":"Zeng Huimin","year":"2021","unstructured":"Huimin Zeng, Chen Zhu, Tom Goldstein, and Furong Huang. 2021. Are adversarial examples created equal? A learnable weighted minimax risk for robustness under non-uniform attacks. In Proceedings of the AAAI Conference on Artificial Intelligence, Vol. 35. 10815\u201310823."},{"key":"e_1_3_2_71_2","article-title":"A2-CLM: Few-shot malware detection based on adversarial heterogeneous graph augmentation","author":"Liu Chen","year":"2023","unstructured":"Chen Liu, Bo Li, Jun Zhao, Weiwei Feng, Xudong Liu, and Chunpei Li. 2023. A2-CLM: Few-shot malware detection based on adversarial heterogeneous graph augmentation. IEEE Transactions on Information Forensics and Security 19 (2023), 2023\u20132038.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"issue":"2","key":"e_1_3_2_72_2","first-page":"920","article-title":"PAD: Towards principled adversarial malware detection against evasion attacks","volume":"21","author":"Li Deqiang","year":"2023","unstructured":"Deqiang Li, Shicheng Cui, Yun Li, Jia Xu, Fu Xiao, and Shouhuai Xu. 2023. PAD: Towards principled adversarial malware detection against evasion attacks. IEEE Transactions on Dependable and Secure Computing 21, 2 (2023), 920\u2013936.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_2_73_2","article-title":"Adversarial training and robustness for multiple perturbations","volume":"32","author":"Tramer Florian","year":"2019","unstructured":"Florian Tramer and Dan Boneh. 2019. Adversarial training and robustness for multiple perturbations. Advances in Neural Information Processing Systems 32 (2019), 1\u201311.","journal-title":"Advances in Neural Information Processing Systems"},{"issue":"43","key":"e_1_3_2_74_2","first-page":"1","article-title":"Greedy attack and Gumbel attack: Generating adversarial examples for discrete data","volume":"21","author":"Yang Puyudi","year":"2020","unstructured":"Puyudi Yang, Jianbo Chen, Cho-Jui Hsieh, Jane-Ling Wang, and Michael I. Jordan. 2020. Greedy attack and Gumbel attack: Generating adversarial examples for discrete data. Journal of Machine Learning Research 21, 43 (2020), 1\u201336.","journal-title":"Journal of Machine Learning Research"},{"key":"e_1_3_2_75_2","doi-asserted-by":"publisher","DOI":"10.1145\/3591227"},{"key":"e_1_3_2_76_2","doi-asserted-by":"publisher","DOI":"10.1145\/3503463"},{"key":"e_1_3_2_77_2","first-page":"1","volume-title":"Proceedings of the 2018 16th Annual Conference on Privacy, Security, and Trust (PST\u201918)","author":"Onwuzurike Lucky","year":"2018","unstructured":"Lucky Onwuzurike, Mario Almeida, Enrico Mariconti, Jeremy Blackburn, Gianluca Stringhini, and Emiliano De Cristofaro. 2018. A family of Droids-Android malware detection via behavioral modeling: Static vs dynamic analysis. In Proceedings of the 2018 16th Annual Conference on Privacy, Security, and Trust (PST\u201918). IEEE, 1\u201310."},{"key":"e_1_3_2_78_2","first-page":"468","volume-title":"Proceedings of the 2016 IEEE\/ACM 13th Working Conference on Mining Software Repositories (MSR\u201916)","author":"Allix Kevin","year":"2016","unstructured":"Kevin Allix, Tegawend\u00e9 F. Bissyand\u00e9, Jacques Klein, and Yves Le Traon. 2016. AndroZoo: Collecting millions of Android apps for the research community. In Proceedings of the 2016 IEEE\/ACM 13th Working Conference on Mining Software Repositories (MSR\u201916). IEEE, 468\u2013471."},{"key":"e_1_3_2_79_2","first-page":"729","volume-title":"Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919)","author":"Pendlebury Feargus","unstructured":"Feargus Pendlebury, Fabio Pierazzi, Roberto Jordaney, Johannes Kinder, and Lorenzo Cavallaro. 2019. TESSERACT: Eliminating experimental bias in malware classification across space and time. In Proceedings of the 28th USENIX Security Symposium (USENIX Security\u201919). 729\u2013746."},{"key":"e_1_3_2_80_2","unstructured":"David Freedman Robert Pisani and Roger Purves. 2007. Statistics. Fourth International Student Edition. WW Norton & Company New York NY USA."},{"key":"e_1_3_2_81_2","first-page":"1","volume-title":"Proceedings of the 1999 Conference of the Centre for Advanced Studies on Collaborative Research","author":"Vall\u00e9e-Rai Raja","year":"1999","unstructured":"Raja Vall\u00e9e-Rai, Phong Co, Etienne Gagnon, Laurie Hendren, Patrick Lam, and Vijay Sundaresan. 1999. Soot\u2014A Java bytecode optimization framework. In Proceedings of the 1999 Conference of the Centre for Advanced Studies on Collaborative Research(CASCON\u201999). 1\u201311."},{"key":"e_1_3_2_82_2","unstructured":"Apktool. 2010. Apktool: A Tool for Reverse Engineering Android apk Files. Retrieved August 17 2024 from https:\/\/ibotpeaches.github.io\/Apktool\/"},{"key":"e_1_3_2_83_2","doi-asserted-by":"crossref","first-page":"81","DOI":"10.1007\/978-3-030-87839-9_4","volume-title":"Proceedings of the 2nd International Workshop on Deployable Machine Learning for Security Defense (MLHat\u201921)","author":"Daoudi Nadia","year":"2021","unstructured":"Nadia Daoudi, Jordan Samhi, Abdoul Kader Kabore, Kevin Allix, Tegawend\u00e9 F. Bissyand\u00e9, and Jacques Klein. 2021. DexRay: A simple, yet effective deep learning approach to Android malware detection based on image representation of bytecode. In Proceedings of the 2nd International Workshop on Deployable Machine Learning for Security Defense (MLHat\u201921). 81\u2013106."},{"key":"e_1_3_2_84_2","first-page":"914","volume-title":"Proceedings of the 2014 IEEE International Conference on Communications (ICC\u201914)","author":"Jerome Quentin","year":"2014","unstructured":"Quentin Jerome, Kevin Allix, Radu State, and Thomas Engel. 2014. Using opcode-sequences to detect malicious Android applications. In Proceedings of the 2014 IEEE International Conference on Communications (ICC\u201914). IEEE, 914\u2013919."},{"key":"e_1_3_2_85_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10618-015-0448-4"},{"key":"e_1_3_2_86_2","first-page":"524","volume-title":"Proceedings of the 2018 26th European Signal Processing Conference (EUSIPCO\u201918)","author":"Melis Marco","year":"2018","unstructured":"Marco Melis, Davide Maiorca, Battista Biggio, Giorgio Giacinto, and Fabio Roli. 2018. Explaining black-box Android malware detection. In Proceedings of the 2018 26th European Signal Processing Conference (EUSIPCO\u201918). IEEE, 524\u2013528."},{"key":"e_1_3_2_87_2","unstructured":"S2Lab. 2020. Intriguing properties of adversarial ML problem-space attacks. Retrieved August 17 2024 from https:\/\/s2lab.cs.ucl.ac.uk\/projects\/intriguing"},{"key":"e_1_3_2_88_2","first-page":"23063","article-title":"Indicators of attack failure: Debugging and improving optimization of adversarial examples","volume":"35","author":"Pintor Maura","year":"2022","unstructured":"Maura Pintor, Luca Demetrio, Angelo Sotgiu, Ambra Demontis, Nicholas Carlini, Battista Biggio, and Fabio Roli. 2022. Indicators of attack failure: Debugging and improving optimization of adversarial examples. Advances in Neural Information Processing Systems 35 (2022), 23063\u201323076.","journal-title":"Advances in Neural Information Processing Systems"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3711899","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3711899","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:09Z","timestamp":1750295889000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3711899"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,22]]},"references-count":87,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2025,5,31]]}},"alternative-id":["10.1145\/3711899"],"URL":"https:\/\/doi.org\/10.1145\/3711899","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2,22]]},"assertion":[{"value":"2024-04-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-12-02","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-02-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}