{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:22:16Z","timestamp":1766442136807,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":82,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T00:00:00Z","timestamp":1763769600000},"content-version":"vor","delay-in-days":3,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000006","name":"Office of Naval Research","doi-asserted-by":"publisher","award":["N00014-23-1-2157"],"award-info":[{"award-number":["N00014-23-1-2157"]}],"id":[{"id":"10.13039\/100000006","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3765144","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:33:16Z","timestamp":1763854396000},"page":"201-215","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Hardening Deep Neural Network Binaries against Reverse Engineering Attacks"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-0498-6035","authenticated-orcid":false,"given":"Zheng","family":"Zhong","sequence":"first","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1450-6240","authenticated-orcid":false,"given":"Ruoyu","family":"Wu","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-9948-7163","authenticated-orcid":false,"given":"Junpeng","family":"Wan","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-7623-0850","authenticated-orcid":false,"given":"Muqi","family":"Zou","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7506-9593","authenticated-orcid":false,"given":"Dave (Jing)","family":"Tian","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"volume-title":"2025-09-09","author":"SageMaker Neo Amazon","unstructured":"Amazon SageMaker Neo. Accessed: 2025-09-09. Amazon SageMaker Neo. https:\/\/docs.aws.amazon.com\/sagemaker\/latest\/dg\/neo.html.","key":"e_1_3_2_1_1_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_2_1","DOI":"10.1145\/1179509.1179521"},{"unstructured":"angr Project. Accessed: 2025-09-09. Next-generation binary analysis framework. https:\/\/github.com\/angr.","key":"e_1_3_2_1_3_1"},{"unstructured":"Apache TVM. Accessed: 2025-09-09 a. Apache TVM: An Open Machine Learning Compiler Framework. https:\/\/tvm.apache.org\/.","key":"e_1_3_2_1_4_1"},{"unstructured":"Apache TVM. Accessed: 2025-09-09 b. Relay Operator Strategy. https:\/\/tvm.apache.org\/docs\/v0.9.0\/arch\/relay_op_strategy.html.","key":"e_1_3_2_1_5_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_6_1","DOI":"10.1109\/JSYST.2013.2260617"},{"key":"e_1_3_2_1_7_1","first-page":"633","volume-title":"Backward-Bounded DSE: Targeting Infeasibility Questions on Obfuscated Codes. In IEEE Symposium on Security and Privacy, SP","author":"Bardin S\u00e9bastien","year":"2017","unstructured":"S\u00e9bastien Bardin, Robin David, and Jean-Yves Marion. 2017. Backward-Bounded DSE: Targeting Infeasibility Questions on Obfuscated Codes. In IEEE Symposium on Security and Privacy, SP 2017. 633-651."},{"unstructured":"BinDiff. Accessed: 2025-09-09. BinDiff: Binary Diffing Tool. https:\/\/github.com\/google\/bindiff.","key":"e_1_3_2_1_8_1"},{"key":"e_1_3_2_1_9_1","first-page":"643","article-title":"Syntia: Synthesizing the Semantics of Obfuscated Code","volume":"2017","author":"Blazytko Tim","year":"2017","unstructured":"Tim Blazytko, Moritz Contag, Cornelius Aschermann, and Thorsten Holz. 2017. Syntia: Synthesizing the Semantics of Obfuscated Code. In USENIX Security 2017. 643-659.","journal-title":"USENIX Security"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_10_1","DOI":"10.1145\/1866870.1866877"},{"key":"e_1_3_2_1_11_1","volume-title":"ACNS 2019, Proceedings (Lecture Notes in Computer Science","volume":"174","author":"Cheng Xiaoyang","year":"2019","unstructured":"Xiaoyang Cheng, Yan Lin, Debin Gao, and Chunfu Jia. 2019. DynOpVm: VM-Based Software Obfuscation with Dynamic Opcode Mapping. In Applied Cryptography and Network Security - 17th International Conference, ACNS 2019, Proceedings (Lecture Notes in Computer Science, Vol. 11464). Springer, 155-174."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_12_1","DOI":"10.1145\/3570361.3592501"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_13_1","DOI":"10.1145\/268946.268962"},{"key":"e_1_3_2_1_14_1","first-page":"131","volume-title":"Reverse Engineering Self-Modifying Code: Unpacker Extraction. In 17th Working Conference on Reverse Engineering, WCRE","author":"Saumya","year":"2010","unstructured":"Saumya K. Debray and Jay Patel. 2010. Reverse Engineering Self-Modifying Code: Unpacker Extraction. In 17th Working Conference on Reverse Engineering, WCRE 2010. IEEE Computer Society, 131-140."},{"key":"e_1_3_2_1_15_1","first-page":"299","volume-title":"Challenges of the Dynamic Detection of Functionally Similar Code Fragments. In 16th European Conference on Software Maintenance and Reengineering, CSMR","author":"Deissenboeck Florian","year":"2012","unstructured":"Florian Deissenboeck, Lars Heinemann, Benjamin Hummel, and Stefan Wagner. 2012. Challenges of the Dynamic Detection of Functionally Similar Code Fragments. In 16th European Conference on Software Maintenance and Reengineering, CSMR 2012. IEEE Computer Society, 299-308."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_16_1","DOI":"10.1145\/3548606.3559388"},{"key":"e_1_3_2_1_17_1","first-page":"303","volume-title":"Proceedings of the 23rd USENIX Security Symposium","author":"Egele Manuel","year":"2014","unstructured":"Manuel Egele, Maverick Woo, Peter Chapman, and David Brumley. 2014. Blanket Execution: Dynamic Similarity Testing for Program Binaries and Components. In Proceedings of the 23rd USENIX Security Symposium, 2014, Kevin Fu and Jaeyeon Jung (Eds.). USENIX Association, 303-317."},{"key":"e_1_3_2_1_18_1","volume-title":"ICLR","author":"Elsken Thomas","year":"2019","unstructured":"Thomas Elsken, Jan Hendrik Metzen, and Frank Hutter. 2019a. Efficient Multi-Objective Neural Architecture Search via Lamarckian Evolution. In ICLR 2019."},{"key":"e_1_3_2_1_19_1","article-title":"Neural Architecture Search: A Survey","volume":"20","author":"Elsken Thomas","year":"2019","unstructured":"Thomas Elsken, Jan Hendrik Metzen, and Frank Hutter. 2019b. Neural Architecture Search: A Survey. The Journal of Machine Learning Research, Vol. 20 (2019), 55:1-55:21.","journal-title":"The Journal of Machine Learning Research"},{"key":"e_1_3_2_1_20_1","volume-title":"14th International Conference, ISC 2011. Proceedings (Lecture Notes in Computer Science","volume":"181","author":"Fang Hui","year":"2011","unstructured":"Hui Fang, Yongdong Wu, Shuhong Wang, and Yin Huang. 2011. Multi-stage Binary Code Obfuscation Using Improved Virtual Machine. In Information Security, 14th International Conference, ISC 2011. Proceedings (Lecture Notes in Computer Science, Vol. 7001). Springer, 168-181."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_21_1","DOI":"10.1145\/3575693.3576933"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_22_1","DOI":"10.1109\/JETCAS.2021.3076151"},{"unstructured":"Google Chrome Team. Accessed: 2025-09-09. On-Device Gemini Nano in Chrome. https:\/\/developer.chrome.com\/docs\/ai.","key":"e_1_3_2_1_23_1"},{"key":"e_1_3_2_1_24_1","volume-title":"Smith","author":"Gururangan Suchin","year":"2020","unstructured":"Suchin Gururangan, Ana Marasovic, Swabha Swayamdipta, Kyle Lo, Iz Beltagy, Doug Downey, and Noah A. Smith. 2020. Don't Stop Pretraining: Adapt Language Models to Domains and Tasks. In Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics, ACL 2020. Association for Computational Linguistics, 8342-8360."},{"unstructured":"Hex-Rays. Accessed: 2025-09-09. IDA Pro: Interactive Disassembler. https:\/\/hex-rays.com\/ida-pro\/.","key":"e_1_3_2_1_25_1"},{"key":"e_1_3_2_1_26_1","first-page":"1345","article-title":"High Accuracy and High Fidelity Extraction of Neural Networks","volume":"2020","author":"Jagielski Matthew","year":"2020","unstructured":"Matthew Jagielski, Nicholas Carlini, David Berthelot, Alex Kurakin, and Nicolas Papernot. 2020. High Accuracy and High Fidelity Extraction of Neural Networks. In USENIX Security 2020. 1345-1362.","journal-title":"USENIX Security"},{"key":"e_1_3_2_1_27_1","first-page":"3","volume-title":"Obfuscator-LLVM - Software Protection for the Masses. In 1st IEEE\/ACM International Workshop on Software Protection, SPRO","author":"Junod Pascal","year":"2015","unstructured":"Pascal Junod, Julien Rinaldini, Johan Wehrli, and Julie Michielin. 2015. Obfuscator-LLVM - Software Protection for the Masses. In 1st IEEE\/ACM International Workshop on Software Protection, SPRO 2015. IEEE Computer Society, 3-9."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_28_1","DOI":"10.1145\/1314389.1314399"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_29_1","DOI":"10.1016\/j.cose.2018.01.008"},{"key":"e_1_3_2_1_30_1","first-page":"1","article-title":"Exploit dynamic data flows to protect software against semantic attacks. In 2017 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computed, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation, SmartWorld\/SCALCOM\/UIC\/ATC\/CBDCom\/IOP\/SCI 2017","author":"Kuang Kaiyuan","year":"2017","unstructured":"Kaiyuan Kuang, Zhanyong Tang, Xiaoqing Gong, Dingyi Fang, Xiaojiang Chen, Heng Zhang, Jie Liu, and Zheng Wang. 2017. Exploit dynamic data flows to protect software against semantic attacks. In 2017 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computed, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation, SmartWorld\/SCALCOM\/UIC\/ATC\/CBDCom\/IOP\/SCI 2017. IEEE, 1-6.","journal-title":"IEEE"},{"key":"e_1_3_2_1_31_1","volume-title":"ALBERT: A Lite BERT for Self-supervised Learning of Language Representations. In 8th International Conference on Learning Representations, ICLR","author":"Lan Zhenzhong","year":"2020","unstructured":"Zhenzhong Lan, Mingda Chen, Sebastian Goodman, Kevin Gimpel, Piyush Sharma, and Radu Soricut. 2020. ALBERT: A Lite BERT for Self-supervised Learning of Language Representations. In 8th International Conference on Learning Representations, ICLR 2020."},{"key":"e_1_3_2_1_32_1","first-page":"2","volume-title":"MLIR: Scaling Compiler Infrastructure for Domain Specific Computation. In IEEE\/ACM International Symposium on Code Generation and Optimization, CGO","author":"Lattner Chris","year":"2021","unstructured":"Chris Lattner, Mehdi Amini, Uday Bondhugula, Albert Cohen, Andy Davis, Jacques A. Pienaar, River Riddle, Tatiana Shpeisman, Nicolas Vasilache, and Oleksandr Zinenko. 2021. MLIR: Scaling Compiler Infrastructure for Domain Specific Computation. In IEEE\/ACM International Symposium on Code Generation and Optimization, CGO 2021. IEEE, 2-14."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_33_1","DOI":"10.1145\/3576915.3623186"},{"key":"e_1_3_2_1_34_1","volume-title":"WISA","volume":"145","author":"Lee Jae-Yung","year":"2018","unstructured":"Jae-Yung Lee, Jae Hyuk Suk, and Dong Hoon Lee. 2018. VODKA: Virtualization Obfuscation Using Dynamic Key Approach. In Information Security Applications - 19th International Conference, WISA 2018, Revised Selected Papers (Lecture Notes in Computer Science, Vol. 11402). Springer, 131-145."},{"key":"e_1_3_2_1_35_1","first-page":"28","article-title":"DeepObfuscator: Obfuscating Intermediate Representations with Privacy-Preserving Adversarial Learning on Smartphones. In IoTDI '21: International Conference on Internet-of-Things Design and Implementation, 2021","author":"Li Ang","year":"2021","unstructured":"Ang Li, Jiayi Guo, Huanrui Yang, Flora D. Salim, and Yiran Chen. 2021a. DeepObfuscator: Obfuscating Intermediate Representations with Privacy-Preserving Adversarial Learning on Smartphones. In IoTDI '21: International Conference on Internet-of-Things Design and Implementation, 2021. ACM, 28-39.","journal-title":"ACM"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_36_1","DOI":"10.1109\/HOST49136.2021.9702279"},{"key":"e_1_3_2_1_37_1","first-page":"7357","article-title":"Decompiling x86 Deep Neural Network Executables","volume":"2023","author":"Liu Zhibo","year":"2023","unstructured":"Zhibo Liu, Yuanyuan Yuan, Shuai Wang, Xiaofei Xie, and Lei Ma. 2023. Decompiling x86 Deep Neural Network Executables. In USENIX Security 2023. 7357-7374.","journal-title":"USENIX Security"},{"unstructured":"llvm-cbe. Accessed: 2025-09-09. LLVM C Backend. https:\/\/github.com\/JuliaHubOSS\/llvm-cbe.","key":"e_1_3_2_1_38_1"},{"unstructured":"LLVM Project. Accessed: 2025-09-09. MLIR Affine Dialect Documentation. https:\/\/mlir.llvm.org\/docs\/Dialects\/Affine\/.","key":"e_1_3_2_1_39_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_40_1","DOI":"10.1145\/3238147.3238202"},{"key":"e_1_3_2_1_41_1","volume-title":"Forty-first International Conference on Machine Learning, ICML","author":"Mai Peihua","year":"2024","unstructured":"Peihua Mai, Ran Yan, Zhe Huang, Youjia Yang, and Yan Pang. 2024. Split-and-Denoise: Protect large language model inference with local differential privacy. In Forty-first International Conference on Machine Learning, ICML 2024."},{"unstructured":"MLC LLM. Accessed: 2025-09-09. Universal LLM Deployment Engine With ML Compilation. https:\/\/llm.mlc.ai.","key":"e_1_3_2_1_42_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_43_1","DOI":"10.1145\/3386901.3388946"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_44_1","DOI":"10.1109\/TCSI.2024.3397925"},{"key":"e_1_3_2_1_45_1","volume-title":"ASGARD: Protecting On-Device Deep Neural Networks with Virtualization-Based Trusted Execution Environments. In 32nd Annual Network and Distributed System Security Symposium, NDSS","author":"Moon Myungsuk","year":"2025","unstructured":"Myungsuk Moon, Minhee Kim, Joonkyo Jung, and Dokyung Song. 2025. ASGARD: Protecting On-Device Deep Neural Networks with Virtualization-Based Trusted Execution Environments. In 32nd Annual Network and Distributed System Security Symposium, NDSS 2025."},{"key":"e_1_3_2_1_46_1","volume-title":"Daniele Ferla, and Lorenzo Cavallaro.","author":"Nakanishi Fukutomo","year":"2020","unstructured":"Fukutomo Nakanishi, Giulio De Pasquale, Daniele Ferla, and Lorenzo Cavallaro. 2020. Intertwining ROP Gadgets and Opaque Predicates for Robust Obfuscation. CoRR, Vol. abs\/2012.09163 (2020). arXiv:2012.09163"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_47_1","DOI":"10.1145\/3458817.3476209"},{"unstructured":"O-MVLL. Accessed: 2025-09-09. O-MVLL: An Open-Source Obfuscator Based on LLVM. https:\/\/github.com\/open-obfuscator\/o-mvll.","key":"e_1_3_2_1_48_1"},{"doi-asserted-by":"crossref","unstructured":"OctoML. Accessed: 2025-09-09. Optimizing machine learning using machine learning. https:\/\/github.com\/octoml.","key":"e_1_3_2_1_49_1","DOI":"10.55041\/IJSREM50094"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_50_1","DOI":"10.1145\/3359789.3359812"},{"unstructured":"ONNX. Accessed: 2025-09-09. Open Neural Network Exchange. https:\/\/onnx.ai\/.","key":"e_1_3_2_1_51_1"},{"unstructured":"OpenXLA. Accessed: 2025-09-09. OpenXLA: Open and Modular ML Compiler Infrastructure. https:\/\/openxla.org\/.","key":"e_1_3_2_1_52_1"},{"key":"e_1_3_2_1_53_1","volume-title":"DIMVA 2016, Proceedings (Lecture Notes in Computer Science","volume":"185","author":"Pawlowski Andre","year":"2016","unstructured":"Andre Pawlowski, Moritz Contag, and Thorsten Holz. 2016. Probfuscation: An Obfuscation Approach Using Probabilistic Control Flows. In Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Proceedings (Lecture Notes in Computer Science, Vol. 9721), Juan Caballero, Urko Zurutuza, and Ricardo J. Rodr\u00edguez (Eds.). Springer, 165-185."},{"unstructured":"PyTorch. Accessed: 2025-09-09. PyTorch: An Open Source Deep Learning Framework. https:\/\/pytorch.org\/.","key":"e_1_3_2_1_54_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_55_1","DOI":"10.1073\/pnas.2016239118"},{"key":"e_1_3_2_1_56_1","volume-title":"Glow: Graph Lowering Compiler Techniques for Neural Networks. CoRR","author":"Rotem Nadav","year":"2018","unstructured":"Nadav Rotem, Jordan Fix, Saleem Abdulrasool, Summer Deng, Roman Dzhabarov, James Hegeman, Roman Levenstein, Bert Maher, Nadathur Satish, Jakob Olesen, Jongsoo Park, Artem Rakhov, and Misha Smelyanskiy. 2018. Glow: Graph Lowering Compiler Techniques for Neural Networks. CoRR, Vol. abs\/1805.00907 (2018)."},{"key":"e_1_3_2_1_57_1","first-page":"3055","article-title":"Loki","volume":"2022","author":"Schloegel Moritz","year":"2022","unstructured":"Moritz Schloegel, Tim Blazytko, Moritz Contag, Cornelius Aschermann, Julius Basler, Thorsten Holz, and Ali Abbasi. 2022. Loki: Hardening Code Obfuscation Against Automated Attacks. In USENIX Security 2022. 3055-3073.","journal-title":"Hardening Code Obfuscation Against Automated Attacks. In USENIX Security"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_58_1","DOI":"10.1109\/SP.2010.26"},{"key":"e_1_3_2_1_59_1","first-page":"3","volume-title":"Membership Inference Attacks Against Machine Learning Models. In IEEE Symposium on Security and Privacy, SP","author":"Shokri Reza","year":"2017","unstructured":"Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. 2017. Membership Inference Attacks Against Machine Learning Models. In IEEE Symposium on Security and Privacy, SP 2017. 3-18."},{"unstructured":"StableHLO. Accessed: 2025-09-09. A High-Level Operation Set for ML Models. https:\/\/github.com\/openxla\/stablehlo.","key":"e_1_3_2_1_60_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_61_1","DOI":"10.1109\/ACCESS.2020.3012684"},{"key":"e_1_3_2_1_62_1","volume-title":"ACNS 2025, Proceedings, Part III (Lecture Notes in Computer Science","volume":"414","author":"Sun Yulian","year":"2025","unstructured":"Yulian Sun, Vedant Bonde, Li Duan, and Yong Li. 2025. Obfuscation for Deep Neural Networks Against Model Extraction: Attack Taxonomy and Defense Optimization. In Applied Cryptography and Network Security - 23rd International Conference, ACNS 2025, Proceedings, Part III (Lecture Notes in Computer Science, Vol. 15827). Springer, 391-414."},{"key":"e_1_3_2_1_63_1","first-page":"1955","article-title":"Mind Your Weight(s)","volume":"2021","author":"Sun Zhichuang","year":"2021","unstructured":"Zhichuang Sun, Ruimin Sun, Long Lu, and Alan Mislove. 2021. Mind Your Weight(s): A Large-scale Study on Insufficient Machine Learning Model Protection in Mobile Apps. In USENIX Security 2021. 1955-1972.","journal-title":"In USENIX Security"},{"unstructured":"TensorFlow Lite. Accessed: 2025-09-09. TensorFlow Lite: Lightweight Solution for Mobile and Embedded ML. https:\/\/www.tensorflow.org\/lite\/guide\/.","key":"e_1_3_2_1_64_1"},{"unstructured":"Themida. Accessed: 2025-09-09. Themida: Advanced Windows Software Protection System. https:\/\/oreans.com\/themida.php.","key":"e_1_3_2_1_65_1"},{"unstructured":"Tigress. Accessed: 2025-09-09. The Tigress C Obfuscator. https:\/\/tigress.wtf.","key":"e_1_3_2_1_66_1"},{"key":"e_1_3_2_1_67_1","first-page":"601","article-title":"Stealing machine learning models via prediction {APIs}","volume":"2016","author":"Tram\u00e8r Florian","year":"2016","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction {APIs}. In USENIX Security 2016. 601-618.","journal-title":"USENIX Security"},{"key":"e_1_3_2_1_68_1","first-page":"659","volume-title":"SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers. In IEEE Symposium on Security and Privacy, SP","author":"Ugarte-Pedrero Xabier","year":"2015","unstructured":"Xabier Ugarte-Pedrero, Davide Balzarotti, Igor Santos, and Pablo Garc\u00eda Bringas. 2015. SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers. In IEEE Symposium on Security and Privacy, SP 2015. 659-673."},{"unstructured":"VMProtect. Accessed: 2025-09-09. VMProtect: Complete solution to software protection. https:\/\/vmpsoft.com\/products\/vmprotect.","key":"e_1_3_2_1_69_1"},{"unstructured":"Chenxi Wang Jonathan Hill John Knight and Jack Davidson. 2000. Software tamper resistance: Obstructing static analysis of programs. (2000).","key":"e_1_3_2_1_70_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_71_1","DOI":"10.1145\/2556464.2556468"},{"key":"e_1_3_2_1_72_1","first-page":"479","volume-title":"NISLVMP: Improved Virtual Machine-Based Software Protection. In Ninth International Conference on Computational Intelligence and Security, CIS","author":"Wang Huaijun","year":"2013","unstructured":"Huaijun Wang, Dingyi Fang, Guanghui Li, Xiaoyan Yin, Bo Zhang, and Yuanxiang Gu. 2013. NISLVMP: Improved Virtual Machine-Based Software Protection. In Ninth International Conference on Computational Intelligence and Security, CIS 2013. IEEE Computer Society, 479-483."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_73_1","DOI":"10.1109\/ICCC56324.2022.10065748"},{"key":"e_1_3_2_1_74_1","first-page":"2135","article-title":"DnD","volume":"2022","author":"Wu Ruoyu","year":"2022","unstructured":"Ruoyu Wu, Taegyu Kim, Dave (Jing) Tian, Antonio Bianchi, and Dongyan Xu. 2022. DnD: A Cross-Architecture Deep Neural Network Decompiler. In USENIX Security 2022. 2135-2152.","journal-title":"A Cross-Architecture Deep Neural Network Decompiler. In USENIX Security"},{"key":"e_1_3_2_1_75_1","first-page":"666","volume-title":"Manufacturing Resilient Bi-Opaque Predicates Against Symbolic Execution. In 48th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks, DSN","author":"Xu Hui","year":"2018","unstructured":"Hui Xu, Yangfan Zhou, Yu Kang, Fengzhi Tu, and Michael R. Lyu. 2018. Manufacturing Resilient Bi-Opaque Predicates Against Symbolic Execution. In 48th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks, DSN 2018. 666-677."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_76_1","DOI":"10.1109\/PADSW.2018.8644535"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_77_1","DOI":"10.1109\/SP.2015.47"},{"key":"e_1_3_2_1_78_1","volume-title":"USENIX Security","author":"Yan Yifan","year":"2023","unstructured":"Yifan Yan, Xudong Pan, Mi Zhang, and Min Yang. 2023. Rethinking White-Box Watermarks on Deep Learning Models under Neural Structural Obfuscation. In USENIX Security 2023, Joseph A. Calandrino and Carmela Troncoso (Eds.). 2347-2364."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_79_1","DOI":"10.18653\/v1\/2023.emnlp-main.276"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_80_1","DOI":"10.1145\/3579990.3580007"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_81_1","DOI":"10.1145\/3597926.3598113"},{"key":"e_1_3_2_1_82_1","volume-title":"8th International Workshop","volume":"75","author":"Zhou Yongxin","year":"2007","unstructured":"Yongxin Zhou, Alec Main, Yuan Xiang Gu, and Harold Johnson. 2007. Information Hiding in Software with Mixed Boolean-Arithmetic Transforms. In Information Security Applications, 8th International Workshop, 2007, Revised Selected Papers (Lecture Notes in Computer Science, Vol. 4867). Springer, 61-75."}],"event":{"sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"acronym":"CCS '25","name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","location":"Taipei Taiwan"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765144","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3765144","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:19:17Z","timestamp":1766441957000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3765144"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":82,"alternative-id":["10.1145\/3719027.3765144","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3765144","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}