{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,4]],"date-time":"2026-06-04T16:03:22Z","timestamp":1780589002786,"version":"3.54.1"},"publisher-location":"New York, NY, USA","reference-count":63,"publisher":"ACM","license":[{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"name":"France National Research Agency","award":["ANR-22-PECY-0007"],"award-info":[{"award-number":["ANR-22-PECY-0007"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2026,6]]},"DOI":"10.1145\/3779208.3785392","type":"proceedings-article","created":{"date-parts":[[2026,6,4]],"date-time":"2026-06-04T15:21:58Z","timestamp":1780586518000},"page":"1555-1569","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["The Role of Domain-Specific Features in Malware Detection: A macOS Case Study"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-6870-8075","authenticated-orcid":false,"given":"Biagio","family":"Montaruli","sequence":"first","affiliation":[{"name":"SAP Security Research, SAP Labs France, EURECOM, Biot, France"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7820-1927","authenticated-orcid":false,"given":"Andrea","family":"Oliveri","sequence":"additional","affiliation":[{"name":"EURECOM, Biot, France"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0988-9366","authenticated-orcid":false,"given":"Savino","family":"Dambra","sequence":"additional","affiliation":[{"name":"GenDigital, Biot, 
France"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5957-6213","authenticated-orcid":false,"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[{"name":"EURECOM, Biot, France"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2026,6,4]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Anderson and Phil Roth","author":"Hyrum","year":"2018","unstructured":"Hyrum S. Anderson and Phil Roth. 2018. EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models. ArXiv e-prints (April 2018). arXiv:1804.04637"},{"key":"e_1_3_2_1_2_1","volume-title":"App code signing process in macOS. https:\/\/support.apple.com\/en-gb\/guide\/security\/sec3ad8e6e53\/web Accessed","year":"2026","unstructured":"Apple. 2021. App code signing process in macOS. https:\/\/support.apple.com\/en-gb\/guide\/security\/sec3ad8e6e53\/web Accessed: January 7, 2026."},{"key":"e_1_3_2_1_3_1","volume-title":"https:\/\/developer.apple.com\/documentation\/security\/app-sandbox Accessed","author":"Sandbox App","year":"2026","unstructured":"Apple. 2025. App Sandbox. https:\/\/developer.apple.com\/documentation\/security\/app-sandbox Accessed: January 7, 2026."},{"key":"e_1_3_2_1_4_1","volume-title":"https:\/\/developer.apple.com\/documentation\/ Accessed","author":"Documentation Apple","year":"2026","unstructured":"Apple. 2025. Apple Documentation. https:\/\/developer.apple.com\/documentation\/ Accessed: January 7, 2026."},{"key":"e_1_3_2_1_5_1","volume-title":"Apple Platform Security. https:\/\/support.apple.com\/en-us\/102149 Accessed","year":"2026","unstructured":"Apple. 2025. Apple Platform Security. https:\/\/support.apple.com\/en-us\/102149 Accessed: January 7, 2026."},{"key":"e_1_3_2_1_6_1","volume-title":"Bundle Programming Guide. 
https:\/\/developer.apple.com\/library\/archive\/documentation\/CoreFoundation\/Conceptual\/CFBundles\/BundleTypes\/BundleTypes.html#\/\/apple_ref\/doc\/uid\/10000123i-CH101-SW1 Accessed","year":"2026","unstructured":"Apple. 2025. Bundle Programming Guide. https:\/\/developer.apple.com\/library\/archive\/documentation\/CoreFoundation\/Conceptual\/CFBundles\/BundleTypes\/BundleTypes.html#\/\/apple_ref\/doc\/uid\/10000123i-CH101-SW1 Accessed: January 7, 2026."},{"key":"e_1_3_2_1_7_1","volume-title":"https:\/\/developer.apple.com\/documentation\/bundleresources\/entitlements Accessed","year":"2026","unstructured":"Apple. 2025. Entitlements. https:\/\/developer.apple.com\/documentation\/bundleresources\/entitlements Accessed: January 7, 2026."},{"key":"e_1_3_2_1_8_1","volume-title":"Gatekeeper and runtime protection in macOS. https:\/\/support.apple.com\/en-gb\/guide\/security\/sec5599b66df\/web Accessed","year":"2026","unstructured":"Apple. 2025. Gatekeeper and runtime protection in macOS. https:\/\/support.apple.com\/en-gb\/guide\/security\/sec5599b66df\/web Accessed: January 7, 2026."},{"key":"e_1_3_2_1_9_1","volume-title":"https:\/\/developer.apple.com\/documentation\/security\/hardened-runtime Accessed","author":"Runtime Hardened","year":"2026","unstructured":"Apple. 2025. Hardened Runtime. https:\/\/developer.apple.com\/documentation\/security\/hardened-runtime Accessed: January 7, 2026."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"key":"e_1_3_2_1_11_1","volume-title":"Pattern Recognition and Machine Learning (Information Science and Statistics)","author":"Bishop Christopher M.","unstructured":"Christopher M. Bishop. 2006. Pattern Recognition and Machine Learning (Information Science and Statistics). 
Springer-Verlag, Berlin, Heidelberg."},{"key":"e_1_3_2_1_12_1","volume-title":"Proceedings of the Eleventh Symposium on Conformal and Probabilistic Prediction and Applications (Proceedings of Machine Learning Research","author":"Bostr\u00f6m Henrik","year":"2022","unstructured":"Henrik Bostr\u00f6m. 2022. crepes: a Python Package for Generating Conformal Regressors and Predictive Systems. In Proceedings of the Eleventh Symposium on Conformal and Probabilistic Prediction and Applications (Proceedings of Machine Learning Research, Vol. 179), Ulf Johansson, Henrik Bostr\u00f6m, Khuong An Nguyen, Zhiyuan Luo, and Lars Carlsson (Eds.). PMLR."},{"key":"e_1_3_2_1_13_1","volume-title":"Random forests. Machine learning 45","author":"Breiman Leo","year":"2001","unstructured":"Leo Breiman. 2001. Random forests. Machine learning 45 (2001), 5\u201332."},{"key":"e_1_3_2_1_14_1","unstructured":"Jason Brownlee. 2024. XGBoost Best Feature Importance Score. https:\/\/xgboosting.com\/xgboost-best-feature-importance-score\/"},{"key":"e_1_3_2_1_15_1","volume-title":"Multi-platform Python module to parse and work with Portable Executable (PE) files. https:\/\/github.com\/erocarrera\/pefile Accessed","year":"2026","unstructured":"Ero Carrera. 2025. Multi-platform Python module to parse and work with Portable Executable (PE) files. https:\/\/github.com\/erocarrera\/pefile Accessed: January 7, 2026."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.5555\/1622407.1622416"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-74753-4_14"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2939672.2939785"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00054"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616589"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3082330"},{"key":"e_1_3_2_1_22_1","unstructured":"Jonny Evans. 2023. 
Three-quarters of large US firms now using more Apple devices - survey. https:\/\/www.computerworld.com\/article\/1634358\/three-quarters-of-large-us-firms-now-using-more-apple-devices-survey.html"},{"key":"e_1_3_2_1_23_1","volume-title":"Through the Cortex XDR Lens: macOS Pirrit Adware. https:\/\/www.paloaltonetworks.com\/blog\/security-operations\/through-the-cortex-xdr-lens-macos-pirrit-adware\/ Accessed","author":"Fakterman Tom","year":"2026","unstructured":"Tom Fakterman. 2023. Through the Cortex XDR Lens: macOS Pirrit Adware. https:\/\/www.paloaltonetworks.com\/blog\/security-operations\/through-the-cortex-xdr-lens-macos-pirrit-adware\/ Accessed: January 7, 2026."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-74753-4_13"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-66245-4_6"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.52202\/068431-0037"},{"key":"e_1_3_2_1_27_1","unstructured":"Robert J. Joyce Edward Raff Charles Nicholas and James Holt. 2023. MalDICT: Benchmark Datasets on Malware Behaviors Platforms Exploitation and Packers. arXiv:2310.11706 [cs.CR]"},{"key":"e_1_3_2_1_28_1","unstructured":"Kaspersky Team. 2023. Are Macs safe? Threats to macOS users. https:\/\/www.kaspersky.com\/blog\/macos-users-cyberthreats-2023\/50018\/"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133958"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-50127-7_11"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"crossref","unstructured":"Matous Kozak Luca Demetrio Dmitrijs Trizna and Fabio Roli. 2024. Updating Windows Malware Detectors: Balancing Robustness and Regression against Adversarial EXEmples. https:\/\/arxiv.org\/abs\/2405.02646","DOI":"10.1016\/j.cose.2025.104466"},{"key":"e_1_3_2_1_32_1","volume-title":"Awesome macOS open source applications. 
https:\/\/github.com\/serhii-londar\/open-source-mac-os-apps Accessed","author":"Londar Serhii","year":"2024","unstructured":"Serhii Londar. 2025. Awesome macOS open source applications. https:\/\/github.com\/serhii-londar\/open-source-mac-os-apps Accessed: July 30, 2024."},{"key":"e_1_3_2_1_33_1","volume-title":"https:\/\/bazaar.abuse.ch Accessed","author":"Team MalwareBazaar","year":"2024","unstructured":"MalwareBazaar Team. 2025. MalwareBazaar. https:\/\/bazaar.abuse.ch Accessed: July 30, 2024."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.fsidi.2021.301221"},{"key":"e_1_3_2_1_35_1","volume-title":"The Missing Package Manager for macOS (or Linux). https:\/\/brew.sh\/ Accessed","author":"Max Howell","year":"2024","unstructured":"Howell Max. 2025. The Missing Package Manager for macOS (or Linux). https:\/\/brew.sh\/ Accessed: July 30, 2024."},{"key":"e_1_3_2_1_36_1","volume-title":"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/debug\/pe-format Accessed","author":"Format PE","year":"2026","unstructured":"Microsoft. 2025. PE Format. https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/debug\/pe-format Accessed: January 7, 2026."},{"key":"e_1_3_2_1_37_1","volume-title":"https:\/\/attack.mitre.org\/versions\/v15\/software\/S0482\/ Accessed","author":"Bundlore MITRE.","year":"2026","unstructured":"MITRE. 2025. Bundlore. https:\/\/attack.mitre.org\/versions\/v15\/software\/S0482\/ Accessed: January 7, 2026."},{"key":"e_1_3_2_1_38_1","unstructured":"Christoph Molnar. 2022. Interpretable Machine Learning (2 ed.). Lulu.com. https:\/\/christophm.github.io\/interpretable-ml-book"},{"key":"e_1_3_2_1_39_1","unstructured":"Biagio Montaruli Andrea Oliveri Savino Dambra and Davide Balzarotti. 2025. The Role of Domain-Specific Features in Malware Detection: A macOS Case Study - Dataset. https:\/\/github.com\/eurecom-s3\/macos-malware-dataset"},{"key":"e_1_3_2_1_40_1","unstructured":"Moonlock Lab Team. 2024. Moonlock's 2024 macOS threat report. 
https:\/\/moonlock.com\/moonlock-2024-macos-threat-report"},{"key":"e_1_3_2_1_41_1","volume-title":"macOS Malware Collection. https:\/\/github.com\/objective-see\/Malware Accessed","author":"Foundation Objective-See","year":"2024","unstructured":"Objective-See Foundation. 2025. macOS Malware Collection. https:\/\/github.com\/objective-see\/Malware Accessed: July 30, 2024."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-017-0307-5"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.5555\/1953048.2078195"},{"key":"e_1_3_2_1_44_1","volume-title":"Ivan Tesfai Ogbu, and Fabio Roli","author":"Ponte Andrea","year":"2024","unstructured":"Andrea Ponte, Dmitrijs Trizna, Luca Demetrio, Battista Biggio, Ivan Tesfai Ogbu, and Fabio Roli. 2024. SLIFER: Investigating Performance and Robustness of Malware Detection Pipelines. https:\/\/arxiv.org\/abs\/2405.14478"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v35i11.17131"},{"key":"e_1_3_2_1_46_1","unstructured":"Sebastian Raschka. 2018. Model Evaluation Model Selection and Algorithm Selection in Machine Learning. http:\/\/arxiv.org\/abs\/1811.12808"},{"key":"e_1_3_2_1_47_1","unstructured":"Raffaele Sabato Phil Stokes and Tom Hegel. 2025. BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence. https:\/\/www.sentinelone.com\/labs\/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence\/ Accessed: January 7 2026."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-74753-4_11"},{"key":"e_1_3_2_1_49_1","volume-title":"OS X ABI Mach-O File Format Reference. https:\/\/github.com\/aidansteele\/osx-abi-macho-file-format-reference Accessed","author":"Steele Aidan","year":"2026","unstructured":"Aidan Steele. 2025. OS X ABI Mach-O File Format Reference. 
https:\/\/github.com\/aidansteele\/osx-abi-macho-file-format-reference Accessed: January 7, 2026."},{"key":"e_1_3_2_1_50_1","volume-title":"Massive New AdLoad Campaign Goes Entirely Undetected By Apple's XProtect. https:\/\/www.sentinelone.com\/labs\/massive-new-adload-campaign-goes-entirely-undetected-by-apples-xprotect\/ Accessed","author":"Stokes Phil","year":"2026","unstructured":"Phil Stokes. 2021. Massive New AdLoad Campaign Goes Entirely Undetected By Apple's XProtect. https:\/\/www.sentinelone.com\/labs\/massive-new-adload-campaign-goes-entirely-undetected-by-apples-xprotect\/ Accessed: January 7, 2026."},{"key":"e_1_3_2_1_51_1","unstructured":"Phil Stokes. 2025. macOS Adload: Prolific Adware Pivots Just Days After Apple's XProtect Clampdown. https:\/\/www.sentinelone.com\/blog\/macos-adload-prolific-adware-pivots-just-days-after-apples-xprotect-clampdown\/ Accessed: January 7 2026."},{"key":"e_1_3_2_1_52_1","unstructured":"Phil Stokes. 2025. macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. https:\/\/www.sentinelone.com\/blog\/macos-cuckoo-stealer-ensuring-detection-and-defense-as-new-samples-rapidly-emerge\/ Accessed: January 7 2026."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/CAMAD59638.2023.10478430"},{"key":"e_1_3_2_1_54_1","unstructured":"Romain Thomas. 2017. LIEF - Library to Instrument Executable Formats. https:\/\/lief.quarkslab.com\/"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2024.3409083"},{"key":"e_1_3_2_1_56_1","volume-title":"MacOS Malware Samples - A Collection of MacOS Malware Binaries. https:\/\/github.com\/MalwareSamples\/Macos-Malware-Samples Accessed","author":"Team VirusSamples","year":"2024","unstructured":"VirusSamples Team. 2025. MacOS Malware Samples - A Collection of MacOS Malware Binaries. 
https:\/\/github.com\/MalwareSamples\/Macos-Malware-Samples Accessed: July 30, 2024."},{"key":"e_1_3_2_1_57_1","volume-title":"https:\/\/virusshare.com Accessed","author":"Team VirusShare","year":"2026","unstructured":"VirusShare Team. 2025. VirusShare.com - Because Sharing is Caring. https:\/\/virusshare.com Accessed: January 7, 2026."},{"key":"e_1_3_2_1_58_1","volume-title":"VirusTotal - Free Online Virus, Malware and URL Scanner. https:\/\/www.virustotal.com\/ Accessed","year":"2026","unstructured":"VirusTotal. 2025. VirusTotal - Free Online Virus, Malware and URL Scanner. https:\/\/www.virustotal.com\/ Accessed: January 7, 2026."},{"key":"e_1_3_2_1_59_1","unstructured":"Elizabeth Walkup. 2014. Mac Malware Detection via Static File Structure Analysis. https:\/\/cs229.stanford.edu\/proj2014\/Elizabeth%20Walkup %20MacMalware.pdf"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2024.3367329"},{"key":"e_1_3_2_1_61_1","unstructured":"Patrick Wardle. 2022. The Art of Mac Malware: The Guide to Analyzing Malicious Software. No Starch Press. https:\/\/taomm.org\/vol1\/read.html"},{"key":"e_1_3_2_1_62_1","unstructured":"Patrick Wardle. 2025. The Art of Mac Malware Volume 2: Detecting Malicious Software. No Starch Press. https:\/\/taomm.org\/vol2\/read.html"},{"key":"e_1_3_2_1_63_1","volume-title":"DIMVA 2017, Bonn, Germany, July 6-7, 2017, Proceedings 14","author":"Webster George D","year":"2017","unstructured":"George D Webster, Bojan Kolosnjaji, Christian von Pentz, Julian Kirsch, Zachary D Hanif, Apostolis Zarras, and Claudia Eckert. 2017. Finding the needle: A study of the pe32 rich header and respective malware triage. In Detection of Intrusions and Malware, and Vulnerability Assessment: 14th International Conference, DIMVA 2017, Bonn, Germany, July 6-7, 2017, Proceedings 14. 
Springer, 119\u2013138."}],"event":{"name":"ASIA CCS '26: ACM Asia Conference on Computer and Communications Security","location":"Bangalore India","acronym":"ASIA CCS '26","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the ACM Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3779208.3785392","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,6,4]],"date-time":"2026-06-04T15:36:10Z","timestamp":1780587370000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3779208.3785392"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,6]]},"references-count":63,"alternative-id":["10.1145\/3779208.3785392","10.1145\/3779208"],"URL":"https:\/\/doi.org\/10.1145\/3779208.3785392","relation":{},"subject":[],"published":{"date-parts":[[2026,6]]},"assertion":[{"value":"2026-06-04","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}