pith. sign in

arxiv: 2312.06423 · v3 · submitted 2023-12-11 · 💻 cs.CR · cs.AI· cs.LG

MalPurifier: Enhancing Android Malware Detection with Adversarial Purification against Evasion Attacks

Yuyang Zhou , Guang Cheng , Zongyao Chen , Shui Yu This is my paper

Pith reviewed 2026-05-24 05:31 UTC · model grok-4.3

classification 💻 cs.CR cs.AIcs.LG
keywords Android malware detectionadversarial purificationevasion attacksdenoising autoencodermachine learning securityperturbation mechanismrobust accuracy
0
0 comments X

The pith

MalPurifier purifies Android malware samples with a denoising autoencoder to defend detectors against 37 evasion attacks at over 90.91% robust accuracy.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents MalPurifier as a framework that purifies potentially manipulated Android app samples before they reach a machine learning malware classifier. It combines a diversified perturbation mechanism to build robustness, protective noise injection to preserve clean data behavior, and a denoising autoencoder trained with a dual-objective loss that supports both accurate cleaning and classification. This setup addresses the weaknesses of prior defenses that often lose effectiveness across attack types or degrade performance on normal apps. A reader would care because it offers a way to keep detection reliable even when attackers apply small changes to hide malicious code. The approach is positioned as lightweight and easy to add to existing detectors without retraining the core model.

Core claim

MalPurifier integrates a diversified adversarial perturbation mechanism for robustness and generalizability, a protective noise injection strategy for benign data integrity, and a Denoising AutoEncoder with dual-objective loss for accurate purification and classification. On two large-scale datasets this yields consistent robust accuracies above 90.91% against a set of 37 perturbation-based evasion attacks while outperforming prior defenses and preserving clean-data performance.

What carries the argument

MalPurifier, an adversarial purification framework that combines diversified perturbation, protective noise injection, and a dual-objective denoising autoencoder to clean inputs before classification.

If this is right

  • ML-based Android malware detectors achieve robust accuracy above 90.91% against a comprehensive set of 37 perturbation-based evasion attacks.
  • The framework remains effective across two large-scale datasets without loss of generalization.
  • Existing detectors gain defense capability while keeping high accuracy on unmodified benign and malicious apps.
  • The module can be added to detectors as a lightweight, model-agnostic component without retraining the underlying classifier.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Security teams could insert the purification step into production pipelines to handle new evasion attempts without rebuilding the main detector each time.
  • The dual-objective loss design might serve as a pattern for balancing cleaning and decision quality in other input-purification settings.
  • Because the method is plug-and-play, it could shorten the time between discovering an attack family and deploying protection.

Load-bearing premise

The three components can be combined to deliver high purification accuracy and maintained classification performance on clean data without introducing new vulnerabilities or requiring dataset-specific tuning.

What would settle it

An experiment on a held-out dataset or new attack variants where robust accuracy falls below 90% or clean-data accuracy drops noticeably after MalPurifier is applied.

Figures

Figures reproduced from arXiv: 2312.06423 by Guang Cheng, Shui Yu, Yuyang Zhou, Zongyao Chen.

Figure 1
Figure 1. Figure 1: Illustration of MalPurifier pre-processing samples via adversarial [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Overview of MalPurifier architecture. In the training phase, feature vectors are extracted from Android apps in Step 1. Then, a detection [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: The accuracy of different detectors against black-box attacks on [PITH_FULL_IMAGE:figures/full_fig_p008_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: The accuracy of different detectors against gradient-based grey-box attacks on Drebin (top panel) and Androzoo (bottom panel) datasets, [PITH_FULL_IMAGE:figures/full_fig_p010_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: The accuracy of different purification algorithms when equipped with the DNN-based classifier in the absence and presence of evasion [PITH_FULL_IMAGE:figures/full_fig_p012_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: The accuracy of different detectors against various evasion attacks when equipped with (w/) or without (w/o) the DAE-based purification [PITH_FULL_IMAGE:figures/full_fig_p012_6.png] view at source ↗
read the original abstract

Machine learning (ML) has gained significant adoption in Android malware detection to address the escalating threats posed by the rapid proliferation of malware attacks. However, recent studies have revealed the inherent vulnerabilities of ML-based detection systems to evasion attacks. While efforts have been made to address this critical issue, many of the existing defensive methods encounter challenges such as lower effectiveness or reduced generalization capabilities. In this paper, we introduce MalPurifier, a novel adversarial purification framework specifically engineered for Android malware detection. Specifically, MalPurifier integrates three key innovations: a diversified adversarial perturbation mechanism for robustness and generalizability, a protective noise injection strategy for benign data integrity, and a Denoising AutoEncoder (DAE) with a dual-objective loss for accurate purification and classification. Extensive experiments on two large-scale datasets demonstrate that MalPurifier significantly outperforms state-of-the-art defenses. It robustly defends against a comprehensive set of 37 perturbation-based evasion attacks, consistently achieving robust accuracies above 90.91%. As a lightweight, model-agnostic, and plug-and-play module, MalPurifier offers a practical and effective solution to bolster the security of ML-based Android malware detectors.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces MalPurifier, an adversarial purification framework for Android malware detection. It combines a diversified adversarial perturbation mechanism, protective noise injection for benign samples, and a Denoising AutoEncoder (DAE) trained with a dual-objective loss. Experiments on two large-scale datasets claim that MalPurifier outperforms prior defenses and achieves robust accuracy above 90.91% against a set of 37 perturbation-based evasion attacks while remaining lightweight and model-agnostic.

Significance. If the central claims hold under adaptive evaluation, the work would supply a practical, plug-and-play defense module that improves robustness of ML-based Android malware detectors without retraining the underlying classifier. The scale of the attack suite and the reported clean-data performance preservation would be notable contributions to the adversarial robustness literature in security applications.

major comments (2)
  1. [Experiments / Evaluation (around the description of the 37 attacks and robust accuracy results)] The evaluation does not appear to test adaptive attacks that optimize perturbations end-to-end through the full MalPurifier pipeline (diversified perturbation + protective noise + DAE). If the 37 attacks are generated only against the base classifier, the reported >90.91% robust accuracy does not directly support the claim that the integrated components defend without introducing new vulnerabilities.
  2. [Discussion of attack generation and threat model] The paper should provide an explicit statement and, if possible, results on whether white-box adaptive attacks against the purification module itself can reduce performance below the claimed threshold. This is load-bearing for the assertion that the three components together deliver both high purification accuracy and maintained classification performance.
minor comments (2)
  1. [Abstract and §4] Dataset descriptions, attack generation parameters, and statistical significance tests are referenced in the abstract but should be expanded with concrete numbers (e.g., dataset sizes, feature counts, exact attack hyperparameters) in the main text for reproducibility.
  2. [Method description of the DAE] Clarify the exact form of the dual-objective loss in the DAE (weights, terms) and whether any hyper-parameters require dataset-specific tuning, as this affects the claimed generality.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments highlighting the importance of adaptive attack evaluation. We address each major comment below and indicate planned revisions to clarify the threat model and evaluation scope.

read point-by-point responses

  1. Referee: The evaluation does not appear to test adaptive attacks that optimize perturbations end-to-end through the full MalPurifier pipeline (diversified perturbation + protective noise + DAE). If the 37 attacks are generated only against the base classifier, the reported >90.91% robust accuracy does not directly support the claim that the integrated components defend without introducing new vulnerabilities.

    Authors: We acknowledge that the 37 attacks were generated against the base classifier, consistent with common evaluation practices in Android malware robustness papers. This does not constitute a full adaptive evaluation through the entire pipeline. In the revised version we will add an explicit threat-model subsection stating the non-adaptive nature of the reported experiments and include a discussion of how the diversified perturbation, protective noise, and dual-loss DAE are intended to limit transfer of adaptive perturbations. We will also report any available bounds or qualitative analysis on adaptive attack difficulty without performing new end-to-end optimization experiments. revision: partial

  2. Referee: The paper should provide an explicit statement and, if possible, results on whether white-box adaptive attacks against the purification module itself can reduce performance below the claimed threshold. This is load-bearing for the assertion that the three components together deliver both high purification accuracy and maintained classification performance.

    Authors: We will insert a clear statement in the threat-model section that the current results concern non-adaptive attacks. We do not currently possess white-box adaptive results against the purification module; the manuscript focuses on the 37 existing evasion attacks. The design rationale for the three components is to raise the bar for such attacks, yet we agree that direct empirical evidence would be stronger. The revision will therefore add this point as an explicit limitation and direction for future work rather than new experimental results. revision: partial

Circularity Check

0 steps flagged

No significant circularity; empirical framework with independent experimental validation

full rationale

The paper proposes an empirical adversarial purification framework (MalPurifier) combining three stated innovations: diversified perturbation, protective noise injection, and dual-objective DAE. No equations, derivations, or first-principles results appear that reduce any claimed outcome to fitted inputs or self-citations by construction. Claims rest on experimental results across two datasets against 37 attacks, which are externally falsifiable and not forced by the method definition itself. This is a standard non-circular empirical ML defense paper.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review yields no explicit free parameters, axioms, or invented entities. The dual-objective loss and protective noise strategy are described at high level without numerical fitting details or unstated background assumptions.

pith-pipeline@v0.9.0 · 5741 in / 1142 out tokens · 28315 ms · 2026-05-24T05:31:17.703511+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

58 extracted references · 58 canonical work pages · 1 internal anchor

  1. [1]

    2022 global mobile threat report

    Zimperium. 2022 global mobile threat report. [Online]. Available: https://www.zimperium.com/global-mobile-threat-report/ SUBMITTED TO IEEE FOR PEER REVIEW. 16

    work page 2022

  2. [2]

    Shishkova

    T. Shishkova. The mobile malware threat land- scape in 2022. [Online]. Available: https://securelist.com/ mobile-threat-report-2022/108844/

    work page 2022

  3. [3]

    Sedmdroid: An enhanced stacking ensemble framework for android malware detection,

    H. Zhu, Y. Li, R. Li, J. Li, Z. You, and H. Song, “Sedmdroid: An enhanced stacking ensemble framework for android malware detection,” IEEE Transactions on Network Science and Engineering , vol. 8, no. 2, pp. 984–994, 2021

    work page 2021

  4. [4]

    Sdac: A slow-aging solution for android malware detection using semantic distance based api clustering,

    J. Xu, Y. Li, R. H. Deng, and K. Xu, “Sdac: A slow-aging solution for android malware detection using semantic distance based api clustering,” IEEE Transactions on Dependable and Secure Computing , vol. 19, no. 2, pp. 1149–1163, 2022

    work page 2022

  5. [5]

    Cyber code intelligence for android malware detection,

    J. Qiu, Q.-L. Han, W. Luo, L. Pan, S. Nepal, J. Zhang, and Y. Xiang, “Cyber code intelligence for android malware detection,” IEEE Transactions on Cybernetics, vol. 53, no. 1, pp. 617–627, 2022

    work page 2022

  6. [6]

    A hybrid deep network framework for android malware detection,

    H.-J. Zhu, L.-M. Wang, S. Zhong, Y. Li, and V . S. Sheng, “A hybrid deep network framework for android malware detection,” IEEE Transactions on Knowledge and Data Engineering, vol. 34, no. 12, pp. 5558–5570, 2022

    work page 2022

  7. [7]

    Comprehensive android malware detection based on federated learning architecture,

    W. Fang, J. He, W. Li, X. Lan, Y. Chen, T. Li, J. Huang, and L. Zhang, “Comprehensive android malware detection based on federated learning architecture,” IEEE Transactions on Information Forensics and Security, vol. 18, pp. 3977–3990, 2023

    work page 2023

  8. [8]

    Intrigu- ing properties of adversarial ml attacks in the problem space,

    F. Pierazzi, F. Pendlebury, J. Cortellazzi, and L. Cavallaro, “Intrigu- ing properties of adversarial ml attacks in the problem space,” in 2020 IEEE symposium on security and privacy (SP) . IEEE, 2020, pp. 1332–1349

    work page 2020

  9. [9]

    Black-box adversarial example attack towards fcg based android malware detection under incomplete feature information,

    H. Li, Z. Cheng, B. Wu, L. Yuan, C. Gao, W. Yuan, and X. Luo, “Black-box adversarial example attack towards fcg based android malware detection under incomplete feature information,” in 32rd USENIX Security Symposium (USENIX Security 23) , 2023

    work page 2023

  10. [10]

    Yes, machine learning can be more secure! a case study on android malware detection,

    A. Demontis, M. Melis, B. Biggio, D. Maiorca, D. Arp, K. Rieck, I. Corona, G. Giacinto, and F. Roli, “Yes, machine learning can be more secure! a case study on android malware detection,” IEEE transactions on dependable and secure computing , vol. 16, no. 4, pp. 711–724, 2019

    work page 2019

  11. [11]

    Android hiv: A study of repackaging malware for evad- ing machine-learning detection,

    X. Chen, C. Li, D. Wang, S. Wen, J. Zhang, S. Nepal, Y. Xiang, and K. Ren, “Android hiv: A study of repackaging malware for evad- ing machine-learning detection,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 987–1001, 2020

    work page 2020

  12. [12]

    Adversarial deep ensemble: Evasion attacks and defenses for malware detection,

    D. Li and Q. Li, “Adversarial deep ensemble: Evasion attacks and defenses for malware detection,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 3886–3900, 2020

    work page 2020

  13. [13]

    Backdoor attack on machine learning based android malware detectors,

    C. Li, X. Chen, D. Wang, S. Wen, M. E. Ahmed, S. Camtepe, and Y. Xiang, “Backdoor attack on machine learning based android malware detectors,” IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 5, pp. 3357–3370, 2022

    work page 2022

  14. [14]

    {Explanation- Guided} backdoor poisoning attacks against malware classifiers,

    G. Severi, J. Meyer, S. Coull, and A. Oprea, “ {Explanation- Guided} backdoor poisoning attacks against malware classifiers,” in 30th USENIX security symposium (USENIX security 21), 2021, pp. 1487–1504

    work page 2021

  15. [15]

    When does machine learning {FAIL}? generalized transferability for evasion and poisoning attacks,

    O. Suciu, R. Marginean, Y. Kaya, H. Daume III, and T. Dumitras, “When does machine learning {FAIL}? generalized transferability for evasion and poisoning attacks,” in 27th USENIX Security Symposium (USENIX Security 18), 2018, pp. 1299–1316

    work page 2018

  16. [16]

    Why do adversarial attacks transfer? explaining transferability of evasion and poisoning attacks,

    A. Demontis, M. Melis, M. Pintor, M. Jagielski, B. Biggio, A. Oprea, C. Nita-Rotaru, and F. Roli, “Why do adversarial attacks transfer? explaining transferability of evasion and poisoning attacks,” in 28th USENIX security symposium (USENIX security 19) , 2019, pp. 321–338

    work page 2019

  17. [17]

    A framework for enhancing deep neural networks against adversarial malware,

    D. Li, Q. Li, Y. Ye, and S. Xu, “A framework for enhancing deep neural networks against adversarial malware,” IEEE Transactions on Network Science and Engineering, vol. 8, no. 1, pp. 736–750, 2021

    work page 2021

  18. [18]

    Adversarial elf malware detection method using model interpre- tation,

    Y. Qiao, W. Zhang, Z. Tian, L. T. Yang, Y. Liu, and M. Alazab, “Adversarial elf malware detection method using model interpre- tation,” IEEE Transactions on Industrial Informatics , vol. 19, no. 1, pp. 605–615, 2023

    work page 2023

  19. [19]

    Pad: Towards principled adversarial malware detection against evasion attacks,

    D. Li, S. Cui, Y. Li, J. Xu, F. Xiao, and S. Xu, “Pad: Towards principled adversarial malware detection against evasion attacks,” IEEE Transactions on Dependable and Secure Computing, 2023

    work page 2023

  20. [20]

    Boosting fast ad- versarial training with learnable adversarial initialization,

    X. Jia, Y. Zhang, B. Wu, J. Wang, and X. Cao, “Boosting fast ad- versarial training with learnable adversarial initialization,” IEEE Transactions on Image Processing, vol. 31, pp. 4417–4430, 2022

    work page 2022

  21. [21]

    Interpolated joint space adversarial training for robust and generalizable defenses,

    C. P . Lau, J. Liu, H. Souri, W.-A. Lin, S. Feizi, and R. Chel- lappa, “Interpolated joint space adversarial training for robust and generalizable defenses,” IEEE Transactions on Pattern Analysis and Machine Intelligence, 2023

    work page 2023

  22. [22]

    Robust android malware detection against adversarial example attacks,

    H. Li, S. Zhou, W. Yuan, X. Luo, C. Gao, and S. Chen, “Robust android malware detection against adversarial example attacks,” in Proceedings of the Web Conference 2021, 2021, pp. 3603–3612

    work page 2021

  23. [23]

    A self- supervised approach for adversarial robustness,

    M. Naseer, S. Khan, M. Hayat, F. S. Khan, and F. Porikli, “A self- supervised approach for adversarial robustness,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2020, pp. 262–271

    work page 2020

  24. [24]

    Adversarial purification with score-based generative models,

    J. Yoon, S. J. Hwang, and J. Lee, “Adversarial purification with score-based generative models,” in International Conference on Ma- chine Learning. PMLR, 2021, pp. 12 062–12 072

    work page 2021

  25. [25]

    Evaluating the adversarial robustness of adaptive test- time defenses,

    F. Croce, S. Gowal, T. Brunner, E. Shelhamer, M. Hein, and T. Cemgil, “Evaluating the adversarial robustness of adaptive test- time defenses,” in International Conference on Machine Learning . PMLR, 2022, pp. 4421–4435

    work page 2022

  26. [26]

    Privacy preserving defense for black box classifiers against on-line adversarial attacks,

    R. Theagarajan and B. Bhanu, “Privacy preserving defense for black box classifiers against on-line adversarial attacks,” IEEE Transactions on Pattern Analysis and Machine Intelligence , vol. 44, no. 12, pp. 9503–9520, 2022

    work page 2022

  27. [27]

    Diffusion models for adversarial purification,

    W. Nie, B. Guo, Y. Huang, C. Xiao, A. Vahdat, and A. Anandkumar, “Diffusion models for adversarial purification,” in International Conference on Machine Learning. PMLR, 2022, pp. 16 805–16 827

    work page 2022

  28. [28]

    Ofei: A semi-black-box android adversarial sample attack framework against dlaas,

    G. Xu, G. Xin, L. Jiao, J. Liu, S. Liu, M. Feng, and X. Zheng, “Ofei: A semi-black-box android adversarial sample attack framework against dlaas,” IEEE Transactions on Computers, 2023

    work page 2023

  29. [29]

    Drebin: Effective and explainable detection of android malware in your pocket

    D. Arp, M. Spreitzenbarth, M. Hubner, H. Gascon, K. Rieck, and C. Siemens, “Drebin: Effective and explainable detection of android malware in your pocket.” in Ndss, vol. 14, 2014, pp. 23– 26

    work page 2014

  30. [30]

    Androzoo: Collecting millions of android apps for the research community,

    K. Allix, T. F. Bissyand ´e, J. Klein, and Y. Le Traon, “Androzoo: Collecting millions of android apps for the research community,” in Proceedings of the 13th international conference on mining software repositories, 2016, pp. 468–471

    work page 2016

  31. [31]

    Practical evasion of a learning-based classifier: A case study,

    N. ˇSrndi´c and P . Laskov, “Practical evasion of a learning-based classifier: A case study,” in 2014 IEEE symposium on security and privacy. IEEE, 2014, pp. 197–211

    work page 2014

  32. [32]

    Avpass: Leaking and bypassing antivirus detection model automatically,

    C. Jeon, I. Yun, J. Jung, M. Wolotsky, and T. Kim, “Avpass: Leaking and bypassing antivirus detection model automatically,” in Black Hat USA 2017. Black Hat, 2017

    work page 2017

  33. [33]

    Towards deep learning models resistant to adversarial attacks,

    A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards deep learning models resistant to adversarial attacks,” in International Conference on Learning Representations, 2018

    work page 2018

  34. [34]

    Interpreting adversarially trained convo- lutional neural networks,

    T. Zhang and Z. Zhu, “Interpreting adversarially trained convo- lutional neural networks,” in International conference on machine learning. PMLR, 2019, pp. 7502–7511

    work page 2019

  35. [35]

    Ad- versarial deep learning for robust detection of binary encoded malware,

    A. Al-Dujaili, A. Huang, E. Hemberg, and U.-M. O’Reilly, “Ad- versarial deep learning for robust detection of binary encoded malware,” in 2018 IEEE Security and Privacy Workshops (SPW) . IEEE, 2018, pp. 76–82

    work page 2018

  36. [36]

    Generating adversarial malware examples for black-box attacks based on gan,

    W. Hu and Y. Tan, “Generating adversarial malware examples for black-box attacks based on gan,” in International Conference on Data Mining and Big Data. Springer, 2022, pp. 409–423

    work page 2022

  37. [37]

    Query efficient decision based sparse attacks against black-box deep learning models,

    V . Vo, E. M. Abbasnejad, and D. Ranasinghe, “Query efficient decision based sparse attacks against black-box deep learning models,” in International Conference on Learning Representations , 2021

    work page 2021

  38. [38]

    Reliable evaluation of adversarial ro- bustness with an ensemble of diverse parameter-free attacks,

    F. Croce and M. Hein, “Reliable evaluation of adversarial ro- bustness with an ensemble of diverse parameter-free attacks,” in International conference on machine learning. PMLR, 2020, pp. 2206– 2216

    work page 2020

  39. [39]

    PBP: post- training backdoor purification for malware classifiers,

    D. T. Nguyen, N. N. Tran, T. T. Johnson, and K. Leach, “PBP: post- training backdoor purification for malware classifiers,” in 32nd Annual Network and Distributed System Security Symposium, NDSS 2025, San Diego, California, USA, February 24-28, 2025. The Internet Society, 2025

    work page 2025

  40. [40]

    A multi- modal deep learning method for android malware detection using various features,

    T. Kim, B. Kang, M. Rho, S. Sezer, and E. G. Im, “A multi- modal deep learning method for android malware detection using various features,” IEEE Transactions on Information Forensics and Security, vol. 14, no. 3, pp. 773–788, 2019

    work page 2019

  41. [41]

    Adversarial examples for malware detection,

    K. Grosse, N. Papernot, P . Manoharan, M. Backes, and P . Mc- Daniel, “Adversarial examples for malware detection,” in Euro- pean symposium on research in computer security , 2017, pp. 62–79

    work page 2017

  42. [42]

    On the (Statistical) Detection of Adversarial Examples

    K. Grosse, P . Manoharan, N. Papernot, M. Backes, and P . Mc- Daniel, “On the (statistical) detection of adversarial examples,” arXiv preprint arXiv:1702.06280, 2017

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  43. [43]

    Towards robust detection of adversarial examples,

    T. Pang, C. Du, Y. Dong, and J. Zhu, “Towards robust detection of adversarial examples,” Advances in neural information processing systems, vol. 31, 2018. SUBMITTED TO IEEE FOR PEER REVIEW. 17

    work page 2018

  44. [44]

    Enhancing robustness of deep neural networks against adversarial malware samples: Principles, framework, and application to aics’2019 challenge,

    D. Li and Q. Li, “Enhancing robustness of deep neural networks against adversarial malware samples: Principles, framework, and application to aics’2019 challenge,” in The AAAI-19 Workshop on Artificial Intelligence for Cyber Security (AICS), 2019

    work page 2019

  45. [45]

    Evading adversarial example detection defenses with orthogonal projected gradient descent,

    O. Bryniarski, N. Hingun, P . Pachuca, V . Wang, and N. Carlini, “Evading adversarial example detection defenses with orthogonal projected gradient descent,” in International Conference on Learning Representations, 2022

    work page 2022

  46. [46]

    Semantics-preserving node injection attacks against gnn-based acfg malware classifiers,

    D. Zapzalka, S. Salem, and D. Mohaisen, “Semantics-preserving node injection attacks against gnn-based acfg malware classifiers,” IEEE Transactions on Dependable and Secure Computing, vol. 22, no. 1, pp. 549–560, 2025

    work page 2025

  47. [47]

    Dl-fhmc: Deep learning- based fine-grained hierarchical learning approach for robust mal- ware classification,

    A. Abusnaina, M. Abuhamad, H. Alasmary, A. Anwar, R. Jang, S. Salem, D. Nyang, and D. Mohaisen, “Dl-fhmc: Deep learning- based fine-grained hierarchical learning approach for robust mal- ware classification,” IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 5, pp. 3432–3447, 2022

    work page 2022

  48. [48]

    Mamadroid: Detecting android mal- ware by building markov chains of behavioral models (extended version),

    L. Onwuzurike, E. Mariconti, P . Andriotis, E. D. Cristofaro, G. Ross, and G. Stringhini, “Mamadroid: Detecting android mal- ware by building markov chains of behavioral models (extended version),” ACM Transactions on Privacy and Security (TOPS), vol. 22, no. 2, pp. 1–34, 2019

    work page 2019

  49. [49]

    Efficient query-based attack against ml-based android malware detection under zero knowl- edge setting,

    P . He, Y. Xia, X. Zhang, and S. Ji, “Efficient query-based attack against ml-based android malware detection under zero knowl- edge setting,” in Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2023, pp. 90–104

    work page 2023

  50. [50]

    Mab-malware: A reinforcement learning framework for blackbox generation of adversarial malware,

    W. Song, X. Li, S. Afroz, D. Garg, D. Kuznetsov, and H. Yin, “Mab-malware: A reinforcement learning framework for blackbox generation of adversarial malware,” in Proceedings of the 2022 ACM on Asia conference on computer and communications security, 2022, pp. 990–1003

    work page 2022

  51. [51]

    Evadedroid: A practical evasion attack on machine learning for black-box android malware detec- tion,

    H. Bostani and V . Moonsamy, “Evadedroid: A practical evasion attack on machine learning for black-box android malware detec- tion,” Computers & Security, vol. 139, p. 103676, 2024

    work page 2024

  52. [52]

    Structural attack against graph based android mal- ware detection,

    K. Zhao, H. Zhou, Y. Zhu, X. Zhan, K. Zhou, J. Li, L. Yu, W. Yuan, and X. Luo, “Structural attack against graph based android mal- ware detection,” in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2021, pp. 3218–3235

    work page 2021

  53. [53]

    Dl-droid: Deep learning based android malware detection using real devices,

    M. K. Alzaylaee, S. Y. Yerima, and S. Sezer, “Dl-droid: Deep learning based android malware detection using real devices,” Computers & Security, vol. 89, p. 101663, 2020

    work page 2020

  54. [54]

    Familial clustering for weakly-labeled android malware using hybrid representation learning,

    Y. Zhang, Y. Sui, S. Pan, Z. Zheng, B. Ning, I. Tsang, and W. Zhou, “Familial clustering for weakly-labeled android malware using hybrid representation learning,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 3401–3414, 2019

    work page 2019

  55. [55]

    Boosting adversarial attacks with momentum,

    Y. Dong, F. Liao, T. Pang, H. Su, J. Zhu, X. Hu, and J. Li, “Boosting adversarial attacks with momentum,” in Proceedings of the IEEE conference on computer vision and pattern recognition, 2018, pp. 9185– 9193

    work page 2018

  56. [56]

    Feature-space bayesian adversarial learning improved malware detector robustness,

    B. G. Doan, S. Yang, P . Montague, O. De Vel, T. Abraham, Yuyang Zhou received the B.S. degree in Elec- tronic Information Engineering from Nanjing Uni- versity of Science and Technology in 2016 and the Ph.D. degree in Cyberspace Security from Southeast University in 2021. He is currently working as a postdoc with the School of Cyber Science and Engineeri...

    work page 2016

  57. [57]

    Malware analysis by combining multiple detectors and observation windows,

    M. Ficco, “Malware analysis by combining multiple detectors and observation windows,” IEEE Transactions on Computers , vol. 71, no. 6, pp. 1276–1290, 2022. Guang Cheng received the B.S. degree in Traf- fic Engineering from Southeast University in 1994, the M.S. degree in Computer Application from Hefei University of Technology in 2000, and the Ph.D. degre...

    work page 2022

  58. [58]

    His major research interests include moving target defense, Android malware detection, and reverse engineering

    He is currently pursuing the master degree with the School of Cyber Science and Engineer- ing, Southeast University. His major research interests include moving target defense, Android malware detection, and reverse engineering. Shui Yu obtained his PhD from Deakin Univer- sity, Australia, in 2004. He currently is a Profes- sor of School of Computer Scien...

    work page 2004