{"id":"https://openalex.org/W4411505063","doi":"https://doi.org/10.1145/3742895","title":"Intriguing Properties of Adversarial ML Attacks in the Problem Space [Extended Version]","display_name":"Intriguing Properties of Adversarial ML Attacks in the Problem Space [Extended Version]","publication_year":2025,"publication_date":"2025-06-21","ids":{"openalex":"https://openalex.org/W4411505063","doi":"https://doi.org/10.1145/3742895"},"language":"en","primary_location":{"id":"doi:10.1145/3742895","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3742895","pdf_url":null,"source":{"id":"https://openalex.org/S4210174050","display_name":"ACM Transactions on Privacy and Security","issn_l":"2471-2566","issn":["2471-2566","2471-2574"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Privacy and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://doi.org/10.1145/3742895","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5025184689","display_name":"Jacopo Cortellazzi","orcid":null},"institutions":[{"id":"https://openalex.org/I183935753","display_name":"King's College London","ror":"https://ror.org/0220mzb33","country_code":"GB","type":"education","lineage":["https://openalex.org/I124357947","https://openalex.org/I183935753"]}],"countries":["GB"],"is_corresponding":true,"raw_author_name":"Jacopo Cortellazzi","raw_affiliation_strings":["King's College London"],"affiliations":[{"raw_affiliation_string":"King's College London","institution_ids":["https://openalex.org/I183935753"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5085852581","display_name":"Erwin Quiring","orcid":"https://orcid.org/0009-0004-7170-1274"},"institutions":[{"id":"https://openalex.org/I1297971548","display_name":"International Computer Science Institute","ror":"https://ror.org/01ewh7m12","country_code":"US","type":"nonprofit","lineage":["https://openalex.org/I1297971548"]},{"id":"https://openalex.org/I904495901","display_name":"Ruhr University Bochum","ror":"https://ror.org/04tsk2644","country_code":"DE","type":"education","lineage":["https://openalex.org/I904495901"]}],"countries":["DE","US"],"is_corresponding":false,"raw_author_name":"Erwin Quiring","raw_affiliation_strings":["International Computer Science Institute (ICSI)","Ruhr-Universitat Bochum"],"affiliations":[{"raw_affiliation_string":"International Computer Science Institute (ICSI)","institution_ids":["https://openalex.org/I1297971548"]},{"raw_affiliation_string":"Ruhr-Universitat Bochum","institution_ids":["https://openalex.org/I904495901"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5029169901","display_name":"Daniel J. Arp","orcid":"https://orcid.org/0000-0003-3628-794X"},"institutions":[{"id":"https://openalex.org/I145847075","display_name":"TU Wien","ror":"https://ror.org/04d836q62","country_code":"AT","type":"education","lineage":["https://openalex.org/I145847075"]}],"countries":["AT"],"is_corresponding":false,"raw_author_name":"Daniel Arp","raw_affiliation_strings":["Technische Universit\u00e4t Wien"],"affiliations":[{"raw_affiliation_string":"Technische Universit\u00e4t Wien","institution_ids":["https://openalex.org/I145847075"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5090260871","display_name":"Feargus Pendlebury","orcid":"https://orcid.org/0000-0003-1140-322X"},"institutions":[{"id":"https://openalex.org/I45129253","display_name":"University College London","ror":"https://ror.org/02jx3x895","country_code":"GB","type":"education","lineage":["https://openalex.org/I124357947","https://openalex.org/I45129253"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Feargus Pendlebury","raw_affiliation_strings":["University College London"],"affiliations":[{"raw_affiliation_string":"University College London","institution_ids":["https://openalex.org/I45129253"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5072597369","display_name":"Fabio Pierazzi","orcid":"https://orcid.org/0000-0002-1254-1758"},"institutions":[{"id":"https://openalex.org/I45129253","display_name":"University College London","ror":"https://ror.org/02jx3x895","country_code":"GB","type":"education","lineage":["https://openalex.org/I124357947","https://openalex.org/I45129253"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Fabio Pierazzi","raw_affiliation_strings":["University College London"],"affiliations":[{"raw_affiliation_string":"University College London","institution_ids":["https://openalex.org/I45129253"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5036908366","display_name":"Lorenzo Cavallaro","orcid":"https://orcid.org/0000-0002-3878-2680"},"institutions":[{"id":"https://openalex.org/I45129253","display_name":"University College London","ror":"https://ror.org/02jx3x895","country_code":"GB","type":"education","lineage":["https://openalex.org/I124357947","https://openalex.org/I45129253"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Lorenzo Cavallaro","raw_affiliation_strings":["University College London"],"affiliations":[{"raw_affiliation_string":"University College London","institution_ids":["https://openalex.org/I45129253"]}]}],"institutions":[],"countries_distinct_count":4,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5025184689"],"corresponding_institution_ids":["https://openalex.org/I183935753"],"apc_list":null,"apc_paid":null,"fwci":1.4361,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.81806963,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":91,"max":95},"biblio":{"volume":"28","issue":"4","first_page":"1","last_page":"37"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12122","display_name":"Physical Unclonable Functions (PUFs) and Hardware Security","score":0.9896000027656555,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.8800480365753174},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7316306233406067},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.643179178237915},{"id":"https://openalex.org/keywords/android-malware","display_name":"Android malware","score":0.558642566204071},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.5377175807952881},{"id":"https://openalex.org/keywords/feature-vector","display_name":"Feature vector","score":0.48889270424842834},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.48164811730384827},{"id":"https://openalex.org/keywords/adversarial-machine-learning","display_name":"Adversarial machine learning","score":0.46182140707969666},{"id":"https://openalex.org/keywords/theoretical-computer-science","display_name":"Theoretical computer science","score":0.42949479818344116},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.3017483353614807}],"concepts":[{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.8800480365753174},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7316306233406067},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.643179178237915},{"id":"https://openalex.org/C2989133298","wikidata":"https://www.wikidata.org/wiki/Q94","display_name":"Android malware","level":3,"score":0.558642566204071},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5377175807952881},{"id":"https://openalex.org/C83665646","wikidata":"https://www.wikidata.org/wiki/Q42139305","display_name":"Feature vector","level":2,"score":0.48889270424842834},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.48164811730384827},{"id":"https://openalex.org/C2778403875","wikidata":"https://www.wikidata.org/wiki/Q20312394","display_name":"Adversarial machine learning","level":3,"score":0.46182140707969666},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.42949479818344116},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3017483353614807}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3742895","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3742895","pdf_url":null,"source":{"id":"https://openalex.org/S4210174050","display_name":"ACM Transactions on Privacy and Security","issn_l":"2471-2566","issn":["2471-2566","2471-2574"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Privacy and Security","raw_type":"journal-article"},{"id":"pmh:oai:eprints.ucl.ac.uk.OAI2:10209792","is_oa":false,"landing_page_url":"https://discovery.ucl.ac.uk/id/eprint/10209792/","pdf_url":null,"source":{"id":"https://openalex.org/S4306400024","display_name":"UCL Discovery (University College London)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I45129253","host_organization_name":"University College London","host_organization_lineage":["https://openalex.org/I45129253"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"ACM Transactions on Privacy and Security (TOPS)       (2025)     (In press).","raw_type":"Article"}],"best_oa_location":{"id":"doi:10.1145/3742895","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3742895","pdf_url":null,"source":{"id":"https://openalex.org/S4210174050","display_name":"ACM Transactions on Privacy and Security","issn_l":"2471-2566","issn":["2471-2566","2471-2574"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Privacy and Security","raw_type":"journal-article"},"sustainable_development_goals":[{"score":0.5199999809265137,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":41,"referenced_works":["https://openalex.org/W9657784","https://openalex.org/W1557561422","https://openalex.org/W1730099161","https://openalex.org/W1988146703","https://openalex.org/W1996374694","https://openalex.org/W2014466911","https://openalex.org/W2026258420","https://openalex.org/W2075335084","https://openalex.org/W2080696000","https://openalex.org/W2095577883","https://openalex.org/W2144906988","https://openalex.org/W2166743230","https://openalex.org/W2180612164","https://openalex.org/W2350778671","https://openalex.org/W2535873859","https://openalex.org/W2599823825","https://openalex.org/W2744095836","https://openalex.org/W2754131115","https://openalex.org/W2775261393","https://openalex.org/W2789983203","https://openalex.org/W2800912855","https://openalex.org/W2849849680","https://openalex.org/W2902314211","https://openalex.org/W2946344298","https://openalex.org/W2962718684","https://openalex.org/W2963564844","https://openalex.org/W2970044827","https://openalex.org/W2973628901","https://openalex.org/W2984666763","https://openalex.org/W2995671208","https://openalex.org/W3011711787","https://openalex.org/W3202406575","https://openalex.org/W4254636208","https://openalex.org/W4281385582","https://openalex.org/W4290189254","https://openalex.org/W4298074398","https://openalex.org/W4301329292","https://openalex.org/W4301702891","https://openalex.org/W4301880089","https://openalex.org/W4385080319","https://openalex.org/W4388867283"],"related_works":["https://openalex.org/W3048732067","https://openalex.org/W4383468834","https://openalex.org/W2560361988","https://openalex.org/W2507113366","https://openalex.org/W4283221438","https://openalex.org/W2900159906","https://openalex.org/W4384648009","https://openalex.org/W4287828318","https://openalex.org/W3200508744","https://openalex.org/W3025122950"],"abstract_inverted_index":{"Recent":[0],"research":[1],"efforts":[2],"on":[3,13,79,91,135,145,163,211,246],"adversarial":[4,62,196,206,241,257],"machine":[5,214],"learning":[6,215],"(ML)":[7],"have":[8,159],"investigated":[9],"problem-space":[10,45,131,143],"attacks,":[11],"focusing":[12],"the":[14,32,38,67,71,92,103,109,112,128,176,193,212],"generation":[15],"of":[16,44,73,77,105,111,130,154,179,195,237],"real":[17],"evasive":[18],"objects":[19],"in":[20,66,152],"domains":[21],"where,":[22],"unlike":[23],"images,":[24],"there":[25],"is":[26,228],"no":[27],"clear":[28],"inverse":[29,113],"mapping":[30],"to":[31,119,202,254],"feature":[33,95],"space":[34,96],"(e.g.,":[35],"software).":[36],"However,":[37],"design,":[39],"comparison,":[40],"and":[41,86,97,100,121,124,156,172,239],"real-world":[42],"implications":[43],"attacks":[46,65],"remain":[47],"underexplored.":[48],"This":[49,116],"article":[50],"makes":[51],"three":[52],"major":[53],"contributions.":[54],"Firstly,":[55],"we":[56,101,139,191,233],"propose":[57,140],"a":[58,74,141,164,181,199,226,229,251],"general":[59,137],"formalization":[60],"for":[61,127],"ML":[63],"evasion":[64],"problem-space,":[68],"which":[69,174],"includes":[70],"definition":[72],"comprehensive":[75],"set":[76],"constraints":[78],"available":[80],"transformations,":[81],"preserved":[82],"semantics,":[83],"absent":[84],"artifacts,":[85],"plausibility.":[87],"We":[88,158],"shed":[89],"light":[90],"relationship":[93],"between":[94],"problem":[98],"space,":[99],"introduce":[102],"concept":[104],"side-effect":[106],"features":[107],"as":[108,198,225,232],"by-product":[110],"feature-mapping":[114],"problem.":[115],"enables":[117],"us":[118],"define":[120],"prove":[122],"necessary":[123],"sufficient":[125],"conditions":[126],"existence":[129],"attacks.":[132],"Secondly,":[133],"building":[134],"our":[136,161],"formalization,":[138],"novel":[142],"attack":[144],"Android":[146,168],"malware":[147,183],"that":[148,223],"overcomes":[149],"past":[150],"limitations":[151],"terms":[153],"semantics":[155],"artifacts.":[157],"tested":[160],"approach":[162,201],"dataset":[165],"with":[166,186],"150K":[167],"apps":[169],"from":[170],"2016":[171],"2018":[173],"show":[175],"practical":[177],"feasibility":[178],"evading":[180],"state-of-the-art":[182],"classifier":[184],"along":[185],"its":[187,209],"hardened":[188],"version.":[189],"Thirdly,":[190],"explore":[192],"effectiveness":[194,210],"training":[197],"possible":[200],"enforce":[203],"robustness":[204],"against":[205],"samples,":[207],"evaluating":[208],"considered":[213],"models":[216],"under":[217],"different":[218],"scenarios.":[219],"Our":[220],"results":[221],"demonstrate":[222],"\u201cadversarial-malware":[224],"service\u201d":[227],"realistic":[230,238],"threat,":[231],"automatically":[234],"generate":[235,255],"thousands":[236],"inconspicuous":[240],"applications":[242],"at":[243],"scale,":[244],"where":[245],"average":[247],"it":[248],"takes":[249],"only":[250],"few":[252],"minutes":[253],"an":[256],"instance.":[258]},"counts_by_year":[{"year":2025,"cited_by_count":1}],"updated_date":"2026-04-04T16:13:02.066488","created_date":"2025-10-10T00:00:00"}