Interview with the Inaugural TOSEM Outstanding Paper (TOP) Award Recipient, Prof. Haipeng Cai
Interview conducted by Ruijie Meng and Damian Tamburri,
ACM TOSEM Social Media Editors
The ACM TOSEM Outstanding Paper Award, or TOP Award in brief, is a new award from ACM Transactions on Software Engineering and Methodology (TOSEM). The award will be given out annually to a paper which is deemed to be showing the most promising research direction from papers published five years ago. An emphasis on a medium-term period like five years helps us identify papers which are showing outstanding promise and discuss them as a community. For the inaugural award in 2025, journal first papers in 2019–20 were considered. The committee for the first year was chaired by Cristian Cadar and Dongmei Zhang, and the committee members were Silvia Abrahao, Shing-Chi Cheung and Foutse Khomh.
Prof. Haipeng Cai from the University at Buffalo, SUNY, received the first TOP Award for the paper Assessing and Improving Malware Detection Sustainability through App Evolution Studies, published in TOSEM 29(2), March 2020. Prof. Cai is the sole author of the award winning paper.
1. Congratulations on receiving the Outstanding Paper Award! Could you begin by telling us about your broader research interests? What initially inspired you to investigate the sustainability of malware detection, particularly through the lens of app evolution?
My broader research interests span software engineering and software security, with a focus on using program analysis and testing techniques to improve software correctness and security. These problems manifest in diverse domains, including distributed systems and mobile applications.
The idea for this work was sparked by a simple but troubling observation: despite an ever-growing number of malware detection tools and techniques in both academia and industry, the prevalence of malware, particularly on Android, was not meaningfully declining. That led me to ask: Are the existing detection methods truly effective over time, or is there a deeper issue with their long-term viability?
This question evolved into the concept of sustainability in malware detection. If a detection method successfully identifies today’s malware but fails tomorrow, then it’s not truly effective. I hypothesized that the root issue might be the evolving nature of malware and benign apps — features that once differentiated malware from benign software may no longer hold up. That led me to study app evolution over time and assess how the effectiveness of malware detection techniques degrades, with a view toward building more robust and future-proof methods.
2. What do you see as the most promising research directions in this area going forward? Are you currently working on any follow-up projects?
Around the same time as my study, other researchers also began exploring this problem, though from the different lens of concept drift, even if they didn’t frame it in terms of sustainability per se. Their later work introduced conformal prediction-based rejection frameworks to help models adapt to new malware behaviors — Barbero et al. (S&P 2022) is a notable example.
Another promising direction is continual learning. Recent work, such as the hierarchical contrastive learning and active learning framework (Chen et al., USENIX Security 2023), shows exciting potential in adapting to evolving malware landscapes.
In my own recent research, I’ve continued exploring this theme, particularly through the lens of uncertainty quantification, in collaboration with AI/ML colleagues. Our aim is to better understand when and how detection models may become unreliable and to adapt them accordingly.
3. Did you anticipate that this paper would be recognized with the TOP Award? In your view, what aspects of the work do you think resonated most with the reviewers and the broader research community?
Not at all. I was genuinely surprised and humbled. In recent years, TOSEM has risen significantly in journal rankings and has published many exceptional papers. I feel incredibly lucky to have received this recognition.
I think what may have resonated with the community is the introduction of sustainability as a novel evaluation criterion for malware detectors. The idea of measuring not just short-term effectiveness, but long-term resilience, is particularly relevant in a domain where attackers are continuously evolving. By showing that some techniques fail to generalize as apps and malware evolve, the paper helped shift how we think about evaluating and designing malware detection systems and other cybersecurity solutions.
4. Could you share any behind-the-scenes stories from the submission or review process? For example, was the paper accepted on the first submission, or did it undergo significant revisions?
The paper was originally submitted to TOSEM in 2019 and went through a thorough review process. It required a major revision and then a minor revision. The revisions primarily focused on clarifying the problem space and deepening the discussion of the limitations and implications of our findings.
Overall, I found the review process to be constructive and rigorous. It certainly helped improve the clarity and completeness of the paper.
5. Looking ahead, what kind of impact — whether in real-world applications or academic research — do you hope your work will have?
My hope is that this work, along with other related efforts, continues to inspire the community to treat sustainability as a first-class concern when developing and evaluating security solutions. As cyber threats continue to evolve, we need defenses that are not just effective today but resilient tomorrow.
If we succeed in doing that, our detection models will become outdated much more slowly, and we’ll be in a better position to identify zero-day threats early. Ultimately, I hope the field moves toward more proactive, adaptive defenses — ones that can keep pace with the adversaries.
6. Being the sole author of this paper is a notable accomplishment. What were some of the challenges you faced working independently, and what advice would you give to others considering a solo research endeavor?
This work came at a time early in my faculty career. I had just completed my postdoc, where I began working on Android malware detection, and I didn’t have any graduate students yet. My first student joined in late 2017 but wasn’t interested in this topic, and my second student didn’t join until 2019, after the paper was already submitted.
As a result, I had to carry out the entire project myself, much like an extended postdoc. The work involved dynamic profiling of tens of thousands of Android apps and required a tremendous amount of infrastructure and experimentation, many thousands of hours spread over 1–2 years. It was especially challenging to balance this work with the demands of starting a faculty career.
Solo research can be empowering when resources are limited and you’re passionate about a topic. But collaboration, when possible, often brings richer perspectives and more robust outcomes. So while I’m proud of this work, I generally encourage collaboration when the opportunity is there.
7. What advice would you offer to junior researchers who are navigating the early stages of their careers in computer security or software engineering?
I’ve now been a faculty member for some years, but in many ways, I still feel like a junior researcher, especially when it comes to charting impactful research directions.
The best advice I can offer is advice I received from others: pursue problems that you believe are important, even if they’re not currently popular, and with necessary perseverance.
8. Lastly, outside of research, is there anything you’re passionate about that helps you recharge and maintain a healthy work-life balance?
Absolutely. I believe strongly in the importance of work-life balance. Burnout is real, and sustained productivity requires time to recharge.
For me, that means staying active,I try to make time to exercise daily, whether indoors or outdoors, and spending time exploring nature or simply enjoying what life outside of work has to offer. Just like in research, sustainability is key in life, too, not only for malware detection!
Disclaimer: The posts in the SIGSOFT Blog are written by individual contributors and any views or opinions represented in their posts are personal, belong solely to the blog authors and do not necessarily represent those of ACM SIGSOFT or ACM.
