{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,19]],"date-time":"2025-12-19T09:16:47Z","timestamp":1766135807415},"publisher-location":"Berlin, Heidelberg","reference-count":53,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"type":"print","value":"9783540360148"},{"type":"electronic","value":"9783540360179"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2006]]},"DOI":"10.1007\/11790754_4","type":"book-chapter","created":{"date-parts":[[2006,11,27]],"date-time":"2006-11-27T13:02:37Z","timestamp":1164632557000},"page":"54-73","source":"Crossref","is-referenced-by-count":51,"title":["Network\u2013Level Polymorphic Shellcode Detection Using Emulation"],"prefix":"10.1007","author":[{"given":"Michalis","family":"Polychronakis","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kostas G.","family":"Anagnostakis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Evangelos P.","family":"Markatos","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","reference":[{"key":"4_CR1","unstructured":"sk: History and advances in windows shellcode. Phrack\u00a011(62) (July 2004)"},{"key":"4_CR2","unstructured":"Kim, H.-A., Karp, B.: Autograph: Toward automated, distributed worm signature detection. In: Proceedings of the 13th USENIX Security Symposium, pp. 271\u2013286 (2004)"},{"key":"4_CR3","unstructured":"Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceedings of the 6th Symposium on Operating Systems Design & Implementation (OSDI) (December 2004)"},{"key":"4_CR4","doi-asserted-by":"crossref","unstructured":"Newsome, J., Karp, B., Song, D.: Polygraph: Automatically Generating Signatures for Polymorphic Worms. 
In: Proceedings of the IEEE Security & Privacy Symposium, May 2005, pp. 226\u2013241 (2005)","DOI":"10.1109\/SP.2005.15"},{"key":"4_CR5","unstructured":"Tang, Y., Chen, S.: Defending against internet worms: a signature-based approach. In: Proceedings of the 24th Annual Joint Conference of IEEE Computer and Communication societies (INFOCOM) (2005)"},{"key":"4_CR6","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"203","DOI":"10.1007\/978-3-540-30143-1_11","volume-title":"Recent Advances in Intrusion Detection","author":"K. Wang","year":"2004","unstructured":"Wang, K., Stolfo, S.J.: Anomalous Payload-Based Network Intrusion Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol.\u00a03224, pp. 203\u2013222. Springer, Heidelberg (2004)"},{"key":"4_CR7","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"207","DOI":"10.1007\/11663812_11","volume-title":"Recent Advances in Intrusion Detection","author":"C. Kr\u00fcgel","year":"2006","unstructured":"Kr\u00fcgel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic Worm Detection Using Structural Information of Executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol.\u00a03858, pp. 207\u2013226. Springer, Heidelberg (2006)"},{"key":"4_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"284","DOI":"10.1007\/11663812_15","volume-title":"Recent Advances in Intrusion Detection","author":"R. Chinchani","year":"2006","unstructured":"Chinchani, R., van den Berg, E.: A fast static analysis approach to detect exploit code inside network flows. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol.\u00a03858, pp. 284\u2013308. Springer, Heidelberg (2006)"},{"key":"4_CR9","unstructured":"Sz\u00f6r, P., Ferrie, P.: Hunting for metamorphic. In: Proceedings of the Virus Bulletin Conference, September 2001, pp. 
123\u2013144 (2001)"},{"key":"4_CR10","unstructured":"Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceedings of the 12th USENIX Security Symposium (Security 2003) (August 2003)"},{"key":"4_CR11","unstructured":"Bania, P.: TAPiON (2005), http:\/\/pb.specialised.info\/all\/tapion\/"},{"key":"4_CR12","unstructured":"Roesch, M.: Snort: Lightweight intrusion detection for networks. In: Proceedings of USENIX LISA 1999 (November 1999), software available from: http:\/\/www.snort.org\/"},{"issue":"6","key":"4_CR13","first-page":"55","volume":"30","author":"C. Jordan","year":"2005","unstructured":"Jordan, C.: Writing detection signatures. USENIX; login:\u00a030(6), 55\u201361 (2005)","journal-title":"USENIX ;login:"},{"key":"4_CR14","unstructured":"K2, ADMmutate (2001), http:\/\/www.ktwo.ca\/ADMmutate-0.8.4.tar.gz"},{"key":"4_CR15","unstructured":"Detristan, T., Ulenspiegel, T., Malcom, Y., Underduk, M.: Polymorphic shellcode engine using spectrum analysis. Phrack\u00a011(61) (August 2003)"},{"key":"4_CR16","unstructured":"Rix: Writing ia32 alphanumeric shellcodes. Phrack\u00a011(57) (August 2001)"},{"key":"4_CR17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"274","DOI":"10.1007\/3-540-36084-0_15","volume-title":"Recent Advances in Intrusion Detection","author":"T. T\u00f3th","year":"2002","unstructured":"T\u00f3th, T., Kr\u00fcgel, C.: Accurate Buffer Overflow Detection via Abstract Payload Execution. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol.\u00a02516, p. 274. Springer, Heidelberg (2002)"},{"key":"4_CR18","doi-asserted-by":"crossref","unstructured":"Akritidis, P., Markatos, E.P., Polychronakis, M., Anagnostakis, K.: STRIDE: Polymorphic Sled Detection through Instruction Sequence Analysis. 
In: Proceedings of the 20th IFIP International Information Security Conference (IFIP\/SEC) (June 2005)","DOI":"10.1007\/0-387-25660-1_25"},{"key":"4_CR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"32","DOI":"10.1007\/11506881_3","volume-title":"Intrusion and Malware Detection and Vulnerability Assessment","author":"J.R. Crandall","year":"2005","unstructured":"Crandall, J.R., Wu, S.F., Chong, F.T.: Experiences Using Minos as a Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities. In: Julisch, K., Kr\u00fcgel, C. (eds.) DIMVA 2005. LNCS, vol.\u00a03548, pp. 32\u201350. Springer, Heidelberg (2005)"},{"key":"4_CR20","doi-asserted-by":"crossref","unstructured":"Pasupulati, A., Coit, J., Levitt, K., Wu, S., Li, S., Kuo, J., Fan, K.: Buttercup: On Network-based Detection of Polymorphic Buffer Overflow Vulnerabilities. In: Proceedings of the Network Operations and Management Symposium (NOMS), April 2004, pp. 235\u2013248 (2004)","DOI":"10.1109\/NOMS.2004.1317662"},{"key":"4_CR21","doi-asserted-by":"crossref","unstructured":"Kreibich, C., Crowcroft, J.: Honeycomb \u2013 creating intrusion detection signatures using honeypots. In: Proceedings of the Second Workshop on Hot Topics in Networks (HotNets-II) (November 2003)","DOI":"10.1145\/972374.972384"},{"key":"4_CR22","unstructured":"Kolesnikov, O., Dagon, D., Lee, W.: Advanced polymorphic worms: Evading IDS by blending in with normal traffic, College of Computing, Georgia Institute of Technology, Atlanta, GA 30332 (2004), http:\/\/www.cc.gatech.edu\/~ok\/w\/ok_pw.pdf"},{"key":"4_CR23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"19","DOI":"10.1007\/11506881_2","volume-title":"Intrusion and Malware Detection and Vulnerability Assessment","author":"U. Payer","year":"2005","unstructured":"Payer, U., Teufl, P., Lamberger, M.: Hybrid Engine for Polymorphic Shellcode Detection. In: Julisch, K., Kr\u00fcgel, C. 
(eds.) DIMVA 2005. LNCS, vol.\u00a03548, pp. 19\u201331. Springer, Heidelberg (2005)"},{"key":"4_CR24","doi-asserted-by":"crossref","unstructured":"Linn, C., Debray, S.: Obfuscation of executable code to improve resistance to static disassembly. In: Proceedings of the 10th ACM conference on Computer and communications security (CCS), pp. 290\u2013299 (2003)","DOI":"10.1145\/948109.948149"},{"key":"4_CR25","unstructured":"Aycock, J., de Graaf, R., Jacobson, M.: Anti-disassembly using cryptographic hash functions. Department of Computer Science, University of Calgary, Tech. Rep. 2005-793-24"},{"key":"4_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/11506881_1","volume-title":"Intrusion and Malware Detection and Vulnerability Assessment","author":"M. Venable","year":"2005","unstructured":"Venable, M., Chouchane, M.R., Karim, M.E., Lakhotia, A.: Analyzing Memory Accesses in Obfuscated x86 Executables. In: Julisch, K., Kr\u00fcgel, C. (eds.) DIMVA 2005. LNCS, vol.\u00a03548, pp. 1\u201318. Springer, Heidelberg (2005)"},{"issue":"8","key":"4_CR27","doi-asserted-by":"publisher","first-page":"735","DOI":"10.1109\/TSE.2002.1027797","volume":"28","author":"C.S. Collberg","year":"2002","unstructured":"Collberg, C.S., Thomborson, C.: Watermarking, tamper-proofing, and obfuscation: tools for software protection. IEEE Transactions on Software Engineering\u00a028(8), 735\u2013746 (2002)","journal-title":"IEEE Transactions on Software Engineering"},{"key":"4_CR28","unstructured":"Wang, C., Hill, J., Knight, J., Davidson, J.: Software tamper resistance: Obstructing static analysis of programs. University of Virginia, Tech. Rep. CS-2000-12 (2000)"},{"key":"4_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"194","DOI":"10.1007\/11604938_15","volume-title":"Information Security Applications","author":"M. 
Madou","year":"2006","unstructured":"Madou, M., Anckaert, B., Moseley, P., Debray, S., De Sutter, B., De Bosschere, K.: Software protection through dynamic code mutation. In: Song, J.-S., Kwon, T., Yung, M. (eds.) WISA 2005. LNCS, vol.\u00a03786, pp. 194\u2013206. Springer, Heidelberg (2006)"},{"key":"4_CR30","doi-asserted-by":"crossref","unstructured":"Schwarz, B., Debray, S., Andrews, G.: Disassembly of executable code revisited. In: Proceedings of the Ninth Working Conference on Reverse Engineering (WCRE) (2002)","DOI":"10.1109\/WCRE.2002.1173063"},{"key":"4_CR31","unstructured":"Prasad, M., Chiueh, T.-c.: A binary rewriting defense against stack based overflow attacks. In: Proceedings of the USENIX Annual Technical Conference (June 2003)"},{"key":"4_CR32","unstructured":"Kruegel, C., Robertson, W., Valeur, F., Vigna, G.: Static disassembly of obfuscated binaries. In: Proceedings of the USENIX Security Symposium, August 2004, pp. 255\u2013270 (2004)"},{"issue":"6","key":"4_CR33","doi-asserted-by":"publisher","first-page":"565","DOI":"10.1016\/0167-4048(93)90054-9","volume":"12","author":"F.B. Cohen","year":"1993","unstructured":"Cohen, F.B.: Operating system protection through program evolution. Computer and Security\u00a012(6), 565\u2013584 (1993)","journal-title":"Computer and Security"},{"key":"4_CR34","unstructured":"Metasploit Project (2006), http:\/\/www.metasploit.com\/"},{"issue":"7","key":"4_CR35","doi-asserted-by":"publisher","first-page":"811","DOI":"10.1002\/spe.4380250706","volume":"25","author":"C. Cifuentes","year":"1995","unstructured":"Cifuentes, C., Gough, K.J.: Decompilation of binary programs. Software\u2014Practice and Experience\u00a025(7), 811\u2013829 (1995)","journal-title":"Software\u2014Practice and Experience"},{"key":"4_CR36","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"5","DOI":"10.1007\/978-3-540-24723-4_2","volume-title":"Compiler Construction","author":"G. 
Balakrishnan","year":"2004","unstructured":"Balakrishnan, G., Reps, T.: Analyzing Memory Accesses in x86 Executables. In: Duesterwald, E. (ed.) CC 2004. LNCS, vol.\u00a02985, pp. 5\u201323. Springer, Heidelberg (2004)"},{"key":"4_CR37","unstructured":"Noir, GetPC code (was: Shellcode from ASCII) (June 2003), http:\/\/www.securityfocus.com\/archive\/82\/327100\/2006-01-03\/1"},{"key":"4_CR38","unstructured":"Ionescu, C.: GetPC code (was: Shellcode from ASCII) (July 2003), http:\/\/www.securityfocus.com\/archive\/82\/327348\/2006-01-03\/1"},{"key":"4_CR39","unstructured":"Wever, B.-J.: Alpha 2 (2004), http:\/\/www.edup.tudelft.nl\/~bjwever\/src\/alpha2.c"},{"key":"4_CR40","unstructured":"Perriot, F., Ferrie, P., Sz\u00f6r, P.: Striking similarities. Virus Bulletin, 4\u20136 (May 2002)"},{"key":"4_CR41","unstructured":"Obscou: Building ia32 \u2019unicode-proof\u2019 shellcodes. Phrack\u00a011(61) (August 2003)"},{"key":"4_CR42","doi-asserted-by":"crossref","unstructured":"Tubella, J., Gonz\u00e1lez, A.: Control speculation in multithreaded processors through dynamic loop detection. 
In: Proceedings of the 4th International Symposium on High-Performance Computer Architecture (HPCA) (1998)","DOI":"10.1109\/HPCA.1998.650542"},{"key":"4_CR43","unstructured":"McCanne, S., Leres, C., Jacobson, V.: Libpcap (2006), http:\/\/www.tcpdump.org\/"},{"key":"4_CR44","unstructured":"Wojtczuk, R.: Libnids (2006), http:\/\/libnids.sourceforge.net\/"},{"key":"4_CR45","unstructured":"jt: Libdasm (2006), http:\/\/www.klake.org\/~jt\/misc\/libdasm-1.4.tar.gz"},{"key":"4_CR46","unstructured":"Apache Chunked Encoding Overflow (2002), http:\/\/www.osvdb.org\/838"},{"key":"4_CR47","unstructured":"Microsoft Windows RPC DCOM Interface Overflow (2003), http:\/\/www.osvdb.org\/2100"},{"key":"4_CR48","unstructured":"Microsoft Windows LSASS Remote Overflow (2004), http:\/\/www.osvdb.org\/5248"},{"issue":"6","key":"4_CR49","doi-asserted-by":"publisher","first-page":"370","DOI":"10.1145\/362248.362270","volume":"16","author":"J.R. Bell","year":"1973","unstructured":"Bell, J.R.: Threaded code. Comm. of the ACM\u00a016(6), 370\u2013372 (1973)","journal-title":"Comm. of the ACM"},{"key":"4_CR50","unstructured":"Bellard, F.: QEMU, a Fast and Portable Dynamic Translator. In: Proceedings of the USENIX Annual Technical Conference, FREENIX Track, pp. 41\u201346 (2005)"},{"key":"4_CR51","unstructured":"Bhatkar, S., DuVarney, D.C., Sekar, R.: Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits. In: Proceedings of the 12th USENIX Security Symposium (2003)"},{"key":"4_CR52","unstructured":"Anagnostakis, K., Sidiroglou, S., Akritidis, P., Xinidis, K., Markatos, E., Keromytis, A.D.: Detecting Targeted Attacks Using Shadow Honeypots. In: Proceedings of the 14th USENIX Security Symposium, August 2005, pp. 
129\u2013144 (2005)"},{"key":"4_CR53","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"206","DOI":"10.1007\/11506881_13","volume-title":"Intrusion and Malware Detection and Vulnerability Assessment","author":"H. Dreger","year":"2005","unstructured":"Dreger, H., Kreibich, C., Paxson, V., Sommer, R.: Enhancing the Accuracy of Network-Based Intrusion Detection with Host-Based Context. In: Julisch, K., Kr\u00fcgel, C. (eds.) DIMVA 2005. LNCS, vol.\u00a03548, pp. 206\u2013221. Springer, Heidelberg (2005)"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware &amp; Vulnerability Assessment"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/11790754_4.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,4,27]],"date-time":"2021-04-27T07:23:14Z","timestamp":1619508194000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/11790754_4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2006]]},"ISBN":["9783540360148","9783540360179"],"references-count":53,"URL":"https:\/\/doi.org\/10.1007\/11790754_4","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2006]]}}}