{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,23]],"date-time":"2026-04-23T10:50:57Z","timestamp":1776941457137,"version":"3.51.4"},"publisher-location":"Berlin, Heidelberg","reference-count":39,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"value":"9783540397236","type":"print"},{"value":"9783540397250","type":"electronic"}],"license":[{"start":{"date-parts":[[2006,1,1]],"date-time":"2006-01-01T00:00:00Z","timestamp":1136073600000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2006]]},"DOI":"10.1007\/11856214_12","type":"book-chapter","created":{"date-parts":[[2006,9,16]],"date-time":"2006-09-16T07:12:21Z","timestamp":1158390741000},"page":"226-248","source":"Crossref","is-referenced-by-count":171,"title":["Anagram: A Content Anomaly Detector Resistant to Mimicry Attack"],"prefix":"10.1007","author":[{"given":"Ke","family":"Wang","sequence":"first","affiliation":[]},{"given":"Janak J.","family":"Parekh","sequence":"additional","affiliation":[]},{"given":"Salvatore J.","family":"Stolfo","sequence":"additional","affiliation":[]}],"member":"297","reference":[{"key":"12_CR1","unstructured":"Kolesnikov, O., Dagon, D., Lee, W.: Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic. In: USENIX Security Symposium, Vancouver, BC, Canada (2006)"},{"key":"12_CR2","unstructured":"Moore, D., et al.: Internet Quarantine: Requirements for Containing Self-Propagating Code. In: INFOCOM (2003)"},{"key":"12_CR3","unstructured":"Staniford-Chen, S., Paxson, V., Weaver, N.: How to 0wn the Internet in Your Spare Time. In: USENIX Security (2002)"},{"key":"12_CR4","unstructured":"Christodorescu, M., Jha, S.: Static Analysis of Executables to Detect Malicious Patterns. In: USENIX Security Symposium, Washington, D.C. 
(2003)"},{"key":"12_CR5","unstructured":"Vargiya, R., Chan, P.: Boundary Detection in Tokenizing Network Application Payload for Anomaly Detection. In: ICDM Workshop on Data Mining for Computer Security (DMSEC), Melbourne, FL (2003)"},{"key":"12_CR6","doi-asserted-by":"crossref","unstructured":"Kruegel, C., et al.: Polymorphic Worm Detection Using Structural Information of Executables. In: Symposium on Recent Advances in Intrusion Detection, Seattle, WA (2005)","DOI":"10.1007\/11663812_11"},{"key":"12_CR7","doi-asserted-by":"crossref","unstructured":"Sekar, R., et al.: Specification-based Anomaly Detection: A New Approach for Detecting Network Intrusions. In: ACM Conference on Computer and Communications Security, Washington, D.C (2002)","DOI":"10.1145\/586143.586146"},{"key":"12_CR8","doi-asserted-by":"crossref","unstructured":"Kruegel, C., Toth, T., Kirda, E.: Service Specific Anomaly Detection for Network Intrusion Detection. In: Symposium on Applied Computing (SAC), Madrid, Spain (2002)","DOI":"10.1145\/508791.508835"},{"key":"12_CR9","unstructured":"Wang, X., et al.: SigFree: A Signature-free Buffer Overflow Attack Blocker. In: USENIX Security, Boston, MA (2006)"},{"key":"12_CR10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"203","DOI":"10.1007\/978-3-540-30143-1_11","volume-title":"Recent Advances in Intrusion Detection","author":"K. Wang","year":"2004","unstructured":"Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol.\u00a03224, pp. 203\u2013222. Springer, Heidelberg (2004)"},{"key":"12_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"227","DOI":"10.1007\/11663812_12","volume-title":"Recent Advances in Intrusion Detection","author":"K. 
Wang","year":"2006","unstructured":"Wang, K., Cretu, G., Stolfo, S.J.: Anomalous payload-based worm detection and signature generation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol.\u00a03858, pp. 227\u2013246. Springer, Heidelberg (2006)"},{"key":"12_CR12","unstructured":"SourceFire Inc. Snort rulesets (2006), [cited April 4, 2006 ], Available from: \n                      \n                        http:\/\/www.snort.org\/pub-bin\/downloads.cgi"},{"key":"12_CR13","unstructured":"Locasto, M.E., Sidiroglou, S., Keromytis, A.D.: Application Communities: Using Monoculture for Dependability. In: HotDep (2005)"},{"key":"12_CR14","unstructured":"Locasto, M.E., Sidiroglou, S., Keromytis, A.D.: Software Self-Healing Using Collaborative Application Communities. In: Internet Society (ISOC) Symposium on Network and Distributed Systems Security, San Diego, CA (2006)"},{"key":"12_CR15","doi-asserted-by":"crossref","unstructured":"Marceau, C.: Characterizing the Behavior of a Program Using Multiple-Length N-grams. In: New Security Paradigms Workshop, Cork, Ireland (2000)","DOI":"10.1145\/366173.366197"},{"key":"12_CR16","unstructured":"Forrest, S., et al.: A Sense of Self for Unix Processes. In: IEEE Symposium on Security and Privacy (1996)"},{"key":"12_CR17","unstructured":"Tan, K.M.C., Maxion, R.A.: Why 6? Defining the Operational Limits of stide, an Anomaly-Based Intrusion Detector. In: IEEE Symposium on Security and Privacy, Berkeley, CA (2002)"},{"key":"12_CR18","doi-asserted-by":"crossref","unstructured":"Crandall, J.R., et al.: On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits. In: ACM Conference on Computer and Communications Security, Alexandria, VA (2005)","DOI":"10.1145\/1102120.1102152"},{"key":"12_CR19","unstructured":"Newsome, J., Karp, B., Song, D.: Polygraph: Automatically Generating Signatures for Polymorphic Worms. 
IEEE Security and Privacy, Oakland, CA (2005)"},{"key":"12_CR20","unstructured":"Singh, S., et al.: Automated Worm Fingerprinting. In: 6th Symposium on Operating Systems Design and Implementation (OSDI 2004), San Francisco, CA (2004)"},{"issue":"7","key":"12_CR21","doi-asserted-by":"publisher","first-page":"422","DOI":"10.1145\/362686.362692","volume":"13","author":"B.H. Bloom","year":"1970","unstructured":"Bloom, B.H.: Space\/time trade-offs in Hash Coding with Allowable Errors. Communications of the ACM\u00a013(7), 422\u2013426 (1970)","journal-title":"Communications of the ACM"},{"key":"12_CR22","doi-asserted-by":"crossref","unstructured":"Naor, M., Yung, M.: Universal One-Way Hash Functions and their Cryptographic Applications. In: ACM Symposium on Theory of Computing, Seattle, WA (1989)","DOI":"10.1145\/73007.73011"},{"key":"12_CR23","doi-asserted-by":"crossref","unstructured":"Parekh, J.J., Wang, K., Stolfo, S.J.: Privacy-Preserving Payload-Based Correlation for Accurate Malicious Traffic Detection. In: Large-Scale Attack Detection, Workshop at SIGCOMM, Pisa, Italy (2006)","DOI":"10.1145\/1162666.1162667"},{"key":"12_CR24","unstructured":"Detristan, T., et al.: Polymorphic Shellcode Engine Using Spectrum Analysis. Phrack (2003), [cited March 28, 2006 ], Available from: \n                      \n                        http:\/\/www.phrack.org\/show.php?p=61&a=9"},{"key":"12_CR25","doi-asserted-by":"crossref","unstructured":"Barreno, M., et al.: Can Machine Learning Be Secure? In: ASIACCS (2006)","DOI":"10.1145\/1128817.1128824"},{"key":"12_CR26","unstructured":"Cowan, C., et al.: StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In: USENIX Security Symposium, San Antonio, TX (1998)"},{"key":"12_CR27","unstructured":"Sidiroglou, S., et al.: Building a Reactive Immune System for Software Services. 
In: USENIX, Anaheim, CA (2005)"},{"key":"12_CR28","doi-asserted-by":"crossref","unstructured":"Sidiroglou, S., Giovanidis, G., Keromytis, A.D.: A Dynamic Mechanism for Recovering from Buffer Overflow Attacks. In: 8th Information Security Conference, Singapore (2005)","DOI":"10.1007\/11556992_1"},{"key":"12_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"82","DOI":"10.1007\/11663812_5","volume-title":"Recent Advances in Intrusion Detection","author":"M.E. Locasto","year":"2006","unstructured":"Locasto, M.E., Wang, K., Keromytis, A.D., Stolfo, S.J.: FLIPS: Hybrid adaptive intrusion prevention. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol.\u00a03858, pp. 82\u2013101. Springer, Heidelberg (2006)"},{"key":"12_CR30","volume-title":"Bloodhound: Searching Out Malicious Input in Network Flows for Automatic Repair Validation","author":"M.E. Locasto","year":"2006","unstructured":"Locasto, M.E., Burnside, M., Keromytis, A.D.: Bloodhound: Searching Out Malicious Input in Network Flows for Automatic Repair Validation. Columbia University Department of Computer Science, New York, NY (2006)"},{"key":"12_CR31","doi-asserted-by":"crossref","unstructured":"Kreibich, C., Crowcroft, J.: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots. In: ACM Workshop on Hot Topics in Networks, Boston, MA (2003)","DOI":"10.1145\/972374.972384"},{"key":"12_CR32","unstructured":"Singh, S., et al.: The EarlyBird System for Real-Time Detection of Unknown Worms. In: ACM Workshop on Hot Topics in Networks, Boston, MA (2003)"},{"key":"12_CR33","unstructured":"Kim, H.-A., Karp, B.: Autograph: Toward Automated, Distributed Worm Signature Detection. In: USENIX Security Symposium, San Diego, CA (2004)"},{"key":"12_CR34","doi-asserted-by":"crossref","unstructured":"Wang, H.J., et al.: Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits. 
In: ACM SIGCOMM (2004)","DOI":"10.1145\/1015467.1015489"},{"key":"12_CR35","doi-asserted-by":"crossref","unstructured":"Liang, Z., Sekar, R.: Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers. In: ACM Conference on Computer and Communications Security, Alexandria, VA (2005)","DOI":"10.1145\/1102120.1102150"},{"key":"12_CR36","unstructured":"K2. ADMmutate (2001), [cited March 29, 2006 ], Available from: \n                      \n                        http:\/\/www.ktwo.ca\/security.html"},{"key":"12_CR37","unstructured":"Wagner, D., Dean, D.: Intrusion Detection via Static Analysis. IEEE Security and Privacy, Oakland, CA (2001)"},{"key":"12_CR38","doi-asserted-by":"crossref","unstructured":"Wagner, D., Soto, P.: Mimicry Attacks on Host-Based Intrusion Detection Systems. In: ACM CCS (2002)","DOI":"10.1145\/586110.586145"},{"key":"12_CR39","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1007\/3-540-36084-0_4","volume-title":"Recent Advances in Intrusion Detection","author":"K.M.C. Tan","year":"2002","unstructured":"Tan, K.M.C., Killourhy, K.S., Maxion, R.A.: Undermining an anomaly-based intrusion detection system using common exploits. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol.\u00a02516, p. 54. 
Springer, Heidelberg (2002)"}],"container-title":["Lecture Notes in Computer Science","Recent Advances in Intrusion Detection"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/11856214_12","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,5,19]],"date-time":"2019-05-19T17:56:17Z","timestamp":1558288577000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/11856214_12"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2006]]},"ISBN":["9783540397236","9783540397250"],"references-count":39,"URL":"https:\/\/doi.org\/10.1007\/11856214_12","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2006]]}}}