{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,21]],"date-time":"2026-02-21T19:13:48Z","timestamp":1771701228735,"version":"3.50.1"},"publisher-location":"Cham","reference-count":25,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783030220372","type":"print"},{"value":"9783030220389","type":"electronic"}],"license":[{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2019]]},"DOI":"10.1007\/978-3-030-22038-9_10","type":"book-chapter","created":{"date-parts":[[2019,6,9]],"date-time":"2019-06-09T23:02:31Z","timestamp":1560121351000},"page":"197-218","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":9,"title":["How Does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement"],"prefix":"10.1007","author":[{"given":"Yoshihiro","family":"Oyama","sequence":"first","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2019,6,6]]},"reference":[{"key":"10_CR1","unstructured":"Al-Khaser. https:\/\/github.com\/LordNoteworthy\/al-khaser\/"},{"key":"10_CR2","unstructured":"Andriesse, D., Chen, X., van der Veen, V., Slowinska, A., Bos, H.: An in-depth analysis of disassembly on full-scale x86\/x64 binaries. In: Proceedings of the 25th USENIX Security Symposium, pp. 583\u2013600 (2016)"},{"key":"10_CR3","unstructured":"Branco, R.R., Barbosa, G.N., Neto, P.D.: Scientific but not academical overview of malware anti-debugging, anti-disassembly and anti-VM technologies. Black Hat USA 2012 (2012)"},{"key":"10_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"207","DOI":"10.1007\/978-3-319-40667-1_11","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"M Brengel","year":"2016","unstructured":"Brengel, M., Backes, M., Rossow, C.: Detecting hardware-assisted virtualization. In: Caballero, J., Zurutuza, U., Rodr\u00edguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 207\u2013227. Springer, Cham (2016). https:\/\/doi.org\/10.1007\/978-3-319-40667-1_11"},{"key":"10_CR5","doi-asserted-by":"crossref","unstructured":"Cheng, B., et al.: Towards paving the way for large-scale Windows malware analysis: generic binary unpacking with orders-of-magnitude performance boost. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 395\u2013411 (2018)","DOI":"10.1145\/3243734.3243771"},{"key":"10_CR6","unstructured":"Forcepoint Security Labs Blog: Locky returned with a new anti-VM trick (2016). https:\/\/www.forcepoint.com\/blog\/security-labs\/locky-returned-new-anti-vm-trick"},{"key":"10_CR7","series-title":"Advances in Information Security","doi-asserted-by":"publisher","first-page":"89","DOI":"10.1007\/978-0-387-68768-1_5","volume-title":"Botnet Detection","author":"J Franklin","year":"2008","unstructured":"Franklin, J., Luk, M., McCune, J.M., Seshadri, A., Perrig, A., Doorn, L.: Towards sound detection of virtual machines. In: Lee, W., Wang, C., Dagon, D. (eds.) Botnet Detection. ADIS, vol. 36, pp. 89\u2013116. Springer, Boston (2008). https:\/\/doi.org\/10.1007\/978-0-387-68768-1_5"},{"key":"10_CR8","doi-asserted-by":"crossref","unstructured":"Kawakoya, Y., Iwamura, M., Itoh, M.: Memory behavior-based automatic malware unpacking in stealth debugging environment. In: Proceedings of the 5th IEEE International Conference on Malicious and Unwanted Software, pp. 39\u201346 (2010)","DOI":"10.1109\/MALWARE.2010.5665794"},{"key":"10_CR9","doi-asserted-by":"crossref","unstructured":"Kocher, P., et al.: Spectre attacks: exploiting speculative execution. In: Proceedings of the 40th IEEE Symposium on Security and Privacy (2019)","DOI":"10.1109\/SP.2019.00002"},{"key":"10_CR10","unstructured":"Lastline Labs: Not so fast my friend - using inverted timing attacks to bypass dynamic analysis (2014). https:\/\/www.lastline.com\/labsblog\/not-so-fast-my-friend-using-inverted-timing-attacks-to-bypass-dynamic-analysis\/"},{"key":"10_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"338","DOI":"10.1007\/978-3-642-23644-0_18","volume-title":"Recent Advances in Intrusion Detection","author":"M Lindorfer","year":"2011","unstructured":"Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338\u2013357. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-23644-0_18"},{"key":"10_CR12","unstructured":"Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: Proceedings of the 27th USENIX Security Symposium (2018)"},{"key":"10_CR13","doi-asserted-by":"crossref","unstructured":"Martin, R., Demme, J., Sethumadhavan, S.: TimeWarp: rethinking timekeeping and performance monitoring mechanisms to mitigate side-channel attacks. In: Proceedings of the 39th Annual International Symposium on Computer Architecture, pp. 118\u2013129 (2012)","DOI":"10.1109\/ISCA.2012.6237011"},{"key":"10_CR14","unstructured":"Ning, Z., Zhang, F.: Ninja: towards transparent tracing and debugging on ARM. In: Proceedings of the 26th USENIX Security Symposium, pp. 33\u201349 (2017)"},{"issue":"1","key":"10_CR15","doi-asserted-by":"publisher","first-page":"69","DOI":"10.1007\/s11416-017-0290-x","volume":"14","author":"Yoshihiro Oyama","year":"2017","unstructured":"Oyama, Y.: Trends of anti-analysis operations of malwares observed in API call logs. J. Comput. Virol. Hacking Tech. 14, 69\u201385 (2017)","journal-title":"Journal of Computer Virology and Hacking Techniques"},{"key":"10_CR16","unstructured":"Pafish (Paranoid Fish). https:\/\/github.com\/a0rtega\/pafish\/"},{"key":"10_CR17","doi-asserted-by":"crossref","unstructured":"P\u00e9k, G., Bencs\u00e1th, B., Butty\u00e1n, L.: nEther: in-guest detection of out-of-the-guest malware analyzers. In: Proceedings of the 4th European Workshop on System Security (2011)","DOI":"10.1145\/1972551.1972554"},{"key":"10_CR18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-75496-1_1","volume-title":"Information Security","author":"T Raffetseder","year":"2007","unstructured":"Raffetseder, T., Kruegel, C., Kirda, E.: Detecting system emulators. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 1\u201318. Springer, Heidelberg (2007). https:\/\/doi.org\/10.1007\/978-3-540-75496-1_1"},{"key":"10_CR19","unstructured":"Rutkowska, J., Tereshkin, A.: IsGameOver() anyone? Black Hat USA (2007)"},{"key":"10_CR20","unstructured":"Saudel, F., Salwan, J.: Triton: a dynamic symbolic execution framework. In: Symposium sur la s\u00e9curit\u00e9 des technologies de l\u2019information et des communications, pp. 31\u201354 (2015)"},{"issue":"1","key":"10_CR21","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3139292","volume":"21","author":"Hao Shi","year":"2017","unstructured":"Shi, H., Mirkovic, J., Alwabel, A.: Handling anti-virtual machine techniques in malicious software. ACM Trans. Priv. Secur. 21(1), 2 (2017)","journal-title":"ACM Transactions on Privacy and Security"},{"key":"10_CR22","doi-asserted-by":"crossref","unstructured":"Shoshitaishvili, Y., et al.: (State of) the art of war: offensive techniques in binary analysis. In: Proceedings of the 2016 IEEE Symposium on Security and Privacy, pp. 138\u2013157 (2016)","DOI":"10.1109\/SP.2016.17"},{"key":"10_CR23","doi-asserted-by":"crossref","unstructured":"Stephens, J., Yadegari, B., Collberg, C., Debray, S., Scheidegger, C.: Probabilistic obfuscation through covert channels. In: Proceedings of the 3rd IEEE European Symposium on Security and Privacy, pp. 243\u2013257 (2018)","DOI":"10.1109\/EuroSP.2018.00025"},{"key":"10_CR24","unstructured":"Vasudevan, A., Yerraballi, R.: Stealth breakpoints. In: Proceedings of the 21st Annual Computer Security Applications Conference (2005)"},{"key":"10_CR25","doi-asserted-by":"crossref","unstructured":"Vasudevan, A., Yerraballi, R.: Cobra: fine-grained malware analysis using stealth localized-executions. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy (2006)","DOI":"10.1109\/SP.2006.9"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware, and Vulnerability Assessment"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-22038-9_10","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,11,28]],"date-time":"2019-11-28T06:58:32Z","timestamp":1574924312000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-030-22038-9_10"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019]]},"ISBN":["9783030220372","9783030220389"],"references-count":25,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-22038-9_10","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019]]},"assertion":[{"value":"6 June 2019","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"DIMVA","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Gothenburg","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Sweden","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2019","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"19 June 2019","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20 June 2019","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"16","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"dimva2019","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.dimva2019.org\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"dimca2019.hotcrp.com","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"80","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"23","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"29% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"6","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}}]}}