{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,4]],"date-time":"2026-04-04T02:56:07Z","timestamp":1775271367918,"version":"3.50.1"},"publisher-location":"Cham","reference-count":37,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783030884178","type":"print"},{"value":"9783030884185","type":"electronic"}],"license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021]]},"DOI":"10.1007\/978-3-030-88418-5_12","type":"book-chapter","created":{"date-parts":[[2021,9,29]],"date-time":"2021-09-29T21:04:30Z","timestamp":1632949470000},"page":"240-260","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":35,"title":["Peeler: Profiling Kernel-Level Events to Detect Ransomware"],"prefix":"10.1007","author":[{"given":"Muhammad Ejaz","family":"Ahmed","sequence":"first","affiliation":[]},{"given":"Hyoungshick","family":"Kim","sequence":"additional","affiliation":[]},{"given":"Seyit","family":"Camtepe","sequence":"additional","affiliation":[]},{"given":"Surya","family":"Nepal","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,9,30]]},"reference":[{"key":"12_CR1","unstructured":"About Event Tracing. https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/etw\/about-event-tracing"},{"key":"12_CR2","unstructured":"Global Ransomware Damage Costs Predicted To Reach \\$20 Billion (USD) By 2021. https:\/\/cybersecurityventures.com\/global-ransomware-damage-costs-predicted-to-reach-20-billion-usd-by-2021\/"},{"key":"12_CR3","unstructured":"Krabsetw. https:\/\/github.com\/microsoft\/krabsetw"},{"key":"12_CR4","unstructured":"A Live Malware Repository. https:\/\/github.com\/ytisf\/theZoo"},{"key":"12_CR5","unstructured":"Malware samples. https:\/\/github.com\/fabrimagic72\/malware-samples"},{"key":"12_CR6","unstructured":"MalwareBazaar. https:\/\/bazaar.abuse.ch\/"},{"key":"12_CR7","unstructured":"Pretrained models. https:\/\/huggingface.co\/transformers\/pretrained_models.html"},{"key":"12_CR8","unstructured":"VirtualBox. https:\/\/www.virtualbox.org"},{"key":"12_CR9","unstructured":"VirusTotal. https:\/\/www.virustotal.com\/"},{"key":"12_CR10","unstructured":"What systems have you seen infected by ransomware? https:\/\/www.statista.com\/statistics\/701020\/major-operating-systems-targeted-by-ransomware\/"},{"key":"12_CR11","doi-asserted-by":"crossref","unstructured":"Al-rimy, B.A.S., Maarof, M.A., Shaid, S.Z.M.: A 0-day aware crypto-ransomware early behavioral detection framework. In: International Conference of Reliable Information and Communication Technology, pp. 758\u2013766 (2017)","DOI":"10.1007\/978-3-319-59427-9_78"},{"key":"12_CR12","doi-asserted-by":"crossref","unstructured":"Continella, A., et al.: Shieldfs: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 336\u2013347 (2016)","DOI":"10.1145\/2991079.2991110"},{"key":"12_CR13","unstructured":"Devlin, J., Chang, M.W., Lee, K., Toutanova, K.: Bert: Pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805 (2018)"},{"key":"12_CR14","doi-asserted-by":"publisher","first-page":"389","DOI":"10.1016\/j.cose.2017.11.019","volume":"73","author":"J G\u00f3mez-Hern\u00e1ndez","year":"2018","unstructured":"G\u00f3mez-Hern\u00e1ndez, J., \u00c1lvarez-Gonz\u00e1lez, L., Garc\u00eda-Teodoro, P.: R-Locker: thwarting ransomware action through a honeyfile-based approach. Comput. Secur. 73, 389\u2013398 (2018)","journal-title":"Comput. Secur."},{"key":"12_CR15","doi-asserted-by":"crossref","unstructured":"Hendler, D., Kels, S., Rubin, A.: Detecting malicious powershell commands using deep neural networks. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 187\u2013197 (2018)","DOI":"10.1145\/3196494.3196511"},{"key":"12_CR16","doi-asserted-by":"crossref","unstructured":"Hendler, D., Kels, S., Rubin, A.: Amsi-based detection of malicious powershell code using contextual embeddings. In: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, pp. 679\u2013693 (2020)","DOI":"10.1145\/3320269.3384742"},{"key":"12_CR17","doi-asserted-by":"crossref","unstructured":"Hirano, M., Kobayashi, R.: Machine learning based ransomware detection using storage access patterns obtained from live-forensic hypervisor. In: Sixth IEEE International Conference on Internet of Things: Systems, Management and Security (IOTSMS), pp. 1\u20136 (2019)","DOI":"10.1109\/IOTSMS48152.2019.8939214"},{"key":"12_CR18","unstructured":"Homayoun, S., Dehghantanha, A., Ahmadzadeh, M., Hashemi, S., Khayami, R.: Know abnormal, find evil: frequent pattern mining for ransomware threat hunting and intelligence. IEEE transactions on emerging topics in computing (2017)"},{"key":"12_CR19","doi-asserted-by":"crossref","unstructured":"Huang, J., Xu, J., Xing, X., Liu, P., Qureshi, M.K.: Flashguard: Leveraging intrinsic flash properties to defend against encryption ransomware. In: Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, pp. 2231\u20132244 (2017)","DOI":"10.1145\/3133956.3134035"},{"key":"12_CR20","doi-asserted-by":"crossref","unstructured":"Jin, B., Choi, J., Kim, H., Hong, J.B.: Fumvar: a practical framework for generating fully-working and unseen malware variants. In: Proceedings of the 36th Annual ACM Symposium on Applied Computing (SAC) (2021)","DOI":"10.1145\/3412841.3442039"},{"key":"12_CR21","unstructured":"Kharaz, A., Arshad, S., Mulliner, C., Robertson, W., Kirda, E.: UNVEIL: a large-scale, automated approach to detecting ransomware. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 757\u2013772 (2016)"},{"key":"12_CR22","doi-asserted-by":"crossref","unstructured":"Kharraz, A., Kirda, E.: Redemption: real-time protection against ransomware at end-hosts. In: International Symposium on Research in Attacks, Intrusions, and Defenses, pp. 98\u2013119 (2017)","DOI":"10.1007\/978-3-319-66332-6_5"},{"key":"12_CR23","doi-asserted-by":"crossref","unstructured":"Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., Kirda, E.: Cutting the gordian knot: a look under the hood of ransomware attacks. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 3\u201324 (2015)","DOI":"10.1007\/978-3-319-20550-2_1"},{"key":"12_CR24","doi-asserted-by":"crossref","unstructured":"Kolodenker, E., Koch, W., Stringhini, G., Egele, M.: Paybreak: defense against cryptographic ransomware. In: Proceedings ACM on Asia Conference on Computer and Communications Security, pp. 599\u2013611 (2017)","DOI":"10.1145\/3052973.3053035"},{"key":"12_CR25","unstructured":"Lab, E.M.: The State of Ransomware in the US. https:\/\/blog.emsisoft.com\/en\/34822\/the-state-of-ransomware-in-the-us-report-and-statistics-2019\/"},{"key":"12_CR26","unstructured":"Lelonek, B., Rogers, N.: Make ETW greate again. https:\/\/ruxcon.org.au\/assets\/2016\/slides\/ETW_16_RUXCON_NJR_no_notes.pdf"},{"key":"12_CR27","doi-asserted-by":"crossref","unstructured":"Mehnaz, S., Mudgerikar, A., Bertino, E.: RWGuard: a real-time detection system against cryptographic ransomware. In: International Symposium on Research in Attacks, Intrusions, and Defenses, pp. 114\u2013136 (2018)","DOI":"10.1007\/978-3-030-00470-5_6"},{"key":"12_CR28","doi-asserted-by":"crossref","unstructured":"Milajerdi, S.M., Eshete, B., Gjomemo, R., Venkatakrishnan, V.: Poirot: aligning attack behavior with kernel audit records for cyber threat hunting. In: Proceedings of ACM SIGSAC Conference on Computer and Communications Security, pp. 1795\u20131812 (2019)","DOI":"10.1145\/3319535.3363217"},{"key":"12_CR29","doi-asserted-by":"crossref","unstructured":"Miramirkhani, N., Appini, M.P., Nikiforakis, N., Polychronakis, M.: Spotless sandboxes: evading malware analysis systems using wear-and-tear artifacts. In: IEEE Symposium on Security and Privacy (SP), pp. 1009\u20131024 (2017)","DOI":"10.1109\/SP.2017.42"},{"key":"12_CR30","doi-asserted-by":"publisher","first-page":"14","DOI":"10.1016\/j.jnca.2018.09.013","volume":"124","author":"D Morato","year":"2018","unstructured":"Morato, D., Berrueta, E., Maga\u00f1a, E., Izal, M.: Ransomware early detection by the analysis of file sharing traffic. J. Network Comput. Appl. 124, 14\u201332 (2018)","journal-title":"J. Network Comput. Appl."},{"key":"12_CR31","unstructured":"Nieuwenhuizen, D.: A behavioural-based approach to ransomware detection. Whitepaper, MWR Labs Whitepaper (2017)"},{"key":"12_CR32","doi-asserted-by":"crossref","unstructured":"Scaife, N., Carter, H., Traynor, P., Butler, K.R.: Cryptolock (and drop it): stopping ransomware attacks on user data. In: 36th IEEE International Conference on Distributed Computing Systems (ICDCS), pp. 303\u2013312 (2016)","DOI":"10.1109\/ICDCS.2016.46"},{"key":"12_CR33","unstructured":"Sgandurra, D., Mu\u00f1oz-Gonz\u00e1lez, L., Mohsen, R., Lupu, E.C.: Automated dynamic analysis of ransomware: Benefits, limitations and use for detection. arXiv preprint arXiv:1609.03020 (2016)"},{"key":"12_CR34","doi-asserted-by":"crossref","unstructured":"Sivakorn, S., et al.: Countering malicious processes with process-dns association. In: Network and Distributed Systems Security (2019)","DOI":"10.14722\/ndss.2019.23012"},{"key":"12_CR35","doi-asserted-by":"crossref","unstructured":"Wang, Q., et al.: You are what you do: Hunting stealthy malware via data provenance analysis. In: Symposium on Network and Distributed System Security (NDSS) (2020)","DOI":"10.14722\/ndss.2020.24167"},{"key":"12_CR36","doi-asserted-by":"crossref","unstructured":"WatchGuard: Internet Security Report - Q4 2020. https:\/\/www.watchguard.com\/wgrd-resource-center\/security-report-q4-2020","DOI":"10.1016\/S1353-4858(20)30039-8"},{"key":"12_CR37","doi-asserted-by":"crossref","unstructured":"Zhao, L., Mannan, M.: TEE-aided write protection against privileged data tampering. arXiv preprint arXiv:1905.10723 (2019)","DOI":"10.14722\/ndss.2019.23197"}],"container-title":["Lecture Notes in Computer Science","Computer Security \u2013 ESORICS 2021"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-88418-5_12","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,9,29]],"date-time":"2021-09-29T21:18:49Z","timestamp":1632950329000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-030-88418-5_12"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"ISBN":["9783030884178","9783030884185"],"references-count":37,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-88418-5_12","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021]]},"assertion":[{"value":"30 September 2021","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ESORICS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"European Symposium on Research in Computer Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Darmstadt","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Germany","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2021","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"4 October 2021","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"8 October 2021","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"esorics2021","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/esorics2021.athene-center.de\/index.php","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"351","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"71","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"20% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3.07","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"6.06","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"The conference was held virtually due to the COVID-19 pandemic.","order":10,"name":"additional_info_on_review_process","label":"Additional Info on Review Process","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}