{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,18]],"date-time":"2025-10-18T00:33:31Z","timestamp":1760747611017,"version":"build-2065373602"},"publisher-location":"Cham","reference-count":51,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032078933","type":"print"},{"value":"9783032078940","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,10,18]],"date-time":"2025-10-18T00:00:00Z","timestamp":1760745600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,10,18]],"date-time":"2025-10-18T00:00:00Z","timestamp":1760745600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-032-07894-0_26","type":"book-chapter","created":{"date-parts":[[2025,10,17]],"date-time":"2025-10-17T19:06:59Z","timestamp":1760728019000},"page":"505-525","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["The Polymorphism Maze: Understanding Diversities and\u00a0Similarities in\u00a0Malware 
Families"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-8452-4532","authenticated-orcid":false,"given":"Antonino","family":"Vitale","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9547-3502","authenticated-orcid":false,"given":"Simone","family":"Aonzo","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0988-9366","authenticated-orcid":false,"given":"Savino","family":"Dambra","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1255-5284","authenticated-orcid":false,"given":"Nanda","family":"Rani","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-7978-6777","authenticated-orcid":false,"given":"Lorenzo","family":"Ippolito","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3375-6069","authenticated-orcid":false,"given":"Platon","family":"Kotzias","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2962-1348","authenticated-orcid":false,"given":"Juan","family":"Caballero","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5957-6213","authenticated-orcid":false,"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2025,10,18]]},"reference":[{"key":"26_CR1","unstructured":"Find malware detection names for Microsoft Defender for Endpoint. https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/intelligence\/malware-naming. 
Accessed 17 Sept 2025"},{"key":"26_CR2","unstructured":"Hash and family of each sample. https:\/\/raw.githubusercontent.com\/eurecom-s3\/DecodingMLSecretsOfWindowsMalwareClassification\/main\/dataset\/malware. Accessed 17 Sept 2025"},{"key":"26_CR3","unstructured":"MOTIF Dataset. https:\/\/github.com\/boozallen\/MOTIF. Accessed 17 Sept 2025"},{"key":"26_CR4","unstructured":"PEdiff. https:\/\/github.com\/im-overlord04\/PEDiff. Accessed 17 Sept 2025"},{"key":"26_CR5","unstructured":"PEfile. https:\/\/github.com\/erocarrera\/pefile. Accessed 17 Sept 2025"},{"key":"26_CR6","doi-asserted-by":"crossref","unstructured":"Aghakhani, H., et al.: When malware is Packin\u2019 Heat; limits of machine learning classifiers based on static analysis features. In: Network and Distributed Systems Security Symposium (2020)","DOI":"10.14722\/ndss.2020.24310"},{"issue":"4","key":"26_CR7","doi-asserted-by":"publisher","DOI":"10.1002\/cpe.6652","volume":"34","author":"A Arfeen","year":"2022","unstructured":"Arfeen, A., Khan, Z.A., Uddin, R., Ahsan, U.: Toward accurate and intelligent detection of malware. Concurrency Comput. Pract. Experience 34(4), e6652 (2022)","journal-title":"Concurrency Comput. Pract. Experience"},{"key":"26_CR8","doi-asserted-by":"crossref","unstructured":"Azab, A., Layton, R., Alazab, M., Oliver, J.: Mining malware to detect variants. In: Cybercrime and Trustworthy Computing Conference (2014)","DOI":"10.1109\/CTC.2014.11"},{"key":"26_CR9","doi-asserted-by":"crossref","unstructured":"Bak, M., Papp, D., Tam\u00e1s, C., Butty\u00e1n, L.: Clustering IoT malware based on binary similarity. In: IEEE\/IFIP Network Operations and Management Symposium (2020)","DOI":"10.1109\/NOMS47738.2020.9110432"},{"key":"26_CR10","unstructured":"Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, Behavior-Based Malware Clustering. 
In: Network and Distributed System Security Symposium (2009)"},{"key":"26_CR11","volume":"38","author":"M Botacin","year":"2021","unstructured":"Botacin, M., Moia, V.H.G., Ceschin, F., Henriques, M.A.A., Gr\u00e9gio, A.: Understanding uses and misuses of similarity hashing functions for malware detection and family clustering in actual scenarios. Forensic Sci. Int. Digit. Invest. 38, 301220 (2021)","journal-title":"Forensic Sci. Int. Digit. Invest."},{"key":"26_CR12","doi-asserted-by":"crossref","unstructured":"Breitinger, F., Baier, H.: Similarity preserving hashing: eligible properties and a new algorithm MRSH-v2. In: International Conference on Digital Forensics and Cyber Crime (2013)","DOI":"10.1007\/978-3-642-39891-9_11"},{"issue":"6","key":"26_CR13","doi-asserted-by":"publisher","first-page":"1193","DOI":"10.1109\/TC.2012.65","volume":"62","author":"S Cesare","year":"2012","unstructured":"Cesare, S., Xiang, Y., Zhou, W.: Malwise\u2013an effective and efficient classification system for packed and polymorphic malware. IEEE Trans. Comput. 62(6), 1193\u20131206 (2012)","journal-title":"IEEE Trans. Comput."},{"key":"26_CR14","doi-asserted-by":"crossref","unstructured":"Cozzi, E., Vervier, P.A., Dell\u2019Amico, M., Shen, Y., Bilge, L., Balzarotti, D.: The tangled genealogy of IoT malware. In: Annual Computer Security Applications Conference (2020)","DOI":"10.1145\/3427228.3427256"},{"key":"26_CR15","doi-asserted-by":"crossref","unstructured":"Dambra, S., et al.: Decoding the secrets of machine learning in malware classification: a deep dive into datasets, feature extraction, and model performance. In: ACM Conference on Computer and Communications Security. ACM, November 2023","DOI":"10.1145\/3576915.3616589"},{"key":"26_CR16","doi-asserted-by":"crossref","unstructured":"Drew, J., Moore, T., Hahsler, M.: Polymorphic malware detection using sequence classification methods. 
In: IEEE Security and Privacy Workshops (2016)","DOI":"10.1109\/SPW.2016.30"},{"key":"26_CR17","unstructured":"Egele, M., Woo, M., Chapman, P., Brumley, D.: Blanket execution: dynamic similarity testing for program binaries and components. In: USENIX Security Symposium (2014)"},{"key":"26_CR18","unstructured":"Google: BinDiff. https:\/\/github.com\/google\/bindiff. Accessed 17 Sept 2025"},{"key":"26_CR19","doi-asserted-by":"publisher","first-page":"347","DOI":"10.1016\/j.cose.2018.07.012","volume":"78","author":"IU Haq","year":"2018","unstructured":"Haq, I.U., Chica, S., Caballero, J., Jha, S.: Malware lineage in the wild. Comput. Secur. 78, 347\u2013363 (2018)","journal-title":"Comput. Secur."},{"key":"26_CR20","unstructured":"horsicq: Detect It Easy. https:\/\/github.com\/horsicq\/Detect-It-Easy. Accessed 17 Sept 2025"},{"key":"26_CR21","doi-asserted-by":"crossref","unstructured":"Hu, X., Chiueh, T., Shin, K.G.: Large-scale malware indexing using function-call graphs. In: ACM Conference on Computer and Communications Security (2009)","DOI":"10.1145\/1653662.1653736"},{"key":"26_CR22","unstructured":"Hu, X., Shin, K.G., Bhatkar, S., Griffin, K.: MutantX-S: scalable malware clustering based on static features. In: USENIX Annual Technical Conference (2013)"},{"key":"26_CR23","doi-asserted-by":"crossref","unstructured":"Jang, J., Brumley, D., Venkataraman, S.: BitShred: feature hashing malware for scalable triage and semantic analysis. In: ACM conference on Computer and Communications Security (2011)","DOI":"10.1145\/2046707.2046742"},{"key":"26_CR24","unstructured":"Jang, J., Woo, M., Brumley, D.: Towards automatic software lineage inference. In: USENIX Security Symposium (2013)"},{"key":"26_CR25","doi-asserted-by":"crossref","unstructured":"Joyce, R.J., Amlani, D., Nicholas, C., Raff, E.: MOTIF: a large malware reference dataset with ground truth family labels. 
In: Workshop on Artificial Intelligence for Cyber Security (2022)","DOI":"10.1016\/j.cose.2022.102921"},{"key":"26_CR26","doi-asserted-by":"crossref","unstructured":"Kornblum, J.: Identifying almost identical files using context triggered piecewise hashing. Digit. Invest. 3 (2006)","DOI":"10.1016\/j.diin.2006.06.015"},{"key":"26_CR27","doi-asserted-by":"crossref","unstructured":"Li, S., et al.: PackGenome: automatically generating robust YARA rules for accurate malware packer detection. In: ACM SIGSAC Conference on Computer and Communications Security (2023)","DOI":"10.1145\/3576915.3616625"},{"key":"26_CR28","doi-asserted-by":"crossref","unstructured":"Lindorfer, M., Di\u00a0Federico, A., Maggi, F., Comparetti, P.M., Zanero, S.: Lines of malicious code: insights into the malicious software industry. In: Annual Computer Security Applications Conference (2012)","DOI":"10.1145\/2420950.2421001"},{"key":"26_CR29","doi-asserted-by":"crossref","unstructured":"Liu, B., et al.: \u03b1Diff: cross-version binary code similarity detection with DNN. In: ACM\/IEEE International Conference on Automated Software Engineering (2018)","DOI":"10.1145\/3238147.3238199"},{"key":"26_CR30","unstructured":"Microsoft: PE format (2023). https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/debug\/pe-format"},{"key":"26_CR31","doi-asserted-by":"crossref","unstructured":"Naik, N., Jenkins, P., Savage, N.: A ransomware detection method using fuzzy hashing for mitigating the risk of occlusion of information systems. In: International Symposium on Systems Engineering (2019)","DOI":"10.1109\/ISSE46696.2019.8984540"},{"key":"26_CR32","doi-asserted-by":"crossref","unstructured":"Naik, N., et al.: Fuzzy hashing aided enhanced YARA rules for malware triaging. 
In: IEEE Symposium Series on Computational Intelligence (2020)","DOI":"10.1109\/SSCI47803.2020.9308189"},{"issue":"1","key":"26_CR33","doi-asserted-by":"publisher","first-page":"15","DOI":"10.1007\/s10207-014-0248-7","volume":"14","author":"A Nappa","year":"2015","unstructured":"Nappa, A., Rafique, M.Z., Caballero, J.: The MALICIA dataset: identification and analysis of drive-by download operations. Int. J. Inf. Secur. 14(1), 15\u201333 (2015)","journal-title":"Int. J. Inf. Secur."},{"key":"26_CR34","doi-asserted-by":"crossref","unstructured":"Oliver, J., Cheng, C., Chen, Y.: TLSH\u2013a locality sensitive hash. In: Cybercrime and Trustworthy Computing Workshop (2013)","DOI":"10.1109\/CTC.2013.9"},{"key":"26_CR35","unstructured":"Osorio, F.C.C., Qiu, H., Arrott, A.: Segmented sandboxing-a novel approach to malware polymorphism detection. In: International Conference on Malicious and Unwanted Software (2015)"},{"key":"26_CR36","doi-asserted-by":"crossref","unstructured":"Pagani, F., Dell\u2019Amico, M., Balzarotti, D.: Beyond precision and recall: understanding uses (and misuses) of similarity hashes in binary analysis. In: ACM Conference on Data and Application Security and Privacy (2018)","DOI":"10.1145\/3176258.3176306"},{"key":"26_CR37","unstructured":"Perdisci, R., Lee, W., Feamster, N.: Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In: USENIX Symposium on Networked Systems Design and Implementation (2010)"},{"key":"26_CR38","unstructured":"Quiring, E., Pirch, L., Reimsbach, M., Arp, D., Rieck, K.: Against all odds: winning the defense challenge in an evasion competition with diversification. Technical report (2020)"},{"key":"26_CR39","doi-asserted-by":"crossref","unstructured":"Rafique, M.Z., Caballero, J.: FIRMA: malware clustering and network signature generation with mixed network behaviors. 
In: Symposium on Research in Attacks, Intrusions and Defenses (2013)","DOI":"10.1007\/978-3-642-41284-4_8"},{"key":"26_CR40","doi-asserted-by":"crossref","unstructured":"Roussev, V.: Data fingerprinting with similarity digests. In: IFIP International Conference on Digital Forensics (2010)","DOI":"10.1007\/978-3-642-15506-2_15"},{"key":"26_CR41","doi-asserted-by":"publisher","first-page":"S60","DOI":"10.1016\/j.diin.2012.05.012","volume":"9","author":"V Roussev","year":"2012","unstructured":"Roussev, V., Quates, C.: Content triage with similarity digests: the M57 case study. Digit. Investig. 9, S60\u2013S68 (2012)","journal-title":"Digit. Investig."},{"key":"26_CR42","doi-asserted-by":"crossref","unstructured":"Sebasti\u00e1n, M., Rivera, R., Kotzias, P., Caballero, J.: AVClass: a tool for massive malware labeling. In: International Symposium on Research in Attacks, Intrusions, and Defenses (2016)","DOI":"10.1007\/978-3-319-45719-2_11"},{"key":"26_CR43","doi-asserted-by":"crossref","unstructured":"Seo, K., Lim, K., Choi, J., Chang, K., Lee, S.: Detecting similar files based on hash and statistical analysis for digital forensic investigation. In: International Conference on Computer Science and Its Applications (2009)","DOI":"10.1109\/CSA.2009.5404198"},{"key":"26_CR44","doi-asserted-by":"publisher","first-page":"S88","DOI":"10.1016\/j.diin.2019.01.018","volume":"28","author":"I Shiel","year":"2019","unstructured":"Shiel, I., O\u2019Shaughnessy, S.: Improving file-level fuzzy hashes for malware variant classification. Digit. Investig. 28, S88\u2013S94 (2019)","journal-title":"Digit. Investig."},{"issue":"7","key":"26_CR45","doi-asserted-by":"publisher","first-page":"1044","DOI":"10.3390\/app8071044","volume":"8","author":"A Tajoddin","year":"2018","unstructured":"Tajoddin, A., Jalili, S.: HM3alD: polymorphic malware detection using program behavior-aware hidden Markov model. Appl. Sci. 8(7), 1044 (2018)","journal-title":"Appl. 
Sci."},{"issue":"4","key":"26_CR46","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3017427","volume":"49","author":"K Tam","year":"2017","unstructured":"Tam, K., Feizollah, A., Anuar, N.B., Salleh, R., Cavallaro, L.: The evolution of android malware and android analysis techniques. ACM Comput. Surv. (CSUR) 49(4), 1\u201341 (2017)","journal-title":"ACM Comput. Surv. (CSUR)"},{"key":"26_CR47","doi-asserted-by":"crossref","unstructured":"Upchurch, J., Zhou, X.: Variant: a malware similarity testing framework. In: International Conference on Malicious and Unwanted Software (2015)","DOI":"10.1109\/MALWARE.2015.7413682"},{"key":"26_CR48","doi-asserted-by":"crossref","unstructured":"Upchurch, J., Zhou, X.: Malware provenance: code reuse detection in malicious software at scale. In: International Conference on Malicious and Unwanted Software (2016)","DOI":"10.1109\/MALWARE.2016.7888735"},{"key":"26_CR49","doi-asserted-by":"crossref","unstructured":"van Liebergen, K., Caballero, J., Kotzias, P., Gates, C.: A deep dive into the VirusTotal file feed. In: Conference on Detection of Intrusions and Malware & Vulnerability Assessment (2023)","DOI":"10.1007\/978-3-031-35504-2_8"},{"key":"26_CR50","doi-asserted-by":"crossref","unstructured":"Webster, G.D., et al.: Finding the needle: a study of the PE32 rich header and respective malware triage. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (2017)","DOI":"10.1007\/978-3-319-60876-1_6"},{"key":"26_CR51","doi-asserted-by":"crossref","unstructured":"You, I., Yim, K.: Malware obfuscation techniques: a brief survey. 
In: International Conference on Broadband, Wireless Computing, Communication and Applications (2010)","DOI":"10.1109\/BWCCA.2010.85"}],"container-title":["Lecture Notes in Computer Science","Computer Security \u2013 ESORICS 2025"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-07894-0_26","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,17]],"date-time":"2025-10-17T19:07:11Z","timestamp":1760728031000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-07894-0_26"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,18]]},"ISBN":["9783032078933","9783032078940"],"references-count":51,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-07894-0_26","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,10,18]]},"assertion":[{"value":"18 October 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ESORICS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"European Symposium on Research in Computer Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Toulouse","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"France","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference 
Information"}},{"value":"22 September 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"24 September 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"30","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"esorics2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.esorics2025.org\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}