{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,21]],"date-time":"2026-02-21T18:52:33Z","timestamp":1771699953953,"version":"3.50.1"},"publisher-location":"Cham","reference-count":37,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319281650","type":"print"},{"value":"9783319281667","type":"electronic"}],"license":[{"start":{"date-parts":[[2015,1,1]],"date-time":"2015-01-01T00:00:00Z","timestamp":1420070400000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2015,1,1]],"date-time":"2015-01-01T00:00:00Z","timestamp":1420070400000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015]]},"DOI":"10.1007\/978-3-319-28166-7_24","type":"book-chapter","created":{"date-parts":[[2016,1,8]],"date-time":"2016-01-08T15:29:04Z","timestamp":1452266944000},"page":"497-517","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":14,"title":["Replacement Attacks: Automatically Impeding Behavior-Based Malware Specifications"],"prefix":"10.1007","author":[{"given":"Jiang","family":"Ming","sequence":"first","affiliation":[]},{"given":"Zhi","family":"Xin","sequence":"additional","affiliation":[]},{"given":"Pengwei","family":"Lan","sequence":"additional","affiliation":[]},{"given":"Dinghao","family":"Wu","sequence":"additional","affiliation":[]},{"given":"Peng","family":"Liu","sequence":"additional","affiliation":[]},{"given":"Bing","family":"Mao","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2016,1,9]]},"reference":[{"key":"24_CR1","unstructured":"Cybercriminals sell access to tens of thousands of malware-infected Russian hosts. 
http:\/\/www.webroot.com\/blog\/2013\/09\/23\/. Accessed 03 October 2014"},{"key":"24_CR2","unstructured":"Getting started with the llvm system using Microsoft Visual Studio. http:\/\/llvm.org\/docs\/GettingStartedVS.html. Accessed 03 October 2014"},{"key":"24_CR3","unstructured":"Malicious software and its underground economy. https:\/\/www.coursera.org\/course\/malsoftware. Accessed 03 October 2014"},{"key":"24_CR4","unstructured":"Windows registry persistence, part 2: The run keys and search-order. http:\/\/blog.cylance.com. Accessed 03 October 2014"},{"issue":"1","key":"24_CR5","doi-asserted-by":"publisher","first-page":"117","DOI":"10.1145\/1327452.1327494","volume":"51","author":"A Andoni","year":"2008","unstructured":"Andoni, A., Indyk, P.: Near-optimal hashing algorithms for approximate nearest neighbor in high dimensions. Commun. ACM 51(1), 117\u2013122 (2008)","journal-title":"Commun. ACM"},{"key":"24_CR6","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"116","DOI":"10.1007\/978-3-642-22110-1_10","volume-title":"Computer Aided Verification","author":"D Babi\u0107","year":"2011","unstructured":"Babi\u0107, D., Reynaud, D., Song, D.: Malware analysis with tree automata inference. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 116\u2013131. Springer, Heidelberg (2011)"},{"key":"24_CR7","unstructured":"Bayer, U., Comparetti, P. M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior based malware clustering. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2009)"},{"key":"24_CR8","doi-asserted-by":"crossref","unstructured":"Bayer, U., Kirda, E., Kruegel, C.: Improving the efficiency of dynamic malware analysis. 
In: Proceedings of the 2010 ACM Symposium on Applied Computing (SAC) (2010)","DOI":"10.1145\/1774088.1774484"},{"key":"24_CR9","doi-asserted-by":"crossref","unstructured":"Biggio, B., Pillai, I., Rota Bul\u00f2, S., Ariu, D., Pelillo, M., Roli, F.: Is data clustering in adversarial settings secure? In: Proceedings of the 6th ACM Workshop on Artificial Intelligence and Security (AISec) (2013)","DOI":"10.1145\/2517312.2517321"},{"key":"24_CR10","doi-asserted-by":"crossref","unstructured":"Biggio, B., Rieck, K., Ariu, D., Wressnegger, C., Corona, I., Giacinto, G., Roli, F.: Poisoning behavioral malware clustering. In: Proceedings of the 7th ACM Workshop on Artificial Intelligence and Security (AISec) (2014)","DOI":"10.1145\/2666652.2666666"},{"key":"24_CR11","doi-asserted-by":"crossref","unstructured":"Broder, A.Z., Glassman, S.C., Manasse, M.S., Zweig, G.: Syntactic clustering of the web. In: Proceedings of the Sixth International Conference on World Wide Web (1997)","DOI":"10.1016\/S0169-7552(97)00031-7"},{"key":"24_CR12","doi-asserted-by":"crossref","unstructured":"Bruschi, D., Martignoni, L., Monga, M.: Detecting self-mutating malware using control-flow graph matching. In: Buschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol. 4064, pp. 129\u2013143. Springer, Heidelberg (2006)","DOI":"10.1007\/11790754_8"},{"issue":"3\u20134","key":"24_CR13","doi-asserted-by":"publisher","first-page":"255","DOI":"10.1016\/S0167-8655(97)00179-7","volume":"19","author":"H Bunke","year":"1998","unstructured":"Bunke, H., Shearer, K.: A graph distance metric based on the maximal common subgraph. Pattern Recogn. Lett. 19(3\u20134), 255\u2013259 (1998)","journal-title":"Pattern Recogn. Lett."},{"key":"24_CR14","unstructured":"Chen, X., Andersen, J., Mao, Z., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware.
In: Proceedings of the International Conference on Dependable Systems and Networks (DSN) (2008)"},{"key":"24_CR15","doi-asserted-by":"crossref","unstructured":"Christodorescu, M., Jha, S., Kruegel, C.: Mining specifications of malicious behavior. In: ESEC-FSE 2007 Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (2007)","DOI":"10.1145\/1287624.1287628"},{"key":"24_CR16","doi-asserted-by":"crossref","unstructured":"Coogan, K., Lu, G., Debray, S.: Deobfuscation of virtualization-obfuscated software. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS) (2011)","DOI":"10.1145\/2046707.2046739"},{"key":"24_CR17","doi-asserted-by":"crossref","unstructured":"Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2008)","DOI":"10.1145\/1455770.1455779"},{"key":"24_CR18","doi-asserted-by":"crossref","unstructured":"Fredrikson, M., Jha, S., Christodorescu, M., Sailer, R., Yan, X.: Synthesizing near-optimal malware specifications from suspicious behaviors. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy (2010)","DOI":"10.1109\/SP.2010.11"},{"key":"24_CR19","doi-asserted-by":"crossref","unstructured":"Kang, M.G., Yin, H., Hanna, S., McCamant, S., Song, D.: Emulating emulation-resistant malware. In: Proceedings of the Workshop on Virtual Machine Security (VMSec) (2009)","DOI":"10.1145\/1655148.1655151"},{"key":"24_CR20","unstructured":"Kolbitsch, C., Comparetti, P.M., Kruegel, C., Kirda, E., Zhou, X., Wang, X.: Effective and efficient malware detection at the end host.
In: Proceedings of the 18th USENIX Security Symposium (2009)"},{"key":"24_CR21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"207","DOI":"10.1007\/11663812_11","volume-title":"Recent Advances in Intrusion Detection","author":"C Kruegel","year":"2006","unstructured":"Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic worm detection using structural information of executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 207\u2013226. Springer, Heidelberg (2006)"},{"key":"24_CR22","unstructured":"Lattner, C., Adve, V.: LLVM: a compilation framework for lifelong program analysis and transformation. In: Proceedings of the International Symposium on Code Generation and Optimization (CGO) (2004)"},{"key":"24_CR23","doi-asserted-by":"crossref","unstructured":"Lindorfer, M., Di Federico, A., Maggi, F., Comparetti, P.M., Zanero, S.: Lines of malicious code: insights into the malicious software industry. In: Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC) (2012)","DOI":"10.1145\/2420950.2421001"},{"issue":"1\u20132","key":"24_CR24","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s11416-011-0157-5","volume":"8","author":"W Ma","year":"2012","unstructured":"Ma, W., Duan, P., Liu, S., Gu, G., Liu, J.-C.: Shadow attacks: automatically evading system-call-behavior based malware detection. Comput. Virol. 8(1\u20132), 1\u201313 (2012)","journal-title":"Comput. Virol."},{"key":"24_CR25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"78","DOI":"10.1007\/978-3-540-87403-4_5","volume-title":"Recent Advances in Intrusion Detection","author":"L Martignoni","year":"2008","unstructured":"Martignoni, L., Stinson, E., Fredrikson, M., Jha, S., Mitchell, J.C.: A layered architecture for detecting malicious behaviors. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 
78\u201397. Springer, Heidelberg (2008)"},{"key":"24_CR26","doi-asserted-by":"crossref","unstructured":"Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC), December 2007","DOI":"10.1109\/ACSAC.2007.4413008"},{"key":"24_CR27","doi-asserted-by":"crossref","unstructured":"Paleari, R., Martignoni, L., Roglia, G.F., Bruschi, D.: A fistful of red-pills: how to automatically generate procedures to detect cpu emulators. In: Proceedings of the USENIX Workshop on Offensive Technologies (WOOT) (2009)","DOI":"10.1145\/1572272.1572303"},{"key":"24_CR28","doi-asserted-by":"crossref","unstructured":"Park, Y., Reeves, D.: Deriving common malware behavior through graph clustering. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIACCS) (2011)","DOI":"10.1145\/1966913.1966986"},{"key":"24_CR29","doi-asserted-by":"crossref","unstructured":"Park, Y., Reeves, D., Mulukutla, V., Sundaravel, B.: Fast malware classification by automated behavioral graph matching. In: Proceedings of the 6th Annual Workshop on Cyber Security and Information Intelligence Research (2010)","DOI":"10.1145\/1852666.1852716"},{"issue":"4","key":"24_CR30","doi-asserted-by":"crossref","first-page":"639","DOI":"10.3233\/JCS-2010-0410","volume":"19","author":"K Rieck","year":"2011","unstructured":"Rieck, K., Trinius, P., Willems, C., Holz, T.: Automatic analysis of malware behavior using machine learning. J. Comput. Secur. 19(4), 639\u2013668 (2011)","journal-title":"J. Comput. Secur."},{"issue":"1","key":"24_CR31","doi-asserted-by":"publisher","first-page":"4","DOI":"10.1145\/2522968.2522972","volume":"46","author":"KA Roundy","year":"2013","unstructured":"Roundy, K.A., Miller, B.P.: Binary-code obfuscations in prevalent packer tools. ACM Comput. Surv. 46(1), 4 (2013)","journal-title":"ACM Comput.
Surv."},{"key":"24_CR32","unstructured":"Russinovich, M.: Inside the native API. http:\/\/netcode.cz\/img\/83\/nativeapi.html. Accessed 03 October 2014"},{"key":"24_CR33","volume-title":"Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software","author":"M Sikorski","year":"2012","unstructured":"Sikorski, M., Honig, A.: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press, San Francisco (2012)"},{"key":"24_CR34","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"214","DOI":"10.1007\/978-3-642-22424-9_13","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"A Srivastava","year":"2011","unstructured":"Srivastava, A., Lanzi, A., Giffin, J., Balzarotti, D.: Operating system interface obfuscation and the revealing of hidden operations. In: Holz, T., Bos, H. (eds.) DIMVA 2011. LNCS, vol. 6739, pp. 214\u2013233. Springer, Heidelberg (2011)"},{"key":"24_CR35","doi-asserted-by":"crossref","unstructured":"Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS) (2002)","DOI":"10.1145\/586110.586145"},{"key":"24_CR36","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"210","DOI":"10.1007\/978-3-642-23822-2_12","volume-title":"Computer Security \u2013 ESORICS 2011","author":"Z Wang","year":"2011","unstructured":"Wang, Z., Ming, J., Jia, C., Gao, D.: Linear obfuscation to combat symbolic execution. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 210\u2013226. 
Springer, Heidelberg (2011)"},{"key":"24_CR37","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-642-24861-0_1","volume-title":"Information Security","author":"Z Xin","year":"2011","unstructured":"Xin, Z., Chen, H., Wang, X., Liu, P., Zhu, S., Mao, B., Xie, L.: Replacement attacks on behavior based software birthmark. In: Lai, X., Zhou, J., Li, H. (eds.) ISC 2011. LNCS, vol. 7001, pp. 1\u201316. Springer, Heidelberg (2011)"}],"container-title":["Lecture Notes in Computer Science","Applied Cryptography and Network Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-28166-7_24","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,2,3]],"date-time":"2021-02-03T01:12:26Z","timestamp":1612314746000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-28166-7_24"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015]]},"ISBN":["9783319281650","9783319281667"],"references-count":37,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-28166-7_24","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015]]},"assertion":[{"value":"9 January 2016","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"This content has been made available to all.","name":"free","label":"Free to read"}]}}