{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,25]],"date-time":"2025-03-25T14:31:19Z","timestamp":1742913079116,"version":"3.40.3"},"publisher-location":"Cham","reference-count":50,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319406664"},{"type":"electronic","value":"9783319406671"}],"license":[{"start":{"date-parts":[[2016,1,1]],"date-time":"2016-01-01T00:00:00Z","timestamp":1451606400000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2016]]},"DOI":"10.1007\/978-3-319-40667-1_6","type":"book-chapter","created":{"date-parts":[[2016,6,11]],"date-time":"2016-06-11T11:19:03Z","timestamp":1465643943000},"page":"101-121","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":9,"title":["Comprehensive Analysis and Detection of Flash-Based Malware"],"prefix":"10.1007","author":[{"given":"Christian","family":"Wressnegger","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Fabian","family":"Yamaguchi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Daniel","family":"Arp","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Konrad","family":"Rieck","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2016,6,12]]},"reference":[{"key":"6_CR1","unstructured":"Adobe Systems Incooperated: ActionScript virtual machine 2 (AVM2) overview. Technical report, Adobe System Incooperated (2007)"},{"key":"6_CR2","unstructured":"Adobe Systems Incooperated: SWF file format specification. Technical report, Adobe System Incooperated (2013)"},{"key":"6_CR3","volume-title":"Compilers Principles, Techniques, and Tools","author":"AV Aho","year":"2006","unstructured":"Aho, A.V., Sethi, R., Ullman, J.D.: Compilers Principles, Techniques, and Tools, 2nd edn. Addison-Wesley, Reading (2006)","edition":"2"},{"key":"6_CR4","unstructured":"Baecher, P., Koetter, M.: libemu - x86 Shellcode Emulation (2008)"},{"key":"6_CR5","unstructured":"Biggio, B., Nelson, B., Laskov, P.: Poisoning attacks against support vector machines. In: Proceedings of International Conference on Machine Learning (ICML) (2012)"},{"key":"6_CR6","doi-asserted-by":"publisher","first-page":"65","DOI":"10.1007\/978-0-387-68768-1_4","volume-title":"Botnet Detection","author":"D Brumley","year":"2008","unstructured":"Brumley, D., Hartwig, C., Liang, Z., Newsome, J., Song, D., Yin, H.: Automatically identifying trigger-based behavior in malware. In: Lee, W., Wang, C., Dagon, D. (eds.) Botnet Detection, pp. 65\u201388. Springer, US (2008)"},{"key":"6_CR7","doi-asserted-by":"crossref","unstructured":"Canali, D., Cova, M., Vigna, G., Kruegel, C.: Prophiler: a fast filter for the large-scale detection of malicious web pages. In: Proceedings of the International World Wide Web Conference (WWW), pp. 197\u2013206, April 2011","DOI":"10.1145\/1963405.1963436"},{"key":"6_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"143","DOI":"10.1007\/978-3-540-70542-0_8","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"L Cavallaro","year":"2008","unstructured":"Cavallaro, L., Saxena, P., Sekar, R.: On the limits of information flow techniques for malware analysis and containment. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 143\u2013163. Springer, Heidelberg (2008)"},{"key":"6_CR9","unstructured":"Cavnar, W., Trenkle, J.: N-gram-based text categorization. In: Proceedings of SDAIR, Las Vegas, pp. 161\u2013175, NV, USA, April 1994"},{"key":"6_CR10","unstructured":"Chen, X., Andersen, J., Mao, Z.M., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: Proceedings of Conference on Dependable Systems and Networks (DSN), pp. 177\u2013186 (2008)"},{"key":"6_CR11","volume-title":"Introduction to Algorithms","author":"TH Cormen","year":"2009","unstructured":"Cormen, T.H., Leiserson, C.E., Rivest, R.L., Stein, C.: Introduction to Algorithms, 3rd edn. MIT Press, Cambridge (2009)","edition":"3"},{"key":"6_CR12","doi-asserted-by":"crossref","unstructured":"Cova, M., Felmetsger, V., Banks, G., Vigna, G.: Static detection of vulnerabilities in x86 executables. In: Proceedings of Annual Computer Security Applications Conference (ACSAC), pp. 269\u2013278 (2006)","DOI":"10.1109\/ACSAC.2006.50"},{"key":"6_CR13","doi-asserted-by":"crossref","unstructured":"Cova, M., Kruegel, C., Vigna, G.: Detection and analysis of drive-by-download attacks and malicious JavaScript code. In: Proceedings of the International World Wide Web Conference (WWW), pp. 281\u2013290 (2010)","DOI":"10.1145\/1772690.1772720"},{"key":"6_CR14","doi-asserted-by":"crossref","unstructured":"Crandall, J.R., Wassermann, G., Oliveira, D.A.S., Su, Z., Wu, S.F., Chong, F.T.: Temporal search: detecting hidden malware timebombs with virtual machines. In: Proceedings of International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 25\u201336 (2006)","DOI":"10.1145\/1168917.1168862"},{"key":"6_CR15","doi-asserted-by":"crossref","unstructured":"Cretu, G., Stavrou, A., Locasto, M., Stolfo, S., Keromytis, A.: Casting out demons: Sanitizing training data for anomaly sensors. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 81\u201395 (2008)","DOI":"10.1109\/SP.2008.11"},{"key":"6_CR16","unstructured":"Curtsinger, C., Livshits, B., Zorn, B., Seifert, C.: Zozzle: fast and precise in-browser JavaScript malware detection. In: Proceedings of USENIX Security Symposium, pp. 33\u201348 (2011)"},{"key":"6_CR17","doi-asserted-by":"crossref","unstructured":"Fogla, P., Lee, W.: Evading network anomaly detection systems: formal reasoning and practical techniques. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), pp. 59\u201368 (2006)","DOI":"10.1145\/1180405.1180414"},{"key":"6_CR18","unstructured":"Fogla, P., Sharif, M., Perdisci, R., Kolesnikov, O., Lee, W.: Polymorphic blending attacks. In: Proceedings of USENIX Security Symposium, pp. 241\u2013256 (2006)"},{"key":"6_CR19","doi-asserted-by":"crossref","unstructured":"Ford, S., Cova, M., Kruegel, C., Vigna, G.: Analyzing and detecting malicious flash advertisements. In: Proceedings of Annual Computer Security Applications Conference (ACSAC), pp. 363\u2013372 (2009)","DOI":"10.1109\/ACSAC.2009.41"},{"key":"6_CR20","unstructured":"gnash. GNU Gnash. https:\/\/www.gnu.org\/software\/gnash. Accessed April 2016"},{"key":"6_CR21","unstructured":"Hirvonen, T.: Dynamic flash instrumentation for fun and profit. In: Proceedings of Black Hat USA (2014)"},{"key":"6_CR22","unstructured":"httparchive. http:\/\/www.httparchive.org. Accessed April 2016"},{"key":"6_CR23","doi-asserted-by":"crossref","unstructured":"Huang, L., Joseph, A.D., Nelson, B., Rubinstein, B.I.P., Tygar, J.D.: Adversarial machine learning. In: Proceedings of ACM Workshop on Artificial Intelligence and Security (AISEC), pp. 43\u201358 (2011)","DOI":"10.1145\/2046684.2046692"},{"key":"6_CR24","doi-asserted-by":"crossref","unstructured":"Jang, J., Agrawal, A., Brumley, D.: ReDeBug: finding unpatched code clones in entire os distributions. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 48\u201362 (2012)","DOI":"10.1109\/SP.2012.13"},{"key":"6_CR25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"85","DOI":"10.1007\/978-3-642-22424-9_6","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"M Johns","year":"2011","unstructured":"Johns, M., Lekies, S.: Biting the hand that serves you: a closer look at client-side flash proxies for cross-domain requests. In: Holz, T., Bos, H. (eds.) DIMVA 2011. LNCS, vol. 6739, pp. 85\u2013103. Springer, Heidelberg (2011)"},{"key":"6_CR26","unstructured":"Kapravelos, A., Shoshitaishvili, Y., Cova, M., Kruegel, C., Vigna, G.: Revolver: an automated approach to the detection of evasive web-based malware. In: Proceedings of USENIX Security Symposium, pp. 637\u2013651, August 2013"},{"key":"6_CR27","doi-asserted-by":"crossref","unstructured":"Kolbitsch, C., Livshits, B., Zorn, B., Seifert, C.: Rozzle: de-cloaking internet malware. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 443\u2013457 (2012)","DOI":"10.1109\/SP.2012.48"},{"key":"6_CR28","doi-asserted-by":"crossref","unstructured":"Laskov, P., \u0160rndi\u0107, N.: Static detection of malicious javascript-bearing PDF documents. In: Proceedings of Annual Computer Security Applications Conference (ACSAC), pp. 373\u2013382 (2011)","DOI":"10.1145\/2076732.2076785"},{"key":"6_CR29","unstructured":"Louw, M.T., Thotta, K., Venkatakrishnan, V.N.: AdJail: practical enforcement of confidentiality and integrity policies on web advertisments. In: Proceedings of USENIX Security Symposium, pp. 371\u2013388 (2010)"},{"key":"6_CR30","doi-asserted-by":"crossref","unstructured":"Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 231\u2013245 (2007)","DOI":"10.1109\/SP.2007.17"},{"issue":"1","key":"6_CR31","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1016\/j.entcs.2007.10.010","volume":"197","author":"SK Nair","year":"2008","unstructured":"Nair, S.K., Simpson, P.N.D., Crispo, B., Tanenbaum, A.S.: A virtual machine based information flow control system for policy enforcement. Electron. Notes Theor. Comput. Sci. (ENTCS) 197(1), 3\u201316 (2008)","journal-title":"Electron. Notes Theor. Comput. Sci. (ENTCS)"},{"key":"6_CR32","unstructured":"\u00d6zkan, S.: CVE Details. http:\/\/www.cvedetails.com. Accessed April 2016"},{"issue":"6","key":"6_CR33","doi-asserted-by":"publisher","first-page":"864","DOI":"10.1016\/j.comnet.2008.11.011","volume":"5","author":"R Perdisci","year":"2009","unstructured":"Perdisci, R., Ariu, D., Fogla, P., Giacinto, G., Lee, W.: McPAD: a multiple classifier system for accurate payload-based anomaly detection. Comput. Netw. 5(6), 864\u2013881 (2009)","journal-title":"Comput. Netw."},{"key":"6_CR34","unstructured":"Pignotti, A.: Lightspark. https:\/\/github.com\/lightspark. Accessed April 2016"},{"key":"6_CR35","unstructured":"Ratanaworabhan, P., Livshits, B., Zorn, B.: Nozzle: a defense against heap-spraying code injection attacks. In: Proceedings of USENIX Security Symposium, pp. 169\u2013186 (2009)"},{"key":"6_CR36","doi-asserted-by":"crossref","unstructured":"Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for javascript. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 513\u2013528 (2010)","DOI":"10.1109\/SP.2010.38"},{"key":"6_CR37","volume-title":"Learning with Kernels","author":"B Sch\u00f6lkopf","year":"2002","unstructured":"Sch\u00f6lkopf, B., Smola, A.J.: Learning with Kernels. MIT Press, Cambridge (2002)"},{"key":"6_CR38","volume-title":"Algorithms","author":"R Sedgewick","year":"2011","unstructured":"Sedgewick, R., Wayne, K.: Algorithms, 4th edn. Addison-Wesley, Boston (2011)","edition":"4"},{"key":"6_CR39","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"88","DOI":"10.1007\/978-3-540-70542-0_5","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"MZ Shafiq","year":"2008","unstructured":"Shafiq, M.Z., Khayam, S.A., Farooq, M.: Embedded malware detection using markov n-grams. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 88\u2013107. Springer, Heidelberg (2008)"},{"key":"6_CR40","doi-asserted-by":"publisher","first-page":"231","DOI":"10.1007\/978-0-387-44599-1_11","volume-title":"Malware Detection","author":"SJ Stolfo","year":"2007","unstructured":"Stolfo, S.J., Wang, K., Li, W.-J.: Towards stealthy malware detection. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds.) Malware Detection, pp. 231\u2013249. Springer, USA (2007)"},{"issue":"2","key":"6_CR41","doi-asserted-by":"publisher","first-page":"164","DOI":"10.1109\/TPAMI.1979.4766902","volume":"1","author":"C Suen","year":"1979","unstructured":"Suen, C.: N-gram statistics for natural language understanding, text processing. IEEE Trans. Pattern Anal. Mach. Intell. 1(2), 164\u2013172 (1979)","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"6_CR42","unstructured":"Systems, A.: Adobe Flash runtimes: Statistics. http:\/\/www.adobe.com\/products\/flashruntimes\/statistics.html. Accessed April 2016"},{"key":"6_CR43","doi-asserted-by":"crossref","unstructured":"van Acker, S., Nikiforakis, N., Desmet, L., Joosen, W., Piessens, F.: FlashOver: automated discovery of cross-site scripting vulnerabilities in rich internet applications. In: Proceedings of ACM Symposium on Information, Computer and Communications Security (ASIACCS) (2012)","DOI":"10.1145\/2414456.2414462"},{"key":"6_CR44","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"274","DOI":"10.1007\/978-3-642-33338-5_14","volume-title":"Research in Attacks, Intrusions, and Defenses","author":"T Van Overveldt","year":"2012","unstructured":"Van Overveldt, T., Kruegel, C., Vigna, G.: FlashDetect: actionscript 3 malware detection. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 274\u2013293. Springer, Heidelberg (2012)"},{"key":"6_CR45","unstructured":"\u0160rndi\u0107, N., Laskov, P.: Detection of malicious PDF files based on hierarchical document structure. In: Proceedings of Network and Distributed System Security Symposium (NDSS) (2013)"},{"key":"6_CR46","doi-asserted-by":"crossref","unstructured":"Wagner, D., Soto, P.: Mimicry attacks on host based intrusion detection systems. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), pp. 255\u2013264 (2002)","DOI":"10.1145\/586110.586145"},{"key":"6_CR47","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"226","DOI":"10.1007\/11856214_12","volume-title":"Recent Advances in Intrusion Detection","author":"K Wang","year":"2006","unstructured":"Wang, K., Parekh, J.J., Stolfo, S.J.: Anagram: a content anomaly detector resistant to mimicry attack. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 226\u2013248. Springer, Heidelberg (2006)"},{"key":"6_CR48","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"219","DOI":"10.1007\/978-3-540-74320-0_12","volume-title":"Recent Advances in Intrusion Detection","author":"J Wilhelm","year":"2007","unstructured":"Wilhelm, J., Chiueh, T.: A forced sampled execution approach to kernel rootkit identification. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 219\u2013235. Springer, Heidelberg (2007)"},{"key":"6_CR49","unstructured":"Wook Oh, J.: AVM inception - how we can use AVM instrumentation in a beneficial way. In: Shmoocon (2012)"},{"key":"6_CR50","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"164","DOI":"10.1007\/978-3-642-41284-4_9","volume-title":"Research in Attacks, Intrusions, and Defenses","author":"C Wressnegger","year":"2013","unstructured":"Wressnegger, C., Boldewin, F., Rieck, K.: Deobfuscating embedded malware using probable-plaintext attacks. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 164\u2013183. Springer, Heidelberg (2013)"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware, and Vulnerability Assessment"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-40667-1_6","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,3,13]],"date-time":"2024-03-13T10:24:43Z","timestamp":1710325483000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-319-40667-1_6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016]]},"ISBN":["9783319406664","9783319406671"],"references-count":50,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-40667-1_6","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2016]]},"assertion":[{"value":"12 June 2016","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}}]}}