{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,28]],"date-time":"2025-03-28T06:06:49Z","timestamp":1743142009052,"version":"3.40.3"},"publisher-location":"Cham","reference-count":35,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319584683"},{"type":"electronic","value":"9783319584690"}],"license":[{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017]]},"DOI":"10.1007\/978-3-319-58469-0_13","type":"book-chapter","created":{"date-parts":[[2017,5,3]],"date-time":"2017-05-03T11:34:53Z","timestamp":1493811293000},"page":"189-204","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["HyBIS: Advanced Introspection for Effective Windows Guest Protection"],"prefix":"10.1007","author":[{"given":"Roberto","family":"Di Pietro","sequence":"first","affiliation":[]},{"given":"Federico","family":"Franzoni","sequence":"additional","affiliation":[]},{"given":"Flavio","family":"Lombardi","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2017,5,4]]},"reference":[{"key":"13_CR1","unstructured":"Kvm. http:\/\/www.linux-kvm.org. Accessed 20 Feb 2017"},{"key":"13_CR2","unstructured":"Rekall memory forensic framework. http:\/\/www.rekall-forensic.com. Accessed 20 Feb 2017"},{"key":"13_CR3","unstructured":"The volatilty foundation. http:\/\/www.volatilityfoundation.org. Accessed 20 Feb 2017"},{"key":"13_CR4","unstructured":"The xen project. http:\/\/xenproject.org. Accessed 20 Feb 2017"},{"key":"13_CR5","unstructured":"Rekall profiles, February 2014. http:\/\/rekall-forensic.blogspot.it\/2014\/02\/rekall-profiles.html. Accessed 20 Feb 2017"},{"key":"13_CR6","unstructured":"Windows Virtual Address Translation (2015). http:\/\/www.rekall-forensic.com\/posts\/2015-08-03-address_translation.html. Accessed 20 Feb 2017"},{"issue":"S1","key":"13_CR7","doi-asserted-by":"publisher","first-page":"S16","DOI":"10.1016\/j.diin.2015.05.010","volume":"14","author":"D Balzarotti","year":"2015","unstructured":"Balzarotti, D., Di Pietro, R., Villani, A.: The impact of GPU-assisted malware on memory forensics. Digit. Investig. 14(S1), S16\u2013S24 (2015)","journal-title":"Digit. Investig."},{"key":"13_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"352","DOI":"10.1007\/978-3-540-30108-0_22","volume-title":"Computer Security \u2013 ESORICS 2004","author":"R Battistoni","year":"2004","unstructured":"Battistoni, R., Gabrielli, E., Mancini, L.V.: A host intrusion prevention system for windows operating systems. In: Samarati, P., Ryan, P., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 352\u2013368. Springer, Heidelberg (2004). doi:10.1007\/978-3-540-30108-0_22"},{"key":"13_CR9","doi-asserted-by":"crossref","unstructured":"Deng, Z., Zhang, X., Xu, D.: Spider: stealthy binary program instrumentation and debugging via hardware virtualization. In: Proceedings of the 29th Annual Computer Security Applications Conference, ACSAC 2013, pp. 289\u2013298. ACM, New York (2013)","DOI":"10.1145\/2523649.2523675"},{"key":"13_CR10","doi-asserted-by":"crossref","unstructured":"Di Pietro, R., Lombardi, F., Villani, A.: CUDA Leaks: a detailed hack for CUDA and a (Partial) fix. ACM Trans. Embed. Comput. Syst. 15(1), 15:1\u201315:25 (2016)","DOI":"10.1145\/2801153"},{"key":"13_CR11","volume-title":"Intrusion Detection Systems","author":"R Di Pietro","year":"2008","unstructured":"Di Pietro, R., Mancini, L.V.: Intrusion Detection Systems, 1st edn. Springer Publishing Company, Incorporated (2008)","edition":"1"},{"key":"13_CR12","doi-asserted-by":"crossref","unstructured":"Gu, Y., Lin, Z.: Derandomizing kernel address space layout for memory introspection and forensics. In: Proceedings of the 6th Conference on Data and Application Security and Privacy, CODASPY 2016, pp. 62\u201372. ACM, New York (2016)","DOI":"10.1145\/2857705.2857707"},{"key":"13_CR13","unstructured":"Harrison, C.B.: ODinn: An In-Vivo Hypervisor-based Intrusion Detection System for the Cloud. Ph.D. thesis, Auburn University (2014)"},{"key":"13_CR14","doi-asserted-by":"crossref","unstructured":"Hebbal, Y., Laniepce, S., Menaud, J.-M.: Virtual machine introspection: Techniques and applications. In: 10th International Conference on Availability, Reliability and Security (ARES), pp. 676\u2013685, August 2015","DOI":"10.1109\/ARES.2015.43"},{"key":"13_CR15","doi-asserted-by":"crossref","unstructured":"Henderson, A., Prakash, A., Yan, L.K., Hu, X., Wang, X., Zhou, R., Yin, H.: Make it work, make it right, make it fast: Building a platform-neutral whole-system dynamic binary analysis platform. In: Proceedings of the International Symposium on Software Testing and Analysis, ISSTA 2014, pp. 248\u2013258. ACM, New York (2014)","DOI":"10.1145\/2610384.2610407"},{"key":"13_CR16","doi-asserted-by":"crossref","unstructured":"Hizver, J., Chiueh, T.-C.: Real-time deep virtual machine introspection and its applications. In: ACM SIGPLAN Notices, vol. 49, pp. 3\u201314. ACM (2014)","DOI":"10.1145\/2674025.2576196"},{"key":"13_CR17","volume-title":"Rootkits: Subverting the Windows Kernel","author":"G Hoglund","year":"2005","unstructured":"Hoglund, G., Butler, J.: Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, Boston (2005)"},{"key":"13_CR18","unstructured":"Ionescu, A.: How control flow guard drastically caused windows 8.1 address space and behavior changes (2015). http:\/\/www.alex-ionescu.com\/?p=246. Accessed 20 Feb 2017"},{"issue":"1","key":"13_CR19","first-page":"1","volume":"5","author":"JD Kornblum","year":"2006","unstructured":"Kornblum, J.D.: Exploiting the rootkit paradox with windows memory analysis. Int. J. Digital Evid. 5(1), 1\u20135 (2006)","journal-title":"Int. J. Digital Evid."},{"key":"13_CR20","doi-asserted-by":"crossref","unstructured":"Lengyel, T.K., Maresca, S., Payne, B.D., Webster, G.D., Vogl, S., Kiayias, A.: Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system. In: Proceedings of the 30th Annual Computer Security Applications Conference (2014)","DOI":"10.1145\/2664243.2664252"},{"issue":"4","key":"13_CR21","doi-asserted-by":"publisher","first-page":"1113","DOI":"10.1016\/j.jnca.2010.06.008","volume":"34","author":"F Lombardi","year":"2011","unstructured":"Lombardi, F., Di Pietro, R.: Secure virtualization for cloud computing. J. Netw. Comput. Appl. 34(4), 1113\u20131122 (2011)","journal-title":"J. Netw. Comput. Appl."},{"issue":"4","key":"13_CR22","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/1988997.1989022","volume":"36","author":"C Mahapatra","year":"2011","unstructured":"Mahapatra, C., Selvakumar, S.: An online cross view difference and behavior based kernel rootkit detector. SIGSOFT Softw. Eng. Notes 36(4), 1\u20139 (2011)","journal-title":"SIGSOFT Softw. Eng. Notes"},{"key":"13_CR23","doi-asserted-by":"crossref","unstructured":"Mulfari, D., Celesti, A., Puliafito, A., Villari, M.: How cloud computing can support on-demand assistive services. In: Proceedings of the 10th International Cross-Disciplinary Conference on Web Accessibility, W4A 2013, pp. 27:1\u201327:4. ACM, New York (2013)","DOI":"10.1145\/2461121.2461140"},{"key":"13_CR24","unstructured":"Oracle Corp. Oracle vm virtualbox programming guide and reference (2016). http:\/\/download.virtualbox.org\/virtualbox\/SDKRef.pdf. Accessed 20 Feb 2017"},{"key":"13_CR25","unstructured":"Rutkowska, J.: Beyond the CPU: Defeating Hardware-based RAM acquisition. Black Hat Briefings (2006). Accessed 20 Feb 2017"},{"key":"13_CR26","unstructured":"M. Tech. Intercepting all system calls by hooking kifastsystemcall, April 2015. http:\/\/www.malwaretech.com\/2015\/04\/intercepting-all-system-calls-by.html. Accessed 20 Feb 2017"},{"key":"13_CR27","unstructured":"M. TechNet. What\u2019s changed in security technologies in windows 8.1, July 2013. https:\/\/technet.microsoft.com\/it-it\/library\/dn344918.aspx. Accessed 20 Feb 2017"},{"key":"13_CR28","unstructured":"Tsaur, W., Yeh, L.: Identifying rootkit infections using a new windows hidden-driver-based rootkit. In: International Conference on Security and Management, Las Vegas, USA, pp. 16\u201319, July 2012"},{"issue":"2","key":"13_CR29","doi-asserted-by":"publisher","first-page":"125","DOI":"10.1016\/j.diin.2012.04.005","volume":"9","author":"S V\u00f6mel","year":"2012","unstructured":"V\u00f6mel, S., Freiling, F.C.: Correctness, atomicity, and integrity: defining criteria for forensically-sound memory acquisition. Digital Invest. 9(2), 125\u2013137 (2012)","journal-title":"Digital Invest."},{"key":"13_CR30","doi-asserted-by":"crossref","unstructured":"Win, T.Y., Tianfield, H., Mair, Q., Said, T.A., Rana, O.F.: Virtual machine introspection. In: Proceedings of the 7th International Conference on Security of Information and Networks, SIN 2014, pp. 405:405\u2013405:410. ACM, New York (2014)","DOI":"10.1145\/2659651.2659710"},{"key":"13_CR31","unstructured":"Wyke, J.: What is Zeus? Sophos Technical report, Sophos, May 2011"},{"key":"13_CR32","unstructured":"Wyke, J.: Zeroaccess. Technical report, April 2012"},{"key":"13_CR33","doi-asserted-by":"crossref","unstructured":"Zhang, F., Leach, K., Sun, K., Stavrou, A.: SPECTRE: a dependable introspection framework via System Management Mode. In: Proceedings of the 43rd IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN), DSN 2013, pp. 1\u201312. IEEE Computer Society, Washington, DC (2013)","DOI":"10.1109\/DSN.2013.6575343"},{"key":"13_CR34","doi-asserted-by":"crossref","unstructured":"Zhang, N., Sun, K., Lou, W., Hou, Y.T., Jajodia, S.: Now you see me: Hide and seek in physical address space. In: Proceedings of the 10th Symposium on Information, Computer and Communications Security, ASIACCS 2015, pp. 321\u2013331. ACM, New York (2015)","DOI":"10.1145\/2714576.2714600"},{"issue":"3","key":"13_CR35","doi-asserted-by":"publisher","first-page":"455","DOI":"10.1007\/s10766-013-0285-2","volume":"43","author":"X Zhong","year":"2015","unstructured":"Zhong, X., Xiang, C., Yu, M., Qi, Z., Guan, H.: A virtualization based monitoring system for mini-intrusive live forensics. Int. J. Parallel Program. 43(3), 455\u2013471 (2015)","journal-title":"Int. J. Parallel Program."}],"container-title":["IFIP Advances in Information and Communication Technology","ICT Systems Security and Privacy Protection"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-58469-0_13","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,5,22]],"date-time":"2021-05-22T00:05:54Z","timestamp":1621641954000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-319-58469-0_13"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017]]},"ISBN":["9783319584683","9783319584690"],"references-count":35,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-58469-0_13","relation":{},"ISSN":["1868-4238","1868-422X"],"issn-type":[{"type":"print","value":"1868-4238"},{"type":"electronic","value":"1868-422X"}],"subject":[],"published":{"date-parts":[[2017]]},"assertion":[{"value":"4 May 2017","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"SEC","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"IFIP International Conference on ICT Systems Security and Privacy Protection","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Rome","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Italy","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2017","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"29 May 2017","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"31 May 2017","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"32","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"sec2017","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/ifipsec.org\/2017\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"This content has been made available to all.","name":"free","label":"Free to read"}]}}