{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T18:56:53Z","timestamp":1774465013881,"version":"3.50.1"},"publisher-location":"Cham","reference-count":40,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319663319","type":"print"},{"value":"9783319663326","type":"electronic"}],"license":[{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017]]},"DOI":"10.1007\/978-3-319-66332-6_4","type":"book-chapter","created":{"date-parts":[[2017,10,11]],"date-time":"2017-10-11T07:58:05Z","timestamp":1507708685000},"page":"73-97","source":"Crossref","is-referenced-by-count":9,"title":["Lens on the Endpoint: Hunting for Malicious Software Through Endpoint Data Analysis"],"prefix":"10.1007","author":[{"given":"Ahmet Salih","family":"Buyukkayhan","sequence":"first","affiliation":[]},{"given":"Alina","family":"Oprea","sequence":"additional","affiliation":[]},{"given":"Zhou","family":"Li","sequence":"additional","affiliation":[]},{"given":"William","family":"Robertson","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2017,10,12]]},"reference":[{"key":"4_CR1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"178","DOI":"10.1007\/978-3-540-74320-0_10","volume-title":"Recent Advances in Intrusion Detection","author":"M Bailey","year":"2007","unstructured":"Bailey, M., Oberheide, J., Andersen, J., Mao, Z.M., Jahanian, F., Nazario, J.: Automated classification and analysis of internet malware. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 178\u2013197. Springer, Heidelberg (2007). doi: 10.1007\/978-3-540-74320-0_10"},{"key":"4_CR2","unstructured":"Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: Proceedings of Network and Distributed System Security Symposium, NDSS, vol. 9, pp. 8\u201311 (2009)"},{"key":"4_CR3","doi-asserted-by":"crossref","unstructured":"Bianchi, A., Shoshitaishvili, Y., Kruegel, C., Vigna, G.: Blacksheep: detecting compromised hosts in homogeneous crowds. In: Proceedings of ACM Conference on Computer and Communications Security, CCS, pp. 341\u2013352. ACM (2012)","DOI":"10.1145\/2382196.2382234"},{"key":"4_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"46","DOI":"10.1007\/978-3-319-11379-1_3","volume-title":"Research in Attacks, Intrusions and Defenses","author":"KD Bowers","year":"2014","unstructured":"Bowers, K.D., Hart, C., Juels, A., Triandopoulos, N.: PillarBox: combating next-generation malware with fast forward-secure logging. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 46\u201367. Springer, Cham (2014). doi: 10.1007\/978-3-319-11379-1_3"},{"key":"4_CR5","doi-asserted-by":"crossref","unstructured":"Canali, D., Lanzi, A., Balzarotti, D., Kruegel, C., Christodorescu, M., Kirda, E.: A quantitative study of accuracy in system call-based malware detection. In: Proceedings of International Symposium on Software Testing and Analysis, pp. 122\u2013132. ACM (2012)","DOI":"10.1145\/2338965.2336768"},{"key":"4_CR6","doi-asserted-by":"crossref","unstructured":"Chau, D.H., Nachenberg, C., Wilhelm, J., Wright, A., Faloutsos, C.: Polonium: tera-scale graph mining and inference for malware detection. In: Proceedings of SIAM International Conference on Data Mining, SDM, SIAM (2011)","DOI":"10.1137\/1.9781611972818.12"},{"key":"4_CR7","unstructured":"Damballa: first zeus, now spyeye. look at the source code now! (2011). https:\/\/www.damballa.com\/first-zeus-now-spyeye-look-the-source-code-now\/"},{"key":"4_CR8","unstructured":"Dash, M., Choi, K., Scheuermann, P., Liu, H.: Feature selection for clustering - a filter solution. In: Proceedings of International Conference on Data Mining, ICDM, pp. 115\u2013122. IEEE (2002)"},{"key":"4_CR9","unstructured":"Ester, M., Kriegel, H.P., Sander, J., Xu, X.: A density-based algorithm for discovering clusters in large spatial databases with noise. In: Proceedings of 2nd ACM SIGKDD Conference on Knowledge Discovery and Data Mining, KDD, pp. 226\u2013231. ACM (1996)"},{"key":"4_CR10","doi-asserted-by":"crossref","unstructured":"Feng, H.H., Kolesnikov, O.M., Fogla, P., Lee, W., Gong, W.: Anomaly detection using call stack information. In: Proceedings of IEEE Symposium on Security and Privacy, S&P, pp. 62\u201375. IEEE (2003)","DOI":"10.1109\/SECPRI.2003.1199328"},{"key":"4_CR11","doi-asserted-by":"crossref","unstructured":"Gao, D., Reiter, M.K., Song, D.: Gray-box extraction of execution graphs for anomaly detection. In: Proceedings of ACM Conference on Computer and Communications Security, CCS, pp. 318\u2013329. ACM (2004)","DOI":"10.1145\/1030083.1030126"},{"key":"4_CR12","unstructured":"Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: BotHunter: detecting malware infection through IDS-driven dialog correlation. In: Proceedings of USENIX Security Symposium, SECURITY, pp. 12:1\u201312:16. USENIX Association (2007)"},{"key":"4_CR13","doi-asserted-by":"crossref","unstructured":"Gu, Z., Pei, K., Wang, Q., Si, L., Zhang, X., Xu, D.: LEAPS: detecting camouflaged attacks with statistical learning guided by program analysis. In: Proceedings of International Conference on Dependable Systems and Networks, DSN, pp. 57\u201368. IEEE\/IFIP (2015)","DOI":"10.1109\/DSN.2015.34"},{"key":"4_CR14","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-84858-7","volume-title":"The Elements of Statistical Learning: Data Mining, Inference, and Prediction","author":"T Hastie","year":"2009","unstructured":"Hastie, T., Tibshirani, R., Friedman, J.: The Elements of Statistical Learning: Data Mining, Inference, and Prediction. Springer, New York (2009). doi: 10.1007\/978-0-387-84858-7"},{"key":"4_CR15","unstructured":"He, X., Cai, D., Niyogi, P.: Laplacian score for feature selection. In: Proceedings of Advances in Neural Information Processing Systems, NIPS, pp. 507\u2013514 (2005)"},{"issue":"3","key":"4_CR16","doi-asserted-by":"crossref","first-page":"151","DOI":"10.3233\/JCS-980109","volume":"6","author":"SA Hofmeyr","year":"1998","unstructured":"Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. J. Comput. Secur. 6(3), 151\u2013180 (1998)","journal-title":"J. Comput. Secur."},{"key":"4_CR17","doi-asserted-by":"crossref","unstructured":"Hu, X., Shin, K.G.: DUET: integration of dynamic and static analyses for malware clustering with cluster ensembles. In: Proceedings of 29th Annual Computer Security Applications Conference, ACSAC, pp. 79\u201388 (2013)","DOI":"10.1145\/2523649.2523677"},{"key":"4_CR18","unstructured":"Hu, X., Shin, K.G., Bhatkar, S., Griffin, K.: MutantX-S: scalable malware clustering based on static features. In: Proceedings of USENIX Annual Technical Conference, ATC, pp. 187\u2013198. USENIX Association (2013)"},{"key":"4_CR19","unstructured":"Kolbitsch, C., Comparetti, P.M., Kruegel, C., Kirda, E., Zhou, X., Wang, X.: Effective and efficient malware detection at the end host. In: Proceedings of USENIX Security Symposium, SECURITY, pp. 351\u2013366. USENIX Association (2009)"},{"key":"4_CR20","doi-asserted-by":"crossref","unstructured":"Lanzi, A., Balzarotti, D., Kruegel, C., Christodorescu, M., Kirda, E.: AccessMiner: using system-centric models for malware protection. In: Proceedings of ACM Conference on Computer and Communications Security, CCS, pp. 399\u2013412. ACM (2010)","DOI":"10.1145\/1866307.1866353"},{"key":"4_CR21","unstructured":"Lee, W., Stolfo, S.J.: Data mining approaches for intrusion detection. In: Proceedings of USENIX Security Symposium, SECURITY. USENIX Association (1998)"},{"key":"4_CR22","unstructured":"Lee, W., Stolfo, S.J., Chan, P.K.: Learning patterns from UNIX process execution traces for intrusion detection. In: Proceedings of AAAI Workshop on AI Approaches to Fraud Detection and Risk Management, pp. 50\u201356. AAAI (1997)"},{"key":"4_CR23","unstructured":"MANDIANT: APT1: Exposing one of China\u2019s cyber espionage units. Report available from (2013). www.mandiant.com"},{"key":"4_CR24","unstructured":"Mandiant Consulting: M-TRENDS 2016 (2016). https:\/\/www2.fireeye.com\/rs\/848-DID-242\/images\/Mtrends2016.pdf"},{"key":"4_CR25","unstructured":"McAfee Labs: Diary of a \u201cRAT\u201d (Remote Access Tool) (2011). https:\/\/kc.mcafee.com\/resources\/sites\/MCAFEE\/content\/live\/PRODUCT_DOCUMENTATION\/23000\/PD23258\/en_US\/Diary_of_a_RAT_datasheet.pdf"},{"key":"4_CR26","unstructured":"McAfee Labs: ZeroAccess Rootkit. (2013). https:\/\/kc.mcafee.com\/resources\/sites\/MCAFEE\/content\/live\/PRODUCT_DOCUMENTATION\/23000\/PD23412\/en_US\/McAfee"},{"key":"4_CR27","doi-asserted-by":"crossref","unstructured":"Neugschwandtner, M., Comparetti, P.M., Jacob, G., Kruegel, C.: Forecast: skimming off the malware cream. In: Proceedings of 27th Annual Computer Security Applications Conference, ACSAC, pp. 11\u201320 (2011)","DOI":"10.1145\/2076732.2076735"},{"key":"4_CR28","doi-asserted-by":"crossref","unstructured":"Oprea, A., Li, Z., Yen, T., Chin, S.H., Alrwais, S.A.: Detection of early-stage enterprise infection by mining large-scale log data. In: Proceedings of 45th Annual International Conference on Dependable Systems and Networks, DSN, pp. 45\u201356. IEEE\/IFIP (2015)","DOI":"10.1109\/DSN.2015.14"},{"key":"4_CR29","unstructured":"Perdisci, R., Lee, W., Feamster, N.: Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In: Proceedings of Symposium on Networked Systems Design and Implementation, NSDI, pp. 391\u2013404. USENIX Association (2010)"},{"key":"4_CR30","doi-asserted-by":"crossref","unstructured":"Rahbarinia, B., Balduzzi, M., Perdisci, R.: Real-time detection of malware downloads via large-scale URL $$\\rightarrow $$ file $$\\rightarrow $$ machine graph mining. In: Proceedings of ACM Asia Conference on Computer and Communications Security, AsiaCCS, pp. 1117\u20131130. ACM (2016)","DOI":"10.1145\/2897845.2897918"},{"issue":"4","key":"4_CR31","doi-asserted-by":"crossref","first-page":"639","DOI":"10.3233\/JCS-2010-0410","volume":"19","author":"K Rieck","year":"2011","unstructured":"Rieck, K., Trinius, P., Willems, C., Holz, T.: Automatic analysis of malware behavior using machine learning. J. Comput. Secur. 19(4), 639\u2013668 (2011)","journal-title":"J. Comput. Secur."},{"key":"4_CR32","doi-asserted-by":"crossref","unstructured":"Sekar, R., Bendre, M., Dhurjati, D., Bollineni, P.: A fast automaton-based method for detecting anomalous program behaviors. In: Proceedings of IEEE Symposium on Security and Privacy, S&P, pp. 144\u2013155. IEEE (2001)","DOI":"10.1109\/SECPRI.2001.924295"},{"issue":"13","key":"4_CR33","doi-asserted-by":"crossref","first-page":"2628","DOI":"10.1016\/j.comnet.2013.05.010","volume":"57","author":"S Shin","year":"2013","unstructured":"Shin, S., Xu, Z., Gu, G.: EFFORT: a new host-network cooperated framework for efficient and effective bot malware detection. Comput. Networks (Elsevier) 57(13), 2628\u20132642 (2013)","journal-title":"Comput. Networks (Elsevier)"},{"key":"4_CR34","unstructured":"Symantec: The Rebirth Of Endpoint Security. http:\/\/www.darkreading.com\/endpoint\/the-rebirth-of-endpoint-security\/d\/d-id\/1322775"},{"key":"4_CR35","doi-asserted-by":"crossref","unstructured":"Tamersoy, A., Roundy, K., Chau, D.H.: Guilt by association: large scale malware detection by mining file-relation graphs. In: Proceedings of ACM SIGKDD Conference on Knowledge Discovery and Data Mining, KDD, pp. 1524\u20131533. ACM (2014)","DOI":"10.1145\/2623330.2623342"},{"key":"4_CR36","unstructured":"Verizon: 2015 data breach investigations report (2015). http:\/\/www.verizonenterprise.com\/DBIR\/2015\/"},{"key":"4_CR37","unstructured":"Wicherski, G.: peHash: a novel approach to fast malware clustering. In: 2nd Workshop on Large-Scale Exploits and Emergent Threats. LEET, USENIX Association (2009)"},{"key":"4_CR38","doi-asserted-by":"crossref","unstructured":"Yen, T.F., Heorhiadi, V., Oprea, A., Reiter, M.K., Juels, A.: An epidemiological study of malware encounters in a large enterprise. In: Proceedings of ACM Conference on Computer and Communications Security, CCS, pp. 1117\u20131130. ACM (2014)","DOI":"10.1145\/2660267.2660330"},{"key":"4_CR39","doi-asserted-by":"crossref","unstructured":"Yen, T.F., Oprea, A., Onarlioglu, K., Leetham, T., Robertson, W., Juels, A., Kirda, E.: Beehive: large-scale log analysis for detecting suspicious activity in enterprise networks. In: Proceedings of 29th Annual Computer Security Applications Conference, ACSAC, pp. 199\u2013208 (2013)","DOI":"10.1145\/2523649.2523670"},{"key":"4_CR40","unstructured":"Zeng, Y., Hu, X., Shin, K.G.: Detection of botnets using combined host- and network-level information. In: Proceedings of International Conference on Dependable Systems and Networks, DSN, pp. 291\u2013300. IEEE\/IFIP (2010)"}],"container-title":["Lecture Notes in Computer Science","Research in Attacks, Intrusions, and Defenses"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-66332-6_4","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,10,4]],"date-time":"2019-10-04T09:17:55Z","timestamp":1570180675000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-66332-6_4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017]]},"ISBN":["9783319663319","9783319663326"],"references-count":40,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-66332-6_4","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017]]}}}