{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,1]],"date-time":"2025-07-01T04:09:15Z","timestamp":1751342955394,"version":"3.41.0"},"publisher-location":"Cham","reference-count":50,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319751597"},{"type":"electronic","value":"9783319751603"}],"license":[{"start":{"date-parts":[[2018,1,1]],"date-time":"2018-01-01T00:00:00Z","timestamp":1514764800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018]]},"DOI":"10.1007\/978-3-319-75160-3_22","type":"book-chapter","created":{"date-parts":[[2018,2,3]],"date-time":"2018-02-03T03:37:15Z","timestamp":1517629035000},"page":"362-382","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["An Improved Method to Unveil Malware\u2019s Hidden Behavior"],"prefix":"10.1007","author":[{"given":"Qiang","family":"Li","sequence":"first","affiliation":[]},{"given":"Yunan","family":"Zhang","sequence":"additional","affiliation":[]},{"given":"Liya","family":"Su","sequence":"additional","affiliation":[]},{"given":"Yang","family":"Wu","sequence":"additional","affiliation":[]},{"given":"Xinjian","family":"Ma","sequence":"additional","affiliation":[]},{"given":"Zeming","family":"Yang","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2018,2,4]]},"reference":[{"key":"22_CR1","unstructured":"Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., Vigna, G.: Efficient detection of split personalities in malware. In: NDSS 2010, 17th Annual Network and Distributed System Security Symposium, February 2010"},{"issue":"1","key":"22_CR2","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/s11416-006-0012-2","volume":"2","author":"U Bayer","year":"2006","unstructured":"Bayer, U., Moser, A., Kruegel, C., Kirda, E.: Dynamic analysis of malicious code. J. Comput. Virol. 2(1), 67\u201377 (2006)","journal-title":"J. Comput. Virol."},{"key":"22_CR3","doi-asserted-by":"crossref","unstructured":"Bilge, L., Dumitras, T.: Before we knew it: an empirical study of zero-day attacks in the real world. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 833\u2013844. ACM, New York (2012)","DOI":"10.1145\/2382196.2382284"},{"key":"22_CR4","unstructured":"Brumley, D., Hartwig, C., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Song, D., Yin, H.: Bitscope: automatically dissecting malicious binaries. Technical report, In CMU-CS-07-133 (2007)"},{"key":"22_CR5","doi-asserted-by":"publisher","unstructured":"Brumley, D., Hartwig, C., Liang, Z., Newsome, J., Song, D., Yin, H.: Automatically identifying trigger-based behavior in malware. In: Lee, W., Wang, C., Dagon, D. (eds.) Botnet Detection. Advances in Information Security, vol. 36. Springer, Boston (2008). https:\/\/doi.org\/10.1007\/978-0-387-68768-1_4","DOI":"10.1007\/978-0-387-68768-1_4"},{"key":"22_CR6","unstructured":"Cadar, C., Dunbar, D., Engler, D.R.: Klee: unassisted and automatic generation of high-coverage tests for complex systems programs. In: OSDI, vol. 8, pp. 209\u2013224 (2008)"},{"key":"22_CR7","doi-asserted-by":"crossref","unstructured":"Cha, S.K., Avgerinos, T., Rebert, A., Brumley, D.: Unleashing mayhem on binary code. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP 2012, pp. 380\u2013394. IEEE Computer Society, Washington, DC (2012)","DOI":"10.1109\/SP.2012.31"},{"key":"22_CR8","unstructured":"Chen, X., Andersen, J., Mao, Z.M., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: 2008 IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN), pp. 177\u2013186, June 2008"},{"key":"22_CR9","doi-asserted-by":"crossref","unstructured":"Comparetti, P.M., Salvaneschi, G., Kirda, E., Kolbitsch, C., Kruegel, C., Zanero, S.: Identifying dormant functionality in malware programs. In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 61\u201376. IEEE (2010)","DOI":"10.1109\/SP.2010.12"},{"key":"22_CR10","unstructured":"Cuckoo: Automated malware analysis - cuckoo sandbox (2016). http:\/\/www.cuckoosandbox.org\/"},{"key":"22_CR11","doi-asserted-by":"crossref","unstructured":"Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: CCS 2008, pp. 51\u201362. ACM (2008)","DOI":"10.1145\/1455770.1455779"},{"key":"22_CR12","unstructured":"Ferrie, T.L.: Win32.netsky.c. https:\/\/www.symantec.com\/security_response\/writeup.jsp?docid=2004-022417-4628-99"},{"key":"22_CR13","doi-asserted-by":"crossref","unstructured":"Fleck, D., Tokhtabayev, A., Alarif, A., Stavrou, A., Nykodym, T.: Pytrigger: a system to trigger & extract user-activated malware behavior. In: 2013 Eighth International Conference on Availability, Reliability and Security (ARES), pp. 92\u2013101. IEEE (2013)","DOI":"10.1109\/ARES.2013.16"},{"key":"22_CR14","unstructured":"GeorgiaTech: Open malware (2016). http:\/\/www.offensivecomputing.net\/"},{"key":"22_CR15","unstructured":"Gettis, S.: W32.mydoom.b@mm. https:\/\/www.symantec.com\/security_response\/writeup.jsp?docid=2004-022011-2447-99"},{"key":"22_CR16","doi-asserted-by":"crossref","unstructured":"Godefroid, P.: Compositional dynamic test generation. In: Proceedings of the 34th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2007, pp. 47\u201354. ACM, New York (2007)","DOI":"10.1145\/1190216.1190226"},{"key":"22_CR17","unstructured":"Google: Virustotal (2016). https:\/\/www.virustotal.com\/"},{"key":"22_CR18","doi-asserted-by":"crossref","unstructured":"Graziano, M., Leita, C., Balzarotti, D.: Towards network containment in malware analysis systems. In: Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC 2012, pp. 339\u2013348. ACM, New York (2012)","DOI":"10.1145\/2420950.2421000"},{"key":"22_CR19","unstructured":"Hindocha, N.: Win32.netsky.d. https:\/\/www.symantec.com\/security_response\/writeup.jsp?docid=2004-030110-0232-99"},{"key":"22_CR20","unstructured":"Kaspersky: Duqu (2016). http:\/\/www.kaspersky.com\/about\/press\/major_malware_outbreaks\/duqu"},{"key":"22_CR21","unstructured":"Kirat, D., Vigna, G., Kruegel, C.: Barecloud: bare-metal analysis-based evasive malware detection. In: Proceedings of the 23rd USENIX conference on Security Symposium (SEC 2014), pp. 287\u2013301. USENIX Association, Berkeley (2014)"},{"key":"22_CR22","unstructured":"Kolbitsch, C., Comparetti, P.M., Kruegel, C., Kirda, E., Zhou, X., Wang, X.: Effective and efficient malware detection at the end host. In: Proceedings of the 18th Conference on USENIX Security Symposium, SSYM 2009, pp. 351\u2013366. USENIX Association, Berkeley (2009)"},{"key":"22_CR23","doi-asserted-by":"crossref","unstructured":"Kolbitsch, C., Kirda, E., Kruegel, C.: The power of procrastination: detection and mitigation of execution-stalling malicious code (2011)","DOI":"10.1145\/2046707.2046740"},{"key":"22_CR24","doi-asserted-by":"crossref","unstructured":"Kolbitsch, C., Livshits, B., Zorn, B., Seifert, C.: Rozzle: de-cloaking internet malware. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP 212, pp. 443\u2013457. IEEE Computer Society, Washington, DC (2012)","DOI":"10.1109\/SP.2012.48"},{"key":"22_CR25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"338","DOI":"10.1007\/978-3-642-23644-0_18","volume-title":"Recent Advances in Intrusion Detection","author":"M Lindorfer","year":"2011","unstructured":"Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338\u2013357. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-23644-0_18"},{"key":"22_CR26","doi-asserted-by":"crossref","unstructured":"Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: IEEE Symposium on Security and Privacy, SP 2007, pp. 231\u2013245 (2007)","DOI":"10.1109\/SP.2007.17"},{"key":"22_CR27","doi-asserted-by":"crossref","unstructured":"Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Twenty-Third Annual Computer Security Applications Conference, ACSAC 2007, pp. 421\u2013430 (2007)","DOI":"10.1109\/ACSAC.2007.21"},{"key":"22_CR28","doi-asserted-by":"crossref","unstructured":"Nappa, A., Xu, Z., Rafique, M.Z., Caballero, J., Gu, G.: Cyberprobe: towards internet-scale active detection of malicious servers. In: Proceedings of the 2014 Network and Distributed System Security Symposium (NDSS 2014), pp. 1\u201315 (2014)","DOI":"10.14722\/ndss.2014.23218"},{"key":"22_CR29","unstructured":"NetSky (2016). https:\/\/en.wikipedia.org\/wiki\/Netsky_(computer_worm)"},{"key":"22_CR30","unstructured":"Peng, F., Deng, Z., Zhang, X., Xu, D., Lin, Z., Su, Z.: X-force: force-executing binary programs for security applications. In: Proceedings of the 23rd USENIX Conference on Security Symposium, SEC 2014, pp. 829\u2013844. USENIX Association, Berkeley (2014)"},{"key":"22_CR31","unstructured":"Porras, P., Sa\u00efdi, H., Yegneswaran, V.: A foray into conficker\u2019s logic and rendezvous points. In: Proceedings of the 2nd USENIX Conference on Large-scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More, LEET 2009, p. 7. USENIX Association, Berkeley (2009)"},{"key":"22_CR32","doi-asserted-by":"crossref","unstructured":"Shin, S., Xu, Z., Gu, G.: Effort: efficient and effective bot malware detection. In: 2012 Proceedings IEEE INFOCOM, pp. 2846\u20132850, March 2012","DOI":"10.1109\/INFCOM.2012.6195713"},{"key":"22_CR33","unstructured":"Song, C., Royal, P., Lee, W.: Impeding automated malware analysis with environmentsensitive malware. In: USENIX Workshop on Hot Topics in Security (2012)"},{"key":"22_CR34","unstructured":"Symantec: Bifrost (2016). http:\/\/www.symantec.com\/security_response\/writeup.jsp?docid=2004-101214-5358-99"},{"key":"22_CR35","unstructured":"Symantec: Koobface (2016). http:\/\/www.symantec.com\/security_response\/writeup.jsp?docid=2008-080315-0217-99&tabid=2"},{"key":"22_CR36","unstructured":"Symantec: Sality (2016). http:\/\/www.symantec.com\/security_response\/writeup.jsp?docid=2006-011714-3948-99"},{"key":"22_CR37","unstructured":"Symantec: Symantec intelligence quarterly (2016). http:\/\/www.symantec.com\/threatreport\/quarterly.jsp"},{"key":"22_CR38","unstructured":"Symantec: Triage analysis of targeted attacks (2016). http:\/\/www.symantec.com\/threatreport\/topic.jsp?id=malicious_code_trend"},{"key":"22_CR39","unstructured":"Symantec: Trojan.neloweg (2016). http:\/\/www.symantec.com\/security_response\/writeup.jsp?docid=2012-020609-4221-99"},{"key":"22_CR40","unstructured":"Symantec: Zeus Trojan Horse (2016). http:\/\/www.symantec.com\/security_response\/writeup.jsp?docid=2010-011016-3514-99"},{"key":"22_CR41","unstructured":"UCSB: Angr (2016). https:\/\/github.com\/angr\/angr"},{"key":"22_CR42","unstructured":"Unicorn: The ultimate CPU emulator (2016). http:\/\/www.unicorn-engine.org\/"},{"key":"22_CR43","unstructured":"Wikipedia: Flame (2016). http:\/\/en.wikipedia.org\/wiki\/Flame_malware"},{"key":"22_CR44","unstructured":"Wikipedia: Stuxnet (2016). http:\/\/en.wikipedia.org\/wiki\/Stuxnet"},{"key":"22_CR45","unstructured":"Wikipedia: Trojan backdoor.flashback (2016). http:\/\/en.wikipedia.org\/wiki\/Trojan_BackDoor.Flashback"},{"key":"22_CR46","unstructured":"Wilhelm, J., Chiueh, T.C.: A forced sampled execution approach to kernel rootkit identification (2007)"},{"issue":"2","key":"22_CR47","doi-asserted-by":"publisher","first-page":"32","DOI":"10.1109\/MSP.2007.45","volume":"5","author":"C Willems","year":"2007","unstructured":"Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using cwsandbox. IEEE Secur. Privacy 5(2), 32\u201339 (2007)","journal-title":"IEEE Secur. Privacy"},{"key":"22_CR48","doi-asserted-by":"crossref","unstructured":"Xu, Z., Zhang, J., Gu, G., Lin, Z.: Autovac: automatically extracting system resource constraints and generating vaccines for malware immunization. In: 2013 IEEE 33rd International Conference on Distributed Computing Systems (ICDCS), pp. 112\u2013123, July 2013","DOI":"10.1109\/ICDCS.2013.69"},{"key":"22_CR49","doi-asserted-by":"crossref","unstructured":"Xu, Z., Chen, L., Gu, G., Kruegel, C.: Peerpress: utilizing enemies\u2019 P2P strength against them. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 212, pp. 581\u2013592. ACM, New York (2012)","DOI":"10.1145\/2382196.2382257"},{"key":"22_CR50","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"22","DOI":"10.1007\/978-3-319-11379-1_2","volume-title":"Research in Attacks, Intrusions and Defenses","author":"Z Xu","year":"2014","unstructured":"Xu, Z., Zhang, J., Gu, G., Lin, Z.: GoldenEye: efficiently and effectively unveiling malware\u2019s targeted environment. In: Stavrou, A., Bos, H., Portokalidis, G. (eds.) RAID 2014. LNCS, vol. 8688, pp. 22\u201345. Springer, Cham (2014). https:\/\/doi.org\/10.1007\/978-3-319-11379-1_2"}],"container-title":["Lecture Notes in Computer Science","Information Security and Cryptology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-75160-3_22","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,30]],"date-time":"2025-06-30T14:03:51Z","timestamp":1751292231000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-319-75160-3_22"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018]]},"ISBN":["9783319751597","9783319751603"],"references-count":50,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-75160-3_22","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2018]]},"assertion":[{"value":"4 February 2018","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"Inscrypt","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Information Security and Cryptology","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Xi'an","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2017","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"3 November 2017","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"5 November 2017","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"13","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"cisc2017","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/www.inscrypt.cn\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}