{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T05:34:31Z","timestamp":1769924071400,"version":"3.49.0"},"publisher-location":"Cham","reference-count":36,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319934105","type":"print"},{"value":"9783319934112","type":"electronic"}],"license":[{"start":{"date-parts":[[2018,1,1]],"date-time":"2018-01-01T00:00:00Z","timestamp":1514764800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018]]},"DOI":"10.1007\/978-3-319-93411-2_1","type":"book-chapter","created":{"date-parts":[[2018,6,7]],"date-time":"2018-06-07T07:49:28Z","timestamp":1528357768000},"page":"3-23","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":19,"title":["Malrec: Compact Full-Trace Malware Recording for Retrospective Deep Analysis"],"prefix":"10.1007","author":[{"given":"Giorgio","family":"Severi","sequence":"first","affiliation":[]},{"given":"Tim","family":"Leek","sequence":"additional","affiliation":[]},{"given":"Brendan","family":"Dolan-Gavitt","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2018,6,8]]},"reference":[{"key":"1_CR1","unstructured":"Volatility command reference - GUI. \n                      https:\/\/github.com\/volatilityfoundation\/volatility\/wiki\/Command-Reference-Gui"},{"key":"1_CR2","unstructured":"Abadi, M.N., Agarwal, A., Barham, P., Brevdo, E., Chen, Z., Citro, C., Corrado, G.S., Davis, A., Dean, J., Devin, M., Ghemawat, S., Goodfellow, I., Harp, A., Irving, G., Isard, M., Jia, Y., Jozefowicz, R., Kaiser, L., Kudlur, M., Levenberg, J., Mane, D., Monga, R., Moore, S., Murray, D., Olah, C., Schuster, M., Shlens, J., Steiner, B., Sutskever, I., Talwar, K., Tucker, P., Vanhoucke, V., Vasudevan, V., Viegas, F., Vinyals, O., Warden, P., Wattenberg, M., Wicke, M., Yu, Y., Zheng, X.: TensorFlow: Large-Scale Machine Learning on Heterogeneous Distributed Systems. \n                      arXiv: 1603.04467\n                      \n                     [cs], March 2016"},{"key":"1_CR3","doi-asserted-by":"crossref","unstructured":"Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity. In: ACM Conference on Computer and Communications Security (2005)","DOI":"10.1145\/1102120.1102165"},{"key":"1_CR4","unstructured":"Balzarotti, D., Cova, M., Karlberger, C., Kirda, E., Kruegel, C., Vigna, G.: Efficient detection of split personalities in malware. In: NDSS (2010)"},{"key":"1_CR5","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/3-540-44647-8_1","volume-title":"Advances in Cryptology \u2014 CRYPTO 2001","author":"B Barak","year":"2001","unstructured":"Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1\u201318. Springer, Heidelberg (2001). \n                      https:\/\/doi.org\/10.1007\/3-540-44647-8_1"},{"key":"1_CR6","unstructured":"Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: NDSS, vol. 9, pp. 8\u201311. Citeseer (2009)"},{"key":"1_CR7","unstructured":"Bruening, D., Garnett, T., Amarasinghe, S.: An infrastructure for adaptive dynamic optimization. In: International Symposium on Code Generation and Optimization, CGO 2003, pp. 265\u2013275. IEEE (2003)"},{"issue":"2","key":"1_CR8","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/2790077","volume":"48","author":"Y Chen","year":"2015","unstructured":"Chen, Y., Zhang, S., Guo, Q., Li, L., Wu, R., Chen, T.: Deterministic replay: a survey. ACM Comput. Surv. 48(2), 1\u201347 (2015)","journal-title":"ACM Comput. Surv."},{"key":"1_CR9","unstructured":"Chow, J., Garfinkel, T., Chen, P.M.: Decoupling dynamic program analysis from execution in virtual environments. In: USENIX 2008 Annual Technical Conference on Annual Technical Conference, pp. 1\u201314 (2008)"},{"key":"1_CR10","doi-asserted-by":"crossref","unstructured":"Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 51\u201362. ACM (2008)","DOI":"10.1145\/1455770.1455779"},{"key":"1_CR11","doi-asserted-by":"crossref","unstructured":"Dolan-Gavitt, B., Hodosh, J., Hulin, P., Leek, T., Whelan, R.: Repeatable reverse engineering with PANDA. In: Program Protection and Reverse Engineering Workshop (PPREW), pp. 1\u201311. ACM Press (2015)","DOI":"10.1145\/2843859.2843867"},{"key":"1_CR12","doi-asserted-by":"crossref","unstructured":"Dolan-Gavitt, B., Leek, T., Hodosh, J., Lee, W.: Tappan zee (north) bridge: mining memory accesses for introspection. In: ACM Conference on Computer and Communications Security (CCS), pp. 839\u2013850. ACM Press (2013)","DOI":"10.1145\/2508859.2516697"},{"issue":"SI","key":"1_CR13","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1145\/844128.844148","volume":"36","author":"GW Dunlap","year":"2002","unstructured":"Dunlap, G.W., King, S.T., Cinar, S., Basrai, M.A., Chen, P.M.: ReVirt: enabling intrusion analysis through virtual-machine logging and replay. SIGOPS Oper. Syst. Rev. 36(SI), 211\u2013224 (2002)","journal-title":"SIGOPS Oper. Syst. Rev."},{"key":"1_CR14","doi-asserted-by":"crossref","unstructured":"Iyyer, M., Manjunatha, V., Boyd-Graber, J., Daum\u00e9 III, H.: Deep unordered composition rivals syntactic methods for text classification. In: Proceedings of the 53rd Annual Meeting of the Association for Computational Linguistics and the 7th International Joint Conference on Natural Language Processing (vol. 1: Long Papers), pp. 1681\u20131691 (2015)","DOI":"10.3115\/v1\/P15-1162"},{"key":"1_CR15","doi-asserted-by":"crossref","unstructured":"Kantchelian, A., Tschantz, M.C., Afroz, S., Miller, B., Shankar, V., Bachwani, R., Joseph, A.D., Tygar, J.D.: Better malware ground truth: techniques for weighting anti-virus vendor labels. In: ACM Workshop on Artificial Intelligence and Security (AISEC), pp. 45\u201356. ACM Press (2015)","DOI":"10.1145\/2808769.2808780"},{"issue":"1","key":"1_CR16","doi-asserted-by":"publisher","first-page":"51","DOI":"10.1145\/1047915.1047918","volume":"23","author":"ST King","year":"2005","unstructured":"King, S.T., Chen, P.M.: Backtracking intrusions. ACM Trans. Comput. Syst. (TOCS) 23(1), 51\u201376 (2005)","journal-title":"ACM Trans. Comput. Syst. (TOCS)"},{"key":"1_CR17","unstructured":"King, S.T., Dunlap, G.W., Chen, P.M.: Debugging operating systems with time-traveling virtual machines. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference, p. 1 (2005)"},{"issue":"4","key":"1_CR18","doi-asserted-by":"publisher","first-page":"471","DOI":"10.1109\/TC.1987.1676929","volume":"36","author":"TJ LeBlanc","year":"1987","unstructured":"LeBlanc, T.J., Mellor-Crummey, J.M.: Debugging parallel programs with instant replay. IEEE Trans. Comput. 36(4), 471\u2013482 (1987)","journal-title":"IEEE Trans. Comput."},{"key":"1_CR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"238","DOI":"10.1007\/978-3-642-15512-3_13","volume-title":"Recent Advances in Intrusion Detection","author":"P Li","year":"2010","unstructured":"Li, P., Liu, L., Gao, D., Reiter, M.K.: On challenges in evaluating malware clustering. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 238\u2013255. Springer, Heidelberg (2010). \n                      https:\/\/doi.org\/10.1007\/978-3-642-15512-3_13"},{"issue":"6","key":"1_CR20","doi-asserted-by":"publisher","first-page":"190","DOI":"10.1145\/1064978.1065034","volume":"40","author":"Chi-Keung Luk","year":"2005","unstructured":"Luk, C.K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V.J., Hazelwood, K.: Pin: building customized program analysis tools with dynamic instrumentation. In: ACM SIGPLAN Notices, vol. 40, pp. 190\u2013200. ACM (2005)","journal-title":"ACM SIGPLAN Notices"},{"key":"1_CR21","unstructured":"Mandl, T., Bayer, U., Nentwich, F.: ANUBIS ANalyzing unknown BInarieS the automatic way. In: Virus Bulletin Conference, vol. 1, p. 2 (2009)"},{"key":"1_CR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"112","DOI":"10.1007\/978-3-319-08509-8_7","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"A Mohaisen","year":"2014","unstructured":"Mohaisen, A., Alrawi, O.: AV-meter: an evaluation of antivirus scans and labels. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 112\u2013131. Springer, Cham (2014). \n                      https:\/\/doi.org\/10.1007\/978-3-319-08509-8_7"},{"key":"1_CR23","doi-asserted-by":"crossref","unstructured":"Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Twenty-Third Annual Computer Security Applications Conference, ACSAC 2007, pp. 421\u2013430. IEEE (2007)","DOI":"10.1109\/ACSAC.2007.21"},{"issue":"6","key":"1_CR24","doi-asserted-by":"publisher","first-page":"89","DOI":"10.1145\/1273442.1250746","volume":"42","author":"Nicholas Nethercote","year":"2007","unstructured":"Nethercote, N., Seward, J.: Valgrind: a framework for heavyweight dynamic binary instrumentation. In: ACM SIGPLAN Notices, vol. 42, pp. 89\u2013100. ACM (2007)","journal-title":"ACM SIGPLAN Notices"},{"key":"1_CR25","unstructured":"Newsome, J.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Network and Distributed System Security Symposium (NDSS) (2005)"},{"key":"1_CR26","doi-asserted-by":"crossref","unstructured":"Prakash, A., Yin, H., Liang, Z.: Enforcing system-wide control flow integrity for exploit detection and diagnosis. In: ACM SIGSAC Symposium on Information, Computer and Communications Security (2013)","DOI":"10.1145\/2484313.2484352"},{"key":"1_CR27","unstructured":"Quynh, N.A.: Capstone: Next-Gen Disassembly Framework. Black Hat USA (2014)"},{"key":"1_CR28","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"230","DOI":"10.1007\/978-3-319-45719-2_11","volume-title":"Research in Attacks, Intrusions, and Defenses","author":"M Sebasti\u00e1n","year":"2016","unstructured":"Sebasti\u00e1n, M., Rivera, R., Kotzias, P., Caballero, J.: AVclass: a tool for massive malware labeling. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 230\u2013253. Springer, Cham (2016). \n                      https:\/\/doi.org\/10.1007\/978-3-319-45719-2_11"},{"key":"1_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-89862-7_1","volume-title":"Information Systems Security","author":"D Song","year":"2008","unstructured":"Song, D., et al.: BitBlaze: a new approach to computer security via binary analysis. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 1\u201325. Springer, Heidelberg (2008). \n                      https:\/\/doi.org\/10.1007\/978-3-540-89862-7_1"},{"key":"1_CR30","doi-asserted-by":"crossref","unstructured":"Tian, K., Yao, D., Ryder, B.G., Tan, G.: Analysis of code heterogeneity for high-precision classification of repackaged malware. In: 2016 IEEE Security and Privacy Workshops (SPW), pp. 262\u2013271, May 2016","DOI":"10.1109\/SPW.2016.33"},{"key":"1_CR31","doi-asserted-by":"crossref","unstructured":"Upchurch, J., Zhou, X.: Malware provenance: code reuse detection in malicious software at scale. In: 2016 11th International Conference on Malicious and Unwanted Software (MALWARE), pp. 1\u20139, October 2016","DOI":"10.1109\/MALWARE.2016.7888735"},{"key":"1_CR32","unstructured":"VMWare: Enhanced Execution Record\/Replay in Workstation 6.5, April 2008"},{"key":"1_CR33","unstructured":"Walters, A.: The Volatility framework: Volatile memory artifact extraction utility framework. \n                      https:\/\/www.volatilesystems.com\/default\/volatility"},{"issue":"2","key":"1_CR34","doi-asserted-by":"publisher","first-page":"32","DOI":"10.1109\/MSP.2007.45","volume":"5","author":"C Willems","year":"2007","unstructured":"Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using CWSandbox. IEEE Secur. Priv. 5(2), 32\u201339 (2007)","journal-title":"IEEE Secur. Priv."},{"issue":"7","key":"1_CR35","doi-asserted-by":"publisher","first-page":"227","DOI":"10.1145\/2365864.2151053","volume":"47","author":"LK Yan","year":"2012","unstructured":"Yan, L.K., Jayachandra, M., Zhang, M., Yin, H.: V2E: combining hardware virtualization and software emulation for transparent and extensible malware analysis. ACM SIGPLAN Not. 47(7), 227\u2013238 (2012)","journal-title":"ACM SIGPLAN Not."},{"key":"1_CR36","doi-asserted-by":"crossref","unstructured":"Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy, pp. 95\u2013109, May 2012","DOI":"10.1109\/SP.2012.16"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware, and Vulnerability Assessment"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-93411-2_1","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,3,3]],"date-time":"2020-03-03T03:18:05Z","timestamp":1583205485000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-93411-2_1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018]]},"ISBN":["9783319934105","9783319934112"],"references-count":36,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-93411-2_1","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018]]},"assertion":[{"value":"8 June 2018","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"DIMVA","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Saclay","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"France","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2018","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"28 June 2018","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"29 June 2018","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"15","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"dimva2018","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/www.dimva2018.org\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}