{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,21]],"date-time":"2026-02-21T10:00:33Z","timestamp":1771668033163,"version":"3.50.1"},"reference-count":54,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2018,6,29]],"date-time":"2018-06-29T00:00:00Z","timestamp":1530230400000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2019,6]]},"DOI":"10.1007\/s10207-018-0415-3","type":"journal-article","created":{"date-parts":[[2018,6,29]],"date-time":"2018-06-29T10:25:19Z","timestamp":1530267919000},"page":"257-284","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":45,"title":["Dynamic malware detection and phylogeny analysis using process mining"],"prefix":"10.1007","volume":"18","author":[{"given":"Mario Luca","family":"Bernardi","sequence":"first","affiliation":[]},{"given":"Marta","family":"Cimitile","sequence":"additional","affiliation":[]},{"given":"Damiano","family":"Distante","sequence":"additional","affiliation":[]},{"given":"Fabio","family":"Martinelli","sequence":"additional","affiliation":[]},{"given":"Francesco","family":"Mercaldo","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2018,6,29]]},"reference":[{"key":"415_CR1","unstructured":"Androguard. \n                    https:\/\/code.google.com\/p\/androguard\/\n                    \n                  , last visit 24 November 2014"},{"key":"415_CR2","doi-asserted-by":"crossref","unstructured":"Anderson, B., Storlie, C., Lane, T.: Improving malware classification: bridging the static\/dynamic gap. In: Proceedings of the 5th ACM Workshop on Security and Artificial Intelligence, AISec \u201912, pp. 3\u201314, New York, NY, USA. ACM (2012)","DOI":"10.1145\/2381896.2381900"},{"key":"415_CR3","doi-asserted-by":"crossref","unstructured":"Arora, A., Garg, S., Peddoju, S.K.: Malware detection using network traffic analysis in android based mobile devices. In: 2014 Eighth International Conference on Next Generation Mobile Apps, Services and Technologies (NGMAST), pp. 66\u201371 (Sept 2014)","DOI":"10.1109\/NGMAST.2014.57"},{"key":"415_CR4","doi-asserted-by":"crossref","unstructured":"Arp, D., Spreitzenbarth, M., Huebner, M., Gascon, H., Rieck, K.: DREBIN: efficient and explainable detection of android malware in your pocket. In: Proceedings of 21th Annual Network and Distributed System Security Symposium (NDSS) (2014)","DOI":"10.14722\/ndss.2014.23247"},{"key":"415_CR5","doi-asserted-by":"crossref","unstructured":"Battista, P., Mercaldo, F., Nardone, V., Santone, A., Visaggio, C.A.: Identification of android malware families with model checking. In: International Conference on Information Systems Security and Privacy. SCITEPRESS (2016)","DOI":"10.5220\/0005809205420547"},{"key":"415_CR6","doi-asserted-by":"publisher","first-page":"42","DOI":"10.1016\/j.is.2016.06.002","volume":"62","author":"ML Bernardi","year":"2016","unstructured":"Bernardi, M.L., Cimitile, M., Di Francescomarino, C., Maggi, F.M.: Do activity lifecycles affect the validity of a business rule in a business process? Inf. Syst. 62, 42\u201359 (2016)","journal-title":"Inf. Syst."},{"key":"415_CR7","unstructured":"Bernardi, M.L., Cimitile, M., Di Lucca, G.A., Maggi, F.M.: Using declarative workflow languages to develop process-centric web applications. In: 16th IEEE International Enterprise Distributed Object Computing Conference Workshops, EDOC Workshops, Beijing, China, September 10\u201314, 2012, pp. 56\u201365 (2012)"},{"key":"415_CR8","doi-asserted-by":"crossref","unstructured":"Bernardi, M.L., Cimitile, M., Mercaldo, F., Distante, D.: A constraint-driven approach for dynamic malware detection. In: 14th IEEE Annual Conference on Privacy Security and Trust (2016)","DOI":"10.1109\/PST.2016.7907009"},{"key":"415_CR9","doi-asserted-by":"crossref","unstructured":"Bose, R.P., Maggi, F.M., Aalst, W.M.P.: Enhancing Declare Maps Based on Event Correlations, chapter Business Process Management: 11th International Conference, BPM 2013, Beijing, China, August 26\u201330, 2013. Proceedings, pp. 97\u2013112. Springer, Berlin (2013)","DOI":"10.1007\/978-3-642-40176-3_9"},{"issue":"6","key":"415_CR10","doi-asserted-by":"publisher","first-page":"833","DOI":"10.1109\/TSC.2015.2459703","volume":"8","author":"A Burattin","year":"2015","unstructured":"Burattin, A., Cimitile, M., Maggi, F.M., Sperduti, A.: Online discovery of declarative process models from event streams. IEEE Trans. Serv. Comput. 8(6), 833\u2013846 (2015)","journal-title":"IEEE Trans. Serv. Comput."},{"key":"415_CR11","doi-asserted-by":"crossref","unstructured":"Canfora, G., Mercaldo, F., Visaggio, C.A.: A classifier of malicious android applications. In: 2013 Eighth International Conference on Availability, Reliability and Security (ARES), pp. 607\u2013614 (Sept 2013)","DOI":"10.1109\/ARES.2013.80"},{"key":"415_CR12","doi-asserted-by":"crossref","unstructured":"Canfora, G., Di Sorbo, A., Mercaldo, F., Visaggio, C.A.: Obfuscation techniques against signature-based detection: a case study. In: 2015 Mobile Systems Technologies Workshop (MST), pp. 21\u201326. IEEE (2015)","DOI":"10.1109\/MST.2015.8"},{"key":"415_CR13","unstructured":"Canfora, G., Medvet, E., Mercaldo, F., Visaggio, C.A.: Availability, Reliability, and Security in Information Systems: IFIP WG 8.4, 8.9, TC 5 International Cross-Domain Conference, CD-ARES 2014 and 4th International Workshop on Security and Cognitive Informatics for Homeland Defense, SeCIHD 2014, Fribourg, Switzerland, September 8\u201312, 2014. Proceedings, chapter Detection of Malicious Web Pages Using System Calls Sequences, pp. 226\u2013238. Springer, Cham (2014)"},{"key":"415_CR14","unstructured":"Canfora, G., Medvet, E., Mercaldo, F., Visaggio, C.A.: Detecting android malware using sequences of system calls. In: Proceedings of the 3rd International Workshop on Software Development Lifecycle for Mobile, DeMobile 2015, pp. 13\u201320, New York, NY, USA, 2015. ACM (2015)"},{"key":"415_CR15","unstructured":"Carrera, E., Erd\u00e9lyi, G.: Digital genome mapping\u2014advanced binary malware analysis. In: Virus Bulletin Conference, Vol. 11 (2004)"},{"key":"415_CR16","unstructured":"Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in android. In: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, MobiSys \u201911, pp. 239\u2013252, New York, NY, USA, 2011. ACM (2011)"},{"key":"415_CR17","unstructured":"Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: Proceedings of the 20th USENIX Conference on Security, SEC\u201911, pp. 21\u201321, Berkeley, CA, USA, 2011. USENIX Association (2011)"},{"key":"415_CR18","unstructured":"Gartner Report of February 2017. \n                    http:\/\/www.gartner.com\/newsroom\/id\/3609817\n                    \n                   (2017)"},{"issue":"4","key":"415_CR19","doi-asserted-by":"publisher","first-page":"335","DOI":"10.1007\/s11416-008-0100-6","volume":"5","author":"M Hayes","year":"2008","unstructured":"Hayes, M., Walenstein, A., Lakhotia, A.: Evaluation of malware phylogeny modelling systems using automated variant generation. J. Comput. Virol. 5(4), 335\u2013343 (2008)","journal-title":"J. Comput. Virol."},{"key":"415_CR20","unstructured":"Holmes, G., Donkin, A., Witten, I.H.: Weka: A machine learning workbench. In: Proceedings of the Second Australia and New Zealand Conference on Intelligent Information Systems, pp. 357\u2013361. Citeseer (1994)"},{"key":"415_CR21","unstructured":"Isohara, T., Takemori, K., Kubota, A.: Kernel-based behavior analysis for android malware detection. In: Proceedings of the 2011 Seventh International Conference on Computational Intelligence and Security, CIS \u201911, pp. 1011\u20131015, Washington, DC, USA, 2011. IEEE Computer Society (2011)"},{"issue":"3","key":"415_CR22","doi-asserted-by":"publisher","first-page":"264","DOI":"10.1145\/331499.331504","volume":"31","author":"AK Jain","year":"1999","unstructured":"Jain, A.K., Murty, M.N., Flynn, P.J.: Data clustering: a review. ACM Comput. Surv. 31(3), 264\u2013323 (1999)","journal-title":"ACM Comput. Surv."},{"key":"415_CR23","unstructured":"Jang, J., Brumley, D., Venkataraman, S.: BitShred: feature hashing malware for scalable triage and semantic analysis. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS \u201911, pp. 309\u2013320, New York, NY, USA, 2011. ACM (2011)"},{"key":"415_CR24","unstructured":"Jeong, Y., Lee, H., Cho, S., Han, S., Park, M.: A kernel-based monitoring approach for analyzing malicious behavior on android. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, SAC \u201914, pp. 1737\u20131738, New York, NY, USA, 2014. ACM (2014)"},{"key":"415_CR25","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4614-7394-7","volume-title":"Android Malware","author":"X Jiang","year":"2013","unstructured":"Jiang, X., Zhou, Y.: Android Malware. Springer, New York (2013)"},{"issue":"1\u20132","key":"415_CR26","doi-asserted-by":"publisher","first-page":"13","DOI":"10.1007\/s11416-005-0002-9","volume":"1","author":"ME Karim","year":"2005","unstructured":"Karim, M.E., Walenstein, A., Lakhotia, A., Parida, L.: Malware phylogeny generation using permutations of code. J. Comput. Virol. 1(1\u20132), 13\u201323 (2005)","journal-title":"J. Comput. Virol."},{"key":"415_CR27","doi-asserted-by":"crossref","unstructured":"Khoo, W.M., Li\u00f3, P.: Unity in diversity: phylogenetic-inspired techniques for reverse engineering and detection of malware families. In: 2011 First SysSec Workshop (SysSec), pp. 3\u201310. IEEE (2011)","DOI":"10.1109\/SysSec.2011.24"},{"key":"415_CR28","unstructured":"Ma, J., Dunagan, J., Wang, H.J., Savage, S., Voelker, G.M.: Finding diversity in remote code injection exploits. In: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, IMC \u201906, pp. 53\u201364, New York, NY, USA, 2006. ACM (2006)"},{"key":"415_CR29","unstructured":"Mobile Threat Report. \n                    https:\/\/www.f-secure.com\/documents\/996508\/1030743\/Threat_Report_H1_2014.pdf\n                    \n                  , last visit 26 February 2016"},{"key":"415_CR30","doi-asserted-by":"crossref","unstructured":"Mario, F.M., Bernardi, L., Cimitile, M.: Process mining meets malware evolution: a study of the behavior of malicious code. In: 2015 Fourth International Symposium on Computing and Networking (CANDAR) (Dec 2016)","DOI":"10.1109\/CANDAR.2016.0111"},{"key":"415_CR31","doi-asserted-by":"crossref","unstructured":"Mercaldo, F., Nardone, V., Santone, A., Visaggio, C.A.: Download malware? No, thanks. How formal methods can block update attacks. In: Proceedings of the 4th FME Workshop on Formal Methods in Software Engineering, pp. 22\u201328. ACM (2016)","DOI":"10.1145\/2897667.2897673"},{"key":"415_CR32","doi-asserted-by":"crossref","unstructured":"Mercaldo, F., Nardone, V., Santone, A., Visaggio, C.A.: Ransomware steals your phone. Formal methods rescue it. In: International Conference on Formal Techniques for Distributed Objects, Components, and Systems, pp. 212\u2013221. Springer (2016)","DOI":"10.1007\/978-3-319-39570-8_14"},{"key":"415_CR33","unstructured":"Oberheide, J., Mille, C.: Dissecting the android bouncer. In: SummerCon (2012)"},{"key":"415_CR34","first-page":"287","volume":"2007","author":"M Pesic","year":"2007","unstructured":"Pesic, M., Schonenberg, H., van der Aalst, W.M.P.: Declare: full support for loosely-structured processes. EDOC 2007, 287\u2013300 (2007)","journal-title":"EDOC"},{"issue":"3","key":"415_CR35","doi-asserted-by":"publisher","first-page":"1072","DOI":"10.1109\/7.395235","volume":"31","author":"B Picinbono","year":"1995","unstructured":"Picinbono, B.: On deflection as a performance criterion in detection. IEEE Trans. Aerosp. Electron. Syst. 31(3), 1072\u20131081 (1995)","journal-title":"IEEE Trans. Aerosp. Electron. Syst."},{"issue":"1","key":"415_CR36","doi-asserted-by":"publisher","first-page":"99","DOI":"10.1109\/TIFS.2013.2290431","volume":"9","author":"V Rastogi","year":"2014","unstructured":"Rastogi, V., Chen, Y., Jiang, X.: Catch me if you can: evaluating android anti-malware against transformation attacks. IEEE Trans. Inf. Forensics Secur. 9(1), 99\u2013108 (2014)","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"415_CR37","unstructured":"Rastogi, V., Chen, Y., Jiang, X.: DroidChameleon: evaluating android anti-malware against transformation attacks. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS \u201913, pp. 329\u2013334, New York, NY, USA, 2013. ACM (2013)"},{"key":"415_CR38","unstructured":"Reina, A., Fattori, A., Cavallaro, L.: A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors. In: Proceedings of EuroSec (2013)"},{"key":"415_CR39","doi-asserted-by":"crossref","unstructured":"Sahs, J., Khan, L.: A machine learning approach to android malware detection. In: Proceedings of the European Intelligence and Security Informatics Conference (2012)","DOI":"10.1109\/EISIC.2012.34"},{"key":"415_CR40","unstructured":"Schmidt, A.-D., Schmidt, H.-G., Clausen, J., Yuksel, K.A., Kiraz, O., Camtepe, A., Albayrak, S.: Enhancing security of linux-based android devices. In: Proceedings of 15th International Linux Kongress (2008)"},{"key":"415_CR41","unstructured":"Spreitzenbarth, M., Freiling, F., Echtler, F., Schreck, T., Hoffmann, J.: Mobile-sandbox: having a deeper look into android applications. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing, SAC \u201913, pp. 1808\u20131815, New York, NY, USA, 2013. ACM (2013)"},{"issue":"9","key":"415_CR42","first-page":"669","volume":"2","author":"F Tchakount\u00e9","year":"2013","unstructured":"Tchakount\u00e9, F., Dayang, P.: System calls analysis of malwares on android. Int. J. Sci. Tecnol. (IJST) 2(9), 669\u2013674 (2013)","journal-title":"Int. J. Sci. Tecnol. (IJST)"},{"key":"415_CR43","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-19345-3","volume-title":"Process Mining: Discovery, Conformance and Enhancement of Business Processes","author":"W Aalst van der","year":"2011","unstructured":"van der Aalst, W.: Process Mining: Discovery, Conformance and Enhancement of Business Processes. Springer, Berlin (2011)"},{"key":"415_CR44","unstructured":"van Dongen, B.F., de Medeiros,A.K.A., Verbeek, H.M.W., Weijters, A.J.M.M., van der Aalst, W.M.P.: The prom framework: a new era in process mining tool support. In: Proceedings of the 26th International Conference on Applications and Theory of Petri Nets, ICATPN\u201905, pp. 444\u2013454, Berlin, Heidelberg, 2005. Springer (2005)"},{"key":"415_CR45","unstructured":"Virustotal. \n                    https:\/\/www.virustotal.com\/\n                    \n                  , last visit 1 March 2016"},{"key":"415_CR46","doi-asserted-by":"crossref","unstructured":"Walenstein, A., Lakhotia, A.: A transformation-based model of malware derivation. In: 2012 7th International Conference on Malicious and Unwanted Software (MALWARE), pp. 17\u201325 (Oct 2012)","DOI":"10.1109\/MALWARE.2012.6461003"},{"key":"415_CR47","unstructured":"Wang, X., Jhi, Y.-C., Zhu, S., Liu, P.: Detecting software theft via system call based birthmarks. In: Proceedings of the 2009 Annual Computer Security Applications Conference, ACSAC \u201909, pp. 149\u2013158, Washington, DC, USA, 2009. IEEE Computer Society (2009)"},{"key":"415_CR48","unstructured":"Wei, T.-E., Mao, C.-H., Jeng, A.B., Lee, H.-M., Wang, H.-T., Wu, D.-J.: Android malware detection via a latent network behavior analysis. In: Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM \u201912, pp. 1251\u20131258, Washington, DC, USA, 2012. IEEE Computer Society (2012)"},{"key":"415_CR49","doi-asserted-by":"crossref","unstructured":"Xiao, X., Zhang, S., Mercaldo, F., Hu, G., Sangaiah, A.K.: Android malware detection based on system call sequences and LSTM. Multimedia Tools and Applications (Sept 2017)","DOI":"10.1007\/s11042-017-5104-0"},{"key":"415_CR50","unstructured":"Yan, L.K., Yin, H.: DroidScope: Seamlessly reconstructing the OS and Dalvik semantic views for dynamic android malware analysis. In: Proceedings of the 21st USENIX Conference on Security Symposium, Security\u201912, pp. 29\u201329, Berkeley, CA, USA, 2012. USENIX Association (2012)"},{"key":"415_CR51","doi-asserted-by":"crossref","unstructured":"Zheng, M., Lee, P.P.C., Lui, J.C.S.: ADAM: an automatic and extensible platform to stress test android anti-virus systems. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. pp. 82\u2013101. Springer (2012)","DOI":"10.1007\/978-3-642-37300-8_5"},{"key":"415_CR52","unstructured":"Zheng, M., Sun, M., Lui, J.C.S.: Droid analytics: a signature based analytic system to collect, extract, analyze and associate android malware. In: Proceedings of the 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM \u201913, pp. 163\u2013171, Washington, DC, USA, 2013. IEEE Computer Society (2013)"},{"key":"415_CR53","unstructured":"Zhou, W., Zhou, Y., Jiang, X., Ning, P.: Detecting repackaged smartphone applications in third-party android marketplaces. In: Proceedings of the Second ACM Conference on Data and Application Security and Privacy, CODASPY \u201912, pp. 317\u2013326, New York, NY, USA, 2012. ACM (2012)"},{"key":"415_CR54","unstructured":"Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP \u201912, pp. 95\u2013109, Washington, DC, USA, 2012. IEEE Computer Society (2012)"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-018-0415-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s10207-018-0415-3\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-018-0415-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,6,28]],"date-time":"2019-06-28T23:30:05Z","timestamp":1561764605000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s10207-018-0415-3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,6,29]]},"references-count":54,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2019,6]]}},"alternative-id":["415"],"URL":"https:\/\/doi.org\/10.1007\/s10207-018-0415-3","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,6,29]]},"assertion":[{"value":"29 June 2018","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}