{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T15:49:08Z","timestamp":1775922548033,"version":"3.50.1"},"reference-count":49,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-004"}],"funder":[{"DOI":"10.13039\/501100010712","name":"Viet Nam National University Ho Chi Minh City","doi-asserted-by":"publisher","award":["NCM2025-26-01"],"award-info":[{"award-number":["NCM2025-26-01"]}],"id":[{"id":"10.13039\/501100010712","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Journal of Information Security and Applications"],"published-print":{"date-parts":[[2026,6]]},"DOI":"10.1016\/j.jisa.2026.104412","type":"journal-article","created":{"date-parts":[[2026,2,24]],"date-time":"2026-02-24T13:38:53Z","timestamp":1771940333000},"page":"104412","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["A multimodal approach for windows malware detection using comprehensive analysis on called APIs"],"prefix":"10.1016","volume":"99","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9387-7909","authenticated-orcid":false,"given":"Do Thi Thu","family":"Hien","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-7841-3300","authenticated-orcid":false,"given":"Bao","family":"Pham-Thai","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1489-2826","authenticated-orcid":false,"given":"Nguyen Tan","family":"Cam","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3147-3356","authenticated-orcid":false,"given":"Van-Hau","family":"Pham","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"78","reference":[{"key":"10.1016\/j.jisa.2026.104412_bib0001","unstructured":"StationX. 65+ Malware statistics for 2025. 2025. [Accessed 2025]; https:\/\/www.stationx.net\/malware-statistics\/."},{"key":"10.1016\/j.jisa.2026.104412_bib0002","unstructured":"CrowdStrike. 2025 Global threat report. 2025. [Accessed 2025]; https:\/\/static.poder360.com.br\/2025\/03\/CrowdStrikeGlobalThreatReport2025.pdf."},{"key":"10.1016\/j.jisa.2026.104412_bib0003","unstructured":"MixMode. State of AI in cybersecurity report 2024. 2024. [Accessed 2025]; https:\/\/mixmode.ai\/state-of-ai-in-cybersecurity-2024\/."},{"key":"10.1016\/j.jisa.2026.104412_bib0004","doi-asserted-by":"crossref","DOI":"10.7717\/peerj-cs.1319","article-title":"Windows malware detection based on static analysis with multiple features","volume":"9","author":"Yousuf","year":"2023","journal-title":"PeerJ Comput Sci"},{"key":"10.1016\/j.jisa.2026.104412_bib0005","first-page":"1","article-title":"PROUD-MAL: Static analysis-based progressive framework for deep unsupervised malware classification of windows portable executable","author":"Rizvi","year":"2022","journal-title":"Complex & Intelligent Systems"},{"key":"10.1016\/j.jisa.2026.104412_bib0006","series-title":"Proceedings of international conference on information technology and applications: ICITA 2021","first-page":"619","article-title":"Malware detection using machine learning algorithms for windows platform","author":"Hussain","year":"2022"},{"key":"10.1016\/j.jisa.2026.104412_bib0007","series-title":"23rd annual computer security applications conference (ACSAC 2007)","article-title":"Limits of static analysis for malware detection","author":"Moser","year":"2007"},{"key":"10.1016\/j.jisa.2026.104412_bib0008","unstructured":"Shokouhinejad H., Razavi-Far R., Mohammadian H., Rabbani M., Ansong S., Higgins G., et al. Recent advances in malware detection: Graph learning and explainability. 2025. arXiv: 250210556."},{"issue":"7","key":"10.1016\/j.jisa.2026.104412_bib0009","doi-asserted-by":"crossref","DOI":"10.12700\/APH.19.7.2022.7.10","article-title":"Using machine learning algorithms to detect malware by applying static and dynamic analysis methods","volume":"19","author":"Pal\u0161a","year":"2022","journal-title":"Acta Polytech Hungarica"},{"key":"10.1016\/j.jisa.2026.104412_bib0010","doi-asserted-by":"crossref","DOI":"10.1007\/s11416-015-0261-z","article-title":"A comparison of static, dynamic, and hybrid analysis for malware detection","volume":"13","author":"Damodaran","year":"2017","journal-title":"J Comput Virol Hack Tech"},{"key":"10.1016\/j.jisa.2026.104412_bib0011","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2022.102686","article-title":"A novel deep framework for dynamic malware detection based on API sequence intrinsic features","volume":"116","author":"Li","year":"2022","journal-title":"Computers Security"},{"key":"10.1016\/j.jisa.2026.104412_bib0012","doi-asserted-by":"crossref","DOI":"10.1109\/TIFS.2022.3152360","article-title":"Cruparamer: Learning on parameter-augmented api sequences for malware detection","volume":"17","author":"Chen","year":"2022","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"10.1016\/j.jisa.2026.104412_bib0013","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2023.103518","article-title":"CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters","volume":"136","author":"Chen","year":"2024","journal-title":"Computers Security"},{"issue":"11","key":"10.1016\/j.jisa.2026.104412_bib0014","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3664649","article-title":"A survey on malware detection with graph representation learning","volume":"56","author":"Bilot","year":"2024","journal-title":"ACM Comput Surv"},{"key":"10.1016\/j.jisa.2026.104412_bib0015","doi-asserted-by":"crossref","first-page":"111830","DOI":"10.1109\/ACCESS.2022.3215267","article-title":"Malware detection by control-flow graph level representation learning with graph isomorphism network","volume":"10","author":"Gao","year":"2022","journal-title":"IEEE Access"},{"issue":"1","key":"10.1016\/j.jisa.2026.104412_bib0016","doi-asserted-by":"crossref","first-page":"95","DOI":"10.1007\/s11416-023-00498-7","article-title":"Mal2GCN: A robust malware detection approach using deep graph convolutional networks with non-negative weights","volume":"20","author":"Kargarnovin","year":"2024","journal-title":"J Comput Virol Hack Tech"},{"key":"10.1016\/j.jisa.2026.104412_bib0017","doi-asserted-by":"crossref","DOI":"10.1016\/j.eswa.2024.124776","article-title":"MDGraph: A novel malware detection method based on memory dump and graph neural network","volume":"255","author":"Li","year":"2024","journal-title":"Expert Syst Appl"},{"key":"10.1016\/j.jisa.2026.104412_bib0018","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2024.103788","article-title":"DawnGNN: Documentation augmented windows malware detection using graph neural network","author":"Feng","year":"2024","journal-title":"Computers Security"},{"key":"10.1016\/j.jisa.2026.104412_bib0019","series-title":"2019 4th ISCON","first-page":"400","article-title":"Malware detection based on API calls frequency","author":"Garg","year":"2019"},{"key":"10.1016\/j.jisa.2026.104412_bib0020","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2020.101760","article-title":"A dynamic windows malware detection and prediction method based on contextual understanding of API call sequence","volume":"92","author":"Amer","year":"2020","journal-title":"Computers Security"},{"key":"10.1016\/j.jisa.2026.104412_bib0021","doi-asserted-by":"crossref","first-page":"53788","DOI":"10.1109\/ACCESS.2023.3276902","article-title":"System API vectorization for malware detection","volume":"11","author":"Shin","year":"2023","journal-title":"IEEE Access"},{"key":"10.1016\/j.jisa.2026.104412_bib0022","series-title":"2017 Siberian symposium on data science and engineering (SSDSE)","first-page":"1","article-title":"Malware detection using machine learning based on word2vec embeddings of machine code instructions","author":"Popov","year":"2017"},{"key":"10.1016\/j.jisa.2026.104412_bib0023","series-title":"2020\u202fIEEE ICAIIS","first-page":"126","article-title":"Detection and classification of malware based on FastText","author":"Feng","year":"2020"},{"key":"10.1016\/j.jisa.2026.104412_bib0024","series-title":"2018 17th IEEE ICMLA","first-page":"1029","article-title":"DLGraph: Malware detection using deep learning and graph embedding","author":"Jiang","year":"2018"},{"key":"10.1016\/j.jisa.2026.104412_bib0025","series-title":"Proceedings of the 32nd ACM SIGSOFT international symposium on software testing and analysis","first-page":"261","article-title":"Api2vec: Learning representations of api sequences for malware detection","author":"Cui","year":"2023"},{"key":"10.1016\/j.jisa.2026.104412_bib0026","series-title":"2018\u202fIEEE International conference on acoustics, speech and signal processing (ICASSP)","first-page":"2656","article-title":"Neural sequential malware detection with parameters","author":"Agrawal","year":"2018"},{"key":"10.1016\/j.jisa.2026.104412_bib0027","doi-asserted-by":"crossref","DOI":"10.1145\/3545572","article-title":"A review on methods and applications in multimodal deep learning","volume":"19","author":"Jabeen","year":"2023","journal-title":"ACM Trans Multimedia Comput Commun Appl"},{"key":"10.1016\/j.jisa.2026.104412_bib0028","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2020.101873","article-title":"HYDRA: A multimodal deep learning framework for malware classification","volume":"95","author":"Gibert","year":"2020","journal-title":"Computers Security"},{"key":"10.1016\/j.jisa.2026.104412_bib0029","series-title":"2024 International conference on multimedia analysis and pattern recognition (MAPR)","article-title":"A multimodal windows malware detection method based on hybrid analysis and graph representations","author":"Bao","year":"2024"},{"key":"10.1016\/j.jisa.2026.104412_bib0030","doi-asserted-by":"crossref","unstructured":"Maniriho P., Mahmood A.N., Chowdhury M.J.M.. Maldetconv: Automated behaviour-based malware detection framework based on natural language processing and deep learning techniques2022. arXiv: 220903547.","DOI":"10.1016\/j.jnca.2023.103704"},{"key":"10.1016\/j.jisa.2026.104412_bib0031","doi-asserted-by":"crossref","first-page":"S77","DOI":"10.1016\/j.diin.2019.01.017","article-title":"Maldy: portable, data-driven malware detection using natural language processing and machine learning techniques on behavioral analysis reports","volume":"28","author":"Karbab","year":"2019","journal-title":"Digital Invest"},{"key":"10.1016\/j.jisa.2026.104412_bib0032","series-title":"2017 21St asia pacific symposium on intelligent and evolutionary systems (IES)","first-page":"101","article-title":"NLP-based approaches for malware classification from API sequences","author":"Tran","year":"2017"},{"key":"10.1016\/j.jisa.2026.104412_bib0033","doi-asserted-by":"crossref","DOI":"10.1155\/2015\/659101","article-title":"A novel approach to detect malware based on API call sequence analysis","volume":"11","author":"Ki","year":"2015","journal-title":"Int J Distrib Sens Netw"},{"key":"10.1016\/j.jisa.2026.104412_bib0034","article-title":"Malware analysis using APIs pattern mining","volume":"7","author":"Obeis","year":"2018","journal-title":"Int J Eng & Technol"},{"key":"10.1016\/j.jisa.2026.104412_bib0035","series-title":"Proceedings of the 35th annual computer security applications conference","first-page":"444","article-title":"Neurlux: dynamic malware analysis without feature engineering","author":"Jindal","year":"2019"},{"key":"10.1016\/j.jisa.2026.104412_bib0036","series-title":"Proceedings of the 15th ACM workshop on artificial intelligence and security","article-title":"Quo vadis: hybrid machine learning meta-model based on contextual and behavioral malware representations","author":"Trizna","year":"2022"},{"key":"10.1016\/j.jisa.2026.104412_bib0037","doi-asserted-by":"crossref","DOI":"10.1109\/TIFS.2024.3409083","article-title":"Nebula: Self-attention for dynamic malware analysis","author":"Trizna","year":"2024","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"10.1016\/j.jisa.2026.104412_bib0038","article-title":"A2-CLM: Few-shot malware detection based on adversarial heterogeneous graph augmentation","author":"Liu","year":"2023","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"10.1016\/j.jisa.2026.104412_bib0039","series-title":"2023\u202fIEEE 13th international conference on RFID technology and applications (RFID-TA)","first-page":"111","article-title":"Early malware detection and next-action prediction","author":"Jamadi","year":"2023"},{"issue":"1","key":"10.1016\/j.jisa.2026.104412_bib0040","first-page":"423","article-title":"Development of a classification technique for API calls in automated teller machine","volume":"1","author":"Maxwell-Chigozie","year":"2022","journal-title":"Adeleke Univ J Sci"},{"key":"10.1016\/j.jisa.2026.104412_bib0041","first-page":"2349","article-title":"An optimized KNN model for signature-based malware detection","author":"Assegie","year":"2021","journal-title":"Int J Comp Eng In Res Trends (IJCERT)"},{"key":"10.1016\/j.jisa.2026.104412_bib0042","unstructured":"Microsoft Learn. Programming reference for the win32 API. 2026. Accessed January 21, 2026; https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/."},{"key":"10.1016\/j.jisa.2026.104412_bib0043","unstructured":"m417z. Ntdoc: Native windows API documentation. 2026. Accessed January 21, 2026; https:\/\/ntdoc.m417z.com\/."},{"key":"10.1016\/j.jisa.2026.104412_bib0044","unstructured":"Cuckoo Sandbox Project. Hooked apis and categories. 2015. Accessed January 21, 2026; https:\/\/github.com\/cuckoosandbox\/cuckoo\/wiki\/Hooked-APIs-and-Categories."},{"key":"10.1016\/j.jisa.2026.104412_bib0045","doi-asserted-by":"crossref","DOI":"10.1016\/j.jnca.2023.103704","article-title":"API-MalDetect: Automated malware detection framework for windows based on API calls and deep learning techniques","volume":"218","author":"Maniriho","year":"2023","journal-title":"J Netw Comput Appl"},{"key":"10.1016\/j.jisa.2026.104412_bib0046","article-title":"Windows pe API calls for malicious and benign programs","volume":"3","author":"Allan","year":"2019","journal-title":"Int J Technol Manag"},{"key":"10.1016\/j.jisa.2026.104412_bib0047","article-title":"Behavioral malware detection using deep graph convolutional neural networks","author":"de Oliveira","year":"2023","journal-title":"Authorea Preprints"},{"key":"10.1016\/j.jisa.2026.104412_bib0048","unstructured":"kericwy1337 and brooomisname. Datacon2019-Malicious-Code-DataSet-Stage1. 2019. Accessed January 21, 2026; dataset repository for malicious code classification; https:\/\/github.com\/kericwy1337\/Datacon2019-Malicious-Code-DataSet-Stage1."},{"key":"10.1016\/j.jisa.2026.104412_bib0049","unstructured":"Sakellariou G.. Cyber threat intelligence (CTI) quality metrics datasets. 2023. 10.21227\/fk3m-j666."}],"container-title":["Journal of Information Security and Applications"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S2214212626000426?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S2214212626000426?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T15:26:50Z","timestamp":1775921210000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S2214212626000426"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,6]]},"references-count":49,"alternative-id":["S2214212626000426"],"URL":"https:\/\/doi.org\/10.1016\/j.jisa.2026.104412","relation":{},"ISSN":["2214-2126"],"issn-type":[{"value":"2214-2126","type":"print"}],"subject":[],"published":{"date-parts":[[2026,6]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"A multimodal approach for windows malware detection using comprehensive analysis on called APIs","name":"articletitle","label":"Article Title"},{"value":"Journal of Information Security and Applications","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.jisa.2026.104412","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 Published by Elsevier Ltd.","name":"copyright","label":"Copyright"}],"article-number":"104412"}}