{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T02:06:56Z","timestamp":1777860416601,"version":"3.51.4"},"reference-count":40,"publisher":"Oxford University Press (OUP)","issue":"4","license":[{"start":{"date-parts":[[2024,9,5]],"date-time":"2024-09-05T00:00:00Z","timestamp":1725494400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/academic.oup.com\/pages\/standard-publication-reuse-rights"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,7,25]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>Cybersecurity technology has the ability to detect malware through a variety of methods, such as signature recognition, logical rules or the identification of known malware stored in a database or public source. However, threat actors continuously try to create new variants of existing malware by obfuscating or altering parts of the code to evade detection by antivirus engines. Infostealers are one of the most common malicious programs aimed at obtaining personal or banking information from an infected system and exfiltrating it. In addition, they are the precursors of potentially high-security incidents because attackers gain entry into companies\u2019 internal systems and may even access them with administrator permissions. 
This article demonstrates how a feature vector can be obtained from the assembly code of a Windows binary and how a Graph Neural Network can be used to determine, with ninety percent accuracy, whether it is an infostealer.<\/jats:p>","DOI":"10.1093\/jigpal\/jzae105","type":"journal-article","created":{"date-parts":[[2024,8,16]],"date-time":"2024-08-16T10:55:09Z","timestamp":1723805709000},"source":"Crossref","is-referenced-by-count":1,"title":["Study of infostealers using Graph Neural Networks"],"prefix":"10.1093","volume":"33","author":[{"given":"\u00c1lvaro","family":"Bustos-Tabernero","sequence":"first","affiliation":[{"name":"University of Salamanca , Plaza de los Ca\u00eddos, 37008 Salamanca, Spain, alvarob97@usal.es"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Daniel","family":"L\u00f3pez-S\u00e1nchez","sequence":"additional","affiliation":[{"name":"University of Salamanca , Plaza de los Ca\u00eddos, 37008 Salamanca, Spain, lope@usal.es"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ang\u00e9lica","family":"Gonz\u00e1lez-Arrieta","sequence":"additional","affiliation":[{"name":"University of Salamanca , Plaza de los Ca\u00eddos, 37008 Salamanca, Spain, angelica@usal.es"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Paulo","family":"Novais","sequence":"additional","affiliation":[{"name":"University of Minho , Gualtar Campus, 4710-057 Braga, Portugal, paulitinho@gmail.com"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"286","published-online":{"date-parts":[[2024,9,5]]},"reference":[{"key":"2026042920470138900_ref1","article-title":"Hacker hijacks orange spain ripe account to cause bgp havoc","author":"Abrams"},{"key":"2026042920470138900_ref2","article-title":"Malware analysis","author":"Baker"},{"key":"2026042920470138900_ref3","article-title":"Malwarebazaar \u2014 sha256","author":"Bazaar","year":"2023"},{"key":"2026042920470138900_ref4","article-title":"Rhadamanthys malware analysis: 
how infostealers use vms to avoid analysis","author":"Catalan"},{"key":"2026042920470138900_ref5","article-title":"Similarity-based malware classification using graph neural networks","volume":"12","author":"Chen","year":"2022","journal-title":"Applied Sciences"},{"key":"2026042920470138900_ref6","article-title":"Stellargraph\u2014machine learning on graphs","author":"CSIRO","year":"2020"},{"key":"2026042920470138900_ref7","article-title":"BERT: pre-training of deep bidirectional transformers for language understanding","volume-title":"NAACL HLT 2019\u20142019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies\u2014Proceedings of the Conference","author":"Devlin","year":"2019"},{"key":"2026042920470138900_ref8","doi-asserted-by":"crossref","first-page":"472","DOI":"10.1109\/SP.2019.00003","article-title":"Asm2vec: boosting static representation robustness for binary clone search against code obfuscation and compiler optimization","volume-title":"Proceedings\u2014IEEE Symposium on Security and Privacy, 2019-May","author":"Ding","year":"2019"},{"key":"2026042920470138900_ref9","doi-asserted-by":"crossref","first-page":"175","DOI":"10.1109\/TrustCom56396.2022.00034","article-title":"Mal-bert-gcn: malware detection by combining bert and gcn","volume-title":"2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)","author":"Ding","year":"2022"},{"key":"2026042920470138900_ref10","article-title":"Inductive representation learning on large graphs","author":"Hamilton","year":"2017","journal-title":"Advances in Neural Information Processing Systems"},{"key":"2026042920470138900_ref11","article-title":"From hidden bee to rhadamanthys\u2014the evolution of custom executable formats","author":"hasherezade"},{"key":"2026042920470138900_ref12","article-title":"Adam: a method for stochastic optimization","volume-title":"3rd International Conference on Learning 
Representations, ICLR 2015\u2014Conference Track Proceedings","author":"Kingma","year":"2015"},{"key":"2026042920470138900_ref13","article-title":"Semi-supervised classification with graph convolutional networks","volume-title":"5th International Conference on Learning Representations, ICLR 2017\u2014Conference Track Proceedings","author":"Kipf","year":"2016"},{"key":"2026042920470138900_ref14","doi-asserted-by":"crossref","DOI":"10.1007\/978-1-4614-6849-3","volume-title":"Applied Predictive Modeling","author":"Kuhn","year":"2013"},{"key":"2026042920470138900_ref15","article-title":"Github\u2014lancern\/asm2vec: an unofficial implementation of asm2vec as a standalone python package","author":"Lancern","year":"2020"},{"key":"2026042920470138900_ref16","doi-asserted-by":"crossref","first-page":"102872","DOI":"10.1016\/j.cose.2022.102872","article-title":"Dmalnet: dynamic malware analysis based on api feature engineering and graph learning","volume":"122","author":"Li","year":"2022","journal-title":"Computers & Security"},{"key":"2026042920470138900_ref17","doi-asserted-by":"crossref","first-page":"3236","DOI":"10.1145\/3460120.3484587","article-title":"Palmtree: learning an assembly language model for instruction embedding","volume-title":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","author":"Li","year":"2021"},{"key":"2026042920470138900_ref18","article-title":"Raccoon stealer","author":"Malpedia"},{"key":"2026042920470138900_ref19","article-title":"Redline stealer","author":"Malpedia"},{"key":"2026042920470138900_ref20","article-title":"Malwarebazaar","author":"MalwareBazaar","year":"2023"},{"key":"2026042920470138900_ref21","article-title":"Definition: threat intelligence","author":"McMillan","year":"2013"},{"key":"2026042920470138900_ref22","article-title":"Yara rules parent topic","author":"Micro","year":"2019"},{"key":"2026042920470138900_ref23","article-title":"Efficient estimation of word representations in vector 
space","volume-title":"1st International Conference on Learning Representations, ICLR 2013\u2014Workshop Track Proceedings","author":"Mikolov","year":"2013"},{"key":"2026042920470138900_ref24","article-title":"Ripe ncc access: security breach investigation","author":"RIPE NCC"},{"key":"2026042920470138900_ref25","article-title":"Networkx\u2014network analysis in python","author":"NetworkX","year":"2021"},{"key":"2026042920470138900_ref26","article-title":"Learning convolutional neural networks for graphs","volume-title":"33rd International Conference on Machine Learning, ICML 2016","author":"Niepert","year":"2016"},{"key":"2026042920470138900_ref27","article-title":"Rhadamanthys malware detection: new infostealer spread via google ads & spam emails to target crypto wallets and dump sensitive information","author":"Olyniychuk"},{"key":"2026042920470138900_ref28","first-page":"680","volume-title":"Evaluation of Classifier Models Using Stratified Tenfold Cross Validation Techniques","author":"Purushotham","year":"2011"},{"key":"2026042920470138900_ref29","article-title":"Radare2","author":"Radare2","year":"2023"},{"key":"2026042920470138900_ref30","article-title":"Any.run: interactive misc malware analysis sandbox","author":"App Any Run","year":"2023"},{"key":"2026042920470138900_ref31","doi-asserted-by":"crossref","first-page":"1020","DOI":"10.1145\/1774088.1774303","article-title":"Malware detection based on mining api calls","volume-title":"Proceedings of the 2010 ACM Symposium on Applied Computing","author":"Sami","year":"2010"},{"key":"2026042920470138900_ref32","article-title":"Automated malware analysis\u2014joe sandbox cloud basic","author":"Sandbox","year":"2023"},{"key":"2026042920470138900_ref33","doi-asserted-by":"crossref","first-page":"1972","DOI":"10.35940\/ijeat.F7941.088619","article-title":"Botnet detection on the analysis of zeus panda financial botnet","volume":"8","author":"Sarojini","year":"2019","journal-title":"International Journal of 
Engineering and Advanced Technology"},{"key":"2026042920470138900_ref34","article-title":"The graph neural network model","volume":"20","author":"Scarselli","year":"2009","journal-title":"IEEE Transactions on Neural Networks"},{"key":"2026042920470138900_ref35","doi-asserted-by":"crossref","first-page":"104","DOI":"10.1109\/MSP.2012.39","article-title":"How changing technology affects security","volume":"10","author":"Schneier","year":"2012","journal-title":"IEEE Security Privacy"},{"key":"2026042920470138900_ref36","article-title":"Zeus malware: threat banking industry","author":"Unisys Stealth Solution Team","year":"2010"},{"key":"2026042920470138900_ref37","article-title":"Virustotal","author":"VirusTotal"},{"key":"2026042920470138900_ref38","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2020.24167","article-title":"You are what you do: hunting stealthy malware via data provenance analysis","volume-title":"27th Annual Network and Distributed System Security Symposium, NDSS 2020, 27th Annual Network and Distributed System Security Symposium, NDSS 2020","author":"Wang","year":"2020"},{"key":"2026042920470138900_ref39","article-title":"Offical implementation for palmtree","author":"Li"},{"key":"2026042920470138900_ref40","article-title":"An end-to-end deep learning architecture for graph classification","author":"Zhang","year":"2018","journal-title":"The Thirty-Second AAAI Conference on Artificial Intelligence (AAAI-18)"}],"container-title":["Logic Journal of the 
IGPL"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/jigpal\/article-pdf\/33\/4\/jzae105\/59029372\/jzae105.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/jigpal\/article-pdf\/33\/4\/jzae105\/59029372\/jzae105.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,30]],"date-time":"2026-04-30T00:47:36Z","timestamp":1777510056000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/jigpal\/article\/doi\/10.1093\/jigpal\/jzae105\/7748391"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,9,5]]},"references-count":40,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2025,7,25]]}},"URL":"https:\/\/doi.org\/10.1093\/jigpal\/jzae105","relation":{},"ISSN":["1367-0751","1368-9894"],"issn-type":[{"value":"1367-0751","type":"print"},{"value":"1368-9894","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2025,8]]},"published":{"date-parts":[[2024,9,5]]},"article-number":"jzae105"}}