{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T21:05:36Z","timestamp":1773435936483,"version":"3.50.1"},"reference-count":73,"publisher":"IEEE","license":[{"start":{"date-parts":[[2025,12,8]],"date-time":"2025-12-08T00:00:00Z","timestamp":1765152000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,12,8]],"date-time":"2025-12-08T00:00:00Z","timestamp":1765152000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,12,8]]},"DOI":"10.1109\/acsac67867.2025.00100","type":"proceedings-article","created":{"date-parts":[[2026,2,24]],"date-time":"2026-02-24T20:54:58Z","timestamp":1771966498000},"page":"1288-1302","source":"Crossref","is-referenced-by-count":0,"title":["Fooling Machine's Eyes: Unicode Modifier Letter Evasion Attack"],"prefix":"10.1109","author":[{"given":"Chao","family":"Gao","sequence":"first","affiliation":[{"name":"Harbin University of Science and Technology,China"}]},{"given":"Guanglu","family":"Sun","sequence":"additional","affiliation":[{"name":"Harbin University of Science and Technology,China"}]},{"given":"Xin","family":"Liu","sequence":"additional","affiliation":[{"name":"Harbin University of Science and Technology,China"}]},{"given":"Feiyan","family":"Liu","sequence":"additional","affiliation":[{"name":"Harbin University of Science and Technology,China"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3045514"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00096"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2014.103"},{"key":"ref4","article-title":"Sigma - Generic Signature Format for SIEM Systems - 
GitHub","volume-title":"Sigma Contributors","year":"2023"},{"key":"ref5","volume-title":"Insertion, evasion, and denial of service: Eluding network intrusion detection","author":"Ptacek","year":"1998"},{"key":"ref6","article-title":"The increased use of Powershell in attacks","volume-title":"Symantec","year":"2016"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00047"},{"key":"ref8","volume-title":"Old Phishing Attacks Deploy a New Methodology: Verclsid.exe","author":"Haag","year":"2017"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.42"},{"key":"ref10","article-title":"A process was executed with a command line obfuscated by Unicode character substitution","volume-title":"CORTEX","year":"2023"},{"key":"ref11","volume-title":"Host\/Split: Exploitable Antipatterns in Unicode Normalization","author":"Birch","year":"2019"},{"key":"ref12","volume-title":"Windows Command Line Obfuscation","author":"Beukema","year":"2016"},{"key":"ref13","article-title":"The Unicode Standard, Version 13.0","volume-title":"The Unicode Consortium","year":"2020"},{"key":"ref14","volume-title":"Wanted: Process Command Lines","author":"Moe","year":"2020"},{"key":"ref15","article-title":"What is EDR Endpoint Detection Response","volume-title":"Microsoft","year":"2024"},{"key":"ref16","volume-title":"OS Credential Dumping: Security Account Manager, MITRE","author":"Williams","year":"2024"},{"key":"ref17","article-title":"Unicode Bidirectional Algorithm, Unicode Technical Report #9","volume-title":"The Unicode Consortium","year":"2020"},{"key":"ref18","article-title":"Internationalization for Windows Applications","volume-title":"Microsoft Learn","year":"2023"},{"key":"ref19","volume-title":"CompareStringW function (stringapiset.h)","author":"Learn","year":"2022"},{"key":"ref20","article-title":"Unicode Security Considerations, Unicode Technical Report #36","volume-title":"The Unicode 
Consortium","year":"2014"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/1143120.1143132"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-24434-6_1"},{"key":"ref23","first-page":"6507","article-title":"Trojan source: Invisible vulnerabilities","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Boucher"},{"key":"ref24","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-030-65722-2_11","volume-title":"Possible Instant Messaging Malware Attack Using Unicode Right-To-Left Override","author":"Yosifova","year":"2021"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1145\/3474369.3486871"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833641"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1145\/3607199.3607220"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/503124.503156"},{"key":"ref29","first-page":"24","article-title":"Cutting through the confusion: a measurement study of homograph attacks","volume-title":"Proceedings of the Annual Conference on USENIX \u201906 Annual Technical Conference, ser. 
ATEC \u201906","author":"Holgers"},{"issue":"3","key":"ref30","doi-asserted-by":"crossref","DOI":"10.3390\/jsan11030054","article-title":"Homo glyph attack detection model using machine learning and hash function","volume":"11","author":"Almuhaideb","year":"2022","journal-title":"Journal of Sensor and Actuator Networks"},{"key":"ref31","volume-title":"Handling Internationalized Domain Names","author":"Learn","year":"2021"},{"key":"ref32","article-title":"IDN Display Algorithm","volume-title":"Mozilla","year":"2024"},{"key":"ref33","article-title":"Network.IDN_show_punycode","volume-title":"Mozillazine","year":"2024"},{"key":"ref34","article-title":"Internationalized Domain Names (IDN) in Google Chrome","volume-title":"Chromium","year":"2024"},{"key":"ref35","volume-title":"Apple Safari for Mac OS X Multiple Vulnerabilities","author":"Hongkong","year":"2012"},{"key":"ref36","volume-title":"Internationalizing Domain Names in Applications (IDNA). RFC 3490","author":"Faltstrom","year":"2003"},{"key":"ref37","volume-title":"Punycode: A bootstring encoding of Unicode for internationalized domain names in applications (IDNA). RFC 3492","author":"Costello","year":"2003"},{"key":"ref38","first-page":"449","article-title":"Shamfinder: An automated framework for detecting idn homographs","volume-title":"Proceedings of the Internet Measurement Conference, ser. IMC \u201919","author":"Suzuki"},{"key":"ref39","first-page":"3739","article-title":"Assessing browser-level defense against IDN-based phishing","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Hu"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66332-6_4"},{"key":"ref41","first-page":"35","article-title":"Malicious behavior detection using windows audit logs","volume-title":"Proceedings of the 8th ACM Workshop on Artificial Intelligence and Security, ser. 
AISec \u201915","author":"Berlin"},{"key":"ref42","first-page":"442","article-title":"Living-off-the-land command detection using active learning","volume-title":"Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses, ser. RAID \u201921","author":"Ongun"},{"key":"ref43","first-page":"1831","article-title":"Effective and light-weight deobfuscation and semantic-aware attack detection for powershell scripts","volume-title":"Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS \u201919","author":"Li"},{"key":"ref44","first-page":"187","article-title":"Detecting malicious powershell commands using deep neural networks","volume-title":"Proceedings of the 2018 on Asia Conference on Computer and Communications Security, ser. ASIACCS \u201818","author":"Hendler"},{"key":"ref45","first-page":"2276","article-title":"Ast-based deep learning for detecting malicious powershell","volume-title":"Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS \u201818","author":"Rusak"},{"key":"ref46","first-page":"4539","article-title":"Powerpeeler: A precise and general dynamic deobfuscation method for powershell scripts","volume-title":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, ser. CCS \u201924","author":"Li"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/SURV.2011.092311.00082"},{"key":"ref48","first-page":"59","article-title":"Evading network anomaly detection systems: formal reasoning and practical techniques","volume-title":"Proceedings of the 13th ACM Conference on Computer and Communications Security, ser. 
CCS \u201906","author":"Fogla"},{"key":"ref49","article-title":"AVLeak: Fingerprinting antivirus emulators through Black-Box testing","volume-title":"10th USENIX Workshop on Offensive Technologies (WOOT 16)","author":"Blackthorne","year":"2016"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3003571"},{"key":"ref51","doi-asserted-by":"crossref","first-page":"249","DOI":"10.1016\/j.jnca.2017.10.004","article-title":"Countering cyber threats for industrial applications: An automated approach for malware evasion detection and analysis","volume":"103","author":"Noor","year":"2018","journal-title":"Journal of Network and Computer Applications"},{"key":"ref52","article-title":"You cannot escape me: Detecting evasions of siem rules in enterprise networks","author":"Uetz","year":"2024","journal-title":"USENIX Security 2024"},{"key":"ref53","article-title":"x64 calling convention","volume-title":"Microsoft","year":"2022"},{"key":"ref54","article-title":"PE Format","volume-title":"Microsoft Learn","year":"2024"},{"key":"ref55","article-title":"CURL","volume-title":"CURL Contributors","year":"1998"},{"key":"ref56","article-title":"IdnToAscii function (winnls.h)","volume-title":"Microsoft Learn","year":"2022"},{"key":"ref57","article-title":"Kaspersky Downloads","volume-title":"KasperskyLab","year":"2024"},{"key":"ref58","article-title":"Huorong 6.0.43","volume-title":"Huorong","year":"2021"},{"key":"ref59","article-title":"Open Source EDR for Windows","volume-title":"RawSec","year":"2021"},{"key":"ref60","article-title":"AI-driven SIEM Solution & Security Analytics-Elastic Security-Elastic SIEM","volume-title":"Elastic","year":"2024"},{"key":"ref61","article-title":"wazuh: The Open Source Security Platform","volume-title":"wazuh","year":"2025"},{"key":"ref62","article-title":"Credential Acquisition via Registry Hive Dumping","volume-title":"Elastic","year":"2024"},{"issue":"1","key":"ref63","first-page":"80","article-title":"Intelligence-driven 
computer network defense informed by analysis of adversary campaigns and intrusion kill chains","volume-title":"Leading Issues in Information Warfare & Security Research","volume":"1","author":"Hutchins","year":"2011"},{"key":"ref64","article-title":"Living off the land and fileless attack techniques","volume-title":"Symantec","year":"2017"},{"key":"ref65","volume-title":"Invoke-DOSfuscation","author":"Bohannon","year":"2018"},{"key":"ref66","article-title":"Living Off The Land Binaries and Scripts","volume-title":"LOLBAS Project","year":"2021"},{"key":"ref67","volume-title":"Command-line obfuscation detection using small language models","author":"Outrata","year":"2024"},{"key":"ref68","article-title":"Technical Reports: Unicode Normalization Forms, Unicode Technical Report #36","volume-title":"The Unicode Consortium","year":"2023"},{"key":"ref69","article-title":"Information technology-Security techniques-Vulnerability disclosure","volume-title":"ISO\/IEC","year":"2018"},{"key":"ref70","article-title":"Microsoft Security Response Center","volume-title":"Microsoft","year":"2022"},{"key":"ref71","article-title":"About the CVE Program","volume-title":"MITRE","year":"2021"},{"key":"ref72","article-title":"Introduction of China National Vulnerability Database","volume-title":"CNVD","year":"2010"},{"key":"ref73","article-title":"China National Vulnerability Database of Information Security","volume-title":"CNNVD","year":"2014"}],"event":{"name":"2025 IEEE Annual Computer Security Applications Conference (ACSAC)","location":"Honolulu, HI, USA","start":{"date-parts":[[2025,12,8]]},"end":{"date-parts":[[2025,12,12]]}},"container-title":["2025 IEEE Annual Computer Security Applications Conference 
(ACSAC)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11391636\/11391706\/11391715.pdf?arnumber=11391715","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T19:51:09Z","timestamp":1773431469000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11391715\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,12,8]]},"references-count":73,"URL":"https:\/\/doi.org\/10.1109\/acsac67867.2025.00100","relation":{},"subject":[],"published":{"date-parts":[[2025,12,8]]}}}