{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T05:53:57Z","timestamp":1773381237377,"version":"3.50.1"},"reference-count":174,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"2","license":[{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"am","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation, NSF","doi-asserted-by":"publisher","award":["IIS-1320956"],"award-info":[{"award-number":["IIS-1320956"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Commun. Surv. Tutorials"],"published-print":{"date-parts":[[2017]]},"DOI":"10.1109\/comst.2016.2636078","type":"journal-article","created":{"date-parts":[[2016,12,8]],"date-time":"2016-12-08T19:13:25Z","timestamp":1481224405000},"page":"1145-1172","source":"Crossref","is-referenced-by-count":119,"title":["A Survey of Stealth Malware Attacks, Mitigation Measures, and Steps Toward Autonomous Open World Solutions"],"prefix":"10.1109","volume":"19","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8831-5514","authenticated-orcid":false,"given":"Ethan M.","family":"Rudd","sequence":"first","affiliation":[]},{"given":"Andras","family":"Rozsa","sequence":"additional","affiliation":[]},{"given":"Manuel","family":"Gunther","sequence":"additional","affiliation":[]},{"given":"Terrance E.","family":"Boult","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref170","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2013.13"},{"key":"ref172","article-title":"Developing a high-accuracy cross platform host-based intrusion detection system capable of reliably detecting zero-day attacks","author":"creech","year":"2014"},{"key":"ref171","doi-asserted-by":"publisher","DOI":"10.1109\/WCNC.2013.6555301"},{"key":"ref174","year":"0","journal-title":"Microsoft Windows Library Files"},{"key":"ref173","year":"0","journal-title":"IndexedDB API"},{"key":"ref168","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-15558-1_35"},{"key":"ref169","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2012.6248021"},{"key":"ref39","year":"0","journal-title":"Hooks Overview"},{"key":"ref38","year":"0","journal-title":"SetWindowsHookEx Function (Windows)"},{"key":"ref33","year":"1999","journal-title":"Detours"},{"key":"ref32","year":"0","journal-title":"Introduction to x64 Assembly Intel Software"},{"key":"ref31","author":"leitch","year":"2011","journal-title":"IAT hooking revisited"},{"key":"ref30","year":"2007","journal-title":"What is a DLL?"},{"key":"ref37","year":"2013","journal-title":"Using CreateRemoteThread for DLL Injection on Windows"},{"key":"ref36","year":"2013","journal-title":"Using SetWindowsHookEx for DLL Injection on Windows"},{"key":"ref35","year":"2013","journal-title":"API Hooking and DLL Injection on Windows"},{"key":"ref34","article-title":"Detours: Binary interception of Win32 functions","volume":"3","author":"hunt","year":"1999","journal-title":"Proc 3rd Usenix Windows NT Symp"},{"key":"ref28","author":"matrosov","year":"2012","journal-title":"Olmasco Bootkit Next Circle of TDL4 Evolution (or Not?)"},{"key":"ref27","author":"rodionov","year":"0","journal-title":"Mind the Gapz The Most Complex Rootkit Ever Analyzed?"},{"key":"ref29","article-title":"VICE—Catch the hookers!","author":"butler","year":"0"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2014.2386139"},{"key":"ref22","first-page":"13","article-title":"Copilot—A coprocessor-based kernel runtime integrity monitor","author":"petroni","year":"2004","journal-title":"Proc 13th Conf USENIX Security Symp (SSYM '04)"},{"key":"ref21","first-page":"57","article-title":"Ups and downs of UNIX\/Linux host-based security solutions","volume":"28","author":"chuvakin","year":"2003","journal-title":"Login The Magazine of USENIX and SAGE"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/191177.191183"},{"key":"ref23","article-title":"Windows rootkits of 2005, part one","author":"butler","year":"2005"},{"key":"ref26","author":"szor","year":"2005","journal-title":"The Art of Computer Virus Research and Defense"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1109\/VIZSEC.2005.1532061"},{"key":"ref25","author":"hoglund","year":"2005","journal-title":"Rootkits Subverting the Windows Kernel"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1109\/MNET.2015.7340429"},{"key":"ref50","first-page":"368","article-title":"Detecting stealth software with strider Ghostbuster","author":"wang","year":"2005","journal-title":"Proc Int Conf Depend Syst Netw"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2010.38"},{"key":"ref154","first-page":"475","article-title":"An adaptive weighted one-class SVM for robust outlier detection","author":"yang","year":"2015","journal-title":"Proceedings of the 2015 Chinese Intelligent Systems Conference"},{"key":"ref153","doi-asserted-by":"publisher","DOI":"10.1145\/2500853.2500857"},{"key":"ref156","first-page":"358","article-title":"Anomaly intrusion detection using one-class SVM","author":"wang","year":"2004","journal-title":"Proc Annual IEEE SMC Inf Assur Workshop"},{"key":"ref155","article-title":"One class support vector machines for detecting anomalous windows registry accesses","author":"heller","year":"2003","journal-title":"Workshop on Data Mining for Computer Security"},{"key":"ref150","article-title":"Outlier detection in large-scale traffic data by Naïve Bayes method and Gaussian mixture model method","author":"lam","year":"2015"},{"key":"ref152","doi-asserted-by":"publisher","DOI":"10.1016\/S0031-3203(02)00026-2"},{"key":"ref151","doi-asserted-by":"publisher","DOI":"10.1023\/B:DAMI.0000023676.72185.7c"},{"key":"ref146","doi-asserted-by":"crossref","first-page":"385","DOI":"10.1109\/ICPR.2002.1047476","article-title":"Parzen-window network intrusion detectors","volume":"4","author":"yeung","year":"2002","journal-title":"Proc 16th Int Conf Pattern Recognit"},{"key":"ref147","doi-asserted-by":"publisher","DOI":"10.1109\/IWMN.2015.7322980"},{"key":"ref148","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-41299-8_35"},{"key":"ref149","doi-asserted-by":"publisher","DOI":"10.1109\/ICAwST.2015.7314046"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26450-9_20"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom.2014.54"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-009-0121-9"},{"key":"ref56","first-page":"70","article-title":"Metamorphism, formal grammars and undecidable code mutation","volume":"2","author":"filiol","year":"2007","journal-title":"Int J Comput Sci"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-012-0174-z"},{"key":"ref54","first-page":"194","article-title":"Advanced polymorphic techniques","volume":"2","author":"beaucamps","year":"2007","journal-title":"Int J Comput Sci"},{"key":"ref53","first-page":"123","article-title":"Hunting for metamorphic","author":"sz\u00f6r","year":"2001","journal-title":"Proc Virus Bull Conf"},{"key":"ref52","article-title":"Fourth-generation rootkits","author":"seifried","year":"2008","journal-title":"Linux Mag"},{"key":"ref40","author":"harley","year":"2011","journal-title":"TDL4 Rebooted"},{"key":"ref167","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2013.6706768"},{"key":"ref166","doi-asserted-by":"publisher","DOI":"10.1109\/TCYB.2013.2247592"},{"key":"ref165","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2000.861503"},{"key":"ref164","doi-asserted-by":"publisher","DOI":"10.1142\/S0218539307002568"},{"key":"ref163","doi-asserted-by":"crossref","first-page":"203","DOI":"10.1007\/978-3-540-30143-1_11","article-title":"Anomalous payload-based network intrusion detection","author":"wang","year":"2004","journal-title":"Proc Int l Symp Recent Advances in Intrusion Detection"},{"key":"ref162","first-page":"1","article-title":"Adaptive network intrusion detection system using a hybrid approach","author":"karthick","year":"2012","journal-title":"Proc Int Conf Commun Syst Netw"},{"key":"ref161","first-page":"259","article-title":"Approaches to online learning and concept drift for user identification in computer security","author":"lane","year":"1998","journal-title":"Proc 4th Int Conf Knowl Disc Data Min"},{"key":"ref160","article-title":"The extreme value machine","author":"rudd","year":"2015"},{"key":"ref4","author":"shields","year":"2008","journal-title":"Survey of Rootkit Technologies and Their Impact on Digital Forensics"},{"key":"ref3","first-page":"134","article-title":"A brief survey on rootkit techniques in malicious codes","volume":"3","author":"kim","year":"2012","journal-title":"J Internet Serv Inf Security"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1145\/2716260"},{"key":"ref5","article-title":"Intrusion detection systems: A survey and taxonomy","author":"axelsson","year":"2000"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2009.05.029"},{"key":"ref159","doi-asserted-by":"publisher","DOI":"10.1162\/089976601750264965"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1186\/s40537-015-0013-4"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-22424-9_13"},{"key":"ref157","first-page":"3077","article-title":"Improving one-class SVM for anomaly detection","volume":"5","author":"li","year":"2003","journal-title":"Proc Int Conf Mach Learn Cybern"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2008.08.003"},{"key":"ref158","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM.2006.165"},{"key":"ref46","author":"tanenbaum","year":"2007","journal-title":"Modern Operating Systems"},{"key":"ref45","year":"0","journal-title":"Hooking IDT—InfoSec Resources"},{"key":"ref48","article-title":"Remote windows kernel exploitation: Step into ring 0","author":"jack","year":"2005"},{"key":"ref47","year":"0","journal-title":"PsSetLoadImageNotifyRoutine Routine (Windows Drivers)"},{"key":"ref42","author":"ferrie","year":"0","journal-title":"The Curse of Necurs—Part 1"},{"key":"ref41","year":"2005","journal-title":"Sony’s DRM Rootkit The Real Story"},{"key":"ref44","year":"0","journal-title":"Hooking the System Service Dispatch Table (SSDT)—InfoSec Resources"},{"key":"ref43","author":"li","year":"0","journal-title":"RTF Attack Takes Advantage of Multiple Exploits"},{"key":"ref127","first-page":"519","article-title":"Feature selection of intrusion detection data using a hybrid genetic algorithm\/KNN approach","author":"middlemiss","year":"2003","journal-title":"Design and Application of Hybrid Intelligent Systems"},{"key":"ref126","first-page":"1790","article-title":"Feature reduction using principal component analysis for effective anomaly-based intrusion detection on NSL-KDD","volume":"2","author":"lakhina","year":"2010","journal-title":"Int J Eng Sci Technol"},{"key":"ref125","doi-asserted-by":"publisher","DOI":"10.1109\/ARES.2010.70"},{"key":"ref124","first-page":"75","article-title":"Feature subset selection for network intrusion detection mechanism using genetic eigenvectors","author":"ahmad","year":"2011","journal-title":"Proc Int Conf Telecommun Technol Appl"},{"key":"ref73","article-title":"System virginity verifier—Defining the roadmap for malware detection on windows systems","author":"rutkowska","year":"2005","journal-title":"Proceedings of the Hack in the Box Security Conference"},{"key":"ref72","article-title":"A virtual machine introspection based architecture for intrusion detection","author":"garfinkel","year":"2003","journal-title":"Proc Symp Network and Distributed System Security"},{"key":"ref129","doi-asserted-by":"publisher","DOI":"10.3141\/1822-05"},{"key":"ref71","article-title":"sKyWIper (a.k.a Flame a.k.a Flamer): A complex malware for targeted attacks","author":"bencs\u00e1th","year":"2012"},{"key":"ref128","first-page":"1","article-title":"Feature engineering and classifier ensemble for KDD cup 2010","author":"yu","year":"2010","journal-title":"Proc KDD Cup Workshop"},{"key":"ref70","article-title":"Gauss: Abnormal distribution","year":"2012"},{"key":"ref76","article-title":"Windows rootkits of 2005, part three","author":"butler","year":"2005"},{"key":"ref130","doi-asserted-by":"publisher","DOI":"10.1145\/1167253.1167288"},{"key":"ref77","article-title":"RootkitRevealer","volume":"1","author":"cogswell","year":"2006","journal-title":"Rootkit Detection Tool by Microsoft"},{"key":"ref74","author":"rutkowska","year":"2004","journal-title":"Detecting Windows Server Compromises with Patchfinder 2"},{"key":"ref75","author":"rutkowska","year":"2005","journal-title":"Thoughts about Cross-View based Rootkit Detection"},{"key":"ref133","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2006.05.003"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2006.10.146"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1109\/SAINT.2003.1183050"},{"key":"ref78","article-title":"RAIDE: Rootkit analysis identification elimination","volume":"47","author":"butler","year":"2006","journal-title":"Black Hat USA"},{"key":"ref132","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2010.02.102"},{"key":"ref79","first-page":"20","article-title":"An architecture for specification-based detection of semantic integrity violations in kernel dynamic data","volume":"2","author":"petroni","year":"2006","journal-title":"Proc 15th Conf USENIX Security Symp"},{"key":"ref136","doi-asserted-by":"publisher","DOI":"10.1109\/ICNC.2008.900"},{"key":"ref135","doi-asserted-by":"publisher","DOI":"10.1109\/ICOCI.2006.5276609"},{"key":"ref138","article-title":"Intriguing properties of neural networks","author":"szegedy","year":"2014","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref137","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298640"},{"key":"ref60","doi-asserted-by":"crossref","first-page":"971","DOI":"10.3390\/fi4040971","article-title":"The cousins of Stuxnet: Duqu, flame, and Gauss","volume":"4","author":"bencs\u00e1th","year":"2012","journal-title":"Future Internet"},{"key":"ref139","article-title":"Explaining and harnessing adversarial examples","author":"goodfellow","year":"2015","journal-title":"Proc Int Conf Learn Represent"},{"key":"ref62","year":"0","journal-title":"An Encounter With Trojan Nap"},{"key":"ref61","year":"0","journal-title":"Apple IDs Targeted by Kelihos Botnet Phishing Campaign"},{"key":"ref63","author":"bennett","year":"2013","journal-title":"Poison Ivy Assessing Damage and Extracting Intelligence"},{"key":"ref64","year":"0","journal-title":"Trojan Upclicker Ties Malware to the Mouse"},{"key":"ref140","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-68282-2"},{"key":"ref65","author":"singh","year":"2013","journal-title":"Hot Knives Through Butter Evading File-based Sandboxes"},{"key":"ref141","doi-asserted-by":"publisher","DOI":"10.1142\/p191"},{"key":"ref66","first-page":"81","volume":"21","year":"2016","journal-title":"Internet Security Threat Report Trends for 2016"},{"key":"ref142","doi-asserted-by":"crossref","first-page":"2481","DOI":"10.1016\/j.sigpro.2003.07.018","article-title":"Novelty detection: A review—Part 1: Statistical approaches","volume":"83","author":"markou","year":"2003","journal-title":"Signal Process"},{"key":"ref67","article-title":"Point-of-sale system breaches: Threats to the retail and hospitality industries","author":"micro","year":"2014"},{"key":"ref143","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2014.2321392"},{"key":"ref68","year":"0","journal-title":"Darkhotel’s Attacks in 2015—Securelist"},{"key":"ref2","first-page":"68","article-title":"Survey on android rootkit","volume":"32","author":"li","year":"2011","journal-title":"CNKI—Microprocess"},{"key":"ref144","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-10578-9_26"},{"key":"ref69","first-page":"6","article-title":"W32.Stuxnet dossier","volume":"5","author":"falliere","year":"2011"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.25"},{"key":"ref145","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2015.7298799"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-980109"},{"key":"ref109","doi-asserted-by":"crossref","DOI":"10.31979\/etd.rnm3-sdfc","article-title":"Analysis and detection of metamorphic computer viruses","author":"wong","year":"2006"},{"key":"ref94","first-page":"61","article-title":"Detecting manipulated remote call streams","author":"giffin","year":"2002","journal-title":"Proc 11th Usenix Security Symp"},{"key":"ref108","doi-asserted-by":"crossref","DOI":"10.31979\/etd.z942-squp","article-title":"Towards an undetectable computer virus","author":"desai","year":"2008"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1996.502675"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-010-0148-y"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2003.1199328"},{"key":"ref106","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-012-0160-5"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2006.06.010"},{"key":"ref105","doi-asserted-by":"crossref","DOI":"10.31979\/etd.j6tm-a5pd","article-title":"Detecting undetectable computer viruses","author":"venkatachalam","year":"2010"},{"key":"ref90","first-page":"22","article-title":"Shredding your garbage: Reducing data lifetime through secure deallocation","author":"chow","year":"2005","journal-title":"Proc 14th Conf USENIX Security Symp"},{"key":"ref104","doi-asserted-by":"crossref","DOI":"10.31979\/etd.ez5v-x8jc","article-title":"Code obfuscation and virus detection","author":"venkatesan","year":"2008"},{"key":"ref103","author":"o\u2019gorman","year":"2012","journal-title":"Ransomware A Growing Menace"},{"key":"ref102","author":"bishop","year":"2006","journal-title":"Pattern Recognition and Machine Learning"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-008-0105-1"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1145\/967900.967988"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-006-0028-7"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2001.924295"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/TC.2013.191"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1145\/1323293.1294293"},{"key":"ref97","first-page":"1","article-title":"Exploiting execution context for the detection of anomalous system calls","author":"mutz","year":"2007","journal-title":"Proc Int l Symp the Recent Advances in Intrusion Detection"},{"key":"ref10","first-page":"120","article-title":"A data mining framework for building intrusion detection models","author":"lee","year":"1999","journal-title":"Proc IEEE Symp Security Privacy"},{"key":"ref11","article-title":"Kaspersky security bulletin","year":"2015"},{"key":"ref12","article-title":"HPE security research cyber risk report","year":"2015"},{"key":"ref13","article-title":"HPE security research cyber risk report","year":"2016"},{"key":"ref14","article-title":"IBM X-force threat intelligence report 2016","year":"2016"},{"key":"ref15","article-title":"Internet security threat report","year":"2015"},{"key":"ref16","article-title":"Internet security threat report","year":"2016"},{"key":"ref82","doi-asserted-by":"crossref","first-page":"335","DOI":"10.1145\/1323293.1294294","article-title":"SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes","volume":"41","author":"seshadri","year":"2007","journal-title":"SIGOPS Oper Syst Rev"},{"key":"ref118","first-page":"5","article-title":"Intrusion detection with unlabeled data using clustering","author":"portnoy","year":"2001","journal-title":"Proc ACM CSS Workshop on Data Mining Applied to Security"},{"key":"ref17","article-title":"McAfee labs threats report","year":"2016"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653730"},{"key":"ref117","first-page":"6","article-title":"Data mining approaches for intrusion detection","author":"lee","year":"1998","journal-title":"The Proceedings of the 7th USENIX Security Symposium"},{"key":"ref18","article-title":"Microsoft security intelligence report","year":"2015"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1145\/1273442.1250746"},{"key":"ref19","article-title":"M-Trends","year":"2016"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-87403-4_1"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.1137\/1.9781611972733.3"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2010.61"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.2012.256"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1145\/1593105.1593239"},{"key":"ref116","doi-asserted-by":"publisher","DOI":"10.1016\/j.compeleceng.2012.05.013"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1109\/IJCNN.2002.1007774"},{"key":"ref89","doi-asserted-by":"crossref","first-page":"276","DOI":"10.1007\/11961635_19","article-title":"New malicious code detection using variable length n-grams","author":"reddy","year":"2006","journal-title":"Proc 2nd Int Conf Inform Syst Security"},{"key":"ref120","article-title":"The MINDS—Minnesota intrusion detection system","author":"ert\u00f6z","year":"2004","journal-title":"Next Generation Data Mining"},{"key":"ref121","doi-asserted-by":"publisher","DOI":"10.1109\/MIS.2009.42"},{"key":"ref122","volume":"31","author":"aggarwal","year":"2007","journal-title":"Data Streams—Models and Algorithms"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.1109\/IT.1998.713396"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1145\/1519065.1519072"},{"key":"ref86","first-page":"330","article-title":"Automatic placement of authorization hooks in the Linux security modules framework","author":"ganapathy","year":"2005","journal-title":"Proc 12th ACM Conf Comput Commun Security"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1186\/s40064-016-1861-x"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1109\/CMPSAC.2004.1342667"}],"container-title":["IEEE Communications Surveys & Tutorials"],"original-title":[],"link":[{"URL":"http:\/\/ieeexplore.ieee.org\/ielaam\/9739\/7936707\/7778160-aam.pdf","content-type":"application\/pdf","content-version":"am","intended-application":"syndication"},{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9739\/7936707\/07778160.pdf?arnumber=7778160","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,4,8]],"date-time":"2022-04-08T18:51:49Z","timestamp":1649443909000},"score":1,"resource":{"primary":{"URL":"http:\/\/ieeexplore.ieee.org\/document\/7778160\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017]]},"references-count":174,"journal-issue":{"issue":"2"},"URL":"https:\/\/doi.org\/10.1109\/comst.2016.2636078","relation":{},"ISSN":["1553-877X"],"issn-type":[{"value":"1553-877X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017]]}}}