{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,30]],"date-time":"2026-04-30T10:08:47Z","timestamp":1777543727936,"version":"3.51.4"},"reference-count":76,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"3","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["U1936215"],"award-info":[{"award-number":["U1936215"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Dependable and Secure Comput."],"published-print":{"date-parts":[[2022,5,1]]},"DOI":"10.1109\/tdsc.2020.3032570","type":"journal-article","created":{"date-parts":[[2020,10,21]],"date-time":"2020-10-21T17:34:07Z","timestamp":1603301647000},"page":"1621-1638","source":"Crossref","is-referenced-by-count":19,"title":["RATScope: Recording and Reconstructing Missing RAT Semantic Behaviors for Forensic Analysis on Windows"],"prefix":"10.1109","volume":"19","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4183-4568","authenticated-orcid":false,"given":"Runqing","family":"Yang","sequence":"first","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9201-3893","authenticated-orcid":false,"given":"Xutong","family":"Chen","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0353-3879","authenticated-orcid":false,"given":"Haitao","family":"Xu","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6277-340X","authenticated-orcid":false,"given":"Yueqiang","family":"Cheng","sequence":"additional","affiliation":[{"name":"Baidu Security, CA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4426-3585","authenticated-orcid":false,"given":"Chunlin","family":"Xiong","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1934-3057","authenticated-orcid":false,"given":"Linqi","family":"Ruan","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mohammad","family":"Kavousi","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7712-0292","authenticated-orcid":false,"given":"Zhenyuan","family":"Li","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Liheng","family":"Xu","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4103-1498","authenticated-orcid":false,"given":"Yan","family":"Chen","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","article-title":"Shocking new reveals from sony hack","year":"2020"},{"key":"ref2","article-title":"Sony pictures hack","year":"2020"},{"key":"ref3","article-title":"Targets data breach: The commercialization of APT","year":"2020"},{"key":"ref4","article-title":"Plague in (security) software drivers","year":"2020"},{"key":"ref5","article-title":"KHOBE \u2013 8.0 earthquake for Windows desktop security software","year":"2020"},{"key":"ref6","article-title":"Captain hook: Pirating AVS to bypass exploit mitigations","year":"2020"},{"key":"ref7","article-title":"Kernel patch protection \u2014 Wikipedia, the free encyclopedia","year":"2020"},{"key":"ref8","article-title":"High accuracy attack provenance via binary-based execution partition","volume-title":"Proc. Annu. Netw. Distrib. Syst. Secur. Symp.","author":"Lee"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23350"},{"key":"ref10","first-page":"1111","article-title":"MPI: Multiple perspective attack investigation with semantic aware execution partitioning","volume-title":"Proc. 26th USENIX Conf. Secur. Symp.","author":"Ma"},{"key":"ref11","article-title":"Taintgrind: A Valgrind taint analysis tool","year":"2020"},{"key":"ref12","article-title":"VOLATILITY","year":"2020"},{"key":"ref13","article-title":"PANDA","year":"2020"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.48"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23254"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23141"},{"key":"ref17","first-page":"113","article-title":"AIQL: Enabling efficient attack investigation from system monitoring data","volume-title":"Proc. USENIX Conf. Usenix Annu. Tech. Conf.","author":"Gao"},{"key":"ref18","first-page":"487","article-title":"SLEUTH: Real-time attack scenario reconstruction from COTS audit data","volume-title":"Proc. 26th USENIX Conf. Secur. Symp.","author":"Hossain"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991122"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818039"},{"key":"ref21","first-page":"1005","article-title":"LogGC: Garbage collecting audit log","volume-title":"Proc. ACM SIGSAC Conf. Comput. Commun. Secur.","author":"Hyung"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866314"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23306"},{"key":"ref24","first-page":"351","article-title":"Effective and efficient malware detection at the end host","volume-title":"Proc. 18th Conf. USENIX Secur. Symp.","author":"Kolbitsch"},{"key":"ref25","article-title":"Adwind has resurfaced targeting enterprises in the Aerospace industries worldwide","year":"2020"},{"key":"ref26","article-title":"Adwind resurfaces, targeting danish companies","year":"2020"},{"key":"ref27","article-title":"APT-C-27 (Goldmouse): Suspected target attack against the middle east with WinRAR exploit","year":"2020"},{"key":"ref28","article-title":"Simple njRAT fuels nascent middle east cybercrime scene","year":"2020"},{"key":"ref29","article-title":"Quantum of surveillance: Familiar actors and possible false flags in syrian malware campaigns"},{"key":"ref30","article-title":"HackForums.net","year":"2020"},{"key":"ref31","article-title":"Hellbound hackers","year":"2020"},{"key":"ref32","article-title":"Offensive community","year":"2020"},{"key":"ref33","article-title":"Researchers uncover RSA phishing attack, hding in plain sight","year":"2020"},{"key":"ref34","article-title":"Hackers used \u201cPoison Ivy\u201d malware to steal chemical, defense secrets","year":"2020"},{"key":"ref35","article-title":"DarkComet RAT used in new attack on Syrian activists","year":"2020"},{"key":"ref36","article-title":"How hackers are using JeSuisCharlie to spread malware","year":"2020"},{"key":"ref37","article-title":"New xtreme RAT attacks US, Israel, and other foreign Governments","year":"2020"},{"key":"ref38","article-title":"Malware spy network targeted Israelis, Palestinians","year":"2020"},{"key":"ref39","article-title":"XtremeRAT: Nuisance or threat?","year":"2020"},{"key":"ref40","article-title":"Program for determining types of files for Windows, Linux and MacOS","year":"2020"},{"key":"ref41","article-title":"DirectX.Capture class library","year":"2020"},{"key":"ref42","article-title":"Atomic red team","year":"2020"},{"key":"ref43","article-title":"CALDERA plugin: Adversary","year":"2020"},{"key":"ref44","article-title":"Red team automation (RTA)","year":"2020"},{"key":"ref45","article-title":"Metta","year":"2020"},{"key":"ref46","article-title":"Empire: A PowerShell and python post-exploitation agent","year":"2020"},{"key":"ref47","article-title":"Desktop operating system market share worldwide","year":"2020"},{"key":"ref48","article-title":"Windows-10-Mitigation-Improvement","year":"2020"},{"key":"ref49","article-title":"Hardening Windows 10 with zero-day exploit mitigations","year":"2020"},{"key":"ref50","article-title":"SAQL: A stream-based query system for real-time abnormal system behavior detection","volume-title":"Proc. USENIX Secur. Symp.","author":"Gao"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23349"},{"key":"ref52","article-title":"Enriching intrusion alerts through multi-host causality","volume-title":"Proc. Netw. Distrib. Syst. Secur. Symp.","author":"King"},{"key":"ref53","article-title":"Retrieving event data using TDH","year":"2020"},{"key":"ref54","article-title":"KrabsETW: A modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions","year":"2020"},{"key":"ref55","article-title":"TraceEvent: A library designed to make controlling and parsing event tracing for Windows (ETW) events easy","year":"2020"},{"key":"ref56","article-title":"Common fields in ETW events","year":"2020"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1145\/1165389.945467"},{"key":"ref58","article-title":"Debugging with symbols","year":"2020"},{"key":"ref59","article-title":"Trojan hidden in fake revolutionary documents targets syrian activists","year":"2020"},{"key":"ref60","article-title":"Syrian malware, the ever-evolving threat","year":"2020"},{"key":"ref61","article-title":"The Syrian spyware to target the opposition activists","year":"2020"},{"key":"ref62","first-page":"729","article-title":"TESSERACT: Eliminating experimental bias in malware classification across space and time","volume-title":"Proc. USENIX Conf. Secur. Symp.","author":"Pendlebury"},{"key":"ref63","article-title":"New Mac backdoor using antiquated code","year":"2020"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00026"},{"key":"ref65","article-title":"ATT&CK in practice primer to improve your cyber defense","year":"2020"},{"key":"ref66","article-title":"NjRAT source code","year":"2020"},{"key":"ref67","article-title":"Is there a new njRAT out there","year":"2020"},{"key":"ref68","article-title":"AForge.NET framework","year":"2020"},{"key":"ref69","article-title":"Global keyboard and mouse listeners for Java","year":"2020"},{"key":"ref70","article-title":"Global keyboard and mouse listeners for C#","year":"2020"},{"key":"ref71","article-title":"Signatures of RATs","year":"2020"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586145"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2005.20"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1109\/AINA.2015.257"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-49151-6_8"},{"key":"ref76","article-title":"Schr\u00f6dingers RAT: Profiling the stakeholders in the remote access trojan ecosystem","volume-title":"Proc. USENIX Conf. Secur. Symp.","author":"Rezaeirad"}],"container-title":["IEEE Transactions on Dependable and Secure Computing"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/8858\/9773152\/09234076.pdf?arnumber=9234076","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,1,9]],"date-time":"2024-01-09T23:48:30Z","timestamp":1704844110000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9234076\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5,1]]},"references-count":76,"journal-issue":{"issue":"3"},"URL":"https:\/\/doi.org\/10.1109\/tdsc.2020.3032570","relation":{},"ISSN":["1545-5971","1941-0018","2160-9209"],"issn-type":[{"value":"1545-5971","type":"print"},{"value":"1941-0018","type":"electronic"},{"value":"2160-9209","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,5,1]]}}}