{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:41:29Z","timestamp":1750308089119,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":36,"publisher":"ACM","license":[{"start":{"date-parts":[[2005,11,11]],"date-time":"2005-11-11T00:00:00Z","timestamp":1131667200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2005,11,11]]},"DOI":"10.1145\/1103626.1103641","type":"proceedings-article","created":{"date-parts":[[2006,2,6]],"date-time":"2006-02-06T15:52:40Z","timestamp":1139241160000},"page":"72-80","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":26,"title":["Host-based detection of worms through peer-to-peer cooperation"],"prefix":"10.1145","author":[{"given":"David J.","family":"Malan","sequence":"first","affiliation":[{"name":"Harvard University, Cambridge, Massachusetts"}]},{"given":"Michael D.","family":"Smith","sequence":"additional","affiliation":[{"name":"Harvard University, Cambridge, Massachusetts"}]}],"member":"320","published-online":{"date-parts":[[2005,11,11]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Anderson and Jun Li. Aggregating Detectors for New Worm Identification. In USENIX 2004 Work-in-Progress Reports. USENIX","author":"Eric","year":"2004","unstructured":"Eric Anderson and Jun Li. Aggregating Detectors for New Worm Identification. In USENIX 2004 Work-in-Progress Reports. USENIX , June 2004 . Eric Anderson and Jun Li. Aggregating Detectors for New Worm Identification. In USENIX 2004 Work-in-Progress Reports. USENIX, June 2004."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/1064979.1065005"},{"key":"e_1_3_2_1_3_1","volume-title":"Undocumented Windows NT. M&T Books","author":"Dabak Prasad","year":"1999","unstructured":"Prasad Dabak , Sandeep Phadke , and Milind Borate . Undocumented Windows NT. M&T Books , 1999 . Prasad Dabak, Sandeep Phadke, and Milind Borate. Undocumented Windows NT. M&T Books, 1999."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/1029618.1029625"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.5555\/525080.884258"},{"key":"e_1_3_2_1_6_1","unstructured":"Grisoft Inc. http:\/\/www.grisoft.com\/.  Grisoft Inc. http:\/\/www.grisoft.com\/."},{"key":"e_1_3_2_1_7_1","volume-title":"August","author":"Gulbrandsen John","year":"2004","unstructured":"John Gulbrandsen . How Do Windows NT System Calls REALLY Work? http:\/\/www.codeguru.com\/Cpp\/W-P\/system\/devicedriverdevelopment\/article.php\/c8035\/ , August 2004 . John Gulbrandsen. How Do Windows NT System Calls REALLY Work? http:\/\/www.codeguru.com\/Cpp\/W-P\/system\/devicedriverdevelopment\/article.php\/c8035\/, August 2004."},{"key":"e_1_3_2_1_8_1","unstructured":"John Gulbrandsen. System Call Optimization with the SYSENTER Instruction. http:\/\/www.codeguru.com\/Cpp\/W-P\/system\/devicedriverdevelopment\/article.php\/c8223\/ October 2004.  John Gulbrandsen. System Call Optimization with the SYSENTER Instruction. http:\/\/www.codeguru.com\/Cpp\/W-P\/system\/devicedriverdevelopment\/article.php\/c8223\/ October 2004."},{"key":"e_1_3_2_1_9_1","volume-title":"October","author":"Herath Nishad P.","year":"1998","unstructured":"Nishad P. Herath . Adding Services To The NT Kernel. microsoft.public.win32.programmer.kernel , October 1998 . Nishad P. Herath. Adding Services To The NT Kernel. microsoft.public.win32.programmer.kernel, October 1998."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-980109"},{"key":"e_1_3_2_1_12_1","first-page":"271","volume-title":"Distributed Worm Signature Detection. In USENIX Security Symposium","author":"Kim Hyang-Ah","year":"2004","unstructured":"Hyang-Ah Kim and Brad Karp . Autograph : Toward Automated , Distributed Worm Signature Detection. In USENIX Security Symposium , pages 271 -- 286 , 2004 . Hyang-Ah Kim and Brad Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In USENIX Security Symposium, pages 271--286, 2004."},{"key":"e_1_3_2_1_14_1","unstructured":"PC Magazine. WebBench 5.0. http:\/\/www.pcmag.com\/benchmarks\/.  PC Magazine. WebBench 5.0. http:\/\/www.pcmag.com\/benchmarks\/."},{"key":"e_1_3_2_1_15_1","unstructured":"McAfee Inc. http:\/\/www.mcafee.com\/.  McAfee Inc. http:\/\/www.mcafee.com\/."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSECP.2003.1219056"},{"key":"e_1_3_2_1_17_1","unstructured":"Gary Nebbett. Windows NT\/2000 Native API Reference. MTP 2000.   Gary Nebbett. Windows NT\/2000 Native API Reference. MTP 2000."},{"key":"e_1_3_2_1_18_1","volume-title":"Dawn Song. Polygraph: Automatically Generating Signatures For Polymorphic Worms. In USENIX Security Symposium","author":"Newsome James","year":"2005","unstructured":"James Newsome , Brad Karp , and Dawn Song. Polygraph: Automatically Generating Signatures For Polymorphic Worms. In USENIX Security Symposium , 2005 . James Newsome, Brad Karp, and Dawn Song. Polygraph: Automatically Generating Signatures For Polymorphic Worms. In USENIX Security Symposium, 2005."},{"key":"e_1_3_2_1_19_1","unstructured":"PC World Communications Inc. WorldBench 5. http:\/\/www.worldbench.com\/.  PC World Communications Inc. WorldBench 5. http:\/\/www.worldbench.com\/."},{"key":"e_1_3_2_1_20_1","article-title":"Poking Around Under the Hood","author":"Pietrek Matt","year":"1996","unstructured":"Matt Pietrek . Poking Around Under the Hood : A Programmer's View of Windows NT 4.0. Microsoft Systems Journal , August 1996 . http:\/\/www.microsoft.com\/msj\/archive\/s413.aspx. Matt Pietrek. Poking Around Under the Hood: A Programmer's View of Windows NT 4.0. Microsoft Systems Journal, August 1996. http:\/\/www.microsoft.com\/msj\/archive\/s413.aspx.","journal-title":"A Programmer's View of Windows NT 4.0. Microsoft Systems Journal"},{"key":"e_1_3_2_1_21_1","first-page":"257","volume-title":"Provos. Improving Host Security with System Call Policies. In USENIX Security Symposium","author":"Niels","year":"2003","unstructured":"Niels Provos. Improving Host Security with System Call Policies. In USENIX Security Symposium , pages 257 -- 272 , 2003 . Niels Provos. Improving Host Security with System Call Policies. In USENIX Security Symposium, pages 257--272, 2003."},{"key":"e_1_3_2_1_22_1","unstructured":"Tim J. Robbins. Windows NT System Service Table Hooking. http:\/\/www.wiretapped.net\/~fyre\/sst.html.  Tim J. Robbins. Windows NT System Service Table Hooking. http:\/\/www.wiretapped.net\/~fyre\/sst.html."},{"key":"e_1_3_2_1_23_1","unstructured":"Paul Roberts. Mydoom Sets Speed Records. http:\/\/www.pcworld.com\/news\/article\/0 aid 114461 00.asp.  Paul Roberts. Mydoom Sets Speed Records. http:\/\/www.pcworld.com\/news\/article\/0 aid 114461 00.asp."},{"key":"e_1_3_2_1_24_1","unstructured":"Mark Russinovich. Inside the Native API. http:\/\/www.sysinternals.com\/Information\/NativeApi.html 1998.  Mark Russinovich. Inside the Native API. http:\/\/www.sysinternals.com\/Information\/NativeApi.html 1998."},{"key":"e_1_3_2_1_25_1","unstructured":"Todd Sabin. Personal correspondence.  Todd Sabin. Personal correspondence."},{"key":"e_1_3_2_1_26_1","unstructured":"Todd Sabin. Strace for NT. http:\/\/www.bindview.com\/Services\/RAZOR\/Utilities\/Windows\/strace_readme.cfm.  Todd Sabin. Strace for NT. http:\/\/www.bindview.com\/Services\/RAZOR\/Utilities\/Windows\/strace_readme.cfm."},{"key":"e_1_3_2_1_27_1","unstructured":"Sana Security Inc. http:\/\/www.sanasecurity.com\/.  Sana Security Inc. http:\/\/www.sanasecurity.com\/."},{"key":"e_1_3_2_1_28_1","volume-title":"Berger. Fast Detection of Scanning Worm Infections. In 7th International Symposium on Recent Advances in Intrusion Detection (RAID)","author":"Schechter Stuart","year":"2004","unstructured":"Stuart Schechter , Jaeyeon Jung , and Arthur W . Berger. Fast Detection of Scanning Worm Infections. In 7th International Symposium on Recent Advances in Intrusion Detection (RAID) , French Riviera, France , September 2004 . Stuart Schechter, Jaeyeon Jung, and Arthur W. Berger. Fast Detection of Scanning Worm Infections. In 7th International Symposium on Recent Advances in Intrusion Detection (RAID), French Riviera, France, September 2004."},{"key":"e_1_3_2_1_29_1","first-page":"45","volume-title":"OSDI","author":"Singh Sumeet","year":"2004","unstructured":"Sumeet Singh , Cristian Estan , George Varghese , and Stefan Savage . Automated Worm Fingerprinting . In OSDI , pages 45 -- 60 , 2004 . Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage. Automated Worm Fingerprinting. In OSDI, pages 45--60, 2004."},{"key":"e_1_3_2_1_30_1","volume-title":"April","author":"Smirnov Vadim","year":"2002","unstructured":"Vadim Smirnov . Re: Hooking system call from driver. NTDEV -- Windows System Software Developers List , April 2002 . Vadim Smirnov. Re: Hooking system call from driver. NTDEV -- Windows System Software Developers List, April 2002."},{"key":"e_1_3_2_1_31_1","volume-title":"Somayaji and Stephanie Forrest. Automated Response Using System-Call Delays. In Proceedings of 9th Usenix Security Symposium","author":"Anil","year":"2000","unstructured":"Anil Somayaji and Stephanie Forrest. Automated Response Using System-Call Delays. In Proceedings of 9th Usenix Security Symposium , August 2000 . Anil Somayaji and Stephanie Forrest. Automated Response Using System-Call Delays. In Proceedings of 9th Usenix Security Symposium, August 2000."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/1029618.1029624"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.5555\/647253.720288"},{"key":"e_1_3_2_1_35_1","unstructured":"Symantec Corporation. http:\/\/www.symantec.com\/.  Symantec Corporation. http:\/\/www.symantec.com\/."},{"key":"e_1_3_2_1_36_1","first-page":"123","volume-title":"Sz\u00f6r and Peter Ferrie. Hunting for Metamorphic. In Proceedings of Virus Bulletin Conference","author":"P\u00e9ter","year":"2001","unstructured":"P\u00e9ter Sz\u00f6r and Peter Ferrie. Hunting for Metamorphic. In Proceedings of Virus Bulletin Conference , pages 123 -- 1144 , September 2001 . P\u00e9ter Sz\u00f6r and Peter Ferrie. Hunting for Metamorphic. In Proceedings of Virus Bulletin Conference, pages 123 -- 144, September 2001."},{"key":"e_1_3_2_1_37_1","unstructured":"Bill Tucker. SoBig.F breaks virus speed records. http:\/\/www.cnn.com\/2003\/TECH\/internet\/08\/21\/sobig.virus\/.  Bill Tucker. SoBig.F breaks virus speed records. http:\/\/www.cnn.com\/2003\/TECH\/internet\/08\/21\/sobig.virus\/."},{"key":"e_1_3_2_1_38_1","first-page":"285","volume-title":"USENIX Security Symposium","author":"Twycross Jamie","year":"2003","unstructured":"Jamie Twycross and Matthew M. Williamson . Implementing and Testing a Virus Throttle . In USENIX Security Symposium , pages 285 -- 294 , 2003 . Jamie Twycross and Matthew M. Williamson. Implementing and Testing a Virus Throttle. In USENIX Security Symposium, pages 285--294, 2003."},{"key":"e_1_3_2_1_39_1","first-page":"29","volume-title":"Vern Paxson. Very Fast Containment of Scanning Worms. In USENIX Security Symposium","author":"Weaver Nicholas","year":"2004","unstructured":"Nicholas Weaver , Stuart Staniford , and Vern Paxson. Very Fast Containment of Scanning Worms. In USENIX Security Symposium , pages 29 -- 44 , 2004 . Nicholas Weaver, Stuart Staniford, and Vern Paxson. Very Fast Containment of Scanning Worms. In USENIX Security Symposium, pages 29--44, 2004."}],"event":{"name":"CCS05: 12th ACM Conference on Computer and Communications Security 2005","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control","ACM Association for Computing Machinery"],"location":"Fairfax VA USA","acronym":"CCS05"},"container-title":["Proceedings of the 2005 ACM workshop on Rapid malcode"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1103626.1103641","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1103626.1103641","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T16:07:52Z","timestamp":1750262872000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1103626.1103641"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2005,11,11]]},"references-count":36,"alternative-id":["10.1145\/1103626.1103641","10.1145\/1103626"],"URL":"https:\/\/doi.org\/10.1145\/1103626.1103641","relation":{},"subject":[],"published":{"date-parts":[[2005,11,11]]},"assertion":[{"value":"2005-11-11","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}