{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:53:05Z","timestamp":1750308785333,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":46,"publisher":"ACM","license":[{"start":{"date-parts":[[2006,11,3]],"date-time":"2006-11-03T00:00:00Z","timestamp":1162512000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2006,11,3]]},"DOI":"10.1145\/1179542.1179548","type":"proceedings-article","created":{"date-parts":[[2007,1,17]],"date-time":"2007-01-17T01:15:56Z","timestamp":1168996556000},"page":"25-32","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Exploiting temporal consistency to reduce false positives in host-based, collaborative detection of worms"],"prefix":"10.1145","author":[{"given":"David J.","family":"Malan","sequence":"first","affiliation":[{"name":"Harvard University, Cambridge, Massachusetts"}]},{"given":"Michael D.","family":"Smith","sequence":"additional","affiliation":[{"name":"Harvard University, Cambridge, Massachusetts"}]}],"member":"320","published-online":{"date-parts":[[2006,11,3]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Advanced Micro Devices Inc. AMD's Virtualization Solutions. enterprise.amd.com\/us-en\/Solutions\/Consolidation\/virtualization.aspx.  Advanced Micro Devices Inc. AMD's Virtualization Solutions. enterprise.amd.com\/us-en\/Solutions\/Consolidation\/virtualization.aspx."},{"key":"e_1_3_2_1_2_1","volume-title":"Aggregating Detectors for New Worm Identification. In USENIX 2004 Work-in-Progress Reports. USENIX","author":"Anderson E.","year":"2004","unstructured":"E. Anderson and J. Li . Aggregating Detectors for New Worm Identification. In USENIX 2004 Work-in-Progress Reports. USENIX , June 2004 . E. Anderson and J. Li. Aggregating Detectors for New Worm Identification. In USENIX 2004 Work-in-Progress Reports. USENIX, June 2004."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.5555\/1754701.1754705"},{"key":"e_1_3_2_1_4_1","unstructured":"Intel Corp. Intel Virtualization Technology. www.intel.com\/technology\/computing\/vptech\/.  Intel Corp. Intel Virtualization Technology. www.intel.com\/technology\/computing\/vptech\/."},{"key":"e_1_3_2_1_5_1","volume-title":"Undocumented Windows NT. M&T Books","author":"Dabak P.","year":"1999","unstructured":"P. Dabak , S. Phadke , and M. Borate . Undocumented Windows NT. M&T Books , 1999 . P. Dabak, S. Phadke, and M. Borate. Undocumented Windows NT. M&T Books, 1999."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1029618.1029625"},{"key":"e_1_3_2_1_7_1","volume-title":"Proc. of the 17th International Conference on Machine Learning","author":"Eskin E.","year":"2000","unstructured":"E. Eskin . Anomaly Detection over Noisy Data Using Learned Probability Distributions . In Proc. of the 17th International Conference on Machine Learning , 2000 . E. Eskin. Anomaly Detection over Noisy Data Using Learned Probability Distributions. In Proc. of the 17th International Conference on Machine Learning, 2000."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.5555\/1947337.1947356"},{"key":"e_1_3_2_1_9_1","unstructured":"Grisoft Inc. www.grisoft.com.  Grisoft Inc. www.grisoft.com."},{"key":"e_1_3_2_1_10_1","volume-title":"August","author":"Gulbrandsen J.","year":"2004","unstructured":"J. Gulbrandsen . How Do Windows NT System Calls REALLY Work? www.codeguru.com\/Cpp\/W-P\/system\/devicedriverdevelopment\/article.php\/c8035\/ , August 2004 . J. Gulbrandsen. How Do Windows NT System Calls REALLY Work? www.codeguru.com\/Cpp\/W-P\/system\/devicedriverdevelopment\/article.php\/c8035\/, August 2004."},{"key":"e_1_3_2_1_11_1","volume-title":"October","author":"Gulbrandsen J.","year":"2004","unstructured":"J. Gulbrandsen . System Call Optimization with the SYSENTER Instruction. www.codeguru.com\/Cpp\/W-P\/system\/devicedriverdevelopment\/article.php\/c8223\/ , October 2004 . J. Gulbrandsen. System Call Optimization with the SYSENTER Instruction. www.codeguru.com\/Cpp\/W-P\/system\/devicedriverdevelopment\/article.php\/c8223\/, October 2004."},{"key":"e_1_3_2_1_12_1","unstructured":"J. Harris. YAC: Yet Another Caller ID Program. sunflowerhead.com\/software\/yac\/.  J. Harris. YAC: Yet Another Caller ID Program. sunflowerhead.com\/software\/yac\/."},{"key":"e_1_3_2_1_13_1","unstructured":"B. Henderson. XML-RPC for C and C++. xmlrpc-c.sourceforge.net.  B. Henderson. XML-RPC for C and C++. xmlrpc-c.sourceforge.net."},{"key":"e_1_3_2_1_14_1","volume-title":"October","author":"Herath N. P.","year":"1998","unstructured":"N. P. Herath . Adding Services To The NT Kernel . microsoft.public.win32.programmer.kernel , October 1998 . N. P. Herath. Adding Services To The NT Kernel. microsoft.public.win32.programmer.kernel, October 1998."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.5555\/1298081.1298084"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-30143-1_5"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.2004.1301325"},{"key":"e_1_3_2_1_19_1","first-page":"271","volume-title":"Distributed Worm Signature Detection. In USENIX Security Symposium","author":"Kim H.","year":"2004","unstructured":"H. Kim and B. Karp . Autograph: Toward Automated , Distributed Worm Signature Detection. In USENIX Security Symposium , pages 271 -- 286 , 2004 . H. Kim and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. In USENIX Security Symposium, pages 271--286, 2004."},{"key":"e_1_3_2_1_20_1","first-page":"50","volume-title":"Learning Patterns from Unix Process Execution Traces for Intrusion Detection","author":"Lee W.","year":"1997","unstructured":"W. Lee , S. J. Stolfo , and P. K. Chan . Learning Patterns from Unix Process Execution Traces for Intrusion Detection , pages 50 -- 56 . AAAI Press , 1997 . W. Lee, S. J. Stolfo, and P. K. Chan. Learning Patterns from Unix Process Execution Traces for Intrusion Detection, pages 50--56. AAAI Press, 1997."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1103626.1103641"},{"key":"e_1_3_2_1_22_1","unstructured":"McAfee Inc. www.mcafee.com.  McAfee Inc. www.mcafee.com."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSECP.2003.1219056"},{"key":"e_1_3_2_1_24_1","unstructured":"G. Nebbett. Windows NT\/2000 Native API Reference. MTP 2000.   G. Nebbett. Windows NT\/2000 Native API Reference. MTP 2000."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2005.15"},{"key":"e_1_3_2_1_26_1","unstructured":"PC World Communications Inc. WorldBench 5. www.worldbench.com.  PC World Communications Inc. WorldBench 5. www.worldbench.com."},{"key":"e_1_3_2_1_27_1","volume-title":"Microsoft Systems Journal","author":"Pietrek M.","year":"1996","unstructured":"M. Pietrek . Poking Around Under the Hood : A Programmer's View of Windows NT 4.0 . Microsoft Systems Journal , August 1996 . www.microsoft.com\/msj\/archive\/s413.aspx. M. Pietrek. Poking Around Under the Hood: A Programmer's View of Windows NT 4.0. Microsoft Systems Journal, August 1996. www.microsoft.com\/msj\/archive\/s413.aspx."},{"key":"e_1_3_2_1_28_1","unstructured":"The Metasploit Project. Windows System Call Table (NT\/2000\/XP\/2003). www.metasploit.com\/users\/opcode\/syscalls.html.  The Metasploit Project. Windows System Call Table (NT\/2000\/XP\/2003). www.metasploit.com\/users\/opcode\/syscalls.html."},{"key":"e_1_3_2_1_29_1","first-page":"257","volume-title":"Improving Host Security with System Call Policies. In USENIX Security Symposium","author":"Provos N.","year":"2003","unstructured":"N. Provos . Improving Host Security with System Call Policies. In USENIX Security Symposium , pages 257 -- 272 , 2003 . N. Provos. Improving Host Security with System Call Policies. In USENIX Security Symposium, pages 257--272, 2003."},{"key":"e_1_3_2_1_30_1","unstructured":"T. J. Robbins. Windows NT System Service Table Hooking. www.wiretapped.net\/~fyre\/sst.html.  T. J. Robbins. Windows NT System Service Table Hooking. www.wiretapped.net\/~fyre\/sst.html."},{"key":"e_1_3_2_1_31_1","unstructured":"P. Roberts. Mydoom Sets Speed Records. www.pcworld.com\/news\/article\/0 aid 114461 00.asp.  P. Roberts. Mydoom Sets Speed Records. www.pcworld.com\/news\/article\/0 aid 114461 00.asp."},{"key":"e_1_3_2_1_32_1","volume-title":"Inside the Native API. www.sysinternals.com\/Information\/NativeApi.html","author":"Russinovich M.","year":"1998","unstructured":"M. Russinovich . Inside the Native API. www.sysinternals.com\/Information\/NativeApi.html , 1998 . M. Russinovich. Inside the Native API. www.sysinternals.com\/Information\/NativeApi.html, 1998."},{"key":"e_1_3_2_1_33_1","unstructured":"T. Sabin. Personal correspondence.  T. Sabin. Personal correspondence."},{"key":"e_1_3_2_1_34_1","unstructured":"T. Sabin. Strace for NT. www.bindview.com\/Services\/RAZOR\/Utilities\/Windows\/strace_readme.cfm.  T. Sabin. Strace for NT. www.bindview.com\/Services\/RAZOR\/Utilities\/Windows\/strace_readme.cfm."},{"key":"e_1_3_2_1_35_1","unstructured":"Sana Security Inc. www.sanasecurity.com.  Sana Security Inc. www.sanasecurity.com."},{"key":"e_1_3_2_1_36_1","volume-title":"French Riviera","author":"Schechter S.","year":"2004","unstructured":"S. Schechter , J. Jung , and A. W. Berger . Fast Detection of Scanning Worm Infections. In 7th Int'l Symposium on Recent Advances in Intrusion Detection , French Riviera , France , September 2004 . S. Schechter, J. Jung, and A. W. Berger. Fast Detection of Scanning Worm Infections. In 7th Int'l Symposium on Recent Advances in Intrusion Detection, French Riviera, France, September 2004."},{"key":"e_1_3_2_1_37_1","first-page":"45","volume-title":"OSDI","author":"Singh S.","year":"2004","unstructured":"S. Singh , C. Estan , G. Varghese , and S. Savage . Automated Worm Fingerprinting . In OSDI , pages 45 -- 60 , 2004 . S. Singh, C. Estan, G. Varghese, and S. Savage. Automated Worm Fingerprinting. In OSDI, pages 45--60, 2004."},{"key":"e_1_3_2_1_38_1","volume-title":"April","author":"Smirnov V.","year":"2002","unstructured":"V. Smirnov . Re: Hooking system call from driver. NTDEV -- Windows System Software Developers List , April 2002 . V. Smirnov. Re: Hooking system call from driver. NTDEV -- Windows System Software Developers List, April 2002."},{"key":"e_1_3_2_1_39_1","volume-title":"Proc. of the 9th USENIX Security Symposium","author":"Somayaji A.","year":"2000","unstructured":"A. Somayaji and S. Forrest . Automated Response Using System-Call Delays . In Proc. of the 9th USENIX Security Symposium , August 2000 . A. Somayaji and S. Forrest. Automated Response Using System-Call Delays. In Proc. of the 9th USENIX Security Symposium, August 2000."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/1029618.1029624"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.5555\/647253.720288"},{"key":"e_1_3_2_1_43_1","author":"Stolfo S. J.","year":"2005","unstructured":"S. J. Stolfo , F. Apap , E. Eskin , K. Heller , S. Hershkop , A. Honig , and K. Svore . A Comparative Evaluation of Two Algorithms for Windows Registry Anomaly Detection, volume~13 of Journal of Computer Security, pages 659--693. 2005 . S. J. Stolfo, F. Apap, E. Eskin, K. Heller, S. Hershkop, A. Honig, and K. Svore. A Comparative Evaluation of Two Algorithms for Windows Registry Anomaly Detection, volume~13 of Journal of Computer Security, pages 659--693. 2005.","journal-title":"A Comparative Evaluation of Two Algorithms for Windows Registry Anomaly Detection, volume~13 of Journal of Computer Security, pages 659--693."},{"key":"e_1_3_2_1_44_1","unstructured":"Symantec Corporation. www.symantec.com.  Symantec Corporation. www.symantec.com."},{"key":"e_1_3_2_1_45_1","unstructured":"B. Tucker. SoBig.F breaks virus speed records. www.cnn.com\/2003\/TECH\/internet\/08\/21\/sobig.virus\/.  B. Tucker. SoBig.F breaks virus speed records. www.cnn.com\/2003\/TECH\/internet\/08\/21\/sobig.virus\/."},{"key":"e_1_3_2_1_46_1","first-page":"285","volume-title":"USENIX Security Symposium","author":"Twycross J.","year":"2003","unstructured":"J. Twycross and M. M. Williamson . Implementing and Testing a Virus Throttle . In USENIX Security Symposium , pages 285 -- 294 , 2003 . J. Twycross and M. M. Williamson. Implementing and Testing a Virus Throttle. In USENIX Security Symposium, pages 285--294, 2003."},{"key":"e_1_3_2_1_47_1","unstructured":"UserLand Software Inc. XML-RPC Home Page. www.xmlrpc.com.  UserLand Software Inc. XML-RPC Home Page. www.xmlrpc.com."},{"key":"e_1_3_2_1_48_1","first-page":"29","volume-title":"Very Fast Containment of Scanning Worms. In USENIX Security Symposium","author":"Weaver N.","year":"2004","unstructured":"N. Weaver , S. Staniford , and V. Paxson . Very Fast Containment of Scanning Worms. In USENIX Security Symposium , pages 29 -- 44 , 2004 . N. Weaver, S. Staniford, and V. Paxson. Very Fast Containment of Scanning Worms. In USENIX Security Symposium, pages 29--44, 2004."}],"event":{"name":"CCS06: 13th ACM Conference on Computer and Communications Security 2006","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control","ACM Association for Computing Machinery"],"location":"Alexandria Virginia USA","acronym":"CCS06"},"container-title":["Proceedings of the 4th ACM workshop on Recurring malcode"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1179542.1179548","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1179542.1179548","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T20:22:46Z","timestamp":1750278166000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1179542.1179548"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2006,11,3]]},"references-count":46,"alternative-id":["10.1145\/1179542.1179548","10.1145\/1179542"],"URL":"https:\/\/doi.org\/10.1145\/1179542.1179548","relation":{},"subject":[],"published":{"date-parts":[[2006,11,3]]},"assertion":[{"value":"2006-11-03","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}