{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,21]],"date-time":"2026-02-21T18:52:47Z","timestamp":1771699967504,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":32,"publisher":"ACM","license":[{"start":{"date-parts":[[2009,4,1]],"date-time":"2009-04-01T00:00:00Z","timestamp":1238544000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2009,4]]},"DOI":"10.1145\/1519065.1519072","type":"proceedings-article","created":{"date-parts":[[2009,4,6]],"date-time":"2009-04-06T16:34:53Z","timestamp":1239035693000},"page":"47-60","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":61,"title":["Multi-aspect profiling of kernel rootkit behavior"],"prefix":"10.1145","author":[{"given":"Ryan","family":"Riley","sequence":"first","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}]},{"given":"Xuxian","family":"Jiang","sequence":"additional","affiliation":[{"name":"North Carolina State University, Raleigh, NC, USA"}]},{"given":"Dongyan","family":"Xu","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}]}],"member":"320","published-online":{"date-parts":[[2009,4]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/1102120.1102165"},{"key":"e_1_3_2_1_2_1","first-page":"41","volume-title":"Bellard. QEMU: A Fast and Portable Dynamic Translator. In Proceedings of the USENIX Annual Technical Conference, FREENIX Track","author":"Fabrice","year":"2005","unstructured":"Fabrice Bellard. QEMU: A Fast and Portable Dynamic Translator. In Proceedings of the USENIX Annual Technical Conference, FREENIX Track , pages 41 -- 46 , 2005 . Fabrice Bellard. QEMU: A Fast and Portable Dynamic Translator. In Proceedings of the USENIX Annual Technical Conference, FREENIX Track, pages 41--46, 2005."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1002\/spe.4380180902"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455776"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70542-0_8"},{"key":"e_1_3_2_1_6_1","first-page":"255","volume-title":"OSDI","author":"Cozzie Anthony","year":"2008","unstructured":"Anthony Cozzie , Frank Stratton , Hui Xue , and Samuel T. King . Digging for data structures . In OSDI , pages 255 -- 266 , 2008 . Anthony Cozzie, Frank Stratton, Hui Xue, and Samuel T. King. Digging for data structures. In OSDI, pages 255--266, 2008."},{"key":"e_1_3_2_1_7_1","unstructured":"Free Software Foundation. GDB: The GNU Project Debugger. http:\/\/www.gnu.org\/software\/gdb\/. Last accessed October 2008.  Free Software Foundation. GDB: The GNU Project Debugger. http:\/\/www.gnu.org\/software\/gdb\/. Last accessed October 2008."},{"key":"e_1_3_2_1_8_1","volume-title":"Proceedings of the 11th Workshop on Hot Topics in Operating Systems (HotOS-XI)","author":"Garfinkel Tal","year":"2007","unstructured":"Tal Garfinkel , Keith Adams , Andrew Warfield , and Jason Franklin . Compatibility is Not Transparency: VMM Detection Myths and Realities . In Proceedings of the 11th Workshop on Hot Topics in Operating Systems (HotOS-XI) , May 2007 . Tal Garfinkel, Keith Adams, Andrew Warfield, and Jason Franklin. Compatibility is Not Transparency: VMM Detection Myths and Realities. In Proceedings of the 11th Workshop on Hot Topics in Operating Systems (HotOS-XI), May 2007."},{"key":"e_1_3_2_1_9_1","volume-title":"Garfinkel and Mendel Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proc. Network and Distributed Systems Security Symposium (NDSS 2003)","author":"Tal","year":"2003","unstructured":"Tal Garfinkel and Mendel Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proc. Network and Distributed Systems Security Symposium (NDSS 2003) , February 2003 . Tal Garfinkel and Mendel Rosenblum. A Virtual Machine Introspection Based Architecture for Intrusion Detection. In Proc. Network and Distributed Systems Security Symposium (NDSS 2003), February 2003."},{"key":"e_1_3_2_1_10_1","unstructured":"Greg Hoglund. Kernel object hooking rootkits (KOH rootkits). http:\/\/www.rootkit.com\/newsread.php?newsid=501 2006. Last accessed November 2008.  Greg Hoglund. Kernel object hooking rootkits (KOH rootkits). http:\/\/www.rootkit.com\/newsread.php?newsid=501 2006. Last accessed November 2008."},{"key":"e_1_3_2_1_11_1","volume-title":"http:\/\/www.virtualbox.org\/. Last accessed","year":"2009","unstructured":"Innotek. Virtualbox. http:\/\/www.virtualbox.org\/. Last accessed January 2009 . Innotek. Virtualbox. http:\/\/www.virtualbox.org\/. Last accessed January 2009."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315262"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2004.19"},{"key":"e_1_3_2_1_14_1","volume-title":"Wenke Lee. K-Tracer: A System for Extracting Kernel Malware Behavior. In Network and Distributed System Security Symposium","author":"Lanzi Andrea","year":"2009","unstructured":"Andrea Lanzi , Monirul Sharif , and Wenke Lee. K-Tracer: A System for Extracting Kernel Malware Behavior. In Network and Distributed System Security Symposium , February 2009 . Andrea Lanzi, Monirul Sharif, and Wenke Lee. K-Tracer: A System for Extracting Kernel Malware Behavior. In Network and Distributed System Security Symposium, February 2009."},{"key":"e_1_3_2_1_15_1","unstructured":"libdisasm. x86 Disassembler Library. http:\/\/bastard.sourceforge.net\/libdisasm.html. Last accessed September 2008.  libdisasm. x86 Disassembler Library. http:\/\/bastard.sourceforge.net\/libdisasm.html. Last accessed September 2008."},{"key":"e_1_3_2_1_16_1","unstructured":"Microsoft. Driver Signing for Windows. http:\/\/technet.microsoft.com\/en-us\/library\/cc784714.aspx. Last accessed November 2008.  Microsoft. Driver Signing for Windows. http:\/\/technet.microsoft.com\/en-us\/library\/cc784714.aspx. Last accessed November 2008."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.17"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2007.10"},{"key":"e_1_3_2_1_19_1","first-page":"179","volume-title":"Proceedings of the 13th USENIX Security Symposium","author":"Petroni Nick L.","year":"2004","unstructured":"Nick L. Petroni , Timothy Fraser , Jesus Molina , and William A. Arbaugh . Copilot: A Coprocessor-based Kernel Runtime Integrity Monitor . In Proceedings of the 13th USENIX Security Symposium , pages 179 -- 194 , 2004 . Nick L. Petroni, Timothy Fraser, Jesus Molina, and William A. Arbaugh. Copilot: A Coprocessor-based Kernel Runtime Integrity Monitor. In Proceedings of the 13th USENIX Security Symposium, pages 179--194, 2004."},{"key":"e_1_3_2_1_20_1","volume-title":"Proceedings of the 15th USENIX Security Symposium","author":"Petroni Nick L.","year":"2006","unstructured":"Nick L. Petroni , Jr., Timothy Fraser , A Aron Walters , and William A. Arbaugh . An Architecture for Specification-based Detection of Semantic Integrity Violations in Kernel Dynamic Data . In Proceedings of the 15th USENIX Security Symposium , 2006 . Nick L. Petroni, Jr., Timothy Fraser, AAron Walters, and William A. Arbaugh. An Architecture for Specification-based Detection of Semantic Integrity Violations in Kernel Dynamic Data. In Proceedings of the 15th USENIX Security Symposium, 2006."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315260"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/1352592.1352622"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.5555\/1433006.1433008"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1294261.1294294"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315313"},{"key":"e_1_3_2_1_26_1","unstructured":"Peter Silberman and C.H.A.O.S. FUTo. Uninformed 2006. http:\/\/uninformed.org\/?v=3&a=7&t=sumry.  Peter Silberman and C.H.A.O.S. FUTo. Uninformed 2006. http:\/\/uninformed.org\/?v=3&a=7&t=sumry."},{"key":"e_1_3_2_1_27_1","unstructured":"VMware. Vmware workstation multiple operating systems including linux on windows. http:\/\/www.vmware.com\/products\/ws\/. Last accessed January 2009.  VMware. Vmware workstation multiple operating systems including linux on windows. http:\/\/www.vmware.com\/products\/ws\/. Last accessed January 2009."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2005.39"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-87403-4_2"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.5555\/1776434.1776451"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315261"},{"key":"e_1_3_2_1_32_1","volume-title":"Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08)","author":"Yin Heng","year":"2008","unstructured":"Heng Yin , Zhenkai Liang , and Dawn Song . HookFinder : Identifying and understanding malware hooking behaviors . In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08) , February 2008 . Heng Yin, Zhenkai Liang, and Dawn Song. HookFinder: Identifying and understanding malware hooking behaviors. In Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS'08), February 2008."}],"event":{"name":"EuroSys '09: Fourth EuroSys Conference 2009","location":"Nuremberg Germany","acronym":"EuroSys '09","sponsor":["SIGOPS ACM Special Interest Group on Operating Systems"]},"container-title":["Proceedings of the 4th ACM European conference on Computer systems"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1519065.1519072","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1519065.1519072","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T13:29:53Z","timestamp":1750253393000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1519065.1519072"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2009,4]]},"references-count":32,"alternative-id":["10.1145\/1519065.1519072","10.1145\/1519065"],"URL":"https:\/\/doi.org\/10.1145\/1519065.1519072","relation":{},"subject":[],"published":{"date-parts":[[2009,4]]},"assertion":[{"value":"2009-04-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}