{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,28]],"date-time":"2026-01-28T11:37:35Z","timestamp":1769600255461,"version":"3.49.0"},"reference-count":63,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2010,2,1]],"date-time":"2010-02-01T00:00:00Z","timestamp":1264982400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000144","name":"Division of Computer and Network Systems","doi-asserted-by":"publisher","award":["CNS-0716376CNS-0716444CNS-0546173"],"award-info":[{"award-number":["CNS-0716376CNS-0716444CNS-0546173"]}],"id":[{"id":"10.13039\/100000144","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2010,2]]},"abstract":"<jats:p>An alarming trend in recent malware incidents is that they are armed with stealthy techniques to detect, evade, and subvert malware detection facilities of the victim. On the defensive side, a fundamental limitation of traditional host-based antimalware systems is that they run inside the very hosts they are protecting (\u201cin-the-box\u201d), making them vulnerable to counter detection and subversion by malware. To address this limitation, recent solutions based on virtual machine (VM) technologies advocate placing the malware detection facilities outside of the protected VM (\u201cout-of-the-box\u201d). However, they gain tamper resistance at the cost of losing the internal semantic view of the host, which is enjoyed by \u201cin-the-box\u201d approaches. This poses a technical challenge known as the semantic gap.<\/jats:p>\n          <jats:p>\n            In this article, we present the design, implementation, and evaluation of\n            <jats:italic>VMwatcher<\/jats:italic>\n            \u2014an \u201cout-of-the-box\u201d approach that overcomes the semantic gap challenge. A new technique called guest view casting is developed to reconstruct internal semantic views (e.g., files, processes, and kernel modules) of a VM nonintrusively from the outside. More specifically, the new technique casts semantic definitions of guest OS data structures and functions on virtual machine monitor (VMM)-level VM states, so that the semantic view can be reconstructed. Furthermore, we extend guest view casting to reconstruct details of system call events (e.g., the process that makes the system call as well as the system call number, parameters, and return value) in the VM, enriching the semantic view. With the semantic gap effectively narrowed, we identify three unique malware detection and monitoring capabilities: (i) view comparison-based malware detection and its demonstration in rootkit detection; (ii) \u201cout-of-the-box\u201d deployment of off-the-shelf anti malware software with improved detection accuracy and tamper-resistance; and (iii) nonintrusive system call monitoring for malware and intrusion behavior observation. We have implemented a proof-of-concept VMwatcher prototype on a number of VMM platforms. Our evaluation experiments with real-world malware, including elusive kernel-level rootkits, demonstrate VMwatcher's practicality and effectiveness.\n          <\/jats:p>","DOI":"10.1145\/1698750.1698752","type":"journal-article","created":{"date-parts":[[2010,3,9]],"date-time":"2010-03-09T16:34:59Z","timestamp":1268152499000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":65,"title":["Stealthy malware detection and monitoring through VMM-based \u201cout-of-the-box\u201d semantic view reconstruction"],"prefix":"10.1145","volume":"13","author":[{"given":"Xuxian","family":"Jiang","sequence":"first","affiliation":[{"name":"North Carolina State University, Raleigh, NC"}]},{"given":"Xinyuan","family":"Wang","sequence":"additional","affiliation":[{"name":"George Mason University, Fairfax, VA"}]},{"given":"Dongyan","family":"Xu","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, IN"}]}],"member":"320","published-online":{"date-parts":[[2010,3,5]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Adore-ng Rootkit. 2004. Homepage. http:\/\/stealth.openwall.net\/rootkits\/.  Adore-ng Rootkit. 2004. Homepage. http:\/\/stealth.openwall.net\/rootkits\/."},{"key":"e_1_2_1_2_1","unstructured":"Agobot. 2004. Description. http:\/\/www.f-secure.com\/v-descs\/agobot.shtml.  Agobot. 2004. Description. http:\/\/www.f-secure.com\/v-descs\/agobot.shtml."},{"key":"e_1_2_1_3_1","volume-title":"Proceedings of the 14th USENIX Security Symposium. USENIX","author":"Anagnostakis K. G.","unstructured":"Anagnostakis , K. G. , Sidiroglou , S. , Akritidis , P. , Xinidis , K. , Markatos , E. , and Keromytis , A. D . 2005. Detecting targeted attacks using shadow honey-pots . In Proceedings of the 14th USENIX Security Symposium. USENIX , Berkeley, CA. Anagnostakis, K. G., Sidiroglou, S., Akritidis, P., Xinidis, K., Markatos, E., and Keromytis, A. D. 2005. Detecting targeted attacks using shadow honey-pots. In Proceedings of the 14th USENIX Security Symposium. USENIX, Berkeley, CA."},{"key":"e_1_2_1_4_1","unstructured":"Apache. 2007. The Apache HTTP Server Project. http:\/\/httpd.apache.org.  Apache. 2007. The Apache HTTP Server Project. http:\/\/httpd.apache.org."},{"key":"e_1_2_1_5_1","volume-title":"Proceedings of the 1997 IEEE Symposium on Security and Privacy. IEEE","author":"Arbaugh W. A.","unstructured":"Arbaugh , W. A. , Farbert , D. J. , and Smith , J. M . 1997. A secure and reliable bootstrap architecture . In Proceedings of the 1997 IEEE Symposium on Security and Privacy. IEEE , Los Alamitos, CA. Arbaugh, W. A., Farbert, D. J., and Smith, J. M. 1997. A secure and reliable bootstrap architecture. In Proceedings of the 1997 IEEE Symposium on Security and Privacy. IEEE, Los Alamitos, CA."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/945445.945462"},{"key":"e_1_2_1_7_1","volume-title":"Proceedings of USENIX Annual Technical Conference 2005 (FREENIX Track). USENIX","author":"Bellard F.","year":"2005","unstructured":"Bellard , F. 2005 . QEMU, a fast and portable dynamic translator . In Proceedings of USENIX Annual Technical Conference 2005 (FREENIX Track). USENIX , Berkeley, CA. Bellard, F. 2005. QEMU, a fast and portable dynamic translator. In Proceedings of USENIX Annual Technical Conference 2005 (FREENIX Track). USENIX, Berkeley, CA."},{"key":"e_1_2_1_8_1","unstructured":"Bellard F. 2006. QEMU accelerator user documentation. http:\/\/fabrice.bellard.free.fr\/qemu\/kqemudoc.html.  Bellard F. 2006. QEMU accelerator user documentation. http:\/\/fabrice.bellard.free.fr\/qemu\/kqemudoc.html."},{"key":"e_1_2_1_9_1","unstructured":"Blacklight. 2007. Homepage. http:\/\/www.f-secure.com\/blacklight\/.  Blacklight. 2007. Homepage. http:\/\/www.f-secure.com\/blacklight\/."},{"key":"e_1_2_1_10_1","volume-title":"Proceedings of the 19th Annual Computer Security Applications Conference. IEEE","author":"Bryant E.","unstructured":"Bryant , E. , Early , J. , Gopalakrishna , R. , Roth , G. , Spafford , E. H. , Watson , K. , Williams , P. , and Yost , S . 2003. Poly2 Paradigm: A secure network service architecture . In Proceedings of the 19th Annual Computer Security Applications Conference. IEEE , Los Alamitos, CA. Bryant, E., Early, J., Gopalakrishna, R., Roth, G., Spafford, E. H., Watson, K., Williams, P., and Yost, S. 2003. Poly2 Paradigm: A secure network service architecture. In Proceedings of the 19th Annual Computer Security Applications Conference. IEEE, Los Alamitos, CA."},{"key":"e_1_2_1_11_1","volume-title":"GREPEXEC: Grepping executive objects from pool memory","author":"Bugcheck","year":"2006","unstructured":"Bugcheck . 2006 . GREPEXEC: Grepping executive objects from pool memory . http:\/\/www. uninformed.org\/?v=4&a=2&t=sumry. Bugcheck. 2006. GREPEXEC: Grepping executive objects from pool memory. http:\/\/www. uninformed.org\/?v=4&a=2&t=sumry."},{"key":"e_1_2_1_12_1","unstructured":"Chen P. M. and Noble B. D. 2001. When virtual is better than real. HotOS VIII Schoss Elmau Germany.   Chen P. M. and Noble B. D. 2001. When virtual is better than real. HotOS VIII Schoss Elmau Germany."},{"key":"e_1_2_1_13_1","first-page":"7","article-title":"Local honey-pot identification","volume":"62","author":"Corey J.","year":"2004","unstructured":"Corey , J. 2004 . Local honey-pot identification . Phrack 62 , 7 . Corey, J. 2004. Local honey-pot identification. Phrack 62, 7.","journal-title":"Phrack"},{"key":"e_1_2_1_14_1","unstructured":"Dike J. 2002. User mode Linux. http:\/\/user-mode-linux.sourceforge.net.  Dike J. 2002. User mode Linux. http:\/\/user-mode-linux.sourceforge.net."},{"key":"e_1_2_1_15_1","volume-title":"Proceedings of the 5th Annual IEEE Information Assurance Workshop. IEEE","author":"Dornseif M.","unstructured":"Dornseif , M. , Holz , T. , and Klein , C . 2004. NoSEBrEaK - Attacking honey-nets . In Proceedings of the 5th Annual IEEE Information Assurance Workshop. IEEE , Los Alamitos, CA. Dornseif, M., Holz, T., and Klein, C. 2004. NoSEBrEaK - Attacking honey-nets. In Proceedings of the 5th Annual IEEE Information Assurance Workshop. IEEE, Los Alamitos, CA."},{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI). USENIX","author":"Dunlap G. W.","unstructured":"Dunlap , G. W. , King , S. T. , Cinar , S. , Basrai , M. A. , and Chen , P. M . 2002. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay . In Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI). USENIX , Berkeley, CA. Dunlap, G. W., King, S. T., Cinar, S., Basrai, M. A., and Chen, P. M. 2002. ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In Proceedings of the 5th Symposium on Operating Systems Design and Implementation (OSDI). USENIX, Berkeley, CA."},{"key":"e_1_2_1_17_1","unstructured":"Fu. 2005. Rootkit. http:\/\/www.rootkit.com\/board_project_fused.php?did=proj12.  Fu. 2005. Rootkit. http:\/\/www.rootkit.com\/board_project_fused.php?did=proj12."},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/945445.945464"},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the 2003 Network and Distributed System Security Symposium. IEEE","author":"Garfinkel T.","unstructured":"Garfinkel , T. and Rosenblum , M . 2003. A virtual machine introspection-based architecture for intrusion detection . In Proceedings of the 2003 Network and Distributed System Security Symposium. IEEE , Los Alamitos, CA. Garfinkel, T. and Rosenblum, M. 2003. A virtual machine introspection-based architecture for intrusion detection. In Proceedings of the 2003 Network and Distributed System Security Symposium. IEEE, Los Alamitos, CA."},{"key":"e_1_2_1_20_1","unstructured":"Honeynet. 2008. Homepage. http:\/\/www.honeynet.org.  Honeynet. 2008. Homepage. http:\/\/www.honeynet.org."},{"key":"e_1_2_1_21_1","unstructured":"hxdef. http:\/\/hxdef.czweb.org.  hxdef. http:\/\/hxdef.czweb.org."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315262"},{"key":"e_1_2_1_23_1","volume-title":"Proceedings of the 13th USENIX Security Symposium. USENIX","author":"Jiang X.","unstructured":"Jiang , X. and Xu , D . 2004. Collapsar: A VM-based architecture for network attack detention center . In Proceedings of the 13th USENIX Security Symposium. USENIX , Berkeley, CA. Jiang, X. and Xu, D. 2004. Collapsar: A VM-based architecture for network attack detention center. In Proceedings of the 13th USENIX Security Symposium. USENIX, Berkeley, CA."},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1007\/11663812_1"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1095810.1095820"},{"key":"e_1_2_1_26_1","volume-title":"Proceedings of the Systems Administration, Networking and Security Conference III. USENIX","author":"Kim G. H.","unstructured":"Kim , G. H. and Spafford , E. H . 1994. Experiences with tripwire: Using integrity checkers for intrusion detection . In Proceedings of the Systems Administration, Networking and Security Conference III. USENIX , Berkeley, CA. Kim, G. H. and Spafford, E. H. 1994. Experiences with tripwire: Using integrity checkers for intrusion detection. In Proceedings of the Systems Administration, Networking and Security Conference III. USENIX, Berkeley, CA."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/945445.945467"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.38"},{"key":"e_1_2_1_29_1","volume-title":"Proceedings of the 2005 Annual USENIX Technical Conference. USENIX","author":"King S. T.","unstructured":"King , S. T. , Dunlap , G. W. , and Chen , P. M . 2005. Debugging operating systems with time-traveling virtual machines . In Proceedings of the 2005 Annual USENIX Technical Conference. USENIX , Berkeley, CA. King, S. T., Dunlap, G. W., and Chen, P. M. 2005. Debugging operating systems with time-traveling virtual machines. In Proceedings of the 2005 Annual USENIX Technical Conference. USENIX, Berkeley, CA."},{"key":"e_1_2_1_30_1","unstructured":"Klein T. 2003. Scooby Doo-VMware Fingerprint Suite. http:\/\/www.trapkit.de\/research\/vmm\/scoopydoo\/.  Klein T. 2003. Scooby Doo-VMware Fingerprint Suite. http:\/\/www.trapkit.de\/research\/vmm\/scoopydoo\/."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1064979.1064992"},{"key":"e_1_2_1_32_1","volume-title":"Honey-pots: Counter measures to VMware fingerprinting","author":"Kortchinsky K.","year":"2004","unstructured":"Kortchinsky , K. 2004 . Honey-pots: Counter measures to VMware fingerprinting . http:\/\/seclists. org\/lists\/honeypots\/2004\/Jan-Mar\/0015.html. Kortchinsky, K. 2004. Honey-pots: Counter measures to VMware fingerprinting. http:\/\/seclists. org\/lists\/honeypots\/2004\/Jan-Mar\/0015.html."},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/1064979.1065006"},{"key":"e_1_2_1_34_1","unstructured":"Lion. 2001. Lion worm. http:\/\/www.sans.com\/y2k\/lion.htm.  Lion. 2001. Lion worm. http:\/\/www.sans.com\/y2k\/lion.htm."},{"key":"e_1_2_1_35_1","unstructured":"Liston T. and Skoudis E. 2006. On the cutting edge: Thwarting virtual machine detection. http:\/\/handlers.sans.org\/tliston\/ThwartingVMDetection Liston Skoudis.pdf.  Liston T. and Skoudis E. 2006. On the cutting edge: Thwarting virtual machine detection. http:\/\/handlers.sans.org\/tliston\/ThwartingVMDetection Liston Skoudis.pdf."},{"key":"e_1_2_1_36_1","unstructured":"Meushaw R. and Simard D. 2000. NetTop: Commercial technology in high assurance applications. Tech Trend Notes.  Meushaw R. and Simard D. 2000. NetTop: Commercial technology in high assurance applications. Tech Trend Notes."},{"key":"e_1_2_1_37_1","unstructured":"Microsoft. 2003. Volume shadow copy service. http:\/\/technet2.microsoft.com\/WindowsServer\/en\/library\/2b0d2457-b7d8-42c3-b6c9-59c145b7765f1033.mspx?mfr=true.  Microsoft. 2003. Volume shadow copy service. http:\/\/technet2.microsoft.com\/WindowsServer\/en\/library\/2b0d2457-b7d8-42c3-b6c9-59c145b7765f1033.mspx?mfr=true."},{"key":"e_1_2_1_38_1","unstructured":"Miller J. V. 2003. SHV4 root-kit analysis. https:\/\/tms.symantec.com\/members\/AnalystReports\/030929-Analysis-SHV4Rootkit.pdf.  Miller J. V. 2003. SHV4 root-kit analysis. https:\/\/tms.symantec.com\/members\/AnalystReports\/030929-Analysis-SHV4Rootkit.pdf."},{"key":"e_1_2_1_39_1","unstructured":"NTRootkit. http:\/\/www.megasecurity.org\/Tools\/Nt rootkit all.html.  NTRootkit. http:\/\/www.megasecurity.org\/Tools\/Nt rootkit all.html."},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1016\/S1389-1286(99)00112-7"},{"key":"e_1_2_1_41_1","volume-title":"Proceedings of the 12th USENIX Security Symposium. USENIX","author":"Pennington A. G.","year":"2003","unstructured":"Pennington , A. G. , Strunk , J. D. , Griffin , J. L. , Soules , C. A. N. , Goodson , G. R. , and Ganger ., G. R. 2003 . Storage-based intrusion detection: Watching storage activity for suspicious behavior . In Proceedings of the 12th USENIX Security Symposium. USENIX , Berkeley, CA. Pennington, A. G., Strunk, J. D., Griffin, J. L., Soules, C. A. N., Goodson, G. R., and Ganger., G. R. 2003. Storage-based intrusion detection: Watching storage activity for suspicious behavior. In Proceedings of the 12th USENIX Security Symposium. USENIX, Berkeley, CA."},{"key":"e_1_2_1_42_1","volume-title":"Proceedings of the 15th USENIX Security Symposium. USENIX","author":"Petroni N.","unstructured":"Petroni , N. , Fraser , T. , Walters , A. , and Arbaugh , W . 2006. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data . In Proceedings of the 15th USENIX Security Symposium. USENIX , Berkeley, CA. Petroni, N., Fraser, T., Walters, A., and Arbaugh, W. 2006. An architecture for specification-based detection of semantic integrity violations in kernel dynamic data. In Proceedings of the 15th USENIX Security Symposium. USENIX, Berkeley, CA."},{"key":"e_1_2_1_43_1","volume-title":"Proceedings of the 13th USENIX Security Symposium. USENIX","author":"Petroni N. L.","unstructured":"Petroni , N. L. , Fraser , T. , Molina , J. , and Arbaugh , W. A . 2004. Copilot - A coprocessor-based kernel runtime integrity monitor . In Proceedings of the 13th USENIX Security Symposium. USENIX , Berkeley, CA. Petroni, N. L., Fraser, T., Molina, J., and Arbaugh, W. A. 2004. Copilot - A coprocessor-based kernel runtime integrity monitor. In Proceedings of the 13th USENIX Security Symposium. USENIX, Berkeley, CA."},{"key":"e_1_2_1_44_1","volume-title":"Proceedings of the 12th USENIX Security Symposium. USENIX","author":"Provos N.","year":"2003","unstructured":"Provos , N. 2003 . Improving host security with system call policies . In Proceedings of the 12th USENIX Security Symposium. USENIX , Berkeley, CA. Provos, N. 2003. Improving host security with system call policies. In Proceedings of the 12th USENIX Security Symposium. USENIX, Berkeley, CA."},{"key":"e_1_2_1_45_1","unstructured":"Rbot. http:\/\/research.sunbelt-software.com\/threatdisplay.aspx?name=Rbot&threatid=14953.  Rbot. http:\/\/research.sunbelt-software.com\/threatdisplay.aspx?name=Rbot&threatid=14953."},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.5555\/1433006.1433008"},{"key":"e_1_2_1_47_1","unstructured":"RootKitRevealer. 2007. RootkitRevealer. http:\/\/www.microsoft.com\/technet\/sysinternals\/utilities\/RootkitRevealer.mspx.  RootKitRevealer. 2007. RootkitRevealer. http:\/\/www.microsoft.com\/technet\/sysinternals\/utilities\/RootkitRevealer.mspx."},{"key":"e_1_2_1_48_1","unstructured":"Rutkowska J. 2004. Red pill: Detect VMM using (almost) one CPU instruction. http:\/\/invisiblethings.org\/papers\/redpill.html.  Rutkowska J. 2004. Red pill: Detect VMM using (almost) one CPU instruction. http:\/\/invisiblethings.org\/papers\/redpill.html."},{"key":"e_1_2_1_49_1","unstructured":"Rutkowska J. 2006. Subverting vista kernel for fun and profit. http:\/\/www.blackhat.com\/presentations\/bh-usa-06\/BH-US-06-Rutkowska.pdf.  Rutkowska J. 2006. Subverting vista kernel for fun and profit. http:\/\/www.blackhat.com\/presentations\/bh-usa-06\/BH-US-06-Rutkowska.pdf."},{"key":"e_1_2_1_50_1","unstructured":"Sailer R. Valdez E. Jaeger T. Perez R. Van Doorn L. Griffin J. L. and Berger S. 2005. sHype: Secure hypervisor approach to trusted virtualized systems. IBM Research Report RC23511.  Sailer R. Valdez E. Jaeger T. Perez R. Van Doorn L. Griffin J. L. and Berger S. 2005. sHype: Secure hypervisor approach to trusted virtualized systems. IBM Research Report RC23511."},{"key":"e_1_2_1_51_1","unstructured":"Sebek. 2008. http:\/\/www.honeynet.org\/tools\/sebek\/.  Sebek. 2008. http:\/\/www.honeynet.org\/tools\/sebek\/."},{"key":"e_1_2_1_52_1","unstructured":"Secunia. 2003. Linux kernel Ptrace privilege escalation vulnerability. http:\/\/www.secunia.com\/advisories\/8337\/.  Secunia. 2003. Linux kernel Ptrace privilege escalation vulnerability. http:\/\/www.secunia.com\/advisories\/8337\/."},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/1294261.1294294"},{"key":"e_1_2_1_54_1","unstructured":"Snort. 2008. Homepage. http:\/\/www.snort.org.  Snort. 2008. Homepage. http:\/\/www.snort.org."},{"key":"e_1_2_1_55_1","unstructured":"SucKit Rootkit. 2001. Linux on-the-fly kernel patching without LKM. http:\/\/www.phrack.com\/issues.html?issue=58&id=7#article  SucKit Rootkit. 2001. Linux on-the-fly kernel patching without LKM. http:\/\/www.phrack.com\/issues.html?issue=58&id=7#article"},{"key":"e_1_2_1_56_1","unstructured":"Trango. 2008. The Real-Time Embedded Hypervisor. http:\/\/www.trango-systems.com\/.  Trango. 2008. The Real-Time Embedded Hypervisor. http:\/\/www.trango-systems.com\/."},{"key":"e_1_2_1_57_1","unstructured":"UnixBench. 2007. UnixBench. http:\/\/www.tux.org\/pub\/tux\/benchmarks\/System\/unixbench.  UnixBench. 2007. UnixBench. http:\/\/www.tux.org\/pub\/tux\/benchmarks\/System\/unixbench."},{"key":"e_1_2_1_58_1","unstructured":"VMware. 2008. Homepage. http:\/\/www.vmware.com\/.  VMware. 2008. Homepage. http:\/\/www.vmware.com\/."},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2005.39"},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/1216919.1216952"},{"key":"e_1_2_1_61_1","volume-title":"Proceedings of USENIX OSDI","author":"Whitaker A.","year":"2004","unstructured":"Whitaker , A. , Cox , R. S. , and Gribble , S. D . 2004. Configuration debugging as search: Finding the needle in the haystack . In Proceedings of USENIX OSDI 2004 . USENIX, Berkeley, CA. Whitaker, A., Cox, R. S., and Gribble, S. D. 2004. Configuration debugging as search: Finding the needle in the haystack. In Proceedings of USENIX OSDI 2004. USENIX, Berkeley, CA."},{"key":"e_1_2_1_62_1","unstructured":"Xen. 2004. Interface manual. http:\/\/www.xensource.com\/files\/xen interface.pdf 2004.  Xen. 2004. Interface manual. http:\/\/www.xensource.com\/files\/xen interface.pdf 2004."},{"key":"e_1_2_1_63_1","unstructured":"Zovi D. D. 2006. Hardware virtualization based rootkits. http:\/\/www.blackhat.com\/presentations\/bh-usa-06\/BH-US-06-Zovi.pdf.  Zovi D. D. 2006. Hardware virtualization based rootkits. http:\/\/www.blackhat.com\/presentations\/bh-usa-06\/BH-US-06-Zovi.pdf."}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1698750.1698752","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1698750.1698752","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T20:22:58Z","timestamp":1750278178000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1698750.1698752"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2010,2]]},"references-count":63,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2010,2]]}},"alternative-id":["10.1145\/1698750.1698752"],"URL":"https:\/\/doi.org\/10.1145\/1698750.1698752","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"value":"1094-9224","type":"print"},{"value":"1557-7406","type":"electronic"}],"subject":[],"published":{"date-parts":[[2010,2]]},"assertion":[{"value":"2008-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2008-11-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2010-03-05","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}