{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T23:14:22Z","timestamp":1763507662652,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":39,"publisher":"ACM","license":[{"start":{"date-parts":[[2011,12,5]],"date-time":"2011-12-05T00:00:00Z","timestamp":1323043200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2011,12,5]]},"DOI":"10.1145\/2076732.2076734","type":"proceedings-article","created":{"date-parts":[[2011,12,13]],"date-time":"2011-12-13T15:46:00Z","timestamp":1323791160000},"page":"1-10","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["Understanding the prevalence and use of alternative plans in malware with network games"],"prefix":"10.1145","author":[{"given":"Yacin","family":"Nadji","sequence":"first","affiliation":[{"name":"College of Computing, Georgia Institute of Technology, Atlanta, GA"}]},{"given":"Manos","family":"Antonakakis","sequence":"additional","affiliation":[{"name":"Damballa Inc., Atlanta, GA"}]},{"given":"Roberto","family":"Perdisci","sequence":"additional","affiliation":[{"name":"University of Georgia, Atlanta, GA"}]},{"given":"Wenke","family":"Lee","sequence":"additional","affiliation":[{"name":"College of Computing, Georgia Institute of Technology, Atlanta, GA"}]}],"member":"320","published-online":{"date-parts":[[2011,12,5]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Alexa. Top sites. http:\/\/www.alexa.com\/topsites (Retrieved) March 2011.  Alexa. Top sites. http:\/\/www.alexa.com\/topsites (Retrieved) March 2011."},{"key":"e_1_3_2_1_2_1","volume-title":"Proceedings of the 19th USENIX Security Symposium","author":"Antonakakis M.","year":"2010","unstructured":"M. Antonakakis , R. Perdisci , D. Dagon , and W. Lee . Building a dynamic reputation system for DNS . In Proceedings of the 19th USENIX Security Symposium , 2010 . M. Antonakakis, R. Perdisci, D. Dagon, and W. Lee. Building a dynamic reputation system for DNS. In Proceedings of the 19th USENIX Security Symposium, 2010."},{"key":"e_1_3_2_1_3_1","volume-title":"Proceedings of the Symposium on Network and Distributed System Security","author":"Balzarotti D.","year":"2010","unstructured":"D. Balzarotti , M. Cova , C. Karlberger , C. Kruegel , and E. Kirda . Efficient detection of split personalities in malware . In Proceedings of the Symposium on Network and Distributed System Security , 2010 . D. Balzarotti, M. Cova, C. Karlberger, C. Kruegel, and E. Kirda. Efficient detection of split personalities in malware. In Proceedings of the Symposium on Network and Distributed System Security, 2010."},{"key":"e_1_3_2_1_4_1","volume-title":"Proceedings of the Symposium on Network and Distributed System Security","author":"Bilge L.","year":"2011","unstructured":"L. Bilge , E. Kirda , C. Kruegel , and M. Balduzzi . EXPOSURE: Finding malicious domains using passive DNS analysis . In Proceedings of the Symposium on Network and Distributed System Security , Jan 2011 . L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. EXPOSURE: Finding malicious domains using passive DNS analysis. In Proceedings of the Symposium on Network and Distributed System Security, Jan 2011."},{"key":"e_1_3_2_1_5_1","volume-title":"http:\/\/www.secdev.org\/projects\/scapy\/, (Retrieved)","author":"Biondi P.","year":"2011","unstructured":"P. Biondi . Scapy. http:\/\/www.secdev.org\/projects\/scapy\/, (Retrieved) March 2011 . P. Biondi. Scapy. http:\/\/www.secdev.org\/projects\/scapy\/, (Retrieved) March 2011."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-68768-1_4"},{"key":"e_1_3_2_1_7_1","volume-title":"Information Security and Cryptology","author":"Bursztein E.","year":"2011","unstructured":"E. Bursztein and J. C. Mitchell . Using strategy objectives for network security analysis . Information Security and Cryptology , Jan 2011 . E. Bursztein and J. C. Mitchell. Using strategy objectives for network security analysis. Information Security and Cryptology, Jan 2011."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCCN.2009.5235344"},{"key":"e_1_3_2_1_9_1","volume-title":"Proceedings of the International Conference on Dependable Systems and Networks DSN","author":"Chen X.","year":"2008","unstructured":"X. Chen , J. Andersen , Z. M. Mao , M. Bailey , and J. Nazario . Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware . In Proceedings of the International Conference on Dependable Systems and Networks DSN , 2008 . X. Chen, J. Andersen, Z. M. Mao, M. Bailey, and J. Nazario. Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In Proceedings of the International Conference on Dependable Systems and Networks DSN, 2008."},{"key":"e_1_3_2_1_10_1","volume-title":"Proceedings of the USENIX Security Symposium","author":"Cheswick B.","year":"1990","unstructured":"B. Cheswick . An evening with berferd in which a cracker is lured, endured, and studied . In Proceedings of the USENIX Security Symposium , Jan 1990 . B. Cheswick. An evening with berferd in which a cracker is lured, endured, and studied. In Proceedings of the USENIX Security Symposium, Jan 1990."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/IAW.2004.1437794"},{"key":"e_1_3_2_1_12_1","unstructured":"A. D. Correa. Malware patrol. http:\/\/malwarepatrol.com\/ 2010.  A. D. Correa. Malware patrol. http:\/\/malwarepatrol.com\/ 2010."},{"key":"e_1_3_2_1_13_1","volume-title":"http:\/\/www.cymru.com\/Documents\/bogon-bn-nonagg.txt","author":"Cymru T.","year":"2010","unstructured":"T. Cymru . Bogons. http:\/\/www.cymru.com\/Documents\/bogon-bn-nonagg.txt , 2010 . T. Cymru. Bogons. http:\/\/www.cymru.com\/Documents\/bogon-bn-nonagg.txt, 2010."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455779"},{"key":"e_1_3_2_1_15_1","unstructured":"DNS-BH. Malware prevention through DNS redirection (black hole DNS sinkhole). http:\/\/www.malwaredomains.com 2010.  DNS-BH. Malware prevention through DNS redirection (black hole DNS sinkhole). http:\/\/www.malwaredomains.com 2010."},{"key":"e_1_3_2_1_16_1","unstructured":"dnsbl.abuse.ch. dnsbl.abuse.ch. http:\/\/dnsbl.abuse.ch 2010.  dnsbl.abuse.ch. dnsbl.abuse.ch. http:\/\/dnsbl.abuse.ch 2010."},{"key":"e_1_3_2_1_17_1","unstructured":"dnswl. DNS whitelist - protect against false positives. http:\/\/www.dnswl.org (Retrieved) March 2011.  dnswl. DNS whitelist - protect against false positives. http:\/\/www.dnswl.org (Retrieved) March 2011."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.5555\/1558977.1558997"},{"key":"e_1_3_2_1_19_1","unstructured":"M. D. List. Malware domain list. http:\/\/www.malwaredomainlist.com 2010.  M. D. List. Malware domain list. http:\/\/www.malwaredomainlist.com 2010."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866356"},{"key":"e_1_3_2_1_21_1","unstructured":"malc0de. Malc0de DNS blacklist. http:\/\/malc0de.com 2010.  malc0de. Malc0de DNS blacklist. http:\/\/malc0de.com 2010."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.17"},{"key":"e_1_3_2_1_23_1","unstructured":"netfilter team. The netfilter.org \"iptables\" project. http:\/\/www.netfilter.org\/projects\/iptables\/index.html (Retrieved) March 2011.  netfilter team. The netfilter.org \"iptables\" project. http:\/\/www.netfilter.org\/projects\/iptables\/index.html (Retrieved) March 2011."},{"key":"e_1_3_2_1_24_1","volume-title":"Proceedings of the USENIX Symposium on Networked Systems Design and Implementation","author":"Perdisci R.","year":"2010","unstructured":"R. Perdisci , W. Lee , and N. Feamster . Behavioral clustering of HTTP-based malware and signature generation using malicious network traces . In Proceedings of the USENIX Symposium on Networked Systems Design and Implementation , 2010 . R. Perdisci, W. Lee, and N. Feamster. Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In Proceedings of the USENIX Symposium on Networked Systems Design and Implementation, 2010."},{"key":"e_1_3_2_1_25_1","unstructured":"H. S. Phillip Porras and V. Yegneswaran. An analysis of conficker's logic and rendezvous points. http:\/\/mtc.sri.com\/Conficker\/ 2009.  H. S. Phillip Porras and V. Yegneswaran. An analysis of conficker's logic and rendezvous points. http:\/\/mtc.sri.com\/Conficker\/ 2009."},{"key":"e_1_3_2_1_26_1","volume-title":"http:\/\/labs.snort.org\/iplists\/","author":"Project S.","year":"2011","unstructured":"S. Project . Snort DNS\/IP\/URL lists. http:\/\/labs.snort.org\/iplists\/ , 2011 . S. Project. Snort DNS\/IP\/URL lists. http:\/\/labs.snort.org\/iplists\/, 2011."},{"key":"e_1_3_2_1_27_1","unstructured":"T. S. Project. Spamhaus drop list. http:\/\/www.spamhaus.org\/drop\/drop.lasso 2011.  T. S. Project. Spamhaus drop list. http:\/\/www.spamhaus.org\/drop\/drop.lasso 2011."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.5555\/2396231.2396233"},{"key":"e_1_3_2_1_29_1","unstructured":"C. Report. CIDR report bogons. http:\/\/www.cidr-report.org 2011.  C. Report. CIDR report bogons. http:\/\/www.cidr-report.org 2011."},{"key":"e_1_3_2_1_30_1","volume-title":"http:\/\/www.honeynet.org\/node\/132","author":"Riden J.","year":"2008","unstructured":"J. Riden . How fast-flux service networks work. http:\/\/www.honeynet.org\/node\/132 , 2008 . J. Riden. How fast-flux service networks work. http:\/\/www.honeynet.org\/node\/132, 2008."},{"key":"e_1_3_2_1_31_1","author":"Rowe N.","year":"2007","unstructured":"N. Rowe , E. Custy , and B. T. Duong . Defending cyberspace with fake honeypots. Journal of Computers , Jan 2007 . N. Rowe, E. Custy, and B. T. Duong. Defending cyberspace with fake honeypots. Journal of Computers, Jan 2007.","journal-title":"Journal of Computers"},{"key":"e_1_3_2_1_32_1","unstructured":"J. Rutkowska. Red pill... or how to detect VMM using (almost) one CPU instruction. http:\/\/invisiblethings.org\/papers\/redpill.html 2004.  J. Rutkowska. Red pill... or how to detect VMM using (almost) one CPU instruction. http:\/\/invisiblethings.org\/papers\/redpill.html 2004."},{"key":"e_1_3_2_1_33_1","unstructured":"M. Sharif A. Lanzi J. Giffin and W. Lee. Rotalume: A tool for automatic reverse engineering of malware emulators.  M. Sharif A. Lanzi J. Giffin and W. Lee. Rotalume: A tool for automatic reverse engineering of malware emulators."},{"key":"e_1_3_2_1_34_1","volume-title":"Proceedings of the Symposium on Network and Distributed System Security","author":"Sharif M.","year":"2008","unstructured":"M. Sharif , A. Lanzi , J. Giffin , and W. Lee . Impeding malware analysis using conditional code obfuscation . In Proceedings of the Symposium on Network and Distributed System Security , Jan 2008 . M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Impeding malware analysis using conditional code obfuscation. In Proceedings of the Symposium on Network and Distributed System Security, Jan 2008."},{"volume-title":"Spyeye tracker. https:\/\/spyeyetracker.abuse.ch","year":"2010","key":"e_1_3_2_1_35_1","unstructured":"spyeyetracker.abuse.ch. Spyeye tracker. https:\/\/spyeyetracker.abuse.ch , 2010 . spyeyetracker.abuse.ch. Spyeye tracker. https:\/\/spyeyetracker.abuse.ch, 2010."},{"key":"e_1_3_2_1_36_1","volume-title":"Introduction to Data Mining","author":"Tan P.-N.","year":"2006","unstructured":"P.-N. Tan , M. Steinbach , and V. Kumar . Introduction to Data Mining . Addison Wesley , 2006 . P.-N. Tan, M. Steinbach, and V. Kumar. Introduction to Data Mining. Addison Wesley, 2006."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-05118-0_51"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.5555\/1776434.1776451"},{"key":"e_1_3_2_1_39_1","unstructured":"J. Wolf. Technical details of srizbi's domain generation algorithm. http:\/\/blog.fireeye.com\/research\/2008\/11\/technical-details-of-srizbis-domain-generation-algorithm. html 2008.  J. Wolf. Technical details of srizbi's domain generation algorithm. http:\/\/blog.fireeye.com\/research\/2008\/11\/technical-details-of-srizbis-domain-generation-algorithm. html 2008."}],"event":{"name":"ACSAC '11: Annual Computer Security Applications Conference","sponsor":["ACSA Applied Computing Security Assoc"],"location":"Orlando Florida USA","acronym":"ACSAC '11"},"container-title":["Proceedings of the 27th Annual Computer Security Applications Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2076732.2076734","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2076732.2076734","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T09:54:45Z","timestamp":1750240485000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2076732.2076734"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2011,12,5]]},"references-count":39,"alternative-id":["10.1145\/2076732.2076734","10.1145\/2076732"],"URL":"https:\/\/doi.org\/10.1145\/2076732.2076734","relation":{},"subject":[],"published":{"date-parts":[[2011,12,5]]},"assertion":[{"value":"2011-12-05","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}