{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T07:10:39Z","timestamp":1763968239667,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":65,"publisher":"ACM","license":[{"start":{"date-parts":[[2017,4,2]],"date-time":"2017-04-02T00:00:00Z","timestamp":1491091200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100002347","name":"Bundesministerium f\u00fcr Bildung und Forschung","doi-asserted-by":"publisher","award":["16KIS0307,16KIS0534"],"award-info":[{"award-number":["16KIS0307,16KIS0534"]}],"id":[{"id":"10.13039\/501100002347","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2017,4,2]]},"DOI":"10.1145\/3052973.3053002","type":"proceedings-article","created":{"date-parts":[[2017,3,31]],"date-time":"2017-03-31T12:22:54Z","timestamp":1490962974000},"page":"587-598","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":30,"title":["Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks"],"prefix":"10.1145","author":[{"given":"Christian","family":"Wressnegger","sequence":"first","affiliation":[{"name":"Technische Universit\u00e4t Braunschweig, Braunschweig, Germany"}]},{"given":"Kevin","family":"Freeman","sequence":"additional","affiliation":[{"name":"University of G\u00f6ttingen, G\u00f6ttingen, Germany"}]},{"given":"Fabian","family":"Yamaguchi","sequence":"additional","affiliation":[{"name":"Technische Universit\u00e4t Braunschweig, Braunschweig, Germany"}]},{"given":"Konrad","family":"Rieck","sequence":"additional","affiliation":[{"name":"Technische Universit\u00e4t Braunschweig, Braunschweig, Germany"}]}],"member":"320","published-online":{"date-parts":[[2017,4,2]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/360825.360855"},{"key":"e_1_3_2_1_2_1","volume-title":"The death of AV defense in depth? Revisiting anti-virus software. Presentation at CanSecWest","author":"Alvarez S.","year":"2008","unstructured":"S. Alvarez and T. Zoller . The death of AV defense in depth? Revisiting anti-virus software. Presentation at CanSecWest , 2008 . S. Alvarez and T. Zoller. The death of AV defense in depth? Revisiting anti-virus software. Presentation at CanSecWest, 2008."},{"key":"e_1_3_2_1_3_1","volume-title":"Computer Viruses and Malware","author":"Aycock J.","year":"2006","unstructured":"J. Aycock . Computer Viruses and Malware . Springer , 2006 . J. Aycock. Computer Viruses and Malware. Springer, 2006."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.5555\/1776434.1776449"},{"key":"e_1_3_2_1_5_1","unstructured":"M. K. Base. Importing and exporting your mail. http:\/\/kb.mozillazine.org\/Importing_and_exporting_your_mail#Mbox_files visited Feb. 2017.  M. K. Base. Importing and exporting your mail. http:\/\/kb.mozillazine.org\/Importing_and_exporting_your_mail#Mbox_files visited Feb. 2017."},{"key":"e_1_3_2_1_6_1","volume-title":"Proc. of USENIX Workshop on Offensive Technologies (WOOT)","author":"Blackthorne J.","year":"2016","unstructured":"J. Blackthorne , A. Bulazel , A. Fasano , P. Biernat , and B. Yener . AVLeak: Fingerprinting antivirus emulators through black-box testing . In Proc. of USENIX Workshop on Offensive Technologies (WOOT) , 2016 . J. Blackthorne, A. Bulazel, A. Fasano, P. Biernat, and B. Yener. AVLeak: Fingerprinting antivirus emulators through black-box testing. In Proc. of USENIX Workshop on Offensive Technologies (WOOT), 2016."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2020408.2020495"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.41"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/1007512.1007518"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2005.20"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/1287624.1287628"},{"key":"e_1_3_2_1_12_1","volume-title":"Software transformations to improve malware detection. Journal in Computer Virology (JICV), 3 (4): 253--265","author":"Christodorescu M.","year":"2007","unstructured":"M. Christodorescu , J. Kinder , S. Jha , S. Katzenbeisser , and H. Veith . Software transformations to improve malware detection. Journal in Computer Virology (JICV), 3 (4): 253--265 , 2007 . M. Christodorescu, J. Kinder, S. Jha, S. Katzenbeisser, and H. Veith. Software transformations to improve malware detection. Journal in Computer Virology (JICV), 3 (4): 253--265, 2007."},{"key":"e_1_3_2_1_13_1","volume-title":"Proc. of USENIX Security Symposium","author":"Curtsinger C.","year":"2011","unstructured":"C. Curtsinger , B. Livshits , B. Zorn , and C. Seifert . Zozzle: Fast and precise in-browser JavaScript malware detection . In Proc. of USENIX Security Symposium , 2011 . C. Curtsinger, B. Livshits, B. Zorn, and C. Seifert. Zozzle: Fast and precise in-browser JavaScript malware detection. In Proc. of USENIX Security Symposium, 2011."},{"key":"e_1_3_2_1_14_1","volume-title":"Anti-unpacker tricks 1. Virus Bulletin","author":"Ferrie P.","year":"2008","unstructured":"P. Ferrie . Anti-unpacker tricks 1. Virus Bulletin , 2008 . P. Ferrie. Anti-unpacker tricks 1. Virus Bulletin, 2008."},{"key":"e_1_3_2_1_15_1","volume-title":"Malware pattern scanning schemes secure against black-box analysis. 2 (1): 35--50","author":"Filiol E.","year":"2016","unstructured":"E. Filiol . Malware pattern scanning schemes secure against black-box analysis. 2 (1): 35--50 , 2016 . E. Filiol. Malware pattern scanning schemes secure against black-box analysis. 2 (1): 35--50, 2016."},{"key":"e_1_3_2_1_16_1","volume-title":"Popular security software came under relentless NSA and GCHQ attacks. https:\/\/theintercept.com\/2015\/06\/22\/nsa-gchq-targeted-kaspersky","author":"Fishman A.","year":"2015","unstructured":"A. Fishman and M. Marquis-Boire . Popular security software came under relentless NSA and GCHQ attacks. https:\/\/theintercept.com\/2015\/06\/22\/nsa-gchq-targeted-kaspersky , 2015 , visited Feb. 2017. A. Fishman and M. Marquis-Boire. Popular security software came under relentless NSA and GCHQ attacks. https:\/\/theintercept.com\/2015\/06\/22\/nsa-gchq-targeted-kaspersky, 2015, visited Feb. 2017."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180414"},{"key":"e_1_3_2_1_18_1","volume-title":"Proc. of USENIX Security Symposium","author":"Fogla P.","year":"2006","unstructured":"P. Fogla , M. Sharif , R. Perdisci , O. Kolesnikov , and W. Lee . Polymorphic blending attacks . In Proc. of USENIX Security Symposium , 2006 . P. Fogla, M. Sharif, R. Perdisci, O. Kolesnikov, and W. Lee. Polymorphic blending attacks. In Proc. of USENIX Security Symposium, 2006."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-04342-0_6"},{"key":"e_1_3_2_1_20_1","volume-title":"Proc. of USENIX Security Symposium","author":"Gu G.","year":"2008","unstructured":"G. Gu , R. Perdisci , J. Zhang , and W. Lee . BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection . In Proc. of USENIX Security Symposium , 2008 . G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection. In Proc. of USENIX Security Symposium, 2008."},{"key":"e_1_3_2_1_21_1","volume-title":"Proc. of Network and Distributed System Security Symposium (NDSS)","author":"Gu G.","year":"2008","unstructured":"G. Gu , J. Zhang , and W. Lee . BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic . In Proc. of Network and Distributed System Security Symposium (NDSS) , 2008 . G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. In Proc. of Network and Distributed System Security Symposium (NDSS), 2008."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.5555\/262228"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046684.2046692"},{"key":"e_1_3_2_1_24_1","volume-title":"Intel\u00ae architecture instruction set extensions programming reference. Technical report","author":"Intel Corporation","year":"2013","unstructured":"Intel Corporation . Intel\u00ae architecture instruction set extensions programming reference. Technical report , Intel Corporation , 2013 . Intel Corporation. Intel\u00ae architecture instruction set extensions programming reference. Technical report, Intel Corporation, 2013."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.15"},{"key":"e_1_3_2_1_26_1","unstructured":"C. Jaquier and A. Busleiman. Fail2ban. http:\/\/www.fail2ban.org visited Feb. 2017.  C. Jaquier and A. Busleiman. Fail2ban. http:\/\/www.fail2ban.org visited Feb. 2017."},{"key":"e_1_3_2_1_27_1","volume-title":"Proc. of USENIX Security Symposium","author":"Kirda E.","year":"2006","unstructured":"E. Kirda , C. Kruegel , G. Banks , G. Vigna , and R. A. Kemmerer . Behavior-based spyware detection . In Proc. of USENIX Security Symposium , 2006 . E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. A. Kemmerer. Behavior-based spyware detection. In Proc. of USENIX Security Symposium, 2006."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.5555\/1855768.1855790"},{"key":"e_1_3_2_1_29_1","volume-title":"Breaking antivirus software. Presentation at SYSCAN","author":"Koret J.","year":"2014","unstructured":"J. Koret . Breaking antivirus software. Presentation at SYSCAN , 2014 . J. Koret. Breaking antivirus software. Presentation at SYSCAN, 2014."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2007.40"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866353"},{"issue":"4","key":"e_1_3_2_1_32_1","first-page":"845","article-title":"Binary codes capable of correcting deletions, insertions, and reversals","volume":"163","author":"Levenshtein V. I.","year":"1966","unstructured":"V. I. Levenshtein . Binary codes capable of correcting deletions, insertions, and reversals . Doklady Akademii Nauk SSSR , 163 ( 4 ): 845 -- 848 , 1966 . V. I. Levenshtein. Binary codes capable of correcting deletions, insertions, and reversals. Doklady Akademii Nauk SSSR, 163 (4): 845--848, 1966.","journal-title":"Doklady Akademii Nauk SSSR"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.18"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948149"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/2695664.2695683"},{"key":"e_1_3_2_1_36_1","volume-title":"Proc. of USENIX Workshop on Offensive Technologies (WOOT)","author":"Mohan V.","year":"2012","unstructured":"V. Mohan and K. W. Hamlen . Frankenstein: Stitching malware from benign binaries . In Proc. of USENIX Workshop on Offensive Technologies (WOOT) , 2012 . V. Mohan and K. W. Hamlen. Frankenstein: Stitching malware from benign binaries. In Proc. of USENIX Workshop on Offensive Technologies (WOOT), 2012."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2007.21"},{"key":"e_1_3_2_1_38_1","volume-title":"Proc. of the AusCERT Asia Pacific Information Technology Security Conference","author":"Mutz D.","year":"2005","unstructured":"D. Mutz , C. Kruegel , W. Robertson , G. Vigna , and R. A. Kemmerer . Reverse engineering of network signatures . In Proc. of the AusCERT Asia Pacific Information Technology Security Conference , 2005 . D. Mutz, C. Kruegel, W. Robertson, G. Vigna, and R. A. Kemmerer. Reverse engineering of network signatures. In Proc. of the AusCERT Asia Pacific Information Technology Security Conference, 2005."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1016\/0022-2836(70)90057-4"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2005.15"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1007\/11856214_5"},{"key":"e_1_3_2_1_42_1","volume-title":"Proc. of Black Hat USA","author":"Ormandy T.","year":"2011","unstructured":"T. Ormandy . Sophail : A critical analysis of sophos antivirus . In Proc. of Black Hat USA , 2011 . T. Ormandy. Sophail: A critical analysis of sophos antivirus. In Proc. of Black Hat USA, 2011."},{"key":"e_1_3_2_1_43_1","unstructured":"T. Ormandy. Analysis and exploitation of an eset vulnerability. http:\/\/googleprojectzero.blogspot.de\/2015\/06\/analysis-and-exploitation-of-eset.html 2015 visited Feb. 2017.  T. Ormandy. Analysis and exploitation of an eset vulnerability. http:\/\/googleprojectzero.blogspot.de\/2015\/06\/analysis-and-exploitation-of-eset.html 2015 visited Feb. 2017."},{"key":"e_1_3_2_1_44_1","unstructured":"T. Ormandy. Kaspersky: Mo unpackers mo problems. http:\/\/googleprojectzero.blogspot.de\/2015\/09\/kaspersky-mo-unpackers-mo-problems.html 2015 visited Feb. 2017.  T. Ormandy. Kaspersky: Mo unpackers mo problems. http:\/\/googleprojectzero.blogspot.de\/2015\/09\/kaspersky-mo-unpackers-mo-problems.html 2015 visited Feb. 2017."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"crossref","unstructured":"T. Ormandy. Fireeye exploitation: Project zero's vulnerability of the beast. http:\/\/googleprojectzero.blogspot.de\/2015\/12\/fireeye-exploitation-project-zeros.html 2015 visited Feb. 2017.  T. Ormandy. Fireeye exploitation: Project zero's vulnerability of the beast. http:\/\/googleprojectzero.blogspot.de\/2015\/12\/fireeye-exploitation-project-zeros.html 2015 visited Feb. 2017.","DOI":"10.1016\/S0969-4765(15)30081-3"},{"key":"e_1_3_2_1_46_1","volume-title":"Web TuneUP\" extension multiple critical vulnerabilities. s:\/\/bugs.chromium.org\/p\/project-zero\/issues\/detail?id=675","author":"Ormandy T.","year":"2015","unstructured":"T. Ormandy . AVG : \" Web TuneUP\" extension multiple critical vulnerabilities. s:\/\/bugs.chromium.org\/p\/project-zero\/issues\/detail?id=675 , 2015 , visited Feb. 2017. T. Ormandy. AVG: \"Web TuneUP\" extension multiple critical vulnerabilities. s:\/\/bugs.chromium.org\/p\/project-zero\/issues\/detail?id=675, 2015, visited Feb. 2017."},{"key":"e_1_3_2_1_47_1","volume-title":"https:\/\/bugs.chromium.org\/p\/project-zero\/issues\/detail?id=820","author":"Ormandy T.","year":"2016","unstructured":"T. Ormandy . Symantec\/norton antivirus aspack remote heap\/pool memory corruption vulnerability cve-2016--2208. https:\/\/bugs.chromium.org\/p\/project-zero\/issues\/detail?id=820 , 2016 , visited Feb. 2017. T. Ormandy. Symantec\/norton antivirus aspack remote heap\/pool memory corruption vulnerability cve-2016--2208. https:\/\/bugs.chromium.org\/p\/project-zero\/issues\/detail?id=820, 2016, visited Feb. 2017."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.26"},{"key":"e_1_3_2_1_49_1","volume-title":"ReCon","author":"Porst S.","year":"2010","unstructured":"S. Porst . How to really obfuscate your pdf malware . ReCon , 2010 . S. Porst. How to really obfuscate your pdf malware. ReCon, 2010."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/1190216.1190270"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/1387673.1387674"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2484313.2484355"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2013.2290431"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70542-0_11"},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2004.9"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2005.10"},{"key":"e_1_3_2_1_57_1","volume-title":"Creating signatures for ClamAV. Technical report","author":"Research Team Sourcefire Vulnerability","year":"2015","unstructured":"Sourcefire Vulnerability Research Team . Creating signatures for ClamAV. Technical report , Sourcefire Inc ., 2015 . Sourcefire Vulnerability Research Team. Creating signatures for ClamAV. Technical report, Sourcefire Inc., 2015."},{"key":"e_1_3_2_1_58_1","volume-title":"Symantec Press","author":"Szor P.","year":"2005","unstructured":"P. Szor . The art of computer virus research and defense . Symantec Press , 2005 . P. Szor. The art of computer virus research and defense. Symantec Press, 2005."},{"key":"e_1_3_2_1_59_1","volume-title":"Proc. of Network and Distributed System Security Symposium (NDSS)","author":"Venkataraman S.","year":"2008","unstructured":"S. Venkataraman , A. Blum , and D. Song . Limits of learning-based signature generation with adversaries . In Proc. of Network and Distributed System Security Symposium (NDSS) , 2008 . S. Venkataraman, A. Blum, and D. Song. Limits of learning-based signature generation with adversaries. In Proc. of Network and Distributed System Security Symposium (NDSS), 2008."},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/1030083.1030088"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.20"},{"key":"e_1_3_2_1_62_1","volume-title":"https:\/\/en.bitcoin.it\/wiki\/DOS\/STONED_incident, visited","author":"Wiki B.","year":"2017","unstructured":"B. Wiki . Dos\/stoned incident. https:\/\/en.bitcoin.it\/wiki\/DOS\/STONED_incident, visited Feb. 2017 . B. Wiki. Dos\/stoned incident. https:\/\/en.bitcoin.it\/wiki\/DOS\/STONED_incident, visited Feb. 2017."},{"key":"e_1_3_2_1_63_1","volume-title":"OMG WTF PDF. Presentation at Chaos Computer Congress","author":"Wolf J.","year":"2010","unstructured":"J. Wolf . OMG WTF PDF. Presentation at Chaos Computer Congress , 2010 . J. Wolf. OMG WTF PDF. Presentation at Chaos Computer Congress, 2010."},{"key":"e_1_3_2_1_64_1","volume-title":"Proc. of Black Hat Europe","author":"Xue F.","year":"2008","unstructured":"F. Xue . Attacking antivirus . In Proc. of Black Hat Europe , 2008 . F. Xue. Attacking antivirus. In Proc. of Black Hat Europe, 2008."},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-37300-8_5"}],"event":{"name":"ASIA CCS '17: ACM Asia Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Abu Dhabi United Arab Emirates","acronym":"ASIA CCS '17"},"container-title":["Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3052973.3053002","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3052973.3053002","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T03:36:57Z","timestamp":1750217817000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3052973.3053002"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,4,2]]},"references-count":65,"alternative-id":["10.1145\/3052973.3053002","10.1145\/3052973"],"URL":"https:\/\/doi.org\/10.1145\/3052973.3053002","relation":{},"subject":[],"published":{"date-parts":[[2017,4,2]]},"assertion":[{"value":"2017-04-02","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}