{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,20]],"date-time":"2025-10-20T10:25:50Z","timestamp":1760955950508,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":37,"publisher":"ACM","license":[{"start":{"date-parts":[[2019,6,12]],"date-time":"2019-06-12T00:00:00Z","timestamp":1560297600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Key R&D Program of China","award":["2018YFB1004701"],"award-info":[{"award-number":["2018YFB1004701"]}]},{"name":"National Natural Science Foundation of China","award":["61632013, 61822205, 61432002, 61632020"],"award-info":[{"award-number":["61632013, 61822205, 61432002, 61632020"]}]},{"name":"Key R&D Program of Zhejiang Province","award":["2018C01088"],"award-info":[{"award-number":["2018C01088"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2019,6,12]]},"DOI":"10.1145\/3307334.3326083","type":"proceedings-article","created":{"date-parts":[[2019,6,17]],"date-time":"2019-06-17T12:56:45Z","timestamp":1560776205000},"page":"482-493","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":46,"title":["Understanding Fileless Attacks on Linux-based IoT Devices with HoneyCloud"],"prefix":"10.1145","author":[{"given":"Fan","family":"Dang","sequence":"first","affiliation":[{"name":"Tsinghua University, Beijing, China"}]},{"given":"Zhenhua","family":"Li","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, China"}]},{"given":"Yunhao","family":"Liu","sequence":"additional","affiliation":[{"name":"Michigan State University & Tsinghua University, East Lansing, MI, USA"}]},{"given":"Ennan","family":"Zhai","sequence":"additional","affiliation":[{"name":"Alibaba Group, Seattle, WA, 
USA"}]},{"given":"Qi Alfred","family":"Chen","sequence":"additional","affiliation":[{"name":"University of California, Irvine, Irvine, CA, USA"}]},{"given":"Tianyin","family":"Xu","sequence":"additional","affiliation":[{"name":"University of Illinois Urbana-Champaign, Urbana and Champaign, IL, USA"}]},{"given":"Yan","family":"Chen","sequence":"additional","affiliation":[{"name":"Northwestern University, Evanston, IL, USA"}]},{"given":"Jingyu","family":"Yang","sequence":"additional","affiliation":[{"name":"Tencent Anti-Virus Lab, Beijing, China"}]}],"member":"320","published-online":{"date-parts":[[2019,6,12]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"http:\/\/www.nsfocus.com.cn\/u pload\/contents\/2017\/12\/20171205171653_35944.pdf. (Accessed on","author":"Things Security Research Report Internet","year":"2019","unstructured":"Internet of Things Security Research Report , 2017. http:\/\/www.nsfocus.com.cn\/u pload\/contents\/2017\/12\/20171205171653_35944.pdf. (Accessed on Mar. 15, 2019 ). Internet of Things Security Research Report, 2017. http:\/\/www.nsfocus.com.cn\/u pload\/contents\/2017\/12\/20171205171653_35944.pdf. (Accessed on Mar. 15, 2019)."},{"key":"e_1_3_2_1_2_1","volume-title":"https:\/\/unix.stackexchange.com\/questions\/89714\/easy-way-to-deter mine-virtualization-technology. (Accessed on","author":"Easy Linux","year":"2017","unstructured":"Linux - Easy Way to Determine Virtualization Technology - Unix & Linux Stack Exchange . https:\/\/unix.stackexchange.com\/questions\/89714\/easy-way-to-deter mine-virtualization-technology. (Accessed on Dec. 26, 2017 ). Linux - Easy Way to Determine Virtualization Technology - Unix & Linux Stack Exchange. https:\/\/unix.stackexchange.com\/questions\/89714\/easy-way-to-deter mine-virtualization-technology. (Accessed on Dec. 26, 2017)."},{"key":"e_1_3_2_1_3_1","unstructured":"McAfee Labs: Cybercriminal Tactics Shifting From External Malware Threats to 'fileless' Attacks. 
https:\/\/www.dqindia.com\/mcafee-labs-cybercriminal-tacticsshifting- external-malware-threats-fileless-attacks\/. (Accessed on Dec. 13 2018).  McAfee Labs: Cybercriminal Tactics Shifting From External Malware Threats to 'fileless' Attacks. https:\/\/www.dqindia.com\/mcafee-labs-cybercriminal-tacticsshifting- external-malware-threats-fileless-attacks\/. (Accessed on Dec. 13 2018)."},{"key":"e_1_3_2_1_4_1","volume-title":"http:\/\/blog.malwaremustdie.org\/2017\/02\/mmd-0062--2017-ssh-direct -tcp-forward-attack.html. (Accessed on","author":"Forward Credential Harvesting","year":"2017","unstructured":"MMD-0062--2017 - Credential Harvesting by SSH Direct TCP Forward Attack via IoT Botnet . http:\/\/blog.malwaremustdie.org\/2017\/02\/mmd-0062--2017-ssh-direct -tcp-forward-attack.html. (Accessed on Dec. 26, 2017 ). MMD-0062--2017 - Credential Harvesting by SSH Direct TCP Forward Attack via IoT Botnet. http:\/\/blog.malwaremustdie.org\/2017\/02\/mmd-0062--2017-ssh-direct -tcp-forward-attack.html. (Accessed on Dec. 26, 2017)."},{"key":"e_1_3_2_1_5_1","volume-title":"https:\/\/securelist.com\/new-trends-in-t he-world-of-iot-threats\/87991\/. (Accessed on","author":"Threats New Trends","year":"2019","unstructured":"New Trends in the World of IoT Threats . https:\/\/securelist.com\/new-trends-in-t he-world-of-iot-threats\/87991\/. (Accessed on Mar. 15, 2019 ). New Trends in the World of IoT Threats. https:\/\/securelist.com\/new-trends-in-t he-world-of-iot-threats\/87991\/. (Accessed on Mar. 15, 2019)."},{"key":"e_1_3_2_1_6_1","volume-title":"Exposing Fileless Malware -- Microsoft Secure. https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/01\/24\/now-yousee- me-exposing-fileless-malware\/. (Accessed on","author":"Me","year":"2018","unstructured":"Now You See Me : Exposing Fileless Malware -- Microsoft Secure. https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/01\/24\/now-yousee- me-exposing-fileless-malware\/. (Accessed on Sep. 01, 2018 ). 
Now You See Me: Exposing Fileless Malware -- Microsoft Secure. https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/01\/24\/now-yousee- me-exposing-fileless-malware\/. (Accessed on Sep. 01, 2018)."},{"key":"e_1_3_2_1_7_1","volume-title":"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-0143. (Accessed on","author":"NVD","year":"2018","unstructured":"NVD - CVE-2017-0143. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-0143. (Accessed on Sep. 18, 2018 ). NVD - CVE-2017-0143. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-0143. (Accessed on Sep. 18, 2018)."},{"key":"e_1_3_2_1_8_1","volume-title":"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018--7262. (Accessed on","author":"NVD","year":"2018","unstructured":"NVD - CVE-2018--7262. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018--7262. (Accessed on Sep. 11, 2018 ). NVD - CVE-2018--7262. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018--7262. (Accessed on Sep. 11, 2018)."},{"key":"e_1_3_2_1_9_1","volume-title":"https:\/\/wiki.koeln.ccc.de\/images\/d\/d5\/Openchaos_ qemudetect.pdf. (Accessed on","author":"Emulation Detection QEMU","year":"2017","unstructured":"QEMU Emulation Detection . https:\/\/wiki.koeln.ccc.de\/images\/d\/d5\/Openchaos_ qemudetect.pdf. (Accessed on Dec. 26, 2017 ). QEMU Emulation Detection. https:\/\/wiki.koeln.ccc.de\/images\/d\/d5\/Openchaos_ qemudetect.pdf. (Accessed on Dec. 26, 2017)."},{"key":"e_1_3_2_1_10_1","volume-title":"http:\/\/www.govtech.com\/security\/Tips-for-Guarding-Against-Untraceab le-Fileless-Cyberattacks.html. (Accessed on","author":"Guarding Against Untraceable Tips","year":"2018","unstructured":"Tips for Guarding Against Untraceable , 'Fileless\" Cyberattacks. http:\/\/www.govtech.com\/security\/Tips-for-Guarding-Against-Untraceab le-Fileless-Cyberattacks.html. (Accessed on Sep. 18, 2018 ). Tips for Guarding Against Untraceable, 'Fileless\" Cyberattacks. http:\/\/www.govtech.com\/security\/Tips-for-Guarding-Against-Untraceab le-Fileless-Cyberattacks.html. (Accessed on Sep. 
18, 2018)."},{"key":"e_1_3_2_1_11_1","volume-title":"Proceedings of USENIX Security","author":"Antonakakis Manos","year":"2017","unstructured":"Manos Antonakakis , Tim April , Michael Bailey , Matt Bernhard , Elie Bursztein , 2017 . Understanding the Mirai Botnet . In Proceedings of USENIX Security . Vancouver, BC, Canada. Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, et al. 2017. Understanding the Mirai Botnet. In Proceedings of USENIX Security. Vancouver, BC, Canada."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/11856214_9"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/TMC.2018.2853114"},{"key":"e_1_3_2_1_14_1","volume-title":"DDoS-Capable IoT Malwares: Comparative Analysis and Mirai Investigation. Security and Communication Networks (Feb","author":"Donno Michele De","year":"2018","unstructured":"Michele De Donno , Nicola Dragoni , Alberto Giaretta , and Angelo Spognardi . 2018. DDoS-Capable IoT Malwares: Comparative Analysis and Mirai Investigation. Security and Communication Networks (Feb . 2018 ), 7178164:1--7178164:30. Michele De Donno, Nicola Dragoni, Alberto Giaretta, and Angelo Spognardi. 2018. DDoS-Capable IoT Malwares: Comparative Analysis and Mirai Investigation. Security and Communication Networks (Feb. 2018), 7178164:1--7178164:30."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11277-018-5307-3"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.4236\/jis.2014.52006"},{"volume-title":"Black Hat.","author":"Graeber Matt","key":"e_1_3_2_1_17_1","unstructured":"Matt Graeber . 2015. Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor . In Black Hat. Las Vegas, NV, USA . Matt Graeber. 2015. Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor. In Black Hat. 
Las Vegas, NV, USA."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3218584"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196511"},{"key":"e_1_3_2_1_20_1","volume-title":"http:\/\/www.honeynet.org\/. (Accessed on","author":"Project The Honeynet","year":"2017","unstructured":"The Honeynet Project . http:\/\/www.honeynet.org\/. (Accessed on Dec. 26, 2017 ). The Honeynet Project. http:\/\/www.honeynet.org\/. (Accessed on Dec. 26, 2017)."},{"key":"e_1_3_2_1_21_1","unstructured":"ISO\/IEC 20922:2016 Information technology -- Message Queuing Telemetry Transport (MQTT) v3.1.1. http:\/\/www.iso.org.  ISO\/IEC 20922:2016 Information technology -- Message Queuing Telemetry Transport (MQTT) v3.1.1. http:\/\/www.iso.org."},{"volume-title":"Zen and the Art of the Internet","author":"Kehoe Brendan P.","key":"e_1_3_2_1_22_1","unstructured":"Brendan P. Kehoe . 1992. Zen and the Art of the Internet . Prentice-Hall, Inc. , Upper Saddle River, NJ, USA. Brendan P. Kehoe. 1992. Zen and the Art of the Internet. Prentice-Hall, Inc., Upper Saddle River, NJ, USA."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/972374.972384"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3139937.3139938"},{"key":"e_1_3_2_1_25_1","volume-title":"Proceedings of USENIX LEET","author":"Nazario Jose","year":"2009","unstructured":"Jose Nazario . 2009 . PhoneyC: A Virtual Client Honeypot . In Proceedings of USENIX LEET . Boston, MA, USA. Jose Nazario. 2009. PhoneyC: A Virtual Client Honeypot. In Proceedings of USENIX LEET. Boston, MA, USA."},{"key":"e_1_3_2_1_26_1","volume-title":"Honeyd Detection via Packet Fragmentation. (Jul","author":"Oberheide Jon","year":"2010","unstructured":"Jon Oberheide and Manish Karir . 2010. Honeyd Detection via Packet Fragmentation. (Jul . 2010 ). Jon Oberheide and Manish Karir. 2010. Honeyd Detection via Packet Fragmentation. (Jul. 
2010)."},{"key":"e_1_3_2_1_27_1","volume-title":"Proceedings of USENIX WOOT. Washington, D.C., USA.","author":"Pa Pa Yin Minn","year":"2015","unstructured":"Yin Minn Pa Pa , Shogo Suzuki , Katsunari Yoshioka , Tsutomu Matsumoto , Takahiro Kasama , 2015 . IoTPOT: Analysing the Rise of IoT Compromises . In Proceedings of USENIX WOOT. Washington, D.C., USA. Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, et al. 2015. IoTPOT: Analysing the Rise of IoT Compromises. In Proceedings of USENIX WOOT. Washington, D.C., USA."},{"key":"e_1_3_2_1_28_1","volume-title":"Proceedings of USENIX Security","author":"Provos Niels","year":"2004","unstructured":"Niels Provos . 2004 . A Virtual Honeypot Framework . In Proceedings of USENIX Security . San Diego, CA, USA. Niels Provos. 2004. A Virtual Honeypot Framework. In Proceedings of USENIX Security. San Diego, CA, USA."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-75496-1_1"},{"key":"e_1_3_2_1_30_1","volume-title":"Veitch","author":"Santry Douglas J.","year":"1999","unstructured":"Douglas J. Santry , Michael J. Feeley , Norman C. Hutchinson , and Alistair C . Veitch . 1999 . Elephant : The File System That Never Forgets. In Proceedings of ACM HotOS. Rio Rico, AZ, USA. Douglas J. Santry, Michael J. Feeley, Norman C. Hutchinson, and Alistair C. Veitch. 1999. Elephant: The File System That Never Forgets. In Proceedings of ACM HotOS. Rio Rico, AZ, USA."},{"key":"e_1_3_2_1_31_1","volume-title":"Honeypots: Tracking Hackers.","author":"Spitzner Lance","year":"2003","unstructured":"Lance Spitzner . 2003 . Honeypots: Tracking Hackers. Vol. 1 . Addison-Wesley Reading . Lance Spitzner. 2003. Honeypots: Tracking Hackers. Vol. 1. 
Addison-Wesley Reading."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1016\/S1353-4858(11)70086-1"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/1095810.1095825"},{"volume-title":"AVAR.","author":"Yang Jingyu","key":"e_1_3_2_1_35_1","unstructured":"Jingyu Yang and Fan Dang . 2017. An IoT Honeypot Device for Malware Forensics . In AVAR. Beijing, China . Jingyu Yang and Fan Dang. 2017. An IoT Honeypot Device for Malware Forensics. In AVAR. Beijing, China."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/TST.2015.7040509"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660296"},{"key":"e_1_3_2_1_38_1","first-page":"12","article-title":"HoneyBow: An Automated Malware Collection Tool based on the High- Interaction Honeypot Principle","volume":"28","year":"2007","unstructured":"Jian-wei Zhuge, Xin-hui Han, Yong-lin Zhou, Cheng-yu Song, Jin-peng Guo, 2007 . HoneyBow: An Automated Malware Collection Tool based on the High- Interaction Honeypot Principle . Journal of China Institute of Communications 28 , 12 (Dec. 2007), 8. Jian-wei Zhuge, Xin-hui Han, Yong-lin Zhou, Cheng-yu Song, Jin-peng Guo, et al. 2007. HoneyBow: An Automated Malware Collection Tool based on the High- Interaction Honeypot Principle. Journal of China Institute of Communications 28, 12 (Dec. 
2007), 8.","journal-title":"Journal of China Institute of Communications"}],"event":{"name":"MobiSys '19: The 17th Annual International Conference on Mobile Systems, Applications, and Services","sponsor":["SIGMOBILE ACM Special Interest Group on Mobility of Systems, Users, Data and Computing","SIGOPS ACM Special Interest Group on Operating Systems"],"location":"Seoul Republic of Korea","acronym":"MobiSys '19"},"container-title":["Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3307334.3326083","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3307334.3326083","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:13:20Z","timestamp":1750202000000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3307334.3326083"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,6,12]]},"references-count":37,"alternative-id":["10.1145\/3307334.3326083","10.1145\/3307334"],"URL":"https:\/\/doi.org\/10.1145\/3307334.3326083","relation":{},"subject":[],"published":{"date-parts":[[2019,6,12]]},"assertion":[{"value":"2019-06-12","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}