{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,18]],"date-time":"2026-04-18T16:49:11Z","timestamp":1776530951136,"version":"3.51.2"},"reference-count":103,"publisher":"Association for Computing Machinery (ACM)","issue":"5","license":[{"start":{"date-parts":[[2019,9,13]],"date-time":"2019-09-13T00:00:00Z","timestamp":1568332800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2020,9,30]]},"abstract":"<jats:p>Although malicious software (malware) has been around since the early days of computers, the sophistication and innovation of malware has increased over the years. In particular, the latest crop of ransomware has drawn attention to the dangers of malicious software, which can cause harm to private users as well as corporations, public services (hospitals and transportation systems), governments, and security institutions. To protect these institutions and the public from malware attacks, malicious activity must be detected as early as possible, preferably before it conducts its harmful acts. However, it is not always easy to know what to look for\u2014especially when dealing with new and unknown malware that has never been seen. Analyzing a suspicious file by static or dynamic analysis methods can provide relevant and valuable information regarding a file's impact on the hosting system and help determine whether the file is malicious or not, based on the method's predefined rules. While various techniques (e.g., code obfuscation, dynamic code loading, encryption, and packing) can be used by malware writers to evade static analysis (including signature-based anti-virus tools), dynamic analysis is robust to these techniques and can provide greater understanding regarding the analyzed file and consequently can lead to better detection capabilities. Although dynamic analysis is more robust than static analysis, existing dynamic analysis tools and techniques are imperfect, and there is no single tool that can cover all aspects of malware behavior. The most recent comprehensive survey performed in this area was published in 2012. Since that time, the computing environment has changed dramatically with new types of malware (ransomware, cryptominers), new analysis methods (volatile memory forensics, side-channel analysis), new computing environments (cloud computing, IoT devices), new machine-learning algorithms, and more. The goal of this survey is to provide a comprehensive and up-to-date overview of existing methods used to dynamically analyze malware, which includes a description of each method, its strengths and weaknesses, and its resilience against malware evasion techniques. In addition, we include an overview of prominent studies presenting the usage of machine-learning methods to enhance dynamic malware analysis capabilities aimed at detection, classification, and categorization.<\/jats:p>","DOI":"10.1145\/3329786","type":"journal-article","created":{"date-parts":[[2019,9,13]],"date-time":"2019-09-13T12:28:56Z","timestamp":1568377736000},"page":"1-48","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":281,"title":["Dynamic Malware Analysis in the Modern Era\u2014A State of the Art Survey"],"prefix":"10.1145","volume":"52","author":[{"given":"Ori","family":"Or-Meir","sequence":"first","affiliation":[{"name":"Ben-Gurion University of the Negev, Beer-Sheva, Israel"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0652-8861","authenticated-orcid":false,"given":"Nir","family":"Nissim","sequence":"additional","affiliation":[{"name":"Ben-Gurion University of the Negev, Beer-Sheva, Israel"}]},{"given":"Yuval","family":"Elovici","sequence":"additional","affiliation":[{"name":"Ben-Gurion University of the Negev, Beer-Sheva, Israel"}]},{"given":"Lior","family":"Rokach","sequence":"additional","affiliation":[{"name":"Ben-Gurion University of the Negev, Beer-Sheva, Israel"}]}],"member":"320","published-online":{"date-parts":[[2019,9,13]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/318774.318944"},{"key":"e_1_2_1_2_1","first-page":"103","article-title":"Basic survey on malware analysis, tools and techniques","volume":"4","author":"Uppal D.","year":"2014","journal-title":"Int. J. Comput. Sci. Appl."},{"key":"e_1_2_1_3_1","first-page":"2007","article-title":"A survey of malware detection techniques","volume":"48","author":"Idika N.","year":"2007","journal-title":"Purdue University"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.4236\/jis.2014.52006"},{"key":"e_1_2_1_5_1","first-page":"422","article-title":"A survey on techniques in detection and analyzing malware executables","volume":"3","author":"Mathur K.","year":"2013","journal-title":"Int. J. Adv. Res. Comput. Sci. Softw. Eng."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/2089125.2089126"},{"key":"e_1_2_1_7_1","first-page":"10","article-title":"A survey on malware propagation, analysis and detection","volume":"2","author":"Damshenas M.","year":"2013","journal-title":"Int. J. Cyber-Security Digit. Forens."},{"key":"e_1_2_1_8_1","first-page":"61","article-title":"Malware and malware detection techniques: A survey","volume":"2","author":"Landage J.","year":"2013","journal-title":"Int. J. Eng. Res."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3073559"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2103799.2103807"},{"key":"e_1_2_1_11_1","volume-title":"Proceedings of the 1997 IEEE Information Survivability Workshop. 2--5.","author":"Oppenheimer D. L."},{"key":"e_1_2_1_12_1","volume-title":"Proceedings of the European Workshop on Systems Security.","author":"Vogl S."},{"key":"e_1_2_1_13_1","volume-title":"Proceedings of the USENIX Workshop on Health Information Technology. 221--236","author":"Clark S. S.","year":"2013"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/2463209.2488831"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508148.2485970"},{"key":"e_1_2_1_16_1","volume-title":"International Workshop on Recent Advances in Intrusion Detection. Springer, Cham, 109--129","author":"Tang A."},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2011.06.002"},{"key":"e_1_2_1_18_1","volume-title":"Proceedings of the 24th USENIX Security Symposium (USENIXSecur\u201915)","author":"Graziano M."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.5555\/2011216.2011217"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACT.2010.33"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/CEC.2006.1688720"},{"key":"e_1_2_1_22_1","volume-title":"Zero days, thousands of nights: The life and times of zero-day vulnerabilities and their exploits","author":"Ablon L."},{"key":"e_1_2_1_23_1","first-page":"2016","article-title":"Regulation (EU) 2016\/679 of the European Parliament and of the Council","volume":"679","author":"Regulation P.","year":"2016","journal-title":"REGULATION (EU)"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3172869"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/361268.361275"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/2689702.2689703"},{"key":"e_1_2_1_27_1","volume-title":"Rootkits: Subverting the Windows Kernel","author":"Hoglund B. G.","year":"2005"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/ARES.2014.44"},{"key":"e_1_2_1_29_1","volume-title":"Proceedings of the 9th International Conference on Appl. Inf. Commun. Technol. (AICT\u201915)","author":"Sergeev A."},{"key":"e_1_2_1_30_1","unstructured":"H. Fritsch. 2008. Analysis and detection of virtualization-based rootkits. Technische Universitat Munchen. H. Fritsch. 2008. Analysis and detection of virtualization-based rootkits. Technische Universitat Munchen."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.38"},{"key":"e_1_2_1_32_1","volume-title":"Proceedings of the Black Hat USA Conference (BHUSA\u201909)","author":"Tereshkin A."},{"key":"e_1_2_1_33_1","unstructured":"M. Gorobets O. Bazhaniuk A. Matrosov A. Furtak and Y. Bulygin. 2015. Attacking hypervisors via firmware and hardware. Black Hat USA. M. Gorobets O. Bazhaniuk A. Matrosov A. Furtak and Y. Bulygin. 2015. Attacking hypervisors via firmware and hardware. Black Hat USA."},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2017.08.002"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-37300-8_2"},{"key":"e_1_2_1_36_1","volume-title":"Proceedings of the 3rd USENIX Conference on Offensive Technology. 2.","author":"Paleari R."},{"key":"e_1_2_1_37_1","volume-title":"Redpill: Detect VMM using (almost) One CPU Instruction","author":"Rutkowska J.","year":"2004"},{"key":"e_1_2_1_38_1","unstructured":"P. Ferrie. 2007. Attacks on more virtual machine emulators. Symantec Technol. Exch. 55. P. Ferrie. 2007. Attacks on more virtual machine emulators. Symantec Technol. Exch. 55."},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2007.63"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/BWCCA.2010.85"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/1774088.1774484"},{"key":"e_1_2_1_42_1","unstructured":"P. Deshpande. 2013. Metamorphic Detection Using Function Call Graph Analysis. Master's Projects. 336. P. Deshpande. 2013. Metamorphic Detection Using Function Call Graph Analysis. Master's Projects. 336."},{"key":"e_1_2_1_43_1","volume-title":"Proceedings of the 14th International Conference on Advances in Communications Technology (ICACT\u201912)","author":"Marpaung J. A P.","year":"2012"},{"key":"e_1_2_1_44_1","unstructured":"B. S. Rivera and R. U. 2015. Inocencio. Doing More with Less: A Study of Fileless Infection Attacks. B. S. Rivera and R. U. 2015. Inocencio. Doing More with Less: A Study of Fileless Infection Attacks."},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/EC2ND.2011.12"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSN.2011.19"},{"key":"e_1_2_1_47_1","volume-title":"Proceedings of the International Conference on Graph. Image Process (ICGIP\u201913)","author":"Zhu Y."},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2018.04.033"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2018.02.039"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2076732.2076790"},{"key":"e_1_2_1_51_1","volume-title":"Proceedings of the Netw. Distrib. Syst. Secur. Symposium. 21--24","author":"Chen D. D."},{"key":"e_1_2_1_52_1","volume-title":"Proceedings of the Black Hat DC. 1--49","author":"Rutkowska J.","year":"2007"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420962"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2013.06.012"},{"key":"e_1_2_1_55_1","volume-title":"Proceedings of the 8th International Conference on Cloud Comput. Data Sci. Eng. 14--15","author":"Agarwal S."},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-006-0012-2"},{"key":"e_1_2_1_57_1","volume-title":"Virus Bulletin Conference","volume":"1","author":"Mandl T."},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2007.45"},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2007.06.003"},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2008.44"},{"key":"e_1_2_1_61_1","volume-title":"Proceedings of the Detect. Intrusions Malware, Vulnerability Assess. 41--60","author":"Neugschwandtner M."},{"key":"e_1_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.26"},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.17"},{"key":"e_1_2_1_64_1","volume-title":"Proceedings of the Conference on Netw. Distrib. Syst. Secur.","author":"Balzarotti D."},{"key":"e_1_2_1_65_1","unstructured":"D. Bruening. 2004. Efficient transparent and comprehensive runtime code manipulation. Electr. Eng. 306. D. Bruening. 2004. Efficient transparent and comprehensive runtime code manipulation. Electr. Eng. 306."},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2005.52"},{"key":"e_1_2_1_67_1","first-page":"311","article-title":"SPiKE: Engineering malware analysis tools using unobtrusive binary-instrumentation. In Proceedings of the Conference on Res","volume":"48","author":"Vasudevan A.","year":"2006","journal-title":"Pract. Inf. Technol. Ser."},{"key":"e_1_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.9"},{"key":"e_1_2_1_69_1","volume-title":"Proceedings of the Conference on Botnet Detect. 65--88","author":"Brumley D."},{"key":"e_1_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455779"},{"key":"e_1_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_4"},{"key":"e_1_2_1_72_1","volume-title":"Proceedings of the Conference on Res. Pract. Inf. Technol. Ser. 107","author":"Cesare S.","year":"2010"},{"key":"e_1_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1145\/1095810.1095824"},{"key":"e_1_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315261"},{"key":"e_1_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1145\/1273463.1273490"},{"key":"e_1_2_1_76_1","volume-title":"Usenix Conference. 233--246","author":"Egele M."},{"key":"e_1_2_1_77_1","volume-title":"Proceedings of the Conference on Digit. Forensics, Secur. Law, 115--142","author":"Korkin I."},{"key":"e_1_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2015.01.010"},{"key":"e_1_2_1_79_1","unstructured":"Z. Liang H. Yin and D. Song. 2008. HookFinder: Identifying and understanding malware hooking behaviors. Dep. Electr. Comput. Eng. 41 (2008). Z. Liang H. Yin and D. Song. 2008. HookFinder: Identifying and understanding malware hooking behaviors. Dep. Electr. Comput. Eng. 41 (2008)."},{"key":"e_1_2_1_80_1","first-page":"178","article-title":"Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory","volume":"6307","author":"Rhee J.","year":"2010","journal-title":"Lect. Notes Comput. Sci. (Subser. Lect. Notes Artif. Intell. Lect. Notes Bioinformatics)"},{"key":"e_1_2_1_81_1","volume-title":"Symposium on Self-Stabilizing Systems. Springer","author":"Gorecki C."},{"key":"e_1_2_1_82_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2012.04.002"},{"key":"e_1_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-41284-4_2"},{"key":"e_1_2_1_84_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2015.04.001"},{"key":"e_1_2_1_85_1","first-page":"23","article-title":"A lightweight live memory forensic approach based on hardware virtualization. Info","volume":"379","author":"Cheng Y.","year":"2017","journal-title":"Sci."},{"key":"e_1_2_1_86_1","volume-title":"Proceedings of the International Carnahan Conference Secur. Technol. 299--303","author":"Lin C. H."},{"key":"e_1_2_1_87_1","doi-asserted-by":"crossref","unstructured":"C. H. Lin H. K. Pao and J. W. Liao. 2018. Efficient dynamic malware analysis using virtual time control mechanics. Comput. Secur. 73 359\u2014373. C. H. Lin H. K. Pao and J. W. Liao. 2018. Efficient dynamic malware analysis using virtual time control mechanics. Comput. Secur. 73 359\u2014373.","DOI":"10.1016\/j.cose.2017.11.010"},{"key":"e_1_2_1_88_1","volume-title":"Proceedings of 40th IEEE Symposium on Security and Privacy (S&P'''19)","author":"Das S."},{"key":"e_1_2_1_89_1","unstructured":"E. Buchanan R. Roemer S. Savage and H. Shacham. 2008. Return-oriented programming: Exploitation without Code Injection. Black Hat 8. E. Buchanan R. Roemer S. Savage and H. Shacham. 2008. Return-oriented programming: Exploitation without Code Injection. Black Hat 8."},{"key":"e_1_2_1_90_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196494.3196515"},{"key":"e_1_2_1_91_1","unstructured":"C. Smith and S. S. Consultant. 2008. Creating code obfuscation virtual machines. Tutorial in RECON08. C. Smith and S. S. Consultant. 2008. Creating code obfuscation virtual machines. Tutorial in RECON08."},{"key":"e_1_2_1_92_1","doi-asserted-by":"publisher","DOI":"10.1145\/1314389.1314399"},{"key":"e_1_2_1_93_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2006.38"},{"key":"e_1_2_1_94_1","unstructured":"R.O.C.U. 2005. United. Generic Unpacking\u2014How to Handle Modified or Unknown PE Compression Engines. Retrieved from https:\/\/www.virusbulletin.com\/conference\/vb2005\/abstracts\/generic-unpacking-how-handle-modified-or-unknown-pe-compression-engines\/. R.O.C.U. 2005. United. Generic Unpacking\u2014How to Handle Modified or Unknown PE Compression Engines. Retrieved from https:\/\/www.virusbulletin.com\/conference\/vb2005\/abstracts\/generic-unpacking-how-handle-modified-or-unknown-pe-compression-engines\/."},{"key":"e_1_2_1_95_1","volume-title":"Proceedings of the IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP\u201915). 1916","author":"Pascanu R.","year":"1920"},{"key":"e_1_2_1_96_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium. 23--26","author":"Rasthofer S."},{"key":"e_1_2_1_97_1","doi-asserted-by":"publisher","DOI":"10.1007\/s13389-011-0023-x"},{"key":"e_1_2_1_98_1","doi-asserted-by":"publisher","DOI":"10.1145\/3079856.3080223"},{"key":"e_1_2_1_99_1","doi-asserted-by":"publisher","DOI":"10.1145\/1065010.1065034"},{"key":"e_1_2_1_100_1","doi-asserted-by":"publisher","DOI":"10.1145\/945445.945462"},{"key":"e_1_2_1_101_1","doi-asserted-by":"publisher","DOI":"10.5555\/1247360.1247401"},{"key":"e_1_2_1_102_1","doi-asserted-by":"crossref","unstructured":"H. Yin and D. Song. 2012. Automatic Malware Analysis: An Emulator Based Approach. Springer Science 8 Business Media. H. Yin and D. Song. 2012. Automatic Malware Analysis: An Emulator Based Approach. Springer Science 8 Business Media.","DOI":"10.1007\/978-1-4614-5523-3"},{"key":"e_1_2_1_103_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-89862-7_1"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3329786","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3329786","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T00:26:23Z","timestamp":1750206383000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3329786"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,9,13]]},"references-count":103,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2020,9,30]]}},"alternative-id":["10.1145\/3329786"],"URL":"https:\/\/doi.org\/10.1145\/3329786","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,9,13]]},"assertion":[{"value":"2018-11-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-05-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-09-13","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}