{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:24:11Z","timestamp":1750220651005,"version":"3.41.0"},"reference-count":25,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2020,8,4]],"date-time":"2020-08-04T00:00:00Z","timestamp":1596499200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100006602","name":"Air Force Research Laboratory","doi-asserted-by":"publisher","award":["FA8750-15-C-0017, FA8750-18-C-0140"],"award-info":[{"award-number":["FA8750-15-C-0017, FA8750-18-C-0140"]}],"id":[{"id":"10.13039\/100006602","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2020,9,30]]},"abstract":"<jats:p>Modern cyber attacks are often conducted by distributing digital documents that contain malware. The approach detailed herein, which consists of a classifier that uses features derived from dynamic analysis of a document viewer as it renders the document in question, is capable of classifying the disposition of digital documents with greater than 98% accuracy even when its model is trained on just small amounts of data. To keep the classification model itself small and thereby to provide scalability, we employ an entity resolution strategy that merges syntactically disparate features that are thought to be semantically equivalent but vary due to programmatic randomness. Entity resolution enables construction of a comprehensive model of benign functionality using relatively few training documents, and the model does not improve significantly with additional training data. In particular, we describe and quantitatively evaluate a fully automated, document format--agnostic approach for learning a classification model that provides efficacious malicious document detection.<\/jats:p>","DOI":"10.1145\/3379505","type":"journal-article","created":{"date-parts":[[2020,7,7]],"date-time":"2020-07-07T12:32:18Z","timestamp":1594125138000},"page":"1-21","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Automated Model Learning for Accurate Detection of Malicious Digital Documents"],"prefix":"10.1145","volume":"1","author":[{"given":"Daniel","family":"Scofield","sequence":"first","affiliation":[{"name":"Assured Information Security, Suite, Portland, OR"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8648-803X","authenticated-orcid":false,"given":"Craig","family":"Miles","sequence":"additional","affiliation":[{"name":"Assured Information Security, Suite, Portland, OR"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Stephen","family":"Kuhn","sequence":"additional","affiliation":[{"name":"Air Force Research Laboratory, Rome, NY"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2020,8,4]]},"reference":[{"volume-title":"The Economics of Information Security and Privacy","author":"Anderson Ross","key":"e_1_2_1_1_1","unstructured":"Ross Anderson , Chris Barton , Rainer B\u00f6hme , Richard Clayton , Michel J. G. Van Eeten , Michael Levi , Tyler Moore , and Stefan Savage . 2013. Measuring the cost of cybercrime . In The Economics of Information Security and Privacy . Springer , 265--300. Ross Anderson, Chris Barton, Rainer B\u00f6hme, Richard Clayton, Michel J. G. Van Eeten, Michael Levi, Tyler Moore, and Stefan Savage. 2013. Measuring the cost of cybercrime. In The Economics of Information Security and Privacy. Springer, 265--300."},{"key":"e_1_2_1_2_1","volume-title":"Proceedings of the International Workshop on Recent Advances in Intrusion Detection. Springer, 178--197","author":"Bailey Michael","year":"2007","unstructured":"Michael Bailey , Jon Oberheide , Jon Andersen , Z. Morley Mao , Farnam Jahanian , and Jose Nazario . 2007 . Automated classification and analysis of internet malware . In Proceedings of the International Workshop on Recent Advances in Intrusion Detection. Springer, 178--197 . Michael Bailey, Jon Oberheide, Jon Andersen, Z. Morley Mao, Farnam Jahanian, and Jose Nazario. 2007. Automated classification and analysis of internet malware. In Proceedings of the International Workshop on Recent Advances in Intrusion Detection. Springer, 178--197."},{"key":"e_1_2_1_3_1","volume-title":"Proceedings of the Asia-Pacific Network Operations and Management Symposium (APNOMS\u201913)","author":"Bazzi Ahmad","year":"2013","unstructured":"Ahmad Bazzi and Yoshikuni Onozato . 2013 . IDS for detecting malicious non-executable files using dynamic analysis . In Proceedings of the Asia-Pacific Network Operations and Management Symposium (APNOMS\u201913) . 1--3. Ahmad Bazzi and Yoshikuni Onozato. 2013. IDS for detecting malicious non-executable files using dynamic analysis. In Proceedings of the Asia-Pacific Network Operations and Management Symposium (APNOMS\u201913). 1--3."},{"key":"e_1_2_1_4_1","first-page":"2","article-title":"The S2E platform: Design, implementation, and applications","volume":"30","author":"Chipounov Vitaly","year":"2012","unstructured":"Vitaly Chipounov , Volodymyr Kuznetsov , and George Candea . 2012 . The S2E platform: Design, implementation, and applications . ACM Trans. Comput. Syst. 30 , 1 (2012), 2 . Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. 2012. The S2E platform: Design, implementation, and applications. ACM Trans. Comput. Syst. 30, 1 (2012), 2.","journal-title":"ACM Trans. Comput. Syst."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.2005.844059"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455779"},{"key":"e_1_2_1_7_1","unstructured":"M. Engleberth Carsten Willems and Thorsten Holz. 2009. Detecting malicious documents with combined static and dynamic analysis (PowerPoint presentation). Virus Bull. (2009). https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference_slides\/2009\/Willems-VB2009.pdf  M. Engleberth Carsten Willems and Thorsten Holz. 2009. Detecting malicious documents with combined static and dynamic analysis (PowerPoint presentation). Virus Bull. (2009). https:\/\/www.virusbulletin.com\/uploads\/pdf\/conference_slides\/2009\/Willems-VB2009.pdf"},{"key":"e_1_2_1_8_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201903)","volume":"3","author":"Garfinkel Tal","unstructured":"Tal Garfinkel , Mendel Rosenblum et al. 2003. A virtual machine introspection based architecture for intrusion detection . In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201903) , Vol. 3 . 191--206. Tal Garfinkel, Mendel Rosenblum et al. 2003. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201903), Vol. 3. 191--206."},{"key":"e_1_2_1_9_1","volume-title":"Proceedings of the International Workshop on Recent Advances in Intrusion Detection. Springer, 101--120","author":"Griffin Kent","year":"2009","unstructured":"Kent Griffin , Scott Schneider , Xin Hu , and Tzi-Cker Chiueh . 2009 . Automatic generation of string signatures for malware detection . In Proceedings of the International Workshop on Recent Advances in Intrusion Detection. Springer, 101--120 . Kent Griffin, Scott Schneider, Xin Hu, and Tzi-Cker Chiueh. 2009. Automatic generation of string signatures for malware detection. In Proceedings of the International Workshop on Recent Advances in Intrusion Detection. Springer, 101--120."},{"key":"e_1_2_1_10_1","volume-title":"Proceedings of the 3rd USENIX Windows NT Symposium.","author":"Hunt Galen","year":"1999","unstructured":"Galen Hunt and Doug Brubacher . 1999 . Detours: Binary interception of Win 32 functions . In Proceedings of the 3rd USENIX Windows NT Symposium. Galen Hunt and Doug Brubacher. 1999. Detours: Binary interception of Win 32 functions. In Proceedings of the 3rd USENIX Windows NT Symposium."},{"key":"e_1_2_1_11_1","volume-title":"Proceedings of the 2nd Cybercrime and Trustworthy Computing Workshop (CTC\u201910)","author":"Islam Rafiqul","year":"2010","unstructured":"Rafiqul Islam , Ronghua Tian , Lynn Batten , and Steve Versteeg . 2010 . Classification of malware based on string and function feature selection . In Proceedings of the 2nd Cybercrime and Trustworthy Computing Workshop (CTC\u201910) . IEEE, 9--17. Rafiqul Islam, Ronghua Tian, Lynn Batten, and Steve Versteeg. 2010. Classification of malware based on string and function feature selection. In Proceedings of the 2nd Cybercrime and Trustworthy Computing Workshop (CTC\u201910). IEEE, 9--17."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046742"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2009.03.007"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2076732.2076785"},{"key":"e_1_2_1_16_1","first-page":"707","article-title":"Binary codes capable of correcting deletions, insertions and reversals","volume":"10","author":"Levenshtein Vladimir I.","year":"1966","unstructured":"Vladimir I. Levenshtein . 1966 . Binary codes capable of correcting deletions, insertions and reversals . In Soviet Phys. Dokl. , Vol. 10. 707 . Vladimir I. Levenshtein. 1966. Binary codes capable of correcting deletions, insertions and reversals. In Soviet Phys. Dokl., Vol. 10. 707.","journal-title":"Soviet Phys. Dokl."},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2008.10.011"},{"key":"e_1_2_1_18_1","volume-title":"Vijay Janapa Reddi, and Kim Hazelwood","author":"Luk Chi-Keung","year":"2005","unstructured":"Chi-Keung Luk , Robert Cohn , Robert Muth , Harish Patil , Artur Klauser , Geoff Lowney , Steven Wallace , Vijay Janapa Reddi, and Kim Hazelwood . 2005 . Pin : Building customized program analysis tools with dynamic instrumentation. In ACM Sigplan Notices, Vol. 40 . ACM , 190--200. Chi-Keung Luk, Robert Cohn, Robert Muth, Harish Patil, Artur Klauser, Geoff Lowney, Steven Wallace, Vijay Janapa Reddi, and Kim Hazelwood. 2005. Pin: Building customized program analysis tools with dynamic instrumentation. In ACM Sigplan Notices, Vol. 40. ACM, 190--200."},{"key":"e_1_2_1_19_1","first-page":"78","article-title":"Towards adversarial malware detection: Lessons learned from PDF-based attacks","volume":"52","author":"Maiorca Davide","year":"2019","unstructured":"Davide Maiorca , Battista Biggio , and Giorgio Giacinto . 2019 . Towards adversarial malware detection: Lessons learned from PDF-based attacks . ACM Comput. Surv. 52 , 4 (2019), 78 . Davide Maiorca, Battista Biggio, and Giorgio Giacinto. 2019. Towards adversarial malware detection: Lessons learned from PDF-based attacks. ACM Comput. Surv. 52, 4 (2019), 78.","journal-title":"ACM Comput. Surv."},{"key":"e_1_2_1_20_1","volume-title":"Proceedings of the International Workshop on Machine Learning and Data Mining in Pattern Recognition. Springer, 510--524","author":"Maiorca Davide","year":"2012","unstructured":"Davide Maiorca , Giorgio Giacinto , and Igino Corona . 2012 . A pattern recognition system for malicious PDF files detection . In Proceedings of the International Workshop on Machine Learning and Data Mining in Pattern Recognition. Springer, 510--524 . Davide Maiorca, Giorgio Giacinto, and Igino Corona. 2012. A pattern recognition system for malicious PDF files detection. In Proceedings of the International Workshop on Machine Learning and Data Mining in Pattern Recognition. Springer, 510--524."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.10.014"},{"key":"e_1_2_1_22_1","article-title":"Entropy and n-gram analysis of malicious PDF documents","volume":"2","author":"Pareek Himanshu","year":"2013","unstructured":"Himanshu Pareek , P. Eswari , N. Sarat Chandra Babu , and C. Bangalore . 2013 . Entropy and n-gram analysis of malicious PDF documents . Int. J. Eng. Res. Tech. 2 , 2 (2013). Himanshu Pareek, P. Eswari, N. Sarat Chandra Babu, and C. Bangalore. 2013. Entropy and n-gram analysis of malicious PDF documents. Int. J. Eng. Res. Tech. 2, 2 (2013).","journal-title":"Int. J. Eng. Res. Tech."},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3151137.3151142"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420987"},{"key":"e_1_2_1_25_1","volume-title":"Proceedings of the 20th Annual Network 8 Distributed System Security Symposium.","author":"\u0160rndic Nedim","year":"2013","unstructured":"Nedim \u0160rndic and Pavel Laskov . 2013 . Detection of malicious PDF files based on hierarchical document structure . In Proceedings of the 20th Annual Network 8 Distributed System Security Symposium. Nedim \u0160rndic and Pavel Laskov. 2013. Detection of malicious PDF files based on hierarchical document structure. In Proceedings of the 20th Annual Network 8 Distributed System Security Symposium."},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-012-0166-z"}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3379505","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3379505","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3379505","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:02:23Z","timestamp":1750197743000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3379505"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,8,4]]},"references-count":25,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2020,9,30]]}},"alternative-id":["10.1145\/3379505"],"URL":"https:\/\/doi.org\/10.1145\/3379505","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"type":"print","value":"2692-1626"},{"type":"electronic","value":"2576-5337"}],"subject":[],"published":{"date-parts":[[2020,8,4]]},"assertion":[{"value":"2019-09-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-01-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-08-04","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}