{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T10:47:33Z","timestamp":1778150853950,"version":"3.51.4"},"reference-count":86,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2020,12,23]],"date-time":"2020-12-23T00:00:00Z","timestamp":1608681600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2020,12,31]]},"abstract":"<jats:p>Despite the deployment of preventive security mechanisms to protect the assets and computing platforms of users, intrusions eventually occur. We propose a novel intrusion survivability approach to withstand ongoing intrusions. Our approach relies on an orchestration of fine-grained recovery and per-service responses (e.g., privilege removal). Such an approach may put the system into a degraded mode. This degraded mode prevents attackers from reinfecting the system, or from achieving their goals if they manage to reinfect it. It maintains the availability of core functions while waiting for patches to be deployed. We devised a cost-sensitive response selection process to ensure that, while a service is in a degraded mode, its core functions are still operating. We built a Linux-based prototype and evaluated the effectiveness of our approach against different types of intrusions. The results show that our solution removes the effects of the intrusions, that it can select appropriate responses, and that it allows services to survive when reinfected. In most cases we observed a small performance overhead; the exception is the rare case of services that write many small files asynchronously in a burst, where we observed a higher but acceptable overhead.<\/jats:p>","DOI":"10.1145\/3419471","type":"journal-article","created":{"date-parts":[[2020,12,24]],"date-time":"2020-12-24T02:25:44Z","timestamp":1608776744000},"page":"1-30","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Intrusion Survivability for Commodity Operating Systems"],"prefix":"10.1145","volume":"1","author":[{"given":"Ronny","family":"Chevalier","sequence":"first","affiliation":[{"name":"HP Labs and CentraleSup\u00e9lec, Inria, CNRS, IRISA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"David","family":"Plaquin","sequence":"additional","affiliation":[{"name":"HP Labs"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Chris","family":"Dalton","sequence":"additional","affiliation":[{"name":"HP Labs"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Guillaume","family":"Hiet","sequence":"additional","affiliation":[{"name":"CentraleSup\u00e9lec, Inria, CNRS, IRISA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2020,12,23]]},"reference":[
{"key":"e_1_2_1_2_1","unstructured":"Android Developers. 2019. Understand the Activity Lifecycle. Retrieved from https:\/\/developer.android.com\/guide\/components\/activities\/activity-lifecycle."},
{"key":"e_1_2_1_3_1","doi-asserted-by":"crossref","first-page":"497","DOI":"10.1111\/j.1539-6924.2008.01030.x","article-title":"What\u2019s wrong with risk matrices","volume":"28","author":"Tony Cox Louis Anthony","year":"2008","unstructured":"Louis Anthony Tony Cox. 2008. What\u2019s wrong with risk matrices? Risk Anal. 28, 2 (2008), 497--512. DOI:https:\/\/doi.org\/10.1111\/j.1539-6924.2008.01030.x","journal-title":"Risk Anal."},
{"key":"e_1_2_1_4_1","unstructured":"Apache. 2019. Apache HTTP Server. Retrieved from https:\/\/httpd.apache.org\/."},
{"key":"e_1_2_1_5_1","unstructured":"Audit. 2019. The Linux Audit Project. Retrieved from https:\/\/github.com\/linux-audit\/."},
{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2004.2"},
{"key":"e_1_2_1_7_1","volume-title":"Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS\u201914)","author":"Azab Ahmed M.","year":"2014","unstructured":"Ahmed M. Azab, Peng Ning, Jitesh Shah, Quan Chen, Rohan Bhutkar, Guruprasad Ganesh, Jia Ma, and Wenbo Shen. 2014. Hypervision across worlds: Real-time kernel protection from the ARM trustzone secure world. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS\u201914). ACM, 90--102. DOI:https:\/\/doi.org\/10.1145\/2660267.2660350"},
{"key":"e_1_2_1_8_1","volume-title":"Recent Advances in Intrusion Detection","author":"Balepin Ivan","unstructured":"Ivan Balepin, Sergei Maltsev, Jeff Rowe, and Karl Levitt. 2003. Using specification-based intrusion detection for automated response. In Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 136--154. DOI:https:\/\/doi.org\/10.1007\/978-3-540-45248-5_8"},
{"key":"e_1_2_1_9_1","unstructured":"Sean Barnum. 2014. Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX). MITRE. Retrieved from https:\/\/stixproject.github.io\/about\/STIX_Whitepaper_v1.1.pdf."},
{"key":"e_1_2_1_10_1","unstructured":"Beanstalkd. 2019. beanstalkd. Retrieved from https:\/\/kr.github.io\/beanstalkd\/."},
{"key":"e_1_2_1_11_1","unstructured":"CERT C Coding Standard. 2019. ERR00-C. Adopt and implement a consistent and comprehensive error-handling policy. Retrieved from https:\/\/wiki.sei.cmu.edu\/confluence\/display\/c\/ERR00-C.+Adopt+and+implement+a+consistent+and+comprehensive+error-handling+policy."},
{"key":"e_1_2_1_12_1","unstructured":"CERT C Coding Standard. 2019. EXP12-C. Do not ignore values returned by functions. Retrieved from https:\/\/wiki.sei.cmu.edu\/confluence\/display\/c\/EXP12-C.+Do+not+ignore+values+returned+by+functions."},
{"key":"e_1_2_1_13_1","volume-title":"Proceedings of the 38th IEEE\/IFIP International Conference on Dependable Systems and Networks. 177--186","author":"Chen Xu","year":"2008","unstructured":"Xu Chen, Jon Andersen, Z. Morley Mao, Michael Bailey, and Jose Nazario. 2008. Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In Proceedings of the 38th IEEE\/IFIP International Conference on Dependable Systems and Networks. 177--186. DOI:https:\/\/doi.org\/10.1109\/DSN.2008.4630086"},
{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3134600.3134622"},
{"key":"e_1_2_1_15_1","volume-title":"Seccomp and sandboxing. LWN (13","author":"Corbet Jonathan","year":"2009","unstructured":"Jonathan Corbet. 2009. Seccomp and sandboxing. LWN (13 May 2009). Retrieved from https:\/\/lwn.net\/Articles\/332974\/."},
{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (SP\u201918)","author":"Cozzi Emanuele","year":"2018","unstructured":"Emanuele Cozzi, Mariano Graziano, Yannick Fratantonio, and Davide Balzarotti. 2018. Understanding Linux malware. In Proceedings of the IEEE Symposium on Security and Privacy (SP\u201918). 161--175. DOI:https:\/\/doi.org\/10.1109\/SP.2018.00054"},
{"key":"e_1_2_1_17_1","unstructured":"CRIU. 2018. CRIU. Retrieved from https:\/\/criu.org\/."},
{"key":"e_1_2_1_18_1","unstructured":"CryptoDrop LLC. 2019. CryptoDrop. Retrieved from https:\/\/www.cryptodrop.org\/."},
{"key":"e_1_2_1_19_1","unstructured":"Dbus 2019. D-Bus. Retrieved from https:\/\/www.freedesktop.org\/wiki\/Software\/dbus\/."},
{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2011.06.018"},
{"key":"e_1_2_1_21_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, 118--131","author":"Denning Dorothy E.","year":"1986","unstructured":"Dorothy E. Denning. 1986. An intrusion-detection model. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, 118--131. DOI:https:\/\/doi.org\/10.1109\/SP.1986.10010"},
{"key":"e_1_2_1_22_1","unstructured":"Dr. Web. 2015. Linux.Encoder.1. Retrieved from https:\/\/vms.drweb.com\/virus\/?i=7703983."},
{"key":"e_1_2_1_23_1","unstructured":"Dr. Web. 2016. Linux.Rex.1. Retrieved from https:\/\/vms.drweb.com\/virus\/?i=8436299."},
{"key":"e_1_2_1_24_1","unstructured":"Dr. Web. 2018. Linux.BackDoor.Fgt.1430. Retrieved from https:\/\/vms.drweb.com\/virus\/?i=17573534."},
{"key":"e_1_2_1_25_1","unstructured":"Eclipse Foundation. 2019. Mosquitto. Retrieved from https:\/\/mosquitto.org\/."},
{"key":"e_1_2_1_27_1","volume-title":"Proceedings of the International Conference on Dependable Systems and Networks (DSN\u201905)","author":"Foo Bingrui","year":"2005","unstructured":"Bingrui Foo, Yu-Sung Wu, Yu-Chun Mao, Saurabh Bagchi, and Eugene H. Spafford. 2005. ADEPTS: Adaptive intrusion response using attack graphs in an E-commerce environment. In Proceedings of the International Conference on Dependable Systems and Networks (DSN\u201905). 508--517. DOI:https:\/\/doi.org\/10.1109\/DSN.2005.17"},
{"key":"e_1_2_1_28_1","volume-title":"Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID\u201904)","author":"Gehani Ashish","year":"2004","unstructured":"Ashish Gehani and Gershon Kedem. 2004. RheoStat: Real-time risk management. In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID\u201904). 296--314. DOI:https:\/\/doi.org\/10.1007\/978-3-540-30143-1_16"},
{"key":"e_1_2_1_29_1","unstructured":"Gitea 2019. Gitea. Retrieved from https:\/\/gitea.io\/."},
{"key":"e_1_2_1_30_1","unstructured":"GitHub Inc. 2019. GitHub. Retrieved from https:\/\/github.com\/."},
{"key":"e_1_2_1_31_1","volume-title":"Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP\u201905)","author":"Goel Ashvin","year":"2005","unstructured":"Ashvin Goel, Kenneth Po, Kamran Farhadi, Zheng Li, and Eyal de Lara. 2005. The taser intrusion recovery system. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP\u201905). 163--176. DOI:https:\/\/doi.org\/10.1145\/1095810.1095826"},
{"key":"e_1_2_1_32_1","unstructured":"Tejun Heo. 2015. Control Group v2. Retrieved from https:\/\/www.kernel.org\/doc\/Documentation\/cgroup-v2.txt."},
{"key":"e_1_2_1_33_1","unstructured":"Daniel Hodson. 2017. Remote LD_PRELOAD Exploitation. Retrieved from https:\/\/www.elttam.com.au\/blog\/goahead\/."},
{"key":"e_1_2_1_35_1","volume-title":"Proceedings of the 22nd Computer Security Applications Conference (ACSAC\u201906)","author":"Hsu Francis","year":"2006","unstructured":"Francis Hsu, Hao Chen, Thomas Ristenpart, Jason Li, and Zhendong Su. 2006. Back to the future: A framework for automatic malware removal and system repair. In Proceedings of the 22nd Computer Security Applications Conference (ACSAC\u201906). 257--268. DOI:https:\/\/doi.org\/10.1109\/ACSAC.2006.16"},
{"key":"e_1_2_1_36_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. 618--635","author":"Huang Zhen","year":"2016","unstructured":"Zhen Huang, Mariana D\u2019Angelo, Dhaval Miyani, and David Lie. 2016. Talos: Neutralizing vulnerabilities with security workarounds for rapid response. In Proceedings of the IEEE Symposium on Security and Privacy. 618--635. DOI:https:\/\/doi.org\/10.1109\/SP.2016.43"},
{"key":"e_1_2_1_37_1","unstructured":"IT-ISAC. 2019. FAQ. Retrieved from https:\/\/www.it-isac.org\/faq."},
{"key":"e_1_2_1_38_1","unstructured":"Mirek Jahoda, Ioanna Gkioka, Robert Kr\u00e1tk\u00fd, Martin Prpi\u010d, Tom\u00e1\u0161 \u010capek, Stephen Wadeley, Yoana Ruseva, and Miroslav Svoboda. 2017. System auditing. In Red Hat Enterprise Linux 7 Security Guide. 185--204."},
{"key":"e_1_2_1_39_1","volume-title":"Postmark: A New File System Benchmark. Technical Report 3022. Network Appliance.","author":"Katcher Jeffrey","year":"1997","unstructured":"Jeffrey Katcher. 1997. Postmark: A New File System Benchmark. Technical Report 3022. Network Appliance."},
{"key":"e_1_2_1_40_1","volume-title":"Namespaces in operation, part 1: Namespaces overview. LWN (4","author":"Kerrisk Michael","year":"2013","unstructured":"Michael Kerrisk. 2013. Namespaces in operation, part 1: Namespaces overview. LWN (4 Jan. 2013). Retrieved from https:\/\/lwn.net\/Articles\/531114\/."},
{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-20550-2_1"},
{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.5555\/1888881.1888929"},
{"key":"e_1_2_1_43_1","volume-title":"Proceedings of the International Conference on Network and Service Security.","author":"Kheir Nizar","year":"2009","unstructured":"Nizar Kheir, Herv\u00e9 Debar, Nora Cuppens-Boulahia, Fr\u00e9d\u00e9ric Cuppens, and Jouni Viinikka. 2009. Cost evaluation for intrusion response using dependency graphs. In Proceedings of the International Conference on Network and Service Security."},
{"key":"e_1_2_1_44_1","volume-title":"Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (OSDI\u201910)","author":"Kim Taesoo","unstructured":"Taesoo Kim, Xi Wang, Nickolai Zeldovich, and M. Frans Kaashoek. 2010. Intrusion recovery using selective re-execution. In Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (OSDI\u201910). USENIX Association, 89--104."},
{"key":"e_1_2_1_45_1","volume-title":"Proceedings of the 41st International Symposium on Computer Architecture (ISCA\u201914)","author":"Kim Yoongu","year":"2014","unstructured":"Yoongu Kim, Ross Daly, Jeremie Kim, Chris Fallin, Ji Hye Lee, Donghyuk Lee, Chris Wilkerson, Konrad Lai, and Onur Mutlu. 2014. Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors. In Proceedings of the 41st International Symposium on Computer Architecture (ISCA\u201914). IEEE Press, 361--372. DOI:https:\/\/doi.org\/10.1109\/ISCA.2014.6853210"},
{"key":"e_1_2_1_46_1","unstructured":"Ivan Kirillov, Desiree Beck, Penny Chase, and Robert Martin. 2011. Malware Attribute Enumeration and Characterization. MITRE. Retrieved from https:\/\/www.researchgate.net\/profile\/Robert_Martin10\/publication\/267691330_Malware_Attribute_Enumeration_and_Characterization\/links\/54bd188e0cf218d4a169ee0c\/Malware-Attribute-Enumeration-and-Characterization.pdf."},
{"key":"e_1_2_1_47_1","volume-title":"Proceedings of the 3rd DARPA Information Survivability Conference and Exposition","volume":"1","author":"Knight John C.","year":"2003","unstructured":"John C. Knight, Elisabeth A. Strunk, and Kevin J. Sullivan. 2003. Towards a rigorous definition of information system survivability. In Proceedings of the 3rd DARPA Information Survivability Conference and Exposition, Vol. 1. IEEE, 78--89. DOI:https:\/\/doi.org\/10.1109\/DISCEX.2003.1194874"},
{"key":"e_1_2_1_48_1","volume-title":"Proceedings of the 40th IEEE Symposium on Security and Privacy (S&P\u201919)","author":"Kocher Paul","year":"2019","unstructured":"Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. 2019. Spectre attacks: Exploiting speculative execution. In Proceedings of the 40th IEEE Symposium on Security and Privacy (S&P\u201919)."},
{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2006.27"},
{"key":"e_1_2_1_50_1","unstructured":"Michael Larabel and Matthew Tippett. 2019. Phoronix Test Suite. Retrieved from https:\/\/www.phoronix-test-suite.com\/."},
{"key":"e_1_2_1_51_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918)","author":"Lipp Moritz","year":"2018","unstructured":"Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown: Reading kernel memory from user space. In Proceedings of the 27th USENIX Security Symposium (USENIX Security\u201918). USENIX Association, 973--990."},
{"key":"e_1_2_1_52_1","unstructured":"Mariadb 2019. mariadb. Retrieved from https:\/\/mariadb.org\/."},
{"key":"e_1_2_1_53_1","first-page":"6","article-title":"Survey of multi-objective optimization methods for engineering","volume":"26","author":"Timothy Marler R.","year":"2004","unstructured":"R. Timothy Marler and Jasbir S. Arora. 2004. Survey of multi-objective optimization methods for engineering. Struct. Multidisc. Optim. 26, 6 (Apr. 2004), 369--395. DOI:https:\/\/doi.org\/10.1007\/s00158-003-0368-6","journal-title":"Struct. Multidisc. Optim."},
{"key":"e_1_2_1_54_1","unstructured":"Chris Mason. 2008. Compilebench. Retrieved from https:\/\/oss.oracle.com\/~mason\/compilebench\/."},
{"key":"e_1_2_1_55_1","unstructured":"Microsoft. 2017. Windows Integrity Mechanism Design. Retrieved from https:\/\/msdn.microsoft.com\/en-us\/library\/bb625963.aspx."},
{"key":"e_1_2_1_56_1","unstructured":"Microsoft. 2018. Job Objects. Retrieved from https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms684161(v=vs.85).aspx."},
{"key":"e_1_2_1_57_1","unstructured":"Microsoft. 2018. Protect important folders with controlled folder access. Retrieved from https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/windows-defender-exploit-guard\/controlled-folders-exploit-guard?ocid=cx-blog-mmpc."},
{"key":"e_1_2_1_58_1","unstructured":"Microsoft. 2018. Restricted Tokens. Retrieved from https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa379316(v=vs.85).aspx."},
{"key":"e_1_2_1_59_1","unstructured":"MITRE. 2014. Malware Capabilities. Retrieved from https:\/\/github.com\/MAECProject\/schemas\/wiki\/Malware-Capabilities."},
{"key":"e_1_2_1_60_1","unstructured":"MITRE. 2019. ATT&CK. Retrieved from https:\/\/attack.mitre.org\/."},
{"key":"e_1_2_1_61_1","volume-title":"Encyclopedia of Malware Attributes.","author":"MITRE.","unstructured":"MITRE. 2019. Encyclopedia of Malware Attributes. Retrieved from https:\/\/collaborate.mitre.org\/ema\/."},
{"key":"e_1_2_1_62_1","doi-asserted-by":"crossref","unstructured":"Alexander Motzek, Gustavo Gonzalez-Granadillo, Herv\u00e9 Debar, Joaquin Garcia-Alfaro, and Ralf M\u00f6ller. 2017. Selection of Pareto-efficient response plans based on financial and operational assessments. EURASIP J. Inf. Secur. (2017), 12. DOI:https:\/\/doi.org\/10.1186\/s13635-017-0063-6","DOI":"10.1186\/s13635-017-0063-6"},
{"key":"e_1_2_1_63_1","unstructured":"Nginx 2019. nginx. Retrieved from https:\/\/nginx.org\/."},
{"key":"e_1_2_1_64_1","unstructured":"Ruchna Nigam. 2018. Unit 42 Finds New Mirai and Gafgyt IoT\/Linux Botnet Campaigns. Retrieved from https:\/\/researchcenter.paloaltonetworks.com\/2018\/07\/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns\/."},
{"key":"e_1_2_1_65_1","unstructured":"NSA and Red Hat. 2019. SELinux. Retrieved from https:\/\/selinuxproject.org\/."},
{"key":"e_1_2_1_66_1","volume-title":"Proceedings of the 3rd USENIX Conference on Offensive Technologies (WOOT\u201909)","author":"Paleari Roberto","year":"2009","unstructured":"Roberto Paleari, Lorenzo Martignoni, Giampaolo Fresi Roglia, and Danilo Bruschi. 2009. A fistful of red-pills: How to automatically generate procedures to detect CPU emulators. In Proceedings of the 3rd USENIX Conference on Offensive Technologies (WOOT\u201909). USENIX Association, 7."},
{"key":"e_1_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/2501620.2501623"},
{"key":"e_1_2_1_68_1","volume-title":"Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine","author":"Ruan Xiaoyu","unstructured":"Xiaoyu Ruan. 2014. Boot with integrity, or don\u2019t boot. In Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine. Apress, 143--163. DOI:https:\/\/doi.org\/10.1007\/978-1-4302-6572-6_6"},
{"key":"e_1_2_1_69_1","volume-title":"Part 2","author":"Russinovich Mark E.","unstructured":"Mark E. Russinovich, David A. Solomon, and Alex Ionescu. 2012. Windows Internals, Part 2 (6th ed.). Microsoft Press.","edition":"6"},
{"key":"e_1_2_1_70_1","unstructured":"Mark Seaborn and Thomas Dullien. 2015. Exploiting the DRAM rowhammer bug to gain kernel privileges. Retrieved from https:\/\/googleprojectzero.blogspot.com\/2015\/03\/exploiting-dram-rowhammer-bug-to-gain.html."},
{"key":"e_1_2_1_71_1","unstructured":"Tom\u00e1s Senart. 2019. Vegeta. Retrieved from https:\/\/github.com\/tsenart\/vegeta."},
{"key":"e_1_2_1_72_1","volume-title":"Taxonomy of intrusion risk assessment and response system. 45 (Sept","author":"Shameli-Sendi Alireza","year":"2014","unstructured":"Alireza Shameli-Sendi, Mohamed Cheriet, and Abdelwahab Hamou-Lhadj. 2014. Taxonomy of intrusion risk assessment and response system. Comput. Secur. 45 (Sept. 2014), 1--16. DOI:https:\/\/doi.org\/10.1016\/j.cose.2014.04.009"},
{"key":"e_1_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2016.2615622"},
{"key":"e_1_2_1_74_1","volume-title":"Malware clearance for secure commitment of OS-level virtual machines. 10, 2 (Mar","author":"Shan Zhiyong","year":"2013","unstructured":"Zhiyong Shan, Xin Wang, and Tzi-cker Chiueh. 2013. Malware clearance for secure commitment of OS-level virtual machines. IEEE Trans. Dependable Secure Comput. 10, 2 (Mar. 2013), 70--83. DOI:https:\/\/doi.org\/10.1109\/TDSC.2012.88"},
{"key":"e_1_2_1_75_1","unstructured":"Snapper 2018. snapper. Retrieved from http:\/\/snapper.io\/."},
{"key":"e_1_2_1_76_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201916)","author":"Song Chengyu","year":"2016","unstructured":"Chengyu Song, Byoungyoung Lee, Kangjie Lu, William R. Harris, Taesoo Kim, and Wenke Lee. 2016. Enforcing kernel security invariants with data flow integrity. In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201916). DOI:https:\/\/doi.org\/10.14722\/ndss.2016.23218"},
{"key":"e_1_2_1_77_1","unstructured":"Systemd 2019. systemd System and Service Manager. Retrieved from https:\/\/www.freedesktop.org\/wiki\/Software\/systemd\/."},
{"key":"e_1_2_1_78_1","unstructured":"Kacper Szurek. 2018. Gitea 1.4.0 Unauthenticated Remote Code Execution. Retrieved from https:\/\/security.szurek.pl\/gitea-1-4-0-unauthenticated-rce.html."},
{"key":"e_1_2_1_79_1","doi-asserted-by":"publisher","DOI":"10.5555\/784592.784788"},
{"key":"e_1_2_1_80_1","unstructured":"Trend Micro Cyber Safety Solutions Team. 2018. Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability Targets Linux Servers. Retrieved from https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers\/."},
{"key":"e_1_2_1_81_1","unstructured":"UEFI Forum. 2019. Unified Extensible Firmware Interface Specification, Version 2.8. Retrieved from https:\/\/uefi.org\/sites\/default\/files\/resources\/UEFI_Spec_2_8_final.pdf."},
{"key":"e_1_2_1_82_1","unstructured":"United States Computer Emergency Readiness Team. 2013. Automated Indicator Sharing (AIS). Retrieved from https:\/\/www.us-cert.gov\/sites\/default\/files\/ais_files\/AIS_fact_sheet.pdf."},
{"key":"e_1_2_1_83_1","volume-title":"SELinux Cookbook","author":"Vermeulen Sven","unstructured":"Sven Vermeulen. 2014. Handling SELinux-aware applications. In SELinux Cookbook. Packt Publishing.
Packt Publishing."},{"key":"e_1_2_1_84_1","volume-title":"Proceedings of the 27th USENIX Security Symposium. USENIX Association, 1199--1211","author":"Webster Ashton","year":"2018","unstructured":"Ashton Webster , Ryan Eckenrod , and James Purtilo . 2018 . Fast and service-preserving recovery from malware infections using CRIU . In Proceedings of the 27th USENIX Security Symposium. USENIX Association, 1199--1211 . Ashton Webster, Ryan Eckenrod, and James Purtilo. 2018. Fast and service-preserving recovery from malware infections using CRIU. In Proceedings of the 27th USENIX Security Symposium. USENIX Association, 1199--1211."},{"key":"e_1_2_1_85_1","volume-title":"Security Risk management: Building an Information Security Risk Management Program from the Ground up","author":"Wheeler Evan","unstructured":"Evan Wheeler . 2011. Risky business . In Security Risk management: Building an Information Security Risk Management Program from the Ground up ( 1 st ed.). Syngress Publishing , 37--40. Evan Wheeler. 2011. Risky business. In Security Risk management: Building an Information Security Risk Management Program from the Ground up (1st ed.). Syngress Publishing, 37--40.","edition":"1"},{"key":"e_1_2_1_86_1","unstructured":"Ric Wheeler. 2016. fs-mark. Retrieved from https:\/\/sourceforge.net\/projects\/fsmark\/.  Ric Wheeler. 2016. fs-mark. Retrieved from https:\/\/sourceforge.net\/projects\/fsmark\/."},{"key":"e_1_2_1_87_1","volume-title":"Proceedings of the 25th Computer Security Applications Conference (ACSAC\u201909)","author":"Xiong Xi","year":"2009","unstructured":"Xi Xiong , Xiaoqi Jia , and Peng Liu . 2009 . SHELF: Preserving business continuity and availability in an intrusion recovery system . In Proceedings of the 25th Computer Security Applications Conference (ACSAC\u201909) . IEEE Computer Society, 484--493. DOI:https:\/\/doi.org\/10.1109\/ACSAC. 2009.52 Xi Xiong, Xiaoqi Jia, and Peng Liu. 2009. 
SHELF: Preserving business continuity and availability in an intrusion recovery system. In Proceedings of the 25th Computer Security Applications Conference (ACSAC\u201909). IEEE Computer Society, 484--493. DOI:https:\/\/doi.org\/10.1109\/ACSAC.2009.52"},{"key":"e_1_2_1_88_1","volume-title":"Zimmer","author":"Yao Jiewen","year":"2015","unstructured":"Jiewen Yao and Vincent J . Zimmer . 2015 . A Tour Beyond BIOS Supporting an SMM Resource Monitor Using the EFI Developer Kit II. Technical Report. Intel. Retrieved from https:\/\/firmware.intel.com\/sites\/default\/files\/resources\/A_Tour_Beyond_BIOS_Supporting_SMM_Resource_Monitor_using_the_EFI_Developer_Kit_II.pdf. Jiewen Yao and Vincent J. Zimmer. 2015. A Tour Beyond BIOS Supporting an SMM Resource Monitor Using the EFI Developer Kit II. Technical Report. Intel. Retrieved from https:\/\/firmware.intel.com\/sites\/default\/files\/resources\/A_Tour_Beyond_BIOS_Supporting_SMM_Resource_Monitor_using_the_EFI_Developer_Kit_II.pdf."},{"key":"e_1_2_1_89_1","volume-title":"Zimmer","author":"Yao Jiewen","year":"2017","unstructured":"Jiewen Yao and Vincent J . Zimmer . 2017 . A Tour beyond BIOS\u2014Memory Protection in UEFI BIOS. Technical Report. Intel. Retrieved from https:\/\/edk2-docs.gitbooks.io\/a-tour-beyond-bios-memory-protection-in-uefi-bios\/content\/. Jiewen Yao and Vincent J. Zimmer. 2017. A Tour beyond BIOS\u2014Memory Protection in UEFI BIOS. Technical Report. Intel. 
Retrieved from https:\/\/edk2-docs.gitbooks.io\/a-tour-beyond-bios-memory-protection-in-uefi-bios\/content\/."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3419471","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3419471","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:01:42Z","timestamp":1750197702000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3419471"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,12,23]]},"references-count":86,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,12,31]]}},"alternative-id":["10.1145\/3419471"],"URL":"https:\/\/doi.org\/10.1145\/3419471","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,12,23]]},"assertion":[{"value":"2020-03-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-08-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-12-23","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}