{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,23]],"date-time":"2025-12-23T00:29:27Z","timestamp":1766449767599,"version":"3.45.0"},"publisher-location":"New York, NY, USA","reference-count":94,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,13]],"date-time":"2022-11-13T00:00:00Z","timestamp":1668297600000},"content-version":"vor","delay-in-days":366,"URL":"http:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"NSF (National Science Foundation)","doi-asserted-by":"publisher","award":["1755721, 1916550"],"award-info":[{"award-number":["1755721, 1916550"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000006","name":"Office of Naval Research","doi-asserted-by":"publisher","award":["N00014-19-1-2179, N00014-18-1-2662"],"award-info":[{"award-number":["N00014-19-1-2179, N00014-18-1-2662"]}],"id":[{"id":"10.13039\/100000006","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,12]]},"DOI":"10.1145\/3460120.3484537","type":"proceedings-article","created":{"date-parts":[[2021,11,13]],"date-time":"2021-11-13T12:05:34Z","timestamp":1636805134000},"page":"3352-3365","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":8,"title":["C3PO: Large-Scale Study Of Covert Monitoring of C&C Servers via Over-Permissioned Protocol Infiltration"],"prefix":"10.1145","author":[{"given":"Jonathan","family":"Fuller","sequence":"first","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}]},{"given":"Ranjita Pai","family":"Kasturi","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, 
USA"}]},{"given":"Amit","family":"Sikder","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}]},{"given":"Haichuan","family":"Xu","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}]},{"given":"Berat","family":"Arik","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}]},{"given":"Vivek","family":"Verma","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}]},{"given":"Ehsan","family":"Asdar","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}]},{"given":"Brendan","family":"Saltaformaggio","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}]}],"member":"320","published-online":{"date-parts":[[2021,11,13]]},"reference":[{"key":"e_1_3_2_1_1_1","first-page":"97","volume-title":"CA","author":"Rossow C.","year":"2013","unstructured":"C. Rossow, D. Andriesse, T. Werner, B. Stone-Gross, D. Plohmann, C. J. Dietrich, and H. Bos, \"SoK: P2pwned-modeling and Evaluating the Resilience of Peer-to-peer Botnets,\" in Proceedings of the 34th IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 2013, pp. 97--111."},{"key":"e_1_3_2_1_2_1","unstructured":"B. Krebs U.s. cyber command behind trickbot tricks [Accessed: 2020-08--22]. [Online]. Available: https:\/\/krebsonsecurity.com\/2020\/10\/report-u-s-cyber-command-behind-trickbot-tricks\/."},{"key":"e_1_3_2_1_3_1","first-page":"121","volume-title":"Beheading Hydras: Performing Effective Botnet Takedowns,\" in Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS)","author":"Nadji Y.","year":"2013","unstructured":"Y. Nadji, M. Antonakakis, R. Perdisci, D. Dagon, and W. 
Lee, \"Beheading Hydras: Performing Effective Botnet Takedowns,\" in Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, Oct. 2013, pp. 121--132."},{"key":"e_1_3_2_1_4_1","first-page":"2","author":"Wainwright R.","year":"2075","unstructured":"R. Wainwright and F. J. Cilluffo, Responding to cybercrime at scale: Operation avalanche - a case study. [Online]. Available: http:\/\/www.jstor.org\/stable\/resrep20752.","journal-title":"[Online]. Available: http:\/\/www.jstor.org\/stable\/resrep"},{"key":"e_1_3_2_1_5_1","unstructured":"New action to disrupt world's largest online criminal network https:\/\/blogs.microsoft.com\/on-the-issues\/2020\/03\/10\/necurs-botnet-cyber-crime-disrupt\/ [Accessed: 2020-03--12]."},{"key":"e_1_3_2_1_6_1","volume-title":"Proceedings of the 2020 Annual Network and Distributed System Security Symposium (NDSS)","author":"Pochat V. Le","year":"2020","unstructured":"V. Le Pochat, S. Maroofi, T. Van Goethem, D. Preuveneers, A. Duda, W. Joosen, M. Korczy\u0144ski, et al., \"A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints,\" in Proceedings of the 2020 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2020."},{"key":"e_1_3_2_1_7_1","unstructured":"Avast and French police take over malware botnet and disinfect 850 000 computers https:\/\/www.zdnet.com\/article\/avast-and-french-police-take-over-malware-botnet-and-disinfect-850000-computers\/ [Accessed: 2020-03--29]."},{"key":"e_1_3_2_1_8_1","first-page":"590","volume-title":"MALPITY: Automatic Identification and Exploitation of Tarpit Vulnerabilities in Malware,\" in Proceedings of the 4th European Symposium on Security and Privacy (EuroS&P)","author":"Sebastian W.","year":"2019","unstructured":"W. Sebastian and C. 
Rossow, \"MALPITY: Automatic Identification and Exploitation of Tarpit Vulnerabilities in Malware,\" in Proceedings of the 4th European Symposium on Security and Privacy (EuroS&P), Stockholm, Sweden, Jun. 2019, pp. 590--605."},{"key":"e_1_3_2_1_9_1","unstructured":"Zeus-p2p monitoring and analysis [Accessed: 2020--12--10]. [Online]. Available: https:\/\/www.cert.pl\/wp-content\/uploads\/2015\/12\/2013-06-p2p-rap_en.pdf ."},{"key":"e_1_3_2_1_10_1","first-page":"23","volume-title":"Computer and Communications Security (ASIACCS)","author":"Kang B. B.","year":"2009","unstructured":"B. B. Kang, E. Chan-Tin, C. P. Lee, J. Tyra, H. J. Kang, C. Nunnery, Z. Wadler, G. Sinclair, N. Hopper, D. Dagon, et al., \"Towards Complete Node Enumeration in a Peer-to-peer Botnet,\" in Proceedings of the 4th ACM Symposium on Information, Computer and Communications Security (ASIACCS), Sydney, Australia, Mar. 2009, pp. 23--34."},{"key":"e_1_3_2_1_11_1","first-page":"129","volume-title":"Reliable Recon in Adversarial Peer-to-peer Botnets,\" in Proceedings of the Internet Measurement Conference (IMC)","author":"Andriesse D.","year":"2015","unstructured":"D. Andriesse, C. Rossow, and H. Bos, \"Reliable Recon in Adversarial Peer-to-peer Botnets,\" in Proceedings of the Internet Measurement Conference (IMC), Tokyo, Japan, Oct. 2015, pp. 129--140."},{"key":"e_1_3_2_1_12_1","first-page":"241","volume-title":"Active Botnet Probing to Identify Obscure Command and Control Channels,\" in Proceedings of the Annual Computer Security Applications Conference (ACSAC)","author":"Gu G.","year":"2009","unstructured":"G. Gu, V. Yegneswaran, P. Porras, J. Stoll, and W. Lee, \"Active Botnet Probing to Identify Obscure Command and Control Channels,\" in Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2009, pp. 241--253."},{"key":"e_1_3_2_1_13_1","first-page":"799","volume-title":"TX","author":"Zuo C.","year":"2017","unstructured":"C. Zuo, Q. Zhao, and Z. 
Lin, \"Authscope: Towards Automatic Discovery of Vulnerable Authorizations in Online Services,\" in Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS), Dallas, TX, Oct. 2017, pp. 799--813."},{"key":"e_1_3_2_1_14_1","first-page":"1","volume-title":"CA","author":"Nappa A.","year":"2014","unstructured":"A. Nappa, Z. Xu, M. Z. Rafique, J. Caballero, and G. Gu, \"Cyberprobe: Towards Internet-scale Active Detection of Malicious Servers,\" in Proceedings of the 2014 Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2014, pp. 1--15."},{"key":"e_1_3_2_1_15_1","first-page":"179","volume-title":"AZ","author":"Xu Z.","year":"2014","unstructured":"Z. Xu, A. Nappa, R. Baykov, G. Yang, J. Caballero, and G. Gu, \"Autoprobe: Towards Automatic Active Malicious Server Probing Using Dynamic Binary Analysis,\" in Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS), Scottsdale, AZ, Nov. 2014, pp. 179--190."},{"key":"e_1_3_2_1_16_1","first-page":"605","volume-title":"DC","author":"Durumeric Z.","year":"2013","unstructured":"Z. Durumeric, E. Wustrow, and J. A. Halderman, \"ZMap: Fast Internet-wide Scanning and its Security Applications,\" in Proceedings of the 22th USENIX Security Symposium (Security), Washington, DC, Aug. 2013, pp. 605--620."},{"key":"e_1_3_2_1_17_1","first-page":"635","volume-title":"Your Botnet is my Botnet: Analysis of a Botnet Takeover,\" in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS)","author":"Stone-Gross B.","year":"2009","unstructured":"B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna, \"Your Botnet is my Botnet: Analysis of a Botnet Takeover,\" in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), Chicago, Illinois, Nov. 2009, pp. 
635--647."},{"key":"e_1_3_2_1_18_1","unstructured":"Trickbot botnet survives takedown attempt but microsoft sets new legal precedent [Accessed: 2020--12--10]. [Online]. Available: https:\/\/www.zdnet.com\/article\/trickbot-botnet-survives-takedown-attempt-but-microsoft-sets-new-legal-precedent\/."},{"key":"e_1_3_2_1_19_1","unstructured":"An update on disruption of trickbot [Accessed: 2020--12--10]. [Online]. Available: https:\/\/blogs.microsoft.com\/on-the-issues\/2020\/10\/20\/trickbot-ransomware-disruption-update."},{"key":"e_1_3_2_1_20_1","unstructured":"Kelihos\/hlux botnet returns with new techniques [Accessed: 2020--12--10]. [Online]. Available: https:\/\/securelist.com\/kelihoshlux-botnet-returns-with-new-techniques\/32021\/."},{"key":"e_1_3_2_1_21_1","unstructured":"I. Arghire Trickbot botnet survives takedown attempt [Accessed: 2020--12--10]. [Online]. Available: https:\/\/www.securityweek.com\/trickbot-botnet-survives-takedown-attempt."},{"key":"e_1_3_2_1_22_1","first-page":"283","volume-title":"A Tutorial on Software Obfuscation","author":"Banescu S.","year":"2018","unstructured":"S. Banescu and A. Pretschner, \"A Tutorial on Software Obfuscation,\" vol. 108, Elsevier, 2018, pp. 283--353."},{"key":"e_1_3_2_1_23_1","unstructured":"Carbanak APT: The Great Bank Robbery https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2018\/03\/08064518\/Carbanak_APT_eng.pdf [Accessed: 2020-04--16]."},{"key":"e_1_3_2_1_24_1","unstructured":"A. Mandal Thick Client Application Security http:\/\/www.infosecwriters.com\/Papers\/AMandal_Thick_Client_Application_Security.pdf [Accessed: 2020-04--18]."},{"key":"e_1_3_2_1_25_1","first-page":"551","volume-title":"CA","author":"Alrawi O.","year":"2019","unstructured":"O. Alrawi, C. Zuo, R. Duan, R. P. Kasturi, Z. Lin, and B. Saltaformaggio, \"The Betrayal at Cloud City: An Empirical Analysis of Cloud-based Mobile Backends,\" in Proceedings of the 28th USENIX Security Symposium (Security), Santa Clara, CA, Aug. 
2019, pp. 551--566."},{"key":"e_1_3_2_1_26_1","unstructured":"Command and Control Used in Sanny APT Attacks Shut Down [Accessed: 2021-01-09]. [Online]. Available: https:\/\/threatpost.com\/command-and-control-used-sanny-apt-attacks-shut-down-032213\/77658\/."},{"key":"e_1_3_2_1_27_1","unstructured":"Sanny Malware Updates Delivery Method [Accessed: 2021-01-09]. [Online]. Available: https:\/\/threatpost.com\/sanny-malware-updates-delivery-method\/130803\/."},{"key":"e_1_3_2_1_28_1","first-page":"395","volume-title":"ON","author":"Cheng B.","year":"2018","unstructured":"B. Cheng, J. Ming, J. Fu, G. Peng, T. Chen, X. Zhang, and J.-Y. Marion, \"Towards Paving the Way for Large-scale Windows Malware Analysis: Generic Binary Unpacking with Orders-of-magnitude Performance Boost,\" in Proceedings of the 25th ACM Conference on Computer and Communications Security (CCS), Toronto, ON, Canada, Oct. 2018, pp. 395--411."},{"key":"e_1_3_2_1_29_1","first-page":"659","volume-title":"CA","author":"Ugarte-Pedrero X.","year":"2015","unstructured":"X. Ugarte-Pedrero, D. Balzarotti, I. Santos, and P. G. Bringas, \"SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-time Packers,\" in Proceedings of the 36th IEEE Symposium on Security and Privacy (S&P), San Jose, CA, May 2015, pp. 659--673."},{"key":"e_1_3_2_1_30_1","volume-title":"Virtual Conference","author":"Alrawi O.","year":"2021","unstructured":"O. Alrawi, M. Ike, M. Pruett, R. P. Kasturi, S. Barua, T. Hirani, B. Hill, and B. Saltaformaggio, \"Forecasting Malware Capabilities From Cyber Attack Memory Images,\" in Proceedings of the 30th USENIX Security Symposium (Security), Virtual Conference, Aug. 
2021."},{"key":"e_1_3_2_1_31_1","unstructured":"Mandiant APT1: Exposing One of China's Cyber Espionage Units https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/services\/pdfs\/mandiant-apt1-report.pdf [Accessed: 2020-05--23]."},{"key":"e_1_3_2_1_32_1","unstructured":"Attack matrix for enterprise https:\/\/attack.mitre.org\/ [Accessed: 2020-06-09]."},{"key":"e_1_3_2_1_33_1","first-page":"1","volume-title":"CARVE: Practical Security-focused Software Debloating using Simple Feature Set Mappings,\" in Proceedings of the 3rd ACM Workshop on Forming an Ecosystem Around Software Transformation (FEAST)","author":"Brown M. D.","year":"2019","unstructured":"M. D. Brown and S. Pande, \"CARVE: Practical Security-focused Software Debloating using Simple Feature Set Mappings,\" in Proceedings of the 3rd ACM Workshop on Forming an Ecosystem Around Software Transformation (FEAST), London, United Kingdom, 2019, pp. 1--7."},{"key":"e_1_3_2_1_34_1","unstructured":"Microsoft Documentation [Accessed: 2021-01-09]. [Online]. Available: https:\/\/docs.microsoft.com\/en-us\/."},{"key":"e_1_3_2_1_35_1","volume-title":"Client protocol,\" RFC Editor","author":"Kalt C.","year":"2000","unstructured":"C. Kalt, \"Internet relay chat: Client protocol,\" RFC Editor, RFC 2812, Apr. 2000. [Online]. Available: https:\/\/tools.ietf.org\/html\/rfc2812."},{"key":"e_1_3_2_1_36_1","unstructured":"RFC 1350 - The TFTP Protocol [Accessed: 2021-01-09]. [Online]. Available: https:\/\/tools.ietf.org\/html\/rfc1350."},{"key":"e_1_3_2_1_37_1","unstructured":"MySQL Documentation [Accessed: 2021-01-09]. [Online]. Available: https:\/\/dev.mysql.com\/doc\/."},{"key":"e_1_3_2_1_38_1","unstructured":"MongoDB C Driver [Accessed: 2021-01-09]. [Online]. 
Available: https:\/\/docs.mongodb.com\/drivers\/c."},{"key":"e_1_3_2_1_39_1","unstructured":"Malpedia: Free and Open Malware Reverse Engineering Resource offered by Fraunhofer FKIE https:\/\/malpedia.caad.fkie.fraunhofer.de [Accessed: 2020-05--29]."},{"key":"e_1_3_2_1_40_1","volume-title":"WA","author":"Hunt G.","year":"1999","unstructured":"G. Hunt and D. Brubacher, \"Detours: Binary Interception of Win32 Functions,\" in Proceedings of the 3rd USENIX Windows NT Symposium, Seattle, WA, Jul. 1999."},{"key":"e_1_3_2_1_41_1","first-page":"138","volume-title":"CA","author":"Shoshitaishvili Y.","year":"2016","unstructured":"Y. Shoshitaishvili, R. Wang, C. Salls, N. Stephens, M. Polino, A. Dutcher, J. Grosen, S. Feng, C. Hauser, C. Kruegel, and G. Vigna, \"SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis,\" in Proceedings of the 37th IEEE Symposium on Security and Privacy (S&P), San Jose, CA, May 2016, pp. 138--157."},{"key":"e_1_3_2_1_42_1","first-page":"42","volume-title":"Virtual Conference","author":"Sebasti\u00e1n S.","year":"2020","unstructured":"S. Sebasti\u00e1n and J. Caballero, \"AVclass2: Massive Malware Tag Extraction from AV Labels,\" in Proceedings of the 36th Annual Computer Security Applications Conference (ACSAC), Virtual Conference, Dec. 2020, pp. 42--53."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45719-2_11"},{"key":"e_1_3_2_1_44_1","first-page":"788","volume-title":"CA","author":"Lever C.","year":"2017","unstructured":"C. Lever, P. Kotzias, D. Balzarotti, J. Caballero, and M. Antonakakis, \"A Lustrum of Malware Network Communication: Evolution and Insights,\" in Proceedings of the 38th IEEE Symposium on Security and Privacy (S&P), San Jose, CA, May 2017, pp. 788--804."},{"key":"e_1_3_2_1_45_1","first-page":"739","volume-title":"TX","author":"Kotzias P.","year":"2016","unstructured":"P. Kotzias, L. Bilge, and J. 
Caballero, \"Measuring PUP Prevalence and PUP Distribution through Pay-Per-Install Services,\" in Proceedings of the 25th USENIX Security Symposium (Security), Austin, TX, Aug. 2016, pp. 739--756."},{"key":"e_1_3_2_1_46_1","first-page":"1185","volume-title":"CA","author":"Mi X.","year":"2019","unstructured":"X. Mi, X. Feng, X. Liao, B. Liu, X. Wang, F. Qian, Z. Li, S. Alrwais, L. Sun, and Y. Liu, \"Resident Evil: Understanding Residential IP Proxy as a Dark Service,\" in Proceedings of the 40th IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 2019, pp. 1185--1201."},{"key":"e_1_3_2_1_47_1","first-page":"851","volume-title":"MD","author":"Kim D.","year":"2018","unstructured":"D. Kim, B. J. Kwon, K. Koz\u00e1k, C. Gates, and T. Dumitras, , \"The Broken Shield: Measuring Revocation Effectiveness in the Windows Code-Signing PKI,\" in Proceedings of the 27th USENIX Security Symposium (Security), Baltimore, MD, Aug. 2018, pp. 851--868."},{"key":"e_1_3_2_1_48_1","volume-title":"Behavioral Clustering of HTTP-based Malware and Signature Generation using Malicious Network Traces,\" in Proceedings of the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI)","author":"Perdisci R.","year":"2010","unstructured":"R. Perdisci, W. Lee, and N. Feamster, \"Behavioral Clustering of HTTP-based Malware and Signature Generation using Malicious Network Traces,\" in Proceedings of the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI), San Jose, CA, Apr. 2010."},{"key":"e_1_3_2_1_49_1","first-page":"27","volume-title":"Machine Learning for HTTP Botnet Detection Using Classifier Algorithms","author":"Dollah R. F. M.","year":"2018","unstructured":"R. F. M. Dollah, M. Faizal, F. Arif, M. Z. Mas'ud, and L. K. Xin, \"Machine Learning for HTTP Botnet Detection Using Classifier Algorithms,\" vol. 10, Universiti Teknikal Malaysia Melaka, 2018, pp. 
27--30."},{"key":"e_1_3_2_1_50_1","volume-title":"DC","author":"Nelms T.","year":"2013","unstructured":"T. Nelms, R. Perdisci, and M. Ahamad, \"Execscent: Mining for new C&C Domains in Live Networks with Adaptive Control Protocol Templates,\" in Proceedings of the 22th USENIX Security Symposium (Security), Washington, DC, Aug. 2013."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274710"},{"key":"e_1_3_2_1_52_1","unstructured":"New Chrome Password Stealer Sends Stolen Data to a MongoDB Database https:\/\/www.bleepingcomputer.com\/news\/security\/new-chrome-password-stealer-sends-stolen-data-to-a-mongodb-database\/ [Accessed: 2020-02-06]."},{"key":"e_1_3_2_1_53_1","unstructured":"X. Lin Expiro malware is back and even harder to remove https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/expiro-infects-encrypts-files-to-complicate-repair\/ [Accessed: 2020-08--14]."},{"key":"e_1_3_2_1_54_1","unstructured":"Packerid [Accessed: 2021-04-03]. [Online]. Available: https:\/\/www.aldeid.com\/wiki\/Packerid."},{"key":"e_1_3_2_1_55_1","first-page":"199","volume-title":"Get Off of My Cloud: Exploring Information Leakage in Third-party Compute Clouds,\" in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS)","author":"Ristenpart T.","year":"2009","unstructured":"T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, \"Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-party Compute Clouds,\" in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), Chicago, Illinois, Nov. 2009, pp. 199--212."},{"key":"e_1_3_2_1_56_1","first-page":"1033","volume-title":"TX","author":"Li F.","year":"2016","unstructured":"F. Li, Z. Durumeric, J. Czyz, M. Karami, M. Bailey, D. McCoy, S. Savage, and V. Paxson, \"You've got Vulnerability: Exploring Effective Vulnerability Notifications,\" in Proceedings of the 25th USENIX Security Symposium (Security), Austin, TX, Aug. 2016, pp. 
1033--1050."},{"key":"e_1_3_2_1_57_1","first-page":"1","volume-title":"Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET)","volume":"8","author":"Burstein A. J.","year":"2008","unstructured":"A. J. Burstein, \"Conducting Cybersecurity Research Legally and Ethically,\" in Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), vol. 8, San Francisco, CA, Apr. 2008, pp. 1--8."},{"key":"e_1_3_2_1_58_1","unstructured":"Moulton vs. VC3] http:\/\/www.internetlibrary.com\/pdf\/Moulton-VC3.pdf\/ [Accessed: 2020-08--14]."},{"key":"e_1_3_2_1_59_1","unstructured":"Latest steam malware shows signs of rat activity https:\/\/blog.malwarebytes.com\/cybercrime\/2016\/03\/latest-steam-malware-shows-sign-of-rat-activity\/ [Accessed: 2020-08--20]."},{"key":"e_1_3_2_1_60_1","unstructured":"Virustotal [Accessed: 2021-01--11]. [Online]. Available: https:\/\/www.virustotal.com\/."},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_24"},{"key":"e_1_3_2_1_62_1","first-page":"1","volume-title":"Reggio Calabria","author":"Karuppayah S.","year":"2017","unstructured":"S. Karuppayah, L. B\u00f6ck, T. Grube, S. Manickam, M. M\u00fchlh\u00e4user, and M. Fischer, \"Sensorbuster: On Identifying Sensor Nodes in P2P Botnets,\" in Proceedings of the 12th International Conference on Availability, Reliability and Security (ARES), Reggio Calabria, Italy, Oct. 2017, pp. 1--6."},{"key":"e_1_3_2_1_63_1","first-page":"291","volume-title":"Communication and Aerospace Technology (ICECA), IEEE","volume":"1","author":"Pondkule P. M.","year":"2017","unstructured":"P. M. Pondkule and B. Padmavathi, \"BotShark-Detection and Prevention of Peer-to-peer Botnets by Tracking Conversation using CART,\" in Proceedings of the International Conference of Electronics, Communication and Aerospace Technology (ICECA), IEEE, vol. 1, 2017, pp. 
291--295."},{"key":"e_1_3_2_1_64_1","first-page":"871","author":"Karuppayah S.","year":"2014","unstructured":"S. Karuppayah, M. Fischer, C. Rossow, and M. M\u00fchlh\u00e4user, \"On Advanced Monitoring in Resilient and Unstructured P2P Botnets,\" IEEE, 2014, pp. 871--877.","journal-title":"\"On Advanced Monitoring in Resilient and Unstructured P2P Botnets,\" IEEE"},{"key":"e_1_3_2_1_65_1","first-page":"621","volume-title":"Dispatcher: Enabling Active Botnet Infiltration Using Automatic Protocol Reverse-engineering,\" in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS)","author":"Caballero J.","year":"2009","unstructured":"J. Caballero, P. Poosankam, C. Kreibich, and D. Song, \"Dispatcher: Enabling Active Botnet Infiltration Using Automatic Protocol Reverse-engineering,\" in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), Chicago, Illinois, Nov. 2009, pp. 621--634."},{"key":"e_1_3_2_1_66_1","first-page":"1","volume-title":"CA","author":"Cho C. Y.","year":"2010","unstructured":"C. Y. Cho, J. Caballero, C. Grier, V. Paxson, and D. Song, \"Insights from the Inside: A View of Botnet Management from Infiltration,\" in Proceedings of the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), vol. 10, San Jose, CA, Apr. 2010, pp. 1--1."},{"key":"e_1_3_2_1_67_1","first-page":"313","volume-title":"Proceedings of the Internet Measurement Conference (IMC), Rio de Janeiro","author":"Ma J.","year":"2006","unstructured":"J. Ma, K. Levchenko, C. Kreibich, S. Savage, and G. M, \"Unexpected Means of Protocol Inference,\" in Proceedings of the Internet Measurement Conference (IMC), Rio de Janeiro, Brazil, Oct. 2006, pp. 313--326."},{"key":"e_1_3_2_1_68_1","first-page":"1","volume-title":"BC","author":"Cui W.","year":"2017","unstructured":"W. Cui, J. Kannan, and H. J. 
Wang, \"Discoverer: Automatic Protocol Reverse Engineering from Network Traces,\" in Proceedings of the 26th USENIX Security Symposium (Security), Vancouver, BC, Canada, Aug. 2017, pp. 1--14."},{"key":"e_1_3_2_1_69_1","unstructured":"The protocol informatics project. [Online]. Available: http:\/\/www.baselineresearch.net\/PI\/."},{"key":"e_1_3_2_1_70_1","first-page":"257","volume-title":"Dynamic Application-layer Protocol Analysis for Network Intrusion Detection,\" in Proceedings of the 15th USENIX Security Symposium (Security)","author":"Dreger H.","year":"2006","unstructured":"H. Dreger, A. Feldmann, M. Mai, V. Paxson, and R. Sommer, \"Dynamic Application-layer Protocol Analysis for Network Intrusion Detection,\" in Proceedings of the 15th USENIX Security Symposium (Security), Vancouver, Canada, Jul. 2006, pp. 257--272."},{"key":"e_1_3_2_1_71_1","first-page":"317","volume-title":"VA","author":"Caballero J.","year":"2007","unstructured":"J. Caballero, H. Yin, Z. Liang, and D. Song, \"Polyglot: Automatic Extraction of Protocol Message Format Using Dynamic Binary Analysis,\" in Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), Alexandria, VA, Nov. 2007, pp. 317--329."},{"key":"e_1_3_2_1_72_1","first-page":"1","volume-title":"CA","author":"Lin Z.","year":"2008","unstructured":"Z. Lin, X. Jiang, D. Xu, and X. Zhang, \"Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution,\" in Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS), vol. 8, San Diego, CA, Feb. 2008, pp. 1--15."},{"key":"e_1_3_2_1_73_1","first-page":"110","volume-title":"CA","author":"Comparetti P. M.","year":"2009","unstructured":"P. M. Comparetti, G. Wondracek, C. Kruegel, and E. Kirda, \"Prospex: Protocol Specification Extraction,\" in Proceedings of the 30th IEEE Symposium on Security and Privacy (S&P), Oakland, CA, May 2009, pp. 
110--125."},{"key":"e_1_3_2_1_74_1","first-page":"2","volume-title":"Execution Generated Test Cases: How to Make Systems Code Crash Itself,\" in Proceedings of the International SPIN Workshop on Model Checking of Software","author":"Cadar C.","year":"2005","unstructured":"C. Cadar and D. Engler, \"Execution Generated Test Cases: How to Make Systems Code Crash Itself,\" in Proceedings of the International SPIN Workshop on Model Checking of Software, Springer, San Francisco, CA, USA, Aug. 2005, pp. 2--23."},{"key":"e_1_3_2_1_75_1","volume-title":"Estoril","author":"Chipounov V.","year":"2009","unstructured":"V. Chipounov, V. Georgescu, C. Zamfir, and G. Candea, \"Selective Symbolic Execution,\" in Proceedings of the 5th Workshop on Hot Topics in System Dependability (HotDep), Estoril, Portugal, Jun. 2009."},{"key":"e_1_3_2_1_76_1","first-page":"380","volume-title":"CA","author":"Cha S. K.","year":"2012","unstructured":"S. K. Cha, T. Avgerinos, A. Rebert, and D. Brumley, \"Unleashing Mayhem on Binary Code,\" in Proceedings of the 33rd IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, May 2012, pp. 380--394."},{"key":"e_1_3_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.1145\/360248.360252"},{"key":"e_1_3_2_1_78_1","first-page":"234","volume-title":"ACM","author":"Boyer R. S.","year":"1975","unstructured":"R. S. Boyer, B. Elspas, and K. N. Levitt, \"SELECT - A Formal System for Testing and Debugging Programs by Symbolic Execution,\" 6, vol. 10, ACM, 1975, pp. 234--245."},{"key":"e_1_3_2_1_79_1","first-page":"215","author":"Clarke L. A.","year":"1976","unstructured":"L. A. Clarke, \"A System to Generate Test Data and Symbolically Execute Programs,\" 3, IEEE, 1976, pp. 215--222.","journal-title":"IEEE"},{"key":"e_1_3_2_1_80_1","first-page":"829","volume-title":"CA","author":"Peng F.","year":"2014","unstructured":"F. Peng, Z. Deng, X. Zhang, D. Xu, Z. Lin, and Z. 
Su, \"X-force: Force-executing Binary Programs for Security Applications,\" in Proceedings of the 23rd USENIX Security Symposium (Security), San Diego, CA, Aug. 2014, pp. 829--844."},{"key":"e_1_3_2_1_81_1","first-page":"897","volume-title":"Perth","author":"Kim K.","year":"2017","unstructured":"K. Kim, I. L. Kim, C. H. Kim, Y. Kwon, Y. Zheng, X. Zhang, and D. Xu, \"J-force: Forced Execution on Javascript,\" in Proceedings of the 26th International World Wide Web Conference (WWW), Perth, Australia, 2017, pp. 897--906."},{"key":"e_1_3_2_1_82_1","first-page":"1849","volume-title":"UK","author":"Naderi-Afooshteh A.","year":"2011","unstructured":"A. Naderi-Afooshteh, Y. Kwon, A. Nguyen-Tuong, A. Razmjoo-Qalaei, M.-R. Zamiri-Gourabi, and J. W. Davidson, \"MalMax: Multi-Aspect Execution for Automated Dynamic Web Server Malware Analysis,\" in Proceedings of the 26th ACM Conference on Computer and Communications Security (CCS), London, UK, Nov. 2011, pp. 1849--1866."},{"key":"e_1_3_2_1_83_1","first-page":"867","volume-title":"Perth","author":"Zuo C.","year":"2017","unstructured":"C. Zuo and Z. Lin, \"Smartgen: Exposing Server Urls of Mobile Apps with Selective Symbolic Execution,\" in Proceedings of the 26th International World Wide Web Conference (WWW), Perth, Australia, 2017, pp. 867--876."},{"key":"e_1_3_2_1_84_1","first-page":"78","volume-title":"Intrusions and Defenses (RAID)","author":"Martignoni L.","year":"2008","unstructured":"L. Martignoni, E. Stinson, M. Fredrikson, S. Jha, and J. C. Mitchell, \"A Layered Architecture for Detecting Malicious Behaviors,\" in Proceedings of the 11th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), Cambridge, Massachusetts, Sep. 2008, pp. 78--97."},{"key":"e_1_3_2_1_85_1","volume-title":"Behavior-based Spyware Detection,\" in Proceedings of the 15th USENIX Security Symposium (Security)","author":"Kirda E.","year":"2006","unstructured":"E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. 
Kemmerer, \"Behavior-based Spyware Detection,\" in Proceedings of the 15th USENIX Security Symposium (Security), Vancouver, Canada, Jul. 2006, p. 694."},{"key":"e_1_3_2_1_86_1","first-page":"89","volume-title":"CH","author":"Stinson E.","year":"2007","unstructured":"E. Stinson and J. C. Mitchell, \"Characterizing Bots' Remote Control Behavior,\" in Proceedings of the Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), Lucerne, CH, Jul. 2007, pp. 89--108."},{"key":"e_1_3_2_1_87_1","first-page":"351","volume-title":"Montreal","author":"Kolbitsch C.","year":"2009","unstructured":"C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X.-y. Zhou, and X. Wang, \"Effective and Efficient Malware Detection at the End Host,\" in Proceedings of the 18th USENIX Security Symposium (Security), vol. 4, Montreal, Canada, Aug. 2009, pp. 351--366."},{"key":"e_1_3_2_1_88_1","first-page":"86","volume-title":"Droidapiminer: Mining Api-level Features for Robust Malware Detection in Android,\" in International Conference on Security and Privacy in Communication Systems","author":"Aafer Y.","year":"2013","unstructured":"Y. Aafer, W. Du, and H. Yin, \"Droidapiminer: Mining Api-level Features for Robust Malware Detection in Android,\" in International Conference on Security and Privacy in Communication Systems, Springer, 2013, pp. 86--103."},{"key":"e_1_3_2_1_89_1","first-page":"110","volume-title":"Proceedings of the International Workshop on Information and Operational Technology and Security (IOSec)","author":"Sz\u00e9les G. J.","year":"2018","unstructured":"G. J. Sz\u00e9les and A. Cole?a, \"Malware Clustering Based on Called API During Runtime,\" in Proceedings of the International Workshop on Information and Operational Technology and Security (IOSec), Crete, GR, Sep. 2018, pp. 110--121."},{"key":"e_1_3_2_1_90_1","volume-title":"MD","author":"Deng X.","year":"2018","unstructured":"X. Deng and J. 
Mirkovic, \"Malware Analysis Through High-level Behavior,\" in Proceedings of the 11th USENIX Workshop on Cyber Security Experimentation and Test (CSET), Baltimore, MD, Aug. 2018."},{"key":"e_1_3_2_1_91_1","volume-title":"MA","author":"Bayer U.","year":"2009","unstructured":"U. Bayer, I. Habibi, D. Balzarotti, E. Kirda, and C. Kruegel, \"A View on Current Malware Behaviors,\" in Proceedings of the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), Boston, MA, Apr. 2009."},{"key":"e_1_3_2_1_92_1","first-page":"29","volume-title":"CA","author":"Kolbitsch C.","year":"2010","unstructured":"C. Kolbitsch, T. Holz, C. Kruegel, and E. Kirda, \"Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries,\" in Proceedings of the 31th IEEE Symposium on Security and Privacy (S&P), Oakland, CA, May 2010, pp. 29--44."},{"key":"e_1_3_2_1_93_1","first-page":"491","volume-title":"WA","author":"Antonakakis M.","year":"2012","unstructured":"M. Antonakakis, R. Perdisci, Y. Nadji, N. Vasiloglou, S. Abu-Nimeh, W. Lee, and D. Dagon, \"From Throw-away Traffic to Bots: Detecting the Rise of DGA-based Malware,\" in Proceedings of the 21st USENIX Security Symposium (Security), Bellevue, WA, Aug. 2012, pp. 
491--506."},{"key":"e_1_3_2_1_94_1","unstructured":"Donot team leverages new modular malware framework in south asia https:\/\/www.netscout.com\/blog\/asert\/donot-team-leverages-new-modular-malware-framework-south-asia [Accessed: 2020-08--22]."}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Virtual Event Republic of Korea","acronym":"CCS '21"},"container-title":["Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484537","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3484537","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3484537","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:52:55Z","timestamp":1763499175000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484537"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,12]]},"references-count":94,"alternative-id":["10.1145\/3460120.3484537","10.1145\/3460120"],"URL":"https:\/\/doi.org\/10.1145\/3460120.3484537","relation":{},"subject":[],"published":{"date-parts":[[2021,11,12]]},"assertion":[{"value":"2021-11-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}