{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,22]],"date-time":"2026-04-22T19:14:54Z","timestamp":1776885294461,"version":"3.51.2"},"publisher-location":"New York, NY, USA","reference-count":84,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,11,12]],"date-time":"2021-11-12T00:00:00Z","timestamp":1636675200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Science Foundation Graduate Research Fellowship","award":["DGE-203965"],"award-info":[{"award-number":["DGE-203965"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2021,11,12]]},"DOI":"10.1145\/3460120.3484759","type":"proceedings-article","created":{"date-parts":[[2021,11,13]],"date-time":"2021-11-13T12:05:34Z","timestamp":1636805134000},"page":"3053-3069","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":48,"title":["An Inside Look into the Practice of Malware Analysis"],"prefix":"10.1145","author":[{"given":"Miuyin","family":"Yong Wong","sequence":"first","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}]},{"given":"Matthew","family":"Landen","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}]},{"given":"Manos","family":"Antonakakis","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}]},{"given":"Douglas M.","family":"Blough","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}]},{"given":"Elissa M.","family":"Redmiles","sequence":"additional","affiliation":[{"name":"Max Planck Institute for Software Systems, Saarbr\u00fccken, 
Germany"}]},{"given":"Mustaque","family":"Ahamad","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}]}],"member":"320","published-online":{"date-parts":[[2021,11,13]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"Capev2. https:\/\/github.com\/kevoreilly\/CAPEv2."},{"key":"e_1_3_2_2_2_1","unstructured":"Virustotal. https:\/\/virustotal.com."},{"key":"e_1_3_2_2_3_1","unstructured":"al-khaser. URL https:\/\/github.com\/LordNoteworthy\/al-khaser."},{"key":"e_1_3_2_2_4_1","unstructured":"Any-run - interactive online malware sandbox. https:\/\/any.run."},{"key":"e_1_3_2_2_5_1","unstructured":"How antivirus softwares are evolving with behaviour-based malware detection algorithms. https:\/\/analyticsindiamag.com\/how-antivirus-softwares-are-evolving-with-behaviour-based-malware-detection-algorithms."},{"key":"e_1_3_2_2_6_1","unstructured":"Equifax says cyberattack may have affected 143 million in the u.s. https:\/\/nytimes.com\/2017\/09\/07\/business\/equifax-cyberattack.html."},{"key":"e_1_3_2_2_7_1","unstructured":"Free automated malware analysis service. https:\/\/hybrid-analysis.com."},{"key":"e_1_3_2_2_8_1","unstructured":"Malpedia. https:\/\/malpedia.caad.fkie.fraunhofer.de\/."},{"key":"e_1_3_2_2_9_1","unstructured":"Malshare. https:\/\/malshare.com."},{"key":"e_1_3_2_2_10_1","unstructured":"Malware bazaar. https:\/\/bazaar.abuse.ch."},{"key":"e_1_3_2_2_11_1","unstructured":"Mitre att&ck. https:\/\/attack.mitre.org\/matrices\/enterprise\/."},{"key":"e_1_3_2_2_12_1","unstructured":"ollydbg. http:\/\/www.ollydbg.de\/."},{"key":"e_1_3_2_2_13_1","unstructured":"Openioc: Back to the basics. https:\/\/www.fireeye.com\/blog\/threat-research\/2013\/10\/openioc-basics.html."},{"key":"e_1_3_2_2_14_1","unstructured":"Pyramid of pain. https:\/\/detect-respond.blogspot.com\/2013\/03\/the-pyramid-of-pain.html."},{"key":"e_1_3_2_2_15_1","unstructured":"Reversing labs. 
https:\/\/reversinglabs.com."},{"key":"e_1_3_2_2_16_1","unstructured":"Target missed warnings in epic hack of credit card data. https:\/\/bloom.bg\/2KjElxM."},{"key":"e_1_3_2_2_17_1","unstructured":"thezoo - a live malware repository. https:\/\/github.com\/ytisf\/theZoo."},{"key":"e_1_3_2_2_18_1","unstructured":"Twitter. https:\/\/twitter.com."},{"key":"e_1_3_2_2_19_1","unstructured":"Unpacme. https:\/\/unpac.me."},{"key":"e_1_3_2_2_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/1177080.1177086"},{"key":"e_1_3_2_2_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.25"},{"key":"e_1_3_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2017.24"},{"key":"e_1_3_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/2001420.2001423"},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-74320-0_10"},{"key":"e_1_3_2_2_25_1","volume-title":"A survey of symbolic execution techniques. ACM Computing Surveys (CSUR), 51 (3): 1--39","author":"Baldoni R.","year":"2018","unstructured":"R. Baldoni, E. Coppa, D. C. D'elia, C. Demetrescu, and I. Finocchi. A survey of symbolic execution techniques. ACM Computing Surveys (CSUR), 51 (3): 1--39, 2018."},{"key":"e_1_3_2_2_26_1","volume-title":"Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS)","author":"Balzarotti D.","year":"2010","unstructured":"D. Balzarotti, M. Cova, C. Karlberger, E. Kirda, C. Kruegel, and G. Vigna. Efficient detection of split personalities in malware. In Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb.--Mar. 2010."},{"key":"e_1_3_2_2_27_1","volume-title":"Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS)","author":"Bayer U.","year":"2009","unstructured":"U. Bayer, P. M. Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, behavior-based malware clustering. 
In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2009."},{"key":"e_1_3_2_2_28_1","volume-title":"Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS)","author":"Bilge L.","year":"2011","unstructured":"L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. Exposure: Finding malicious domains using passive dns analysis. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 2011."},{"key":"e_1_3_2_2_29_1","first-page":"643","volume-title":"Proceedings of the 25th USENIX Security Symposium (Security)","author":"Blazytko T.","year":"2017","unstructured":"T. Blazytko, M. Contag, C. Aschermann, and T. Holz. Syntia: Synthesizing the semantics of obfuscated code. In Proceedings of the 25th USENIX Security Symposium (Security), pages 643--659, Vancouver, BC, Canada, Aug. 2017."},{"key":"e_1_3_2_2_30_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-68768-1_4"},{"key":"e_1_3_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866354"},{"key":"e_1_3_2_2_32_1","volume-title":"Proceedings of the 20th USENIX Security Symposium (Security)","author":"Caballero J.","year":"2011","unstructured":"J. Caballero, C. Grier, C. Kreibich, and V. Paxson. Measuring pay-per-install: the commoditization of malware distribution. In Proceedings of the 20th USENIX Security Symposium (Security), San Francisco, CA, Aug. 
2011."},{"key":"e_1_3_2_2_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2015.7413681"},{"key":"e_1_3_2_2_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243771"},{"key":"e_1_3_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/1287624.1287628"},{"key":"e_1_3_2_2_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.12"},{"key":"e_1_3_2_2_37_1","first-page":"601","volume-title":"Proceedings of the 21st USENIX Security Symposium (Security)","author":"Cui W.","year":"2012","unstructured":"W. Cui, M. Peinado, Z. Xu, and E. Chan. Tracking rootkit footprints with a practical memory analysis system. In Proceedings of the 21st USENIX Security Symposium (Security), pages 601--615, Bellevue, WA, Aug. 2012."},{"key":"e_1_3_2_2_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/2523649.2523675"},{"key":"e_1_3_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455779"},{"key":"e_1_3_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/CHASE.2015.19"},{"key":"e_1_3_2_2_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2421000"},{"key":"e_1_3_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/SSCI.2017.8285426"},{"key":"e_1_3_2_2_43_1","doi-asserted-by":"publisher","DOI":"10.1201\/9781410607775"},{"key":"e_1_3_2_2_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/IBCAST.2019.8667136"},{"key":"e_1_3_2_2_45_1","volume-title":"Proceedings of the 20th USENIX Security Symposium (Security)","author":"Jacob G.","year":"2011","unstructured":"G. Jacob, R. Hund, C. Kruegel, and T. Holz. Jackstraws: Picking command and control connections from bot traffic. In Proceedings of the 20th USENIX Security Symposium (Security), San Francisco, CA, Aug. 2011."},{"key":"e_1_3_2_2_46_1","first-page":"6","article-title":"Writing interview protocols and conducting interviews: tips for students new to the field of qualitative research","volume":"17","author":"Jacob S. A.","year":"2012","unstructured":"S. A. Jacob and S. P. Furgerson. 
Writing interview protocols and conducting interviews: tips for students new to the field of qualitative research. Qualitative Report, 17: 6, 2012.","journal-title":"Qualitative Report"},{"key":"e_1_3_2_2_47_1","doi-asserted-by":"publisher","DOI":"10.5555\/2831143.2831180"},{"key":"e_1_3_2_2_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664250"},{"key":"e_1_3_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950304"},{"key":"e_1_3_2_2_50_1","first-page":"757","volume-title":"Proceedings of the 24th USENIX Security Symposium (Security)","author":"Kharaz A.","year":"2015","unstructured":"A. Kharaz, S. Arshad, C. Mulliner, W. Robertson, and E. Kirda. UNVEIL: A large-scale, automated approach to detecting ransomware. In Proceedings of the 24th USENIX Security Symposium (Security), pages 757--772, Washington, DC, Aug. 2015."},{"key":"e_1_3_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-60876-1_5"},{"key":"e_1_3_2_2_52_1","first-page":"769","volume-title":"Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security","author":"Kirat D.","year":"2014","unstructured":"D. Kirat and G. Vigna. Malgene: Automatic extraction of malware analysis evasion signature. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 769--780, 2014."},{"key":"e_1_3_2_2_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/2076732.2076790"},{"key":"e_1_3_2_2_54_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium (Security)","author":"Kirat D.","year":"2014","unstructured":"D. Kirat, G. Vigna, and C. Kruegel. Barecloud: bare-metal analysis-based evasive malware detection. In Proceedings of the 23rd USENIX Security Symposium (Security), San Diego, CA, Aug. 
2014."},{"key":"e_1_3_2_2_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.10"},{"key":"e_1_3_2_2_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046740"},{"key":"e_1_3_2_2_57_1","doi-asserted-by":"publisher","DOI":"10.2307\/2529786"},{"key":"e_1_3_2_2_58_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23644-0_18"},{"key":"e_1_3_2_2_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3238147.3238199"},{"key":"e_1_3_2_2_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2007.41"},{"key":"e_1_3_2_2_61_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-87403-4_5"},{"key":"e_1_3_2_2_62_1","first-page":"253","volume-title":"Proceedings of the 25th USENIX Security Symposium (Security)","author":"Ming J.","year":"2017","unstructured":"J. Ming, D. Xu, Y. Jiang, and D. Wu. Binsim: Trace-based semantic binary diffing via system call sliced segment equivalence checking. In Proceedings of the 25th USENIX Security Symposium (Security), pages 253--270, Vancouver, BC, Canada, Aug. 2017."},{"key":"e_1_3_2_2_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.17"},{"key":"e_1_3_2_2_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/2076732.2076734"},{"key":"e_1_3_2_2_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/2076732.2076736"},{"key":"e_1_3_2_2_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/2523649.2523659"},{"key":"e_1_3_2_2_67_1","first-page":"829","volume-title":"Proceedings of the 23rd USENIX Security Symposium (Security)","author":"Peng F.","year":"2014","unstructured":"F. Peng, Z. Deng, X. Zhang, D. Xu, Z. Lin, and Z. Su. X-force: Force-executing binary programs for security applications. In Proceedings of the 23rd USENIX Security Symposium (Security), pages 829--844, San Diego, CA, Aug. 
2014."},{"key":"e_1_3_2_2_68_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70542-0_6"},{"key":"e_1_3_2_2_69_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2006.38"},{"key":"e_1_3_2_2_70_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.26"},{"key":"e_1_3_2_2_71_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23121"},{"key":"e_1_3_2_2_72_1","doi-asserted-by":"publisher","DOI":"10.1177\/160940690900800107"},{"key":"e_1_3_2_2_73_1","doi-asserted-by":"publisher","DOI":"10.1145\/2413176.2413217"},{"key":"e_1_3_2_2_74_1","first-page":"186","volume-title":"Proceedings of the 13th Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA)","author":"Ugarte-Pedrero X.","year":"2017","unstructured":"X. Ugarte-Pedrero, D. Balzarotti, I. Santos, and P. G. Bringas. Rambo: Run-time packer analysis with multiple branch observation. In Proceedings of the 13th Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), pages 186--206, 2017."},{"key":"e_1_3_2_2_75_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00003"},{"key":"e_1_3_2_2_76_1","first-page":"1875","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Votipka D.","year":"2020","unstructured":"D. Votipka, S. Rabin, K. Micinski, J. S. Foster, and M. L. Mazurek. An observational investigation of reverse engineers' processes. In 29th USENIX Security Symposium (USENIX Security 20), pages 1875--1892, 2020."},{"key":"e_1_3_2_2_77_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2017.8115645"},{"key":"e_1_3_2_2_78_1","first-page":"271","volume-title":"Proceedings of the 25th USENIX Security Symposium (Security)","author":"Xu M.","year":"2017","unstructured":"M. Xu and T. Kim. Platpal: Detecting malicious documents with platform diversity. In Proceedings of the 25th USENIX Security Symposium (Security), pages 271--287, Vancouver, BC, Canada, Aug. 
2017."},{"key":"e_1_3_2_2_79_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11379-1_2"},{"key":"e_1_3_2_2_80_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813663"},{"key":"e_1_3_2_2_81_1","doi-asserted-by":"publisher","DOI":"10.1145\/2151024.2151053"},{"key":"e_1_3_2_2_82_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70542-0_11"},{"key":"e_1_3_2_2_83_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2013.6575343"},{"key":"e_1_3_2_2_84_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.11"}],"event":{"name":"CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security","location":"Virtual Event Republic of Korea","acronym":"CCS '21","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484759","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3460120.3484759","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T20:50:07Z","timestamp":1763499007000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3460120.3484759"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,12]]},"references-count":84,"alternative-id":["10.1145\/3460120.3484759","10.1145\/3460120"],"URL":"https:\/\/doi.org\/10.1145\/3460120.3484759","relation":{},"subject":[],"published":{"date-parts":[[2021,11,12]]},"assertion":[{"value":"2021-11-13","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}