{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T15:10:01Z","timestamp":1755961801323,"version":"3.44.0"},"reference-count":61,"publisher":"Association for Computing Machinery (ACM)","issue":"3","funder":[{"name":"Mercedes project","award":["639.023.710"],"award-info":[{"award-number":["639.023.710"]}]},{"DOI":"10.13039\/501100003246","name":"Netherlands Organisation for Scientific Research","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100003246","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2025,8,31]]},"abstract":"<jats:p>Despite significant effort put into research and development of defense mechanisms, new malware is continuously developed rapidly, making it still one of the major threats on the Internet. For malware to be successful, it is in the developer\u2019s best interest to evade detection as long as possible. One method in achieving this is using Code Injection, where malicious code is injected into another benign process, making it do something it was not intended to do.<\/jats:p>\n          <jats:p>Automated detection and characterization of Code Injection is difficult. Many injection techniques depend solely on system calls that in isolation look benign and can easily be confused with other background system activity. There is therefore a need for models that can consider the context in which a single system event resides, such that relevant activity can be distinguished easily.<\/jats:p>\n          <jats:p>In previous work, we conducted the first systematic study on code injection to gain more insights into the different techniques available to malware developers on the Windows platform. This paper extends this work by introducing and formalizing Behavior Nets: A novel, reusable, context-aware modeling language that expresses malicious software behavior in observable events and their general interdependence. This allows for matching on system calls, even if those system calls are typically used in a benign context. We evaluate Behavior Nets and experimentally confirm that introducing event context into behavioral signatures yields better results in characterizing malicious behavior than the state of the art. We conclude with valuable insights on how future malware research based on dynamic analysis should be conducted.<\/jats:p>","DOI":"10.1145\/3729228","type":"journal-article","created":{"date-parts":[[2025,4,10]],"date-time":"2025-04-10T07:38:54Z","timestamp":1744270734000},"page":"1-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Behavior Nets: Context-Aware Behavior Modeling for Code Injection-Based Windows Malware"],"prefix":"10.1145","volume":"28","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0138-0861","authenticated-orcid":false,"given":"Jerre","family":"Starink","sequence":"first","affiliation":[{"name":"Semantics, Cybersecurity & Services, University Twente Faculty EEMCS","place":["Enschede, Netherlands"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4467-072X","authenticated-orcid":false,"given":"Marieke","family":"Huisman","sequence":"additional","affiliation":[{"name":"Formal Methods and Tools, University Twente Faculty EEMCS","place":["Enschede, Netherlands"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2929-5001","authenticated-orcid":false,"given":"Andreas","family":"Peter","sequence":"additional","affiliation":[{"name":"Departement of Computer Science, Carl von Ossietzky Universit\u00e4t Oldenburg","place":["Oldenburg, Germany"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0329-1830","authenticated-orcid":false,"given":"Andrea","family":"Continella","sequence":"additional","affiliation":[{"name":"Semantics, Cybersecurity & Services, University Twente Faculty EEMCS","place":["Enschede, Netherlands"]}]}],"member":"320","published-online":{"date-parts":[[2025,8,23]]},"reference":[{"key":"e_1_3_3_2_2","unstructured":"2013. BPKT - ARM compiler toolchain assembler reference. https:\/\/developer.arm.com\/documentation\/dui0489\/c\/arm-and-thumb-instructions\/miscellaneous-instructions\/bkpt"},{"key":"e_1_3_3_3_2","unstructured":"2024. ANY.RUN - Interactive malware hunting service. https:\/\/any.run\/"},{"key":"e_1_3_3_4_2","unstructured":"2024. CAPA - The FLARE team\u2019s open-source tool to identify capabilities in executable files.https:\/\/github.com\/mandiant\/capa"},{"key":"e_1_3_3_5_2","unstructured":"2024. CAPE Sandbox. https:\/\/capesandbox.com\/"},{"key":"e_1_3_3_6_2","unstructured":"2024. Cuckoo Sandbox. https:\/\/cuckoosandbox.org\/"},{"key":"e_1_3_3_7_2","unstructured":"2024. Haskell language. https:\/\/www.haskell.org\/"},{"key":"e_1_3_3_8_2","unstructured":"2024. Joe Sandbox - Deep malware analysis. https:\/\/www.joesandbox.com\/"},{"key":"e_1_3_3_9_2","unstructured":"2024. Sigma - Generic signature format for SIEM systems. https:\/\/sigmahq.io\/"},{"key":"e_1_3_3_10_2","unstructured":"2024. The DOT language. https:\/\/www.graphviz.org\/doc\/info\/lang.html"},{"key":"e_1_3_3_11_2","unstructured":"2024. YARA - The pattern matching Swiss knife for malware researchers. https:\/\/virustotal.github.io\/yara\/"},{"key":"e_1_3_3_12_2","volume-title":"Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201920)","author":"Aghakhani Hojjat","year":"2020","unstructured":"Hojjat Aghakhani, Fabio Gritti, Francesco Mecca, Martina Lindorfer, Stefano Ortolani, Davide Balzarotti, Giovanni Vigna, and Christopher Kruegel. 2020. When malware is packin\u2019 heat; Limits of machine learning classifiers based on static analysis features. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201920)."},{"key":"e_1_3_3_13_2","volume-title":"Proceedings of the USENIX Security Symposium","author":"Alrawi Omar","year":"2021","unstructured":"Omar Alrawi, Moses Ike, Matthew Pruett, Ranjita Pai Kasturi, Srimanta Barua, Taleb Hirani, Brennan Hill, and Brendan Saltaformaggio. 2021. Forecasting malware capabilities from cyber attack memory images. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_3_3_14_2","unstructured":"AVTest. 2021. Malware Statistics & Trends Report. https:\/\/www.av-test.org\/en\/statistics\/malware\/"},{"key":"e_1_3_3_15_2","volume-title":"Proceedings of the Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA\u201917)","author":"Barabosch Thomas","year":"2017","unstructured":"Thomas Barabosch, Niklas Bergmann, Adrian Dombeck, and Elmar Padilla. 2017. Quincy: Detecting host-based code injection attacks in memory dumps. In Proceedings of the Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA\u201917)."},{"key":"e_1_3_3_16_2","volume-title":"Proceedings of the Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA\u201914)","author":"Barabosch Thomas","year":"2014","unstructured":"Thomas Barabosch, Sebastian Eschweiler, and Elmar Gerhards-Padilla. 2014. Bee master: Detecting host-based code injection attacks. In Proceedings of the Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA\u201914)."},{"key":"e_1_3_3_17_2","volume-title":"Proceedings of the International Conference on Malicious and Unwanted Software (MALWARE\u201914)","author":"Barabosch Thomas","year":"2014","unstructured":"Thomas Barabosch and Elmar Gerhards-Padilla. 2014. Host-based code injection attacks: A popular technique used by malware. In Proceedings of the International Conference on Malicious and Unwanted Software (MALWARE\u201914)."},{"key":"e_1_3_3_18_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-019-00333-y"},{"key":"e_1_3_3_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/1287624.1287628"},{"key":"e_1_3_3_20_2","article-title":"The geneology of malware","author":"Cuadra Fernando de la","year":"2007","unstructured":"Fernando de la Cuadra. 2007. The geneology of malware. Network Security (2007).","journal-title":"Network Security"},{"key":"e_1_3_3_21_2","unstructured":"Dejan Lukan. 2013. Using CreateRemoteThread for DLL injection on Windows. https:\/\/resources.infosecinstitute.com\/topic\/using-createremotethread-for-dll-injection-on-windows\/"},{"key":"e_1_3_3_22_2","unstructured":"Dejan Lukan. 2013. Using SetWindowsHookEx for DLL injection on Windows. https:\/\/resources.infosecinstitute.com\/topic\/using-setwindowshookex-for-dll-injection-on-windows\/"},{"key":"e_1_3_3_23_2","volume-title":"Proceedings of the ACM International Conference on Information & Knowledge Management","author":"Du Min","year":"2021","unstructured":"Min Du, Wenjun Hu, and William Hewlett. 2021. AutoCombo: Automatic malware signature generation through combination rule mining. In Proceedings of the ACM International Conference on Information & Knowledge Management."},{"key":"e_1_3_3_24_2","unstructured":"Elastic Security. 2019. Hunting in memory. https:\/\/www.elastic.co\/blog\/hunting-memory"},{"key":"e_1_3_3_25_2","unstructured":"F-Secure. 2018. Hunting for Application Shim databases. https:\/\/blog.f-secure.com\/hunting-for-application-shim-databases\/"},{"key":"e_1_3_3_26_2","article-title":"W32.Stuxnet Dossier","author":"Falliere Nicolas","year":"2011","unstructured":"Nicolas Falliere, Liam O. Murchu, and Eric Chien. 2011. W32.Stuxnet Dossier. White paper, Symantec Corp., Security Response (2011).","journal-title":"White paper, Symantec Corp., Security Response"},{"key":"e_1_3_3_27_2","unstructured":"Hasherezade. 2018. PE-Sieve. https:\/\/github.com\/hasherezade\/pe-sieve"},{"key":"e_1_3_3_28_2","volume-title":"Intel 64 and IA-32 Architectures Software Developer\u2019s Manual","author":"Intel","year":"2022","unstructured":"Intel 2022. Intel 64 and IA-32 Architectures Software Developer\u2019s Manual. Intel. Volume 2 (2A, 2B, 2C & 2D): Instruction Set Reference, A-Z."},{"key":"e_1_3_3_29_2","unstructured":"iRed.team. 2020. Import Adress Table (IAT) Hooking. https:\/\/www.ired.team\/offensive-security\/code-injection-process-injection\/import-adress-table-iat-hooking"},{"key":"e_1_3_3_30_2","volume-title":"Proceedings of the USENIX Security Symposium","author":"Kharaz Amin","year":"2016","unstructured":"Amin Kharaz, Sajjad Arshad, Collin Mulliner, William Robertson, and Engin Kirda. 2016. UNVEIL: A large-scale, automated approach to detecting ransomware. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_3_3_31_2","volume-title":"USENIX Security Symposium","author":"Kolbitsch Clemens","year":"2009","unstructured":"Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiao-yong Zhou, Xiao Feng Wang, et\u00a0al. 2009. Effective and efficient malware detection at the end host.. In USENIX Security Symposium, Vol. 4."},{"key":"e_1_3_3_32_2","volume-title":"Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS\u201917)","author":"Korczynski David","year":"2017","unstructured":"David Korczynski and Heng Yin. 2017. Capturing malware propagations with code injections and code-reuse attacks. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS\u201917)."},{"key":"e_1_3_3_33_2","volume-title":"Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201921)","author":"K\u00fcchler Alexander","year":"2021","unstructured":"Alexander K\u00fcchler, Alessandro Mantovani, Yufei Han, Leyla Bilge, and Davide Balzarotti. 2021. Does every second count? Time-based evolution of malware behavior in sandboxes. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201921)."},{"key":"e_1_3_3_34_2","volume-title":"Proceedings of the Annual Computer Security Applications Conference (ACSAC\u201914)","author":"Lengyel Tamas K.","year":"2014","unstructured":"Tamas K. Lengyel, Steve Maresca, Bryan D. Payne, George D. Webster, Sebastian Vogl, and Aggelos Kiayias. 2014. Scalability, fidelity and stealth in the DRAKVUF dynamic malware analysis system. In Proceedings of the Annual Computer Security Applications Conference (ACSAC\u201914)."},{"key":"e_1_3_3_35_2","article-title":"Shadow attacks: Automatically evading system-call-behavior based malware detection","author":"Ma Weiqin","year":"2012","unstructured":"Weiqin Ma, Pu Duan, Sanmin Liu, Guofei Gu, and Jyh-Charn Liu. 2012. Shadow attacks: Automatically evading system-call-behavior based malware detection. Journal in Computer Virology (2012).","journal-title":"Journal in Computer Virology"},{"key":"e_1_3_3_36_2","volume-title":"Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID\u201908)","author":"Martignoni Lorenzo","year":"2008","unstructured":"Lorenzo Martignoni, Elizabeth Stinson, Matt Fredrikson, Somesh Jha, and John C. Mitchell. 2008. A layered architecture for detecting malicious behaviors. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID\u201908)."},{"key":"e_1_3_3_37_2","unstructured":"Microsoft. 2012. Understanding shims. https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-7\/dd837644(v=ws.10)"},{"key":"e_1_3_3_38_2","unstructured":"MITRE ATT&CK. 0220. Process injection: Thread execution hijacking. https:\/\/attack.mitre.org\/techniques\/T1055\/011\/"},{"key":"e_1_3_3_39_2","unstructured":"MITRE ATT&CK. 2020. Process injection: Asynchronous procedure call. https:\/\/attack.mitre.org\/techniques\/T1055\/004\/"},{"key":"e_1_3_3_40_2","unstructured":"MITRE ATT&CK. 2020. Event triggered execution: AppCert DLLs. https:\/\/attack.mitre.org\/techniques\/T1546\/009\/"},{"key":"e_1_3_3_41_2","unstructured":"MITRE ATT&CK. 2020. Event triggered execution: AppInit DLLs. https:\/\/attack.mitre.org\/techniques\/T1546\/010\/"},{"key":"e_1_3_3_42_2","unstructured":"MITRE ATT&CK. 2020. Event triggered execution: Component object model hijacking. https:\/\/attack.mitre.org\/techniques\/T1546\/015\/"},{"key":"e_1_3_3_43_2","unstructured":"MITRE ATT&CK. 2020. Process injection: Dynamic-link library injection. https:\/\/attack.mitre.org\/techniques\/T1055\/001\/"},{"key":"e_1_3_3_44_2","unstructured":"MITRE ATT&CK. 2020. Process injection: Extra Window memory injection. https:\/\/attack.mitre.org\/techniques\/T1055\/011\/"},{"key":"e_1_3_3_45_2","unstructured":"MITRE ATT&CK. 2020. Process injection: Process hollowing. https:\/\/attack.mitre.org\/techniques\/T1055\/012\/"},{"key":"e_1_3_3_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/5.24143"},{"key":"e_1_3_3_47_2","volume-title":"Proceedings of the International Cyber Resilience Conference (CRC\u201921)","author":"Olaimat Mohammad N.","year":"2021","unstructured":"Mohammad N. Olaimat, Mohd Aizaini Maarof, and Bander Ali S. Al-Rimy. 2021. Ransomware anti-analysis and evasion techniques: A survey and research directions. In Proceedings of the International Cyber Resilience Conference (CRC\u201921)."},{"key":"e_1_3_3_48_2","volume-title":"Proceedings of the USENIX Workshop on Offensive Technologies (WOOT\u201919)","author":"Pavithran Jithin","year":"2019","unstructured":"Jithin Pavithran, Milan Patnaik, and Chester Rebeiro. 2019. D-TIME: Distributed threadless independent malware execution for runtime obfuscation. In Proceedings of the USENIX Workshop on Offensive Technologies (WOOT\u201919)."},{"key":"e_1_3_3_49_2","unstructured":"Pieter Arntz. 2015. An introduction to Image File Execution Options. https:\/\/blog.malwarebytes.com\/101\/2015\/12\/an-introduction-to-image-file-execution-options\/"},{"key":"e_1_3_3_50_2","unstructured":"CERT Polska. 2012. More Human than Human - Flame\u2019s Code Injection Techniques. https:\/\/cert.pl\/en\/posts\/2012\/08\/more-human-than-human-flames-code-injection-techniques\/"},{"key":"e_1_3_3_51_2","volume-title":"Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA\u201918)","author":"Quarta Davide","year":"2018","unstructured":"Davide Quarta, Federico Salvioni, Andrea Continella, and Stefano Zanero. 2018. Toward systematically exploring antivirus engines. In Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA\u201918) (Paris, France)."},{"key":"e_1_3_3_52_2","volume-title":"Proceedings of the International Workshop on Ethics in Computer Security (EthiCS\u201923)","author":"Reidsma Dennis","year":"2023","unstructured":"Dennis Reidsma, Jeroen van der Ham, and Andrea Continella. 2023. Operationalizing cybersecurity research ethics review: From principles and guidelines to practice. In Proceedings of the International Workshop on Ethics in Computer Security (EthiCS\u201923)."},{"key":"e_1_3_3_53_2","volume-title":"Proceedings of the IEEE Symposium on Security & Privacy (S&P\u201912)","author":"Rossow Christian","year":"2012","unstructured":"Christian Rossow, Christian J. Dietrich, Chris Grier, Christian Kreibich, Vern Paxson, Norbert Pohlmann, Herbert Bos, and Maarten Van Steen. 2012. Prudent practices for designing malware experiments: Status quo and outlook. In Proceedings of the IEEE Symposium on Security & Privacy (S&P\u201912)."},{"key":"e_1_3_3_54_2","doi-asserted-by":"publisher","DOI":"10.1145\/353323.353382"},{"key":"e_1_3_3_55_2","volume-title":"Proceedings of the International Symposium on Research in Attacks, Intrusions, and Defenses (RAID\u201916)","author":"Sebasti\u00e1n Marcos","year":"2016","unstructured":"Marcos Sebasti\u00e1n, Richard Rivera, Platon Kotzias, and Juan Caballero. 2016. AVclass: A tool for massive malware labeling. In Proceedings of the International Symposium on Research in Attacks, Intrusions, and Defenses (RAID\u201916), Fabian Monrose, Marc Dacier, Gregory Blanc, and Joaquin Garcia-Alfaro (Eds.). Cham."},{"key":"e_1_3_3_56_2","unstructured":"Sevagas. 2014. PE injection explained. https:\/\/blog.sevagas.com\/PE-injection-explained"},{"key":"e_1_3_3_57_2","volume-title":"Proceedings of the International Conference on Security and Privacy in Communication Networks (SecureComm\u201923)","author":"Starink Jerre","year":"2023","unstructured":"Jerre Starink, Marieke Huisman, Andreas Peter, and Andrea Continella. 2023. Understanding and measuring inter-process code injection in Windows malware. In Proceedings of the International Conference on Security and Privacy in Communication Networks (SecureComm\u201923)."},{"key":"e_1_3_3_58_2","unstructured":"statcounter. 2024. Desktop Operating System Market Share Worldwide. https:\/\/gs.statcounter.com\/os-market-share\/desktop\/worldwide\/"},{"key":"e_1_3_3_59_2","unstructured":"VirusTotal. 2021. VirusTotal Malware Academic Dataset. https:\/\/www.virustotal.com\/"},{"key":"e_1_3_3_60_2","volume-title":"Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201920)","author":"Wang Qi","year":"2020","unstructured":"Qi Wang, Wajih Ul Hassan, Ding Li, Kangkook Jee, Xiao Yu, Kexuan Zou, Junghwan Rhee, Zhengzhang Chen, Wei Cheng, Carl A. Gunter, et\u00a0al. 2020. You are what you do: Hunting stealthy malware via data provenance analysis. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS\u201920)."},{"key":"e_1_3_3_61_2","article-title":"The ZeroAccess Botnet Mining and Fraud for Massive Financial Gain","author":"Wyke James","year":"2012","unstructured":"James Wyke. 2012. The ZeroAccess Botnet Mining and Fraud for Massive Financial Gain. Sophos Technical Paper (2012).","journal-title":"Sophos Technical Paper"},{"key":"e_1_3_3_62_2","volume-title":"Proceedings of the USENIX Security Symposium","author":"Zhu Shuofei","year":"2020","unstructured":"Shuofei Zhu, Jianjun Shi, Limin Yang, Boqin Qin, Ziyi Zhang, Linhai Song, and Gang Wang. 2020. Measuring and modeling the label dynamics of online anti-malware engines. In Proceedings of the USENIX Security Symposium."}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3729228","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,23]],"date-time":"2025-08-23T14:47:57Z","timestamp":1755960477000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3729228"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,23]]},"references-count":61,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2025,8,31]]}},"alternative-id":["10.1145\/3729228"],"URL":"https:\/\/doi.org\/10.1145\/3729228","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"type":"print","value":"2471-2566"},{"type":"electronic","value":"2471-2574"}],"subject":[],"published":{"date-parts":[[2025,8,23]]},"assertion":[{"value":"2024-07-26","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-03-20","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-08-23","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}