{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,15]],"date-time":"2026-03-15T15:30:36Z","timestamp":1773588636159,"version":"3.50.1"},"reference-count":50,"publisher":"Association for Computing Machinery (ACM)","issue":"2","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2026,5,31]]},"abstract":"<jats:p>\n                    Malware authors increasingly exploit API Hashing to create \u201cinvisible\u201d system calls, replacing explicit function names with dynamically computed hashes that evade detection systems. This sophisticated obfuscation technique poses three critical challenges: accurately identifying hash functions within obfuscated code, linking computed hashes to their corresponding API calls, and detecting the growing diversity of hash algorithm variants. Existing rule-based approaches fail against these adaptive threats and cannot identify modern hash variants. We propose\n                    <jats:monospace>GAEDM<\/jats:monospace>\n                    , a novel framework that combines deep learning with program analysis to address these challenges. Our key innovation integrates static taint analysis with a genetic algorithm-enhanced assembly language model that generates diverse training variants, enabling robust detection of previously unseen obfuscation patterns. Experimental evaluation demonstrates that\n                    <jats:monospace>GAEDM<\/jats:monospace>\n                    achieves 91.9% MRR and 94.6% Recall@k in hash function identification, representing improvements of 18.4% and 8.2% respectively over state-of-the-art methods.\n                    <jats:monospace>GAEDM<\/jats:monospace>\n                    detects sophisticated obfuscation patterns that completely evade existing approaches, enabling security analysts to uncover previously undetectable threats and significantly advancing malware defense capabilities.\n                  <\/jats:p>","DOI":"10.1145\/3793198","type":"journal-article","created":{"date-parts":[[2026,1,26]],"date-time":"2026-01-26T12:02:23Z","timestamp":1769428943000},"page":"1-31","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["GAEDM: Genetic Algorithm-Enhanced Static Analysis for Detection of API Hashing Obfuscation in Malware"],"prefix":"10.1145","volume":"29","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-3326-6378","authenticated-orcid":false,"given":"Yang","family":"Lan","sequence":"first","affiliation":[{"name":"Key Laboratory of Cyberspace Security, Ministry of Education, China., Key Laboratory of Cyberspace Security, Ministry of Education","place":["Zhengzhou, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2797-1355","authenticated-orcid":false,"given":"Hui","family":"Shu","sequence":"additional","affiliation":[{"name":"Key Laboratory of Cyberspace Security, Ministry of Education, China., Key Laboratory of Cyberspace Security, Ministry of Education, China.","place":["Zhengzhou, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1020-9006","authenticated-orcid":false,"given":"Zihan","family":"Sha","sequence":"additional","affiliation":[{"name":"Key Laboratory of Cyberspace Security, Ministry of Education, China., Key Laboratory of Cyberspace Security, Ministry of Education, China.","place":["Zhengzhou, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2545-4079","authenticated-orcid":false,"given":"Fei","family":"Kang","sequence":"additional","affiliation":[{"name":"Key Laboratory of Cyberspace Security, Ministry of Education, China., Key Laboratory of Cyberspace Security, Ministry of Education, China.","place":["Zhengzhou, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-4707-2115","authenticated-orcid":false,"given":"Xiaobing","family":"Xiong","sequence":"additional","affiliation":[{"name":"Key Laboratory of Cyberspace Security, Ministry of Education, China., Key Laboratory of Cyberspace Security, Ministry of Education, China.","place":["Zhengzhou, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2947-0239","authenticated-orcid":false,"given":"Jingjing","family":"Li","sequence":"additional","affiliation":[{"name":"National Digital Switching System Engineering and Technological Research Center, National Digital Switching System Engineering and Technological Research Center","place":["Zhengzhou, China"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2026,3,10]]},"reference":[{"key":"e_1_3_2_2_2","article-title":"apihash_to_yara: Convert API hashes to YARA rules","author":"Barabosch Thomas","year":"2021","unstructured":"Thomas Barabosch. 2021. apihash_to_yara: Convert API hashes to YARA rules. [Online]. Retrieved from https:\/\/github.com\/tbarabosch\/apihash_to_yara","journal-title":"[Online]"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-97620-9_16"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243771"},{"key":"e_1_3_2_5_2","volume-title":"Proceedings of the USENIX Security Symposium","author":"Cheng Binlin","year":"2021","unstructured":"Binlin Cheng, Jiang Ming, Erika A. Leal, Haotian Zhang, Jianming Fu, Guojun Peng, and Jean-Yves Marion. 2021. Obfuscation-resilient executable payload extraction from packed malware. In Proceedings of the USENIX Security Symposium. Retrieved from https:\/\/api.semanticscholar.org\/CorpusID:235246272"},{"key":"e_1_3_2_6_2","article-title":"API-Deobfuscato.","year":"2015","unstructured":"Choi.2015. API-Deobfuscato. [Online]. Retrieved February 4, 2026 from https:\/\/www.blackhat.com\/docs\/asia-15\/materials\/asia-15-Choi-API-Deobfuscator-Indentifying-Runtime-Obfuscated-API-Calls-Via-Memory-Access-Analysis.pdf","journal-title":"[Online]"},{"key":"e_1_3_2_7_2","article-title":"Cobalt Strike Official Website","author":"Strike Cobalt","year":"2021","unstructured":"Cobalt Strike. 2021. Cobalt Strike Official Website. [Online]. Retrieved February 4, 2026 from https:\/\/www.cobaltstrike.com\/","journal-title":"[Online]"},{"key":"e_1_3_2_8_2","article-title":"Clang Documentation","author":"compiler Clang","year":"2024","unstructured":"Clang compiler. 2024. Clang Documentation. [Online]. Retrieved February 4, 2026 from https:\/\/clang.llvm.org\/docs\/","journal-title":"[Online]"},{"key":"e_1_3_2_9_2","first-page":"4171","volume-title":"Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Minneapolis, MN, USA, June 2-7, 2019, Volume 1","author":"Devlin Jacob","year":"2019","unstructured":"Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. 2019. BERT: Pre-training of deep bidirectional transformers for language understanding. In Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Minneapolis, MN, USA, June 2-7, 2019, Volume 1. Association for Computational Linguistics, 4171\u20134186."},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00003"},{"key":"e_1_3_2_11_2","article-title":"FireEye Official Website","year":"2021","unstructured":"FireEye. 2021. FireEye Official Website. [Online]. Retrieved from https:\/\/www.fireeye.com\/","journal-title":"[Online]"},{"key":"e_1_3_2_12_2","article-title":"HashDB: A Tool for Analyzing File Hashes","year":"2024","unstructured":"FireEye. 2024. HashDB: A Tool for Analyzing File Hashes. [Online]. Retrieved from https:\/\/github.com\/OALabs\/hashdb","journal-title":"[Online]"},{"key":"e_1_3_2_13_2","article-title":"GitHub Repository","year":"2024","unstructured":"GitHub. 2024. GitHub Repository. [Online]. Retrieved February 4, 2026 from https:\/\/github.com\/","journal-title":"[Online]"},{"key":"e_1_3_2_14_2","article-title":"Hash tutorial","author":"tutorial Hash","year":"2024","unstructured":"Hash tutorial. 2024. Hash tutorial. [Online]. Retrieved February 4, 2026 from https:\/\/research.cs.vt.edu\/AVresearch\/hashing\/index.php","journal-title":"[Online]"},{"key":"e_1_3_2_15_2","article-title":"IDA Pro Disassembler and Debugger","year":"2022","unstructured":"Hex-rays. 2022. IDA Pro Disassembler and Debugger. [Online]. Retrieved February 4, 2026 from https:\/\/www.hex-rays.com\/products\/ida\/index.shtml","journal-title":"[Online]"},{"key":"e_1_3_2_16_2","article-title":"IDAPython Documentation","year":"2024","unstructured":"Hex-rays. 2024. IDAPython Documentation. [Online]. Retrieved from https:\/\/python.docs.hex-rays.com\/","journal-title":"[Online]"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-007-0046-0"},{"key":"e_1_3_2_18_2","first-page":"3","volume-title":"Proceedings of the IEEE\/ACM International Workshop on Software Protection","author":"Junod Pascal","year":"2015","unstructured":"Pascal Junod, Julien Rinaldini, Johan Wehrli, and Julie Michielin. 2015. Obfuscator-LLVM \u2013 software protection for the masses. In Proceedings of the IEEE\/ACM International Workshop on Software Protection. IEEE Computer Society, Florence, Italy, 3\u20139."},{"key":"e_1_3_2_19_2","article-title":"Kaspersky Official Website","year":"2024","unstructured":"Kaspersky. 2024. Kaspersky Official Website. [Online]. Retrieved February 4, 2026 from https:\/\/www.kaspersky.com.cn\/","journal-title":"[Online]"},{"key":"e_1_3_2_20_2","article-title":"API Hashes v2 Script","author":"Lab Kaspersky","year":"2014","unstructured":"Kaspersky Lab. 2014. API Hashes v2 Script. [Online]. Retrieved February 4, 2026 from https:\/\/github.com\/KasperskyLab\/Apihashes\/blob\/master\/apihashesv2.py","journal-title":"[Online]"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.2197\/ipsjjip.26.813"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-41284-4_7"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2016.7888727"},{"key":"e_1_3_2_24_2","doi-asserted-by":"crossref","unstructured":"Vadim D. Kotov and Michael Thomas Wojnowicz. 2018. Towards generic deobfuscation of windows API calls. arXiv preprint arXiv:1802.04466. Retrieved from https:\/\/arxiv.org\/abs\/1802.04466","DOI":"10.14722\/bar.2018.23011"},{"key":"e_1_3_2_25_2","article-title":"QuietRIATT White Paper","author":"Krumheuer Tillmann","year":"2021","unstructured":"Tillmann Krumheuer and Sebastian Raber. 2021. QuietRIATT White Paper. [Online]. Retrieved February 4, 2026 from https:\/\/www.blackhat.com\/presentations\/bh-dc-09\/Krumheuer_Raber\/BlackHat-DC-09-Krumheuer-Raber-QuietRIATT-WhitePaper.pdf","journal-title":"[Online]"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484587"},{"key":"e_1_3_2_27_2","first-page":"3835","volume-title":"Proceedings of the International Conference on Machine Learning","author":"Li Yujia","year":"2019","unstructured":"Yujia Li, Chenjie Gu, Thomas Dullien, Oriol Vinyals, and Pushmeet Kohli. 2019. Graph matching networks for learning the similarity of graph structured objects. In Proceedings of the International Conference on Machine Learning. PMLR, 3835\u20133845."},{"key":"e_1_3_2_28_2","unstructured":"Tsung-Yi Lin Priya Goyal Ross Girshick Kaiming He and Piotr Doll\u00e1r. 2018. Focal Loss for Dense Object Detection. In Proceedings of the ICCV 2017. 1\u201310."},{"key":"e_1_3_2_29_2","unstructured":"Yinhan Liu Myle Ott Naman Goyal Jingfei Du Mandar Joshi Danqi Chen Omer Levy Mike Lewis Luke Zettlemoyer and Veselin Stoyanov. 2019. Roberta: A robustly optimized bert pretraining approach. arXiv preprint arXiv:1907.11692. Retrieved from https:\/\/arxiv.org\/abs\/1907.11692"},{"key":"e_1_3_2_30_2","article-title":"FLARE IDA Plugins","author":"Team Mandiant FLARE","year":"2024","unstructured":"Mandiant FLARE Team. 2024. FLARE IDA Plugins. [Online]. Retrieved February 4, 2026 from https:\/\/github.com\/mandiant\/flare-ida\/blob\/master\/shellcode_hashes\/make_sc_hash_db.py","journal-title":"[Online]"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-22038-9_15"},{"key":"e_1_3_2_32_2","article-title":"Metasploit Framework","year":"2021","unstructured":"Metasploit. 2021. Metasploit Framework. [Online]. Retrieved February 4, 2026 from https:\/\/www.metasploit.com\/","journal-title":"[Online]"},{"key":"e_1_3_2_33_2","first-page":"3111","volume-title":"Advances in Neural Information Processing Systems 26: 27th Annual Conference on Neural Information Processing Systems 2013. Proceedings of a meeting held December 5-8, 2013, Lake Tahoe, Nevada, United States","author":"Mikolov Tomas","year":"2013","unstructured":"Tomas Mikolov, Ilya Sutskever, Kai Chen, Gregory S. Corrado, and Jeffrey Dean. 2013. Distributed representations of words and phrases and their compositionality. In Advances in Neural Information Processing Systems 26: 27th Annual Conference on Neural Information Processing Systems 2013. Proceedings of a meeting held December 5-8, 2013, Lake Tahoe, Nevada, United States. 3111\u20133119."},{"key":"e_1_3_2_34_2","article-title":"ATT&CK techniques","year":"2021","unstructured":"mitre. 2021. ATT&CK techniques. [Online]. Retrieved February 4, 2026 from https:\/\/attack.mitre.org\/techniques\/T1027\/007\/","journal-title":"[Online]"},{"key":"e_1_3_2_35_2","article-title":"malchive","year":"2024","unstructured":"MITRECND. 2024. malchive. [Online]. Retrieved February 4, 2026 from https:\/\/github.com\/MITRECND\/malchive\/blob\/main\/malchive\/utilities\/findapihash.py","journal-title":"[Online]"},{"key":"e_1_3_2_36_2","article-title":"OpenSSL","year":"2023","unstructured":"OpenSSL. 2023. OpenSSL. [Online]. Retrieved February 4, 2026 from https:\/\/www.openssl.org\/","journal-title":"[Online]"},{"key":"e_1_3_2_37_2","article-title":"Pytorch: An imperative style, high-performance deep learning library","volume":"32","author":"Paszke Adam","year":"2019","unstructured":"Adam Paszke, Sam Gross, Francisco Massa, Adam Lerer, James Bradbury, Gregory Chanan, Trevor Killeen, Zeming Lin, Natalia Gimelshein, Luca Antiga, et\u00a0al. 2019. Pytorch: An imperative style, high-performance deep learning library. Advances in Neural Information Processing Systems (NeurIPS 2019) 32 (2019), 8026\u20138037.","journal-title":"Advances in Neural Information Processing Systems (NeurIPS 2019)"},{"key":"e_1_3_2_38_2","article-title":"Windows API Hashing in Malware","author":"Team Red","year":"2024","unstructured":"Red Team. 2024. Windows API Hashing in Malware. [Online]. Retrieved February 4, 2026 from https:\/\/www.ired.team\/offensive-security\/defense-evasion\/windows-api-hashing-in-malware","journal-title":"[Online]"},{"key":"e_1_3_2_39_2","article-title":"Bypass Techniques","author":"Blog Security","year":"2022","unstructured":"Security Blog. 2022. Bypass Techniques. [Online]. Retrieved February 4, 2026 from https:\/\/www.huntress.com\/blog\/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection","journal-title":"[Online]"},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-88313-5_31"},{"key":"e_1_3_2_41_2","first-page":"2579","article-title":"Visualizing data using t-SNE","volume":"9","author":"Maaten Laurens van der","year":"2008","unstructured":"Laurens van der Maaten and Geoffrey E. Hinton. 2008. Visualizing data using t-SNE. Journal of Machine Learning Research 9, 86 (2008), 2579\u20132605.","journal-title":"Journal of Machine Learning Research"},{"key":"e_1_3_2_42_2","article-title":"Attention is all you need","volume":"30","author":"Vaswani Ashish","year":"2017","unstructured":"Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N. Gomez, \u0141ukasz Kaiser, and Illia Polosukhin. 2017. Attention is all you need. Advances in Neural Information Processing Systems (NIPS 2017) 30 (2017), 5998\u20136008.","journal-title":"Advances in Neural Information Processing Systems (NIPS 2017)"},{"key":"e_1_3_2_43_2","article-title":"VirusTotal Online Service","year":"2021","unstructured":"VirusTotal. 2021. VirusTotal Online Service. [Online]. Retrieved February 4, 2026 from https:\/\/www.virustotal.com\/","journal-title":"[Online]"},{"key":"e_1_3_2_44_2","article-title":"Malware Sample Analysis Report","year":"2024","unstructured":"VirusTotal. 2024. Malware Sample Analysis Report. [Online]. Retrieved February 4, 2026 from https:\/\/www.virustotal.com\/gui\/file\/8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c\/","journal-title":"[Online]"},{"key":"e_1_3_2_45_2","article-title":"Malware Sample Analysis Report","year":"2024","unstructured":"VirusTotal. 2024. Malware Sample Analysis Report. [Online]. Retrieved February 4, 2026 from https:\/\/www.virustotal.com\/gui\/file\/bfa5dba46db1253587058b0392c04c8403846fa55d7dcf1044e94e6a654d4715\/","journal-title":"[Online]"},{"key":"e_1_3_2_46_2","article-title":"Malware Sample Analysis Report","year":"2024","unstructured":"VirusTotal. 2024. Malware Sample Analysis Report. [Online]. Retrieved February 4, 2026 from https:\/\/www.virustotal.com\/gui\/file\/d3bf17ac4db4f367cfed8f40f92670066ca97e98d210b043e4d3b89a4971bbdf\/","journal-title":"[Online]"},{"key":"e_1_3_2_47_2","article-title":"Malware Sample Analysis Report (REvil Sample)","year":"2024","unstructured":"VirusTotal. 2024. Malware Sample Analysis Report (REvil Sample). [Online]. Retrieved February 4, 2026 from https:\/\/www.virustotal.com\/gui\/file\/5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93\/","journal-title":"[Online]"},{"key":"e_1_3_2_48_2","doi-asserted-by":"crossref","unstructured":"Hao Wang Zeyu Gao Chao Zhang Zihan Sha Mingyang Sun Yuchen Zhou Wenyu Zhu Wenju Sun Han Qiu and Xi Xiao. 2024. CLAP: Learning Transferable Binary Code Representations with Natural Language Supervision. In Proceedings of the ISSTA 2024. 1\u201312.","DOI":"10.1145\/3650212.3652145"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1145\/3533767.3534367"},{"key":"e_1_3_2_50_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLC.2011.6016777"},{"key":"e_1_3_2_51_2","article-title":"YARA Rules Collection","author":"Repository YARA Rules","year":"2021","unstructured":"YARA Rules Repository. 2021. YARA Rules Collection. [Online]. Retrieved February 4, 2026 from https:\/\/github.com\/Yara-Rules\/rules","journal-title":"[Online]"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3793198","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,15]],"date-time":"2026-03-15T13:59:52Z","timestamp":1773583192000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3793198"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,3,10]]},"references-count":50,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2026,5,31]]}},"alternative-id":["10.1145\/3793198"],"URL":"https:\/\/doi.org\/10.1145\/3793198","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,3,10]]},"assertion":[{"value":"2025-06-15","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-01-17","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-03-10","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}