{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,4]],"date-time":"2026-06-04T21:34:25Z","timestamp":1780608865700,"version":"3.54.1"},"reference-count":27,"publisher":"SAGE Publications","issue":"11","license":[{"start":{"date-parts":[[2019,11,1]],"date-time":"2019-11-01T00:00:00Z","timestamp":1572566400000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"funder":[{"DOI":"10.13039\/501100002383","name":"King Saud University","doi-asserted-by":"publisher","award":["RG-1439-021"],"award-info":[{"award-number":["RG-1439-021"]}],"id":[{"id":"10.13039\/501100002383","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["International Journal of Distributed Sensor Networks"],"published-print":{"date-parts":[[2019,11]]},"abstract":"<jats:p> Malware have become the scourge of the century, as they are continuously evolving and becoming more complex with increasing damages. Therefore, an adequate protection against such threats is vital. Behavior-based malware detection techniques have shown to be effective at overcoming the weaknesses of the signature-based ones. However, they are known for their high false alarms, which is still a very challenging problem. In this article, we address this shortcoming by proposing a rule-based behavioral malware detection system, which inherits the advantages of both signature and behavior-based approaches. We apply the proposed detection system on a combined set of three types of dynamic features, namely, (1) list of application programming interface calls; (2) application programming interface sequences; and (3) network traffic, which represents the IP addresses and domain names used by malware to connect to remote command-and-control servers. Feature selection and construction techniques, that is, term frequency\u2013inverse document frequency and longest common subsequence, are performed on the three extracted features to generate new set of features, which are used to build behavioral Yet Another Recursive Acronym rules. The proposed malware detection approach is able to achieve an accuracy of 97.22% and a false positive rate of 4.69%. <\/jats:p>","DOI":"10.1177\/1550147719889907","type":"journal-article","created":{"date-parts":[[2019,11,25]],"date-time":"2019-11-25T08:09:09Z","timestamp":1574669349000},"page":"155014771988990","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":23,"title":["Combined dynamic multi-feature and rule-based behavior for accurate malware detection"],"prefix":"10.1177","volume":"15","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9412-1959","authenticated-orcid":false,"given":"Mohamed","family":"Belaoued","sequence":"first","affiliation":[{"name":"LIRE Laboratory, Software Technologies and Information Systems Department, Constantine 2 University, Constantine, Algeria"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Abdelaziz","family":"Boukellal","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Universit\u00e9 20 ao\u00fbt 1955-Skikda, Skikda, Algeria"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3587-6953","authenticated-orcid":false,"given":"Mohamed Amir","family":"Koalal","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Universit\u00e9 20 ao\u00fbt 1955-Skikda, Skikda, Algeria"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Abdelouahid","family":"Derhab","sequence":"additional","affiliation":[{"name":"Center of Excellence in Information Assurance (COEIA), King Saud University, Riyadh, Saudi Arabia"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Smaine","family":"Mazouzi","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Universit\u00e9 20 ao\u00fbt 1955-Skikda, Skikda, Algeria"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Farrukh Aslam","family":"Khan","sequence":"additional","affiliation":[{"name":"Center of Excellence in Information Assurance (COEIA), King Saud University, Riyadh, Saudi Arabia"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"179","published-online":{"date-parts":[[2019,11,25]]},"reference":[{"issue":"4","key":"bibr1-1550147719889907","first-page":"644","volume":"12","author":"Belaoued M","year":"2016","journal-title":"J Inform Process Syst"},{"key":"bibr4-1550147719889907","doi-asserted-by":"publisher","DOI":"10.1145\/997150.997156"},{"key":"bibr7-1550147719889907","doi-asserted-by":"publisher","DOI":"10.1109\/TSMCC.2009.2037978"},{"key":"bibr8-1550147719889907","first-page":"74","volume-title":"Proceedings of the 2009 3rd Hackers\u2019 workshop on computer and internet security (IITKHACK\u201909)","author":"Vinod P"},{"key":"bibr9-1550147719889907","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-008-0086-0"},{"key":"bibr10-1550147719889907","doi-asserted-by":"publisher","DOI":"10.1145\/2089125.2089126"},{"key":"bibr11-1550147719889907","volume":"22","author":"Aycock J.","year":"2006","journal-title":"Computer viruses and malware"},{"key":"bibr12-1550147719889907","first-page":"82","volume-title":"Proceedings of the 2014 international conference on advanced networking distributed systems and applications","author":"Belaoued M"},{"issue":"2","key":"bibr13-1550147719889907","first-page":"252","volume":"31","author":"Kumar A","year":"2017","journal-title":"J King Saud Univ Comput Inform Sci"},{"key":"bibr14-1550147719889907","first-page":"166","volume-title":"International conference on machine learning for networking","author":"Belaoued M"},{"key":"bibr15-1550147719889907","doi-asserted-by":"publisher","DOI":"10.1007\/s00521-017-3077-6"},{"key":"bibr16-1550147719889907","first-page":"15","volume-title":"Proceedings of the 2019 2nd international conference on geoinformatics and data analysis","author":"Sun Z"},{"key":"bibr17-1550147719889907","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2007.45"},{"key":"bibr18-1550147719889907","first-page":"1","volume-title":"Proceedings of the 2010 international cyber resilience conference","author":"Alazab M"},{"key":"bibr19-1550147719889907","first-page":"1871","volume-title":"Proceedings of the 2010 ACM symposium on applied computing","author":"Bayer U"},{"key":"bibr20-1550147719889907","first-page":"201","volume-title":"Proceedings of the 2010 second international conference on advances in computing, control, and telecommunication technologies","author":"Firdausi I"},{"key":"bibr21-1550147719889907","first-page":"263","volume-title":"Proceedings of the 3rd international conference on security of information and networks","author":"Nair VP"},{"key":"bibr22-1550147719889907","first-page":"399","volume-title":"International conference on detection of intrusions and malware, and vulnerability assessment","author":"Huang W"},{"key":"bibr23-1550147719889907","first-page":"1","volume-title":"Proceedings of the 2016 IEEE symposium on technologies for homeland security (HST)","author":"Mosli R"},{"key":"bibr24-1550147719889907","first-page":"187","volume-title":"Proceedings of the IFIP international conference on digital forensics","author":"Mosli R"},{"key":"bibr25-1550147719889907","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2018.03.072"},{"key":"bibr26-1550147719889907","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2018.05.010"},{"key":"bibr27-1550147719889907","doi-asserted-by":"publisher","DOI":"10.3390\/app9183680"},{"key":"bibr28-1550147719889907","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2017.11.016"},{"key":"bibr29-1550147719889907","first-page":"38","volume-title":"Proceedings of the 2001 IEEE symposium on security and privacy. S&P","author":"Schultz MG"},{"key":"bibr30-1550147719889907","first-page":"1020","volume-title":"Proceedings of the 2010 ACM symposium on applied computing","author":"Sami A"},{"issue":"3","key":"bibr31-1550147719889907","first-page":"965","volume":"31","author":"Lin CT","year":"2015","journal-title":"J Inf Sci Eng"}],"updated-by":[{"DOI":"10.1177\/1550147720901867","type":"correction","label":"Correction","source":"publisher","updated":{"date-parts":[[2020,1,10]],"date-time":"2020-01-10T00:00:00Z","timestamp":1578614400000}}],"container-title":["International Journal of Distributed Sensor Networks"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/journals.sagepub.com\/doi\/pdf\/10.1177\/1550147719889907","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/journals.sagepub.com\/doi\/full-xml\/10.1177\/1550147719889907","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/journals.sagepub.com\/doi\/pdf\/10.1177\/1550147719889907","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,11,25]],"date-time":"2019-11-25T08:09:17Z","timestamp":1574669357000},"score":1,"resource":{"primary":{"URL":"http:\/\/journals.sagepub.com\/doi\/10.1177\/1550147719889907"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,11]]},"references-count":27,"journal-issue":{"issue":"11","published-print":{"date-parts":[[2019,11]]}},"alternative-id":["10.1177\/1550147719889907"],"URL":"https:\/\/doi.org\/10.1177\/1550147719889907","relation":{"correction":[{"id-type":"doi","id":"10.1177\/1550147720901867","asserted-by":"object"}]},"ISSN":["1550-1477","1550-1477"],"issn-type":[{"value":"1550-1477","type":"print"},{"value":"1550-1477","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,11]]}}}