{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,10]],"date-time":"2026-03-10T22:53:14Z","timestamp":1773183194843,"version":"3.50.1"},"reference-count":117,"publisher":"Zhejiang University Press","issue":"5","license":[{"start":{"date-parts":[[2018,5,1]],"date-time":"2018-05-01T00:00:00Z","timestamp":1525132800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61472437"],"award-info":[{"award-number":["61472437"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["springerlink.com","jzus.zju.edu.cn"],"crossmark-restriction":true},"short-container-title":["Frontiers Inf Technol Electronic Eng"],"published-print":{"date-parts":[[2018,5]]},"DOI":"10.1631\/fitee.1601745","type":"journal-article","created":{"date-parts":[[2018,7,16]],"date-time":"2018-07-16T03:53:11Z","timestamp":1531713191000},"page":"583-603","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":46,"title":["A survey of malware behavior description and 
analysis"],"prefix":"10.1631","volume":"19","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6576-5555","authenticated-orcid":false,"given":"Bo","family":"Yu","sequence":"first","affiliation":[]},{"given":"Ying","family":"Fang","sequence":"additional","affiliation":[]},{"given":"Qiang","family":"Yang","sequence":"additional","affiliation":[]},{"given":"Yong","family":"Tang","sequence":"additional","affiliation":[]},{"given":"Liu","family":"Liu","sequence":"additional","affiliation":[]}],"member":"635","published-online":{"date-parts":[[2018,7,16]]},"reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.10.011"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2014.10.031"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/ctc.2010.8"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1145\/2381896.2381900"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-12571-8_1"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-22110-1_10"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1007\/s10703-012-0149-1"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-74320-0_10"},{"key":"ref10","author":"Barnum","year":"2012","journal-title":"Standardizing cyber threat intelligence information with the structured threat information eXpression (STIX\u2122)"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1145\/2775111"},{"key":"ref12","first-page":"180","article-title":"TTAnalyze: a tool for analyzing malware","volume-title":"Proc 15th Annual Conf of the European Institute for Computer Antivirus Research","author":"Bayer","year":"2006"},{"key":"ref13","first-page":"1","article-title":"Scalable, behavior-based malware clustering","volume-title":"Proc 16th Symp on Network and Distributed System 
Security","author":"Bayer","year":"2009"},{"key":"ref14","first-page":"8","article-title":"A view on current malware behaviors","volume-title":"Proc 2nd USENIX Conf on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More","author":"Bayer","year":"2014"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-16612-9_14"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-33167-1_46"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-19578-0_34"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/2666652.2666666"},{"key":"ref19","author":"Bos","year":"2013","journal-title":"Analysis report of behavioral features"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-68768-1_4"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2016.04.009"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-013-0186-3"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/tdsc.2014.2355839"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/tdsc.2013.40"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1145\/2393596.2393627"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/1342211.1342215"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/qrs.2015.37"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/sp.2010.12"},{"key":"ref29","year":"2017","journal-title":"Cuckoo sandbox"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/ICASSP.2013.6638293"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-015-0261-z"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2015.2491300"},{"key":"ref33","author":"Deschamps","year":"2008","journal-title":"Specification language for code behavior. 
haviour.pdf"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455779"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2013.08.008"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.04.003"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2011.09.002"},{"key":"ref38","first-page":"9","article-title":"Experimental challenges in cyber security: a story of provenance and lineage for malware","volume-title":"Proc 4th Conf on Cyber Security Experimentation and Test","author":"Dumitras","year":"2011"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/2089125.2089126"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.07.004"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635869"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23379"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.30"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.11"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-015-0244-0"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-31128-4_22"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/comsnets.2009.4808876"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1145\/2808128.2808135"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/FUZZY.2011.6007716"},{"issue":"2","key":"ref50","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1007\/s00500-013-1056-0","article-title":"IT2FS-based ontology with soft-computing mechanism for malware behavior analysis","volume":"18","author":"Huang","year":"2014","journal-title":"Soft 
Comput"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/2046684.2046692"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1587\/transinf.e92.d.945"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-04342-0_5"},{"key":"ref54","first-page":"81","article-title":"Towards automatic software lineage inference","volume-title":"Proc 22nd USENIX Conf on Security","author":"Jang","year":"2013"},{"key":"ref55","first-page":"757","article-title":"UNVEIL: a large-scale, automated approach to detecting ransomware","volume-title":"Proc 25th USENIX Security Symp","author":"Kharraz","year":"2016"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813642"},{"key":"ref57","first-page":"287","article-title":"Barecloud: bare-metal analysis-based evasive malware detection","volume-title":"Proc 23rd USENIX Conf on Security Symp","author":"Kirat","year":"2014"},{"key":"ref58","article-title":"Behavior-based spyware detection","volume-title":"Proc 15th Conf on USENIX Security Symp","author":"Kirda","year":"2006"},{"key":"ref59","author":"Kirillov","year":"2011","journal-title":"Malware attribute enumeration and characterization (MAEC\u2122)"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1109\/ict.2016.7500406"},{"key":"ref61","article-title":"Full system emulation: achieving successful automated dynamic analysis of evasive malware","author":"Kruegel","year":"2014","journal-title":"Lastline, Inc., Las Vegas, NV, USA"},{"key":"ref62","first-page":"163","article-title":"K-Tracer: a system for extracting kernel malware behavior","volume-title":"Proc Network and Distributed System Security Symp","author":"Lanzi","year":"2009"},{"key":"ref63","first-page":"90","article-title":"Functional cognitive models of malware identification","volume-title":"Proc 13th Annual Conf on Cognitive 
Modeling","author":"Lebiere","year":"2015"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1109\/malware.2009.5403019"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1007\/s11227-015-1594-6"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23644-0_18"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-48674-1_51"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-87403-4_5"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-10772-6_14"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-015-0297-6"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-28166-7_24"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-016-0281-3"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-10-0287-8_52"},{"key":"ref74","doi-asserted-by":"crossref","first-page":"107","DOI":"10.1007\/978-3-319-15087-1_9","article-title":"AMAL: high-fidelity, behavior-based automated malware analysis and classification","volume-title":"Proc 15th Int Workshop on Information Security 
Applications","author":"Mohaisen","year":"2015"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-29615-4_13"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1109\/sp.2007.17"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/tifs.2015.2469253"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-14215-4_3"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1145\/2808797.2808894"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.1109\/tifs.2013.2242890"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1145\/2523649.2523659"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2013.09.006"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1145\/2746266.2746281"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23328"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2016.08.022"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70542-0_6"},{"issue":"4","key":"ref87","doi-asserted-by":"crossref","first-page":"639","DOI":"10.3233\/JCS-2010-0410","article-title":"Automatic analysis of malware behavior using machine learning","volume":"19","author":"Rieck","year":"2011","journal-title":"J Comput Secur"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1145\/1519065.1519072"},{"key":"ref89","doi-asserted-by":"publisher","DOI":"10.1109\/acsac.2006.38"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1145\/2379690.2379695"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1109\/malware.2014.6999417"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1109\/tifs.2013.2291066"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.1002\/tee.22018"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1109\/crisis.2012.6378949"},{"key":"ref95","volume-title":"A framework for mining significant subgraphs and its application in malware 
analysis","author":"Sirinda","year":"2014"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11203-9_11"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1109\/icpads.2011.78"},{"key":"ref98","first-page":"1","article-title":"Malware identification using cognitively-inspired inference","volume-title":"Proc 24th Annual Behavior Representation in Modeling and Simulation Conf","author":"Thomson","year":"2015"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/vizsec.2009.5375540"},{"key":"ref100","volume-title":"A malware instruction set for behavior-based analysis","author":"Trinius","year":"2011"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1109\/malware.2012.6461003"},{"key":"ref102","first-page":"181","article-title":"Malware clustering based on SNN density using system calls","volume-title":"Proc 1st Int Conf on Cloud Computing and Security","author":"Wang","year":"2015"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-87403-4_2"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1109\/tdsc.2015.2457918"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1109\/asiajcis.2012.18"},{"key":"ref106","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-20550-2_6"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11203-9_10"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.1109\/icse.2015.50"},{"key":"ref109","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-33704-8_20"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.1049\/iet-ifs.2014.0099"},{"key":"ref111","first-page":"1","article-title":"HookFinder: identifying and understanding malware hooking behaviors","volume-title":"Proc Network and Distributed System Security 
Symp","author":"Yin","year":"2008"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1007\/s11227-014-1235-5"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1109\/sp.2015.11"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2016.01.002"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660359"},{"key":"ref116","doi-asserted-by":"publisher","DOI":"10.1049\/iet-ifs.2012.0289"},{"key":"ref117","doi-asserted-by":"publisher","DOI":"10.1109\/sp.2012.16"}],"container-title":["Frontiers of Information Technology & Electronic Engineering"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1631\/FITEE.1601745.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1631\/FITEE.1601745\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1631\/FITEE.1601745.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,21]],"date-time":"2026-02-21T06:57:40Z","timestamp":1771657060000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1631\/FITEE.1601745"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,5]]},"references-count":117,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2018,5]]}},"alternative-id":["1254"],"URL":"https:\/\/doi.org\/10.1631\/fitee.1601745","relation":{},"ISSN":["2095-9184","2095-9230"],"issn-type":[{"value":"2095-9184","type":"print"},{"value":"2095-9230","type":"electronic"}],"subject":[],"published":{"date-parts":[[2018,5]]},"assertion":[{"value":"http:\/\/orcid.org\/0000-0001-6576-5555","URL":"http","order":0,"name":"name","label":"Bo 
YU","group":{"name":"orcid","label":"ORCID"}},{"value":"2016-11-26","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-02-21","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2018-05-08","order":2,"name":"crosschecked","label":"Crosschecked","group":{"name":"publication_history","label":"Publication History"}},{"value":"Review","order":0,"name":"content_type","group":{"name":"content_type","label":"Content Type"}},{"value":"\u00a9 Zhejiang University and Springer-Verlag GmbH Germany, part of Springer Nature 2018","order":0,"name":"copyright","group":{"name":"copyright","label":"Copyright"}}]}}