{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:02:25Z","timestamp":1777806145787,"version":"3.51.4"},"reference-count":64,"publisher":"SAGE Publications","issue":"6","license":[{"start":{"date-parts":[[2021,8,27]],"date-time":"2021-08-27T00:00:00Z","timestamp":1630022400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2021,10,27]]},"abstract":"<jats:p>In this paper we present a graph-based framework that, utilizing relations between groups of system calls, detects whether an unknown software sample is malicious or benign, and classifies malicious software into one of a set of known malware families. In our approach we propose a novel graph representation of dependency graphs that captures their structural evolution over time by constructing sequential graph instances, the so-called Temporal Graphs. The partitions of the temporal evolution of a graph, defined by specific time-slots, result in different types of graph representations based upon the information we capture across its evolution. The proposed graph-based framework utilizes the proposed types of temporal graphs, computing similarity metrics over various graph characteristics in order to conduct the malware detection and classification procedures. 
Finally, we evaluate the detection rates and the classification ability of our proposed graph-based framework by conducting a series of experiments over a set of known malware samples pre-classified into malware families.<\/jats:p>","DOI":"10.3233\/jcs-210057","type":"journal-article","created":{"date-parts":[[2021,8,27]],"date-time":"2021-08-27T12:32:29Z","timestamp":1630067549000},"page":"651-688","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":2,"title":["A graph-based framework for malicious software detection and classification utilizing temporal-graphs"],"prefix":"10.1177","volume":"29","author":[{"given":"Helen-Maria","family":"Dounavi","sequence":"first","affiliation":[{"name":"Department of Computer Science & Engineering, University of Ioannina, Ioannina, Greece. E-mails:\u00a0,\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Anna","family":"Mpanti","sequence":"additional","affiliation":[{"name":"Department of Computer Science & Engineering, University of Ioannina, Ioannina, Greece. E-mails:\u00a0,\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Stavros D.","family":"Nikolopoulos","sequence":"additional","affiliation":[{"name":"Department of Computer Science & Engineering, University of Ioannina, Ioannina, Greece. E-mails:\u00a0,\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Iosif","family":"Polenakis","sequence":"additional","affiliation":[{"name":"Department of Computer Science & Engineering, University of Ioannina, Ioannina, Greece. 
E-mails:\u00a0,\u00a0,\u00a0,\u00a0"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"179","published-online":{"date-parts":[[2021,8,27]]},"reference":[{"key":"ref001","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2017.8323959"},{"key":"ref002","doi-asserted-by":"crossref","unstructured":"L.\u00a0Aneja and S.\u00a0Babbar, Research trends in malware detection on Android devices, in: International Conference on Recent Developments in Science, Engineering and Technology, Springer, 2017, pp.\u00a0629\u2013642.","DOI":"10.1007\/978-981-10-8527-7_53"},{"key":"ref003","doi-asserted-by":"crossref","unstructured":"D.\u00a0Babic, D.\u00a0Reynaud and D.\u00a0Song, Malware analysis with tree automata inference, in: Proceedings of the 23rd International Conference on Computer Aided Verification (CAV\u201911), 2011, pp.\u00a0116\u2013131.","DOI":"10.1007\/978-3-642-22110-1_10"},{"key":"ref004","doi-asserted-by":"crossref","unstructured":"S.\u00a0Basole, F.\u00a0Di Troia and M.\u00a0Stamp, Multifamily malware models,\n                      Journal of Computer Virology and Hacking Techniques\n                      1\n                      (14) (2020).","DOI":"10.1007\/s11416-019-00345-8"},{"key":"ref005","doi-asserted-by":"crossref","unstructured":"M.L.\u00a0Bernardi, M.\u00a0Cimitile, D.\u00a0Distante, F.\u00a0Martinelli and F.\u00a0Mercaldo, Dynamic malware detection and phylogeny analysis using process mining,\n                      International Journal of Information Security\n                      1\n                      (28) (2018).","DOI":"10.1007\/s10207-018-0415-3"},{"key":"ref006","doi-asserted-by":"crossref","unstructured":"A.\u00a0Bulazel and B.\u00a0Yener, A survey on automated dynamic malware analysis evasion and counter-evasion: PC, mobile, and web, in: Proceedings of the 1st Reversing and Offensive-Oriented Trends Symposium, ACM, 2017, 
pp.\u00a01\u201321.","DOI":"10.1145\/3150376.3150378"},{"key":"ref007","doi-asserted-by":"crossref","unstructured":"R.\u00a0Canzanese, M.\u00a0Kam and S.\u00a0Mancoridis, Toward an automatic, online behavioral malware classification system, in: 2013 IEEE 7th International Conference on Self-Adaptive and Self-Organizing Systems, IEEE, 2013, pp.\u00a0111\u2013120.","DOI":"10.1109\/SASO.2013.8"},{"key":"ref008","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-015-0261-z"},{"key":"ref009","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-016-0274-2"},{"key":"ref010","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Ding, X.\u00a0Xia, S.\u00a0Chen and Y.\u00a0Li, A malware detection method based on family behavior graph, in: Computers and Security, Vol.\u00a073, Elsevier, 2018, pp.\u00a073\u201386.","DOI":"10.1016\/j.cose.2017.10.007"},{"key":"ref011","doi-asserted-by":"publisher","DOI":"10.1016\/j.sysarc.2019.01.017"},{"key":"ref012","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-73951-9_9"},{"key":"ref013","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-019-00330-1"},{"key":"ref014","doi-asserted-by":"publisher","DOI":"10.1109\/RIOS.2016.7529495"},{"key":"ref015","doi-asserted-by":"crossref","unstructured":"V.\u00a0Garg and R.K.\u00a0Yadav, Malware detection based on API calls frequency, in: 2019 4th International Conference on Information Systems and Computer Networks, (ISCON), IEEE, 2019, pp.\u00a0400\u2013404.","DOI":"10.1109\/ISCON47742.2019.9036219"},{"key":"ref016","doi-asserted-by":"publisher","DOI":"10.1109\/SAI.2016.7556114"},{"key":"ref017","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-75408-6_26"},{"key":"ref018","doi-asserted-by":"crossref","unstructured":"K.\u00a0Grosse, N.\u00a0Papernot, P.\u00a0Manoharan, M.\u00a0Backes and P.\u00a0McDaniel, Adversarial examples for malware detection, in: European Symposium on Research in Computer Security, Springer, Cham, 2017, 
pp.\u00a062\u201379.","DOI":"10.1007\/978-3-319-66399-9_4"},{"key":"ref019","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-016-0278-y"},{"key":"ref020","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-018-0314-1"},{"key":"ref021","doi-asserted-by":"publisher","DOI":"10.1145\/3029806.3029824"},{"key":"ref022","doi-asserted-by":"crossref","unstructured":"X.\u00a0Hu, T.\u00a0Chiueh and K.G.\u00a0Shin, Large-scale malware indexing using function-call graphs, in: Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS\u201909), 2009, pp.\u00a0611\u2013620.","DOI":"10.1145\/1653662.1653736"},{"key":"ref023","doi-asserted-by":"crossref","unstructured":"R.\u00a0Islam, R.\u00a0Tian, L.\u00a0Batten and S.\u00a0Versteeg, Classification of malware based on string and function feature selection, in: Proceedings of the Cybercrime and Trustworthy Computing and Workshop (CTC\u201910), 2010, pp.\u00a09\u201317.","DOI":"10.1109\/CTC.2010.11"},{"key":"ref024","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-008-0086-0"},{"key":"ref025","doi-asserted-by":"publisher","DOI":"10.1109\/ISEA-ISAP49340.2020.235015"},{"key":"ref026","doi-asserted-by":"publisher","DOI":"10.1007\/s10586-017-1110-2"},{"key":"ref027","doi-asserted-by":"crossref","unstructured":"B.\u00a0Kolosnjaji, G.\u00a0Eraisha, G.\u00a0Webster, A.\u00a0Zarras and C.\u00a0Eckert, Empowering convolutional networks for malware classification and analysis, in: Neural Networks (IJCNN), 2017 International Joint Conference on, IEEE, 2017, pp.\u00a03838\u20133845.","DOI":"10.1109\/IJCNN.2017.7966340"},{"key":"ref028","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-017-0309-3"},{"key":"ref029","doi-asserted-by":"publisher","DOI":"10.1016\/j.jksuci.2017.01.003"},{"key":"ref030","doi-asserted-by":"crossref","unstructured":"A.M.\u00a0Lajevardi, S.\u00a0Parsa and M.J.\u00a0Amiri, Markhor: malware detection using fuzzy similarity of system call dependency sequences,\n                      
Journal of Computer Virology and Hacking Techniques\n                      1\n                      (10) (2021).","DOI":"10.1007\/s11416-021-00383-1"},{"key":"ref031","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2017.11.010"},{"key":"ref032","doi-asserted-by":"publisher","DOI":"10.1587\/transinf.2017EDL8172"},{"key":"ref033","doi-asserted-by":"publisher","DOI":"10.1587\/transinf.2016EDL8230"},{"key":"ref034","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-10-5146-3_24"},{"key":"ref035","first-page":"22","volume":"3","author":"Mathur K.","year":"2013","journal-title":"Journal of Advanced Research in Computer Science and Software Engineering"},{"key":"ref036","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-016-0279-x"},{"key":"ref037","doi-asserted-by":"crossref","unstructured":"A.\u00a0Mohaisen, A.G.\u00a0West, A.\u00a0Mankin and O.\u00a0Alrawi, Chatter: Classifying malware families using system event ordering, in: 2014 IEEE Conference on Communications and Network, Security, IEEE, 2014, pp.\u00a0283\u2013291.","DOI":"10.1109\/CNS.2014.6997496"},{"key":"ref038","doi-asserted-by":"crossref","unstructured":"J.\u00a0Moubarak, M.\u00a0Chamoun and E.\u00a0Filiol, Comparative study of recent MEA malware phylogeny, in: Computer and Communication Systems (ICCCS), 2017 2nd International Conference on, IEEE, 2017, pp.\u00a016\u201320.","DOI":"10.1109\/CCOMS.2017.8075178"},{"key":"ref039","doi-asserted-by":"crossref","unstructured":"A.\u00a0Mpanti, S.D.\u00a0Nikolopoulos and I.\u00a0Polenakis, A graph-based model for malicious software detection exploiting domination relations between system-call groups, in: Proceedings of the 19th Int\u2019l Conference on Computer Systems and Technologies, ACM, 2018.","DOI":"10.1145\/3274005.3274028"},{"key":"ref040","doi-asserted-by":"crossref","unstructured":"S.D.\u00a0Mukesh, J.A.\u00a0Raval and H.\u00a0Upadhyay, Real-time framework for malware detection using machine learning technique, in: International Conference on 
Information and Communication Technology for Intelligent Systems, Springer, 2017, pp.\u00a0173\u2013182.","DOI":"10.1007\/978-3-319-63673-3_21"},{"key":"ref041","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-015-0253-z"},{"key":"ref042","doi-asserted-by":"crossref","unstructured":"L.\u00a0Nataraj, S.\u00a0Karthikeyan, G.\u00a0Jacob and B.S.\u00a0Manjunath, Malware images: Visualization and automatic classification, in: Proceedings of the 8th Int\u2019l Symposium on Visualization for Cyber Security (VizSec\u201911), 2011, pp.\u00a04\u201311.","DOI":"10.1145\/2016904.2016908"},{"key":"ref043","doi-asserted-by":"publisher","DOI":"10.1145\/2046684.2046689"},{"key":"ref044","doi-asserted-by":"publisher","DOI":"10.1145\/2812428.2812432"},{"key":"ref045","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-016-0267-1"},{"key":"ref046","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Park, D.\u00a0Reeves, V.\u00a0Mulukutla and B.\u00a0Sundaravel, Fast malware classification by automated behavioral graph matching, in: Proceedings of the 6th ACM Annual Workshop on Cyber Security and Information Intelligence Research (CSIIRW\u201910), 2010, pp.\u00a045\u201349.","DOI":"10.1145\/1852666.1852716"},{"key":"ref047","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2017.10.005"},{"key":"ref048","first-page":"74","volume":"12","author":"Rad B.B.","year":"2012","journal-title":"Journal of Computer Science and Network Security"},{"key":"ref049","doi-asserted-by":"publisher","DOI":"10.1109\/ICWR49608.2020.9122312"},{"key":"ref050","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70542-0_6"},{"key":"ref051","doi-asserted-by":"crossref","unstructured":"A.\u00a0Sami, B.\u00a0Yadegari, H.\u00a0Rahimi, N.\u00a0Peiravian, S.\u00a0Hashemi and A.\u00a0Hamze, Malware detection based on mining API calls, in: Proceedings of the 2010 ACM Symposium on Applied Computing, 2010, 
pp.\u00a01020\u20131025.","DOI":"10.1145\/1774088.1774303"},{"key":"ref052","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2016.2536605"},{"key":"ref053","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-93411-2_1"},{"key":"ref054","unstructured":"M.\u00a0Sikorski and A.\u00a0Honig, Practical Malware Analysis: The Hands-on Guide to Dissecting Malicious Software, No Starch Press, 2012."},{"key":"ref055","doi-asserted-by":"publisher","DOI":"10.1186\/s13673-018-0125-x"},{"key":"ref056","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101773"},{"key":"ref057","unstructured":"G.\u00a0Sun and Q.\u00a0Qian, Deep learning and visualization for identifying malware families,\n                      IEEE Transactions on Dependable and Secure Computing\n                      (2018)."},{"key":"ref058","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-93638-3_48"},{"key":"ref059","doi-asserted-by":"publisher","DOI":"10.1145\/2590296.2590319"},{"key":"ref060","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-20550-2_6"},{"key":"ref061","doi-asserted-by":"crossref","unstructured":"F.\u00a0Xiao, Z.\u00a0Lin, Y.\u00a0Sun and Y.\u00a0Ma, Malware detection based on deep learning of behavior graphs,\n                      Mathematical Problems in Engineering\n                      (2019).","DOI":"10.1155\/2019\/8195395"},{"key":"ref062","doi-asserted-by":"crossref","unstructured":"F.\u00a0Xiao, Y.\u00a0Sun, D.\u00a0Du, X.\u00a0Li and M.\u00a0Luo, A novel malware classification method based on crucial behaviour,\n                      Mathematical Problems in Engineering\n                      (2020).","DOI":"10.1155\/2020\/6804290"},{"key":"ref063","doi-asserted-by":"crossref","unstructured":"I.\u00a0You and K.\u00a0Yim, Malware obfuscation techniques: A brief survey, in: Proceedings of the 5th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA\u201910), 2010, 
pp.\u00a0297\u2013300.","DOI":"10.1109\/BWCCA.2010.85"},{"key":"ref064","doi-asserted-by":"crossref","unstructured":"Y.\u00a0Zhong, H.\u00a0Yamaki and H.\u00a0Takakura, A malware classification method based on similarity of function structure, in: 2012 IEEE\/IPSJ 12th International Symposium on Applications and the Internet, IEEE, 2012, pp.\u00a0256\u2013261.","DOI":"10.1109\/SAINT.2012.48"}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-210057","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-210057","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-210057","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:29Z","timestamp":1777495529000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-210057"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,8,27]]},"references-count":64,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2021,10,27]]}},"alternative-id":["10.3233\/JCS-210057"],"URL":"https:\/\/doi.org\/10.3233\/jcs-210057","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,8,27]]}}}