{"id":"https://openalex.org/W7133216332","doi":"https://doi.org/10.1007/s10207-026-01234-0","title":"A hybrid machine learning intrusion detection method for metamorphic malware","display_name":"A hybrid machine learning intrusion detection method for metamorphic malware","publication_year":2026,"publication_date":"2026-03-02","ids":{"openalex":"https://openalex.org/W7133216332","doi":"https://doi.org/10.1007/s10207-026-01234-0"},"language":"en","primary_location":{"id":"doi:10.1007/s10207-026-01234-0","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10207-026-01234-0","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10207-026-01234-0.pdf","source":{"id":"https://openalex.org/S164062316","display_name":"International Journal of Information Security","issn_l":"1615-5262","issn":["1615-5262","1615-5270"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"International Journal of Information Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://link.springer.com/content/pdf/10.1007/s10207-026-01234-0.pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5115061524","display_name":"Victor Manuel Gonz\u00e1lez-Gorr\u00edn","orcid":null},"institutions":[{"id":"https://openalex.org/I138847295","display_name":"Universitat Oberta de Catalunya","ror":"https://ror.org/01f5wp925","country_code":"ES","type":"education","lineage":["https://openalex.org/I138847295"]}],"countries":["ES"],"is_corresponding":true,"raw_author_name":"Victor Manuel Gonz\u00e1lez-Gorr\u00edn","raw_affiliation_strings":["Universitat Oberta de Catalunya (UOC), Rambla Poblenou, 156, Barcelona, 08018, Spain"],"affiliations":[{"raw_affiliation_string":"Universitat Oberta de Catalunya (UOC), Rambla Poblenou, 156, Barcelona, 08018, Spain","institution_ids":["https://openalex.org/I138847295"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5126898936","display_name":"Josep Prieto-Blazquez","orcid":null},"institutions":[{"id":"https://openalex.org/I138847295","display_name":"Universitat Oberta de Catalunya","ror":"https://ror.org/01f5wp925","country_code":"ES","type":"education","lineage":["https://openalex.org/I138847295"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Josep Prieto-Blazquez","raw_affiliation_strings":["Universitat Oberta de Catalunya (UOC), Rambla Poblenou, 156, Barcelona, 08018, Spain"],"affiliations":[{"raw_affiliation_string":"Universitat Oberta de Catalunya (UOC), Rambla Poblenou, 156, Barcelona, 08018, Spain","institution_ids":["https://openalex.org/I138847295"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5115061524"],"corresponding_institution_ids":["https://openalex.org/I138847295"],"apc_list":{"value":2590,"currency":"EUR","value_usd":3190},"apc_paid":{"value":2590,"currency":"EUR","value_usd":3190},"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.80041841,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"25","issue":"2","first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.7421000003814697,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.7421000003814697,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.18610000610351562,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.02930000051856041,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.7080000042915344},{"id":"https://openalex.org/keywords/obfuscation","display_name":"Obfuscation","score":0.5824000239372253},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.5777000188827515},{"id":"https://openalex.org/keywords/random-forest","display_name":"Random forest","score":0.5065000057220459},{"id":"https://openalex.org/keywords/executable","display_name":"Executable","score":0.49410000443458557},{"id":"https://openalex.org/keywords/opcode","display_name":"Opcode","score":0.4138999879360199},{"id":"https://openalex.org/keywords/identification","display_name":"Identification (biology)","score":0.4092999994754791},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.4027999937534332},{"id":"https://openalex.org/keywords/system-call","display_name":"System call","score":0.39820000529289246}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8424000144004822},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.7080000042915344},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.6603999733924866},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5892000198364258},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.5824000239372253},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.5777000188827515},{"id":"https://openalex.org/C169258074","wikidata":"https://www.wikidata.org/wiki/Q245748","display_name":"Random forest","level":2,"score":0.5065000057220459},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.49410000443458557},{"id":"https://openalex.org/C52173422","wikidata":"https://www.wikidata.org/wiki/Q766483","display_name":"Opcode","level":2,"score":0.4138999879360199},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.4092999994754791},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.4027999937534332},{"id":"https://openalex.org/C2778579508","wikidata":"https://www.wikidata.org/wiki/Q722192","display_name":"System call","level":2,"score":0.39820000529289246},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.3950999975204468},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3808000087738037},{"id":"https://openalex.org/C34736171","wikidata":"https://www.wikidata.org/wiki/Q918333","display_name":"Preprocessor","level":2,"score":0.37700000405311584},{"id":"https://openalex.org/C2777667771","wikidata":"https://www.wikidata.org/wiki/Q926331","display_name":"Ransomware","level":3,"score":0.3440000116825104},{"id":"https://openalex.org/C23224414","wikidata":"https://www.wikidata.org/wiki/Q176769","display_name":"Hidden Markov model","level":2,"score":0.3222000002861023},{"id":"https://openalex.org/C2778924833","wikidata":"https://www.wikidata.org/wiki/Q7064603","display_name":"Novelty detection","level":3,"score":0.321399986743927},{"id":"https://openalex.org/C10551718","wikidata":"https://www.wikidata.org/wiki/Q5227332","display_name":"Data pre-processing","level":2,"score":0.30570000410079956},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.2881999909877777},{"id":"https://openalex.org/C177774035","wikidata":"https://www.wikidata.org/wiki/Q1246948","display_name":"Granularity","level":2,"score":0.2815000116825104},{"id":"https://openalex.org/C137524506","wikidata":"https://www.wikidata.org/wiki/Q2247688","display_name":"Anomaly-based intrusion detection system","level":3,"score":0.2797999978065491},{"id":"https://openalex.org/C81669768","wikidata":"https://www.wikidata.org/wiki/Q2359161","display_name":"Precision and recall","level":2,"score":0.27059999108314514},{"id":"https://openalex.org/C136389625","wikidata":"https://www.wikidata.org/wiki/Q334384","display_name":"Supervised learning","level":3,"score":0.26739999651908875},{"id":"https://openalex.org/C98763669","wikidata":"https://www.wikidata.org/wiki/Q176645","display_name":"Markov chain","level":2,"score":0.26159998774528503},{"id":"https://openalex.org/C110083411","wikidata":"https://www.wikidata.org/wiki/Q1744628","display_name":"Statistical classification","level":2,"score":0.2565000057220459},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.2554999887943268},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.25519999861717224},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.25440001487731934},{"id":"https://openalex.org/C2778738651","wikidata":"https://www.wikidata.org/wiki/Q16546687","display_name":"Novelty","level":2,"score":0.25290000438690186},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.2508000135421753}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1007/s10207-026-01234-0","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10207-026-01234-0","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10207-026-01234-0.pdf","source":{"id":"https://openalex.org/S164062316","display_name":"International Journal of Information Security","issn_l":"1615-5262","issn":["1615-5262","1615-5270"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"International Journal of Information Security","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1007/s10207-026-01234-0","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10207-026-01234-0","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10207-026-01234-0.pdf","source":{"id":"https://openalex.org/S164062316","display_name":"International Journal of Information Security","issn_l":"1615-5262","issn":["1615-5262","1615-5270"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"International Journal of Information Security","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W7133216332.pdf"},"referenced_works_count":67,"referenced_works":["https://openalex.org/W290408451","https://openalex.org/W418969867","https://openalex.org/W1497883910","https://openalex.org/W1583484179","https://openalex.org/W1598757778","https://openalex.org/W1661167618","https://openalex.org/W1893133781","https://openalex.org/W1981903823","https://openalex.org/W1996975221","https://openalex.org/W2005662348","https://openalex.org/W2007321142","https://openalex.org/W2114312434","https://openalex.org/W2120418828","https://openalex.org/W2125838338","https://openalex.org/W2129294800","https://openalex.org/W2129531883","https://openalex.org/W2136922672","https://openalex.org/W2144112223","https://openalex.org/W2191468669","https://openalex.org/W2216946510","https://openalex.org/W2474942633","https://openalex.org/W2476429474","https://openalex.org/W2559974467","https://openalex.org/W2598939142","https://openalex.org/W2612186685","https://openalex.org/W2745390745","https://openalex.org/W2783291475","https://openalex.org/W2911964244","https://openalex.org/W2919115771","https://openalex.org/W2921708219","https://openalex.org/W2964051315","https://openalex.org/W3097711322","https://openalex.org/W3099702369","https://openalex.org/W3118316519","https://openalex.org/W3128377237","https://openalex.org/W3130692028","https://openalex.org/W3167041328","https://openalex.org/W3212172514","https://openalex.org/W3216826992","https://openalex.org/W4214575608","https://openalex.org/W4220895840","https://openalex.org/W4226033498","https://openalex.org/W4237049557","https://openalex.org/W4294470244","https://openalex.org/W4295854586","https://openalex.org/W4296010380","https://openalex.org/W4297679085","https://openalex.org/W4300297205","https://openalex.org/W4309089711","https://openalex.org/W4313427720","https://openalex.org/W4365816927","https://openalex.org/W4386387815","https://openalex.org/W4386741428","https://openalex.org/W4389827903","https://openalex.org/W4390317718","https://openalex.org/W4391114985","https://openalex.org/W4391503438","https://openalex.org/W4392029839","https://openalex.org/W4392377655","https://openalex.org/W4393899755","https://openalex.org/W4394629167","https://openalex.org/W4396852356","https://openalex.org/W4399455474","https://openalex.org/W4402297661","https://openalex.org/W4412038333","https://openalex.org/W4413349856","https://openalex.org/W4414284159"],"related_works":[],"abstract_inverted_index":{"Abstract":[0],"Malicious":[1],"software":[2],"conduct":[3],"using":[4,149],"sophisticated":[5],"techniques":[6],"such":[7],"as":[8,176],"obfuscation":[9],"and":[10,51,58,71,79,96,192,210],"anti-analysis":[11],"methods":[12],"to":[13,24,49,76,100],"avoid":[14],"discovery":[15],"is":[16,187],"becoming":[17],"more":[18,85,138],"complex":[19],"for":[20,93,189],"digital":[21],"forensic":[22],"analysts":[23],"deal":[25],"with.":[26],"Using":[27],"these":[28],"advanced":[29,86],"techniques,":[30],"it":[31,45],"has":[32],"previously":[33],"been":[34],"reported":[35],"that":[36,133],"attackers":[37],"have":[38],"successfully":[39],"bypassed":[40],"existing":[41],"security":[42,106],"measures,":[43],"making":[44],"a":[46,112,153,179,205],"constant":[47],"race":[48],"update":[50],"improve":[52],"existent":[53],"Intrusion":[54],"Detection":[55],"Systems":[56],"(IDSs)":[57],"saving":[59],"billions":[60],"of":[61,65,127,131,151,178,195,208,212],"dollars":[62],"in":[63,98],"currency":[64],"losses.":[66],"Traditional":[67],"Signature-based":[68],"IDSs":[69,73,99],"(SIDSs)":[70],"Anomaly-based":[72],"(ABIDSs)":[74],"struggle":[75],"detect":[77],"new":[78],"unknown":[80],"malicious":[81],"threats,":[82],"which":[83],"require":[84],"IDSs.":[87],"These":[88],"challenges":[89],"highlight":[90],"the":[91,104,125,135,160,168,185,190],"need":[92],"continuous":[94],"research":[95],"development":[97],"keep":[101],"up":[102],"with":[103,204],"evolving":[105],"threat":[107],"landscape.":[108],"This":[109,198],"paper":[110],"proposes":[111],"two-stage":[113],"solution":[114],"Machine":[115],"Learning":[116],"(ML)":[117],"detection-method":[118],"approach.":[119],"The":[120],"novelty":[121],"also":[122],"arises":[123],"from":[124,173],"combination":[126],"two":[128],"distinct":[129],"sets":[130],"features":[132,177],"enhance":[134],"final":[136],"outcome":[137],"effectively":[139],"than":[140],"if":[141],"they":[142],"were":[143],"applied":[144],"separately.":[145],"In":[146],"stage":[147,165],"1,":[148],"sequences":[150],"opcodes;":[152],"discrete":[154],"Hidden":[155],"Markov":[156],"Model":[157],"(dHMM)":[158],"validates":[159],"input":[161],"data":[162],"set;":[163],"while":[164],"2":[166],"uses":[167],"Portable":[169],"Executable":[170],"(PE)":[171],"sections":[172],"executable":[174],"files":[175],"Random":[180],"Forest":[181],"(RF)":[182],".":[183],"Ultimately,":[184],"RF":[186],"responsible":[188],"classification":[191],"detection":[193],"purposes":[194],"metamorphic":[196],"malware.":[197],"hybrid":[199],"approach":[200],"provided":[201],"promising":[202],"results":[203],"precision":[206],"rate":[207],"100%":[209],"accuracy":[211],"95%.":[213]},"counts_by_year":[],"updated_date":"2026-03-11T06:11:40.159057","created_date":"2026-03-03T00:00:00"}