{"id":"https://openalex.org/W4417299436","doi":"https://doi.org/10.1109/ecrime66972.2025.11327864","title":"Family Ties: A Close Look at the Influence of Static Features on the Precision of Malware Family Clustering","display_name":"Family Ties: A Close Look at the Influence of Static Features on the Precision of Malware Family Clustering","publication_year":2025,"publication_date":"2025-11-04","ids":{"openalex":"https://openalex.org/W4417299436","doi":"https://doi.org/10.1109/ecrime66972.2025.11327864"},"language":"en","primary_location":{"id":"doi:10.1109/ecrime66972.2025.11327864","is_oa":false,"landing_page_url":"https://doi.org/10.1109/ecrime66972.2025.11327864","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 APWG Symposium on Electronic Crime Research (eCrime)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://hal.science/hal-05405015","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5032151753","display_name":"Antonino Vitale","orcid":"https://orcid.org/0009-0002-8452-4532"},"institutions":[{"id":"https://openalex.org/I1902872","display_name":"EURECOM","ror":"https://ror.org/00sse7z02","country_code":"FR","type":"education","lineage":["https://openalex.org/I1902872","https://openalex.org/I205703379"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Antonino Vitale","raw_affiliation_strings":["EURECOM","Eurecom [Sophia Antipolis] (Campus SophiaTech, 450 Route des Chappes, CS 50193 - 06904 Biot Sophia Antipolis cedex - France)"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"EURECOM","institution_ids":[]},{"raw_affiliation_string":"Eurecom [Sophia Antipolis] (Campus SophiaTech, 450 Route des Chappes, CS 50193 - 06904 Biot Sophia Antipolis cedex - France)","institution_ids":["https://openalex.org/I1902872"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5090995963","display_name":"Kevin van Liebergen","orcid":"https://orcid.org/0000-0003-3454-1692"},"institutions":[{"id":"https://openalex.org/I4210162154","display_name":"IMDEA Software Institute","ror":"https://ror.org/04xvfkh51","country_code":"ES","type":"facility","lineage":["https://openalex.org/I105140100","https://openalex.org/I4210162154"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Kevin van Liebergen","raw_affiliation_strings":["IMDEA Software Institute","Institute IMDEA Software [Madrid] (Campus de Montegancedo 28223 Pozuelo de Alarc\u00f3n Madrid - Spain)"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"IMDEA Software Institute","institution_ids":[]},{"raw_affiliation_string":"Institute IMDEA Software [Madrid] (Campus de Montegancedo 28223 Pozuelo de Alarc\u00f3n Madrid - Spain)","institution_ids":["https://openalex.org/I4210162154"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101938709","display_name":"Juan Caballero","orcid":"https://orcid.org/0000-0003-2962-1348"},"institutions":[{"id":"https://openalex.org/I4210162154","display_name":"IMDEA Software Institute","ror":"https://ror.org/04xvfkh51","country_code":"ES","type":"facility","lineage":["https://openalex.org/I105140100","https://openalex.org/I4210162154"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Juan Caballero","raw_affiliation_strings":["IMDEA Software Institute","Institute IMDEA Software [Madrid] (Campus de Montegancedo 28223 Pozuelo de Alarc\u00f3n Madrid - Spain)"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"IMDEA Software Institute","institution_ids":[]},{"raw_affiliation_string":"Institute IMDEA Software [Madrid] (Campus de Montegancedo 28223 Pozuelo de Alarc\u00f3n Madrid - Spain)","institution_ids":["https://openalex.org/I4210162154"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5025601945","display_name":"Savino Dambra","orcid":"https://orcid.org/0000-0002-0988-9366"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Savino Dambra","raw_affiliation_strings":["Gen Digital"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Gen Digital","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5046448226","display_name":"Platon Kotzias","orcid":"https://orcid.org/0000-0003-3375-6069"},"institutions":[{"id":"https://openalex.org/I4210135209","display_name":"Centerforce","ror":"https://ror.org/02tcncc65","country_code":"US","type":"nonprofit","lineage":["https://openalex.org/I4210135209"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Platon Kotzias","raw_affiliation_strings":["BforeAI","BforeAI (United States)"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"BforeAI","institution_ids":[]},{"raw_affiliation_string":"BforeAI (United States)","institution_ids":["https://openalex.org/I4210135209"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5030403848","display_name":"Simone Aonzo","orcid":"https://orcid.org/0000-0001-9547-3502"},"institutions":[{"id":"https://openalex.org/I1902872","display_name":"EURECOM","ror":"https://ror.org/00sse7z02","country_code":"FR","type":"education","lineage":["https://openalex.org/I1902872","https://openalex.org/I205703379"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Simone Aonzo","raw_affiliation_strings":["EURECOM","Eurecom [Sophia Antipolis] (Campus SophiaTech, 450 Route des Chappes, CS 50193 - 06904 Biot Sophia Antipolis cedex - France)"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"EURECOM","institution_ids":[]},{"raw_affiliation_string":"Eurecom [Sophia Antipolis] (Campus SophiaTech, 450 Route des Chappes, CS 50193 - 06904 Biot Sophia Antipolis cedex - France)","institution_ids":["https://openalex.org/I1902872"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5002025561","display_name":"Davide Balzarotti","orcid":"https://orcid.org/0000-0001-5957-6213"},"institutions":[{"id":"https://openalex.org/I1902872","display_name":"EURECOM","ror":"https://ror.org/00sse7z02","country_code":"FR","type":"education","lineage":["https://openalex.org/I1902872","https://openalex.org/I205703379"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Davide Balzarotti","raw_affiliation_strings":["EURECOM","Eurecom [Sophia Antipolis] (Campus SophiaTech, 450 Route des Chappes, CS 50193 - 06904 Biot Sophia Antipolis cedex - France)"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"EURECOM","institution_ids":[]},{"raw_affiliation_string":"Eurecom [Sophia Antipolis] (Campus SophiaTech, 450 Route des Chappes, CS 50193 - 06904 Biot Sophia Antipolis cedex - France)","institution_ids":["https://openalex.org/I1902872"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":7,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.421159,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"13"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9059000015258789,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9059000015258789,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.02449999935925007,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.01600000075995922,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.8783000111579895},{"id":"https://openalex.org/keywords/cluster-analysis","display_name":"Cluster analysis","score":0.8496000170707703},{"id":"https://openalex.org/keywords/fuzzy-clustering","display_name":"Fuzzy clustering","score":0.48649999499320984},{"id":"https://openalex.org/keywords/leverage","display_name":"Leverage (statistics)","score":0.47450000047683716},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.42980000376701355},{"id":"https://openalex.org/keywords/malware-analysis","display_name":"Malware analysis","score":0.4284999966621399},{"id":"https://openalex.org/keywords/hash-function","display_name":"Hash function","score":0.37560001015663147},{"id":"https://openalex.org/keywords/feature","display_name":"Feature (linguistics)","score":0.35830000042915344}],"concepts":[{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.8783000111579895},{"id":"https://openalex.org/C73555534","wikidata":"https://www.wikidata.org/wiki/Q622825","display_name":"Cluster analysis","level":2,"score":0.8496000170707703},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7628999948501587},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.6057000160217285},{"id":"https://openalex.org/C17212007","wikidata":"https://www.wikidata.org/wiki/Q5511111","display_name":"Fuzzy clustering","level":3,"score":0.48649999499320984},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.47450000047683716},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.42980000376701355},{"id":"https://openalex.org/C2779395397","wikidata":"https://www.wikidata.org/wiki/Q15731404","display_name":"Malware analysis","level":3,"score":0.4284999966621399},{"id":"https://openalex.org/C99138194","wikidata":"https://www.wikidata.org/wiki/Q183427","display_name":"Hash function","level":2,"score":0.37560001015663147},{"id":"https://openalex.org/C2776401178","wikidata":"https://www.wikidata.org/wiki/Q12050496","display_name":"Feature (linguistics)","level":2,"score":0.35830000042915344},{"id":"https://openalex.org/C186767784","wikidata":"https://www.wikidata.org/wiki/Q5162841","display_name":"Consensus clustering","level":5,"score":0.3400000035762787},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.33239999413490295},{"id":"https://openalex.org/C164866538","wikidata":"https://www.wikidata.org/wiki/Q367351","display_name":"Cluster (spacecraft)","level":2,"score":0.3319999873638153},{"id":"https://openalex.org/C103278499","wikidata":"https://www.wikidata.org/wiki/Q254465","display_name":"Similarity (geometry)","level":3,"score":0.325300008058548},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3237999975681305},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.30720001459121704},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.3050999939441681},{"id":"https://openalex.org/C58166","wikidata":"https://www.wikidata.org/wiki/Q224821","display_name":"Fuzzy logic","level":2,"score":0.2847999930381775},{"id":"https://openalex.org/C2780009758","wikidata":"https://www.wikidata.org/wiki/Q6804172","display_name":"Measure (data warehouse)","level":2,"score":0.2791999876499176},{"id":"https://openalex.org/C192209626","wikidata":"https://www.wikidata.org/wiki/Q190909","display_name":"Focus (optics)","level":2,"score":0.2711000144481659}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1109/ecrime66972.2025.11327864","is_oa":false,"landing_page_url":"https://doi.org/10.1109/ecrime66972.2025.11327864","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 APWG Symposium on Electronic Crime Research (eCrime)","raw_type":"proceedings-article"},{"id":"pmh:oai:HAL:hal-05405015v1","is_oa":true,"landing_page_url":"https://hal.science/hal-05405015","pdf_url":null,"source":{"id":"https://openalex.org/S4306402512","display_name":"HAL (Le Centre pour la Communication Scientifique Directe)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1294671590","host_organization_name":"Centre National de la Recherche Scientifique","host_organization_lineage":["https://openalex.org/I1294671590"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"APWG eCrime 2025, Cybercrimes Only AI and Crimebots can Dream of, Nov 2025, San Diego, United States","raw_type":"Conference papers"},{"id":"pmh:oai:fr.eurecom:8519","is_oa":false,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4377196942","display_name":"Graduate School and Research Center in Digital Science (EURECOM)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1902872","host_organization_name":"EURECOM","host_organization_lineage":["https://openalex.org/I1902872"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"APWG eCrime 2025, Cybercrimes Only AI and Crimebots can Dream of, 4-7 November 2025, San Diego, USA","raw_type":"Conference"}],"best_oa_location":{"id":"pmh:oai:HAL:hal-05405015v1","is_oa":true,"landing_page_url":"https://hal.science/hal-05405015","pdf_url":null,"source":{"id":"https://openalex.org/S4306402512","display_name":"HAL (Le Centre pour la Communication Scientifique Directe)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1294671590","host_organization_name":"Centre National de la Recherche Scientifique","host_organization_lineage":["https://openalex.org/I1294671590"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"APWG eCrime 2025, Cybercrimes Only AI and Crimebots can Dream of, Nov 2025, San Diego, United States","raw_type":"Conference papers"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Malware":[0],"family":[1,33],"clustering":[2,34,71,84,223,239],"plays":[3],"a":[4,25,152,216],"crucial":[5],"role":[6],"in":[7,119],"many":[8],"security":[9],"tasks,":[10],"including":[11,41],"malware":[12,32,93,110,135,197,222],"analysis,":[13],"classification,":[14],"labeling,":[15],"triage,":[16],"threat":[17,114],"hunting,":[18],"and":[19,59,116,157,181,193,203,232,237],"lineage":[20],"studies.":[21],"This":[22],"work":[23],"takes":[24],"close":[26],"look":[27],"at":[28],"the":[29,98,145,159,179,183,209,227],"influence":[30],"on":[31,154,196],"of":[35,109,144,176,178,186,229],"11":[36,81],"popular":[37],"static":[38,221],"similarity":[39],"features,":[40,58,147],"whole-file":[42],"fuzzy":[43],"hashes":[44,49],"(e.g.,":[45,50],"SSDeep,":[46],"TLSH),":[47],"structural":[48],"PE":[51],"Hash,":[52,54],"Import":[53],"VirusTotal\u2019s":[55],"VHash),":[56],"certificate-based":[57],"icon-based":[60],"features.":[61],"Our":[62,171,213],"goal":[63],"is":[64],"not":[65],"to":[66,76,91,107,165,207],"propose":[67],"new":[68],"features":[69,82,180],"or":[70],"approaches.":[72],"Instead,":[73],"we":[74,126,200,211],"aim":[75],"measure":[77,148],"how":[78],"often":[79,105],"these":[80],"make":[83],"errors,":[85,103],"i.e.,":[86],"cluster":[87,138],"together":[88],"samples":[89,140,167],"belonging":[90],"different":[92,169],"families.":[94,170],"We":[95,137],"also":[96],"investigate":[97],"root":[99],"causes":[100],"behind":[101],"those":[102,139],"which":[104],"lead":[106],"misinterpretations":[108],"relationships,":[111],"hinder":[112],"effective":[113],"detection,":[115],"propagate":[117],"inaccuracies":[118],"downstream":[120],"analyses.":[121],"To":[122],"study":[123],"this":[124],"phenomenon,":[125],"leverage":[127],"three":[128],"public":[129],"datasets":[130],"comprising":[131],"79,993":[132],"labeled":[133],"Windows":[134],"samples.":[136],"by":[141,225],"using":[142],"each":[143],"analyzed":[146],"their":[149,155],"accuracy":[150],"with":[151],"focus":[153],"precision,":[156],"examine":[158],"reasons":[160],"that":[161],"caused":[162],"some":[163,177],"clusters":[164],"contain":[166],"from":[168],"analysis":[172],"identifies":[173],"intrinsic":[174],"limitations":[175],"highlights":[182],"severe":[184],"impact":[185],"EXE-building":[187],"tools":[188],"(like":[189],"software":[190],"protectors,":[191],"installers,":[192],"self-extracting":[194],"archives)":[195],"clustering.":[198],"Finally,":[199],"discuss":[201],"mitigations":[202],"evaluate":[204],"potential":[205],"improvements":[206],"address":[208],"problems":[210],"observed.":[212],"findings":[214],"provide":[215],"critical":[217],"foundation":[218],"for":[219,235],"improving":[220],"methodologies":[224],"emphasizing":[226],"importance":[228],"dataset":[230],"curation":[231],"feature":[233],"refinement":[234],"robust":[236],"precise":[238],"outcomes.":[240]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-12-10T00:00:00"}