{"id":"https://openalex.org/W3093538749","doi":"https://doi.org/10.1109/tdsc.2020.3032570","title":"RATScope: Recording and Reconstructing Missing RAT Semantic Behaviors for Forensic Analysis on Windows","display_name":"RATScope: Recording and Reconstructing Missing RAT Semantic Behaviors for Forensic Analysis on Windows","publication_year":2020,"publication_date":"2020-10-21","ids":{"openalex":"https://openalex.org/W3093538749","doi":"https://doi.org/10.1109/tdsc.2020.3032570","mag":"3093538749"},"language":"en","primary_location":{"id":"doi:10.1109/tdsc.2020.3032570","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tdsc.2020.3032570","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101512874","display_name":"Runqing Yang","orcid":"https://orcid.org/0000-0002-4183-4568"},"institutions":[{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Runqing Yang","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"],"raw_orcid":"https://orcid.org/0000-0002-4183-4568","affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","institution_ids":["https://openalex.org/I168879160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5035753317","display_name":"Xutong Chen","orcid":"https://orcid.org/0000-0001-9201-3893"},"institutions":[{"id":"https://openalex.org/I111979921","display_name":"Northwestern University","ror":"https://ror.org/000e0be47","country_code":"US","type":"education","lineage":["https://openalex.org/I111979921"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Xutong Chen","raw_affiliation_strings":["Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA"],"raw_orcid":"https://orcid.org/0000-0001-9201-3893","affiliations":[{"raw_affiliation_string":"Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA","institution_ids":["https://openalex.org/I111979921"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5055561370","display_name":"Haitao Xu","orcid":"https://orcid.org/0000-0002-0353-3879"},"institutions":[{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Haitao Xu","raw_affiliation_strings":["School of Cyber Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"],"raw_orcid":"https://orcid.org/0000-0002-0353-3879","affiliations":[{"raw_affiliation_string":"School of Cyber Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","institution_ids":["https://openalex.org/I168879160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5047799795","display_name":"Yueqiang Cheng","orcid":"https://orcid.org/0000-0002-6277-340X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yueqiang Cheng","raw_affiliation_strings":["Baidu Security, CA, USA"],"raw_orcid":"https://orcid.org/0000-0002-6277-340X","affiliations":[{"raw_affiliation_string":"Baidu Security, CA, USA","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5024324179","display_name":"Chunlin Xiong","orcid":"https://orcid.org/0000-0003-4426-3585"},"institutions":[{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Chunlin Xiong","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"],"raw_orcid":"https://orcid.org/0000-0003-4426-3585","affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","institution_ids":["https://openalex.org/I168879160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5074492926","display_name":"Linqi Ruan","orcid":null},"institutions":[{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Linqi Ruan","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"],"raw_orcid":"https://orcid.org/0000-0003-1934-3057","affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","institution_ids":["https://openalex.org/I168879160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5050925843","display_name":"Mohammad Kavousi","orcid":null},"institutions":[{"id":"https://openalex.org/I111979921","display_name":"Northwestern University","ror":"https://ror.org/000e0be47","country_code":"US","type":"education","lineage":["https://openalex.org/I111979921"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Mohammad Kavousi","raw_affiliation_strings":["Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA","institution_ids":["https://openalex.org/I111979921"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5010057779","display_name":"Zhenyuan Li","orcid":"https://orcid.org/0000-0002-7712-0292"},"institutions":[{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhenyuan Li","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"],"raw_orcid":"https://orcid.org/0000-0002-7712-0292","affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","institution_ids":["https://openalex.org/I168879160"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101422057","display_name":"Liheng Xu","orcid":"https://orcid.org/0000-0003-4110-1548"},"institutions":[{"id":"https://openalex.org/I168879160","display_name":"Zhejiang University of Science and Technology","ror":"https://ror.org/05mx0wr29","country_code":"CN","type":"education","lineage":["https://openalex.org/I168879160"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Liheng Xu","raw_affiliation_strings":["College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"College of Computer Science and Technology, Zhejiang University, Hangzhou, Zhejiang, China","institution_ids":["https://openalex.org/I168879160"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100378166","display_name":"Yan Chen","orcid":"https://orcid.org/0000-0003-4103-1498"},"institutions":[{"id":"https://openalex.org/I111979921","display_name":"Northwestern University","ror":"https://ror.org/000e0be47","country_code":"US","type":"education","lineage":["https://openalex.org/I111979921"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yan Chen","raw_affiliation_strings":["Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA"],"raw_orcid":"https://orcid.org/0000-0003-4103-1498","affiliations":[{"raw_affiliation_string":"Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL, USA","institution_ids":["https://openalex.org/I111979921"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":10,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":1.3687,"has_fulltext":false,"cited_by_count":22,"citation_normalized_percentile":{"value":0.81809288,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":99},"biblio":{"volume":"19","issue":"3","first_page":"1621","last_page":"1638"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9994999766349792,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7214709520339966},{"id":"https://openalex.org/keywords/overhead","display_name":"Overhead (engineering)","score":0.7024409770965576},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.4773250222206116},{"id":"https://openalex.org/keywords/event","display_name":"Event (particle physics)","score":0.4190966784954071},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.3682308793067932},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.3319541811943054},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.21809229254722595}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7214709520339966},{"id":"https://openalex.org/C2779960059","wikidata":"https://www.wikidata.org/wiki/Q7113681","display_name":"Overhead (engineering)","level":2,"score":0.7024409770965576},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.4773250222206116},{"id":"https://openalex.org/C2779662365","wikidata":"https://www.wikidata.org/wiki/Q5416694","display_name":"Event (particle physics)","level":2,"score":0.4190966784954071},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3682308793067932},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.3319541811943054},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.21809229254722595},{"id":"https://openalex.org/C62520636","wikidata":"https://www.wikidata.org/wiki/Q944","display_name":"Quantum mechanics","level":1,"score":0.0},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tdsc.2020.3032570","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tdsc.2020.3032570","pdf_url":null,"source":{"id":"https://openalex.org/S133795288","display_name":"IEEE Transactions on Dependable and Secure Computing","issn_l":"1545-5971","issn":["1545-5971","1941-0018","2160-9209"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320439","host_organization_name":"IEEE Computer Society","host_organization_lineage":["https://openalex.org/P4310320439","https://openalex.org/P4310319808"],"host_organization_lineage_names":["IEEE Computer Society","Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Dependable and Secure Computing","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.5099999904632568,"display_name":"Peace, Justice and strong institutions"}],"awards":[{"id":"https://openalex.org/G1317677795","display_name":null,"funder_award_id":"U1936215","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":27,"referenced_works":["https://openalex.org/W2091682045","https://openalex.org/W2096347345","https://openalex.org/W2112127916","https://openalex.org/W2131523719","https://openalex.org/W2135143063","https://openalex.org/W2213728018","https://openalex.org/W2295705535","https://openalex.org/W2397699236","https://openalex.org/W2548593421","https://openalex.org/W2560810941","https://openalex.org/W2579106964","https://openalex.org/W2635012095","https://openalex.org/W2790316935","https://openalex.org/W2790557990","https://openalex.org/W2792591096","https://openalex.org/W2887200831","https://openalex.org/W2947745012","https://openalex.org/W2962703433","https://openalex.org/W2963556271","https://openalex.org/W6601859066","https://openalex.org/W6640826072","https://openalex.org/W6712595259","https://openalex.org/W6743841043","https://openalex.org/W6751629095","https://openalex.org/W6753153400","https://openalex.org/W6754149085","https://openalex.org/W6754333932"],"related_works":["https://openalex.org/W2418291489","https://openalex.org/W2068121105","https://openalex.org/W3096519538","https://openalex.org/W2744747300","https://openalex.org/W4241166160","https://openalex.org/W2384826897","https://openalex.org/W117643398","https://openalex.org/W1997466117","https://openalex.org/W4231592561","https://openalex.org/W2300282708"],"abstract_inverted_index":{"Remote":[0],"Access":[1],"Trojan":[2],"(RAT)":[3],"attacks":[4,21],"have":[5],"become":[6],"an":[7,99,112],"extensively":[8],"prevailing":[9],"and":[10,26,48,128,151,156,203],"serious":[11],"threat":[12],"to":[13,24,72,79,116,136],"enterprise":[14],"security.":[15],"A":[16],"forensic":[17,35,102],"system":[18,103,119,178],"targeting":[19,104],"RAT":[20,49,67,101],"is":[22,75],"needed":[23],"record":[25,118],"reconstruct":[27,137],"fine-grained":[28],"semantic":[29,138],"behaviors":[30,139],"of":[31,61,65,83,140,147],"RATs.":[32],"However,":[33],"existing":[34],"systems":[36],"suffer":[37],"from":[38,70],"various":[39],"issues":[40],"such":[41],"as":[42],"intrusive":[43],"instrumentation,":[44],"nontrivial":[45],"recording":[46,154],"overhead,":[47],"behavior":[50,133,158],"blindness.":[51],"In":[52],"this":[53],"article,":[54],"we":[55,92],"first":[56,77],"conduct":[57],"a":[58,62,130,145],"large-scale":[59],"study":[60,78],"representative":[63],"set":[64],"real-world":[66],"families":[68],"active":[69],"1999":[71],"2016.":[73],"This":[74],"the":[76,81,86,90,153,157,165,188,198],"understand":[80],"landscape":[82],"RATs":[84,141],"in":[85,187,197],"literature.":[87],"Based":[88],"on":[89,175],"study,":[91],"then":[93],"propose":[94],"<sc":[95,108,148],"xmlns:mml=\"http://www.w3.org/1998/Math/MathML\"":[96,109,149,206],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">RATScope</small>":[97,110,150],",":[98],"instrumentation-free":[100],"Windows":[105,126],"platform.":[106],"Specifically,":[107],"offers":[111],"audit":[113,166],"logging":[114,167],"module":[115,168],"efficiently":[117],"logs":[120],"by":[121],"leveraging":[122],"Event":[123],"Tracing":[124],"for":[125],"(ETW),":[127],"provides":[129],"novel":[131],"program":[132],"modeling":[134],"technique":[135],"accurately.":[142],"We":[143],"implement":[144],"prototype":[146],"evaluate":[152],"overhead":[155,174],"identification":[159],"accuracy.":[160],"The":[161],"results":[162],"show":[163],"that":[164],"only":[169],"incurs":[170],"3.7":[171],"percent":[172,183,193],"runtime":[173],"average.":[176],"Our":[177],"can":[179],"achieve":[180],"around":[181,191],"90":[182],"true":[184,194],"positive":[185,195,209],"rate":[186,196],"cross-family":[189],"experiment,":[190,202],"80":[192],"two-year":[199],"spanning":[200],"temporal":[201],"near":[204],"<italic":[205],"xmlns:xlink=\"http://www.w3.org/1999/xlink\">zero</i>":[207],"false":[208],"rate.":[210]},"counts_by_year":[{"year":2025,"cited_by_count":7},{"year":2024,"cited_by_count":6},{"year":2023,"cited_by_count":5},{"year":2022,"cited_by_count":1},{"year":2021,"cited_by_count":1},{"year":2020,"cited_by_count":2}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}