{"id":"https://openalex.org/W2557716486","doi":"https://doi.org/10.1109/tifs.2016.2631905","title":"ALDOCX: Detection of Unknown Malicious Microsoft Office Documents Using Designated Active Learning Methods Based on New Structural Feature Extraction Methodology","display_name":"ALDOCX: Detection of Unknown Malicious Microsoft Office Documents Using Designated Active Learning Methods Based on New Structural Feature Extraction Methodology","publication_year":2016,"publication_date":"2016-12-01","ids":{"openalex":"https://openalex.org/W2557716486","doi":"https://doi.org/10.1109/tifs.2016.2631905","mag":"2557716486"},"language":"en","primary_location":{"id":"doi:10.1109/tifs.2016.2631905","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2016.2631905","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5006355294","display_name":"Nir Nissim","orcid":"https://orcid.org/0000-0003-0652-8861"},"institutions":[{"id":"https://openalex.org/I124227911","display_name":"Ben-Gurion University of the Negev","ror":"https://ror.org/05tkyf982","country_code":"IL","type":"education","lineage":["https://openalex.org/I124227911"]}],"countries":["IL"],"is_corresponding":true,"raw_author_name":"Nir Nissim","raw_affiliation_strings":["Malware Laboratory, Cyber Security Research Center, Ben-Gurion University of the Negev, Beer-Sheva, Israel"],"affiliations":[{"raw_affiliation_string":"Malware Laboratory, Cyber Security Research Center, Ben-Gurion University of the Negev, Beer-Sheva, Israel","institution_ids":["https://openalex.org/I124227911"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5035352952","display_name":"Aviad Cohen","orcid":"https://orcid.org/0000-0001-9976-0525"},"institutions":[{"id":"https://openalex.org/I124227911","display_name":"Ben-Gurion University of the Negev","ror":"https://ror.org/05tkyf982","country_code":"IL","type":"education","lineage":["https://openalex.org/I124227911"]}],"countries":["IL"],"is_corresponding":false,"raw_author_name":"Aviad Cohen","raw_affiliation_strings":["Malware Laboratory, Cyber Security Research Center, Ben-Gurion University of the Negev, Beer-Sheva, Israel"],"affiliations":[{"raw_affiliation_string":"Malware Laboratory, Cyber Security Research Center, Ben-Gurion University of the Negev, Beer-Sheva, Israel","institution_ids":["https://openalex.org/I124227911"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5072913672","display_name":"Yuval Elovici","orcid":"https://orcid.org/0000-0002-9641-128X"},"institutions":[{"id":"https://openalex.org/I124227911","display_name":"Ben-Gurion University of the Negev","ror":"https://ror.org/05tkyf982","country_code":"IL","type":"education","lineage":["https://openalex.org/I124227911"]}],"countries":["IL"],"is_corresponding":false,"raw_author_name":"Yuval Elovici","raw_affiliation_strings":["Malware Laboratory, Cyber Security Research Center, Ben-Gurion University of the Negev, Beer-Sheva, Israel"],"affiliations":[{"raw_affiliation_string":"Malware Laboratory, Cyber Security Research Center, Ben-Gurion University of the Negev, Beer-Sheva, Israel","institution_ids":["https://openalex.org/I124227911"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5006355294"],"corresponding_institution_ids":["https://openalex.org/I124227911"],"apc_list":null,"apc_paid":null,"fwci":6.5567,"has_fulltext":false,"cited_by_count":98,"citation_normalized_percentile":{"value":0.9746338,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":94,"max":100},"biblio":{"volume":"12","issue":"3","first_page":"631","last_page":"646"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9990000128746033,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.9940000176429749,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8800837993621826},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.6574438810348511},{"id":"https://openalex.org/keywords/feature-extraction","display_name":"Feature extraction","score":0.5678900480270386},{"id":"https://openalex.org/keywords/word","display_name":"Word (group theory)","score":0.5608500242233276},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.5516020059585571},{"id":"https://openalex.org/keywords/feature","display_name":"Feature (linguistics)","score":0.5168164968490601},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.44852346181869507},{"id":"https://openalex.org/keywords/information-extraction","display_name":"Information extraction","score":0.41492199897766113},{"id":"https://openalex.org/keywords/microsoft-office","display_name":"Microsoft Office","score":0.41112056374549866},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.3240329623222351},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.22729411721229553}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8800837993621826},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.6574438810348511},{"id":"https://openalex.org/C52622490","wikidata":"https://www.wikidata.org/wiki/Q1026626","display_name":"Feature extraction","level":2,"score":0.5678900480270386},{"id":"https://openalex.org/C90805587","wikidata":"https://www.wikidata.org/wiki/Q10944557","display_name":"Word (group theory)","level":2,"score":0.5608500242233276},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.5516020059585571},{"id":"https://openalex.org/C2776401178","wikidata":"https://www.wikidata.org/wiki/Q12050496","display_name":"Feature (linguistics)","level":2,"score":0.5168164968490601},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.44852346181869507},{"id":"https://openalex.org/C195807954","wikidata":"https://www.wikidata.org/wiki/Q1662562","display_name":"Information extraction","level":2,"score":0.41492199897766113},{"id":"https://openalex.org/C523788702","wikidata":"https://www.wikidata.org/wiki/Q11255","display_name":"Microsoft Office","level":2,"score":0.41112056374549866},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3240329623222351},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.22729411721229553},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0},{"id":"https://openalex.org/C41895202","wikidata":"https://www.wikidata.org/wiki/Q8162","display_name":"Linguistics","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tifs.2016.2631905","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2016.2631905","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":24,"referenced_works":["https://openalex.org/W435900364","https://openalex.org/W1515539475","https://openalex.org/W1547190066","https://openalex.org/W1575078351","https://openalex.org/W1666672054","https://openalex.org/W1972531058","https://openalex.org/W2028187843","https://openalex.org/W2029674613","https://openalex.org/W2050855115","https://openalex.org/W2060514845","https://openalex.org/W2069350935","https://openalex.org/W2084264686","https://openalex.org/W2115638030","https://openalex.org/W2140679654","https://openalex.org/W2153635508","https://openalex.org/W2172058372","https://openalex.org/W2261775381","https://openalex.org/W2294932870","https://openalex.org/W2401293755","https://openalex.org/W2486441280","https://openalex.org/W4285719527","https://openalex.org/W6637001620","https://openalex.org/W6713000815","https://openalex.org/W6722672228"],"related_works":["https://openalex.org/W2097492617","https://openalex.org/W2753240997","https://openalex.org/W1764168690","https://openalex.org/W2537959205","https://openalex.org/W2740895074","https://openalex.org/W2772446090","https://openalex.org/W4284893819","https://openalex.org/W3152891574","https://openalex.org/W2249809453","https://openalex.org/W4316881845"],"abstract_inverted_index":{"Attackers":[0],"increasingly":[1],"take":[2],"advantage":[3],"of":[4,59,184,209,233,243,272,276],"innocent":[5],"users":[6],"who":[7],"tend":[8],"to":[9,15,37,119,141,240],"casually":[10],"open":[11],"email":[12],"messages":[13],"assumed":[14],"be":[16],"benign,":[17],"carrying":[18],"malicious":[19,41,44,62,110,128,210],"documents.":[20],"Recent":[21],"targeted":[22],"attacks":[23],"aimed":[24,55],"at":[25,56],"organizations":[26],"utilize":[27],"the":[28,69,121,181,186,190,217,234,252,256,283,287,296,302],"new":[29,39,60,79,108,127,161],"Microsoft":[30],"Word":[31],"documents":[32],"(*.docx).":[33],"Anti-virus":[34],"software":[35,219,304],"fails":[36],"detect":[38],"unknown":[40,61,109,277],"files,":[42,237],"including":[43],"docx":[45,63,93,111,162,211,236,278],"files.":[46,94,112,174],"In":[47,113],"this":[48],"paper,":[49],"we":[50,100,203],"present":[51],"ALDOCX,":[52],"a":[53,102,205,241,269],"framework":[54],"accurate":[57],"detection":[58,71,103,122,155,187,207,297],"files":[64,129,163,176,212],"that":[65,105,164,197],"also":[66,267],"efficiently":[67,142],"enhances":[68],"framework's":[70],"capabilities":[72],"over":[73],"time.":[74],"Detection":[75],"relies":[76],"upon":[77],"our":[78,134],"structural":[80],"feature":[81],"extraction":[82],"methodology":[83],"(SFEM),":[84],"which":[85,138,238],"is":[86,117],"performed":[87],"statically":[88],"using":[89,199],"meta-features":[90],"extracted":[91],"from":[92],"Using":[95],"machine-learning":[96],"algorithms":[97],"with":[98,216,251,282],"SFEM,":[99,202],"created":[101,130],"model":[104,188],"successfully":[106],"detects":[107],"addition,":[114],"because":[115],"it":[116],"crucial":[118],"maintain":[120],"model's":[123],"updatability":[124],"and":[125,153,159,189,201,255,286],"incorporate":[126],"daily,":[131],"ALDOCX":[132,157,200],"integrates":[133],"active-learning":[135,262],"(AL)":[136],"methods,":[137],"are":[139,165,177],"designed":[140],"assist":[143],"anti-virus":[144,191,218,303],"vendors":[145],"by":[146,198],"better":[147],"focusing":[148],"their":[149],"experts'":[150,247],"analytical":[151],"efforts":[152,249],"enhance":[154],"capability.":[156],"identifies":[158],"acquires":[160],"most":[166],"likely":[167],"malicious,":[168],"as":[169,171,299,301],"well":[170,300],"informative":[172],"benign":[173],"These":[175],"used":[178,230,306],"for":[179,295],"enhancing":[180],"knowledge":[182],"stores":[183],"both":[185],"software.":[192],"The":[193],"evaluation":[194],"results":[195],"show":[196],"achieved":[204],"high":[206],"rate":[208],"(94.44%":[213],"TPR)":[214],"compared":[215,250,281],"(85.9%":[220],"TPR)-with":[221],"very":[222],"low":[223],"FPR":[224],"rates":[225],"(0.19%).":[226],"ALDOCX's":[227],"AL":[228,265],"methods":[229,266],"only":[231],"14%":[232],"labeled":[235],"led":[239],"reduction":[242],"95.5%":[244],"in":[245,274],"security":[246],"labeling":[248],"passive":[253,284],"learning":[254,285],"support":[257],"vector":[258],"machine":[259],"(SVM)-Margin":[260],"(existing":[261],"method).":[263],"Our":[264],"showed":[268],"significant":[270],"improvement":[271],"91%":[273],"number":[275],"malware":[279],"acquired,":[280],"SVM-Margin,":[288],"thus":[289],"providing":[290],"an":[291],"improved":[292],"updating":[293],"solution":[294],"model,":[298],"widely":[305],"within":[307],"organizations.":[308]},"counts_by_year":[{"year":2025,"cited_by_count":8},{"year":2024,"cited_by_count":15},{"year":2023,"cited_by_count":11},{"year":2022,"cited_by_count":10},{"year":2021,"cited_by_count":14},{"year":2020,"cited_by_count":14},{"year":2019,"cited_by_count":14},{"year":2018,"cited_by_count":10},{"year":2017,"cited_by_count":2}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}