{"id":"https://openalex.org/W4416707471","doi":"https://doi.org/10.1109/tifs.2025.3637727","title":"Mitigating the Impact of Malware Evolution on API Sequence-Based Windows Malware Detectors","display_name":"Mitigating the Impact of Malware Evolution on API Sequence-Based Windows Malware Detectors","publication_year":2025,"publication_date":"2025-11-26","ids":{"openalex":"https://openalex.org/W4416707471","doi":"https://doi.org/10.1109/tifs.2025.3637727"},"language":null,"primary_location":{"id":"doi:10.1109/tifs.2025.3637727","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2025.3637727","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5112126323","display_name":"Wei Xin","orcid":"https://orcid.org/0009-0001-6595-4222"},"institutions":[{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Xingyuan Wei","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I4210165038"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5029512731","display_name":"Ce Li","orcid":"https://orcid.org/0000-0002-4627-6112"},"institutions":[{"id":"https://openalex.org/I180662265","display_name":"China Mobile (China)","ror":"https://ror.org/05gftfe97","country_code":"CN","type":"company","lineage":["https://openalex.org/I180662265"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Ce Li","raw_affiliation_strings":["JIUTIAN Research, China Mobile Beijing, China"],"affiliations":[{"raw_affiliation_string":"JIUTIAN Research, China Mobile Beijing, China","institution_ids":["https://openalex.org/I180662265"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101898339","display_name":"Qiujian Lv","orcid":"https://orcid.org/0000-0003-1031-185X"},"institutions":[{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Qiujian Lv","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I4210165038"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100683169","display_name":"Ning Li","orcid":"https://orcid.org/0000-0002-1894-2720"},"institutions":[{"id":"https://openalex.org/I19820366","display_name":"Chinese Academy of Sciences","ror":"https://ror.org/034t30j35","country_code":"CN","type":"funder","lineage":["https://openalex.org/I19820366"]},{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Ning Li","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I19820366"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5103226403","display_name":"Degang Sun","orcid":"https://orcid.org/0009-0007-6408-2032"},"institutions":[{"id":"https://openalex.org/I4210108629","display_name":"Computer Network Information Center","ror":"https://ror.org/01s0wyf50","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210108629"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Degang Sun","raw_affiliation_strings":["Computer Network Information Center, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Computer Network Information Center, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210108629"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5004315215","display_name":"Yan Wang","orcid":"https://orcid.org/0000-0003-1084-1957"},"institutions":[{"id":"https://openalex.org/I4210156404","display_name":"Institute of Information Engineering","ror":"https://ror.org/04r53se39","country_code":"CN","type":"facility","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210156404"]},{"id":"https://openalex.org/I4210165038","display_name":"University of Chinese Academy of Sciences","ror":"https://ror.org/05qbk4x57","country_code":"CN","type":"education","lineage":["https://openalex.org/I19820366","https://openalex.org/I4210165038"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yan Wang","raw_affiliation_strings":["Institute of Information Engineering, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Institute of Information Engineering, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China","institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I4210165038"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5112126323"],"corresponding_institution_ids":["https://openalex.org/I4210156404","https://openalex.org/I4210165038"],"apc_list":null,"apc_paid":null,"fwci":1.6611,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.88421771,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":91,"max":95},"biblio":{"volume":"21","issue":null,"first_page":"45","last_page":"60"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9909999966621399,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9909999966621399,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.0017999999690800905,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.0015999999595806003,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.9236000180244446},{"id":"https://openalex.org/keywords/cryptovirology","display_name":"Cryptovirology","score":0.5066999793052673},{"id":"https://openalex.org/keywords/semantics","display_name":"Semantics (computer science)","score":0.45559999346733093},{"id":"https://openalex.org/keywords/application-programming-interface","display_name":"Application programming interface","score":0.4047999978065491},{"id":"https://openalex.org/keywords/false-positive-rate","display_name":"False positive rate","score":0.3785000145435333},{"id":"https://openalex.org/keywords/server","display_name":"Server","score":0.36469998955726624}],"concepts":[{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.9236000180244446},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8557999730110168},{"id":"https://openalex.org/C84525096","wikidata":"https://www.wikidata.org/wiki/Q3506050","display_name":"Cryptovirology","level":3,"score":0.5066999793052673},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.45559999346733093},{"id":"https://openalex.org/C99613125","wikidata":"https://www.wikidata.org/wiki/Q165194","display_name":"Application programming interface","level":2,"score":0.4047999978065491},{"id":"https://openalex.org/C95922358","wikidata":"https://www.wikidata.org/wiki/Q5432725","display_name":"False positive rate","level":2,"score":0.3785000145435333},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.36469998955726624},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3499999940395355},{"id":"https://openalex.org/C206345919","wikidata":"https://www.wikidata.org/wiki/Q20380951","display_name":"Resource (disambiguation)","level":2,"score":0.3472000062465668},{"id":"https://openalex.org/C2779395397","wikidata":"https://www.wikidata.org/wiki/Q15731404","display_name":"Malware analysis","level":3,"score":0.3075000047683716},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.2964000105857849},{"id":"https://openalex.org/C2778579508","wikidata":"https://www.wikidata.org/wiki/Q722192","display_name":"System call","level":2,"score":0.27639999985694885},{"id":"https://openalex.org/C2778112365","wikidata":"https://www.wikidata.org/wiki/Q3511065","display_name":"Sequence (biology)","level":2,"score":0.2621000111103058},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.25540000200271606},{"id":"https://openalex.org/C2777027219","wikidata":"https://www.wikidata.org/wiki/Q1284190","display_name":"Constant (computer programming)","level":2,"score":0.2508000135421753}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tifs.2025.3637727","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2025.3637727","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":35,"referenced_works":["https://openalex.org/W191656338","https://openalex.org/W1832693441","https://openalex.org/W2056716515","https://openalex.org/W2070996757","https://openalex.org/W2184957013","https://openalex.org/W2283196293","https://openalex.org/W2464629196","https://openalex.org/W2557513839","https://openalex.org/W2712617220","https://openalex.org/W2780450026","https://openalex.org/W2890092828","https://openalex.org/W2900633536","https://openalex.org/W2969244304","https://openalex.org/W2998010923","https://openalex.org/W3000239448","https://openalex.org/W3006140559","https://openalex.org/W3008201587","https://openalex.org/W3038770761","https://openalex.org/W3045322569","https://openalex.org/W3097730806","https://openalex.org/W3112173953","https://openalex.org/W3178593045","https://openalex.org/W3198240431","https://openalex.org/W3215120663","https://openalex.org/W4205841428","https://openalex.org/W4210345192","https://openalex.org/W4212847133","https://openalex.org/W4221112654","https://openalex.org/W4281398200","https://openalex.org/W4292820477","https://openalex.org/W4312566881","https://openalex.org/W4400314713","https://openalex.org/W4405304483","https://openalex.org/W4407466172","https://openalex.org/W4409136361"],"related_works":[],"abstract_inverted_index":{"In":[0,121],"dynamicWindows":[1],"malware":[2,24,47,55,69,87,142,150],"detection,":[3],"deep":[4],"learning":[5,181],"models":[6,57,155],"are":[7],"extensively":[8],"deployed":[9],"to":[10,28,42,82,98,182,191,246],"analyze":[11],"API":[12,17,38,53,66,92,140,163,168,171],"sequences.":[13],"Methods":[14],"based":[15,116],"on":[16,117,211,229],"sequences":[18,67,93,169],"play":[19],"a":[20,126,134],"crucial":[21],"role":[22],"in":[23,37],"prevention.":[25],"However,":[26],"due":[27],"the":[29,35,43,49,65,83,91,95,118,129,146,157,184,199,207,217,230,242,248,256],"continuous":[30],"updates":[31],"of":[32,46,52,68,94,131,149,160,214,241],"APIs":[33],"and":[34,72,111,144,174,178,205,254],"changes":[36],"sequence":[39],"calls":[40],"leading":[41],"constant":[44],"evolution":[45,74],"variants,":[48],"detection":[50,56,154],"capability":[51],"sequence-based":[54,141],"significantly":[58,197],"diminishes":[59],"over":[60],"time.":[61],"We":[62,237],"observe":[63],"that":[64,136,224],"samples":[70,88,97],"before":[71],"after":[73],"usually":[75],"have":[76],"similar":[77,100,107,158],"malicious":[78,101,114],"semantics.":[79],"Specifically,":[80],"compared":[81,190],"original":[84,119],"samples,":[85],"evolved":[86],"often":[89],"use":[90],"pre-evolution":[96],"achieve":[99],"behaviors.":[102],"For":[103],"instance,":[104],"they":[105],"access":[106],"sensitive":[108],"system":[109,175],"resources":[110],"extend":[112],"new":[113],"functions":[115],"functionalities.":[120],"this":[122],"paper,":[123],"we":[124],"propose":[125],"framework":[127,135,166,195,226],"MME(Mitigating":[128],"impact":[130],"Malware":[132],"Evolution),":[133],"can":[137,196,227],"enhance":[138,183],"existing":[139],"detectors":[143],"mitigate":[145],"adverse":[147],"effects":[148],"evolution.":[151],"To":[152],"help":[153],"capture":[156],"semantics":[159],"these":[161],"post-evolution":[162],"sequences,":[164],"our":[165,194,225],"represents":[167],"using":[170],"knowledge":[172],"graphs":[173],"resource":[176],"encodings":[177],"applies":[179],"contrastive":[180],"model\u2019s":[185],"encoder.":[186],"Results":[187],"indicate":[188],"that,":[189],"regular":[192],"Text-CNN,":[193],"reduce":[198,247],"false":[200,249],"positive":[201,250],"rate":[202,251],"by":[203,209,252,258],"13.10%":[204],"improve":[206,255],"F1-Score":[208,257],"8.47%":[210],"five":[212],"years":[213],"data,":[215],"achieving":[216],"best":[218],"experimental":[219],"results.":[220],"Additionally,":[221],"evaluations":[222],"show":[223],"save":[228],"human":[231],"costs":[232],"required":[233],"for":[234],"model":[235],"maintenance.":[236],"only":[238],"need":[239],"1%":[240],"budget":[243],"per":[244],"month":[245],"11.16%":[253],"6.44%.":[259]},"counts_by_year":[{"year":2025,"cited_by_count":1}],"updated_date":"2026-03-07T16:01:11.037858","created_date":"2025-11-27T00:00:00"}