{"id":"https://openalex.org/W2010440413","doi":"https://doi.org/10.1145/1229285.1229291","title":"Analyzing network traffic to detect self-decrypting exploit code","display_name":"Analyzing network traffic to detect self-decrypting exploit code","publication_year":2007,"publication_date":"2007-03-20","ids":{"openalex":"https://openalex.org/W2010440413","doi":"https://doi.org/10.1145/1229285.1229291","mag":"2010440413"},"language":"en","primary_location":{"id":"doi:10.1145/1229285.1229291","is_oa":false,"landing_page_url":"https://doi.org/10.1145/1229285.1229291","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2nd ACM symposium on Information, computer and communications security","raw_type":"proceedings-article"},"type":"conference-paper","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5100327269","display_name":"Qinghua Zhang","orcid":"https://orcid.org/0000-0002-3815-8108"},"institutions":[{"id":"https://openalex.org/I137902535","display_name":"North Carolina State University","ror":"https://ror.org/04tj63d06","country_code":"US","type":"education","lineage":["https://openalex.org/I137902535"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Qinghua Zhang","raw_affiliation_strings":["North Carolina State University, Raleigh, NC","North Carolina State University, Raleigh, NC;"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"North Carolina State University, Raleigh, NC","institution_ids":["https://openalex.org/I137902535"]},{"raw_affiliation_string":"North Carolina State University, Raleigh, NC;","institution_ids":["https://openalex.org/I137902535"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5030462464","display_name":"Douglas S. Reeves","orcid":"https://orcid.org/0000-0002-1775-0639"},"institutions":[{"id":"https://openalex.org/I137902535","display_name":"North Carolina State University","ror":"https://ror.org/04tj63d06","country_code":"US","type":"education","lineage":["https://openalex.org/I137902535"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Douglas S. Reeves","raw_affiliation_strings":["North Carolina State University, Raleigh, NC","North Carolina State University, Raleigh, NC;"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"North Carolina State University, Raleigh, NC","institution_ids":["https://openalex.org/I137902535"]},{"raw_affiliation_string":"North Carolina State University, Raleigh, NC;","institution_ids":["https://openalex.org/I137902535"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5016753473","display_name":"Peng Ning","orcid":"https://orcid.org/0000-0002-1455-9919"},"institutions":[{"id":"https://openalex.org/I137902535","display_name":"North Carolina State University","ror":"https://ror.org/04tj63d06","country_code":"US","type":"education","lineage":["https://openalex.org/I137902535"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Peng Ning","raw_affiliation_strings":["North Carolina State University, Raleigh, NC","North Carolina State University, Raleigh, NC;"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"North Carolina State University, Raleigh, NC","institution_ids":["https://openalex.org/I137902535"]},{"raw_affiliation_string":"North Carolina State University, Raleigh, NC;","institution_ids":["https://openalex.org/I137902535"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5015651954","display_name":"S. Purushothaman Iyer","orcid":"https://orcid.org/0009-0005-9132-4389"},"institutions":[{"id":"https://openalex.org/I137902535","display_name":"North Carolina State University","ror":"https://ror.org/04tj63d06","country_code":"US","type":"education","lineage":["https://openalex.org/I137902535"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"S. Purushothaman Iyer","raw_affiliation_strings":["North Carolina State University, Raleigh, NC","North Carolina State University, Raleigh, NC;"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"North Carolina State University, Raleigh, NC","institution_ids":["https://openalex.org/I137902535"]},{"raw_affiliation_string":"North Carolina State University, Raleigh, NC;","institution_ids":["https://openalex.org/I137902535"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":1,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I137902535"],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":50,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"4","last_page":"12"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9984999895095825,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.9957000017166138,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.9701057076454163},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8431894779205322},{"id":"https://openalex.org/keywords/obfuscation","display_name":"Obfuscation","score":0.6248109936714172},{"id":"https://openalex.org/keywords/payload","display_name":"Payload (computing)","score":0.6189659833908081},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.613886833190918},{"id":"https://openalex.org/keywords/encryption","display_name":"Encryption","score":0.5904127955436707},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.45727211236953735},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.44645559787750244},{"id":"https://openalex.org/keywords/evasion","display_name":"Evasion (ethics)","score":0.4335523545742035},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.42143696546554565},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.30600976943969727},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.17447909712791443},{"id":"https://openalex.org/keywords/network-packet","display_name":"Network packet","score":0.10343819856643677}],"concepts":[{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.9701057076454163},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8431894779205322},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.6248109936714172},{"id":"https://openalex.org/C134066672","wikidata":"https://www.wikidata.org/wiki/Q1424639","display_name":"Payload (computing)","level":3,"score":0.6189659833908081},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.613886833190918},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.5904127955436707},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.45727211236953735},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.44645559787750244},{"id":"https://openalex.org/C2781251061","wikidata":"https://www.wikidata.org/wiki/Q5416089","display_name":"Evasion (ethics)","level":3,"score":0.4335523545742035},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.42143696546554565},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.30600976943969727},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.17447909712791443},{"id":"https://openalex.org/C158379750","wikidata":"https://www.wikidata.org/wiki/Q214111","display_name":"Network packet","level":2,"score":0.10343819856643677},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0},{"id":"https://openalex.org/C203014093","wikidata":"https://www.wikidata.org/wiki/Q101929","display_name":"Immunology","level":1,"score":0.0},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.0},{"id":"https://openalex.org/C8891405","wikidata":"https://www.wikidata.org/wiki/Q1059","display_name":"Immune system","level":2,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/1229285.1229291","is_oa":false,"landing_page_url":"https://doi.org/10.1145/1229285.1229291","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2nd ACM symposium on Information, computer and communications security","raw_type":"proceedings-article"},{"id":"pmh:oai:CiteSeerX.psu:10.1.1.68.4003","is_oa":false,"landing_page_url":"http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.68.4003","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"http://discovery.csc.ncsu.edu/~pning/pubs/ASIACCS07a.pdf","raw_type":"text"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":23,"referenced_works":["https://openalex.org/W1485086418","https://openalex.org/W1525958661","https://openalex.org/W1552056088","https://openalex.org/W1561880491","https://openalex.org/W1564075167","https://openalex.org/W1571916075","https://openalex.org/W1583560014","https://openalex.org/W2034346354","https://openalex.org/W2035247360","https://openalex.org/W2097174997","https://openalex.org/W2108860402","https://openalex.org/W2114067856","https://openalex.org/W2120361464","https://openalex.org/W2126059122","https://openalex.org/W2126734536","https://openalex.org/W2131523719","https://openalex.org/W2137786570","https://openalex.org/W2153649523","https://openalex.org/W2157153057","https://openalex.org/W2914982603","https://openalex.org/W3153646182","https://openalex.org/W6633665954","https://openalex.org/W7005974818"],"related_works":["https://openalex.org/W2620652965","https://openalex.org/W2024170198","https://openalex.org/W4296272594","https://openalex.org/W2900526031","https://openalex.org/W2728713145","https://openalex.org/W2131332603","https://openalex.org/W2072617132","https://openalex.org/W4360993664","https://openalex.org/W2470029541","https://openalex.org/W2470502009"],"abstract_inverted_index":{"Remotely-launched":[0],"software":[1],"exploits":[2,52,64,186],"are":[3,22,54],"a":[4,66,90,107,191],"common":[5],"way":[6],"for":[7,27,93,103,197],"attackers":[8],"to":[9,69,76,213],"intrude":[10],"into":[11],"vulnerable":[12],"computer":[13],"systems.":[14],"As":[15],"detection":[16,31,72,161,165,193],"techniques":[17,21,26],"improve,":[18],"remote":[19,51],"exploitation":[20],"also":[23],"evolving.":[24],"Recent":[25],"evasion":[28],"of":[29,45,81,106,113,131,138,160,223],"exploit":[30,83,96],"include":[32],"polymorphism":[33],"(code":[34,38],"encryption)":[35],"and":[36,56,122,136,163,172],"meta-morphism":[37],"obfuscation).":[39],"This":[40,98,127],"paper":[41],"addresses":[42],"the":[43,61,77,82,86,104,129,133,139,199,221,224],"problem":[44],"detecting":[46,94],"in":[47,85,158,164,220],"network":[48,87,101,225],"traffic":[49,102],"polymorphic":[50,176,183],"that":[53,57,152],"encrypted,":[55],"self-decrypt":[58],"before":[59],"launching":[60],"intrusion.":[62],"Such":[63],"pose":[65],"great":[67],"challenge":[68],"existing":[70],"malware":[71],"techniques,":[73],"partly":[74],"due":[75],"non-obvious":[78],"starting":[79,134],"location":[80,135],"code":[84,145],"payload.We":[88],"describe":[89],"new":[91],"method":[92,99,118,149,168],"self-decrypting":[95],"codes.":[97],"scans":[100],"presence":[105],"decryption":[108,140,200],"routine,":[109,141],"which":[110,198],"is":[111,146,202,211,217],"characteristic":[112],"such":[114],"exploits.":[115],"The":[116,148,207],"proposed":[117,167],"uses":[119],"static":[120],"analysis":[121],"emulated":[123],"instruction":[124],"execution":[125],"techniques.":[126],"improves":[128],"accuracy":[130],"determining":[132],"instructions":[137],"even":[142],"if":[143],"self-modifying":[144],"used.":[147],"outperforms":[150],"approaches":[151],"have":[153,187],"been":[154,170,188],"previously":[155],"proposed,":[156],"both":[157],"terms":[159],"capabilities,":[162],"accuracy.The":[166],"has":[169],"implemented":[171],"tested":[173],"on":[174],"current":[175],"exploits,":[177],"including":[178,195],"ones":[179],"generated":[180],"by":[181],"state-of-the-art":[182],"engines.":[184],"All":[185],"detected":[189],"(i.e.,":[190],"100%":[192],"rate),":[194],"those":[196],"routine":[201],"dynamically":[203],"coded,":[204],"or":[205],"self-modifying.":[206],"false":[208],"positive":[209],"rate":[210],"close":[212],"0%.":[214],"Running":[215],"time":[216],"approximately":[218],"linear":[219],"size":[222],"payload":[226],"being":[227],"analyzed.":[228]},"counts_by_year":[{"year":2023,"cited_by_count":2},{"year":2022,"cited_by_count":1},{"year":2020,"cited_by_count":1},{"year":2019,"cited_by_count":2},{"year":2017,"cited_by_count":1},{"year":2016,"cited_by_count":2},{"year":2015,"cited_by_count":1},{"year":2014,"cited_by_count":7},{"year":2013,"cited_by_count":2},{"year":2012,"cited_by_count":3}],"updated_date":"2026-07-14T23:27:15.235271","created_date":"2025-10-10T00:00:00"}
