{"id":"https://openalex.org/W2091618476","doi":"https://doi.org/10.1145/1698750.1698752","title":"Stealthy malware detection and monitoring through VMM-based \u201cout-of-the-box\u201d semantic view reconstruction","display_name":"Stealthy malware detection and monitoring through VMM-based \u201cout-of-the-box\u201d semantic view reconstruction","publication_year":2010,"publication_date":"2010-02-01","ids":{"openalex":"https://openalex.org/W2091618476","doi":"https://doi.org/10.1145/1698750.1698752","mag":"2091618476"},"language":"en","primary_location":{"id":"doi:10.1145/1698750.1698752","is_oa":false,"landing_page_url":"https://doi.org/10.1145/1698750.1698752","pdf_url":null,"source":{"id":"https://openalex.org/S2642811","display_name":"ACM Transactions on Information and System Security","issn_l":"1094-9224","issn":["1094-9224","1557-7406"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Information and System Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5109035300","display_name":"Xuxian Jiang","orcid":null},"institutions":[{"id":"https://openalex.org/I137902535","display_name":"North Carolina State University","ror":"https://ror.org/04tj63d06","country_code":"US","type":"education","lineage":["https://openalex.org/I137902535"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Xuxian Jiang","raw_affiliation_strings":["North Carolina State University, Raleigh, NC","North Carolina State University, Raleigh, NC;"],"affiliations":[{"raw_affiliation_string":"North Carolina State University, Raleigh, NC","institution_ids":["https://openalex.org/I137902535"]},{"raw_affiliation_string":"North Carolina State University, Raleigh, NC;","institution_ids":["https://openalex.org/I137902535"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100634221","display_name":"Xinyuan Wang","orcid":"https://orcid.org/0009-0006-8330-342X"},"institutions":[{"id":"https://openalex.org/I162714631","display_name":"George Mason University","ror":"https://ror.org/02jqj7156","country_code":"US","type":"education","lineage":["https://openalex.org/I162714631"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Xinyuan Wang","raw_affiliation_strings":["George Mason University, Fairfax, VA"],"affiliations":[{"raw_affiliation_string":"George Mason University, Fairfax, VA","institution_ids":["https://openalex.org/I162714631"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5108280598","display_name":"Dongyan Xu","orcid":null},"institutions":[{"id":"https://openalex.org/I219193219","display_name":"Purdue University West Lafayette","ror":"https://ror.org/02dqehb95","country_code":"US","type":"education","lineage":["https://openalex.org/I219193219"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Dongyan Xu","raw_affiliation_strings":["Purdue University, West Lafayette, IN"],"affiliations":[{"raw_affiliation_string":"Purdue University, West Lafayette, IN","institution_ids":["https://openalex.org/I219193219"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5109035300"],"corresponding_institution_ids":["https://openalex.org/I137902535"],"apc_list":null,"apc_paid":null,"fwci":13.1949,"has_fulltext":false,"cited_by_count":93,"citation_normalized_percentile":{"value":0.99263399,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":94,"max":100},"biblio":{"volume":"13","issue":"2","first_page":"1","last_page":"28"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.8845788240432739},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8461419343948364},{"id":"https://openalex.org/keywords/semantic-gap","display_name":"Semantic gap","score":0.7374326586723328},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.5134357213973999},{"id":"https://openalex.org/keywords/system-call","display_name":"System call","score":0.5095215439796448},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5073215365409851},{"id":"https://openalex.org/keywords/black-box","display_name":"Black box","score":0.43544524908065796},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.2808833122253418},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.2604060173034668},{"id":"https://openalex.org/keywords/image","display_name":"Image (mathematics)","score":0.09029945731163025}],"concepts":[{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.8845788240432739},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8461419343948364},{"id":"https://openalex.org/C86034646","wikidata":"https://www.wikidata.org/wiki/Q474311","display_name":"Semantic gap","level":4,"score":0.7374326586723328},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.5134357213973999},{"id":"https://openalex.org/C2778579508","wikidata":"https://www.wikidata.org/wiki/Q722192","display_name":"System call","level":2,"score":0.5095215439796448},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5073215365409851},{"id":"https://openalex.org/C94966114","wikidata":"https://www.wikidata.org/wiki/Q29256","display_name":"Black box","level":2,"score":0.43544524908065796},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.2808833122253418},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.2604060173034668},{"id":"https://openalex.org/C115961682","wikidata":"https://www.wikidata.org/wiki/Q860623","display_name":"Image (mathematics)","level":2,"score":0.09029945731163025},{"id":"https://openalex.org/C1667742","wikidata":"https://www.wikidata.org/wiki/Q10927554","display_name":"Image retrieval","level":3,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/1698750.1698752","is_oa":false,"landing_page_url":"https://doi.org/10.1145/1698750.1698752","pdf_url":null,"source":{"id":"https://openalex.org/S2642811","display_name":"ACM Transactions on Information and System Security","issn_l":"1094-9224","issn":["1094-9224","1557-7406"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Information and System Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.6800000071525574,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[{"id":"https://openalex.org/G894026168","display_name":null,"funder_award_id":"CNS-0716376CNS-0716444CNS-0546173","funder_id":"https://openalex.org/F4320337388","funder_display_name":"Division of Computer and Network Systems"}],"funders":[{"id":"https://openalex.org/F4320337388","display_name":"Division of Computer and Network Systems","ror":"https://ror.org/02rdzmk74"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":37,"referenced_works":["https://openalex.org/W94181602","https://openalex.org/W103986934","https://openalex.org/W161166442","https://openalex.org/W198543417","https://openalex.org/W1495241705","https://openalex.org/W1500546894","https://openalex.org/W1510508184","https://openalex.org/W1513333205","https://openalex.org/W1516211918","https://openalex.org/W1516506771","https://openalex.org/W1522250664","https://openalex.org/W1548740378","https://openalex.org/W1591055603","https://openalex.org/W1641762327","https://openalex.org/W1742385376","https://openalex.org/W1813040609","https://openalex.org/W1986071441","https://openalex.org/W2029224396","https://openalex.org/W2110320325","https://openalex.org/W2111015674","https://openalex.org/W2112731379","https://openalex.org/W2114402262","https://openalex.org/W2117882778","https://openalex.org/W2131726714","https://openalex.org/W2138830053","https://openalex.org/W2142892618","https://openalex.org/W2155750598","https://openalex.org/W2166004296","https://openalex.org/W2167337769","https://openalex.org/W2171527796","https://openalex.org/W2295705535","https://openalex.org/W4206796831","https://openalex.org/W4232895233","https://openalex.org/W4244704438","https://openalex.org/W4245671428","https://openalex.org/W6630877225","https://openalex.org/W6631155369"],"related_works":["https://openalex.org/W2439951656","https://openalex.org/W1573526548","https://openalex.org/W1998188341","https://openalex.org/W3176864451","https://openalex.org/W4360982091","https://openalex.org/W2053632570","https://openalex.org/W3211525895","https://openalex.org/W2187910102","https://openalex.org/W2128507946","https://openalex.org/W4389341938"],"abstract_inverted_index":{"An":[0],"alarming":[1],"trend":[2],"in":[3,227,257],"recent":[4,64],"malware":[5,20,75,244,252,266,281],"incidents":[6],"is":[7,38,102,145],"that":[8,39,132,188,211],"they":[9,40,46,85],"are":[10,47],"armed":[11],"with":[12,268,302],"stealthy":[13],"techniques":[14],"to":[15,53,147,201],"detect,":[16],"evade,":[17],"and":[18,56,125,155,178,224,246,254,272,274,282,312],"subvert":[19],"detection":[21,55,76,245,253,270],"facilities":[22,77],"of":[23,33,79,92,98,127,158,173,204,263,296],"the":[24,27,43,74,80,90,94,99,114,122,134,163,167,189,209,213,219,228,231,235],"victim.":[25],"On":[26],"defensive":[28],"side,":[29],"a":[30,109,159,289,294],"fundamental":[31],"limitation":[32],"traditional":[34],"host-based":[35],"antimalware":[36],"systems":[37],"run":[41],"inside":[42],"very":[44],"hosts":[45],"protecting":[48],"(\u201cin-the-box\u201d),":[49],"making":[50],"them":[51],"vulnerable":[52],"counter":[54],"subversion":[57],"by":[58,104],"malware.":[59],"To":[60],"address":[61],"this":[62,118],"limitation,":[63],"solutions":[65],"based":[66],"on":[67,180,293],"virtual":[68,181],"machine":[69,182],"(VM)":[70],"technologies":[71],"advocate":[72],"placing":[73],"outside":[78],"protected":[81],"VM":[82,160,185],"(\u201cout-of-the-box\u201d).":[83],"However,":[84],"gain":[86],"tamper":[87],"resistance":[88],"at":[89],"cost":[91],"losing":[93],"internal":[95,149],"semantic":[96,115,135,150,171,190,232,236],"view":[97,143,191,199,250],"host,":[100],"which":[101],"enjoyed":[103],"\u201cin-the-box\u201d":[105],"approaches.":[106],"This":[107],"poses":[108],"technical":[110],"challenge":[111],"known":[112],"as":[113,216,218],"gap.":[116],"In":[117],"article,":[119],"we":[120,196,240],"present":[121],"design,":[123],"implementation,":[124],"evaluation":[126,300],"VMwatcher":[128,291],"\u2014an":[129],"\u201cout-of-the-box\u201d":[130,261],"approach":[131],"overcomes":[133],"gap":[136,237],"challenge.":[137],"A":[138],"new":[139,168],"technique":[140,169],"called":[141],"guest":[142,174,198],"casting":[144,200],"developed":[146],"reconstruct":[148,202],"views":[151],"(e.g.,":[152,208],"files,":[153],"processes,":[154],"kernel":[156],"modules)":[157],"nonintrusively":[161],"from":[162],"outside.":[164],"More":[165],"specifically,":[166],"casts":[170],"definitions":[172],"OS":[175],"data":[176],"structures":[177],"functions":[179],"monitor":[183],"(VMM)-level":[184],"states,":[186],"so":[187],"can":[192],"be":[193],"reconstructed.":[194],"Furthermore,":[195],"extend":[197],"details":[203],"system":[205,214,220,277],"call":[206,215,221,278],"events":[207],"process":[210],"makes":[212],"well":[217],"number,":[222],"parameters,":[223],"return":[225],"value)":[226],"VM,":[229],"enriching":[230],"view.":[233],"With":[234],"effectively":[238],"narrowed,":[239],"identify":[241],"three":[242],"unique":[243],"monitoring":[247,279],"capabilities:":[248],"(i)":[249],"comparison-based":[251],"its":[255],"demonstration":[256],"rootkit":[258],"detection;":[259],"(ii)":[260],"deployment":[262],"off-the-shelf":[264],"anti":[265],"software":[267],"improved":[269],"accuracy":[271],"tamper-resistance;":[273],"(iii)":[275],"nonintrusive":[276],"for":[280],"intrusion":[283],"behavior":[284],"observation.":[285],"We":[286],"have":[287],"implemented":[288],"proof-of-concept":[290],"prototype":[292],"number":[295],"VMM":[297],"platforms.":[298],"Our":[299],"experiments":[301],"real-world":[303],"malware,":[304],"including":[305],"elusive":[306],"kernel-level":[307],"rootkits,":[308],"demonstrate":[309],"VMwatcher's":[310],"practicality":[311],"effectiveness.":[313]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":2},{"year":2023,"cited_by_count":4},{"year":2022,"cited_by_count":3},{"year":2021,"cited_by_count":2},{"year":2020,"cited_by_count":4},{"year":2019,"cited_by_count":5},{"year":2018,"cited_by_count":4},{"year":2017,"cited_by_count":6},{"year":2016,"cited_by_count":6},{"year":2015,"cited_by_count":10},{"year":2014,"cited_by_count":5},{"year":2013,"cited_by_count":18},{"year":2012,"cited_by_count":14}],"updated_date":"2026-04-04T16:13:02.066488","created_date":"2025-10-10T00:00:00"}