{"id":"https://openalex.org/W1985663105","doi":"https://doi.org/10.1145/2808769.2808773","title":"Malicious Behavior Detection using Windows Audit Logs","display_name":"Malicious Behavior Detection using Windows Audit Logs","publication_year":2015,"publication_date":"2015-10-06","ids":{"openalex":"https://openalex.org/W1985663105","doi":"https://doi.org/10.1145/2808769.2808773","mag":"1985663105"},"language":"en","primary_location":{"id":"doi:10.1145/2808769.2808773","is_oa":false,"landing_page_url":"https://doi.org/10.1145/2808769.2808773","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 8th ACM Workshop on Artificial Intelligence and Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5059139229","display_name":"Konstantin Berlin","orcid":"https://orcid.org/0000-0001-9682-604X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Konstantin Berlin","raw_affiliation_strings":["Invincea Labs, LLC, Arlington, VA, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Invincea Labs, LLC, Arlington, VA, USA","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5078412347","display_name":"David Slater","orcid":"https://orcid.org/0000-0001-5639-0253"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"David Slater","raw_affiliation_strings":["Invincea Labs, LLC, Arlington, VA, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Invincea Labs, LLC, Arlington, VA, USA","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5055990462","display_name":"Joshua Saxe","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Joshua Saxe","raw_affiliation_strings":["Invincea Labs, LLC, Arlington, VA, USA"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Invincea Labs, LLC, Arlington, VA, USA","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":3,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":6.6624,"has_fulltext":false,"cited_by_count":88,"citation_normalized_percentile":{"value":0.9692285,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"35","last_page":"44"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.9988999962806702,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.8290863037109375},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7117262482643127},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.7006620168685913},{"id":"https://openalex.org/keywords/audit","display_name":"Audit","score":0.6442091464996338},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.6226152777671814},{"id":"https://openalex.org/keywords/host","display_name":"Host (biology)","score":0.4288121461868286},{"id":"https://openalex.org/keywords/government","display_name":"Government (linguistics)","score":0.4271019697189331},{"id":"https://openalex.org/keywords/audit-trail","display_name":"Audit trail","score":0.4110633134841919},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.13554978370666504}],"concepts":[{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.8290863037109375},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7117262482643127},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.7006620168685913},{"id":"https://openalex.org/C199521495","wikidata":"https://www.wikidata.org/wiki/Q181487","display_name":"Audit","level":2,"score":0.6442091464996338},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.6226152777671814},{"id":"https://openalex.org/C126831891","wikidata":"https://www.wikidata.org/wiki/Q221673","display_name":"Host (biology)","level":2,"score":0.4288121461868286},{"id":"https://openalex.org/C2778137410","wikidata":"https://www.wikidata.org/wiki/Q2732820","display_name":"Government (linguistics)","level":2,"score":0.4271019697189331},{"id":"https://openalex.org/C80958533","wikidata":"https://www.wikidata.org/wiki/Q1047174","display_name":"Audit trail","level":3,"score":0.4110633134841919},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.13554978370666504},{"id":"https://openalex.org/C41895202","wikidata":"https://www.wikidata.org/wiki/Q8162","display_name":"Linguistics","level":1,"score":0.0},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C121955636","wikidata":"https://www.wikidata.org/wiki/Q4116214","display_name":"Accounting","level":1,"score":0.0},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0},{"id":"https://openalex.org/C18903297","wikidata":"https://www.wikidata.org/wiki/Q7150","display_name":"Ecology","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/2808769.2808773","is_oa":false,"landing_page_url":"https://doi.org/10.1145/2808769.2808773","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 8th ACM Workshop on Artificial Intelligence and Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":28,"referenced_works":["https://openalex.org/W94487276","https://openalex.org/W187572568","https://openalex.org/W250426404","https://openalex.org/W607505555","https://openalex.org/W1583975142","https://openalex.org/W1595409123","https://openalex.org/W1941427975","https://openalex.org/W1973211701","https://openalex.org/W1981221397","https://openalex.org/W1983949504","https://openalex.org/W1987593503","https://openalex.org/W1990089904","https://openalex.org/W2005662348","https://openalex.org/W2037017056","https://openalex.org/W2057787526","https://openalex.org/W2060692877","https://openalex.org/W2066220442","https://openalex.org/W2067724436","https://openalex.org/W2074891727","https://openalex.org/W2097360283","https://openalex.org/W2129860818","https://openalex.org/W2132874238","https://openalex.org/W2135046866","https://openalex.org/W2151135920","https://openalex.org/W2169492277","https://openalex.org/W2484102177","https://openalex.org/W3136699861","https://openalex.org/W4294541781"],"related_works":["https://openalex.org/W1827256152","https://openalex.org/W3016595359","https://openalex.org/W2351252967","https://openalex.org/W2388271354","https://openalex.org/W2767429772","https://openalex.org/W2060920843","https://openalex.org/W2400358291","https://openalex.org/W2620598574","https://openalex.org/W3105682467","https://openalex.org/W1997350207"],"abstract_inverted_index":{"As":[0],"antivirus":[1,166,184],"and":[2,41,46,57,135,138,171],"network":[3],"intrusion":[4],"detection":[5,75,113,130],"systems":[6,131],"have":[7,19],"increasingly":[8],"proven":[9],"insufficient":[10],"to":[11,21,55,62,110,124,142],"detect":[12],"advanced":[13],"threats,":[14],"large":[15],"security":[16],"operations":[17],"centers":[18],"moved":[20],"deploy":[22],"endpoint-based":[23],"sensors":[24],"that":[25,94],"provide":[26,107,119],"deeper":[27],"visibility":[28],"into":[29],"low-level":[30],"events":[31],"across":[32],"their":[33],"enterprises.":[34],"Unfortunately,":[35],"for":[36],"many":[37,133],"organizations":[38],"in":[39,132,144,174],"government":[40,134],"industry,":[42],"the":[43,71,82,105],"installation,":[44],"maintenance,":[45],"resource":[47],"requirements":[48],"of":[49,73,76,114,149,179],"these":[50],"newer":[51],"solutions":[52],"pose":[53],"barriers":[54],"adoption":[56],"are":[58],"perceived":[59],"as":[60,89],"risks":[61],"organizations'":[63],"missions.":[64],"To":[65],"mitigate":[66],"this":[67],"problem":[68],"we":[69],"investigated":[70],"utility":[72],"agentless":[74],"malicious":[77,115],"endpoint":[78],"behavior,":[79],"using":[80],"only":[81],"standard":[83],"built-in":[84],"Windows":[85,95],"audit":[86,96],"logging":[87],"facility":[88],"our":[90,145,175],"signal.":[91],"We":[92],"found":[93],"logs,":[97],"while":[98],"emitting":[99],"manageable":[100],"sized":[101],"data":[102],"streams":[103],"on":[104],"endpoints,":[106],"enough":[108],"information":[109],"allow":[111],"robust":[112],"behavior.":[116],"Audit":[117],"logs":[118],"an":[120],"effective,":[121],"low-cost":[122],"alternative":[123],"deploying":[125],"additional":[126],"expensive":[127],"agent-based":[128],"breach":[129],"industrial":[136],"settings,":[137],"can":[139,159],"be":[140],"used":[141],"detect,":[143],"tests,":[146],"83%":[147],"percent":[148],"malware":[150,180],"samples":[151],"with":[152],"a":[153],"0.1%":[154],"false":[155],"positive":[156],"rate.":[157],"They":[158],"also":[160],"supplement":[161],"already":[162],"existing":[163],"host":[164],"signature-based":[165],"solutions,":[167],"like":[168],"Kaspersky,":[169],"Symantec,":[170],"McAfee,":[172],"detecting,":[173],"testing":[176],"environment,":[177],"78%":[178],"missed":[181],"by":[182],"those":[183],"systems.":[185]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":10},{"year":2024,"cited_by_count":12},{"year":2023,"cited_by_count":9},{"year":2022,"cited_by_count":4},{"year":2021,"cited_by_count":8},{"year":2020,"cited_by_count":7},{"year":2019,"cited_by_count":17},{"year":2018,"cited_by_count":12},{"year":2017,"cited_by_count":5},{"year":2016,"cited_by_count":1},{"year":2015,"cited_by_count":1}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}