{"id":"https://openalex.org/W1993370323","doi":"https://doi.org/10.1145/2810103.2813724","title":"The Dropper Effect","display_name":"The Dropper Effect","publication_year":2015,"publication_date":"2015-10-06","ids":{"openalex":"https://openalex.org/W1993370323","doi":"https://doi.org/10.1145/2810103.2813724","mag":"1993370323"},"language":"en","primary_location":{"id":"doi:10.1145/2810103.2813724","is_oa":false,"landing_page_url":"https://doi.org/10.1145/2810103.2813724","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5065564570","display_name":"Bum Jun Kwon","orcid":"https://orcid.org/0000-0003-1801-1958"},"institutions":[{"id":"https://openalex.org/I66946132","display_name":"University of Maryland, College Park","ror":"https://ror.org/047s2c258","country_code":"US","type":"education","lineage":["https://openalex.org/I66946132"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Bum Jun Kwon","raw_affiliation_strings":["University of Maryland, College Park, MD, USA"],"affiliations":[{"raw_affiliation_string":"University of Maryland, College Park, MD, USA","institution_ids":["https://openalex.org/I66946132"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101555389","display_name":"Jayanta Mondal","orcid":"https://orcid.org/0000-0003-4263-4995"},"institutions":[{"id":"https://openalex.org/I66946132","display_name":"University of Maryland, College Park","ror":"https://ror.org/047s2c258","country_code":"US","type":"education","lineage":["https://openalex.org/I66946132"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Jayanta Mondal","raw_affiliation_strings":["University of Maryland, College Park, MD, USA"],"affiliations":[{"raw_affiliation_string":"University of Maryland, College Park, MD, USA","institution_ids":["https://openalex.org/I66946132"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037719518","display_name":"Jiyong Jang","orcid":"https://orcid.org/0000-0001-8111-2503"},"institutions":[{"id":"https://openalex.org/I1341412227","display_name":"IBM (United States)","ror":"https://ror.org/05hh8d621","country_code":"US","type":"company","lineage":["https://openalex.org/I1341412227"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Jiyong Jang","raw_affiliation_strings":["IBM Research, Yorktown Heights, NY, USA","IBM Research, Yorktown Heights,, NY, USA"],"affiliations":[{"raw_affiliation_string":"IBM Research, Yorktown Heights, NY, USA","institution_ids":["https://openalex.org/I1341412227"]},{"raw_affiliation_string":"IBM Research, Yorktown Heights,, NY, USA","institution_ids":["https://openalex.org/I1341412227"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5034154377","display_name":"Leyla Bilge","orcid":"https://orcid.org/0000-0002-8408-3741"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Leyla Bilge","raw_affiliation_strings":["Symantec Research Labs, Sophia Antipolis, France","Symantec Research Labs, Sophia-Antipolis, France"],"affiliations":[{"raw_affiliation_string":"Symantec Research Labs, Sophia Antipolis, France","institution_ids":[]},{"raw_affiliation_string":"Symantec Research Labs, Sophia-Antipolis, France","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5033409139","display_name":"Tudor Dumitra\u015f","orcid":"https://orcid.org/0000-0003-4350-7226"},"institutions":[{"id":"https://openalex.org/I66946132","display_name":"University of Maryland, College Park","ror":"https://ror.org/047s2c258","country_code":"US","type":"education","lineage":["https://openalex.org/I66946132"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Tudor Dumitra\u015f","raw_affiliation_strings":["University of Maryland, College Park, MD, USA"],"affiliations":[{"raw_affiliation_string":"University of Maryland, College Park, MD, USA","institution_ids":["https://openalex.org/I66946132"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5065564570"],"corresponding_institution_ids":["https://openalex.org/I66946132"],"apc_list":null,"apc_paid":null,"fwci":10.4191,"has_fulltext":false,"cited_by_count":100,"citation_normalized_percentile":{"value":0.9870197,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":91,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"1118","last_page":"1129"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9987999796867371,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.9987000226974487,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.9042578935623169},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8023996949195862},{"id":"https://openalex.org/keywords/executable","display_name":"Executable","score":0.6383287906646729},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.5584325790405273},{"id":"https://openalex.org/keywords/download","display_name":"Download","score":0.5366145372390747},{"id":"https://openalex.org/keywords/upload","display_name":"Upload","score":0.5305821299552917},{"id":"https://openalex.org/keywords/system-call","display_name":"System call","score":0.5091204047203064},{"id":"https://openalex.org/keywords/computer-virus","display_name":"Computer virus","score":0.49686649441719055},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4532254636287689},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.3504852056503296},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.3385493755340576},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.21369105577468872}],"concepts":[{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.9042578935623169},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8023996949195862},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.6383287906646729},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.5584325790405273},{"id":"https://openalex.org/C2780154274","wikidata":"https://www.wikidata.org/wiki/Q7126717","display_name":"Download","level":2,"score":0.5366145372390747},{"id":"https://openalex.org/C71901391","wikidata":"https://www.wikidata.org/wiki/Q7126699","display_name":"Upload","level":2,"score":0.5305821299552917},{"id":"https://openalex.org/C2778579508","wikidata":"https://www.wikidata.org/wiki/Q722192","display_name":"System call","level":2,"score":0.5091204047203064},{"id":"https://openalex.org/C19407854","wikidata":"https://www.wikidata.org/wiki/Q485","display_name":"Computer virus","level":2,"score":0.49686649441719055},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4532254636287689},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3504852056503296},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3385493755340576},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.21369105577468872}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/2810103.2813724","is_oa":false,"landing_page_url":"https://doi.org/10.1145/2810103.2813724","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":39,"referenced_works":["https://openalex.org/W1233141674","https://openalex.org/W1490011260","https://openalex.org/W1492581097","https://openalex.org/W1588282782","https://openalex.org/W1650881334","https://openalex.org/W1827212170","https://openalex.org/W1876301579","https://openalex.org/W1922851884","https://openalex.org/W1985987493","https://openalex.org/W2015452969","https://openalex.org/W2016051345","https://openalex.org/W2037109870","https://openalex.org/W2040424958","https://openalex.org/W2044911211","https://openalex.org/W2049092543","https://openalex.org/W2054143615","https://openalex.org/W2068211976","https://openalex.org/W2082180526","https://openalex.org/W2084979543","https://openalex.org/W2085761620","https://openalex.org/W2095610745","https://openalex.org/W2137964233","https://openalex.org/W2148156428","https://openalex.org/W2149706766","https://openalex.org/W2155440239","https://openalex.org/W2166128942","https://openalex.org/W2168103835","https://openalex.org/W2171770082","https://openalex.org/W2211880739","https://openalex.org/W2228075399","https://openalex.org/W2350778671","https://openalex.org/W2482374127","https://openalex.org/W2617928660","https://openalex.org/W2911964244","https://openalex.org/W3121299688","https://openalex.org/W4299301436","https://openalex.org/W6640487242","https://openalex.org/W6674628898","https://openalex.org/W6817491142"],"related_works":["https://openalex.org/W30634129","https://openalex.org/W2289997899","https://openalex.org/W3080622597","https://openalex.org/W4226184338","https://openalex.org/W2186280426","https://openalex.org/W2150795982","https://openalex.org/W2137641605","https://openalex.org/W1503224444","https://openalex.org/W2747715470","https://openalex.org/W2154529672"],"abstract_inverted_index":{"Malware":[0],"remains":[1],"an":[2,192,205],"important":[3],"security":[4],"threat,":[5],"as":[6,34,148,219],"miscreants":[7],"continue":[8],"to":[9,16,63],"deliver":[10],"a":[11,170,180,185,210],"variety":[12],"of":[13,24,46,94,104,108,144,159,194,212],"malicious":[14,59,97,145],"programs":[15],"hosts":[17],"around":[18],"the":[19,22,26,44,51,77,82,91,102,109,149,152,155],"world.":[20],"At":[21],"heart":[23],"all":[25],"malware":[27,110,175,191],"delivery":[28],"techniques":[29],"are":[30,61,226],"executable":[31],"files":[32,214],"(known":[33],"downloader":[35,132,160],"trojans":[36],"or":[37],"droppers)":[38],"that":[39,215,224],"download":[40,83,111],"other":[41],"malware.":[42],"Because":[43],"act":[45],"downloading":[47],"software":[48],"components":[49],"from":[50,121,134],"Internet":[52,156],"is":[53],"not":[54],"inherently":[55],"malicious,":[56,220],"benign":[57,95],"and":[58,70,88,96,123,128,154,168,189,221],"downloaders":[60],"difficult":[62],"distinguish":[64],"based":[65],"only":[66],"on":[67,85,163],"their":[68],"content":[69],"behavior.":[71],"In":[72],"this":[73],"paper,":[74],"we":[75,89,126,166,222],"introduce":[76],"downloader-graph":[78],"abstraction,":[79],"which":[80,113],"captures":[81],"activity":[84],"end":[86],"hosts,":[87],"explore":[90],"growth":[92,150],"patterns":[93,158],"graphs.":[98,161],"Downloader":[99],"graphs":[100,133],"have":[101],"potential":[103],"exposing":[105],"large":[106],"parts":[107],"activity,":[112,146],"may":[114],"otherwise":[115],"remain":[116],"undetected.":[117],"By":[118],"combining":[119],"telemetry":[120],"anti-virus":[122,200,229],"intrusion-prevention":[124],"systems,":[125],"reconstruct":[127],"analyze":[129],"19":[130],"million":[131,136],"5":[135],"real":[137],"hosts.":[138],"We":[139,202],"identify":[140],"several":[141],"strong":[142],"indicators":[143],"such":[147],"rate,":[151,183,188],"diameter,":[153],"access":[157],"Building":[162],"these":[164],"insights,":[165],"implement":[167],"evaluate":[169],"machine":[171],"learning":[172],"system":[173,178,217],"for":[174],"detection.":[176],"Our":[177],"achieves":[179],"96.0%":[181],"true-positive":[182],"with":[184],"1.0%":[186],"false-positive":[187],"detects":[190,218],"average":[193],"9.24":[195],"days":[196],"earlier":[197],"than":[198],"existing":[199],"products.":[201,230],"also":[203],"perform":[204],"external":[206],"validation":[207],"by":[208,228],"examining":[209],"sample":[211],"unlabeled":[213],"our":[216],"find":[223],"41.41%":[225],"blocked":[227]},"counts_by_year":[{"year":2025,"cited_by_count":1},{"year":2024,"cited_by_count":6},{"year":2023,"cited_by_count":5},{"year":2022,"cited_by_count":10},{"year":2021,"cited_by_count":16},{"year":2020,"cited_by_count":11},{"year":2019,"cited_by_count":15},{"year":2018,"cited_by_count":12},{"year":2017,"cited_by_count":14},{"year":2016,"cited_by_count":10}],"updated_date":"2026-04-04T16:13:02.066488","created_date":"2016-06-24T00:00:00"}