{"id":"https://openalex.org/W2538865281","doi":"https://doi.org/10.1145/2976749.2978315","title":"Acing the IOC Game","display_name":"Acing the IOC Game","publication_year":2016,"publication_date":"2016-10-24","ids":{"openalex":"https://openalex.org/W2538865281","doi":"https://doi.org/10.1145/2976749.2978315","mag":"2538865281"},"language":"en","primary_location":{"id":"doi:10.1145/2976749.2978315","is_oa":true,"landing_page_url":"https://doi.org/10.1145/2976749.2978315","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/2976749.2978315","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/2976749.2978315","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5084889167","display_name":"Xiaojing Liao","orcid":"https://orcid.org/0000-0001-7555-1673"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Xiaojing Liao","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5076623332","display_name":"Kan Yuan","orcid":null},"institutions":[{"id":"https://openalex.org/I4210119109","display_name":"Indiana University Bloomington","ror":"https://ror.org/02k40bc56","country_code":"US","type":"education","lineage":["https://openalex.org/I4210119109","https://openalex.org/I592451"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Kan Yuan","raw_affiliation_strings":["Indiana University Bloomington, Bloomington, USA"],"affiliations":[{"raw_affiliation_string":"Indiana University Bloomington, Bloomington, USA","institution_ids":["https://openalex.org/I4210119109"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100333270","display_name":"Xiaofeng Wang","orcid":"https://orcid.org/0000-0003-4902-7549"},"institutions":[{"id":"https://openalex.org/I4210119109","display_name":"Indiana University Bloomington","ror":"https://ror.org/02k40bc56","country_code":"US","type":"education","lineage":["https://openalex.org/I4210119109","https://openalex.org/I592451"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"XiaoFeng Wang","raw_affiliation_strings":["Indiana University Bloomington, Bloomington, USA"],"affiliations":[{"raw_affiliation_string":"Indiana University Bloomington, Bloomington, USA","institution_ids":["https://openalex.org/I4210119109"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100452308","display_name":"Zhou Li","orcid":"https://orcid.org/0000-0002-9401-1012"},"institutions":[{"id":"https://openalex.org/I1321014770","display_name":"Association for Computing Machinery","ror":"https://ror.org/03wsadn68","country_code":"US","type":"nonprofit","lineage":["https://openalex.org/I1321014770"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Zhou Li","raw_affiliation_strings":["ACM Member, New York, USA"],"affiliations":[{"raw_affiliation_string":"ACM Member, New York, USA","institution_ids":["https://openalex.org/I1321014770"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5036446600","display_name":"Luyi Xing","orcid":"https://orcid.org/0000-0002-1036-1163"},"institutions":[{"id":"https://openalex.org/I4210119109","display_name":"Indiana University Bloomington","ror":"https://ror.org/02k40bc56","country_code":"US","type":"education","lineage":["https://openalex.org/I4210119109","https://openalex.org/I592451"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Luyi Xing","raw_affiliation_strings":["Indiana University Bloomington, Bloomington, USA"],"affiliations":[{"raw_affiliation_string":"Indiana University Bloomington, Bloomington, USA","institution_ids":["https://openalex.org/I4210119109"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5033073212","display_name":"Raheem Beyah","orcid":"https://orcid.org/0000-0002-9188-3464"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Raheem Beyah","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, USA","institution_ids":["https://openalex.org/I130701444"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5084889167"],"corresponding_institution_ids":["https://openalex.org/I130701444"],"apc_list":null,"apc_paid":null,"fwci":36.5971,"has_fulltext":true,"cited_by_count":272,"citation_normalized_percentile":{"value":0.99700737,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"755","last_page":"766"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9969000220298767,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9969000220298767,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9966999888420105,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T13083","display_name":"Advanced Text Analysis Techniques","score":0.9908999800682068,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8218643069267273},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.7625173330307007},{"id":"https://openalex.org/keywords/security-token","display_name":"Security token","score":0.6726965308189392},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.6070259213447571},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.49948954582214355},{"id":"https://openalex.org/keywords/information-extraction","display_name":"Information extraction","score":0.447083055973053},{"id":"https://openalex.org/keywords/botnet","display_name":"Botnet","score":0.44174426794052124},{"id":"https://openalex.org/keywords/download","display_name":"Download","score":0.41250497102737427},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.38917967677116394},{"id":"https://openalex.org/keywords/information-retrieval","display_name":"Information retrieval","score":0.3747670352458954},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.36775439977645874},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.34524670243263245},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.26760005950927734},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.1689527928829193}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8218643069267273},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.7625173330307007},{"id":"https://openalex.org/C48145219","wikidata":"https://www.wikidata.org/wiki/Q1335365","display_name":"Security token","level":2,"score":0.6726965308189392},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.6070259213447571},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.49948954582214355},{"id":"https://openalex.org/C195807954","wikidata":"https://www.wikidata.org/wiki/Q1662562","display_name":"Information extraction","level":2,"score":0.447083055973053},{"id":"https://openalex.org/C22735295","wikidata":"https://www.wikidata.org/wiki/Q317671","display_name":"Botnet","level":3,"score":0.44174426794052124},{"id":"https://openalex.org/C2780154274","wikidata":"https://www.wikidata.org/wiki/Q7126717","display_name":"Download","level":2,"score":0.41250497102737427},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.38917967677116394},{"id":"https://openalex.org/C23123220","wikidata":"https://www.wikidata.org/wiki/Q816826","display_name":"Information retrieval","level":1,"score":0.3747670352458954},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.36775439977645874},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.34524670243263245},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.26760005950927734},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.1689527928829193},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C151730666","wikidata":"https://www.wikidata.org/wiki/Q7205","display_name":"Paleontology","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/2976749.2978315","is_oa":true,"landing_page_url":"https://doi.org/10.1145/2976749.2978315","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/2976749.2978315","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/2976749.2978315","is_oa":true,"landing_page_url":"https://doi.org/10.1145/2976749.2978315","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/2976749.2978315","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/9","display_name":"Industry, innovation and infrastructure","score":0.5799999833106995}],"awards":[{"id":"https://openalex.org/G1299326818","display_name":null,"funder_award_id":"CNS-1223495","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G4527400531","display_name":null,"funder_award_id":"CNS-1223477","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G6394191966","display_name":"TWC: Small: Secure Data-Intensive Computing on Hybrid Clouds","funder_award_id":"1223495","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G6982404986","display_name":"TWC: Small: Understanding and Mitigating the Security Hazards of Mobile Fragmentation","funder_award_id":"1527141","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G7062019924","display_name":null,"funder_award_id":"1223477","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G7142134866","display_name":null,"funder_award_id":"CNS-1618493","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G7726243484","display_name":null,"funder_award_id":"CNS-1527141","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G848032724","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W2538865281.pdf","grobid_xml":"https://content.openalex.org/works/W2538865281.grobid-xml"},"referenced_works_count":26,"referenced_works":["https://openalex.org/W79696261","https://openalex.org/W1437814062","https://openalex.org/W1438616768","https://openalex.org/W1525595230","https://openalex.org/W1561092886","https://openalex.org/W1707806712","https://openalex.org/W1816257748","https://openalex.org/W1989338554","https://openalex.org/W2019798206","https://openalex.org/W2020278455","https://openalex.org/W2078922545","https://openalex.org/W2096765155","https://openalex.org/W2120814856","https://openalex.org/W2129842875","https://openalex.org/W2161494021","https://openalex.org/W2169918010","https://openalex.org/W2207751595","https://openalex.org/W2250861254","https://openalex.org/W2251896332","https://openalex.org/W2295502246","https://openalex.org/W2407451098","https://openalex.org/W2514714814","https://openalex.org/W3124333016","https://openalex.org/W6713887106","https://openalex.org/W6727823310","https://openalex.org/W7015831105"],"related_works":["https://openalex.org/W2294483539","https://openalex.org/W2378449000","https://openalex.org/W3187581118","https://openalex.org/W2938399969","https://openalex.org/W2616994865","https://openalex.org/W3143747655","https://openalex.org/W2002178493","https://openalex.org/W2901835651","https://openalex.org/W2929621094","https://openalex.org/W1996006176"],"abstract_inverted_index":{"To":[0],"adapt":[1],"to":[2,56,90,95,138,178,196,242,259],"the":[3,72,74,107,119,130,161,164,214,234,238,247,250,268,322,344,348,361,378],"rapidly":[4],"evolving":[5],"landscape":[6],"of":[7,16,67,69,109,124,181,229,310,335,337,365,380,390],"cyber":[8],"threats,":[9],"security":[10,58,386],"professionals":[11],"are":[12,77,169,257],"actively":[13],"exchanging":[14],"Indicators":[15],"Compromise":[17],"(IOC)":[18],"(e.g.,":[19,184,203,210,270,279],"malware":[20],"signatures,":[21],"botnet":[22],"IPs)":[23],"through":[24,186,225],"public":[25],"sources":[26,70],"(e.g.":[27],"blogs,":[28,294],"forums,":[29],"tweets,":[30],"etc.).":[31],"Such":[32],"information,":[33],"often":[34,170],"presented":[35],"in":[36,71,166,172,216,244],"articles,":[37],"posts,":[38],"white":[39],"papers":[40],"etc.,":[41],"can":[42,330],"be":[43,243],"converted":[44],"into":[45],"a":[46,80,139,173,179,199,204,217,226,271,299,308,313,333,352],"machine-readable":[47],"OpenIOC":[48,262,305],"format":[49],"for":[50,151],"automatic":[51],"analysis":[52],"and":[53,83,126,207,220,312,326,388],"quick":[54],"deployment":[55],"various":[57],"mechanisms":[59],"like":[60],"an":[61,148,261,282],"intrusion":[62],"detection":[63],"system.":[64,141],"With":[65],"hundreds":[66,364],"thousands":[68,336],"wild,":[73],"IOC":[75,154,201,251,328],"data":[76],"produced":[78],"at":[79,332],"high":[81,120],"volume":[82],"velocity":[84],"today,":[85],"which":[86,116,317],"becomes":[87],"increasingly":[88],"hard":[89],"manage":[91],"by":[92,106,342],"humans.":[93],"Efforts":[94],"automatically":[96,197],"gather":[97],"such":[98,381],"information":[99],"from":[100,129,281,290,347],"unstructured":[101],"text,":[102],"however,":[103],"is":[104,158,194,240,252,318],"impeded":[105],"limitations":[108],"today's":[110],"Natural":[111],"Language":[112],"Processing":[113],"(NLP)":[114],"techniques,":[115],"cannot":[117],"meet":[118],"standard":[121],"(in":[122],"terms":[123,183],"accuracy":[125],"coverage)":[127],"expected":[128],"IOCs":[131,165,345],"that":[132,163,249,264],"could":[133],"serve":[134],"as":[135,375,377],"direct":[136],"input":[137],"defense":[140],"In":[142],"this":[143,191,295],"paper,":[144],"we":[145],"present":[146],"iACE,":[147],"innovation":[149],"solution":[150],"fully":[152],"automated":[153],"extraction.":[155],"Our":[156],"approach":[157,297],"based":[159],"upon":[160],"observation":[162],"technical":[167,218,293],"articles":[168,288,338,349],"described":[171],"predictable":[174],"way:":[175],"being":[176],"connected":[177],"set":[180],"context":[182,209,278],"\"download\")":[185,212],"stable":[187],"grammatical":[188,235],"relations.":[189],"Leveraging":[190],"observation,":[192],"iACE":[193],"designed":[195],"locate":[198],"putative":[200],"token":[202],"zip":[205,273],"file)":[206,274],"its":[208,277],"\"malware\",":[211],"within":[213],"sentences":[215],"article,":[219],"further":[221],"analyze":[222],"their":[223,371],"relations":[224],"novel":[227],"application":[228],"graph":[230],"mining":[231],"techniques.":[232],"Once":[233],"connection":[236],"between":[237],"tokens":[239,256],"found":[241],"line":[245],"with":[246,307],"way":[248,319],"commonly":[253],"presented,":[254],"these":[255],"extracted":[258],"generate":[260],"item":[263],"describes":[265],"not":[266],"only":[267],"indicator":[269],"malicious":[272],"but":[275],"also":[276],"download":[280],"external":[283],"source).":[284],"Running":[285],"on":[286,360,385],"71,000":[287],"collected":[289],"45":[291],"leading":[292],"new":[296,358],"demonstrates":[298],"remarkable":[300],"performance:":[301],"it":[302],"generated":[303],"900K":[304],"items":[306],"precision":[309],"95%":[311],"coverage":[314],"over":[315,351],"90%,":[316],"beyond":[320],"what":[321],"state-of-the-art":[323],"NLP":[324],"technique":[325],"industry":[327],"tool":[329],"achieve,":[331],"speed":[334],"per":[339],"hour.":[340],"Further,":[341],"correlating":[343],"mined":[346],"published":[350],"13-year":[353],"span,":[354],"our":[355],"study":[356],"sheds":[357],"light":[359],"links":[362],"across":[363],"seemingly":[366],"unrelated":[367],"attack":[368,391],"instances,":[369],"particularly":[370],"shared":[372],"infrastructure":[373],"resources,":[374],"well":[376],"impacts":[379],"open-source":[382],"threat":[383],"intelligence":[384],"protection":[387],"evolution":[389],"strategies.":[392]},"counts_by_year":[{"year":2026,"cited_by_count":4},{"year":2025,"cited_by_count":33},{"year":2024,"cited_by_count":36},{"year":2023,"cited_by_count":36},{"year":2022,"cited_by_count":34},{"year":2021,"cited_by_count":44},{"year":2020,"cited_by_count":32},{"year":2019,"cited_by_count":24},{"year":2018,"cited_by_count":20},{"year":2017,"cited_by_count":8},{"year":2016,"cited_by_count":1}],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2016-10-28T00:00:00"}