{"id":"https://openalex.org/W2603093875","doi":"https://doi.org/10.1145/3029806.3029815","title":"Large-Scale Identification of Malicious Singleton Files","display_name":"Large-Scale Identification of Malicious Singleton Files","publication_year":2017,"publication_date":"2017-03-20","ids":{"openalex":"https://openalex.org/W2603093875","doi":"https://doi.org/10.1145/3029806.3029815","mag":"2603093875"},"language":"en","primary_location":{"id":"doi:10.1145/3029806.3029815","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3029806.3029815","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5072055753","display_name":"Li Bo","orcid":"https://orcid.org/0000-0002-5977-1964"},"institutions":[{"id":"https://openalex.org/I27837315","display_name":"University of Michigan\u2013Ann Arbor","ror":"https://ror.org/00jmfr291","country_code":"US","type":"education","lineage":["https://openalex.org/I27837315"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Bo Li","raw_affiliation_strings":["University of Michigan, Ann Arbor, MI, USA"],"affiliations":[{"raw_affiliation_string":"University of Michigan, Ann Arbor, MI, USA","institution_ids":["https://openalex.org/I27837315"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5052168623","display_name":"Kevin Roundy","orcid":"https://orcid.org/0000-0002-8285-1647"},"institutions":[{"id":"https://openalex.org/I1308906816","display_name":"NortonLifeLock (United States)","ror":"https://ror.org/0449t3a80","country_code":"US","type":"company","lineage":["https://openalex.org/I1308906816"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Kevin Roundy","raw_affiliation_strings":["Symantec Research Labs, Mountain View, CA, USA"],"affiliations":[{"raw_affiliation_string":"Symantec Research Labs, Mountain View, CA, USA","institution_ids":["https://openalex.org/I1308906816"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5075543149","display_name":"Chris Gates","orcid":null},"institutions":[{"id":"https://openalex.org/I1308906816","display_name":"NortonLifeLock (United States)","ror":"https://ror.org/0449t3a80","country_code":"US","type":"company","lineage":["https://openalex.org/I1308906816"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Chris Gates","raw_affiliation_strings":["Symantec Research Labs, Mountain View, CA, USA"],"affiliations":[{"raw_affiliation_string":"Symantec Research Labs, Mountain View, CA, USA","institution_ids":["https://openalex.org/I1308906816"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5038669899","display_name":"Yevgeniy Vorobeychik","orcid":"https://orcid.org/0000-0003-2471-5345"},"institutions":[{"id":"https://openalex.org/I200719446","display_name":"Vanderbilt University","ror":"https://ror.org/02vm5rt34","country_code":"US","type":"education","lineage":["https://openalex.org/I200719446"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yevgeniy Vorobeychik","raw_affiliation_strings":["Vanderbilt University, nashville, TN, USA"],"affiliations":[{"raw_affiliation_string":"Vanderbilt University, nashville, TN, USA","institution_ids":["https://openalex.org/I200719446"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5072055753"],"corresponding_institution_ids":["https://openalex.org/I27837315"],"apc_list":null,"apc_paid":null,"fwci":2.5889,"has_fulltext":false,"cited_by_count":58,"citation_normalized_percentile":{"value":0.90726558,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"227","last_page":"238"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9988999962806702,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.9972000122070312,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/singleton","display_name":"Singleton","score":0.9249999523162842},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7141053676605225},{"id":"https://openalex.org/keywords/classifier","display_name":"Classifier (UML)","score":0.5270436406135559},{"id":"https://openalex.org/keywords/leverage","display_name":"Leverage (statistics)","score":0.5192915797233582},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.4428708553314209},{"id":"https://openalex.org/keywords/obfuscation","display_name":"Obfuscation","score":0.4342384934425354},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.4330938458442688},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.3312264084815979},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.3233824372291565},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.27643752098083496}],"concepts":[{"id":"https://openalex.org/C117354338","wikidata":"https://www.wikidata.org/wiki/Q1165112","display_name":"Singleton","level":3,"score":0.9249999523162842},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7141053676605225},{"id":"https://openalex.org/C95623464","wikidata":"https://www.wikidata.org/wiki/Q1096149","display_name":"Classifier (UML)","level":2,"score":0.5270436406135559},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.5192915797233582},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.4428708553314209},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.4342384934425354},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.4330938458442688},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3312264084815979},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3233824372291565},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.27643752098083496},{"id":"https://openalex.org/C185592680","wikidata":"https://www.wikidata.org/wiki/Q2329","display_name":"Chemistry","level":0,"score":0.0},{"id":"https://openalex.org/C55493867","wikidata":"https://www.wikidata.org/wiki/Q7094","display_name":"Biochemistry","level":1,"score":0.0},{"id":"https://openalex.org/C104317684","wikidata":"https://www.wikidata.org/wiki/Q7187","display_name":"Gene","level":2,"score":0.0},{"id":"https://openalex.org/C2779234561","wikidata":"https://www.wikidata.org/wiki/Q11995","display_name":"Pregnancy","level":2,"score":0.0},{"id":"https://openalex.org/C54355233","wikidata":"https://www.wikidata.org/wiki/Q7162","display_name":"Genetics","level":1,"score":0.0},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3029806.3029815","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3029806.3029815","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.6399999856948853,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[{"id":"https://openalex.org/G2285438663","display_name":null,"funder_award_id":"CNS-1238959 IIS-1526860","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":35,"referenced_works":["https://openalex.org/W31387316","https://openalex.org/W1502916507","https://openalex.org/W1508225132","https://openalex.org/W1548500763","https://openalex.org/W1596717185","https://openalex.org/W1853481526","https://openalex.org/W1956767865","https://openalex.org/W1966912382","https://openalex.org/W1966948031","https://openalex.org/W1981033991","https://openalex.org/W1992110042","https://openalex.org/W2018175892","https://openalex.org/W2051271066","https://openalex.org/W2096921767","https://openalex.org/W2097895487","https://openalex.org/W2109293916","https://openalex.org/W2110026675","https://openalex.org/W2121749752","https://openalex.org/W2128155976","https://openalex.org/W2131523719","https://openalex.org/W2148156428","https://openalex.org/W2153635508","https://openalex.org/W2165357553","https://openalex.org/W2166128942","https://openalex.org/W2171865010","https://openalex.org/W2171928131","https://openalex.org/W2189465200","https://openalex.org/W2285181575","https://openalex.org/W2293768274","https://openalex.org/W2296452361","https://openalex.org/W2482374127","https://openalex.org/W2559655401","https://openalex.org/W2597289420","https://openalex.org/W4299301436","https://openalex.org/W6600756316"],"related_works":["https://openalex.org/W2620652965","https://openalex.org/W2024170198","https://openalex.org/W4296272594","https://openalex.org/W2900526031","https://openalex.org/W2728713145","https://openalex.org/W2470502009","https://openalex.org/W2131332603","https://openalex.org/W2072617132","https://openalex.org/W4360993664","https://openalex.org/W2465235098"],"abstract_inverted_index":{"We":[0,82,99],"study":[1,86,105],"a":[2,31,84,108,124],"dataset":[3],"of":[4,6,19,25,44,57,68,79,87,93,118,133,154,160],"billions":[5],"program":[7],"binary":[8],"files":[9,27,62,142],"that":[10,23,54,143],"appeared":[11],"on":[12,30,112],"100":[13],"million":[14],"computers":[15],"over":[16],"the":[17,41,55,77,88,101,119],"course":[18],"12":[20],"months,":[21],"discovering":[22],"94%":[24],"these":[26],"were":[28],"present":[29,83],"single":[32],"machine.":[33],"Though":[34],"malware":[35],"polymorphism":[36],"is":[37,63],"one":[38],"cause":[39],"for":[40],"large":[42],"number":[43,67],"singleton":[45,61,97,141],"files,":[46],"additional":[47],"factors":[48],"also":[49],"contribute":[50],"to":[51,59,74,106,115,148,157],"polymorphism,":[52],"given":[53],"ratio":[56],"benign":[58,69,94],"malicious":[60,80,96,121,140],"80:1.":[64],"The":[65],"huge":[66],"singletons":[70,122],"makes":[71],"it":[72],"challenging":[73],"reliably":[75],"identify":[76,116],"minority":[78],"singletons.":[81],"large-scale":[85],"properties,":[89],"characteristics,":[90],"and":[91,95,135],"distribution":[92],"files.":[98],"leverage":[100],"insights":[102],"from":[103],"this":[104],"build":[107],"classifier":[109,156],"based":[110],"purely":[111],"static":[113],"features":[114],"92%":[117],"remaining":[120],"at":[123],"1.4%":[125],"percent":[126],"false":[127],"positive":[128],"rate,":[129],"despite":[130],"heavy":[131],"use":[132],"obfuscation":[134],"packing":[136],"techniques":[137],"by":[138],"most":[139],"we":[144,151],"make":[145],"no":[146],"attempt":[147],"de-obfuscate.":[149],"Finally,":[150],"demonstrate":[152],"robustness":[153],"our":[155],"important":[158],"classes":[159],"automated":[161],"evasion":[162],"attacks.":[163]},"counts_by_year":[{"year":2025,"cited_by_count":6},{"year":2024,"cited_by_count":10},{"year":2023,"cited_by_count":8},{"year":2022,"cited_by_count":11},{"year":2021,"cited_by_count":9},{"year":2020,"cited_by_count":7},{"year":2019,"cited_by_count":5},{"year":2018,"cited_by_count":1},{"year":2017,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}