{"id":"https://openalex.org/W2755572540","doi":"https://doi.org/10.1145/3105761","title":"Long-Span Program Behavior Modeling and Attack Detection","display_name":"Long-Span Program Behavior Modeling and Attack Detection","publication_year":2017,"publication_date":"2017-09-20","ids":{"openalex":"https://openalex.org/W2755572540","doi":"https://doi.org/10.1145/3105761","mag":"2755572540"},"language":"en","primary_location":{"id":"doi:10.1145/3105761","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3105761","pdf_url":"http://dl.acm.org/ft_gateway.cfm?id=3105761&type=pdf","source":{"id":"https://openalex.org/S4210174050","display_name":"ACM Transactions on Privacy and Security","issn_l":"2471-2566","issn":["2471-2566","2471-2574"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Privacy and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"bronze","oa_url":"http://dl.acm.org/ft_gateway.cfm?id=3105761&type=pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5046558241","display_name":"Xiaokui Shu","orcid":"https://orcid.org/0000-0002-7381-7041"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Xiaokui Shu","raw_affiliation_strings":["IBM Research"],"affiliations":[{"raw_affiliation_string":"IBM Research","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5034366344","display_name":"Danfeng Yao","orcid":"https://orcid.org/0000-0001-8969-2792"},"institutions":[{"id":"https://openalex.org/I859038795","display_name":"Virginia Tech","ror":"https://ror.org/02smfhw86","country_code":"US","type":"education","lineage":["https://openalex.org/I859038795"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Danfeng (Daphne) Yao","raw_affiliation_strings":["Virginia Tech"],"affiliations":[{"raw_affiliation_string":"Virginia Tech","institution_ids":["https://openalex.org/I859038795"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5035052603","display_name":"Naren Ramakrishnan","orcid":"https://orcid.org/0000-0002-1821-9743"},"institutions":[{"id":"https://openalex.org/I859038795","display_name":"Virginia Tech","ror":"https://ror.org/02smfhw86","country_code":"US","type":"education","lineage":["https://openalex.org/I859038795"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Naren Ramakrishnan","raw_affiliation_strings":["Virginia Tech"],"affiliations":[{"raw_affiliation_string":"Virginia Tech","institution_ids":["https://openalex.org/I859038795"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5055045569","display_name":"Trent Jaeger","orcid":"https://orcid.org/0000-0002-4964-1170"},"institutions":[{"id":"https://openalex.org/I130769515","display_name":"Pennsylvania State University","ror":"https://ror.org/04p491231","country_code":"US","type":"education","lineage":["https://openalex.org/I130769515"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Trent Jaeger","raw_affiliation_strings":["Pennsylvania State University"],"affiliations":[{"raw_affiliation_string":"Pennsylvania State University","institution_ids":["https://openalex.org/I130769515"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5046558241"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":3.0696,"has_fulltext":true,"cited_by_count":25,"citation_normalized_percentile":{"value":0.9268447,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":"20","issue":"4","first_page":"1","last_page":"28"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.9977999925613403,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.764033854007721},{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.6990752816200256},{"id":"https://openalex.org/keywords/snapshot","display_name":"Snapshot (computer storage)","score":0.5067184567451477},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.43645480275154114},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.39150863885879517},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.13381198048591614}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.764033854007721},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.6990752816200256},{"id":"https://openalex.org/C55282118","wikidata":"https://www.wikidata.org/wiki/Q252683","display_name":"Snapshot (computer storage)","level":2,"score":0.5067184567451477},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.43645480275154114},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.39150863885879517},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.13381198048591614},{"id":"https://openalex.org/C151730666","wikidata":"https://www.wikidata.org/wiki/Q7205","display_name":"Paleontology","level":1,"score":0.0},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3105761","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3105761","pdf_url":"http://dl.acm.org/ft_gateway.cfm?id=3105761&type=pdf","source":{"id":"https://openalex.org/S4210174050","display_name":"ACM Transactions on Privacy and Security","issn_l":"2471-2566","issn":["2471-2566","2471-2574"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Privacy and Security","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1145/3105761","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3105761","pdf_url":"http://dl.acm.org/ft_gateway.cfm?id=3105761&type=pdf","source":{"id":"https://openalex.org/S4210174050","display_name":"ACM Transactions on Privacy and Security","issn_l":"2471-2566","issn":["2471-2566","2471-2574"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Privacy and Security","raw_type":"journal-article"},"sustainable_development_goals":[{"score":0.7400000095367432,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[{"id":"https://openalex.org/G1228813458","display_name":null,"funder_award_id":"4-13-1-","funder_id":"https://openalex.org/F4320337345","funder_display_name":"Office of Naval Research"},{"id":"https://openalex.org/G2043895709","display_name":null,"funder_award_id":"W911NF-13-2-0045","funder_id":"https://openalex.org/F4320338295","funder_display_name":"Army Research Laboratory"},{"id":"https://openalex.org/G2922171469","display_name":null,"funder_award_id":"FA8650-15-","funder_id":"https://openalex.org/F4320338294","funder_display_name":"Air Force Research Laboratory"},{"id":"https://openalex.org/G3048660544","display_name":null,"funder_award_id":"W911NF-14-1-","funder_id":"https://openalex.org/F4320332180","funder_display_name":"Defense Advanced Research Projects Agency"},{"id":"https://openalex.org/G3424441068","display_name":null,"funder_award_id":"W911NF-14-1","funder_id":"https://openalex.org/F4320338281","funder_display_name":"Army Research Office"},{"id":"https://openalex.org/G3732666562","display_name":null,"funder_award_id":"W911NF-13","funder_id":"https://openalex.org/F4320338295","funder_display_name":"Army Research Laboratory"},{"id":"https://openalex.org/G4037859840","display_name":null,"funder_award_id":"FA8650-15-C-7561","funder_id":"https://openalex.org/F4320332180","funder_display_name":"Defense Advanced Research Projects Agency"},{"id":"https://openalex.org/G4307486606","display_name":null,"funder_award_id":"W911NF-13-2-0045 (ARL Cyber Security CRA)","funder_id":"https://openalex.org/F4320338295","funder_display_name":"Army Research Laboratory"},{"id":"https://openalex.org/G5051192394","display_name":null,"funder_award_id":"FA8650-15-C","funder_id":"https://openalex.org/F4320332180","funder_display_name":"Defense Advanced Research Projects Agency"},{"id":"https://openalex.org/G5259331294","display_name":null,"funder_award_id":"W911NF","funder_id":"https://openalex.org/F4320338295","funder_display_name":"Army Research Laboratory"},{"id":"https://openalex.org/G5524522455","display_name":null,"funder_award_id":"DARPA","funder_id":"https://openalex.org/F4320338281","funder_display_name":"Army Research Office"},{"id":"https://openalex.org/G5885924284","display_name":null,"funder_award_id":"N00014-13-1-0016","funder_id":"https://openalex.org/F4320337345","funder_display_name":"Office of Naval Research"},{"id":"https://openalex.org/G6274897657","display_name":null,"funder_award_id":"W911NF-13","funder_id":"https://openalex.org/F4320338281","funder_display_name":"Army Research Office"},{"id":"https://openalex.org/G7452299184","display_name":null,"funder_award_id":"W911NF","funder_id":"https://openalex.org/F4320338281","funder_display_name":"Army Research Office"},{"id":"https://openalex.org/G7767459810","display_name":null,"funder_award_id":"YIP W911NF-14-1-0535","funder_id":"https://openalex.org/F4320338281","funder_display_name":"Army Research Office"},{"id":"https://openalex.org/G8876996369","display_name":null,"funder_award_id":"N00014","funder_id":"https://openalex.org/F4320337345","funder_display_name":"Office of Naval Research"},{"id":"https://openalex.org/G8998121839","display_name":null,"funder_award_id":"911NF","funder_id":"https://openalex.org/F4320338281","funder_display_name":"Army Research Office"}],"funders":[{"id":"https://openalex.org/F4320332180","display_name":"Defense Advanced Research Projects Agency","ror":"https://ror.org/02caytj08"},{"id":"https://openalex.org/F4320337345","display_name":"Office of Naval Research","ror":"https://ror.org/00rk2pe57"},{"id":"https://openalex.org/F4320338281","display_name":"Army Research Office","ror":"https://ror.org/05epdh915"},{"id":"https://openalex.org/F4320338294","display_name":"Air Force Research Laboratory","ror":"https://ror.org/02e2egq70"},{"id":"https://openalex.org/F4320338295","display_name":"Army Research Laboratory","ror":"https://ror.org/011hc8f90"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W2755572540.pdf","grobid_xml":"https://content.openalex.org/works/W2755572540.grobid-xml"},"referenced_works_count":64,"referenced_works":["https://openalex.org/W1112477","https://openalex.org/W14760367","https://openalex.org/W123548525","https://openalex.org/W135767600","https://openalex.org/W191098608","https://openalex.org/W1459231281","https://openalex.org/W1479871422","https://openalex.org/W1525062087","https://openalex.org/W1536898727","https://openalex.org/W1546934218","https://openalex.org/W1552056088","https://openalex.org/W1559255981","https://openalex.org/W1583975142","https://openalex.org/W1585799956","https://openalex.org/W1726304021","https://openalex.org/W1827212170","https://openalex.org/W1863862444","https://openalex.org/W1910686388","https://openalex.org/W1947347140","https://openalex.org/W2008704879","https://openalex.org/W2046952161","https://openalex.org/W2049946335","https://openalex.org/W2060678717","https://openalex.org/W2074307706","https://openalex.org/W2081357650","https://openalex.org/W2087671069","https://openalex.org/W2095577883","https://openalex.org/W2098010707","https://openalex.org/W2105497548","https://openalex.org/W2106649514","https://openalex.org/W2118315969","https://openalex.org/W2118372007","https://openalex.org/W2118528519","https://openalex.org/W2121035740","https://openalex.org/W2121195498","https://openalex.org/W2121927068","https://openalex.org/W2123886726","https://openalex.org/W2129345100","https://openalex.org/W2129860818","https://openalex.org/W2134073393","https://openalex.org/W2135143063","https://openalex.org/W2137365926","https://openalex.org/W2145969515","https://openalex.org/W2149086123","https://openalex.org/W2150847526","https://openalex.org/W2152449272","https://openalex.org/W2160892968","https://openalex.org/W2162275200","https://openalex.org/W2166924764","https://openalex.org/W2167332015","https://openalex.org/W2167830147","https://openalex.org/W2169685348","https://openalex.org/W2170470412","https://openalex.org/W2276979642","https://openalex.org/W2294798173","https://openalex.org/W2295709271","https://openalex.org/W2512784977","https://openalex.org/W2519765358","https://openalex.org/W2527840540","https://openalex.org/W2533817413","https://openalex.org/W2584029330","https://openalex.org/W3009086382","https://openalex.org/W3136767761","https://openalex.org/W4254975025"],"related_works":["https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W2542847180","https://openalex.org/W3034994054","https://openalex.org/W2805712290","https://openalex.org/W2909129499","https://openalex.org/W2392087771","https://openalex.org/W2761598930","https://openalex.org/W2356600124","https://openalex.org/W4245782888"],"abstract_inverted_index":{"Intertwined":[0],"developments":[1],"between":[2,92],"program":[3,11,18,46,85,125],"attacks":[4,23,52,153],"and":[5,24,53,101,143,157,171],"defenses":[6],"witness":[7],"the":[8,42,112],"evolution":[9],"of":[10,17,44,71,76,179,181,183],"anomaly":[12,47,57],"detection":[13,48,58,131,160],"methods.":[14],"Emerging":[15],"categories":[16],"attacks,":[19],"e.g.,":[20,98],"non-control":[21],"data":[22],"data-oriented":[25],"programming,":[26],"are":[27],"able":[28],"to":[29,103,122,165,169],"comply":[30],"with":[31],"normal":[32,124],"trace":[33],"patterns":[34],"at":[35,94,140],"local":[36],"views.":[37],"This":[38],"article":[39],"points":[40],"out":[41],"deficiency":[43],"existing":[45,89],"models":[49],"against":[50,154],"new":[51],"presents":[54],"long-span":[55],"behavior":[56,126,175],"(LAD),":[59],"a":[60,95,173],"model":[61],"based":[62],"on":[63],"mildly":[64],"context-sensitive":[65],"grammar":[66],"verification.":[67],"The":[68,114,159],"key":[69],"feature":[70],"LAD":[72],"is":[73],"its":[74],"reasoning":[75],"correlations":[77],"among":[78,106],"arbitrary":[79],"events":[80,93,107],"that":[81,108,177],"occurred":[82,110],"in":[83,128],"long":[84],"traces.":[86],"It":[87],"extends":[88],"correlation":[90,104,139],"analysis":[91,105],"stack":[96],"snapshot,":[97],"paired":[99],"call":[100,185,188],"ret,":[102],"historically":[109],"during":[111],"execution.":[113],"proposed":[115],"method":[116],"leverages":[117],"specialized":[118],"machine":[119],"learning":[120],"techniques":[121],"probe":[123],"boundaries":[127],"vast":[129],"high-dimensional":[130],"space.":[132],"Its":[133],"two-stage":[134],"modeling/detection":[135],"design":[136],"analyzes":[137],"event":[138],"both":[141],"binary":[142],"quantitative":[144],"levels.":[145],"Our":[146],"prototype":[147],"successfully":[148],"detects":[149],"all":[150],"reproduced":[151],"real-world":[152],"sshd,":[155],"libpcre,":[156],"sendmail.":[158],"procedure":[161],"incurs":[162],"0.1":[163],"ms":[164,167],"1.3":[166],"overhead":[168],"profile":[170],"analyze":[172],"single":[174],"instance":[176],"consists":[178],"tens":[180],"thousands":[182],"function":[184],"or":[186],"system":[187],"events.":[189]},"counts_by_year":[{"year":2025,"cited_by_count":1},{"year":2024,"cited_by_count":1},{"year":2023,"cited_by_count":3},{"year":2022,"cited_by_count":1},{"year":2021,"cited_by_count":5},{"year":2020,"cited_by_count":8},{"year":2019,"cited_by_count":2},{"year":2018,"cited_by_count":3},{"year":2017,"cited_by_count":1}],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2025-10-10T00:00:00"}