{"id":"https://openalex.org/W2773100910","doi":"https://doi.org/10.1145/3139292","title":"Handling Anti-Virtual Machine Techniques in Malicious Software","display_name":"Handling Anti-Virtual Machine Techniques in Malicious Software","publication_year":2017,"publication_date":"2017-12-06","ids":{"openalex":"https://openalex.org/W2773100910","doi":"https://doi.org/10.1145/3139292","mag":"2773100910"},"language":"en","primary_location":{"id":"doi:10.1145/3139292","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3139292","pdf_url":null,"source":{"id":"https://openalex.org/S4210174050","display_name":"ACM Transactions on Privacy and Security","issn_l":"2471-2566","issn":["2471-2566","2471-2574"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Privacy and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101981620","display_name":"Hao Shi","orcid":"https://orcid.org/0000-0002-4315-3942"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Hao Shi","raw_affiliation_strings":["USC/Information Sciences Institute"],"affiliations":[{"raw_affiliation_string":"USC/Information Sciences Institute","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5103177278","display_name":"Jelena Mirkovi\u0107","orcid":"https://orcid.org/0000-0001-7462-8747"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jelena Mirkovic","raw_affiliation_strings":["USC/Information Sciences Institute"],"affiliations":[{"raw_affiliation_string":"USC/Information Sciences Institute","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5059226326","display_name":"Abdulla Alwabel","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Abdulla Alwabel","raw_affiliation_strings":["USC/Information Sciences Institute"],"affiliations":[{"raw_affiliation_string":"USC/Information Sciences Institute","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5101981620"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":1.8492,"has_fulltext":false,"cited_by_count":29,"citation_normalized_percentile":{"value":0.87290416,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":"21","issue":"1","first_page":"1","last_page":"31"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9991999864578247,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9983999729156494,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8308591246604919},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.7615750432014465},{"id":"https://openalex.org/keywords/virtual-machine","display_name":"Virtual machine","score":0.6697370409965515},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.5323386788368225},{"id":"https://openalex.org/keywords/implementation","display_name":"Implementation","score":0.5097138285636902},{"id":"https://openalex.org/keywords/plug-in","display_name":"Plug-in","score":0.41138797998428345},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.21086132526397705}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8308591246604919},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.7615750432014465},{"id":"https://openalex.org/C25344961","wikidata":"https://www.wikidata.org/wiki/Q192726","display_name":"Virtual machine","level":2,"score":0.6697370409965515},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.5323386788368225},{"id":"https://openalex.org/C26713055","wikidata":"https://www.wikidata.org/wiki/Q245962","display_name":"Implementation","level":2,"score":0.5097138285636902},{"id":"https://openalex.org/C4924752","wikidata":"https://www.wikidata.org/wiki/Q184148","display_name":"Plug-in","level":2,"score":0.41138797998428345},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.21086132526397705}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3139292","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3139292","pdf_url":null,"source":{"id":"https://openalex.org/S4210174050","display_name":"ACM Transactions on Privacy and Security","issn_l":"2471-2566","issn":["2471-2566","2471-2574"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Privacy and Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":32,"referenced_works":["https://openalex.org/W164610907","https://openalex.org/W170652726","https://openalex.org/W172558989","https://openalex.org/W191656338","https://openalex.org/W1481472066","https://openalex.org/W1503224444","https://openalex.org/W1522250664","https://openalex.org/W1534092936","https://openalex.org/W1562605315","https://openalex.org/W1992181084","https://openalex.org/W2032151752","https://openalex.org/W2084944235","https://openalex.org/W2088307662","https://openalex.org/W2100002952","https://openalex.org/W2114780348","https://openalex.org/W2115175195","https://openalex.org/W2119251836","https://openalex.org/W2120297918","https://openalex.org/W2136245903","https://openalex.org/W2140807364","https://openalex.org/W2145688371","https://openalex.org/W2161784403","https://openalex.org/W2163292449","https://openalex.org/W2169294765","https://openalex.org/W2176830056","https://openalex.org/W2193838104","https://openalex.org/W2294049595","https://openalex.org/W2574215789","https://openalex.org/W2618822292","https://openalex.org/W2712617220","https://openalex.org/W2752858240","https://openalex.org/W3008874807"],"related_works":["https://openalex.org/W3124171372","https://openalex.org/W2235294519","https://openalex.org/W4248174414","https://openalex.org/W2943837643","https://openalex.org/W2075174112","https://openalex.org/W2622620488","https://openalex.org/W2931307517","https://openalex.org/W2947326503","https://openalex.org/W1596832152","https://openalex.org/W2976854232"],"abstract_inverted_index":{"Malware":[0],"analysis":[1],"relies":[2],"heavily":[3],"on":[4],"the":[5,98,132,140,146,164,183,188,201,221],"use":[6,59],"of":[7,90,134,142,148,160,203],"virtual":[8,22],"machines":[9,58],"(VMs)":[10],"for":[11,29],"functionality":[12],"and":[13,23,32,56,62,104,136,175,217,237],"safety.":[14],"There":[15],"are":[16],"subtle":[17],"differences":[18,31,53,99,184],"in":[19,80,172],"operation":[20],"between":[21,54,100],"physical":[24,57,106,229],"machines.":[25],"Contemporary":[26],"malware":[27,46,212],"checks":[28],"these":[30],"changes":[33],"its":[34],"behavior":[35],"when":[36],"it":[37,240],"detects":[38,214],"a":[39,72,101,105,154,228],"VM":[40,103,176,194,207,235,243],"presence.":[41],"These":[42],"anti-VM":[43,78],"techniques":[44,79],"hinder":[45],"analysis.":[47],"Existing":[48],"research":[49],"approaches":[50],"to":[51,96,150,169,224],"uncover":[52],"VMs":[55,149,204],"randomized":[60],"testing,":[61],"thus":[63],"cannot":[64],"guarantee":[65],"completeness.":[66],"In":[67],"this":[68],"article,":[69],"we":[70,83,192],"propose":[71,84,193],"detect-and-hide":[73],"approach,":[74],"which":[75,199],"systematically":[76],"addresses":[77],"malware.":[81,206,246],"First,":[82],"cardinal":[85],"pill":[86,92,113,128,179],"testing":[87,93,114,180],"\u2014a":[88,196],"modification":[89],"red":[91,127],"that":[94,185,227,239],"aims":[95],"enumerate":[97],"given":[102],"machine":[107,230],"through":[108],"carefully":[109],"designed":[110],"tests.":[111],"Cardinal":[112,178],"finds":[115],"five":[116],"times":[117,123],"more":[118],"pills":[119,135],"by":[120,163],"running":[121],"15":[122],"fewer":[124],"tests":[125],"than":[126],"testing.":[129],"We":[130,233],"examine":[131],"causes":[133],"find":[137],"that,":[138],"while":[139],"majority":[141],"them":[143],"stem":[144,157,186],"from":[145,158,187,205,245],"failure":[147],"follow":[151],"CPU":[152,174],"specifications,":[153],"small":[155],"number":[156],"under-specification":[159],"certain":[161],"instructions":[162],"Intel":[165],"manual.":[166],"This":[167],"leads":[168],"divergent":[170],"implementations":[171],"different":[173],"architectures.":[177],"successfully":[181,241],"enumerates":[182],"first":[189],"cause.":[190],"Finally,":[191],"Cloak":[195,208,236],"WinDbg":[197],"plug-in":[198],"hides":[200,242],"presence":[202,244],"monitors":[209],"each":[210],"execute":[211],"command,":[213],"potential":[215],"pills,":[216],"at":[218],"runtime":[219],"modifies":[220],"command\u2019s":[222],"outcomes":[223],"match":[225],"those":[226],"would":[231],"generate.":[232],"implemented":[234],"verified":[238]},"counts_by_year":[{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":1},{"year":2023,"cited_by_count":4},{"year":2022,"cited_by_count":7},{"year":2021,"cited_by_count":5},{"year":2020,"cited_by_count":7},{"year":2019,"cited_by_count":2},{"year":2018,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}