{"id":"https://openalex.org/W3168148707","doi":"https://doi.org/10.1145/3433210.3457894","title":"Identifying Behavior Dispatchers for Malware Analysis","display_name":"Identifying Behavior Dispatchers for Malware Analysis","publication_year":2021,"publication_date":"2021-05-24","ids":{"openalex":"https://openalex.org/W3168148707","doi":"https://doi.org/10.1145/3433210.3457894","mag":"3168148707"},"language":"en","primary_location":{"id":"doi:10.1145/3433210.3457894","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3433210.3457894","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5005400634","display_name":"Kyuhong Park","orcid":"https://orcid.org/0000-0002-6040-0204"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Kyuhong Park","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5010237044","display_name":"Burak Sahin","orcid":"https://orcid.org/0009-0000-8701-9211"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Burak Sahin","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5002430973","display_name":"Yongheng Chen","orcid":"https://orcid.org/0000-0001-8139-6892"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yongheng Chen","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5048301900","display_name":"Jisheng Zhao","orcid":"https://orcid.org/0000-0001-5769-4507"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Jisheng Zhao","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5090363876","display_name":"Evan Downing","orcid":null},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Evan Downing","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102150414","display_name":"Hong Hu","orcid":"https://orcid.org/0000-0002-6261-3190"},"institutions":[{"id":"https://openalex.org/I130769515","display_name":"Pennsylvania State University","ror":"https://ror.org/04p491231","country_code":"US","type":"education","lineage":["https://openalex.org/I130769515"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Hong Hu","raw_affiliation_strings":["Penn State University, Collegeville, PA, USA"],"affiliations":[{"raw_affiliation_string":"Penn State University, Collegeville, PA, USA","institution_ids":["https://openalex.org/I130769515"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5047140382","display_name":"Wenke Lee","orcid":"https://orcid.org/0000-0003-2761-1277"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Wenke Lee","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5005400634"],"corresponding_institution_ids":["https://openalex.org/I130701444"],"apc_list":null,"apc_paid":null,"fwci":1.0665,"has_fulltext":false,"cited_by_count":9,"citation_normalized_percentile":{"value":0.7643002,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":97},"biblio":{"volume":null,"issue":null,"first_page":"759","last_page":"773"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.998199999332428,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9980000257492065,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.8844438791275024},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8300609588623047},{"id":"https://openalex.org/keywords/obfuscation","display_name":"Obfuscation","score":0.6503868103027344},{"id":"https://openalex.org/keywords/cryptovirology","display_name":"Cryptovirology","score":0.6100467443466187},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5904144048690796},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.5309982299804688},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.49451538920402527},{"id":"https://openalex.org/keywords/encryption","display_name":"Encryption","score":0.4679761230945587},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.44689470529556274},{"id":"https://openalex.org/keywords/malware-analysis","display_name":"Malware analysis","score":0.4461532235145569},{"id":"https://openalex.org/keywords/symbolic-execution","display_name":"Symbolic execution","score":0.41060417890548706},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.16769689321517944},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.10702049732208252},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.09080293774604797}],"concepts":[{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.8844438791275024},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8300609588623047},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.6503868103027344},{"id":"https://openalex.org/C84525096","wikidata":"https://www.wikidata.org/wiki/Q3506050","display_name":"Cryptovirology","level":3,"score":0.6100467443466187},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5904144048690796},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.5309982299804688},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.49451538920402527},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.4679761230945587},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.44689470529556274},{"id":"https://openalex.org/C2779395397","wikidata":"https://www.wikidata.org/wiki/Q15731404","display_name":"Malware analysis","level":3,"score":0.4461532235145569},{"id":"https://openalex.org/C2779639559","wikidata":"https://www.wikidata.org/wiki/Q7661178","display_name":"Symbolic execution","level":3,"score":0.41060417890548706},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.16769689321517944},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.10702049732208252},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.09080293774604797}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3433210.3457894","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3433210.3457894","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.75,"id":"https://metadata.un.org/sdg/16"}],"awards":[{"id":"https://openalex.org/G6069866899","display_name":null,"funder_award_id":"HR00112090031","funder_id":"https://openalex.org/F4320332180","funder_display_name":"Defense Advanced Research Projects Agency"},{"id":"https://openalex.org/G8499113514","display_name":null,"funder_award_id":"N00014-17-1-2895, N00014-15-1-2162, N00014-18-1-2662","funder_id":"https://openalex.org/F4320337345","funder_display_name":"Office of Naval Research"}],"funders":[{"id":"https://openalex.org/F4320332180","display_name":"Defense Advanced Research Projects Agency","ror":"https://ror.org/02caytj08"},{"id":"https://openalex.org/F4320337345","display_name":"Office of Naval Research","ror":"https://ror.org/00rk2pe57"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":34,"referenced_works":["https://openalex.org/W109909280","https://openalex.org/W1515180657","https://openalex.org/W1892063863","https://openalex.org/W1954816054","https://openalex.org/W1966917466","https://openalex.org/W2046185165","https://openalex.org/W2057330156","https://openalex.org/W2082594235","https://openalex.org/W2091939272","https://openalex.org/W2117030266","https://openalex.org/W2137530017","https://openalex.org/W2138788987","https://openalex.org/W2140323279","https://openalex.org/W2140807364","https://openalex.org/W2155943969","https://openalex.org/W2160637255","https://openalex.org/W2162765234","https://openalex.org/W2496999134","https://openalex.org/W2514847810","https://openalex.org/W2514974017","https://openalex.org/W2518060702","https://openalex.org/W2560252021","https://openalex.org/W2601591992","https://openalex.org/W2625806818","https://openalex.org/W2670925489","https://openalex.org/W2766540688","https://openalex.org/W2890434219","https://openalex.org/W2963723316","https://openalex.org/W2964048003","https://openalex.org/W2990227674","https://openalex.org/W4244413641","https://openalex.org/W4247464060","https://openalex.org/W4251889484","https://openalex.org/W6727732156"],"related_works":["https://openalex.org/W2900526031","https://openalex.org/W2470502009","https://openalex.org/W170652726","https://openalex.org/W4386029484","https://openalex.org/W109909280","https://openalex.org/W2899560833","https://openalex.org/W2980762452","https://openalex.org/W120176635","https://openalex.org/W4230124743","https://openalex.org/W2125235075"],"abstract_inverted_index":{"Malware":[0],"is":[1,86],"a":[2,14,73,79,82,100,119,138,144],"major":[3],"threat":[4],"to":[5,29,35,126,149,154,164,210],"modern":[6],"computer":[7],"systems.":[8],"Malicious":[9],"behaviors":[10,153,178],"are":[11,226],"hidden":[12,60,111],"by":[13],"variety":[15],"of":[16,134,146,189],"techniques:":[17],"code":[18,83],"obfuscation,":[19],"message":[20],"encoding":[21],"and":[22,92,109,168,204,213],"encryption,":[23],"etc.":[24],"Countermeasures":[25],"have":[26],"been":[27],"developed":[28],"thwart":[30],"these":[31,40,54,97,171],"techniques":[32],"in":[33],"order":[34],"expose":[36],"malicious":[37,70,93,112,129,152,177,207,230],"behaviors.":[38,130,231],"However,":[39],"countermeasures":[41],"rely":[42],"heavily":[43],"on":[44,160],"identifying":[45,96],"specific":[46],"API":[47],"calls,":[48],"which":[49,76,85,151,225],"has":[50],"significant":[51],"limitations":[52],"as":[53],"calls":[55],"can":[56,103,173],"be":[57,104],"misleading":[58],"or":[59],"from":[61],"the":[62,135,192],"analyst.":[63],"In":[64],"this":[65],"paper,":[66],"we":[67,77],"show":[68,169,184],"that":[69,121,137,170,185,219],"programs":[71],"share":[72],"key":[74],"component":[75],"call":[78],"behavior":[80,98,107,124,166,223],"dispatcher,":[81],"structure":[84],"intercepted":[87],"between":[88],"various":[89],"condition":[90],"checks":[91],"actions.":[94],"By":[95],"dispatchers,":[99,224],"malware":[101,162],"analysis":[102],"guided":[105],"into":[106],"dispatchers":[108,125,167,172,190],"activate":[110],"actions":[113],"more":[114,176,206],"easily.":[115],"We":[116,157],"propose":[117],"BDHunter,":[118],"system":[120],"automatically":[122],"identifies":[123,187,222],"assist":[127],"triggering":[128],"BDHunter":[131,159,186,220],"takes":[132],"advantage":[133],"observation":[136],"dispatcher":[139],"compares":[140],"an":[141],"input":[142],"with":[143],"set":[145],"expected":[147],"values":[148],"determine":[150],"execute":[155],"next.":[156],"evaluate":[158],"recent":[161],"samples":[163],"identify":[165],"help":[174],"trigger":[175],"(otherwise":[179],"hidden).":[180],"Our":[181],"experimental":[182],"results":[183],"77.4%":[188],"within":[191],"top":[193],"20":[194],"candidates":[195],"discovered.":[196],"Furthermore,":[197],"BDHunter-guided":[198],"concolic":[199,214],"execution":[200],"successfully":[201],"triggers":[202],"13.0x":[203],"2.6x":[205],"behaviors,":[208],"compared":[209],"unguided":[211],"symbolic":[212],"execution,":[215],"respectively.":[216],"These":[217],"demonstrate":[218],"effectively":[221],"useful":[227],"for":[228],"exposing":[229]},"counts_by_year":[{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":3},{"year":2023,"cited_by_count":3},{"year":2022,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}