{"id":"https://openalex.org/W4283812172","doi":"https://doi.org/10.23919/cycon55549.2022.9811078","title":"JARV1S: Phenotype Clone Search for Rapid Zero-Day Malware Triage and Functional Decomposition for Cyber Threat Intelligence","display_name":"JARV1S: Phenotype Clone Search for Rapid Zero-Day Malware Triage and Functional Decomposition for Cyber Threat Intelligence","publication_year":2022,"publication_date":"2022-05-31","ids":{"openalex":"https://openalex.org/W4283812172","doi":"https://doi.org/10.23919/cycon55549.2022.9811078"},"language":"en","primary_location":{"id":"doi:10.23919/cycon55549.2022.9811078","is_oa":false,"landing_page_url":"https://doi.org/10.23919/cycon55549.2022.9811078","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 14th International Conference on Cyber Conflict: Keep Moving! (CyCon)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5083877100","display_name":"Christopher Molloy","orcid":"https://orcid.org/0000-0003-2950-7158"},"institutions":[{"id":"https://openalex.org/I204722609","display_name":"Queen's University","ror":"https://ror.org/02y72wh86","country_code":"CA","type":"education","lineage":["https://openalex.org/I204722609"]}],"countries":["CA"],"is_corresponding":true,"raw_author_name":"Christopher Molloy","raw_affiliation_strings":["Queen’s University,School of Computing,Kingston,ON,Canada"],"affiliations":[{"raw_affiliation_string":"Queen’s University,School of Computing,Kingston,ON,Canada","institution_ids":["https://openalex.org/I204722609"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5052958340","display_name":"Philippe Charland","orcid":"https://orcid.org/0000-0003-4051-9942"},"institutions":[{"id":"https://openalex.org/I1297460800","display_name":"Defence Research and Development Canada","ror":"https://ror.org/00hgy8d33","country_code":"CA","type":"funder","lineage":["https://openalex.org/I1297460800","https://openalex.org/I1336338359","https://openalex.org/I2802286613"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Philippe Charland","raw_affiliation_strings":["Mission Critical Cyber Security Section Defence Research and Development Canada,Quebec,QC,Canada","Mission Critical Cyber Security Section Defence Research and Development Canada, Quebec, QC, Canada"],"affiliations":[{"raw_affiliation_string":"Mission Critical Cyber Security Section Defence Research and Development Canada,Quebec,QC,Canada","institution_ids":["https://openalex.org/I1297460800"]},{"raw_affiliation_string":"Mission Critical Cyber Security Section Defence Research and Development Canada, Quebec, QC, Canada","institution_ids":["https://openalex.org/I1297460800"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5007693994","display_name":"Steven H. H. Ding","orcid":"https://orcid.org/0000-0003-4513-200X"},"institutions":[{"id":"https://openalex.org/I204722609","display_name":"Queen's University","ror":"https://ror.org/02y72wh86","country_code":"CA","type":"education","lineage":["https://openalex.org/I204722609"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Steven H. H. Ding","raw_affiliation_strings":["Queen’s University,School of Computing,Kingston,ON,Canada"],"affiliations":[{"raw_affiliation_string":"Queen’s University,School of Computing,Kingston,ON,Canada","institution_ids":["https://openalex.org/I204722609"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5021788449","display_name":"Benjamin C. M. Fung","orcid":"https://orcid.org/0000-0001-8423-2906"},"institutions":[{"id":"https://openalex.org/I5023651","display_name":"McGill University","ror":"https://ror.org/01pxwe438","country_code":"CA","type":"education","lineage":["https://openalex.org/I5023651"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Benjamin C. M. Fung","raw_affiliation_strings":["McGill University,School of Information Studies,Montreal,QC,Canada","School of Information Studies, McGill University, Montreal, QC, Canada"],"affiliations":[{"raw_affiliation_string":"McGill University,School of Information Studies,Montreal,QC,Canada","institution_ids":["https://openalex.org/I5023651"]},{"raw_affiliation_string":"School of Information Studies, McGill University, Montreal, QC, Canada","institution_ids":["https://openalex.org/I5023651"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5083877100"],"corresponding_institution_ids":["https://openalex.org/I204722609"],"apc_list":null,"apc_paid":null,"fwci":0.4464,"has_fulltext":false,"cited_by_count":3,"citation_normalized_percentile":{"value":0.57028485,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":96},"biblio":{"volume":null,"issue":null,"first_page":"385","last_page":"403"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9987999796867371,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9905999898910522,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.9134975671768188},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7547574043273926},{"id":"https://openalex.org/keywords/cryptovirology","display_name":"Cryptovirology","score":0.6530858278274536},{"id":"https://openalex.org/keywords/triage","display_name":"Triage","score":0.622134268283844},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5250085592269897},{"id":"https://openalex.org/keywords/medicine","display_name":"Medicine","score":0.09474688768386841}],"concepts":[{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.9134975671768188},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7547574043273926},{"id":"https://openalex.org/C84525096","wikidata":"https://www.wikidata.org/wiki/Q3506050","display_name":"Cryptovirology","level":3,"score":0.6530858278274536},{"id":"https://openalex.org/C2777120189","wikidata":"https://www.wikidata.org/wiki/Q780067","display_name":"Triage","level":2,"score":0.622134268283844},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5250085592269897},{"id":"https://openalex.org/C71924100","wikidata":"https://www.wikidata.org/wiki/Q11190","display_name":"Medicine","level":0,"score":0.09474688768386841},{"id":"https://openalex.org/C194828623","wikidata":"https://www.wikidata.org/wiki/Q2861470","display_name":"Emergency medicine","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.23919/cycon55549.2022.9811078","is_oa":false,"landing_page_url":"https://doi.org/10.23919/cycon55549.2022.9811078","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 14th International Conference on Cyber Conflict: Keep Moving! (CyCon)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.5099999904632568,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":19,"referenced_works":["https://openalex.org/W1544399847","https://openalex.org/W1974527629","https://openalex.org/W2018175892","https://openalex.org/W2021264330","https://openalex.org/W2048693719","https://openalex.org/W2128212613","https://openalex.org/W2132944054","https://openalex.org/W2132979129","https://openalex.org/W2516372287","https://openalex.org/W2731423391","https://openalex.org/W2732916693","https://openalex.org/W2896360708","https://openalex.org/W2926178846","https://openalex.org/W2981091784","https://openalex.org/W3011265823","https://openalex.org/W3088376608","https://openalex.org/W3137884047","https://openalex.org/W4292541930","https://openalex.org/W6740449585"],"related_works":["https://openalex.org/W4256304280","https://openalex.org/W4249009605","https://openalex.org/W2900526031","https://openalex.org/W2395100307","https://openalex.org/W2909615516","https://openalex.org/W3183826413","https://openalex.org/W4243179955","https://openalex.org/W3205001643","https://openalex.org/W2557742076","https://openalex.org/W2968504645"],"abstract_inverted_index":{"Cyber":[0],"threat":[1,44],"intelligence":[2],"(CTI)":[3],"has":[4,49,59],"become":[5],"a":[6,73,111,131,137,267],"critical":[7],"component":[8],"of":[9,12,18,24,38,76,85,89,290],"the":[10,15,25,35,41,56,82,116,150,164,246,252],"defense":[11],"organizations":[13],"against":[14,177,284],"steady":[16],"surge":[17],"cyber":[19,247],"attacks.":[20,101],"Malware":[21,195],"is":[22,125,175,214,279],"one":[23],"most":[26],"challenging":[27],"problems":[28],"for":[29,130,152,170],"CTI,":[30],"due":[31],"to":[32,97,222,249],"its":[33],"prevalence,":[34],"massive":[36],"number":[37,75],"variants,":[39],"and":[40,87,118,142,155,193,201,207,228,266,282,287],"constantly":[42],"changing":[43],"actor":[45],"behaviors.":[46],"Currently,":[47],"Malpedia":[48],"indexed":[50],"2,390":[51],"unique":[52,66],"malware":[53,67,79,100,157,167,172,178,224,226,261,268,286],"families,":[54,225],"while":[55],"AVTEST":[57],"Institute":[58],"recorded":[60],"more":[61,107,153],"than":[62],"166":[63],"million":[64],"new":[65,288],"samples":[68],"in":[69],"2021.":[70],"There":[71],"exists":[72],"vast":[74],"variants":[77,289],"per":[78],"family.":[80],"Consequently,":[81],"signature-based":[83],"representation":[84,145],"patterns":[86],"knowledge":[88,144],"legacy":[90],"systems":[91],"can":[92,105,135],"no":[93],"longer":[94],"be":[95],"generalized":[96],"detect":[98],"future":[99],"Machine":[102],"learning-based":[103],"solutions":[104],"match":[106],"variants.":[108,179,273],"However,":[109],"as":[110,183,188],"black-box":[112],"approach,":[113],"they":[114],"lack":[115],"explainability":[117],"maintainability":[119],"required":[120],"by":[121],"incident":[122],"response":[123],"teams.There":[124],"thus":[126],"an":[127,241],"urgent":[128],"need":[129],"data-driven":[132],"system":[133,169,236,258,278],"that":[134,174,219],"abstract":[136],"future-proof,":[138],"human-friendly,":[139],"systematic,":[140],"actionable,":[141],"dependable":[143],"from":[146,149,199],"software":[147],"artifacts":[148],"past":[151],"effective":[154,176,283],"insightful":[156],"triage.":[158],"In":[159],"this":[160],"paper,":[161],"we":[162],"present":[163],"first":[165],"phenotype-based":[166],"decomposition":[168,253],"quick":[171],"triage":[173],"We":[180,255],"define":[181],"phenotypes":[182,218,239],"directly":[184],"observable":[185],"characteristics":[186],"such":[187],"code":[189,208],"fragments,":[190],"constants,":[191],"functions,":[192],"strings.":[194],"development":[196],"rarely":[197],"starts":[198],"scratch,":[200],"there":[202],"are":[203,220],"many":[204],"reused":[205],"components":[206],"fragments.":[209],"The":[210,234,274],"target":[211],"under":[212],"investigation":[213],"decomposed":[215],"into":[216],"known":[217,223,291],"mapped":[221],"behaviors,":[227],"Advanced":[229],"Persistent":[230],"Threat":[231],"(APT)":[232],"groups.":[233],"implemented":[235],"provides":[237],"visualizable":[238],"through":[240,251],"interactive":[242],"tree":[243],"map,":[244],"helping":[245],"analysts":[248],"navigate":[250],"results.":[254],"evaluated":[256],"our":[257,277],"on":[259],"200,000":[260],"samples,":[262,265],"100,000":[263],"benign":[264],"family":[269],"with":[270],"over":[271],"27,284":[272],"results":[275],"indicate":[276],"scalable,":[280],"efficient,":[281],"zero-day":[285],"families.":[292]},"counts_by_year":[{"year":2024,"cited_by_count":2},{"year":2022,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}