{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,7,31]],"date-time":"2024-07-31T17:55:49Z","timestamp":1722448549071},"reference-count":79,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2019,7,1]],"date-time":"2019-07-01T00:00:00Z","timestamp":1561939200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers & Security"],"published-print":{"date-parts":[[2019,7]]},"DOI":"10.1016\/j.cose.2019.03.015","type":"journal-article","created":{"date-parts":[[2019,3,20]],"date-time":"2019-03-20T12:58:51Z","timestamp":1553086731000},"page":"120-147","update-policy":"http:\/\/dx.doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":8,"special_numbering":"C","title":["AIDIS: Detecting and classifying anomalous behavior in ubiquitous kernel processes"],"prefix":"10.1016","volume":"84","author":[{"given":"Robert","family":"Luh","sequence":"first","affiliation":[]},{"ORCID":"http:\/\/orcid.org\/0000-0002-1345-2829","authenticated-orcid":false,"given":"Helge","family":"Janicke","sequence":"additional","affiliation":[]},{"given":"Sebastian","family":"Schrittwieser","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.cose.2019.03.015_bib0001","first-page":"2300","article-title":"Multi class support vector machine implementation to intrusion detection Vol. 3, July 2003,","volume":"3","author":"Ambwani","year":"2003"},{"key":"10.1016\/j.cose.2019.03.015_bib0002","series-title":"Proceedings of the international conference on pervasive services, 2005. ICPS\u201905","first-page":"425","article-title":"Enabling attack behavior prediction in ubiquitous environments","author":"Anagnostopoulos","year":"2005"},{"issue":"4","key":"10.1016\/j.cose.2019.03.015_bib0003","doi-asserted-by":"crossref","first-page":"247","DOI":"10.1007\/s11416-011-0152-x","article-title":"Graph-based malware detection using dynamic analysis","volume":"7","author":"Anderson","year":"2011","journal-title":"J Comput Virol"},{"key":"10.1016\/j.cose.2019.03.015_bib0004","first-page":"1","article-title":"Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX\u2122)","volume":"11","author":"Barnum","year":"2012","journal-title":"MITRE Corp"},{"key":"10.1016\/j.cose.2019.03.015_bib0005","series-title":"Proceedings of the compression and complexity of sequences 1997","first-page":"21","article-title":"On the resemblance and containment of documents","author":"Broder","year":"1997"},{"key":"10.1016\/j.cose.2019.03.015_bib0007","series-title":"Technical report, Center for Cyber Intelligence Analysis and ThreatResearch, Hanover","article-title":"The diamond model of intrusion analysis","author":"Caltagirone","year":"2013"},{"key":"10.1016\/j.cose.2019.03.015_bib0008","series-title":"Proceedings of the fifth USENIX workshop on large-scale exploits and emergent threats (LEET)","article-title":"W32. duqu: the precursor to the next Stuxnet","author":"Chien","year":"2012"},{"issue":"3","key":"10.1016\/j.cose.2019.03.015_bib0011","doi-asserted-by":"crossref","first-page":"273","DOI":"10.1007\/BF00994018","article-title":"Support-vector networks","volume":"20","author":"Cortes","year":"1995","journal-title":"Mach Learn"},{"key":"10.1016\/j.cose.2019.03.015_bib0012","doi-asserted-by":"crossref","first-page":"67","DOI":"10.1613\/jair.374","article-title":"Identifying hierarchical structure in sequences: a linear-time algorithm","volume":"7","author":"Craig","year":"1997","journal-title":"J Artif Intell Res (JAIR)"},{"key":"10.1016\/j.cose.2019.03.015_bib0013","series-title":"Proceedings of the sixteenth ACM SIGKDD international conference on knowledge discovery and data mining","first-page":"47","article-title":"Multiple kernel learning for heterogeneous anomaly detection: algorithm and aviation safety case study","author":"Das","year":"2010"},{"key":"10.1016\/j.cose.2019.03.015_bib0014","series-title":"Proceedings of the international. conference on cyber security","first-page":"54","article-title":"Systems for detecting advanced persistent threats: a development roadmap using intelligent data analysis","author":"De Vries","year":"2012"},{"key":"10.1016\/j.cose.2019.03.015_bib0015","series-title":"Proceedings of the computer network security","first-page":"191","article-title":"Using behavioral modeling and customized normalcy profiles as protection against targeted cyber-attacks","author":"Dolgikh","year":"2012"},{"key":"10.1016\/j.cose.2019.03.015_bib0016","first-page":"61","article-title":"Accurate methods for the statistics of surprise and coincidence","author":"Dunning","year":"1993","journal-title":"Comput Linguist"},{"key":"10.1016\/j.cose.2019.03.015_bib0017","series-title":"Proceedings of the IEEE military communications conference, 2006. MILCOM 2006","first-page":"1","article-title":"Using attack and protection trees to analyze threats and defenses to homeland security","author":"Edge","year":"2006"},{"key":"10.1016\/j.cose.2019.03.015_bib0018","series-title":"Proceedings of the international conference on applications and theory of petri nets","first-page":"206","article-title":"Learning workflow petri nets","author":"Esparza","year":"2010"},{"key":"10.1016\/j.cose.2019.03.015_bib0019","unstructured":"Falliere N, Murchu L, Chien E. W32.stuxnet. dossier. Accessed 2015-09-18. https:\/\/www.symantec.com\/content\/en\/us\/enterprise\/media\/security_response\/whitepapers\/w32_stuxnet_dossier.pdf."},{"issue":"3","key":"10.1016\/j.cose.2019.03.015_sbref0016","doi-asserted-by":"crossref","first-page":"74","DOI":"10.1109\/2.573670","article-title":"Dynamic linking of software components","volume":"30","author":"Franz","year":"1997","journal-title":"Computer"},{"key":"10.1016\/j.cose.2019.03.015_bib0021","unstructured":"Freytag T. Woped-workflow petri net designer. University of Cooperative Education; 2005. 279\u2013282."},{"key":"10.1016\/j.cose.2019.03.015_sbref0017","series-title":"Proceedings of the twentieth international conference on computational linguistics","first-page":"841","article-title":"Sentiment classification on customer feedback data: noisy data, large feature vectors, and the role of linguistic analysis","author":"Gamon","year":"2004"},{"key":"10.1016\/j.cose.2019.03.015_bib0023","doi-asserted-by":"crossref","first-page":"241","DOI":"10.1016\/j.knosys.2018.11.030","article-title":"Localized multiple kernel learning for anomaly detection: one-class classification","volume":"165","author":"Gautam","year":"2019","journal-title":"Knowl Based Syst"},{"key":"10.1016\/j.cose.2019.03.015_bib0024","series-title":"Proceedings of the 2012 international conference on cyber security (cybersecurity)","first-page":"69","article-title":"A context-based detection framework for advanced persistent threats","author":"Giura","year":"2012"},{"key":"10.1016\/j.cose.2019.03.015_bib0025","unstructured":"Greenberg A. Russians fingered for \u2019Uroburos\u2019 spy malware campaign, went undetected for years \u2013 SC Magazine. Accessed 2015-07-29. http:\/\/www.scmagazine.com\/russians-fingered-for-uroburos-spy-malware-campaign-went-undetected-for-years\/article\/336570\/."},{"key":"10.1016\/j.cose.2019.03.015_bib0026","unstructured":"Herman L. Malware Attack at US Health Organization Went Undetected for 2 Years. Accessed 2015-10-20. http:\/\/www.hackbusters.com\/news\/stories\/187232-malware-attack-at-us-health-organization-went-undetected-for-2-years."},{"key":"10.1016\/j.cose.2019.03.015_bib0027","series-title":"Proceedings of the sixteenth ACM conference on computer and communications security","first-page":"611","article-title":"Large-scale malware indexing using function-call graphs","author":"Hu","year":"2009"},{"key":"10.1016\/j.cose.2019.03.015_bib0028","first-page":"80","article-title":"Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains","volume":"1","author":"Hutchins","year":"2011","journal-title":"Leading Issues in Information Warfare & Security Research"},{"key":"10.1016\/j.cose.2019.03.015_bib0029","unstructured":"Joint Task Force Transformation Initiative. SP 800-53 rev. 4. recommended security controls for federal information systems and organizations. 2015. Gaithersburg, MD, United States. Technical report"},{"key":"10.1016\/j.cose.2019.03.015_bib0030","first-page":"547","article-title":"\u00c9tude comparative de la distribution florale dans une portion des alpes et des jura","volume":"37","author":"Jaccard","year":"1901","journal-title":"Bull Soc Vaudoise Sci Nat"},{"key":"10.1016\/j.cose.2019.03.015_sbref0023","series-title":"Proceedings of the USENIX security symposium","article-title":"Jackstraws: Picking command and control connections from bot traffic","author":"Jacob","year":"2011"},{"key":"10.1016\/j.cose.2019.03.015_bib0032","series-title":"Proceedings of the international conference on information security and cryptology","first-page":"118","article-title":"Serial model for attack tree computations","author":"J\u00fcrgenson","year":"2009"},{"key":"10.1016\/j.cose.2019.03.015_bib0033","unstructured":"Knight S.. Sophisticated malware dubbed \u2019The Mask\u2019 went undetected for the past seven years - TechSpot. Accessed 2015-07-29. http:\/\/www.techspot.com\/news\/55640-sophisticated-malware-dubbed-the-mask-went-undetected-for-the-past-seven-years.html."},{"issue":"1","key":"10.1016\/j.cose.2019.03.015_bib0034","doi-asserted-by":"crossref","first-page":"55","DOI":"10.1093\/logcom\/exs029","article-title":"Attack\u2013defense trees","volume":"24","author":"Kordy","year":"2014","journal-title":"J Logic Comput"},{"key":"10.1016\/j.cose.2019.03.015_sbref0026","article-title":"Recent advances in intrusion detection","volume":"4637","author":"Kruegel","year":"2007"},{"issue":"1-2","key":"10.1016\/j.cose.2019.03.015_bib0036","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1002\/nav.3800020109","article-title":"The hungarian method for the assignment problem","volume":"2","author":"Kuhn","year":"1955","journal-title":"Naval Res Logist Q"},{"key":"10.1016\/j.cose.2019.03.015_bib0037","series-title":"Lectures on the theory of games","author":"Kuhn","year":"2009"},{"key":"10.1016\/j.cose.2019.03.015_bib0038","unstructured":"Kaspersky Lab. Duqu: Steal Everything. Accessed 2015-07-29. http:\/\/www.kaspersky.com\/about\/press\/major_malware_outbreaks\/duqu."},{"key":"10.1016\/j.cose.2019.03.015_bib0069","unstructured":"Kaspersky Lab\u2019s Global Research & Analysis Team. Gauss: abnormal distribution \u2013 securelist. Accessed 2015-07-29. https:\/\/securelist.com\/analysis\/36620\/gauss-abnormal-distribution\/."},{"key":"10.1016\/j.cose.2019.03.015_bib0077","unstructured":"Kujawa Adam. You dirty RAT! Part 1: DarkComet. 2012 https:\/\/blog.malwarebytes.com\/threat-analysis\/2012\/06\/you-dirty-rat-part-1-darkcomet\/."},{"key":"10.1016\/j.cose.2019.03.015_bib0039","unstructured":"Lab K. What is Flame Malware | Definition and Risks | Kaspersky Lab. 2012. Accessed 2015-07-29. http:\/\/www.kaspersky.com\/flame."},{"issue":"3","key":"10.1016\/j.cose.2019.03.015_bib0040","first-page":"18","article-title":"Classification and regression by randomforest","volume":"2","author":"Liaw","year":"2002","journal-title":"R News"},{"key":"10.1016\/j.cose.2019.03.015_bib0041","first-page":"1","article-title":"Semantics-aware detection of targeted attacks: a survey","author":"Luh","year":"2016","journal-title":"J Comput Virol Hack Tech"},{"key":"10.1016\/j.cose.2019.03.015_bib0042","first-page":"1","article-title":"SEQUIN: a grammar inference framework for analyzing malicious system behavior","author":"Luh","year":"2018","journal-title":"J Comput Virol Hack Tech"},{"key":"10.1016\/j.cose.2019.03.015_bib0043","series-title":"Proceedings of the eighteenth international conference on information integration and web-based applications and services","article-title":"TAON: An ontology-based approach to mitigating targeted attacks","author":"Luh","year":"2016"},{"key":"10.1016\/j.cose.2019.03.015_bib0044","series-title":"Proceedings of the 2017 IEEE thirty-first international conference on advanced information networking and applications (AINA)","first-page":"764","article-title":"LLR-based sentiment analysis for kernel event sequences","author":"Luh","year":"2017"},{"key":"10.1016\/j.cose.2019.03.015_bib0045","series-title":"Proceedings of the ICISSP","first-page":"397","article-title":"Design of an anomaly-based threat detection & explication system","author":"Luh","year":"2017"},{"key":"10.1016\/j.cose.2019.03.015_bib0046","series-title":"Proceedings of the forth international conference on information systems security and privacy (ICISSP 2018)","article-title":"APT RPG: Design of a gamified attacker\/defender meta model","author":"Luh","year":"2018"},{"key":"10.1016\/j.cose.2019.03.015_bib0047","doi-asserted-by":"crossref","unstructured":"Luh R, Temper M, Tjoa S, Schrittwieser S, Janicke H. Penquest: a gamified attacker\/defender meta model for cyber security assessment and education. 2018c. Preprint.","DOI":"10.5220\/0006717805260537"},{"key":"10.1016\/j.cose.2019.03.015_bib0048","series-title":"Proceedings of the seventeenth international conference on information integration and web-based applications and services","article-title":"Classifying malicious system behavior using event propagation trees","author":"Marschalek","year":"2015"},{"key":"10.1016\/j.cose.2019.03.015_bib0049","unstructured":"Mills E. A who\u2019s who of Mideast-targeted malware. Accessed 2015-09-18. http:\/\/www.cnet.com\/news\/a-whos-who-of-mideast-targeted-malware\/."},{"issue":"2","key":"10.1016\/j.cose.2019.03.015_bib0050","doi-asserted-by":"crossref","first-page":"39","DOI":"10.1145\/997150.997156","article-title":"A taxonomy of DDoD attack and ddos defense mechanisms","volume":"34","author":"Mirkovic","year":"2004","journal-title":"ACM SIGCOMM Comput Commun Rev"},{"key":"10.1016\/j.cose.2019.03.015_bib0009","unstructured":"MITRE Corporation. CAPEC \u2013 common attack pattern enumeration and Classification (CAPEC). a. Accessed 2015-09-22. https:\/\/capec.mitre.org\/."},{"key":"10.1016\/j.cose.2019.03.015_bib0010","unstructured":"MITRE Corporation. STIX \u2013 structured threat information expression | STIX Project Documentation. b. Accessed 2015-09-22. https:\/\/stixproject.github.io\/."},{"key":"10.1016\/j.cose.2019.03.015_bib0051","unstructured":"Morgan S. 2017 cybercrime report. 2017. Technical report, Cybersecurity Ventures."},{"key":"10.1016\/j.cose.2019.03.015_bib0052","unstructured":"Munsey C. Economic espionage: Competing For Trade By Stealing Industrial Secrets. Accessed 2015-09-15. https:\/\/leb.fbi.gov\/2013\/october-november\/economic-espionage-competing-for-trade-by-stealing-industrial-secrets."},{"key":"10.1016\/j.cose.2019.03.015_bib0053","series-title":"Proceedings of the tenth IFIP\/IEEE international symposium on integrated network management, 2007. IM\u201907","first-page":"100","article-title":"Real-time analysis of flow data for network attack detection","author":"M\u00fcnz","year":"2007"},{"key":"10.1016\/j.cose.2019.03.015_bib0055","series-title":"Proceedings of the ninth ACM SIGKDD international conference on Knowledge discovery and data mining","first-page":"631","article-title":"Graph-based anomaly detection","author":"Noble","year":"2003"},{"key":"10.1016\/j.cose.2019.03.015_bib0056","series-title":"Proceedings of the 1998 workshop on new security paradigms","first-page":"71","article-title":"A graph-based system for network-vulnerability analysis","author":"Phillips","year":"1998"},{"key":"10.1016\/j.cose.2019.03.015_sbref0041","series-title":"Computer network security","first-page":"86","article-title":"Attack and defense modeling with BDMP","author":"Pi\u00e8tre-Cambac\u00e9d\u00e8s","year":"2010"},{"key":"10.1016\/j.cose.2019.03.015_bib0058","series-title":"Mining of massive datasets","author":"Rajaraman","year":"2011"},{"key":"10.1016\/j.cose.2019.03.015_bib0070","unstructured":"R Development Core Team. R: A language and environment for statistical computing. r foundation for statistical computing, vienna, austria. 2008. ISBN 3-900051-07-0. http:\/\/www.R-project.org."},{"issue":"4","key":"10.1016\/j.cose.2019.03.015_sbref0043","doi-asserted-by":"crossref","first-page":"639","DOI":"10.3233\/JCS-2010-0410","article-title":"Automatic analysis of malware behavior using machine learning","volume":"19","author":"Rieck","year":"2011","journal-title":"J Comput Secur"},{"key":"10.1016\/j.cose.2019.03.015_bib0060","series-title":"Windows internals","author":"Russinovich","year":"2012"},{"issue":"12","key":"10.1016\/j.cose.2019.03.015_bib0061","first-page":"21","article-title":"Attack trees","volume":"24","author":"Schneier","year":"1999","journal-title":"Dr Dobb\u2019s J"},{"key":"10.1016\/j.cose.2019.03.015_bib0062","series-title":"Proceedings of the advances in neural information processing systems","first-page":"582","article-title":"Support vector method for novelty detection","author":"Sch\u00f6lkopf","year":"2000"},{"key":"10.1016\/j.cose.2019.03.015_bib0063","unstructured":"Seculert. Mahdi \u2013 The Cyberwar Savior?Accessed 2015-07-29. http:\/\/www.seculert.com\/blog\/2012\/07\/mahdi-cyberwar-savior.html."},{"key":"10.1016\/j.cose.2019.03.015_bib0064","series-title":"Proceedings of the 2002 IEEE symposium on security and privacy, 2002","first-page":"273","article-title":"Automated generation and analysis of attack graphs","author":"Sheyner","year":"2002"},{"issue":"1","key":"10.1016\/j.cose.2019.03.015_bib0065","first-page":"54","article-title":"Targeted cyberattacks: a superset of advanced persistent threats","author":"Sood","year":"2013","journal-title":"IEEE Secur Priv"},{"key":"10.1016\/j.cose.2019.03.015_bib0066","doi-asserted-by":"crossref","unstructured":"Stoneburner G, Goguen AY, Feringa A. SP 800-30. Risk Management Guide for Information Technology Systems. 2002. Technical report","DOI":"10.6028\/NIST.SP.800-30"},{"key":"10.1016\/j.cose.2019.03.015_bib0067","unstructured":"Syed Z, Padia A, Finin T, Mathews ML, Joshi A. UCO: a unified cybersecurity ontology. 2016."},{"key":"10.1016\/j.cose.2019.03.015_bib0068","unstructured":"Symantec. Regin: Top-tier espionage tool enables stealthy surveillance. Accessed 2015-09-15. http:\/\/www.symantec.com\/connect\/blogs\/regin-top-tier-espionage-tool-enables-stealthy-surveillance."},{"key":"10.1016\/j.cose.2019.03.015_bib0054","unstructured":"The Hacker News. Harkonnen operation \u2013 malware campaign that went undetected for 12 years. Accessed 2015-07-29. http:\/\/thehackernews.com\/2014\/09\/harkonnen-operation-malware-campaign_16.html."},{"key":"10.1016\/j.cose.2019.03.015_bib0071","series-title":"Technical report","article-title":"A malware instruction set for behavior-based analysis","author":"Trinius","year":"2009"},{"key":"10.1016\/j.cose.2019.03.015_bib0072","series-title":"Proceedings of the eighteenth international joint conference on artificial intelligence","first-page":"9","article-title":"A target-centric ontology for intrusion detection","author":"Undercoffer","year":"2004"},{"key":"10.1016\/j.cose.2019.03.015_bib0006","unstructured":"University of California. KDD Cup 1999 Data. Accessed 2015-07-29 http:\/\/kdd.ics.uci.edu\/databases\/kddcup99\/kddcup99.html."},{"key":"10.1016\/j.cose.2019.03.015_bib0073","series-title":"Proceedings of the 2014 first international scientific-practical conference problems of infocommunications science and technology","first-page":"173","article-title":"Flow based analysis of advanced persistent threats detecting targeted attacks in cloud computing","author":"Vance","year":"2014"},{"key":"10.1016\/j.cose.2019.03.015_bib0074","series-title":"Proceedings of the ninth ACM conference on computer and communications security","first-page":"255","article-title":"Mimicry attacks on host-based intrusion detection systems","author":"Wagner","year":"2002"},{"key":"10.1016\/j.cose.2019.03.015_bib0075","unstructured":"Wagner M, Fischer F, Luh R, Haberson A, Rind A, Keim D, Aigner W, Borgo R, Ganovelli F, Viola I. A survey of visualization systems for malware analysis. In: Proceedings of the Eurographics conference on visualization (EUROVIS) state of the art reports; 105\u2013125 EuroGraphics."},{"key":"10.1016\/j.cose.2019.03.015_sbref0053","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.cose.2017.02.003","article-title":"A knowledge-assisted visual malware analysis system: Design, validation, and reflection of kamas","volume":"67","author":"Wagner","year":"2017","journal-title":"Comput Secur"},{"key":"10.1016\/j.cose.2019.03.015_bib0078","series-title":"Proceedings of 2002 IEEE international conference on the data mining, 2002. ICDM 2003","first-page":"721","article-title":"GSPAN: graph-based substructure pattern mining","author":"Yan","year":"2002"},{"key":"10.1016\/j.cose.2019.03.015_bib0079","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1016\/j.knosys.2017.10.009","article-title":"Adaptive kernel density-based anomaly detection for nonlinear systems","volume":"139","author":"Zhang","year":"2018","journal-title":"Knowl Based Syst"}],"container-title":["Computers & Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404818314457?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404818314457?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2019,5,29]],"date-time":"2019-05-29T01:42:41Z","timestamp":1559094161000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404818314457"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,7]]},"references-count":79,"alternative-id":["S0167404818314457"],"URL":"http:\/\/dx.doi.org\/10.1016\/j.cose.2019.03.015","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2019,7]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"AIDIS: Detecting and classifying anomalous behavior in ubiquitous kernel processes","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2019.03.015","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2019 Elsevier Ltd. All rights reserved.","name":"copyright","label":"Copyright"}]}}
