The rhythm of execution: unveiling the impact of sandbox execution time on cyber threat intelligence data

Xuguo WANG , Diming ZHANG , Chenglin LI , Xuan JIANG , Ligeng CHEN

Front. Comput. Sci. ›› 2026, Vol. 20 ›› Issue (4) : 2004807 DOI: 10.1007/s11704-025-50245-y

Information Security
RESEARCH ARTICLE

Abstract

As malware techniques evolve, threat actors continuously refine their code with evasion and anti-analysis strategies, making sandbox-based cyber threat intelligence (CTI) data collection essential for analyzing malicious behaviors. However, no prior research has systematically examined the relationship between execution time and intelligence data completeness, nor its impact on intelligence data fidelity. Existing sandbox configurations typically rely on predefined execution time thresholds without empirical justification, potentially leading to premature termination of critical behaviors or excessive computational overhead. To address this gap, we analyze malware execution dynamics through system calls, code execution, and data entry access patterns mapped within the MITRE ATT&CK framework. Leveraging Extreme Value Theory (EVT), we model the probabilistic distribution of intelligence data extraction over time, enabling us to estimate the likelihood of acquiring additional intelligence data as execution progresses. Our analysis reveals that the probability of obtaining new intelligence data decreases with time. Specifically, at a 95% confidence level, the probability of acquiring additional intelligence data after three minutes is 0.092, and after five minutes is 0.074, indicating a diminishing rate of intelligence extraction over extended execution periods. These findings indicate that extending execution time beyond a specific threshold provides limited additional intelligence data, highlighting the importance of determining an optimal execution time. Through an empirical framework for optimizing sandbox execution time in intelligence data extraction, we introduce a quantitative and principled execution model, providing a scientifically grounded methodology for malware analysis. Our findings provide a foundation for future research in adaptive threat intelligence data collection, enabling a data-driven approach to execution time selection in large-scale security operations.
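The abstract describes modelling, with Extreme Value Theory, how the chance of seeing further intelligence data falls as sandbox execution time grows. The following added example (not the paper's code, and not necessarily the paper's exact model) shows the general shape of such a peaks-over-threshold analysis on constructed data: for each sandbox run, the minute at which the last new ATT&CK-mapped observable appeared is recorded; the excesses over a chosen threshold are fitted with the exponential special case of the generalised Pareto distribution (shape parameter 0, an assumption made so the block needs only the standard library); and the fitted tail is used to estimate the probability of further intelligence after a given execution time and to invert that estimate into an execution-time cut-off. The run timelines, the threshold of two minutes and the 10% target are all constructed values.

```python
"""
Peaks-over-threshold tail model for the time at which a sandbox run stops
yielding new intelligence data.

Added illustration of the abstract's idea; not the paper's code and not
necessarily its exact model. Assumes an exponential tail (generalised
Pareto with shape parameter 0) fitted by maximum likelihood. All run data
below is constructed.
"""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed data: for each sandbox run, the minute at which each *new*
# ATT&CK-mapped observable (syscall pattern, code region, registry/file
# entry) was first seen. Only the last time per run feeds the tail model.
RUNS: Dict[str, List[float]] = {
    "run-01": [0.1, 0.3, 0.8],
    "run-02": [0.1, 0.5, 1.2],
    "run-03": [0.2, 0.4, 0.9, 1.5],
    "run-04": [0.1, 0.6, 1.9],
    "run-05": [0.1, 0.2, 1.0, 2.2],
    "run-06": [0.3, 1.1, 2.6],
    "run-07": [0.1, 0.8, 2.0, 3.1],
    "run-08": [0.2, 0.5, 1.3, 3.5],
    "run-09": [0.1, 0.4, 2.9, 4.4],
    "run-10": [0.1, 0.7, 3.0, 5.8],
    "run-11": [0.2, 1.5, 4.8, 7.0],
    "run-12": [0.1, 0.9, 6.1, 9.2],
}

THRESHOLD_MIN = 2.0  # POT threshold u in minutes; a constructed choice


def last_new_event_time(events: Sequence[float]) -> float:
    """Minute at which a run produced its final new observable."""
    return max(events)


def empirical_prob_new_after(last_times: Sequence[float], t: float) -> float:
    """Fraction of runs whose final new observable appeared after minute t."""
    return sum(1 for x in last_times if x > t) / len(last_times)


def fit_exponential_tail(last_times: Sequence[float],
                         threshold: float) -> Tuple[float, float]:
    """MLE fit of an exponential tail to the excesses over `threshold`.

    Returns (p_exceed, beta): the probability that a run still yields new
    data after the threshold, and the mean excess (the exponential scale).
    """
    excesses = [x - threshold for x in last_times if x > threshold]
    if not excesses:
        raise ValueError("threshold lies above every observed last-event time")
    p_exceed = len(excesses) / len(last_times)
    beta = sum(excesses) / len(excesses)
    return p_exceed, beta


def prob_new_after(t: float, last_times: Sequence[float], threshold: float,
                   p_exceed: float, beta: float) -> float:
    """P(at least one further new observable after minute t).

    Below the threshold the empirical survival function is used; above it
    the fitted tail extrapolates as P(X > u) * exp(-(t - u) / beta).
    """
    if t < threshold:
        return empirical_prob_new_after(last_times, t)
    return p_exceed * math.exp(-(t - threshold) / beta)


def execution_time_for_target(target: float, threshold: float,
                              p_exceed: float, beta: float) -> float:
    """Smallest execution time at which the modelled probability of
    further intelligence has fallen to `target` (inverse of the tail)."""
    if target >= p_exceed:
        return threshold
    return threshold + beta * math.log(p_exceed / target)


if __name__ == "__main__":
    last = [last_new_event_time(e) for e in RUNS.values()]
    p_u, beta = fit_exponential_tail(last, THRESHOLD_MIN)
    print(f"P(X > {THRESHOLD_MIN} min) = {p_u:.3f}, mean excess = {beta:.3f} min")
    for t in (1.0, 3.0, 5.0, 8.0):
        print(f"t = {t:4.1f} min  empirical {empirical_prob_new_after(last, t):.3f}"
              f"  modelled {prob_new_after(t, last, THRESHOLD_MIN, p_u, beta):.3f}")
    cutoff = execution_time_for_target(0.1, THRESHOLD_MIN, p_u, beta)
    print(f"execution time for a 10% residual chance of new data: {cutoff:.2f} min")
```

Two caveats matter when reading the output. The exponential tail is the lightest member of the generalised Pareto family; malware that stalls or sleeps before acting produces a heavier tail (positive shape parameter), which decays more slowly and pushes the cut-off later, so a shape estimate (for instance with `scipy.stats.genpareto.fit`) should replace the fixed zero shape on real data. The threshold also needs justification, typically from a mean-excess plot, since too low a threshold mixes the bulk of the distribution into the tail fit. The 0.092 and 0.074 figures quoted in the abstract come from the paper's own dataset and are not reproduced by this constructed sample.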

Keywords

cyber threat intelligence / execution time / sandbox / malware behavior / MITRE ATT&CK

Higher Education Press
