
Student: 林志鴻 (Chih-Hung Lin)
Thesis title: 提升虛擬層之網絡威脅監控與分析方法 (Efficient Hypervisor-based Cyber Threat Monitoring and Analysis)
Advisor: 鮑興國 (Hsing-Kuo Pao)
Committee members: 李育杰, 黃俊穎, 鄧惟中, 項天瑞, 蕭旭君
Degree: Doctoral (博士)
Department: 電資學院 - 資訊工程系 (College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering)
Year of publication: 2018
Academic year of graduation: 106 (ROC calendar)
Language: English
Pages: 98
Keywords: Virtual intrusion detection system, Dynamic threat analysis, Virtual time control, Information entropy, Hypervisor
Cyber security threats evolve rapidly: attackers have shifted from large-scale, broad and known attack methods to targeted, stealthy and unknown techniques. Traditional security monitoring mechanisms that rely on static signature matching are insufficient against targeted, new forms of cyber threats. Dynamic behaviour analysis can compensate for the shortcomings of static signature matching, but in the face of rapidly growing cyber threats its analysis performance remains a problem to be overcome. In addition, with the spread of virtualization and cloud applications, the nature of virtualization makes it difficult for traditional security appliances to monitor activity inside virtual machines, so they cannot adequately protect against attacks between virtual machines. Overall, the challenges for monitoring emerging cyber activity are reduced visibility into virtual networks and the time cost of dynamic threat analysis.

To address these security challenges, this thesis proposes cyber activity monitoring techniques based on hypervisor security monitoring, including: (1) a virtual intrusion detection system (vIDS) that, through correlation analysis of virtual system information, senses environment and activity information such as the operating system and network services of each virtual machine, and uses it to tune the vIDS detection rules, strengthening detection performance and thereby improving visibility into the virtual environment; (2) a time-acceleration mechanism at the hypervisor layer that uses virtual time control together with an information-entropy-based early stopping mechanism to reduce the time cost of dynamic analysis and effectively improve the performance of sandbox (VTCSandbox) dynamic analysis. This thesis also proposes a dynamic malware mining technique that measures the similarity of the temporal entropy distributions of dynamic behaviour with the earth mover's distance, or extracts feature vectors in the time and frequency domains, and applies machine learning to cluster or classify the file types of unknown threats, helping to interpret software or system behaviour and improving threat activity monitoring capability.

The above techniques improve virtual network activity detection, reduce the time required for dynamic threat analysis, and identify unknown threats, thereby strengthening cyber activity monitoring capability. Experiments verify that the proposed vIDS architecture effectively improves threat detection performance in virtual environments, and that the virtual-time-accelerated dynamic analysis technique improves sandbox dynamic analysis performance by 42%. Preliminary experiments also verify the dynamic malware mining technique, providing capability for behavioural analysis of cyber threats. In the future, these techniques can be combined with cloud services to provide cloud sandbox analysis, software stress testing and similar services, strengthening cyber threat monitoring and analysis applications.


Based on hypervisor security monitoring, this research proposes cyber activity monitoring methods, including a virtual intrusion detection system (vIDS) and a sandboxing-based method that uses virtual time control (VTC) mechanics and information measurement in the hypervisor layer.

By translating and correlating the required information from each OS's kernel map in the hypervisor layer, the vIDS can identify the OS and network services running in each VM. Consequently, the NIDS detection rules can be tuned dynamically for the current cloud virtualization environment. Compared with conventional NIDSs, which usually load many irrelevant rules for packet verification, the experiments show that the NIDS in the proposed architecture is both efficient and effective.

Furthermore, with accelerated sandboxes, security researchers can root out potential security problems in minimal analysis time. The proposed acceleration approach is easy to deploy in various environments without much reimplementation effort such as OS kernel modification. With hypervisor security monitoring equipped with malware-independent VTC mechanics and malware-dependent information measurement, many sophisticated, difficult-to-detect malware samples can be caught. This makes VTCSandbox a powerful detection and forensics tool against advanced malware attacks of many kinds. Our study shows that VTCSandbox increases the logged records available for analysis by up to 42%, or obtains the same log size within a shorter period, compared to a conventional sandbox. This research contributes to reducing dynamic analysis latency and to countering sophisticated timing-based evasion techniques used by malware, and it can be combined with existing techniques for further research. The proposed system also provides an efficient method for software torture testing, and it can be readily adopted in cloud environments to provide cloud sandboxes with efficient cloud torture testing services.

In addition, the dynamic malware mining methods can identify malicious samples. In a nutshell, the methods in this thesis create a new perspective on increasing the visibility of virtual networks, detecting unknown malware and making dynamic analysis efficient for cyber threat defense.

Contents (page numbers refer to the thesis)
Recommendation Letter ... i
Approval Letter ... ii
Abstract in Chinese ... iii
Abstract in English ... v
Acknowledgements ... vii
Contents ... ix
List of Figures ... xii
List of Tables ... xv
Terminologies and Symbols ... xvi
1 INTRODUCTION ... 1
  1.1 Background and Motivation ... 1
  1.2 Challenges ... 2
    1.2.1 Visibility decay in virtual network ... 2
    1.2.2 Unknown threat identification ... 5
    1.2.3 Dynamic analysis latency and malware evasion ... 6
  1.3 The Proposed Methods ... 7
  1.4 Thesis Outline ... 8
2 RELATED WORK ... 10
  2.1 Intrusion Detection in Virtualization Environment ... 10
  2.2 Static Malware Analysis ... 11
  2.3 Dynamic Malware Analysis ... 11
  2.4 Defeating Time-based Evasion ... 13
  2.5 Machine Learning for Malware Detection ... 13
3 METHODOLOGY ... 15
  3.1 Transparent System Behavior Introspection ... 15
  3.2 Context-Aware Virtual Intrusion Detection ... 19
    3.2.1 Overview of vIDS ... 19
    3.2.2 Virtual environment sensing ... 21
    3.2.3 Hierarchical rules cluster ... 23
  3.3 Information Driven Malware Analysis Speed-up ... 24
    3.3.1 Adopted virtual time controller ... 26
    3.3.2 Information measure for early stopping ... 29
    3.3.3 Sandbox realization ... 31
    3.3.4 Resistance to virtual time controller ... 32
    3.3.5 Dynamic Malware Mining ... 33
4 EXPERIMENTS and RESULTS ... 44
  4.1 Virtual Intrusion Detection Evaluation ... 44
  4.2 Effectiveness of VTC Mechanics ... 46
    4.2.1 Effectiveness of VTC mechanics ... 48
    4.2.2 Information measure for early stopping ... 55
    4.2.3 Evaluation on real-world samples ... 57
    4.2.4 Limitation ... 62
    4.2.5 Dynamic Activity Mining Experiment ... 63
5 CONCLUSIONS ... 71
References ... 73
