{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,14]],"date-time":"2026-03-14T17:58:44Z","timestamp":1773511124045,"version":"3.50.1"},"reference-count":54,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2022,4,1]],"date-time":"2022-04-01T00:00:00Z","timestamp":1648771200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2022,4,1]],"date-time":"2022-04-01T00:00:00Z","timestamp":1648771200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2023,1,20]],"date-time":"2023-01-20T00:00:00Z","timestamp":1674172800000},"content-version":"am","delay-in-days":294,"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/http\/www.elsevier.com\/open-access\/userlicense\/1.0\/"},{"start":{"date-parts":[[2022,4,1]],"date-time":"2022-04-01T00:00:00Z","timestamp":1648771200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2022,4,1]],"date-time":"2022-04-01T00:00:00Z","timestamp":1648771200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2022,4,1]],"date-time":"2022-04-01T00:00:00Z","timestamp":1648771200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2022,4,1]],"date-time":"2022-04-01T00:00:00Z","timestamp":1648771200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2022,4,1]],"date-time":"2022-04-01T00:00:00Z","timestamp":1648771200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.15223\/policy-004"}],"funder":[{"DOI":"10.13039\/100000006","name":"Office of Naval Research","doi-asserted-by":"publisher","award":["N00014-16-1-3214"],"award-info":[{"award-number":["N00014-16-1-3214"]}],"id":[{"id":"10.13039\/100000006","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000006","name":"Office of Naval Research","doi-asserted-by":"publisher","award":["N00014-16-1-3216"],"award-info":[{"award-number":["N00014-16-1-3216"]}],"id":[{"id":"10.13039\/100000006","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000006","name":"Office of Naval Research","doi-asserted-by":"publisher","award":["N00014-18-2893"],"award-info":[{"award-number":["N00014-18-2893"]}],"id":[{"id":"10.13039\/100000006","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers & Security"],"published-print":{"date-parts":[[2022,4]]},"DOI":"10.1016\/j.cose.2022.102613","type":"journal-article","created":{"date-parts":[[2022,1,14]],"date-time":"2022-01-14T10:14:14Z","timestamp":1642155254000},"page":"102613","update-policy":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":36,"special_numbering":"C","title":["Enhancing malware analysis sandboxes with emulated user behavior"],"prefix":"10.1016","volume":"115","author":[{"given":"Songsong","family":"Liu","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Pengbin","family":"Feng","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shu","family":"Wang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kun","family":"Sun","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jiahao","family":"Cao","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"78","reference":[{"issue":"6","key":"10.1016\/j.cose.2022.102613_bib0001","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3365001","article-title":"Malware dynamic analysis evasion techniques: a survey","volume":"52","author":"Afianian","year":"2019","journal-title":"ACM Computing Surveys (CSUR)"},{"key":"10.1016\/j.cose.2022.102613_bib0002","series-title":"7th Workshop on Cyber Security Experimentation and Test (CSET 14)","article-title":"Safe and automated live malware experimentation on public testbeds","author":"Alwabel","year":"2014"},{"key":"10.1016\/j.cose.2022.102613_bib0003","unstructured":"Analysis, F. M., 2021. Safely execute and analyze malware in a secure environment. accessed in May. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.fireeye.com\/solutions\/malware-analysis.html."},{"issue":"2","key":"10.1016\/j.cose.2022.102613_bib0004","doi-asserted-by":"crossref","first-page":"158","DOI":"10.1007\/s10032-002-0089-1","article-title":"Pessimalprint: a reverse turing test","volume":"5","author":"Baird","year":"2003","journal-title":"Int. J. Doc. Anal. Recogn."},{"key":"10.1016\/j.cose.2022.102613_bib0005","series-title":"10th USENIX Workshop on Offensive Technologies (WOOT 16)","article-title":"Avleak: fingerprinting antivirus emulators through black-box testing","author":"Blackthorne","year":"2016"},{"key":"10.1016\/j.cose.2022.102613_bib0006","series-title":"Technical Report","article-title":"Advanced tools for cyber ranges","author":"Braje","year":"2016"},{"key":"10.1016\/j.cose.2022.102613_bib0007","first-page":"1","article-title":"Scientific but not academical overview of malware anti-debugging, anti-disassembly and anti-vm technologies","volume":"1","author":"Branco","year":"2012","journal-title":"Black Hat"},{"key":"10.1016\/j.cose.2022.102613_bib0008","series-title":"International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment","first-page":"207","article-title":"Detecting hardware-assisted virtualization","author":"Brengel","year":"2016"},{"key":"10.1016\/j.cose.2022.102613_bib0009","series-title":"Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium","first-page":"1","article-title":"A survey on automated dynamic malware analysis evasion and counter-evasion: Pc, mobile, and web","author":"Bulazel","year":"2017"},{"key":"10.1016\/j.cose.2022.102613_bib0010","series-title":"16th USENIX Symposium on Networked Systems Design and Implementation (NSDI 19)","first-page":"667","article-title":"CAUDIT: Continuous auditing of SSH servers to mitigate brute-force attacks","author":"Cao","year":"2019"},{"key":"10.1016\/j.cose.2022.102613_bib0011","article-title":"Forge: a fake online repository generation engine for cyber deception","author":"Chakraborty","year":"2019","journal-title":"IEEE Trans Dependable Secure Comput"},{"key":"10.1016\/j.cose.2022.102613_bib0012","series-title":"2008 IEEE international conference on dependable systems and networks with FTCS and DCC (DSN)","first-page":"177","article-title":"Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware","author":"Chen","year":"2008"},{"key":"10.1016\/j.cose.2022.102613_bib0013","series-title":"Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security","first-page":"395","article-title":"Towards paving the way for large-scale windows malware analysis: Generic binary unpacking with orders-of-magnitude performance boost","author":"Cheng","year":"2018"},{"key":"10.1016\/j.cose.2022.102613_bib0014","series-title":"2018 IEEE Security and Privacy Workshops (SPW)","first-page":"228","article-title":"Simulated user bots: Real time testing of insider threat detection systems","author":"Dutta","year":"2018"},{"key":"10.1016\/j.cose.2022.102613_bib0015","series-title":"ICICS","first-page":"34","article-title":"Uber: Combating sandbox evasion via user behavior emulators","author":"Feng","year":"2019"},{"key":"10.1016\/j.cose.2022.102613_bib0016","doi-asserted-by":"crossref","first-page":"121","DOI":"10.1016\/j.jisa.2019.03.010","article-title":"Repositioning privacy concerns: web servers controlling url metadata","volume":"46","author":"Ferreira","year":"2019","journal-title":"Journal of Information Security and Applications"},{"key":"10.1016\/j.cose.2022.102613_bib0017","unstructured":"Hammond, M., 2021. pywin32. accessed in May. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/github.com\/mhammond\/pywin32."},{"key":"10.1016\/j.cose.2022.102613_bib0018","doi-asserted-by":"crossref","DOI":"10.1109\/TKDE.2021.3076632","article-title":"Utility-preserving privacy protection of textual documents via word embeddings","author":"Hassan","year":"2021","journal-title":"IEEE Trans Knowl Data Eng"},{"key":"10.1016\/j.cose.2022.102613_bib0020","series-title":"Proceedings of the 1st ACM workshop on Virtual machine security","first-page":"11","article-title":"Emulating emulation-resistant malware","author":"Kang","year":"2009"},{"key":"10.1016\/j.cose.2022.102613_bib0021","series-title":"International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment","first-page":"124","article-title":"Escape from monkey island: Evading high-interaction honeyclients","author":"Kapravelos","year":"2011"},{"key":"10.1016\/j.cose.2022.102613_bib0022","article-title":"Detecting malware and sandbox evasion techniques","volume":"16","author":"Keragala","year":"2016","journal-title":"SANS Institute InfoSec Reading Room"},{"key":"10.1016\/j.cose.2022.102613_bib0023","series-title":"Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security","first-page":"769","article-title":"Malgene: Automatic extraction of malware analysis evasion signature","author":"Kirat","year":"2015"},{"key":"10.1016\/j.cose.2022.102613_bib0024","series-title":"23rd USENIX Security Symposium (USENIX Security 14)","first-page":"287","article-title":"Barecloud: Bare-metal analysis-based evasive malware detection","author":"Kirat","year":"2014"},{"key":"10.1016\/j.cose.2022.102613_bib0025","series-title":"Proc. BlackHat USA Security Conference","first-page":"1","article-title":"Full system emulation: Achieving successful automated dynamic analysis of evasive malware","author":"Kruegel","year":"2014"},{"key":"10.1016\/j.cose.2022.102613_bib0026","series-title":"International Workshop on Recent Advances in Intrusion Detection","first-page":"338","article-title":"Detecting environment-sensitive malware","author":"Lindorfer","year":"2011"},{"key":"10.1016\/j.cose.2022.102613_bib0019","unstructured":"Inc, B., 2021. Symantec content analysis - dynamic sandboxing. accessed in May. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/docs.broadcom.com\/doc\/malware-analysis-s400-s500-en."},{"key":"10.1016\/j.cose.2022.102613_bib0027","unstructured":"Mangalapilly, Y., 2021. watchdog. accessed in May. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/github.com\/gorakhargosh\/watchdog."},{"key":"10.1016\/j.cose.2022.102613_bib0028","series-title":"Proceedings of the 19th international symposium on software testing and analysis","first-page":"171","article-title":"Testing system virtual machines","author":"Martignoni","year":"2010"},{"key":"10.1016\/j.cose.2022.102613_bib0029","unstructured":"McAfee, 2021. Mcafee advanced threat defense - advanced detection for stealthy, zero-day malware. accessed in May. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/www.mcafee.com\/enterprise\/en-us\/products\/advanced-threat-defense.html."},{"key":"10.1016\/j.cose.2022.102613_bib0030","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1016\/j.comnet.2015.09.026","article-title":"User behavior based traffic emulator: a framework for generating test data for dpi tools","volume":"92","author":"Megyesi","year":"2015","journal-title":"Comput. Networks"},{"issue":"1","key":"10.1016\/j.cose.2022.102613_bib0031","doi-asserted-by":"crossref","first-page":"19","DOI":"10.3390\/jcp1010003","article-title":"Investigating anti-evasion malware triggers using automated sandbox reconfiguration techniques","volume":"1","author":"Mills","year":"2021","journal-title":"Journal of Cybersecurity and Privacy"},{"key":"10.1016\/j.cose.2022.102613_bib0032","unstructured":"Mills, G., 2021. pytrends. accessed in May. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/github.com\/GeneralMills\/pytrends."},{"key":"10.1016\/j.cose.2022.102613_bib0033","series-title":"2017 IEEE Symposium on Security and Privacy (SP)","first-page":"1009","article-title":"Spotless sandboxes: Evading malware analysis systems using wear-and-tear artifacts","author":"Miramirkhani","year":"2017"},{"key":"10.1016\/j.cose.2022.102613_bib0034","series-title":"2013 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)","first-page":"13","article-title":"Multi-functional traffic generation framework based on accurate user behavior emulation","author":"Moln\u00e1r","year":"2013"},{"key":"10.1016\/j.cose.2022.102613_bib0035","unstructured":"Moses-palmer, 2021. pynput. accessed in May. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/github.com\/moses-palmer\/pynput."},{"key":"10.1016\/j.cose.2022.102613_bib0036","series-title":"Cyber Security Experimentation and Test Workshop","first-page":"17","article-title":"D2u: Data driven user emulation for the enhancement of cyber testing, training, and data set generation","author":"Oesch","year":"2021"},{"issue":"5","key":"10.1016\/j.cose.2022.102613_bib0037","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3329786","article-title":"Dynamic malware analysis in the modern era-a state of the art survey","volume":"52","author":"Or-Meir","year":"2019","journal-title":"ACM Computing Surveys (CSUR)"},{"key":"10.1016\/j.cose.2022.102613_bib0038","series-title":"Proceedings of the USENIX Workshop on Offensive Technologies (WOOT)","first-page":"86","article-title":"A fistful of red-pills: How to automatically generate procedures to detect cpu emulators","volume":"Vol.\u00a041","author":"Paleari","year":"2009"},{"key":"10.1016\/j.cose.2022.102613_bib0039","series-title":"Proceedings of the Fourth European Workshop on System Security","first-page":"1","article-title":"nether: In-guest detection of out-of-the-guest malware analyzers","author":"P\u00e9k","year":"2011"},{"key":"10.1016\/j.cose.2022.102613_bib0040","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1016\/j.jnca.2016.06.012","article-title":"User profiling in intrusion detection: a review","volume":"72","author":"Peng","year":"2016","journal-title":"Journal of Network and Computer Applications"},{"key":"10.1016\/j.cose.2022.102613_bib0041","series-title":"Proceedings of the seventh european workshop on system security","first-page":"1","article-title":"Rage against the virtual machine: hindering dynamic analysis of android malware","author":"Petsas","year":"2014"},{"key":"10.1016\/j.cose.2022.102613_bib0042","unstructured":"Pywinauto, 2021. pywinauto. accessed in May. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/github.com\/pywinauto\/pywinauto."},{"key":"10.1016\/j.cose.2022.102613_bib0043","unstructured":"Rodola, G., 2021. psutil. accessed in May. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/github.com\/giampaolo\/psutil."},{"key":"10.1016\/j.cose.2022.102613_bib0044","series-title":"Proceedings, ieee aerospace conference","first-page":"6","article-title":"Lariat: Lincoln adaptable real-time information assurance testbed","volume":"Vol.\u00a06","author":"Rossey","year":"2002"},{"key":"10.1016\/j.cose.2022.102613_bib0045","unstructured":"Selenium, 2021. selenium. accessed in May. https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/github.com\/SeleniumHQ\/selenium\/."},{"key":"10.1016\/j.cose.2022.102613_bib0046","series-title":"European Symposium on Research in Computer Security","first-page":"481","article-title":"Eureka: A framework for enabling static malware analysis","author":"Sharif","year":"2008"},{"key":"10.1016\/j.cose.2022.102613_bib0047","series-title":"NDSS","article-title":"Lo-phi: Low-observable physical host instrumentation for malware analysis","author":"Spensky","year":"2016"},{"key":"10.1016\/j.cose.2022.102613_bib0048","unstructured":"Vashisht, S. O., Singh, A., 2014. Turing test in reverse: new sandbox-evasion techniques seek human interaction."},{"key":"10.1016\/j.cose.2022.102613_bib0049","series-title":"2006 IEEE Symposium on Security and Privacy (S&P\u201906)","first-page":"15","article-title":"Cobra: Fine-grained malware analysis using stealth localized-executions","author":"Vasudevan","year":"2006"},{"issue":"2","key":"10.1016\/j.cose.2022.102613_bib0050","doi-asserted-by":"crossref","first-page":"32","DOI":"10.1109\/MSP.2007.45","article-title":"Toward automated dynamic malware analysis using cwsandbox","volume":"5","author":"Willems","year":"2007","journal-title":"IEEE Security & Privacy"},{"key":"10.1016\/j.cose.2022.102613_bib0051","series-title":"The GENI Book","first-page":"35","article-title":"Deterlab and the Deter Project","author":"Wroclawski","year":"2016"},{"key":"10.1016\/j.cose.2022.102613_bib0052","series-title":"26th USENIX Security Symposium (USENIX Security 17)","first-page":"271","article-title":"Platpal: Detecting malicious documents with platform diversity","author":"Xu","year":"2017"},{"key":"10.1016\/j.cose.2022.102613_bib0053","series-title":"Proceedings of the 8th ACM SIGPLAN\/SIGOPS conference on Virtual Execution Environments","first-page":"227","article-title":"V2e: combining hardware virtualization and softwareemulation for transparent and extensible malware analysis","author":"Yan","year":"2012"},{"key":"10.1016\/j.cose.2022.102613_bib0054","series-title":"International Symposium on Research in Attacks, Intrusions, and Defenses","first-page":"165","article-title":"Sandprint: Fingerprinting malware sandboxes to provide intelligence for sandbox evasion","author":"Yokoyama","year":"2016"}],"container-title":["Computers & Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/api.elsevier.com\/content\/article\/PII:S0167404822000128?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/api.elsevier.com\/content\/article\/PII:S0167404822000128?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T19:12:22Z","timestamp":1759086742000},"score":1,"resource":{"primary":{"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404822000128"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4]]},"references-count":54,"alternative-id":["S0167404822000128"],"URL":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1016\/j.cose.2022.102613","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2022,4]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Enhancing malware analysis sandboxes with emulated user behavior","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/summer-heart-0930.chufeiyun1688.workers.dev:443\/https\/doi.org\/10.1016\/j.cose.2022.102613","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2022 Elsevier Ltd. All rights reserved.","name":"copyright","label":"Copyright"}],"article-number":"102613"}}