Extended Call For Papers
ACM Digital Threats: Research and Practice (DTRAP)
Special Issue on Memory-based malware and other unconventional threats
A.k.a. “These are not your grandpa’s malware”
Guest Editors:
Marcus Botacin – Federal University of Paraná (UFPR), Brazil
Ruimin Sun – Northeastern University (NEU), USA
Uriel Kosayev – Antivirus Bypass Techniques book author, Founder of MalwareAnaysis.co, Red Team Tech Leader at ABInBev
Important Dates:
- Initial Submission Deadline: September 23, 2022
- Submissions are reviewed as soon as they are received and are accepted up to this date.
- 1st-Round Reviews due: November 11, 2022
- Revised Manuscripts Submission Deadline: Jan 23, 2023
- Final Decision: March 3, 2023 (tentative)
- DTRAP is now an “online-first” journal. Your paper will be published online as soon as it is accepted.
Motivation: Malware is a constant threat to most organizations, so understanding how malware operates is key to responding to infection incidents. However, malware samples are not stationary: they evolve all the time, and sometimes in unexpected ways. In recent years, malware has evolved from simple disk artifacts to payloads that operate solely from memory, run directly from the registry, exploit architectural side-effects, and more. Researchers and practitioners are constantly searching for the most up-to-date techniques to counter malware spread; however, given the fast pace of malware evolution, knowledge about how samples evolve is not always easily available, formalized, or organized. To help mitigate these problems, this issue invites contributions that systematize, organize, and present new knowledge about malware trends and operations that are current and have not been covered by the traditional malware literature so far. We expect contributions both from academia and from the cybersecurity industry, covering both offensive and defensive research topics. We pay special attention to research covering memory-based threats, such as fileless and memory-only malware, as this type of attack appears to be on the rise at the moment.
About ACM and DTRAP: ACM DTRAP (Digital Threats: Research and Practice) is a scientific journal in computer security. This means that DTRAP periodically publishes research papers in a digital library (https://dl.acm.org/). DTRAP aims to bridge the gap between industry and academia. In DTRAP, readers can find papers that are practical but that have a strong background and solid foundations. As in most scientific journals, DTRAP papers are reviewed by experts in the field, always combining academic and industry experts. DTRAP is under the umbrella of the ACM (Association for Computing Machinery), the largest computing association in the world. ACM supports DTRAP's infrastructure to ensure that papers are archived permanently.
Topics of Interest
We solicit papers on all areas related to unconventional malware and memory-based threats. These include, but are not limited to:
- History of uncommon threat types and their evolution.
- Whereas the academic literature in computer security is typically full of good technical material, it often lacks contextualization of threats and defenses. We believe that understanding history is very important (for current researchers and for future generations), and we encourage submissions that recap how and why threats emerged, famous threats, and how security measures eventually mitigated them.
- Formalization of concepts about newly-emerged threat types.
- Security as a whole, and malware research in particular, are very practical fields, such that stakeholders tend to encounter new classes of threats before they are formally defined. In this scenario, distinct terminologies tend to be used, which complicates communication. For instance, with the emergence of memory-based attacks, multiple references have been made to memory-only, fileless, and volatile threats without a proper definition of which threat class each term refers to. To help mitigate this problem, we invite submissions that help establish the context and scope of distinct threat classes.
- Formal evaluation of attack and defensive techniques.
- A typical phenomenon in computer security is that many attacks are known in practice by the community but have no formal analysis in the academic literature that allows one to systematically understand their validity and limitations. For instance, many code injection techniques emerged recently (e.g., Process Hollowing, APC injection, AtomBombing), but there is no systematic analysis of the effectiveness, implementation decisions, and detection opportunities of these techniques. Therefore, we invite paper submissions that present evaluations of these aspects for a broad range of attack and defense techniques.
- Presentation of new attack and defensive techniques.
- One of the main missions of a scientific journal is to publicize the advancement of the state of the art. Therefore, we invite submissions of papers that present and describe new offensive and defensive techniques. We pay special attention to techniques related to recently-emerged threats, such as new injection techniques, new architectural side-effects, covert channels, and strategies to detect these threats. Topics of interest include, for instance, the analysis of race conditions that allow one to load code from file to memory before an AV scan, and the strategies an AV might use to detect such occurrences.
- Observational studies of recent threats.
- We believe that informed decisions can only be made when there is data to support them, and that observational studies are a powerful instrument for providing data about real-world scenarios. Therefore, we invite paper submissions that present observational studies and longitudinal observations of malware phenomena in the wild. We are interested in measurement studies that allow the identification of the popularity of distinct attacks/techniques and the prevalence of distinct attack classes among distinct scenarios/populations.
- Design of malware detectors.
- Understanding how attacks work is essential to developing defenses. However, such understanding is only converted into an actual defense through a good design of a defensive mechanism employing this knowledge. Whereas some aspects of the defensive process can be easily found on the Internet (e.g., detection rules for known threats), little information is available about the implementation of the mechanisms that deploy these rules and the logic behind them. This is especially true for emerging threats. For instance, there are few reports about how memory-only malware has been detected in the wild. Therefore, we invite authors to submit papers describing the design of defensive mechanisms across a broad range (e.g., AV engines, EDR behavioral profiles, memory scanners, and so on).
- Hardware-based approaches to attack and defend systems.
- We understand that attacks and defenses should not be evaluated from a single perspective (e.g., detection rate), but as a whole phenomenon (e.g., social aspects, usability, and so on). In this sense, performance is a key aspect of any secure system, especially for defensive mechanisms. Users do not want to spend all their CPU's processing power performing checks rather than executing the target code. We believe that hardware extensions and architectural modifications play a crucial role in enhancing the performance of security mechanisms. Therefore, we invite submissions of papers that present hardware extensions designed to counter emerging threats, as well as attacks against existing and proposed hardware mitigations that might become a threat in the future.
- Data-only attacks and other non-code-based attacks.
- Not all attacks are based on executing attacker-supplied code, at least initially. Systems might also be subverted through data inputs. For instance, some attacks tamper with an existing system service's configuration to make it behave unexpectedly. Other attackers spray instruction addresses in memory in the expectation of hijacking the original control flow. Others directly manipulate kernel objects to affect third-party applications. We believe that these attacks are not covered by the scientific literature the same way traditional attacks are. Therefore, we invite submissions of papers on data-based attacks against computer systems. We pay special attention to papers that demonstrate how the data is manipulated in memory and eventually transformed into code execution.
- Attacks and defenses for embedded systems.
- Naturally, distinct attack types occur on distinct platforms, as each one presents particularities that impose particular challenges. Recent years have brought a profusion of new platforms, and embedded systems in particular have gained a myriad of new applications. Unfortunately, the threats to these systems are not covered in the literature the same way as traditional threats, causing an understanding gap. To help bridge this gap, we invite authors to submit papers on the security of embedded systems. We are particularly interested in descriptions of threats that occur ONLY in this type of system, rather than threats that might affect any other platform.
- Memory forensics of recent threat types.
- Emerging threats such as memory-only malware can only be detected via memory inspection procedures, so investigating these procedures is essential to enable the development of new tools, techniques, and practices. Therefore, we invite authors to submit papers that describe forensic procedures and best practices for analyzing memory-based threats. We are particularly interested in papers that generalize the knowledge from single to multiple threats and help establish guidelines for future malware analysis procedures. We also welcome papers that present the challenges of analyzing memory threats and point out possible future directions.
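Two of the topics above, the design of memory scanners and the memory forensics of memory-only threats, come down to the same basic question: is the executable memory of a process backed by a file on disk? The script below is an added example written for this page; it is not code from the call or from the guest editors. It parses the text of a Linux /proc/<pid>/maps file (a constructed sample is embedded, with hypothetical paths) and flags executable mappings that are anonymous, backed by a memfd, or backed by a file that was deleted after loading, which are the footprints memory scanners and forensic tools look for when hunting fileless payloads.

```python
"""Flag process memory regions that typically indicate memory-only payloads.

Added example, not part of the call for papers. It parses the text of a
Linux /proc/<pid>/maps file (constructed sample below, with hypothetical
paths) and reports executable mappings that are not backed by a regular
file on disk: anonymous executable regions, memfd-backed regions, and
executable mappings whose backing file was deleted after it was loaded.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]".
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)

# Kernel-provided pseudo-mappings that are anonymous and executable by design.
BENIGN_ANON_EXEC = {"[vdso]", "[vsyscall]"}


@dataclass
class Region:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> list[Region]:
    """Parse /proc/<pid>/maps text into Region objects; raise on malformed input."""
    regions: list[Region] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        regions.append(Region(
            start=int(m["start"], 16),
            end=int(m["end"], 16),
            perms=m["perms"],
            inode=int(m["inode"]),
            path=m["path"].strip(),
        ))
    return regions


def classify(region: Region) -> Optional[str]:
    """Return a suspicion label for an executable region, or None if it looks benign."""
    if "x" not in region.perms:
        return None                      # only executable memory can host a payload
    if region.path in BENIGN_ANON_EXEC:
        return None
    if region.path.startswith("/memfd:"):
        return "memfd-backed executable region"        # memfd_create + fexecve/dlopen
    if region.path.endswith("(deleted)"):
        return "executable mapping of a deleted file"  # dropper unlinked after load
    if region.inode == 0 and region.path in ("", "[heap]", "[stack]"):
        # Anonymous executable memory: manual mappers, reflective loaders, shellcode.
        label = "anonymous executable region"
        if "w" in region.perms:
            label += " (RWX)"
        return label
    return None                          # file-backed, e.g. a normal shared library


def scan(maps_text: str) -> list[tuple[Region, str]]:
    """Run classify() over every region and return the suspicious ones in order."""
    findings = []
    for region in parse_maps(maps_text):
        label = classify(region)
        if label is not None:
            findings.append((region, label))
    return findings


# Constructed sample, not captured from a real system; paths are hypothetical.
SAMPLE_MAPS = """\
55d4c0a00000-55d4c0a1f000 r-xp 00000000 08:01 1310745 /usr/bin/example
55d4c0c1e000-55d4c0c1f000 rw-p 0001e000 08:01 1310745 /usr/bin/example
55d4c1f00000-55d4c1f21000 rw-p 00000000 00:00 0       [heap]
7f2a3c000000-7f2a3c021000 rwxp 00000000 00:00 0
7f2a3c400000-7f2a3c5a0000 r-xp 00000000 00:05 1052    /memfd:payload (deleted)
7f2a3c800000-7f2a3c9b0000 r-xp 00000000 08:01 262291  /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a3cc00000-7f2a3cc10000 r-xp 00000000 08:01 99812   /tmp/.dropper (deleted)
7ffd5b1e0000-7ffd5b201000 rw-p 00000000 00:00 0       [stack]
7ffd5b3f0000-7ffd5b3f2000 r-xp 00000000 00:00 0       [vdso]
"""

if __name__ == "__main__":
    for region, label in scan(SAMPLE_MAPS):
        print(f"{region.start:012x}-{region.end:012x} {region.perms} "
              f"{region.size:>8} bytes  {label}  {region.path}")
```

On a live system the same logic runs over open("/proc/<pid>/maps").read(); on a memory image, a forensic framework supplies the equivalent VMA list. The caveat a practitioner needs: JIT runtimes (browsers, the JVM, some interpreters) legitimately create anonymous RWX regions, so a region flagged here is a lead for further inspection (dumping and scanning its contents, checking which thread executes in it), not a verdict on its own.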
Target Audience:
ACM DTRAP aims to bridge the gap between industry and academia, thus we expect both academic researchers as well as industry practitioners to submit their papers.
Paper Types:
We welcome two broad types of research contributions:
- Research papers: Typical academic manuscripts reporting (i) novel methodologies and results; and/or (ii) reviewing the literature and systematically organizing the knowledge on the topic.
- Field Notes: Industrial and/or Practical reports, analysis, methodologies, detection methods, experience reports, or any other real-world case studies that complement academic research literature. Potential authors are encouraged to submit an abstract for an initial assessment of the suitability of the contribution.
What is a Field Note?
A field note is a formal report of the application of security practices in the real world. Its goal is to provide strong real-world evidence to complement the evaluations provided by hypothetical studies. Field notes might describe, for instance, the handling of a real security incident in an industrial setting. In this case, the field note should describe how the security incident response team acted, what challenges were faced, and how they were overcome. Notice that field notes are not a simple report of the facts but also include reasoning about them. In the case of malware analysis, for instance, a field note is not a tutorial reporting each debugging step (even though such steps might be included); it should also describe the scenario in which the infection occurred, discuss detection strategies, and include recommendations for other researchers analyzing similar threats.
Field Note Examples:
Authors might check previous field notes published at DTRAP to get a sense of what a field note looks like. Some examples follow:
- “Field Note on CVE-2019-11510: Pulse Connect Secure SSL-VPN in the Netherlands” https://dl.acm.org/doi/10.1145/3382765
- “Field Note on Doing Digital Rights: Central and Southeast Europe Monitoring Project” https://dl.acm.org/doi/10.1145/3513024
- ““Unless one does the research, it may seem as just a useless battery-consuming app” – Field Notes on COVID-19 Contact Tracing Applications” https://dl.acm.org/doi/10.1145/3480466
What is a contribution?
DTRAP seeks to publish papers that present original contributions, i.e., DTRAP aims to be the medium through which new knowledge is publicized. But what constitutes a contribution? This is a long-standing debate in academia and we do not have a definitive answer. However, we would like to provide some (imperfect and open to discussion) insights that might help newcomers:
Scenario 1:
Not a contribution
i) A tutorial-like report of a malware debugging session of a single threat.
A contribution
i) A description of malware analysis procedures that generalize for multiple threats.
Scenario 2:
Not a contribution
i) The immediate application of a known, existing tool.
A contribution
i) The application of known tools to new datasets to describe and measure specific malware phenomena.
Scenario 3:
Not a contribution
i) The development of a new tool/framework solely using existing techniques.
A contribution
i) The development of a new tool/framework using a new technique, with a focus on the novel aspects.
This list is not exhaustive but the illustrated scenarios provide insights on how papers will be evaluated.
Why publish on DTRAP?
A discovery only becomes knowledge when publicized, and writing papers is a traditional and efficient way to do that. But why choose DTRAP for your paper? We believe that a key factor is that DTRAP gives authors the opportunity to have their papers reviewed by industry and academic experts at the same time. Whether you are an academic or an industry professional, you will certainly benefit from DTRAP's reviews, as every review round will include reviewers from both fields, presenting you with a distinct vision of the problem and the results. Moreover, ACM gives papers visibility and lifelong storage via the ACM Digital Library (https://dl.acm.org/).
Reproducibility Manifest:
A key aspect of science is reproducibility, i.e., the ability of other researchers to reproduce the experiments reported in the paper. Therefore, we ask authors to provide code and data as much as possible to support reproducibility attempts. When this is not possible (e.g., due to NDAs), authors must clarify and discuss how the paper's results can be reproduced and what the limitations/threats to validity are. We highlight that we will ask reviewers to explicitly evaluate the reproducibility level of the submitted papers.
Submission Instructions:
To submit to this special issue, please visit ACM Manuscript Central (MC) at https://mc.manuscriptcentral.com/dtrap and select paper type “Special Issue on Memory-based malware and other unconventional threats”. Details of the author guidelines for Digital Threats: Research and Practice (DTRAP) are available at https://dl.acm.org/journal/dtrap/author-guidelines. For details on how to write a field note, check out: https://dtrap-blog.acm.org/2020/07/06/how-to-start-a-field-note/
Cover Letter: Papers must be submitted along with a cover letter. It must briefly explain the paper's contribution and who the target audience is. This information helps the editors select the reviewers that best fit the paper's topic. There is no format requirement or minimum/maximum page length for cover letters.
For further information, check all complementary CFP and guides at: URL
If you still have questions and/or want to ask for further information, please contact dtrap_memory_malware@acm.org
Authors Guide
ACM Digital Threats: Research and Practice (DTRAP)
Special Issue on Memory-based malware and other unconventional threats
A.k.a. “These are not your grandpa’s malware”
Guest Editors:
Marcus Botacin – Federal University of Paraná (UFPR), Brazil
Ruimin Sun – Northeastern University (NEU), USA
Uriel Kosayev – Antivirus Bypass Techniques book author, Founder of MalwareAnaysis.co, Red Team Tech Leader at ABInBev
Important Dates:
- Initial Submission Deadline: August 26, 2022
- Submissions are reviewed as soon as they are received and are accepted up to this date.
- 1st-Round Reviews due: November 11, 2022
- Revised Manuscripts Submission Deadline: Jan 23, 2023
- Final Decision: March 3, 2023 (tentative)
- DTRAP is now an “online-first” journal. Your paper will be published online as soon as it is accepted.
Paper Requirements
ACM DTRAP requires papers to present some important characteristics to be published. As follows:
Papers should be novel: To be published in this issue of ACM DTRAP, papers should be new, i.e., they should not have been published partially or entirely in any other ACADEMIC venue. Material presented in other venues (e.g., hacking conferences) is accepted at ACM DTRAP if it is not indexed by any scientific repository. Extensions of previously published material are also accepted; in that case, papers must present at least 30% new material (by any criteria, to be explained in the submission cover letter).
Papers should be technically sound: Papers must be technically correct with regard to all aspects, from implementation to experimental methodology. Papers should also present justified implementation choices rather than ad-hoc decisions. Ideally, design decisions should be justified with references to the state of the art on the topic. This means that authors should be aware of the state of the art in the field and present solutions that perform AT LEAST as well as it.
Papers should present a significant contribution: It means that papers should not simply repeat the knowledge presented in previous work and/or simply introduce tools that have equivalents on the market. To get insights on what constitutes a contribution, please check the extended call for papers.
Papers should be reproducible to the greatest possible extent: A scientific paper must describe the methodology, the dataset used, the tools, and the obtained results to a level that allows other researchers in the field to reproduce the experiments and prove or disprove the authors' claims. Papers published in this issue must be reproducible. We will ask reviewers to explicitly evaluate each paper's reproducibility. For more insights on reproducibility, check our reproducibility manifest in the extended call for papers.
Papers should be well-presented: To be published at DTRAP, papers should not contain typos and/or significant grammar errors. Papers should also be properly formatted, with well-marked sections. There are no strict rules for the number and/or names of the sections, but these should be concise and clear. Remember that papers might be revisited a long time after publication, and readers might want to go straight to a point they only vaguely remember, so they should be able to navigate the paper easily to find it. A paper must have at least (but should not be limited to): (i) an abstract, which will be indexed by the online library; (ii) an introduction, which is usually the first interface between the reader and the paper's content, such that a good introduction might be the difference between a motivated reader and a reader who abandons the paper; (iii) related work, where authors contextualize the current state of the art and explain why the paper is different; (iv) methodology, detailed to the point of allowing others to reproduce the experiments; (v) experimental results, to show the new achievements; and (vi) discussion/conclusion, where the implications of the findings and the limitations of the employed methods are discussed while pointing to future advancements.
Papers should be initially submitted in double-blind format: We seek to provide the fairest reviews possible; thus, ACM DTRAP adopts a double-blind review process, where authors will not know who reviewed their papers and reviewers will not know who the authors of the papers they are reviewing are. To accomplish that, we ask authors to provide their initial submission without author names, affiliations, or any other information that might identify the authors. Papers that fail to meet this requirement will not be reviewed and will be returned to the authors. ACM DTRAP will not redistribute the blinded papers to anyone other than the reviewers. If authors want to keep a non-anonymous record of their submission for any reason (e.g., to prove they were the first to propose an idea), papers can be submitted to pre-print repositories like arXiv (https://arxiv.org/). The double-blind requirement does not apply to the cover letter, as the editors must know who the authors are and how to get in touch with them. Notice that the editors are not allowed to review the papers they are handling.
Papers should be properly referenced: DTRAP readers have distinct backgrounds, so do not assume that all readers have the same knowledge as the paper's authors. Do not make statements like "everybody knows that" or "it's widely known that"; instead, support such claims with references. There is no restriction on which types of material can be referenced: academic articles and books, but also blog posts, GitHub repositories, and even YouTube videos. However, keep in mind that many online sources might go offline over time, and DTRAP seeks to keep papers accessible for a long time. Therefore, whenever two distinct sources support the same claim, prefer the more durable one (e.g., a book).
Papers will be shepherded to publication: ACM DTRAP submission is a 2-step process in which papers are not published as first submitted. Papers are initially screened in the first submission round and returned to the authors along with the reviews provided by the experts. The reviews present not only the experts' views on the topic but also insights to enhance the paper and the modifications required to move it forward. The authors then have a second submission opportunity to address the reviewers' concerns and requests. The goal of this 2-step process is to publish the most complete paper versions possible.
Authors might be mentored: ACM DTRAP seeks to attract papers from professionals of multiple fields, some of whom might not be fully aware of how the scientific publication process is conducted. Whereas we believe that everyone is able to learn, we would like to facilitate this experience. Therefore, ACM DTRAP is launching a new initiative that allows paper authors to be mentored, already during the submission step, by a more experienced member of the scientific community. Mentors will help answer questions about the writing and submission of a paper. Mentors, however, will not be paper co-authors. Authors can write to dtrap-editors@acm.org at any time to request a mentor.