{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T12:05:38Z","timestamp":1778155538854,"version":"3.51.4"},"publisher-location":"Berlin, Heidelberg","reference-count":51,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"value":"9783540360148","type":"print"},{"value":"9783540360179","type":"electronic"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2006]]},"DOI":"10.1007\/11790754_5","type":"book-chapter","created":{"date-parts":[[2006,11,27]],"date-time":"2006-11-27T13:02:37Z","timestamp":1164632557000},"page":"74-90","source":"Crossref","is-referenced-by-count":38,"title":["Detecting Unknown Network Attacks Using Language Models"],"prefix":"10.1007","author":[{"given":"Konrad","family":"Rieck","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Pavel","family":"Laskov","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","reference":[{"key":"5_CR1","doi-asserted-by":"crossref","unstructured":"Shannon, C., Moore, D.: The spread of the Witty worm. In: Proc. IEEE Symposium on Security and Privacy, vol.\u00a02(4), pp. 46\u201350 (2004)","DOI":"10.1109\/MSP.2004.59"},{"key":"5_CR2","unstructured":"CERT: Advisory CA-2001-21: Buffer overflow in telnetd. CERT Coordination Center (2001)"},{"key":"5_CR3","doi-asserted-by":"crossref","unstructured":"Rubin, S., Jha, S., Miller, B.: Language-based generation and evaluation of NIDS signatures. In: Proc. IEEE Symposium on Security and Privacy, pp. 3\u201317 (2005)","DOI":"10.1109\/SP.2005.10"},{"key":"5_CR4","series-title":"Lecture Notes in Computer Science","volume-title":"Advances in Computer Systems Architecture","author":"Z. 
Liang","year":"2005","unstructured":"Liang, Z., Sekar, R.: Automatic generation of buffer overflow attack signatures: An approach based on program behavior models. In: Srikanthan, T., Xue, J., Chang, C.-H. (eds.) ACSAC 2005. LNCS, vol.\u00a03740. Springer, Heidelberg (2005)"},{"key":"5_CR5","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"207","DOI":"10.1007\/11663812_11","volume-title":"Recent Advances in Intrusion Detection","author":"C. Kr\u00fcgel","year":"2006","unstructured":"Kr\u00fcgel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic Worm Detection Using Structural Information of Executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol.\u00a03858, pp. 207\u2013226. Springer, Heidelberg (2006)"},{"key":"5_CR6","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"158","DOI":"10.1007\/978-3-540-30144-8_14","volume-title":"Information Security","author":"M. Meier","year":"2004","unstructured":"Meier, M.: A Model for the Semantics of Attack Signatures in Misuse Detection Systems. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol.\u00a03225, pp. 158\u2013169. Springer, Heidelberg (2004)"},{"issue":"1\/2","key":"5_CR7","doi-asserted-by":"crossref","first-page":"71","DOI":"10.3233\/JCS-2002-101-204","volume":"10","author":"S. Eckmann","year":"2002","unstructured":"Eckmann, S., Vigna, G., Kemmerer, R.: STATL: An attack language for state-based intrusion detection. Journal of Computer Security\u00a010(1\/2), 71\u2013104 (2002)","journal-title":"Journal of Computer Security"},{"key":"5_CR8","doi-asserted-by":"crossref","unstructured":"Paxson, V.: Bro: a system for detecting network intruders in real-time. In: Proc. USENIX, pp. 
31\u201351 (1998)","DOI":"10.1016\/S1389-1286(99)00112-7"},{"key":"5_CR9","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"227","DOI":"10.1007\/11663812_12","volume-title":"Recent Advances in Intrusion Detection","author":"K. Wang","year":"2006","unstructured":"Wang, K., Cretu, G., Stolfo, S.J.: Anomalous Payload-Based Worm Detection and Signature Generation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol.\u00a03858, pp. 227\u2013246. Springer, Heidelberg (2006)"},{"key":"5_CR10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"203","DOI":"10.1007\/978-3-540-30143-1_11","volume-title":"Recent Advances in Intrusion Detection","author":"K. Wang","year":"2004","unstructured":"Wang, K., Stolfo, S.J.: Anomalous Payload-Based Network Intrusion Detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol.\u00a03224, pp. 203\u2013222. Springer, Heidelberg (2004)"},{"key":"5_CR11","doi-asserted-by":"crossref","unstructured":"Kruegel, C., Toth, T., Kirda, E.: Service specific anomaly detection for network intrusion detection. In: Proc. Symposium on Applied Computing, pp. 201\u2013208 (2002)","DOI":"10.1145\/508791.508835"},{"key":"5_CR12","series-title":"Lecture Notes in Computer Science","first-page":"220","volume-title":"Recent Advances in Intrusion Detection","author":"M. Mahoney","year":"2004","unstructured":"Mahoney, M., Chan, P.: An analysis of the 1999 DARPA\/Lincoln Laboratory evaluation data for network anomaly detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol.\u00a03224, pp. 220\u2013237. Springer, Heidelberg (2004)"},{"key":"5_CR13","doi-asserted-by":"crossref","unstructured":"Mahoney, M., Chan, P.: PHAD: Packet header anomaly detection for identifying hostile network traffic. 
Technical Report CS-2001-2, Florida Institute of Technology (2001)","DOI":"10.1109\/ICDM.2003.1250987"},{"key":"5_CR14","volume-title":"Applications of Data Mining in Computer Security","author":"E. Eskin","year":"2002","unstructured":"Eskin, E., Arnold, A., Prerau, M., Portnoy, L., Stolfo, S.: A geometric framework for unsupervised anomaly detection: detecting intrusions in unlabeled data. In: Applications of Data Mining in Computer Security. Kluwer, Dordrecht (2002)"},{"key":"5_CR15","doi-asserted-by":"publisher","first-page":"227","DOI":"10.1145\/382912.382914","volume":"3","author":"W. Lee","year":"2001","unstructured":"Lee, W., Stolfo, S.J.: A framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security\u00a03, 227\u2013261 (2001)","journal-title":"ACM Transactions on Information and System Security"},{"key":"5_CR16","doi-asserted-by":"crossref","unstructured":"Mahoney, M., Chan, P.: Learning models of network traffic for detecting novel attacks. Technical Report CS-2002-8, Florida Institute of Technology (2002)","DOI":"10.1145\/775094.775102"},{"key":"5_CR17","doi-asserted-by":"crossref","unstructured":"Mahoney, M.: Network traffic anomaly detection based on packet bytes. In: Proc. ACM Symposium on Applied Computing, pp. 346\u2013350 (2003)","DOI":"10.1145\/952532.952601"},{"key":"5_CR18","unstructured":"Vargiya, R., Chan, P.: Boundary detection in tokenizing network application payload for anomaly detection. In: Proc. ICDM Workshop on Data Mining for Computer Security, pp. 50\u201359 (2003)"},{"key":"5_CR19","doi-asserted-by":"crossref","unstructured":"Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A sense of self for unix processes. In: Proc. IEEE Symposium on Security and Privacy, Oakland, CA, USA, pp. 
120\u2013128 (1996)","DOI":"10.1109\/SECPRI.1996.502675"},{"issue":"3","key":"5_CR20","doi-asserted-by":"crossref","first-page":"151","DOI":"10.3233\/JCS-980109","volume":"6","author":"S. Hofmeyr","year":"1998","unstructured":"Hofmeyr, S., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security\u00a06(3), 151\u2013180 (1998)","journal-title":"Journal of Computer Security"},{"key":"5_CR21","doi-asserted-by":"crossref","unstructured":"Warrender, C., Forrest, S., Perlmutter, B.: Detecting intrusions using system calls: alternative data models. In: Proc. IEEE Symposium on Security and Privacy, pp. 133\u2013145 (1999)","DOI":"10.1109\/SECPRI.1999.766910"},{"key":"5_CR22","doi-asserted-by":"crossref","unstructured":"Marceau, C.: Characterizing the behavior of a program using multiple-length n-grams. In: Proc. NSPW, pp. 101\u2013110 (2000)","DOI":"10.1145\/366173.366197"},{"key":"5_CR23","unstructured":"Ghosh, A., Schwartzbard, A., Schatz, M.: Learning program behavior profiles for intrusion detection. In: Proc. USENIX, Santa Clara, CA, USA, pp. 51\u201362 (1999)"},{"key":"5_CR24","doi-asserted-by":"crossref","unstructured":"Eskin, E., Lee, W., Stolfo, S.: Modeling system calls for intrusion detection with dynamic window sizes. In: Proc. DISCEX (2001)","DOI":"10.1109\/DISCEX.2001.932213"},{"issue":"5199","key":"5_CR25","doi-asserted-by":"publisher","first-page":"843","DOI":"10.1126\/science.267.5199.843","volume":"267","author":"M. Damashek","year":"1995","unstructured":"Damashek, M.: Gauging similarity with n-grams: Language-independent categorization of text. Science\u00a0267(5199), 843\u2013848 (1995)","journal-title":"Science"},{"key":"5_CR26","doi-asserted-by":"crossref","unstructured":"de la Briandais, R.: File searching using variable length keys. In: Proc. AFIPS Western Joint Computer Conference, pp. 
295\u2013298 (1959)","DOI":"10.1145\/1457838.1457895"},{"issue":"9","key":"5_CR27","doi-asserted-by":"publisher","first-page":"490","DOI":"10.1145\/367390.367400","volume":"3","author":"E. Fredkin","year":"1960","unstructured":"Fredkin, E.: Trie memory. Communications of ACM\u00a03(9), 490\u2013499 (1960)","journal-title":"Communications of ACM"},{"key":"5_CR28","volume-title":"The art of computer programming","author":"D. Knuth","year":"1973","unstructured":"Knuth, D.: The art of computer programming, vol.\u00a03. Addison-Wesley, Reading (1973)"},{"key":"5_CR29","unstructured":"Emran, S., Ye, N.: Robustness of canberra metric in computer intrusion detection. In: Proc. IEEE Workshop on Information Assurance and Security, West Point, NY, USA (2001)"},{"issue":"3","key":"5_CR30","doi-asserted-by":"publisher","first-page":"297","DOI":"10.2307\/1932409","volume":"26","author":"L. Dice","year":"1945","unstructured":"Dice, L.: Measure of the amount of ecologic association between species. Ecology\u00a026(3), 297\u2013302 (1945)","journal-title":"Ecology"},{"key":"5_CR31","volume-title":"Principles of numerical taxonomy","author":"R. Sokal","year":"1963","unstructured":"Sokal, R., Sneath, P.: Principles of numerical taxonomy. Freeman, San Francisco (1963)"},{"key":"5_CR32","unstructured":"Portnoy, L., Eskin, E., Stolfo, S.: Intrusion detection with unlabeled data using clustering. In: Proc. ACM CSS Workshop on Data Mining Applied to Security (2001)"},{"key":"5_CR33","doi-asserted-by":"crossref","unstructured":"Lazarevic, A., Ertoz, L., Kumar, V., Ozgur, A., Srivastava, J.: A comparative study of anomaly detection schemes in network intrusion detection. In: Proc. SIAM (2003)","DOI":"10.1137\/1.9781611972733.3"},{"key":"5_CR34","doi-asserted-by":"crossref","unstructured":"Laskov, P., Sch\u00e4fer, C., Kotenko, I.: Intrusion detection in unlabeled data with quarter-sphere support vector machines. In: Proc. DIMVA, pp. 
71\u201382 (2004)","DOI":"10.1515\/PIKO.2004.228"},{"issue":"4","key":"5_CR35","doi-asserted-by":"publisher","first-page":"579","DOI":"10.1016\/S1389-1286(00)00139-0","volume":"34","author":"R. Lippmann","year":"2000","unstructured":"Lippmann, R., Haines, J., Fried, D., Korba, J., Das, K.: The 1999 DARPA off-line intrusion detection evaluation. Computer Networks\u00a034(4), 579\u2013595 (2000)","journal-title":"Computer Networks"},{"key":"5_CR36","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"145","DOI":"10.1007\/3-540-39945-3_10","volume-title":"Recent Advances in Intrusion Detection","author":"J. McHugh","year":"2000","unstructured":"McHugh, J.: The 1998 Lincoln Laboratory IDS Evaluation. In: Debar, H., M\u00e9, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol.\u00a01907, pp. 145\u2013161. Springer, Heidelberg (2000)"},{"issue":"4","key":"5_CR37","doi-asserted-by":"publisher","first-page":"262","DOI":"10.1145\/382912.382923","volume":"3","author":"J. McHugh","year":"2000","unstructured":"McHugh, J.: Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Trans. on Information Systems Security\u00a03(4), 262\u2013294 (2000)","journal-title":"ACM Trans. on Information Systems Security"},{"key":"5_CR38","unstructured":"Moore, H.D.: The metasploit project \u2013 open-source platform for developing, testing, and using exploit code (2005), http:\/\/www.metasploit.com"},{"key":"5_CR39","doi-asserted-by":"publisher","first-page":"419","DOI":"10.1162\/153244302760200687","volume":"2","author":"H. Lodhi","year":"2002","unstructured":"Lodhi, H., Saunders, C., Shawe-Taylor, J., Cristianini, N., Watkins, C.: Text classification using string kernels. 
Journal of Machine Learning Research\u00a02, 419\u2013444 (2002)","journal-title":"Journal of Machine Learning Research"},{"key":"5_CR40","unstructured":"Roesch, M.: Snort: Lightweight intrusion detection for networks. In: Proc. LISA, pp. 229\u2013238 (1999)"},{"issue":"1","key":"5_CR41","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1109\/34.824820","volume":"22","author":"G. Nagy","year":"2000","unstructured":"Nagy, G.: Twenty years of document image analysis in PAMI. IEEE Trans. Pattern Analysis and Machine Intelligence\u00a022(1), 36\u201362 (2000)","journal-title":"IEEE Trans. Pattern Analysis and Machine Intelligence"},{"issue":"2","key":"5_CR42","doi-asserted-by":"publisher","first-page":"164","DOI":"10.1109\/TPAMI.1979.4766902","volume":"1","author":"C.Y. Suen","year":"1979","unstructured":"Suen, C.Y.: N-gram statistics for natural language understanding and text processing. IEEE Trans. Pattern Analysis and Machine Intelligence\u00a01(2), 164\u2013172 (1979)","journal-title":"IEEE Trans. Pattern Analysis and Machine Intelligence"},{"key":"5_CR43","unstructured":"Cavnar, W.B., Trenkle, J.M.: N-gram-based text categorization. In: Proc. SDAIR, Las Vegas, NV, USA, pp. 161\u2013175 (1994)"},{"issue":"1","key":"5_CR44","doi-asserted-by":"publisher","first-page":"48","DOI":"10.1108\/EUM0000000007161","volume":"58","author":"A.M. Robertson","year":"1998","unstructured":"Robertson, A.M., Willett, P.: Applications of n-grams in textual information systems. Journal of Documentation\u00a058(1), 48\u201369 (1998)","journal-title":"Journal of Documentation"},{"key":"5_CR45","doi-asserted-by":"crossref","first-page":"39","DOI":"10.7551\/mitpress\/1113.003.0006","volume-title":"Advances in Large Margin Classifiers","author":"C. Watkins","year":"2000","unstructured":"Watkins, C.: Dynamic alignment kernels. In: Smola, A., Bartlett, P., Sch\u00f6lkopf, B., Schuurmans, D. (eds.) Advances in Large Margin Classifiers, pp. 39\u201350. 
MIT Press, Cambridge (2000)"},{"key":"5_CR46","doi-asserted-by":"crossref","unstructured":"Leslie, C., Eskin, E., Noble, W.: The spectrum kernel: A string kernel for SVM protein classification. In: Proc. Pacific Symp. Biocomputing, pp. 564\u2013575 (2002)","DOI":"10.1142\/9789812799623_0053"},{"key":"5_CR47","unstructured":"Lee, W., Stolfo, S., Chan, P.: Learning patterns from unix process execution traces for intrusion detection. In: Proc. AAAI workshop on Fraud Detection and Risk Management, Providence, RI, USA, pp. 50\u201356 (1997)"},{"key":"5_CR48","doi-asserted-by":"crossref","unstructured":"Michael, C.: Finding the vocabulary of program behavior data for anomaly detection. In: Proc. DISCEX, pp. 152\u2013163 (2003)","DOI":"10.1109\/DISCEX.2003.1194881"},{"issue":"2","key":"5_CR49","doi-asserted-by":"crossref","first-page":"147","DOI":"10.1002\/j.1538-7305.1950.tb00463.x","volume":"29","author":"R.W. Hamming","year":"1950","unstructured":"Hamming, R.W.: Error-detecting and error-correcting codes. Bell System Technical Journal\u00a029(2), 147\u2013160 (1950)","journal-title":"Bell System Technical Journal"},{"key":"5_CR50","volume-title":"Cluster Analysis for Applications","author":"M. Anderberg","year":"1973","unstructured":"Anderberg, M.: Cluster Analysis for Applications. Academic Press, Inc., New York (1973)"},{"key":"5_CR51","doi-asserted-by":"crossref","unstructured":"Harmeling, S., Dornhege, G., Tax, D., Meinecke, F., M\u00fcller, K.R.: From outliers to prototypes: ordering data. 
Neurocomputing (in press, 2006)","DOI":"10.1016\/j.neucom.2005.05.015"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware & Vulnerability Assessment"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/11790754_5.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,1,12]],"date-time":"2025-01-12T04:41:47Z","timestamp":1736656907000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/11790754_5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2006]]},"ISBN":["9783540360148","9783540360179"],"references-count":51,"URL":"https:\/\/doi.org\/10.1007\/11790754_5","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2006]]}}}