{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,16]],"date-time":"2025-12-16T12:29:25Z","timestamp":1765888165121},"publisher-location":"Cham","reference-count":42,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030220372"},{"type":"electronic","value":"9783030220389"}],"license":[{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2019]]},"DOI":"10.1007\/978-3-030-22038-9_5","type":"book-chapter","created":{"date-parts":[[2019,6,9]],"date-time":"2019-06-09T23:02:31Z","timestamp":1560121351000},"page":"89-108","update-policy":"http:\/\/dx.doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["Detecting, Fingerprinting and Tracking Reconnaissance Campaigns Targeting Industrial Control Systems"],"prefix":"10.1007","author":[{"given":"Olivier","family":"Cabana","sequence":"first","affiliation":[]},{"given":"Amr M.","family":"Youssef","sequence":"additional","affiliation":[]},{"given":"Mourad","family":"Debbabi","sequence":"additional","affiliation":[]},{"given":"Bernard","family":"Lebel","sequence":"additional","affiliation":[]},{"given":"Marthe","family":"Kassouf","sequence":"additional","affiliation":[]},{"given":"Basile L.","family":"Agba","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2019,6,6]]},"reference":[{"key":"5_CR1","doi-asserted-by":"crossref","unstructured":"Ban, T., Inoue, D.: Practical darknet traffic analysis: methods and case studies. In: 2017 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computed, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld\/SCALCOM\/UIC\/ATC\/CBDCom\/IOP\/SCI), pp. 1\u20138. IEEE (2017)","DOI":"10.1109\/UIC-ATC.2017.8397445"},{"key":"5_CR2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"442","DOI":"10.1007\/978-3-319-70139-4_45","volume-title":"Neural Information Processing","author":"T Ban","year":"2017","unstructured":"Ban, T., Zhu, L., Shimamura, J., Pang, S., Inoue, D., Nakao, K.: Detection of botnet activities through the lens of a large-scale darknet. In: Liu, D., Xie, S., Li, Y., Zhao, D., El-Alfy, E.-S.M. (eds.) ICONIP 2017. LNCS, vol. 10638, pp. 442\u2013451. Springer, Cham (2017). \n                      https:\/\/doi.org\/10.1007\/978-3-319-70139-4_45"},{"key":"5_CR3","doi-asserted-by":"crossref","unstructured":"Bou-Harb, E.: A probabilistic model to preprocess darknet data for cyber threat intelligence generation. In: 2016 IEEE International Conference on Communications (ICC), pp. 1\u20136. IEEE (2016)","DOI":"10.1109\/ICC.2016.7510881"},{"key":"5_CR4","doi-asserted-by":"crossref","unstructured":"Bou-Harb, E., Debbabi, M., Assi, C.: On detecting and clustering distributed cyber scanning. In: 2013 9th International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 926\u2013933. IEEE (2013)","DOI":"10.1109\/IWCMC.2013.6583681"},{"key":"5_CR5","doi-asserted-by":"crossref","unstructured":"Bou-Harb, E., Debbabi, M., Assi, C.: A statistical approach for fingerprinting probing activities. In: 2013 Eighth International Conference on Availability, Reliability and Security (ARES), pp. 21\u201330. IEEE (2013)","DOI":"10.1109\/ARES.2013.9"},{"key":"5_CR6","doi-asserted-by":"crossref","unstructured":"Bou-Harb, E., Debbabi, M., Assi, C.: Behavioral analytics for inferring large-scale orchestrated probing events. In: 2014 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 506\u2013511. IEEE (2014)","DOI":"10.1109\/INFCOMW.2014.6849283"},{"issue":"3","key":"5_CR7","doi-asserted-by":"publisher","first-page":"1496","DOI":"10.1109\/SURV.2013.102913.00020","volume":"16","author":"E Bou-Harb","year":"2014","unstructured":"Bou-Harb, E., Debbabi, M., Assi, C.: Cyber scanning: a comprehensive survey. IEEE Commun. Surv. Tutorials 16(3), 1496\u20131519 (2014)","journal-title":"IEEE Commun. Surv. Tutorials"},{"key":"5_CR8","doi-asserted-by":"publisher","first-page":"35","DOI":"10.1016\/j.cose.2014.02.005","volume":"43","author":"E Bou-Harb","year":"2014","unstructured":"Bou-Harb, E., Debbabi, M., Assi, C.: On fingerprinting probing activities. Comput. Secur. 43, 35\u201348 (2014)","journal-title":"Comput. Secur."},{"key":"5_CR9","doi-asserted-by":"crossref","unstructured":"Bou-Harb, E., Debbabi, M., Assi, C.: A time series approach for inferring orchestrated probing campaigns by analyzing darknet traffic. In: 2015 10th International Conference on Availability, Reliability and Security (ARES), pp. 180\u2013185. IEEE (2015)","DOI":"10.1109\/ARES.2015.9"},{"key":"5_CR10","doi-asserted-by":"publisher","first-page":"S47","DOI":"10.1016\/j.diin.2017.02.002","volume":"20","author":"E Bou-Harb","year":"2017","unstructured":"Bou-Harb, E., Scanlon, M.: Behavioral service graphs: a formal data-driven approach for prompt investigation of enterprise and internet-wide infections. Digit. Invest. 20, S47\u2013S55 (2017)","journal-title":"Digit. Invest."},{"key":"5_CR11","unstructured":"Cherepanov, A.: Win32\/industroyer: a new threat for industrial control systems. White paper, ESET, June 2017"},{"key":"5_CR12","doi-asserted-by":"crossref","unstructured":"Coudriau, M., Lahmadi, A., Fran\u00e7ois, J.: Topological analysis and visualisation of network monitoring data: darknet case study. In: 2016 IEEE International Workshop on Information Forensics and Security (WIFS), pp. 1\u20136. IEEE (2016)","DOI":"10.1109\/WIFS.2016.7823920"},{"key":"5_CR13","unstructured":"Dragos: TRISIS Malware Analysis of Safety System Targeted Malware. Dragos Inc. (2017). \n                      https:\/\/dragos.com\/blog\/trisis\/TRISIS-01.pdf"},{"key":"5_CR14","doi-asserted-by":"crossref","unstructured":"Fachkha, C., Bou-Harb, E., Keliris, A., Memon, N., Ahamad, M.: Internet-scale probing of CPS: inference, characterization and orchestration analysis. In: The Network and Distributed System Security Symposium (NDSS) (2017)","DOI":"10.14722\/ndss.2017.23149"},{"key":"5_CR15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"376","DOI":"10.1007\/978-3-319-26561-2_45","volume-title":"Neural Information Processing","author":"N Furutani","year":"2015","unstructured":"Furutani, N., Kitazono, J., Ozawa, S., Ban, T., Nakazato, J., Shimamura, J.: Adaptive DDoS-event detection from big darknet traffic data. In: Arik, S., Huang, T., Lai, W.K., Liu, Q. (eds.) ICONIP 2015. LNCS, vol. 9492, pp. 376\u2013383. Springer, Cham (2015). \n                      https:\/\/doi.org\/10.1007\/978-3-319-26561-2_45"},{"key":"5_CR16","doi-asserted-by":"crossref","unstructured":"Garg, S., Singh, A., Batra, S., Kumar, N., Obaidat, M.: Enclass: ensemble-based classification model for network anomaly detection in massive datasets. In: GLOBECOM 2017-2017 IEEE Global Communications Conference. pp. 1\u20137. IEEE (2017)","DOI":"10.1109\/GLOCOM.2017.8255025"},{"key":"5_CR17","volume-title":"Vector Quantization and Signal Compression","author":"A Gersho","year":"2012","unstructured":"Gersho, A., Gray, R.M.: Vector Quantization and Signal Compression, vol. 159. Springer Science & Business Media, Berlin (2012)"},{"key":"5_CR18","doi-asserted-by":"publisher","first-page":"118","DOI":"10.1016\/j.procs.2018.10.511","volume":"144","author":"N Hashimoto","year":"2018","unstructured":"Hashimoto, N., Ozawa, S., Ban, T., Nakazato, J., Shimamura, J.: A darknet traffic analysis for IoT malwares using association rule learning. Procedia Comput. Sci. 144, 118\u2013123 (2018)","journal-title":"Procedia Comput. Sci."},{"key":"5_CR19","unstructured":"ICS-Cert-US: Rockwell automation controllogix plc vulnerabilities (2018). \n                      https:\/\/ics-cert.us-cert.gov\/advisories\/ICSA-13-011-03"},{"key":"5_CR20","unstructured":"Jin, Y., Simon, G., Xu, K., Zhang, Z.L., Kumar, V.: Grays anatomy: dissecting scanning activities using IP gray space analysis. In: Usenix SysML 2007 (2007)"},{"key":"5_CR21","unstructured":"Johnson, B., Caban, D., Krotofil, M., Scali, D., Brubaker, N., Glyer, C.: Attackers deploy new ICS attack framework triton and cause operational disruption to critical infrastructure (2017). \n                      https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/12\/attackers-deploy-new-ics-attack-framework-triton.html"},{"key":"5_CR22","doi-asserted-by":"publisher","first-page":"91","DOI":"10.1016\/j.compeleceng.2016.01.012","volume":"50","author":"G Kirubavathi","year":"2016","unstructured":"Kirubavathi, G., Anitha, R.: Botnet detection via mining of traffic flow characteristics. Comput. Electr. Eng. 50, 91\u2013101 (2016)","journal-title":"Comput. Electr. Eng."},{"key":"5_CR23","unstructured":"Lagraa, S., Fran\u00e7ois, J.: Knowledge discovery of port scans from darknet. In: IFIP\/IEEE Symposium on Integrated Network and Service Management (IM), 2017, pp. 935\u2013940. IEEE (2017)"},{"issue":"1","key":"5_CR24","doi-asserted-by":"publisher","first-page":"175","DOI":"10.1109\/TIFS.2010.2086445","volume":"6","author":"Z Li","year":"2011","unstructured":"Li, Z., Goyal, A., Chen, Y., Paxson, V.: Towards situational awareness of large-scale botnet probing events. IEEE Trans. Inf. Forensics Secur. 6(1), 175\u2013188 (2011)","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"5_CR25","unstructured":"Lipovsky, R.: Back in blackenergy *: 2014 targeted attacks in ukraine and poland (2014). \n                      https:\/\/www.welivesecurity.com\/2014\/09\/22\/back-in-blackenergy-2014\/"},{"key":"5_CR26","unstructured":"Lipovsky, R., Cherepanov, A.: Blackenergy trojan strikes again: attacks ukrainian electric power industry (2016). \n                      https:\/\/www.welivesecurity.com\/2016\/01\/04\/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry\/"},{"key":"5_CR27","unstructured":"Lloyd\u2019s: Business blackout: the insurance implications of a cyber attack on the us powergrid. Technical report, Center for Risk Studies, University of Cambridge (2015)"},{"issue":"11","key":"5_CR28","doi-asserted-by":"publisher","first-page":"2916","DOI":"10.1109\/TPDS.2014.2370031","volume":"26","author":"Z Lu","year":"2015","unstructured":"Lu, Z., Sun, X., Wen, Y., Cao, G., La Porta, T.: Algorithms and applications for community detection in weighted networks. IEEE Trans. Parallel Distrib. Syst. 26(11), 2916\u20132926 (2015)","journal-title":"IEEE Trans. Parallel Distrib. Syst."},{"key":"5_CR29","doi-asserted-by":"crossref","unstructured":"Lv, Y., Li, Y., Tu, S., Xiang, S., Xia, C.: Coordinated scan detection algorithm based on the global characteristics of time sequence. In: 2014 Ninth International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA), pp. 199\u2013206. IEEE (2014)","DOI":"10.1109\/BWCCA.2014.64"},{"key":"5_CR30","unstructured":"Mazel, J., Fontugne, R., Fukuda, K.: Identifying coordination of network scans using probed address structure. In: Traffic Monitoring and Analysis-8th International Workshop, TMA, pp. 7\u20138 (2016)"},{"key":"5_CR31","unstructured":"Mirian, A., et al.: An internet-wide view of ICS devices. In: 14th Annual Conference on Privacy, Security and Trust (PST), 2016, pp. 96\u2013103. IEEE (2016)"},{"issue":"9","key":"5_CR32","doi-asserted-by":"publisher","first-page":"1","DOI":"10.18637\/jss.v053.i09","volume":"53","author":"D M\u00fcllner","year":"2013","unstructured":"M\u00fcllner, D., et al.: Fastcluster: fast hierarchical, agglomerative clustering routines for R and python. J. Stat. Softw. 53(9), 1\u201318 (2013)","journal-title":"J. Stat. Softw."},{"key":"5_CR33","unstructured":"Nichols, K., Blake, S., Baker, F., Black, D.: Definition of the differentiated services field (DS field) in the IPv4 and IPv6 Headers (1998). \n                      https:\/\/tools.ietf.org\/pdf\/rfc2474.pdf"},{"key":"5_CR34","unstructured":"Ethernet\/IP quick start for vendors handbook (2008). \n                      https:\/\/www.odva.org\/Portals\/0\/Library\/Publications_Numbered\/PUB00213R0_EtherNetIP_Developers_Guide.pdf"},{"key":"5_CR35","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"186","DOI":"10.1007\/978-3-540-70542-0_10","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"E Passerini","year":"2008","unstructured":"Passerini, E., Paleari, R., Martignoni, L., Bruschi, D.: FluXOR: detecting and monitoring fast-flux service networks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 186\u2013206. Springer, Heidelberg (2008). \n                      https:\/\/doi.org\/10.1007\/978-3-540-70542-0_10"},{"key":"5_CR36","unstructured":"Passive DNS FAQ (2018). \n                      https:\/\/www.farsightsecurity.com\/technical\/passive-dns\/passive-dns-faq\/"},{"key":"5_CR37","unstructured":"Pcap4j (2018). \n                      https:\/\/github.com\/kaitoy\/pcap4j"},{"key":"5_CR38","first-page":"2825","volume":"12","author":"F Pedregosa","year":"2011","unstructured":"Pedregosa, F., et al.: Scikit-learn: machine learning in python. J. Mach. Learn. Res. 12, 2825\u20132830 (2011)","journal-title":"J. Mach. Learn. Res."},{"issue":"1","key":"5_CR39","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1145\/584091.584093","volume":"5","author":"CE Shannon","year":"2001","unstructured":"Shannon, C.E.: A mathematical theory of communication. ACM SIGMOBILE Mob. Comput. Commun. Rev. 5(1), 3\u201355 (2001)","journal-title":"ACM SIGMOBILE Mob. Comput. Commun. Rev."},{"key":"5_CR40","unstructured":"(2018). \n                      https:\/\/www.tcpdump.org"},{"key":"5_CR41","doi-asserted-by":"crossref","unstructured":"Zakroum, M., et al.: Exploratory data analysis of a network telescope traffic and prediction of port probing rates. In: 2018 IEEE International Conference on Intelligence and Security Informatics (ISI), pp. 175\u2013180. IEEE (2018)","DOI":"10.1109\/ISI.2018.8587323"},{"key":"5_CR42","unstructured":"Zetter, K., Barrett, B., Lapowsky, I., Newman, L., Greenberg, A.: An unprecedented look at stuxnet, the world\u2019s first digital weapon (2014). \n                      https:\/\/www.wired.com\/2014\/11\/countdown-to-zero-day-stuxnet\/"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware, and Vulnerability Assessment"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-22038-9_5","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,6,9]],"date-time":"2019-06-09T23:09:23Z","timestamp":1560121763000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-030-22038-9_5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019]]},"ISBN":["9783030220372","9783030220389"],"references-count":42,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-22038-9_5","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2019]]},"assertion":[{"value":"6 June 2019","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"DIMVA","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Gothenburg","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Sweden","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2019","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"19 June 2019","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20 June 2019","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"16","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"dimva2019","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.dimva2019.org\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"dimca2019.hotcrp.com","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"80","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"23","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"29% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"6","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}}]}}