{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,22]],"date-time":"2026-04-22T19:13:10Z","timestamp":1776885190228,"version":"3.51.2"},"publisher-location":"Cham","reference-count":24,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783031175503","type":"print"},{"value":"9783031175510","type":"electronic"}],"license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022]]},"DOI":"10.1007\/978-3-031-17551-0_13","type":"book-chapter","created":{"date-parts":[[2022,9,29]],"date-time":"2022-09-29T13:25:48Z","timestamp":1664457948000},"page":"201-216","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["A Two-Stage Method for\u00a0Fine-Grained DNS Covert Tunnel Behavior Detection"],"prefix":"10.1007","author":[{"given":"Bingxu","family":"Wang","sequence":"first","affiliation":[]},{"given":"Gang","family":"Xiong","sequence":"additional","affiliation":[]},{"given":"Peipei","family":"Fu","sequence":"additional","affiliation":[]},{"given":"Gaopeng","family":"Gou","sequence":"additional","affiliation":[]},{"given":"Yingchao","family":"Qin","sequence":"additional","affiliation":[]},{"given":"Zhen","family":"Li","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,9,30]]},"reference":[{"key":"13_CR1","unstructured":"Andeersson, B., Ekman, E.: Iodine [EB\/OL] (2014). http:\/\/code.kryo.se\/iodine\/"},{"key":"13_CR2","unstructured":"Pietraszek, B.: T.DNScat (2005). http:\/\/tadek.pietraszek.org\/projects\/DNScat\/"},{"key":"13_CR3","unstructured":"Dembour, C.: DNS2TCP (2010). http:\/\/www.hsc.fr\/ressources\/outils\/dns2tcp\/"},{"key":"13_CR4","doi-asserted-by":"crossref","unstructured":"Born, K., Gustafson, D.: NgViz: detecting DNS tunnels through n-gram visualization and quantitative analysis. In: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, pp. 1\u20134 (2010)","DOI":"10.1145\/1852666.1852718"},{"key":"13_CR5","unstructured":"Bilge, L., et al.: Exposure: finding malicious domains using passive DNS analysis. In: NDSS, pp. 1\u201317 (2011)"},{"key":"13_CR6","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"124","DOI":"10.1007\/978-3-642-38998-6_16","volume-title":"Emerging Management Mechanisms for the Future Internet","author":"W Ellens","year":"2013","unstructured":"Ellens, W., \u017buraniewski, P., Sperotto, A., Schotanus, H., Mandjes, M., Meeuwissen, E.: Flow-based detection of DNS tunnels. In: Doyen, G., Waldburger, M., \u010celeda, P., Sperotto, A., Stiller, B. (eds.) AIMS 2013. LNCS, vol. 7943, pp. 124\u2013135. Springer, Heidelberg (2013). https:\/\/doi.org\/10.1007\/978-3-642-38998-6_16"},{"key":"13_CR7","doi-asserted-by":"crossref","unstructured":"Almusawi, A., Amintoosi, H.: DNS tunneling detection method based on multilabel support vector machine. Secur. Commun. Netw. 2018(6), 1\u20139 2018","DOI":"10.1155\/2018\/6137098"},{"key":"13_CR8","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1016\/j.cose.2018.09.006","volume":"80","author":"A Nadler","year":"2019","unstructured":"Nadler, A., Aminov, A., Shabtai, A.: Detection of malicious and low throughput data exfiltration over the DNS protocol. Comput. Secur. 80, 36\u201353 (2019)","journal-title":"Comput. Secur."},{"issue":"1","key":"13_CR9","doi-asserted-by":"publisher","first-page":"265","DOI":"10.1109\/TNSM.2019.2940735","volume":"17","author":"J Ahmed","year":"2019","unstructured":"Ahmed, J., Gharakheili, H.H., Raza, Q., et al.: Monitoring enterprise DNS queries for detecting data exfiltration from internal hosts. IEEE Trans. Netw. Serv. Manage. 17(1), 265\u2013279 (2019)","journal-title":"IEEE Trans. Netw. Serv. Manage."},{"key":"13_CR10","series-title":"Lecture Notes in Electrical Engineering","doi-asserted-by":"publisher","first-page":"221","DOI":"10.1007\/978-981-10-4154-9_26","volume-title":"Information Science and Applications 2017","author":"VT Do","year":"2017","unstructured":"Do, V.T., Engelstad, P., Feng, B., van Do, T.: Detection of DNS tunneling in mobile networks using machine learning. In: Kim, K., Joukov, N. (eds.) ICISA 2017. LNEE, vol. 424, pp. 221\u2013230. Springer, Singapore (2017). https:\/\/doi.org\/10.1007\/978-981-10-4154-9_26"},{"issue":"3","key":"13_CR11","doi-asserted-by":"publisher","first-page":"44","DOI":"10.1109\/COMST.2007.4317620","volume":"9","author":"S Zander","year":"2007","unstructured":"Zander, S., Armitage, G., Branch, P.: A survey of covert channels and countermeasures in computer network protocols. IEEE Commun. Surv. Tut. 9(3), 44\u201357 (2007)","journal-title":"IEEE Commun. Surv. Tut."},{"issue":"1","key":"13_CR12","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1016\/j.comnet.2008.09.010","volume":"53","author":"M Dusi","year":"2009","unstructured":"Dusi, M., Crotti, M., Gringoli, F., et al.: Tunnel Hunter: detecting application-layer tunnels with statistical fingerprinting. Comput. Netw. 53(1), 81\u201397 (2009)","journal-title":"Comput. Netw."},{"key":"13_CR13","unstructured":"Van Horenbeeck, M.: Deception on the network: thinking differently about covert channels (2006)"},{"key":"13_CR14","unstructured":"Skoudis, E.: The six most dangerous new attack techniques and what\u2019s coming next. In: RSA Conference (RSA2012) (2012)"},{"key":"13_CR15","unstructured":"Grunzweig, J., Scott, M., Lee, B.: New wekby attacks use DNS requests as command and control mechanism. Palo Alto Networks (2016)"},{"key":"13_CR16","unstructured":"Brumaghin, E., Grady, C.: Covert channels and poor decisions: the tale of DNSMessenger. Accessed 10 Jun 2017 (2019)"},{"key":"13_CR17","unstructured":"https:\/\/www.alexa.com\/ (2022)"},{"key":"13_CR18","unstructured":"https:\/\/www.cobaltstrike.com\/"},{"key":"13_CR19","doi-asserted-by":"crossref","unstructured":"Friedman, J.H.: Greedy function approximation: a gradient boosting machine. Ann. Stat. 29(5), 1189\u20131232 (2001)","DOI":"10.1214\/aos\/1013203451"},{"issue":"1","key":"13_CR20","doi-asserted-by":"publisher","first-page":"253","DOI":"10.1023\/A:1013912006537","volume":"48","author":"M Collins","year":"2002","unstructured":"Collins, M., Schapire, R.E., Singer, Y.: Logistic regression, adaboost and bregman distances. Mach. Learn. 48(1), 253\u2013285 (2002). https:\/\/doi.org\/10.1023\/A:1013912006537","journal-title":"Mach. Learn."},{"key":"13_CR21","doi-asserted-by":"crossref","unstructured":"Liu, C., et al.: A byte-level CNN method to detect DNS tunnels. In: 2019 IEEE 38th International Performance Computing and Communications Conference, pp. 1\u20138. IEEE Press, Piscataway (2019)","DOI":"10.1109\/IPCCC47392.2019.8958714"},{"key":"13_CR22","doi-asserted-by":"crossref","unstructured":"Wu, K.M., Zhang, Y.Z., Yin, T.: TDAE: autoencoder-based automatic feature learning method for the detection of DNS tunnel. In: 2020 IEEE International Conference on Communications, pp. 1\u20137. IEEE Press, Piscataway (2020)","DOI":"10.1109\/ICC40277.2020.9149162"},{"issue":"1","key":"13_CR23","first-page":"169","volume":"41","author":"M Zhang","year":"2020","unstructured":"Zhang, M., Sun, H.L., Yang, P.: Identification of DNS covert channel based on improved convolutional neural network. J. Commun. 41(1), 169\u2013179 (2020)","journal-title":"J. Commun."},{"key":"13_CR24","doi-asserted-by":"crossref","unstructured":"Almusawi, A., Amintoosi, H.: DNS tunneling detection method based on multilabel support vector machine. Secur. Commun. Netw. 2018(6), 1\u20139 2018","DOI":"10.1155\/2018\/6137098"}],"container-title":["Lecture Notes in Computer Science","Science of Cyber Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-17551-0_13","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,9,29]],"date-time":"2022-09-29T13:27:28Z","timestamp":1664458048000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-17551-0_13"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"ISBN":["9783031175503","9783031175510"],"references-count":24,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-17551-0_13","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022]]},"assertion":[{"value":"30 September 2022","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"SciSec","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Science of Cyber Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Matsue","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Japan","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2022","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"10 August 2022","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"12 August 2022","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"4","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"scisec2022","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/www.scisec.org","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Easychair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"30","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"15","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"50% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"2.3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"2","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3 Posters","order":10,"name":"additional_info_on_review_process","label":"Additional Info on Review Process","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}