{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,15]],"date-time":"2025-08-15T01:39:06Z","timestamp":1755221946129,"version":"3.43.0"},"publisher-location":"Cham","reference-count":74,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032006233","type":"print"},{"value":"9783032006240","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"DOI":"10.1007\/978-3-032-00624-0_8","type":"book-chapter","created":{"date-parts":[[2025,8,9]],"date-time":"2025-08-09T11:42:31Z","timestamp":1754739751000},"page":"163-185","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Striking Back at Cobalt: Using Network Traffic Metadata to Detect Cobalt Strike Masquerading Command and\u00a0Control Channels"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-2166-0881","authenticated-orcid":false,"given":"Cl\u00e9ment","family":"Parssegny","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0002-0222-6794","authenticated-orcid":false,"given":"Johan","family":"Mazel","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0558-5015","authenticated-orcid":false,"given":"Olivier","family":"Levillain","sequence":"additional","affiliation":[]},{"given":"Pierre","family":"Chifflier","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,8,10]]},"reference":[{"key":"8_CR1","doi-asserted-by":"crossref","unstructured":"Abu\u00a0Rajab, M., Zarfoss, J., Monrose, F., Terzis, A.: A multifaceted approach to understanding the botnet phenomenon. In: ACM SIGCOMM IMC (2006)","DOI":"10.1145\/1177080.1177086"},{"key":"8_CR2","unstructured":"Althouse, J.: Tls fingerprinting with ja3 and ja3s (2019). https:\/\/engineering.salesforce.com\/tls-fingerprinting-with-ja3-and-ja3s\/"},{"key":"8_CR3","unstructured":"Althouse, J.: Ja4+ network fingerprinting (2023). https:\/\/blog.foxio.io\/ja4%2B-network-fingerprinting"},{"key":"8_CR4","doi-asserted-by":"crossref","unstructured":"Anderson, B., McGrew, D.: Identifying encrypted malware traffic with contextual flow data. In: AISec (2016)","DOI":"10.1145\/2996758.2996768"},{"key":"8_CR5","unstructured":"Anderson, B., McGrew, D.: Accurate tls fingerprinting using destination context and knowledge bases (2020)"},{"key":"8_CR6","doi-asserted-by":"crossref","unstructured":"Buczak, A.L., Hanke, P.A., Cancro, G.J., Toma, M.K., Watkins, L.A., Chavis, J.S.: Detection of tunnels in pcap data by random forests. In: CISRC 2016 (2016)","DOI":"10.1145\/2897795.2897804"},{"key":"8_CR7","doi-asserted-by":"crossref","unstructured":"Bujlow, T., Carela-Espa\u00f1ol, V., Barlet-Ros, P.: Independent comparison of popular dpi tools for traffic classification. Comput, Nets (2015)","DOI":"10.1016\/j.comnet.2014.11.001"},{"key":"8_CR8","unstructured":"Censys: Jarm in censys search. https:\/\/docs.censys.com\/docs\/ls-jarm"},{"key":"8_CR9","doi-asserted-by":"crossref","unstructured":"Chen, S., Lang, B., Liu, H., Li, D., Gao, C.: Dns covert channel detection method using the lstm model (2021)","DOI":"10.1016\/j.cose.2020.102095"},{"key":"8_CR10","unstructured":"Cisco: NetFlow v1, v5, v7 and v8 (2007). https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/net_mgmt\/netflow_collection_engine\/3-6\/user\/guide\/format.html"},{"key":"8_CR11","unstructured":"Cisco: NetFlow v9 (2011). https:\/\/www.cisco.com\/en\/US\/technologies\/tk648\/tk362\/technologies_white_paper09186a00800a3db9.html"},{"key":"8_CR12","unstructured":"CobaltStrike: https:\/\/www.cobaltstrike.com"},{"key":"8_CR13","unstructured":"CobaltStrike: https:\/\/www.cobaltstrike.com\/help-malleable-c2"},{"key":"8_CR14","unstructured":"CobaltStrike: Official malleable profiles repository (2014). https:\/\/github.com\/Cobalt-Strike\/Malleable-C2-Profiles"},{"key":"8_CR15","unstructured":"CobaltStrike: (2022). https:\/\/hstechdocs.helpsystems.com\/manuals\/cobaltstrike\/current\/userguide\/content\/topics\/listener-infrastructure_peer-2-peer.htm"},{"key":"8_CR16","unstructured":"CrowdStrike: (2018). https:\/\/www.crowdstrike.com\/blog\/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda\/"},{"key":"8_CR17","unstructured":"Cybereason. https:\/\/www.cybereason.com\/blog\/sliver-c2-leveraged-by-many-threat-actors"},{"key":"8_CR18","doi-asserted-by":"crossref","unstructured":"Dietrich, C., Rossow, C., Freiling, F., Bos, H., van Steen, M., Pohlmann, N.: On botnets that use dns for command and control. In: EC2ND (2011)","DOI":"10.1109\/EC2ND.2011.16"},{"key":"8_CR19","unstructured":"Rescorla, E.: Mozilla: RFC on TLS 1.3. https:\/\/www.rfc-editor.org\/rfc\/rfc8446"},{"key":"8_CR20","unstructured":"Vincent van\u00a0der Eijk, C.S.: Detecting Cobalt Strike beacons in NetFlow data (2020)"},{"key":"8_CR21","doi-asserted-by":"crossref","unstructured":"Elsadig, M.A., Gafar, A.: Covert channel detection: machine learning approaches. IEEE Access, 38391\u201338405 (2022)","DOI":"10.1109\/ACCESS.2022.3164392"},{"key":"8_CR22","unstructured":"Felt, A.P., Barnes, R., King, A., Palmer, C., Bentzel, C., Tabriz, P.: Measuring https adoption on the web. In: USENIX Security (2017)"},{"key":"8_CR23","doi-asserted-by":"crossref","unstructured":"Freiling, F., Holz, T., Wicherski, G.: Botnet tracking: exploring a root-cause methodology to prevent distributed denial-of-service attacks. In: ESORICS (2005)","DOI":"10.1007\/11555827_19"},{"key":"8_CR24","doi-asserted-by":"crossref","unstructured":"Garc\u00eda, S., Grill, M., Stiborek, J., Zunino, A.: An empirical comparison of botnet detection methods. Elsevier Advanced Technology Publications (2014)","DOI":"10.1016\/j.cose.2014.05.011"},{"key":"8_CR25","unstructured":"Github: https:\/\/github.com\/looCiprian\/GC2-sheet"},{"key":"8_CR26","unstructured":"Github: https:\/\/github.com\/YDHCUI\/manjusaka"},{"key":"8_CR27","unstructured":"Github: https:\/\/github.com\/BishopFox\/sliver"},{"key":"8_CR28","unstructured":"Google Cybersecurity Action Team (2023). https:\/\/services.google.com\/fh\/files\/blogs\/gcat_threathorizons_full_apr2023.pdf"},{"key":"8_CR29","unstructured":"Gu, G., Porras, P., Yegneswaran, V., Fong, M.: Bothunter: detecting malware infection through ids-driven dialog correlation. In: USENIX Security (2007)"},{"key":"8_CR30","unstructured":"Gu, G., Zhang, J., Lee, W.: Botsniffer: detecting botnet command and control channels in network traffic. In: NDSS Symposium (2008)"},{"key":"8_CR31","unstructured":"Hu, Y.Z.: Mining data from cobalt strike beacons (2022). https:\/\/www.nccgroup.com\/us\/research-blog\/mining-data-from-cobalt-strike-beacons"},{"key":"8_CR32","doi-asserted-by":"crossref","unstructured":"Kondo, S., Sato, N.: Botnet traffic detection techniques by c &c session classification using svm. Adv. Inform. Comput. Secur. (2007)","DOI":"10.1007\/978-3-540-75651-4_7"},{"key":"8_CR33","unstructured":"Kravensecurity: C2 hunting: How to find c2 servers with shodan (2024). https:\/\/kravensecurity.com\/c2-hunting-using-shodan\/"},{"key":"8_CR34","unstructured":"Labayen, V., Maga\u00f1a, E., Morat\u00f3, D., Izal, M.: Network traffic and code for machine learning classification. Mach. Learn. Netw. (2020)"},{"key":"8_CR35","doi-asserted-by":"crossref","unstructured":"Labayen, V., Maga\u00f1a, E., Morat\u00f3, D., Izal, M.: Online classification of user activities using machine learning on network traffic. Comput, Nets (2020)","DOI":"10.1016\/j.comnet.2020.107557"},{"key":"8_CR36","doi-asserted-by":"crossref","unstructured":"Livadas, C., Walsh, R., Lapsley, D., Strayer, W.T.: Using machine learning techniques to identify botnet traffic. In: LCN (2006)","DOI":"10.1109\/LCN.2006.322210"},{"key":"8_CR37","unstructured":"Microsoft (2021). https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/05\/27\/new-sophisticated-email-based-attack-from-nobelium\/"},{"key":"8_CR38","doi-asserted-by":"crossref","unstructured":"Mileva, A., Panajotov, B.: Covert channels in tcp\/ip protocol stack - extended version-. Open Comput. Sci. (2014)","DOI":"10.2478\/s13537-014-0205-6"},{"key":"8_CR39","unstructured":"MitreAtt &ck: https:\/\/attack.mitre.org\/software\/S0154\/"},{"key":"8_CR40","unstructured":"MitreAtt &ck: https:\/\/attack.mitre.org\/techniques\/T1071\/001\/"},{"key":"8_CR41","unstructured":"MitreAtt &ck: https:\/\/attack.mitre.org\/techniques\/T1071\/004\/"},{"key":"8_CR42","unstructured":"MTA: https:\/\/www.malware-traffic-analysis.net\/2023\/01\/31\/"},{"key":"8_CR43","unstructured":"MTA: https:\/\/www.malware-traffic-analysis.net\/2023\/05\/23\/"},{"key":"8_CR44","unstructured":"MTA: https:\/\/www.malware-traffic-analysis.net\/2023\/07\/12\/"},{"key":"8_CR45","unstructured":"MTA: https:\/\/www.malware-traffic-analysis.net\/2023\/10\/03\/"},{"key":"8_CR46","unstructured":"MTA: https:\/\/www.malware-traffic-analysis.net\/2023\/11\/06\/"},{"key":"8_CR47","unstructured":"MTA: https:\/\/www.malware-traffic-analysis.net\/2023\/"},{"key":"8_CR48","unstructured":"Nayak, C.: https:\/\/bruteratel.com\/"},{"key":"8_CR49","unstructured":"Nivargi, V., Bhaowa, M., Lee, T.: Machine Learning Based Botnet Detection (2006)"},{"key":"8_CR50","unstructured":"Mavis, N.: The art and science of detecting Cobalt Strike (2020)"},{"key":"8_CR51","doi-asserted-by":"crossref","unstructured":"Oliver, J., Hagen, J.: Designing the elements of a fuzzy hashing scheme. In: EUC (2021)","DOI":"10.1109\/EUC53437.2021.00028"},{"key":"8_CR52","doi-asserted-by":"crossref","unstructured":"Pai, K., Shubhodeep, M., Madhusoodhana, S.: Novel tls signature extraction for malware detection (2020)","DOI":"10.1109\/CONECCT50063.2020.9198590"},{"key":"8_CR53","doi-asserted-by":"crossref","unstructured":"Ramos, F.M., Wang, X.: A machine learning based approach to detect stealthy cobalt strike c &c activities from encrypted network traffic. Mach. Learn. Netw. (2022)","DOI":"10.1007\/978-3-031-36183-8_8"},{"key":"8_CR54","doi-asserted-by":"crossref","unstructured":"Ramos, F.M., Wang, X.: Detecting stealthy cobalt strike c &c activities via multi-flow based machine learning. In: ICMLA (2023)","DOI":"10.1109\/ICMLA58977.2023.00332"},{"key":"8_CR55","unstructured":"Red Canary: Threat detection report (2022). https:\/\/resource.redcanary.com\/rs\/003-YRU-314\/images\/2022_ThreatDetectionReport_RedCanary.pdf"},{"key":"8_CR56","unstructured":"Salesforce: Easily identify malicious servers on the internet with jarm (2020). https:\/\/engineering.salesforce.com\/easily-identify-malicious-servers-on-the-internet-with-jarm\/"},{"key":"8_CR57","unstructured":"SentinelOne (2023). https:\/\/www.sentinelone.com\/blog\/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors\/"},{"key":"8_CR58","doi-asserted-by":"crossref","unstructured":"Simmons, G.J.: The prisoners\u2019 problem and the subliminal channel. In: Advances in Cryptology, pp. 51\u201367 (1984)","DOI":"10.1007\/978-1-4684-4730-9_5"},{"key":"8_CR59","doi-asserted-by":"crossref","unstructured":"Sosnowski, M., Zirngibl, J., Sattler, P., Carle, G.: DissecTLS: a scalable active scanner for TLS server configurations, capabilities, and TLS fingerprinting. In: PAM 2023 (2023)","DOI":"10.1007\/978-3-031-28486-1_6"},{"key":"8_CR60","unstructured":"Sosnowski, M., et al.: Active TLS stack fingerprinting: characterizing TLS server deployments at scale. In: TMA 2022 (2022)"},{"key":"8_CR61","unstructured":"Staniford-chen, S., et al.: Grids : A graph based intrusion detection system for large networks (1998)"},{"key":"8_CR62","unstructured":"Stratosphere: Stratosphere laboratory datasets (2015). https:\/\/www.stratosphereips.org\/datasets-overview"},{"key":"8_CR63","unstructured":"Talos: https:\/\/blog.talosintelligence.com\/manjusaka-offensive-framework"},{"key":"8_CR64","unstructured":"O\u2019Leary, T.J., Bonner, T., Janus, M., Given, D., Wickens, E.. Simpson, J.: Finding Beacons In The Dark (2021)"},{"key":"8_CR65","unstructured":"Unit42 (2022). https:\/\/unit42.paloaltonetworks.com\/brute-ratel-c4-tool\/"},{"key":"8_CR66","unstructured":"UPC (2015). https:\/\/historic.cba.upc.edu\/monitoring\/traffic-classification.html"},{"key":"8_CR67","unstructured":"US district court for the eastern district of New York (2023). https:\/\/noticeofpleadings.com\/crackedcobaltstrike\/"},{"key":"8_CR68","doi-asserted-by":"crossref","unstructured":"Wang, K., Stolfo, S.: Anomalous payload-based network intrusion detection. In: RAID (2004)","DOI":"10.1007\/978-3-540-30143-1_11"},{"key":"8_CR69","unstructured":"Warmer, M.: Detection of web based C2 channels. Ph.D. thesis (2011)"},{"key":"8_CR70","doi-asserted-by":"crossref","unstructured":"Yang, X., Ruan, S., Yue, Y., Sun, B.: Petnet: plaintext-aware encrypted traffic detection network for identifying cobalt strike https traffics. Comput, Nets (2024)","DOI":"10.1016\/j.comnet.2023.110120"},{"key":"8_CR71","doi-asserted-by":"crossref","unstructured":"Zander, S., Armitage, G., Branch, P.: A survey of covert channels and countermeasures in computer network protocols (2007)","DOI":"10.1109\/COMST.2007.4317620"},{"key":"8_CR72","unstructured":"Zeek: conn.log. https:\/\/docs.zeek.org\/en\/master\/logs\/conn.html"},{"key":"8_CR73","unstructured":"Zeek: Zeek framework official website. https:\/\/zeek.org\/"},{"key":"8_CR74","doi-asserted-by":"crossref","unstructured":"Zhang, H., Papadopoulos, C., Massey, D.: Detecting encrypted botnet traffic (2013)","DOI":"10.1109\/INFCOM.2013.6567180"}],"container-title":["Lecture Notes in Computer Science","Availability, Reliability and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-00624-0_8","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,9]],"date-time":"2025-08-09T11:42:44Z","timestamp":1754739764000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-00624-0_8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9783032006233","9783032006240"],"references-count":74,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-00624-0_8","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"10 August 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ARES","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Availability, Reliability and Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Ghent","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Belgium","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"11 August 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14 August 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"ares-12025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/2025.ares-conference.eu","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}