{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,17]],"date-time":"2026-05-17T07:09:20Z","timestamp":1779001760016,"version":"3.51.4"},"publisher-location":"Cham","reference-count":43,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319608754","type":"print"},{"value":"9783319608761","type":"electronic"}],"license":[{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017]]},"DOI":"10.1007\/978-3-319-60876-1_17","type":"book-chapter","created":{"date-parts":[[2017,6,3]],"date-time":"2017-06-03T08:00:34Z","timestamp":1496476834000},"page":"366-387","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":13,"title":["Unsupervised Detection of APT C&amp;C Channels using Web Request 
Graphs"],"prefix":"10.1007","author":[{"given":"Pavlos","family":"Lamprakis","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ruggiero","family":"Dargenio","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"David","family":"Gugelmann","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Vincent","family":"Lenders","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Markus","family":"Happe","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Laurent","family":"Vanbever","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2017,6,4]]},"reference":[{"key":"17_CR1","unstructured":"APT Case RUAG. Technical Report. GovCERT.ch, 23 May 2016. \n                      https:\/\/www.melani.admin.ch\/dam\/melani\/en\/dokumente\/2016\/technical%20report%20ruag.pdf.download.pdf\/Report_Ruag-Espionage-Case.pdf"},{"key":"17_CR2","unstructured":"Contagiodump Blog. \n                      http:\/\/contagiodump.blogspot.com\n                      \n                    . Accessed Jan 2017"},{"key":"17_CR3","unstructured":"HTTP Access Control. \n                      https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Access_control_CORS\n                      \n                    . Accessed Jan 2017"},{"key":"17_CR4","unstructured":"HTTP Method Definitions. \n                      https:\/\/www.w3.org\/Protocols\/rfc2616\/rfc2616-sec9.html\n                      \n                    . Accessed Jan 2017"},{"key":"17_CR5","unstructured":"Malware Capture Facility Project. \n                      http:\/\/mcfp.weebly.com\n                      \n                    . 
Accessed Jan 2017"},{"key":"17_CR6","unstructured":"Malware-Traffic-Analysis Blog. \n                      http:\/\/www.malware-traffic-analysis.net\n                      \n                    . Accessed Jan 2017"},{"key":"17_CR7","unstructured":"pcapanalysis. \n                      http:\/\/www.pcapanalysis.com\n                      \n                    . Accessed Jan 2017"},{"key":"17_CR8","doi-asserted-by":"crossref","unstructured":"Bilge, L., Balzarotti, D., Robertson, W., Kirda, E., Kruegel, C.: Disclosure: detecting botnet command and control servers through large-scale netflow analysis. In: Proceedings of the Annual Computer Security Applications Conference, ACSAC 2012, pp. 129\u2013138. ACM (2012)","DOI":"10.1145\/2420950.2420969"},{"key":"17_CR9","unstructured":"Bugzilla: Bug 1282878. \n                      https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1282878\n                      \n                    . Accessed Feb 2017"},{"key":"17_CR10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"117","DOI":"10.1007\/978-3-319-03584-0_10","volume-title":"Cyberspace Safety and Security","author":"P Burghouwt","year":"2013","unstructured":"Burghouwt, P., Spruit, M., Sips, H.: Detection of covert botnet command and control channels by causal analysis of traffic flows. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds.) CSS 2013. LNCS, vol. 8300, pp. 117\u2013131. Springer, Cham (2013). doi:\n                      10.1007\/978-3-319-03584-0_10"},{"key":"17_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1007\/978-3-662-44885-4_5","volume-title":"Communications and Multimedia Security","author":"P Chen","year":"2014","unstructured":"Chen, P., Desmet, L., Huygens, C.: A study on advanced persistent threats. In: Decker, B., Z\u00faquete, A. (eds.) CMS 2014. LNCS, vol. 8735, pp. 63\u201372. Springer, Heidelberg (2014). 
doi:\n                      10.1007\/978-3-662-44885-4_5"},{"key":"17_CR12","unstructured":"Cylance: Operation cleaver report. \n                      http:\/\/cdn2.hubspot.net\/hubfs\/270968\/assets\/Cleaver\/Cylance_Operation_Cleaver_Report.pdf\n                      \n                    . Accessed Feb 2017"},{"key":"17_CR13","unstructured":"FireEye: Evasive Tactics: Taidoor. \n                      https:\/\/www.fireeye.com\/blog\/threat-research\/2013\/09\/evasive-tactics-taidoor-3.html\n                      \n                    . Accessed Feb 2017"},{"key":"17_CR14","unstructured":"FireEye: To Russia With Targeted Attack. \n                      https:\/\/www.fireeye.com\/blog\/threat-research\/2012\/12\/to-russia-with-apt.html\n                      \n                    . Accessed Feb 2017"},{"key":"17_CR15","unstructured":"Gu, G., Perdisci, R., Zhang, J., Lee, W.: Botminer: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the USENIX Security Symposium. USENIX Security 2008 (2008)"},{"key":"17_CR16","unstructured":"Gu, G., Zhang, J., Lee, W.: Botsniffer: detecting botnet command and control channels in network traffic. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2008) (2008)"},{"key":"17_CR17","doi-asserted-by":"crossref","unstructured":"Gugelmann, D., Gasser, F., Ager, B., Lenders, V.: Hviz: Http(s) traffic aggregation and visualization for network forensics. In: Proceedings of the DFRWS Europe (DFRWS 2015 Europe) Digital Investigation 12, Supplement 1, pp. 1\u201311 (2015)","DOI":"10.1016\/j.diin.2015.01.005"},{"key":"17_CR18","unstructured":"IETF: Online Certificate Status Protocol - OCSP. \n                      https:\/\/tools.ietf.org\/html\/rfc6960\n                      \n                    . 
Accessed Feb 2017"},{"key":"17_CR19","unstructured":"Jacob, G., Hund, R., Kruegel, C., Holz, T.: Jackstraws: picking command and control connections from bot traffic. In: Proceedings of the USENIX Security Symposium. USENIX Security 2011 (2011)"},{"key":"17_CR20","unstructured":"Jones, M.: Protecting privacy with referrers (2010). \n                      https:\/\/www.facebook.com\/notes\/facebook-engineering\/protecting-privacy-with-referrers\/392382738919\/\n                      \n                    . Accessed Feb 2017"},{"key":"17_CR21","unstructured":"Kaspersky Lab: The Nettraveler (aka \u2018Travnet\u2019). \n                      https:\/\/kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/vlpdfs\/kaspersky-the-net-traveler-part1-final.pdf\n                      \n                    . Accessed Jan 2017"},{"issue":"5","key":"17_CR22","doi-asserted-by":"publisher","first-page":"1801","DOI":"10.3837\/tiis.2014.05.017","volume":"8","author":"SJ Kim","year":"2014","unstructured":"Kim, S.J., Lee, S., Bae, B.: Has-analyzer: detecting http-based c&c based on the analysis of http activity sets. TIIS 8(5), 1801\u20131816 (2014)","journal-title":"TIIS"},{"key":"17_CR23","unstructured":"Kaspersky Lab: The Darkhotel APT, a story of unusual hospitality. \n                      https:\/\/securelist.com\/files\/2014\/11\/darkhotel_kl_07.11.pdf\n                      \n                    . Accessed Feb 2017"},{"key":"17_CR24","unstructured":"Mandiant: APT1 - Exposing One of China\u2019s Cyber Espionage Units. \n                      https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/services\/pdfs\/mandiant-apt1-report.pdf\n                      \n                    . Accessed Feb 2017"},{"key":"17_CR25","doi-asserted-by":"crossref","unstructured":"Neasbitt, C., Perdisci, R., Li, K., Nelms, T.: Clickminer: towards forensic reconstruction of user-browser interactions from network traces. In: Proceedings of the ACM CCS 2014, pp. 1244\u20131255. 
ACM (2014)","DOI":"10.1145\/2660267.2660268"},{"key":"17_CR26","unstructured":"Nelms, T., Perdisci, R., Ahamad, M.: Execscent: mining for new c&c domains in live networks with adaptive control protocol templates. In: Proceedings of the USENIX Security Symposium, pp. 589\u2013604. USENIX, Washington, D.C. (2013)"},{"key":"17_CR27","unstructured":"Nelms, T., Perdisci, R., Antonakakis, M., Ahamad, M.: Webwitness: investigating, categorizing, and mitigating malware download paths. In: Proceedings of the USENIX Security Symposium, pp. 1025\u20131040. USENIX (2015)"},{"key":"17_CR28","unstructured":"NIST: Managing Information Security Risk. \n                      http:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-39.pdf\n                      \n                    , NIST Special Publication 800\u201339"},{"key":"17_CR29","unstructured":"Norman: Operation Hangover. \n                      http:\/\/enterprise-manage.norman.c.bitbit.net\/resources\/files\/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf\n                      \n                    . Accessed Feb 2017"},{"key":"17_CR30","doi-asserted-by":"crossref","unstructured":"Oprea, A., Li, Z., Yen, T.F., Chin, S.H., Alrwais, S.: Detection of early-stage enterprise infection by mining large-scale log data. In: Proceedings of the IEEE\/IFIP Int. Conf. on Dependable Systems and Networks, DSN 2015, pp. 45\u201356. IEEE Computer Society (2015)","DOI":"10.1109\/DSN.2015.14"},{"issue":"23\u201324","key":"17_CR31","doi-asserted-by":"publisher","first-page":"2435","DOI":"10.1016\/S1389-1286(99)00112-7","volume":"31","author":"V Paxson","year":"1999","unstructured":"Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23\u201324), 2435\u20132463 (1999)","journal-title":"Comput. 
Netw."},{"key":"17_CR32","first-page":"2825","volume":"12","author":"F Pedregosa","year":"2011","unstructured":"Pedregosa, F., Varoquaux, G., Gramfort, A., Michel, V., Thirion, B., Grisel, O., Blondel, M., Prettenhofer, P., Weiss, R., Dubourg, V., Vanderplas, J., Passos, A., Cournapeau, D., Brucher, M., Perrot, M., Duchesnay, E.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, 2825\u20132830 (2011)","journal-title":"J. Mach. Learn. Res."},{"issue":"2","key":"17_CR33","doi-asserted-by":"publisher","first-page":"487","DOI":"10.1016\/j.comnet.2012.06.022","volume":"57","author":"R Perdisci","year":"2013","unstructured":"Perdisci, R., Ariu, D., Giacinto, G.: Scalable fine-grained behavioral clustering of http-based malware. Comput. Netw. 57(2), 487\u2013500 (2013)","journal-title":"Comput. Netw."},{"key":"17_CR34","unstructured":"Proofpoint: Nettraveler apt targets russian, european interests. \n                      https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/nettraveler-apt-targets-russian-european-interests\n                      \n                    . Accessed Jan 2017"},{"key":"17_CR35","unstructured":"Fidelis Security: Looking at the Sky for a DarkComet. \n                      https:\/\/www.fidelissecurity.com\/sites\/default\/files\/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf\n                      \n                    . Accessed Feb 2017"},{"key":"17_CR36","unstructured":"SeleniumHQ: \n                      http:\/\/www.seleniumhq.org\n                      \n                    . Accessed Jan 2017"},{"key":"17_CR37","unstructured":"Symantec: Internet security threat report. Technical Report 21, Symantec, April 2016. \n                      https:\/\/www.symantec.com\/security-center\/threat-report"},{"key":"17_CR38","doi-asserted-by":"crossref","unstructured":"Tegeler, F., Fu, X., Vigna, G., Kruegel, C.: Botfinder: finding bots in network traffic without deep packet inspection. 
In: Proceedings of the International Conference on Emerging Networking Experiments and Technologies (CoNEXT), pp. 349\u2013360. ACM (2012)","DOI":"10.1145\/2413176.2413217"},{"key":"17_CR39","unstructured":"TrendMicro: The Taidoor Campaign. \n                      https:\/\/www.trendmicro.de\/cloud-content\/us\/pdfs\/security-intelligence\/white-papers\/wp_the_taidoor_campaign.pdf\n                      \n                    . Accessed Feb 2017"},{"key":"17_CR40","doi-asserted-by":"crossref","unstructured":"Vassio, L., Drago, I., Mellia, M.: Detecting user actions from HTTP traces: toward an automatic approach. In: International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 50\u201355 (2016)","DOI":"10.1109\/IWCMC.2016.7577032"},{"key":"17_CR41","unstructured":"W3C: Referer Policy. \n                      https:\/\/w3c.github.io\/webappsec-referrer-policy\n                      \n                    . Accessed Feb 2017"},{"key":"17_CR42","unstructured":"Xie, G., Iliofotou, M., Karagiannis, T., Faloutsos, M., Jin, Y.: Resurf: reconstructing web-surfing activity from network traffic. In: Proceedings of the International Conference on Networking, IFIP (2013)"},{"key":"17_CR43","doi-asserted-by":"crossref","unstructured":"Zhang, H., Banick, W., Yao, D., Ramakrishnan, N.: User intention-based traffic dependence analysis for anomaly detection. In: IEEE Symposium on Security and Privacy Workshops, pp. 
104\u2013112, May 2012","DOI":"10.1109\/SPW.2012.15"}],"container-title":["Lecture Notes in Computer Science","Detection of Intrusions and Malware, and Vulnerability Assessment"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-60876-1_17","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,5,20]],"date-time":"2019-05-20T02:26:41Z","timestamp":1558319201000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-60876-1_17"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017]]},"ISBN":["9783319608754","9783319608761"],"references-count":43,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-60876-1_17","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017]]},"assertion":[{"value":"4 June 2017","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"DIMVA","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Bonn","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Germany","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2017","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"6 July 
2017","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"7 July 2017","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"dimva2017","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/www.dimva.org\/dimva2017","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}