{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,27]],"date-time":"2026-02-27T22:59:03Z","timestamp":1772233143901,"version":"3.50.1"},"publisher-location":"Cham","reference-count":30,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319673790","type":"print"},{"value":"9783319673806","type":"electronic"}],"license":[{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017]]},"DOI":"10.1007\/978-3-319-67380-6_26","type":"book-chapter","created":{"date-parts":[[2017,9,11]],"date-time":"2017-09-11T21:13:35Z","timestamp":1505164415000},"page":"280-291","source":"Crossref","is-referenced-by-count":9,"title":["DNS Tunneling Detection Techniques \u2013 Classification, and Theoretical Comparison in Case of a Real APT Campaign"],"prefix":"10.1007","author":[{"given":"Viivi","family":"Nuojua","sequence":"first","affiliation":[]},{"given":"Gil","family":"David","sequence":"additional","affiliation":[]},{"given":"Timo","family":"H\u00e4m\u00e4l\u00e4inen","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2017,9,13]]},"reference":[{"key":"26_CR1","unstructured":"Farnham, G., Atlasis, A.: Detecting DNS tunneling. SANS Institute InfoSec Reading Room, pp. 1\u201332 (2013)"},{"key":"26_CR2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"124","DOI":"10.1007\/978-3-642-38998-6_16","volume-title":"Emerging Management Mechanisms for the Future Internet","author":"W Ellens","year":"2013","unstructured":"Ellens, W., \u017buraniewski, P., Sperotto, A., Schotanus, H., Mandjes, M., Meeuwissen, E.: Flow-based detection of DNS tunnels. In: Doyen, G., Waldburger, M., \u010celeda, P., Sperotto, A., Stiller, B. (eds.) AIMS 2013. LNCS, vol. 7943, pp. 124\u2013135. Springer, Heidelberg (2013). doi:\n10.1007\/978-3-642-38998-6_16"},{"key":"26_CR3","unstructured":"Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. \nhttps:\/\/www.anomali.com\/blog\/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"},{"key":"26_CR4","unstructured":"New Wekby attacks use DNS requests as command and control mechanism (2016). \nhttp:\/\/researchcenter.paloaltonetworks.com\/2016\/05\/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism\/"},{"key":"26_CR5","unstructured":"Chinese cyber espionage APT group leveraging recently leaked hacking team exploits to target a financial services firm. \nhttps:\/\/www.zscaler.com\/blogs\/research\/chinese-cyber-espionage-apt-group-leveraging-recently-leaked-hacking-team-exploits-target-financial-services-firm"},{"key":"26_CR6","doi-asserted-by":"crossref","unstructured":"Karasaridis, A., Meier-Hellstern, K., Hoeflin, D.: NIS04-2: detection of DNS anomalies using flow data analysis. In: IEEE Global Telecommunications Conference, GLOBECOM 2006, pp. 1\u20136 (2006)","DOI":"10.1109\/GLOCOM.2006.280"},{"key":"26_CR7","unstructured":"Copeland III, J.A.: Flow-based detection of network intrusions (2007). \nhttp:\/\/www.google.com\/patents\/US7185368"},{"key":"26_CR8","volume-title":"Nonparametric Methods in Change Point Problems","author":"E Brodsky","year":"2013","unstructured":"Brodsky, E., Darkhovsky, B.S.: Nonparametric Methods in Change Point Problems. Springer Science & Business Media, Heidelberg (2013)"},{"key":"26_CR9","doi-asserted-by":"crossref","unstructured":"Marchal, S., Fran\u00e7ois, J., Wagner, C., State, R., Dulaunoy, A., Engel, T., Festor, O.: DNSSM: a large scale passive DNS security monitoring framework. In: 2012 IEEE Network Operations and Management Symposium (NOMS), pp. 988\u2013993. IEEE (2012)","DOI":"10.1109\/NOMS.2012.6212019"},{"key":"26_CR10","first-page":"100","volume":"28","author":"JA Hartigan","year":"1979","unstructured":"Hartigan, J.A., Wong, M.A.: Algorithm AS 136: a K-means clustering algorithm. J. R. Stat. Soc. Ser. C Appl. Stat. 28, 100\u2013108 (1979)","journal-title":"J. R. Stat. Soc. Ser. C Appl. Stat."},{"key":"26_CR11","doi-asserted-by":"crossref","unstructured":"Aiello, M., Mongelli, M., Papaleo, G.: Basic classifiers for DNS tunneling detection. In: 2013 IEEE Symposium on Computers and Communications (ISCC), pp. 880\u2013885 (2013)","DOI":"10.1109\/ISCC.2013.6755060"},{"key":"26_CR12","doi-asserted-by":"crossref","first-page":"1987","DOI":"10.1002\/dac.2836","volume":"28","author":"M Aiello","year":"2015","unstructured":"Aiello, M., Mongelli, M., Papaleo, G.: DNS tunneling detection through statistical fingerprints of protocol messages and machine learning. Int. J. Commun. Syst. 28, 1987\u20132002 (2015)","journal-title":"Int. J. Commun. Syst."},{"key":"26_CR13","unstructured":"HSC - Tools - Dns2tcp. \nhttp:\/\/www.hsc.fr\/ressources\/outils\/dns2tcp\/"},{"key":"26_CR14","doi-asserted-by":"crossref","unstructured":"Moore, A.W., Zuev, D.: Internet traffic classification using Bayesian analysis techniques. In: Proceedings of the 2005 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, pp. 50\u201360. ACM, New York (2005)","DOI":"10.1145\/1064212.1064220"},{"key":"26_CR15","doi-asserted-by":"crossref","first-page":"21","DOI":"10.1109\/TIT.1967.1053964","volume":"13","author":"T Cover","year":"1967","unstructured":"Cover, T., Hart, P.: Nearest neighbor pattern classification. IEEE Trans. Inf. Theory 13, 21\u201327 (1967)","journal-title":"IEEE Trans. Inf. Theory"},{"key":"26_CR16","volume-title":"Pattern Recognition and Neural Networks","author":"BD Ripley","year":"2007","unstructured":"Ripley, B.D.: Pattern Recognition and Neural Networks. Cambridge University Press, Cambridge (2007)"},{"key":"26_CR17","first-page":"273","volume":"20","author":"C Cortes","year":"1995","unstructured":"Cortes, C., Vapnik, V.: Support-vector networks. Mach. Learn. 20, 273\u2013297 (1995)","journal-title":"Mach. Learn."},{"key":"26_CR18","first-page":"85","volume":"5","author":"P Satam","year":"2015","unstructured":"Satam, P., Alipour, H., Al-Nashif, Y., Hariri, S.: Anomaly behavior analysis of DNS protocol. J. Internet Serv. Inf. Secur. JISIS 5, 85\u201397 (2015)","journal-title":"J. Internet Serv. Inf. Secur. JISIS"},{"key":"26_CR19","first-page":"123","volume":"24","author":"L Breiman","year":"1996","unstructured":"Breiman, L.: Bagging predictors. Mach. Learn. 24, 123\u2013140 (1996)","journal-title":"Mach. Learn."},{"key":"26_CR20","volume-title":"Principles of Data Mining","author":"M Bramer","year":"2007","unstructured":"Bramer, M.: Principles of Data Mining. Springer, London (2007)"},{"key":"26_CR21","unstructured":"Born, K., Gustafson, D.: Detecting DNS tunnels using character frequency analysis (2010). \narXiv:1004.4358\n\n[cs]"},{"key":"26_CR22","doi-asserted-by":"crossref","unstructured":"Born, K., Gustafson, D.: NgViz: detecting DNS tunnels through n-gram visualization and quantitative analysis. In: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, pp. 47:1\u201347:4. ACM, New York (2010)","DOI":"10.1145\/1852666.1852718"},{"key":"26_CR23","doi-asserted-by":"crossref","DOI":"10.4159\/harvard.9780674434929","volume-title":"Selected Studies of the Principle of Relative Frequencies of Language","author":"GK Zipf","year":"1932","unstructured":"Zipf, G.K.: Selected Studies of the Principle of Relative Frequencies of Language. Harvard University, Cambridge (1932)"},{"key":"26_CR24","unstructured":"kryo.se: iodine (IP-over-DNS, IPv4 over DNS tunnel). \nhttp:\/\/code.kryo.se\/iodine\/"},{"key":"26_CR25","unstructured":"TCP-over-DNS tunnel software HOWTO. \nhttp:\/\/analogbit.com\/2008\/07\/27\/tcp-over-dns-tunnel-software-howto\/"},{"key":"26_CR26","doi-asserted-by":"crossref","first-page":"852","DOI":"10.1016\/j.procs.2013.05.109","volume":"17","author":"C Qi","year":"2013","unstructured":"Qi, C., Chen, X., Xu, C., Shi, J., Liu, P.: A bigram based real time DNS tunnel detection approach. Procedia Comput. Sci. 17, 852\u2013860 (2013)","journal-title":"Procedia Comput. Sci."},{"key":"26_CR27","unstructured":"DNScat. \nhttp:\/\/tadek.pietraszek.org\/projects\/DNScat\/"},{"key":"26_CR28","doi-asserted-by":"crossref","unstructured":"Binsalleeh, H., Kara, A.M., Youssef, A., Debbabi, M.: Characterization of covert channels in DNS. In: 2014 6th International Conference on New Technologies, Mobility and Security (NTMS), pp. 1\u20135 (2014)","DOI":"10.1109\/NTMS.2014.6814008"},{"key":"26_CR29","doi-asserted-by":"crossref","unstructured":"Kara, A.M., Binsalleeh, H., Mannan, M., Youssef, A., Debbabi, M.: Detection of malicious payload distribution channels in DNS. In: 2014 IEEE International Conference on Communications (ICC), pp. 853\u2013858 (2014)","DOI":"10.1109\/ICC.2014.6883426"},{"key":"26_CR30","doi-asserted-by":"crossref","unstructured":"Cejka, T., Rosa, Z., Kubatova, H.: Stream-wise detection of surreptitious traffic over DNS. In: 2014 IEEE 19th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), pp. 300\u2013304 (2014)","DOI":"10.1109\/CAMAD.2014.7033254"}],"container-title":["Lecture Notes in Computer Science","Internet of Things, Smart Spaces, and Next Generation Networks and Systems"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-67380-6_26","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2017,10,3]],"date-time":"2017-10-03T03:55:27Z","timestamp":1507002927000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-67380-6_26"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017]]},"ISBN":["9783319673790","9783319673806"],"references-count":30,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-67380-6_26","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017]]}}}