{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,30]],"date-time":"2025-06-30T14:40:09Z","timestamp":1751294409590,"version":"3.41.0"},"publisher-location":"Cham","reference-count":39,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319751597"},{"type":"electronic","value":"9783319751603"}],"license":[{"start":{"date-parts":[[2018,1,1]],"date-time":"2018-01-01T00:00:00Z","timestamp":1514764800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018]]},"DOI":"10.1007\/978-3-319-75160-3_23","type":"book-chapter","created":{"date-parts":[[2018,2,3]],"date-time":"2018-02-03T03:37:15Z","timestamp":1517629035000},"page":"383-403","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["BotTokenizer: Exploring Network Tokens of HTTP-Based Botnet Using Malicious Network Traces"],"prefix":"10.1007","author":[{"given":"Biao","family":"Qi","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Zhixin","family":"Shi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yan","family":"Wang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jizhi","family":"Wang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Qiwen","family":"Wang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jianguo","family":"Jiang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2018,2,4]]},"reference":[{"key":"23_CR1","unstructured":"Antonakakis, M., Demar, J., Stevens, K., Dagon, D.: Unveiling the network criminal infrastructure of TDSS\/TDL4. Damballa Research Report 2012 (2012)"},{"key":"23_CR2","doi-asserted-by":"crossref","unstructured":"Chiba, D., Yagi, T., Akiyama, M., Aoki, K., Hariu, T., Goto, S.: BotProfiler: profiling variability of substrings in HTTP requests to detect malware-infected hosts. In: 2015 IEEE Trustcom\/BigDataSE\/ISPA, vol. 1, pp. 758\u2013765. IEEE (2015)","DOI":"10.1109\/Trustcom.2015.444"},{"key":"23_CR3","doi-asserted-by":"publisher","first-page":"100","DOI":"10.1016\/j.cose.2014.05.011","volume":"45","author":"S Garcia","year":"2014","unstructured":"Garcia, S., Grill, M., Stiborek, J., Zunino, A.: An empirical comparison of botnet detection methods. Comput. Secur. 45, 100\u2013123 (2014)","journal-title":"Comput. Secur."},{"key":"23_CR4","first-page":"8","volume":"7","author":"J Goebel","year":"2007","unstructured":"Goebel, J., Holz, T.: Rishi: identify bot contaminated hosts by IRC nickname evaluation. HotBots 7, 8\u20138 (2007)","journal-title":"HotBots"},{"key":"23_CR5","unstructured":"Goodman, N.: A survey of advances in botnet technologies. arXiv preprint arXiv:1702.01132 (2017)"},{"key":"23_CR6","unstructured":"Gu, G., Perdisci, R., Zhang, J., Lee, W., et al.: BotMiner: clustering analysis of network traffic for protocol-and structure-independent botnet detection. In: USENIX Security Symposium, vol. 5, pp. 139\u2013154 (2008)"},{"key":"23_CR7","doi-asserted-by":"crossref","unstructured":"Gu, G., Yegneswaran, V., Porras, P., Stoll, J., Lee, W.: Active botnet probing to identify obscure command and control channels. In: Annual Computer Security Applications Conference, ACSAC 2009, pp. 241\u2013253. IEEE (2009)","DOI":"10.1109\/ACSAC.2009.30"},{"key":"23_CR8","unstructured":"Gu, G., Zhang, J., Lee, W.: BotSniffer: detecting botnet command and control channels in network traffic (2008)"},{"key":"23_CR9","doi-asserted-by":"crossref","unstructured":"Han, X., Kheir, N., Balzarotti, D.: PhishEye: live monitoring of sandboxed phishing kits. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1402\u20131413. ACM (2016)","DOI":"10.1145\/2976749.2978330"},{"key":"23_CR10","doi-asserted-by":"crossref","unstructured":"Jang, J., Brumley, D., Venkataraman, S.: BitShred: feature hashing malware for scalable triage and semantic analysis. In: Proceedings of the 18th ACM Conference on Computer and Communications security, pp. 309\u2013320. ACM (2011)","DOI":"10.1145\/2046707.2046742"},{"key":"23_CR11","unstructured":"Kim, H.A., Karp, B.: Autograph: toward automated, distributed worm signature detection. In: USENIX Security Symposium, San Diego, CA, vol. 286 (2004)"},{"key":"23_CR12","unstructured":"Kirda, E., Kruegel, C., Banks, G., Vigna, G., Kemmerer, R.: Behavior-based spyware detection. In: USENIX Security, vol. 6 (2006)"},{"key":"23_CR13","doi-asserted-by":"crossref","unstructured":"Li, Z., Sanghi, M., Chen, Y., Kao, M.Y., Chavez, B.: Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience. In: 2006 IEEE Symposium on Security and Privacy, pp. 15. IEEE (2006)","DOI":"10.1109\/SP.2006.18"},{"issue":"3","key":"23_CR14","doi-asserted-by":"publisher","first-page":"502","DOI":"10.1016\/j.comcom.2010.04.007","volume":"34","author":"W Lu","year":"2011","unstructured":"Lu, W., Rammidi, G., Ghorbani, A.A.: Clustering botnet communication traffic based on n-gram feature selection. Comput. Commun. 34(3), 502\u2013514 (2011)","journal-title":"Comput. Commun."},{"key":"23_CR15","doi-asserted-by":"crossref","unstructured":"Ma, J., Saul, L.K., Savage, S., Voelker, G.M.: Identifying suspicious URLs: an application of large-scale online learning. In: Proceedings of the 26th Annual International Conference on Machine Learning, pp. 681\u2013688. ACM (2009)","DOI":"10.1145\/1553374.1553462"},{"key":"23_CR16","doi-asserted-by":"crossref","unstructured":"Malan, D.J., Smith, M.D.: Host-based detection of worms through peer-to-peer cooperation. In: Proceedings of the 2005 ACM Workshop on Rapid Malcode, pp. 72\u201380. ACM (2005)","DOI":"10.1145\/1103626.1103641"},{"key":"23_CR17","unstructured":"Nelms, T., Perdisci, R., Ahamad, M.: ExecScent: mining for new C&C domains in live networks with adaptive control protocol templates. In: USENIX Security, pp. 589\u2013604 (2013)"},{"key":"23_CR18","doi-asserted-by":"crossref","unstructured":"Newsome, J., Karp, B., Song, D.: Polygraph: automatically generating signatures for polymorphic worms. In: 2005 IEEE Symposium on Security and Privacy, pp. 226\u2013241. IEEE (2005)","DOI":"10.1109\/SP.2005.15"},{"issue":"2","key":"23_CR19","doi-asserted-by":"publisher","first-page":"487","DOI":"10.1016\/j.comnet.2012.06.022","volume":"57","author":"R Perdisci","year":"2013","unstructured":"Perdisci, R., Ariu, D., Giacinto, G.: Scalable fine-grained behavioral clustering of HTTP-based malware. Comput. Netw. 57(2), 487\u2013500 (2013)","journal-title":"Comput. Netw."},{"key":"23_CR20","unstructured":"Perdisci, R., Lee, W., Feamster, N.: Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In: NSDI, vol. 10, p. 14 (2010)"},{"key":"23_CR21","doi-asserted-by":"crossref","unstructured":"Perdisci, R., et al.: VAMO: towards a fully automated malware clustering validity analysis. In: Proceedings of the 28th Annual Computer Security Applications Conference, pp. 329\u2013338. ACM (2012)","DOI":"10.1145\/2420950.2420999"},{"key":"23_CR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"144","DOI":"10.1007\/978-3-642-41284-4_8","volume-title":"Research in Attacks, Intrusions, and Defenses","author":"MZ Rafique","year":"2013","unstructured":"Rafique, M.Z., Caballero, J.: FIRMA: malware clustering and network signature generation with mixed network behaviors. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds.) RAID 2013. LNCS, vol. 8145, pp. 144\u2013163. Springer, Heidelberg (2013). https:\/\/doi.org\/10.1007\/978-3-642-41284-4_8"},{"key":"23_CR23","doi-asserted-by":"crossref","unstructured":"Saad, S., Traore, I., Ghorbani, A., Sayed, B., Zhao, D., Lu, W., Felix, J., Hakimian, P.: Detecting P2P botnets through network behavior analysis and machine learning. In: 2011 Ninth Annual International Conference on Privacy, Security and Trust (PST), pp. 174\u2013180. IEEE (2011)","DOI":"10.1109\/PST.2011.5971980"},{"key":"23_CR24","doi-asserted-by":"crossref","unstructured":"Sakib, M.N., Huang, C.T.: Using anomaly detection based techniques to detect HTTP-based botnet C&C traffic. In: 2016 IEEE International Conference on Communications (ICC), pp. 1\u20136. IEEE (2016)","DOI":"10.1109\/ICC.2016.7510883"},{"key":"23_CR25","unstructured":"Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: OSDI, vol. 4, p. 4 (2004)"},{"key":"23_CR26","unstructured":"Small, S., Mason, J., Monrose, F., Provos, N., Stubblefield, A.: To catch a predator: a natural language approach for eliciting malicious payloads. In: USENIX Security Symposium, pp. 171\u2013184 (2008)"},{"key":"23_CR27","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"880","DOI":"10.1007\/978-3-540-45234-8_85","volume-title":"Field Programmable Logic and Application","author":"I Sourdis","year":"2003","unstructured":"Sourdis, I., Pnevmatikatos, D.: Fast, large-scale string match for a 10 Gbps FPGA-based network intrusion detection system. In: Y. K. Cheung, P., Constantinides, G.A. (eds.) FPL 2003. LNCS, vol. 2778, pp. 880\u2013889. Springer, Heidelberg (2003). https:\/\/doi.org\/10.1007\/978-3-540-45234-8_85"},{"issue":"2","key":"23_CR28","doi-asserted-by":"publisher","first-page":"15","DOI":"10.1109\/MSECP.2003.1193207","volume":"99","author":"L Spitzner","year":"2003","unstructured":"Spitzner, L.: The honeynet project: trapping the hackers. IEEE Secur. Priv. 99(2), 15\u201323 (2003)","journal-title":"IEEE Secur. Priv."},{"key":"23_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"227","DOI":"10.1007\/11663812_12","volume-title":"Recent Advances in Intrusion Detection","author":"K Wang","year":"2006","unstructured":"Wang, K., Cretu, G., Stolfo, S.J.: Anomalous payload-based worm detection and signature generation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 227\u2013246. Springer, Heidelberg (2006). https:\/\/doi.org\/10.1007\/11663812_12"},{"key":"23_CR30","doi-asserted-by":"crossref","unstructured":"Wang, X., Zheng, K., Niu, X., Wu, B., Wu, C.: Detection of command and control in advanced persistent threat based on independent access. In: 2016 IEEE International Conference on Communications (ICC), pp. 1\u20136. IEEE (2016)","DOI":"10.1109\/ICC.2016.7511197"},{"key":"23_CR31","doi-asserted-by":"crossref","unstructured":"Witten, I.H., Paynter, G.W., Frank, E., Gutwin, C., Nevill-Manning, C.G.: KEA: practical automatic keyphrase extraction. In: Proceedings of the Fourth ACM Conference on Digital Libraries, pp. 254\u2013255. ACM (1999)","DOI":"10.1145\/313238.313437"},{"key":"23_CR32","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"232","DOI":"10.1007\/978-3-642-04444-1_15","volume-title":"Computer Security \u2013 ESORICS 2009","author":"P Wurzinger","year":"2009","unstructured":"Wurzinger, P., Bilge, L., Holz, T., Goebel, J., Kruegel, C., Kirda, E.: Automatically generating models for botnet detection. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 232\u2013249. Springer, Heidelberg (2009). https:\/\/doi.org\/10.1007\/978-3-642-04444-1_15"},{"issue":"4","key":"23_CR33","doi-asserted-by":"publisher","first-page":"171","DOI":"10.1145\/1402946.1402979","volume":"38","author":"Y Xie","year":"2008","unstructured":"Xie, Y., Yu, F., Achan, K., Panigrahy, R., Hulten, G., Osipkov, I.: Spamming botnets: signatures and characteristics. ACM SIGCOMM Comput. Commun. Rev. 38(4), 171\u2013182 (2008)","journal-title":"ACM SIGCOMM Comput. Commun. Rev."},{"key":"23_CR34","doi-asserted-by":"crossref","unstructured":"Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E.: Panorama: capturing system-wide information flow for malware detection and analysis. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 116\u2013127. ACM (2007)","DOI":"10.1145\/1315245.1315261"},{"key":"23_CR35","doi-asserted-by":"crossref","unstructured":"Zand, A., Vigna, G., Yan, X., Kruegel, C.: Extracting probable command and control signatures for detecting botnets. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, pp. 1657\u20131662. ACM (2014)","DOI":"10.1145\/2554850.2554896"},{"key":"23_CR36","doi-asserted-by":"crossref","unstructured":"Zarras, A., Papadogiannakis, A., Gawlik, R., Holz, T.: Automated generation of models for fast and precise detection of http-based malware. In: 2014 Twelfth Annual International Conference on Privacy, Security and Trust (PST), pp. 249\u2013256. IEEE (2014)","DOI":"10.1109\/PST.2014.6890946"},{"key":"23_CR37","unstructured":"Zeidanloo, H.R., Manaf, A.B.A.: Botnet detection by monitoring similar communication patterns. arXiv preprint arXiv:1004.1232 (2010)"},{"key":"23_CR38","unstructured":"Zeng, Y., Hu, X., Shin, K.G.: Detection of botnets using combined host-and network-level information. In: 2010 IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 291\u2013300. IEEE (2010)"},{"key":"23_CR39","doi-asserted-by":"crossref","unstructured":"Zhang, J., Perdisci, R., Lee, W., Sarfraz, U., Luo, X.: Detecting stealthy P2P botnets using statistical traffic fingerprints. In: 2011 IEEE\/IFIP 41st International Conference on Dependable Systems & Networks (DSN), pp. 121\u2013132. IEEE (2011)","DOI":"10.1109\/DSN.2011.5958212"}],"container-title":["Lecture Notes in Computer Science","Information Security and Cryptology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-75160-3_23","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,30]],"date-time":"2025-06-30T14:03:50Z","timestamp":1751292230000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-319-75160-3_23"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018]]},"ISBN":["9783319751597","9783319751603"],"references-count":39,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-75160-3_23","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2018]]},"assertion":[{"value":"4 February 2018","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"Inscrypt","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Information Security and Cryptology","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Xi'an","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2017","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"3 November 2017","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"5 November 2017","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"13","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"cisc2017","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/www.inscrypt.cn\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}