{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,26]],"date-time":"2025-03-26T12:54:29Z","timestamp":1742993669634,"version":"3.40.3"},"publisher-location":"Singapore","reference-count":13,"publisher":"Springer Singapore","isbn-type":[{"type":"print","value":"9789813349216"},{"type":"electronic","value":"9789813349223"}],"license":[{"start":{"date-parts":[[2020,1,1]],"date-time":"2020-01-01T00:00:00Z","timestamp":1577836800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,1,19]],"date-time":"2021-01-19T00:00:00Z","timestamp":1611014400000},"content-version":"vor","delay-in-days":384,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>In recent years, a large number of users have continuously suffered from DDoS attacks. DDoS attack volume is on the rise, and the scale of botnets is also growing. Many security organizations have begun to use data-driven approaches to investigate the gangs and groups behind DDoS attack behaviors, trying to unveil the facts and intentions of DDoS gangs. In this paper, DDoSAGD, a DDoS Attack Group Discovery framework, is proposed to support gang recognition and situation awareness. A heterogeneous graph is constructed from botnet control messages and related threat intelligence data, and a meta path-based similarity measure is defined to calculate the relevance between C2 servers. Then two graph mining measures are combined to build a hierarchical attack group discovery workflow, which outputs attack groups with both behavior-based similarity and evidence-based relevance. Finally, the experimental results demonstrate that the designed models are promising for the recognition of attack groups, and the evolution process of different attack groups is also illustrated.<\/jats:p>","DOI":"10.1007\/978-981-33-4922-3_8","type":"book-chapter","created":{"date-parts":[[2021,1,18]],"date-time":"2021-01-18T11:21:04Z","timestamp":1610968864000},"page":"97-114","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Practical DDoS Attack Group Discovery and Tracking with Complex Graph-Based Network"],"prefix":"10.1007","author":[{"given":"Yu","family":"Rao","sequence":"first","affiliation":[]},{"given":"Weixin","family":"Liu","sequence":"additional","affiliation":[]},{"given":"Tian","family":"Zhu","sequence":"additional","affiliation":[]},{"given":"Hanbin","family":"Yan","sequence":"additional","affiliation":[]},{"given":"Hao","family":"Zhou","sequence":"additional","affiliation":[]},{"given":"Jinghua","family":"Bai","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,1,19]]},"reference":[{"key":"8_CR1","unstructured":"NSFOCUS. DDoS Attack Landscape, pp. 3\u20136. NSFOCUS, Beijing (2019). https:\/\/nsfocusglobal.com\/2019-ddos-attack-landscape-report"},{"key":"8_CR2","unstructured":"CNCERT\/CC. Analysis report of active DDoS attack gang in 2018, p. 3. CNCERT\/CC, Guangzhou (2019). https:\/\/www.cert.org.cn\/publish\/main\/upload\/File\/20190131.pdf"},{"key":"8_CR3","unstructured":"CNCERT\/CC. Analysis report on website attack situation and \u201cattack Gang\u201d mining in 2018, pp. 21\u201338. CNCERT\/CC, Guangzhou (2019). https:\/\/www.cert.org.cn\/publish\/main\/upload\/File\/2018threats.pdf"},{"key":"8_CR4","unstructured":"Yang, H., Sun, X., Zhao, R.: Behavior Analysis of IP Chain-Gangs, pp. 7\u201322. NSFOCUS, Beijing (2018). https:\/\/nti.nsfocusglobal.com\/pdf\/Behavior_Analysis_of_IP_Chain_Gangs.pdf"},{"key":"8_CR5","unstructured":"Zhu, T., Yan, H., Zhu, L.: DDoS attack gang analysis method based on network attack accompanying behavior: China, cn108173884a (2018)"},{"key":"8_CR6","unstructured":"Wang, Q., Zhou, H., Yan, H., Mei, R., Han, Z.: Network security situation analysis based on malicious code propagation log. J. Inf. Secur. 4(05), 14\u201324 (2019)"},{"key":"8_CR7","volume-title":"Detection of IP Gangs: Strategically Organized Bots","author":"T Zhao","year":"2018","unstructured":"Zhao, T., Qiu, X.: Detection of IP Gangs: Strategically Organized Bots. Springer, New York (2018)"},{"key":"8_CR8","doi-asserted-by":"crossref","unstructured":"Santanna, J.J., De Schmidt, R.O., Tuncer, D., et al.: Booter blacklist: unveiling DDoS-for-hire websites. In: 2016 12th International Conference on Network and Service Management (CNSM), Montreal, QC, pp. 144\u2013152 (2016)","DOI":"10.1109\/CNSM.2016.7818410"},{"key":"8_CR9","doi-asserted-by":"crossref","unstructured":"Blondel, V.D., et al.: Fast unfolding of communities in large networks. J. Stat. Mech.: Theory Exp. 10(2008), P10008 (2008)","DOI":"10.1088\/1742-5468\/2008\/10\/P10008"},{"key":"8_CR10","unstructured":"Shapiro, L.G.: Connected component labeling and adjacency graph construction. Mach. Intell. Pattern Recogn. 19(19), 1\u201330 (1996)"},{"key":"8_CR11","unstructured":"https:\/\/blogs.cisco.com\/security\/talos\/sshpsychos"},{"key":"8_CR12","unstructured":"https:\/\/mp.weixin.qq.com\/s\/jPA0lCbSi_JLkEn3WoMH7Q"},{"key":"8_CR13","unstructured":"https:\/\/blog.malwaremustdie.org\/2015\/07\/mmd-0037-2015-bad-shellshock.html"}],"container-title":["Communications in Computer and Information Science","Cyber Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-981-33-4922-3_8","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,1,18]],"date-time":"2021-01-18T11:37:43Z","timestamp":1610969863000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-981-33-4922-3_8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020]]},"ISBN":["9789813349216","9789813349223"],"references-count":13,"URL":"https:\/\/doi.org\/10.1007\/978-981-33-4922-3_8","relation":{},"ISSN":["1865-0929","1865-0937"],"issn-type":[{"type":"print","value":"1865-0929"},{"type":"electronic","value":"1865-0937"}],"subject":[],"published":{"date-parts":[[2020]]},"assertion":[{"value":"19 January 2021","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"CNCERT","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China Cyber Security Annual Conference","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Beijing","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2020","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"12 August 2020","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"12 August 2020","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"17","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"cncert2020","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/conf.cert.org.cn","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}
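The abstract above describes the DDoSAGD pipeline only at a high level: a heterogeneous graph of C2 servers, bots, targets and threat-intel labels, a meta path-based similarity between C2 servers, and a hierarchical grouping step that combines two graph mining measures. The following is an added, self-contained illustration of that kind of workflow; it is not the chapter's own code, and the paper's actual meta paths, weights, thresholds and grouping criteria are not given in this record. It assumes a PathSim-style score for symmetric meta paths of the form C2 -> X -> C2 (shared bots, shared targets, shared malware family), a weighted sum of those scores, and connected-component labeling (reference 8_CR10) applied at successively looser thresholds to produce a coarse-to-fine group hierarchy. The Louvain community step (reference 8_CR9) is not reproduced. Observation tuples, node names, weights and thresholds are constructed for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample observations (not from the paper). Each tuple records
# that a C2 server was linked to a neighbour of a given node type: "bot"
# and "target" come from botnet control messages, "family" from threat intel.
OBSERVATIONS = [
    ("c2-a", "bot", "10.0.0.1"), ("c2-a", "bot", "10.0.0.2"), ("c2-a", "bot", "10.0.0.3"),
    ("c2-b", "bot", "10.0.0.2"), ("c2-b", "bot", "10.0.0.3"), ("c2-b", "bot", "10.0.0.4"),
    ("c2-a", "target", "203.0.113.10"),
    ("c2-b", "target", "203.0.113.10"), ("c2-b", "target", "203.0.113.11"),
    ("c2-c", "target", "203.0.113.11"), ("c2-c", "target", "203.0.113.12"),
    ("c2-c", "bot", "10.0.1.1"),
    ("c2-d", "bot", "10.0.2.1"), ("c2-d", "target", "198.51.100.5"),
    ("c2-c", "family", "xor-ddos"), ("c2-d", "family", "xor-ddos"),
    ("c2-a", "family", "mirai"), ("c2-b", "family", "mirai"),
]

# Assumed meta-path weights: shared bots are strong evidence, shared targets
# are behavioural, a shared family label is weaker corroboration.
WEIGHTS = {"bot": 0.5, "target": 0.3, "family": 0.2}


def build_graph(observations):
    """graph[node_type][c2] -> set of neighbour ids of that type."""
    graph = defaultdict(lambda: defaultdict(set))
    for c2, ntype, node in observations:
        graph[ntype][c2].add(node)
    return graph


def pathsim(graph, ntype, x, y):
    """PathSim for the symmetric meta path C2 -> ntype -> C2.

    The number of path instances between x and y is the number of shared
    neighbours of that type; x -> x instances equal x's degree. The score is
    2 * shared / (deg(x) + deg(y)), so a C2 with no neighbours scores 0.
    """
    nbrs_x = graph[ntype].get(x, set())
    nbrs_y = graph[ntype].get(y, set())
    if not nbrs_x or not nbrs_y:
        return 0.0
    return 2 * len(nbrs_x & nbrs_y) / (len(nbrs_x) + len(nbrs_y))


def combined_similarity(graph, x, y, weights):
    """Weighted sum of per-meta-path PathSim scores."""
    return sum(w * pathsim(graph, t, x, y) for t, w in weights.items())


def connected_components(nodes, edges):
    """Union-find connected component labeling; returns sorted list of sets."""
    parent = {n: n for n in nodes}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for a, b in edges:
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for n in nodes:
        groups[find(n)].add(n)
    return sorted(groups.values(), key=lambda s: sorted(s))


def hierarchical_groups(observations, weights, thresholds):
    """Group C2 servers at each threshold, tightest first.

    Each level is a partition of the C2 set: a tight threshold yields
    high-confidence cores, looser thresholds attach C2s that share only
    weaker evidence, giving a coarse-to-fine hierarchy of attack groups.
    """
    graph = build_graph(observations)
    c2s = sorted({c2 for c2, _, _ in observations})
    scores = {pair: combined_similarity(graph, *pair, weights)
              for pair in combinations(c2s, 2)}
    levels = []
    for t in thresholds:
        edges = [pair for pair, s in scores.items() if s >= t]
        levels.append(connected_components(c2s, edges))
    return levels


if __name__ == "__main__":
    for t, groups in zip([0.5, 0.2], hierarchical_groups(OBSERVATIONS, WEIGHTS, [0.5, 0.2])):
        print(f"threshold {t}: {[sorted(g) for g in groups]}")
```

In the sample data c2-a and c2-b share two bots, a target and a family label and are merged at the strict threshold; c2-c and c2-d share only a family tag and join at the looser level. Before trusting a merge in practice, check which meta path carried it: shared bot IPs behind a NAT or a shared commodity malware family are much weaker evidence than a shared, unusual target list or overlapping command sequences.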