{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,27]],"date-time":"2025-03-27T23:54:39Z","timestamp":1743119679969,"version":"3.40.3"},"publisher-location":"Singapore","reference-count":31,"publisher":"Springer Nature Singapore","isbn-type":[{"type":"print","value":"9789819712731"},{"type":"electronic","value":"9789819712748"}],"license":[{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2024,1,1]],"date-time":"2024-01-01T00:00:00Z","timestamp":1704067200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2024]]},"DOI":"10.1007\/978-981-97-1274-8_9","type":"book-chapter","created":{"date-parts":[[2024,3,12]],"date-time":"2024-03-12T19:20:02Z","timestamp":1710271202000},"page":"133-146","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Improving DNS Data Exfiltration Detection Through Temporal Analysis"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2947-486X","authenticated-orcid":false,"given":"Georgios","family":"Spathoulas","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9193-8517","authenticated-orcid":false,"given":"Marios","family":"Anagnostopoulos","sequence":"additional","affiliation":[]},{"given":"Konstantinos","family":"Papageorgiou","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1278-1943","authenticated-orcid":false,"given":"Georgios","family":"Kavallieratos","sequence":"additional","affiliation":[]},{"given":"Georgios","family":"Theodoridis","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,3,13]]},"reference":[{"issue":"12","key":"9_CR1","doi-asserted-by":"publisher","first-page":"12","DOI":"10.1016\/S1353-4858(19)30144-8","volume":"2019","author":"M Al-kasassbeh","year":"2019","unstructured":"Al-kasassbeh, M., Khairallah, T.: Winning tactics with DNS tunnelling. Netw. Secur. 2019(12), 12\u201319 (2019)","journal-title":"Netw. Secur."},{"key":"9_CR2","unstructured":"Alharbi, T., Koutny, M.: Domain name system (DNS) tunnelling detection using structured occurrence nets (SONs). In: Proceedings of the International Workshop on Petri Nets and Software Engineering (PNSE 2019) (2019)"},{"key":"9_CR3","doi-asserted-by":"crossref","unstructured":"Almusawi, A., Amintoosi, H.: DNS tunneling detection method based on multilabel support vector machine. Secur. Commun. Netw. 2018 (2018)","DOI":"10.1155\/2018\/6137098"},{"key":"9_CR4","doi-asserted-by":"crossref","unstructured":"Anagnostopoulos, M., Kambourakis, G., Konstantinou, E., Gritzalis, S.: DNSSEC vs. DNSCurve: a side-by-side comparison. In: Situational Awareness in Computer Network Defense: Principles, Methods and Applications, pp. 201\u2013220. IGI Global (2012)","DOI":"10.4018\/978-1-4666-0104-8.ch012"},{"key":"9_CR5","unstructured":"Born, K., Gustafson, D.: Detecting DNS tunnels using character frequency analysis. In: Proceedings of the 9th Annual Security Conference (2010)"},{"issue":"11","key":"9_CR6","first-page":"16","volume":"3","author":"Y Bubnov","year":"2018","unstructured":"Bubnov, Y.: DNS tunneling detection using feedforward neural network. Eur. J. Eng. Technol. Res. 3(11), 16\u201319 (2018)","journal-title":"Eur. J. Eng. Technol. Res."},{"key":"9_CR7","doi-asserted-by":"crossref","unstructured":"Buczak, A.L., Hanke, P.A., Cancro, G.J., Toma, M.K., Watkins, L.A., Chavis, J.S.: Detection of tunnels in PCAP data by random forests. In: Proceedings of the 11th Annual Cyber and Information Security Research Conference, pp. 1\u20134 (2016)","DOI":"10.1145\/2897795.2897804"},{"key":"9_CR8","doi-asserted-by":"crossref","unstructured":"Cejka, T., Rosa, Z., Kubatova, H.: Stream-wise detection of surreptitious traffic over DNS. In: 2014 IEEE 19th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), pp. 300\u2013304. IEEE (2014)","DOI":"10.1109\/CAMAD.2014.7033254"},{"key":"9_CR9","doi-asserted-by":"crossref","unstructured":"Das, A., Shen, M.Y., Shashanka, M., Wang, J.: Detection of exfiltration and tunneling over DNS. In: 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA), pp. 737\u2013742. IEEE (2017)","DOI":"10.1109\/ICMLA.2017.00-71"},{"key":"9_CR10","doi-asserted-by":"crossref","unstructured":"Dietrich, C.J., Rossow, C., Freiling, F.C., Bos, H., van Steen, M.V., Pohlmann, N.: On botnets that use DNS for command and control. In: 2011 Seventh European Conference on Computer Network Defense (EC2ND), pp. 9\u201316 (2011)","DOI":"10.1109\/EC2ND.2011.16"},{"key":"9_CR11","series-title":"LNEE","doi-asserted-by":"publisher","first-page":"221","DOI":"10.1007\/978-981-10-4154-9_26","volume-title":"ICISA 2017","author":"VT Do","year":"2017","unstructured":"Do, V.T., Engelstad, P., Feng, B., Van Do, T.: Detection of DNS tunneling in mobile networks using machine learning. In: Kim, K., Joukov, N. (eds.) ICISA 2017. LNEE, vol. 424, pp. 221\u2013230. Springer, Singapore (2017). https:\/\/doi.org\/10.1007\/978-981-10-4154-9_26"},{"key":"9_CR12","unstructured":"Farnham, G., Atlasis, A.: Detecting DNS tunneling. SANS Institute InfoSec Reading Room, vol. 9, pp. 1\u201332 (2013)"},{"key":"9_CR13","unstructured":"Hind, J.: Catching DNS tunnels with AI. In: Proceedings of DefCon, vol. 17 (2009)"},{"key":"9_CR14","doi-asserted-by":"publisher","DOI":"10.1201\/9780429329913","volume-title":"Botnets: Architectures, Countermeasures, and Challenges","author":"G Kambourakis","year":"2019","unstructured":"Kambourakis, G., Anagnostopoulos, M., Meng, W., Zhou, P.: Botnets: Architectures, Countermeasures, and Challenges. CRC Press, Boca Raton (2019)"},{"key":"9_CR15","doi-asserted-by":"crossref","unstructured":"Lai, C.M., Huang, B.C., Huang, S.Y., Mao, C.H., Lee, H.M.: Detection of DNS tunneling by feature-free mechanism. In: 2018 IEEE Conference on Dependable and Secure Computing (DSC), pp. 1\u20132. IEEE (2018)","DOI":"10.1109\/DESEC.2018.8625166"},{"key":"9_CR16","doi-asserted-by":"crossref","unstructured":"Lambion, D., Josten, M., Olumofin, F., De\u00a0Cock, M.: Malicious DNS tunneling detection in real-traffic DNS data. In: 2020 IEEE International Conference on Big Data (Big Data), pp. 5736\u20135738. IEEE (2020)","DOI":"10.1109\/BigData50022.2020.9378418"},{"key":"9_CR17","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103132","volume":"128","author":"J Liang","year":"2023","unstructured":"Liang, J., Wang, S., Zhao, S., Chen, S.: FECC: DNS tunnel detection model based on CNN and clustering. Comput. Secur. 128, 103132 (2023)","journal-title":"Comput. Secur."},{"key":"9_CR18","doi-asserted-by":"crossref","unstructured":"Liu, C., Dai, L., Cui, W., Lin, T.: A byte-level CNN method to detect DNS tunnels. In: 2019 IEEE 38th International Performance Computing and Communications Conference (IPCCC), pp. 1\u20138. IEEE (2019)","DOI":"10.1109\/IPCCC47392.2019.8958714"},{"key":"9_CR19","unstructured":"Mullaney, C.: Morto worm sets a (DNS) record. Technical report (2011). http:\/\/www.symantec.com\/connect\/blogs\/morto-worm-sets-dns-record"},{"key":"9_CR20","unstructured":"Nadler, A., Aminov, A., Shabtai, A.: Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol. CoRR abs\/1709.08395 (2017)"},{"key":"9_CR21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"280","DOI":"10.1007\/978-3-319-67380-6_26","volume-title":"Internet of Things, Smart Spaces, and Next Generation Networks and Systems","author":"V Nuojua","year":"2017","unstructured":"Nuojua, V., David, G., H\u00e4m\u00e4l\u00e4ainen, T.: DNS tunneling detection techniques - classification, and theoretical comparison in case of a real APT campaign. In: Galinina, O., Andreev, S., Balandin, S., Koucheryavy, Y. (eds.) Internet of Things, Smart Spaces, and Next Generation Networks and Systems. LNCS, vol. 10531, pp. 280\u2013291. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-67380-6_26"},{"key":"9_CR22","doi-asserted-by":"crossref","unstructured":"Preston, R.: DNS tunneling detection with supervised learning. In: 2019 IEEE International Symposium on Technologies for Homeland Security (HST), pp. 1\u20136. IEEE (2019)","DOI":"10.1109\/HST47167.2019.9032913"},{"key":"9_CR23","doi-asserted-by":"crossref","unstructured":"Sammour, M., Hussin, B., Othman, M.F.I., Doheir, M., AlShaikhdeeb, B., Talib, M.S.: DNS tunneling: a review on features. Int. J. Eng. Technol. 7(3.20), 1\u20135 (2018)","DOI":"10.14419\/ijet.v7i3.20.17266"},{"key":"9_CR24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"112","DOI":"10.1007\/978-3-319-64701-2_9","volume-title":"Network and System Security","author":"S Shafieian","year":"2017","unstructured":"Shafieian, S., Smith, D., Zulkernine, M.: Detecting DNS tunneling using ensemble learning. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds.) NSS 2017. LNCS, vol. 10394, pp. 112\u2013127. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-64701-2_9"},{"key":"9_CR25","unstructured":"Tatang, D., Quinkert, F., Dolecki, N., Holz, T.: A study of newly observed hostnames and DNS tunneling in the wild. arXiv preprint arXiv:1902.08454 (2019)"},{"key":"9_CR26","doi-asserted-by":"crossref","unstructured":"Tatang, D., Quinkert, F., Holz, T.: Below the radar: spotting DNS tunnels in newly observed hostnames in the wild. In: 2019 APWG Symposium on Electronic Crime Research (eCrime), pp. 1\u201315. IEEE (2019)","DOI":"10.1109\/eCrime47957.2019.9037595"},{"key":"9_CR27","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102818","volume":"120","author":"S Wang","year":"2022","unstructured":"Wang, S., Sun, L., Qin, S., Li, W., Liu, W.: KRTunnel: DNS channel detector for mobile devices. Comput. Secur. 120, 102818 (2022)","journal-title":"Comput. Secur."},{"key":"9_CR28","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2021.108322","volume":"197","author":"Y Wang","year":"2021","unstructured":"Wang, Y., Zhou, A., Liao, S., Zheng, R., Hu, R., Zhang, L.: A comprehensive survey on DNS tunnel detection. Comput. Netw. 197, 108322 (2021)","journal-title":"Comput. Netw."},{"issue":"3","key":"9_CR29","doi-asserted-by":"publisher","first-page":"143","DOI":"10.1109\/TDSC.2013.10","volume":"10","author":"K Xu","year":"2013","unstructured":"Xu, K., Butler, P., Saha, S., Yao, D.: DNS for massive-scale command and control. IEEE Trans. Dependable Secure Comput. 10(3), 143\u2013153 (2013)","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"9_CR30","doi-asserted-by":"crossref","unstructured":"Yu, B., Smith, L., Threefoot, M., Olumofin, F.G.: Behavior analysis based DNS tunneling detection and classification with big data technologies. In: IoTBD, pp. 284\u2013290 (2016)","DOI":"10.5220\/0005795002840290"},{"issue":"6","key":"9_CR31","doi-asserted-by":"publisher","first-page":"1865","DOI":"10.1007\/s10207-023-00723-w","volume":"22","author":"K \u017di\u017ea","year":"2023","unstructured":"\u017di\u017ea, K., Tadi\u0107, P., Vuleti\u0107, P.: DNS exfiltration detection in the presence of adversarial attacks and modified exfiltrator behaviour. Int. J. Inf. Secur. 22(6), 1865\u20131880 (2023)","journal-title":"Int. J. Inf. Secur."}],"container-title":["Communications in Computer and Information Science","Ubiquitous Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-981-97-1274-8_9","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,3,12]],"date-time":"2024-03-12T19:21:20Z","timestamp":1710271280000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-981-97-1274-8_9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024]]},"ISBN":["9789819712731","9789819712748"],"references-count":31,"URL":"https:\/\/doi.org\/10.1007\/978-981-97-1274-8_9","relation":{},"ISSN":["1865-0929","1865-0937"],"issn-type":[{"type":"print","value":"1865-0929"},{"type":"electronic","value":"1865-0937"}],"subject":[],"published":{"date-parts":[[2024]]},"assertion":[{"value":"13 March 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"UbiSec","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Ubiquitous Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Exeter","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"United Kingdom","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2023","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"1 November 2023","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"3 November 2023","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"ubisec2023","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/hpcn.exeter.ac.uk\/ubisec2023\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"MyReview","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"91","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"29","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"32% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"4","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"No","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}