{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,11]],"date-time":"2026-05-11T14:04:57Z","timestamp":1778508297936,"version":"3.51.4"},"reference-count":28,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2016,5,21]],"date-time":"2016-05-21T00:00:00Z","timestamp":1463788800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2017,4]]},"DOI":"10.1007\/s10207-016-0331-3","type":"journal-article","created":{"date-parts":[[2016,5,23]],"date-time":"2016-05-23T10:34:17Z","timestamp":1463999657000},"page":"115-132","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":28,"title":["A method for identifying compromised clients based on DNS traffic analysis"],"prefix":"10.1007","volume":"16","author":[{"given":"Matija","family":"Stevanovic","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jens Myrup","family":"Pedersen","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Alessandro","family":"D\u2019Alconzo","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Stefan","family":"Ruehrup","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2016,5,21]]},"reference":[{"key":"331_CR1","unstructured":"Amazon Inc: Alexa\u2014the list of the most popular domains. http:\/\/s3.amazonaws.com\/alexa-static\/top-1m.csv.zip (2015)"},{"key":"331_CR2","unstructured":"Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., Feamster, N.: Building a dynamic reputation system for DNS. In: USENIX Security Symposium, pp. 273\u2013290, (2010)"},{"key":"331_CR3","unstructured":"Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou, II N., Dagon, D.: Detecting malware domains at the upper DNS hierarchy. In: USENIX Security Symposium, (2011)"},{"key":"331_CR4","unstructured":"Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou II, N., Abu-Nimeh, S., Lee, W., Dagon, D.: From throw-away traffic to bots: detecting the rise of DGA-based malware. In: USENIX Security Symposium, pp. 491\u2013506, (2012)"},{"key":"331_CR5","unstructured":"Berger, A.: Pydnsmap. https:\/\/github.com\/anderasberger\/pydnsmap (2014)"},{"key":"331_CR6","doi-asserted-by":"crossref","first-page":"28","DOI":"10.1016\/j.comnet.2016.02.009","volume":"100","author":"A Berger","year":"2016","unstructured":"Berger, A., D\u2019Alconzo, A., Gansterer, W.N., Pescap\u00e9, A.: Mining agile DNS traffic using graph analysis for cybercrime detection. Comput. Netw. 100, 28\u201344 (2016)","journal-title":"Comput. Netw."},{"issue":"4","key":"331_CR7","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1145\/2584679","volume":"16","author":"L Bilge","year":"2014","unstructured":"Bilge, L., Sen, S., Balzarotti, D., Kirda, E., Kruegel, C.: Exposure: a passive DNS analysis service to detect and report malicious domains. ACM Trans. Inf. Syst. Secur. (TISSEC) 16(4), 14 (2014)","journal-title":"ACM Trans. Inf. Syst. Secur. (TISSEC)"},{"issue":"1","key":"331_CR8","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1023\/A:1010933404324","volume":"45","author":"L Breiman","year":"2001","unstructured":"Breiman, L.: Random forests. Mach. Learn. 45(1), 5\u201332 (2001)","journal-title":"Mach. Learn."},{"issue":"1","key":"331_CR9","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1016\/j.comnet.2011.07.018","volume":"56","author":"H Choi","year":"2012","unstructured":"Choi, H., Lee, H.: Identifying botnets by capturing group activities in DNS traffic. Comput. Netw. 56(1), 20\u201333 (2012)","journal-title":"Comput. Netw."},{"key":"331_CR10","unstructured":"Damballa Inc: Top-10 TLDs abused by botnets for CNC. https:\/\/www.damballa.com\/top-10-tlds-abused-by-botnets-for-cnc\/ (2009)"},{"issue":"1","key":"331_CR11","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1145\/1656274.1656278","volume":"11","author":"M Hall","year":"2009","unstructured":"Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., Witten, I.H.: The weka data mining software: an update. SIGKDD Explor. Newsl. 11(1), 10\u201318 (2009)","journal-title":"SIGKDD Explor. Newsl."},{"key":"331_CR12","unstructured":"Holz, T., Gorecki, C., Rieck, K., Freiling, F.C.: Measuring and detecting fast-flux service networks. In: NDSS, (2008)"},{"key":"331_CR13","unstructured":"Kay, B., Greve, P.: Mapping the Mal Web. Tech. Rep., McAfee, Inc. http:\/\/promos.mcafee.com\/en-US\/PDF\/MTMW_Report (2011)"},{"key":"331_CR14","doi-asserted-by":"crossref","unstructured":"Knysz, M., Hu, X., Shin, K.G.: Good guys vs. bot guise: mimicry attacks against fast-flux detection systems. In: INFOCOM, 2011 Proceedings IEEE, IEEE, pp. 1844\u20131852, (2011)","DOI":"10.1109\/INFCOM.2011.5934985"},{"key":"331_CR15","unstructured":"Luo, P., Torres, R., Zhang, Z.L., Saha, S., Lee, S.J., Nuccim, A., Mellia, M.: Leveraging client-side DNS failure patterns to identify malicious behaviors. In: IEEE Conference on Communications and Network Security (CNS), 2015, IEEE, pp. 406\u2013414, (2015)"},{"key":"331_CR16","unstructured":"MaxMind Inc: Databases of AS numbers. ( 2015a)"},{"key":"331_CR17","unstructured":"MaxMind Inc: Databases of cities. geolite.maxmind.com\/download\/geoip\/database\/GeoLite2-City.mmdb.gz"},{"key":"331_CR18","doi-asserted-by":"crossref","unstructured":"Mockapetris, P.: Domain names\u2014implementation and specifications. RFC 1035, RFC Editor. https:\/\/tools.ietf.org\/rfc\/rfc1035.txt (1987)","DOI":"10.17487\/rfc1035"},{"key":"331_CR19","doi-asserted-by":"crossref","unstructured":"Nazario, J., Holz, T.: As the net churns: fast-flux botnet observations. In: 3rd International Conference on Malicious and Unwanted Software, 2008. MALWARE 2008, IEEE, pp. 24\u201331, (2008)","DOI":"10.1109\/MALWARE.2008.4690854"},{"key":"331_CR20","unstructured":"NoVirusThanks Company Srl: Ipvoid\u2014IP address blacklist checker tool. http:\/\/www.ipvoid.com (2014a)"},{"key":"331_CR21","unstructured":"NoVirusThanks Company Srl: Urlvoid\u2014website reputation checker tool. http:\/\/www.urlvoid.com (2014b)"},{"issue":"5","key":"331_CR22","first-page":"714","volume":"9","author":"R Perdisci","year":"2012","unstructured":"Perdisci, R., Corona, I., Giacinto, G.: Early detection of malicious flux networks via large-scale passive dns traffic analysis. IEEE Trans. Depend. Secure Comput. 9(5), 714\u2013726 (2012)","journal-title":"IEEE Trans. Depend. Secure Comput."},{"key":"331_CR23","doi-asserted-by":"crossref","unstructured":"Schiavoni, S., Maggi, F., Cavallaro, L., Zanero, S.: Phoenix: DGA-based botnet tracking and intelligence. In: Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 192\u2013211. Springer, Switzerland (2014)","DOI":"10.1007\/978-3-319-08509-8_11"},{"key":"331_CR24","doi-asserted-by":"crossref","first-page":"15","DOI":"10.1016\/j.diin.2014.11.001","volume":"12","author":"R Sharifnya","year":"2015","unstructured":"Sharifnya, R., Abadi, M.: DFBotkiller: domain-flux botnet detection based on the history of group activities and failures in DNS traffic. Digit. Investig. 12, 15\u201326 (2015)","journal-title":"Digit. Investig."},{"key":"331_CR25","doi-asserted-by":"publisher","first-page":"142","DOI":"10.1016\/j.cose.2015.09.004","volume":"55","author":"M Stevanovic","year":"2015","unstructured":"Stevanovic, M., Pedersen, J.M., D\u2019Alconzo, A., Ruehrup, S., Berger, A.: On the ground truth problem of malicious DNS traffic analysis. Comput. Secur. 55, 142\u2013158 (2015). doi: 10.1016\/j.cose.2015.09.004","journal-title":"Comput. Secur."},{"key":"331_CR26","unstructured":"Van\u00a0Leijenhorst, T., Chin, K.W., Lowe, D.: On the viability and performance of DNS tunneling. In: Proceedings of the International Conference on Information Technology and Applications, (2008)"},{"key":"331_CR27","doi-asserted-by":"crossref","unstructured":"Yadav, S., Reddy, A.K.K., Reddy, A., Ranjan, S.: Detecting algorithmically generated malicious domain names. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, ACM, pp. 48\u201361, (2010)","DOI":"10.1145\/1879141.1879148"},{"key":"331_CR28","unstructured":"Yan, P.: How likely is a domain to be malicious? Here\u2019s a look at the stats and graphs that help us decide. https:\/\/labs.opendns.com\/2013\/01\/08\/ (2013)"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-016-0331-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s10207-016-0331-3\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-016-0331-3","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-016-0331-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,9,8]],"date-time":"2019-09-08T15:12:15Z","timestamp":1567955535000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s10207-016-0331-3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,5,21]]},"references-count":28,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2017,4]]}},"alternative-id":["331"],"URL":"https:\/\/doi.org\/10.1007\/s10207-016-0331-3","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2016,5,21]]}}}