{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,6]],"date-time":"2026-06-06T16:34:40Z","timestamp":1780763680632,"version":"3.54.1"},"reference-count":36,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2016,7,20]],"date-time":"2016-07-20T00:00:00Z","timestamp":1468972800000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2017,10]]},"DOI":"10.1007\/s10207-016-0344-y","type":"journal-article","created":{"date-parts":[[2016,7,20]],"date-time":"2016-07-20T05:03:23Z","timestamp":1468991003000},"page":"475-490","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":52,"title":["Detecting zero-day attacks using context-aware anomaly detection at the application-layer"],"prefix":"10.1007","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6013-5642","authenticated-orcid":false,"given":"Patrick","family":"Duessel","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Christian","family":"Gehl","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Ulrich","family":"Flegel","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Sven","family":"Dietrich","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Michael","family":"Meier","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2016,7,20]]},"reference":[{"key":"344_CR1","unstructured":"Borisov, N., Brumley, D.J., Wang, H., Dunagan, J., Joshi, P., Guo, C.: Generic application-level protocol analyzer and its language. In: Proceedings of Network and Distributed System Security Symposium (NDSS) (2007)"},{"key":"344_CR2","doi-asserted-by":"crossref","unstructured":"Cretu, G., Stavrou, A., Locasto, M., Stolfo, S.J., Keromytis, A.D.: Casting out demons: sanitizing training data for anomaly sensors. In: ieeesp (2008)","DOI":"10.1109\/SP.2008.11"},{"key":"344_CR3","unstructured":"Cui, W., Kannan, J., Wang. H.J.: Discoverer: automatic protocol reverse engineering from network traces. In: SS\u201907: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, pp. 1\u201314 (2007)"},{"key":"344_CR4","unstructured":"Detristan, T., Ulenspiegel, T., Malcom, Y., Underduk, M.: Polymorphic shellcode engine using spectrum analysis. Phrack. 11(61) (2003)"},{"key":"344_CR5","doi-asserted-by":"crossref","unstructured":"D\u00fcssel, P., Gehl, C., Laskov, P., Rieck, K.: Incorporation of application layer protocol syntax into anomaly detection. In: ICISS, pp. 188\u2013202 (2008)","DOI":"10.1007\/978-3-540-89862-7_17"},{"key":"344_CR6","unstructured":"Folga, P., Sharif, M., Perdisci, R., Kolesnikov, O., Lee, W.: Polymorphic blending attacks. In: Proceedings of USENIX Security Symposium, pp. 241\u2013256 (2006)"},{"key":"344_CR7","doi-asserted-by":"crossref","unstructured":"Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for unix processes. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 120\u2013128. Oakland (1996)","DOI":"10.1109\/SECPRI.1996.502675"},{"key":"344_CR8","doi-asserted-by":"crossref","unstructured":"Gao, D., Reiter, M.K., Song, D.: Behavioral distance measurement using hidden markov models. In: Recent Adances in Intrusion Detection (RAID), pp. 19\u201340 (2006)","DOI":"10.1007\/11856214_2"},{"issue":"5","key":"344_CR9","doi-asserted-by":"crossref","first-page":"1239","DOI":"10.1016\/j.comnet.2006.09.016","volume":"51","author":"KL Ingham","year":"2007","unstructured":"Ingham, K.L., Somayaji, A., Burge, J., Forrest, S.: Learning DFA representations of HTTP for protecting web applications. Comput. Netw. 51(5), 1239\u20131255 (2007)","journal-title":"Comput. Netw."},{"key":"344_CR10","unstructured":"Kloft, M., Laskov, P.: Security analysis of online centroid anomaly detection. Technical report UCB\/EECS-2010-22. EECS Department, University of California, Berkeley (2010)"},{"key":"344_CR11","unstructured":"Kolesnikov, O., Dagon, D., Lee, W.: Advanced polymorphic worms: evading IDS by blending with normal traffic. In: Proceedings of USENIX Security Symposium (2004)"},{"key":"344_CR12","doi-asserted-by":"crossref","unstructured":"Kruegel, C., Vigna, G.: Anomaly detection of web-based attacks. In: Proceedings of 10th ACM Conference on Computer and Communications Security, pp. 251\u2013261 (2003)","DOI":"10.1145\/948109.948144"},{"key":"344_CR13","doi-asserted-by":"crossref","unstructured":"Kruegel, C., Toth, T., Kirda, E.: Service specific anomaly detection for network intrusion detection. In: Proceedings of ACM Symposium on Applied, Computing, pp. 201\u2013208 (2002)","DOI":"10.1145\/508791.508835"},{"issue":"5","key":"344_CR14","doi-asserted-by":"crossref","first-page":"717","DOI":"10.1016\/j.comnet.2005.01.009","volume":"48","author":"C Kruegel","year":"2005","unstructured":"Kruegel, C., Vigna, G., Robertson, W.: A multi-model approach to the detection of web-based attacks. Comput. Netw. 48(5), 717\u2013738 (2005)","journal-title":"Comput. Netw."},{"key":"344_CR15","doi-asserted-by":"crossref","first-page":"227","DOI":"10.1145\/382912.382914","volume":"3","author":"W Lee","year":"2000","unstructured":"Lee, W., Stolfo, S.J.: A framework for constructing features and models for intrusion detection systems. ACM Trans. Inf. Syst. Secur. 3, 227\u2013261 (2000)","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"344_CR16","first-page":"419","volume":"2","author":"H Lodhi","year":"2002","unstructured":"Lodhi, H., Saunders, C., Shawe-Taylor, J., Cristianini, N., Watkins, C.: Text classification using string kernels. J. Mach. Learn. Res. 2, 419\u2013444 (2002)","journal-title":"J. Mach. Learn. Res."},{"key":"344_CR17","doi-asserted-by":"crossref","unstructured":"Mahoney, M.V., Chan, P.K.: PHAD: packet header anomaly detection for identifying hostile network traffic. Technical Report CS-2001-2, Florida Institute of Technology (2001)","DOI":"10.1109\/ICDM.2003.1250987"},{"key":"344_CR18","doi-asserted-by":"crossref","unstructured":"Mahoney, M.V., Chan, P.K.: Learning nonstationary models of normal network traffic for detecting novel attacks. In: Proceedings of ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD), pp. 376\u2013385 (2002)","DOI":"10.1145\/775047.775102"},{"key":"344_CR19","doi-asserted-by":"crossref","unstructured":"Mahoney, M.V., Chan, P.K.: An analysis of the 1999 DARPA\/Lincoln Laboratory evaluation data for network anomaly detection. In: Giovanni V, Kruegel, Christopher, Erland J (eds) Recent Advances in Intrusion Detection. Springer, Berlin, Heidelberg, pp. 220\u2013237 (2003)","DOI":"10.1007\/978-3-540-45248-5_13"},{"issue":"2","key":"344_CR20","doi-asserted-by":"crossref","first-page":"181","DOI":"10.1109\/72.914517","volume":"12","author":"K-R M\u00fcller","year":"2001","unstructured":"M\u00fcller, K.-R., Mika, S., R\u00e4tsch, G., Tsuda, K., Sch\u00f6lkopf, B.: An introduction to kernel-based learning algorithms. IEEE Neural Netw. 12(2), 181\u2013201 (2001)","journal-title":"IEEE Neural Netw."},{"key":"344_CR21","doi-asserted-by":"crossref","unstructured":"Pang, R., Paxson, V., Sommer, R., Peterson, L.L.: binpac: A yacc for writing application protocol parsers. In: Proceedings of ACM Internet Measurement Conference, pp. 289\u2013300 (2006)","DOI":"10.1145\/1177080.1177119"},{"key":"344_CR22","doi-asserted-by":"crossref","unstructured":"Paxson, V.: Bro: a system for detecting network intruders in real-time. In: Proceedings of USENIX Security Symposium, pp. 31\u201351 (1998)","DOI":"10.1016\/S1389-1286(99)00112-7"},{"key":"344_CR23","unstructured":"Paxson, V.: The bro 0.8 user manual. Lawrence Berkeley National Laboratory and ICSI Center for Internet Research (2004)"},{"key":"344_CR24","doi-asserted-by":"crossref","unstructured":"Perdisci, R., Ariu, D., Fogla, P., Giacinto, G., Lee, W.: McPAD: a multiple classifier system for accurate payload-based anomaly detection. Comput. Netw. 53(6), 864\u2013881 (2009)","DOI":"10.1016\/j.comnet.2008.11.011"},{"key":"344_CR25","doi-asserted-by":"crossref","unstructured":"Rieck, K., Laskov, P.: Detecting unknown network attacks using language models. In: Detection of Intrusions and Malware, and Vulnerability Assessment, Proceedings of 3rd DIMVA Conference, LNCS, pp. 74\u201390 (2006)","DOI":"10.1007\/11790754_5"},{"key":"344_CR26","doi-asserted-by":"crossref","unstructured":"Rieck, K., Laskov, P.: Language models for detection of unknown attacks in network traffic. J. Comput. Virol. 2(4), 243\u2013256 (2007)","DOI":"10.1007\/s11416-006-0030-0"},{"key":"344_CR27","doi-asserted-by":"crossref","unstructured":"Rieck, K., Laskov, P.: Visualization and explanation of payload-based anomaly detection. In: Proceedings of European Conference on Computer Network Defense (EC2ND) (2009)","DOI":"10.1109\/EC2ND.2009.12"},{"key":"344_CR28","unstructured":"Roesch, M.: Snort: lightweight intrusion detection for networks. In: Proceedings of USENIX Large Installation System Administration Conference LISA, pp. 229\u2013238 (1999)"},{"key":"344_CR29","doi-asserted-by":"crossref","DOI":"10.1017\/CBO9780511809682","volume-title":"Kernel Methods for Pattern Analysis","author":"J Shawe-Taylor","year":"2004","unstructured":"Shawe-Taylor, J., Cristianini, N.: Kernel Methods for Pattern Analysis. Cambridge University Press, Cambridge (2004)"},{"key":"344_CR30","unstructured":"Song, Y., Keromytis, A.D., Stolfo, S.J.: Spectrogram: a mixture-of-markov-chains model for anomaly detection in web traffic. In: Proceedings of Network and Distributed System Security Symposium (NDSS) (2009)"},{"key":"344_CR31","unstructured":"Tax, D., Duin, R.: Data domain description by support vectors. In: Verleysen, M. (ed.) Proceedings ESANN, pp. 251\u2013256. D. Facto Press, Brussels (1999)"},{"key":"344_CR32","first-page":"113","volume-title":"Kernels and Bioinformatics","author":"SVN Vishwanathan","year":"2004","unstructured":"Vishwanathan, S.V.N., Smola, A.J.: Fast kernels for string and tree matching. In: Tsuda, K., Sch\u00f6lkopf, B., Vert, J.F. (eds.) Kernels and Bioinformatics, pp. 113\u2013130. MIT Press, Cambridge (2004)"},{"key":"344_CR33","doi-asserted-by":"crossref","unstructured":"Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. In: Recent Adances in Intrusion Detection (RAID), pp. 203\u2013222 (2004)","DOI":"10.1007\/978-3-540-30143-1_11"},{"key":"344_CR34","doi-asserted-by":"crossref","unstructured":"Wang, K., Parekh, J.J., Stolfo, S.J.: Anagram: a content anomaly detector resistant to mimicry attack. In: Recent Adances in Intrusion Detection (RAID), pp. 226\u2013248 (2006)","DOI":"10.1007\/11856214_12"},{"key":"344_CR35","unstructured":"Wireshark. Wireshark: network protocol analyzer. http:\/\/www.wireshark.org (2010)"},{"key":"344_CR36","unstructured":"Wondracek, G., Milani, C.P., Kruegel, C., Kirda, E.: Automatic network protocol analysis. In: 15th Symposium on Network and Distributed System Security (NDSS) (2008)"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s10207-016-0344-y\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-016-0344-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-016-0344-y","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-016-0344-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,9,24]],"date-time":"2020-09-24T04:00:47Z","timestamp":1600920047000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s10207-016-0344-y"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,7,20]]},"references-count":36,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2017,10]]}},"alternative-id":["344"],"URL":"https:\/\/doi.org\/10.1007\/s10207-016-0344-y","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2016,7,20]]}}}