{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,29]],"date-time":"2025-10-29T03:19:56Z","timestamp":1761707996212,"version":"3.32.0"},"reference-count":69,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2006,12,19]],"date-time":"2006-12-19T00:00:00Z","timestamp":1166486400000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["J Comput Virol"],"published-print":{"date-parts":[[2007,2,7]]},"DOI":"10.1007\/s11416-006-0030-0","type":"journal-article","created":{"date-parts":[[2006,12,18]],"date-time":"2006-12-18T12:47:00Z","timestamp":1166446020000},"page":"243-256","source":"Crossref","is-referenced-by-count":58,"title":["Language models for detection of unknown attacks in network traffic"],"prefix":"10.1007","volume":"2","author":[{"given":"Konrad","family":"Rieck","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Pavel","family":"Laskov","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2006,12,19]]},"reference":[{"unstructured":"Staniford, S., Paxson, V., Weaver, N.: How to own the internet in your spare time. In: Proceedings of USENIX Security Symposium (2002)","key":"30_CR1"},{"issue":"4","key":"30_CR2","first-page":"46","volume":"2","author":"C. Shannon","year":"2004","unstructured":"Shannon C. and Moore D. (2004). The spread of the Witty worm. IEEE Sec. Priv. 2(4): 46\u201350","journal-title":"Priv."},{"issue":"4","key":"30_CR3","first-page":"33","volume":"1","author":"D. Moore","year":"2003","unstructured":"Moore D., Paxson V., Savage S., Shannon C., Staniford S. and Weaver N. (2003). Inside the Slammer worm. IEEE Sec. Priv. 1(4): 33\u201339","journal-title":"Priv."},{"unstructured":"CERT: Advisory CA-2001\u201321: Buffer overflow in telnetd. CERT Coordination Center (2001)","key":"30_CR4"},{"unstructured":"CERT: Advisory CA-2002\u201328: Openssh vulnerabilities in challenge response handling. CERT Coordination Center (2002)","key":"30_CR5"},{"doi-asserted-by":"crossref","unstructured":"Mahoney, M., Chan, P.: PHAD: packet header anomaly detection for identifying hostile network traffic. Technical Report CS-2001\u20132, Florida Institute of Technology (2001)","key":"30_CR6","DOI":"10.1109\/ICDM.2003.1250987"},{"doi-asserted-by":"crossref","unstructured":"Mahoney, V., Chan, K.P.: Learning rules for anomaly detection of hostile network traffic. In: Proceedings of International Conference on Data Mining (ICDM) (2003)","key":"30_CR7","DOI":"10.1109\/ICDM.2003.1250987"},{"doi-asserted-by":"crossref","unstructured":"Kruegel, C., Toth, T., Kirda, E.: Service specific anomaly detection for network intrusion detection. In: Proceedings of ACM Symposium on Applied Computing, 201\u2013208 (2002)","key":"30_CR8","DOI":"10.1145\/508832.508835"},{"doi-asserted-by":"crossref","unstructured":"Eskin, E., Arnold, A., Prerau, M., Portnoy, L., Stolfo, S.: A geometric framework for unsupervised anomaly detection: detecting intrusions in unlabeled data. In: Applications of Data Mining in Computer Security. Kluwer, Dordrecht (2002)","key":"30_CR9","DOI":"10.1007\/978-1-4615-0953-0_4"},{"doi-asserted-by":"crossref","unstructured":"Mahoney, M., Chan, P.: An analysis of the 1999 DARPA\/Lincoln Laboratory evaluation data for network anomaly detection. In: Recent Adances in Intrusion Detection (RAID), 220\u2013237 (2004)","key":"30_CR10","DOI":"10.1007\/978-3-540-45248-5_13"},{"unstructured":"Vargiya, R., Chan, P.: Boundary detection in tokenizing netwok application payload for anomaly detection. In: Proceedings of ICDM Workshop on Data Mining for Computer Security, 50\u201359 (2003)","key":"30_CR11"},{"doi-asserted-by":"crossref","unstructured":"Kruegel, C., Vigna, G.: Anomaly detection of web-based attacks. In: Proceedings of 10th ACM Conference on Computer and Communications Security, 251\u2013261 (2003)","key":"30_CR12","DOI":"10.1145\/948109.948144"},{"doi-asserted-by":"crossref","unstructured":"Wang, K., Stolfo, S.: Anomalous payload-based network intrusion detection. In: Recent Adances in Intrusion Detection (RAID), 203\u2013222 (2004)","key":"30_CR13","DOI":"10.1007\/978-3-540-30143-1_11"},{"key":"30_CR14","first-page":"227","volume":"3","author":"W. Lee","year":"2001","unstructured":"Lee W. and Stolfo S.J. (2001). A framework for constructing features and models for intrusion detection systems. ACM Trans. Inform. Syst. Sec. 3: 227\u2013261","journal-title":"Inform. Syst. Sec."},{"doi-asserted-by":"crossref","unstructured":"Mahoney, M., Chan, P.: Learning models of network traffic for detecting novel attacks. Technical Report CS-2002\u20138, Florida Institute of Technology (2002)","key":"30_CR15","DOI":"10.1145\/775094.775102"},{"doi-asserted-by":"crossref","unstructured":"Mahoney, M.: Network traffic anomaly detection based on packet bytes. In: Proceedings of ACM Symposium on Applied Computing, 346\u2013350 (2003)","key":"30_CR16","DOI":"10.1145\/952532.952601"},{"doi-asserted-by":"crossref","unstructured":"Zanero, S., Savaresi, S.M.: Unsupervised learning techniques for an intrusion detection system. In: Proceedings of ACM Symposium on Applied Computing (2004)","key":"30_CR17","DOI":"10.1145\/967900.967988"},{"doi-asserted-by":"crossref","unstructured":"Wang, K., Cretu, G., Stolfo, S.: Anomalous payload-based worm detection and signature generation. In: Recent Adances in Intrusion Detection (RAID) (2005)","key":"30_CR18","DOI":"10.1007\/11663812_12"},{"doi-asserted-by":"crossref","unstructured":"Forrest, S., Hofmeyr, S., Somayaji, A., Longstaff, T.: A sense of self for unix processes. In: Proceedings of IEEE Symposium on Security and Privacy, Oakland, 120\u2013128 (1996)","key":"30_CR19","DOI":"10.1109\/SECPRI.1996.502675"},{"issue":"3","key":"30_CR20","doi-asserted-by":"crossref","first-page":"151","DOI":"10.3233\/JCS-980109","volume":"6","author":"S. Hofmeyr","year":"1998","unstructured":"Hofmeyr S., Forrest S. and Somayaji A. (1998). Intrusion detection using sequences of system calls. J. Comput. Sec. 6(3): 151\u2013180","journal-title":"J. Comput. Sec."},{"doi-asserted-by":"crossref","unstructured":"Warrender, C., Forrest, S., Perlmutter, B.: Detecting intrusions using system calls: alternative data models. In: Proceedings of IEEE Symposium on Security and Privacy 133\u2013145 (1999)","key":"30_CR21","DOI":"10.1109\/SECPRI.1999.766910"},{"doi-asserted-by":"crossref","unstructured":"Marceau, C.: Characterizing the behavior of a program using multiple-length n-grams. In: Proceedings of New Security Paradigms Workshop (NSPW) 101\u2013110 (2000)","key":"30_CR22","DOI":"10.1145\/366173.366197"},{"unstructured":"Ghosh, A., Schwartzbard, A., Schatz, M.: Learning program behavior profiles for intrusion detection. In: Proceedings of USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, 51\u201362 (1999)","key":"30_CR23"},{"doi-asserted-by":"crossref","unstructured":"Eskin, E., Lee, W., Stolfo, S.: Modeling system calls for intrusion detection with dynamic window sizes. In: Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX) (2001)","key":"30_CR24","DOI":"10.1109\/DISCEX.2001.932213"},{"doi-asserted-by":"crossref","unstructured":"Wang, K., Parekh, J., Stolfo, S.: Anagram: a content anomaly detector resistant to mimicry attack. In: Recent Adances in Intrusion Detection (RAID) 226\u2013248 (2006)","key":"30_CR25","DOI":"10.1007\/11856214_12"},{"unstructured":"Cavnar, W.B., Trenkle, J.M.: N-gram-based text categorization. In: Proceedings SDAIR, Las Vegas 161\u2013175 (1994)","key":"30_CR26"},{"issue":"5199","key":"30_CR27","doi-asserted-by":"crossref","first-page":"843","DOI":"10.1126\/science.267.5199.843","volume":"267","author":"M. Damashek","year":"1995","unstructured":"Damashek M. (1995). Gauging similarity with n-grams: language-independent categorization of text. Science 267(5199): 843\u2013848","journal-title":"Science"},{"doi-asserted-by":"crossref","unstructured":"Joachims, T.: Text categorization with support vector Learning with many relevant features. Technical Report 23, LS VIII, University of Dortmund (1997)","key":"30_CR28","DOI":"10.1007\/BFb0026683"},{"issue":"1","key":"30_CR29","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1109\/34.824820","volume":"22","author":"G. Nagy","year":"2000","unstructured":"Nagy G. (2000). Twenty years of document image analysis in PAMI. IEEE Trans. Pattern Anal. Mach. Intell. 22(1): 36\u201362","journal-title":"Pattern Anal. Mach. Intell."},{"issue":"1","key":"30_CR30","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1108\/eb026671","volume":"35","author":"G. Salton","year":"1979","unstructured":"Salton G. (1979). Mathematics and information retrieval. J. Doc. 35(1): 1\u201329","journal-title":"J. Doc."},{"issue":"2","key":"30_CR31","doi-asserted-by":"crossref","first-page":"164","DOI":"10.1109\/TPAMI.1979.4766902","volume":"1","author":"C.Y. Suen","year":"1979","unstructured":"Suen C.Y. (1979). N-gram statistics for natural language understanding and text processing. IEEE Trans. Pattern Anal. Mach. Intell. 1(2): 164\u2013172","journal-title":"Pattern Anal. Mach. Intell."},{"unstructured":"Portnoy, L., Eskin, E., Stolfo, S.: Intrusion detection with unlabeled data using clustering. In: Proceedings of ACM CSS Workshop on Data Mining Applied to Security (2001)","key":"30_CR32"},{"unstructured":"Emran, S., Ye, N.: Robustness of canberra metric in computer intrusion detection. In: Proceedings of IEEE Workshop on Information Assurance and Security, West Point (2001)","key":"30_CR33"},{"key":"30_CR34","first-page":"87","volume":"36","author":"P. Jaccard","year":"1900","unstructured":"Jaccard P. (1900). Contribution au probl\u00e8me de l\u2019immigration post-glaciaire de la flore alpine. Bulletin de la Soci\u00e9t\u00e9 Vaudoise des Sciences Naturelles 36: 87\u2013130","journal-title":"Bulletin de la Soci\u00e9t\u00e9 Vaudoise des Sciences Naturelles"},{"key":"30_CR35","volume-title":"Cluster Analysis for Applications","author":"M. Anderberg","year":"1973","unstructured":"Anderberg M. (1973). Cluster Analysis for Applications. Academic, New York"},{"doi-asserted-by":"crossref","unstructured":"de la Briandais, R.: File searching using variable length keys. In: Proceedings AFIPS Western Joint Computer Conference 295\u2013298 (1959)","key":"30_CR36","DOI":"10.1145\/1457838.1457895"},{"doi-asserted-by":"crossref","unstructured":"Fredkin, E.: Trie memory. Commun. 3(9):490\u2013499: ACM, (1960)","key":"30_CR37","DOI":"10.1145\/367390.367400"},{"key":"30_CR38","volume-title":"The art of computer programming, vol. 3","author":"D. Knuth","year":"1973","unstructured":"Knuth D. (1973). The art of computer programming, vol. 3. Addison-Wesley, New York"},{"doi-asserted-by":"crossref","unstructured":"Rieck, K., Laskov, P., M\u00fcller, K.R.: Efficient algorithms for similarity measures over sequential data: a look beyond kernels. In: Pattern Recognition, Proceedings of 28th DAGM Symposium. LNCS 374\u2013383 (2006)","key":"30_CR39","DOI":"10.1007\/11861898_38"},{"doi-asserted-by":"crossref","unstructured":"Rieck, K., Laskov, P., Sonnenburg, S.: Computation of similarity measures for sequential data using generalized suffix trees. In: Advances in Neural Information Processing Systems 19, MIT, Cambridge (2006)","key":"30_CR40","DOI":"10.7551\/mitpress\/7503.003.0152"},{"doi-asserted-by":"crossref","unstructured":"Lazarevic, A., Ertoz, L., Kumar, V., Ozgur, A., , J.: A comparative study of anomaly detection schemes in network intrusion detection,. In: Proceedings of SIAM International Conference on Data Mining (2003)","key":"30_CR41","DOI":"10.1137\/1.9781611972733.3"},{"doi-asserted-by":"crossref","unstructured":"Laskov, P., Sch\u00e4fer, C., Kotenko, I.: Intrusion detection in unlabeled data with quarter\u2013sphere support vector machines. In: Detection of Intrusions and Malware, and Vulnerability Assessment, Proceedings of DIMVA Conference, 71\u201382 (2004)","key":"30_CR42","DOI":"10.1515\/PIKO.2004.228"},{"doi-asserted-by":"crossref","unstructured":"Laskov, P., D\u00fcssel, P., Sch\u00e4fer, C., Rieck, K.: Learning intrusion detection: supervised or unsupervised? In: Image Analysis and Processing, Proceedings of 13th ICIAP Conference, 50\u201357 (2005)","key":"30_CR43","DOI":"10.1007\/11553595_6"},{"doi-asserted-by":"crossref","unstructured":"Rieck, K., Laskov, P.: Detecting unknown network attacks using language models. In: Detection of Intrusions and Malware, and Vulnerability Assessment, Proceedings of 3rd DIMVA Conference. LNCS, 74\u201390 (2006)","key":"30_CR44","DOI":"10.1007\/11790754_5"},{"issue":"3\u20134","key":"30_CR45","doi-asserted-by":"crossref","first-page":"237","DOI":"10.1007\/s007780050006","volume":"8","author":"E. Knorr","year":"2000","unstructured":"Knorr E., Ng R. and Tucakov V. (2000). Distance-based outliers: algorithms and applications. Int. J. Very Large Data Bases 8(3\u20134): 237\u2013253","journal-title":"Int. J. Very Large Data Bases"},{"issue":"13\u201315","key":"30_CR46","doi-asserted-by":"crossref","first-page":"1608","DOI":"10.1016\/j.neucom.2005.05.015","volume":"69","author":"S. Harmeling","year":"2006","unstructured":"Harmeling S., Dornhege G., Tax D., Meinecke F.C. and M\u00fcller K.R. (2006). From outliers to prototypes: ordering data. Neurocomputing 69(13\u201315): 1608\u20131618","journal-title":"Neurocomputing"},{"issue":"4","key":"30_CR47","doi-asserted-by":"crossref","first-page":"579","DOI":"10.1016\/S1389-1286(00)00139-0","volume":"34","author":"R. Lippmann","year":"2000","unstructured":"Lippmann R., Haines J., Fried D., Korba J. and Das K. (2000). The 1999 DARPA off-line intrusion detection evaluation. Comput. Netw. 34(4): 579\u2013595","journal-title":"Comput. Netw."},{"doi-asserted-by":"crossref","unstructured":"McHugh, J.: The 1998 Lincoln Laboratory IDS evaluation. In: Recent Adances in Intrusion Detection (RAID) 145\u2013161 (2000)","key":"30_CR48","DOI":"10.1007\/3-540-39945-3_10"},{"issue":"4","key":"30_CR49","first-page":"262","volume":"3","author":"J. McHugh","year":"2000","unstructured":"McHugh J. (2000). Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Trans. Inform. Syst. Sec. 3(4): 262\u2013294","journal-title":"Inform. Syst. Sec."},{"unstructured":"Moore, H.D.: The metasploit project\u2014open-source platform for developing, testing, and using exploit code. http:\/\/www.metasploit.com (2005)","key":"30_CR50"},{"key":"30_CR51","first-page":"419","volume":"2","author":"H. Lodhi","year":"2002","unstructured":"Lodhi H., Saunders C., Shawe-Taylor J., Cristianini N. and Watkins C. (2002). Text classification using string kernels. J. Mach. Learn. Res. 2: 419\u2013444","journal-title":"J. Mach. Learn. Res."},{"doi-asserted-by":"crossref","unstructured":"Tan, K., Maxion, R.: \u201cWhy 6?\u201d Defining the operational limits of stide, an anomaly-based intrusion detector. In: Proceedings of IEEE Symposium on Security and Privacy, 188\u2013201 (2002)","key":"30_CR52","DOI":"10.1109\/SECPRI.2002.1004371"},{"unstructured":"Roesch, M.: Snort: Lightweight intrusion detection for networks. In: Proceedings of USENIX Large Installation System Administration Conference LISA, 229\u2013238 (1999)","key":"30_CR53"},{"unstructured":"Microsoft: MS00-078\u2014web server folder traversal vulnerability. Microsoft Sec. Bull. (2000)","key":"30_CR54"},{"unstructured":"Anonymous: Once upon a free() ... Phrack Magazine 0xb(0x39) (2001) 57\u20130x09","key":"30_CR55"},{"doi-asserted-by":"crossref","unstructured":"Kreibich, C., Crowcroft, J.: Honeycomb\u2014creating intrusion detection signatures using honeypots. In: Proceedings of Workshop on Hot Topics in Networks (2003)","key":"30_CR56","DOI":"10.1145\/972374.972384"},{"unstructured":"Kim, H.A., Karp, B.: Autograph: toward automated, distributed worm signature detection. In: Proceedings of USENIX Security Symposium (2004)","key":"30_CR57"},{"unstructured":"Singh, S., Estan, G., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceedings of USENIX OSDI (2004)","key":"30_CR58"},{"unstructured":"Newsome, J., Karp, B., Song, D.: Polygraph: automatically generating signatures for polymorphic worms. In: Proceedings of IEEE Symposium on Security and Privacy 120\u2013132 (2005)","key":"30_CR59"},{"unstructured":"Microsoft: MS05-021\u2014vulnerability in exchange server could allow remote code execution: Microsoft Sec Bull. (2005)","key":"30_CR60"},{"unstructured":"Kolesnik, O., Dagon, D., Lee, W.: Advanced polymorphic worms: evading IDS by blending with normal traffic. In: Proceedings of USENIX Security Symposium (2004)","key":"30_CR61"},{"issue":"1","key":"30_CR62","doi-asserted-by":"crossref","first-page":"48","DOI":"10.1108\/EUM0000000007161","volume":"58","author":"A.M. Robertson","year":"1998","unstructured":"Robertson A.M. and Willett P. (1998). Applications of n-grams in textual information systems. J. Doc. 58(1): 48\u201369","journal-title":"J. Doc."},{"doi-asserted-by":"crossref","unstructured":"Watkins, C.: Dynamic alignment kernels. In: Smola, A., , P., Sch\u00f6lkopf, B., Schuurmans, D., (eds) Advances in large Margin Classifiers, MIT, Cambridge 39\u201350 (2000)","key":"30_CR63","DOI":"10.7551\/mitpress\/1113.003.0006"},{"doi-asserted-by":"crossref","unstructured":"Leslie, C., Eskin, E., Noble, W.: The spectrum kernel: a string kernel for SVM protein classification. In: Proceedings Pacific Symposium Biocomputing. 564\u2013575 (2002)","key":"30_CR64","DOI":"10.1142\/9789812799623_0053"},{"unstructured":"Lee, W., Stolfo, S., Chan, P.: Learning patterns from unix process execution traces for intrusion detection. In: Proceedings of AAAI Workshop on Fraud Detection and Risk Management, Providence 50\u201356 (1997)","key":"30_CR65"},{"doi-asserted-by":"crossref","unstructured":"Michael, C.: Finding the vocabulary of program behavior data for anomaly detection. In: Proceedings of DARPA Information Survivability Conference and Exposition (DISCEX) 152\u2013163 (2003)","key":"30_CR66","DOI":"10.1109\/DISCEX.2003.1194881"},{"doi-asserted-by":"crossref","unstructured":"Abou-Assaleh, T., Cercone, N., Keselj, V., Sweidanm, R.: Detection of new malicious code using n-grams signatures. In: Proceedings Second Annual Conference on Privacy, Security and Trust, 193\u2013196 (2004)","key":"30_CR67","DOI":"10.1109\/CMPSAC.2004.1342667"},{"issue":"1\u20132","key":"30_CR68","doi-asserted-by":"crossref","first-page":"13","DOI":"10.1007\/s11416-005-0002-9","volume":"1","author":"M. Karim","year":"2005","unstructured":"Karim M., Walenstein A., Lakhotia A. and Laxmi P. (2005). Malware phylogeny generation using permutations of code. J. Comput. Virol. 1(1\u20132): 13\u201323","journal-title":"J. Comput. Virol."},{"unstructured":"Kolter, J., Maloof, M.: Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res. (2006) (to appear)","key":"30_CR69"}],"container-title":["Journal in Computer Virology"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-006-0030-0.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s11416-006-0030-0\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-006-0030-0","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,1,12]],"date-time":"2025-01-12T15:00:34Z","timestamp":1736694034000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s11416-006-0030-0"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2006,12,19]]},"references-count":69,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2007,2,7]]}},"alternative-id":["30"],"URL":"https:\/\/doi.org\/10.1007\/s11416-006-0030-0","relation":{},"ISSN":["1772-9890","1772-9904"],"issn-type":[{"type":"print","value":"1772-9890"},{"type":"electronic","value":"1772-9904"}],"subject":[],"published":{"date-parts":[[2006,12,19]]}}}