{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,12]],"date-time":"2026-01-12T20:46:30Z","timestamp":1768250790528,"version":"3.49.0"},"reference-count":43,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2016,5,1]],"date-time":"2016-05-01T00:00:00Z","timestamp":1462060800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2016,5,1]],"date-time":"2016-05-01T00:00:00Z","timestamp":1462060800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2016,1,20]],"date-time":"2016-01-20T00:00:00Z","timestamp":1453248000000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["ARO YIP W911NF-14-1-0535"],"award-info":[{"award-number":["ARO YIP W911NF-14-1-0535"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-0953638"],"award-info":[{"award-number":["CNS-0953638"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers & Security"],"published-print":{"date-parts":[[2016,5]]},"DOI":"10.1016\/j.cose.2016.01.002","type":"journal-article","created":{"date-parts":[[2016,1,21]],"date-time":"2016-01-21T02:34:34Z","timestamp":1453343674000},"page":"180-198","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":47,"special_numbering":"C","title":["Causality reasoning about network events for detecting stealthy malware activities"],"prefix":"10.1016","volume":"58","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3877-7512","authenticated-orcid":false,"given":"Hao","family":"Zhang","sequence":"first","affiliation":[]},{"given":"Danfeng (Daphne)","family":"Yao","sequence":"additional","affiliation":[]},{"given":"Naren","family":"Ramakrishnan","sequence":"additional","affiliation":[]},{"given":"Zhibin","family":"Zhang","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.cose.2016.01.002_bib0010","series-title":"Malware analysis with tree automata inference","first-page":"116","author":"Babi\u0107","year":"2011"},{"key":"10.1016\/j.cose.2016.01.002_bib0015","series-title":"Supervised random walks: predicting and recommending links in social networks","first-page":"635","author":"Backstrom","year":"2011"},{"key":"10.1016\/j.cose.2016.01.002_bib0020","first-page":"13","volume":"vol. 463","author":"Baeza-Yates","year":"1999"},{"key":"10.1016\/j.cose.2016.01.002_bib0025","series-title":"Towards highly reliable enterprise network services via inference of multi-level dependencies","first-page":"19","author":"Bahl","year":"2007"},{"key":"10.1016\/j.cose.2016.01.002_bib0030","series-title":"EXPOSURE: finding malicious domains using passive DNS analysis","first-page":"20","author":"Bilge","year":"2011"},{"key":"10.1016\/j.cose.2016.01.002_bib0035","series-title":"Web Tap: detecting covert web traffic","first-page":"110","author":"Borders","year":"2004"},{"key":"10.1016\/j.cose.2016.01.002_bib0040","series-title":"Automating network application dependency discovery: experiences, limitations, and new solutions","first-page":"117","author":"Chen","year":"2008"},{"issue":"3","key":"10.1016\/j.cose.2016.01.002_bib0045","doi-asserted-by":"crossref","first-page":"273","DOI":"10.1023\/A:1022627411411","article-title":"Support-vector networks","volume":"20","author":"Cortes","year":"1995","journal-title":"Mach Learn"},{"key":"10.1016\/j.cose.2016.01.002_bib0050","series-title":"Detection and analysis of drive-by-download attacks and malicious JavaScript code","first-page":"2","author":"Cova","year":"2010"},{"key":"10.1016\/j.cose.2016.01.002_bib0055","series-title":"BINDER: an extrusion-based break-in detector for personal computers","first-page":"4","author":"Cui","year":"2005"},{"key":"10.1016\/j.cose.2016.01.002_bib0060","author":"DNScat"},{"key":"10.1016\/j.cose.2016.01.002_bib0065","series-title":"The foundations of cost-sensitive learning","first-page":"973","author":"Elkan","year":"2001"},{"key":"10.1016\/j.cose.2016.01.002_bib0070","series-title":"Semi-supervised network traffic classification","first-page":"369","author":"Erman","year":"2007"},{"issue":"2","key":"10.1016\/j.cose.2016.01.002_bib0075","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1145\/1117454.1117456","article-title":"Link mining: a survey","volume":"7","author":"Getoor","year":"2005","journal-title":"SIGKDD Explor Newsl"},{"key":"10.1016\/j.cose.2016.01.002_bib0080","series-title":"Visual analytics for complex concepts using a human cognition model","first-page":"91","author":"Green","year":"2008"},{"key":"10.1016\/j.cose.2016.01.002_bib0085","series-title":"BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection","first-page":"2","author":"Gu","year":"2008"},{"key":"10.1016\/j.cose.2016.01.002_bib0090","series-title":"Not-a-bot: improving service availability in the face of botnet attacks","first-page":"20","author":"Gummadi","year":"2009"},{"key":"10.1016\/j.cose.2016.01.002_bib0095","series-title":"Estimating continuous distributions in Bayesian classifiers","first-page":"338","author":"John","year":"1995"},{"key":"10.1016\/j.cose.2016.01.002_bib0100","series-title":"Using transactional information to predict link strength in online social networks","first-page":"20","author":"Kahanda","year":"2009"},{"key":"10.1016\/j.cose.2016.01.002_bib0105","series-title":"What's going on? Learning communication rules in edge networks","first-page":"19","author":"Kandula","year":"2008"},{"key":"10.1016\/j.cose.2016.01.002_bib0110","series-title":"Classification and computation of dependencies for distributed management","first-page":"78","author":"Keller","year":"2000"},{"key":"10.1016\/j.cose.2016.01.002_bib0115","series-title":"Enriching intrusion alerts through multi-host causality","first-page":"2","author":"King","year":"2005"},{"key":"10.1016\/j.cose.2016.01.002_bib0120","series-title":"Effective and efficient malware detection at the end host","first-page":"351","author":"Kolbitsch","year":"2009"},{"key":"10.1016\/j.cose.2016.01.002_bib0125","series-title":"A data mining framework for building intrusion detection models","first-page":"120","author":"Lee","year":"1999"},{"key":"10.1016\/j.cose.2016.01.002_bib0130","series-title":"WebProphet: automating performance prediction for web services","first-page":"20","author":"Li","year":"2010"},{"issue":"7","key":"10.1016\/j.cose.2016.01.002_bib0135","doi-asserted-by":"crossref","first-page":"1019","DOI":"10.1002\/asi.20591","article-title":"The link-prediction problem for social networks","volume":"58","author":"Liben-Nowell","year":"2007","journal-title":"J Am Soc Inf Sci Tec"},{"key":"10.1016\/j.cose.2016.01.002_bib0140","author":"MIT Lincoln Laboratory"},{"key":"10.1016\/j.cose.2016.01.002_bib0145","series-title":"Internet traffic classification using Bayesian analysis techniques","first-page":"50","author":"Moore","year":"2005"},{"key":"10.1016\/j.cose.2016.01.002_bib0150","series-title":"SpyProxy: execution-based detection of malicious web content","first-page":"20","author":"Moshchuk","year":"2007"},{"key":"10.1016\/j.cose.2016.01.002_bib0155","series-title":"NSDMiner: automated discovery of network service dependencies","first-page":"2507","author":"Natarajan","year":"2012"},{"key":"10.1016\/j.cose.2016.01.002_bib0160","series-title":"ClickMiner: towards forensic reconstruction of user-browser interactions from network traces","first-page":"1244","author":"Neasbitt","year":"2014"},{"issue":"1\u20134","key":"10.1016\/j.cose.2016.01.002_bib0165","doi-asserted-by":"crossref","first-page":"56","DOI":"10.1109\/SURV.2008.080406","article-title":"A survey of techniques for Internet traffic classification using machine learning","volume":"10","author":"Nguyen","year":"2008","journal-title":"IEEE Commun Surv Tut"},{"key":"10.1016\/j.cose.2016.01.002_bib0170","author":"Tlogger"},{"issue":"5","key":"10.1016\/j.cose.2016.01.002_bib0175","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1145\/1163593.1163596","article-title":"A preliminary performance comparison of five machine learning algorithms for practical IP traffic flow classification","volume":"36","author":"Williams","year":"2006","journal-title":"SIGCOMM Comput Commun Rev"},{"key":"10.1016\/j.cose.2016.01.002_bib0180","series-title":"ReSurf: reconstructing web-surfing activity from network traffic","first-page":"1","author":"Xie","year":"2013"},{"key":"10.1016\/j.cose.2016.01.002_bib0185","series-title":"Using Bayesian networks for cyber security analysis","first-page":"211","author":"Xie","year":"2010"},{"issue":"3","key":"10.1016\/j.cose.2016.01.002_bib0190","doi-asserted-by":"crossref","first-page":"143","DOI":"10.1109\/TDSC.2013.10","article-title":"DNS for massive-scale command and control","volume":"10","author":"Xu","year":"2013","journal-title":"IEEE Trans Dependable Sec Comput"},{"key":"10.1016\/j.cose.2016.01.002_bib0195","doi-asserted-by":"crossref","unstructured":"Zand A., Vigna G., Kemmerer R., Kruegel C. Rippler: delay injection for service dependency detection. In INFOCOM'14. 2014. p. 2157\u201365. 2, 5, 19.","DOI":"10.1109\/INFOCOM.2014.6848158"},{"key":"10.1016\/j.cose.2016.01.002_bib0200","series-title":"User intention-based traffic dependence analysis for anomaly detection","first-page":"104","author":"Zhang","year":"2012"},{"key":"10.1016\/j.cose.2016.01.002_bib0205","series-title":"Detection of stealthy malware activities with traffic causality and scalable triggering relation discovery","first-page":"2","author":"Zhang","year":"2014"},{"key":"10.1016\/j.cose.2016.01.002_bib0210","series-title":"Visualizing traffic causality for analyzing network anomalies","first-page":"37","author":"Zhang","year":"2015"},{"key":"10.1016\/j.cose.2016.01.002_bib0215","series-title":"Aiding intrusion analysis using machine learning","first-page":"40","author":"Zomlot","year":"2013"},{"key":"10.1016\/j.cose.2016.01.002_bib0230","author":"Pony botnet"}],"container-title":["Computers & Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404816000043?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404816000043?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2025,9,28]],"date-time":"2025-09-28T19:02:23Z","timestamp":1759086143000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404816000043"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,5]]},"references-count":43,"alternative-id":["S0167404816000043"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2016.01.002","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2016,5]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Causality reasoning about network events for detecting stealthy malware activities","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2016.01.002","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"Copyright \u00a9 2016 The Authors. Published by Elsevier Ltd.","name":"copyright","label":"Copyright"}]}}