{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,10]],"date-time":"2026-02-10T19:13:08Z","timestamp":1770750788447,"version":"3.50.0"},"reference-count":79,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"name":"National Cybersecurity Authority, Saudi Arabia","award":["CRPG-25-3377"],"award-info":[{"award-number":["CRPG-25-3377"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Open J. Commun. Soc."],"published-print":{"date-parts":[[2025]]},"DOI":"10.1109\/ojcoms.2025.3610784","type":"journal-article","created":{"date-parts":[[2025,9,16]],"date-time":"2025-09-16T17:36:23Z","timestamp":1758044183000},"page":"7823-7841","source":"Crossref","is-referenced-by-count":1,"title":["STING: A Stealthy Backdoor Attack on GNN-Based Malicious Domain Detection via DNS Perturbations"],"prefix":"10.1109","volume":"6","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9479-4985","authenticated-orcid":false,"given":"Muhammad","family":"Anan","sequence":"first","affiliation":[{"name":"College of Engineering and Advaced Computing, Alfaisal University, Riyadh, Saudi Arabia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3375-0310","authenticated-orcid":false,"given":"Mahmoud","family":"Nazzal","sequence":"additional","affiliation":[{"name":"Computer Science Department, Old Dominion University, Norfolk, VA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1583-713X","authenticated-orcid":false,"given":"Abdallah","family":"Khreishah","sequence":"additional","affiliation":[{"name":"Newark College of Engineering, New Jersey Institute of Technology, Newark, NJ, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7660-9512","authenticated-orcid":false,"given":"Issa","family":"Khalil","sequence":"additional","affiliation":[{"name":"Qatar Computing Research Institute, Hamad Bin Khalifa University, Doha, Qatar"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1032-8275","authenticated-orcid":false,"given":"Nhathai","family":"Phan","sequence":"additional","affiliation":[{"name":"Newark College of Engineering, New Jersey Institute of Technology, Newark, NJ, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7040-8963","authenticated-orcid":false,"given":"Ahmad","family":"Sawalmeh","sequence":"additional","affiliation":[{"name":"College of Engineering and Advaced Computing, Alfaisal University, Riyadh, Saudi Arabia"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1016\/j.techsoc.2010.07.001"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCEE.2009.151"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1145\/280324.280336"},{"key":"ref4","volume-title":"Brand squatting domain detection systems and methods","author":"Nabeel","year":"2022"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2023.3333903"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1016\/j.asoc.2023.111080"},{"key":"ref7","first-page":"1","article-title":"Mining DNS for malicious domain registrations","volume-title":"Proc. 6th Int. Conf. Collab. Comput., Netw., Appl. Worksharing (CollaborateCom)","author":"He"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/3191329"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/3401897"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1109\/HPCC-DSS-SmartCity-DependSys53884.2021.00063"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.103059"},{"key":"ref12","first-page":"18","article-title":"Building a dynamic reputation system for DNS","volume-title":"Proc. 19th USENIX Security Symp. (USENIX Security)","author":"Antonakakis"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/2584679"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1145\/2666652.2666659"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897877"},{"key":"ref16","article-title":"Killing two birds with one stone: Malicious domain detection with high accuracy and coverage","author":"Khalil","year":"2017","journal-title":"arXiv:1711.00300"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/3176258.3176329"},{"key":"ref18","first-page":"399","article-title":"HinDom: A robust malicious domain detection system based on heterogeneous information network with transductive classification","volume-title":"Proc. 22nd Int. Symp. Res. Attacks, Intrusions Defenses (RAID)","author":"Sun"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/CSCWD49262.2021.9437852"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-15931-2_42"},{"key":"ref21","volume-title":"Method to identify malicious Web domain names thanks to their dynamics","author":"Khalil","year":"2020"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/3422337.3447840"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2015.35"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2014.04.013"},{"key":"ref25","first-page":"8577","article-title":"Factor graph neural networks","volume-title":"Proc. Adv. Neural Inf. Process. Syst.","volume":"33","author":"Zhang"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/IEEECONF44664.2019.9048920"},{"key":"ref27","first-page":"1115","article-title":"Adversarial attack on graph structured data","volume-title":"Proc. Int. Conf. Mach. Learn.","author":"Dai"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/3219819.3220078"},{"key":"ref29","article-title":"Graph universal adversarial attacks: A few bad actors ruin graph learning models","author":"Zang","year":"2020","journal-title":"arXiv:2002.04784"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00006"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/3450569.3463560"},{"key":"ref32","first-page":"1523","article-title":"Graph backdoor","volume-title":"Proc. 30th USENIX Security Symp. (USENIX Security)","author":"Xi"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3468218.3469046"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3545948.3545976"},{"key":"ref35","first-page":"1","article-title":"Semi-supervised classification with graph convolutional networks","volume-title":"Proc. Int. Conf. Learn. Represent. (ICLR)","author":"Welling"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2020.2978386"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/3366423.3380027"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1145\/3308558.3313562"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3366423.3380297"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1145\/3269206.3272010"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2022.110038"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1109\/TBDATA.2021.3132672"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1155\/2020\/8810817"},{"key":"ref44","article-title":"Badnets: Identifying vulnerabilities in the machine learning model supply chain","author":"Gu","year":"2017","journal-title":"arXiv:1708.06733"},{"key":"ref45","article-title":"A comprehensive survey on trustworthy graph neural networks: Privacy, robustness, fairness, and explainability","author":"Dai","year":"2022","journal-title":"arXiv:2204.08570"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1214\/aoms\/1177706098"},{"key":"ref47","article-title":"Adversarial attacks on graph neural networks via meta learning","author":"Z\u00fcgner","year":"2019","journal-title":"arXiv:1902.08412"},{"key":"ref48","volume-title":"Method and system for domain maliciousness assessment via real-time graph inference","author":"Nabeel","year":"2021"},{"key":"ref49","first-page":"685","article-title":"Neural enhanced belief propagation on factor graphs","volume-title":"Proc. Int. Conf. Artif. Intell. Statist.","author":"Satorras"},{"key":"ref50","first-page":"1165","article-title":"FANCI: Feature-based automated NXDomain classification and intelligence","volume-title":"Proc. 27th USENIX Security Symp. (USENIX Security)","author":"Sch\u00fcppen"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.102057"},{"key":"ref52","volume-title":"Scoring domains and IPS using domain resolution data to identify malicious domains and IPS","author":"Tirumala","year":"2022"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/NOMS47738.2020.9110462"},{"key":"ref54","volume-title":"DomainTools-Maltego integration","year":"2023"},{"key":"ref55","article-title":"Detecting DGA-based botnets: Methods and lessons learned","volume-title":"Proc. 21st USENIX Security Symp.","author":"Antonakakis"},{"key":"ref56","first-page":"1","article-title":"Measuring and detecting fast-flux service networks","volume-title":"Proc. 15th Annu. Netw. Distrib. Syst. Security Symp. (NDSS)","author":"Holz"},{"key":"ref57","volume-title":"SAC025: Fast Flux Hosting and DNS","year":"2008"},{"key":"ref58","first-page":"1341","article-title":"Platforms in everything: An empirical study on the ecosystem of bulletproof hosting","volume-title":"Proc. 28th USENIX Security Symp.","author":"Noroozian"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134049"},{"key":"ref60","first-page":"1","article-title":"EXPOSURE: Finding malicious domains using passive DNS analysis","volume-title":"Proc. 18th Annu. Netw. Distrib. Syst. Security Symp. (NDSS)","author":"Bilge"},{"key":"ref61","first-page":"1","article-title":"Framing dependencies introduced by underground commoditization","volume-title":"Proc. 26th USENIX Security Symp.","author":"Thomas"},{"key":"ref62","volume-title":"Domain Abuse Activity Reporting (DAAR) System Report","year":"2019"},{"key":"ref63","first-page":"4","article-title":"Spamcraft: An inside look at spam campaign orchestration","volume-title":"Proc. LEET","author":"Kreibich"},{"key":"ref64","first-page":"1","article-title":"Deepphish: Simulating malicious ai","volume-title":"Proc. APWG Symp. Electron. Crime Res. (eCrime)","author":"Bahnsen"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978317"},{"key":"ref66","article-title":"PDNS-Net: A large heterogeneous graph benchmark dataset of network resolutions for graph learning","author":"Kumarasinghe","year":"2022","journal-title":"arXiv:2203.07969"},{"key":"ref67","article-title":"Graph representation of DNS-related data for detecting malicious actions","author":"Rismyhr","year":"2020"},{"key":"ref68","volume-title":"EIRIKRISMYHR\/Mis4900: Master\u2019s thesis-information security.","author":"Rismyhr","year":"2025"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-50420-5_28"},{"key":"ref70","first-page":"1025","article-title":"Inductive representation learning on large graphs","volume-title":"Proc. 31st Conf. Neural Inf. Process. Syst.","volume":"30","author":"Hamilton"},{"key":"ref71","first-page":"3721","article-title":"Compromised or attacker-owned: A large scale classification and study of hosting domains of malicious URLs","volume-title":"Proc. USENIX Security Symp.","author":"De Silva"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/669"},{"key":"ref73","article-title":"Detection of adversarial training examples in poisoning attacks through anomaly detection","author":"Paudice","year":"2018","journal-title":"arXiv:1802.03041"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1145\/2133360.2133363"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.2307\/1270566"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1145\/342009.335388"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.5555\/1953048.2078195"},{"key":"ref78","first-page":"1","article-title":"DGraph: A large-scale financial dataset for graph anomaly detection","volume-title":"Proc. 36th Conf. Neural Inf. Process. Syst. Datasets Benchmarks Track","author":"Huang"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1007\/BF01588971"}],"container-title":["IEEE Open Journal of the Communications Society"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/8782661\/10829557\/11165113.pdf?arnumber=11165113","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,30]],"date-time":"2025-09-30T12:29:50Z","timestamp":1759235390000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11165113\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":79,"URL":"https:\/\/doi.org\/10.1109\/ojcoms.2025.3610784","relation":{},"ISSN":["2644-125X"],"issn-type":[{"value":"2644-125X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]}}}