{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,20]],"date-time":"2026-03-20T16:23:38Z","timestamp":1774023818468,"version":"3.50.1"},"reference-count":51,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2019QY1303"],"award-info":[{"award-number":["2019QY1303"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2019QY1301"],"award-info":[{"award-number":["2019QY1301"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100002367","name":"Strategic Priority Research Program of the Chinese Academy of Sciences","doi-asserted-by":"publisher","award":["XDC02040100"],"award-info":[{"award-number":["XDC02040100"]}],"id":[{"id":"10.13039\/501100002367","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100002367","name":"Strategic Priority Research Program of the Chinese Academy of Sciences","doi-asserted-by":"publisher","award":["NSFC U1836211"],"award-info":[{"award-number":["NSFC U1836211"]}],"id":[{"id":"10.13039\/501100002367","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100004826","name":"Beijing Natural Science Foundation","doi-asserted-by":"publisher","award":["JQ18011"],"award-info":[{"award-number":["JQ18011"]}],"id":[{"id":"10.13039\/501100004826","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100002367","name":"Youth Innovation Promotion Association CAS","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100002367","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Program of Key Laboratory of Network Assessment Technology"},{"DOI":"10.13039\/501100002367","name":"Chinese Academy of Sciences","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100002367","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Program of Beijing Key Laboratory of Network Security and Protection Technology"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2021]]},"DOI":"10.1109\/tifs.2021.3071595","type":"journal-article","created":{"date-parts":[[2021,4,7]],"date-time":"2021-04-07T19:42:42Z","timestamp":1617824562000},"page":"3589-3603","source":"Crossref","is-referenced-by-count":33,"title":["MBTree: Detecting Encryption RATs Communication Using Malicious Behavior Tree"],"prefix":"10.1109","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7581-7160","authenticated-orcid":false,"given":"Cong","family":"Dong","sequence":"first","affiliation":[]},{"given":"Zhigang","family":"Lu","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7229-3231","authenticated-orcid":false,"given":"Zelin","family":"Cui","sequence":"additional","affiliation":[]},{"given":"Baoxu","family":"Liu","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5624-2987","authenticated-orcid":false,"given":"Kai","family":"Chen","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref39","author":"ishikawa","year":"2020","journal-title":"Open Source as Fuel of Recent Apt"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/ICOIN.2017.7899588"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.59"},{"key":"ref32","first-page":"1093","article-title":"Understanding the Mirai botnet","author":"antonakakis","year":"2017","journal-title":"Proc 26th USENIX Secur Symp (USENIX)"},{"key":"ref31","first-page":"537","article-title":"Sigbox: Automatic signature generation method for fine-grained traffic identification","volume":"33","author":"shim","year":"2017","journal-title":"J Inf Sci Eng"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/2413176.2413217"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.05.011"},{"key":"ref36","year":"2019","journal-title":"Stratosphere Laboratory Datasets"},{"key":"ref35","first-page":"25","article-title":"Trends in wide area IP traffic patterns&#x2014;A view from Ames Internet exchange","author":"mccreary","year":"2000","journal-title":"Proceedings ITC Specialist Seminar"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.5121\/ijcnc.2013.5302"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2005.15"},{"key":"ref27","year":"2020","journal-title":"Suricata"},{"key":"ref29","first-page":"14","article-title":"Behavioral clustering of http-based malware and signature generation using malicious network traces","volume":"10","author":"perdisci","year":"2010","journal-title":"Proc USENIX Symp Netw Syst Design Implement (NSDI)"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.03.013"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1109\/IPCCC47392.2019.8958768"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2019.106944"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/TNSM.2019.2899085"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1007\/s00500-019-04030-2"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/TNSM.2019.2933358"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2020.107258"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1016\/S1389-1286(99)00112-7"},{"key":"ref25","first-page":"229","article-title":"Snort: Lightweight intrusion detection for networks","volume":"99","author":"roesch","year":"1999","journal-title":"LISA"},{"key":"ref50","doi-asserted-by":"publisher","DOI":"10.1109\/TNSE.2020.3009832"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/1327452.1327492"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_15"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24097"},{"key":"ref40","first-page":"1","article-title":"The increased use of powershell in attacks","author":"wueest","year":"2016","journal-title":"Proc CA Symantec Corporation World Headquarters"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00034"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2010.12.002"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/GLOCOM.2010.5683649"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.5220\/0005740704070414"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2019.2911156"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2017.2692682"},{"key":"ref18","article-title":"Catching worms, Trojan horses and PUPs: Unsupervised detection of silent delivery campaigns","author":"jun kwon","year":"2016","journal-title":"arXiv 1611 02787"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-99073-6_17"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1109\/WCNC.2019.8885817"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1155\/2019\/3093809"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1109\/PST.2017.00035"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-191286"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.33851\/JMIS.2019.6.4.165"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2018.12.014"},{"key":"ref49","first-page":"699","article-title":"Alembic: Automated model inference for stateful network functions","author":"moon","year":"2019","journal-title":"Proc USENIX Symp Netw Syst Design Implement (NSDI)"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2018.2833059"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813715"},{"key":"ref45","author":"kadianakis","year":"2013","journal-title":"Obfs3 (The Threebfuscator)"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24083"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1145\/3234511"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.06.005"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/TCNS.2016.2532804"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2017.10.016"},{"key":"ref43","year":"2019","journal-title":"CICFlowMeter"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10206\/9151439\/09398652.pdf?arnumber=9398652","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,10]],"date-time":"2022-05-10T14:52:41Z","timestamp":1652194361000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9398652\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"references-count":51,"URL":"https:\/\/doi.org\/10.1109\/tifs.2021.3071595","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"value":"1556-6013","type":"print"},{"value":"1556-6021","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021]]}}}