{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,7]],"date-time":"2026-03-07T13:07:03Z","timestamp":1772888823543,"version":"3.50.1"},"reference-count":61,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"1","license":[{"start":{"date-parts":[[2020,3,1]],"date-time":"2020-03-01T00:00:00Z","timestamp":1583020800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2020,3,1]],"date-time":"2020-03-01T00:00:00Z","timestamp":1583020800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2020,3,1]],"date-time":"2020-03-01T00:00:00Z","timestamp":1583020800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/100006785","name":"Google","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100006785","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Netw. Serv. Manage."],"published-print":{"date-parts":[[2020,3]]},"DOI":"10.1109\/tnsm.2019.2940735","type":"journal-article","created":{"date-parts":[[2019,9,11]],"date-time":"2019-09-11T19:48:18Z","timestamp":1568231298000},"page":"265-279","source":"Crossref","is-referenced-by-count":42,"title":["Monitoring Enterprise DNS Queries for Detecting Data Exfiltration From Internal Hosts"],"prefix":"10.1109","volume":"17","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4886-3510","authenticated-orcid":false,"given":"Jawad","family":"Ahmed","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9333-7635","authenticated-orcid":false,"given":"Hassan","family":"Habibi Gharakheili","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Qasim","family":"Raza","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Craig","family":"Russell","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7985-6765","authenticated-orcid":false,"given":"Vijay","family":"Sivaraman","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.25"},{"key":"ref38","first-page":"1","article-title":"Detection of malicious and low throughput data exfiltration over the DNS protocol","author":"nadler","year":"2017","journal-title":"CoRR"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/Trustcom\/BigDataSE\/ICESS.2017.256"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1016\/j.procs.2013.05.109"},{"key":"ref31","first-page":"1","article-title":"Detecting DNS tunnels using character frequency analysis","author":"born","year":"2010","journal-title":"Proc Annu Security Conf"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/1852666.1852718"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-10-4154-9_26"},{"key":"ref36","first-page":"1165","article-title":"FANCI: Feature-based automated NXDomain classification and intelligence","author":"sch\u00fcppen","year":"2018","journal-title":"Proc Usenix Security Symp"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1145\/2897795.2897804"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/ICMLA.2017.00-71"},{"key":"ref60","author":"lotter","year":"1033","journal-title":"Domain administrators operations guide"},{"key":"ref61","author":"barr","year":"1912","journal-title":"Common DNS operational and configuration errors"},{"key":"ref28","first-page":"17","article-title":"Practical comprehensive bounds on surreptitious communication over DNS","author":"paxson","year":"2013","journal-title":"Proc Usenix Security Symp"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/SURV.2013.032213.00009"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/ICUFN.2016.7536939"},{"key":"ref2","year":"2017","journal-title":"The Global DNS Threat Survey"},{"key":"ref1","first-page":"649","article-title":"Real-time detection of DNS exfiltration and tunneling from enterprise networks","author":"ahmed","year":"2019","journal-title":"Integrated Network and Service Management (IM)"},{"key":"ref20","first-page":"24","article-title":"From throw-away traffic to bots: Detecting the rise of DGA-based malware","author":"antonakakis","year":"2012","journal-title":"Proc Usenix Security Symp"},{"key":"ref22","first-page":"1","article-title":"EXPOSURE: Finding malicious domains using passive DNS analysis","author":"bilge","year":"2011","journal-title":"Proc USENIX Netw Distrib Syst Security Symp (NDSS)"},{"key":"ref21","author":"hao","year":"2010","journal-title":"An Internet Wide View into DNS Lookup Patterns"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/2068816.2068842"},{"key":"ref23","first-page":"18","article-title":"Building a dynamic reputation system for DNS","author":"antonakakis","year":"2010","journal-title":"Proc Usenix Security Symp"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/SECURWARE.2009.48"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1109\/ISSREW.2014.20"},{"key":"ref50","author":"qasim","year":"2018","journal-title":"DET (extensible) Data Exfiltration Toolkit"},{"key":"ref51","year":"2018","journal-title":"MasterCard Credit Card Generator"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.5220\/0005795002840290"},{"key":"ref58","year":"2019","journal-title":"How to Remove Adlooxtracking"},{"key":"ref57","year":"2019","journal-title":"Easy Removal Method of Imrworldwide com Infection"},{"key":"ref56","first-page":"37","article-title":"Tunneling activities detection using machine learning techniques","author":"allard","year":"2011","journal-title":"J Telecommun Inf Technol"},{"key":"ref55","author":"mercer","year":"2018","journal-title":"DNSpionage Campaign Targets Middle East"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2014.61"},{"key":"ref53","year":"2019","journal-title":"Kryo se Iodine (IP-Over-DNS IPv4 Over DNS Tunnel)"},{"key":"ref52","year":"2018","journal-title":"DNS EXfiltration Dataset"},{"key":"ref10","author":"dietrich","year":"2011","journal-title":"Feederbot&#x2014;A Bot Using DNS as Carrier for Its CNC"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1109\/EC2ND.2011.16"},{"key":"ref40","first-page":"79","article-title":"Harnessing predictive models for assisting network forensic investigations of DNS tunnels","author":"homem","year":"2017","journal-title":"Proc ADFSL Conf Digit Forensics Secur Law"},{"key":"ref12","author":"mullaney","year":"2011","journal-title":"Morto Worm Sets A (DNS) Record"},{"key":"ref13","author":"spring","year":"2016","journal-title":"Wekby apt gang using DNS tunneling for command and control"},{"key":"ref14","author":"kathuria","year":"2015","journal-title":"DNS Firewall is not a Next Generation Firewall"},{"key":"ref15","author":"brumaghin","year":"2017","journal-title":"Covert Channels and Poor Decisions The Tale of DNSMessenger"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-15986-3_9"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2007.4317620"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/3191329"},{"key":"ref19","first-page":"27","article-title":"Detecting malware domains at the upper DNS hierarchy","author":"antonakakis","year":"2011","journal-title":"Proc Usenix Security Symp"},{"key":"ref4","author":"krebs","year":"2014","journal-title":"Deconstructing the 2014 Sally Beauty Breach"},{"key":"ref3","author":"greenberg","year":"2014","journal-title":"DNS Attacks Putting Organizations at Risk Survey Finds"},{"key":"ref6","year":"2015","journal-title":"BernhardPOS&#x2014;New POS Malware"},{"key":"ref5","author":"rascagneres","year":"2014","journal-title":"New FrameworkPOS variant exfiltrates data via DNS requests"},{"key":"ref8","author":"shulmin","year":"2017","journal-title":"Use of DNS Tunneling for C&C Communications"},{"key":"ref7","author":"lynch","year":"2016","journal-title":"Multigrain-point of sale attackers make an unhealthy addition to the pantry"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM.2008.17"},{"key":"ref9","author":"neumann","year":"2018","journal-title":"UDPoS&#x2014;Exfiltrating Credit Card Data via DNS"},{"key":"ref46","author":"mendieta","year":"2016","journal-title":"Three Month FrameworkPOS Malware Campaign Nabs 43 000 Credit Cards from Point of Sale Systems"},{"key":"ref45","author":"lee","year":"2016","journal-title":"Detecting DNS Data Exfiltration"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.3390\/e19080422"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1002\/j.1538-7305.1948.tb01338.x"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-15986-3_11"},{"key":"ref41","year":"2018","journal-title":"Top 1 million website in the world"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.17487\/rfc1035"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom\/BigDataSE.2018.00242"}],"container-title":["IEEE Transactions on Network and Service Management"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/4275028\/9032249\/08832271.pdf?arnumber=8832271","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,4,27]],"date-time":"2022-04-27T17:05:01Z","timestamp":1651079101000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/8832271\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,3]]},"references-count":61,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.1109\/tnsm.2019.2940735","relation":{},"ISSN":["1932-4537","2373-7379"],"issn-type":[{"value":"1932-4537","type":"electronic"},{"value":"2373-7379","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,3]]}}}