{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,7]],"date-time":"2026-03-07T19:50:00Z","timestamp":1772913000159,"version":"3.50.1"},"reference-count":58,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"1","license":[{"start":{"date-parts":[[2021,3,1]],"date-time":"2021-03-01T00:00:00Z","timestamp":1614556800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2021,3,1]],"date-time":"2021-03-01T00:00:00Z","timestamp":1614556800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2021,3,1]],"date-time":"2021-03-01T00:00:00Z","timestamp":1614556800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"Australian Defence Science and Technology Group"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Netw. Serv. Manage."],"published-print":{"date-parts":[[2021,3]]},"DOI":"10.1109\/tnsm.2021.3050091","type":"journal-article","created":{"date-parts":[[2021,1,9]],"date-time":"2021-01-09T20:28:55Z","timestamp":1610224135000},"page":"1031-1048","source":"Crossref","is-referenced-by-count":38,"title":["Hierarchical Anomaly-Based Detection of Distributed DNS Attacks on Enterprise Networks"],"prefix":"10.1109","volume":"18","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-8677-248X","authenticated-orcid":false,"given":"Minzhao","family":"Lyu","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9333-7635","authenticated-orcid":false,"given":"Hassan Habibi","family":"Gharakheili","sequence":"additional","affiliation":[]},{"given":"Craig","family":"Russell","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7985-6765","authenticated-orcid":false,"given":"Vijay","family":"Sivaraman","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref39","year":"2018","journal-title":"NoviSwitch™ 2122 High Performance OpenFlow Switch"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2005.35"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-15986-3_9"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1145\/2523426.2534976"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978306"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/2133360.2133363"},{"key":"ref37","first-page":"393","article-title":"Rampart: Protecting Web applications from CPU-exhaustion denial-of-service attacks","author":"meng","year":"2018","journal-title":"Proc Usenix Security"},{"key":"ref36","first-page":"139","article-title":"One-class SVMs for document classification","volume":"2","author":"manevitz","year":"2002","journal-title":"J Mach Learn Res"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2017.02.007"},{"key":"ref34","first-page":"1093","article-title":"Understanding the Mirai Botnet","author":"antonakakis","year":"2017","journal-title":"Proc Usenix Security"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978387"},{"key":"ref27","first-page":"1113","article-title":"Who is answering my queries: Understanding and characterizing interception of the DNS resolution path","author":"liu","year":"2018","journal-title":"Proc Usenix Security"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM.2008.17"},{"key":"ref2","first-page":"1","article-title":"Detecting malware domains at the upper DNS hierarchy","author":"antonakakis","year":"2011","journal-title":"Proc Usenix Security"},{"key":"ref1","year":"2017","journal-title":"Threat advisory Mirai botnet"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/TNET.2017.2724506"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.17487\/RFC8484"},{"key":"ref21","author":"greene","year":"2016","journal-title":"How the Dyn DDoS Attack Unfolded"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/2815675.2815683"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978293"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243862"},{"key":"ref25","first-page":"19","article-title":"Offloading real-time DDoS attack detection to programmable data planes","author":"lapolli","year":"2019","journal-title":"Proc IFIP\/IEEE im"},{"key":"ref50","year":"2018","journal-title":"IP Reputation Investigation"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/2663716.2663731"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00470-5_8"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24007"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-73614-1_8"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1109\/SURV.2013.031413.00127"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23200"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1080\/00401706.1962.10490022"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2015.47"},{"key":"ref10","year":"2016","journal-title":"Overcoming the DNS Blind Spot"},{"key":"ref11","year":"2018","journal-title":"Strategies to Protect Against Distributed Denial of Service Attacks"},{"key":"ref40","first-page":"1","article-title":"IoTPOT: Analysing the rise of IoT compromises","author":"pa","year":"2015","journal-title":"Proc USENIX WOOT"},{"key":"ref12","first-page":"1","article-title":"Recursive DNS architectures and vulnerability implications","author":"dagon","year":"2009","journal-title":"Proc NDSS"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/586110.586136"},{"key":"ref14","first-page":"245","article-title":"The ever-changing labyrinth: A large-scale analysis of wildcard DNS powered blackhat SEO","author":"du","year":"2016","journal-title":"Proc Usenix Security"},{"key":"ref15","first-page":"605","article-title":"ZMap: Fast Internet-wide scanning and its security applications","author":"durumeric","year":"2013","journal-title":"Proc Usenix Security"},{"key":"ref16","year":"2020","journal-title":"EfficientIP and IDC DNS Attacks Cost Nearly $1 Million Each Increasingly Impacting the Cloud"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2016.03.028"},{"key":"ref18","first-page":"817","article-title":"Bohatei: Flexible and elastic DDoS defense","author":"fayaz","year":"2015","journal-title":"Proc Usenix Security"},{"key":"ref19","year":"2018","journal-title":"Verisign DDoS Protection Services"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.17487\/rfc4033"},{"key":"ref3","first-page":"491","article-title":"From throw-away traffic to bots: Detecting the rise of DGA-based malware","author":"antonakakis","year":"2012","journal-title":"Proc Usenix Security"},{"key":"ref6","first-page":"1","article-title":"Towards IoT-DDoS prevention using edge computing","author":"bhardwaj","year":"2018","journal-title":"Proc USENIX HotEdge"},{"key":"ref5","author":"asghari","year":"2020","journal-title":"Offline IP Address to Autonomous System Number Lookup Module"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2014.61"},{"key":"ref7","first-page":"1","article-title":"Optimizing recurrent pulsing attacks using application-layer amplification of open DNS resolvers","author":"bushart","year":"2018","journal-title":"Proc USENIX WOOT"},{"key":"ref49","year":"2019","journal-title":"The continued rise of ddos attacks"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/3131365.3131373"},{"key":"ref46","first-page":"171","article-title":"LADS: Large-scale automated DDOS detection system","author":"sekar","year":"2006","journal-title":"Proc USENIX ATC"},{"key":"ref45","first-page":"1165","article-title":"FANCI: Feature-based automated NXDomain classification and intelligence","author":"sch\u00fcppen","year":"2018","journal-title":"Proc Usenix Security"},{"key":"ref48","year":"2018","journal-title":"Sophos XG Firewall How to Prevent DoS and DDoS Attacks"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.25"},{"key":"ref42","year":"2018","journal-title":"DoS and Zone Protection Best Practices"},{"key":"ref41","year":"2018","journal-title":"PA-3000 Series Datasheet"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23233"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1145\/2566486.2567993"}],"container-title":["IEEE Transactions on Network and Service Management"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/4275028\/9374858\/09316919.pdf?arnumber=9316919","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,10]],"date-time":"2022-05-10T14:52:38Z","timestamp":1652194358000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9316919\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,3]]},"references-count":58,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.1109\/tnsm.2021.3050091","relation":{},"ISSN":["1932-4537","2373-7379"],"issn-type":[{"value":"1932-4537","type":"electronic"},{"value":"2373-7379","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,3]]}}}