{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,23]],"date-time":"2026-04-23T10:50:46Z","timestamp":1776941446012,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":51,"publisher":"ACM","license":[{"start":{"date-parts":[[2013,11,4]],"date-time":"2013-11-04T00:00:00Z","timestamp":1383523200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2013,11,4]]},"DOI":"10.1145\/2517312.2517316","type":"proceedings-article","created":{"date-parts":[[2013,11,12]],"date-time":"2013-11-12T15:29:36Z","timestamp":1384270176000},"page":"67-76","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":55,"title":["A close look on\n            <i>n<\/i>\n            -grams in intrusion detection"],"prefix":"10.1145","author":[{"given":"Christian","family":"Wressnegger","sequence":"first","affiliation":[{"name":"idalab GmbH, Berlin, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Guido","family":"Schwenk","sequence":"additional","affiliation":[{"name":"Berlin University of Technology, Berlin, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Daniel","family":"Arp","sequence":"additional","affiliation":[{"name":"University of G\u00f6ttingen, G\u00f6ttingen, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Konrad","family":"Rieck","sequence":"additional","affiliation":[{"name":"University of G\u00f6ttingen, G\u00f6ttingen, 
Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2013,11,4]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/362686.362692"},{"key":"e_1_3_2_1_2_1","volume-title":"Proc. of USENIX Security Symposium","author":"Caballero J.","year":"2011","unstructured":"Caballero , J. , Grier , C. , Kreibich , C. , and Paxson , V . Measuring pay-per-install: The commoditization of malware distribution . In Proc. of USENIX Security Symposium ( 2011 ). Caballero, J., Grier, C., Kreibich, C., and Paxson, V. Measuring pay-per-install: The commoditization of malware distribution. In Proc. of USENIX Security Symposium (2011)."},{"key":"e_1_3_2_1_3_1","first-page":"161","volume-title":"Proc. of SDAIR","author":"Cavnar W.","year":"1994","unstructured":"Cavnar , W. , and Trenkle , J . N-gram-based text categorization . In Proc. of SDAIR ( Las Vegas, NV, USA. , Apr. 1994 ), pp. 161 -- 175 . Cavnar, W., and Trenkle, J. N-gram-based text categorization. In Proc. of SDAIR (Las Vegas, NV, USA., Apr. 1994), pp. 161--175."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/1772690.1772720"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2008.11"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1126\/science.267.5199.843"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/1774088.1774482"},{"key":"e_1_3_2_1_8_1","volume-title":"Pattern classification","author":"Duda R., P.E.","year":"2001","unstructured":"Duda , R., P.E. Hart , and D.G. Stork . Pattern classification , second ed. John Wiley & Sons , 2001 . Duda, R., P.E.Hart, and D.G.Stork. Pattern classification, second ed. John Wiley & Sons, 2001."},{"key":"e_1_3_2_1_9_1","volume-title":"Applications of Data Mining in Computer Security","author":"Eskin E.","year":"2002","unstructured":"Eskin , E. , Arnold , A. , Prerau , M. , Portnoy , L. , and Stolfo , S . 
Applications of Data Mining in Computer Security . Kluwer , 2002 , ch. A geometric framework for unsupervised anomaly detection: detecting intrusions in unlabeled data. Eskin, E., Arnold, A., Prerau, M., Portnoy, L., and Stolfo, S. Applications of Data Mining in Computer Security. Kluwer, 2002, ch. A geometric framework for unsupervised anomaly detection: detecting intrusions in unlabeled data."},{"key":"e_1_3_2_1_10_1","first-page":"241","volume-title":"Proc. of USENIX Security Symposium","author":"Fogla P.","year":"2006","unstructured":"Fogla , P. , Sharif , M. , Perdisci , R. , Kolesnikov , O. , and Lee , W . Polymorphic blending attacks . In Proc. of USENIX Security Symposium ( 2006 ), pp. 241 -- 256 . Fogla, P., Sharif, M., Perdisci, R., Kolesnikov, O., and Lee, W. Polymorphic blending attacks. In Proc. of USENIX Security Symposium (2006), pp. 241--256."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.5555\/1947337.1947356"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315292"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/1278940.1278945"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.5555\/647593.728880"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-33338-5_18"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"crossref","unstructured":"Hofmeyr S. Forrest S. and Somayaji A. Intrusion detection using sequences of system calls. 151--180.   Hofmeyr S. Forrest S. and Somayaji A. Intrusion detection using sequences of system calls. 
151--180.","DOI":"10.3233\/JCS-980109"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.5555\/1776434.1776439"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.33"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-37300-8_6"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.13"},{"key":"e_1_3_2_1_21_1","volume-title":"Learning to detect and classify malicious executables in the wild. Journal of Machine Learning Research (JMLR)","author":"Kolter J.","year":"2006","unstructured":"Kolter , J. , and Maloof , M . Learning to detect and classify malicious executables in the wild. Journal of Machine Learning Research (JMLR) ( 2006 ). Kolter, J., and Maloof, M. Learning to detect and classify malicious executables in the wild. Journal of Machine Learning Research (JMLR) (2006)."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-39650-5_19"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/508791.508835"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2076732.2076785"},{"key":"e_1_3_2_1_25_1","first-page":"50","volume-title":"Proc. of AAAI Workshop on Fraud Detection and Risk Management","author":"Lee W.","year":"1997","unstructured":"Lee , W. , Stolfo , S. , and Chan , P . Learning patterns from unix process execution traces for intrusion detection . In Proc. of AAAI Workshop on Fraud Detection and Risk Management ( Providence, RI, USA , 1997 ), pp. 50 -- 56 . Lee, W., Stolfo, S., and Chan, P. Learning patterns from unix process execution traces for intrusion detection. In Proc. of AAAI Workshop on Fraud Detection and Risk Management (Providence, RI, USA, 1997), pp. 50--56."},{"key":"e_1_3_2_1_26_1","first-page":"130","volume-title":"Proceedings of the 2001 IEEE Symposium on Security and Privacy (2001), Proc. of IEEE Symposium on Security and Privacy","author":"Lee W.","unstructured":"Lee , W. 
, and Xiang , D . Information-theoretic measures for anomaly detection . In Proceedings of the 2001 IEEE Symposium on Security and Privacy (2001), Proc. of IEEE Symposium on Security and Privacy , pp. 130 -- 143 . Lee, W., and Xiang, D. Information-theoretic measures for anomaly detection. In Proceedings of the 2001 IEEE Symposium on Security and Privacy (2001), Proc. of IEEE Symposium on Security and Privacy, pp. 130--143."},{"key":"e_1_3_2_1_27_1","volume-title":"Results of the DARPA 1998 offline intrusion detection evaluation. In Recent Advances in Intrusion Detection (RAID)","author":"Lippmann R.","year":"1999","unstructured":"Lippmann , R. , Cunningham , R. , Fried , D. , Kendall , K. , Webster , S. , and Zissman , M . Results of the DARPA 1998 offline intrusion detection evaluation. In Recent Advances in Intrusion Detection (RAID) ( 1999 ). Lippmann, R., Cunningham, R., Fried, D., Kendall, K., Webster, S., and Zissman, M. Results of the DARPA 1998 offline intrusion detection evaluation. In Recent Advances in Intrusion Detection (RAID) (1999)."},{"key":"e_1_3_2_1_28_1","first-page":"220","volume-title":"Recent Advances in Intrusion Detection (RAID)","author":"Mahoney M.","year":"2004","unstructured":"Mahoney , M. , and Chan , P . An analysis of the 1999 DARPA\/Lincoln Laboratory evaluation data for network anomaly detection . In Recent Advances in Intrusion Detection (RAID) ( 2004 ), pp. 220 -- 237 . Mahoney, M., and Chan, P. An analysis of the 1999 DARPA\/Lincoln Laboratory evaluation data for network anomaly detection. In Recent Advances in Intrusion Detection (RAID) (2004), pp. 220--237."},{"key":"e_1_3_2_1_29_1","volume-title":"Syngress","author":"Maynor K.","year":"2007","unstructured":"Maynor , K. , Mookhey , K. , Cervini , J., F., R. , and Beaver , K . Metasploit Toolkit . Syngress , 2007 . Maynor, K., Mookhey, K., Cervini, J., F., R., and Beaver, K. Metasploit Toolkit. 
Syngress, 2007."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"crossref","unstructured":"McHugh J. Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. 262--294.  McHugh J. Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. 262--294.","DOI":"10.1145\/382912.382923"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/863955.863994"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2008.11.011"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM.2006.165"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.patrec.2008.06.016"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2008.22"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"crossref","unstructured":"Reddy D. K. S. and Pujari A. K. N-gram analysis for computer virus detection. 231--239.  Reddy D. K. S. and Pujari A. K. N-gram analysis for computer virus detection. 231--239.","DOI":"10.1007\/s11416-006-0027-8"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/1920261.1920267"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1007\/11790754_5"},{"key":"e_1_3_2_1_39_1","volume-title":"Automatic analysis of malware behavior using machine learning. Journal of Computer Security (JCS) 19, 4 (June","author":"Rieck K.","year":"2011","unstructured":"Rieck , K. , Trinius , P. , Willems , C. , and Holz , T . Automatic analysis of malware behavior using machine learning. Journal of Computer Security (JCS) 19, 4 (June 2011 ), 639--668. Rieck, K., Trinius, P., Willems, C., and Holz, T. Automatic analysis of malware behavior using machine learning. 
Journal of Computer Security (JCS) 19, 4 (June 2011), 639--668."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1162\/089976601750264965"},{"key":"e_1_3_2_1_41_1","volume-title":"Learning with Kernels","author":"Sch\u00f6lkopf B.","year":"2002","unstructured":"Sch\u00f6lkopf , B. , and Smola , A . Learning with Kernels . MIT Press , Cambridge, MA , 2002 . Sch\u00f6lkopf, B., and Smola, A. Learning with Kernels. MIT Press, Cambridge, MA, 2002."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2381896.2381911"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.5555\/975545"},{"key":"e_1_3_2_1_44_1","volume-title":"Journal of Machine Learning Research (JMLR)","author":"Shi Q.","year":"2009","unstructured":"Shi , Q. , Petterson , J. , Dror , G. , Langford , J. , Smola , A. , and Vishwanathan , S . Hash kernels for structured data . Journal of Machine Learning Research (JMLR) 10, Nov ( 2009 ), 2615--2637. Shi, Q., Petterson, J., Dror, G., Langford, J., Smola, A., and Vishwanathan, S. Hash kernels for structured data. Journal of Machine Learning Research (JMLR) 10, Nov (2009), 2615--2637."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.25"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/TPAMI.1979.4766902"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.5555\/829514.830544"},{"key":"e_1_3_2_1_48_1","volume-title":"Proc. of ACM Conference on Computer and Communications Security (CCS).","author":"Wagner D.","unstructured":"Wagner , D. , and Soto , P . In Proc. of ACM Conference on Computer and Communications Security (CCS). Wagner, D., and Soto, P. In Proc. 
of ACM Conference on Computer and Communications Security (CCS)."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1007\/11856214_12"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-30143-1_11"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1999.766910"}],"event":{"name":"CCS'13: 2013 ACM SIGSAC Conference on Computer and Communications Security","location":"Berlin Germany","acronym":"CCS'13","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2013 ACM workshop on Artificial intelligence and security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2517312.2517316","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2517312.2517316","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T08:19:08Z","timestamp":1750234748000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2517312.2517316"}},"subtitle":["anomaly detection vs. classification"],"short-title":[],"issued":{"date-parts":[[2013,11,4]]},"references-count":51,"alternative-id":["10.1145\/2517312.2517316","10.1145\/2517312"],"URL":"https:\/\/doi.org\/10.1145\/2517312.2517316","relation":{},"subject":[],"published":{"date-parts":[[2013,11,4]]},"assertion":[{"value":"2013-11-04","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}