{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,8]],"date-time":"2026-04-08T09:00:25Z","timestamp":1775638825253,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":41,"publisher":"ACM","license":[{"start":{"date-parts":[[2013,12,9]],"date-time":"2013-12-09T00:00:00Z","timestamp":1386547200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000144","name":"Division of Computer and Network Systems","doi-asserted-by":"publisher","award":["CNS-1116777"],"award-info":[{"award-number":["CNS-1116777"]}],"id":[{"id":"10.13039\/100000144","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2013,12,9]]},"DOI":"10.1145\/2523649.2523670","type":"proceedings-article","created":{"date-parts":[[2014,1,6]],"date-time":"2014-01-06T20:44:07Z","timestamp":1389041047000},"page":"199-208","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":216,"title":["Beehive"],"prefix":"10.1145","author":[{"given":"Ting-Fang","family":"Yen","sequence":"first","affiliation":[{"name":"RSA Laboratories, Cambridge, MA"}]},{"given":"Alina","family":"Oprea","sequence":"additional","affiliation":[{"name":"RSA Laboratories, Cambridge, MA"}]},{"given":"Kaan","family":"Onarlioglu","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA"}]},{"given":"Todd","family":"Leetham","sequence":"additional","affiliation":[{"name":"EMC Corp, Hopkinton, MA"}]},{"given":"William","family":"Robertson","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA"}]},{"given":"Ari","family":"Juels","sequence":"additional","affiliation":[{"name":"RSA Laboratories, Cambridge, MA"}]},{"given":"Engin","family":"Kirda","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA"}]}],"member":"320","published-online":{"date-parts":[[2013,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"OSSEC -- Open Source Security. http:\/\/www.ossec.net. OSSEC -- Open Source Security. http:\/\/www.ossec.net."},{"key":"e_1_3_2_1_2_1","unstructured":"Snort. http:\/\/www.snort.org. Snort. http:\/\/www.snort.org."},{"key":"e_1_3_2_1_3_1","unstructured":"The Bro Network Security Monitor. http:\/\/www.bro.org\/. The Bro Network Security Monitor. http:\/\/www.bro.org\/."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/1177080.1177086"},{"key":"e_1_3_2_1_5_1","volume-title":"USENIX Security","author":"Antonakakis M.","year":"2010","unstructured":"M. Antonakakis , R. Perdisci , D. Dagon , W. Lee , and N. Feamster . Building a Dynamic Reputation System for DNS . In USENIX Security , 2010 . M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and N. Feamster. Building a Dynamic Reputation System for DNS. In USENIX Security, 2010."},{"key":"e_1_3_2_1_6_1","volume-title":"USENIX Security","author":"Antonakakis M.","year":"2011","unstructured":"M. Antonakakis , R. Perdisci , W. Lee , N. Vasiloglou , II, and D. Dagon . Detecting Malware Domains at the Upper DNS Hierarchy . In USENIX Security , 2011 . M. Antonakakis, R. Perdisci, W. Lee, N. Vasiloglou, II, and D. Dagon. Detecting Malware Domains at the Upper DNS Hierarchy. In USENIX Security, 2011."},{"key":"e_1_3_2_1_7_1","volume-title":"USENIX Security","author":"Antonakakis M.","year":"2012","unstructured":"M. Antonakakis , R. Perdisci , Y. Nadji , N. Vasiloglou , S. Abu-Nimeh , W. Lee , and D. Dagon . From Throw-away Traffic to Bots: Detecting the Rise of DGA-based Malware . In USENIX Security , 2012 . M. Antonakakis, R. Perdisci, Y. Nadji, N. Vasiloglou, S. Abu-Nimeh, W. Lee, and D. Dagon. From Throw-away Traffic to Bots: Detecting the Rise of DGA-based Malware. In USENIX Security, 2012."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420969"},{"key":"e_1_3_2_1_9_1","volume-title":"NDSS","author":"Bilge L.","year":"2011","unstructured":"L. Bilge , E. Kirda , K. Christopher , and M. Balduzzi . EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis . In NDSS , 2011 . L. Bilge, E. Kirda, K. Christopher, and M. Balduzzi. EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis. In NDSS, 2011."},{"key":"e_1_3_2_1_10_1","volume-title":"USENIX SRUTI","author":"Binkley J. R.","year":"2006","unstructured":"J. R. Binkley and S. Singh . An Algorithm for Anomaly-based Botnet Detection . In USENIX SRUTI , 2006 . J. R. Binkley and S. Singh. An Algorithm for Anomaly-based Botnet Detection. In USENIX SRUTI, 2006."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/1644893.1644897"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1269880.1269886"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.5555\/1317531.1317931"},{"key":"e_1_3_2_1_14_1","volume-title":"USENIX SRUTI","author":"Cooke E.","year":"2005","unstructured":"E. Cooke , F. Jahanian , and D. McPherson . The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets . In USENIX SRUTI , 2005 . E. Cooke, F. Jahanian, and D. McPherson. The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets. In USENIX SRUTI, 2005."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/1352664.1352675"},{"key":"e_1_3_2_1_16_1","volume-title":"IFIP TC 6 Networking Conf.","author":"Fran\u00e7ois J.","year":"2011","unstructured":"J. Fran\u00e7ois , S. Wang , R. State , and T. Engel . BotTrack: Tracking Botnets Using NetFlow and PageRank . In IFIP TC 6 Networking Conf. , 2011 . J. Fran\u00e7ois, S. Wang, R. State, and T. Engel. BotTrack: Tracking Botnets Using NetFlow and PageRank. In IFIP TC 6 Networking Conf., 2011."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1007\/11555827_19"},{"key":"e_1_3_2_1_18_1","volume-title":"USENIX Security","author":"Gu G.","year":"2008","unstructured":"G. Gu , R. Perdisci , J. Zhang , and W. Lee . BotMiner: Clustering Analysis of Network Traffic for Protocol-and Structure-independent Botnet Detection . In USENIX Security , 2008 . G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: Clustering Analysis of Network Traffic for Protocol-and Structure-independent Botnet Detection. In USENIX Security, 2008."},{"key":"e_1_3_2_1_19_1","volume-title":"USENIX Security","author":"Gu G.","year":"2007","unstructured":"G. Gu , P. Porras , V. Yegneswaran , M. Fong , and W. Lee . BotHunter: Detecting Malware Infection Through IDS-driven Dialog Correlation . In USENIX Security , 2007 . G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee. BotHunter: Detecting Malware Infection Through IDS-driven Dialog Correlation. In USENIX Security, 2007."},{"key":"e_1_3_2_1_20_1","volume-title":"NDSS","author":"Gu G.","year":"2008","unstructured":"G. Gu , J. Zhang , and W. Lee . BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic . In NDSS , 2008 . G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. In NDSS, 2008."},{"key":"e_1_3_2_1_21_1","volume-title":"NDSS","author":"Holz T.","year":"2008","unstructured":"T. Holz , C. Gorecki , K. Rieck , and F. C. Freiling . Measuring and Detecting Fast-Flux Service Networks . In NDSS , 2008 . T. Holz, C. Gorecki, K. Rieck, and F. C. Freiling. Measuring and Detecting Fast-Flux Service Networks. In NDSS, 2008."},{"key":"e_1_3_2_1_22_1","volume-title":"USENIX NSDI","author":"John J. P.","year":"2009","unstructured":"J. P. John , A. Moshchuk , S. D. Gribble , and A. Krishnamurthy . Studying Spamming Botnets Using Botlab . In USENIX NSDI , 2009 . J. P. John, A. Moshchuk, S. D. Gribble, and A. Krishnamurthy. Studying Spamming Botnets Using Botlab. In USENIX NSDI, 2009."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4757-1904-8"},{"key":"e_1_3_2_1_24_1","volume-title":"USENIX HotBots","author":"Karasaridis A.","year":"2007","unstructured":"A. Karasaridis , B. Rexroad , and D. Hoeflin . Wide-scale Botnet Detection and Characterization . In USENIX HotBots , 2007 . A. Karasaridis, B. Rexroad, and D. Hoeflin. Wide-scale Botnet Detection and Characterization. In USENIX HotBots, 2007."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"crossref","DOI":"10.1002\/9780470316801","volume-title":"Finding Groups in Data. An Introduction to Cluster Analysis","author":"Kaufman L.","year":"1990","unstructured":"L. Kaufman and P. J. Rousseeuw . Finding Groups in Data. An Introduction to Cluster Analysis . Wiley , 1990 . L. Kaufman and P. J. Rousseeuw. Finding Groups in Data. An Introduction to Cluster Analysis. Wiley, 1990."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/SMCSIA.2003.1232406"},{"key":"e_1_3_2_1_27_1","volume-title":"IEEE LCN","author":"Livadas C.","year":"2006","unstructured":"C. Livadas , R. Walsh , D. Lapsley , and W. Strayer . Using Machine Learning Techniques to Identify Botnet Traffic . In IEEE LCN , 2006 . C. Livadas, R. Walsh, D. Lapsley, and W. Strayer. Using Machine Learning Techniques to Identify Botnet Traffic. In IEEE LCN, 2006."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/1557019.1557153"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2008.4690854"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70542-0_10"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2009.36"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/1159913.1159947"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-87357-0_2"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653738"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/LCN.2006.322100"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/1529282.1529734"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/WETICE.2005.35"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/1879141.1879148"},{"key":"e_1_3_2_1_39_1","volume-title":"SECURECOMM","author":"Yadav S.","year":"2011","unstructured":"S. Yadav and A. N. Reddy . Winning With DNS Failures: Strategies for Faster Botnet Detection . In SECURECOMM , 2011 . S. Yadav and A. N. Reddy. Winning With DNS Failures: Strategies for Faster Botnet Detection. In SECURECOMM, 2011."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70542-0_11"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2012.6263961"}],"event":{"name":"ACSAC '13: Annual Computer Security Applications Conference","location":"New Orleans Louisiana USA","acronym":"ACSAC '13","sponsor":["ACSA Applied Computing Security Assoc"]},"container-title":["Proceedings of the 29th Annual Computer Security Applications Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2523649.2523670","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2523649.2523670","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T07:34:03Z","timestamp":1750232043000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2523649.2523670"}},"subtitle":["large-scale log analysis for detecting suspicious activity in enterprise networks"],"short-title":[],"issued":{"date-parts":[[2013,12,9]]},"references-count":41,"alternative-id":["10.1145\/2523649.2523670","10.1145\/2523649"],"URL":"https:\/\/doi.org\/10.1145\/2523649.2523670","relation":{},"subject":[],"published":{"date-parts":[[2013,12,9]]},"assertion":[{"value":"2013-12-09","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}