{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T09:37:43Z","timestamp":1774517863672,"version":"3.50.1"},"reference-count":47,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2014,4,1]],"date-time":"2014-04-01T00:00:00Z","timestamp":1396310400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2014,4]]},"abstract":"<jats:p>A wide range of malicious activities rely on the domain name service (DNS) to manage their large, distributed networks of infected machines. As a consequence, the monitoring and analysis of DNS queries has recently been proposed as one of the most promising techniques to detect and blacklist domains involved in malicious activities (e.g., phishing, spam, botnets command-and-control, etc.). EXPOSURE is a system we designed to detect such domains in real time, by applying 15 unique features grouped in four categories.<\/jats:p>\n          <jats:p>\n            We conducted a controlled experiment with a large, real-world dataset consisting of billions of DNS requests. The extremely positive results obtained in the tests convinced us to implement our techniques and deploy it as a free, online service. In this article, we present the\n            <jats:sc>Exposure<\/jats:sc>\n            system and describe the results and lessons learned from 17 months of its operation. Over this amount of time, the service detected over 100K malicious domains. The statistics about the time of usage, number of queries, and target IP addresses of each domain are also published on a daily basis on the service Web page.\n          <\/jats:p>","DOI":"10.1145\/2584679","type":"journal-article","created":{"date-parts":[[2014,5,7]],"date-time":"2014-05-07T12:48:53Z","timestamp":1399466933000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":255,"title":["Exposure"],"prefix":"10.1145","volume":"16","author":[{"given":"Leyla","family":"Bilge","sequence":"first","affiliation":[{"name":"Symantec Research"}]},{"given":"Sevil","family":"Sen","sequence":"additional","affiliation":[{"name":"Hacettepe University"}]},{"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[{"name":"Eurecom"}]},{"given":"Engin","family":"Kirda","sequence":"additional","affiliation":[{"name":"Northeastern University"}]},{"given":"Christopher","family":"Kruegel","sequence":"additional","affiliation":[{"name":"University of California, Santa Barbara"}]}],"member":"320","published-online":{"date-parts":[[2014,4]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Alexa. 2009. Alexa web information company. http:\/\/www.alexa.com\/topsites\/.  Alexa. 2009. Alexa web information company. http:\/\/www.alexa.com\/topsites\/."},{"key":"e_1_2_1_2_1","unstructured":"Amini B. 2008. Kraken botnet infiltration. http:\/\/dvlabs.tippingpoint.com\/blog\/2008\/04\/28\/kraken-botnet-infiltration.  Amini B. 2008. Kraken botnet infiltration. http:\/\/dvlabs.tippingpoint.com\/blog\/2008\/04\/28\/kraken-botnet-infiltration."},{"key":"e_1_2_1_3_1","volume-title":"Proceedings of the 19th Usenix Security Symposium.","author":"Antonakakis M.","unstructured":"Antonakakis , M. , Perdisci , R. , Dagon , D. , Lee , W. , and Feamster , N . 2010. Building a dynamic reputation system for DNS . In Proceedings of the 19th Usenix Security Symposium. Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., and Feamster, N. 2010. Building a dynamic reputation system for DNS. In Proceedings of the 19th Usenix Security Symposium."},{"key":"e_1_2_1_4_1","volume-title":"Proceedings of the 20th Usenix Security Symposium.","author":"Antonakakis M.","unstructured":"Antonakakis , M. , Perdisci , R. , Lee , W. , Vasiloglou , N. , and Dagon , D . 2011. Detecting malware domains at the upper DNS hierarchy . In Proceedings of the 20th Usenix Security Symposium. Antonakakis, M., Perdisci, R., Lee, W., Vasiloglou, N., and Dagon, D. 2011. Detecting malware domains at the upper DNS hierarchy. In Proceedings of the 20th Usenix Security Symposium."},{"key":"e_1_2_1_5_1","volume-title":"Proceedings of the 21st Usenix Security Symposium.","author":"Antonakakis M.","unstructured":"Antonakakis , M. , Perdisci , R. , Nadji , Y. , Vasiloglou , N. , Abu-Nimeh , S. , Lee , W. , and Dagon , D . 2012. From throw-away traffic to bots: Detecting the rise of dga-based malware . In Proceedings of the 21st Usenix Security Symposium. Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., and Dagon, D. 2012. From throw-away traffic to bots: Detecting the rise of dga-based malware. In Proceedings of the 21st Usenix Security Symposium."},{"key":"e_1_2_1_6_1","unstructured":"Basseville M. and Nikiforov I. V. 1993. Detection of Abrupt Changes - Theory and Application. Prentice-Hall.   Basseville M. and Nikiforov I. V. 1993. Detection of Abrupt Changes - Theory and Application . Prentice-Hall."},{"key":"e_1_2_1_7_1","volume-title":"Proceedings of the 15th EICAR Conference.","author":"Bayer U.","unstructured":"Bayer , U. , Kruegel , C. , and Kirda , E . 2006. TTAnalyze: A tool for analyzing malware . In Proceedings of the 15th EICAR Conference. Bayer, U., Kruegel, C., and Kirda, E. 2006. TTAnalyze: A tool for analyzing malware. In Proceedings of the 15th EICAR Conference."},{"key":"e_1_2_1_8_1","unstructured":"Berkhin P. 2002. Survey of clustering data mining techniques. Tech. rep. http:\/\/www.cc.gatech.edu\/~isbell\/classes\/reading\/papers\/berkhin02survey.pdf.  Berkhin P. 2002. Survey of clustering data mining techniques. Tech. rep. http:\/\/www.cc.gatech.edu\/~isbell\/classes\/reading\/papers\/berkhin02survey.pdf."},{"key":"e_1_2_1_9_1","volume-title":"Proceedings of the Annual Network and Distributed System Security Symposium (NDSS\u201911)","author":"Bilge L.","unstructured":"Bilge , L. , Kirda , E. , Kruegel , C. , and Balduzzi , M . 2011. Exposure: Finding malicious domains using passive DNS analysis . In Proceedings of the Annual Network and Distributed System Security Symposium (NDSS\u201911) . Bilge, L., Kirda, E., Kruegel, C., and Balduzzi, M. 2011. Exposure: Finding malicious domains using passive DNS analysis. In Proceedings of the Annual Network and Distributed System Security Symposium (NDSS\u201911)."},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0031-3203(96)00142-2"},{"key":"e_1_2_1_11_1","volume-title":"Proceedings of the 7th IEEE International Conference on Computer and Information Technologies.","author":"Choi H.","unstructured":"Choi , H. , Lee , H. , and Kim , H . 2007. Botnet detection by monitoring group activities in DNS traffic . In Proceedings of the 7th IEEE International Conference on Computer and Information Technologies. Choi, H., Lee, H., and Kim, H. 2007. Botnet detection by monitoring group activities in DNS traffic. In Proceedings of the 7th IEEE International Conference on Computer and Information Technologies."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1137\/1.9781611972726.12"},{"key":"e_1_2_1_13_1","unstructured":"Cova M. 2013. Wepawet. http:\/\/wepawet.iseclab.org\/.  Cova M. 2013. Wepawet. http:\/\/wepawet.iseclab.org\/."},{"key":"e_1_2_1_14_1","unstructured":"DNS. 2010. DNSBL - Spam database lookup. http:\/\/www.dnsbl.info\/.  DNS. 2010. DNSBL - Spam database lookup. http:\/\/www.dnsbl.info\/."},{"key":"e_1_2_1_15_1","unstructured":"Domains M. 2009. Malware domain block list. http:\/\/www.malwaredomains.com\/.  Domains M. 2009. Malware domain block list. http:\/\/www.malwaredomains.com\/."},{"key":"e_1_2_1_16_1","unstructured":"ECJ. 2012. ecj20: A java-based evolutionary computation research system. http:\/\/cs.gmu.edu\/eclab\/projects\/ecj\/.  ECJ. 2012. ecj20: A java-based evolutionary computation research system. http:\/\/cs.gmu.edu\/eclab\/projects\/ecj\/."},{"key":"e_1_2_1_17_1","volume-title":"Proceedings of the 3rd USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET\u201910)","author":"Felegyhazi M.","unstructured":"Felegyhazi , M. , Kreibich , C. , and Paxson , V . 2010. On the potential of proactive domain blacklisting . In Proceedings of the 3rd USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET\u201910) . Felegyhazi, M., Kreibich, C., and Paxson, V. 2010. On the potential of proactive domain blacklisting. In Proceedings of the 3rd USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET\u201910)."},{"key":"e_1_2_1_18_1","unstructured":"Google. 2010. Google safe browsing. http:\/\/www.google.com\/tools\/firefox\/safebrowsing\/.  Google. 2010. Google safe browsing. http:\/\/www.google.com\/tools\/firefox\/safebrowsing\/."},{"key":"e_1_2_1_19_1","volume-title":"Proceedings of the Annual Network and Distributed System Security Symposium (NDSS\u201908)","author":"Holz T.","unstructured":"Holz , T. , Gorecki , C. , Rieck , K. , and Freiling , F . 2008. Measuring and detecting fast-flux service networks . In Proceedings of the Annual Network and Distributed System Security Symposium (NDSS\u201908) . Holz, T., Gorecki, C., Rieck, K., and Freiling, F. 2008. Measuring and detecting fast-flux service networks. In Proceedings of the Annual Network and Distributed System Security Symposium (NDSS\u201908)."},{"key":"e_1_2_1_20_1","unstructured":"ISC. 2010. Internet systems consortium. https:\/\/sie.isc.org\/.  ISC. 2010. Internet systems consortium. https:\/\/sie.isc.org\/."},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/375663.375680"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-00975-4_22"},{"key":"e_1_2_1_23_1","unstructured":"List M. D. 2009a. Malware domains list. http:\/\/www.malwaredomainlist.com\/mdl.php.  List M. D. 2009a. Malware domains list. http:\/\/www.malwaredomainlist.com\/mdl.php."},{"key":"e_1_2_1_24_1","unstructured":"List Z. B. 2009b. Zeus domain blocklist. https:\/\/zeustracker.abuse.ch\/blocklist.php?download=Domainblocklist.  List Z. B. 2009b. Zeus domain blocklist. https:\/\/zeustracker.abuse.ch\/blocklist.php?download=Domainblocklist."},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/1557019.1557153"},{"key":"e_1_2_1_26_1","unstructured":"McAfee. 2010. McAfee siteadvisor. http:\/\/www.siteadvisor.com\/.  McAfee. 2010. McAfee siteadvisor. http:\/\/www.siteadvisor.com\/."},{"key":"e_1_2_1_27_1","volume-title":"Proceedings of the International Conference on Malicious and Unwanted Software.","author":"Nazario J.","unstructured":"Nazario , J. and Holz , T . 2008. As the net churns: Fast-flux botnet observations . In Proceedings of the International Conference on Malicious and Unwanted Software. Nazario, J. and Holz, T. 2008. As the net churns: Fast-flux botnet observations. In Proceedings of the International Conference on Malicious and Unwanted Software."},{"key":"e_1_2_1_28_1","unstructured":"Norton. 2010. Norton safe web. http:\/\/safeweb.norton.com\/.  Norton. 2010. Norton safe web. http:\/\/safeweb.norton.com\/."},{"key":"e_1_2_1_29_1","unstructured":"Open Graph. 2013. The open graph viz platform. https:\/\/gephi.org.  Open Graph. 2013. The open graph viz platform. https:\/\/gephi.org."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-70542-0_10"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2009.36"},{"key":"e_1_2_1_32_1","unstructured":"Phishtank. 2009. Phishtank. http:\/\/www.phishtank.com\/.  Phishtank. 2009. Phishtank. http:\/\/www.phishtank.com\/."},{"key":"e_1_2_1_33_1","volume-title":"Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats.","author":"Porras P.","unstructured":"Porras , P. , Saidi , H. , and Yegneswaran , V . 2009. A foray into conficker\u2019s logic and rendezvous points . In Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats. Porras, P., Saidi, H., and Yegneswaran, V. 2009. A foray into conficker\u2019s logic and rendezvous points. In Proceedings of the USENIX Workshop on Large-Scale Exploits and Emergent Threats."},{"key":"e_1_2_1_34_1","volume-title":"Proceedings of the 5th Australian Joint Conference on Artificial Intelligence. World Scientific. 343--348","author":"Quinlan J.","year":"1995","unstructured":"Quinlan , J. 1995 . Learning with continuous classes . In Proceedings of the 5th Australian Joint Conference on Artificial Intelligence. World Scientific. 343--348 . Quinlan, J. 1995. Learning with continuous classes. In Proceedings of the 5th Australian Joint Conference on Artificial Intelligence. World Scientific. 343--348."},{"key":"e_1_2_1_35_1","unstructured":"RFC. 1995. RFC 1794 - DNS support for load balancing. http:\/\/tools.ietf.org\/html\/rfc1794.  RFC. 1995. RFC 1794 - DNS support for load balancing. http:\/\/tools.ietf.org\/html\/rfc1794."},{"key":"e_1_2_1_36_1","volume-title":"RFC 1912 - Common dns operational and configuration errors. http:\/\/www.faqs.org\/rfcs\/rfc1912","author":"RFC.","year":"1996","unstructured":"RFC. 1996 . RFC 1912 - Common dns operational and configuration errors. http:\/\/www.faqs.org\/rfcs\/rfc1912 .html. RFC. 1996. RFC 1912 - Common dns operational and configuration errors. http:\/\/www.faqs.org\/rfcs\/rfc1912.html."},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653738"},{"key":"e_1_2_1_38_1","unstructured":"Symantec. 2011. Symantec threat report. http:\/\/www.symantec.com\/business\/theme.jsp?themeid=threatreport.  Symantec. 2011. Symantec threat report. http:\/\/www.symantec.com\/business\/theme.jsp?themeid=threatreport."},{"key":"e_1_2_1_39_1","unstructured":"Theodoridis S. and Koutroumbas K. 2009. Pattern Recognition. Academic Press.   Theodoridis S. and Koutroumbas K. 2009. Pattern Recognition . Academic Press."},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDM.2009.12"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/1529282.1529734"},{"key":"e_1_2_1_42_1","volume-title":"Proceedings of the 1st Conference on Computer Security Incident.","author":"Weimer F.","year":"2005","unstructured":"Weimer , F. 2005 . Passive DNS replication . In Proceedings of the 1st Conference on Computer Security Incident. Weimer, F. 2005. Passive DNS replication. In Proceedings of the 1st Conference on Computer Security Incident."},{"key":"e_1_2_1_43_1","unstructured":"WHOIS. 1995. RFC1834 - Whois and network information lookup service whois++. http:\/\/www.faqs.org\/rfcs\/rfc1834.html.  WHOIS. 1995. RFC1834 - Whois and network information lookup service whois++. http:\/\/www.faqs.org\/rfcs\/rfc1834.html."},{"key":"e_1_2_1_44_1","volume-title":"Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann","author":"Witten I.","year":"2005","unstructured":"Witten , I. and Frank , E . 2005 . Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann , San Fransisco, CA . Witten, I. and Frank, E. 2005. Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann, San Fransisco, CA."},{"key":"e_1_2_1_45_1","unstructured":"Wolf J. 2008. Technical details of srizbis domain generation algorithm. http:\/\/tinyurl.com\/6mdasc.  Wolf J. 2008. Technical details of srizbis domain generation algorithm. http:\/\/tinyurl.com\/6mdasc."},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-73614-1_8"},{"key":"e_1_2_1_47_1","volume-title":"Proceedings of the 9th International Conference on Pattern Recognition.","author":"Zitouni H.","unstructured":"Zitouni , H. , Sevil , S. , Ozkan , D. , and Duygulu , P . 2008. Re-ranking of image search results using a graph algorithm . In Proceedings of the 9th International Conference on Pattern Recognition. Zitouni, H., Sevil, S., Ozkan, D., and Duygulu, P. 2008. Re-ranking of image search results using a graph algorithm. In Proceedings of the 9th International Conference on Pattern Recognition."}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2584679","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2584679","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T07:01:43Z","timestamp":1750230103000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2584679"}},"subtitle":["A Passive DNS Analysis Service to Detect and Report Malicious Domains"],"short-title":[],"issued":{"date-parts":[[2014,4]]},"references-count":47,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2014,4]]}},"alternative-id":["10.1145\/2584679"],"URL":"https:\/\/doi.org\/10.1145\/2584679","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"value":"1094-9224","type":"print"},{"value":"1557-7406","type":"electronic"}],"subject":[],"published":{"date-parts":[[2014,4]]},"assertion":[{"value":"2013-01-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2013-12-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2014-04-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}