{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,14]],"date-time":"2026-03-14T17:58:14Z","timestamp":1773511094952,"version":"3.50.1"},"reference-count":72,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2020,7,6]],"date-time":"2020-07-06T00:00:00Z","timestamp":1593993600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2020,11,30]]},"abstract":"<jats:p>Malicious domains, including phishing websites, spam servers, and command and control servers, are the reason for many of the cyber attacks nowadays. Thus, detecting them in a timely manner is important to not only identify cyber attacks but also take preventive measures. There has been a plethora of techniques proposed to detect malicious domains by analyzing Domain Name System (DNS) traffic data. Traditionally, DNS acts as an Internet miscreant\u2019s best friend, but we observe that the subtle traces in DNS logs left by such miscreants can be used against them to detect malicious domains. Our approach is to build a set of domain graphs by connecting \u201crelated\u201d domains together and injecting known malicious and benign domains into these graphs so that we can make inferences about the other domains in the domain graphs. A key challenge in building these graphs is how to accurately identify related domains so that incorrect associations are minimized and the number of domains connected from the dataset is maximized. Based on our observations, we first train two classifiers and then devise a set of association rules that assist in linking domains together. We perform an in-depth empirical analysis of the graphs built using these association rules on passive DNS data and show that our techniques can detect many more malicious domains than the state-of-the-art.<\/jats:p>","DOI":"10.1145\/3401897","type":"journal-article","created":{"date-parts":[[2020,7,6]],"date-time":"2020-07-06T21:29:07Z","timestamp":1594070947000},"page":"1-36","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":25,"title":["Following Passive DNS Traces to Detect Stealthy Malicious Domains Via Graph Inference"],"prefix":"10.1145","volume":"23","author":[{"given":"Mohamed","family":"Nabeel","sequence":"first","affiliation":[{"name":"Qatar Computing Research Institute, Doha, Qatar"}]},{"given":"Issa M.","family":"Khalil","sequence":"additional","affiliation":[{"name":"Qatar Computing Research Institute, Doha, Qatar"}]},{"given":"Bei","family":"Guan","sequence":"additional","affiliation":[{"name":"Collaborative Innovation Center, Chinese Academy of Sciences, Beijing, China"}]},{"given":"Ting","family":"Yu","sequence":"additional","affiliation":[{"name":"Qatar Computing Research Institute, Doha, Qatar"}]}],"member":"320","published-online":{"date-parts":[[2020,7,6]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"Retrieved on","author":"RFC","year":"2019","unstructured":"2016. RFC 7858 : Specification for DNS over Transport Layer Security (TLS) . Retrieved on Feb. 17, 2019 from https:\/\/tools.ietf.org\/html\/rfc 2016. RFC 7858: Specification for DNS over Transport Layer Security (TLS). Retrieved on Feb. 17, 2019 from https:\/\/tools.ietf.org\/html\/rfc"},{"key":"e_1_2_1_2_1","volume-title":"Retrieved on","author":"RFC","year":"2019","unstructured":"2018. RFC 8484 : DNS Queries over HTTPS . Retrieved on Feb. 17, 2019 from https:\/\/tools.ietf.org\/html\/rfc8484. 2018. RFC 8484: DNS Queries over HTTPS. Retrieved on Feb. 17, 2019 from https:\/\/tools.ietf.org\/html\/rfc8484."},{"key":"e_1_2_1_3_1","volume-title":"Retrieved","year":"2019","unstructured":"2019a. AWS Public IP Ranges . Retrieved Feb. 17, 2019 from https:\/\/ip-ranges.amazonaws.com\/ip-ranges.json. 2019a. AWS Public IP Ranges. Retrieved Feb. 17, 2019 from https:\/\/ip-ranges.amazonaws.com\/ip-ranges.json."},{"key":"e_1_2_1_4_1","volume-title":"Retrieved","year":"2019","unstructured":"2019a. CDN Planet CDN List . Retrieved Feb. 25, 2019 from https:\/\/www.cdnplanet.com\/cdns\/. 2019a. CDN Planet CDN List. Retrieved Feb. 25, 2019 from https:\/\/www.cdnplanet.com\/cdns\/."},{"key":"e_1_2_1_5_1","unstructured":"2019. Comodo Free SSL Certificate. Retrieved from https:\/\/www.comodo.com\/e-commerce\/ssl-certificates\/free-ssl-certificate.php.  2019. Comodo Free SSL Certificate. Retrieved from https:\/\/www.comodo.com\/e-commerce\/ssl-certificates\/free-ssl-certificate.php."},{"key":"e_1_2_1_6_1","volume-title":"Retrieved","year":"2019","unstructured":"2019a. DNS Lookup Dynamic DNS List . Retrieved Feb. 25, 2019 from https:\/\/dnslookup.me\/dynamic-dns\/. 2019a. DNS Lookup Dynamic DNS List. Retrieved Feb. 25, 2019 from https:\/\/dnslookup.me\/dynamic-dns\/."},{"key":"e_1_2_1_7_1","volume-title":"Retrieved","year":"2019","unstructured":"2019a. Google Public IP API . Retrieved Feb. 17, 2019 from https:\/\/github.com\/bcoe\/gce-ips\/blob\/master\/index.js. 2019a. Google Public IP API. Retrieved Feb. 17, 2019 from https:\/\/github.com\/bcoe\/gce-ips\/blob\/master\/index.js."},{"key":"e_1_2_1_8_1","volume-title":"Google Safe Browsing: Making the world\u2019s information safely accessible. Retrieved","year":"2019","unstructured":"2019. Google Safe Browsing: Making the world\u2019s information safely accessible. Retrieved February 2019 from https:\/\/safebrowsing.google.com. 2019. Google Safe Browsing: Making the world\u2019s information safely accessible. Retrieved February 2019 from https:\/\/safebrowsing.google.com."},{"key":"e_1_2_1_9_1","volume-title":"Retrieved","year":"2019","unstructured":"2019. Microsoft Azure Public IP Ranges . Retrieved Feb. 17, 2019 from https:\/\/github.com\/bcoe\/which-cloud\/blob\/master\/data\/PublicIPs.xml. 2019. Microsoft Azure Public IP Ranges. Retrieved Feb. 17, 2019 from https:\/\/github.com\/bcoe\/which-cloud\/blob\/master\/data\/PublicIPs.xml."},{"key":"e_1_2_1_10_1","volume-title":"Neu5ron Dynamic DNS List. Retrieved","year":"2019","unstructured":"2019b. Neu5ron Dynamic DNS List. Retrieved Feb. 25, 2019 from https:\/\/gist.github.com\/neu5ron\/860c158180e01b61a524. 2019b. Neu5ron Dynamic DNS List. Retrieved Feb. 25, 2019 from https:\/\/gist.github.com\/neu5ron\/860c158180e01b61a524."},{"key":"e_1_2_1_11_1","volume-title":"Retrieved","year":"2019","unstructured":"2019. Public Suffix List . Retrieved Feb. 10, 2019 from https:\/\/publicsuffix.org\/. 2019. Public Suffix List. Retrieved Feb. 10, 2019 from https:\/\/publicsuffix.org\/."},{"key":"e_1_2_1_12_1","volume-title":"scikit-learn. Retrieved from","year":"2019","unstructured":"2019. scikit-learn. Retrieved from Feb. 10, 2019 . http:\/\/scikit-learn.org\/. 2019. scikit-learn. Retrieved from Feb. 10, 2019. http:\/\/scikit-learn.org\/."},{"key":"e_1_2_1_13_1","unstructured":"2019b. Team AWS. Retrieved Feb. 17 2019 from https:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/using-instance-addressing.html\/.  2019b. Team AWS. Retrieved Feb. 17 2019 from https:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/using-instance-addressing.html\/."},{"key":"e_1_2_1_14_1","unstructured":"2019c. Team AWS. Retrieved Feb. 17 2019 from https:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/elastic-ip-addresses-eip.html.  2019c. Team AWS. Retrieved Feb. 17 2019 from https:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/elastic-ip-addresses-eip.html."},{"key":"e_1_2_1_15_1","unstructured":"2019b. Team Google. Retrieved Feb. 17 2019 from https:\/\/cloud.google.com\/compute\/docs\/ip-addresses\/ephemeraladdress.  2019b. Team Google. Retrieved Feb. 17 2019 from https:\/\/cloud.google.com\/compute\/docs\/ip-addresses\/ephemeraladdress."},{"key":"e_1_2_1_16_1","unstructured":"2019. Which-Cloud Tool. Retrieved Feb. 17 2019 from https:\/\/github.com\/bcoe\/which-cloud.  2019. Which-Cloud Tool. Retrieved Feb. 17 2019 from https:\/\/github.com\/bcoe\/which-cloud."},{"key":"e_1_2_1_17_1","unstructured":"2019. WHOIS Records. Retrieved Feb. 10 2019 from https:\/\/whois.icann.org\/.  2019. WHOIS Records. Retrieved Feb. 10 2019 from https:\/\/whois.icann.org\/."},{"key":"e_1_2_1_18_1","volume-title":"Retrieved","year":"2019","unstructured":"2019b. WPO Foundation CDN List . Retrieved Feb. 25, 2019 from https:\/\/github.com\/WPO-Foundation\/webpagetest\/blob\/master\/agent\/wpthook\/cdn.h. 2019b. WPO Foundation CDN List. Retrieved Feb. 25, 2019 from https:\/\/github.com\/WPO-Foundation\/webpagetest\/blob\/master\/agent\/wpthook\/cdn.h."},{"key":"e_1_2_1_19_1","volume-title":"McAfee Site Advisor. Retrieved","year":"2020","unstructured":"2020. McAfee Site Advisor. Retrieved March 2020 from https:\/\/www.mcafee.com\/siteadvisor. 2020. McAfee Site Advisor. Retrieved March 2020 from https:\/\/www.mcafee.com\/siteadvisor."},{"key":"e_1_2_1_20_1","volume-title":"Retrieved","year":"2019","unstructured":"Alexa. 2019 . Alexa Top Sites . Retrieved Feb. 28, 2019 from http:\/\/aws.amazon.com\/alexa-top-sites\/. Alexa. 2019. Alexa Top Sites. Retrieved Feb. 28, 2019 from http:\/\/aws.amazon.com\/alexa-top-sites\/."},{"key":"e_1_2_1_21_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (SP\u201917)","author":"Alrwais S.","unstructured":"S. Alrwais , X. Liao , X. Mi , P. Wang , X. Wang , F. Qian , R. Beyah , and D. McCoy . 2017. Under the shadow of sunshine: Understanding and detecting bulletproof hosting on legitimate service provider networks . In Proceedings of the IEEE Symposium on Security and Privacy (SP\u201917) . 805--823. S. Alrwais, X. Liao, X. Mi, P. Wang, X. Wang, F. Qian, R. Beyah, and D. McCoy. 2017. Under the shadow of sunshine: Understanding and detecting bulletproof hosting on legitimate service provider networks. In Proceedings of the IEEE Symposium on Security and Privacy (SP\u201917). 805--823."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2996758.2996767"},{"key":"e_1_2_1_23_1","volume-title":"Proceedings of the 19th USENIX Conference on Security. 273--290","author":"Antonakakis Manos","year":"2010","unstructured":"Manos Antonakakis , Roberto Perdisci , David Dagon , Wenke Lee , and Nick Feamster . 2010 . Building a dynamic reputation system for DNS . In Proceedings of the 19th USENIX Conference on Security. 273--290 . Manos Antonakakis, Roberto Perdisci, David Dagon, Wenke Lee, and Nick Feamster. 2010. Building a dynamic reputation system for DNS. In Proceedings of the 19th USENIX Conference on Security. 273--290."},{"key":"e_1_2_1_24_1","volume-title":"Proceedings of the 20th USENIX Conference on Security. USENIX Association, 27--42","author":"Antonakakis Manos","year":"2011","unstructured":"Manos Antonakakis , Roberto Perdisci , Wenke Lee , Nikolaos Vasiloglou , II , and David Dagon . 2011 . Detecting malware domains at the upper DNS hierarchy . In Proceedings of the 20th USENIX Conference on Security. USENIX Association, 27--42 . Manos Antonakakis, Roberto Perdisci, Wenke Lee, Nikolaos Vasiloglou, II, and David Dagon. 2011. Detecting malware domains at the upper DNS hierarchy. In Proceedings of the 20th USENIX Conference on Security. USENIX Association, 27--42."},{"key":"e_1_2_1_25_1","volume-title":"Proceedings of the 21st USENIX Conference on Security Symposium. 24--24","author":"Antonakakis Manos","year":"2012","unstructured":"Manos Antonakakis , Roberto Perdisci , Yacin Nadji , Nikolaos Vasiloglou , Saeed Abu-Nimeh , Wenke Lee , and David Dagon . 2012 . From throw-away traffic to bots: Detecting the rise of DGA-based malware . In Proceedings of the 21st USENIX Conference on Security Symposium. 24--24 . Manos Antonakakis, Roberto Perdisci, Yacin Nadji, Nikolaos Vasiloglou, Saeed Abu-Nimeh, Wenke Lee, and David Dagon. 2012. From throw-away traffic to bots: Detecting the rise of DGA-based malware. In Proceedings of the 21st USENIX Conference on Security Symposium. 24--24."},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/2584679"},{"key":"e_1_2_1_27_1","volume-title":"Proceedings of the 27th Conference on Computer Communications, INFOCOMM\u201908","author":"Chen Z.","unstructured":"Z. Chen , C. Ji , and P. Barford . 2008. Spatial-temporal characteristics of internet malicious sources . In Proceedings of the 27th Conference on Computer Communications, INFOCOMM\u201908 . Z. Chen, C. Ji, and P. Barford. 2008. Spatial-temporal characteristics of internet malicious sources. In Proceedings of the 27th Conference on Computer Communications, INFOCOMM\u201908."},{"key":"e_1_2_1_28_1","volume-title":"Retrieved","author":"Security Farsight","year":"2019","unstructured":"Farsight Security , Inc. 2019 . DNS Database . Retrieved Feb. 28, 2019 from https:\/\/www.dnsdb.info\/. Farsight Security, Inc. 2019. DNS Database. Retrieved Feb. 28, 2019 from https:\/\/www.dnsdb.info\/."},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/2815675.2815706"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/TNET.2014.2358637"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.5555\/1894166.1894197"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.33"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2014.04.013"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICNP.2010.5762763"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3176258.3176329"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897877"},{"key":"e_1_2_1_37_1","volume-title":"Proceedings of the 18th Conference on USENIX Security Symposium. USENIX Association, 351--366","author":"Kolbitsch Clemens","year":"2009","unstructured":"Clemens Kolbitsch , Paolo Milani Comparetti , Christopher Kruegel , Engin Kirda , Xiaoyong Zhou , and XiaoFeng Wang . 2009 . Effective and efficient malware detection at the end host . In Proceedings of the 18th Conference on USENIX Security Symposium. USENIX Association, 351--366 . Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiaoyong Zhou, and XiaoFeng Wang. 2009. Effective and efficient malware detection at the end host. In Proceedings of the 18th Conference on USENIX Security Symposium. USENIX Association, 351--366."},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/2785956.2787494"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813665"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45719-2_9"},{"key":"e_1_2_1_41_1","volume-title":"Proceedings of the IEEE 12th International Conference on Computer Vision. 506--513","author":"Leistner C.","unstructured":"C. Leistner , A. Saffari , J. Santner , and H. Bischof . 2009. Semi-supervised random forests . In Proceedings of the IEEE 12th International Conference on Computer Vision. 506--513 . C. Leistner, A. Saffari, J. Santner, and H. Bischof. 2009. Semi-supervised random forests. In Proceedings of the IEEE 12th International Conference on Computer Vision. 506--513."},{"key":"e_1_2_1_42_1","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy (SP\u201917)","author":"Lever C.","unstructured":"C. Lever , P. Kotzias , D. Balzarotti , J. Caballero , and M. Antonakakis . 2017. A lustrum of malware network communication: Evolution and insights . In Proceedings of the IEEE Symposium on Security and Privacy (SP\u201917) . 788--804. C. Lever, P. Kotzias, D. Balzarotti, J. Caballero, and M. Antonakakis. 2017. A lustrum of malware network communication: Evolution and insights. In Proceedings of the IEEE Symposium on Security and Privacy (SP\u201917). 788--804."},{"key":"e_1_2_1_43_1","volume-title":"Saul","author":"Liu Suqi","year":"2015","unstructured":"Suqi Liu , Ian Foster , Stefan Savage , Geoffrey M. Voelker , and Lawrence K . Saul . 2015 . Who is .Com?: Learning to parse WHOIS records. In Proceedings of the 2015 Internet Measurement Conference. ACM, 369--380. Suqi Liu, Ian Foster, Stefan Savage, Geoffrey M. Voelker, and Lawrence K. Saul. 2015. Who is .Com?: Learning to parse WHOIS records. In Proceedings of the 2015 Internet Measurement Conference. ACM, 369--380."},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/2666652.2666659"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-39235-1_1"},{"key":"e_1_2_1_46_1","unstructured":"OpenDNS. [n.d.]. PhishTank. Retrieved Feb. 16 2019 from https:\/\/www.phishtank.com\/.  OpenDNS. [n.d.]. PhishTank. Retrieved Feb. 16 2019 from https:\/\/www.phishtank.com\/."},{"key":"e_1_2_1_47_1","volume-title":"Proceedings of the National Conference on Artificial Intelligence.","author":"Pearl Judea","year":"1982","unstructured":"Judea Pearl . 1982 . Reverend Bayes on inference engines: A distributed hierarchical approach . In Proceedings of the National Conference on Artificial Intelligence. Judea Pearl. 1982. Reverend Bayes on inference engines: A distributed hierarchical approach. In Proceedings of the National Conference on Artificial Intelligence."},{"key":"e_1_2_1_48_1","volume-title":"Applications and Worksharing - Proceedings of the14th EAI International Conference, CollaborateCom","author":"Peng Chengwei","year":"2018","unstructured":"Chengwei Peng , Xiaochun Yun , Yongzheng Zhang , and Shuhao Li . 2018 . MalShoot: Shooting malicious domains through graph embedding on passive DNS data. In Collaborative Computing: Networking , Applications and Worksharing - Proceedings of the14th EAI International Conference, CollaborateCom 2018. 488--503. Chengwei Peng, Xiaochun Yun, Yongzheng Zhang, and Shuhao Li. 2018. MalShoot: Shooting malicious domains through graph embedding on passive DNS data. In Collaborative Computing: Networking, Applications and Worksharing - Proceedings of the14th EAI International Conference, CollaborateCom 2018. 488--503."},{"key":"#cr-split#-e_1_2_1_49_1.1","doi-asserted-by":"crossref","unstructured":"Chengwei Peng Xiaochun Yun Yongzheng Zhang Shuhao Li and Jun Xiao. 2017. Discovering malicious domains through alias-canonical graph. In 2017 IEEE Trustcom\/BigDataSE\/ICESS. 225--232. DOI:https:\/\/doi.org\/10.1109\/Trustcom\/BigDataSE\/ICESS.2017.241 10.1109\/Trustcom","DOI":"10.1109\/Trustcom\/BigDataSE\/ICESS.2017.241"},{"key":"#cr-split#-e_1_2_1_49_1.2","doi-asserted-by":"crossref","unstructured":"Chengwei Peng Xiaochun Yun Yongzheng Zhang Shuhao Li and Jun Xiao. 2017. Discovering malicious domains through alias-canonical graph. In 2017 IEEE Trustcom\/BigDataSE\/ICESS. 225--232. DOI:https:\/\/doi.org\/10.1109\/Trustcom\/BigDataSE\/ICESS.2017.241","DOI":"10.1109\/Trustcom\/BigDataSE\/ICESS.2017.241"},{"key":"e_1_2_1_50_1","volume-title":"Proceedings of the 45th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks. 403--414","author":"Rahbarinia B.","unstructured":"B. Rahbarinia , R. Perdisci , and M. Antonakakis . 2015. Segugio: Efficient behavior-based tracking of malware-control domains in large ISP networks . In Proceedings of the 45th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks. 403--414 . B. Rahbarinia, R. Perdisci, and M. Antonakakis. 2015. Segugio: Efficient behavior-based tracking of malware-control domains in large ISP networks. In Proceedings of the 45th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks. 403--414."},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-2010-0410"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-37300-8_3"},{"key":"e_1_2_1_53_1","first-page":"2","article-title":"Survey and taxonomy of IP address lookup algorithms","volume":"15","author":"Ruiz-Sanchez M. A.","year":"2001","unstructured":"M. A. Ruiz-Sanchez , E. W. Biersack , and W. Dabbous . 2001 . Survey and taxonomy of IP address lookup algorithms . Magazine of Global Internetworking 15 , 2 (March 2001), 8--23. M. A. Ruiz-Sanchez, E. W. Biersack, and W. Dabbous. 2001. Survey and taxonomy of IP address lookup algorithms. Magazine of Global Internetworking 15, 2 (March 2001), 8--23.","journal-title":"Magazine of Global Internetworking"},{"key":"e_1_2_1_54_1","doi-asserted-by":"crossref","unstructured":"Quirin Scheitle Oliver Hohlfeld Julien Gamba Jonas Jelten Torsten Zimmermann Stephen D. Strowes and Narseo Vallina-Rodriguez. 2018. A long way to the top: Significance structure and stability of internet top lists. In IMC.  Quirin Scheitle Oliver Hohlfeld Julien Gamba Jonas Jelten Torsten Zimmermann Stephen D. Strowes and Narseo Vallina-Rodriguez. 2018. A long way to the top: Significance structure and stability of internet top lists. In IMC.","DOI":"10.1145\/3278532.3278574"},{"key":"e_1_2_1_55_1","volume-title":"Proceedings of the 2016 USENIX Conference on Usenix Annual Technical Conference. USENIX Association, 195--208","author":"Scott Will","year":"2016","unstructured":"Will Scott , Thomas Anderson , Tadayoshi Kohno , and Arvind Krishnamurthy . 2016 . Satellite: Joint analysis of CDNs and network-level interference . In Proceedings of the 2016 USENIX Conference on Usenix Annual Technical Conference. USENIX Association, 195--208 . Will Scott, Thomas Anderson, Tadayoshi Kohno, and Arvind Krishnamurthy. 2016. Satellite: Joint analysis of CDNs and network-level interference. In Proceedings of the 2016 USENIX Conference on Usenix Annual Technical Conference. USENIX Association, 195--208."},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-016-0331-3"},{"key":"e_1_2_1_57_1","volume-title":"Proceedings of the 2nd Conference on USENIX Workshop on Offensive Technologies. 5:1\u20135:9.","author":"Stinson Elizabeth","unstructured":"Elizabeth Stinson and John C. Mitchell . 2008. Towards systematic evaluation of the evadability of bot\/botnet detection methods . In Proceedings of the 2nd Conference on USENIX Workshop on Offensive Technologies. 5:1\u20135:9. Elizabeth Stinson and John C. Mitchell. 2008. Towards systematic evaluation of the evadability of bot\/botnet detection methods. In Proceedings of the 2nd Conference on USENIX Workshop on Offensive Technologies. 5:1\u20135:9."},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/ACSAC.2009.29"},{"key":"e_1_2_1_59_1","volume-title":"22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID\u201919)","author":"Sun Xiaoqing","year":"2019","unstructured":"Xiaoqing Sun , Mingkai Tong , Jiahai Yang , Liu Xinran , and Liu Heng . 2019 . HinDom: A robust malicious domain detection system based on heterogeneous information network with transductive classification . In 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID\u201919) . USENIX Association, 399--412. https:\/\/www.usenix.org\/conference\/raid 2019\/presentation\/sun. Xiaoqing Sun, Mingkai Tong, Jiahai Yang, Liu Xinran, and Liu Heng. 2019. HinDom: A robust malicious domain detection system based on heterogeneous information network with transductive classification. In 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID\u201919). USENIX Association, 399--412. https:\/\/www.usenix.org\/conference\/raid2019\/presentation\/sun."},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/2623330.2623342"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.17"},{"key":"e_1_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/3278532.3278569"},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/3011077.3011112"},{"key":"e_1_2_1_64_1","volume-title":"Subsidiary of Google","year":"2019","unstructured":"VirusTotal , Subsidiary of Google . 2019 . Retrieved Feb. 28, 2019 from VirusTotal \u2013 Free Online Virus, Malware and URL Scanner . https:\/\/www.virustotal.com\/. VirusTotal, Subsidiary of Google. 2019. Retrieved Feb. 28, 2019 from VirusTotal \u2013 Free Online Virus, Malware and URL Scanner. https:\/\/www.virustotal.com\/."},{"key":"e_1_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/2663716.2663742"},{"key":"e_1_2_1_66_1","volume-title":"FIRST Conference on Computer Security Incident. 98","author":"Weimer Florian","year":"2005","unstructured":"Florian Weimer . 2005 . Passive DNS replication . In FIRST Conference on Computer Security Incident. 98 . Florian Weimer. 2005. Passive DNS replication. In FIRST Conference on Computer Security Incident. 98."},{"key":"e_1_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/1282380.1282415"},{"key":"e_1_2_1_68_1","volume-title":"Exploring artificial intelligence in the new millennium","author":"Yedidia Jonathan S.","unstructured":"Jonathan S. Yedidia , William T. Freeman , and Yair Weiss . 2003. Exploring artificial intelligence in the new millennium . Morgan Kaufmann Publishers Inc ., 239--269. Jonathan S. Yedidia, William T. Freeman, and Yair Weiss. 2003. Exploring artificial intelligence in the new millennium. Morgan Kaufmann Publishers Inc., 239--269."},{"key":"e_1_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2015.70"},{"key":"e_1_2_1_70_1","volume-title":"Article 67 (July","author":"Zhauniarovich Yury","year":"2018","unstructured":"Yury Zhauniarovich , Issa Khalil , Ting Yu , and Marc Dacier . 2018. A survey on malicious domains detection through DNS data analysis. ACM Computing Surveys 51, 4 , Article 67 (July 2018 ), 36 pages. DOI:https:\/\/doi.org\/10.1145\/3191329 10.1145\/3191329 Yury Zhauniarovich, Issa Khalil, Ting Yu, and Marc Dacier. 2018. A survey on malicious domains detection through DNS data analysis. ACM Computing Surveys 51, 4, Article 67 (July 2018), 36 pages. DOI:https:\/\/doi.org\/10.1145\/3191329"},{"key":"e_1_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1155\/2015\/102687"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3401897","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3401897","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:03:12Z","timestamp":1750197792000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3401897"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,7,6]]},"references-count":72,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,11,30]]}},"alternative-id":["10.1145\/3401897"],"URL":"https:\/\/doi.org\/10.1145\/3401897","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,7,6]]},"assertion":[{"value":"2019-03-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-05-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-07-06","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}