{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T01:40:44Z","timestamp":1769910044715,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":49,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,12,5]],"date-time":"2022-12-05T00:00:00Z","timestamp":1670198400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,12,5]]},"DOI":"10.1145\/3564625.3564646","type":"proceedings-article","created":{"date-parts":[[2022,12,3]],"date-time":"2022-12-03T01:01:29Z","timestamp":1670029289000},"page":"240-250","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["View from Above: Exploring the Malware Ecosystem from the Upper DNS Hierarchy"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4077-2772","authenticated-orcid":false,"given":"Aaron","family":"Faulkenberry","sequence":"first","affiliation":[{"name":"Georgia Institute of Technology, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7717-5368","authenticated-orcid":false,"given":"Athanasios","family":"Avgetidis","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, United States of America"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4501-066X","authenticated-orcid":false,"given":"Zane","family":"Ma","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4374-737X","authenticated-orcid":false,"given":"Omar","family":"Alrawi","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, United States of America"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6148-8981","authenticated-orcid":false,"given":"Charles","family":"Lever","sequence":"additional","affiliation":[{"name":"Devo, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5617-7417","authenticated-orcid":false,"given":"Panagiotis","family":"Kintis","sequence":"additional","affiliation":[{"name":"Voreas Laboratories Inc, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9805-2217","authenticated-orcid":false,"given":"Fabian","family":"Monrose","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3815-5932","authenticated-orcid":false,"given":"Angelos D.","family":"Keromytis","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1578-8307","authenticated-orcid":false,"given":"Manos","family":"Antonakakis","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, United States of America"}]}],"member":"320","published-online":{"date-parts":[[2022,12,5]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2019. UNSD - Statistical Classifications. https:\/\/unstats.un.org\/unsd\/classifications.  2019. UNSD - Statistical Classifications. https:\/\/unstats.un.org\/unsd\/classifications."},{"key":"e_1_3_2_1_2_1","unstructured":"2022. VirusTotal. https:\/\/www.virustotal.com.  2022. VirusTotal. https:\/\/www.virustotal.com."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23243"},{"key":"e_1_3_2_1_4_1","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX Security 21)","author":"Alrawi Omar","year":"2021","unstructured":"Omar Alrawi , Charles Lever , Kevin Valakuzhy , Kevin Snow , Fabian Monrose , Manos Antonakakis , 2021 . The Circle of life: A {large-scale} study of the {IoT} malware lifecycle . In Proceedings of the 30th USENIX Security Symposium (USENIX Security 21) . Omar Alrawi, Charles Lever, Kevin Valakuzhy, Kevin Snow, Fabian Monrose, Manos Antonakakis, 2021. The Circle of life: A {large-scale} study of the {IoT} malware lifecycle. In Proceedings of the 30th USENIX Security Symposium (USENIX Security 21)."},{"key":"e_1_3_2_1_5_1","volume-title":"Proceedings of the 26th USENIX Security Symposium (USENIX Security 17)","author":"Antonakakis Manos","year":"2017","unstructured":"Manos Antonakakis , Tim April , Michael Bailey , Matt Bernhard , Elie Bursztein , Jaime Cochran , Zakir Durumeric , J\u00a0Alex Halderman , Luca Invernizzi , Michalis Kallitsis , 2017 . Understanding the Mirai botnet . In Proceedings of the 26th USENIX Security Symposium (USENIX Security 17) . Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J\u00a0Alex Halderman, Luca Invernizzi, Michalis Kallitsis, 2017. Understanding the Mirai botnet. In Proceedings of the 26th USENIX Security Symposium (USENIX Security 17)."},{"key":"e_1_3_2_1_6_1","volume-title":"Proceedings of the 20th USENIX Security Symposium (USENIX Security 11)","author":"Antonakakis Manos","year":"2011","unstructured":"Manos Antonakakis , Roberto Perdisci , Wenke Lee , Nikolaos Vasiloglou\u00a0II, and David Dagon . 2011 . Detecting malware domains at the upper {DNS} hierarchy . In Proceedings of the 20th USENIX Security Symposium (USENIX Security 11) . Manos Antonakakis, Roberto Perdisci, Wenke Lee, Nikolaos Vasiloglou\u00a0II, and David Dagon. 2011. Detecting malware domains at the upper {DNS} hierarchy. In Proceedings of the 20th USENIX Security Symposium (USENIX Security 11)."},{"key":"e_1_3_2_1_7_1","volume-title":"Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23)","author":"Avgetidis Athanasios","year":"2023","unstructured":"Athanasios Avgetidis , Omar Alrawi , Kevin Valakuzhy , Charles Lever , Paul Burbage , Angelos Keromytis , Fabian Monrose , and Manos Antonakakis . 2023 . Beyond the gates: An empirical analysis of HTTP-managed password stealers and operators . In Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23) . Athanasios Avgetidis, Omar Alrawi, Kevin Valakuzhy, Charles Lever, Paul Burbage, Angelos Keromytis, Fabian Monrose, and Manos Antonakakis. 2023. Beyond the gates: An empirical analysis of HTTP-managed password stealers and operators. In Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23)."},{"key":"e_1_3_2_1_8_1","volume-title":"Proceedings of the 2nd USENIX Conference on Large-scale Exploits and Emergent Threats (LEET 09)","author":"Bayer Ulrich","year":"2009","unstructured":"Ulrich Bayer , Imam Habibi , Davide Balzarotti , Engin Kirda , and Christopher Kruegel . 2009 . A view on current malware behaviors . In Proceedings of the 2nd USENIX Conference on Large-scale Exploits and Emergent Threats (LEET 09) . Ulrich Bayer, Imam Habibi, Davide Balzarotti, Engin Kirda, and Christopher Kruegel. 2009. A view on current malware behaviors. In Proceedings of the 2nd USENIX Conference on Large-scale Exploits and Emergent Threats (LEET 09)."},{"key":"e_1_3_2_1_9_1","unstructured":"CAIDA. 2022. Routeviews Prefix-to-AS mappings (pfx2as) for IPv4 and IPv6. http:\/\/data.caida.org\/datasets\/routing\/routeviews-prefix2as\/.  CAIDA. 2022. Routeviews Prefix-to-AS mappings (pfx2as) for IPv4 and IPv6. http:\/\/data.caida.org\/datasets\/routing\/routeviews-prefix2as\/."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2714576.2714637"},{"key":"e_1_3_2_1_11_1","volume-title":"D Lawrence, and Warren Kumari.","author":"Contavalli Carlo","year":"2016","unstructured":"Carlo Contavalli , Wilmer Van Der\u00a0Gaast , D Lawrence, and Warren Kumari. 2016 . Client subnet in DNS queries. RFC 7871 (Informational) . http:\/\/www.ietf.org\/rfc\/rfc7875.txt Carlo Contavalli, Wilmer Van Der\u00a0Gaast, D Lawrence, and Warren Kumari. 2016. Client subnet in DNS queries. RFC 7871 (Informational). http:\/\/www.ietf.org\/rfc\/rfc7875.txt"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2068816.2068842"},{"key":"e_1_3_2_1_13_1","volume-title":"Proceedings of the 1st USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET 08)","author":"Kanich Chris","year":"2008","unstructured":"Chris Kanich , Kirill Levchenko , Brandon Enright , Geoffrey\u00a0 M Voelker , and Stefan Savage . 2008 . The heisenbot uncertainty problem: Challenges in separating bots from chaff .. In Proceedings of the 1st USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET 08) . Chris Kanich, Kirill Levchenko, Brandon Enright, Geoffrey\u00a0M Voelker, and Stefan Savage. 2008. The heisenbot uncertainty problem: Challenges in separating bots from chaff.. In Proceedings of the 1st USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET 08)."},{"key":"e_1_3_2_1_14_1","volume-title":"Proceedings of the 25th USENIX Security Symposium (USENIX Security 16)","author":"Kharraz Amin","year":"2016","unstructured":"Amin Kharraz , Sajjad Arshad , Collin Mulliner , William Robertson , and Engin Kirda . 2016 . UNVEIL: A large-scale, automated approach to detecting ransomware . In Proceedings of the 25th USENIX Security Symposium (USENIX Security 16) . Amin Kharraz, Sajjad Arshad, Collin Mulliner, William Robertson, and Engin Kirda. 2016. UNVEIL: A large-scale, automated approach to detecting ransomware. In Proceedings of the 25th USENIX Security Symposium (USENIX Security 16)."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23522"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24343"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45719-2_9"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.59"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/BADGERS.2014.7"},{"key":"e_1_3_2_1_20_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security 18)","author":"Liu Baojun","year":"2018","unstructured":"Baojun Liu , Chaoyi Lu , Haixin Duan , Ying Liu , Zhou Li , Shuang Hao , and Min Yang . 2018 . Who is answering my queries: Understanding and characterizing interception of the DNS resolution path . In Proceedings of the 27th USENIX Security Symposium (USENIX Security 18) . Baojun Liu, Chaoyi Lu, Haixin Duan, Ying Liu, Zhou Li, Shuang Hao, and Min Yang. 2018. Who is answering my queries: Understanding and characterizing interception of the DNS resolution path. In Proceedings of the 27th USENIX Security Symposium (USENIX Security 18)."},{"key":"e_1_3_2_1_21_1","unstructured":"Malwarebytes. 2022. 2022 Global Threat Report. https:\/\/go.crowdstrike.com\/rs\/281-OBQ-266\/images\/Report2022GTR.pdf.  Malwarebytes. 2022. 2022 Global Threat Report. https:\/\/go.crowdstrike.com\/rs\/281-OBQ-266\/images\/Report2022GTR.pdf."},{"key":"e_1_3_2_1_22_1","unstructured":"Malwarebytes. 2022. 2022 Threat Review. https:\/\/www.malwarebytes.com\/resources\/malwarebytes-threat-review-2022\/mwb_threatreview_2022_ss_v1.pdf.  Malwarebytes. 2022. 2022 Threat Review. https:\/\/www.malwarebytes.com\/resources\/malwarebytes-threat-review-2022\/mwb_threatreview_2022_ss_v1.pdf."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3055305.3055306"},{"key":"e_1_3_2_1_24_1","unstructured":"P.V. Mockapetris. 1987. Domain names - concepts and facilities. RFC 1034 (INTERNET STANDARD). http:\/\/www.ietf.org\/rfc\/rfc1034.txt Updated by RFCs 1101 1183 1348 1876 1982 2065 2181 2308 2535 4033 4034 4035 4343 4035 4592 5936.  P.V. Mockapetris. 1987. Domain names - concepts and facilities. RFC 1034 (INTERNET STANDARD). http:\/\/www.ietf.org\/rfc\/rfc1034.txt Updated by RFCs 1101 1183 1348 1876 1982 2065 2181 2308 2535 4033 4034 4035 4343 4035 4592 5936."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/52324.52338"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"crossref","unstructured":"Paul\u00a0V Mockapetris. 1987. Rfc1035: Domain names-implementation and specification.  Paul\u00a0V Mockapetris. 1987. Rfc1035: Domain names-implementation and specification.","DOI":"10.17487\/rfc1035"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2487788.2488056"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-08509-8_7"},{"key":"e_1_3_2_1_29_1","volume-title":"AMAL: High-fidelity, behavior-based automated malware analysis and classification. computers & security 52(2015).","author":"Mohaisen Aziz","year":"2015","unstructured":"Aziz Mohaisen , Omar Alrawi , and Manar Mohaisen . 2015 . AMAL: High-fidelity, behavior-based automated malware analysis and classification. computers & security 52(2015). Aziz Mohaisen, Omar Alrawi, and Manar Mohaisen. 2015. AMAL: High-fidelity, behavior-based automated malware analysis and classification. computers & security 52(2015)."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3355369.3355568"},{"key":"e_1_3_2_1_31_1","volume-title":"Proceedings of the 2015 ACM Internet Measurement Conference (IMC 15)","author":"Moura CM","year":"2015","unstructured":"Giovane\u00a0 CM Moura , Moritz M\u00fcller , and Marco Davids . 2015 . Domain names abuse and TLDs: From monetization towards . In Proceedings of the 2015 ACM Internet Measurement Conference (IMC 15) . Giovane\u00a0CM Moura, Moritz M\u00fcller, and Marco Davids. 2015. Domain names abuse and TLDs: From monetization towards. In Proceedings of the 2015 ACM Internet Measurement Conference (IMC 15)."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23218"},{"key":"e_1_3_2_1_33_1","volume-title":"Malpedia: A collaborative effort to inventorize the malware landscape. Botconf","author":"Plohmann Daniel","year":"2017","unstructured":"Daniel Plohmann , Martin Clauss , Steffen Enders , and Elmar Padilla . 2017 . Malpedia: A collaborative effort to inventorize the malware landscape. Botconf (2017). Daniel Plohmann, Martin Clauss, Steffen Enders, and Elmar Padilla. 2017. Malpedia: A collaborative effort to inventorize the malware landscape. Botconf (2017)."},{"key":"e_1_3_2_1_34_1","volume-title":"Tranco: A research-oriented top sites ranking hardened against manipulation. arXiv preprint arXiv:1806.01156(2018).","author":"Pochat Victor\u00a0Le","year":"2018","unstructured":"Victor\u00a0Le Pochat , Tom Van\u00a0Goethem , Samaneh Tajalizadehkhoob , Maciej Korczy\u0144ski , and Wouter Joosen . 2018 . Tranco: A research-oriented top sites ranking hardened against manipulation. arXiv preprint arXiv:1806.01156(2018). Victor\u00a0Le Pochat, Tom Van\u00a0Goethem, Samaneh Tajalizadehkhoob, Maciej Korczy\u0144ski, and Wouter Joosen. 2018. Tranco: A research-oriented top sites ranking hardened against manipulation. arXiv preprint arXiv:1806.01156(2018)."},{"key":"e_1_3_2_1_35_1","unstructured":"The\u00a0Tor Project. 2022. TorDNSEL\u2019s exit lists. https:\/\/metrics.torproject.org\/collector\/archive\/exit-lists\/.  The\u00a0Tor Project. 2022. TorDNSEL\u2019s exit lists. https:\/\/metrics.torproject.org\/collector\/archive\/exit-lists\/."},{"key":"e_1_3_2_1_36_1","volume-title":"Proceedings of the 17th USENIX Security Symposium (USENIX Security 08)","author":"Provos N","year":"2008","unstructured":"N Provos , P Mavrommatis , MA Rajab , and F Monrose . 2008 . All your iFRAMEs point to us . In Proceedings of the 17th USENIX Security Symposium (USENIX Security 08) . N Provos, P Mavrommatis, MA Rajab, and F Monrose. 2008. All your iFRAMEs point to us. In Proceedings of the 17th USENIX Security Symposium (USENIX Security 08)."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3419394.3423640"},{"key":"e_1_3_2_1_38_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security 18)","author":"Rezaeirad Mohammad","year":"2018","unstructured":"Mohammad Rezaeirad , Brown Farinholt , Hitesh Dharmdasani , Paul Pearce , Kirill Levchenko , and Damon McCoy . 2018 . {Schr\u00f6dinger\u2019s}{RAT}: Profiling the stakeholders in the remote access trojan ecosystem . In Proceedings of the 27th USENIX Security Symposium (USENIX Security 18) . Mohammad Rezaeirad, Brown Farinholt, Hitesh Dharmdasani, Paul Pearce, Kirill Levchenko, and Damon McCoy. 2018. {Schr\u00f6dinger\u2019s}{RAT}: Profiling the stakeholders in the remote access trojan ecosystem. In Proceedings of the 27th USENIX Security Symposium (USENIX Security 18)."},{"key":"e_1_3_2_1_39_1","volume-title":"Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer.","author":"Rossow Christian","year":"2012","unstructured":"Christian Rossow , Christian Dietrich , and Herbert Bos . 2012 . Large-scale analysis of malware downloaders . In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer. Christian Rossow, Christian Dietrich, and Herbert Bos. 2012. Large-scale analysis of malware downloaders. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427261"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653738"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053023"},{"key":"e_1_3_2_1_43_1","unstructured":"Georgia Tech. 2022. GT malware passive DNS data daily feed. https:\/\/impactcybertrust.org\/dataset_view?idDataset=520.  Georgia Tech. 2022. GT malware passive DNS data daily feed. https:\/\/impactcybertrust.org\/dataset_view?idDataset=520."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/2567948.2579359"},{"key":"e_1_3_2_1_45_1","volume-title":"Proceedings of the 2006 Network and Distributed System Security Symposium (NDSS 06)","author":"Wang Yi-Min","year":"2006","unstructured":"Yi-Min Wang , Doug Beck , Xuxian Jiang , and Roussi Roussev . 2006 . Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities . In Proceedings of the 2006 Network and Distributed System Security Symposium (NDSS 06) . Yi-Min Wang, Doug Beck, Xuxian Jiang, and Roussi Roussev. 2006. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In Proceedings of the 2006 Network and Distributed System Security Symposium (NDSS 06)."},{"key":"e_1_3_2_1_46_1","volume-title":"Proceedings of the 2011 USENIX Workshop on Free and Open Communications on the Internet (FOCI 11)","author":"Weaver Nicholas","year":"2011","unstructured":"Nicholas Weaver , Christian Kreibich , and Vern Paxson . 2011 . Redirecting {DNS} for Ads and Profit . In Proceedings of the 2011 USENIX Workshop on Free and Open Communications on the Internet (FOCI 11) . Nicholas Weaver, Christian Kreibich, and Vern Paxson. 2011. Redirecting {DNS} for Ads and Profit. In Proceedings of the 2011 USENIX Workshop on Free and Open Communications on the Internet (FOCI 11)."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-24668-8_15"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660352"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3487552.3487853"}],"event":{"name":"ACSAC: Annual Computer Security Applications Conference","location":"Austin TX USA","acronym":"ACSAC"},"container-title":["Proceedings of the 38th Annual Computer Security Applications Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3564625.3564646","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3564625.3564646","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T18:09:12Z","timestamp":1750183752000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3564625.3564646"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,12,5]]},"references-count":49,"alternative-id":["10.1145\/3564625.3564646","10.1145\/3564625"],"URL":"https:\/\/doi.org\/10.1145\/3564625.3564646","relation":{},"subject":[],"published":{"date-parts":[[2022,12,5]]},"assertion":[{"value":"2022-12-05","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}