{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,9]],"date-time":"2026-06-09T16:28:20Z","timestamp":1781022500827,"version":"3.54.1"},"publisher-location":"New York, NY, USA","reference-count":62,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,7,20]],"date-time":"2025-07-20T00:00:00Z","timestamp":1752969600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Science Foundation for Distinguished Young Scholars of China","award":["62425201"],"award-info":[{"award-number":["62425201"]}]},{"name":"Science Fund for Creative Research Groups of the National Natural Science Foundation of China","award":["62221003"],"award-info":[{"award-number":["62221003"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,7,20]]},"DOI":"10.1145\/3690624.3709218","type":"proceedings-article","created":{"date-parts":[[2025,4,4]],"date-time":"2025-04-04T18:48:32Z","timestamp":1743792512000},"page":"342-353","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["Wedjat: Detecting Sophisticated Evasion Attacks via Real-time Causal Analysis"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-3636-5218","authenticated-orcid":false,"given":"Li","family":"Gao","sequence":"first","affiliation":[{"name":"Tsinghua University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4568-6125","authenticated-orcid":false,"given":"Chuanpu","family":"Fu","sequence":"additional","affiliation":[{"name":"Tsinghua University, Bejing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4366-4777","authenticated-orcid":false,"given":"Xinhao","family":"Deng","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2587-8517","authenticated-orcid":false,"given":"Ke","family":"Xu","sequence":"additional","affiliation":[{"name":"Tsinghua University, BeiJing, China &amp; Zhongguancun Lab, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8776-8730","authenticated-orcid":false,"given":"Qi","family":"Li","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, China &amp; Zhongguancun Lab, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2025,7,20]]},"reference":[{"key":"e_1_3_2_2_1_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM41043.2020.9155465"},{"key":"e_1_3_2_2_2_1","volume-title":"Alahmadi et al","author":"Bushra","year":"2022","unstructured":"Bushra A. Alahmadi et al. 2022. 99% False Positives: A Qualitative Study of SOC Analysts' Perspectives on Security Alarms. In Security. USENIX, 2783--2800."},{"key":"e_1_3_2_2_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3097983.3098163"},{"key":"e_1_3_2_2_4_1","volume-title":"McGrew","author":"Anderson Blake","year":"2016","unstructured":"Blake Anderson and David A. McGrew. 2016. Identifying Encrypted Malware Traffic with Contextual Flow Data. In AISec. ACM, 35--46."},{"key":"e_1_3_2_2_5_1","unstructured":"Daniel Arp et al. 2022. Dos and Don'ts of Machine Learning in Computer Security. In Security. USENIX."},{"key":"e_1_3_2_2_6_1","doi-asserted-by":"crossref","unstructured":"Alireza Bahramali et al. 2020. Practical Traffic Analysis Attacks on Secure Messaging Applications. In NDSS. ISOC.","DOI":"10.14722\/ndss.2020.24347"},{"key":"e_1_3_2_2_7_1","doi-asserted-by":"crossref","unstructured":"Diogo Barradas et al. 2021. FlowLens: Enabling Efficient Flow Classification for ML-based Network Security Applications. In NDSS. ISOC.","DOI":"10.14722\/ndss.2021.24067"},{"key":"e_1_3_2_2_8_1","volume-title":"25th USENIX Security Symposium (USENIX Security 16)","author":"Bartos Karel","year":"2016","unstructured":"Karel Bartos, Michal Sofka, and Vojtech Franc. 2016. Optimized invariant representation of network traffic for detecting unseen malware variants. In 25th USENIX Security Symposium (USENIX Security 16). 807--822."},{"key":"e_1_3_2_2_9_1","doi-asserted-by":"crossref","unstructured":"Leyla Bilge et al. 2012. Disclosure: detecting botnet command and control servers through large-scale NetFlow analysis. In ACSAC. ACM 129--138.","DOI":"10.1145\/2420950.2420969"},{"key":"e_1_3_2_2_10_1","volume-title":"Pattern recognition and machine learning","author":"Bishop Christopher M","unstructured":"Christopher M Bishop and Nasser M Nasrabadi. 2006. Pattern recognition and machine learning. Vol. 4. Springer."},{"key":"e_1_3_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1214\/21-AOS2064"},{"key":"e_1_3_2_2_12_1","unstructured":"Cisco. Accessed May 2022. Cisco Encrypted Traffic Analytics. https:\/\/www.cisco.com \/c\/en\/us\/solutionsenterprise-networks\/enterprise-network-security\/eta. html."},{"key":"e_1_3_2_2_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/1014052.1014066"},{"key":"e_1_3_2_2_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1014052.1014118"},{"key":"e_1_3_2_2_15_1","doi-asserted-by":"crossref","unstructured":"Xuewei Feng et al. 2020. Off-Path TCP Exploits of the Mixed IPID Assignment. In CCS. ACM 1323--1335.","DOI":"10.1145\/3372297.3417884"},{"key":"e_1_3_2_2_16_1","unstructured":"Canadian Institute for Cybersecurity. Accessed Jan. 2024 a. DNS-over-HTTP datasets. https:\/\/www.unb.ca\/cic\/datasets\/dohbrw-2020.html."},{"key":"e_1_3_2_2_17_1","unstructured":"Canadian Institute for Cybersecurity. Accessed Jan. 2024 b. A real-time dataset and benchmark for large-scale attacks in IoT environment. https:\/\/www.unb.ca\/cic\/datasets\/iotdataset-2023.html."},{"key":"e_1_3_2_2_18_1","doi-asserted-by":"crossref","unstructured":"Chuanpu Fu et al. 2023a. Point Cloud Analysis for ML-Based Malicious Traffic Detection: Reducing Majorities of False Positive Alarms. In CCS. ACM 1005--1019.","DOI":"10.1145\/3576915.3616631"},{"key":"e_1_3_2_2_19_1","volume-title":"to appear. Frequency Domain Feature Based Robust Malicious Traffic Detection","author":"Chuanpu Fu","unstructured":"Chuanpu Fu et al. to appear. Frequency Domain Feature Based Robust Malicious Traffic Detection. IEEE\/ACM Trans. Netw. ( to appear)."},{"key":"e_1_3_2_2_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484585"},{"key":"e_1_3_2_2_21_1","volume-title":"Detecting unknown encrypted malicious traffic in real time via flow interaction graph analysis. arXiv preprint arXiv:2301.13686","author":"Fu Chuanpu","year":"2023","unstructured":"Chuanpu Fu, Qi Li, and Ke Xu. 2023b. Detecting unknown encrypted malicious traffic in real time via flow interaction graph analysis. arXiv preprint arXiv:2301.13686 (2023)."},{"key":"e_1_3_2_2_22_1","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Gong Jiajun","year":"2020","unstructured":"Jiajun Gong and Tao Wang. 2020. Zero-delay lightweight defenses against website fingerprinting. In 29th USENIX Security Symposium (USENIX Security 20). 717--734."},{"key":"e_1_3_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484758"},{"key":"e_1_3_2_2_24_1","volume-title":"Nazca: Detecting Malware Distribution in Large-Scale Networks. In NDSS. ISOC.","author":"Luca Invernizzi","year":"2014","unstructured":"Luca Invernizzi et al. 2014. Nazca: Detecting Malware Distribution in Large-Scale Networks. In NDSS. ISOC."},{"key":"e_1_3_2_2_25_1","doi-asserted-by":"crossref","unstructured":"Arthur Selle Jacobs et al. 2022. AI\/ML for Network Security: The Emperor has no Clothes. In CCS. ACM 1537--1551.","DOI":"10.1145\/3548606.3560609"},{"key":"e_1_3_2_2_26_1","volume-title":"Proceedings, Part I 21","author":"Juarez Marc","year":"2016","unstructured":"Marc Juarez, Mohsen Imani, Mike Perry, Claudia Diaz, and Matthew Wright. 2016. Toward an efficient website fingerprinting defense. In Computer Security--ESORICS 2016: 21st European Symposium on Research in Computer Security, Heraklion, Greece, September 26--30, 2016, Proceedings, Part I 21. Springer, 27--46."},{"key":"e_1_3_2_2_27_1","doi-asserted-by":"crossref","unstructured":"Min Suk Kang et al. 2013. The Crossfire Attack. In SP. IEEE 127--141.","DOI":"10.1109\/SP.2013.19"},{"key":"e_1_3_2_2_28_1","doi-asserted-by":"crossref","unstructured":"Chaz Lever et al. 2017. A Lustrum of Malware Network Communication: Evolution and Insights. In SP. IEEE 788--804.","DOI":"10.1109\/SP.2017.59"},{"key":"e_1_3_2_2_29_1","volume-title":"Workshop at UAI. AUAI.","author":"Liang Dawen","year":"2016","unstructured":"Dawen Liang, Laurent Charlin, and David M Blei. 2016. Causal inference for recommendation. In Causation: Foundation to Application, Workshop at UAI. AUAI."},{"key":"e_1_3_2_2_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3485447.3512217"},{"key":"e_1_3_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2019.8737507"},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3219819.3220027"},{"key":"e_1_3_2_2_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR52688.2022.01657"},{"key":"e_1_3_2_2_34_1","volume-title":"USENIX Security Symposium. 3829--3846","author":"Liu Zaoxing","year":"2021","unstructured":"Zaoxing Liu, Hun Namkung, Georgios Nikolaidis, Jeongkeun Lee, Changhoon Kim, Xin Jin, Vladimir Braverman, Minlan Yu, and Vyas Sekar. 2021. Jaqen: A High-Performance Switch-Native Approach for Detecting and Mitigating Volumetric DDoS Attacks with Programmable Switches.. In USENIX Security Symposium. 3829--3846."},{"key":"e_1_3_2_2_35_1","volume-title":"Graphical Models: Selecting causal and statistical models. Ph.,D. Dissertation","author":"Meek Christopher","year":"1997","unstructured":"Christopher Meek. 1997. Graphical Models: Selecting causal and statistical models. Ph.,D. Dissertation. Carnegie Mellon University."},{"key":"e_1_3_2_2_36_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.24056"},{"key":"e_1_3_2_2_37_1","unstructured":"Robert Merget et al. 2019. Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities. In Security. USENIX 1029--1046."},{"key":"e_1_3_2_2_38_1","volume-title":"Kitsune: an ensemble of autoencoders for online network intrusion detection. arXiv preprint arXiv:1802.09089","author":"Mirsky Yisroel","year":"2018","unstructured":"Yisroel Mirsky, Tomer Doitshman, Yuval Elovici, and Asaf Shabtai. 2018. Kitsune: an ensemble of autoencoders for online network intrusion detection. arXiv preprint arXiv:1802.09089 (2018)."},{"key":"e_1_3_2_2_39_1","unstructured":"Terry Nelms et al. 2015. WebWitness: Investigating Categorizing and Mitigating Malware Download Paths. In Security. USENIX 1025--1040."},{"key":"e_1_3_2_2_40_1","volume-title":"Bro: a system for detecting network intruders in real-time. Computer networks","author":"Paxson Vern","year":"1999","unstructured":"Vern Paxson. 1999. Bro: a system for detecting network intruders in real-time. Computer networks, Vol. 31, 23--24 (1999), 2435--2463."},{"key":"e_1_3_2_2_41_1","volume-title":"Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs. In CCS. ACM, 1757--1771.","author":"Giancarlo Pellegrino","year":"2017","unstructured":"Giancarlo Pellegrino et al. 2017. Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs. In CCS. ACM, 1757--1771."},{"key":"e_1_3_2_2_42_1","doi-asserted-by":"crossref","unstructured":"Vera Rimmer et al. 2018. Automated Website Fingerprinting through Deep Learning. In NDSS. ISOC.","DOI":"10.14722\/ndss.2018.23105"},{"key":"e_1_3_2_2_43_1","first-page":"229","article-title":"Snort: Lightweight intrusion detection for networks","volume":"99","author":"Martin Roesch","year":"1999","unstructured":"Martin Roesch et al. 1999. Snort: Lightweight intrusion detection for networks.. In Lisa, Vol. 99. 229--238.","journal-title":"Lisa"},{"key":"e_1_3_2_2_44_1","first-page":"108","article-title":"Toward generating a new intrusion detection dataset and intrusion traffic characterization","volume":"1","author":"Sharafaldin Iman","year":"2018","unstructured":"Iman Sharafaldin, Arash Habibi Lashkari, and Ali A Ghorbani. 2018. Toward generating a new intrusion detection dataset and intrusion traffic characterization. ICISSp, Vol. 1 (2018), 108--116.","journal-title":"ICISSp"},{"key":"e_1_3_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3050608"},{"key":"e_1_3_2_2_46_1","doi-asserted-by":"crossref","unstructured":"Sandra Siby et al. 2020. Encrypted DNS -textgreater Privacy? A Traffic Analysis Perspective. In NDSS. ISOC.","DOI":"10.14722\/ndss.2020.24301"},{"key":"e_1_3_2_2_47_1","unstructured":"Giuseppe Siracusano et al. 2022. Re-architecting Traffic Analysis with Neural Network Interface Cards. In NSDI. USENIX 513--533."},{"key":"e_1_3_2_2_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/2207243.2207252"},{"key":"e_1_3_2_2_49_1","unstructured":"Suricata. Accessed May 2022. An Open Source Threat Detection Engine. https:\/\/suricata-ids.org\/."},{"key":"e_1_3_2_2_50_1","doi-asserted-by":"crossref","unstructured":"Ruming Tang et al. 2020. ZeroWall: Detecting Zero-Day Web Attacks through Encoder-Decoder Recurrent Neural Networks. In INFOCOM. IEEE 2479--2488.","DOI":"10.1109\/INFOCOM41043.2020.9155278"},{"key":"e_1_3_2_2_51_1","doi-asserted-by":"crossref","unstructured":"Florian Tegeler et al. 2012. BotFinder: finding bots in network traffic without deep packet inspection. In CoNEXT. ACM 349--360.","DOI":"10.1145\/2413176.2413217"},{"key":"e_1_3_2_2_52_1","doi-asserted-by":"crossref","unstructured":"Kurt Thomas et al. 2017. Data Breaches Phishing or Malware?: Understanding the Risks of Stolen Credentials. In CCS. ACM 1421--1434.","DOI":"10.1145\/3133956.3134067"},{"key":"e_1_3_2_2_53_1","doi-asserted-by":"crossref","unstructured":"Thijs van Ede et al. 2020. FlowPrint: Semi-Supervised Mobile-App Fingerprinting on Encrypted Network Traffic. In NDSS. ISOC.","DOI":"10.14722\/ndss.2020.24412"},{"key":"e_1_3_2_2_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3101311"},{"key":"e_1_3_2_2_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01391"},{"key":"e_1_3_2_2_56_1","volume-title":"Ripple: A Programmable, Decentralized Link-Flooding Defense Against Adaptive Adversaries. In Security. USENIX, 3865--3880.","author":"Jiarong Xing","year":"2021","unstructured":"Jiarong Xing et al. 2021. Ripple: A Programmable, Decentralized Link-Flooding Defense Against Adaptive Adversaries. In Security. USENIX, 3865--3880."},{"key":"e_1_3_2_2_57_1","unstructured":"Zeek. Accessed May 2022. An Open Source Network Security Monitoring Tool. https:\/\/zeek.org\/."},{"key":"e_1_3_2_2_58_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2023.103644"},{"key":"e_1_3_2_2_59_1","volume-title":"Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches. In NDSS. ISOC.","author":"Menghao Zhang","year":"2020","unstructured":"Menghao Zhang et al. 2020. Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches. In NDSS. ISOC."},{"key":"e_1_3_2_2_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2018.2805600"},{"key":"e_1_3_2_2_61_1","unstructured":"Guangmeng Zhou et al. 2023. NetBeacon: An Efficient Design of Intelligent Network Data Plane. In Security. USENIX to appear."},{"key":"e_1_3_2_2_62_1","first-page":"4396","article-title":"Domain generalization: A survey","volume":"45","author":"Zhou Kaiyang","year":"2022","unstructured":"Kaiyang Zhou, Ziwei Liu, Yu Qiao, Tao Xiang, and Chen Change Loy. 2022. Domain generalization: A survey. IEEE Transactions on Pattern Analysis and Machine Intelligence, Vol. 45, 4 (2022), 4396--4415.","journal-title":"IEEE Transactions on Pattern Analysis and Machine Intelligence"}],"event":{"name":"KDD '25: The 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining","location":"Toronto ON Canada","acronym":"KDD '25","sponsor":["SIGMOD ACM Special Interest Group on Management of Data","SIGKDD ACM Special Interest Group on Knowledge Discovery in Data"]},"container-title":["Proceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining V.1"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3690624.3709218","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3690624.3709218","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,16]],"date-time":"2025-08-16T15:43:35Z","timestamp":1755359015000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3690624.3709218"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,20]]},"references-count":62,"alternative-id":["10.1145\/3690624.3709218","10.1145\/3690624"],"URL":"https:\/\/doi.org\/10.1145\/3690624.3709218","relation":{},"subject":[],"published":{"date-parts":[[2025,7,20]]},"assertion":[{"value":"2025-07-20","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}