{"id":"https://openalex.org/W3111734087","doi":"https://doi.org/10.1109/csnet50428.2020.9265466","title":"Detecting abnormal DNS traffic using unsupervised machine learning","display_name":"Detecting abnormal DNS traffic using unsupervised machine learning","publication_year":2020,"publication_date":"2020-10-21","ids":{"openalex":"https://openalex.org/W3111734087","doi":"https://doi.org/10.1109/csnet50428.2020.9265466","mag":"3111734087"},"language":"en","primary_location":{"id":"doi:10.1109/csnet50428.2020.9265466","is_oa":false,"landing_page_url":"https://doi.org/10.1109/csnet50428.2020.9265466","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2020 4th Cyber Security in Networking Conference (CSNet)","raw_type":"proceedings-article"},"type":"preprint","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://hal.science/hal-03184957","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5064286253","display_name":"Thi Quynh Nguyen","orcid":"https://orcid.org/0009-0002-4263-2850"},"institutions":[{"id":"https://openalex.org/I134560555","display_name":"Universit\u00e9 Toulouse III - Paul Sabatier","ror":"https://ror.org/02v6kpv12","country_code":"FR","type":"education","lineage":["https://openalex.org/I134560555"]},{"id":"https://openalex.org/I3131550300","display_name":"Universit\u00e9 Toulouse-I-Capitole","ror":"https://ror.org/0443n9e75","country_code":"FR","type":"education","lineage":["https://openalex.org/I3131550300"]},{"id":"https://openalex.org/I4210119061","display_name":"Institut de Recherche en Informatique de Toulouse","ror":"https://ror.org/01rx4qw44","country_code":"FR","type":"facility","lineage":["https://openalex.org/I1294671590","https://openalex.org/I205747304","https://openalex.org/I205747304","https://openalex.org/I4210119061","https://openalex.org/I4210152422","https://openalex.org/I4387153255","https://openalex.org/I4405258862","https://openalex.org/I4405259414"]},{"id":"https://openalex.org/I4210152422","display_name":"Universit\u00e9 Toulouse - Jean Jaur\u00e8s","ror":"https://ror.org/04ezk3x31","country_code":"FR","type":"education","lineage":["https://openalex.org/I4210152422"]},{"id":"https://openalex.org/I4210160189","display_name":"Institut Polytechnique de Bordeaux","ror":"https://ror.org/054qv7y42","country_code":"FR","type":"education","lineage":["https://openalex.org/I4210160189"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Thi Quynh Nguyen","raw_affiliation_strings":["University Paul Sabatier,Toulouse,France","IRIT-SIERA - Service IntEgration and netwoRk Administration (IRIT\r\n118 Route de Narbonne\r\n31062 Toulouse Cedex 9 - France)"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University Paul Sabatier,Toulouse,France","institution_ids":["https://openalex.org/I134560555"]},{"raw_affiliation_string":"IRIT-SIERA - Service IntEgration and netwoRk Administration (IRIT\r\n118 Route de Narbonne\r\n31062 Toulouse Cedex 9 - France)","institution_ids":["https://openalex.org/I4210152422","https://openalex.org/I134560555","https://openalex.org/I4210119061","https://openalex.org/I3131550300","https://openalex.org/I4210160189"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5001626345","display_name":"Romain Laborde","orcid":"https://orcid.org/0000-0002-0943-6180"},"institutions":[{"id":"https://openalex.org/I134560555","display_name":"Universit\u00e9 Toulouse III - Paul Sabatier","ror":"https://ror.org/02v6kpv12","country_code":"FR","type":"education","lineage":["https://openalex.org/I134560555"]},{"id":"https://openalex.org/I3131550300","display_name":"Universit\u00e9 Toulouse-I-Capitole","ror":"https://ror.org/0443n9e75","country_code":"FR","type":"education","lineage":["https://openalex.org/I3131550300"]},{"id":"https://openalex.org/I4210119061","display_name":"Institut de Recherche en Informatique de Toulouse","ror":"https://ror.org/01rx4qw44","country_code":"FR","type":"facility","lineage":["https://openalex.org/I1294671590","https://openalex.org/I205747304","https://openalex.org/I205747304","https://openalex.org/I4210119061","https://openalex.org/I4210152422","https://openalex.org/I4387153255","https://openalex.org/I4405258862","https://openalex.org/I4405259414"]},{"id":"https://openalex.org/I4210152422","display_name":"Universit\u00e9 Toulouse - Jean Jaur\u00e8s","ror":"https://ror.org/04ezk3x31","country_code":"FR","type":"education","lineage":["https://openalex.org/I4210152422"]},{"id":"https://openalex.org/I4210160189","display_name":"Institut Polytechnique de Bordeaux","ror":"https://ror.org/054qv7y42","country_code":"FR","type":"education","lineage":["https://openalex.org/I4210160189"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Romain Laborde","raw_affiliation_strings":["University Paul Sabatier,Toulouse,France","IRIT-SIERA - Service IntEgration and netwoRk Administration (IRIT\r\n118 Route de Narbonne\r\n31062 Toulouse Cedex 9 - France)"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University Paul Sabatier,Toulouse,France","institution_ids":["https://openalex.org/I134560555"]},{"raw_affiliation_string":"IRIT-SIERA - Service IntEgration and netwoRk Administration (IRIT\r\n118 Route de Narbonne\r\n31062 Toulouse Cedex 9 - France)","institution_ids":["https://openalex.org/I4210152422","https://openalex.org/I134560555","https://openalex.org/I4210119061","https://openalex.org/I3131550300","https://openalex.org/I4210160189"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5064062710","display_name":"Abdelmalek Benzekri","orcid":"https://orcid.org/0000-0001-8236-8690"},"institutions":[{"id":"https://openalex.org/I134560555","display_name":"Universit\u00e9 Toulouse III - Paul Sabatier","ror":"https://ror.org/02v6kpv12","country_code":"FR","type":"education","lineage":["https://openalex.org/I134560555"]},{"id":"https://openalex.org/I3131550300","display_name":"Universit\u00e9 Toulouse-I-Capitole","ror":"https://ror.org/0443n9e75","country_code":"FR","type":"education","lineage":["https://openalex.org/I3131550300"]},{"id":"https://openalex.org/I4210119061","display_name":"Institut de Recherche en Informatique de Toulouse","ror":"https://ror.org/01rx4qw44","country_code":"FR","type":"facility","lineage":["https://openalex.org/I1294671590","https://openalex.org/I205747304","https://openalex.org/I205747304","https://openalex.org/I4210119061","https://openalex.org/I4210152422","https://openalex.org/I4387153255","https://openalex.org/I4405258862","https://openalex.org/I4405259414"]},{"id":"https://openalex.org/I4210152422","display_name":"Universit\u00e9 Toulouse - Jean Jaur\u00e8s","ror":"https://ror.org/04ezk3x31","country_code":"FR","type":"education","lineage":["https://openalex.org/I4210152422"]},{"id":"https://openalex.org/I4210160189","display_name":"Institut Polytechnique de Bordeaux","ror":"https://ror.org/054qv7y42","country_code":"FR","type":"education","lineage":["https://openalex.org/I4210160189"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Abdelmalek Benzekri","raw_affiliation_strings":["University Paul Sabatier,Toulouse,France","IRIT-SIERA - Service IntEgration and netwoRk Administration (IRIT\r\n118 Route de Narbonne\r\n31062 Toulouse Cedex 9 - France)"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University Paul Sabatier,Toulouse,France","institution_ids":["https://openalex.org/I134560555"]},{"raw_affiliation_string":"IRIT-SIERA - Service IntEgration and netwoRk Administration (IRIT\r\n118 Route de Narbonne\r\n31062 Toulouse Cedex 9 - France)","institution_ids":["https://openalex.org/I4210152422","https://openalex.org/I134560555","https://openalex.org/I4210119061","https://openalex.org/I3131550300","https://openalex.org/I4210160189"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5106473642","display_name":"Bruno Qu'hen","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Bruno Qu'hen","raw_affiliation_strings":["MODIS,Courbevoie,France"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"MODIS,Courbevoie,France","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":1.1345,"has_fulltext":false,"cited_by_count":12,"citation_normalized_percentile":{"value":0.80989297,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":94,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"8"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.9973000288009644,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8405237793922424},{"id":"https://openalex.org/keywords/dbscan","display_name":"DBSCAN","score":0.6491740942001343},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.5984735488891602},{"id":"https://openalex.org/keywords/cluster-analysis","display_name":"Cluster analysis","score":0.5923119783401489},{"id":"https://openalex.org/keywords/unsupervised-learning","display_name":"Unsupervised learning","score":0.5656071305274963},{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.5484455823898315},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.5372452735900879},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.5068812966346741},{"id":"https://openalex.org/keywords/byte","display_name":"Byte","score":0.44551941752433777},{"id":"https://openalex.org/keywords/constant-false-alarm-rate","display_name":"Constant false alarm rate","score":0.43078285455703735},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.4229367971420288},{"id":"https://openalex.org/keywords/pattern-recognition","display_name":"Pattern recognition (psychology)","score":0.3586770296096802},{"id":"https://openalex.org/keywords/fuzzy-clustering","display_name":"Fuzzy clustering","score":0.2529675364494324}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8405237793922424},{"id":"https://openalex.org/C46576248","wikidata":"https://www.wikidata.org/wiki/Q1114630","display_name":"DBSCAN","level":5,"score":0.6491740942001343},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.5984735488891602},{"id":"https://openalex.org/C73555534","wikidata":"https://www.wikidata.org/wiki/Q622825","display_name":"Cluster analysis","level":2,"score":0.5923119783401489},{"id":"https://openalex.org/C8038995","wikidata":"https://www.wikidata.org/wiki/Q1152135","display_name":"Unsupervised learning","level":2,"score":0.5656071305274963},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.5484455823898315},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.5372452735900879},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5068812966346741},{"id":"https://openalex.org/C43364308","wikidata":"https://www.wikidata.org/wiki/Q8799","display_name":"Byte","level":2,"score":0.44551941752433777},{"id":"https://openalex.org/C77052588","wikidata":"https://www.wikidata.org/wiki/Q644307","display_name":"Constant false alarm rate","level":2,"score":0.43078285455703735},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.4229367971420288},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.3586770296096802},{"id":"https://openalex.org/C17212007","wikidata":"https://www.wikidata.org/wiki/Q5511111","display_name":"Fuzzy clustering","level":3,"score":0.2529675364494324},{"id":"https://openalex.org/C104047586","wikidata":"https://www.wikidata.org/wiki/Q5033439","display_name":"Canopy clustering algorithm","level":4,"score":0.0},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/csnet50428.2020.9265466","is_oa":false,"landing_page_url":"https://doi.org/10.1109/csnet50428.2020.9265466","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2020 4th Cyber Security in Networking Conference (CSNet)","raw_type":"proceedings-article"},{"id":"pmh:oai:HAL:hal-03184957v1","is_oa":true,"landing_page_url":"https://hal.science/hal-03184957","pdf_url":null,"source":{"id":"https://openalex.org/S4306402512","display_name":"HAL (Le Centre pour la Communication Scientifique Directe)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1294671590","host_organization_name":"Centre National de la Recherche Scientifique","host_organization_lineage":["https://openalex.org/I1294671590"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"https://ieeexplore.ieee.org/abstract/document/9265466","raw_type":"Conference papers"}],"best_oa_location":{"id":"pmh:oai:HAL:hal-03184957v1","is_oa":true,"landing_page_url":"https://hal.science/hal-03184957","pdf_url":null,"source":{"id":"https://openalex.org/S4306402512","display_name":"HAL (Le Centre pour la Communication Scientifique Directe)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1294671590","host_organization_name":"Centre National de la Recherche Scientifique","host_organization_lineage":["https://openalex.org/I1294671590"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"https://ieeexplore.ieee.org/abstract/document/9265466","raw_type":"Conference papers"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.6200000047683716}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":29,"referenced_works":["https://openalex.org/W1546503963","https://openalex.org/W1673310716","https://openalex.org/W1969126031","https://openalex.org/W1975415766","https://openalex.org/W2031163547","https://openalex.org/W2039377530","https://openalex.org/W2049633694","https://openalex.org/W2117316063","https://openalex.org/W2127218421","https://openalex.org/W2137107348","https://openalex.org/W2144182447","https://openalex.org/W2155653793","https://openalex.org/W2631977690","https://openalex.org/W2789758093","https://openalex.org/W2899891373","https://openalex.org/W2900069093","https://openalex.org/W2954312565","https://openalex.org/W2958189542","https://openalex.org/W2973153123","https://openalex.org/W3013443908","https://openalex.org/W3016980352","https://openalex.org/W3033509752","https://openalex.org/W4254182148","https://openalex.org/W4288309149","https://openalex.org/W4300672471","https://openalex.org/W6637131181","https://openalex.org/W6678914141","https://openalex.org/W6739656747","https://openalex.org/W6764938236"],"related_works":["https://openalex.org/W3163639875","https://openalex.org/W2364999035","https://openalex.org/W4226497289","https://openalex.org/W4386078164","https://openalex.org/W2369356834","https://openalex.org/W2966681114","https://openalex.org/W2553918434","https://openalex.org/W2891797536","https://openalex.org/W2356023405","https://openalex.org/W3105289658"],"abstract_inverted_index":{"Nowadays,":[0],"complex":[1],"attacks":[2],"like":[3,19],"Advanced":[4],"Persistent":[5],"Threats":[6],"(APTs)":[7],"often":[8],"use":[9],"tunneling":[10],"techniques":[11],"to":[12,33,104,122,144],"avoid":[13],"being":[14],"detected":[15],"by":[16,37],"security":[17],"systems":[18],"Intrusion":[20],"Detection":[21],"System":[22],"(IDS),":[23],"Security":[24],"Event":[25],"Information":[26],"Management":[27],"(SIEMs)":[28],"or":[29,149],"firewalls.":[30],"Companies":[31],"try":[32],"identify":[34],"these":[35],"APTs":[36],"defining":[38],"rules":[39],"on":[40,89],"their":[41],"intrusion":[42],"detection":[43,125],"system,":[44],"but":[45],"it":[46],"is":[47],"a":[48,53],"hard":[49],"task":[50],"that":[51,114],"requires":[52],"lot":[54],"of":[55,66,79,92,100,147,151],"time":[56],"and":[57,84,117,127,130],"effort.":[58],"In":[59],"this":[60],"study,":[61],"we":[62,110],"compare":[63],"the":[64,90,93,101,140,145,155],"performance":[65],"four":[67],"unsupervised":[68],"machine-learning":[69],"algorithms:":[70],"K-means,":[71],"Gaussian":[72],"Mixture":[73],"Model":[74],"(GMM),":[75],"Density-Based":[76],"Spatial":[77],"Clustering":[78],"Applications":[80],"with":[81],"Noise":[82],"(DBSCAN),":[83],"Local":[85],"Outlier":[86],"Factor":[87],"(LOF)":[88],"Boss":[91],"SOC":[94],"Dataset":[95],"Version":[96],"1":[97],"(Botsv1)":[98],"dataset":[99],"Splunk":[102],"project":[103],"detect":[105],"malicious":[106],"DNS":[107],"traffics.":[108],"Then":[109],"propose":[111],"an":[112],"approach":[113],"combines":[115],"DBSCAN":[116],"K":[118],"Nearest":[119],"Neighbor":[120],"(KNN)":[121],"achieve":[123],"100%":[124],"rate":[126],"between":[128],"1.6%":[129],"2.3%":[131],"false-positive":[132],"rate.":[133],"A":[134],"simple":[135],"post-analysis":[136],"consisting":[137],"in":[138],"ranking":[139],"IP":[141],"addresses":[142],"according":[143],"number":[146],"requests":[148],"volume":[150],"bytes":[152],"sent":[153],"determines":[154],"infected":[156],"machines.":[157]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":2},{"year":2023,"cited_by_count":3},{"year":2022,"cited_by_count":2},{"year":2021,"cited_by_count":2}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}