{"id":"https://openalex.org/W4401567999","doi":"https://doi.org/10.1109/tifs.2024.3443596","title":"GraphTunnel: Robust DNS Tunnel Detection Based on DNS Recursive Resolution Graph","display_name":"GraphTunnel: Robust DNS Tunnel Detection Based on DNS Recursive Resolution Graph","publication_year":2024,"publication_date":"2024-01-01","ids":{"openalex":"https://openalex.org/W4401567999","doi":"https://doi.org/10.1109/tifs.2024.3443596"},"language":"en","primary_location":{"id":"doi:10.1109/tifs.2024.3443596","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2024.3443596","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5086168764","display_name":"Guangyuan Gao","orcid":"https://orcid.org/0000-0002-3287-375X"},"institutions":[{"id":"https://openalex.org/I150229711","display_name":"University of Electronic Science and Technology of China","ror":"https://ror.org/04qr3zq92","country_code":"CN","type":"education","lineage":["https://openalex.org/I150229711"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Guangyuan Gao","raw_affiliation_strings":["School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China","institution_ids":["https://openalex.org/I150229711"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5029715489","display_name":"Weina Niu","orcid":"https://orcid.org/0000-0002-3235-3463"},"institutions":[{"id":"https://openalex.org/I150229711","display_name":"University of Electronic Science and Technology of China","ror":"https://ror.org/04qr3zq92","country_code":"CN","type":"education","lineage":["https://openalex.org/I150229711"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Weina Niu","raw_affiliation_strings":["School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China"],"raw_orcid":"https://orcid.org/0000-0002-3235-3463","affiliations":[{"raw_affiliation_string":"School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China","institution_ids":["https://openalex.org/I150229711"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Jiacheng Gong","orcid":"https://orcid.org/0009-0000-7970-9968"},"institutions":[{"id":"https://openalex.org/I150229711","display_name":"University of Electronic Science and Technology of China","ror":"https://ror.org/04qr3zq92","country_code":"CN","type":"education","lineage":["https://openalex.org/I150229711"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jiacheng Gong","raw_affiliation_strings":["School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China"],"raw_orcid":"https://orcid.org/0009-0000-7970-9968","affiliations":[{"raw_affiliation_string":"School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China","institution_ids":["https://openalex.org/I150229711"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5106511173","display_name":"Dujuan Gu","orcid":"https://orcid.org/0000-0003-3445-8100"},"institutions":[{"id":"https://openalex.org/I110630785","display_name":"NSK (United States)","ror":"https://ror.org/027qba521","country_code":"US","type":"company","lineage":["https://openalex.org/I110630785","https://openalex.org/I4210157453"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Dujuan Gu","raw_affiliation_strings":["NSFOCUS Technologies Group Company Ltd., Beijing, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"NSFOCUS Technologies Group Company Ltd., Beijing, China","institution_ids":["https://openalex.org/I110630785"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5052688074","display_name":"Li Song","orcid":"https://orcid.org/0000-0001-5622-9558"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Song Li","raw_affiliation_strings":["State Key Laboratory of Blockchain and Data Security and the School of Cyber Science and Technology, Zhejiang University, Hangzhou, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"State Key Laboratory of Blockchain and Data Security and the School of Cyber Science and Technology, Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102892645","display_name":"Mingxue Zhang","orcid":"https://orcid.org/0000-0001-8863-8751"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Mingxue Zhang","raw_affiliation_strings":["State Key Laboratory of Blockchain and Data Security and the School of Cyber Science and Technology, Zhejiang University, Hangzhou, China"],"raw_orcid":"https://orcid.org/0000-0001-8863-8751","affiliations":[{"raw_affiliation_string":"State Key Laboratory of Blockchain and Data Security and the School of Cyber Science and Technology, Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100780268","display_name":"Xiaosong Zhang","orcid":"https://orcid.org/0000-0001-9886-1412"},"institutions":[{"id":"https://openalex.org/I150229711","display_name":"University of Electronic Science and Technology of China","ror":"https://ror.org/04qr3zq92","country_code":"CN","type":"education","lineage":["https://openalex.org/I150229711"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xiaosong Zhang","raw_affiliation_strings":["School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China"],"raw_orcid":"https://orcid.org/0000-0001-9886-1412","affiliations":[{"raw_affiliation_string":"School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, China","institution_ids":["https://openalex.org/I150229711"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":7,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":3.1221,"has_fulltext":false,"cited_by_count":10,"citation_normalized_percentile":{"value":0.92166125,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":"19","issue":null,"first_page":"7705","last_page":"7719"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12326","display_name":"Network Packet Processing and Optimization","score":0.9987000226974487,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7621157169342041},{"id":"https://openalex.org/keywords/graph-theory","display_name":"Graph theory","score":0.42681217193603516},{"id":"https://openalex.org/keywords/graph","display_name":"Graph","score":0.4214869439601898},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.3598947823047638},{"id":"https://openalex.org/keywords/algorithm","display_name":"Algorithm","score":0.32881033420562744},{"id":"https://openalex.org/keywords/theoretical-computer-science","display_name":"Theoretical computer science","score":0.26259875297546387},{"id":"https://openalex.org/keywords/combinatorics","display_name":"Combinatorics","score":0.1365659534931183},{"id":"https://openalex.org/keywords/mathematics","display_name":"Mathematics","score":0.13251250982284546}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7621157169342041},{"id":"https://openalex.org/C88230418","wikidata":"https://www.wikidata.org/wiki/Q131476","display_name":"Graph theory","level":2,"score":0.42681217193603516},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.4214869439601898},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3598947823047638},{"id":"https://openalex.org/C11413529","wikidata":"https://www.wikidata.org/wiki/Q8366","display_name":"Algorithm","level":1,"score":0.32881033420562744},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.26259875297546387},{"id":"https://openalex.org/C114614502","wikidata":"https://www.wikidata.org/wiki/Q76592","display_name":"Combinatorics","level":1,"score":0.1365659534931183},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.13251250982284546}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tifs.2024.3443596","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tifs.2024.3443596","pdf_url":null,"source":{"id":"https://openalex.org/S61310614","display_name":"IEEE Transactions on Information Forensics and Security","issn_l":"1556-6013","issn":["1556-6013","1556-6021"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Information Forensics and Security","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1594973751","display_name":null,"funder_award_id":"U2336204","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G6027530306","display_name":null,"funder_award_id":"62372086","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G6305206681","display_name":null,"funder_award_id":"24ZNSFSC0038","funder_id":"https://openalex.org/F4320329861","funder_display_name":"Natural Science Foundation of Sichuan Province"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320329861","display_name":"Natural Science Foundation of Sichuan Province","ror":null}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":37,"referenced_works":["https://openalex.org/W2108362714","https://openalex.org/W2144578696","https://openalex.org/W2926623002","https://openalex.org/W2962711740","https://openalex.org/W2964015378","https://openalex.org/W3001279236","https://openalex.org/W3011076252","https://openalex.org/W3097571736","https://openalex.org/W3161297440","https://openalex.org/W3170557823","https://openalex.org/W3170778503","https://openalex.org/W3185198511","https://openalex.org/W3196850909","https://openalex.org/W3206115910","https://openalex.org/W4213362721","https://openalex.org/W4220754043","https://openalex.org/W4221094970","https://openalex.org/W4226373174","https://openalex.org/W4283730810","https://openalex.org/W4283813601","https://openalex.org/W4291801460","https://openalex.org/W4297733535","https://openalex.org/W4319320234","https://openalex.org/W4319455844","https://openalex.org/W4322622793","https://openalex.org/W4323045928","https://openalex.org/W4383620399","https://openalex.org/W4387351365","https://openalex.org/W4388407550","https://openalex.org/W4391006443","https://openalex.org/W4391725244","https://openalex.org/W6608273010","https://openalex.org/W6718044600","https://openalex.org/W6738964360","https://openalex.org/W6754929296","https://openalex.org/W6763291434","https://openalex.org/W6802835872"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W2051487156","https://openalex.org/W2073681303","https://openalex.org/W2390279801","https://openalex.org/W4391913857","https://openalex.org/W2358668433","https://openalex.org/W4396701345","https://openalex.org/W2376932109"],"abstract_inverted_index":{"DNS":[0,37,65,94,109,136,148,198,233,242,250,255,276,297],"tunnels,":[1,66],"due":[2],"to":[3,15,27,86,150,182,206],"their":[4,189],"versatility":[5],"and":[6,18,33,46,53,97,118,138,173,188,216],"concealment,":[7],"have":[8],"become":[9],"a":[10,23,127,227,246],"preferred":[11],"method":[12],"for":[13,121,134,229],"attackers":[14],"execute":[16],"Command":[17],"Control":[19],"(C&C)":[20],"attacks,":[21],"posing":[22],"significant":[24],"security":[25],"threat":[26],"terminal":[28],"devices.":[29],"Therefore,":[30],"the":[31,43,59,73,113,145,155,167,184,192,203,208,214,286],"efficient":[32],"accurate":[34],"detection":[35,63,88,196],"of":[36,61,64,76,115,159,186,197,211,232,270,290],"tunnels":[38,137],"is":[39],"important":[40],"in":[41,58,191,213,240,249,258,293],"reducing":[42],"economic":[44],"losses":[45],"privacy":[47],"risks":[48],"faced":[49],"by":[50,226,263],"both":[51],"enterprises":[52],"individuals.":[54],"Despite":[55],"notable":[56],"advancements":[57],"research":[60],"intelligent":[62],"existing":[67],"model-based":[68],"approaches":[69],"predominantly":[70],"concentrate":[71],"on":[72,130],"surface-level":[74],"features":[75,185,210],"domain":[77],"names":[78],"or":[79],"packet":[80],"payloads.":[81],"This":[82,123],"narrow":[83],"focus":[84],"leads":[85],"low":[87],"accuracy":[89,248,281],"when":[90],"dealing":[91,294],"with":[92,106,279,295],"unknown":[93,254],"tunnel":[95,251],"attacks":[96],"traffic":[98],"from":[99],"wildcard":[100,264],"DNS.":[101,160],"Furthermore,":[102],"these":[103,169],"methods":[104],"struggle":[105],"accurately":[107],"identifying":[108,139],"tunneling":[110,140,234,277],"tools,":[111],"complicating":[112],"task":[114],"swiftly":[116],"locating":[117],"mitigating":[119],"malware":[120],"analysts.":[122],"paper":[124],"proposes":[125],"GraphTunnel,":[126],"framework":[128],"based":[129],"graph":[131,176,215],"neural":[132],"networks":[133],"detecting":[135],"tools.":[141,235],"It":[142],"delves":[143],"into":[144,175,219],"correlations":[146],"among":[147],"resolutions":[149],"construct":[151],"paths":[152,170],"that":[153,165,239],"represent":[154],"recursive":[156],"resolution":[157],"process":[158],"By":[161],"using":[162],"central":[163],"nodes":[164,187,212],"denote":[166],"gateways,":[168],"are":[171,223],"connected":[172],"transformed":[174],"structures.":[177],"Concurrently,":[178],"it":[179],"employs":[180],"GraphSage":[181],"aggregate":[183],"edges":[190],"graph,":[193],"enabling":[194],"effective":[195],"tunnels.":[199,256,298],"Additionally,":[200],"GraphTunnel":[201,244,266,273],"utilizes":[202],"G2M":[204],"algorithm":[205],"capture":[207],"statistical":[209],"maps":[217],"them":[218],"grayscale":[220],"images,":[221],"which":[222],"then":[224],"processed":[225],"CNN":[228],"multi-class":[230],"identification":[231],"Experimental":[236],"results":[237],"demonstrate":[238],"non-wildcard":[241],"scenarios,":[243],"achieves":[245],"100%":[247],"detection,":[252],"encompassing":[253],"Even":[257],"high":[259],"false-positive":[260],"environments":[261],"caused":[262],"DNS,":[265],"maintains":[267],"an":[268,280],"F1-Score":[269],"99.78%.":[271],"Moreover,":[272],"can":[274],"identify":[275],"tools":[278],"rate":[282],"exceeding":[283],"98.57%,":[284],"enhancing":[285],"rapid":[287],"mitigation":[288],"capabilities":[289],"emergency":[291],"responders":[292],"malicious":[296]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":8},{"year":2024,"cited_by_count":1}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}