{"id":"https://openalex.org/W2972478609","doi":"https://doi.org/10.1109/tnsm.2019.2940735","title":"Monitoring Enterprise DNS Queries for Detecting Data Exfiltration From Internal Hosts","display_name":"Monitoring Enterprise DNS Queries for Detecting Data Exfiltration From Internal Hosts","publication_year":2019,"publication_date":"2019-09-11","ids":{"openalex":"https://openalex.org/W2972478609","doi":"https://doi.org/10.1109/tnsm.2019.2940735","mag":"2972478609"},"language":"en","primary_location":{"id":"doi:10.1109/tnsm.2019.2940735","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tnsm.2019.2940735","pdf_url":null,"source":{"id":"https://openalex.org/S173527311","display_name":"IEEE Transactions on Network and Service Management","issn_l":"1932-4537","issn":["1932-4537","2373-7379"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Network and Service Management","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5004608330","display_name":"Jawad Ahmed","orcid":"https://orcid.org/0000-0003-4886-3510"},"institutions":[{"id":"https://openalex.org/I31746571","display_name":"UNSW Sydney","ror":"https://ror.org/03r8z3t63","country_code":"AU","type":"education","lineage":["https://openalex.org/I31746571"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Jawad Ahmed","raw_affiliation_strings":["School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, Australia"],"raw_orcid":"https://orcid.org/0000-0003-4886-3510","affiliations":[{"raw_affiliation_string":"School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, Australia","institution_ids":["https://openalex.org/I31746571"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5030677680","display_name":"Hassan Habibi Gharakheili","orcid":"https://orcid.org/0000-0002-9333-7635"},"institutions":[{"id":"https://openalex.org/I31746571","display_name":"UNSW Sydney","ror":"https://ror.org/03r8z3t63","country_code":"AU","type":"education","lineage":["https://openalex.org/I31746571"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Hassan Habibi Gharakheili","raw_affiliation_strings":["School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, Australia"],"raw_orcid":"https://orcid.org/0000-0002-9333-7635","affiliations":[{"raw_affiliation_string":"School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, Australia","institution_ids":["https://openalex.org/I31746571"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5047243369","display_name":"Qasim Raza","orcid":"https://orcid.org/0000-0003-1397-646X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Qasim Raza","raw_affiliation_strings":["Lumina Networks Australia Pvt Ltd., Sydney, Australia"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Lumina Networks Australia Pvt Ltd., Sydney, Australia","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5022260477","display_name":"Craig Russell","orcid":"https://orcid.org/0000-0002-1942-7296"},"institutions":[{"id":"https://openalex.org/I1292875679","display_name":"Commonwealth Scientific and Industrial Research Organisation","ror":"https://ror.org/03qn8fb07","country_code":"AU","type":"government","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I4387156119"]},{"id":"https://openalex.org/I42894916","display_name":"Data61","ror":"https://ror.org/03q397159","country_code":"AU","type":"other","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I42894916","https://openalex.org/I4387156119"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Craig Russell","raw_affiliation_strings":["Data61, CSIRO, Sydney, Australia"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Data61, CSIRO, Sydney, Australia","institution_ids":["https://openalex.org/I42894916","https://openalex.org/I1292875679"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5091021682","display_name":"Vijay Sivaraman","orcid":"https://orcid.org/0000-0001-7985-6765"},"institutions":[{"id":"https://openalex.org/I31746571","display_name":"UNSW Sydney","ror":"https://ror.org/03r8z3t63","country_code":"AU","type":"education","lineage":["https://openalex.org/I31746571"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Vijay Sivaraman","raw_affiliation_strings":["School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, Australia"],"raw_orcid":"https://orcid.org/0000-0001-7985-6765","affiliations":[{"raw_affiliation_string":"School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, Australia","institution_ids":["https://openalex.org/I31746571"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":4.4629,"has_fulltext":false,"cited_by_count":48,"citation_normalized_percentile":{"value":0.95052785,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":95,"max":99},"biblio":{"volume":"17","issue":"1","first_page":"265","last_page":"279"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.9993000030517578,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8732985258102417},{"id":"https://openalex.org/keywords/domain-name-system","display_name":"Domain Name System","score":0.6936026811599731},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.6384010314941406},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.5989686846733093},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.5529624223709106},{"id":"https://openalex.org/keywords/server","display_name":"Server","score":0.5056662559509277},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.4468925893306732},{"id":"https://openalex.org/keywords/host","display_name":"Host (biology)","score":0.41595423221588135},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.3179302513599396},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.20628052949905396}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8732985258102417},{"id":"https://openalex.org/C35026560","wikidata":"https://www.wikidata.org/wiki/Q8767","display_name":"Domain Name System","level":3,"score":0.6936026811599731},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6384010314941406},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.5989686846733093},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.5529624223709106},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.5056662559509277},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.4468925893306732},{"id":"https://openalex.org/C126831891","wikidata":"https://www.wikidata.org/wiki/Q221673","display_name":"Host (biology)","level":2,"score":0.41595423221588135},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.3179302513599396},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.20628052949905396},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C18903297","wikidata":"https://www.wikidata.org/wiki/Q7150","display_name":"Ecology","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tnsm.2019.2940735","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tnsm.2019.2940735","pdf_url":null,"source":{"id":"https://openalex.org/S173527311","display_name":"IEEE Transactions on Network and Service Management","issn_l":"1932-4537","issn":["1932-4537","2373-7379"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Network and Service Management","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.44999998807907104}],"awards":[],"funders":[{"id":"https://openalex.org/F4320309327","display_name":"Google","ror":"https://ror.org/00njsd438"},{"id":"https://openalex.org/F4320320386","display_name":"Commonwealth Scientific and Industrial Research Organisation","ror":"https://ror.org/03qn8fb07"},{"id":"https://openalex.org/F4320320591","display_name":"Macquarie University","ror":"https://ror.org/01sf06y89"},{"id":"https://openalex.org/F4320335334","display_name":"Defence Science and Technology Group","ror":null}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":51,"referenced_works":["https://openalex.org/W85558978","https://openalex.org/W155384935","https://openalex.org/W203347454","https://openalex.org/W1561314694","https://openalex.org/W1561983441","https://openalex.org/W1590326873","https://openalex.org/W1619613999","https://openalex.org/W1681390985","https://openalex.org/W1954903228","https://openalex.org/W1970499440","https://openalex.org/W1985987493","https://openalex.org/W1990497396","https://openalex.org/W1993704367","https://openalex.org/W1995875735","https://openalex.org/W1998458784","https://openalex.org/W2028223155","https://openalex.org/W2055234825","https://openalex.org/W2111427271","https://openalex.org/W2150593342","https://openalex.org/W2154874878","https://openalex.org/W2296719434","https://openalex.org/W2326113404","https://openalex.org/W2361133702","https://openalex.org/W2401054255","https://openalex.org/W2518011484","https://openalex.org/W2595170736","https://openalex.org/W2631977690","https://openalex.org/W2735163484","https://openalex.org/W2754468074","https://openalex.org/W2760564675","https://openalex.org/W2783412901","https://openalex.org/W2804240301","https://openalex.org/W2889547652","https://openalex.org/W2890593201","https://openalex.org/W2920956968","https://openalex.org/W2921261235","https://openalex.org/W2948023660","https://openalex.org/W2963379686","https://openalex.org/W2987823657","https://openalex.org/W3099008069","https://openalex.org/W4213362721","https://openalex.org/W6606342502","https://openalex.org/W6608273010","https://openalex.org/W6633578641","https://openalex.org/W6633853188","https://openalex.org/W6635295082","https://openalex.org/W6640663528","https://openalex.org/W6713023146","https://openalex.org/W6739656747","https://openalex.org/W6745039170","https://openalex.org/W6763291434"],"related_works":["https://openalex.org/W2183899684","https://openalex.org/W2097492617","https://openalex.org/W3004039032","https://openalex.org/W2753240997","https://openalex.org/W2054545906","https://openalex.org/W2065991182","https://openalex.org/W2948569047","https://openalex.org/W596534943","https://openalex.org/W3214913819","https://openalex.org/W2784818382"],"abstract_inverted_index":{"Enterprise":[0],"networks":[1,262],"constantly":[2],"face":[3],"the":[4,20,101,109,209,213,245,267,295],"threat":[5],"of":[6,70,74,89,143,175,188,212,259,269,283],"valuable":[7],"and":[8,35,79,87,118,129,138,160,229,278,280,289,299],"sensitive":[9],"data":[10,28,71,90],"being":[11],"stolen":[12],"by":[13,225,263],"cyber-attackers.":[14],"Sophisticated":[15],"attackers":[16,65],"are":[17,291],"increasingly":[18],"exploiting":[19],"Domain":[21],"Name":[22],"System":[23],"(DNS)":[24],"service":[25],"for":[26,38,64,84,297],"exfiltrating":[27],"as":[29,31],"well":[30],"maintaining":[32],"tunneled":[33],"command":[34],"control":[36],"communications":[37],"malware.":[39],"This":[40,76],"is":[41,45,115,156],"because":[42],"DNS":[43,121,144,169,189,222,257],"traffic":[44,122,190,206],"usually":[46],"allowed":[47],"to":[48,66,116,157,165,294],"pass":[49],"through":[50],"enterprise":[51,110,261,274],"firewalls":[52],"without":[53,72],"deep":[54],"inspection":[55],"or":[56,99],"state":[57],"maintenance,":[58],"thereby":[59],"providing":[60],"a":[61,81,130,162,172],"covert":[62],"channel":[63],"encode":[67],"low":[68],"volumes":[69],"fear":[73],"detection.":[75],"paper":[77],"develops":[78],"evaluates":[80],"real-time":[82,107],"mechanism":[83],"detecting":[85],"exfiltration":[86,227],"tunneling":[88],"over":[91,135,272],"DNS.":[92],"Unlike":[93],"prior":[94,250],"solutions":[95],"that":[96,146,231],"operate":[97],"off-line":[98],"in":[100,106,168,249],"network":[102,210],"core,":[103],"ours":[104],"works":[105],"at":[108],"edge.":[111],"Our":[112,153,287],"first":[113],"contribution":[114,155],"collect":[117],"analyze":[119],"real":[120],"from":[123,150,191,208],"two":[124,214,226,260],"organizations":[125],"(a":[126],"large":[127],"University":[128],"mid-sized":[131],"Government":[132],"Research":[133],"Institute)":[134],"several":[136],"days":[137],"extract":[139],"numerous":[140],"stateless":[141],"attributes":[142],"messages":[145],"can":[147,234],"distinguish":[148],"malicious":[149,221],"legitimate":[151],"queries.":[152],"second":[154],"develop,":[158],"tune,":[159],"train":[161],"machine-learning":[163],"algorithm":[164],"detect":[166],"anomalies":[167],"queries":[170,223,258],"using":[171],"benign":[173],"dataset":[174],"top":[176],"rank":[177],"primary":[178],"domains.":[179],"To":[180],"achieve":[181],"this,":[182],"we":[183,198],"have":[184],"used":[185,248],"14":[186],"days-worth":[187],"each":[192],"organization.":[193],"For":[194],"our":[195,200,232,242],"third":[196],"contribution,":[197],"implement":[199],"scheme":[201],"on":[202],"live":[203],"10":[204],"Gbps":[205],"streams":[207],"borders":[211],"organizations,":[215],"inject":[216],"more":[217],"than":[218],"three":[219],"million":[220],"generated":[224],"tools,":[228],"show":[230],"solution":[233,243],"identify":[235],"them":[236],"with":[237,244],"high":[238],"accuracy.":[239],"We":[240,252],"compare":[241],"two-class":[246],"classifier":[247],"work.":[251],"draw":[253],"insights":[254],"into":[255],"anomalous":[256],"their":[264,284],"anomaly":[265],"scores,":[266],"trace":[268],"query":[270],"count":[271],"time,":[273],"hosts":[275],"querying":[276],"them,":[277],"TTL":[279],"Type":[281],"fields":[282],"corresponding":[285],"responses.":[286],"tools":[288],"datasets":[290],"made":[292],"available":[293],"public":[296],"validation":[298],"further":[300],"research.":[301]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":7},{"year":2024,"cited_by_count":6},{"year":2023,"cited_by_count":10},{"year":2022,"cited_by_count":13},{"year":2021,"cited_by_count":6},{"year":2020,"cited_by_count":5}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}