{"id":"https://openalex.org/W3120413657","doi":"https://doi.org/10.1109/tnsm.2021.3050091","title":"Hierarchical Anomaly-Based Detection of Distributed DNS Attacks on Enterprise Networks","display_name":"Hierarchical Anomaly-Based Detection of Distributed DNS Attacks on Enterprise Networks","publication_year":2021,"publication_date":"2021-01-09","ids":{"openalex":"https://openalex.org/W3120413657","doi":"https://doi.org/10.1109/tnsm.2021.3050091","mag":"3120413657"},"language":"en","primary_location":{"id":"doi:10.1109/tnsm.2021.3050091","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tnsm.2021.3050091","pdf_url":null,"source":{"id":"https://openalex.org/S173527311","display_name":"IEEE Transactions on Network and Service Management","issn_l":"1932-4537","issn":["1932-4537","2373-7379"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Network and Service Management","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5082890991","display_name":"Minzhao Lyu","orcid":"https://orcid.org/0000-0001-8677-248X"},"institutions":[{"id":"https://openalex.org/I1292875679","display_name":"Commonwealth Scientific and Industrial Research Organisation","ror":"https://ror.org/03qn8fb07","country_code":"AU","type":"government","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I4387156119"]},{"id":"https://openalex.org/I31746571","display_name":"UNSW Sydney","ror":"https://ror.org/03r8z3t63","country_code":"AU","type":"education","lineage":["https://openalex.org/I31746571"]},{"id":"https://openalex.org/I42894916","display_name":"Data61","ror":"https://ror.org/03q397159","country_code":"AU","type":"other","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I42894916","https://openalex.org/I4387156119"]}],"countries":["AU"],"is_corresponding":true,"raw_author_name":"Minzhao Lyu","raw_affiliation_strings":["CSIRO\u2019s Data61, Sydney, NSW, Australia","School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, NSW, Australia"],"affiliations":[{"raw_affiliation_string":"CSIRO\u2019s Data61, Sydney, NSW, Australia","institution_ids":["https://openalex.org/I42894916","https://openalex.org/I1292875679"]},{"raw_affiliation_string":"School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, NSW, Australia","institution_ids":["https://openalex.org/I31746571"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5030677680","display_name":"Hassan Habibi Gharakheili","orcid":"https://orcid.org/0000-0002-9333-7635"},"institutions":[{"id":"https://openalex.org/I31746571","display_name":"UNSW Sydney","ror":"https://ror.org/03r8z3t63","country_code":"AU","type":"education","lineage":["https://openalex.org/I31746571"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Hassan Habibi Gharakheili","raw_affiliation_strings":["School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, NSW, Australia"],"affiliations":[{"raw_affiliation_string":"School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, NSW, Australia","institution_ids":["https://openalex.org/I31746571"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5022260477","display_name":"Craig Russell","orcid":"https://orcid.org/0000-0002-1942-7296"},"institutions":[{"id":"https://openalex.org/I31746571","display_name":"UNSW Sydney","ror":"https://ror.org/03r8z3t63","country_code":"AU","type":"education","lineage":["https://openalex.org/I31746571"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Craig Russell","raw_affiliation_strings":["School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, NSW, Australia"],"affiliations":[{"raw_affiliation_string":"School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, NSW, Australia","institution_ids":["https://openalex.org/I31746571"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5091021682","display_name":"Vijay Sivaraman","orcid":"https://orcid.org/0000-0001-7985-6765"},"institutions":[{"id":"https://openalex.org/I31746571","display_name":"UNSW Sydney","ror":"https://ror.org/03r8z3t63","country_code":"AU","type":"education","lineage":["https://openalex.org/I31746571"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Vijay Sivaraman","raw_affiliation_strings":["School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, NSW, Australia"],"affiliations":[{"raw_affiliation_string":"School of Electrical Engineering and Telecommunications, University of New South Wales, Sydney, NSW, Australia","institution_ids":["https://openalex.org/I31746571"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5082890991"],"corresponding_institution_ids":["https://openalex.org/I1292875679","https://openalex.org/I31746571","https://openalex.org/I42894916"],"apc_list":null,"apc_paid":null,"fwci":5.2566,"has_fulltext":false,"cited_by_count":43,"citation_normalized_percentile":{"value":0.95568072,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":99},"biblio":{"volume":"18","issue":"1","first_page":"1031","last_page":"1048"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12326","display_name":"Network Packet Processing and Optimization","score":0.9986000061035156,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/domain-name-system","display_name":"Domain Name System","score":0.8491425514221191},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.835909366607666},{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.6514139771461487},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.6185581088066101},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.598889172077179},{"id":"https://openalex.org/keywords/denial-of-service-attack","display_name":"Denial-of-service attack","score":0.5868715643882751},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.5589414238929749},{"id":"https://openalex.org/keywords/network-packet","display_name":"Network packet","score":0.5533742308616638},{"id":"https://openalex.org/keywords/name-server","display_name":"Name server","score":0.4581230878829956},{"id":"https://openalex.org/keywords/botnet","display_name":"Botnet","score":0.45479467511177063},{"id":"https://openalex.org/keywords/server","display_name":"Server","score":0.43048587441444397},{"id":"https://openalex.org/keywords/subnet","display_name":"Subnet","score":0.4114202857017517},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.27203303575515747},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.2715039849281311},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.1187620460987091}],"concepts":[{"id":"https://openalex.org/C35026560","wikidata":"https://www.wikidata.org/wiki/Q8767","display_name":"Domain Name System","level":3,"score":0.8491425514221191},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.835909366607666},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.6514139771461487},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6185581088066101},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.598889172077179},{"id":"https://openalex.org/C38822068","wikidata":"https://www.wikidata.org/wiki/Q131406","display_name":"Denial-of-service attack","level":3,"score":0.5868715643882751},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.5589414238929749},{"id":"https://openalex.org/C158379750","wikidata":"https://www.wikidata.org/wiki/Q214111","display_name":"Network packet","level":2,"score":0.5533742308616638},{"id":"https://openalex.org/C105320234","wikidata":"https://www.wikidata.org/wiki/Q41494","display_name":"Name server","level":3,"score":0.4581230878829956},{"id":"https://openalex.org/C22735295","wikidata":"https://www.wikidata.org/wiki/Q317671","display_name":"Botnet","level":3,"score":0.45479467511177063},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.43048587441444397},{"id":"https://openalex.org/C21099817","wikidata":"https://www.wikidata.org/wiki/Q7631721","display_name":"Subnet","level":2,"score":0.4114202857017517},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.27203303575515747},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.2715039849281311},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.1187620460987091}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/tnsm.2021.3050091","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tnsm.2021.3050091","pdf_url":null,"source":{"id":"https://openalex.org/S173527311","display_name":"IEEE Transactions on Network and Service Management","issn_l":"1932-4537","issn":["1932-4537","2373-7379"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Network and Service Management","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.7699999809265137,"display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":60,"referenced_works":["https://openalex.org/W59037818","https://openalex.org/W1479710165","https://openalex.org/W1486426806","https://openalex.org/W1543512222","https://openalex.org/W1561983441","https://openalex.org/W1573745704","https://openalex.org/W1669806660","https://openalex.org/W1927311981","https://openalex.org/W1985987493","https://openalex.org/W1987034518","https://openalex.org/W1989454965","https://openalex.org/W1995443851","https://openalex.org/W1998458784","https://openalex.org/W2025266141","https://openalex.org/W2028060714","https://openalex.org/W2028110717","https://openalex.org/W2111958600","https://openalex.org/W2114398364","https://openalex.org/W2131904035","https://openalex.org/W2158656420","https://openalex.org/W2162969618","https://openalex.org/W2296719434","https://openalex.org/W2340896621","https://openalex.org/W2401054255","https://openalex.org/W2460878432","https://openalex.org/W2535001381","https://openalex.org/W2535407856","https://openalex.org/W2538104847","https://openalex.org/W2588683548","https://openalex.org/W2612493356","https://openalex.org/W2743402300","https://openalex.org/W2748868501","https://openalex.org/W2770959194","https://openalex.org/W2806616617","https://openalex.org/W2887131850","https://openalex.org/W2888872082","https://openalex.org/W2888998951","https://openalex.org/W2889100774","https://openalex.org/W2889547652","https://openalex.org/W2890515393","https://openalex.org/W2892214024","https://openalex.org/W2920956968","https://openalex.org/W2940715617","https://openalex.org/W3008207353","https://openalex.org/W3083082814","https://openalex.org/W6602452583","https://openalex.org/W6628906117","https://openalex.org/W6632389096","https://openalex.org/W6633578641","https://openalex.org/W6637397297","https://openalex.org/W6677217071","https://openalex.org/W6679539681","https://openalex.org/W6713023146","https://openalex.org/W6719369174","https://openalex.org/W6743493502","https://openalex.org/W6753946683","https://openalex.org/W6753981864","https://openalex.org/W6754357002","https://openalex.org/W6754689273","https://openalex.org/W6762132567"],"related_works":["https://openalex.org/W4230824443","https://openalex.org/W2038807247","https://openalex.org/W2097156747","https://openalex.org/W2559738661","https://openalex.org/W2183899684","https://openalex.org/W386065407","https://openalex.org/W2016713855","https://openalex.org/W1642214788","https://openalex.org/W2733931179","https://openalex.org/W2965181964"],"abstract_inverted_index":{"Domain":[0],"Name":[1],"System":[2],"(DNS)":[3],"is":[4,12],"a":[5,69,124,133,189,224,261,297],"critical":[6],"service":[7],"for":[8,72,126,240],"enterprise":[9,200],"operations,":[10],"and":[11,51,61,80,91,99,147,175,210,219,235,254,271,277],"often":[13],"made":[14],"openly":[15],"accessible":[16],"across":[17],"firewalls.":[18],"Malicious":[19],"actors":[20],"use":[21,30,84],"this":[22,68],"fact":[23],"to":[24,34,97,108,119,137,202,228,260,280],"attack":[25,35,55,109],"organizational":[26],"DNS":[27,94,129,139,186,208,230,265],"servers,":[28],"or":[29,115],"them":[31],"as":[32,78],"reflectors":[33],"other":[36],"victims.":[37],"Further,":[38],"attackers":[39],"can":[40,45,52,167],"operate":[41],"with":[42,152,172],"little":[43],"resources,":[44],"hide":[46],"behind":[47],"open":[48],"recursive":[49],"resolvers,":[50],"amplify":[53],"their":[54,113,117],"volume":[56],"manifold.":[57],"The":[58],"rising":[59],"frequency":[60],"effectiveness":[62],"of":[63,86,88,144,162,197,206,213,243,264],"DNS-based":[64],"DDoS":[65],"attacks":[66,130,170,287],"make":[67],"growing":[70],"concern":[71],"organizations.":[73],"Solutions":[74],"available":[75],"today,":[76],"such":[77],"firewalls":[79],"intrusion":[81],"detection":[82,238],"systems,":[83],"combinations":[85],"black-lists":[87],"malicious":[89,214],"sources":[90,110],"thresholds":[92],"on":[93],"traffic":[95,140,187],"volumes":[96],"detect":[98,168],"defend":[100],"against":[101,275],"volumetric":[102],"attacks,":[103],"which":[104],"are":[105,180],"not":[106],"robust":[107],"that":[111,131,155,288],"morph":[112],"identity":[114],"adapt":[116],"rates":[118,174],"evade":[120],"detection.":[121],"We":[122,183,222,256],"propose":[123],"method":[125,166],"detecting":[127,285],"distributed":[128,169,286],"uses":[132],"hierarchical":[134,225],"graph":[135,226],"structure":[136,227],"track":[138],"at":[141,159,251],"three":[142],"levels":[143,161,242],"host,":[145],"subnet,":[146],"autonomous":[148],"system":[149],"(AS),":[150],"combined":[151],"machine":[153],"learning":[154],"identifies":[156],"anomalous":[157],"behaviors":[158],"various":[160,204,241],"the":[163,195,211,244,268,273],"hierarchy.":[164],"Our":[165,178],"even":[171],"low":[173],"stealthy":[176],"patterns.":[177],"contributions":[179],"three-fold:":[181],"(1)":[182],"analyze":[184],"real":[185],"over":[188],"week":[190],"(nearly":[191],"400M":[192],"packets)":[193],"from":[194,267],"edges":[196],"two":[198,269],"large":[199],"networks":[201],"highlight":[203],"types":[205],"incoming":[207],"queries":[209],"behavior":[212],"entities":[215],"generating":[216],"query":[217],"scans":[218],"floods;":[220],"(2)":[221],"develop":[223],"monitor":[229],"activity,":[231],"identify":[232],"key":[233],"attributes,":[234],"train/tune/evaluate":[236],"anomaly":[237],"models":[239],"hierarchy,":[245],"yielding":[246],"more":[247],"than":[248],"99%":[249],"accuracy":[250],"each":[252],"level;":[253],"(3)":[255],"apply":[257],"our":[258],"scheme":[259],"month's":[262],"worth":[263],"data":[266],"enterprises":[270],"compare":[272],"results":[274],"blacklists":[276],"firewall":[278],"logs":[279],"demonstrate":[281],"its":[282],"ability":[283],"in":[284],"might":[289],"be":[290],"missed":[291],"by":[292],"legacy":[293],"methods":[294],"while":[295],"maintaining":[296],"decent":[298],"real-time":[299],"performance.":[300]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":9},{"year":2024,"cited_by_count":11},{"year":2023,"cited_by_count":9},{"year":2022,"cited_by_count":13}],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2025-10-10T00:00:00"}