{"id":"https://openalex.org/W4308632297","doi":"https://doi.org/10.1145/3548606.3560604","title":"Exposing the Rat in the Tunnel","display_name":"Exposing the Rat in the Tunnel","publication_year":2022,"publication_date":"2022-11-07","ids":{"openalex":"https://openalex.org/W4308632297","doi":"https://doi.org/10.1145/3548606.3560604"},"language":"en","primary_location":{"id":"doi:10.1145/3548606.3560604","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3548606.3560604","pdf_url":null,"source":{"id":"https://openalex.org/S4363608815","display_name":"Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5082811062","display_name":"Priyanka Dodia","orcid":null},"institutions":[{"id":"https://openalex.org/I1301390666","display_name":"Qatar Airways (Qatar)","ror":"https://ror.org/01hx00y13","country_code":"QA","type":"company","lineage":["https://openalex.org/I1301390666"]}],"countries":["QA"],"is_corresponding":true,"raw_author_name":"Priyanka Dodia","raw_affiliation_strings":["Qatar Computing Research Institute, Doha, Qatar"],"affiliations":[{"raw_affiliation_string":"Qatar Computing Research Institute, Doha, Qatar","institution_ids":["https://openalex.org/I1301390666"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5089748259","display_name":"Mashael AlSabah","orcid":"https://orcid.org/0000-0001-6764-8280"},"institutions":[{"id":"https://openalex.org/I1301390666","display_name":"Qatar Airways (Qatar)","ror":"https://ror.org/01hx00y13","country_code":"QA","type":"company","lineage":["https://openalex.org/I1301390666"]}],"countries":["QA"],"is_corresponding":false,"raw_author_name":"Mashael AlSabah","raw_affiliation_strings":["Qatar Computing Research Institute, Doha, Qatar"],"affiliations":[{"raw_affiliation_string":"Qatar Computing Research Institute, Doha, Qatar","institution_ids":["https://openalex.org/I1301390666"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5088269951","display_name":"Omar Alrawi","orcid":"https://orcid.org/0000-0002-4374-737X"},"institutions":[{"id":"https://openalex.org/I130701444","display_name":"Georgia Institute of Technology","ror":"https://ror.org/01zkghx44","country_code":"US","type":"education","lineage":["https://openalex.org/I130701444"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Omar Alrawi","raw_affiliation_strings":["Georgia Institute of Technology, Atlanta, GA, USA"],"affiliations":[{"raw_affiliation_string":"Georgia Institute of Technology, Atlanta, GA, USA","institution_ids":["https://openalex.org/I130701444"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5100453702","display_name":"Tao Wang","orcid":"https://orcid.org/0000-0003-3886-0420"},"institutions":[{"id":"https://openalex.org/I18014758","display_name":"Simon Fraser University","ror":"https://ror.org/0213rcc28","country_code":"CA","type":"education","lineage":["https://openalex.org/I18014758"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Tao Wang","raw_affiliation_strings":["Simon Fraser University, Vancouver, BC, Canada"],"affiliations":[{"raw_affiliation_string":"Simon Fraser University, Vancouver, BC, Canada","institution_ids":["https://openalex.org/I18014758"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5082811062"],"corresponding_institution_ids":["https://openalex.org/I1301390666"],"apc_list":null,"apc_paid":null,"fwci":2.8348,"has_fulltext":false,"cited_by_count":31,"citation_normalized_percentile":{"value":0.9247403,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"875","last_page":"889"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9994000196456909,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.9118083715438843},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8206205368041992},{"id":"https://openalex.org/keywords/anonymity","display_name":"Anonymity","score":0.67994624376297},{"id":"https://openalex.org/keywords/ransomware","display_name":"Ransomware","score":0.6744526028633118},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.6330509781837463},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5790542960166931},{"id":"https://openalex.org/keywords/encryption","display_name":"Encryption","score":0.5759686231613159},{"id":"https://openalex.org/keywords/malware-analysis","display_name":"Malware analysis","score":0.53916996717453},{"id":"https://openalex.org/keywords/cryptovirology","display_name":"Cryptovirology","score":0.4916406273841858},{"id":"https://openalex.org/keywords/server","display_name":"Server","score":0.4899848997592926},{"id":"https://openalex.org/keywords/host","display_name":"Host (biology)","score":0.4866848587989807},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.4659690856933594},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.3322782516479492}],"concepts":[{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.9118083715438843},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8206205368041992},{"id":"https://openalex.org/C178005623","wikidata":"https://www.wikidata.org/wiki/Q308859","display_name":"Anonymity","level":2,"score":0.67994624376297},{"id":"https://openalex.org/C2777667771","wikidata":"https://www.wikidata.org/wiki/Q926331","display_name":"Ransomware","level":3,"score":0.6744526028633118},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.6330509781837463},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5790542960166931},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.5759686231613159},{"id":"https://openalex.org/C2779395397","wikidata":"https://www.wikidata.org/wiki/Q15731404","display_name":"Malware analysis","level":3,"score":0.53916996717453},{"id":"https://openalex.org/C84525096","wikidata":"https://www.wikidata.org/wiki/Q3506050","display_name":"Cryptovirology","level":3,"score":0.4916406273841858},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.4899848997592926},{"id":"https://openalex.org/C126831891","wikidata":"https://www.wikidata.org/wiki/Q221673","display_name":"Host (biology)","level":2,"score":0.4866848587989807},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.4659690856933594},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.3322782516479492},{"id":"https://openalex.org/C185592680","wikidata":"https://www.wikidata.org/wiki/Q2329","display_name":"Chemistry","level":0,"score":0.0},{"id":"https://openalex.org/C55493867","wikidata":"https://www.wikidata.org/wiki/Q7094","display_name":"Biochemistry","level":1,"score":0.0},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C18903297","wikidata":"https://www.wikidata.org/wiki/Q7150","display_name":"Ecology","level":1,"score":0.0},{"id":"https://openalex.org/C104317684","wikidata":"https://www.wikidata.org/wiki/Q7187","display_name":"Gene","level":2,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3548606.3560604","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3548606.3560604","pdf_url":null,"source":{"id":"https://openalex.org/S4363608815","display_name":"Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},{"id":"pmh:oai:repository.hkust.edu.hk:1783.1-159800","is_oa":false,"landing_page_url":"http://repository.hkust.edu.hk/ir/Record/1783.1-159800","pdf_url":null,"source":{"id":"https://openalex.org/S4306401796","display_name":"Rare & Special e-Zone (The Hong Kong University of Science and Technology)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I200769079","host_organization_name":"Hong Kong University of Science and Technology","host_organization_lineage":["https://openalex.org/I200769079"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Conference paper"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.7699999809265137,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":26,"referenced_works":["https://openalex.org/W1521422460","https://openalex.org/W1587106557","https://openalex.org/W1621730125","https://openalex.org/W1775772884","https://openalex.org/W1974189812","https://openalex.org/W1993568446","https://openalex.org/W2010439280","https://openalex.org/W2108217512","https://openalex.org/W2135579486","https://openalex.org/W2170085959","https://openalex.org/W2269460187","https://openalex.org/W2350778671","https://openalex.org/W2490879758","https://openalex.org/W2782597251","https://openalex.org/W2808451423","https://openalex.org/W2902408484","https://openalex.org/W2903379676","https://openalex.org/W2913857451","https://openalex.org/W2914280573","https://openalex.org/W2963704216","https://openalex.org/W2989013751","https://openalex.org/W3091890513","https://openalex.org/W3111533025","https://openalex.org/W3114031232","https://openalex.org/W3159521830","https://openalex.org/W3181596493"],"related_works":["https://openalex.org/W2469507153","https://openalex.org/W2008790809","https://openalex.org/W2160963033","https://openalex.org/W3022706011","https://openalex.org/W2909615516","https://openalex.org/W2768892939","https://openalex.org/W2249256574","https://openalex.org/W2397240470","https://openalex.org/W4210907385","https://openalex.org/W2065339563"],"abstract_inverted_index":{"Tor~\\citetor":[0],"is":[1,47,64],"the":[2,27,121,167,179,189,201],"most":[3],"widely":[4],"used":[5],"anonymous":[6],"communication":[7,134],"network":[8,128],"with":[9,107,152,208],"millions":[10],"of":[11,22,90,163,191],"daily":[12],"users~\\citetormetrics.":[13],"Since":[14],"Tor":[15,46,164],"provides":[16],"server":[17],"and":[18,36,54,56,69,95,104,198],"client":[19],"anonymity,":[20],"hundreds":[21,89],"malware":[23,63,85,92,102,133,150,157,180],"binaries":[24],"found":[25],"in":[26,166],"wild":[28],"rely":[29],"on":[30,194],"it":[31,58],"to":[32,59,113,130,147,176],"hide":[33],"their":[34],"presence":[35],"hinder":[37],"Command":[38],"&":[39],"Control":[40],"(C&C)":[41],"takedown":[42],"operations.":[43],"We":[44,87],"believe":[45],"a":[48],"paramount":[49],"tool":[50],"enabling":[51],"online":[52],"freedom":[53],"privacy,":[55],"blocking":[57],"defend":[60],"against":[61],"such":[62],"infeasible":[65],"for":[66],"both":[67],"users":[68],"organizations.":[70],"In":[71,111],"this":[72],"work,":[73],"we":[74,124,173,187],"present":[75],"effective":[76],"traffic":[77,115],"analysis":[78,116],"approaches":[79],"that":[80,142,200],"can":[81,203],"accurately":[82,177],"identify":[83,204],"Tor-based":[84,91],"communication.":[86],"collect":[88],"binaries,":[93],"execute":[94],"examine":[96],"more":[97],"than":[98,161],"47,000":[99],"active":[100],"encrypted":[101],"connections":[103,151,158],"compare":[105],"them":[106],"benign":[108],"browsing":[109],"traffic.":[110],"addition":[112],"traditional":[114],"features":[117,129],"(which":[118],"work":[119],"at":[120],"connection":[122],"level),":[123],"propose":[125],"global":[126],"host-level":[127],"capture":[131],"peculiar":[132],"fingerprints":[135],"across":[136],"host":[137],"logs.":[138],"Our":[139],"experiments":[140],"confirm":[141],"our":[143,192],"models":[144,193],"are":[145,174],"able":[146,175],"detect":[148,178],"\"zero-day''":[149],"0.7%":[153],"FPR":[154],"even":[155,207],"when":[156],"constitute":[159],"less":[160],"5%":[162],"traces":[165],"test":[168],"set.":[169],"Using":[170],"multi-labeling":[171],"approaches,":[172],"behavior-based":[181],"classes":[182],"(grayware,":[183],"ransomware,":[184],"etc).":[185],"Finally,":[186],"evaluate":[188],"robustness":[190],"real-world":[195],"enterprise":[196],"logs":[197],"show":[199],"classifiers":[202],"infected":[205],"hosts":[206],"missing":[209],"features.":[210]},"counts_by_year":[{"year":2026,"cited_by_count":4},{"year":2025,"cited_by_count":14},{"year":2024,"cited_by_count":10},{"year":2023,"cited_by_count":3}],"updated_date":"2026-03-10T16:38:18.471706","created_date":"2025-10-10T00:00:00"}