{"id":"https://openalex.org/W4404612261","doi":"https://doi.org/10.1145/3689932.3694766","title":"Using LLM Embeddings with Similarity Search for Botnet TLS Certificate Detection","display_name":"Using LLM Embeddings with Similarity Search for Botnet TLS Certificate Detection","publication_year":2024,"publication_date":"2024-11-06","ids":{"openalex":"https://openalex.org/W4404612261","doi":"https://doi.org/10.1145/3689932.3694766"},"language":"en","primary_location":{"id":"doi:10.1145/3689932.3694766","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3689932.3694766","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 Workshop on Artificial Intelligence and Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5114753397","display_name":"Kumar Shashwat","orcid":"https://orcid.org/0000-0003-4610-8255"},"institutions":[{"id":"https://openalex.org/I2613432","display_name":"University of South Florida","ror":"https://ror.org/032db5x82","country_code":"US","type":"education","lineage":["https://openalex.org/I2613432"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Kumar Shashwat","raw_affiliation_strings":["University of South Florida, Tampa, USA"],"raw_orcid":"https://orcid.org/0000-0003-4610-8255","affiliations":[{"raw_affiliation_string":"University of South Florida, Tampa, USA","institution_ids":["https://openalex.org/I2613432"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5111063249","display_name":"Francis Hahn","orcid":null},"institutions":[{"id":"https://openalex.org/I2613432","display_name":"University of South Florida","ror":"https://ror.org/032db5x82","country_code":"US","type":"education","lineage":["https://openalex.org/I2613432"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Francis Hahn","raw_affiliation_strings":["University of South Florida, Tampa, USA"],"raw_orcid":"https://orcid.org/0009-0000-1357-6349","affiliations":[{"raw_affiliation_string":"University of South Florida, Tampa, USA","institution_ids":["https://openalex.org/I2613432"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5089028359","display_name":"Stuart Millar","orcid":"https://orcid.org/0000-0002-4258-7853"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Stuart Millar","raw_affiliation_strings":["Rapid7 LLC, Belfast, United Kingdom"],"raw_orcid":"https://orcid.org/0000-0002-4258-7853","affiliations":[{"raw_affiliation_string":"Rapid7 LLC, Belfast, United Kingdom","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5113810433","display_name":"Xinming Ou","orcid":"https://orcid.org/0009-0007-2501-7991"},"institutions":[{"id":"https://openalex.org/I2613432","display_name":"University of South Florida","ror":"https://ror.org/032db5x82","country_code":"US","type":"education","lineage":["https://openalex.org/I2613432"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Xinming Ou","raw_affiliation_strings":["University of South Florida, Tampa, United States"],"raw_orcid":"https://orcid.org/0009-0007-2501-7991","affiliations":[{"raw_affiliation_string":"University of South Florida, Tampa, United States","institution_ids":["https://openalex.org/I2613432"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.6244,"has_fulltext":false,"cited_by_count":2,"citation_normalized_percentile":{"value":0.71905098,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":95,"max":96},"biblio":{"volume":null,"issue":null,"first_page":"173","last_page":"183"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.9990000128746033,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.9980999827384949,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/botnet","display_name":"Botnet","score":0.916447103023529},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6566468477249146},{"id":"https://openalex.org/keywords/similarity","display_name":"Similarity (geometry)","score":0.5767542719841003},{"id":"https://openalex.org/keywords/certificate","display_name":"Certificate","score":0.5355223417282104},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.4060026705265045},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.3779560327529907},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.34681564569473267},{"id":"https://openalex.org/keywords/theoretical-computer-science","display_name":"Theoretical computer science","score":0.24625706672668457},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.2195168435573578},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.17838138341903687}],"concepts":[{"id":"https://openalex.org/C22735295","wikidata":"https://www.wikidata.org/wiki/Q317671","display_name":"Botnet","level":3,"score":0.916447103023529},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6566468477249146},{"id":"https://openalex.org/C103278499","wikidata":"https://www.wikidata.org/wiki/Q254465","display_name":"Similarity (geometry)","level":3,"score":0.5767542719841003},{"id":"https://openalex.org/C96865113","wikidata":"https://www.wikidata.org/wiki/Q2946816","display_name":"Certificate","level":2,"score":0.5355223417282104},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.4060026705265045},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3779560327529907},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.34681564569473267},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.24625706672668457},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.2195168435573578},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.17838138341903687},{"id":"https://openalex.org/C115961682","wikidata":"https://www.wikidata.org/wiki/Q860623","display_name":"Image (mathematics)","level":2,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3689932.3694766","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3689932.3694766","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 Workshop on Artificial Intelligence and Security","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G1676047699","display_name":null,"funder_award_id":"2235102","funder_id":"https://openalex.org/F4320323817","funder_display_name":"Universitas Brawijaya"},{"id":"https://openalex.org/G8980133038","display_name":null,"funder_award_id":"N00014-23-1-2538","funder_id":"https://openalex.org/F4320323817","funder_display_name":"Universitas Brawijaya"}],"funders":[{"id":"https://openalex.org/F4320323817","display_name":"Universitas Brawijaya","ror":"https://ror.org/01wk3d929"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":17,"referenced_works":["https://openalex.org/W1603159690","https://openalex.org/W2003116136","https://openalex.org/W2007178835","https://openalex.org/W2048465382","https://openalex.org/W2154874878","https://openalex.org/W2250539671","https://openalex.org/W2493916176","https://openalex.org/W2761623801","https://openalex.org/W2897924986","https://openalex.org/W2998702515","https://openalex.org/W3025125719","https://openalex.org/W4205998570","https://openalex.org/W4298869031","https://openalex.org/W4299301436","https://openalex.org/W4386350032","https://openalex.org/W4392240262","https://openalex.org/W4396758700"],"related_works":["https://openalex.org/W2294483539","https://openalex.org/W3159690896","https://openalex.org/W4230824443","https://openalex.org/W1989286518","https://openalex.org/W2945572725","https://openalex.org/W2921012173","https://openalex.org/W2758517546","https://openalex.org/W3134680667","https://openalex.org/W2804396347","https://openalex.org/W2185943007"],"abstract_inverted_index":{"Modern":[0],"botnets":[1,14],"leverage":[2],"TLS":[3,10,31,99],"encryption":[4],"to":[5,57,192,205,237,242],"mask":[6],"C&C":[7,164],"server":[8],"communications.":[9],"certificates":[11,32,82,97,100,182,223,227,250],"used":[12,101],"by":[13,36,102,208],"could":[15],"exhibit":[16],"subtle":[17],"characteristics":[18],"that":[19,76,108],"facilitate":[20],"detection.":[21],"In":[22],"this":[23],"paper":[24],"we":[25,219],"investigate":[26],"whether":[27],"text":[28,43],"features":[29],"from":[30,184,224],"can":[33,77],"be":[34,78,206,238],"represented":[35],"open-source":[37,111],"and":[38,98,154,228,233],"3rd":[39],"party":[40],"vendor":[41,125],"LLM":[42],"embeddings":[44],"in":[45,157,247,251],"a":[46,55,73,87,124,129,158,176,185],"projected":[47,74,149],"vector":[48,67],"space,":[49],"for":[50,69],"the":[51,92,115,212,252],"purpose":[52],"of":[53,91,133,171,179],"building":[54],"classifier":[56],"detect":[58],"botnet":[59,96,198,249],"certificates.":[60],"Our":[61],"method":[62],"extracts":[63],"informative":[64],"features,":[65],"generating":[66],"representations":[68],"effective":[70],"identification,":[71],"creating":[72],"space":[75,151],"queried":[79],"with":[80,166,211],"test":[81,137],"via":[83],"similarity":[84],"search.":[85],"Using":[86],"balanced":[88],"dataset":[89],"consisting":[90],"publicly":[93],"available":[94],"SSLBL":[95],"popular":[103],"websites,":[104],"our":[105,119],"evaluations":[106],"show":[107],"C-BERT,":[109],"an":[110,147,167],"model,":[112],"emerges":[113],"as":[114],"preferred":[116],"choice":[117],"within":[118],"proposed":[120],"system":[121],"rather":[122],"than":[123],"solution.":[126],"C-BERT":[127],"achieves":[128],"competitive":[130],"F1":[131,169],"score":[132,170],"0.994":[134],"on":[135,141,175],"unseen":[136],"data,":[138],"97.9%":[139],"accuracy":[140],"data":[142],"gathered":[143],"several":[144],"months":[145],"after":[146],"initial":[148],"embedding":[150],"was":[152,203],"created,":[153],"maintains":[155],"performance":[156],"simulated":[159],"zero-day":[160],"evaluation":[161,174],"against":[162],"four":[163],"groups,":[165],"average":[168],"0.946.":[172],"Further":[173],"random":[177],"sample":[178],"150,000":[180,226],"real-world":[181],"collected":[183],"full":[186],"internet":[187],"scan":[188],"between":[189],"Jan":[190],"2024":[191,194],"May":[193],"predicts":[195],"13":[196],"potential":[197],"certificates,":[199],"among":[200],"which":[201],"one":[202],"confirmed":[204,236],"malicious":[207],"VirusTotal.":[209],"Comparing":[210],"scenario":[213],"where":[214],"no":[215],"such":[216],"tool":[217],"exists,":[218],"randomly":[220],"selected":[221],"1,300":[222],"these":[225],"ran":[229],"them":[230],"through":[231],"VirusTotal,":[232],"none":[234],"were":[235],"malicious.":[239],"This":[240],"translates":[241],"100":[243],"fold":[244],"effort":[245],"reduction":[246],"identifying":[248],"wild.":[253]},"counts_by_year":[{"year":2025,"cited_by_count":2}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}