{"id":"https://openalex.org/W2489501841","doi":"https://doi.org/10.1147/jrd.2016.2557639","title":"Scalable analytics to detect DNS misuse for establishing stealthy communication channels","display_name":"Scalable analytics to detect DNS misuse for establishing stealthy communication channels","publication_year":2016,"publication_date":"2016-07-01","ids":{"openalex":"https://openalex.org/W2489501841","doi":"https://doi.org/10.1147/jrd.2016.2557639","mag":"2489501841"},"language":"en","primary_location":{"id":"doi:10.1147/jrd.2016.2557639","is_oa":false,"landing_page_url":"https://doi.org/10.1147/jrd.2016.2557639","pdf_url":null,"source":{"id":"https://openalex.org/S4210219925","display_name":"IBM Journal of Research and Development","issn_l":"0018-8646","issn":["0018-8646","2151-8556"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320652","host_organization_name":"IBM","host_organization_lineage":["https://openalex.org/P4310320652"],"host_organization_lineage_names":["IBM"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IBM Journal of Research and Development","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5109894761","display_name":"Douglas Lee Schales","orcid":null},"institutions":[{"id":"https://openalex.org/I4210114115","display_name":"IBM Research - Thomas J. Watson Research Center","ror":"https://ror.org/0265w5591","country_code":"US","type":"facility","lineage":["https://openalex.org/I1341412227","https://openalex.org/I4210114115"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"D. L. Schales","raw_affiliation_strings":["IBM Research Division, Thomas J. Watson Research Center, Yorktown Heights, NY, USA"],"affiliations":[{"raw_affiliation_string":"IBM Research Division, Thomas J. Watson Research Center, Yorktown Heights, NY, USA","institution_ids":["https://openalex.org/I4210114115"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037719518","display_name":"Jiyong Jang","orcid":"https://orcid.org/0000-0001-8111-2503"},"institutions":[{"id":"https://openalex.org/I4210114115","display_name":"IBM Research - Thomas J. Watson Research Center","ror":"https://ror.org/0265w5591","country_code":"US","type":"facility","lineage":["https://openalex.org/I1341412227","https://openalex.org/I4210114115"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"J. Jang","raw_affiliation_strings":["IBM Research Division, Thomas J. Watson Research Center, Yorktown Heights, NY, USA"],"affiliations":[{"raw_affiliation_string":"IBM Research Division, Thomas J. Watson Research Center, Yorktown Heights, NY, USA","institution_ids":["https://openalex.org/I4210114115"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100686453","display_name":"Ting Wang","orcid":"https://orcid.org/0000-0001-7414-5390"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"T. Wang","raw_affiliation_strings":["IBM Security Division, CTO Security Intelligence, Fredericton, NB, Canada"],"affiliations":[{"raw_affiliation_string":"IBM Security Division, CTO Security Intelligence, Fredericton, NB, Canada","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5073150709","display_name":"Xiaoyan Hu","orcid":"https://orcid.org/0000-0002-4172-1977"},"institutions":[{"id":"https://openalex.org/I4210114115","display_name":"IBM Research - Thomas J. Watson Research Center","ror":"https://ror.org/0265w5591","country_code":"US","type":"facility","lineage":["https://openalex.org/I1341412227","https://openalex.org/I4210114115"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"X. Hu","raw_affiliation_strings":["IBM Research Division, Thomas J. Watson Research Center, Yorktown Heights, NY, USA"],"affiliations":[{"raw_affiliation_string":"IBM Research Division, Thomas J. Watson Research Center, Yorktown Heights, NY, USA","institution_ids":["https://openalex.org/I4210114115"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5078172448","display_name":"Dhilung Kirat","orcid":null},"institutions":[{"id":"https://openalex.org/I4210114115","display_name":"IBM Research - Thomas J. Watson Research Center","ror":"https://ror.org/0265w5591","country_code":"US","type":"facility","lineage":["https://openalex.org/I1341412227","https://openalex.org/I4210114115"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"D. Kirat","raw_affiliation_strings":["IBM Research Division, Thomas J. Watson Research Center, Yorktown Heights, NY, USA"],"affiliations":[{"raw_affiliation_string":"IBM Research Division, Thomas J. Watson Research Center, Yorktown Heights, NY, USA","institution_ids":["https://openalex.org/I4210114115"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5072759454","display_name":"Bjoern Wuest","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"B. Wuest","raw_affiliation_strings":["IBM Security Division, CTO Security Intelligence, Fredericton, NB, Canada"],"affiliations":[{"raw_affiliation_string":"IBM Security Division, CTO Security Intelligence, Fredericton, NB, Canada","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5028670480","display_name":"Marc Ph. Stoecklin","orcid":null},"institutions":[{"id":"https://openalex.org/I4210114115","display_name":"IBM Research - Thomas J. Watson Research Center","ror":"https://ror.org/0265w5591","country_code":"US","type":"facility","lineage":["https://openalex.org/I1341412227","https://openalex.org/I4210114115"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"M. Ph. Stoecklin","raw_affiliation_strings":["IBM Research Division, IBM Thomas J. Watson Research Center, Yorktown Heights, NY, USA"],"affiliations":[{"raw_affiliation_string":"IBM Research Division, IBM Thomas J. Watson Research Center, Yorktown Heights, NY, USA","institution_ids":["https://openalex.org/I4210114115"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5109894761"],"corresponding_institution_ids":["https://openalex.org/I4210114115"],"apc_list":null,"apc_paid":null,"fwci":0.8686,"has_fulltext":false,"cited_by_count":9,"citation_normalized_percentile":{"value":0.77058246,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":96},"biblio":{"volume":"60","issue":"4","first_page":"3:1","last_page":"3:14"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12326","display_name":"Network Packet Processing and Optimization","score":0.998199999332428,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/domain-name-system","display_name":"Domain Name System","score":0.806875467300415},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7759093642234802},{"id":"https://openalex.org/keywords/scalability","display_name":"Scalability","score":0.7317410707473755},{"id":"https://openalex.org/keywords/botnet","display_name":"Botnet","score":0.6726236343383789},{"id":"https://openalex.org/keywords/big-data","display_name":"Big data","score":0.534155011177063},{"id":"https://openalex.org/keywords/analytics","display_name":"Analytics","score":0.53085857629776},{"id":"https://openalex.org/keywords/domain","display_name":"Domain (mathematical analysis)","score":0.5268011689186096},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5015690326690674},{"id":"https://openalex.org/keywords/command-and-control","display_name":"Command and control","score":0.49960803985595703},{"id":"https://openalex.org/keywords/implementation","display_name":"Implementation","score":0.4692010283470154},{"id":"https://openalex.org/keywords/block","display_name":"Block (permutation group theory)","score":0.4211321473121643},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.40784600377082825},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.36806803941726685},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.21298843622207642},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.20754706859588623},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.18638339638710022},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.0904378592967987},{"id":"https://openalex.org/keywords/telecommunications","display_name":"Telecommunications","score":0.08430111408233643}],"concepts":[{"id":"https://openalex.org/C35026560","wikidata":"https://www.wikidata.org/wiki/Q8767","display_name":"Domain Name System","level":3,"score":0.806875467300415},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7759093642234802},{"id":"https://openalex.org/C48044578","wikidata":"https://www.wikidata.org/wiki/Q727490","display_name":"Scalability","level":2,"score":0.7317410707473755},{"id":"https://openalex.org/C22735295","wikidata":"https://www.wikidata.org/wiki/Q317671","display_name":"Botnet","level":3,"score":0.6726236343383789},{"id":"https://openalex.org/C75684735","wikidata":"https://www.wikidata.org/wiki/Q858810","display_name":"Big data","level":2,"score":0.534155011177063},{"id":"https://openalex.org/C79158427","wikidata":"https://www.wikidata.org/wiki/Q485396","display_name":"Analytics","level":2,"score":0.53085857629776},{"id":"https://openalex.org/C36503486","wikidata":"https://www.wikidata.org/wiki/Q11235244","display_name":"Domain (mathematical analysis)","level":2,"score":0.5268011689186096},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5015690326690674},{"id":"https://openalex.org/C506615639","wikidata":"https://www.wikidata.org/wiki/Q21662260","display_name":"Command and control","level":2,"score":0.49960803985595703},{"id":"https://openalex.org/C26713055","wikidata":"https://www.wikidata.org/wiki/Q245962","display_name":"Implementation","level":2,"score":0.4692010283470154},{"id":"https://openalex.org/C2777210771","wikidata":"https://www.wikidata.org/wiki/Q4927124","display_name":"Block (permutation group theory)","level":2,"score":0.4211321473121643},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.40784600377082825},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.36806803941726685},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.21298843622207642},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.20754706859588623},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.18638339638710022},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.0904378592967987},{"id":"https://openalex.org/C76155785","wikidata":"https://www.wikidata.org/wiki/Q418","display_name":"Telecommunications","level":1,"score":0.08430111408233643},{"id":"https://openalex.org/C134306372","wikidata":"https://www.wikidata.org/wiki/Q7754","display_name":"Mathematical analysis","level":1,"score":0.0},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.0},{"id":"https://openalex.org/C2524010","wikidata":"https://www.wikidata.org/wiki/Q8087","display_name":"Geometry","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1147/jrd.2016.2557639","is_oa":false,"landing_page_url":"https://doi.org/10.1147/jrd.2016.2557639","pdf_url":null,"source":{"id":"https://openalex.org/S4210219925","display_name":"IBM Journal of Research and Development","issn_l":"0018-8646","issn":["0018-8646","2151-8556"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310320652","host_organization_name":"IBM","host_organization_lineage":["https://openalex.org/P4310320652"],"host_organization_lineage_names":["IBM"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IBM Journal of Research and Development","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/9","score":0.6100000143051147,"display_name":"Industry, innovation and infrastructure"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":25,"referenced_works":["https://openalex.org/W4861383","https://openalex.org/W17316494","https://openalex.org/W80155331","https://openalex.org/W1561983441","https://openalex.org/W1673310716","https://openalex.org/W1778942215","https://openalex.org/W1811963175","https://openalex.org/W1954903228","https://openalex.org/W1982092405","https://openalex.org/W1998843210","https://openalex.org/W2082550445","https://openalex.org/W2094257886","https://openalex.org/W2100307718","https://openalex.org/W2136495567","https://openalex.org/W2144982963","https://openalex.org/W2148323889","https://openalex.org/W2173213060","https://openalex.org/W2209064213","https://openalex.org/W2401054255","https://openalex.org/W6603260413","https://openalex.org/W6633578641","https://openalex.org/W6637131181","https://openalex.org/W6681658524","https://openalex.org/W6688098044","https://openalex.org/W6713023146"],"related_works":["https://openalex.org/W86804927","https://openalex.org/W2290321311","https://openalex.org/W3172308862","https://openalex.org/W2738000821","https://openalex.org/W3080777947","https://openalex.org/W2934080905","https://openalex.org/W2489501841","https://openalex.org/W3044847442","https://openalex.org/W3011860454","https://openalex.org/W142852360"],"abstract_inverted_index":{"The":[0,86,154],"Domain":[1],"Name":[2],"System":[3],"(DNS)":[4],"protocol":[5],"is":[6,94],"one":[7],"of":[8,20,25,88,104,182,187],"the":[9,137,169],"few":[10],"application":[11],"protocols":[12],"that":[13],"are":[14,74,139,159],"allowed":[15],"to":[16,52,81,120],"cross":[17],"network":[18],"perimeters":[19],"organizations.":[21],"However,":[22],"comprehensive":[23],"monitoring":[24],"DNS":[26,39,78,105,122,184],"traffic":[27],"has":[28],"been":[29],"often":[30],"overlooked":[31],"in":[32],"many":[33],"organizations'":[34],"cybersecurity":[35],"strategies.":[36],"As":[37],"such,":[38],"provides":[40],"a":[41,95,195],"highly":[42],"attractive":[43],"channel":[44],"for":[45],"advanced":[46],"threat":[47],"actors":[48],"and":[49,55,62,68,90,107,124,128,148,151,156,161,171],"botnet":[50],"operators":[51],"establish":[53],"hard-to-block":[54],"stealthy":[56],"communication":[57],"channels":[58],"between":[59],"infected":[60],"devices":[61],"command-and-control":[63],"(C&C)":[64],"infrastructures.":[65,85],"Fast-fluxing":[66],"(FF)":[67],"domain":[69,92,130],"name":[70],"generation":[71],"algorithms":[72,119,138,155],"(DGAs)":[73],"two":[75,118,142],"well-known":[76],"public":[77],"exploitation":[79],"techniques":[80],"build":[82],"agile":[83],"C&C":[84],"detection":[87],"FF":[89,127],"DGA":[91,129],"names":[93],"big":[96,143],"data":[97,144,185],"problem,":[98],"as":[99],"it":[100],"requires":[101],"analyzing":[102],"millions":[103],"queries":[106],"replies":[108],"over":[109,163],"extended":[110],"time":[111],"periods.":[112,166],"In":[113],"this":[114],"paper,":[115],"we":[116,134],"propose":[117],"perform":[121],"analytics":[123],"effectively":[125],"detect":[126],"names.":[131],"More":[132],"importantly,":[133],"describe":[135,168],"how":[136],"implemented":[140],"using":[141],"processing":[145],"models:":[146],"MapReduce":[147],"Feature":[149],"Collection":[150],"Correlation":[152],"Engine.":[153],"implementation":[157],"proposed":[158],"iterative":[160],"scale":[162],"long":[164],"analysis":[165],"We":[167],"implementations":[170],"provide":[172],"an":[173],"evaluation":[174],"complemented":[175],"with":[176],"case":[177],"studies":[178],"on":[179],"50":[180],"days":[181],"real-world":[183],"consisting":[186],"more":[188],"than":[189],"40":[190],"billion":[191],"events,":[192],"collected":[193],"within":[194],"large":[196],"corporate":[197],"network.":[198]},"counts_by_year":[{"year":2025,"cited_by_count":1},{"year":2022,"cited_by_count":1},{"year":2021,"cited_by_count":2},{"year":2020,"cited_by_count":2},{"year":2019,"cited_by_count":1},{"year":2017,"cited_by_count":2}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}