{"id":"https://openalex.org/W2961835015","doi":"https://doi.org/10.23919/cycon.2019.8756814","title":"Machine Learning-based Detection of C&C Channels with a Focus on the Locked Shields Cyber Defense Exercise","display_name":"Machine Learning-based Detection of C&C Channels with a Focus on the Locked Shields Cyber Defense Exercise","publication_year":2019,"publication_date":"2019-05-01","ids":{"openalex":"https://openalex.org/W2961835015","doi":"https://doi.org/10.23919/cycon.2019.8756814","mag":"2961835015"},"language":"en","primary_location":{"id":"doi:10.23919/cycon.2019.8756814","is_oa":false,"landing_page_url":"https://doi.org/10.23919/cycon.2019.8756814","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2019 11th International Conference on Cyber Conflict (CyCon)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5086657063","display_name":"Nicolas Kanzig","orcid":null},"institutions":[{"id":"https://openalex.org/I35440088","display_name":"ETH Zurich","ror":"https://ror.org/05a28rw58","country_code":"CH","type":"education","lineage":["https://openalex.org/I2799323385","https://openalex.org/I35440088"]}],"countries":["CH"],"is_corresponding":true,"raw_author_name":"Nicolas Kanzig","raw_affiliation_strings":["Department of Information Technology and Electrical Engineering, ETH Z\u00fcrich, Z\u00fcrich, Switzerland"],"affiliations":[{"raw_affiliation_string":"Department of Information Technology and Electrical Engineering, ETH Z\u00fcrich, Z\u00fcrich, Switzerland","institution_ids":["https://openalex.org/I35440088"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5003682993","display_name":"Roland 
Meier","orcid":"https://orcid.org/0000-0002-8268-9037"},"institutions":[{"id":"https://openalex.org/I35440088","display_name":"ETH Zurich","ror":"https://ror.org/05a28rw58","country_code":"CH","type":"education","lineage":["https://openalex.org/I2799323385","https://openalex.org/I35440088"]}],"countries":["CH"],"is_corresponding":false,"raw_author_name":"Roland Meier","raw_affiliation_strings":["Department of Information Technology and Electrical Engineering, ETH Z\u00fcrich, Z\u00fcrich, Switzerland"],"affiliations":[{"raw_affiliation_string":"Department of Information Technology and Electrical Engineering, ETH Z\u00fcrich, Z\u00fcrich, Switzerland","institution_ids":["https://openalex.org/I35440088"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5031490259","display_name":"Luca Gambazzi","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Luca Gambazzi","raw_affiliation_strings":["Science and Technology armasuisse, Thun, Switzerland"],"affiliations":[{"raw_affiliation_string":"Science and Technology armasuisse, Thun, Switzerland","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5048330561","display_name":"Vincent Lenders","orcid":"https://orcid.org/0000-0002-2289-3722"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Vincent Lenders","raw_affiliation_strings":["Science and Technology armasuisse, Thun, Switzerland"],"affiliations":[{"raw_affiliation_string":"Science and Technology armasuisse, Thun, Switzerland","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5070110259","display_name":"Laurent Vanbever","orcid":"https://orcid.org/0000-0003-1455-4381"},"institutions":[{"id":"https://openalex.org/I35440088","display_name":"ETH 
Zurich","ror":"https://ror.org/05a28rw58","country_code":"CH","type":"education","lineage":["https://openalex.org/I2799323385","https://openalex.org/I35440088"]}],"countries":["CH"],"is_corresponding":false,"raw_author_name":"Laurent Vanbever","raw_affiliation_strings":["Department of Information Technology and Electrical Engineering, ETH Z\u00fcrich, Z\u00fcrich, Switzerland"],"affiliations":[{"raw_affiliation_string":"Department of Information Technology and Electrical Engineering, ETH Z\u00fcrich, Z\u00fcrich, Switzerland","institution_ids":["https://openalex.org/I35440088"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5086657063"],"corresponding_institution_ids":["https://openalex.org/I35440088"],"apc_list":null,"apc_paid":null,"fwci":0.9265,"has_fulltext":false,"cited_by_count":14,"citation_normalized_percentile":{"value":0.77588533,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":94,"max":97},"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"19"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical 
Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9993000030517578,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.9988999962806702,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7318812608718872},{"id":"https://openalex.org/keywords/botnet","display_name":"Botnet","score":0.7148576378822327},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.5658510327339172},{"id":"https://openalex.org/keywords/scalability","display_name":"Scalability","score":0.5453826785087585},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5334643721580505},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.5094500184059143},{"id":"https://openalex.org/keywords/network-packet","display_name":"Network packet","score":0.4860099256038666},{"id":"https://openalex.org/keywords/network-topology","display_name":"Network topology","score":0.44364678859710693},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.4432518482208252},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.341958612203598},{"id":"https://openalex.org/keywords/the-internet","display_name":"The 
Internet","score":0.15685775876045227},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.11104965209960938},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.10055884718894958}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7318812608718872},{"id":"https://openalex.org/C22735295","wikidata":"https://www.wikidata.org/wiki/Q317671","display_name":"Botnet","level":3,"score":0.7148576378822327},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.5658510327339172},{"id":"https://openalex.org/C48044578","wikidata":"https://www.wikidata.org/wiki/Q727490","display_name":"Scalability","level":2,"score":0.5453826785087585},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5334643721580505},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.5094500184059143},{"id":"https://openalex.org/C158379750","wikidata":"https://www.wikidata.org/wiki/Q214111","display_name":"Network packet","level":2,"score":0.4860099256038666},{"id":"https://openalex.org/C199845137","wikidata":"https://www.wikidata.org/wiki/Q145490","display_name":"Network topology","level":2,"score":0.44364678859710693},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.4432518482208252},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.341958612203598},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The 
Internet","level":2,"score":0.15685775876045227},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.11104965209960938},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.10055884718894958},{"id":"https://openalex.org/C185592680","wikidata":"https://www.wikidata.org/wiki/Q2329","display_name":"Chemistry","level":0,"score":0.0},{"id":"https://openalex.org/C55493867","wikidata":"https://www.wikidata.org/wiki/Q7094","display_name":"Biochemistry","level":1,"score":0.0},{"id":"https://openalex.org/C104317684","wikidata":"https://www.wikidata.org/wiki/Q7187","display_name":"Gene","level":2,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.23919/cycon.2019.8756814","is_oa":false,"landing_page_url":"https://doi.org/10.23919/cycon.2019.8756814","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2019 11th International Conference on Cyber Conflict 
(CyCon)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":13,"referenced_works":["https://openalex.org/W2097101695","https://openalex.org/W2114996745","https://openalex.org/W2154874878","https://openalex.org/W2169178923","https://openalex.org/W2343828539","https://openalex.org/W2401054255","https://openalex.org/W2748868501","https://openalex.org/W2784567728","https://openalex.org/W2885163910","https://openalex.org/W2990747716","https://openalex.org/W6684773713","https://openalex.org/W6713023146","https://openalex.org/W6743493502"],"related_works":["https://openalex.org/W2294483539","https://openalex.org/W2378449000","https://openalex.org/W3187581118","https://openalex.org/W2938399969","https://openalex.org/W2616994865","https://openalex.org/W3143747655","https://openalex.org/W2002178493","https://openalex.org/W2929621094","https://openalex.org/W1996006176","https://openalex.org/W2193050358"],"abstract_inverted_index":{"The":[0,71],"diversity":[1],"of":[2,100,133,151,158,294,302],"applications":[3],"and":[4,38,47,59,63,89,139,196,207,246,266,274],"devices":[5,122],"in":[6,33,86,96,124,128,270,286,298],"enterprise":[7],"networks":[8,120],"combined":[9],"with":[10,263,275],"large":[11],"traffic":[12,81,99,112,116,194],"volumes":[13],"make":[14],"it":[15,91,288],"inherently":[16],"challenging":[17],"to":[18,75,92,155,163,175,188,232,259],"quickly":[19,58],"identify":[20,93,260],"malicious":[21,45,115],"traffic.":[22,160],"When":[23],"incidents":[24],"occur,":[25],"emergency":[26],"response":[27],"teams":[28],"often":[29],"lose":[30],"precious":[31],"time":[32,273],"reverse-engineering":[34],"the":[35,87,97,106,156,172,200,219,280,299,303],"network":[36,69,80,237],"topology":[37],"configuration":[39],"before":[40],"they":[41],"can":[42],"focus":[43],"on":[44,148,212],"activities":[46],"digital":[48],"forensics."
:[49],"In":[50,161,225],"this":[51],"paper,":[52],"we":[53,104,141,170,208,252],"present":[54],"a":[55,77,125,129,143,149,213,234,249],"system":[56,285],"that":[57,84,108,254],"reliably":[60],"identifies":[61],"Command":[62],"Control":[64],"(C&C)":[65],"channels":[66,262],"without":[67],"prior":[68],"knowledge.":[70],"key":[72],"idea":[73],"is":[74,257],"train":[76],"classifier":[78,146,256],"using":[79],"from":[82,166,248],"attacks":[83,184],"happened":[85],"past":[88],"use":[90,142,215],"C&C":[94,159,190,261,296],"connections":[95],"current":[98],"other":[101],"networks.":[102],"Specifically,":[103],"leverage":[105],"fact":[107],"-":[109,114,185,195],"while":[110],"benign":[111,193],"differs":[113],"bears":[117],"similarities":[118],"across":[119],"(e.g.,":[121],"participating":[123,250],"botnet":[126],"act":[127],"similar":[130],"manner":[131],"irrespective":[132],"their":[134],"location).":[135],"To":[136],"ensure":[137],"performance":[138],"scalability,":[140],"random":[144],"forest":[145],"based":[147],"set":[150],"computationally-efficient":[152],"features":[153],"tailored":[154],"detection":[157],"order":[162],"prevent":[164],"attackers":[165],"outwitting":[167],"our":[168,205,255,284],"classifier,":[169],"tune":[171],"model":[173],"parameters":[174],"maximize":[176],"robustness.":[177],"We":[178,202],"measure":[179],"high":[180],"resilience":[181],"against":[182,238],"possible":[183],"e.g.,":[186],"attempts":[187],"camouflaging":[189],"flows":[191],"as":[192],"packet":[197],"loss":[198],"during":[199],"inference.":[201],"have":[203,229,290],"implemented":[204],"approach":[206],"show":[209,253],"its":[210],"practicality":[211],"real":[214,272],"case:":[216],"Locked":[217,226],"Shields,":[218,227],"world's":[220],"largest":[221],"cyber":[222],"defense":[223],"exercise.":[224,304],"defenders":[228],"limited":[230],"resources":[231],"protect":[233],"large,":[235],"heterogeneous":[236],"unknown":[239],"attacks.":[240],"Using":[241],"recorded":[242],"datasets":[2
43],"(from":[244],"2017":[245],"2018)":[247],"team,":[251],"able":[258],"99%":[264],"precision":[265],"over":[267],"90%":[268],"recall":[269],"near":[271],"realistic":[276],"resource":[277],"requirements.":[278],"If":[279],"team":[281],"had":[282],"used":[283],"2018,":[287],"would":[289],"discovered":[291],"10":[292],"out":[293],"12":[295],"servers":[297],"first":[300],"hours":[301]},"counts_by_year":[{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":3},{"year":2023,"cited_by_count":4},{"year":2022,"cited_by_count":2},{"year":2021,"cited_by_count":3}],"updated_date":"2026-03-12T08:34:05.389933","created_date":"2025-10-10T00:00:00"}
