{"id":"https://openalex.org/W2960279950","doi":"https://doi.org/10.23919/cycon.2019.8757163","title":"Detection of Malicious Remote Shell Sessions","display_name":"Detection of Malicious Remote Shell Sessions","publication_year":2019,"publication_date":"2019-05-01","ids":{"openalex":"https://openalex.org/W2960279950","doi":"https://doi.org/10.23919/cycon.2019.8757163","mag":"2960279950"},"language":"en","primary_location":{"id":"doi:10.23919/cycon.2019.8757163","is_oa":false,"landing_page_url":"https://doi.org/10.23919/cycon.2019.8757163","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2019 11th International Conference on Cyber Conflict (CyCon)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5082242389","display_name":"Pierre Dumont","orcid":"https://orcid.org/0000-0002-4358-2835"},"institutions":[{"id":"https://openalex.org/I35440088","display_name":"ETH Zurich","ror":"https://ror.org/05a28rw58","country_code":"CH","type":"education","lineage":["https://openalex.org/I2799323385","https://openalex.org/I35440088"]},{"id":"https://openalex.org/I4210116793","display_name":"Kudelski (Switzerland)","ror":"https://ror.org/022m5tt98","country_code":"CH","type":"company","lineage":["https://openalex.org/I4210116793"]}],"countries":["CH"],"is_corresponding":false,"raw_author_name":"Pierre Dumont","raw_affiliation_strings":["Department of Information Technology and Electrical Engineering, ETH Z\u00fcrich / Kudelski Security, Z\u00fcrich / Lausanne, Switzerland"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Information Technology and Electrical Engineering, ETH Z\u00fcrich / Kudelski Security, Z\u00fcrich / Lausanne, Switzerland","institution_ids":["https://openalex.org/I4210116793","https://openalex.org/I35440088"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5003682993","display_name":"Roland Meier","orcid":"https://orcid.org/0000-0002-8268-9037"},"institutions":[{"id":"https://openalex.org/I35440088","display_name":"ETH Zurich","ror":"https://ror.org/05a28rw58","country_code":"CH","type":"education","lineage":["https://openalex.org/I2799323385","https://openalex.org/I35440088"]}],"countries":["CH"],"is_corresponding":false,"raw_author_name":"Roland Meier","raw_affiliation_strings":["Department of Information Technology and Electrical Engineering, ETH Z\u00fcrich, Z\u00fcrich, Switzerland"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Department of Information Technology and Electrical Engineering, ETH Z\u00fcrich, Z\u00fcrich, Switzerland","institution_ids":["https://openalex.org/I35440088"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5069424041","display_name":"David Gugelmann","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"David Gugelmann","raw_affiliation_strings":["Exeon Analytics, Z\u00fcrich, Switzerland"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Exeon Analytics, Z\u00fcrich, Switzerland","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5048330561","display_name":"Vincent Lenders","orcid":"https://orcid.org/0000-0002-2289-3722"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Vincent Lenders","raw_affiliation_strings":["Science and Technology armasuisse, Thun, Switzerland"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Science and Technology armasuisse, Thun, Switzerland","institution_ids":[]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.7438,"has_fulltext":false,"cited_by_count":7,"citation_normalized_percentile":{"value":0.7437166,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":90,"max":96},"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"20"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7690107822418213},{"id":"https://openalex.org/keywords/botnet","display_name":"Botnet","score":0.7278386950492859},{"id":"https://openalex.org/keywords/denial-of-service-attack","display_name":"Denial-of-service attack","score":0.696122944355011},{"id":"https://openalex.org/keywords/password","display_name":"Password","score":0.69484543800354},{"id":"https://openalex.org/keywords/honeypot","display_name":"Honeypot","score":0.665074348449707},{"id":"https://openalex.org/keywords/shell","display_name":"Shell (structure)","score":0.585560142993927},{"id":"https://openalex.org/keywords/classifier","display_name":"Classifier (UML)","score":0.550244152545929},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5353963971138},{"id":"https://openalex.org/keywords/session","display_name":"Session (web analytics)","score":0.5163387060165405},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.2127685844898224},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.209843248128891},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.20302584767341614},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.18399348855018616},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.12103772163391113}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7690107822418213},{"id":"https://openalex.org/C22735295","wikidata":"https://www.wikidata.org/wiki/Q317671","display_name":"Botnet","level":3,"score":0.7278386950492859},{"id":"https://openalex.org/C38822068","wikidata":"https://www.wikidata.org/wiki/Q131406","display_name":"Denial-of-service attack","level":3,"score":0.696122944355011},{"id":"https://openalex.org/C109297577","wikidata":"https://www.wikidata.org/wiki/Q161157","display_name":"Password","level":2,"score":0.69484543800354},{"id":"https://openalex.org/C191267431","wikidata":"https://www.wikidata.org/wiki/Q911932","display_name":"Honeypot","level":2,"score":0.665074348449707},{"id":"https://openalex.org/C2781052500","wikidata":"https://www.wikidata.org/wiki/Q2230313","display_name":"Shell (structure)","level":2,"score":0.585560142993927},{"id":"https://openalex.org/C95623464","wikidata":"https://www.wikidata.org/wiki/Q1096149","display_name":"Classifier (UML)","level":2,"score":0.550244152545929},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5353963971138},{"id":"https://openalex.org/C2779182362","wikidata":"https://www.wikidata.org/wiki/Q17126187","display_name":"Session (web analytics)","level":2,"score":0.5163387060165405},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.2127685844898224},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.209843248128891},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.20302584767341614},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.18399348855018616},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.12103772163391113},{"id":"https://openalex.org/C147176958","wikidata":"https://www.wikidata.org/wiki/Q77590","display_name":"Civil engineering","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.23919/cycon.2019.8757163","is_oa":false,"landing_page_url":"https://doi.org/10.23919/cycon.2019.8757163","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2019 11th International Conference on Cyber Conflict (CyCon)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Industry, innovation and infrastructure","id":"https://metadata.un.org/sdg/9","score":0.6399999856948853}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":15,"referenced_works":["https://openalex.org/W1580437619","https://openalex.org/W1955645522","https://openalex.org/W1981157808","https://openalex.org/W1987684126","https://openalex.org/W2083358597","https://openalex.org/W2096118443","https://openalex.org/W2121749752","https://openalex.org/W2129650357","https://openalex.org/W2131723927","https://openalex.org/W2141087303","https://openalex.org/W2342408547","https://openalex.org/W2748868501","https://openalex.org/W6640935840","https://openalex.org/W6678051712","https://openalex.org/W6743493502"],"related_works":["https://openalex.org/W2789663798","https://openalex.org/W2375896275","https://openalex.org/W4230913293","https://openalex.org/W2166943775","https://openalex.org/W2775236000","https://openalex.org/W2073762068","https://openalex.org/W2151915331","https://openalex.org/W2071426633","https://openalex.org/W4230824443","https://openalex.org/W2292210693"],"abstract_inverted_index":{"Remote":[0],"shell":[1,30,94,112,146,205],"sessions":[2,95,113,133],"via":[3],"protocols":[4],"such":[5,151],"as":[6,37,134,155,160],"SSH":[7],"are":[8,66],"essential":[9],"for":[10],"managing":[11],"systems,":[12],"deploying":[13],"applications,":[14],"and":[15,98,157,176,194],"running":[16],"experiments.":[17],"However,":[18],"combined":[19],"with":[20],"weak":[21],"passwords":[22],"or":[23,53,79,136],"flaws":[24],"in":[25,46,69,90],"the":[26,47,107,140,145,185],"authentication":[27],"process,":[28],"remote":[29,60],"access":[31,97],"becomes":[32],"a":[33,55,164,188,195],"major":[34],"security":[35],"risk,":[36],"it":[38],"allows":[39],"an":[40,50],"attacker":[41],"to":[42,71,75,80,96,131,162],"run":[43],"arbitrary":[44],"commands":[45,122,143,154],"name":[48],"of":[49,62,84,109,121,142,153,192,199],"impersonated":[51],"user":[52],"even":[54],"system":[56],"administrator.":[57],"For":[58],"example,":[59],"shells":[61],"weakly":[63],"protected":[64],"systems":[65],"often":[67,92],"exploited":[68],"order":[70],"build":[72],"large":[73],"botnets,":[74],"send":[76],"spam":[77],"emails,":[78],"launch":[81],"distributed":[82],"denial":[83],"service":[85],"attacks.":[86],"Also,":[87],"malicious":[88,111,137],"insiders":[89],"organizations":[91],"use":[93,158],"transfer":[99],"restricted":[100],"data.":[101],"In":[102],"this":[103],"work,":[104],"we":[105],"tackle":[106],"problem":[108],"detecting":[110],"based":[114,171],"on":[115,172],"session":[116],"logs,":[117],"i.e.,":[118],"recorded":[119],"sequences":[120,152],"that":[123,144,184],"were":[124],"executed":[125],"over":[126],"time.":[127],"Our":[128,169],"approach":[129],"is":[130],"classify":[132],"benign":[135],"by":[138],"analyzing":[139],"sequence":[141],"users":[147],"executed.":[148],"We":[149],"model":[150],"n-grams":[156],"them":[159],"features":[161],"train":[163],"supervised":[165],"machine":[166],"learning":[167],"classifier.":[168],"evaluation,":[170],"freely":[173],"available":[174],"data":[175,177],"from":[178],"our":[179],"own":[180],"honeypot":[181],"infrastructure,":[182],"shows":[183],"classifier":[186],"reaches":[187],"true":[189,196],"positive":[190],"rate":[191,198],"99.4%":[193],"negative":[197],"99.7%":[200],"after":[201],"observing":[202],"only":[203],"four":[204],"commands.":[206]},"counts_by_year":[{"year":2025,"cited_by_count":2},{"year":2023,"cited_by_count":1},{"year":2022,"cited_by_count":2},{"year":2021,"cited_by_count":2}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}