由於 “進階持續性威脅” (APT) 是駭客長期連續性的隱匿攻擊 步驟。因此，檢測企業內部的威脅攻擊就像在大海撈針一樣。在 入侵企業環境之前，駭客會發現並利用入口點中存在的漏洞。其 中，Web 伺服器是駭客在入侵企業環境前常見的攻擊入口點。在 入侵到企業內部時，Active Directory (AD) 則是駭客首要的入侵標 的，由於企業內的使用者帳戶、用戶端電腦、工作站、伺服器、 儲存設備和印表機等資源與時俱增，而 AD 的設計是為了統一集 中控管、簡化管理工作和加強網路安全性，其保存企業內部所有 資源的資訊。駭客為了實現資料洩露，常使用隱匿技術 (如:偽 造標頭) 透過 HTTP 協定的 C&C 伺服器進行通訊和資料收發。因 此，本篇論文提出四種機制以在企業實現多層安全防護的目的。 在 Web 伺服器的防護中，本篇論文提出名為 WebHound 的非監督 式且資料驅動的異常偵測。它不僅識別駭客的偵察行為，並透過 分析大規模的 Web 訪問日誌來檢測駭客的部署策略和入侵手段。 此外，本篇論文亦提出一個名為 ChainSpot 的 AD 異常帳號偵測的 機制。透過綜整 AD 用戶於應用層服務的存取行為順序建模，並 評估行為偏離以偵測帳號是否遭到感染。為了偵測駭客是否連線HTTP 協定的 C&C 伺服器，本篇論文提出一個 HTTP 流量監控機 制，其分析主機上運行的瀏覽器和應用程式的指紋，以檢測企業 內對外的 HTTP 流量異常。惡意程式分類對於病毒偵測技術來說 佔有一席之地，為了準確的分類，本篇論文透過非監督式群聚動 靜態行為以萃取行為特徵，並在各式病毒家族間透過詞嵌入的方 式找出其語意分析後的相似行為。最後，實驗結果顯示本篇論文 提出的技術有更好的準確率，並減輕專家知識的需求和監控人員 在企業中檢測網絡攻擊的大量人力。

Detecting cyber threats inside enterprise is like finding needles in a haystack. “Advanced persistent threat” (APT) is a set of stealthy and continuous computer hacking processes. Hackers usually discover and exploit vulnerabilities existing in the entry point before invading a corporate environment. The web server exploration is a popular mean used by hackers to gain access to enterprise computer systems. Given service logs of who used what service, and when, how can we find intrusions and anomalies of Active Directory (AD)? To achieve data leakage, hackers usually hide their malicious activities to communicate with the C&C server through HTTP protocol. Various techniques for stealth, e.g., using fake header, are developed which directly leads the security system’s failure to detect hacker’s activities. Therefore, we propose four approaches to achieve multiple layered security protection in an enterprise. For a web server, we propose an unsupervised data-driven anomaly detection known as WebHound . It not only identifies hacker’s reconnaissance but also detects the customized intrusion means deployed by hackers by analyzing large-scale web access logs. A cyber threat detection framework - ChainSpot was proposed for AD, in which the novelty is to build graphical patterns by summarizing user’s sequential behaviors of using application-layer services, and to discover deviations against one’s normal patterns. To monitor network traffic, we focus on profiling fingerprints of browsers & applications running on the different client-side host to detect anomaly among outbound HTTP traffics at the behavioral and semantic level. Patterns describing fake header are also elaborately designed using graph structure and become significant features in the proposed method for the subsequent detection. Multi-class malware classification is an essential analysis tool in defense against malware attacks. For accurate classification, we extract features of malware by clustering of their static and dynamic behavior in an unsupervised manner. Via a novel use of word embedding, we perform the clustering over a common semantic-space shared by malware families. The experiment results show that our proposed methods have a better accuracy rate than compared targets. In summary, our proposed approaches alleviate the heavy demand for expert knowledge and human efforts to detect cyber-attack in an enterprise.

[1] Darktrace. https://www.darktrace.com/en/.
[2] Elasticsearch. https://www.elastic.co/products/elasticsearch.
[3] Filtering sql injection from classic asp. https://blogs.iis.net/nazim/filtering-sql-injection-from-classic-asp.
[4] Http status codes. http://www.restapitutorial.com/httpstatuscodes.html.
[5] Modsecurity: Open source web application firewall. https://modsecurity.org/.
[6] Public security log sharing site. http://log-sharing.dreamhosters.com/.
[7] Snort. https://www.snort.org/.
[8] Sql injection prevention cheat sheet. https://www.owasp.org/index. php/SQL_Injection_Prevention_Cheat_Sheet.138
[9] (2013). Trend micro white paper on advanced persistent threat(apt). Technicalreport, Trend Micro Inc.
[10] (2014). Directory system agent. Technical report, Microsoft, MSDN Library. [Online; accessed: 6-May-2014].
[11] (2015a). Active directory collection: Active directory on a windows server 2003 network. Technical report, Microsoft, TechNet Library. [Online; accessed: 6-May- 2015].
[12] (2015b). How the kerberos version 5 authentication protocol works. Technical report, Microsoft, TechNet Library. [Online; accessed: 6-May-2015].
[13] (2015). M-Trends 2015: A VIEW FROM THE FRONT LINES.
[14] (2016). Event code 4771: Kerberos pre-authentication failed. [Online; accessed: 17-April-2016].
[15] (2016). Windows security log events. [Online; accessed: 17-April-2016].
[16] Ahmadi, M., Ulyanov, D., Semenov, S., Trofimov, M., and Giacinto, G. (2016). Novel feature extraction, selection and fusion for effective malware family classi- fication. In Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pages 183–194. ACM.
[17] Akoglu, L., McGlohon, M., and Faloutsos, C. (2010). Oddball: Spotting anoma- lies in weighted graphs. In Pacific-Asia Conference on Knowledge Discovery and Data Mining, pages 410–421. Springer.
[18] Akoglu, L., Tong, H., and Koutra, D. (2015). Graph based anomaly detection and description: a survey. Data Mining and Knowledge Discovery, 29(3):626–688.
[19] Anderson, B., Quist, D., Neil, J., Storlie, C., and Lane, T. (2011). Graph-based malware detection using dynamic analysis. Journal in computer Virology, 7(4):247– 258.
[20] Annachhatre, C., Austin, T. H., and Stamp, M. (2015). Hidden markov models for malware classification. Journal of Computer Virology and Hacking Techniques, 11(2):59–73.
[21] Atluri, A. C. and Tran, V. (2017). Botnets threat analysis and detection. In Information Security Practices, pages 7–28. Springer.
[22] Barford, P. and Yegneswaran, V. (2007). An inside look at botnets. In Malware detection, pages 171–191. Springer.
[23] Bartos, K., Sofka, M., and Franc, V. (2016). Optimized invariant representa- tion of network traffic for detecting unseen malware variants. In USENIX Security Symposium, pages 807–822.
[24] Baychev,Y.andBilge,L.(2018).Spearphishingmalware:Dowereallyknowthe unknown? In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 46–66. Springer.
[25] Baysa, D., Low, R. M., and Stamp, M. (2013). Structural entropy and metamor- phic malware. Journal of computer virology and hacking techniques, 9(4):179–192.
[26] Bilge, L., Balzarotti, D., Robertson, W., Kirda, E., and Kruegel, C. (2012). Dis- closure: detecting botnet command and control servers through large-scale netflow analysis. In Proceedings of the 28th Annual Computer Security Applications Con- ference, pages 129–138. ACM.
[27] Binkley, J. R. and Singh, S. (2006). An algorithm for anomaly-based botnet detection. SRUTI, 6:7–7.
[28] Borders, K. and Prakash, A. (2004). Web tap: detecting covert web traffic. In Proceedings of the 11th ACM conference on Computer and communications secu- rity, pages 110–120. ACM.
[29] Bortolameotti, R., van Ede, T., Caselli, M., Everts, M. H., Hartel, P., Hofstede, R., Jonker, W., and Peter, A. (2017). Decanter: Detection of anomalous outbound http traffic by passive application fingerprinting. In Proceedings of the 33rd Annual Computer Security Applications Conference, pages 373–386. ACM.
[30] Braue, D. (2015). Cybercrime not ”solvable”, requires data-based harm minimisation. http://www.cso.com.au/article/565596/ cybercrime-solvable-requires-data-based-harm-minimisation/.
[31] Breunig, M. M., Kriegel, H.-P., Ng, R. T., and Sander, J. (2000). Lof: identifying density-based local outliers. In ACM sigmod record, volume 29, pages 93–104. ACM.
[32] Carl, L. et al. (2006). Using machine learning technliques to identify botnet traffic. In Local Computer Networks, Proceedings 2006 31st IEEE Conference on. IEEE.
[33] Carlin, D., Cowan, A., O’Kane, P., and Sezer, S. (2017). The effects of tradi- tional anti-virus labels on malware detection using dynamic runtime opcodes. IEEE Access, 5:17742–17752.
[34] Chandola, V., Banerjee, A., and Kumar, V. (2009). Anomaly detection: A survey. ACM computing surveys (CSUR), 41(3):15.
[35] Chen, K. L., Lee, H., Shing, C.-c., and Shing, M. (2010). A study of identity management features in erp systems. Issues in Information Systems, 11(1):644– 648.
[36] Chen, M.-Y., Kundu, A., and Zhou, J. (1994). Off-line handwritten word recog- nition using a hidden markov model type stochastic network. Pattern Analysis and Machine Intelligence, IEEE Transactions on, 16(5):481–496.
[37] Cheng, J. Y.-C., Tsai, T.-S., and Yang, C.-S. (2013). An information retrieval approach for malware classification based on windows api calls. In Machine Learn- ing and Cybernetics (ICMLC), 2013 International Conference on, volume 4, pages 1678–1683. IEEE.
[38] Cheng, W., Zhang, K., Chen, H., Jiang, G., Chen, Z., and Wang, W. (2016). Ranking causal anomalies via temporal and dynamical analysis on vanishing corre- lations. In In Poceedings of the ACM SIGKDD International Conference on Knowl- edge Discovery and Data Mining (SIGKDD).
[39] Choi, Y. H., Han, B. J., Bae, B. C., Oh, H. G., and Sohn, K. W. (2012). Toward extracting malware features for classification using static and dynamic analysis. In Computing and Networking Technology (ICCNT), 2012 8th International Conference on, pages 126–129. IEEE.
[40] Christodorescu, M. and Jha, S. (2006). Static analysis of executables to detect malicious patterns. Technical report, WISCONSIN UNIV-MADISON DEPT OF COMPUTER SCIENCES.
[41] Cortes, C. and Vapnik, V. (1995). Support-vector networks. Machine learning, 20(3):273–297.
[42] Cristianini, N., Shawe-Taylor, J., et al. (2000). An introduction to support vector machines and other kernel-based learning methods. Cambridge university press.
[43] Dahl, G. E., Stokes, J. W., Deng, L., and Yu, D. (2013). Large-scale malware classification using random projections and neural networks. In Acoustics, Speech and Signal Processing (ICASSP), 2013 IEEE International Conference on, pages 3422–3426. IEEE.
[44] Dai, J., Guha, R. K., and Lee, J. (2009). Efficient virus detection using dynamic instruction sequences. JCP, 4(5):405–414.
[45] Damodaran, A., Di Troia, F., Visaggio, C. A., Austin, T. H., and Stamp, M. (2017). A comparison of static, dynamic, and hybrid analysis for malware detection. Journal of Computer Virology and Hacking Techniques, 13(1):1–12.
[46] David,O.E.andNetanyahu,N.S.(2015).Deepsign:Deeplearningforautomatic malware signature generation and classification. In Neural Networks (IJCNN), 2015 International Joint Conference on, pages 1–8. IEEE.
[47] Deshpande, P. (2013). Metamorphic detection using function call graph analysis.
[48] Deshpande,S.,Park,Y.,andStamp,M.(2014).Eigenvalueanalysisformetamor- phic detection. Journal of computer virology and hacking techniques, 10(1):53–65.
[49] Di Mauro, M. and Di Sarno, C. (2018). Improving siem capabilities through an enhanced probe for encrypted skype traffic detection. Journal of Information Security and Applications, 38:85–95.
[50] Elkan, C. (2003). Using the triangle inequality to accelerate k-means. In ICML, pages 147–153.
[51] Eskandari, M. and Hashemi, S. (2012). A graph mining approach for detecting unknown malwares. Journal of Visual Languages & Computing, 23(3):154–162.
[52] Eskandari, M., Khorshidpur, Z., and Hashemi, S. (2012). To incorporate sequen- tial dynamic features in malware detection engines. In Intelligence and Security Informatics Conference (EISIC), 2012 European, pages 46–52. IEEE.
[53] Eslahi, M., Hashim, H., and Tahir, N. (2013). An efficient false alarm reduction approach in http-based botnet detection. In Computers & Informatics (ISCI), 2013 IEEE Symposium on, pages 201–205. IEEE.
[54] Feily, M., Shahrestani, A., and Ramadass, S. (2009). A survey of botnet and botnet detection. In Emerging Security Information, Systems and Technologies, 2009. SECURWARE’09. Third International Conference on, pages 268–273. IEEE.
[55] Feinstein, L., Schnackenberg, D., Balupari, R., and Kindred, D. (2003). Sta- tistical approaches to ddos attack detection and response. In DARPA Information Survivability Conference and Exposition, 2003. Proceedings, volume 1, pages 303–314. IEEE.
[56] Forgy, E. W. (1965). Cluster analysis of multivariate data: efficiency versus interpretability of classifications. biometrics, 21:768–769.
[57] Frey, B. J. and Dueck, D. (2007). Clustering by passing messages between data points. science, 315(5814):972–976.
[58] Ge, Y., Jiang, G., Ding, M., and Xiong, H. (2014). Ranking metric anomaly in in- variant networks. ACM Transactions on Knowledge Discovery from Data (TKDD), 8(2):8.
[59] Globerson, A., Chechik, G., Pereira, F., and Tishby, N. (2007). Euclidean embed- ding of co-occurrence data. Journal of Machine Learning Research, 8(Oct):2265– 2295.
[60] GmbH, A.-T. AV-TEST – The Independent IT-Security Institute.
[61]Goh, V. (2016). The anatomy of large-scale cyber at- tacks. http://www.cso.com.au/article/606694/ anatomy-large-scale-cyber-attacks/.
[62] Golub, G. H. and Reinsch, C. (1970). Singular value decomposition and least squares solutions. Numerische mathematik, 14(5):403–420.
[63] Gu, G., Perdisci, R., Zhang, J., Lee, W., et al. (2008a). Botminer: Clustering analysis of network traffic for protocol-and structure-independent botnet detection. In USENIX security symposium, volume 5, pages 139–154.
[64] Gu, G., Zhang, J., and Lee, W. (2008b). Botsniffer: Detecting botnet command and control channels in network traffic.
[65] Gunestas, M. and Bilgin, Z. (2016). Log analysis using temporal logic and re- construction approach: Web server case. The Journal of Digital Forensics, Security and Law: JDFSL, 11(2):35.
[66] Gyo ̈ngyi, Z., Garcia-Molina, H., and Pedersen, J. (2004). Combating web spam with trustrank. In Proceedings of the Thirtieth international conference on Very large data bases-Volume 30, pages 576–587. VLDB Endowment.
[67] He, G., Zhang, T., Ma, Y., and Xu, B. (2014). A novel method to detect en- crypted data exfiltration. In Advanced Cloud and Big Data (CBD), 2014 Second International Conference on, pages 240–246. IEEE.
[68] Henderson, K., Eliassi-Rad, T., Faloutsos, C., Akoglu, L., Li, L., Maruhashi, K., Prakash, B. A., and Tong, H. (2010). Metric forensics: a multi-level approach for mining volatile graphs. In Proceedings of the 16th ACM SIGKDD international conference on Knowledge discovery and data mining, pages 163–172. ACM.
[69] Holte, R. C. and Drummond, C. (2008). Cost-sensitive classifier evaluation using cost curves. In Advances in Knowledge Discovery and Data Mining, pages 26–29. Springer.
[70] Hoplaros, D., Tari, Z., and Khalil, I. (2014). Data summarization for network traffic monitoring. Journal of network and computer applications, 37:194–205.
[71] Invernizzi, L., Miskovic, S., Torres, R., Kruegel, C., Saha, S., Vigna, G., Lee, 147 S.-J., and Mellia, M. (2014). Nazca: Detecting malware distribution in large-scale networks. In NDSS, volume 14, pages 23–26.
[72] Jaeger, D., Ussath, M., Cheng, F., and Meinel, C. (2015). Multi-step attack pat- tern detection on normalized event logs. In Cyber Security and Cloud Computing (CSCloud), 2015 IEEE 2nd International Conference on, pages 390–398. IEEE.
[73] Jiang, D., Xu, Z., Zhang, P., and Zhu, T. (2014). A transform domain-based anomaly detection approach to network-wide traffic. Journal of Network and Com- puter Applications, 40:292–306.
[74] Jiang, G., Chen, H., and Yoshihira, K. (2006). Modeling and tracking of transac- tion flow dynamics for fault detection in complex systems. IEEE Transactions on Dependable and Secure Computing, 3(4):312–326.
[75] Jidigam, R. K., Austin, T. H., and Stamp, M. (2015). Singular value decom- position and metamorphic detection. Journal of Computer Virology and Hacking Techniques, 11(4):203–216.
[76] Karasaridis, A., Rexroad, B., Hoeflin, D. A., et al. (2007). Wide-scale botnet detection and characterization. HotBots, 7:7–7.
[77] Kheir, N. (2013a). Analyzing http user agent anomalies for malware detection. In Data Privacy Management and Autonomous Spontaneous Security, pages 187–200. Springer.
[78] Kheir, N. (2013b). Behavioral classification and detection of malware through http user agent anomalies. Journal of Information Security and Applications, 18(1):2–13.
[79] Ki, Y., Kim, E., and Kim, H. K. (2015). A novel approach to detect malware based on api call sequence analysis. International Journal of Distributed Sensor Networks, 11(6):659101.
[80] Kinable, J. and Kostakis, O. (2011). Malware classification based on call graph clustering. Journal in computer virology, 7(4):233–245.
[81] Kolbitsch, C., Comparetti, P. M., Kruegel, C., Kirda, E., Zhou, X.-y., and Wang, X. (2009). Effective and efficient malware detection at the end host. In USENIX security symposium, volume 4, pages 351–366.
[82] Kruegel, C. and Vigna, G. (2003). Anomaly detection of web-based attacks. In Proceedings of the 10th ACM conference on Computer and communications secu- rity, pages 251–261. ACM.
[83] Langville, A. N. and Meyer, C. D. (2005). A survey of eigenvector methods for web information retrieval. SIAM review, 47(1):135–161.
[84] Lebret, R. and Collobert, R. (2013). Word emdeddings through hellinger pca. arXiv preprint arXiv:1312.5542.
[85] Lee, J., Austin, T. H., and Stamp, M. (2015). Compression-based analysis of metamorphic malware. International Journal of Security and Networks, 10(2):124– 136.
[86] Levy, O. and Goldberg, Y. (2014a). Linguistic regularities in sparse and explicit word representations. In Proceedings of the eighteenth conference on computational natural language learning, pages 171–180.
[87] Levy, O. and Goldberg, Y. (2014b). Neural word embedding as implicit matrix factorization. In Advances in neural information processing systems, pages 2177– 2185.
[88] Li, Y., Xu, L., Tian, F., Jiang, L., Zhong, X., and Chen, E. (2015). Word em- bedding revisited: A new representation learning and explicit matrix factorization perspective. In IJCAI, pages 3650–3656.
[89] Liao, H.-J., Lin, C.-H. R., Lin, Y.-C., and Tung, K.-Y. (2013). Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications, 36(1):16–24.
[90] Lin, D. and Stamp, M. (2011). Hunting for undetectable metamorphic viruses. Journal in computer virology, 7(3):201–214.
[91] Liu,C.,Yan,X.,Yu,H.,Han,J.,andPhilip,S.Y.(2005).Miningbehaviorgraphs for” backtrace” of noncrashing bugs. In SDM, pages 286–297. SIAM.
[92] Malkin, R. (2016). Fighting the growing threat of ddos attacks down under. http://www.cso.com.au/article/606693/ fighting-growing-threat-ddos-attacks-down-under/.
[93] Manevitz, L. M. and Yousef, M. (2001). One-class svms for document classifi- cation. Journal of Machine Learning Research, 2(Dec):139–154.
[94] Matta, V., Di Mauro, M., and Longo, M. (2017). Ddos attacks with randomized traffic innovation: botnet identification challenges and strategies. IEEE Transac- tions on Information Forensics and Security, 12(8):1844–1859.
[95] Mikolov, T., Sutskever, I., Chen, K., Corrado, G. S., and Dean, J. (2013). Dis- tributed representations of words and phrases and their compositionality. In Ad- vances in neural information processing systems, pages 3111–3119.
[96] Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., and Rajarajan, M. (2013). A survey of intrusion detection techniques in cloud. Journal of Network and Com- puter Applications, 36(1):42–57.
[97] Nelms, T., Perdisci, R., and Ahamad, M. (2013). Execscent: Mining for new c&c domains in live networks with adaptive control protocol templates. In USENIX Security Symposium, pages 589–604.
[98] Norris, J. R. (1998). Markov chains. Number 2. Cambridge university press.
[99] Oprea, A., Li, Z., Yen, T.-F., Chin, S. H., and Alrwais, S. (2015). Detection of early-stage enterprise infection by mining large-scale log data. In Dependable Sys- tems and Networks (DSN), 2015 45th Annual IEEE/IFIP International Conference on, pages 45–56. IEEE.
[100] Page, L., Brin, S., Motwani, R., and Winograd, T. (1999). The pagerank citation ranking: Bringing order to the web. Technical report, Stanford InfoLab.
[101] Pao, H.-K., Mao, C.-H., Lee, H.-M., Chen, C.-D., and Faloutsos, C. (2010). An intrinsic graphical signature based on alert correlation analysis for intrusion de- tection. In Technologies and Applications of Artificial Intelligence (TAAI), 2010 International Conference on, pages 102–109. IEEE.
[102] Perdisci, R., Ariu, D., and Giacinto, G. (2013). Scalable fine-grained behavioral clustering of http-based malware. Computer Networks, 57(2):487–500.
[103] Perdisci, R., Lee, W., and Feamster, N. (2010). Behavioral clustering of http- based malware and signature generation using malicious network traces. In NSDI, volume 10, page 14.
[104] Rabiner, L. (1989). A tutorial on hidden markov models and selected applica- tions in speech recognition. Proceedings of the IEEE, 77(2):257–286.
[105] Rafique,M.Z.andCaballero,J.(2013).Firma:Malwareclusteringandnetwork signature generation with mixed network behaviors. In International Workshop on Recent Advances in Intrusion Detection, pages 144–163. Springer.
[106] Ray, S. and Turi, R. H. (1999). Determination of number of clusters in k-means clustering and application in colour image segmentation. In Proceedings of the 4th International Conference on Advances in Pattern Recognition and Digital Tech- niques (ICAPRDT’99).
[107] Rhee, J., Riley, R., Xu, D., and Jiang, X. (2010). Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory. In International Workshop on Recent Advances in Intrusion Detection, pages 178–197. Springer.
[108] Rossi, R. A., Gallagher, B., Neville, J., and Henderson, K. (2013). Modeling dynamic behavior in large evolving graphs. In Proceedings of the sixth ACM inter- national conference on Web search and data mining, pages 667–676. ACM.
[109] Russinovich, M. E. and Solomon, D. A. (2004). Microsoft Windows Inter- nals: Microsoft Windows Server (TM) 2003, Windows XP, and Windows 2000 (Pro- Developer). Microsoft Press.
[110] Schwenk, G. and Rieck, K. (2011a). Adaptive detection of covert communi- cation in http requests. In Computer Network Defense (EC2ND), 2011 Seventh European Conference on, pages 25–32. IEEE.
[111] Schwenk, G. and Rieck, K. (2011b). Adaptive detection of covert communi- cation in http requests. In Computer Network Defense (EC2ND), 2011 Seventh European Conference on, pages 25–32. IEEE.
[112] Severi, G., Leek, T., and Dolan-Gavitt, B. (2018). M alrec: Compact full-trace malware recording for retrospective deep analysis. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 3–23. Springer.
[113] Shankarapani, M. K., Ramamoorthy, S., Movva, R. S., and Mukkamala, S. (2011). Malware detection using assembly and api call sequences. Journal in com- puter virology, 7(2):107–119.
[114] Shapiro, M. (1986). Structure and encapsulation in distributed systems: the proxy principle. In icdcs, pages 198–204.
[115] Singh,T.(2015).Supportvectormachinesandmetamorphicmalwaredetection. [116] Strayer, W. T., Lapsely, D., Walsh, R., and Livadas, C. (2008). Botnet detection based on network behavior. In Botnet Detection, pages 1–24. Springer.
[116] Strayer, W. T., Lapsely, D., Walsh, R., and Livadas, C. (2008). Botnet detection based on network behavior. In Botnet Detection, pages 1–24. Springer.
[117] Strayer,W.T.,Walsh,R.,Livadas,C.,andLapsley,D.(2006).Detectingbotnets with tight command and control. In Local Computer Networks, Proceedings 2006 31st IEEE Conference on, pages 195–202. IEEE.
[118] Sun, J., Tao, D., and Faloutsos, C. (2006). Beyond streams and graphs: dynamic tensor analysis. In Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery and data mining, pages 374–383. ACM.
[119] Sun, X., Dai, J., Liu, P., Singhal, A., and Yen, J. (2016). Towards probabilistic identification of zero-day attack paths. In Communications and Network Security (CNS), 2016 IEEE Conference on, pages 64–72. IEEE.
[120] Tamersoy, A., Roundy, K., and Chau, D. H. (2014). Guilt by association: large scale malware detection by mining file-relation graphs. In Proceedings of the 20th ACM SIGKDD international conference on Knowledge discovery and data mining, pages 1524–1533. ACM.
[121] Tao, C., Ge, Y., Song, Q., Ge, Y., and Omitaomu, O. A. (2014). Metric ranking of invariant networks with belief propagation. In 2014 IEEE International Confer- ence on Data Mining, pages 1001–1006. IEEE.
[122] Tong, H., Faloutsos, C., and Pan, J.-Y. (2006). Fast random walk with restart and its applications.
[123] Wang, W., Wang, Y., Tan, X., Liu, Y., and Yang, S. (2018). Botcapturer: De- tecting botnets based on two-layered analysis with graph anomaly detection and network traffic clustering. International Journal of Performability Engineering, 14(5):1050.
[124] Wei, T.-E., Lee, H.-M., Jeng, A. B., Lamba, H., and Faloutsos, C. (2019). Web- hound: a data-driven intrusion detection from real-world web access logs. Soft Computing, pages 1–19.
[125] Wilson, A. D. and Bobick, A. F. (1999). Parametric hidden markov models for gesture recognition. Pattern Analysis and Machine Intelligence, IEEE Transactions on, 21(9):884–900.
[126] Yen, T.-F., Heorhiadi, V., Oprea, A., Reiter, M. K., and Juels, A. (2014). An epidemiological study of malware encounters in a large enterprise. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 1117–1130. ACM.
[127] Yen, T.-F., Oprea, A., Onarlioglu, K., Leetham, T., Robertson, W., Juels, A., and Kirda, E. (2013). Beehive: Large-scale log analysis for detecting suspicious activ- ity in enterprise networks. In Proceedings of the 29th Annual Computer Security Applications Conference, pages 199–208. ACM.
[128] Zarras, A., Papadogiannakis, A., Gawlik, R., and Holz, T. (2014). Automated generation of models for fast and precise detection of http-based malware. In Pri- vacy, Security and Trust (PST), 2014 Twelfth Annual International Conference on, pages 249–256. IEEE.
[129] Zhang, H., Yao, D. D., Ramakrishnan, N., and Zhang, Z. (2016). Causality reasoning about network events for detecting stealthy malware activities. computers & security, 58:180–198.
[130] Zhang, X. and Xu, Z. (2018). On the feasibility of automatic malware family signature generation. In Proceedings of the First Workshop on Radical and Experi- ential Security, pages 69–72. ACM.