bibliography.bib

% Schiavoni's Thesis
@inproceedings{schiavoni2013,
    address = {London, {UK}},
    title = {Phoenix: {DGA-based} Botnet Tracking and Intelligence},
    booktitle = {Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment ({DIMVA)}},
    publisher = {Springer-Verlag},
    author = {{Stefano Schiavoni} and {Federico Maggi} and {Lorenzo Cavallaro} and {Stefano Zanero}},
    year = {2014}
}

% Miki's Thesis
@mastersthesis{spagnuolo2013,
    author    = "Michele Spagnuolo",
    title     = "BitIodine: Extracting Intelligence from the Bitcoin
Network",
    school    = "Politecnico Di Milano",
    type     = "Master's Thesis",
    address  = "Piazza Leonardo da Vinci 32, Milan",
    year      = "2013",
    month    = "December",
}

% Papers on Botnets
@inproceedings{grier2012manufacturing,
  title={Manufacturing compromise: the emergence of exploit-as-a-service},
  author={Grier, Chris and Ballard, Lucas and Caballero, Juan and Chachra, Neha and Dietrich, Christian J and Levchenko, Kirill and Mavrommatis, Panayiotis and McCoy, Damon and Nappa, Antonio and Pitsillidis, Andreas and others},
  booktitle={Proceedings of the 2012 ACM conference on Computer and communications security},
  pages={821--832},
  year={2012},
  organization={ACM}
}

@inproceedings{stone2009fire,
  title={{Fire: Finding rogue networks}},
  author={Stone-Gross, Brett and Kruegel, Christopher and Almeroth, Kevin and Moser, Andreas and Kirda, Engin},
  booktitle={Computer Security Applications Conference, 2009. ACSAC'09. Annual},
  pages={231--240},
  year={2009},
  organization={IEEE}
}

@inproceedings{antonakakis2011,
    author = {Antonakakis, Manos and Perdisci, Roberto and Lee, Wenke and Vasiloglou,II, Nikolaos and Dagon, David},
    title = {Detecting Malware Domains at the Upper DNS Hierarchy},
    booktitle = {Proceedings of the 20th USENIX Conference on Security},
    series = {SEC'11},
    year = {2011},
    location = {San Francisco, CA},
    pages = {27--27},
    numpages = {1},
    url = {http://dl.acm.org/citation.cfm?id=2028067.2028094},
    acmid = {2028094},
    publisher = {USENIX Association},
    address = {Berkeley, CA, USA},
}

@inproceedings{antonakakis2012,
    author = {Antonakakis, Manos and Perdisci, Roberto and Nadji, Yacin and Vasiloglou, Nikolaos and Abu-Nimeh, Saeed and Lee, Wenke and Dagon, David},
    title = {From Throw-away Traffic to Bots: Detecting the Rise of DGA-based Malware},
    booktitle = {Proceedings of the 21st USENIX Conference on Security Symposium},
    series = {Security'12},
    year = {2012},
    location = {Bellevue, WA},
    pages = {24--24},
    numpages = {1},
    url = {http://dl.acm.org/citation.cfm?id=2362793.2362817},
    acmid = {2362817},
    publisher = {USENIX Association},
    address = {Berkeley, CA, USA},
}

@inproceedings{bailey2009,
    author={Bailey, M. and Cooke, E. and Jahanian, F. and Yunjing Xu and Karir, M.},
    booktitle={Conference For Homeland Security, 2009. CATCH '09. Cybersecurity Applications Technology},
    title={A Survey of Botnet Technology and Defenses},
    year={2009},
    month={March},
    pages={299-304},
    keywords={Internet;security of data;Botnet technology;botnet defense;global Internet threats;Computer crime;Computer security;Computer worms;Educational institutions;Floods;Government;Home computing;Internet;Paper technology;Terrorism;Botnet;detection;mitigation},
    doi={10.1109/CATCH.2009.40},
}

@inproceedings{eslahi2013,
    author={Eslahi, M. and Hashim, H. and Tahir, N.M.},
    booktitle={Computers Informatics (ISCI), 2013 IEEE Symposium on},
    title={An efficient false alarm reduction approach in HTTP-based botnet detection},
    year={2013},
    month={April},
    pages={201-205},
    keywords={computer network security;telecommunication traffic;transport protocols;HTTP protocol;HTTP-based botnet detection;Internet;cyber-attack;false alarm rates;false alarm reduction;false alarms;network security systems;normal Web traffic;Command and control systems;Computers;Filtering algorithms;Internet;Protocols;Security;Servers;Botnet Detection;Command and Control Mechanism;False Alarm Rate;HTTP Botnet;Network Security},
    doi={10.1109/ISCI.2013.6612403},
}

@article{shin2013,
    author = {Shin, Seungwon and Xu, Zhaoyan and Gu, Guofei},
    title = {EFFORT: A New Host-network Cooperated Framework for Efficient and Effective Bot Malware Detection},
    journal = {Comput. Netw.},
    issue_date = {September, 2013},
    volume = {57},
    number = {13},
    month = sep,
    year = {2013},
    issn = {1389-1286},
    pages = {2628--2642},
    numpages = {15},
    url = {http://dx.doi.org/10.1016/j.comnet.2013.05.010},
    doi = {10.1016/j.comnet.2013.05.010},
    acmid = {2514317},
    publisher = {Elsevier North-Holland, Inc.},
    address = {New York, NY, USA},
    keywords = {Botnet, Botnet detection, Network security},
}

@inproceedings{feily2009,
    author={Feily, M. and Shahrestani, A. and Ramadass, S.},
    booktitle={Emerging Security Information, Systems and Technologies, 2009. SECURWARE '09. Third International Conference on},
    title={A Survey of Botnet and Botnet Detection},
    year={2009},
    month={June},
    pages={268-273},
    keywords={digital signatures;invasive software;botnet detection techniques;cyber-crime prevention;cyber-security;distributed denial of service attack;distributed platform;malware dissemination;Automatic control;Command and control systems;Computer crime;Computer science;Computer security;Distributed computing;Information security;National security;Protocols;Robotics and automation;Botnet;Botnet Detection;Cyber-security},
    doi={10.1109/SECURWARE.2009.48},
}


@inproceedings{gross2009,
    author = {Stone-Gross, Brett and Cova, Marco and Cavallaro, Lorenzo and Gilbert, Bob and Szydlowski, Martin and Kemmerer, Richard and Kruegel, Christopher and Vigna, Giovanni},
    title = {Your Botnet is My Botnet: Analysis of a Botnet Takeover},
    booktitle = {Proceedings of the 16th ACM Conference on Computer and Communications Security},
    series = {CCS '09},
    year = {2009},
    isbn = {978-1-60558-894-0},
    location = {Chicago, Illinois, USA},
    pages = {635--647},
    numpages = {13},
    url = {http://doi.acm.org/10.1145/1653662.1653738},
    doi = {10.1145/1653662.1653738},
    acmid = {1653738},
    publisher = {ACM},
    address = {New York, NY, USA},
    keywords = {botnet, malware, measurement, security, torpig},
}


@inproceedings{bilge2012,
    author = {Bilge, Leyla and Balzarotti, Davide and Robertson, William and Kirda, Engin and Kruegel, Christopher},
    title = {Disclosure: Detecting Botnet Command and Control Servers Through Large-scale NetFlow Analysis},
    booktitle = {Proceedings of the 28th Annual Computer Security Applications Conference},
    series = {ACSAC '12},
    year = {2012},
    isbn = {978-1-4503-1312-4},
    location = {Orlando, Florida},
    pages = {129--138},
    numpages = {10},
    url = {http://doi.acm.org/10.1145/2420950.2420969},
    doi = {10.1145/2420950.2420969},
    acmid = {2420969},
    publisher = {ACM},
    address = {New York, NY, USA},
}


@inproceedings{bilge2011exposure,
  title={{Exposure: Finding malicious domains using passive DNS analysis}},
  author={Leyla Bilge and Engin Kirda and Christopher Kruegel and Marco Balduzzi},
  booktitle={Proceedings of NDSS},
  year={2011}
}


@inproceedings{holz2008,
  title={{Measuring and Detecting Fast-Flux Service Networks}},
  author={Thorsten Holz and Christian Gorecki and Konrad Rieck and Felix C. Freiling},
  booktitle={Symposium on
Network and Distributed System Security},
  year={2008}
}

@inproceedings{neugschwandtner2011,
    author = {{Neugschwandtner, Matthias and Comparetti, Paolo Milani and Platzer, Christian}},
    title = {{Detecting Malware's Failover C\&C Strategies with Squeeze}},
    booktitle = {Proceedings of the 27th Annual Computer Security Applications Conference},
    series = {ACSAC '11},
    year = {2011},
    isbn = {978-1-4503-0672-0},
    location = {Orlando, Florida},
    pages = {21--30},
    numpages = {10},
    url = {http://doi.acm.org/10.1145/2076732.2076736},
    doi = {10.1145/2076732.2076736},
    acmid = {2076736},
    publisher = {ACM},
    address = {New York, NY, USA},
}

@inproceedings{aburajab2006,
    author = {Abu Rajab, Moheeb and Zarfoss, Jay and Monrose, Fabian and Terzis, Andreas},
    title = {A Multifaceted Approach to Understanding the Botnet Phenomenon},
    booktitle = {Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement},
    series = {IMC '06},
    year = {2006},
    isbn = {1-59593-561-4},
    location = {Rio de Janeriro, Brazil},
    pages = {41--52},
    numpages = {12},
    url = {http://doi.acm.org/10.1145/1177080.1177086},
    doi = {10.1145/1177080.1177086},
    acmid = {1177086},
    publisher = {ACM},
    address = {New York, NY, USA},
    keywords = {botnets, computer security, malware, network security},
}

@inproceedings{rossow2011,
    author = {Rossow, Christian and Dietrich, Christian J. and Bos, Herbert and Cavallaro, Lorenzo and van Steen, Maarten and Freiling, Felix C. and Pohlmann, Norbert},
    title = {Sandnet: Network Traffic Analysis of Malicious Software},
    booktitle = {Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security},
    series = {BADGERS '11},
    year = {2011},
    isbn = {978-1-4503-0768-0},
    location = {Salzburg, Austria},
    pages = {78--88},
    numpages = {11},
    url = {http://doi.acm.org/10.1145/1978672.1978682},
    doi = {10.1145/1978672.1978682},
    acmid = {1978682},
    publisher = {ACM},
    address = {New York, NY, USA},
}

@inproceedings{haddadi2013,
    author={Haddadi, F. and Zincir-Heywood, A.N.},
    booktitle={Evolutionary Computation (CEC), 2013 IEEE Congress on},
    title={Analyzing string format-based classifiers for botnet detection: GP and SVM},
    year={2013},
    month={June},
    pages={2626-2633},
    keywords={Internet;data analysis;genetic algorithms;pattern classification;security of data;support vector machines;DNS-based method;GP;Internet;SSK with lambda pruning;SVM;Stateful-SBB;botnet detection;classification process;classifier analysis;domain name system;genetic programming;string format input;string format-based classifier;string subsequence kernel;support vector machines;Computers;Feature extraction;Internet;Kernel;Servers;Support vector machines;Training;botnet domain name detection;evolutionary computation;genetic programming},
    doi={10.1109/CEC.2013.6557886},
}

@incollection{haddadi2013malicious,
  title={Malicious automatically generated domain name detection using Stateful-SBB},
  author={Haddadi, Fariba and Kayacik, H Gunes and Zincir-Heywood, A Nur and Heywood, Malcolm I},
  booktitle={Applications of Evolutionary Computation},
  pages={529--539},
  year={2013},
  publisher={Springer}
}

@article{perdisci2012,
    title =  {{Early detection of malicious flux networks via large-scale passive DNS analysis}},
    author = {Perdisci, Roberto and Corona, Igino and Giacinto, Giorgio},
    journal =  {Dependable and Secure Computing, IEEE Transactionson},
    volume = 9,
    number = 5,
    pages = {714--726},
    year = 2012,
    publisher = {IEEE}
}

@inproceedings{sharifnya2013,
    author={Sharifnya, R. and Abadi, M.},
    booktitle={Computer and Knowledge Engineering (ICCKE), 2013 3th International eConference on},
    title={A novel reputation system to detect DGA-based botnets},
    year={2013},
    month={Oct},
    pages={417-423},
    keywords={invasive software;C&C server;DGA-based botnets;DNS queries;bot herder;command and control servers;compromised hosts;domain name generation algorithm;reputation system;suspicious bot activities;suspicious failure matrix;suspicious group activity matrix;Computers;Detectors;Educational institutions;History;IP networks;Servers;Superluminescent diodes;botnet detection;domain fluxing;domain name generation algorithm;reputation system;suspicious activity},
    doi={10.1109/ICCKE.2013.6682860}
}

@inproceedings{guerid2013,
    author={Guerid, H. and Mittig, K. and Serhrouchni, A.},
    booktitle={Communication Systems and Networks (COMSNETS), 2013 Fifth International Conference on},
    title={Privacy-preserving domain-flux botnet detection in a large scale network},
    year={2013},
    month={Jan},
    pages={1-9},
    keywords={data privacy;data structures;invasive software;network servers;real-time systems;telecommunication traffic;anonymised DNS traffic;benign traffic;bloom filters;bot control;community traffic;large scale network;malicious servers;malicious traffic;malware;operator network;privacy preservation;privacy-preserving domain-flux botnet detection;production environment;real-time detection;user privacy;Communities;IP networks;Malware;Privacy;Real-time systems;Servers;Vectors;DGA;DNS;botnet detection;domain-flux},
    doi={10.1109/COMSNETS.2013.6465572}
}

@inproceedings{sharestani2013,
    author={Shahrestani, A. and Feily, M. and Masood, M. and Muniandy, B.},
    booktitle={Telecommunication Technologies (ISTT), 2012 International Symposium on},
    title={Visualization of invariant bot behavior for effective botnet traffic detection},
    year={2012},
    month={Nov},
    pages={325-330},
    keywords={data mining;data visualisation;graphical user interfaces;invasive software;telecommunication traffic;botnet traffic detection;computer network attacks;graphical user friendly interface;histograms;human perception;information visualization;invariant bot behavior visualization;knowledge discovery;network traffic;scatter plots;security monitoring tools;security personnel;Data visualization;Histograms;Monitoring;Personnel;Security;Telecommunication traffic;Visualization;Bot Behavior;Botnet Detection;Network Monitoring;Security;Visualization},
    doi={10.1109/ISTT.2012.6481606}
}

@misc{decker2009study,
    title={{A study of the Pushdo/Cutwail Botnet}},
    author={Decker, Alice and Sancho, David and Kharouni, Loucif and Goncharov, Max and McArdle, Robert},
    year={2009},
    url={http://www.techrepublic.com/whitepapers/pushdo-cutwail-a-study-of-the-pushdo-cutwail-botnet/1689473}
}

@misc{shevchenko2010domain,
    title={{Domain name generator for Murofet}},
    author={Shevchenko, Sergei},
    year={2010},
    url={http://blog.threatexpert.com/2010/10/domain-name-generator-for-murofet.html}
}

@misc{shevchenko2008srizbi,
    title={Srizbi domain generator calculator},
    author={Shevchenko, Sergei},
    year={2008},
    url={http://blog.threatexpert.com/2008/11/srizbis-domain-calculator.html}
}


% Security Reports
@misc{mcafee2013,
    title={{McAfee Threats Report: First Quarter 2013}},
    author={{McAfee Labs}},
    year={2013},
    url={http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2013.pdf}
}

@misc{enisa2013,
    title={{ENISA Threat Landscape, Mid-year 2013}},
    author={{ENISA}},
    year={2013}
}

@misc{enisa2012,
    title={{ENISA Threat Landscape, Responding to the Evolving Threat Environment}},
    author={{ENISA}},
    year={2012}
}

@misc{dell2013,
    title={{CryptLocker Ransomware}},
    author={{Keith Jarvis}},
    year={2013},
    url={http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/}
}

@misc{micro2011,
    title={{Sinkholing Botnets, A Trend Micro Technical Paper}},
    author={{David Sancho and Rainer Link}},
    year={2011},
    url={http://www.trendmicro.co.uk/media/misc/sinkholing-botnets-technical-paper-en.pdf}
}

@misc{damballa2012,
    title={{DGAs in the Hands of Cyber-Criminals, Examining The State Of The Art In Malware Evasion Techniques }},
    author={{Damballa}},
    year={2012},
    url={https://www.damballa.com/downloads/r_pubs/WP_DGAs-in-the-Hands-of-Cyber-Criminals.pdf}
}

@misc{xu2013,
    title={{Think You Know Fast-Flux Domains? Think Again}},
    author={{Wei Xu and Xinran Wang}},
    year={2013},
    url={https://media.blackhat.com/us-13/US-13-Xu-New-Trends-in-FastFlux-Networks-Slides.pdf}
}

% Papers on Clustering
@book{alpaydin2004introduction,
  title={Introduction to machine learning},
  author={Alpaydin, Ethem},
  year={2004},
  publisher={MIT press}
}

@article{hubert1976,
  title={Quadratic assignment as a general data analysis strategy},
  author={Hubert, Lawrence and Schultz, James},
  journal={British Journal of Mathematical and Statistical Psychology},
  volume={29},
  number={2},
  pages={190--241},
  year={1976},
  publisher={Wiley Online Library}
}

@article{lodhi2002,
    author = {Lodhi, Huma and Saunders, Craig and Shawe-Taylor, John and Cristianini, Nello and Watkins, Chris},
    title = {Text Classification Using String Kernels},
    journal = {J. Mach. Learn. Res.},
    issue_date = {3/1/2002},
    volume = {2},
    month = {March},
    year = {2002},
    issn = {1532-4435},
    pages = {419--444},
    numpages = {26},
    url = {http://dx.doi.org/10.1162/153244302760200687},
    doi = {10.1162/153244302760200687},
    acmid = {944799},
    publisher = {JMLR.org},
    keywords = {approximating kernels, kernels and support vector machines, string subsequence kernel, text classification},
}


@article{shafer2008,
    author = {Shafer, Glenn and Vovk, Vladimir},
    title = {A Tutorial on Conformal Prediction},
    journal = {J. Mach. Learn. Res.},
    issue_date = {6/1/2008},
    volume = {9},
    month = {June},
    year = {2008},
    issn = {1532-4435},
    pages = {371--421},
    numpages = {51},
    url = {http://dl.acm.org/citation.cfm?id=1390681.1390693},
    acmid = {1390693},
    publisher = {JMLR.org},
}

@article{chang2013,
    author = {Chang, Jian and Venkatasubramanian, Krishna K. and West, Andrew G. and Lee, Insup},
    title = {Analyzing and Defending Against Web-based Malware},
    journal = {ACM Comput. Surv.},
    issue_date = {August 2013},
    volume = {45},
    number = {4},
    month = aug,
    year = {2013},
    issn = {0360-0300},
    pages = {49:1--49:35},
    articleno = {49},
    numpages = {35},
    url = {http://doi.acm.org/10.1145/2501654.2501663},
    doi = {10.1145/2501654.2501663},
    acmid = {2501663},
    publisher = {ACM},
    address = {New York, NY, USA},
    keywords = {Web-based malware},
}

% RFCs
@misc{rfc1034,
    author="Paul V. Mockapetris",
    title="{Domain names - concepts and facilities}",
    series="Request for Comments",
    number="1034",
    howpublished="RFC 1034 (Internet standard)",
    publisher="IETF",
    organization="Internet Engineering Task Force",
    year=1987,
    month=nov,
    note="Updated by RFCs 1101, 1183, 1348, 1876, 1982, 2065, 2181, 2308, 2535, 4033, 4034, 4035, 4343, 4035, 4592, 5936",
    url="http://www.ietf.org/rfc/rfc1034.txt",
}

% DNS Replication
@inproceedings{weimer2005passive,
  title={Passive DNS replication},
  author={Weimer, Florian},
  booktitle={FIRST Conference on Computer Security Incident},
  year={2005}
}