Joint Detection of Malicious Domains and Infected Clients

Lukas Machlica; Paul Prasse; Rene Knaebel; Tobias Scheffer; Tomas Pevny

arxiv: 1906.09084 · v1 · pith:LCV245SGnew · submitted 2019-06-21 · 💻 cs.LG · cs.CR· stat.ML

Joint Detection of Malicious Domains and Infected Clients

Paul Prasse , Rene Knaebel , Lukas Machlica , Tomas Pevny , Tobias Scheffer This is my paper

Pith reviewed 2026-05-25 19:06 UTC · model grok-4.3

classification 💻 cs.LG cs.CRstat.ML

keywords malware detectionmalicious domainstransfer learningsluice networksHTTPS traffic analysisinfected clientsjoint detectionencrypted traffic

0 comments

The pith

Sluice networks couple the detection of infected clients and malicious domains to improve both from encrypted traffic data.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper investigates joint detection of malware-infected computers and malicious domains using only observable HTTPS features such as addresses, timestamps, and data volumes. The two tasks are linked because infected clients tend to contact malicious domains, so the authors apply sluice networks to enable transfer learning that lets each task bootstrap the other. Experiments on large-scale traffic show the joint model outperforms separate reference models while also surfacing previously unseen malware, malware families, and malicious domains. A reader would care because individual labeling of domains is expensive and encryption hides content, so mutual bootstrapping could scale detection without extra forensic effort.

Core claim

By modeling the two detection problems together with sluice networks, the approach lets information flow between the client-infection and domain-maliciousness tasks; this transfer learning yields higher accuracy on both and uncovers threats that had not been seen before in the training data.

What carries the argument

Sluice networks that perform transfer learning between the coupled client and domain detection tasks.

If this is right

The joint model detects previously unknown malware instances.
It identifies previously unknown malware families.
It flags previously unknown malicious domains.
It outperforms standard reference models on the same traffic features.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The coupling could reduce the need for expensive individual forensic labeling of domains.
Similar joint modeling might apply to other pairs of security tasks that share observable traffic patterns.
Real-world use would still require mechanisms to handle changes in attacker behavior over time.

Load-bearing premise

The assumption that infected clients tend to interact with malicious domains in a way that supplies useful shared signal for transfer learning.

What would settle it

A controlled experiment on the same traffic dataset in which separate models for each task match or exceed the joint sluice-network performance on detection of unknown malware and domains.

read the original abstract

Detection of malware-infected computers and detection of malicious web domains based on their encrypted HTTPS traffic are challenging problems, because only addresses, timestamps, and data volumes are observable. The detection problems are coupled, because infected clients tend to interact with malicious domains. Traffic data can be collected at a large scale, and antivirus tools can be used to identify infected clients in retrospect. Domains, by contrast, have to be labeled individually after forensic analysis. We explore transfer learning based on sluice networks; this allows the detection models to bootstrap each other. In a large-scale experimental study, we find that the model outperforms known reference models and detects previously unknown malware, previously unknown malware families, and previously unknown malicious domains.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

Sluice networks let the client and domain detection tasks bootstrap each other on HTTPS metadata, with reported gains over baselines and some ability to surface unknowns.

read the letter

The core move is to treat the two detection problems as coupled and apply sluice networks so that labels from one task help the other through shared layers. The abstract notes that client labels come cheaply from antivirus while domain labels require manual work, so the transfer setup directly addresses that imbalance. The large-scale study claims the joint model beats reference approaches and flags previously unseen malware families and domains from addresses, timestamps, and volumes alone. That is the actual new piece: a concrete multi-task transfer application to this particular pair of security tasks rather than a generic claim about sluice nets. The coupling assumption is plausible given how malware works, and nothing in the abstract suggests circular labeling or post-hoc fitting. The experimental claims line up with what a careful supervised study on real traffic would produce. One soft spot is that the abstract gives no numbers on precision-recall trade-offs, baseline details, or how the unknown cases were validated, so the practical size of the improvement is hard to judge without the tables. If the full paper shows clean temporal splits and no leakage between training and test domains, the results should stand. Minor concern only. This is useful reading for people who already work on encrypted-traffic detection or multi-task learning for security data. It is not a foundational methods paper but a solid applied case. It deserves peer review because the problem is well-motivated, the method is standard but appropriately chosen, and the claims are testable with the data they describe.

Referee Report

1 major / 2 minor

Summary. The paper proposes a sluice-network architecture for joint supervised detection of malware-infected clients and malicious domains from HTTPS metadata (addresses, timestamps, volumes). It exploits the statistical coupling between the tasks—infected clients disproportionately contact malicious domains—to enable mutual bootstrapping via transfer learning. A large-scale study is reported in which the joint model outperforms reference models and additionally surfaces previously unseen malware, malware families, and malicious domains.

Significance. If the experimental claims hold under proper controls, the work supplies a concrete, reproducible demonstration that multi-task transfer can mitigate label scarcity in one task (domain labeling) by leveraging the other (client labeling via AV). The setting is realistic for encrypted traffic and the coupling assumption is domain-plausible; successful transfer would be a useful data point for the broader literature on sluice networks and cybersecurity ML.

major comments (1)

The central experimental claim (outperformance plus detection of unknown threats) is stated only at the abstract level; no section, table, or figure supplies the train/test split protocol, the definition of “unknown,” the labeling procedure for domains, or the statistical significance tests against the reference models. Without these details the load-bearing result cannot be assessed.

minor comments (2)

Notation for the sluice-network layers and the precise form of the transfer loss should be introduced with an equation or diagram in §3 or §4.
The abstract refers to “known reference models” without naming them or citing the corresponding papers; this should be corrected in the introduction.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the detailed review and the recommendation for major revision. The single major comment identifies a clear need for greater transparency in the experimental protocol, which we will address directly in the revised manuscript.

read point-by-point responses

Referee: The central experimental claim (outperformance plus detection of unknown threats) is stated only at the abstract level; no section, table, or figure supplies the train/test split protocol, the definition of “unknown,” the labeling procedure for domains, or the statistical significance tests against the reference models. Without these details the load-bearing result cannot be assessed.

Authors: We agree that these methodological details must be presented explicitly and accessibly rather than being distributed across sections. In the revised manuscript we will add a dedicated subsection (new Section 4.3) that consolidates: (i) the train/test split protocol, which uses a strict temporal split with a one-week gap to prevent leakage; (ii) the precise definition of “unknown” (clients, domains, and malware families absent from the training set and labeled only via post-hoc AV or forensic reports); (iii) the domain labeling procedure (expert manual review supplemented by threat-intelligence feeds and WHOIS analysis); and (iv) the statistical tests (McNemar’s test with exact p-values and bootstrap confidence intervals on F1 and AUC). We will also insert a summary table (Table 2) and update the result figures with significance markers. These additions will make the central claims fully reproducible and assessable. revision: yes

Circularity Check

0 steps flagged

No significant circularity

full rationale

The paper presents an empirical multi-task learning study using sluice networks to jointly model coupled detection tasks (malicious domains and infected clients) from HTTPS metadata. The central claim rests on standard supervised training with transfer learning, evaluated via large-scale experiments that report outperformance on held-out data and discovery of unseen instances. No derivation chain, equations, or first-principles results are present that reduce to inputs by construction. The coupling assumption is an explicit modeling choice justified by domain knowledge rather than a self-referential definition or fitted parameter renamed as prediction. No load-bearing self-citations or uniqueness theorems are invoked. The work is self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only; no explicit free parameters, axioms, or invented entities described. Standard neural network hyperparameters would typically serve as free parameters in such models.

pith-pipeline@v0.9.0 · 5654 in / 1030 out tokens · 49159 ms · 2026-05-25T19:06:13.922993+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

45 extracted references · 45 canonical work pages · 5 internal anchors

[1]

Mart\' n Abadi, Ashish Agarwal, Paul Barham, Eugene Brevdo, Zhifeng Chen, Craig Citro, Greg S. Corrado, Andy Davis, Jeffrey Dean, Matthieu Devin, Sanjay Ghemawat, Ian Goodfellow, Andrew Harp, Geoffrey Irving, Michael Isard, Yangqing Jia, Rafal Jozefowicz, Lukasz Kaiser, Manjunath Kudlur, Josh Levenberg, Dandelion Man\' e , Rajat Monga, Sherry Moore, Derek...

work page 2015
[2]

Graph-based malware detection using dynamic analysis

Blake Anderson, Daniel Quist, Joshua Neil, Curtis Storlie, and Terran Lane. Graph-based malware detection using dynamic analysis. Journal of Computer Virology, 7 0 (4): 0 247--258, 2011

work page 2011
[3]

Multi-task feature learning

Andreas Argyriou, Theodoros Evgeniou, and Massimiliano Pontil. Multi-task feature learning. In B. Sch\" o lkopf, J. C. Platt, and T. Hoffman, editors, Advances in Neural Information Processing Systems 19, pages 41--48. MIT Press, 2007. URL http://papers.nips.cc/paper/3143-multi-task-feature-learning.pdf

work page 2007
[4]

Malware detection using network traffic analysis in android based mobile devices

Anshul Arora, Shree Garg, and Sateesh K Peddoju. Malware detection using network traffic analysis in android based mobile devices. In International Conference on Next Generation Mobile Apps, Services and Technologies, pages 66--71, 2014

work page 2014
[5]

Robust representation for domain adaptation in network security

Karel Bartos and Michal Sofka. Robust representation for domain adaptation in network security. In European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, pages 116--132. Springer, 2015

work page 2015
[6]

Optimized invariant representation of network traffic for detecting unseen malware variants

Karel Bartos, Michal Sofka, and Vojtech Franc. Optimized invariant representation of network traffic for detecting unseen malware variants. In USENIX Security Symposium, pages 807--822, 2016

work page 2016
[7]

A bayesian/information theoretic model of learning to learn via multiple task sampling

Jonathan Baxter. A bayesian/information theoretic model of learning to learn via multiple task sampling. Machine Learning, 28 0 (1): 0 7--39, 1997

work page 1997
[8]

Multi-task learning for hiv therapy screening

Steffen Bickel, Jasmina Bogojeska, Thomas Lengauer, and Tobias Scheffer. Multi-task learning for hiv therapy screening. In Proceedings of the International Conference on Machine learning, pages 56--63. ACM, 2008

work page 2008
[9]

Transparent proxy server, January 30 2001

Scott B Blum and Jonathan Lueker. Transparent proxy server, January 30 2001. US Patent 6,182,141

work page 2001
[10]

R. Caruana. Multitask learning: A knowledge-based source of inductive bias. In Proceedings of the International Conference on Machine Learning, 1993

work page 1993
[11]

Fran c ois Chollet et al. Keras. https://keras.io, 2015

work page 2015
[12]

Traffic classification through simple statistical fingerprinting

Manuel Crotti, Maurizio Dusi, Francesco Gringoli, and Luca Salgarelli. Traffic classification through simple statistical fingerprinting. ACM SIGCOMM Computer Communication Review, 37 0 (1): 0 5--16, 2007

work page 2007
[13]

Demontis, M

A. Demontis, M. Melis, B. Biggio, D. Maiorca, D. Arp, K. Rieck, I. Corona, G. Giacinto, and F. Roli. Yes, machine learning can be more secure! a case study on android malware detection. IEEE Transactions on Dependable and Secure Computing, pages 1--1, 2018. ISSN 1545-5971. doi:10.1109/TDSC.2017.2700270

work page doi:10.1109/tdsc.2017.2700270 2018
[14]

A neural network model for low-resource universal dependency parsing

Long Duong, Trevor Cohn, Steven Bird, and Paul Cook. A neural network model for low-resource universal dependency parsing. In Proceedings of the Conference on Empirical Methods in Natural Language Processing, pages 339--348, 2015

work page 2015
[15]

Tunnel hunter: Detecting application-layer tunnels with statistical fingerprinting

Maurizio Dusi, Manuel Crotti, Francesco Gringoli, and Luca Salgarelli. Tunnel hunter: Detecting application-layer tunnels with statistical fingerprinting. Computer Networks, 53 0 (1): 0 81--97, 2009

work page 2009
[16]

Learning multiple tasks with kernel methods

Theodoros Evgeniou, Charles A Micchelli, and Massimiliano Pontil. Learning multiple tasks with kernel methods. Journal of Machine Learning Research, 6 0 (Apr): 0 615--637, 2005

work page 2005
[17]

Hierarchical bayesian domain adaptation

Jenny Rose Finkel and Christopher D Manning. Hierarchical bayesian domain adaptation. In Proceedings of ACL Human Language Technologies, pages 602--610, 2009

work page 2009
[18]

Half the web is now encrypted

Klint Finley. Half the web is now encrypted. T hat makes everyone safer. Wired, Jan 2017. URL https://www.wired.com/2017/01/half-web-now-encrypted-makes-everyone-safer/

work page 2017
[19]

Learning detector of malicious network traffic from weak labels

Vojtech Franc, Michal Sofka, and Karel Bartos. Learning detector of malicious network traffic from weak labels. In Albert Bifet, Michael May, Bianca Zadrozny, Ricard Gavalda, Dino Pedreschi, Francesco Bonchi, Jaime Cardoso, and Myra Spiliopoulou, editors, Machine Learning and Knowledge Discovery in Databases, pages 85--99. Springer International Publishin...

work page 2015
[20]

Domain-adversarial training of neural networks

Yaroslav Ganin, Evgeniya Ustinova, Hana Ajakan, Pascal Germain, Hugo Larochelle, Fran c ois Laviolette, Mario Marchand, and Victor Lempitsky. Domain-adversarial training of neural networks. Journal of Machine Learning Research, 17 0 (59): 0 1--35, 2016

work page 2016
[21]

Convolutional Sequence to Sequence Learning

Jonas Gehring, Michael Auli, David Grangier, Denis Yarats, and Yann N Dauphin. Convolutional sequence to sequence learning. arXiv preprint arXiv:1705.03122, 2017

work page internal anchor Pith review Pith/arXiv arXiv 2017
[22]

Malware phylogeny generation using permutations of code

Md Enamul Karim, Andrew Walenstein, Arun Lakhotia, and Laxmi Parida. Malware phylogeny generation using permutations of code. Journal in Computer Virology, 1 0 (1-2): 0 13--23, 2005

work page 2005
[23]

R. Kogan. Bedep trojan malware spread by the angler exploit kit gets political. Spider Labs Blog, April 2015. https://www.trustwave.com/Resources/SpiderLabs-Blog/Bedep-trojan-malware-spread-by-the-Angler-exploit-kit-gets-political/

work page 2015
[24]

Automatic discovery of web servers hosting similar applications

Jan Kohout and Tomas Pevny. Automatic discovery of web servers hosting similar applications. In Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, 2015 a

work page 2015
[25]

Unsupervised detection of malware in persistent web traffic

Jan Kohout and Tomas Pevny. Unsupervised detection of malware in persistent web traffic. In Proceedings of the IEEE International Conference on Acoustics, Speech and Signal Processing, 2015 b

work page 2015
[26]

Lashkari, A

A. Lashkari, A. Kadir, H. Gonzalez, K. Mbah, and A. Ghorbani. Towards a network-based framework for android malware detection and characterization. In Proceedings International Conference on Privacy, Security, and Trust, 2015

work page 2015
[27]

Hyperband: A Novel Bandit-Based Approach to Hyperparameter Optimization

Lisha Li, Kevin G. Jamieson, Giulia DeSalvo, Afshin Rostamizadeh, and Ameet Talwalkar. Efficient hyperparameter optimization and infinitely many armed bandits. CoRR, abs/1603.06560, 2016. URL http://arxiv.org/abs/1603.06560

work page internal anchor Pith review Pith/arXiv arXiv 2016
[28]

k-nn classification of malware in https traffic using the metric space approach

Jakub Loko c , Jan Kohout, P r emysl C ech, Tom \'a s Skopal, and Tom \'a s Pevn \'y . k-nn classification of malware in https traffic using the metric space approach. In Michael Chau, G. Alan Wang, and Hsinchun Chen, editors, Intelligence and Security Informatics, pages 131--145. Springer International Publishing, Cham, 2016. ISBN 978-3-319-31863-9

work page 2016
[29]

Learning Multiple Tasks with Multilinear Relationship Networks

Mingsheng Long and Jianmin Wang. Learning multiple tasks with deep relationship networks. In arXiv:1506.02117, 2015

work page internal anchor Pith review Pith/arXiv arXiv 2015
[30]

Malik and R

J. Malik and R. Kaushal. CREDROID : Android malware detection by network traffic analysis. In Proceedings of the First ACM Workshop on Privacy-Aware Mobile Computing, pages 28--36. ACM, 2016

work page 2016
[31]

Distributed representations of words and phrases and their compositionality

Tomas Mikolov, Ilya Sutskever, Kai Chen, Greg S Corrado, and Jeff Dean. Distributed representations of words and phrases and their compositionality. In C. J. C. Burges, L. Bottou, M. Welling, Z. Ghahramani, and K. Q. Weinberger, editors, Advances in Neural Information Processing Systems 26, pages 3111--3119. Curran Associates, Inc., 2013. URL http://paper...

work page 2013
[32]

Cross-stitch networks for multi-task learning

Ishan Misra, Abhinav Shrivastava, Abhinav Gupta, and Martial Hebert. Cross-stitch networks for multi-task learning. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 3994--4003, 2016

work page 2016
[33]

Execscent: Mining for new C&C domains in live networks with adaptive control protocol templates

Terry Nelms, Roberto Perdisci, and Mustaque Ahamad. Execscent: Mining for new C&C domains in live networks with adaptive control protocol templates. In Proceedings of the USENIX Security Symposium, 2013

work page 2013
[34]

Nguyen and G

T. Nguyen and G. Armitage. A survey of techniques for internet traffic classification using machine learning. IEEE Communications Surveys, Tutorials, 10 0 (4): 0 56--76, 2008

work page 2008
[35]

Malware classification with recurrent networks

Razvan Pascanu, Jack W Stokes, Hermineh Sanossian, Mady Marinescu, and Anil Thomas. Malware classification with recurrent networks. In Proceedings of the IEEE International Conference on Acoustics, Speech and Signal Processing, pages 1916--1920. IEEE, 2015

work page 1916
[36]

Pedregosa, G

F. Pedregosa, G. Varoquaux, A. Gramfort, V. Michel, B. Thirion, O. Grisel, M. Blondel, P. Prettenhofer, R. Weiss, V. Dubourg, J. Vanderplas, A. Passos, D. Cournapeau, M. Brucher, M. Perrot, and E. Duchesnay. Scikit-learn: Machine learning in P ython. Journal of Machine Learning Research, 12: 0 2825--2830, 2011

work page 2011
[37]

Pevny and P

T. Pevny and P. Somol. Discriminative models for multi-instance problems with tree structure. In Proceedings of the International Workshop on Artificial Intelligence for Computer Security, 2016

work page 2016
[38]

Prasse, L

P. Prasse, L. Machlica, T. Pevn\' y , J. Havelka, and T. Scheffer. Malware detection by analysing network traffic with neural networks. In Proceedings of the European Conference on Machine Learning, 2017

work page 2017
[39]

Latent Multi-task Architecture Learning

S. Ruder, J. Bingel, I. Augenstein, and A. S gaard. Sluice networks: learning what to share between loosely related tasks. arXiv:1705.08142v1 [stat.ML], 2017

work page internal anchor Pith review Pith/arXiv arXiv 2017
[40]

One packer to rule them all: Empirical identification, comparison and circumvention of current antivirus detection techniques

Arne Swinnen and Alaeddine Mesbahi. One packer to rule them all: Empirical identification, comparison and circumvention of current antivirus detection techniques. BlackHat USA, 2014. URL https://www.blackhat.com/docs/us-14/materials/us-14-Mesbahi-One-Packer-To-Rule-Them-All-WP.pdf

work page 2014
[41]

Wright, Fabian Monrose, and Gerald M

Charles V. Wright, Fabian Monrose, and Gerald M. Masson. On inferring application protocol behaviors in encrypted network traffic. Journal of Machine Learning Research, 7: 0 2745--2769, 2006

work page 2006
[42]

Trace Norm Regularised Deep Multi-Task Learning

Yongxin Yang and Timothy M Hospedales. Trace norm regularised deep multi-task learning. arXiv:1606.04038, 2016

work page internal anchor Pith review Pith/arXiv arXiv 2016
[43]

@esa (Ref

\@ifxundefined[1] #1\@undefined \@firstoftwo \@secondoftwo \@ifnum[1] #1 \@firstoftwo \@secondoftwo \@ifx[1] #1 \@firstoftwo \@secondoftwo [2] @ #1 \@temptokena #2 #1 @ \@temptokena \@ifclassloaded agu2001 natbib The agu2001 class already includes natbib coding, so you should not add it explicitly Type <Return> for now, but then later remove the command n...

work page
[44]

\@lbibitem[] @bibitem@first@sw\@secondoftwo \@lbibitem[#1]#2 \@extra@b@citeb \@ifundefined br@#2\@extra@b@citeb \@namedef br@#2 \@nameuse br@#2\@extra@b@citeb \@ifundefined b@#2\@extra@b@citeb @num @parse #2 @tmp #1 NAT@b@open@#2 NAT@b@shut@#2 \@ifnum @merge>\@ne @bibitem@first@sw \@firstoftwo \@ifundefined NAT@b*@#2 \@firstoftwo @num @NAT@ctr \@secondoft...

work page
[45]

b &C .' T #'s|)\- ? T] 9Յeo 7 2 Bg .(x c@FR+ . 'q k] C quX rg 'JL

@open @close @open @close and [1] URL: #1 \@ifundefined chapter * \@mkboth \@ifxundefined @sectionbib * \@mkboth * \@mkboth\@gobbletwo \@ifclassloaded amsart * \@ifclassloaded amsbook * \@ifxundefined @heading @heading NAT@ctr thebibliography [1] @ \@biblabel @NAT@ctr \@bibsetup #1 @NAT@ctr @ @openbib .11em \@plus.33em \@minus.07em 4000 4000 `\.\@m @bibit...

work page 2009

[1] [1]

Mart\' n Abadi, Ashish Agarwal, Paul Barham, Eugene Brevdo, Zhifeng Chen, Craig Citro, Greg S. Corrado, Andy Davis, Jeffrey Dean, Matthieu Devin, Sanjay Ghemawat, Ian Goodfellow, Andrew Harp, Geoffrey Irving, Michael Isard, Yangqing Jia, Rafal Jozefowicz, Lukasz Kaiser, Manjunath Kudlur, Josh Levenberg, Dandelion Man\' e , Rajat Monga, Sherry Moore, Derek...

work page 2015

[2] [2]

Graph-based malware detection using dynamic analysis

Blake Anderson, Daniel Quist, Joshua Neil, Curtis Storlie, and Terran Lane. Graph-based malware detection using dynamic analysis. Journal of Computer Virology, 7 0 (4): 0 247--258, 2011

work page 2011

[3] [3]

Multi-task feature learning

Andreas Argyriou, Theodoros Evgeniou, and Massimiliano Pontil. Multi-task feature learning. In B. Sch\" o lkopf, J. C. Platt, and T. Hoffman, editors, Advances in Neural Information Processing Systems 19, pages 41--48. MIT Press, 2007. URL http://papers.nips.cc/paper/3143-multi-task-feature-learning.pdf

work page 2007

[4] [4]

Malware detection using network traffic analysis in android based mobile devices

Anshul Arora, Shree Garg, and Sateesh K Peddoju. Malware detection using network traffic analysis in android based mobile devices. In International Conference on Next Generation Mobile Apps, Services and Technologies, pages 66--71, 2014

work page 2014

[5] [5]

Robust representation for domain adaptation in network security

Karel Bartos and Michal Sofka. Robust representation for domain adaptation in network security. In European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, pages 116--132. Springer, 2015

work page 2015

[6] [6]

Optimized invariant representation of network traffic for detecting unseen malware variants

Karel Bartos, Michal Sofka, and Vojtech Franc. Optimized invariant representation of network traffic for detecting unseen malware variants. In USENIX Security Symposium, pages 807--822, 2016

work page 2016

[7] [7]

A bayesian/information theoretic model of learning to learn via multiple task sampling

Jonathan Baxter. A bayesian/information theoretic model of learning to learn via multiple task sampling. Machine Learning, 28 0 (1): 0 7--39, 1997

work page 1997

[8] [8]

Multi-task learning for hiv therapy screening

Steffen Bickel, Jasmina Bogojeska, Thomas Lengauer, and Tobias Scheffer. Multi-task learning for hiv therapy screening. In Proceedings of the International Conference on Machine learning, pages 56--63. ACM, 2008

work page 2008

[9] [9]

Transparent proxy server, January 30 2001

Scott B Blum and Jonathan Lueker. Transparent proxy server, January 30 2001. US Patent 6,182,141

work page 2001

[10] [10]

R. Caruana. Multitask learning: A knowledge-based source of inductive bias. In Proceedings of the International Conference on Machine Learning, 1993

work page 1993

[11] [11]

Fran c ois Chollet et al. Keras. https://keras.io, 2015

work page 2015

[12] [12]

Traffic classification through simple statistical fingerprinting

Manuel Crotti, Maurizio Dusi, Francesco Gringoli, and Luca Salgarelli. Traffic classification through simple statistical fingerprinting. ACM SIGCOMM Computer Communication Review, 37 0 (1): 0 5--16, 2007

work page 2007

[13] [13]

Demontis, M

A. Demontis, M. Melis, B. Biggio, D. Maiorca, D. Arp, K. Rieck, I. Corona, G. Giacinto, and F. Roli. Yes, machine learning can be more secure! a case study on android malware detection. IEEE Transactions on Dependable and Secure Computing, pages 1--1, 2018. ISSN 1545-5971. doi:10.1109/TDSC.2017.2700270

work page doi:10.1109/tdsc.2017.2700270 2018

[14] [14]

A neural network model for low-resource universal dependency parsing

Long Duong, Trevor Cohn, Steven Bird, and Paul Cook. A neural network model for low-resource universal dependency parsing. In Proceedings of the Conference on Empirical Methods in Natural Language Processing, pages 339--348, 2015

work page 2015

[15] [15]

Tunnel hunter: Detecting application-layer tunnels with statistical fingerprinting

Maurizio Dusi, Manuel Crotti, Francesco Gringoli, and Luca Salgarelli. Tunnel hunter: Detecting application-layer tunnels with statistical fingerprinting. Computer Networks, 53 0 (1): 0 81--97, 2009

work page 2009

[16] [16]

Learning multiple tasks with kernel methods

Theodoros Evgeniou, Charles A Micchelli, and Massimiliano Pontil. Learning multiple tasks with kernel methods. Journal of Machine Learning Research, 6 0 (Apr): 0 615--637, 2005

work page 2005

[17] [17]

Hierarchical bayesian domain adaptation

Jenny Rose Finkel and Christopher D Manning. Hierarchical bayesian domain adaptation. In Proceedings of ACL Human Language Technologies, pages 602--610, 2009

work page 2009

[18] [18]

Half the web is now encrypted

Klint Finley. Half the web is now encrypted. T hat makes everyone safer. Wired, Jan 2017. URL https://www.wired.com/2017/01/half-web-now-encrypted-makes-everyone-safer/

work page 2017

[19] [19]

Learning detector of malicious network traffic from weak labels

Vojtech Franc, Michal Sofka, and Karel Bartos. Learning detector of malicious network traffic from weak labels. In Albert Bifet, Michael May, Bianca Zadrozny, Ricard Gavalda, Dino Pedreschi, Francesco Bonchi, Jaime Cardoso, and Myra Spiliopoulou, editors, Machine Learning and Knowledge Discovery in Databases, pages 85--99. Springer International Publishin...

work page 2015

[20] [20]

Domain-adversarial training of neural networks

Yaroslav Ganin, Evgeniya Ustinova, Hana Ajakan, Pascal Germain, Hugo Larochelle, Fran c ois Laviolette, Mario Marchand, and Victor Lempitsky. Domain-adversarial training of neural networks. Journal of Machine Learning Research, 17 0 (59): 0 1--35, 2016

work page 2016

[21] [21]

Convolutional Sequence to Sequence Learning

Jonas Gehring, Michael Auli, David Grangier, Denis Yarats, and Yann N Dauphin. Convolutional sequence to sequence learning. arXiv preprint arXiv:1705.03122, 2017

work page internal anchor Pith review Pith/arXiv arXiv 2017

[22] [22]

Malware phylogeny generation using permutations of code

Md Enamul Karim, Andrew Walenstein, Arun Lakhotia, and Laxmi Parida. Malware phylogeny generation using permutations of code. Journal in Computer Virology, 1 0 (1-2): 0 13--23, 2005

work page 2005

[23] [23]

R. Kogan. Bedep trojan malware spread by the angler exploit kit gets political. Spider Labs Blog, April 2015. https://www.trustwave.com/Resources/SpiderLabs-Blog/Bedep-trojan-malware-spread-by-the-Angler-exploit-kit-gets-political/

work page 2015

[24] [24]

Automatic discovery of web servers hosting similar applications

Jan Kohout and Tomas Pevny. Automatic discovery of web servers hosting similar applications. In Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management, 2015 a

work page 2015

[25] [25]

Unsupervised detection of malware in persistent web traffic

Jan Kohout and Tomas Pevny. Unsupervised detection of malware in persistent web traffic. In Proceedings of the IEEE International Conference on Acoustics, Speech and Signal Processing, 2015 b

work page 2015

[26] [26]

Lashkari, A

A. Lashkari, A. Kadir, H. Gonzalez, K. Mbah, and A. Ghorbani. Towards a network-based framework for android malware detection and characterization. In Proceedings International Conference on Privacy, Security, and Trust, 2015

work page 2015

[27] [27]

Hyperband: A Novel Bandit-Based Approach to Hyperparameter Optimization

Lisha Li, Kevin G. Jamieson, Giulia DeSalvo, Afshin Rostamizadeh, and Ameet Talwalkar. Efficient hyperparameter optimization and infinitely many armed bandits. CoRR, abs/1603.06560, 2016. URL http://arxiv.org/abs/1603.06560

work page internal anchor Pith review Pith/arXiv arXiv 2016

[28] [28]

k-nn classification of malware in https traffic using the metric space approach

Jakub Loko c , Jan Kohout, P r emysl C ech, Tom \'a s Skopal, and Tom \'a s Pevn \'y . k-nn classification of malware in https traffic using the metric space approach. In Michael Chau, G. Alan Wang, and Hsinchun Chen, editors, Intelligence and Security Informatics, pages 131--145. Springer International Publishing, Cham, 2016. ISBN 978-3-319-31863-9

work page 2016

[29] [29]

Learning Multiple Tasks with Multilinear Relationship Networks

Mingsheng Long and Jianmin Wang. Learning multiple tasks with deep relationship networks. In arXiv:1506.02117, 2015

work page internal anchor Pith review Pith/arXiv arXiv 2015

[30] [30]

Malik and R

J. Malik and R. Kaushal. CREDROID : Android malware detection by network traffic analysis. In Proceedings of the First ACM Workshop on Privacy-Aware Mobile Computing, pages 28--36. ACM, 2016

work page 2016

[31] [31]

Distributed representations of words and phrases and their compositionality

Tomas Mikolov, Ilya Sutskever, Kai Chen, Greg S Corrado, and Jeff Dean. Distributed representations of words and phrases and their compositionality. In C. J. C. Burges, L. Bottou, M. Welling, Z. Ghahramani, and K. Q. Weinberger, editors, Advances in Neural Information Processing Systems 26, pages 3111--3119. Curran Associates, Inc., 2013. URL http://paper...

work page 2013

[32] [32]

Cross-stitch networks for multi-task learning

Ishan Misra, Abhinav Shrivastava, Abhinav Gupta, and Martial Hebert. Cross-stitch networks for multi-task learning. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pages 3994--4003, 2016

work page 2016

[33] [33]

Execscent: Mining for new C&C domains in live networks with adaptive control protocol templates

Terry Nelms, Roberto Perdisci, and Mustaque Ahamad. Execscent: Mining for new C&C domains in live networks with adaptive control protocol templates. In Proceedings of the USENIX Security Symposium, 2013

work page 2013

[34] [34]

Nguyen and G

T. Nguyen and G. Armitage. A survey of techniques for internet traffic classification using machine learning. IEEE Communications Surveys, Tutorials, 10 0 (4): 0 56--76, 2008

work page 2008

[35] [35]

Malware classification with recurrent networks

Razvan Pascanu, Jack W Stokes, Hermineh Sanossian, Mady Marinescu, and Anil Thomas. Malware classification with recurrent networks. In Proceedings of the IEEE International Conference on Acoustics, Speech and Signal Processing, pages 1916--1920. IEEE, 2015

work page 1916

[36] [36]

Pedregosa, G

F. Pedregosa, G. Varoquaux, A. Gramfort, V. Michel, B. Thirion, O. Grisel, M. Blondel, P. Prettenhofer, R. Weiss, V. Dubourg, J. Vanderplas, A. Passos, D. Cournapeau, M. Brucher, M. Perrot, and E. Duchesnay. Scikit-learn: Machine learning in P ython. Journal of Machine Learning Research, 12: 0 2825--2830, 2011

work page 2011

[37] [37]

Pevny and P

T. Pevny and P. Somol. Discriminative models for multi-instance problems with tree structure. In Proceedings of the International Workshop on Artificial Intelligence for Computer Security, 2016

work page 2016

[38] [38]

Prasse, L

P. Prasse, L. Machlica, T. Pevn\' y , J. Havelka, and T. Scheffer. Malware detection by analysing network traffic with neural networks. In Proceedings of the European Conference on Machine Learning, 2017

work page 2017

[39] [39]

Latent Multi-task Architecture Learning

S. Ruder, J. Bingel, I. Augenstein, and A. S gaard. Sluice networks: learning what to share between loosely related tasks. arXiv:1705.08142v1 [stat.ML], 2017

work page internal anchor Pith review Pith/arXiv arXiv 2017

[40] [40]

One packer to rule them all: Empirical identification, comparison and circumvention of current antivirus detection techniques

Arne Swinnen and Alaeddine Mesbahi. One packer to rule them all: Empirical identification, comparison and circumvention of current antivirus detection techniques. BlackHat USA, 2014. URL https://www.blackhat.com/docs/us-14/materials/us-14-Mesbahi-One-Packer-To-Rule-Them-All-WP.pdf

work page 2014

[41] [41]

Wright, Fabian Monrose, and Gerald M

Charles V. Wright, Fabian Monrose, and Gerald M. Masson. On inferring application protocol behaviors in encrypted network traffic. Journal of Machine Learning Research, 7: 0 2745--2769, 2006

work page 2006

[42] [42]

Trace Norm Regularised Deep Multi-Task Learning

Yongxin Yang and Timothy M Hospedales. Trace norm regularised deep multi-task learning. arXiv:1606.04038, 2016

work page internal anchor Pith review Pith/arXiv arXiv 2016

[43] [43]

@esa (Ref

\@ifxundefined[1] #1\@undefined \@firstoftwo \@secondoftwo \@ifnum[1] #1 \@firstoftwo \@secondoftwo \@ifx[1] #1 \@firstoftwo \@secondoftwo [2] @ #1 \@temptokena #2 #1 @ \@temptokena \@ifclassloaded agu2001 natbib The agu2001 class already includes natbib coding, so you should not add it explicitly Type <Return> for now, but then later remove the command n...

work page

[44] [44]

\@lbibitem[] @bibitem@first@sw\@secondoftwo \@lbibitem[#1]#2 \@extra@b@citeb \@ifundefined br@#2\@extra@b@citeb \@namedef br@#2 \@nameuse br@#2\@extra@b@citeb \@ifundefined b@#2\@extra@b@citeb @num @parse #2 @tmp #1 NAT@b@open@#2 NAT@b@shut@#2 \@ifnum @merge>\@ne @bibitem@first@sw \@firstoftwo \@ifundefined NAT@b*@#2 \@firstoftwo @num @NAT@ctr \@secondoft...

work page

[45] [45]

b &C .' T #'s|)\- ? T] 9Յeo 7 2 Bg .(x c@FR+ . 'q k] C quX rg 'JL

@open @close @open @close and [1] URL: #1 \@ifundefined chapter * \@mkboth \@ifxundefined @sectionbib * \@mkboth * \@mkboth\@gobbletwo \@ifclassloaded amsart * \@ifclassloaded amsbook * \@ifxundefined @heading @heading NAT@ctr thebibliography [1] @ \@biblabel @NAT@ctr \@bibsetup #1 @NAT@ctr @ @openbib .11em \@plus.33em \@minus.07em 4000 4000 `\.\@m @bibit...

work page 2009