{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2017:3OICCPPVVJW5JNYLCIOCJCAVOZ","short_pith_number":"pith:3OICCPPV","canonical_record":{"source":{"id":"1709.08395","kind":"arxiv","version":2},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-09-25T09:32:40Z","cross_cats_sorted":[],"title_canon_sha256":"4bcab107e0bd7cda9b9a3d444df55009a82639afaa64eea51f40af417aee6702","abstract_canon_sha256":"2646de4d2a88ebf1cf775632fdaf39b733929932888d7b598ad9a4c0f8cdec2b"},"schema_version":"1.0"},"canonical_sha256":"db90213df5aa6dd4b70b121c24881576500be13fce25c847e812febc2dfd122e","source":{"kind":"arxiv","id":"1709.08395","version":2},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1709.08395","created_at":"2026-05-18T00:13:05Z"},{"alias_kind":"arxiv_version","alias_value":"1709.08395v2","created_at":"2026-05-18T00:13:05Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1709.08395","created_at":"2026-05-18T00:13:05Z"},{"alias_kind":"pith_short_12","alias_value":"3OICCPPVVJW5","created_at":"2026-05-18T12:30:58Z"},{"alias_kind":"pith_short_16","alias_value":"3OICCPPVVJW5JNYL","created_at":"2026-05-18T12:30:58Z"},{"alias_kind":"pith_short_8","alias_value":"3OICCPPV","created_at":"2026-05-18T12:30:58Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2017:3OICCPPVVJW5JNYLCIOCJCAVOZ","target":"record","payload":{"canonical_record":{"source":{"id":"1709.08395","kind":"arxiv","version":2},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-09-25T09:32:40Z","cross_cats_sorted":[],"title_canon_sha256":"4bcab107e0bd7cda9b9a3d444df55009a82639afaa64eea51f40af417aee6702","abstract_canon_sha256":"2646de4d2a88ebf1cf775632fdaf39b733929932888d7b598ad9a4c0f8cdec2b"},"schema_version":"1.0"},"canonical_sha256":"db90213df5aa6dd4b70b121c24881576500be13fce25c847e812febc2dfd122e","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-18T00:13:05.228903Z","signature_b64":"71XAWYbEAvkoqYFsO5jpogOyXbQFRYmI4lMk3015cn4hal+42hKuKF9iU3e4L2EZR9e3Mn6E9X8lEpM+3gB9Bw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"db90213df5aa6dd4b70b121c24881576500be13fce25c847e812febc2dfd122e","last_reissued_at":"2026-05-18T00:13:05.228206Z","signature_status":"signed_v1","first_computed_at":"2026-05-18T00:13:05.228206Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"1709.08395","source_version":2,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T00:13:05Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"/6BMN+D+K/0mwCqyBkw3xkDByVrIeyqy40W8KbjoNl/lG/TQ3r/qux9ZRSvuxnw2Dsi7Oxv7OxNt9Z7C05qlCA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-10T22:34:09.462455Z"},"content_sha256":"49e72b1ff3c10dfb85cd2274e3d8f8d5961108e1f6092a4b0f25c2e470778037","schema_version":"1.0","event_id":"sha256:49e72b1ff3c10dfb85cd2274e3d8f8d5961108e1f6092a4b0f25c2e470778037"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2017:3OICCPPVVJW5JNYLCIOCJCAVOZ","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Asaf Nadler, Asaf Shabtai, Avi Aminov","submitted_at":"2017-09-25T09:32:40Z","abstract_excerpt":"In the presence of security countermeasures, a malware designed for data exfiltration must do so using a covert channel to achieve its goal. Among existing covert channels stands the domain name system (DNS) protocol. Although the detection of covert channels over the DNS has been thoroughly studied in the last decade, previous research dealt with a specific subclass of covert channels, namely DNS tunneling. While the importance of tunneling detection is not undermined, an entire class of low throughput DNS exfiltration malware remained overlooked. The goal of this study is to propose a method"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1709.08395","kind":"arxiv","version":2},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T00:13:05Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"v/HSZEKI7v0QctrPg6EOXyF6V6kEXrY2FHJanIcumgASiqSkreZCWh1kSIXTCYzCHug/VGIk2q3TEvH7lgzJBg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-10T22:34:09.463173Z"},"content_sha256":"47ca3f06765dd4f9181fe70d6a852f35f22ca4fe3bddc25c2b28207b53ff1d4d","schema_version":"1.0","event_id":"sha256:47ca3f06765dd4f9181fe70d6a852f35f22ca4fe3bddc25c2b28207b53ff1d4d"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/3OICCPPVVJW5JNYLCIOCJCAVOZ/bundle.json","state_url":"https://pith.science/pith/3OICCPPVVJW5JNYLCIOCJCAVOZ/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/3OICCPPVVJW5JNYLCIOCJCAVOZ/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-10T22:34:09Z","links":{"resolver":"https://pith.science/pith/3OICCPPVVJW5JNYLCIOCJCAVOZ","bundle":"https://pith.science/pith/3OICCPPVVJW5JNYLCIOCJCAVOZ/bundle.json","state":"https://pith.science/pith/3OICCPPVVJW5JNYLCIOCJCAVOZ/state.json","well_known_bundle":"https://pith.science/.well-known/pith/3OICCPPVVJW5JNYLCIOCJCAVOZ/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2017:3OICCPPVVJW5JNYLCIOCJCAVOZ","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"2646de4d2a88ebf1cf775632fdaf39b733929932888d7b598ad9a4c0f8cdec2b","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-09-25T09:32:40Z","title_canon_sha256":"4bcab107e0bd7cda9b9a3d444df55009a82639afaa64eea51f40af417aee6702"},"schema_version":"1.0","source":{"id":"1709.08395","kind":"arxiv","version":2}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1709.08395","created_at":"2026-05-18T00:13:05Z"},{"alias_kind":"arxiv_version","alias_value":"1709.08395v2","created_at":"2026-05-18T00:13:05Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1709.08395","created_at":"2026-05-18T00:13:05Z"},{"alias_kind":"pith_short_12","alias_value":"3OICCPPVVJW5","created_at":"2026-05-18T12:30:58Z"},{"alias_kind":"pith_short_16","alias_value":"3OICCPPVVJW5JNYL","created_at":"2026-05-18T12:30:58Z"},{"alias_kind":"pith_short_8","alias_value":"3OICCPPV","created_at":"2026-05-18T12:30:58Z"}],"graph_snapshots":[{"event_id":"sha256:47ca3f06765dd4f9181fe70d6a852f35f22ca4fe3bddc25c2b28207b53ff1d4d","target":"graph","created_at":"2026-05-18T00:13:05Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"In the presence of security countermeasures, a malware designed for data exfiltration must do so using a covert channel to achieve its goal. Among existing covert channels stands the domain name system (DNS) protocol. Although the detection of covert channels over the DNS has been thoroughly studied in the last decade, previous research dealt with a specific subclass of covert channels, namely DNS tunneling. While the importance of tunneling detection is not undermined, an entire class of low throughput DNS exfiltration malware remained overlooked. The goal of this study is to propose a method","authors_text":"Asaf Nadler, Asaf Shabtai, Avi Aminov","cross_cats":[],"headline":"","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-09-25T09:32:40Z","title":"Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1709.08395","kind":"arxiv","version":2},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:49e72b1ff3c10dfb85cd2274e3d8f8d5961108e1f6092a4b0f25c2e470778037","target":"record","created_at":"2026-05-18T00:13:05Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"2646de4d2a88ebf1cf775632fdaf39b733929932888d7b598ad9a4c0f8cdec2b","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-09-25T09:32:40Z","title_canon_sha256":"4bcab107e0bd7cda9b9a3d444df55009a82639afaa64eea51f40af417aee6702"},"schema_version":"1.0","source":{"id":"1709.08395","kind":"arxiv","version":2}},"canonical_sha256":"db90213df5aa6dd4b70b121c24881576500be13fce25c847e812febc2dfd122e","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"db90213df5aa6dd4b70b121c24881576500be13fce25c847e812febc2dfd122e","first_computed_at":"2026-05-18T00:13:05.228206Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-18T00:13:05.228206Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"71XAWYbEAvkoqYFsO5jpogOyXbQFRYmI4lMk3015cn4hal+42hKuKF9iU3e4L2EZR9e3Mn6E9X8lEpM+3gB9Bw==","signature_status":"signed_v1","signed_at":"2026-05-18T00:13:05.228903Z","signed_message":"canonical_sha256_bytes"},"source_id":"1709.08395","source_kind":"arxiv","source_version":2}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:49e72b1ff3c10dfb85cd2274e3d8f8d5961108e1f6092a4b0f25c2e470778037","sha256:47ca3f06765dd4f9181fe70d6a852f35f22ca4fe3bddc25c2b28207b53ff1d4d"],"state_sha256":"dfd49c2fa2d3a65e8f908d89835c8080cff73cea9da36b868a7ddefcefc7e054"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"GgwMeRZ8ueiwr7i0Y1l5f8KLTGLDY9PzcR/fHKEh/H/gWKEXAfUUmr9i9YmjSdZGqVOS0eg+aOVx+lON2MY+AQ==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-10T22:34:09.466973Z","bundle_sha256":"c5b51ca5e742b7ff1015524f41a3c35385e37bab1570464c87d077363a4facac"}}