{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2017:4H32DHHCSBNCCYIVHUE23L3PKS","short_pith_number":"pith:4H32DHHC","canonical_record":{"source":{"id":"1709.06363","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-09-19T11:52:02Z","cross_cats_sorted":[],"title_canon_sha256":"44e620af0ed390ad96ee362b2e8904e87865e39695120f14baf053c5429691ef","abstract_canon_sha256":"5ae04b5a8f07217a9c83af5b1a92b2d6d7715a2172e873f6738bf20f6c2dc682"},"schema_version":"1.0"},"canonical_sha256":"e1f7a19ce2905a2161153d09adaf6f549d606f06c885b9e56111cb7f09ecbeaf","source":{"kind":"arxiv","id":"1709.06363","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1709.06363","created_at":"2026-05-18T00:34:53Z"},{"alias_kind":"arxiv_version","alias_value":"1709.06363v1","created_at":"2026-05-18T00:34:53Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1709.06363","created_at":"2026-05-18T00:34:53Z"},{"alias_kind":"pith_short_12","alias_value":"4H32DHHCSBNC","created_at":"2026-05-18T12:30:58Z"},{"alias_kind":"pith_short_16","alias_value":"4H32DHHCSBNCCYIV","created_at":"2026-05-18T12:30:58Z"},{"alias_kind":"pith_short_8","alias_value":"4H32DHHC","created_at":"2026-05-18T12:30:58Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2017:4H32DHHCSBNCCYIVHUE23L3PKS","target":"record","payload":{"canonical_record":{"source":{"id":"1709.06363","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-09-19T11:52:02Z","cross_cats_sorted":[],"title_canon_sha256":"44e620af0ed390ad96ee362b2e8904e87865e39695120f14baf053c5429691ef","abstract_canon_sha256":"5ae04b5a8f07217a9c83af5b1a92b2d6d7715a2172e873f6738bf20f6c2dc682"},"schema_version":"1.0"},"canonical_sha256":"e1f7a19ce2905a2161153d09adaf6f549d606f06c885b9e56111cb7f09ecbeaf","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-18T00:34:53.432403Z","signature_b64":"kEMy7lBwKURQVK87WTx9OU0n4184imNXXsuIa6CBhOtS64CMPdtDgwjYVTUNpyLIgaZCB83TlaMy22cegMs9BQ==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"e1f7a19ce2905a2161153d09adaf6f549d606f06c885b9e56111cb7f09ecbeaf","last_reissued_at":"2026-05-18T00:34:53.431648Z","signature_status":"signed_v1","first_computed_at":"2026-05-18T00:34:53.431648Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"1709.06363","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T00:34:53Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"CbY+r8YSO2f6DEqfp5vQc1FHcr6x/yLGbYRR6jjgH+52GnRD2VQmIcoDe7p0hvFvP3RiGlpu2lgnQkxGVwIUDg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-24T03:54:31.353971Z"},"content_sha256":"a637302f186384a0f0bf516f7b7bde5bfc71228ba542c5118da22b771b430211","schema_version":"1.0","event_id":"sha256:a637302f186384a0f0bf516f7b7bde5bfc71228ba542c5118da22b771b430211"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2017:4H32DHHCSBNCCYIVHUE23L3PKS","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Entropy-based Prediction of Network Protocols in the Forensic Analysis of DNS Tunnels","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Irvin Homem, Panagiotis Papapetrou, Spyridon Dosis","submitted_at":"2017-09-19T11:52:02Z","abstract_excerpt":"DNS tunneling techniques are often used for malicious purposes but network security mechanisms have struggled to detect these. Network forensic analysis has thus been used but has proved slow and effort intensive as Network Forensics Analysis Tools struggle to deal with undocumented or new network tunneling techniques. In this paper we present a method to aid forensic analysis through automating the inference of protocols tunneled within DNS tunneling techniques. We analyze the internal packet structure of DNS tunneling techniques and characterize the information entropy of different network p"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1709.06363","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-18T00:34:53Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"Ps+j9UmTtgCcgEvTSzIltLrfGH+q48We6AoFxHtq950A/CFGGgL+VVnexgENx0StFpYHMNi1RRrLwMViokIkCg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-06-24T03:54:31.354308Z"},"content_sha256":"5255742de6dd4dbfd56fc4716becca1f185c3e5539c7f82c0c0095bb4dbf9db0","schema_version":"1.0","event_id":"sha256:5255742de6dd4dbfd56fc4716becca1f185c3e5539c7f82c0c0095bb4dbf9db0"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/4H32DHHCSBNCCYIVHUE23L3PKS/bundle.json","state_url":"https://pith.science/pith/4H32DHHCSBNCCYIVHUE23L3PKS/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/4H32DHHCSBNCCYIVHUE23L3PKS/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-06-24T03:54:31Z","links":{"resolver":"https://pith.science/pith/4H32DHHCSBNCCYIVHUE23L3PKS","bundle":"https://pith.science/pith/4H32DHHCSBNCCYIVHUE23L3PKS/bundle.json","state":"https://pith.science/pith/4H32DHHCSBNCCYIVHUE23L3PKS/state.json","well_known_bundle":"https://pith.science/.well-known/pith/4H32DHHCSBNCCYIVHUE23L3PKS/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2017:4H32DHHCSBNCCYIVHUE23L3PKS","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"5ae04b5a8f07217a9c83af5b1a92b2d6d7715a2172e873f6738bf20f6c2dc682","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-09-19T11:52:02Z","title_canon_sha256":"44e620af0ed390ad96ee362b2e8904e87865e39695120f14baf053c5429691ef"},"schema_version":"1.0","source":{"id":"1709.06363","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1709.06363","created_at":"2026-05-18T00:34:53Z"},{"alias_kind":"arxiv_version","alias_value":"1709.06363v1","created_at":"2026-05-18T00:34:53Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1709.06363","created_at":"2026-05-18T00:34:53Z"},{"alias_kind":"pith_short_12","alias_value":"4H32DHHCSBNC","created_at":"2026-05-18T12:30:58Z"},{"alias_kind":"pith_short_16","alias_value":"4H32DHHCSBNCCYIV","created_at":"2026-05-18T12:30:58Z"},{"alias_kind":"pith_short_8","alias_value":"4H32DHHC","created_at":"2026-05-18T12:30:58Z"}],"graph_snapshots":[{"event_id":"sha256:5255742de6dd4dbfd56fc4716becca1f185c3e5539c7f82c0c0095bb4dbf9db0","target":"graph","created_at":"2026-05-18T00:34:53Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"DNS tunneling techniques are often used for malicious purposes but network security mechanisms have struggled to detect these. Network forensic analysis has thus been used but has proved slow and effort intensive as Network Forensics Analysis Tools struggle to deal with undocumented or new network tunneling techniques. In this paper we present a method to aid forensic analysis through automating the inference of protocols tunneled within DNS tunneling techniques. We analyze the internal packet structure of DNS tunneling techniques and characterize the information entropy of different network p","authors_text":"Irvin Homem, Panagiotis Papapetrou, Spyridon Dosis","cross_cats":[],"headline":"","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-09-19T11:52:02Z","title":"Entropy-based Prediction of Network Protocols in the Forensic Analysis of DNS Tunnels"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1709.06363","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:a637302f186384a0f0bf516f7b7bde5bfc71228ba542c5118da22b771b430211","target":"record","created_at":"2026-05-18T00:34:53Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"5ae04b5a8f07217a9c83af5b1a92b2d6d7715a2172e873f6738bf20f6c2dc682","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-09-19T11:52:02Z","title_canon_sha256":"44e620af0ed390ad96ee362b2e8904e87865e39695120f14baf053c5429691ef"},"schema_version":"1.0","source":{"id":"1709.06363","kind":"arxiv","version":1}},"canonical_sha256":"e1f7a19ce2905a2161153d09adaf6f549d606f06c885b9e56111cb7f09ecbeaf","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"e1f7a19ce2905a2161153d09adaf6f549d606f06c885b9e56111cb7f09ecbeaf","first_computed_at":"2026-05-18T00:34:53.431648Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-18T00:34:53.431648Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"kEMy7lBwKURQVK87WTx9OU0n4184imNXXsuIa6CBhOtS64CMPdtDgwjYVTUNpyLIgaZCB83TlaMy22cegMs9BQ==","signature_status":"signed_v1","signed_at":"2026-05-18T00:34:53.432403Z","signed_message":"canonical_sha256_bytes"},"source_id":"1709.06363","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:a637302f186384a0f0bf516f7b7bde5bfc71228ba542c5118da22b771b430211","sha256:5255742de6dd4dbfd56fc4716becca1f185c3e5539c7f82c0c0095bb4dbf9db0"],"state_sha256":"031aa93bc2842c34f6d5cc7ba3542819e772c682ec97b5c342a8bf91a7bdc9ee"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"yW+wIs/riYIFyAZQm2CTy7Lpog6Yz+CcTBdzQD5TNf++YDk9Xz/DrBN6ggzDdoaP5LkfhS2PerEWCBHbho7bBQ==","signed_message":"bundle_sha256_bytes","signed_at":"2026-06-24T03:54:31.356225Z","bundle_sha256":"6e67a93b222e80f8656709af74395cf47340c70e7af32b54b75ede8b841add8d"}}