Noseong Park · Kun Sun · Sara Foresti · Kevin Butler · Nitesh Saxena (Eds.)

Security and Privacy in Communication Networks
16th EAI International Conference, SecureComm 2020
Washington, DC, USA, October 21–23, 2020
Proceedings, Part II

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 336

Editorial Board Members


Ozgur Akan
Middle East Technical University, Ankara, Turkey
Paolo Bellavista
University of Bologna, Bologna, Italy
Jiannong Cao
Hong Kong Polytechnic University, Hong Kong, China
Geoffrey Coulson
Lancaster University, Lancaster, UK
Falko Dressler
University of Erlangen, Erlangen, Germany
Domenico Ferrari
Università Cattolica Piacenza, Piacenza, Italy
Mario Gerla
UCLA, Los Angeles, USA
Hisashi Kobayashi
Princeton University, Princeton, USA
Sergio Palazzo
University of Catania, Catania, Italy
Sartaj Sahni
University of Florida, Gainesville, USA
Xuemin (Sherman) Shen
University of Waterloo, Waterloo, Canada
Mircea Stan
University of Virginia, Charlottesville, USA
Xiaohua Jia
City University of Hong Kong, Kowloon, Hong Kong
Albert Y. Zomaya
University of Sydney, Sydney, Australia
More information about this series at http://www.springer.com/series/8197
Editors
Noseong Park, Yonsei University, Seoul, Korea (Republic of)
Kun Sun, George Mason University, Fairfax, VA, USA
Sara Foresti, Dipartimento di Informatica, Università degli Studi di Milano, Milano, Italy
Kevin Butler, University of Florida, Gainesville, FL, USA
Nitesh Saxena, Division of Nephrology, University of Alabama, Birmingham, AL, USA
ISSN 1867-8211 (print), ISSN 1867-822X (electronic)
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
ISBN 978-3-030-63094-2 (print), ISBN 978-3-030-63095-9 (eBook)
https://doi.org/10.1007/978-3-030-63095-9

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2020
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, expressed or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface

We are delighted to introduce the proceedings of the 16th EAI International Conference on Security and Privacy in Communication Networks (SecureComm 2020). This conference has brought together researchers, developers, and practitioners from around the world who are leveraging and developing security and privacy technology for safe and robust systems and networks.
These proceedings contain 60 papers, which were selected from 120 submissions (an acceptance rate of 50%) from universities, national laboratories, and the private sector across the USA as well as other countries in Europe and Asia. All the submissions went through an extensive review process by internationally recognized experts in cybersecurity.
Any successful conference requires the contributions of different stakeholder groups and individuals, who have selflessly volunteered their time and energy in disseminating the call for papers, submitting their research findings, participating in the peer reviews and discussions, etc. First and foremost, we would like to offer our gratitude to the entire Organizing Committee for guiding the entire process of the conference. We are also deeply grateful to all the Technical Program Committee members for their time and effort in reading, commenting, debating, and finally selecting the papers. We also thank all the external reviewers for assisting the Technical Program Committee in their particular areas of expertise, as well as all the authors, participants, and session chairs for their valuable contributions. Support from the Steering Committee and EAI staff members was also crucial in ensuring the success of the conference. It was a great privilege to work with such a large group of dedicated and talented individuals.
We hope that you found the discussions and interactions at SecureComm 2020, which was held online, enjoyable, and that the proceedings will stimulate further research.

October 2020
Kun Sun
Sara Foresti
Kevin Butler
Nitesh Saxena
Organization

Steering Committee
Imrich Chlamtac University of Trento, Italy
Guofei Gu Texas A&M University, USA
Peng Liu Penn State University, USA
Sencun Zhu Penn State University, USA

Organizing Committee
General Co-chairs
Kun Sun George Mason University, USA
Sara Foresti Università degli Studi di Milano, Italy

TPC Chair and Co-chair


Kevin Butler University of Florida, USA
Nitesh Saxena University of Alabama at Birmingham, USA

Sponsorship and Exhibit Chair


Liang Zhao George Mason University, USA

Local Chair
Hemant Purohit George Mason University, USA

Workshops Chair
Qi Li Tsinghua University, China

Publicity and Social Media Chairs


Emanuela Marasco George Mason University, USA
Carol Fung Virginia Commonwealth University, USA

Publications Chair
Noseong Park Yonsei University, South Korea

Web Chair
Pengbin Feng George Mason University, USA

Panels Chair
Massimiliano Albanese George Mason University, USA

Tutorials Chair
Fabio Scotti Università degli Studi di Milano, Italy

Technical Program Committee


Adwait Nadkarni William & Mary, USA
Amro Awad Sandia National Laboratories, USA
An Wang Case Western Reserve University, USA
Aziz Mohaisen University of Central Florida, USA
Birhanu Eshete University of Michigan - Dearborn, USA
Byron Williams University of Florida, USA
Cliff Zou University of Central Florida, USA
Cong Wang City University of Hong Kong, Hong Kong
Daniel Takabi Georgia State University, USA
Dave (Jing) Tian Purdue University, USA
David Barrera Carleton University, Canada
Debin Gao Singapore Management University, Singapore
Dinghao Wu Penn State University, USA
Eric Chan-Tin Loyola University Chicago, USA
Eugene Vasserman Kansas State University, USA
Fatima M. Anwar University of Massachusetts Amherst, USA
Fengyuan Xu Nanjing University, China
Girish Revadigar University of New South Wales, Australia
Gokhan Kul University of Massachusetts Dartmouth, USA
Huacheng Zeng University of Louisville, USA
Hyoungshick Kim Sungkyunkwan University, South Korea
Jeffrey Spaulding Canisius College, USA
Jian Liu The University of Tennessee at Knoxville, USA
Jiawei Yuan University of Massachusetts Dartmouth, USA
Jun Dai California State University, Sacramento, USA
Kai Bu Zhejiang University, China
Kai Chen Institute of Information Engineering, Chinese Academy
of Sciences, China
Karim Elish Florida Polytechnic University, USA
Kuan Zhang University of Nebraska-Lincoln, USA
Le Guan University of Georgia, USA
Maliheh Shirvanian Visa Research, USA
Martin Strohmeier University of Oxford, UK
Mengjun Xie The University of Tennessee at Chattanooga, USA
Mohamed Shehab University of North Carolina at Charlotte, USA
Mohammad Mannan Concordia University, Canada
Murtuza Jadliwala The University of Texas at San Antonio, USA
Neil Gong Duke University, USA
Patrick McDaniel Penn State University, USA
Pierangela Samarati Università degli Studi di Milano, Italy
Qiang Tang New Jersey Institute of Technology, USA
Rongxing Lu University of New Brunswick, Canada
Sankardas Roy Bowling Green State University, USA
Selcuk Uluagac Florida International University, USA
Seungwon Shin KAIST, South Korea
Shouhuai Xu The University of Texas at San Antonio, USA
Simon Woo SUNY Korea, South Korea
Suzanne Wetzel Stevens Institute of Technology, USA
Taegyu Kim Purdue University, USA
Thomas Moyer University of North Carolina at Charlotte, USA
Tzipora Halevi Brooklyn College, USA
Vinnie Monaco Naval Postgraduate School, USA
Wenhai Sun Purdue University, USA
Wenjing Lou Virginia Polytechnic Institute and State University,
USA
Wensheng Zhang Iowa State University, USA
Xiao Zhang Palo Alto Networks, USA
Xingliang Yuan Monash University, Australia
Yanchao Zhang Arizona State University, USA
Yingying Chen Rutgers University, USA
Yinzhi Cao Johns Hopkins University, USA
Yong Guan Iowa State University, USA
Yuan (Alex) Zhang Nanjing University, China
Yuan Zhang Fudan University, China
Z. Berkay Celik Purdue University, USA
Zhiqiang Lin Ohio State University, USA
Contents – Part II

A Practical Machine Learning-Based Framework to Detect DNS Covert Communication in Enterprises . . . 1
Ruming Tang, Cheng Huang, Yanti Zhou, Haoxian Wu, Xianglin Lu, Yongqian Sun, Qi Li, Jinjin Li, Weiyao Huang, Siyuan Sun, and Dan Pei

CacheLoc: Leveraging CDN Edge Servers for User Geolocation . . . 22
Mingkui Wei, Khaled Rabieh, and Faisal Kaleem

Modeling Mission Impact of Cyber Attacks on Energy Delivery Systems . . . 41
Md Ariful Haque, Sachin Shetty, Charles A. Kamhoua, and Kimberly Gold

Identifying DApps and User Behaviors on Ethereum via Encrypted Traffic . . . 62
Yu Wang, Zhenzhen Li, Gaopeng Gou, Gang Xiong, Chencheng Wang, and Zhen Li

TransNet: Unseen Malware Variants Detection Using Deep Transfer Learning . . . 84
Candong Rong, Gaopeng Gou, Mingxin Cui, Gang Xiong, Zhen Li, and Li Guo

A Brokerage Approach for Secure Multi-Cloud Storage Resource Management . . . 102
Muhammad Ihsan Haikal Sukmana, Kennedy Aondona Torkura, Sezi Dwi Sagarianti Prasetyo, Feng Cheng, and Christoph Meinel

On the Effectiveness of Behavior-Based Ransomware Detection . . . 120
Jaehyun Han, Zhiqiang Lin, and Donald E. Porter

POQ: A Consensus Protocol for Private Blockchains Using Intel SGX . . . 141
Golam Dastoger Bashar, Alejandro Anzola Avila, and Gaby G. Dagher

Share Withholding in Blockchain Mining . . . 161
Sang-Yoon Chang

PEDR: A Novel Evil Twin Attack Detection Scheme Based on Phase Error Drift Range . . . 188
Jiahui Zhang, Qian Lu, Ruobing Jiang, and Haipeng Qu

Differentially Private Social Graph Publishing for Community Detection . . . 208
Xuebin Ma, Jingyu Yang, and Shengyi Guan

LaaCan: A Lightweight Authentication Architecture for Vehicle Controller Area Network . . . 215
Syed Akib Anwar Hridoy and Mohammad Zulkernine

A Machine Learning Based Smartphone App for GPS Spoofing Detection . . . 235
Javier Campos, Kristen Johnson, Jonathan Neeley, Staci Roesch, Farha Jahan, Quamar Niyaz, and Khair Al Shamaileh

AOMDroid: Detecting Obfuscation Variants of Android Malware Using Transfer Learning . . . 242
Yu Jiang, Ruixuan Li, Junwei Tang, Ali Davanian, and Heng Yin

ML-Based Early Detection of IoT Botnets . . . 254
Ayush Kumar, Mrinalini Shridhar, Sahithya Swaminathan, and Teng Joon Lim

Post-Quantum Cryptography in WireGuard VPN . . . 261
Quentin M. Kniep, Wolf Müller, and Jens-Peter Redlich

Evaluating the Cost of Personnel Activities in Cybersecurity Management: A Case Study . . . 268
Rafał Leszczyna

SGX-Cube: An SGX-Enhanced Single Sign-On System Against Server-Side Credential Leakage . . . 275
Songsong Liu, Qiyang Song, Kun Sun, and Qi Li

EW256357: A New Secure NIST P-256 Compatible Elliptic Curve for VoIP Applications' Security . . . 291
Nilanjan Sen, Ram Dantu, and Kirill Morozov

Ucam: A User-Centric, Blockchain-Based and End-to-End Secure Home IP Camera System . . . 311
Xinxin Fan, Zhi Zhong, Qi Chai, and Dong Guo

Private Global Generator Aggregation from Different Types of Local Models . . . 324
Chunling Han and Rui Xue

Perturbing Smart Contract Execution Through the Underlying Runtime . . . 336
Pinchen Cui and David Umphress

Blockchain Based Multi-keyword Similarity Search Scheme over Encrypted Data . . . 350
Mingyue Li, Chunfu Jia, and Wei Shao

Using the Physical Layer to Detect Attacks on Building Automation Networks . . . 372
Andreas Zdziarstek, Willi Brekenfelder, and Felix Eibisch

Formalizing Dynamic Behaviors of Smart Contract Workflow in Smart Healthcare Supply Chain . . . 391
Mohammad Saidur Rahman, Ibrahim Khalil, and Abdelaziz Bouras

Malware Classification Using Attention-Based Transductive Learning Network . . . 403
Liting Deng, Hui Wen, Mingfeng Xin, Yue Sun, Limin Sun, and Hongsong Zhu

COOB: Hybrid Secure Device Pairing Scheme in a Hostile Environment . . . 419
Sameh Khalfaoui, Jean Leneutre, Arthur Villard, Jingxuan Ma, and Pascal Urien

A Robust Watermarking Scheme with High Security and Low Computational Complexity . . . 439
Liangjia Li, Yuling Luo, Junxiu Liu, Senhui Qiu, and Lanhang Li

Selecting Privacy Enhancing Technologies for IoT-Based Services . . . 455
Immanuel Kunz, Christian Banse, and Philipp Stephanow

Khopesh - Contact Tracing Without Sacrificing Privacy . . . 475
Friedrich Doku and Ethan Doku

Author Index . . . 487


Contents – Part I

Email Address Mutation for Proactive Deterrence Against Lateral Spear-Phishing Attacks . . . 1
Md Mazharul Islam, Ehab Al-Shaer, and Muhammad Abdul Basit Ur Rahim

ThreatZoom: Hierarchical Neural Network for CVEs to CWEs Classification . . . 23
Ehsan Aghaei, Waseem Shadid, and Ehab Al-Shaer

Detecting Dictionary Based AGDs Based on Community Detection . . . 42
Qianying Shen and Futai Zou

On the Accuracy of Measured Proximity of Bluetooth-Based Contact Tracing Apps . . . 49
Qingchuan Zhao, Haohuang Wen, Zhiqiang Lin, Dong Xuan, and Ness Shroff

A Formal Verification of Configuration-Based Mutation Techniques for Moving Target Defense . . . 61
Muhammad Abdul Basit Ur Rahim, Ehab Al-Shaer, and Qi Duan

Coronavirus Contact Tracing App Privacy: What Data Is Shared by the Singapore OpenTrace App? . . . 80
Douglas J. Leith and Stephen Farrell

The Maestro Attack: Orchestrating Malicious Flows with BGP . . . 97
Tyler McDaniel, Jared M. Smith, and Max Schuchard

pyDNetTopic: A Framework for Uncovering What Darknet Market Users Talking About . . . 118
Jingcheng Yang, Haowei Ye, and Futai Zou

MisMesh: Security Issues and Challenges in Service Meshes . . . 140
Dalton A. Hahn, Drew Davidson, and Alexandru G. Bardas

The Bitcoin Hunter: Detecting Bitcoin Traffic over Encrypted Channels . . . 152
Fatemeh Rezaei, Shahrzad Naseri, Ittay Eyal, and Amir Houmansadr

MAAN: A Multiple Attribute Association Network for Mobile Encrypted Traffic Classification . . . 172
Fengzhao Shi, Chao Zheng, Yiming Cui, and Qingyun Liu

Assessing Adaptive Attacks Against Trained JavaScript Classifiers . . . 190
Niels Hansen, Lorenzo De Carli, and Drew Davidson

An Encryption System for Securing Physical Signals . . . 211
Yisroel Mirsky, Benjamin Fedidat, and Yoram Haddad

A Cooperative Jamming Game in Wireless Networks Under Uncertainty . . . 233
Zhifan Xu and Melike Baykal-Gürsoy

SmartSwitch: Efficient Traffic Obfuscation Against Stream Fingerprinting . . . 255
Haipeng Li, Ben Niu, and Boyang Wang

Misreporting Attacks in Software-Defined Networking . . . 276
Quinn Burke, Patrick McDaniel, Thomas La Porta, Mingli Yu, and Ting He

A Study of the Privacy of COVID-19 Contact Tracing Apps . . . 297
Haohuang Wen, Qingchuan Zhao, Zhiqiang Lin, Dong Xuan, and Ness Shroff

Best-Effort Adversarial Approximation of Black-Box Malware Classifiers . . . 318
Abdullah Ali and Birhanu Eshete

Review Trade: Everything Is Free in Incentivized Review Groups . . . 339
Yubao Zhang, Shuai Hao, and Haining Wang

Integrity: Finding Integer Errors by Targeted Fuzzing . . . 360
Yuyang Rong, Peng Chen, and Hao Chen

Improving Robustness of a Popular Probabilistic Clustering Algorithm Against Insider Attacks . . . 381
Sayed M. Saghaian N. E., Tom La Porta, Simone Silvestri, and Patrick McDaniel

Automated Bystander Detection and Anonymization in Mobile Photography . . . 402
David Darling, Ang Li, and Qinghua Li

SmartWiFi: Universal and Secure Smart Contract-Enabled WiFi Hotspot . . . 425
Nikolay Ivanov, Jianzhi Lou, and Qiben Yan

ByPass: Reconsidering the Usability of Password Managers . . . 446
Elizabeth Stobert, Tina Safaie, Heather Molyneaux, Mohammad Mannan, and Amr Youssef

Anomaly Detection on Web-User Behaviors Through Deep Learning . . . 467
Jiaping Gui, Zhengzhang Chen, Xiao Yu, Cristian Lumezanu, and Haifeng Chen

Identity Armour: User Controlled Browser Security . . . 474
Ross Copeland and Drew Davidson

Connecting Web Event Forecasting with Anomaly Detection: A Case Study on Enterprise Web Applications Using Self-supervised Neural Networks . . . 481
Xiaoyong Yuan, Lei Ding, Malek Ben Salem, Xiaolin Li, and Dapeng Wu

Performance Analysis of Elliptic Curves for VoIP Audio Encryption Using a Softphone . . . 503
Nilanjan Sen, Ram Dantu, and Mark Thompson

TCNN: Two-Way Convolutional Neural Network for Image Steganalysis . . . 509
Zhili Chen, Baohua Yang, Fuhu Wu, Shuai Ren, and Hong Zhong

PrivyTRAC – Privacy and Security Preserving Contact Tracing System . . . 515
Ssu-Hsin Yu

Author Index . . . 527


A Practical Machine Learning-Based Framework to Detect DNS Covert Communication in Enterprises

Ruming Tang (1,2), Cheng Huang (3), Yanti Zhou (4), Haoxian Wu (3), Xianglin Lu (1,2), Yongqian Sun (5), Qi Li (1,2) (corresponding author), Jinjin Li (4), Weiyao Huang (4), Siyuan Sun (4), and Dan Pei (1,2)

(1) Tsinghua University, Beijing, China
    trm14@mails.tsinghua.edu.cn, {peidan,qli01}@tsinghua.edu.cn
(2) Beijing National Research Center for Information Science and Technology (BNRist), Beijing, China
    everl@bupt.edu.cn
(3) BizSeer Technologies Co., Ltd., Beijing, China
    huangcheng@bizseer.com, MOVIEGEORGE@pku.edu.cn
(4) Bank of Communications, Shanghai, China
    {zhouyt,lijj,huangweiyao,sunsiyuan}@bankcomm.com
(5) Nankai University, Tianjin, China
    sunyongqian@nankai.edu.cn

Abstract. DNS is a key protocol of the Internet infrastructure, which ensures network connectivity. However, DNS suffers from various threats. In particular, DNS covert communication is a serious threat in enterprise networks, by which attackers establish stealthy communications between internal hosts and remote servers. In this paper, we propose D²C² (Detection of DNS Covert Communication), a practical and flexible machine learning-based framework to detect DNS covert communications. D²C² is an end-to-end framework that contains modular detection models, both supervised and unsupervised, which detect multiple types of threats efficiently and flexibly. We have deployed D²C² in a large commercial bank with 100 million DNS queries per day. During the deployment, D²C² detected over 4k anomalous DNS communications per day, achieving a precision above 0.97 on average. It uncovered a significant number of previously unnoticed security issues, including seven compromised hosts in the enterprise network.

Keywords: DNS · Malicious domain detection · Data exfiltration · DGA

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2020
Published by Springer Nature Switzerland AG 2020. All Rights Reserved
N. Park et al. (Eds.): SecureComm 2020, LNICST 336, pp. 1–21, 2020.
https://doi.org/10.1007/978-3-030-63095-9_1

1 Introduction
As a core infrastructure on the Internet, the Domain Name System (DNS) is commonly used in all kinds of Internet applications to translate easy-to-recognize domain names into IP addresses. Unfortunately, the DNS system suffers from known vulnerabilities, such as DDoS [27], spoofing [24] and other exploits [8,30,36]. To defend against these attacks, approaches such as [10,18,24] have been proposed. Unlike those traditional attacks, which target the DNS system itself, DNS covert communication is leveraged to transmit messages across the boundary between an enterprise's LAN (i.e., office network and datacenter) and the Internet, carried in DNS messages in a stealthy and unauthorized manner. However, the defense against DNS covert communication in enterprises is still not well studied, and it is the focus of this paper.

Fig. 1. Examples of (a) normal DNS lookups, (b) DNS-based data exfiltration, and (c) DNS-based C&C.
In enterprises, security tools are commonly deployed to closely monitor the traffic between the enterprise's LAN and the Internet, in order to detect serious security attacks such as data exfiltration (which transmits valuable internal data to the Internet), command-and-control (C&C) of internal hosts by external attackers, and so on. However, data exfiltration and C&C that use covert communication via DNS traffic [7,8,22,23,28] are still hard to detect.
Figure 1 shows examples of a normal DNS lookup and of DNS covert communication. In the normal DNS lookup in Fig. 1(a), a normal host queries its local DNS server about google.com, and the local DNS server then iteratively queries the DNS root server and the .com top-level domain server (both omitted in the figure) and relays the response from the authoritative name server for google.com (which indicates that the corresponding IP address is 172.217.164.100) to the host. Figure 1(b) shows an example of real point-of-sale (POS) malware, in which the POS malware exfiltrated credit card information in the domain names of its DNS queries [20]. Such exfiltration incidents (e.g., MULTIGRAIN [20], UDPoS [28]) caused significant losses to users and providers. The compromised host encodes the stolen credit card information as subdomains of the domain name to be queried, and when the query arrives at the authoritative name server controlled by the attacker, the attacker can easily decode the credit card information from the queried domain name. Figure 1(c) shows an example of DNS C&C [22], where a malware-infected host talks to and receives commands from its C&C server by sending a DNS query message to, and receiving the corresponding DNS response from, the compromised authoritative name server, which is the C&C server. In this example, the seemingly random domain name that is queried (rohgoruhgsorhugih.nl) is actually dynamically generated by a Domain Generation Algorithm (DGA) and automatically synchronized between the compromised host and the C&C server [9,13,29,30,35,36].
Therefore, new detection methods are needed to detect this DNS covert communication, because traditional security tools based on blacklists, rules and signatures cannot enumerate or capture the dynamically changing subdomain names in the DNS covert communications exemplified in Fig. 1(b) and (c).
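The two channels of Fig. 1(b) and (c) can be made concrete with a short Python example. It is an added illustration, not code from the D²C² paper: it packs a constructed test card number into DNS labels the way the POS malware above does, decodes it again as the attacker's authoritative server would, and then computes the kind of per-query lexical features (length, label count, entropy) and per-host aggregates (distinct subdomains per registered domain, spread of NXDOMAIN answers) that a detector can use where a blacklist cannot. The log lines, the hypothetical domains exfil.example and the .nl names, the shortcut that treats the last two labels as the registered domain, and every threshold are assumptions made for this example.

```python
"""Added example (not the D2C2 paper's code): DNS covert-channel encoding,
decoding, and feature-based detection over a constructed query log.
Domains, log lines and thresholds are assumptions made for this example."""
import base64
import math
from collections import Counter, defaultdict

MAX_LABEL = 63  # RFC 1035 limit on a single label, in octets


def exfil_labels(payload):
    """Encode payload as Fig. 1(b)-style malware would: base32 (DNS names are
    case-insensitive, so base64 is unsafe), padding stripped, cut into labels
    that respect the 63-octet label limit."""
    enc = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    return [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]


def decode_exfil(qname, registered):
    """What the attacker's authoritative server does with the query name:
    drop the registered domain, re-join the labels, restore base32 padding."""
    enc = qname[: -len(registered) - 1].replace(".", "").upper()
    enc += "=" * (-len(enc) % 8)
    return base64.b32decode(enc)


def split_domain(qname):
    """Assumption: the registered domain is the last two labels.  A real
    deployment would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), [l for l in labels[:-2] if l]


def entropy(s):
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def features(qname):
    """Per-query lexical features of the kind a classifier would consume."""
    registered, sub_labels = split_domain(qname)
    sub = "".join(sub_labels)
    return {
        "registered": registered,
        "name_len": len(qname),
        "sub_labels": len(sub_labels),
        "max_label_len": max((len(l) for l in sub_labels), default=0),
        "sub_entropy": entropy(sub),
        "digit_ratio": sum(ch.isdigit() for ch in sub) / len(sub) if sub else 0.0,
    }


def exfil_rule(f):
    """Hand-written stand-in for a trained exfiltration detector.  The entropy
    bar is deliberately low: a base32-encoded PAN made of repeated digits
    scores only ~3.1 bits/char, so an entropy-only cut near 3.5 would miss it;
    the unusually long single label is the stronger signal here."""
    return f["max_label_len"] >= 20 and f["sub_entropy"] >= 2.5


def host_aggregates(log):
    """Per-host signals: distinct subdomains seen under each registered domain
    (a busy exfil channel) and distinct registered domains answered NXDOMAIN
    (a DGA host probing for its live C&C name)."""
    subs = defaultdict(lambda: defaultdict(set))
    nxdomains = defaultdict(set)
    for client, qname, _qtype, rcode in log:
        registered, sub_labels = split_domain(qname)
        if sub_labels:
            subs[client][registered].add(".".join(sub_labels))
        if rcode == "NXDOMAIN":
            nxdomains[client].add(registered)
    return subs, nxdomains


def detect(log, nx_threshold=3):
    """Return {client: sorted alert types} for (client, qname, qtype, rcode) rows."""
    alerts = defaultdict(set)
    for client, qname, _qtype, _rcode in log:
        if exfil_rule(features(qname)):
            alerts[client].add("exfil")
    _subs, nxdomains = host_aggregates(log)
    for client, domains in nxdomains.items():
        if len(domains) >= nx_threshold:  # threshold is an assumption
            alerts[client].add("dga")
    return {c: sorted(a) for c, a in alerts.items()}


# Constructed log.  The PANs are well-known test numbers, exfil.example is a
# hypothetical attacker domain, and the .nl names mimic the look of Fig. 1(c).
PAN = b"4111111111111111"
EXFIL_QNAME = ".".join(exfil_labels(PAN) + ["exfil", "example"])
LOG = [
    ("10.0.0.5", "www.google.com", "A", "NOERROR"),
    ("10.0.0.5", "mail.google.com", "A", "NOERROR"),
    ("10.0.0.7", EXFIL_QNAME, "TXT", "NOERROR"),
    ("10.0.0.7", ".".join(exfil_labels(b"5555555555554444") + ["exfil", "example"]), "TXT", "NOERROR"),
    ("10.0.0.9", "rohgoruhgsorhugih.nl", "A", "NXDOMAIN"),
    ("10.0.0.9", "qwpxkrfhsdmzlvtb.nl", "A", "NXDOMAIN"),
    ("10.0.0.9", "ztkmbqhwdgfvrplx.nl", "A", "NXDOMAIN"),
]
```

Running `detect(LOG)` flags 10.0.0.7 for exfiltration and 10.0.0.9 as a DGA host, while the two google.com lookups from 10.0.0.5 stay quiet. The DGA host is caught only by the per-host NXDOMAIN aggregate, not by any per-name feature, which is the practical reason the paper combines per-query classifiers with aggregated results.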
Our intuitive idea for detecting DNS covert communication is to apply machine learning (ML) to flag a suspicious domain based on its features (see the feature list in Table 2, e.g., the length of the domain). Although this idea is promising, to the best of our knowledge previous ML-based approaches along this direction have not yet been deployed in real-world enterprises, due to the following three challenges.
First, the performance of different ML algorithms might differ between enterprises, because the DNS traffic data distribution might differ. Furthermore, among the machine learning algorithms used in previous work, supervised models perform better and are preferred for some known threat types, while unsupervised models are preferred for unknown but rare threats. Thus, the algorithms used in the detection system should be generic and flexible (as opposed to fixed). Second, different DNS covert communication threats might have different patterns, and previous machine-learning-based approaches, to the best of our knowledge, so far only focus on specific types of such attacks, e.g., [7,8] only detect data exfiltration, and [30] only detects DGA domains. However, enterprises in the real world are interested in detecting various attacks, and are thus reluctant to deploy the aforementioned piecemeal approaches that can detect only one type of DNS covert communication. Third, a practical ML-based detection system needs feedback mechanisms to add labeled data for re-training in the supervised approaches and/or to tune the parameters in the unsupervised approaches, and it also needs to fully utilize (as opposed to replace) the traditional DNS security tools such as the domain blacklist.
4 R. Tang et al.

To tackle the above challenges, in this paper we propose a practical, flexible and end-to-end ML-based framework, called D²C² (Detecting DNS Covert Communication), to effectively detect various DNS covert communications in enterprises by leveraging supervised and unsupervised classifiers trained on various types of features extracted from DNS logs. It is an end-to-end framework and consists of several modules with an intuitive but efficient workflow, which is easy to deploy and maintain in enterprise environments. One flexible detection module is used to detect all types of covert communication threats via domain names in DNS traffic. D²C² also uses feedback from manual investigations of alerts to improve detection performance. The detection results are aggregated and visualized for the operators, to make D²C² more user-friendly.
In the flexible detection module, multiple modular detection models are used, including supervised and unsupervised approaches, so that for each type of threat the most suitable model (detector) can be applied. Based on all results aggregated from the detectors, D²C² is able to reveal covert communication threats in a comprehensive way. The modular design of multiple detectors also makes the system easy to adapt: each detector can be adjusted easily and individually for updating or modification, e.g., model tuning or re-training.
Our major contributions can be summarized as follows.

– We propose the first practical, flexible, and end-to-end ML-based framework, D²C², which is easy to deploy in enterprises to detect DNS covert communication threats, to the best of our knowledge.
– We design a modular threat detection component which consists of supervised and unsupervised methods in series, and can be modified flexibly and individually to handle different data distributions in different enterprises.
– We deployed D²C² in a large commercial bank with more than 25K hosts, handling more than 100 million DNS queries per day. D²C² is the first large-scale deployment of a DNS covert communication detection system in the wild, to the best of our knowledge.
– Based on our evaluation over 5 billion DNS logs, D²C² efficiently detected 4k anomalous logs per day and achieved high precision (over 0.97). It uncovered real covert communication threats in the wild, including 7 compromised hosts previously unknown to the operators.

2 Background

2.1 Domain Name System

A DNS log contains several important fields: NAME (the queried domain name), TYPE (A for IPv4 address, CNAME for canonical names, TXT for text records, etc.), and RDATA (the resource data) [21]. For example, the query in Fig. 1(a) contains the queried name (www.google.com), class (IN), and type (A). The response log contains the response: RCODE (Response Code), TTL (Time to Live) and the answer, together with the corresponding query. The answer is the IPv4 address(es) for the queried name. RCODE indicates the condition of the answer: NOERROR (in this example) means a normal answer, and NXDomain indicates that the queried name does not exist.

Fig. 2. Typical types of DNS external exploits threats.

Although DNS is a fundamental system that many services rely on, some enterprise operators treat DNS as a “set and forget” infrastructure and do not update it with the latest security mechanisms [17]. For example, DNSSEC [12] is a security extension of DNS proposed long ago, but its adoption was quite slow until recently [10,15]. Some operators may be interested in the availability of DNS only when DNS servers go wrong.
Figure 2 shows some typical exploits against DNS [17]. Attacks against the DNS infrastructure itself (i.e., DDoS and spoofing) are much easier to notice because they lead to failures or errors in DNS servers. DDoS (Distributed Denial of Service) attacks compromise the availability of DNS, and spoofing (redirecting users to attackers) leads to wrong or unreachable destinations. Besides these, some attackers take advantage of the lack of monitoring of DNS traffic and choose DNS as a channel for covert communication (in bold in Fig. 2), which is more difficult to notice.

2.2 Covert Communications in DNS Channel

In this paper, we focus on DNS covert communication, which is one of the most important DNS-related threats in enterprise environments, where operators pay close attention to malicious communication to the Internet. In a covert communication case, attackers use DNS to establish a communication channel between compromised hosts and remote servers without being monitored by other security measures.
A common attack is to encode data in certain fields of the DNS packet [8,17,31]. Attackers can simply use the subdomains as payloads, encoding data into the NAME field like “<encoded...information>.evildomain.com.” as shown in Fig. 1(b), which is known as data exfiltration. Such encoded data are usually long strings that are not commonly seen in normal domain names. Some attackers also use the DNS channel to carry C&C communication between compromised hosts and remote C&C servers. In this way, the compromised hosts can inform the attackers of their current status. Figure 1(c) shows an example of a host querying a C&C domain generated by an algorithm (IRCBot). Obvious differences can be seen between popular domain names and this domain name, which contains no recognizable words or abbreviations.
In general, malicious communication through the DNS channel can be determined by two indicators: whether the DNS packets carry malicious payloads, or whether the hosts connect to malicious destinations. As mentioned before, the domain name directly tells where the host is trying to reach, and it can also be used to carry messages. Besides the domain name in the NAME field, the RDATA field in the response also provides a good payload field for attackers. RDATA fields in TYPE CNAME or TXT packets allow more characters to be sent, which means larger “bandwidth” for attackers [17,23]. However, TYPE A (and AAAA) logs account for the vast majority of all DNS logs (see data trace statistics in Sect. 5); therefore, in this paper we consider anomalies in domain names as our primary threats to be detected.
In this paper, we only focus on domains that are related to covert communication threats (mainly data exfiltration and C&C threats). However, not all malicious domains are related to covert communication. Some malicious domains are disguised for phishing, e.g., Domain Shadowing (hijacking normal domains and creating new subdomains to redirect users [19]) and Typo-Squatting (registering domain names similar to popular websites to leverage users' typos [34]), which are not considered covert communication.

2.3 Related Work

Exfiltration domain names, by nature, contain more information because of the extra payload, and are thus longer than normal ones. Hence, some security engineers detect suspicious domains using a domain name length threshold. However, such signature-based methods do not always work, because the static threshold can be easily evaded. In recent years, anomaly detection based approaches have been proposed to detect exfiltration based on features in DNS traffic. Das et al. detect encoded data in DNS traffic related to exfiltration and tunneling [11]. Ahmed et al. present an Isolation Forest approach to detecting exfiltration in an enterprise [7,8]. However, these approaches have not been tested on real attacks in the wild, but only on synthetic data generated by toolkits.
Many prior works on C&C communication focus on DGAs [9,13,29,30,35,36], which are widely used to generate seemingly random domain names (Algorithmically-Generated Domains, AGDs). AGDs appear in many security events, for instance botnets, to avoid traditional blocking mechanisms like blacklists, sinkholes or signature-based firewalls. Many prior studies used classifiers to detect AGDs because they are different from normal domain names. Antonakakis et al. present an approach to detecting DGAs based on Bipartite Graph Recursive Clustering and multi-class Alternating Decision Trees from NXDomains (queries for non-existent domains) [9]. Schüppen et al. propose FANCI, using Random Forests (RF) and Support Vector Machines (SVM) to detect DGAs with high accuracy [30]. Sun et al. use a Heterogeneous Information Network to model DGAs and detect them via transductive classification [33]. Tong et al. propose D3N, a system using Convolutional Neural Networks (CNN) to detect DGA domains from NXDomains [35]. Most of these classifiers are supervised because researchers can easily obtain DGA domains as positive samples by synthetic generation, but unsupervised approaches have also been used to detect them. Gao et al. use X-Means to cluster domains, also from NXDomains [13]. Zang et al. extract features from domain names and other registration information and use the X-Means algorithm to detect AGDs related to Fast-flux [36].

Fig. 3. The framework overview of D²C². Figure (a) shows the overview of the three stages in D²C². Figure (b) shows the detailed workflow of the Threats Detection module. Dashed lines denote malicious samples detected and dotted lines denote benign ones.
Summary: Each of the aforementioned prior studies focuses on just one specific type of anomalous domain name. However, in enterprises, operators have to face threats of all kinds and would thus need a lot of effort to assemble and tune the above “piecemeal” solutions. Therefore, we aim to design a generic framework that is directly deployable, detecting multiple types of covert communication threats with high flexibility.

3 Framework Overview

In this section, we present the core idea for our design and the overview of D²C².

3.1 Design Goal

Our design goal is to develop a practical framework to detect covert communication in DNS traffic in enterprise environments. Such a framework should be easy to deploy in real-world enterprise environments, and it should be able to achieve high performance with low overhead.
DNS covert communication consists of data exfiltration, C&C communication and other kinds of threats. To detect these threats, a multi-class classifier seems suitable. However, using one detection model for all the above threats would be inflexible, and such a complex model makes parameter tuning hard, which we want to avoid as much as we can, since the data distribution changes over time and across enterprises. Therefore, we use multiple individual detection models (each one is called a detector and focuses on certain types of DNS covert communication threats) instead of one complex model. For each detector, we can choose the most effective algorithm based on its performance and feedback. Such a modular detection module enables us to update or replace models flexibly. For example, in case the data distribution changes (e.g., over time or
when new APIs are deployed), the re-training or model tuning can be done individually, without the need to adjust the overall system workflow. Such updates can be triggered periodically or manually based on the feedback. As a result, the workflow of D²C² stays the same, making it easy to deploy in practice. Meanwhile, our detection models are very flexible for modification to achieve better performance in real-world detection.

Table 1. Alternative models for each detector.

Detector            Alternative models
Data exfiltration   Random forest (RF), Support vector machine (SVM), Multi-layer perceptron (MLP)
DGA                 RF, SVM & MLP
Outlier             Isolation forest (iForest), X-Means

Manual investigation is necessary for a security system to confirm, analyze and mitigate reported threats. We want D²C² to be able to learn from these manual investigations. Thus we design D²C² as a human-in-the-loop (HITL) system with feedback from security engineers. All investigation results can be further utilized for threshold adjustment, model tuning or re-training.

3.2 Overview

A system overview of D²C² is shown in Fig. 3(a); it can be divided into three major stages. The Processing Stage reads and parses raw data. The Detection Stage extracts certain features and detects threats in DNS logs via machine learning based algorithms. The Investigation Stage confirms the detection results and generates the overall reports for operators.
Processing Stage: This stage has only one module, Data Parsing. First, D²C² parses the raw data, extracting user demographics, DNS packets and other network information. The raw data consists of both DNS queries and DNS responses. As mentioned in Sect. 2.1, a DNS response already contains its corresponding query, so for a query which has a response, D²C² only parses the response as the input. A query without a response (due to time-out or other errors) is used directly as input with an added tag “no response”.
Detection Stage: The detection stage is composed of three modules: Blacklist, Feature Extraction and Threats Detection. The Blacklist module first filters the logs, to efficiently detect known malicious domains with low overhead. It is created from the enterprise blacklist maintained by the operators and is updated by manual investigation feedback and threat intelligence. Second, the Feature Extraction module extracts features from the remaining logs. Last, we detect multiple types of threats using the Threats Detection module. The threats detection module contains multiple chosen classifiers (detectors), each of which focuses on one or more specific types of threats. Detectors can be modified according to changes in the data. Results from all detectors are combined, aggregated and then sent for further investigation.

Table 2. Features extracted from the domain names.

#    Feature                            Type
1    Length of domain name              Integer
2    Length of subdomain                Integer
3    No. of labels                      Integer
4    Longest label length               Integer
5    Contains one-character label       Boolean
6    Contains IPv4                      Boolean
7    Has “WWW” prefix                   Boolean
8    Alphabet size                      Integer
9    No. of uppercase characters        Integer
10   Ratio of digits                    Float
11   Ratio of hexadecimal parts         Float
12   Ratio of vowels                    Float
13   Ratio of underscore                Float
14   Ratio of repeat characters         Float
15   Ratio of consecutive consonants    Float
16   Ratio of consecutive digits        Float
17   Shannon entropy [16]               Float
18   Gibberish score [26]               Float
19   Bigram of domain name              Vector

A more detailed architecture of Threats Detection is shown in Fig. 3(b), with three detectors in series. In short, a sample detected as malicious by one detector is stored, and a benign sample is passed on to the next detector. After all detectors are done, the results are aggregated and sent to the investigation module. For each detector, different models can be applied based on their performance in practice. Table 1 lists the algorithms we used for these detectors during deployment. The detector workflow will be described in Sect. 4.
Investigation Stage: The investigation stage is divided into three modules: Whitelist, Manual Investigation and Visualization. When receiving the detection results, the Whitelist module flags certain samples before they reach the operators. This is because some queries generated by certain trusted applications (usually security products from different vendors) behave similarly to attackers, e.g., sending data through the DNS channel, which may result in unnecessary alerts. Similar to the blacklist module, the whitelist is created and updated by the enterprise operators. The remaining results are further reported to the Manual Investigation module, where operators and security engineers are involved. Operators and security engineers check the detection results. The false alerts are used as feedback to our detectors, which may trigger alterations of thresholds, feature weights or even re-training of the machine learning algorithms. Confirmed true threats are reported and visualized for analysis and display in the Visualization module.
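The serial detector chain of Fig. 3(b), wrapped by the Blacklist and Whitelist modules and the operator feedback loop, as an added Python example (not code from the paper or from the D²C² deployment); the three detectors are placeholder rules standing in for the trained models of Table 1, and the blacklist, whitelist and DNS log lines are constructed.

```python
"""Serial-detector workflow of the D2C2 Detection and Investigation stages.

Added example, not code from the paper. The three detectors are placeholder
rules standing in for the trained RF/SVM/iForest models of Table 1, and the
blacklist, whitelist and DNS log lines are constructed sample data.
"""
from typing import Callable, Dict, List, Set, Tuple

Log = Dict[str, str]
Detector = Tuple[str, Callable[[Log], bool]]

# Constructed sample lists (not from the paper's deployment).
BLACKLIST: Set[str] = {"evildomain.com"}
# A trusted security product that legitimately reports telemetry over DNS.
WHITELIST: Set[str] = {"telemetry.av-vendor.example"}

# Constructed parsed logs; a query that never got a response carries the
# "no response" tag described in Sect. 3.2 instead of an RCODE.
SAMPLE_LOGS: List[Log] = [
    {"host": "10.0.0.5", "name": "www.google.com", "rcode": "NOERROR"},
    {"host": "10.0.0.7", "name": "c2.evildomain.com", "rcode": "NOERROR"},
    {"host": "10.0.0.9", "name": "4a6f686e446f652d7061796c6f61642d3031.exfil-site.example", "rcode": "NOERROR"},
    {"host": "10.0.0.9", "name": "qwzxkjrtplmv.com", "rcode": "NXDOMAIN"},
    {"host": "10.0.0.3", "name": "a8f3k2z9qwrtplmn.badbot.example", "rcode": "NXDOMAIN"},
    {"host": "10.0.0.4", "name": "9f3e1c7b2a5d4e6f8a9b0c1d2e3f4a5b.telemetry.av-vendor.example", "rcode": "NOERROR"},
    {"host": "10.0.0.6", "name": "mail.example.org", "rcode": "no response"},
]


def labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def in_list(name: str, listing: Set[str]) -> bool:
    """True if the name itself or any parent domain of it is listed."""
    parts = labels(name)
    return any(".".join(parts[i:]) in listing for i in range(len(parts)))


def looks_like_exfil(log: Log) -> bool:
    # Stand-in for the exfiltration detector: a long payload-like subdomain
    # (everything left of the last two labels).
    return len(".".join(labels(log["name"])[:-2])) >= 30


def looks_like_dga(log: Log) -> bool:
    # Stand-in for the DGA detector: a long, vowel-poor second-level label.
    sld = labels(log["name"])[-2]
    return len(sld) >= 8 and sum(c in "aeiou" for c in sld) / len(sld) < 0.2


def looks_like_outlier(log: Log) -> bool:
    # Stand-in for the unsupervised outlier detector: an unanswered query
    # whose first label is unusually long.
    return log["rcode"] != "NOERROR" and len(labels(log["name"])[0]) >= 12


DETECTORS: List[Detector] = [
    ("exfiltration", looks_like_exfil),
    ("dga", looks_like_dga),
    ("outlier", looks_like_outlier),
]


def detection_stage(logs: List[Log], detectors: List[Detector], blacklist: Set[str]) -> List[Log]:
    """Blacklist first, then the detectors in series (Fig. 3(b)): the first
    detector that fires stores the sample; later detectors never see it."""
    alerts: List[Log] = []
    for log in logs:
        if in_list(log["name"], blacklist):
            alerts.append({**log, "detector": "blacklist"})
            continue
        for det_name, det in detectors:
            if det(log):
                alerts.append({**log, "detector": det_name})
                break  # malicious: stored, not passed to the next detector
    return alerts


def investigation_stage(alerts: List[Log], whitelist: Set[str]) -> Tuple[List[Log], List[Log]]:
    """Split alerts into those reported to operators and those suppressed
    by the whitelist before they reach them."""
    reported = [a for a in alerts if not in_list(a["name"], whitelist)]
    suppressed = [a for a in alerts if in_list(a["name"], whitelist)]
    return reported, suppressed


def apply_feedback(false_alerts: List[Log], whitelist: Set[str]) -> None:
    """Operator feedback loop: a confirmed false alert whitelists its
    registered domain so the same product no longer raises alerts."""
    for a in false_alerts:
        whitelist.add(".".join(labels(a["name"])[-2:]))


if __name__ == "__main__":
    found = detection_stage(SAMPLE_LOGS, DETECTORS, BLACKLIST)
    shown, hidden = investigation_stage(found, WHITELIST)
    for a in shown:
        print(f"ALERT {a['detector']:<12} {a['host']} -> {a['name']}")
    print(f"{len(hidden)} alert(s) suppressed by whitelist")
```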

4 Features and Detectors

In this section, we first present the features we extract from domain names.
Then we explain the detailed implementation workflow of threat detectors and
alternative algorithms used in these detectors.

4.1 Feature Extraction

The performance of machine learning-based detection relies on feature engineering. Thus the feature extraction module must be carefully designed. Queried domain names indicate whether or not the host is connecting to a dangerous target. Therefore, if we can flag a suspicious domain, we are able to flag a suspicious DNS query as well. Data exfiltration domains, which encode messages in the subdomain names, are likely to contain more characters in their domains. On the other hand, domain names generated by DGAs, as mentioned in Sect. 2.3, often appear more random than normal domains. For example, the ratio of numerical characters and the length of the longest meaningful substring (LMS) show DGA domains' disparities from others [17], which indicate the different construction of suspicious domain names. In summary, we choose features widely used in data exfiltration detection [7,8] and DGA detection [9,25,29,30] for our detectors. Not all features from prior work are used; some of them were removed because of their low feature importance in evaluation experiments on a small set of labeled data. In addition, we added two features, #18 and #19 in Table 2, where we list all the features used in D²C². Note that we do not claim the features in Table 2 as our contributions.
Structural Features: The differences in the construction of domains can be indicated by structural features. Length (#1 & #2 in Table 2) is an important feature since more characters mean more information, and many DGA families generate domains in a certain range of lengths. #3 & #4 are structural features of labels (split by dot, e.g., “www.foo.com” has three labels: “www”, “foo” and “com”), since certain patterns in labels can be observed in data exfiltration traffic [7]. #5-7 check whether the domain names contain a certain pattern.
Linguistic Features: As domain names can be treated as strings, we also extract linguistic features (#8-16) to capture the differences in types of characters, including uppercase characters, digits, hex, vowels, consonants and underscores.
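An added Python example (not the paper's code) that computes features #1-#17 of Table 2 for a queried name; the exact ratio definitions, the TLD-stripped string the linguistic features are computed over, the two-label approximation of the registered domain, and the three sample domains are this example's own assumptions.

```python
"""Domain-name features #1-#17 of Table 2 for one queried name.

Added example, not the paper's code. The exact definitions of the ratio
features are this example's own assumptions (the paper does not spell them
out), the registered domain is approximated as the last two labels (no
public-suffix list is used), and the three sample domains are constructed.
"""
import math
import re
from collections import Counter
from typing import Dict, List

VOWELS = set("aeiou")
HEX_LABEL = re.compile(r"^[0-9a-f]+$")
IPV4_IN_NAME = re.compile(r"(?:^|\.)(?:\d{1,3}\.){3}\d{1,3}(?:\.|$)")


def labels(fqdn: str) -> List[str]:
    """Split 'www.foo.com.' into its labels ['www', 'foo', 'com']."""
    return fqdn.rstrip(".").split(".")


def is_consonant(c: str) -> bool:
    return c.isalpha() and c not in VOWELS


def shannon_entropy(text: str) -> float:
    """Feature #17: entropy of the character distribution, in bits/char."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(k / n * math.log2(k / n) for k in Counter(text).values())


def run_ratio(text: str, is_member) -> float:
    """Share of characters that sit inside a run of two or more consecutive
    members (assumed definition of features #15 and #16)."""
    covered, i = 0, 0
    while i < len(text):
        j = i
        while j < len(text) and is_member(text[j]):
            j += 1
        if j - i >= 2:
            covered += j - i
        i = max(j, i + 1)
    return covered / len(text) if text else 0.0


def extract_features(fqdn: str) -> Dict[str, float]:
    """Compute features #1-#17 of Table 2 for one queried domain name."""
    name = fqdn.rstrip(".")
    parts = labels(name)
    # Linguistic features are computed over every label except the TLD,
    # lower-cased with the dots removed (assumption, FANCI-style).
    body = "".join(p.lower() for p in parts[:-1])
    subdomain = ".".join(parts[:-2])  # left of the (approximate) registered domain
    letters = [c for c in body if c.isalpha()]
    counts = Counter(body)
    non_tld = max(len(parts) - 1, 1)
    return {
        "length": len(name),                                                  # #1
        "subdomain_length": len(subdomain),                                   # #2
        "num_labels": len(parts),                                             # #3
        "longest_label": max(len(p) for p in parts),                          # #4
        "has_one_char_label": any(len(p) == 1 for p in parts),                # #5
        "contains_ipv4": bool(IPV4_IN_NAME.search(name)),                     # #6
        "www_prefix": parts[0].lower() == "www",                              # #7
        "alphabet_size": len(counts),                                         # #8
        "uppercase_count": sum(c.isupper() for c in name),                    # #9
        "digit_ratio": sum(c.isdigit() for c in body) / len(body) if body else 0.0,  # #10
        # #11: share of non-TLD labels consisting only of hex digits (assumed)
        "hex_ratio": sum(bool(HEX_LABEL.match(p.lower())) for p in parts[:-1]) / non_tld,
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,  # #12
        "underscore_ratio": body.count("_") / len(body) if body else 0.0,    # #13
        # #14: share of distinct characters that occur more than once (assumed)
        "repeat_ratio": sum(v > 1 for v in counts.values()) / len(counts) if counts else 0.0,
        "consecutive_consonant_ratio": run_ratio(body, is_consonant),         # #15
        "consecutive_digit_ratio": run_ratio(body, str.isdigit),              # #16
        "entropy": shannon_entropy(body),                                     # #17
    }


# Constructed sample names: a popular site, an exfiltration-style hex payload
# in the subdomain, and a DGA-looking second-level label.
SAMPLE_DOMAINS = [
    "www.google.com",
    "4a6f686e446f652d7061796c6f61642d3031.exfil-site.example",
    "qwzxkjrtplmv.com",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        f = extract_features(d)
        print(f"{d}: len={f['length']} digits={f['digit_ratio']:.2f} "
              f"vowels={f['vowel_ratio']:.2f} cons_runs={f['consecutive_consonant_ratio']:.2f} "
              f"H={f['entropy']:.2f}")
```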
LEGEND:
(A) = H₂O Content, (%)
(B) = Accel. Chloropicrin Service Time, (Min.)
(C) = Chloropicrin
(D) = Phosgene
(E) = Hydrocyanic Acid
(F) = Arsine
(G) = Cyanogen Chloride
(H) = Trichloromethylchloroformate
(I) = Chlorine

Service Time, Minutes (Standard Conditions)

No.  Charcoal                Nation      (A)   (B)   (C)   (D)   (E)   (F)   (G)   (H)   (I)
 1   Poor cocoanut           U. S. A.      0    10   120   175    20    18    55    50   270
 2   Medium cocoanut         U. S. A.      0    30   350   260    25    25    65    65   370
 3   Good cocoanut           U. S. A.      0    60   620   310    27    30    75    70   420
 4   Same as No. 2 but wet   U. S. A.     12    18   320   330    35    16    35    95
 5   No. 2 impregnated       U. S. A.      0    35   400   700    70   400    70   190   510
 6   Wood                    French        0   2.5    25    75     9     0     1    20
 7   Wood                    British       0     6    70    90    18     4     5    30
 8   Peach stone             British       0    16   190   135    30    25    65    60
 9   Treated wood            German        0    42   230   105    20    20    22    25
10   No. 9 impregnated       German       30     9    90   320    16    11    10   120

Standard Conditions of Tests

Mesh of absorbent: 8-14
Depth of absorbent layer: 10 cm.
Rate of flow per sq. cm. per min.: 500 cc.
Concentration of toxic gas: 0.1 per cent
Relative humidity: 50 per cent
Temperature: 20°
Results expressed in minutes to the 99 per cent efficiency points. Results corrected to uniform concentrations and size of particles.

Soda-Lime
Charcoal is not a satisfactory all-round absorbent because it has too little capacity
for certain highly volatile acid gases, such as phosgene and hydrocyanic acid, and
because oxidizing agents are needed for certain gases. To overcome these
deficiencies the use of an alkali oxidizing agent in combination with the charcoal has
been found advisable. The material actually used for this purpose has been granules of
soda-lime containing sodium permanganate. Its principal function may be said to be to
act as a reservoir of large capacity for the permanent fixation of the more volatile acid
and oxidizable gases.
The development of a satisfactory soda-lime was a difficult problem. The principal
requirements follow: Its activity is not of vital importance, as the charcoal is able to take
up gas with extreme rapidity and then later give it off more slowly to the soda-lime.
Absorptive capacity is of the greatest importance, since the soda-lime is relied upon to
hold in chemical combination a very large amount of toxic gas. Both chemical stability
and mechanical strength are difficult to attain. The latter had never been solved until
the war made some solution absolutely imperative.

Composition of Regular Army Soda-Lime

The exact composition of the army soda-lime has undergone considerable modification from time to time as it has been found desirable to change the raw materials or the method of manufacture. A rough average formula which will serve to bring out the interrelation between the different constituents is as follows:

Composition of Wet Mix             Per Cent
Hydrated lime                      45
Cement                             14
Kieselguhr                         6
Sodium hydroxide                   1
Water                              33
After Drying
Moisture content                   8
After Spraying
Moisture content                   13 (approx.)
Sodium permanganate content        3 (approx.)
Within limits, the method of manufacture is more important than the composition or
other variables, and has been the subject of a great deal of research work even on
apparently minor details. The process finally adopted consists essentially in making a
plastic mass of lime, cement, kieselguhr, caustic soda, and water, spreading in slabs
on wire-bottomed trays, allowing to set for 2 or 3 days under carefully controlled
conditions, drying, grinding, and screening to 8-14 mesh, and finally spraying with a
strong solution of sodium permanganate with a specially designed spray nozzle. The
spraying process is a recent development, most of the soda-lime having been made by
putting the sodium permanganate into the original wet mix. Many difficulties had to be
overcome in developing the spraying process, but it eventually gave a better final
product, and resulted in a large saving of permanganate which was formerly lost during
drying, in fines, etc.

Function of Different Components

Lime. The hydrated lime furnishes the backbone of the absorptive properties of the
soda-lime. It constitutes over 50 per cent of the finished dry granule and is responsible
in a chemical sense for practically all the gas absorption.
Cement. Cement furnishes a degree of hardness adequate to withstand service
conditions. It interferes somewhat with the absorptive properties of the soda-lime and it
is an open question whether the gain in hardness produced by its use is valuable
enough to compensate for the decreased absorption which results.
Kieselguhr. The loss in absorptive capacity due to the presence of cement is in
part counterbalanced by the simultaneous introduction of a relatively small weight
though considerable bulk, of kieselguhr. In some cases, there seems to be a reaction
between the lime and the kieselguhr, which results in some increase in hardness.
Sodium Hydroxide. Sodium hydroxide has two primary functions in the soda-lime
granule. In the first place, a small amount serves to give the granule considerably more
activity. The second function is to maintain roughly the proper moisture content. This
water content (roughly 13-14 per cent after spraying) is very important, in order that the
maximum gas absorption may be secured.
Sodium Permanganate. The function of the sodium permanganate is to oxidize
certain gases, such as arsine,[30] and to act as an assurance of protection against
possible new gases. The purity of the sodium permanganate solution used was found
to be one of the most important factors in making stable soda-lime. It was, therefore,
necessary to work out special methods for its manufacture. Two such methods were
developed, and successfully put into operation.
Careful selection of other material is also necessary, and this phase of the work
contributed greatly to the final development of the form of soda-lime.
CHAPTER XIV
TESTING ABSORBENTS AND GAS MASKS

One of the first necessities in the development of absorbents and gas masks was a method of testing them and comparing their deficiencies. While the ultimate test of the value of an absorbent, canister or facepiece is, of course, the actual man test of the complete mask, the time consumed in these tests is so great that more rapid tests were devised for the control of these factors and the man test used as a check of the purely mechanical methods.

Testing of Absorbents[31]
Absorbents should be tested for moisture, hardness, uniformity of
sample and efficiency against various gases.
Moisture is simply determined by drying for two hours at 150°.
The loss in weight is called moisture.
The hardness or resistance to abrasion is determined by shaking a 50-gram sample with steel ball bearings for 30 minutes on a Ro-tap shaking machine. The material is then screened and the hardness number is determined by multiplying the weight of absorbent remaining on the screen by two.
The efficiency of an absorbent against various gases depends
upon a variety of factors. Because of this, it is necessary to select
standard conditions for the test. These were chosen as follows:
The absorbent under test is filled into a sample tube of specified
diameter (2 cm.) to a depth of 10 cm. by the standard method for
filling tubes, and a standard concentration (usually 1,000 or 10,000
p.p.m. by volume) of the gas in air of definite (50 per cent) humidity
is passed through the absorbent at a rate of 500 cc. per sq. cm. per
min. The concentration of the entering gas is determined by analysis.
The length of time is noted from the instant the gas-air mixture is
started through the absorbent to the time the gas or some toxic or
irritating reaction product of the gas begins to come through the
absorbent, as determined by some qualitative test. Quantitative
samples of the outflowing gas are then taken at known intervals and
from the amount of gas found in the sample the per cent efficiency of
the absorbent at the corresponding time is calculated.

Per cent efficiency = (p.p.m. entering gas - p.p.m. effluent gas) / (p.p.m. entering gas) × 100.
These efficiencies are plotted against the minutes elapsed from
the beginning of the test to the middle of the sampling period
corresponding to that efficiency point. A smooth curve is drawn
through these points and the efficiency of the absorbent is reported
as so many minutes to the 100, 99, 95, 90, 80, etc., per cent
efficiency points.
The apparatus used in carrying out this test is shown in Fig. 74.
Descriptive details may be found in the article by Fieldner in The
Journal of Industrial and Engineering Chemistry for June, 1919. With
modifications for high and low boiling materials, the apparatus is
adapted to such a variety of gases as chlorine, phosgene, carbon
dioxide, sulfur dioxide, hydrocyanic acid, benzyl bromide,
chloropicrin, superpalite, etc.
As the quality of the charcoal increased, the so-called standard
test required so long a period that an accelerated test was devised.
In this the rate was increased to 1,000 cc. per minute, the relative
humidity of the gas-air mixture was decreased to zero, and the
concentration was about 7,000 p.p.m. The rate is obtained by using
a tube with an internal diameter of 1.41 cm. instead of 2.0 cm.

Canisters
After an absorbent has been developed to a given point, and is
considered of sufficient value to be used in a canister, the materials
are assembled as described in Chapter XII. While the final test is the
actual use of the canister, machine tests have been devised which
give valuable information regarding the value of the absorbent in the
canister and the method of filling.

Fig. 74.—Standard Two-tube Apparatus for Testing Absorbents, Showing Arrangement for Gases Stored in Cylinders.
The first test must be that for leakage. The canister must show no
signs of leaking when submitted to an air pressure of 15 inches of
mercury (about half of the normal atmospheric pressure).
The second factor tested is the resistance to air flow. This is
determined at a flow of 85 liters per minute and should not exceed 3
inches. The latest canister design has a much lower resistance (from
2 to 2½ inches).
The third test is the efficiency of the canister against various
gases. For routine work, phosgene, chloropicrin and hydrocyanic
acid are used against the standard mixture of charcoal and soda-
lime: Chloropicrin is usually used against straight charcoal fillings,
while phosgene and hydrocyanic acid are used against soda-lime.

Fig. 75.—Apparatus for Testing Canisters Against Chloropicrin.
Different types of apparatus are required for these gases. They
are very complicated, as may be seen from the sketch in Fig. 75,
and yet a man very quickly learns the procedure necessary to carry
out a test of this kind. The gas is passed through the canister under
given conditions, until at the end of the apparatus a test paper or
solution indicates that the gas is no longer absorbed but is passing
through unchanged. This point is called the “break point,” and the
time required to reach this point is known as the life of the canister.
This time is also the time to 100 per cent efficiency. Other points,
such as 99, 95, 90 and 80 per cent efficiency are determined. These
are used in comparing canisters.
The canister tests were of two general classes: continuous and
intermittent. In the first the air-gas mixture was drawn through
continuously until the break point was reached. The results obtained
in this way, however, did not give the time measure of the value of a
canister in actual use. The intermittent test differs only in that the
flow of air-gas mixture is intermittent, corresponding to regular
breathing. Special valves were adapted to this work.
Canisters must also be tested as to the protection they offer
against smoke. These methods are discussed in Chapter XVIII.

Man Tests
The final test of the canister is always carried out by means of the
so-called “man test.” Special man-test laboratories were built at
Washington, Philadelphia and Long Island. These are so constructed
that, if necessary, a man may enter the chamber containing the gas
and thus test the efficiency of the completed gas mask. In most
cases, however, the canister is placed inside or outside the gas-
chamber and the men breathe through the canister, detecting the
break point by throat and lung irritation.
The following brief description of the man test laboratory at the American University will give a good idea of the plan and procedure.[32]
The man test laboratory is a one-story building, 56 ft. in length
and 25 ft. in width. The main part is occupied by three gas
chambers, laboratory tables, and various devices for putting up and
controlling gas concentrations in the chambers. A small part at one
end is used as an office and storeroom.
Good ventilation is of great importance in a laboratory of this
nature. This is secured by means of a 6 ft. fan connected to suitable
ducts. The fan is mounted on a heavy framework outside and at one
end of the building. The fan is driven at a speed of about 250 r.p.m.
by a 10 h.p. motor. The main duct is 33 in. square, extending to all
parts of the building. A connection is also made to a small hood used
when making chemical analyses.
The gases, fumes, etc., drawn out by the fan, are forced up and
out of a stack 30 in. in diameter, extending upward 55 ft. above the
ground level.
The main features of each of the three gas chambers are
identical. Auxiliary pieces of apparatus are used with each chamber,
the type of apparatus being determined by the characteristics of the
gas employed.
Fig. 76.—Man Test Laboratory, American University.

Each chamber is 10 ft. long, 8 ft. wide and 8½ ft. high, having,
therefore, a capacity of 680 cu. ft. or 19,257 liters. The floor is
concrete, and the walls and ceiling are constructed on a framework
of 2 × 4 in. scantling, finished on the outside with wainscoting and on
the inside with two layers of Upson board (laid with the joints lapped)
covered with a ½ in. layer of special cement plaster laid upon
expanded metal lath. The interior finish is completed by two coats of
acid-proof white paint. The single entrance to the chamber is from
outside the laboratory, and is closed by two doors, with a 36 × 40 in.
lock between them. These doors are solid, of 3-ply construction, 2½
in. thick, with refrigerator handles, which may be operated from
either inside or outside the chamber. The door jambs are lined with
³⁄₁₆ in. heavy rubber tubing to secure a tight seal.
At the end of the chamber opposite the doors, a pane of ¼ in.
wire plate glass, 36 × 48 in., is set into the wall, and additional
illumination may be secured by 2 headlights, 12 in. square, set into
the ceiling of the chamber and of the air-lock, respectively, and
provided with 200 watt Mazda lamps and Holophane reflectors.
Openings into the chamber, five in number, are spaced across this
end beneath the window and 9 in. above the table top.
Fans are installed for keeping the concentration uniform.

Fig. 77.—Details of Canister Holder.

Various devices have been installed for attaching the canister to
be tested (Fig. 77). This arrangement allows the canister to be
changed at will without any necessity for disturbing the concentration
of gas by entering the chamber.
Arrangements for removing the gas from the chamber consist of
a small “bleeder” which allows a continuous escape of small
amounts and a large blower for rapidly exhausting the entire
contents of the chamber.
Other general features of the equipment deal with the
determination of the physical conditions surrounding the tests, often a
matter of considerable importance. The temperature of the gas
inside the chamber is easily ascertained by means of a thermometer
suspended inside the window in such a position as to be read from
the outside. The relative humidity of the mixture of air and gas in the
chamber is determined by means of a somewhat modified Regnault
dew point apparatus mounted on the built-in table.

Pressure Drop and Leak Detecting Apparatus
Another piece of apparatus consists of a combined pressure drop
machine and leak tester (Fig. 78) for measuring the resistance of
canisters and testing them for faulty construction. This is mounted on
a small table, with the motor and air pump installed on a shelf
underneath. The resistance, or pressure drop, of canisters is
measured by the flow meter A and the water manometer B. Air is
drawn through the canister and the flow meter A at the rate of 85
liters per min., the flow being adjusted by the needle valve. The
pressure drop across the canister is read on the water manometer B,
one end of which is connected to the suction line, the other open to
the air. The reading is generally made in inches, correction being
made for the resistance of the connecting hose and the apparatus
itself.
Canisters are tested for leaks by the apparatus shown at D in Fig.
78. The canister is clamped down tightly by wing nuts against a
piece of heavy ¼-in. sheet rubber large enough to cover completely
the bottom of the canister and prevent any inflow of air through the
valve. Suction is then applied, and a leak is indicated by a steady
flow of air bubbles through the liquid in the gas-washing cylinder E. A
second gas-washing cylinder, empty, is inserted in the line between
E and the canister as a trap for any liquid drawn back when the
suction is shut off. If a leak is shown, it can be located by applying air
pressure to the canister and then immersing it in water.

Fig. 78.—Apparatus for Determining Pressure Drop and for Detecting
Leaks in Canisters.

Methods of Conducting Tests
Three general methods of conducting man tests are followed:
(1) Canisters are placed in the brackets outside the chamber or
fastened to the wall tubes within the chamber. The subjects of the
test remain outside the chamber, and the facepieces of the masks
are connected directly to the canisters, in the first case, and to the
wall tubes connecting with the canisters, in the second case. The
concentration is established and the time noted. Then the men put
on the masks and breathe until they can detect the gas coming
through the canisters. Reading matter is provided for the men during
the test period. When gas is detected, the time is again noted and
the time required for the gas to penetrate the canister is reported as
the “time to break down” or “service time” of the canister. Ten
canisters are tested at one time, and the average of the results for
the 10 canisters is taken for that type of canister. Much less accurate
results are obtained when the final figure is based on a small number
of canisters. This is largely due to the various breathing rates and
sensitiveness of different men.
(2) The canisters are placed as in (1), but it is only necessary to
know if they will give perfect protection for a given length of time.
The procedure is the same as in (1), except that the test is arbitrarily
stopped at the end of the indicated time, and the number of canisters
and the service times of the same noted.
(3) When the canisters are of such a type that they cannot be
properly tested as in (1), or when it is desired to test the penetrability
of the facepiece, the men wear the complete mask and enter the
chamber. They remain until gas penetrates the canister or the
facepiece, as the case may be, or until it is determined that the
desired degree of protection is afforded. The service time is
computed as in (1).
(4) Maximum-breathing-rate tests are made either by men inside the
chamber or by men outside it, in either case doing vigorous work on a
bicycle ergometer. In this test the average man will run his breathing
rate up to 60 or 70 liters per min.
The concentration of the gas is followed throughout the test by
aspirating samples and analyzing them.
Type of Masks Used. In the future the 1919 model will be used
for all tests. In general, during the War, the following procedure held,
although variations occurred in special cases:
When men entered a gas-chamber, the full facepiece was, of
course, required. The type of facepiece was determined by the
nature of the gas. If the gas was most easily detected by odor or eye
irritation, a modified Tissot mask was used. If it was most easily
detected by throat irritation, a mouth-breathing mask was employed.
When men were outside the chamber, the choice was made in
the same manner, except in the case of detection of the gas by
throat irritation. In this case the mouthpiece was attached to two or
three lengths of breathing tubes and a separate noseclip was used.
The facepiece was not needed and the men were much more
comfortable without it.
Disinfection of Masks. Mouthpieces are disinfected after use by
first holding them under a stream of running water and brushing out
thoroughly with a test tube brush; then the latter is dipped into a 2
per cent solution of lysol, and the inner parts of the mouthpiece are
brushed out well; finally the mouthpiece and exhaling valve are
dipped bodily into the lysol solution and allowed to dry without
rinsing. Tissot masks are wiped out with a cloth moistened in alcohol,
followed by another cloth moistened in 2 per cent lysol solution. The
flexible tubes are given periodic rinsings with 95 per cent alcohol.
Applicability of Man Tests. Man tests are applicable to all gases
which can be detected by the subject of the test before he breathes
a dangerous amount.
The man test laboratory described above provides facilities for
obtaining information concerning the efficiency of canisters,
facepieces, etc., within very short periods of time, without waiting for
the construction of special apparatus required for machine tests. To
get satisfactory results from machine tests, a delicate qualitative
chemical test for the gas is essential. Man tests can be made when
such a qualitative test is not known. Further, man tests can be made
with higher concentrations of some gases than is practicable with
machines. Evolution of excessive amounts of moisture when high
concentrations of some gases are used causes much more trouble
with machine tests than with man tests.
On the other hand, man tests are adversely affected by the
varying sensitiveness and lung capacities of the men, and the
humidity of the air-gas mixture is not subject to as exact control as is
the case with machine tests.

Field Tests
It will be observed that all of the above tests are concerned only
with the efficiency of the absorbent and its packing in the canister.
No attempt was made to determine the comfort and general “feel” of
the mask. For this purpose field tests were devised, covering periods
from two to five hours. The first test was a five-hour continuous
wearing test. It was assumed that any mask which could be worn for
five hours without developing any marked features of discomfort
could, if the occasion demanded it, be worn for a much longer period
of time. A typical test follows:
8:00 to 8:30    Instruction and adjustment of gas mask. Gas-chamber tests
8:30 to 9:30    Games involving mental and physical activity
9:30 to 11:30   Cross-country hike with suitable periods of rest
11:30 to 12:00  Tests of vision
12:00 to 12:30  Games to test mental condition of subjects
12:30 to 1:00   Gas-chamber fit test

Fig. 79.—Hemispherical Vision Chart.

Vision was tested by means of a hemispherical chart (Fig. 79).
This chart was 6 ft. in diameter and was constructed of heavy paper
laid over a wire frame. A hinged head rest was provided for holding
the subject’s head firmly in position with the center directly between
the eyes. The subject wearing the mask took up his position, and
with one eye closed at a time, indicated how far along the meridian
of longitude he could see with the other eye. The observer sketched
in the limit of vision by outlining the perimeter of the roughly circular
field allowed by each eyepiece. The intersection of the two fields
gave the extent of binocular vision possible with the mask.
Various other tests were also used, in order that the extent and
nature of the vision could be accurately determined.
Aside from the problems of comfort, protection, vision and other
important features of gas mask efficiency, the question arose as to
whether certain designs of masks or canisters were mechanically
able to withstand the rough treatment they were certain to receive in
actual field service. A test was, therefore, developed to simulate
such service as transportation of masks from base depots to the
front, carrying of supplies and munitions by men wearing masks in
the “alert” position, exposure to rain and mud, hasty adjustment of
masks during gas alarms and typical mistreatment of masks by the
soldiers.
All these tests were of great value in the development of a good
gas mask.
CHAPTER XV
OTHER DEFENSIVE MEASURES

Protective Clothing
Protective clothing was an additional feature of the general
program of protection. As far as factory protection is concerned, the
use of protective garments was more or less of a temporary
expedient and they were abandoned as fast as automatic machinery
and standard practice made their use less necessary. It is likewise a
question regarding their value at the front. It is very certain that the
garments developed needed to be made lighter and more
comfortable to be of much value to the fighting unit.
The first development of protective clothing was along the lines of
factory protection. The large number of casualties in connection with
the manufacture of mustard gas made it imperative that the workmen
be protected not only from splashes of the liquid mustard gas, but
also from its vapors. The first suit developed provided protection to
the entire body. The ordinary clothing materials and even rubberized
fabrics offered little protection but it was found that certain oilcloths
were practically impermeable to mustard gas. The suit was a single
garment, buttoning in the back, with no openings in the front, no
pockets and with tie-strings at wrists and ankles. The head was
protected by means of an aluminium helmet, supported by means of
a head band resting on the head like a cap and slung from the inside
of the helmet; this permitted slight head motions independent of the
helmet. In order to provide cooling and ventilating and pure air
breathing, the suit was inflated by pumping a considerable volume of
air into the suit through a flexible hose long enough to permit
considerable freedom of movement.