Security and Privacy in Communication Networks: 16th EAI International Conference, SecureComm 2020, Washington, DC, USA, October 21–23, 2020, Proceedings, Part II. Noseong Park (Ed.)
Noseong Park · Kun Sun · Sara Foresti · Kevin Butler · Nitesh Saxena (Eds.)

Security and Privacy in Communication Networks
16th EAI International Conference, SecureComm 2020
Washington, DC, USA, October 21–23, 2020
Proceedings, Part II

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 336

Editorial Board Members
Ozgur Akan
Middle East Technical University, Ankara, Turkey
Paolo Bellavista
University of Bologna, Bologna, Italy
Jiannong Cao
Hong Kong Polytechnic University, Hong Kong, China
Geoffrey Coulson
Lancaster University, Lancaster, UK
Falko Dressler
University of Erlangen, Erlangen, Germany
Domenico Ferrari
Università Cattolica Piacenza, Piacenza, Italy
Mario Gerla
UCLA, Los Angeles, USA
Hisashi Kobayashi
Princeton University, Princeton, USA
Sergio Palazzo
University of Catania, Catania, Italy
Sartaj Sahni
University of Florida, Gainesville, USA
Xuemin (Sherman) Shen
University of Waterloo, Waterloo, Canada
Mircea Stan
University of Virginia, Charlottesville, USA
Xiaohua Jia
City University of Hong Kong, Kowloon, Hong Kong
Albert Y. Zomaya
University of Sydney, Sydney, Australia
More information about this series at http://www.springer.com/series/8197
Editors
Noseong Park, Yonsei University, Seoul, Korea (Republic of)
Kun Sun, George Mason University, Fairfax, VA, USA
Sara Foresti, Dipartimento di Informatica, Università degli Studi di Milano, Milano, Italy
Kevin Butler, University of Florida, Gainesville, FL, USA
Nitesh Saxena, Division of Nephrology, University of Alabama, Birmingham, AL, USA

ISSN 1867-8211 ISSN 1867-822X (electronic)
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
ISBN 978-3-030-63094-2 ISBN 978-3-030-63095-9 (eBook)
https://doi.org/10.1007/978-3-030-63095-9

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2020
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, expressed or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface

We are delighted to introduce the proceedings of the 16th EAI International Conference
on Security and Privacy in Communication Networks (SecureComm 2020). This
conference has brought together researchers, developers, and practitioners from around
the world who are leveraging and developing security and privacy technology for a safe
and robust system or network.
These proceedings contain 60 papers, which were selected from 120 submissions
(an acceptance rate of 50%) from universities, national laboratories, and the private
sector from across the USA as well as other countries in Europe and Asia. All the
submissions went through an extensive review process by internationally-recognized
experts in cybersecurity.
Any successful conference requires the contributions of different stakeholder groups
and individuals, who have selflessly volunteered their time and energy in disseminating
the call for papers, submitting their research findings, participating in the peer reviews
and discussions, etc. First and foremost, we would like to offer our gratitude to the
entire Organizing Committee for guiding the entire process of the conference. We are
also deeply grateful to all the Technical Program Committee members for their time
and effort in reading, commenting, debating, and finally selecting the papers. We also
thank all the external reviewers for assisting the Technical Program Committee in their
particular areas of expertise as well as all the authors, participants, and session chairs
for their valuable contributions. Support from the Steering Committee and EAI staff
members was also crucial in ensuring the success of the conference. It was a great
privilege to work with such a large group of dedicated and talented individuals.
We hope that you found the discussions and interactions at SecureComm 2020,
which was held online, enjoyable, and that the proceedings will stimulate further
research.

October 2020

Kun Sun
Sara Foresti
Kevin Butler
Nitesh Saxena
Organization

Steering Committee
Imrich Chlamtac University of Trento, Italy
Guofei Gu Texas A&M University, USA
Peng Liu Penn State University, USA
Sencun Zhu Penn State University, USA

Organizing Committee
General Co-chairs
Kun Sun George Mason University, USA
Sara Foresti Università degli Studi di Milano, Italy

TPC Chair and Co-chair
Kevin Butler University of Florida, USA
Nitesh Saxena University of Alabama at Birmingham, USA

Sponsorship and Exhibit Chair
Liang Zhao George Mason University, USA

Local Chair
Hemant Purohit George Mason University, USA

Workshops Chair
Qi Li Tsinghua University, China

Publicity and Social Media Chairs
Emanuela Marasco George Mason University, USA
Carol Fung Virginia Commonwealth University, USA

Publications Chair
Noseong Park Yonsei University, South Korea

Web Chair
Pengbin Feng George Mason University, USA

Panels Chair
Massimiliano Albanese George Mason University, USA
Tutorials Chair
Fabio Scotti Università degli Studi di Milano, Italy

Technical Program Committee
Adwait Nadkarni William & Mary, USA
Amro Awad Sandia National Laboratories, USA
An Wang Case Western Reserve University, USA
Aziz Mohaisen University of Central Florida, USA
Birhanu Eshete University of Michigan - Dearborn, USA
Byron Williams University of Florida, USA
Cliff Zou University of Central Florida, USA
Cong Wang City University of Hong Kong, Hong Kong
Daniel Takabi Georgia State University, USA
Dave (Jing) Tian Purdue University, USA
David Barrera Carleton University, Canada
Debin Gao Singapore Management University, Singapore
Dinghao Wu Penn State University, USA
Eric Chan-Tin Loyola University Chicago, USA
Eugene Vasserman Kansas State University, USA
Fatima M. Anwar University of Massachusetts Amherst, USA
Fengyuan Xu Nanjing University, China
Girish Revadigar University of New South Wales, Australia
Gokhan Kul University of Massachusetts Dartmouth, USA
Huacheng Zeng University of Louisville, USA
Hyoungshick Kim Sungkyunkwan University, South Korea
Jeffrey Spaulding Canisius College, USA
Jian Liu The University of Tennessee at Knoxville, USA
Jiawei Yuan University of Massachusetts Dartmouth, USA
Jun Dai California State University, Sacramento, USA
Kai Bu Zhejiang University, China
Kai Chen Institute of Information Engineering, Chinese Academy
of Sciences, China
Karim Elish Florida Polytechnic University, USA
Kuan Zhang University of Nebraska-Lincoln, USA
Le Guan University of Georgia, USA
Maliheh Shirvanian Visa Research, USA
Martin Strohmeier University of Oxford, UK
Mengjun Xie The University of Tennessee at Chattanooga, USA
Mohamed Shehab University of North Carolina at Charlotte, USA
Mohammad Mannan Concordia University, Canada
Murtuza Jadliwala The University of Texas at San Antonio, USA
Neil Gong Duke University, USA
Patrick McDaniel Penn State University, USA
Pierangela Samarati Università degli Studi di Milano, Italy
Qiang Tang New Jersey Institute of Technology, USA
Rongxing Lu University of New Brunswick, Canada
Sankardas Roy Bowling Green State University, USA
Selcuk Uluagac Florida International University, USA
Seungwon Shin KAIST, South Korea
Shouhuai Xu The University of Texas at San Antonio, USA
Simon Woo SUNY Korea, South Korea
Suzanne Wetzel Stevens Institute of Technology, USA
Taegyu Kim Purdue University, USA
Thomas Moyer University of North Carolina at Charlotte, USA
Tzipora Halevi Brooklyn College, USA
Vinnie Monaco Naval Postgraduate School, USA
Wenhai Sun Purdue University, USA
Wenjing Lou Virginia Polytechnic Institute and State University,
USA
Wensheng Zhang Iowa State University, USA
Xiao Zhang Palo Alto Networks, USA
Xingliang Yuan Monash University, Australia
Yanchao Zhang Arizona State University, USA
Yingying Chen Rutgers University, USA
Yinzhi Cao Johns Hopkins University, USA
Yong Guan Iowa State University, USA
Yuan (Alex) Zhang Nanjing University, China
Yuan Zhang Fudan University, China
Z. Berkay Celik Purdue University, USA
Zhiqiang Lin Ohio State University, USA
Contents – Part II

A Practical Machine Learning-Based Framework to Detect DNS Covert Communication in Enterprises . . . . 1
Ruming Tang, Cheng Huang, Yanti Zhou, Haoxian Wu, Xianglin Lu, Yongqian Sun, Qi Li, Jinjin Li, Weiyao Huang, Siyuan Sun, and Dan Pei

CacheLoc: Leveraging CDN Edge Servers for User Geolocation . . . . 22
Mingkui Wei, Khaled Rabieh, and Faisal Kaleem

Modeling Mission Impact of Cyber Attacks on Energy Delivery Systems . . . . 41
Md Ariful Haque, Sachin Shetty, Charles A. Kamhoua, and Kimberly Gold

Identifying DApps and User Behaviors on Ethereum via Encrypted Traffic . . . . 62
Yu Wang, Zhenzhen Li, Gaopeng Gou, Gang Xiong, Chencheng Wang, and Zhen Li

TransNet: Unseen Malware Variants Detection Using Deep Transfer Learning . . . . 84
Candong Rong, Gaopeng Gou, Mingxin Cui, Gang Xiong, Zhen Li, and Li Guo

A Brokerage Approach for Secure Multi-Cloud Storage Resource Management . . . . 102
Muhammad Ihsan Haikal Sukmana, Kennedy Aondona Torkura, Sezi Dwi Sagarianti Prasetyo, Feng Cheng, and Christoph Meinel

On the Effectiveness of Behavior-Based Ransomware Detection . . . . 120
Jaehyun Han, Zhiqiang Lin, and Donald E. Porter

POQ: A Consensus Protocol for Private Blockchains Using Intel SGX . . . . 141
Golam Dastoger Bashar, Alejandro Anzola Avila, and Gaby G. Dagher

Share Withholding in Blockchain Mining . . . . 161
Sang-Yoon Chang

PEDR: A Novel Evil Twin Attack Detection Scheme Based on Phase Error Drift Range . . . . 188
Jiahui Zhang, Qian Lu, Ruobing Jiang, and Haipeng Qu

Differentially Private Social Graph Publishing for Community Detection . . . . 208
Xuebin Ma, Jingyu Yang, and Shengyi Guan

LaaCan: A Lightweight Authentication Architecture for Vehicle Controller Area Network . . . . 215
Syed Akib Anwar Hridoy and Mohammad Zulkernine

A Machine Learning Based Smartphone App for GPS Spoofing Detection . . . . 235
Javier Campos, Kristen Johnson, Jonathan Neeley, Staci Roesch, Farha Jahan, Quamar Niyaz, and Khair Al Shamaileh

AOMDroid: Detecting Obfuscation Variants of Android Malware Using Transfer Learning . . . . 242
Yu Jiang, Ruixuan Li, Junwei Tang, Ali Davanian, and Heng Yin

ML-Based Early Detection of IoT Botnets . . . . 254
Ayush Kumar, Mrinalini Shridhar, Sahithya Swaminathan, and Teng Joon Lim

Post-Quantum Cryptography in WireGuard VPN . . . . 261
Quentin M. Kniep, Wolf Müller, and Jens-Peter Redlich

Evaluating the Cost of Personnel Activities in Cybersecurity Management: A Case Study . . . . 268
Rafał Leszczyna

SGX-Cube: An SGX-Enhanced Single Sign-On System Against Server-Side Credential Leakage . . . . 275
Songsong Liu, Qiyang Song, Kun Sun, and Qi Li

EW256357: A New Secure NIST P-256 Compatible Elliptic Curve for VoIP Applications' Security . . . . 291
Nilanjan Sen, Ram Dantu, and Kirill Morozov

Ucam: A User-Centric, Blockchain-Based and End-to-End Secure Home IP Camera System . . . . 311
Xinxin Fan, Zhi Zhong, Qi Chai, and Dong Guo

Private Global Generator Aggregation from Different Types of Local Models . . . . 324
Chunling Han and Rui Xue

Perturbing Smart Contract Execution Through the Underlying Runtime . . . . 336
Pinchen Cui and David Umphress

Blockchain Based Multi-keyword Similarity Search Scheme over Encrypted Data . . . . 350
Mingyue Li, Chunfu Jia, and Wei Shao

Using the Physical Layer to Detect Attacks on Building Automation Networks . . . . 372
Andreas Zdziarstek, Willi Brekenfelder, and Felix Eibisch

Formalizing Dynamic Behaviors of Smart Contract Workflow in Smart Healthcare Supply Chain . . . . 391
Mohammad Saidur Rahman, Ibrahim Khalil, and Abdelaziz Bouras

Malware Classification Using Attention-Based Transductive Learning Network . . . . 403
Liting Deng, Hui Wen, Mingfeng Xin, Yue Sun, Limin Sun, and Hongsong Zhu

COOB: Hybrid Secure Device Pairing Scheme in a Hostile Environment . . . . 419
Sameh Khalfaoui, Jean Leneutre, Arthur Villard, Jingxuan Ma, and Pascal Urien

A Robust Watermarking Scheme with High Security and Low Computational Complexity . . . . 439
Liangjia Li, Yuling Luo, Junxiu Liu, Senhui Qiu, and Lanhang Li

Selecting Privacy Enhancing Technologies for IoT-Based Services . . . . 455
Immanuel Kunz, Christian Banse, and Philipp Stephanow

Khopesh - Contact Tracing Without Sacrificing Privacy . . . . 475
Friedrich Doku and Ethan Doku

Author Index . . . . 487


Contents – Part I

Email Address Mutation for Proactive Deterrence Against Lateral Spear-Phishing Attacks . . . . 1
Md Mazharul Islam, Ehab Al-Shaer, and Muhammad Abdul Basit Ur Rahim

ThreatZoom: Hierarchical Neural Network for CVEs to CWEs Classification . . . . 23
Ehsan Aghaei, Waseem Shadid, and Ehab Al-Shaer

Detecting Dictionary Based AGDs Based on Community Detection . . . . 42
Qianying Shen and Futai Zou

On the Accuracy of Measured Proximity of Bluetooth-Based Contact Tracing Apps . . . . 49
Qingchuan Zhao, Haohuang Wen, Zhiqiang Lin, Dong Xuan, and Ness Shroff

A Formal Verification of Configuration-Based Mutation Techniques for Moving Target Defense . . . . 61
Muhammad Abdul Basit Ur Rahim, Ehab Al-Shaer, and Qi Duan

Coronavirus Contact Tracing App Privacy: What Data Is Shared by the Singapore OpenTrace App? . . . . 80
Douglas J. Leith and Stephen Farrell

The Maestro Attack: Orchestrating Malicious Flows with BGP . . . . 97
Tyler McDaniel, Jared M. Smith, and Max Schuchard

pyDNetTopic: A Framework for Uncovering What Darknet Market Users Talking About . . . . 118
Jingcheng Yang, Haowei Ye, and Futai Zou

MisMesh: Security Issues and Challenges in Service Meshes . . . . 140
Dalton A. Hahn, Drew Davidson, and Alexandru G. Bardas

The Bitcoin Hunter: Detecting Bitcoin Traffic over Encrypted Channels . . . . 152
Fatemeh Rezaei, Shahrzad Naseri, Ittay Eyal, and Amir Houmansadr

MAAN: A Multiple Attribute Association Network for Mobile Encrypted Traffic Classification . . . . 172
Fengzhao Shi, Chao Zheng, Yiming Cui, and Qingyun Liu

Assessing Adaptive Attacks Against Trained JavaScript Classifiers . . . . 190
Niels Hansen, Lorenzo De Carli, and Drew Davidson

An Encryption System for Securing Physical Signals . . . . 211
Yisroel Mirsky, Benjamin Fedidat, and Yoram Haddad

A Cooperative Jamming Game in Wireless Networks Under Uncertainty . . . . 233
Zhifan Xu and Melike Baykal-Gürsoy

SmartSwitch: Efficient Traffic Obfuscation Against Stream Fingerprinting . . . . 255
Haipeng Li, Ben Niu, and Boyang Wang

Misreporting Attacks in Software-Defined Networking . . . . 276
Quinn Burke, Patrick McDaniel, Thomas La Porta, Mingli Yu, and Ting He

A Study of the Privacy of COVID-19 Contact Tracing Apps . . . . 297
Haohuang Wen, Qingchuan Zhao, Zhiqiang Lin, Dong Xuan, and Ness Shroff

Best-Effort Adversarial Approximation of Black-Box Malware Classifiers . . . . 318
Abdullah Ali and Birhanu Eshete

Review Trade: Everything Is Free in Incentivized Review Groups . . . . 339
Yubao Zhang, Shuai Hao, and Haining Wang

Integrity: Finding Integer Errors by Targeted Fuzzing . . . . 360
Yuyang Rong, Peng Chen, and Hao Chen

Improving Robustness of a Popular Probabilistic Clustering Algorithm Against Insider Attacks . . . . 381
Sayed M. Saghaian N. E., Tom La Porta, Simone Silvestri, and Patrick McDaniel

Automated Bystander Detection and Anonymization in Mobile Photography . . . . 402
David Darling, Ang Li, and Qinghua Li

SmartWiFi: Universal and Secure Smart Contract-Enabled WiFi Hotspot . . . . 425
Nikolay Ivanov, Jianzhi Lou, and Qiben Yan

ByPass: Reconsidering the Usability of Password Managers . . . . 446
Elizabeth Stobert, Tina Safaie, Heather Molyneaux, Mohammad Mannan, and Amr Youssef

Anomaly Detection on Web-User Behaviors Through Deep Learning . . . . 467
Jiaping Gui, Zhengzhang Chen, Xiao Yu, Cristian Lumezanu, and Haifeng Chen

Identity Armour: User Controlled Browser Security . . . . 474
Ross Copeland and Drew Davidson

Connecting Web Event Forecasting with Anomaly Detection: A Case Study on Enterprise Web Applications Using Self-supervised Neural Networks . . . . 481
Xiaoyong Yuan, Lei Ding, Malek Ben Salem, Xiaolin Li, and Dapeng Wu

Performance Analysis of Elliptic Curves for VoIP Audio Encryption Using a Softphone . . . . 503
Nilanjan Sen, Ram Dantu, and Mark Thompson

TCNN: Two-Way Convolutional Neural Network for Image Steganalysis . . . . 509
Zhili Chen, Baohua Yang, Fuhu Wu, Shuai Ren, and Hong Zhong

PrivyTRAC – Privacy and Security Preserving Contact Tracing System . . . . 515
Ssu-Hsin Yu

Author Index . . . . 527


A Practical Machine Learning-Based Framework to Detect DNS Covert Communication in Enterprises

Ruming Tang (1,2), Cheng Huang (3), Yanti Zhou (4), Haoxian Wu (3), Xianglin Lu (1,2), Yongqian Sun (5), Qi Li (1,2, corresponding author), Jinjin Li (4), Weiyao Huang (4), Siyuan Sun (4), and Dan Pei (1,2)

1 Tsinghua University, Beijing, China
[email protected], {peidan,qli01}@tsinghua.edu.cn
2 Beijing National Research Center for Information Science and Technology (BNRist), Beijing, China
[email protected]
3 BizSeer Technologies Co., Ltd., Beijing, China
[email protected], [email protected]
4 Bank of Communications, Shanghai, China
{zhouyt,lijj,huangweiyao,sunsiyuan}@bankcomm.com
5 Nankai University, Tianjin, China
[email protected]
Abstract. DNS is a key protocol of the Internet infrastructure, which ensures network connectivity. However, DNS suffers from various threats. In particular, DNS covert communication is a serious threat in enterprise networks, by which attackers establish stealthy communications between internal hosts and remote servers. In this paper, we propose D²C² (Detection of DNS Covert Communication), a practical and flexible machine learning-based framework to detect DNS covert communications. D²C² is an end-to-end framework that contains modular detection models, both supervised and unsupervised, which detect multiple types of threats efficiently and flexibly. We have deployed D²C² in a large commercial bank with 100 million DNS queries per day. During the deployment, D²C² detected over 4k anomalous DNS communications per day, achieving a high precision of over 0.97 on average. It uncovered a significant number of previously unnoticed security issues, including seven compromised hosts in the enterprise network.

Keywords: DNS · Malicious domain detection · Data exfiltration · DGA

1 Introduction

As a core infrastructure on the Internet, the Domain Name System (DNS) is commonly used in all kinds of Internet applications to translate easy-to-recognize domain names into IP addresses. Unfortunately, the DNS system suffers from known vulnerabilities, such as DDoS [27], spoofing [24] and other exploits [8,30,36]. To defend against these attacks, approaches such as [10,18,24] have been proposed. Unlike those traditional attacks, which target the DNS system itself, DNS covert communication is leveraged to transmit messages across the boundary between an enterprise's LAN (i.e., office network and datacenter) and the Internet, through DNS messages, in a stealthy and unauthorized manner. However, the defense against DNS covert communication in enterprises is still not well studied, and is the focus of this paper.

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2020
Published by Springer Nature Switzerland AG 2020. All Rights Reserved
N. Park et al. (Eds.): SecureComm 2020, LNICST 336, pp. 1–21, 2020.
https://doi.org/10.1007/978-3-030-63095-9_1

Fig. 1. Examples of (a) normal DNS lookups, (b) DNS-based data exfiltration, and (c) DNS-based C&C.
In enterprises, security tools are commonly deployed to closely monitor the traffic between the enterprise's LAN and the Internet, in order to detect serious attacks such as data exfiltration (which transmits valuable internal data to the Internet), command-and-control (C&C) of internal hosts by external attackers, and so on. However, data exfiltration and C&C that use covert communication via DNS traffic [7,8,22,23,28] are still hard to detect.
Figure 1 shows examples of a normal DNS lookup and of DNS covert communication. In the normal DNS lookup in Fig. 1(a), a normal host queries its local DNS server about google.com, and the local DNS server then iteratively queries the DNS root server and the .com top-level domain server (both are omitted in the figure) and relays the response (which indicates that the corresponding IP address is 172.217.164.100) from the authoritative name server for google.com to the host. Figure 1(b) shows an example of real point-of-sale (POS) malware, in which the POS malware exfiltrated credit card information in the domain names of DNS queries [20]. Such exfiltration incidents (e.g., MULTIGRAIN [20], UDPoS [28]) caused great losses to users and providers. The compromised host encodes the stolen credit card information as subdomains of the domain name to be queried, and when the query arrives at the authoritative name server controlled by the attacker, the attacker can easily decode the credit card information from the queried domain name. Figure 1(c) shows an example of DNS C&C [22], where a malware-infected host talks to and receives commands from its C&C server by sending a DNS query message to, and receiving the corresponding DNS response from, the compromised authoritative name server, which is the C&C server. In this example, the seemingly random domain name (rohgoruhgsorhugih.nl) being queried is actually dynamically generated by a Domain Generation Algorithm (DGA) and automatically synchronized between the compromised host and the C&C server [9,13,29,30,35,36].

Therefore, new detection methods are needed to detect these DNS covert communications, because traditional security tools based on blacklists, rules, and signatures cannot enumerate or capture the dynamically changing subdomain names in the DNS covert communications exemplified in Fig. 1(b) and (c).
Our intuitive idea for detecting DNS covert communication is to apply machine learning (ML) to capture a suspicious domain based on its features (see the feature list in Table 2, e.g., the length of the domain). Although this idea is promising, previous ML-based approaches along this direction have not yet been deployed in real-world enterprises, to the best of our knowledge, due to the following three challenges.
First, the performance of different ML algorithms might differ between enterprises, because the distribution of their DNS traffic data might be different. Furthermore, among the machine learning algorithms used in previous work, supervised models perform better and are preferred for some kinds of known threat types, while unsupervised models are preferred for unknown but rare threats. Thus, the algorithms used in the detection system should be generic and flexible (as opposed to fixed). Second, different DNS covert communication threats might have different patterns; thus previous machine-learning-based approaches, to the best of our knowledge, so far only focus on specific types of such attacks, e.g., [7,8] only detect data exfiltration, and [30] only detects DGA domains. However, enterprises in the real world are interested in detecting various attacks, and are thus reluctant to deploy the aforementioned piecemeal approaches that can detect only one type of DNS covert communication. Third, a practical ML-based detection system needs feedback mechanisms to add labeled data for re-training in the supervised approaches and/or to tune the parameters in the unsupervised approaches, and it should also fully utilize (as opposed to replace) the traditional DNS security tools such as the domain blacklist.
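As an added illustration of the feature-based detection idea sketched above (this code is not from the paper and is not part of the D²C² system), the following Python extracts a few per-domain features of the kind a detector would feed to its classifiers, such as total length, longest label, digit ratio and the entropy of the second-level label, from constructed DNS query names, and applies simple threshold rules in place of the trained supervised and unsupervised models. The sample names, the allowlist, the thresholds and the "registered domain = last two labels" shortcut are all assumptions made for this example; the only name taken from the page is rohgoruhgsorhugih.nl from Fig. 1(c).

```python
"""Feature extraction and rule-based triage for DNS query names.

Added illustration, not the paper's code: the features are the kind of
per-domain signals a detector such as D^2C^2 would feed to its classifiers;
the threshold rules stand in for the trained models and are assumptions
chosen for the constructed samples below.
"""
import math
from collections import Counter

# Constructed sample query names (not taken from the paper's dataset).
SAMPLE_QUERIES = [
    "www.google.com",
    "mail.example.org",
    "cdn.static.images.example.com",
    # a 40-character random-looking hex label, an exfiltration-style shape
    "3a7f19c2e4b8d6f0a1c3e5b7d9f2a4c6e8b0d2f4.upd.example.net",
    # the random-looking name shown in the paper's Fig. 1(c)
    "rohgoruhgsorhugih.nl",
]

# Constructed operator allowlist of registered domains already verified as
# benign; stands in for the known-good lists and analyst feedback loop.
KNOWN_GOOD = {"google.com"}


def labels_of(name):
    """Lowercase DNS labels of `name`, trailing dot removed."""
    return name.rstrip(".").lower().split(".")


def registered_domain(labels):
    # Assumption: registered domain = last two labels. A production system
    # would consult the public suffix list (e.g. for example.co.uk).
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def extract_features(name):
    """Per-domain features of the kind listed in the paper's Table 2."""
    labels = labels_of(name)
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return {
        "length": len(name),
        "num_labels": len(labels),
        "longest_label": max(len(label) for label in labels),
        "sld_length": len(sld),
        "sld_entropy": shannon_entropy(sld),
        "digit_ratio": sum(ch.isdigit() for ch in name) / len(name),
        "registered_domain": registered_domain(labels),
    }


# Stand-in thresholds (assumptions for this example, not values from the paper).
MAX_LABEL_LEN = 32       # a single label this long suggests an encoded payload
MAX_NAME_LEN = 52
MIN_DGA_SLD_LEN = 12
MIN_DGA_ENTROPY = 2.5


def triage(name):
    """Return the reasons `name` looks suspicious ([] if none)."""
    f = extract_features(name)
    if f["registered_domain"] in KNOWN_GOOD:
        return []
    reasons = []
    if f["longest_label"] >= MAX_LABEL_LEN or f["length"] >= MAX_NAME_LEN:
        reasons.append("long-label")        # exfiltration-style encoding
    if f["sld_length"] >= MIN_DGA_SLD_LEN and f["sld_entropy"] >= MIN_DGA_ENTROPY:
        reasons.append("random-looking")    # DGA-style domain
    return reasons


def scan(queries):
    """Map each flagged query name to its triage reasons."""
    flagged = {}
    for q in queries:
        reasons = triage(q)
        if reasons:
            flagged[q] = reasons
    return flagged


if __name__ == "__main__":
    for q, why in scan(SAMPLE_QUERIES).items():
        print(f"{q}: {', '.join(why)}  features={extract_features(q)}")
```

Running the block flags the long hex-label name as long-label and rohgoruhgsorhugih.nl as random-looking, while the three ordinary names pass. In a deployment the threshold rules would be replaced by the supervised or unsupervised detector suited to each threat type, and the allowlist would be populated from the analyst feedback and blacklist integration the paper calls for.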
To tackle the above challenges, in this paper we propose a practical, flexible
and end-to-end ML-based framework, called D²C² (Detecting DNS Covert
Communication), to effectively detect various DNS covert communications in
enterprises by leveraging supervised and unsupervised classifiers trained on
various types of features extracted from DNS logs.
4 R. Tang et al.
It is an end-to-end framework consisting of several modules with an intuitive
but efficient workflow, which is easy to deploy and maintain in enterprise
environments. One flexible detection module detects all types of covert
communication threats carried in domain names in DNS traffic. D²C² also uses
feedback from manual investigation of alerts to improve detection performance.
Detection results are aggregated and visualized for the operators, making D²C²
friendlier to its users.
The flexible detection module uses multiple modular detection models,
including supervised and unsupervised approaches, so that for each type of
threat the most suitable model (detector) can be applied. Based on the
aggregated results of all detectors, D²C² reveals covert communication threats
in a comprehensive way. The modular design also makes the system easy to
adapt: each detector can be adjusted individually, e.g., for model tuning or
re-training.
Our major contributions can be summarized as follows.

– We propose D²C², to the best of our knowledge the first practical, flexible,
and end-to-end ML-based framework that is easy to deploy in enterprises to
detect DNS covert communication threats.
– We design a modular threat detection component which consists of supervised
and unsupervised methods in series, and can be modified flexibly and
individually to handle the different data distributions of different
enterprises.
– We deployed D²C² in a large commercial bank with more than 25K hosts,
processing more than 100 million DNS queries per day. To the best of our
knowledge, D²C² is the first large-scale deployment of a DNS covert
communication detection system in the wild.
– In our evaluation over 5 billion DNS logs, D²C² efficiently detected around
4k anomalous logs per day with high precision (over 0.97). It uncovered real
covert communication threats in the wild, including 7 compromised hosts
previously unknown to the operators.

2 Background

2.1 Domain Name System

A DNS log contains several important fields: NAME (the queried domain name),
TYPE (A for an IPv4 address, CNAME for a canonical name, TXT for text records,
etc.), and RDATA (the resource data) [21]. For example, the query in Fig. 1(a)
contains the queried name (www.google.com), class (IN) and type (A). The
response log contains the response, i.e., RCODE (response code), TTL (time to
live) and the answer, together with the corresponding query. The answer is the
IPv4 address(es) for the queried name. RCODE indicates the status of the
answer: NOERROR (in this example) means a normal answer, and NXDOMAIN indicates
that the queried name does not exist.
A Practical Machine Learning-Based Framework 5

Fig. 2. Typical types of external exploits against DNS.

Although DNS is a fundamental system that many services rely on, some
enterprise operators treat DNS as a “set and forget” infrastructure, and do not
keep it up to date with the latest security mechanisms [17]. For example,
DNSSEC [12] was proposed as a security extension of DNS long ago, but its
adoption has been slow until recently [10,15]. Some operators only pay
attention to DNS availability, when DNS servers go wrong.
Figure 2 shows some typical exploits against DNS [17]. Attacks against the DNS
infrastructure itself (i.e., DDoS and spoofing) are much easier to notice
because they cause failures or errors in DNS servers. DDoS (Distributed Denial
of Service) attacks compromise the availability of DNS, and spoofing
(redirecting users to attackers) leads to wrong or unreachable destinations.
Besides these, some attackers take advantage of the lack of monitoring on DNS
traffic and choose DNS as a channel for covert communication (in bold in
Fig. 2), which is much harder to notice.

2.2 Covert Communications in DNS Channel


In this paper, we focus on DNS covert communication, one of the most important
DNS-related threats in enterprise environments, where operators pay close
attention to malicious communication with the Internet. In a covert
communication case, attackers use DNS to establish a communication channel
between compromised hosts and remote servers without being noticed by other
security measures.
A common attack is to encode data in certain fields of the DNS packet
[8,17,31]. Attackers can simply use subdomains as payloads, encoding data into
the NAME field like “<encoded...information>.evildomain.com.” as shown in
Fig. 1(b); this is known as data exfiltration. Such encoded data are usually
long strings that are not commonly seen in normal domain names. Some attackers
also use the DNS channel for C&C communication between compromised hosts and
remote C&C servers; in this way, the compromised hosts can inform the attackers
of their current status. Figure 1(c) shows an example of a host querying a C&C
domain generated by a domain generation algorithm (IRCBot). The difference from
popular domain names is obvious: this domain name contains no recognizable
words or abbreviations.
In general, malicious communication through the DNS channel can be determined
by two indicators: whether the DNS packets carry malicious payloads, and
whether the hosts connect to malicious destinations. As mentioned before, the
domain name directly tells where the host is trying to reach, and it can also
be used to carry messages. Besides the domain name in the NAME field, the RDATA
field in responses also provides a good payload for attackers. RDATA fields in
CNAME or TXT records allow more characters to be sent, which means larger
“bandwidth” for attackers [17,23]. However, type A (and AAAA) logs account for
the vast majority of all DNS logs (see the data trace statistics in Sect. 5);
therefore, in this paper we consider anomalies in domain names as the primary
threats to be detected.
In this paper, we only focus on domains related to covert communication
threats (mainly data exfiltration and C&C). Note that not all malicious domains
are related to covert communication. Some malicious domains are disguised for
phishing, e.g., Domain Shadowing (hijacking legitimate domains and creating new
subdomains to redirect users [19]) and Typo-Squatting (registering domain names
similar to popular websites to exploit users' typos [34]); these are not
considered covert communication.

2.3 Related Work

Exfiltration domain names, by nature, carry more information because of the
extra payload, and are thus longer than normal ones. Hence, some security
engineers detect suspicious domains using a threshold on domain name length.
However, such threshold-based signatures do not always work, since a static
threshold can easily be evaded. In recent years, anomaly detection approaches
have been proposed to detect exfiltration based on features in DNS traffic. Das
et al. detect encoded data in DNS traffic related to exfiltration and tunneling
[11]. Ahmed et al. present an Isolation Forest approach to detecting
exfiltration in an enterprise [7,8]. However, these approaches have not been
tested on real attacks in the wild, only on synthetic data generated by
toolkits.
Much prior work on C&C communication has focused on DGAs [9,13,29,30,35,36],
which are widely used to generate seemingly random domain names
(Algorithmically-Generated Domains, AGDs). AGDs appear in many security events,
for instance botnets, to evade traditional blocking mechanisms like blacklists,
sinkholes or signature-based firewalls. Many prior studies use classifiers to
detect AGDs because they differ from normal domain names. Antonakakis et al.
present an approach to detecting DGAs based on bipartite graph recursive
clustering and multi-class alternating decision trees over NXDOMAIN responses
(queries for non-existent domains) [9]. Schüppen et al. propose FANCI, using
Random Forests (RF) and Support Vector Machines (SVM) to detect DGAs with high
accuracy [30]. Sun et al. use a Heterogeneous Information Network to model DGAs
and detect them via transductive classification [33]. Tong et al. propose D3N,
a system using Convolutional Neural Networks (CNN) to detect DGA domains from
NXDOMAIN responses [35]. Most of these classifiers are supervised, because
researchers can easily obtain DGA domains as positive samples by generating
them synthetically, but unsupervised approaches have also been used. Gao et al.
use X-Means to cluster domains, also from NXDOMAIN responses [13]. Zang et al.
extract features from domain names and other registration information and use
the X-Means algorithm to detect AGDs related to Fast-flux [36].

Fig. 3. The framework overview of D²C². Figure (a) shows the overview of the
three stages in D²C². Figure (b) shows the detailed workflow of the Threats
Detection module. Dashed lines denote malicious samples detected and dotted
lines denote benign ones.
Summary: Each of the aforementioned prior studies focuses on just one specific
type of anomalous domain name. However, in enterprises, operators face threats
of all kinds, and would need a lot of effort to assemble and tune the above
“piecemeal” solutions. Therefore, we aim to design a generic framework that is
directly deployable and detects multiple types of covert communication threats
with high flexibility.

3 Framework Overview

In this section, we present the core idea of our design and an overview of D²C².

3.1 Design Goal

Our design goal is to develop a practical framework to detect covert
communication in DNS traffic in enterprise environments. Such a framework
should be easy to deploy in real-world enterprise environments, and it should
achieve high performance with low overhead.
DNS covert communication consists of data exfiltration, C&C communication and
other kinds of threats. To detect these threats, a multi-class classifier seems
suitable. However, using one detection model for all of the above threats would
be inflexible, and such a complex model is hard to tune, which we want to avoid
as much as we can, since the data distribution changes over time and across
enterprises. Therefore, we use multiple individual detection models (each one
called a detector and focused on certain types of DNS covert communication
threats) instead of one complex model. For each detector, we can choose the
most effective algorithm based on its performance and on feedback. Such a
modular detection module lets us update or replace models flexibly. For
example, when the data distribution changes (e.g., over time or when new APIs
are deployed), re-training or model tuning can be done individually, without
adjusting the overall system workflow. Such updates can be triggered
periodically or manually based on feedback. As a result, the workflow of D²C²
stays the same, making it easy to deploy in practice, while the detection
models remain flexible enough to be modified for better performance in
real-world detection.

Table 1. Alternative models for each detector.

Detector          | Alternative models
------------------|---------------------------------------------------------------
Data exfiltration | Random forest (RF), support vector machine (SVM), multi-layer perceptron (MLP)
DGA               | RF, SVM & MLP
Outlier           | Isolation forest (iForest), X-Means

Manual investigation is necessary for a security system to confirm, analyze
and mitigate reported threats. We want D²C² to learn from these manual
investigations, so we design D²C² as a human-in-the-loop (HITL) system with
feedback from security engineers. All investigation results can be further
utilized for threshold adjustment, model tuning or re-training.

3.2 Overview

A system overview of D²C² is shown in Fig. 3(a). It is divided into three major
stages. The Processing Stage reads and parses raw data. The Detection Stage
extracts features and detects threats in DNS logs via machine learning based
algorithms. The Investigation Stage confirms the detection results and
generates the overall reports for operators.
Processing Stage: This stage has only one module, Data Parsing. D²C² parses
the raw data, extracting user demographics, DNS packets and other network
information. The raw data consists of both DNS queries and DNS responses. As
mentioned in Sect. 2.1, a DNS response already contains its corresponding
query, so for a query which has a response, D²C² only parses the response as
input. A query without a response (due to time-out or other errors) is used
directly as input with an added tag “no response”.
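As an added illustration of the pairing rule above (and of the log fields listed in Sect. 2.1), the following Python is example code written for this edition, not the D²C² implementation. It assumes a simple tab-separated sensor format (timestamp, direction, transaction id, client, NAME, class, TYPE, RCODE, TTL, RDATA, with “-” for fields a query does not carry); the trace it parses is constructed. Responses stand in for their queries, unanswered queries are passed through with the “no response” tag, and the output is ordered by time.

```python
"""Added example (not the D²C² implementation): pairing DNS queries with their
responses as the Processing Stage describes.  Assumed sensor format, one
packet per tab-separated line:
timestamp, direction (Q/R), txid, client, NAME, class, TYPE, RCODE, TTL, RDATA
with "-" for fields a query does not carry."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample trace: an answered query, an NXDOMAIN answer to an
# exfiltration-style name, and a query that never gets a response.
SAMPLE_TRACE = """\
1600000000.001\tQ\t0x1a2b\t10.0.0.5\twww.google.com\tIN\tA\t-\t-\t-
1600000000.020\tR\t0x1a2b\t10.0.0.5\twww.google.com\tIN\tA\tNOERROR\t300\t142.250.72.4
1600000000.031\tQ\t0x1a2c\t10.0.0.5\tNJ4Q2BRGKVWWR3DK.evildomain.com\tIN\tA\t-\t-\t-
1600000000.055\tR\t0x1a2c\t10.0.0.5\tNJ4Q2BRGKVWWR3DK.evildomain.com\tIN\tA\tNXDOMAIN\t-\t-
1600000000.070\tQ\t0x1a2d\t10.0.0.7\tqwdpluxsbmhkjf.net\tIN\tA\t-\t-\t-
"""


@dataclass
class DnsRecord:
    """One input record for the detection stage: a response (which carries its
    query's NAME/class/TYPE plus RCODE, TTL and RDATA) or an unanswered query."""
    ts: float
    client: str
    qname: str
    qclass: str
    qtype: str
    rcode: Optional[str] = None
    ttl: Optional[int] = None
    rdata: Optional[str] = None
    tags: List[str] = field(default_factory=list)

    @property
    def answered(self) -> bool:
        return self.rcode is not None


def _opt(value: str) -> Optional[str]:
    return None if value == "-" else value


def process_trace(text: str) -> List[DnsRecord]:
    """Emit one record per query: the response where one was seen, otherwise the
    query itself tagged "no response".  Output is ordered by timestamp."""
    pending: Dict[Tuple[str, str, str, str], DnsRecord] = {}
    out: List[DnsRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 10:
            raise ValueError(f"malformed log line: {line!r}")
        ts, direction, txid, client, qname, qclass, qtype, rcode, ttl, rdata = parts
        qname = qname.rstrip(".")                     # keep case: uppercase is a feature later
        key = (txid, client, qname.lower(), qtype)    # txid alone is not unique across clients
        if direction == "Q":
            pending[key] = DnsRecord(float(ts), client, qname, qclass, qtype)
        elif direction == "R":
            rec = DnsRecord(float(ts), client, qname, qclass, qtype,
                            rcode=_opt(rcode),
                            ttl=int(ttl) if ttl != "-" else None,
                            rdata=_opt(rdata))
            if pending.pop(key, None) is None:
                rec.tags.append("unsolicited response")   # no query seen for it (example choice)
            out.append(rec)
        else:
            raise ValueError(f"unknown direction {direction!r}")
    for query in pending.values():                   # whatever is left never got an answer
        query.tags.append("no response")
        out.append(query)
    out.sort(key=lambda r: r.ts)
    return out


if __name__ == "__main__":
    for r in process_trace(SAMPLE_TRACE):
        print(f"{r.client:10} {r.qname:35} {r.qtype} rcode={r.rcode} tags={r.tags}")
```

The pairing key deliberately includes the client address and the queried name, because a 16-bit transaction id repeats quickly across a 25K-host estate; a response that matches no pending query is kept but tagged, since that is itself worth a look.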
Detection Stage: The detection stage is composed of three modules: Blacklist,
Feature Extraction and Threats Detection. The Blacklist module first filters
the logs, to efficiently detect known malicious domains with low overhead. It
is created from the enterprise blacklist maintained by the operators and is
updated with manual investigation feedback and threat intelligence. Second, the
Feature Extraction module extracts features from the remaining logs. Last, we
detect multiple types of threats using the Threats Detection module. This
module contains multiple chosen classifiers (detectors), each of which focuses
on one or more specific types of threats. Detectors can be modified as the
data changes. The results of all detectors are aggregated and then sent for
further investigation.

Table 2. Features extracted from the domain names. The last column gives the
supervised detectors that use each feature (the Outlier Detector uses all of
them); where the extracted table shows a single mark, the column it belonged
to could not be recovered.

#  | Feature                         | Type    | Used by
---|---------------------------------|---------|----------------------------
1  | Length of domain name           | Integer | D-Exfil, D-DGA
2  | Length of subdomain             | Integer | one of D-Exfil / D-DGA
3  | No. of labels                   | Integer | D-Exfil, D-DGA
4  | Longest label length            | Integer | D-Exfil, D-DGA
5  | Contains one-character label    | Boolean | Outlier Detector only
6  | Contains IPv4                   | Boolean | Outlier Detector only
7  | Has “WWW” prefix                | Boolean | Outlier Detector only
8  | Alphabet size                   | Integer | one of D-Exfil / D-DGA
9  | No. of uppercase characters     | Integer | one of D-Exfil / D-DGA
10 | Ratio of digits                 | Float   | D-Exfil, D-DGA
11 | Ratio of hexadecimal parts      | Float   | one of D-Exfil / D-DGA
12 | Ratio of vowels                 | Float   | one of D-Exfil / D-DGA
13 | Ratio of underscores            | Float   | Outlier Detector only
14 | Ratio of repeated characters    | Float   | one of D-Exfil / D-DGA
15 | Ratio of consecutive consonants | Float   | one of D-Exfil / D-DGA
16 | Ratio of consecutive digits     | Float   | D-Exfil, D-DGA
17 | Shannon entropy [16]            | Float   | D-Exfil, D-DGA
18 | Gibberish score [26]            | Float   | one of D-Exfil / D-DGA
19 | Bigram of domain name           | Vector  | one of D-Exfil / D-DGA
A more detailed architecture of Threats Detection is shown in Fig. 3(b), with
three detectors in series. Simply, a sample detected as malicious by one detector
will be stored, and a benign sample will be moved to the next detector. After
all detectors are done, the results will be aggregated and sent to the investiga-
tion module. For each detector, different models can be applied based on their
performance in practice. Table 1 lists the algorithms we used for these detectors
during deployment. The detector workflow will be described in Sect. 4.
Investigation Stage: The investigation stage is divided into three modules:
Whitelist, Manual Investigation and Visualization. On receiving the detection
results, the Whitelist module flags certain samples before they reach the
operators. Some queries generated by trusted applications (usually security
products from different vendors) behave much like attackers, e.g., by sending
data through the DNS channel, which would otherwise result in unnecessary
alerts. Similar to the blacklist, the whitelist is created and updated by the
enterprise operators. The remaining results are reported to the Manual
Investigation module, where operators and security engineers check the
detection results. False alerts are used as feedback to our detectors, which
may trigger changes of thresholds or feature weights, or even re-training of
the machine learning models. Confirmed threats are reported and visualized for
analysis and display in the Visualization module.

4 Features and Detectors

In this section, we first present the features we extract from domain names.
Then we explain the detailed implementation workflow of threat detectors and
alternative algorithms used in these detectors.

4.1 Feature Extraction

The performance of machine learning-based detection relies on feature
engineering, so the feature extraction module must be carefully designed. The
queried domain name indicates whether the host is connecting to a dangerous
target or not; therefore, if we can flag a suspicious domain, we can flag the
suspicious DNS query as well. Data exfiltration domains, which encode messages
in the subdomain, are likely to contain more characters. On the other hand,
domain names generated by DGAs, as mentioned in Sect. 2.3, often appear more
random than normal domains. For example, the ratio of numerical characters and
the length of the longest meaningful substring (LMS) separate DGA domains from
others [17], which indicates the different construction of suspicious domain
names. In summary, we choose features widely used in data exfiltration
detection [7,8] and DGA detection [9,25,29,30] for our detectors. Not all
features from prior work are used; some were removed because of their low
feature importance in experiments on a small-scale labeled dataset. In
addition, we added two features, #18 and #19 in Table 2, where we list all the
features used in D²C². Note that we do not claim the features in Table 2 as
our contributions.
Structural Features: Differences in the construction of domains are indicated
by structural features. Length (#1 & #2 in Table 2) is an important feature
since more characters mean more information, and many DGA families generate
domains within a certain range of lengths. #3 & #4 are structural features of
labels (split by dots, e.g., “www.foo.com” has three labels: “www”, “foo” and
“com”), since certain patterns in labels can be observed in data exfiltration
traffic [7]. #5–7 check whether the domain name contains a certain pattern.
Linguistic Features: As domain names can be treated as strings, we also
extract linguistic features (#8–16) to capture differences in the types of
characters, including uppercase characters, digits, hexadecimal characters,
vowels, consonants and underscores. Most features are self-explanatory; we
discuss the rest. Alphabet size is the number of unique characters in the
domain name. Ratio of repeated characters (#14) is the number of unique
characters that occur more than once, divided by the alphabet size. Ratio of
consecutive consonants (#15) is the sum of the lengths of all consonant runs
longer than 1, divided by the domain name length. Ratio of consecutive digits
(#16) is defined analogously to #15.
Statistical Features: We choose three statistical features commonly used to
measure the information in a sequence: Shannon entropy (#17), Gibberish score
(#18) and N-grams. The Gibberish score we implemented is based on a Markov
chain model [6,26]. It determines how “meaningful” the content of a domain is:
a string with more meaningful words gets a higher score. Furthermore, we use
bigrams (#19) in feature extraction. We computed the top-200 bigrams on
historical benign domains and the Majestic Top Websites [5]. We then check the
presence of each of these 200 bigrams in each domain name to form an N × 200
matrix (N denotes the number of domains for feature extraction). Since not all
of the bigrams have high feature importance, to lower the overhead we use
Principal Component Analysis (PCA) to reduce the 200 dimensions to 15. Thus,
for each domain name, we get a 1 × 15 vector as its bigram feature.
Different features are used for different detectors, based on feature impor-
tance. The features used for Data Exfiltration Detector (D-Exfil ) and DGA
Detector (D-DGA) are marked in Table 2. As Outlier Detector aims to catch
any threats missed by the two previous detectors, it uses all features in the list.
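The features in Table 2 can be computed directly from the domain string. The Python below is an added example, not the D²C² feature extractor: it implements features #1–17 and a bigram presence vector (#19, without the PCA step) and omits the Gibberish score (#18). Two definitions the paper leaves open are assumptions here: the registered domain is taken to be the last two labels, and a “hexadecimal part” is a run of four or more hex characters. The bigram list is a ten-entry stand-in for the paper's top-200, and the sample domains are constructed.

```python
"""Added example (not the D²C² feature extractor): the Table 2 features
computed from a domain string in pure Python.  Assumptions are marked."""
import math
import re
from collections import Counter
from typing import Callable, Dict, List

VOWELS = set("aeiou")
IPV4_RE = re.compile(r"(?:^|\.)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?=\.|$)")
HEX_RUN_RE = re.compile(r"[0-9a-fA-F]{4,}")   # assumption: "hexadecimal part" = hex run of >= 4 chars
# Assumption: a tiny stand-in for the paper's top-200 bigrams from benign domains.
TOP_BIGRAMS: List[str] = ["oo", "om", "co", "le", "go", "in", "er", "ww", "gl", "ma"]

# Constructed sample domains.
SAMPLE_DOMAINS = [
    "www.google.com",                    # ordinary
    "NJ4Q2BRGKVWWR3DK.evildomain.com",   # exfiltration-like encoded subdomain
    "qwdpluxsbmhkjf.net",                # DGA-like, no recognisable words
]


def _run_ratio(name: str, member: Callable[[str], bool]) -> float:
    """Sum of the lengths of all runs (longer than 1) of characters accepted by
    `member`, divided by the name length (#15 / #16)."""
    total = run = 0
    for ch in name + "\0":               # sentinel flushes the last run
        if member(ch):
            run += 1
            continue
        if run > 1:
            total += run
        run = 0
    return total / len(name)


def shannon_entropy(name: str) -> float:
    """#17: character entropy in bits."""
    n = len(name)
    return -sum(c / n * math.log2(c / n) for c in Counter(name).values())


def extract_features(qname: str) -> Dict[str, object]:
    name = qname.rstrip(".")
    if not name:
        raise ValueError("empty domain name")
    labels = name.split(".")
    lower = name.lower()
    n = len(name)
    counts = Counter(name)
    # Assumption: registered domain = last two labels (no public-suffix list here).
    subdomain = ".".join(labels[:-2])
    hex_chars = sum(len(m.group(0)) for m in HEX_RUN_RE.finditer(name))
    has_ipv4 = any(all(int(g) <= 255 for g in m.groups()) for m in IPV4_RE.finditer(name))
    # bigrams are taken within labels only, never across a dot
    bigrams = {lab[i:i + 2] for lab in lower.split(".") for i in range(len(lab) - 1)}
    return {
        "length": n,                                              # 1
        "subdomain_length": len(subdomain),                       # 2
        "num_labels": len(labels),                                # 3
        "longest_label": max(len(lab) for lab in labels),         # 4
        "one_char_label": any(len(lab) == 1 for lab in labels),   # 5
        "contains_ipv4": has_ipv4,                                # 6
        "has_www": labels[0].lower() == "www",                    # 7
        "alphabet_size": len(counts),                             # 8
        "uppercase": sum(ch.isupper() for ch in name),            # 9
        "digit_ratio": sum(ch.isdigit() for ch in name) / n,      # 10
        "hex_ratio": hex_chars / n,                               # 11
        "vowel_ratio": sum(ch in VOWELS for ch in lower) / n,     # 12
        "underscore_ratio": name.count("_") / n,                  # 13
        "repeat_ratio": sum(c > 1 for c in counts.values()) / len(counts),  # 14
        "consec_consonant_ratio": _run_ratio(lower, lambda c: c.isalpha() and c not in VOWELS),  # 15
        "consec_digit_ratio": _run_ratio(name, str.isdigit),      # 16
        "entropy": shannon_entropy(name),                         # 17
        "bigram_vector": [int(b in bigrams) for b in TOP_BIGRAMS],  # 19, before PCA
    }


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        f = extract_features(d)
        print(f"{d:35} len={f['length']:2} longest={f['longest_label']:2} "
              f"digits={f['digit_ratio']:.2f} vowels={f['vowel_ratio']:.2f} H={f['entropy']:.2f}")
```

All ratios are divided by the full name length (dots included), following the paper's definition of #15; case is preserved on input because #9 counts uppercase characters, and only the vowel, consonant and bigram computations lower-case the string.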

4.2 Anomaly Detection Methods

As mentioned before, in enterprise environments, two popular targets of covert
communication are data exfiltration and C&C communication; DGA domains are the
most common in C&C scenarios, while manually forged domain names are very
rare. Therefore, we design two specific detectors, the Data Exfiltration
Detector and the DGA Detector, for these two main threats. For the other
suspicious domains left in the DNS logs, we use an extra Outlier Detector in
order to cover as many threats as possible.
The implementation of multiple standalone detectors gives D²C² high
flexibility. For each individual detector, the algorithm can be updated or
replaced easily, according to the performance of the alternative algorithms.
The algorithms chosen during our study are listed in Table 1. To better
evaluate the flexibility and performance of our system, for each detector we
picked several popular algorithms based on prior research [8,19,30,32]. The
Data Exfiltration and DGA Detectors use supervised algorithms, including
random forest (RF), support vector machine (SVM) and multi-layer perceptron
(MLP). The Outlier Detector uses unsupervised algorithms, including isolation
forest (iForest) and X-Means. Note that X-Means is a clustering algorithm, so
we compute the distance from each sample to its cluster center as an indicator
of anomaly, in two ways: 1) if a sample's distance is larger than a given
threshold, the sample is labeled as an outlier; 2) if the average distance of
all samples in a cluster is larger than the threshold, the whole cluster is
marked as an outlier cluster. The other algorithms are all binary classifiers,
and we use their predicted labels directly as the classification results. All
of these methods use the features described in Sect. 4.1.

4.3 Workflow of All Detectors


The threat detection module is the primary module in D²C² and one of the main
contributions of this paper. It contains multiple detectors, including
supervised and unsupervised approaches, so the workflow of all detectors
should be well designed to make them work together efficiently. The general
idea of the cooperation between the two kinds of approaches is: supervised
approaches focus on detecting known threats, while unsupervised approaches try
to catch rare unknown threats.
All three detectors flag covert communication threats based on suspicious
domains, which are mainly data exfiltration and C&C communication cases. As
mentioned before, supervised methods are more suitable for detecting known
threats, so we implemented two supervised detectors (the Data Exfiltration
Detector and the DGA Detector) for these two primary types of threats. Since
there will be other suspicious domains that do not fall into these two
categories, we use an unsupervised outlier detection model (the Outlier
Detector) to capture domains of no specific type.
Figure 3(b) shows the implementation of the threats detection module in the
D²C² framework, consisting of the three detectors running in series. During
detection, all malicious samples detected by a detector are stored in a
database, and all remaining benign samples are sent to the next detector. The
first two supervised detectors detect known threats, which make up the majority
of all threats, so they filter out most of the threats in the data. The
remaining suspicious domains are very rare compared to the normal domains, a
distribution well suited to the unsupervised outlier detection algorithm.
After all detectors have been applied, the results are aggregated and sent to
the next stage for investigation and visualization. Furthermore, the detected
outliers can also be used to improve the supervised approaches: data
exfiltration or DGA threats missed by the two detectors (their false negatives)
that are caught as outliers and then confirmed by manual investigation are fed
back as labeled data.
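The workflow of Fig. 3(b), together with the Blacklist and Whitelist modules of Sect. 3.2, can be written as a short pipeline. The Python below is an added example and not the D²C² code. The three detectors are deliberately simple stand-ins for the RF/SVM/MLP and iForest/X-Means models (a label-length rule, a vowel-ratio rule on the registered label, and a median-absolute-deviation distance rule on name length in the spirit of the X-Means threshold of Sect. 4.2), so that what the code shows is the plumbing: blacklist first, detectors in series passing only benign samples on, aggregation, whitelist flagging, and operator feedback. The registered-domain rule (last two labels), the blacklist, the whitelist and the domains are all constructed for the example.

```python
"""Added example (not the D²C² code): the detection-stage plumbing of Fig. 3(b)
with stand-in detectors.  Blacklist, whitelist and domains are constructed."""
import statistics
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

Detector = Callable[[List[str]], Set[str]]


@dataclass
class Alert:
    domain: str
    detector: str            # which stage raised it
    whitelisted: bool = False


def registered_domain(d: str) -> str:
    # Assumption: last two labels; a public-suffix list would be used in practice.
    return ".".join(d.lower().rstrip(".").split(".")[-2:])


def exfil_detector(domains: List[str], max_label: int = 40) -> Set[str]:
    """Stand-in for D-Exfil: a label longer than any ordinary host name."""
    return {d for d in domains if max(len(lab) for lab in d.split(".")) > max_label}


def dga_detector(domains: List[str], min_len: int = 10, max_vowel_ratio: float = 0.2) -> Set[str]:
    """Stand-in for D-DGA: a long registered label with almost no vowels."""
    hits: Set[str] = set()
    for d in domains:
        labels = d.rstrip(".").split(".")
        if len(labels) < 2:
            continue
        letters = [c for c in labels[-2].lower() if c.isalpha()]
        if (len(labels[-2]) >= min_len and letters
                and sum(c in "aeiou" for c in letters) / len(letters) < max_vowel_ratio):
            hits.add(d)
    return hits


def outlier_detector(domains: List[str], k: float = 5.0) -> Set[str]:
    """Stand-in for D-Outlier: distance of the name length from the batch centre
    in median-absolute-deviation units; beyond k it is an outlier (cf. the
    X-Means distance threshold).  The batch is what the first two detectors
    passed on, so ordinary names dominate it."""
    if len(domains) < 3:
        return set()
    lengths = [len(d) for d in domains]
    centre = statistics.median(lengths)
    mad = statistics.median([abs(x - centre) for x in lengths])
    if mad == 0:
        return set()         # no spread to measure against
    return {d for d, x in zip(domains, lengths) if abs(x - centre) / mad > k}


@dataclass
class DetectionPipeline:
    blacklist: Set[str]
    whitelist: Set[str]
    detectors: List[Tuple[str, Detector]]
    alerts: List[Alert] = field(default_factory=list)
    feedback: List[Alert] = field(default_factory=list)   # operator-confirmed false alerts

    def run(self, domains: List[str]) -> List[Alert]:
        alerts: List[Alert] = []
        remaining: List[str] = []
        # Blacklist module: known-bad domains are flagged cheaply before any model runs.
        for d in domains:
            if registered_domain(d) in self.blacklist:
                alerts.append(Alert(d, "blacklist"))
            else:
                remaining.append(d)
        # Threats Detection: detectors in series; hits are stored, benign samples move on.
        for name, detect in self.detectors:
            hits = detect(remaining)
            alerts.extend(Alert(d, name) for d in remaining if d in hits)
            remaining = [d for d in remaining if d not in hits]
        # Whitelist module: trusted senders are flagged before operators see the alert.
        for a in alerts:
            a.whitelisted = registered_domain(a.domain) in self.whitelist
        self.alerts = alerts
        return alerts

    def mark_false_alert(self, alert: Alert) -> None:
        """Manual Investigation feedback; these drive threshold changes or re-training."""
        self.feedback.append(alert)

    def false_alert_rate(self, detector: str) -> float:
        raised = sum(a.detector == detector for a in self.alerts)
        wrong = sum(a.detector == detector for a in self.feedback)
        return wrong / raised if raised else 0.0


SAMPLE_DOMAINS = [  # constructed
    "www.google.com",
    "mail.example.org",
    "cdn.example.net",
    "update.knownbad.com",                                            # on the blacklist
    "NJ4Q2BRGKVWWR3DK2NZUGQ3TGNRSGQYTEMZQGE3DGNJRGI.evildomain.com",   # encoded payload
    "MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPIYTEMRTGQ2TKNRXHA4TA.secvendor.com",  # whitelisted vendor
    "qwdpluxsbmhkjf.net",                                             # DGA-like
    "x_x_x_x_x_x_x_x_x_x.example.com",                                # odd but untyped
]


def build_pipeline() -> DetectionPipeline:
    return DetectionPipeline(
        blacklist={"knownbad.com"},
        whitelist={"secvendor.com"},
        detectors=[("D-Exfil", exfil_detector), ("D-DGA", dga_detector), ("D-Outlier", outlier_detector)],
    )


if __name__ == "__main__":
    pipe = build_pipeline()
    for a in pipe.run(SAMPLE_DOMAINS):
        print(f"{a.detector:9} {'(whitelisted)' if a.whitelisted else '':13} {a.domain}")
```

The vendor domain is still reported, only flagged, which matches the paper's placement of the whitelist in the investigation stage rather than in front of the detectors; an operator marking that alert as false feeds the `feedback` list, from which a per-detector false-alert rate can be read off to decide whether a threshold such as `max_label` needs moving.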

5 Deployment in a Large Enterprise


In this section, we evaluate our design by a real-world deployment in a large
enterprise environment with substantial DNS traffic. Then we present insights
into the threats and security issues in the enterprise environments.

5.1 Data Trace


We have deployed D²C² in an enterprise environment with a large volume of
Internet traffic. In this enterprise, there are more than 25k hosts, including
servers in IDCs and desktops/laptops in office networks. Sensors were deployed
on the DNS servers controlled by this enterprise to collect the DNS logs of all
hosts in its network. The average number of DNS logs per day is around 100
million. Detailed statistics for a 1-month dataset with over 5 billion DNS logs
are shown in Table 3. The number of queries is ∼5% larger than the number of
responses, because not all queries receive responses, due to time-outs, packet
loss or other kinds of network errors. As mentioned before, all responses are
input into D²C², since each response contains its corresponding query; queries
without responses are input into D²C² directly. We also count the different
record types in the DNS logs and list the numbers in Table 3. Type A (IPv4
address) and type AAAA (IPv6 address) dominate, taking up 75.98% and 14.98% of
all logs, respectively. PTR (pointer) also accounts for 8.30%. PTR queries are
commonly used for reverse DNS lookups, the opposite of A or AAAA queries; they
are also used for DNS service discovery, replying with service names. The
ratios of the other types, i.e., CNAME (canonical name), MX (mail exchange), NS
(name server), SOA (start of authority), SRV (service locator) and TXT
(descriptive text), are all very small. “Other” contains multiple types which
are very rare in our traffic, including TKEY (transaction key), SPF (sender
policy framework), etc.

Table 3. Distribution of DNS record types in the one-month dataset.

Type  | # of Queries (Responses)      | Total         | %
------|-------------------------------|---------------|-------
A     | 2,310,206,811 (2,175,715,764) | 4,485,922,575 | 75.98%
AAAA  | 443,000,848 (441,857,308)     | 884,858,156   | 14.98%
PTR   | 245,185,527 (244,886,490)     | 490,072,017   | 8.30%
SOA   | 5,751,338 (5,722,695)         | 11,474,033    | 0.19%
SRV   | 5,651,489 (5,611,368)         | 11,262,857    | 0.19%
NS    | 4,790,185 (4,788,276)         | 9,578,461     | 0.16%
TXT   | 3,392,785 (3,389,870)         | 6,782,655     | 0.11%
CNAME | 630,267 (630,246)             | 1,260,513     | 0.02%
MX    | 327,305 (320,792)             | 648,097       | 0.01%
Other | 958,983 (963,691)             | 1,922,674     | 0.03%
Total | 3,019,895,538 (2,883,886,500) | 5,903,782,038 | –
The operators and security engineers in the enterprise also maintain a
blacklist and a whitelist. Both lists are parsed and all entries are fed into
D²C² as the domain names of the Blacklist and Whitelist modules. The blacklist
consists of known malicious domains found previously or reported in take-downs
and security databases, including DGArchive [25], 360 Netlab Opendata [4] and
other threat intelligence services used by the enterprise. The whitelist
contains domains controlled by the studied enterprise, security vendors and
several popular websites from the Majestic Top Websites [5].

Table 4. Evaluation metrics on the labeled dataset.

Detector  | Model   | Precision | Recall | Accuracy | F1
----------|---------|-----------|--------|----------|-------
D-Exfil   | RF      | 1.0000    | 1.0000 | 1.0000   | 1.0000
D-Exfil   | MLP     | 0.9999    | 0.9995 | 0.9995   | 0.9993
D-Exfil   | SVM     | 0.9997    | 0.9998 | 0.9998   | 0.9997
D-DGA     | RF      | 0.9580    | 0.9787 | 0.9945   | 0.9682
D-DGA     | MLP     | 0.9290    | 0.9660 | 0.9910   | 0.9471
D-DGA     | SVM     | 0.8049    | 0.9558 | 0.9765   | 0.8793
D-Outlier | iForest | 0.8495    | 0.9190 | 0.9988   | 0.8829
D-Outlier | X-Means | 0.6708    | 0.5371 | 0.9981   | 0.5965

Table 5. Processing speed of different models on the labeled dataset.

Class        | Model   | Processing speed (logs/s)
-------------|---------|--------------------------
Supervised   | RF      | 49,344.9
Supervised   | MLP     | 9,210.2
Supervised   | SVM     | 24,150.2
Unsupervised | iForest | 9,149.0
Unsupervised | X-Means | 4,090.6

5.2 Evaluation Results


During the deployment, we used the following evaluation metrics:
– precision = |TP|/(|TP| + |FP|), recall = |TP|/(|TP| + |FN|)
– accuracy = (|TP| + |TN|)/(|TP| + |FP| + |TN| + |FN|)
– F1-measure = (2 × precision × recall)/(precision + recall)
TP, FP, TN and FN stand for true positives, false positives, true negatives
and false negatives, respectively.
In a large volume of real-world traffic, it is difficult to get all data
labeled. Thus we evaluate our models in two ways: on labeled historical data
(an extra trace of over 764k labeled logs) and on the unlabeled real-time
traffic of one month (shown in Table 3). The labeled historical data trace was
collected in the enterprise before D²C² was deployed, and consists of
historical logs previously labeled and verified by operators. This data trace
is used to evaluate all the algorithms chosen in Sect. 4.2. During deployment,
however, it is very difficult to label all logs because of the large volume of
traffic. In this case, since all positives (alerts) are checked by operators
according to the workflow of D²C², the precision is accurate, but the recall
can only be approximated (since there may be unlabeled threats in the
dataset). So we only present precision for these detection results.
For a practical detection framework used in the real world, the false alert
rate is also a critical metric. This is because all alerts need to be investigated
The Project Gutenberg eBook of Through India and Burmah with pen and brush
This ebook is for the use of anyone anywhere in the United States
and most other parts of the world at no cost and with almost no
restrictions whatsoever. You may copy it, give it away or re-use it
under the terms of the Project Gutenberg License included with this
ebook or online at www.gutenberg.org. If you are not located in the
United States, you will have to check the laws of the country where
you are located before using this eBook.

Title: Through India and Burmah with pen and brush

Author: A. Hugh Fisher

Release date: August 28, 2023 [eBook #71505]

Language: English

Original publication: London: T. Werner Laurie, 1911

Credits: Al Haines

*** START OF THE PROJECT GUTENBERG EBOOK THROUGH INDIA AND BURMAH WITH PEN AND BRUSH ***
The Moat, Fort Dufferin, Mandalay.
THROUGH
INDIA AND BURMAH
WITH PEN AND BRUSH

BY

A. HUGH FISHER
"The beauty of the world is simple like a looking-glass."

LONDON
T. WERNER LAURIE
CLIFFORD'S INN

TO MY FRIENDS IN ENGLAND

PREFACE

The following series of "Travel Pictures" is an endeavour to embody
some of my impressions and experiences in India and Burmah.
For kind permission to reproduce among the illustrations eight of the
painted sketches I made for them, my thanks are due to the Visual
Instruction Committee of the Colonial Office who sent me out to the East as
their artist.

The two chapters "The Moharam Festival" and "Rakhykash" are
included in this book by the courtesy of the Editor of The Fortnightly
Review, in which publication they have already appeared.

A. HUGH FISHER.

CONTENTS

CHAP.

I. RANGOON
II. HIS HIGHNESS THE SAWBWA OF HSIPAW
III. UP THE IRRAWADDY TO BHAMO
IV. THE DEAD HEART OF A KINGDOM
V. MANDALAY
VI. SOUTHERN INDIA, THE LAND OF HINDOO TEMPLES
VII. CALCUTTA
VIII. MY FIRST SIGHT OF THE HIMALAYAS
IX. BENARES
X. LUCKNOW
XI. CAWNPORE
XII. THE HOUSE OF DREAM
XIII. DELHI
XIV. DEHRA DUN AND LANDOUR
XV. AN EVENING OF GOLD
XVI. "GUARD YOUR SHOES"
XVII. "A GATE OF EMPIRE"
XVIII. THE CAPITAL OF THE PUNJAB
XIX. AT THE COURT OF HIS HIGHNESS THE RAJAH OF NABHA
XX. IN SIGHT OF AFGHANISTAN
XXI. RAJPUTANA
XXII. SIR PRATAP SINGH
XXIII. THE MOHARAM FESTIVAL
XXIV. RAKHYKASH
XXV. POLITICAL
INDEX

ILLUSTRATIONS

THE MOAT, FORT DUFFERIN, MANDALAY ... Frontispiece


"THEY COULD NOT LIE DOWN WITHOUT OVERLAPPING"
MONGOLIAN TYPE OF MOHAMMEDAN
MUTAMA, A HINDOO BABY
HINDOO GIRL, SHOWING ELABORATE JEWELLERY
ALTAR TABLE AT A BUDDHIST SOCIETY'S CELEBRATION
BOY SHOWING TATOOING CUSTOMARY WITH ALL BURMESE
MALES
IN THE SHAN STATES: GUARD AND POLICEMAN
KATHA
AT A BURMESE PWE
BURMESE ACTORS AT BHAMO
A VILLAGE ON THE IRRAWADDY
BURMESE MURDERERS
PAGAN
BURMESE DWARF (3 ft. 5 in. high) SUFFERING FROM CATARACT
BURMESE PRIEST AND HIS BETEL Box
BURMESE MOTHER AND CHILD
THE SACRED TANK AND THE ROCK, TRICHINOPOLY
THE MAIN BAZAAR, TRICHINOPOLY
KARAPANASAMI, THE BLACK GOD
HINDOO MOTHER AND CHILD
BENGAL GOVERNMENT OFFICES, CALCUTTA
BENGALEE ACTRESS, MISS TIN CORRY DASS THE YOUNGER
"A CHARMING OLD GENTLEMAN FROM DELHI"
AVENUE OF OREODOXA PALMS, BOTANICAL GARDENS, CALCUTTA
THE KUTAB MINAR AND THE IRON PILLAR, FATEHPUR SIKRI
THE FORT OF ALI MASJID, IN THE KHYBER PASS
HIS HIGHNESS THE RAJAH OF NABHA
THE PALACE OF THE MAHARAJAH OF UDAIPUR (DRYPOINT ETCHING)
THE MOHARAM FESTIVAL AT AGRA

THROUGH INDIA AND BURMAH

CHAPTER I

RANGOON

Down came the rain, sudden, heavy and terrible, seeming to quell even
the sea's rage and whelming those defenceless hundreds of dark-skinned
voyagers in new and more dreadful misery.

Terrors were upon them, and in abject wretchedness and hopeless
struggle men, women and children spread every strip of their belongings
over their bodies and even used for shelter the very mats upon which they
had been lying.

What trouble a Hindoo will take to keep his body from the rain!
Extremely cleanly and fond of unlimited ablutions he yet detests nothing so
much as a wetting from the sky, and now, wholly at the mercy of the
elements, do what they would, no human ingenuity availed to keep these
wretched people dry.

It was the season of the rice harvest, when South India coolies swarm
over to Burmah much as the peasantry of Mayo and Connemara used to
crowd to England every summer.

If anybody is really anxious to remember that there are paddy fields in
Burmah he should cross the Bay of Bengal in December.

Somebody said that our ship was an unlucky one—that it ran down the
Mecca on her last trip and killed her third officer; but we got through safely
enough, though that crossing was one of the most disagreeable as well as the
most weird I ever made—disagreeable because of the bad weather, and
weird because of the passengers.

The deck and the lower deck were tanks of live humanity, and when it
began to get rough, as it did the morning after we left Madras, catching the
end of a strayed cyclone, it was worse than a Chinese puzzle to cross from
the saloon to the spar deck, and ten chances to one that even if you did
manage to avoid stepping on a body you slipped and shot into seven sick
Hindoo ladies and a family of children.

There were six first-class passengers, all Europeans, and 1700 deck
passengers, all Asiatics, and the latter paid twelve rupees each for the four
days' passage, bringing with them their own food.

"THEY COULD NOT LIE DOWN WITHOUT OVERLAPPING."

The first evening all six of the Europeans appeared at dinner—a
Trichinopoly collector, a Madras tanning manager and his wife (who told me
that half your American boots and shoes are made from buffalo skins
shipped from Madras to the United States), a young lieutenant going to take
charge of a mountain battery of Punjabis at Maimyo in Upper Burmah, and a
young Armenian, son of a merchant at Rangoon, who had been to Europe
about his eyes.

After coffee the man next to me suddenly leapt from his chair with a
yell. He thought he had been bitten by a centipede. The centipede was there
right enough, but as the pain passed off the next day we supposed the brute
had only fastened his legs in and had not really bitten.

The nights were sultry and the ship rolled worse every watch. I think,
however, that I never saw people try harder than those natives did to keep
clean. They had all brought new palm-leaf mats to lie upon, but they could
not lie down without overlapping. I asked the captain what he did about
scrubbing decks, and he said it was always done at the end of the voyage!
Next morning the downpour, already referred to, began and did the business
with cruel effectiveness.

As we neared Burmah the sea grew calm again and the rain abated. The
sun dried sick bodies and cheered despondent hearts. I spoke to a woman
crouching by some sacks and tin cans, with an old yellow cloth round her
head and shoulders, and another cloth swathing her loins. She had very dark
brown eyes, and her fingernails were bright red and also the palms of her
hands from the "maradelli" tied round the nails at night. She was the wife of
a man the other side of fourteen people, some four yards away. I asked his
name, not knowing that a Hindoo woman may not pronounce her husband's
name. She called him "Veetkar," which means uncle or houseman: the man
was of the Palla caste, which is just a little higher than the Pariah, and they
had been married five years but had no children. This was the man's second
marriage, his first wife having died of some liver complaint he said. Like
most of the passengers they were going out for paddy-field work, but unlike
so many others, they were "on their own" not being taken over by a labour
contractor. The man said he should get work at Kisshoor village, about eight
miles from Rangoon. Every year for seven years he had been over.
Altogether, this man had saved, according to his own statement, two
hundred rupees in the seven years' work, and had invested this in bullocks
and a little field near his village, which was named Verloocooli. He had left
the son of his first wife to look after the house and the field.

MONGOLIAN TYPE OF MOHAMMEDAN.

Under a thin muslin an ayah was watching our talk. She said she was a
Christian and came from Lazarus Church. Her husband ran away, leaving
her with three children in Madras, so she works now as an ayah to an
Eurasian lady, while her mother looks after the children in Madras.

About twenty people round one corner of the open hatch seemed to
belong to one another. They came from the Soutakar district and were
drinking rice-water—that is the water poured off when rice is boiled. A
Mohammedan with two sons was going to sell things. The boys would watch
the goods, he told me. He was returning to Upper Burmah, where he had
lived twenty-four years, and he had only been over to Madras to visit his
mother and father. He has "just a little shop" for the sale of such goods as
dal, chili, salt, onions, coconut oil, sweet oil, tamarind, matches and candles.

Then there was the Mongolian type of Mohammedan. He was very fat
and greasy, and had one of his dog teeth long like a tusk. He was a tin-
worker and made large cans in his shop in Rangoon.

I went down between decks and never saw people packed so closely
before except on Coronation Day. Even "marked" men discarded all clothing
but a small loin cloth: most of them could not move hand or foot without
their neighbours feeling the change of position; and as upon the deck above,
they often lay partly over each other. Yet in spite of the general
overcrowding, I noticed a woman of the Brahmin caste lying at her ease in a
small open space marked out by boxes and tin trunks. There was a large
lamp in a white reflector hanging by the companion-way, and some of those
lying nearest to it held leaf fans over their faces to keep the light from their
eyes.

The next day was brighter. There was a light wind and the whole sunlit
crowd was a babel of excited talk. A little naked Hindoo baby, just able to
walk, was playing mischievously with me. I had been nursing her for a while
and now she was laughing, and with palms up-turned was moving her hands
like a Nautch dancer as her eyes twinkled with merriment. She was called
Mutama, and the poor mite's ears had had a big cut made in them and the
lobes were already pulled out more than two inches by the bunches of metal
rings fastened in for this purpose.

A purple shawl, tied up to dry, bellied out in the wind over the side of the
ship in a patch of vivid colour. It had a border of gold thread and was of
native make. Not that the gold thread itself is made in Madras. It is curious
that English manufacturers have tried in vain to make these shawls so that
their gold thread shall not tarnish, whereas the gold thread obtained from
France does not do so.

On a box in the midst of hubbub, a Mohammedan was praying, bending
his body up and down and looking toward the sun.

MUTAMA, A HINDOO BABY.

The following morning we reached very turbid water, thick and yellow,
with blue reflections of the sky in the ripples. We could just see the coast of
Burmah and about noon caught sight of the pilot brig, and entering the wide
Rangoon river, passed a Chinese junk with all sails spread. Now the mats
began to go overboard and gulls swooped round the ship. We had passed the
obelisk at the mouth of the river when, above a green strip of coast on a little
blue hill, the sun shone upon something golden.

"The Pagoda!" I cried, and a pagoda it was, but only one at Siriam where
there is a garrison detachment. The Golden Pagoda—the Shwe Dagon—
appeared at first grey and more to the north. The water was now as thick and
muddy as the Thames at the Tower Bridge. It was full of undercurrents too,
and there was a poor chance for anyone who fell in.

Over went the mats, scores and scores and scores of them!

There is a bar a little further on called the Hastings, and it was a question
whether we'd get over it that afternoon. A line of yellow sand detached itself
from the green, and then the water became like shot silk, showing a pale
flood of cerulean slowly spreading over its turbid golden brown. On the low
bank were green bushes and undergrowth, and beyond—flat levels of tawny-
yellow and low tree-clad rising ground that reminded me of the Thames
above Godstow.

Beyond the green point of Siriam, just after the Pegu River branches off
to the right, the Rangoon River sweeps round in a great curve, at the far end
of which stretches the city. It was pale violet in the afternoon light, with
smoke streaming from vessels in the harbour, and on the highest point the
Shwe Dagon just showing on one edge that it was gold. Far to the right were
some twenty tall chimney-stacks of the Burmah Oil Works, but their colour,
instead of being sooty and unclean, was all blue and amethyst under a citron
sky.

The Customs Officer came out in a long boat, pulled by four men in red
turbans, and in his launch the medical officer of the port with a lady doctor.
There is a constant but ineffectual struggle to keep plague out of Burmah,
and every one of our 1700 deck passengers had to be thoroughly examined
—stripped to the waist with arms up, while the doctor passed his hands
down each side of the body.

The same night, on shore, I drove to the Shwe Dagon past the race-
ground, where a military tattoo was going on by torchlight.

Two gigantic leogryphs of plaster-faced brick stand one on each side of
the long series of steps which lead under carved teak roofs and between rows
of pillars up to the open flagged space on which the Pagoda stands.

I left the "tikka gharry" on the roadway and went up the steps of the
entrance alone. It was a weird experience, walking up those gloomy stairs at
night. Alone? At first it seemed so—the stalls at the sides of each landing or
wide level space between the flights of steps were deserted; but, as I walked
on, a Pariah dog came snarling viciously towards me and another joined him,
and then like jackals, their eyes glowing in the darkness, more and more of
them came. I had no stick with me, and as I meant going on it was a relief to
find that among the shadows of the pillars, to right and left, men were
sleeping. One stirred himself to call off the dogs and I walked up another
flight of steps, which gleamed a little beneath a hidden lamp.

Between great pillars, faced with plaster, red on the lower portion and
white above, I walked on while more dogs came yelping and snarling
angrily. I heard a low human wail which changed to a louder note and died
away—someone praying perhaps. Then all was quite still except for the
crickets. Now I was in a hall of larger columns and walked under a series of
carved screens—arches of wood set between pairs of them. Half-way up
these columns hung branches of strange temple offerings, things made in
coloured papers with gold sticks hanging from them.

At last I came out upon the upper platform on which stands the Pagoda
itself. Facing the top of the last flight of steps at the back of a large many-
pillared porch, reeking with the odour of burnt wax, I saw a cavernous
hollow, and set within it, behind lighted candles, dimly a golden Buddha in
the dusk. Outside, a strip of matting was laid over the flagged pavement all
round the platform, and in the stones little channels cut transversely for
drainage in the time of the rains lay in wait to trip careless feet.

Some years ago when the great "Hti" was brought down from the summit
of the Pagoda, after an earthquake, to be restored and further embellished,
people of all classes brought offerings of money and jewellery through the
turnstiles on to this platform. What a sight it must have been to see the lines
of Burmese people crowding up through these two turnstiles, one for silver
and one for gold—one woman giving two jewelled bracelets and the next a
bangle; a receipt would be given to each donor and then bangle and bracelets
thrown into the melting-pot after their jewels had been taken out for adding
to the "Hti."

HINDOO GIRL, SHOWING ELABORATE JEWELLERY.

Glittering metal drops quivered from the edges of richly-decorated
umbrellas; columns, covered as in a kind of mosaic with jewels and bright
glass, shone and sparkled; colossal figures cast grim shadows, and over all
the vast mass of the Shwe Dagon rose in its strange curved grandeur of worn
and faded gold far up into the night sky with a compelling loveliness, and
from the air above came floating down the sweet silvery tinkle of jewelled
bells shaken by the breeze.

Night had driven unscourged the money-changers from the temple, and
the magic light of the moon weaving silver threads through every garish tint
of paint had changed crude colours to ideal harmonies. Not colour alone but
form also was glorified. The grotesque had become dramatic, confusion had
changed to dignity, all surrounding detraction was subdued and the great
ascending curves of the Pagoda rose in simple, uncontested beauty. Nature
adored, acknowledging conquest, and the sound of those far wind-caught
bells was like that of the voices of angels and fairies singing about the cradle
of a child.

I had seen no building of such emotional appeal nor any that seems so
perfectly designed to wed the air and light that bathe it and caress it. But
imagine the Shwe Dagon transplanted to the cold light of some gargantuan
museum near the Cromwell Road; the nicest taste, the most steadfast
determination, could not unlock its charm. Here, upon easy hinge, the door
swings back at every raising of the eyes, and illumination is for all
beholders.

The following afternoon I was again at the Shwe Dagon, and to watch its
beauty under the glory of the setting sun was a further revelation. It seemed
to show fresh and delicate charm at each part of the day, and after burning at
sunset, like a man filled with impetuous passion, shone in the after-glow
with the diviner loveliness of the woman who gives her heart.

The river front of Rangoon is a wide, busy and dusty thoroughfare, on to
which wide streets open—Phayre Street, Bark Street and the rest, and great
piles of office buildings face the water—buildings with Corinthian porticoes
and columns with great drums like those of the Temple of Diana at Ephesus
without their sculptures. A line of white stucco houses curves round the bend
of the Sule Pagoda Street, wide and tree-bordered, like a road at Dorchester
or a Paris boulevard, making a handsome vista with its Pagoda surmounting
a flight of steps at the far end.

Building proceeds at such a rate that the big city seems to be growing
while you look at it, but there are plenty of open spaces. Government House,
in red brick and white stone, with an old bronze bell hung in front of the
portico between two brass cannon, stands in a goodly park with fine trees
and wide lawns and the Royal Lakes, across which there is a beautiful view
of the Shwe Dagon, are surrounded by large grounds with trim, well-kept
walks and drives. While I was painting by one of the lakes a water-snake
every now and then lifted its head above the surface, sometimes a foot and a
half out of the water like some long-necked bird.

I was driving back towards the hotel along the Calvert Road when I
noticed a temporary wood-framed structure, covered with coloured papers
and painted trellis-work. On inquiry I found it had been erected by a
Buddhist Society of that quarter of the city, and that the same night upon a
stage close to it in the open air a "Pwe" would be given, to which I was
bidden welcome about nine o'clock.

At my hotel two people had been poisoned by tinned food a few weeks
earlier, but whatever the table lacked in quality it made up in
pretentiousness. I quote that day's menu for comparison with the items of
another repast the same evening:—

Canapes aux anchois.
Potage à la Livonienne,
Barfurt—sauce Ravigotte.
Inlets mignons à la Parisienne.
Civets de lièvre à la St Hubert.
Cannetons faits aux petits pois—salade.
Fanchonettes au confiture.
Glace—crême au chocolat.
Dessert.
Café.

It was after an early and somewhat abridged version of the above that I
drove in the cheerless discomfort of a "tikka gharry" through Rangoon again
in the moonlight. After twenty minutes I saw once more the paper temple.
There were two long lines of lanterns high in the air in the shape of a
horizontal V, and under them a great crowd of people. The trellised temple
itself was also charmingly decorated with lanterns.

ALTAR TABLE AT A BUDDHIST SOCIETY'S CELEBRATION.

Inside I was effusively welcomed. A chair was placed for me on gay-
coloured carpets at one side of a raised altar platform, at the back of which
was a glass-fronted shrine containing an alabaster Buddha and strange lamps
in front, with two large kneeling figures and a pair of bronze birds. The
whole raised space before the shrine, some ten yards long by four yards
deep, was covered with white cloths, on which was placed close together a
multitude of dishes and plates of rich cakes, fruits and dainties. There were
green coconuts, piles of oranges, melons with patterns cut upon them,
leaving the outer green rind in curves and spirals, while the incised pattern
was stained with red and green pigment, and a mighty pumpkin with a kind
of "Christmas tree" planted in it, decked with packets of dried durian pickle
pinched in at a little distance from each end so that they looked like Tom
Smith's crackers. Now refreshment was brought to me in the shape of dried
prawns and, upon a large plate in neat little separate heaps, the following
delicacies:—

Green ginger, minced.
Sweet potatoes, shredded.
Fried coconut.
Sesamum seeds in oil.
Dried seed potatoes.
Tea leaves.
Fried ground nuts.

The president of this Buddhist Society, a stout Burman, with a rose-pink
silk kerchief rolled loosely round his head, came and bowed to me, raising
his hands and then sat upon another chair at my side, while a young Burman
stood behind to interpret our mutual felicitations.

Four silver dishes were now brought to me on a lacquered box, and these
contained Burmah cheroots, betel leaves and areca nut, tobacco leaves and
chunam (lime). Chilis were also brought, which made me long in vain for a
cool drink.

Outside, beyond the walls of pale green trellis, glowed the lanterns, and
faces peered at us between the strips of wood. Cloth of red and white stripes
lined the roof, and countless flags, quite tiny ones, were fastened along the
outer green railing.

In front of the Buddha had now been placed some beautiful gold
chalices. The white alabaster figure of Gautama was half as high as a man,
and a band covered with gems glittered across its breast.

The interpreter informed me that the whole gathering was a festival of
the Buddha Kaitsa Wut Society, and he added:—"We are the people in
Burmah always polite to everybody—do please whatever you like here." He
spoke English with assurance, but to me his meaning was not always clear.
Here are some of his actual words in answer to my request for further
information:—"In time long past the monies of the members were according
to the orders of the chief here, but they always used to pray every night with
white dress, not any sort of fancy dress. Whenever we pray in order yearly
we used to give charity to everybody."

About ten o'clock I moved outside, where another arm-chair had been
placed for me, this time in the midst of a great crowd of people.

In front of me rose a staging of bamboo framework, with seven oil lamps
hanging before it. Immediately below this staging a native orchestra played
strange instruments by candle-light and upon the ground, which sloped
conveniently, were ranged considerably over a thousand people. I counted
thirty-six rows of over twenty-five each, and ever-increasing crowds
thronged back and sides. Most of the seated audience were on mats or low
bedsteads, and many were smoking the large light-coloured cheroots.

My interpreter had now gone to join some ladies, and I was left to make
the best I could of this, my first, Burmese "Pwe."

Two characters were dancing on the stage when I took my seat. Perhaps
they were a prince and princess—at any rate they were dressed in old
Burmese court style, in very narrow skirts similar to the "hobble," and
strange short jackets cut with curled bases like horned moons stretched and
held in shape by bamboo frames. There was much swaying and posturing of
the body, combined with quick, jerky movements, the arms were moved a
great deal with bent elbows and the hands with fingers straight and the palms
bent back sharply at the wrists. When these dancers left the stage two men
entered in long white gowns, with broad white bands tied round the head in
big bows. They turned their backs upon the audience at first, and then
turning round squatted upon the floor. Two more similarly dressed came in
in the same manner, and after they had squatted beside the others two quite
astounding figures came on the scene with long bare swords.

The music all this while kept up an accompaniment of jingle and clapper
and tum, tum, tum—jingle and clapper and tum, tum, tum, with a
particularly squeaky wind instrument going ahead at the same time like a
cork being drawn backward and forward over a pane of wet glass.

I discovered now that on turning their backs to the audience on first
entering, the performers made obeisance to a draped bench at the back of the
stage. Two more sword-bearing figures came in and two lance-bearers in
very lovely bejewelled dresses of old gold. There was a long shrill speech
now—then a loud bang, at which all the actors fell to the ground, and a
figure entered bearing a short-pointed mace and sat at once on the draped
bench.

It was the beginning of a long drama of old Burmese court-life which
would go on all night long. The sword and lance-bearers went out, leaving
the gentleman with the mace talking to the four white-gowned men (they
were probably a king and his ministers), and he went on talking to them for a
long half-hour, during which, at rare intervals, one of them sat up and made
some remarks. At last a curtain came down, leaving two of the white-
gowned ones outside it. These were joined by a manifestly "comic"
character, a man with bare chest and a dark blue skirt, who kept the audience
in continual merriment while he was on the scene.

Every now and then I turned my head to look up at the great V-shaped
line of lanterns hanging high in the air overhead from tall bamboo poles, and
the stars shining over all from the night sky. A number of the children were
sleeping, though their elders made a good deal of noise, laughing heartily at
the comic actor as the play went on and on and on. I should like to have
stayed longer, but an appointment with some elephants at an early hour the
next morning made me reluctantly leave the "Pwe" at midnight and hunt
among the back rows of the audience for the driver of that "tikka gharry."

Everyone has heard of the Burmese elephants piling timber. The largest
of the timber companies employing elephants is the Bombay Burmah
Trading Corporation, Limited. The logs, floated down the river from forest-
lands, eight hundred or a thousand miles upstream, are stranded at high rain-
tides at Poozoondoung, a tract of lowland to which I drove in the early
morning.

I reached there just after sunrise, before the dew of the night was yet
evaporated, and the logs, on which one had to walk to avoid the mud, were
very slippery and more difficult to negotiate with boots than without.

The work of the elephants is to push, drag or pile the teak logs, and on
the morning of my visit there were three of the great quadrupeds at work:—
Hpo Chem, aged fifty, a fine tusker who had been twenty years at the work,
and two female elephants, Mee Cyan, seventy years of age, and Mee Poo,
thirty. The male elephant has, of course, tremendous strength in his tusks and
uses them for carrying, holding the log firmly with his trunk as he gravely
walks up the pile of logs to place his burden on the top. Female elephants
can only pile by a combined lift and drag, and do not raise the log entirely
from the ground. Pushing with the head is called "ounging."

Most of the elephants in use in Burmah have been got by Kheddah
operations, the Kheddah being a big stockade built under Government
direction in a similar way to the Kraals of Ceylon. At the last Kheddah many
elephants died suddenly of anthrax (some two hundred in about three days),
and a number of the trained animals were lost as well as those newly
captured.

The hours of elephant labour at Poozoondoung are strictly limited, being
from six to nine in the morning and from three to six in the afternoon.

At Poozoondoung, not far from the timber-yards, the chief rice-mills are
situated. They were idle now, but when I saw them again after the harvest
their big chimneys were belching forth black smoke from the burning husk.
The husk obtained from the milled grain is not only sufficient for all fuel
requirements, but much has to be shot into the creek for waste.

The engine staffs are, as upon most of the flotilla steamers,
Chittagonians, Burmese being employed chiefly as clerks.

Native boats called "Loungoes" brought such of the "paddy" from the
country as did not come by rail.

"Hulling" the rice is the operation of breaking off the husk. There were
rows of pairs of round flat stones, the under ones stationary, the upper ones
revolving, not grinding but merely breaking off the husk. Both grain and
husk fell from these stones together to the floor below, and were carried by
bucket-elevators to a fanning-room, where the husk was blown off. After
leaving the fans the grain had its remaining inner skin taken off in "cones"—
cement-faced stones made to press the grain against an outer jacket of
perforated wire. At the base of the cone a cloth hung round an opening in the
floor, through which the rice dropped, while the white skin fell upon the
floor outside to be called "bran," and shipped to Europe for use in the
manufacture of cattle cakes.

In the process of "whitening" much of the grain is broken and sorted by
graduated sieves, into four or five degrees of size. Finally the rice bags are
shipped on to a cargo boat in the creek, for despatch by steamer to India or
Europe.

When the rice-mills are in full work the smoke of their chimneys hangs
above Rangoon, but overhead every evening the flying foxes pass as usual,
and the beautiful Pagoda is far enough away to remain untarnished upon its
little hill.

BOY SHOWING TATOOING CUSTOMARY WITH ALL BURMESE MALES.

CHAPTER II

HIS HIGHNESS THE SAWBWA OF HSIPAW

I left the Phayre Street station at Rangoon on a bright morning, which
made me think of England and the perfect beginning of a warm summer day
at home. The paddy-fields were like an ocean on each side of the railway
line, and as yellow as ripe corn: some distant hills, the Eastern Yomans
which divide Burmah from Siam, were faintly visible and became clearer
after I had passed Pegu. There are no elephants in those hills, though they
are yet in their thousands in the Western Yomans (one man I met had
counted sixty in a single herd).

Railway journeys with unshuttered windows are like miscellaneous
collections of snapshot photographs—now men in the paddy-fields wearing
the huge low conical bamboo hats of the Shan States; then big anthills and
snipe; a banyan tree—the gutta-percha banyan tree, Burmese Nynung, out of
which the natives make their birdlime; grey squares of flat hard mud, the
Burmese threshing floor; a crowd of brown hawks about a group of natives
drying fish; a small eagle with four-foot spread of wings, sometimes called a
peacock hawk, having blue eyes instead of the usual eagle yellow; an Eng
tree, a taxed tree largely used for building purposes (a tree that comes up and
is of no use is called here a Powk-pin); in a stream a man swinging a fishing-
net hung on crossed arched hoops at the end of a pole—a net of just the same
pattern I have seen on Arno shallows at Florence; a dull leaden-coloured
layer of rotting fish on bamboo screens raised above the ground on poles—
when rotted enough and full enough of insects, it will be pounded up to
make a national dish called "Ngape."
