Ransomware, a class of self-propagating malware that uses encryption to hold the victims' data ransom, has emerged in recent years as one of the most dangerous cyber threats, with widespread damage; e.g., the zero-day ransomware WannaCry caused world-wide catastrophe, from knocking U.K. National Health Service hospitals offline to shutting down Honda Motor Company operations in Japan [1]. Our close collaboration with security operations of large enterprises reveals that defense against ransomware relies on tedious analysis of high-volume system logs from the first few infections. Sandbox analysis of freshly captured malware is also commonplace in operations. We introduce a method to identify and rank the most discriminating ransomware features from a set of ambient (non-attack) system logs and at least one log stream containing both ambient and ransomware behavior. These ranked features reveal a set of malware actions that are produced automatically from system logs, and can help automate tedious manual analysis. We test our approach using WannaCry and two polymorphic samples by producing logs with Cuckoo Sandbox during both ambient and ambient-plus-ransomware executions. Our goal is to extract the features of the malware from the logs with only the knowledge that malware was present. We compare outputs with a detailed analysis of WannaCry, allowing validation of the algorithm's feature extraction, and provide analysis of the method's robustness to variations of input data: changing the quality/quantity of ambient data and testing polymorphic ransomware. Most notably, our patterns are accurate and unwavering when generated from polymorphic WannaCry copies, on which 63 (of 63 tested) antivirus (AV) products fail.
This survey focuses on intrusion detection systems (IDS) that leverage host-based data sources for detecting attacks on enterprise networks. The host-based IDS (HIDS) literature is organized by input data source, presenting targeted sub-surveys of HIDS research leveraging system logs, audit data, the Windows Registry, file systems, and program analysis. While system calls are generally included in audit data, several publicly available system call datasets have spawned a flurry of IDS research on this topic, which merits a separate section. To accommodate current researchers, a section giving descriptions of publicly available datasets is included, outlining their characteristics and shortcomings when used for IDS evaluation. Related surveys are organized and described. All sections are accompanied by tables concisely organizing the literature and datasets discussed. Finally, challenges, trends, and broader observations are discussed throughout the survey and in the conclusion, along with future directions of IDS research. Overall, this survey was designed to allow easy access to the diverse types of data available on a host for sensing intrusion, the progression of research using each, and the accessible datasets for prototyping in the area.
We have recently reported that a recombinant HIV-1NL4.3 containing a Met-to-Ile change at codon 50 of integrase (IN) (IN:M50I) exhibits suppression of virus release to below 0.5% of WT HIV, and that the released viral particles are replication-incompetent due to defects in Gag/GagPol processing caused by inhibition of the initiation of GagPol polyprotein autoprocessing in the virions. A coexisting Ser-to-Asn change at codon 17 of IN or an Asn-to-Ser mutation at codon 79 of RNaseH (RH) compensated for the defective IN:M50I phenotype, suggesting that both IN and RH regulate HIV infectability. In the current study, to elucidate the distribution of the three mutations during anti-retroviral therapy among patients, we performed a population analysis using 529 plasma virus RNA sequences obtained through MiSeq. The result demonstrated that 14 plasma HIVs contained IN:M50I without the compensatory mutations. Comparing the sequences of the 14 viruses with that of the defective virus showed that only a Val-to-Ile change at codon 151 of IN (IN:V151I) existed in the recombinant virus. This IN:V151I is known as a polymorphic mutation and was derived from the HIVNL4.3 backbone. A back-mutation at codon 151 from Ile to Val in the defective virus recovered HIV replication capability, and a Western blotting assay showed that the back-mutation restored Gag/GagPol processing in viral particles. These results demonstrate that the combination of IN:M50I and IN:V151I mutations, but not IN:M50I alone, produces a defective virus.