{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,28]],"date-time":"2026-02-28T22:35:28Z","timestamp":1772318128132,"version":"3.50.1"},"publisher-location":"Cham","reference-count":38,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783030346362","type":"print"},{"value":"9783030346379","type":"electronic"}],"license":[{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2019]]},"DOI":"10.1007\/978-3-030-34637-9_15","type":"book-chapter","created":{"date-parts":[[2019,12,6]],"date-time":"2019-12-06T00:04:15Z","timestamp":1575590655000},"page":"199-214","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":28,"title":["Automated Ransomware Behavior Analysis: Pattern Extraction and Early Detection"],"prefix":"10.1007","author":[{"given":"Qian","family":"Chen","sequence":"first","affiliation":[]},{"given":"Sheikh Rabiul","family":"Islam","sequence":"additional","affiliation":[]},{"given":"Henry","family":"Haswell","sequence":"additional","affiliation":[]},{"given":"Robert A.","family":"Bridges","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2019,12,6]]},"reference":[{"key":"15_CR1","unstructured":"Davis, J.: 71% of ransomware attacks targeted small businesses in 2018, March 2019. \nhttps:\/\/healthitsecurity.com\/news\/71-of-ransomware-attacks-targeted-small-businesses-in-2018"},{"key":"15_CR2","unstructured":"Dobran, B.: Definitive guide for preventing and detecting ransomware (2019). \nhttps:\/\/phoenixnap.com\/blog\/preventing-detecting-ransomware-attacks"},{"key":"15_CR3","unstructured":"Freed, B.: One year after atlanta\u2019s ransomware attack, the city says it\u2019s transforming its technology (2019). \nhttps:\/\/statescoop.com\/one-year-after-atlantas-ransomware-attack-the-city-says-its-transforming-its-technology\/"},{"key":"15_CR4","unstructured":"Olenick, D.: Atlanta ransomware recovery cost now at \\$17 million, reports say (2018). \nhttps:\/\/www.scmagazine.com\/home\/security-news\/ransomware\/atlanta-ransomware-recovery-cost-now-at-17-million-reports-say\/"},{"key":"15_CR5","unstructured":"Bridges, R.A., Iannacone, M.D., Goodall, J.R., Beaver, J.M.: How do information security workers use host data? A summary of interviews with security analysts. arXiv preprint 1812.02867 (2018)"},{"key":"15_CR6","unstructured":"Goodall, J., Lutters, W., Komlodi, A.: The work of intrusion detection: rethinking the role of security analysts. In: AMCIS 2004 Proceedings, p. 179 (2004)"},{"issue":"1","key":"15_CR7","doi-asserted-by":"publisher","first-page":"26","DOI":"10.1108\/09685221011035241","volume":"18","author":"R Werlinger","year":"2010","unstructured":"Werlinger, R., Muldner, K., Hawkey, K., Beznosov, K.: Preparation, detection, and analysis: the diagnostic work of it security incident response. Inf. Manag. Comput. Secur. 18(1), 26\u201342 (2010)","journal-title":"Inf. Manag. Comput. Secur."},{"key":"15_CR8","doi-asserted-by":"crossref","unstructured":"Chen, Q., Bridges, R.A.: Automated behavioral analysis of malware: a case study of WannaCry ransomware. In: 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA), pp. 454\u2013460, December 2017","DOI":"10.1109\/ICMLA.2017.0-119"},{"key":"15_CR9","unstructured":"Malwarebytes LABS: Look into locky ransomware, July 2016. \nhttps:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/03\/look-into-locky\/"},{"key":"15_CR10","unstructured":"Gao, W.: Dissecting Cerber ransomware, July 2017. \nhttps:\/\/www.ixiacom.com\/company\/blog\/dissecting-cerber-ransomware"},{"key":"15_CR11","unstructured":"Doevan, J.: Locky virus, how to remove (2018). \nhttps:\/\/www.2-spyware.com\/remove-locky-virus.html"},{"key":"15_CR12","unstructured":"Cisco\u2019s Talos Intelligence Group Blog: Gandcrab Ransomware Walks its Way onto Compromised Sites (2018). \nhttps:\/\/blog.talosintelligence.com\/2018\/05\/gandcrab-compromised-sites.html\n\n. Accessed 25 Aug 2018"},{"key":"15_CR13","unstructured":"This Ransomware Demands Nude instead of Bitcoin - Motherboard (2017). \nhttps:\/\/motherboard.vice.com\/en_us\/article\/yw3w47\/this-ransomware-demands-nudes-instead-of-bitcoin\n\n. Accessed 24 Aug 2018"},{"key":"15_CR14","unstructured":"Defray ransomware sets sights on healthcare and other industries, August 2017. \nhttps:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cyber-attacks\/defray-ransomware-sets-sights-on-healthcare-and-other-industries"},{"key":"15_CR15","unstructured":"Crowe, J.: Alert: Defray ransomware launching extremely personalized attacks, August 2017. \nhttps:\/\/blog.barkly.com\/defray-ransomware-highly-targeted-campaigns"},{"key":"15_CR16","unstructured":"Threat Spotlight: Defray Ransomeware Hits Healthcare and Education (2017). \nhttps:\/\/threatvector.cylance.com\/en_us\/home\/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html\n\n. Accessed 16 Aug 2018"},{"key":"15_CR17","unstructured":"Cuckoo Sandbox - Automated Malware Analysis. \nhttps:\/\/cuckoosandbox.org\/\n\n. Accessed 26 Aug 2018"},{"key":"15_CR18","unstructured":"Perlroth, N.: Boeing possibly hit by \u2018WannaCry\u2019 malware attack, March 2018. \nhttps:\/\/www.nytimes.com\/2018\/03\/28\/technology\/boeing-wannacry-malware.html"},{"key":"15_CR19","unstructured":"Lemos, R.: Satan ransomware adds more evil tricks, May 2019. \nwww.darkreading.com\/vulnerabilities---threats\/satan-ransomware-adds-more-evil-tricks\/d\/d-id\/1334779"},{"key":"15_CR20","unstructured":"Cimpanu, C.: DBGer ransomware uses EternalBlue and Mimikatz to spread across networks (2018). \nhttps:\/\/www.bleepingcomputer.com\/news\/security\/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks\/"},{"key":"15_CR21","unstructured":"Barkly Research: Cerber ransomware: everything you need to know, March 2017. \nhttps:\/\/blog.barkly.com\/cerber-ransomware-statistics-2017"},{"key":"15_CR22","unstructured":"Malwarebytes LABS: Cerber ransomware: new, but mature, June 2018. \nhttps:\/\/blog.malwarebytes.com\/threat-analysis\/2016\/03\/cerber-ransomware-new-but-mature\/"},{"key":"15_CR23","unstructured":"Tiwari, R.: Evolution of GandCrab ransomware, April 2018. \nhttps:\/\/www.acronis.com\/en-us\/articles\/gandcrab\/"},{"key":"15_CR24","unstructured":"Salvio, J.: GandCrab V4.0 analysis: new shell, same old menace (2018). \nhttps:\/\/www.fortinet.com\/blog\/threat-research\/gandcrab-v4-0-analysis-new-shell-same-old-menace.html"},{"key":"15_CR25","unstructured":"Mundo, A.: GandCrab ransomware puts the pinch on victims, July 2018. \nhttps:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/gandcrab-ransomware-puts-the-pinch-on-victims\/"},{"key":"15_CR26","doi-asserted-by":"crossref","unstructured":"Homayoun, S., Dehghantanha, A., Ahmadzadeh, M., Hashemi, S., Khayami, R.: Know abnormal, find evil: frequent pattern mining for ransomware threat hunting and intelligence. IEEE Trans. Emerg. Top. Comput. (2019)","DOI":"10.1109\/TETC.2017.2756908"},{"key":"15_CR27","doi-asserted-by":"crossref","unstructured":"Verma, M.E., Bridges, R.A.: Defining a metric space of host logs and operational use cases. In: 2018 IEEE International Conference on Big Data (Big Data), pp. 5068\u20135077, December 2018","DOI":"10.1109\/BigData.2018.8622083"},{"key":"15_CR28","doi-asserted-by":"publisher","first-page":"14","DOI":"10.1016\/j.jnca.2018.09.013","volume":"124","author":"D Morato","year":"2018","unstructured":"Morato, D., Berrueta, E., Maga\u00f1a, E., Izal, M.: Ransomware early detection by the analysis of file sharing traffic. J. Netw. Comput. Appl. 124, 14\u201332 (2018)","journal-title":"J. Netw. Comput. Appl."},{"issue":"2","key":"15_CR29","doi-asserted-by":"publisher","first-page":"6","DOI":"10.1145\/2089125.2089126","volume":"44","author":"M Egele","year":"2012","unstructured":"Egele, M., et al.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. (CSUR) 44(2), 6 (2012)","journal-title":"ACM Comput. Surv. (CSUR)"},{"issue":"5","key":"15_CR30","doi-asserted-by":"publisher","first-page":"513","DOI":"10.1016\/0306-4573(88)90021-0","volume":"24","author":"G Salton","year":"1988","unstructured":"Salton, G., Buckley, C.: Term-weighting approaches in automatic text retrieval. Inf. Process. Manag. 24(5), 513\u2013523 (1988)","journal-title":"Inf. Process. Manag."},{"key":"15_CR31","unstructured":"Welling, M.: Fisher linear discriminant analysis. Department of Computer Science, University of Toronto, vol. 3, no. 1 (2005)"},{"issue":"1","key":"15_CR32","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/s10994-006-6226-1","volume":"63","author":"P Geurts","year":"2006","unstructured":"Geurts, P., Ernst, D., Wehenkel, L.: Extremely randomized trees. Mach. Learn. 63(1), 3\u201342 (2006)","journal-title":"Mach. Learn."},{"key":"15_CR33","unstructured":"Islam, S.R., Eberle, W., Ghafoor, S.K.: Credit default mining using combined machine learning and heuristic approach. In: Proceedings of the 2018 International Conference on Data Science (ICDATA), pp. 16\u201322. ACSE (2018)"},{"key":"15_CR34","unstructured":"Wannacry Malware Profile - FireEye (2017). \nhttps:\/\/www.fireeye.com\/blog\/threat-research\/2017\/05\/wannacry-malware-profile.html\n\n. Accessed 10 Aug 2018"},{"key":"15_CR35","unstructured":"DBGer Ransomware Uses EternalBlue and Mimikatz to Spread Across Networks (2017). \nhttps:\/\/www.bleepingcomputer.com\/news\/security\/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks\/\n\n. Accessed 10 Aug 2018"},{"key":"15_CR36","unstructured":"Locky Ransomware Switches to the Asasin Extension via Broken Spam Campaign (2017). \nhttps:\/\/www.bleepingcomputer.com\/news\/security\/locky-ransomware-switches-to-the-asasin-extension-via-broken-spam-campaigns\/\n\n. Accessed 21 Aug 2018"},{"key":"15_CR37","unstructured":"Munde, S.: Satan ransomware raises its head again! June 2018. \nhttps:\/\/blogs.quickheal.com\/satan-ransomware-raises-head\/"},{"key":"15_CR38","doi-asserted-by":"publisher","first-page":"465","DOI":"10.1016\/j.procs.2016.08.072","volume":"94","author":"Monika","year":"2016","unstructured":"Monika, Zavarsky, P., Lindskog, D.: Experimental analysis of ransomware on Windows and Android platforms: evolution and characterization. Procedia Comput. Sci. 94, 465\u2013472 (2016)","journal-title":"Procedia Computer Science"}],"container-title":["Lecture Notes in Computer Science","Science of Cyber Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-34637-9_15","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,12,6]],"date-time":"2019-12-06T00:06:26Z","timestamp":1575590786000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-030-34637-9_15"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019]]},"ISBN":["9783030346362","9783030346379"],"references-count":38,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-34637-9_15","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019]]},"assertion":[{"value":"6 December 2019","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"SciSec","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Science of Cyber Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Nanjing","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2019","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"9 August 2019","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"11 August 2019","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"scisec2019","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/www.sci-cs.net\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"62","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"20","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"8","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"32% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}