{"id":"https://openalex.org/W4402711998","doi":"https://doi.org/10.1145/3658644.3690269","title":"CanCal: Towards Real-time and Lightweight Ransomware Detection and Response in Industrial Environments","display_name":"CanCal: Towards Real-time and Lightweight Ransomware Detection and Response in Industrial Environments","publication_year":2024,"publication_date":"2024-12-02","ids":{"openalex":"https://openalex.org/W4402711998","doi":"https://doi.org/10.1145/3658644.3690269"},"language":"en","primary_location":{"id":"doi:10.1145/3658644.3690269","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3690269","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3690269","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"preprint","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3690269","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5029601880","display_name":"Shenao Wang","orcid":"https://orcid.org/0000-0003-3818-3343"},"institutions":[{"id":"https://openalex.org/I47720641","display_name":"Huazhong University of Science and Technology","ror":"https://ror.org/00p991c53","country_code":"CN","type":"education","lineage":["https://openalex.org/I47720641"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Shenao Wang","raw_affiliation_strings":["Huazhong University of Science and Technology, Wuhan, China"],"affiliations":[{"raw_affiliation_string":"Huazhong University of Science and Technology, Wuhan, China","institution_ids":["https://openalex.org/I47720641"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5076296815","display_name":"Feng Dong","orcid":"https://orcid.org/0000-0001-7091-2169"},"institutions":[{"id":"https://openalex.org/I47720641","display_name":"Huazhong University of Science and Technology","ror":"https://ror.org/00p991c53","country_code":"CN","type":"education","lineage":["https://openalex.org/I47720641"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Feng Dong","raw_affiliation_strings":["Huazhong University of Science and Technology, Wuhan, China"],"affiliations":[{"raw_affiliation_string":"Huazhong University of Science and Technology, Wuhan, China","institution_ids":["https://openalex.org/I47720641"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Hangfeng Yang","orcid":"https://orcid.org/0000-0001-5459-5458"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Hangfeng Yang","raw_affiliation_strings":["Sangfor Technologies Inc., Shenzhen, China"],"affiliations":[{"raw_affiliation_string":"Sangfor Technologies Inc., Shenzhen, China","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100659425","display_name":"Jingheng Xu","orcid":"https://orcid.org/0000-0001-7311-9924"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jingheng Xu","raw_affiliation_strings":["Sangfor Technologies Inc., Shenzhen, China"],"affiliations":[{"raw_affiliation_string":"Sangfor Technologies Inc., Shenzhen, China","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5115695530","display_name":"Haoyu Wang","orcid":"https://orcid.org/0000-0003-1100-8633"},"institutions":[{"id":"https://openalex.org/I47720641","display_name":"Huazhong University of Science and Technology","ror":"https://ror.org/00p991c53","country_code":"CN","type":"education","lineage":["https://openalex.org/I47720641"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Haoyu Wang","raw_affiliation_strings":["Huazhong University of Science and Technology, Wuhan, China"],"affiliations":[{"raw_affiliation_string":"Huazhong University of Science and Technology, Wuhan, China","institution_ids":["https://openalex.org/I47720641"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5029601880"],"corresponding_institution_ids":["https://openalex.org/I47720641"],"apc_list":null,"apc_paid":null,"fwci":3.4155,"has_fulltext":true,"cited_by_count":10,"citation_normalized_percentile":{"value":0.93466511,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":99,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"2326","last_page":"2340"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9973000288009644,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9940000176429749,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/ransomware","display_name":"Ransomware","score":0.9646944403648376},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7339015007019043},{"id":"https://openalex.org/keywords/overhead","display_name":"Overhead (engineering)","score":0.541485071182251},{"id":"https://openalex.org/keywords/embedded-system","display_name":"Embedded system","score":0.49271753430366516},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4527474045753479},{"id":"https://openalex.org/keywords/real-time-computing","display_name":"Real-time computing","score":0.3951975703239441},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.38629966974258423},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.23524683713912964}],"concepts":[{"id":"https://openalex.org/C2777667771","wikidata":"https://www.wikidata.org/wiki/Q926331","display_name":"Ransomware","level":3,"score":0.9646944403648376},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7339015007019043},{"id":"https://openalex.org/C2779960059","wikidata":"https://www.wikidata.org/wiki/Q7113681","display_name":"Overhead (engineering)","level":2,"score":0.541485071182251},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.49271753430366516},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4527474045753479},{"id":"https://openalex.org/C79403827","wikidata":"https://www.wikidata.org/wiki/Q3988","display_name":"Real-time computing","level":1,"score":0.3951975703239441},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.38629966974258423},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.23524683713912964}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3658644.3690269","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3690269","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3690269","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},{"id":"pmh:oai:arXiv.org:2408.16515","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2408.16515","pdf_url":"https://arxiv.org/pdf/2408.16515","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"}],"best_oa_location":{"id":"doi:10.1145/3658644.3690269","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3658644.3690269","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3658644.3690269","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[{"display_name":"Industry, innovation and infrastructure","score":0.550000011920929,"id":"https://metadata.un.org/sdg/9"}],"awards":[{"id":"https://openalex.org/G1121271761","display_name":null,"funder_award_id":"Program","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2087396116","display_name":null,"funder_award_id":"China","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G2870525900","display_name":null,"funder_award_id":"Wuhan","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G391238517","display_name":null,"funder_award_id":", and","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G5853313636","display_name":null,"funder_award_id":"Knowledge","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G7659621868","display_name":null,"funder_award_id":"62072046","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"},{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"}],"has_content":{"grobid_xml":false,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4402711998.pdf"},"referenced_works_count":27,"referenced_works":["https://openalex.org/W1678356000","https://openalex.org/W2295598076","https://openalex.org/W2513529237","https://openalex.org/W2539082945","https://openalex.org/W2559964890","https://openalex.org/W2765383620","https://openalex.org/W2775582065","https://openalex.org/W2789729245","https://openalex.org/W2885096636","https://openalex.org/W2896600304","https://openalex.org/W2902391397","https://openalex.org/W3007070494","https://openalex.org/W3039822732","https://openalex.org/W3132588576","https://openalex.org/W3215200159","https://openalex.org/W4200569302","https://openalex.org/W4212915751","https://openalex.org/W4214850595","https://openalex.org/W4288760578","https://openalex.org/W4306377502","https://openalex.org/W4318189316","https://openalex.org/W4366447842","https://openalex.org/W4384948742","https://openalex.org/W4388193636","https://openalex.org/W4388867277","https://openalex.org/W4389454898","https://openalex.org/W4394744483"],"related_works":["https://openalex.org/W3201228709","https://openalex.org/W2922354075","https://openalex.org/W4389157351","https://openalex.org/W4232561318","https://openalex.org/W3202245533","https://openalex.org/W4253977752","https://openalex.org/W2942879794","https://openalex.org/W2964829536","https://openalex.org/W2904586340","https://openalex.org/W3120595989"],"abstract_inverted_index":{"Ransomware":[0],"attacks":[1,285],"have":[2],"emerged":[3],"as":[4,182,184],"one":[5],"of":[6,41,67,104,199,231,241,282,303],"the":[7,38,54,115,232,239,301],"most":[8],"significant":[9],"cybersecurity":[10],"threats.":[11],"Despite":[12],"numerous":[13],"methods":[14],"proposed":[15],"for":[16,48,56,259],"detecting":[17],"and":[18,45,81,97,118,138,193,214,252,272,295,308],"defending":[19],"against":[20],"ransomware,":[21,150],"existing":[22],"approaches":[23],"face":[24],"two":[25],"fundamental":[26],"limitations":[27],"in":[28,70,305,312],"large-scale":[29,71,146],"industrial":[30,72,147],"applications:":[31],"(1)":[32],"Behavior-based":[33],"detection":[34,61,100],"engines":[35,62],"suffer":[36],"from":[37,85,128,235,286],"enormous":[39],"overhead":[40],"monitoring":[42,116],"all":[43,107],"processes":[44,80,113],"resource":[46],"constraints":[47],"model":[49],"inference,":[50],"failing":[51],"to":[52,75,78,124,212,222,229,266,288],"meet":[53],"requirements":[55],"real-time":[57,96,194],"detection;":[58],"(2)":[59],"Decoy-based":[60],"generate":[63],"an":[64],"overwhelming":[65],"number":[66],"false":[68,178],"positives":[69],"clusters,":[73],"leading":[74],"intolerable":[76],"disruptions":[77],"critical":[79],"excessive":[82],"inspection":[83,233],"efforts":[84,234],"security":[86,236],"analysts.":[87,237],"To":[88],"address":[89],"these":[90],"challenges,":[91],"we":[92],"propose":[93],"CanCal,":[94],"a":[95,145,164,197,249,261],"lightweight":[98,136],"ransomware":[99,126,173,275,284,310],"system.":[101],"Specifically,":[102],"instead":[103],"indiscriminately":[105],"analyzing":[106],"processes,":[108],"CanCal":[109,162,180,202,244,269,304],"selectively":[110],"filters":[111],"suspicious":[112],"by":[114,208,218],"layers":[117],"then":[119],"performs":[120],"in-depth":[121],"behavioral":[122],"analysis":[123,281],"isolate":[125],"activities":[127],"benign":[129],"operations,":[130],"minimizing":[131],"alert":[132],"fatigue":[133],"while":[134,187,224],"ensuring":[135],"computational":[137],"storage":[139],"overhead.":[140],"The":[141],"experimental":[142],"results":[143],"on":[144,170,255],"environment":[148],"(1,761":[149],"~":[151],"3":[152,200],"million":[153,257],"events,":[154,175],"continuous":[155],"test":[156],"over":[157,260],"5":[158,296],"months)":[159],"indicate":[160],"that":[161],"achieves":[163],"remarkable":[165],"99.65%":[166],"true":[167],"positive":[168],"rate":[169],"555,678":[171],"unknown":[172,309],"behavior":[174],"with":[176],"near-zero":[177],"positives.":[179],"is":[181],"effective":[183],"state-of-the-art":[185],"techniques":[186],"enabling":[188],"rapid":[189],"inference":[190],"within":[191,196],"30ms":[192],"response":[195],"maximum":[198],"seconds.":[201],"dramatically":[203],"reduces":[204],"average":[205],"CPU":[206,216],"utilization":[207,217],"91.04%":[209],"(from":[210,220,227],"6.7%":[211],"0.6%)":[213],"peak":[215],"76.69%":[219],"26.6%":[221],"6.2%),":[223],"avoiding":[225],"76.50%":[226],"3,192":[228],"750)":[230],"By":[238],"time":[240],"this":[242],"writing,":[243],"has":[245],"been":[246],"integrated":[247],"into":[248],"commercial":[250],"product":[251],"successfully":[253,270],"deployed":[254],"3.32":[256],"endpoints":[258],"year.":[262],"From":[263],"March":[264,287],"2023":[265,290],"April":[267],"2024,":[268],"detected":[271],"thwarted":[273],"61":[274],"attacks.":[276],"A":[277],"detailed":[278],"manual":[279],"forensic":[280],"27":[283],"June":[289],"(including":[291],"13":[292],"n-day":[293],"exploits":[294],"high-risk":[297],"zero-day":[298],"attacks)":[299],"demonstrates":[300],"effectiveness":[302],"combating":[306],"sophisticated":[307],"threats":[311],"real-world":[313],"scenarios.":[314]},"counts_by_year":[{"year":2026,"cited_by_count":3},{"year":2025,"cited_by_count":7}],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2025-10-10T00:00:00"}