
arxiv: 1907.06775 · v1 · pith:JZPLQBX4new · submitted 2019-07-15 · 💻 cs.CR · cs.DB

Hands Off my Database: Ransomware Detection in Databases through Dynamic Analysis of Query Sequences

Pith reviewed 2026-05-24 21:07 UTC · model grok-4.3

classification 💻 cs.CR cs.DB
keywords ransomware detection · database security · query sequence analysis · Colored Petri Nets · dynamic monitoring · MySQL · server-side attacks

The pith

DIMAQS detects server-side database ransomware by matching incoming query sequences against Colored Petri Net models of attacks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper sets out to show that ransomware attacks on databases produce recognizable sequences of queries that can be caught at runtime by monitoring all traffic with Colored Petri Nets. A sympathetic reader would see this as filling an important gap, since existing defenses target only client machines while database ransomware has already caused large financial losses and continues to spread across server platforms. The approach claims to work globally across connections rather than being limited to single users, and the evaluation reports perfect detection with low overhead on a MySQL proof-of-concept.

Core claim

DIMAQS performs runtime monitoring of incoming queries and pattern matching using Colored Petri Nets for attack detection. The system design includes novel techniques for efficient global detection of malicious query sequences without limiting detection to distinct user connections. Its MySQL implementation achieves no false positives, no false negatives, and performance overhead under 5 percent.

What carries the argument

Colored Petri Nets that encode patterns of malicious query sequences for runtime matching against live database traffic.

If this is right

  • Database administrators can add ransomware detection to existing servers with under 5 percent slowdown.
  • Detection works across all user connections rather than requiring per-connection tracking.
  • The same modeling approach can be applied to other database systems beyond the MySQL prototype.
  • Public release of the data sets allows direct comparison with future detection methods.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If query patterns remain stable over time, the Colored Petri Net models could be updated infrequently rather than rebuilt for every new attack variant.
  • Combining the sequence model with per-query anomaly checks might reduce the chance that an attacker crafts queries to stay inside the normal pattern.
  • The global detection property suggests the method could scale to shared database clusters where connections are pooled or short-lived.

Load-bearing premise

Ransomware attacks always produce query sequences whose patterns in Colored Petri Nets remain distinct from any legitimate traffic.

What would settle it

A recorded ransomware attack whose query sequence is accepted by the Colored Petri Net model as normal traffic, or a set of normal queries rejected as malicious.
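The matching idea and the check that would settle it, as an added example (not the paper's CPN and not the DIMAQS implementation): a minimal net with colored tokens, run over constructed traces. The pattern it encodes (a table is read without a filter, then dropped, then a new table is created and written to), the regex classifier, the table names and the `per_connection` switch are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Coarse query classifier (assumption: a real monitor would hook the server's
# parser instead of using regular expressions).
RULES = [
    ("read", re.compile(r"^\s*SELECT\s+\*\s+FROM\s+`?(\w+)`?\s*;?\s*$", re.I)),
    ("drop", re.compile(r"^\s*DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?`?(\w+)`?", re.I)),
    ("create", re.compile(r"^\s*CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(\w+)`?", re.I)),
    ("insert", re.compile(r"^\s*INSERT\s+INTO\s+`?(\w+)`?", re.I)),
]

def classify(sql):
    """Return (event kind, table name), or (None, None) for other queries."""
    for kind, rx in RULES:
        m = rx.match(sql)
        if m:
            return kind, m.group(1).lower()
    return None, None

class QuerySequenceNet:
    """Places hold colored tokens; a token's color is (scope, table)."""

    def __init__(self, per_connection=False):
        self.per_connection = per_connection
        self.places = defaultdict(set)
        self.alerts = []

    def feed(self, conn_id, sql):
        """Fire at most one transition for this query; True if it alerts."""
        kind, table = classify(sql)
        if kind is None:
            return False
        # Global matching puts every connection in one scope.
        scope = conn_id if self.per_connection else "*"
        tok, p = (scope, table), self.places
        dropped = {t for s, t in p["dropped"] if s == scope}
        if kind == "read":                         # unfiltered read of a table
            p["read"].add(tok)
        elif kind == "drop" and tok in p["read"]:  # guard: same table was read
            p["read"].discard(tok)
            p["dropped"].add(tok)
        elif kind == "create" and dropped:         # guard: a drop came first
            p["created"].add(tok)
        elif kind == "insert" and tok in p["created"]:
            p["created"].discard(tok)              # final transition consumes tokens
            p["dropped"] -= {(scope, t) for t in dropped}
            self.alerts.append({"conn": conn_id, "dropped": sorted(dropped),
                                "written": table})
            return True
        return False

def run(trace, per_connection=False):
    """Replay a trace of (connection id, query) pairs and return the alerts."""
    net = QuerySequenceNet(per_connection)
    for conn_id, sql in trace:
        net.feed(conn_id, sql)
    return net.alerts

# Constructed traces of (connection id, query); none come from the paper's data sets.
SPREAD = [(1, "SELECT * FROM customers"), (2, "DROP TABLE customers"),
          (3, "CREATE TABLE notice (msg TEXT)"),
          (3, "INSERT INTO notice VALUES ('constructed placeholder')")]
MIGRATION = [(7, "CREATE TABLE orders_new LIKE orders"),
             (7, "INSERT INTO orders_new SELECT * FROM orders"),
             (7, "DROP TABLE orders"), (7, "RENAME TABLE orders_new TO orders")]
REBUILD = [(9, "SELECT * FROM sessions"), (9, "DROP TABLE sessions"),
           (9, "CREATE TABLE sessions (id INT)"),
           (9, "INSERT INTO sessions VALUES (1)")]

if __name__ == "__main__":
    print("spread, global:        ", run(SPREAD))
    print("spread, per-connection:", run(SPREAD, per_connection=True))
    print("migration:             ", run(MIGRATION))
    print("rebuild (legitimate):  ", run(REBUILD))
```

The `REBUILD` trace is a legitimate export-and-rebuild that this toy pattern still flags, which is the kind of overlap with normal workloads that a false-positive measurement has to include.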

Figures

Figures reproduced from arXiv: 1907.06775 by Alexandra Dmitrienko, Christoph Hagen, Lukas Iffländer, Michael Jobst, Samuel Kounev.

Figure 1: Demonstration of Petri net execution using a simpl
Figure 2: Colored Petri Net example. In comparison to the reg
Figure 3: System architecture of DIMAQS. Dark grey boxes
Figure 4: The CPN used to classify database transactions.
Figure 5: Performance influence of DIMAQS for sysbench

Ransomware is an emerging threat which imposed a $5 billion loss in 2017 and is predicted to hit $11.5 billion in 2019. While initially targeting PC (client) platforms, ransomware recently made the leap to server-side databases - starting in January 2017 with the MongoDB Apocalypse attack, followed by other attack waves targeting a wide range of DB types such as MongoDB, MySQL, ElasticSearch, Cassandra, Hadoop, and CouchDB. While previous research has developed countermeasures against client-side ransomware (e.g., CryptoDrop and ShieldFS), the problem of server-side ransomware has received zero attention so far. In our work, we aim to bridge this gap and present DIMAQS (Dynamic Identification of Malicious Query Sequences), a novel anti-ransomware solution for databases. DIMAQS performs runtime monitoring of incoming queries and pattern matching using Colored Petri Nets (CPNs) for attack detection. Our system design exhibits several novel techniques to enable efficient detection of malicious query sequences globally (i.e., without limiting detection to distinct user connections). Our proof-of-concept implementation targets MySQL servers. The evaluation shows high efficiency with no false positives and no false negatives and very moderate performance overhead of under 5%. We will publish our data sets and implementation allowing the community to reproduce our tests and compare to our results.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces DIMAQS, a runtime monitoring system for detecting server-side database ransomware via dynamic analysis of query sequences modeled with Colored Petri Nets (CPNs). It targets MySQL, enables global detection without per-connection scoping, and reports zero false positives/negatives plus under 5% overhead in its evaluation, with a commitment to release datasets and implementation.

Significance. If the detection claims hold under broader validation, the work would be significant as the first dedicated countermeasure for database ransomware, extending CPN-based pattern matching to global query-sequence monitoring. The explicit plan to publish datasets and code is a clear strength for reproducibility and follow-on research.

major comments (2)
  1. [Evaluation section] The zero false-positive/negative claim requires that ransomware CPN transitions have no overlap with any legitimate query traffic. The reported experiments do not describe testing against common legitimate workloads (bulk deletes, schema migrations, index rebuilds, or admin analytics) that can generate similar multi-query sequences, leaving the global-detection guarantee unverified beyond the attack traces used.
  2. [System design, global detection technique] The design asserts that pattern matching can be performed server-wide without per-connection limits, yet no argument or additional experiment shows how the CPN places/transitions are guaranteed to be ransomware-exclusive rather than merely tuned to the evaluated attack set.
minor comments (2)
  1. [Abstract] The performance-overhead figure is stated without reference to the specific benchmark workload or measurement procedure used.
  2. The paper promises public release of datasets and code but does not specify the exact artifacts (e.g., CPN definitions, query traces) that will be included.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. We address the two major comments point by point below, agreeing that additional material is needed to strengthen the claims on detection exclusivity and evaluation coverage.

  1. Referee: [Evaluation section] The zero false-positive/negative claim requires that ransomware CPN transitions have no overlap with any legitimate query traffic. The reported experiments do not describe testing against common legitimate workloads (bulk deletes, schema migrations, index rebuilds, or admin analytics) that can generate similar multi-query sequences, leaving the global-detection guarantee unverified beyond the attack traces used.

    Authors: We agree that the current evaluation description is limited and does not explicitly cover the listed legitimate workloads. In the revised manuscript we will expand the Evaluation section with new experiments exercising bulk deletes, schema migrations, index rebuilds, and admin analytics queries. These will be run against the same CPN models to confirm they produce no matches, thereby supporting the zero false-positive claim under broader conditions. revision: yes

  2. Referee: [System design, global detection technique] The design asserts that pattern matching can be performed server-wide without per-connection limits, yet no argument or additional experiment shows how the CPN places/transitions are guaranteed to be ransomware-exclusive rather than merely tuned to the evaluated attack set.

    Authors: The CPNs are derived directly from the observable query sequences in documented ransomware campaigns (e.g., rapid DROP DATABASE / DROP TABLE sequences without preceding legitimate administrative steps). We will add a dedicated paragraph in the System Design section that contrasts these sequences with typical legitimate multi-query patterns and explains why the chosen places and transitions capture ransomware-specific ordering rather than generic tuning. The expanded evaluation experiments mentioned above will supply empirical confirmation that the same CPNs remain silent on the additional legitimate workloads. revision: yes

Circularity Check

0 steps flagged

No significant circularity; system description and evaluation are self-contained


The paper presents DIMAQS as a new implementation for runtime query monitoring via Colored Petri Nets, with claims of zero FP/FN based on empirical evaluation of a proof-of-concept on MySQL. No equations, fitted parameters, self-citations, or ansatzes are shown that reduce the detection claims to prior inputs by construction. The central premise relies on the distinctness of ransomware patterns (an external assumption open to falsification) rather than any self-definitional or load-bearing self-citation chain. This is the expected non-finding for an implementation-focused systems paper.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

Central claim rests on the domain assumption that CPNs can capture ransomware patterns distinctly from normal traffic; no free parameters or invented entities are described in the abstract.

axioms (1)
  • domain assumption: Colored Petri Nets can accurately distinguish malicious query sequences from legitimate ones in database workloads
    Detection mechanism depends on this modeling premise for pattern matching.
invented entities (1)
  • DIMAQS detection system (no independent evidence)
    purpose: Runtime monitoring and CPN-based ransomware detection for databases
    New system introduced in the work; no independent evidence outside the paper.

pith-pipeline@v0.9.0 · 5786 in / 1181 out tokens · 21613 ms · 2026-05-24T21:07:27.303130+00:00 · methodology
