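@comment{
  Publication list (journal articles). Conventions used in this file:
  - one field per line, braces as delimiters, page ranges written as {a--b};
  - journal names stored as plain titles (catalogue subtitles after " : " dropped);
  - proper nouns, taxon names and acronyms in title are brace-protected so
    sentence-casing styles keep them intact;
  - recurring journal names are declared once as @string macros below.
}

@string{CCPE = {Concurrency and Computation: Practice \& Experience}}

@article{ChengDennisOsuohaetal.2023,
  author    = {Cheng, Feng and Dennis, Alice B. and Osuoha, Josephine Ijeoma and Canitz, Julia and Kirschbaum, Frank and Tiedemann, Ralph},
  title     = {A new genome assembly of an {African} weakly electric fish ({Campylomormyrus compressirostris}, {Mormyridae}) indicates rapid gene family evolution in {Osteoglossomorpha}},
  journal   = {BMC Genomics},
  volume    = {24},
  number    = {1},
  pages     = {13},
  year      = {2023},
  publisher = {BMC},
  address   = {London},
  issn      = {1471-2164},
  doi       = {10.1186/s12864-023-09196-6},
  abstract  = {Background Teleost fishes comprise more than half of the vertebrate species. Within teleosts, most phylogenies consider the split between Osteoglossomorpha and Euteleosteomorpha/Otomorpha as basal, preceded only by the derivation of the most primitive group of teleosts, the Elopomorpha. While Osteoglossomorpha are generally species poor, the taxon contains the African weakly electric fish (Mormyroidei), which have radiated into numerous species. Within the mormyrids, the genus Campylomormyrus is mostly endemic to the Congo Basin. Campylomormyrus serves as a model to understand mechanisms of adaptive radiation and ecological speciation, especially with regard to its highly diverse species-specific electric organ discharges (EOD). Currently, there are few well-annotated genomes available for electric fish in general and mormyrids in particular. Our study aims at producing a high-quality genome assembly and to use this to examine genome evolution in relation to other teleosts. This will facilitate further understanding of the evolution of the osteoglossomorpha fish in general and of electric fish in particular. Results A high-quality weakly electric fish (C. compressirostris) genome was produced from a single individual with a genome size of 862 Mb, consisting of 1,497 contigs with an N50 of 1,399 kb and a GC-content of 43.69\%. Gene predictions identified 34,492 protein-coding genes, which is a higher number than in the two other available Osteoglossomorpha genomes of Paramormyrops kingsleyae and Scleropages formosus. A Computational Analysis of gene Family Evolution (CAFE5) comparing 33 teleost fish genomes suggests an overall faster gene family turnover rate in Osteoglossomorpha than in Otomorpha and Euteleosteomorpha. Moreover, the ratios of expanded/contracted gene family numbers in Osteoglossomorpha are significantly higher than in the other two taxa, except for species that had undergone an additional genome duplication (Cyprinus carpio and Oncorhynchus mykiss). As potassium channel proteins are hypothesized to play a key role in EOD diversity among species, we put a special focus on them, and manually curated 16 Kv1 genes. We identified a tandem duplication in the KCNA7a gene in the genome of C. compressirostris. Conclusions We present the fourth genome of an electric fish and the third well-annotated genome for Osteoglossomorpha, enabling us to compare gene family evolution among major teleost lineages. Osteoglossomorpha appear to exhibit rapid gene family evolution, with more gene family expansions than contractions. The curated Kv1 gene family showed seven gene clusters, which is more than in other analyzed fish genomes outside Osteoglossomorpha. The KCNA7a, encoding for a potassium channel central for EOD production and modulation, is tandemly duplicated which may related to the diverse EOD observed among Campylomormyrus species.},
  language  = {en},
}

@article{HuChengXuetal.2021,
  author    = {Hu, Ting-Li and Cheng, Feng and Xu, Zhen and Chen, Zhong-Zheng and Yu, Lei and Ban, Qian and Li, Chun-Lin and Pan, Tao and Zhang, Bao-Wei},
  title     = {Molecular and morphological evidence for a new species of the genus {Typhlomys} ({Rodentia}: {Platacanthomyidae})},
  journal   = {Zoological Research},
  volume    = {42},
  number    = {1},
  pages     = {100--107},
  year      = {2021},
  publisher = {Yunnan Renmin Chubanshe},
  address   = {Kunming},
  issn      = {2095-8137},
  doi       = {10.24272/j.issn.2095-8137.2020.132},
  abstract  = {In this study, we reassessed the taxonomic position of Typhlomys (Rodentia: Platacanthomyidae) from Huangshan, Anhui, China, based on morphological and molecular evidence. Results suggested that Typhlomys is comprised of up to six species, including four currently recognized species (Typhlomys cinereus, T. chapensis, T. daloushanensis, and T. nanus), one unconfirmed candidate species, and one new species (Typhlomys huangshanensis sp. nov.). Morphological analyses further supported the designation of the Huangshan specimens found at mid-elevations in the southern Huangshan Mountains (600 m to 1 200 m a.s.l.) as a new species.},
  language  = {en},
}

@article{TorkuraSukmanaChengetal.2020,
  author    = {Torkura, Kennedy A. and Sukmana, Muhammad Ihsan Haikal and Cheng, Feng and Meinel, Christoph},
  title     = {{CloudStrike}},
  journal   = {IEEE Access},
  volume    = {8},
  pages     = {123044--123060},
  year      = {2020},
  publisher = {Institute of Electrical and Electronics Engineers},
  address   = {Piscataway},
  issn      = {2169-3536},
  doi       = {10.1109/ACCESS.2020.3007338},
  abstract  = {Most cyber-attacks and data breaches in cloud infrastructure are due to human errors and misconfiguration vulnerabilities. Cloud customer-centric tools are imperative for mitigating these issues, however existing cloud security models are largely unable to tackle these security challenges. Therefore, novel security mechanisms are imperative, we propose Risk-driven Fault Injection (RDFI) techniques to address these challenges. RDFI applies the principles of chaos engineering to cloud security and leverages feedback loops to execute, monitor, analyze and plan security fault injection campaigns, based on a knowledge-base. The knowledge-base consists of fault models designed from secure baselines, cloud security best practices and observations derived during iterative fault injection campaigns. These observations are helpful for identifying vulnerabilities while verifying the correctness of security attributes (integrity, confidentiality and availability). Furthermore, RDFI proactively supports risk analysis and security hardening efforts by sharing security information with security mechanisms. We have designed and implemented the RDFI strategies including various chaos engineering algorithms as a software tool: CloudStrike. Several evaluations have been conducted with CloudStrike against infrastructure deployed on two major public cloud infrastructure: Amazon Web Services and Google Cloud Platform. The time performance linearly increases, proportional to increasing attack rates. Also, the analysis of vulnerabilities detected via security fault injection has been used to harden the security of cloud resources to demonstrate the effectiveness of the security information provided by CloudStrike. Therefore, we opine that our approaches are suitable for overcoming contemporary cloud security issues.},
  language  = {en},
}

@article{SapeginJaegerChengetal.2017,
  author    = {Sapegin, Andrey and Jaeger, David and Cheng, Feng and Meinel, Christoph},
  title     = {Towards a system for complex analysis of security events in large-scale networks},
  journal   = {Computers \& Security},
  volume    = {67},
  pages     = {16--34},
  year      = {2017},
  publisher = {Elsevier Science},
  address   = {Oxford},
  issn      = {0167-4048},
  doi       = {10.1016/j.cose.2017.02.001},
  abstract  = {After almost two decades of development, modern Security Information and Event Management (SIEM) systems still face issues with normalisation of heterogeneous data sources, high number of false positive alerts and long analysis times, especially in large-scale networks with high volumes of security events. In this paper, we present our own prototype of SIEM system, which is capable of dealing with these issues. For efficient data processing, our system employs in-memory data storage (SAP HANA) and our own technologies from the previous work, such as the Object Log Format (OLF) and high-speed event normalisation. We analyse normalised data using a combination of three different approaches for security analysis: misuse detection, query-based analytics, and anomaly detection. Compared to the previous work, we have significantly improved our unsupervised anomaly detection algorithms. Most importantly, we have developed a novel hybrid outlier detection algorithm that returns ranked clusters of anomalies. It lets an operator of a SIEM system to concentrate on the several top-ranked anomalies, instead of digging through an unsorted bundle of suspicious events. We propose to use anomaly detection in a combination with signatures and queries, applied on the same data, rather than as a full replacement for misuse detection. In this case, the majority of attacks will be captured with misuse detection, whereas anomaly detection will highlight previously unknown behaviour or attacks. We also propose that only the most suspicious event clusters need to be checked by an operator, whereas other anomalies, including false positive alerts, do not need to be explicitly checked if they have a lower ranking. We have proved our concepts and algorithms on a dataset of 160 million events from a network segment of a big multinational company and suggest that our approach and methods are highly relevant for modern SIEM systems.},
  language  = {en},
}

@article{AzodiChengMeinel2015,
  author    = {Azodi, Amir and Cheng, Feng and Meinel, Christoph},
  title     = {Event Driven Network Topology Discovery and Inventory Listing Using {REAMS}},
  journal   = {Wireless Personal Communications},
  volume    = {94},
  pages     = {415--430},
  year      = {2015},
  publisher = {Springer},
  address   = {New York},
  issn      = {0929-6212},
  doi       = {10.1007/s11277-015-3061-3},
  abstract  = {Network Topology Discovery and Inventory Listing are two of the primary features of modern network monitoring systems (NMS). Current NMSs rely heavily on active scanning techniques for discovering and mapping network information. Although this approach works, it introduces some major drawbacks such as the performance impact it can exact, specially in larger network environments. As a consequence, scans are often run less frequently which can result in stale information being presented and used by the network monitoring system. Alternatively, some NMSs rely on their agents being deployed on the hosts they monitor. In this article, we present a new approach to Network Topology Discovery and Network Inventory Listing using only passive monitoring and scanning techniques. The proposed techniques rely solely on the event logs produced by the hosts and network devices present within a network. Finally, we discuss some of the advantages and disadvantages of our approach.},
  language  = {en},
}

@article{JaegerGraupnerPelchenetal.2018,
  author    = {Jaeger, David and Graupner, Hendrik and Pelchen, Chris and Cheng, Feng and Meinel, Christoph},
  title     = {Fast Automated Processing and Evaluation of Identity Leaks},
  journal   = {International Journal of Parallel Programming},
  volume    = {46},
  number    = {2},
  pages     = {441--470},
  year      = {2018},
  publisher = {Springer},
  address   = {New York},
  issn      = {0885-7458},
  doi       = {10.1007/s10766-016-0478-6},
  abstract  = {The relevance of identity data leaks on the Internet is more present than ever. Almost every week we read about leakage of databases with more than a million users in the news. Smaller but not less dangerous leaks happen even multiple times a day. The public availability of such leaked data is a major threat to the victims, but also creates the opportunity to learn not only about security of service providers but also the behavior of users when choosing passwords. Our goal is to analyze this data and generate knowledge that can be used to increase security awareness and security, respectively. This paper presents a novel approach to the processing and analysis of a vast majority of bigger and smaller leaks. We evolved from a semi-manual to a fully automated process that requires a minimum of human interaction. Our contribution is the concept and a prototype implementation of a leak processing workflow that includes the extraction of digital identities from structured and unstructured leak-files, the identification of hash routines and a quality control to ensure leak authenticity. By making use of parallel and distributed programming, we are able to make leaks almost immediately available for analysis and notification after they have been published. Based on the data collected, this paper reveals how easy it is for criminals to collect lots of passwords, which are plain text or only weakly hashed. We publish those results and hope to increase not only security awareness of Internet users but also security on a technical level on the service provider side.},
  language  = {en},
}

@article{PengLiuWangetal.2018,
  author    = {Peng, Junjie and Liu, Danxu and Wang, Yingtao and Zeng, Ying and Cheng, Feng and Zhang, Wenqiang},
  title     = {Weight-based strategy for an {I/O}-intensive application at a cloud data center},
  journal   = CCPE,
  volume    = {30},
  number    = {19},
  pages     = {14},
  year      = {2018},
  publisher = {Wiley},
  address   = {Hoboken},
  issn      = {1532-0626},
  doi       = {10.1002/cpe.4648},
  abstract  = {Applications with different characteristics in the cloud may have different resources preferences. However, traditional resource allocation and scheduling strategies rarely take into account the characteristics of applications. Considering that an I/O-intensive application is a typical type of application and that frequent I/O accesses, especially small files randomly accessing the disk, may lead to an inefficient use of resources and reduce the quality of service (QoS) of applications, a weight allocation strategy is proposed based on the available resources that a physical server can provide as well as the characteristics of the applications. Using the weight obtained, a resource allocation and scheduling strategy is presented based on the specific application characteristics in the data center. Extensive experiments show that the strategy is correct and can guarantee a high concurrency of I/O per second (IOPS) in a cloud data center with high QoS. Additionally, the strategy can efficiently improve the utilization of the disk and resources of the data center without affecting the service quality of applications.},
  language  = {en},
}

@article{RoschkeChengMeinel2012,
  author    = {Roschke, Sebastian and Cheng, Feng and Meinel, Christoph},
  title     = {An alert correlation platform for memory-supported techniques},
  journal   = CCPE,
  volume    = {24},
  number    = {10},
  pages     = {1123--1136},
  year      = {2012},
  publisher = {Wiley-Blackwell},
  address   = {Hoboken},
  issn      = {1532-0626},
  doi       = {10.1002/cpe.1750},
  abstract  = {Intrusion Detection Systems (IDS) have been widely deployed in practice for detecting malicious behavior on network communication and hosts. False-positive alerts are a popular problem for most IDS approaches. The solution to address this problem is to enhance the detection process by correlation and clustering of alerts. To meet the practical requirements, this process needs to be finished fast, which is a challenging task as the amount of alerts in large-scale IDS deployments is significantly high. We identify data storage and processing algorithms to be the most important factors influencing the performance of clustering and correlation. We propose and implement a highly efficient alert correlation platform. For storage, a column-based database, an In-Memory alert storage, and memory-based index tables lead to significant improvements of the performance. For processing, algorithms are designed and implemented which are optimized for In-Memory databases, e.g. an attack graph-based correlation algorithm. The platform can be distributed over multiple processing units to share memory and processing power. A standardized interface is designed to provide a unified view of result reports for end users. The efficiency of the platform is tested by practical experiments with several alert storage approaches, multiple algorithms, as well as a local and a distributed deployment.},
  language  = {en},
}

@article{RoschkeChengMeinel2013,
  author    = {Roschke, Sebastian and Cheng, Feng and Meinel, Christoph},
  title     = {High-quality attack graph-based {IDS} correlation},
  journal   = {Logic Journal of the IGPL},
  volume    = {21},
  number    = {4},
  pages     = {571--591},
  year      = {2013},
  publisher = {Oxford University Press},
  address   = {Oxford},
  issn      = {1367-0751},
  doi       = {10.1093/jigpal/jzs034},
  abstract  = {Intrusion Detection Systems are widely deployed in computer networks. As modern attacks are getting more sophisticated and the number of sensors and network nodes grow, the problem of false positives and alert analysis becomes more difficult to solve. Alert correlation was proposed to analyse alerts and to decrease false positives. Knowledge about the target system or environment is usually necessary for efficient alert correlation. For representing the environment information as well as potential exploits, the existing vulnerabilities and their Attack Graph (AG) is used. It is useful for networks to generate an AG and to organize certain vulnerabilities in a reasonable way. In this article, a correlation algorithm based on AGs is designed that is capable of detecting multiple attack scenarios for forensic analysis. It can be parameterized to adjust the robustness and accuracy. A formal model of the algorithm is presented and an implementation is tested to analyse the different parameters on a real set of alerts from a local network. To improve the speed of the algorithm, a multi-core version is proposed and a HMM-supported version can be used to further improve the quality. The parallel implementation is tested on a multi-core correlation platform, using CPUs and GPUs.},
  language  = {en},
}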