A Ransomware Detection Method Using Fuzzy Hashing for Mitigating the Risk of Occlusion of Information Systems

Today, a significant threat to organisational information systems is ransomware, which can completely occlude an information system by denying access to its data. To reduce this exposure and the damage from ransomware attacks, organisations are obliged to concentrate explicitly on the threat of ransomware, alongside their general malware prevention strategy. In attempting to prevent the escalation of ransomware attacks, it is important to account for their polymorphic behaviour and the dispersion of an inexhaustible number of versions. However, many ransomware samples are similar to one another because they are created by related groups of threat actors. A particular threat actor or group often adopts similar practices or a common codebase to create unlimited versions of their ransomware. As a result of these common traits and shared codebase, it is probable that new or unknown ransomware variants can be detected by comparison with their originating or existing samples. Therefore, this paper presents a detection method for ransomware that employs a similarity preserving hashing technique called fuzzy hashing. This detection method is applied to the collected WannaCry (WannaCryptor) ransomware corpus using three fuzzy hashing methods, SSDEEP, SDHASH and mvHASH-B, to evaluate the similarity detection success rate of each method. Moreover, their fuzzy similarity scores are used to cluster the collected ransomware corpus, and the clustering results are compared to determine the relative accuracy of the selected fuzzy hashing methods.
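The detection idea described above, as an added illustration that is not the paper's code nor the real SSDEEP, SDHASH or mvHASH-B implementations: a simplified context-triggered piecewise hash in the spirit of SSDEEP is computed over constructed byte strings standing in for a known sample, a patched variant and an unrelated file, and a candidate is flagged when its score against a known signature reaches a threshold. The rolling hash, chunk hash, fixed block size and scoring below are simplifications and assumptions, not the tools' actual algorithms.

```python
"""Simplified context-triggered piecewise hashing (CTPH) for variant detection."""
import random
from difflib import SequenceMatcher

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def fuzzy_hash(data: bytes, block_size: int = 64) -> str:
    """Signature with one base64 char per content-defined chunk.
    Assumption: a 7-byte window sum as the rolling hash and a fixed block size;
    real SSDEEP derives the block size from the input length."""
    sig, window, roll, h = [], [], 0, 0x811C9DC5
    for b in data:
        window.append(b)
        if len(window) > 7:
            roll -= window.pop(0)
        roll += b
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF      # FNV-1a over the current chunk
        if roll % block_size == block_size - 1:        # context trigger: chunk boundary
            sig.append(B64[h & 63])
            h = 0x811C9DC5
    sig.append(B64[h & 63])                            # flush the trailing chunk
    return f"{block_size}:{''.join(sig)}"

def similarity(h1: str, h2: str) -> int:
    """0-100 score from signature alignment (real tools use a weighted edit distance).
    Signatures built with different block sizes are not comparable and score 0."""
    bs1, s1 = h1.split(":", 1)
    bs2, s2 = h2.split(":", 1)
    if bs1 != bs2:
        return 0
    return round(100 * SequenceMatcher(None, s1, s2).ratio())

def detect_variants(candidate: bytes, corpus: dict, threshold: int = 50) -> list:
    """Known samples whose signature matches the candidate at or above threshold."""
    ch = fuzzy_hash(candidate)
    hits = [(name, similarity(ch, sig)) for name, sig in corpus.items()]
    return sorted([(n, s) for n, s in hits if s >= threshold], key=lambda x: -x[1])

def _constructed_sample(seed: int, n: int = 4096) -> bytes:
    """Constructed stand-in for a binary: deterministic pseudo-random bytes, not malware."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))

KNOWN_SAMPLE = _constructed_sample(1)
# Constructed "variant": same bytes with a patched region and an appended section.
VARIANT = KNOWN_SAMPLE[:1000] + bytes(range(100)) + KNOWN_SAMPLE[1100:] + _constructed_sample(7, 200)
UNRELATED = _constructed_sample(2)
CORPUS = {"known_sample_A": fuzzy_hash(KNOWN_SAMPLE)}   # hypothetical corpus entry

if __name__ == "__main__":
    for name, score in detect_variants(VARIANT, CORPUS):
        print(f"{name}: similarity {score}")
```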
