Ransomware Network Traffic Analysis for Pre-encryption Alert

Cyber security researchers are in an ongoing battle against ransomware. Many campaigns begin with social engineering to install a payload on the victim's computer, followed by communication with command and control servers for data exchange. To reduce the impact of these attacks and prevent permanent data loss, researchers need a clear picture of how such intrusions unfold. As a contribution to this arms race against malware, we propose in this paper an analysis of various ransomware families based on the system and network logs collected from an infected computer. We examine the malicious network traffic generated by these samples in order to perform packet-level detection. Our goal is to reconstruct the full activity of the ransomware and to check whether its network communication is distinguishable from benign traffic. We then examine whether the first packet the ransomware sends occurs before the data is encrypted, in which case it can alert administrators in time, or only afterwards. We aim to define the first occurrence of an alert raised by malicious network traffic and where it takes place in the ransomware workflow. The collected logs are available at http://serveur2.seres.rennes.telecom-bretagne.eu/data/RansomwareData/.
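As an added example (not code from the paper, and not its dataset), the following Python script performs the timeline check the abstract describes: it reads a packet-summary log and a file-system event log, flags the first DNS query or outbound connection to a destination outside an allowlist, flags the first file write with near-maximal byte entropy or rename to an unknown extension, and reports by how many seconds the network alert precedes (positive) or trails (negative) the start of encryption. The log formats, the allowlists, the 7.9 bits/byte entropy threshold and all sample lines are constructed assumptions for illustration.

```python
"""Timeline check: does the first suspicious outbound packet precede the first
encryption event on the host?  Added example with constructed logs and
heuristics; it is not the paper's code or dataset."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed packet-summary log: "<ts> <proto> <src> <dst> <dport> <bytes> [q=<dns name>]".
# 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges used as stand-ins.
NET_LOG = """\
2019-03-01T10:00:01 DNS 10.0.0.5 10.0.0.1 53 64 q=update.example.com
2019-03-01T10:00:03 TCP 10.0.0.5 192.0.2.20 443 1200
2019-03-01T10:02:10 DNS 10.0.0.5 10.0.0.1 53 71 q=xk3f9q2l.example.net
2019-03-01T10:02:11 TCP 10.0.0.5 203.0.113.10 80 512
2019-03-01T10:02:12 TCP 10.0.0.5 203.0.113.10 80 4096
2019-03-01T10:03:40 TCP 10.0.0.5 203.0.113.10 80 300
"""

# Constructed file-system event log: "<ts> WRITE <path> <entropy bits/byte>" or
# "<ts> RENAME <old path> <new path>".  Paths contain no spaces, so split() suffices.
SYS_LOG = """\
2019-03-01T10:00:00 WRITE C:\\Users\\a\\report.docx 4.10
2019-03-01T10:02:30 WRITE C:\\Users\\a\\report.docx 7.98
2019-03-01T10:02:31 RENAME C:\\Users\\a\\report.docx C:\\Users\\a\\report.docx.locked
2019-03-01T10:02:33 WRITE C:\\Users\\a\\budget.xlsx 7.97
"""

# Assumed allowlists and thresholds.  In practice these come from a benign
# baseline captured on the same host, not from a hard-coded set.
KNOWN_DOMAINS = {"update.example.com"}
KNOWN_HOSTS = {"10.0.0.1", "192.0.2.20"}
BENIGN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}
ENTROPY_THRESHOLD = 7.9  # ciphertext sits close to the 8.0 bits/byte maximum


@dataclass
class NetEvent:
    ts: datetime
    proto: str
    dst: str
    dport: int
    nbytes: int
    query: Optional[str]  # DNS name for DNS packets, else None


@dataclass
class FsEvent:
    ts: datetime
    op: str
    path: str
    entropy: Optional[float]  # WRITE only
    new_path: Optional[str]   # RENAME only


def parse_net_log(text: str) -> List[NetEvent]:
    events = []
    for line in text.splitlines():
        ts, proto, _src, dst, dport, nbytes, *extra = line.split()
        query = next((t[2:] for t in extra if t.startswith("q=")), None)
        events.append(NetEvent(datetime.fromisoformat(ts), proto, dst, int(dport), int(nbytes), query))
    return events


def parse_sys_log(text: str) -> List[FsEvent]:
    events = []
    for line in text.splitlines():
        ts, op, path, *rest = line.split()
        entropy = float(rest[0]) if op == "WRITE" else None
        new_path = rest[0] if op == "RENAME" else None
        events.append(FsEvent(datetime.fromisoformat(ts), op, path, entropy, new_path))
    return events


def is_suspicious(ev: NetEvent) -> bool:
    """Packet-level rule: DNS name or destination host not seen in the benign baseline."""
    if ev.proto == "DNS":
        return ev.query is not None and ev.query not in KNOWN_DOMAINS
    return ev.dst not in KNOWN_HOSTS


def is_encryption(ev: FsEvent) -> bool:
    """Host-level rule: high-entropy overwrite, or rename to an extension we do not know."""
    if ev.op == "WRITE":
        return ev.entropy is not None and ev.entropy >= ENTROPY_THRESHOLD
    if ev.op == "RENAME" and ev.new_path:
        ext = "." + ev.new_path.rsplit(".", 1)[-1].lower()
        return ext not in BENIGN_EXTENSIONS
    return False


def first_network_alert(events: List[NetEvent]) -> Optional[NetEvent]:
    return next((e for e in sorted(events, key=lambda e: e.ts) if is_suspicious(e)), None)


def first_encryption_event(events: List[FsEvent]) -> Optional[FsEvent]:
    return next((e for e in sorted(events, key=lambda e: e.ts) if is_encryption(e)), None)


def alert_lead_seconds(net_text: str, sys_text: str) -> Optional[float]:
    """Seconds by which the first network alert precedes the first encryption event.
    Positive: the alert is pre-encryption.  Negative: it fires too late.  None: no event."""
    alert = first_network_alert(parse_net_log(net_text))
    enc = first_encryption_event(parse_sys_log(sys_text))
    if alert is None or enc is None:
        return None
    return (enc.ts - alert.ts).total_seconds()


if __name__ == "__main__":
    lead = alert_lead_seconds(NET_LOG, SYS_LOG)
    alert = first_network_alert(parse_net_log(NET_LOG))
    print(f"first network alert: {alert.ts.isoformat()} ({alert.proto} {alert.query or alert.dst})")
    print(f"alert leads encryption by {lead} s")
```

The sign of the lead time is the quantity the abstract is after: a positive value means a network-based alert could have reached administrators before the first file was overwritten; a negative or missing value means the sample must be caught on the host instead. When running this against real captures, derive the allowlists from a clean baseline of the same machine, since any unknown but legitimate destination will otherwise produce an early false alert.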

[1] Karim Ganame et al. Network Behavioral Analysis for Zero-Day Malware Detection - A Case Study, 2017, ISDDC.

[2] Mohsen Guizani et al. The rise of ransomware and emerging security challenges in the Internet of Things, 2017, Comput. Networks.

[3] Dimitris Kanellopoulos et al. Data Preprocessing for Supervised Learning, 2007.

[4] Amutha Prabakar Muniyandi et al. Network Anomaly Detection by Cascading K-Means Clustering and C4.5 Decision Tree algorithm, 2012.

[5] Krzysztof Cabaj et al. Network activity analysis of CryptoWall ransomware, 2015.

[6] Ali Dehghantanha et al. Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection, 2018, arXiv.

[7] Patrick Traynor et al. CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data, 2016, IEEE 36th International Conference on Distributed Computing Systems (ICDCS).

[8] Michael P. Wellman et al. Towards the Science of Security and Privacy in Machine Learning, 2016, arXiv.

[9] Aditya P. Mathur et al. A Survey of Malware Detection Techniques, 2007.

[10] Mohiuddin Ahmed et al. A survey of network anomaly detection techniques, 2016, J. Netw. Comput. Appl.

[11] Jean-Marc Robert et al. An Efficient Approach to Detect TorrentLocker Ransomware in Computer Systems, 2016, CANS.

[12] Harshada U. Salvi. Ransomware: A Cyber Extortion, 2016.

[13] Gabriele Lenzini et al. Next Generation Cryptographic Ransomware, 2018, NordSec.

[14] Bander Ali Saleh Al-rimy et al. Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions, 2018, Comput. Secur.

[15] Leyla Bilge et al. Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, 2015, DIMVA.

[16] Pedro García-Teodoro et al. R-Locker: Thwarting ransomware action through a honeyfile-based approach, 2018, Comput. Secur.

[17] Lalu Banoth et al. A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection, 2017.

[18] Zhi Xu et al. Machine Learning in Cyber-Security - Problems, Challenges and Data Sets, 2018, arXiv.

[19] Alessandro Barenghi et al. ShieldFS: a self-healing, ransomware-aware filesystem, 2016, ACSAC.

[20] Engin Kirda et al. UNVEIL: A large-scale, automated approach to detecting ransomware (keynote), 2016, SANER.

[21] Yu Yang et al. Automated Detection and Analysis for Android Ransomware, 2015, IEEE 17th International Conference on High Performance Computing and Communications, IEEE 7th International Symposium on Cyberspace Safety and Security, and IEEE 12th International Conference on Embedded Software and Systems (HPCC/CSS/ICESS).

[22] Vern Paxson et al. Outside the Closed World: On Using Machine Learning for Network Intrusion Detection, 2010, IEEE Symposium on Security and Privacy.

[23] Adam L. Young et al. An Implementation of Cryptoviral Extortion Using Microsoft's Crypto API, 2006.

[24] Gianluca Stringhini et al. PayBreak: Defense Against Cryptographic Ransomware, 2017, AsiaCCS.

[25] Routa Moussaileb et al. Ransomware's Early Mitigation Mechanisms, 2018, ARES.

[26] A. Malathi et al. A Detailed Analysis on NSL-KDD Dataset Using Various Machine Learning Techniques for Intrusion Detection, 2013.

[27] Jean-Louis Lanet et al. Data Aware Defense (DaD): Towards a Generic and Practical Ransomware Countermeasure, 2017, NordSec.

[28] Ali Dehghantanha et al. Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence, 2018, IEEE Transactions on Emerging Topics in Computing.

[29] Toshima Singh. Evolving Threat Agents: Ransomware and their Variants, 2017.

[30] Sung-Ryul Kim et al. Automatic Ransomware Detection and Analysis Based on Dynamic API Calls Flow Graph, 2017, RACS.

[31] Wojciech Mazurczyk et al. Software-Defined Networking-based Crypto Ransomware Detection Using HTTP Traffic Characteristics, 2016, Comput. Electr. Eng.

[32] Daniele Sgandurra et al. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection, 2016, arXiv.