Software-Defined Networking-based Crypto Ransomware Detection Using HTTP Traffic Characteristics

Abstract Ransomware is currently one of the key threats facing individuals and corporate Internet users. Especially dangerous is crypto ransomware that encrypts important user data, and it is only possible to recover it once a ransom has been paid. Therefore, devising efficient and effective countermeasures is a pressing necessity. In this paper we present a novel Software-Defined Networking (SDN) based detection approach that utilizes the characteristics of the ransomware communication. Based on an observation of network communication between two crypto ransomware families, namely CryptoWall and Locky, we conclude that an analysis of the HTTP message sequences and their respective content sizes is enough to detect such threats. We show the feasibility of our approach by designing and evaluating a proof-of-concept SDN-based detection system. The experimental results confirm that the proposed approach is feasible and efficient.

[1]  Syed Ali Khayam,et al.  Revisiting Traffic Anomaly Detection Using Software Defined Networking , 2011, RAID.

[2]  Leyla Bilge,et al.  Automatically Generating Models for Botnet Detection , 2009, ESORICS.

[3]  Aditya P. Mathur,et al.  A Survey of Malware Detection Techniques , 2007 .

[4]  Kpatcha M. Bayarou,et al.  OrchSec: An orchestrator-based architecture for enhancing network-security using Network Monitoring and SDN Control functions , 2014, 2014 IEEE Network Operations and Management Symposium (NOMS).

[5]  Martin Rehák,et al.  Malware detection using HTTP user-agent discrepancy identification , 2014, 2014 IEEE International Workshop on Information Forensics and Security (WIFS).

[6]  Sakir Sezer,et al.  Evolution of ransomware , 2018, IET Networks.

[7]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[8]  Lisandro Zambenedetti Granville,et al.  MARS: An SDN-based malware analysis solution , 2016, 2016 IEEE Symposium on Computers and Communication (ISCC).

[9]  Daniele Sgandurra,et al.  Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection , 2016, ArXiv.

[10]  Nizar Kheir,et al.  Analyzing HTTP User Agent Anomalies for Malware Detection , 2012, DPM/SETOP.

[11]  Christian Rossow,et al.  ProVeX: Detecting Botnets with Encrypted Command and Control Channels , 2013, DIMVA.

[12]  Christopher Krügel,et al.  Scalable, Behavior-Based Malware Clustering , 2009, NDSS.

[13]  Fernando M. V. Ramos,et al.  Software-Defined Networking: A Comprehensive Survey , 2014, Proceedings of the IEEE.

[14]  Leyla Bilge,et al.  Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks , 2015, DIMVA.

[15]  Nick Feamster,et al.  Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces , 2010, NSDI.

[16]  Nicolo Andronio Heldroid: Fast and Efficient Linguistic-Based Ransomware Detection , 2015 .

[17]  Bing Wang,et al.  Malware Detection for Mobile Devices Using Software-Defined Networking , 2013, 2013 Second GENI Research and Educational Experiment Workshop.

[18]  Wojciech Mazurczyk,et al.  Security--A Perpetual War: Lessons from Nature , 2015, IT Professional.

[19]  Christopher Krügel,et al.  JACKSTRAWS: Picking Command and Control Connections from Bot Traffic , 2011, USENIX Security Symposium.

[20]  Guofei Gu,et al.  CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide security monitoring as a service in clouds?) , 2012, 2012 20th IEEE International Conference on Network Protocols (ICNP).

[21]  Ananthram Swami,et al.  Malware traffic detection using tamper resistant features , 2015, MILCOM 2015 - 2015 IEEE Military Communications Conference.

[22]  Zhuoqing Morley Mao,et al.  Automated Classification and Analysis of Internet Malware , 2007, RAID.

[23]  Krzysztof Cabaj,et al.  Network activity analysis of CryptoWall ransomware , 2015 .

[24]  Wojciech Mazurczyk,et al.  Using Software-Defined Networking for Ransomware Mitigation: The Case of CryptoWall , 2016, IEEE Network.

[25]  Adam Tofilski,et al.  Preemptive Defensive Self‐Sacrifice by Ant Workers , 2008, The American Naturalist.

[26]  Konrad Rieck,et al.  Botzilla: detecting the "phoning home" of malicious software , 2010, SAC '10.

[27]  Patrick Traynor,et al.  CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data , 2016, 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS).