论文信息 - Discriminating Unknown Software Using Distance Model

Discriminating Unknown Software Using Distance Model

Crypto-ransomware is a class of malware that encrypt their victim’s data and only return the decryption key in exchange for a ransom. In a previous work, we have yet designed a solution able to detect any ciphering of files using statistical estimator. Once detected, a pop up requests the user to verify if that operation is allowed on not. To improve our tool, automation is needed. In this paper, an anomaly detection mechanism to determine if a suspected group of threads is an authorized cryptographic software or a malicious code is presented. The effectiveness of our solution to correctly distinguish between valid programs and ransomware is evaluated using a string analysis. The tf-idf metric is used to choose the most pertinent features. The distance of a candidate software with a vector representing the allowed cryptographic software is measured. If the distance exceeds a threshold, the suspected process is flagged as a ransomware. We have evaluated our approach with the samples provided by open databases and executed on our bare metal platform.

[1] Marius Gheorghescu. AN AUTOMATED VIRUS CLASSIFICATION SYSTEM , 2006 .

[2] Bhavani M. Thuraisingham,et al. A scalable multi-level feature extraction technique to detect malicious executables , 2007, Inf. Syst. Frontiers.

[3] Yoseba K. Penya,et al. Idea: Opcode-Sequence-Based Malware Detection , 2010, ESSoS.

[4] Jean-Louis Lanet,et al. Data Aware Defense (DaD): Towards a Generic and Practical Ransomware Countermeasure , 2017, NordSec.

[5] Keith Marzullo,et al. Analysis of Computer Intrusions Using Sequences of Function Calls , 2007, IEEE Transactions on Dependable and Secure Computing.

[6] William W. Cohen. Learning Trees and Rules with Set-Valued Features , 1996, AAAI/IAAI, Vol. 1.

[7] Moti Yung,et al. Cryptovirology: extortion-based security threats and countermeasures , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[8] Salvatore J. Stolfo,et al. Data mining methods for detection of new malicious executables , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[9] Min Zhao,et al. SBMDS: an interpretable string based malware detection system using SVM ensemble with bagging , 2009, Journal in Computer Virology.

[10] Aurélien Palisse. Analyse et détection de logiciels de rançon , 2019 .