Ransomware

The experts below are selected from a list of 2190 experts worldwide ranked by the ideXlab platform.

Wojciech Mazurczyk - One of the best experts on this subject based on the ideXlab platform.

  • Software-Defined Networking-Based Crypto-Ransomware Detection Using HTTP Traffic Characteristics
    2017
    Co-Authors: Krzysztof Cabaj, Marcin Gregorczyk, Wojciech Mazurczyk
    Abstract:

    Ransomware is currently one of the key threats facing individuals and corporate Internet users. Especially dangerous is crypto ransomware that encrypts important user data, and it is only possible to recover it once a ransom has been paid. Therefore, devising efficient and effective countermeasures is a pressing necessity. In this paper we present a novel Software-Defined Networking (SDN) based detection approach that utilizes the characteristics of the ransomware communication. Based on an observation of network communication between two crypto ransomware families, namely CryptoWall and Locky, we conclude that an analysis of the HTTP message sequences and their respective content sizes is enough to detect such threats. We show the feasibility of our approach by designing and evaluating a proof-of-concept SDN-based detection system. The experimental results confirm that the proposed approach is feasible and efficient.

  • Using Software-Defined Networking for Ransomware Mitigation: The Case of CryptoWall
    2016
    Co-Authors: Krzysztof Cabaj, Wojciech Mazurczyk
    Abstract:

    Currently, different forms of ransomware are increasingly threatening Internet users. Modern ransomware encrypts important user data, and it is only possible to recover it once a ransom has been paid. In this paper we show how Software-Defined Networking (SDN) can be utilized to improve ransomware mitigation. In more detail, we analyze the behavior of popular ransomware, CryptoWall, and, based on this knowledge, we propose two real-time mitigation methods. Then we design the SDN-based system, implemented using OpenFlow, which facilitates a timely reaction to this threat, which is a crucial factor in the case of crypto ransomware. What is important is that such a design does not significantly affect overall network performance. Experimental results confirm that the proposed approach is feasible and efficient.

Raouf Khayami - One of the best experts on this subject based on the ideXlab platform.

  • Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence
    2020
    Co-Authors: Sajad Homayoun, Ali Dehghantanha, Marzieh Ahmadzadeh, Sattar Hashemi, Raouf Khayami
    Abstract:

    The emergence of crypto-ransomware has significantly changed the cyber threat landscape. A crypto ransomware removes data custodian access by encrypting valuable data on victims' computers and requests a ransom payment to re-instantiate custodian access by decrypting the data. Timely detection of ransomware very much depends on how quickly and accurately system logs can be mined to hunt abnormalities and stop the evil. In this paper we first set up an environment to collect activity logs of 517 Locky ransomware samples, 535 Cerber ransomware samples and 572 samples of TeslaCrypt ransomware. We utilize Sequential Pattern Mining to find Maximal Frequent Patterns (MFP) of activities within different ransomware families as candidate features for classification using J48, Random Forest, Bagging and MLP algorithms. We could achieve 99 percent accuracy in detecting ransomware instances from goodware samples and 96.5 percent accuracy in detecting the family of a given ransomware sample. Our results indicate the usefulness and practicality of applying pattern mining techniques in the detection of good features for ransomware hunting. Moreover, we showed the existence of distinctive frequent patterns within different ransomware families which can be used for identification of a ransomware sample's family, for building intelligence about threat actors and the threat profile of a given target.

  • DRTHIS: Deep Ransomware Threat Hunting and Intelligence System at the Fog Layer
    2019
    Co-Authors: Sajad Homayoun, Ali Dehghantanha, Marzieh Ahmadzadeh, Sattar Hashemi, Raouf Khayami, Kimkwang Raymond Choo, David Ellis Newton
    Abstract:

    Ransomware, a malware designed to encrypt data for ransom payments, is a potential threat to fog layer nodes, as such nodes typically contain a considerable amount of sensitive data. The capability to efficiently hunt abnormalities relating to ransomware activities is crucial in the timely detection of ransomware. In this paper, we present our Deep Ransomware Threat Hunting and Intelligence System (DRTHIS) to distinguish ransomware from goodware and identify its families. Specifically, DRTHIS utilizes Long Short-Term Memory (LSTM) and Convolutional Neural Network (CNN), two deep learning techniques, for classification using the softmax algorithm. We then use 220 Locky, 220 Cerber and 220 TeslaCrypt ransomware samples, and 219 goodware samples, to train DRTHIS. In our evaluations, DRTHIS achieves an F-measure of 99.6% with a true positive rate of 97.2% in the classification of ransomware instances. Additionally, we demonstrate that DRTHIS is capable of detecting previously unseen ransomware samples from new ransomware families in a timely and accurate manner using ransomware from the CryptoWall, TorrentLocker and Sage families. The findings show that 99% of CryptoWall samples, 75% of TorrentLocker samples and 92% of Sage samples are correctly classified.

Fabio Martinelli - One of the best experts on this subject based on the ideXlab platform.

  • Classification of Ransomware Families with Machine Learning Based on N-gram of Opcodes
    2019
    Co-Authors: Francesco Mercaldo, Fabio Martinelli, Hanqi Zhang, Xi Xiao, Arun Kumar Sangaiah
    Abstract:

    Ransomware is a special type of malware that can lock victims' screens and/or encrypt their files to obtain ransoms, resulting in great damage to users. Mapping ransomware into families is useful for identifying the variants of a known ransomware sample and for reducing analysts' workload. However, ransomware that can fingerprint the environment can evade the precious work of dynamic analysis. To the best of our knowledge, to overcome this shortcoming, we are the first to propose an approach based on static analysis to classify ransomware. First, opcode sequences from ransomware samples are transformed into N-gram sequences. Then, Term Frequency-Inverse Document Frequency (TF-IDF) is calculated for each N-gram to select feature N-grams, so that these N-grams exhibit better discrimination between families. Finally, we treat the vectors composed of the TF values of the feature N-grams as the feature vectors and subsequently feed them to five machine-learning methods to perform ransomware classification. Six evaluation criteria are employed to validate the model. Thorough experiments performed using real datasets demonstrate that our approach can achieve a best accuracy of 91.43%. Furthermore, the average F1-measure of the "wannacry" ransomware family is up to 99%, and the accuracy of binary classification is up to 99.3%. The proposed method can detect and classify ransomware that can fingerprint the environment. In addition, we discover that different feature dimensions are required for achieving similar classifier performance with feature N-grams of diverse lengths.

  • Extinguishing Ransomware - A Hybrid Approach to Android Ransomware Detection
    2018
    Co-Authors: Alberto Ferrante, Francesco Mercaldo, Miroslaw Malek, Fabio Martinelli, Jelena Milosevic
    Abstract:

    Mobile ransomware is on the rise, and effective defense from it is of utmost importance to guarantee the security of mobile users' data. Current solutions provided by antimalware vendors are signature-based and thus ineffective in removing ransomware and restoring the infected devices and files. Also, the current state-of-the-art literature offers very few solutions for effectively detecting and blocking mobile ransomware. Starting from these considerations, we propose a hybrid method able to effectively counter ransomware. The proposed method first examines applications to be used on a device prior to their installation (static approach) and then observes their behavior at runtime and identifies if the system is under attack (dynamic approach). To detect ransomware, the static detection method uses the frequency of opcodes, while the dynamic detection method considers CPU usage, memory usage, network usage and system call statistics. We evaluate the performance of our hybrid detection method on a dataset that contains both ransomware and legitimate applications. Additionally, we evaluate the performance of the static and dynamic stand-alone methods for comparison. Our results show that although both static and dynamic detection methods perform well in detecting ransomware, their combination in the form of a hybrid method performs best, being able to detect ransomware with 100% precision and having a false positive rate of less than 4%.

  • R-PackDroid: API Package-Based Characterization and Detection of Mobile Ransomware
    2017
    Co-Authors: Davide Maiorca, Francesco Mercaldo, Corrado Aaron Visaggio, Giorgio Giacinto, Fabio Martinelli
    Abstract:

    Ransomware has become a serious and concrete threat for mobile platforms, and in particular for Android. In this paper, we propose R-PackDroid, a machine learning system for the detection of Android ransomware. Differently from previous works, we leverage information extracted from system API packages, which allows us to characterize applications without specific knowledge of user-defined content such as the application language or strings. Results attained on very recent data show that it is possible to detect Android ransomware and to distinguish it from generic malware with very high accuracy. Moreover, we used R-PackDroid to flag applications that were detected as ransomware with very low confidence by the VirusTotal service. In this way, we were able to correctly distinguish true ransomware from false positives, thus providing valuable help for the analysis of these malicious applications.

Syed Zainuddin Mohd Shaid - One of the best experts on this subject based on the ideXlab platform.

  • Ransomware Threat Success Factors, Taxonomy, and Countermeasures
    2018
    Co-Authors: Bander Ali Saleh Alrimy, Mohd Aizaini Maarof, Syed Zainuddin Mohd Shaid
    Abstract:

    The paper surveys state-of-the-art studies on ransomware analysis, detection, and prediction. The work describes the enabling technologies and factors that contribute to successful ransomware attacks. The paper proposes a general taxonomy for the different ransomware types from different perspectives. The study presents open issues and future research directions on ransomware analysis, detection and prediction. The proposed taxonomy classifies ransomware from three perspectives: severity based, platform based, and target based.

    Ransomware is a malware category that exploits security mechanisms such as cryptography in order to hijack user files and related resources and demands money in exchange for the locked data. Therefore, ransomware has become a lucrative business that has gained increasing popularity among attackers. Unlike traditional malware, even after removal, ransomware's effect is irreversible and difficult to mitigate without the help of its creator. In addition to the downtime costs and the money that individuals and business entities could pay as a ransom, those victims could incur other damage such as loss of data, reputation, and life. To date, several studies have been conducted to address this unique, challenging threat and have tried to provide detection and prevention solutions. However, there is a lack of survey articles that explore the research endeavors in ransomware and highlight the challenges and issues faced by existing solutions. This survey fills the gap and provides a holistic state-of-the-art review of the research on ransomware and its detection and prevention techniques. The survey puts forward a novel ransomware taxonomy from several perspectives. It then elaborates on the factors that lead to a successful ransomware attack before discussing in detail the research into counteracting ransomware, including analysis, prevention, detection and prediction solutions. The survey concludes with a brief discussion on the open issues and potential research directions in the near future.

  • A 0-Day Aware Crypto-Ransomware Early Behavioral Detection Framework
    2018
    Co-Authors: Bander Ali Saleh Al-rimy, Mohd Aizaini Maarof, Syed Zainuddin Mohd Shaid
    Abstract:

    Crypto-ransomware exploits cryptography to hijack personal files and documents and hold them to ransom. Utilizing such a technological leap, crypto-ransomware targets a wide range of systems and platforms. Although many users, whether individuals or organizations, practice proactive security procedures like regular backup, advanced crypto-ransomware can bypass these countermeasures, rendering the valuable data vulnerable to such extortion attacks. Due to the irreversible nature of its damage, thwarting crypto-ransomware becomes challenging. Although several studies have been conducted to tackle the crypto-ransomware detection problem, most of them dealt with it from a malware perspective. Such an approach has been deemed ineffective given the unique characteristics that distinguish this attack, which necessitate early discovery before encryption takes place. To this end, this paper puts forward an efficient and effective framework for building crypto-ransomware early detection models that protect users, whether individuals or organizations, from being victimized by such an attack.

Sajad Homayoun - One of the best experts on this subject based on the ideXlab platform.

  • Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence
    2020
    Co-Authors: Sajad Homayoun, Ali Dehghantanha, Marzieh Ahmadzadeh, Sattar Hashemi, Raouf Khayami

  • DRTHIS: Deep Ransomware Threat Hunting and Intelligence System at the Fog Layer
    2019
    Co-Authors: Sajad Homayoun, Ali Dehghantanha, Marzieh Ahmadzadeh, Sattar Hashemi, Raouf Khayami, Kimkwang Raymond Choo, David Ellis Newton