2entFOX: A framework for high survivable ransomwares detection

Ahmadian, Mohammad; Shahriari, Hamid Reza

doi:10.1109/iscisc.2016.7736455

Cited by 46 publications

(23 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Monitoring network events may reveal connections to Command & Control Servers, intercepted network packets could leak information such as encryption keys, and logs could reveal behaviour that is different to baseline activity. As an example, [29] and [13] detect ransomware that uses domain generation algorithms (DGAs) by monitoring DNS traffic to apply Markov Chains and behavioural-based detection features.…”

Section: Detectionmentioning

confidence: 99%

A Roadmap for Improving the Impact of Anti-ransomware Research

Pont

Oun

Brierley

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

Section: Detectionmentioning

confidence: 99%

A Roadmap for Improving the Impact of Anti-ransomware Research

Pont

Oun

Brierley

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Most ransomwares detection solutions are relying on filesystem [35]- [37] and registry events [38] to identify malicious behaviors. Investigation of 1359 ransomware samples showed that majority of ransomware samples are using similar APIs and generating similar logs of filesystem activities [36].…”

Section: Related Workmentioning

confidence: 99%

“…Investigation of 1359 ransomware samples showed that majority of ransomware samples are using similar APIs and generating similar logs of filesystem activities [36]. For example, using 20 types of filesystem and registry events as features of a Bayesian Network model against 20 Windows ransomware samples resulted to an accurate ransomware detection with F-Measure of 0.93 [38]. UNVEIL [36] as a rasnsomware classification system utilized filesystem events to distinguish 13,637 ransomwares from a dataset of 148,223 malware samples with accuracy of 96.3%.…”

Section: Related Workmentioning

confidence: 99%

Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence

Homayoun

Dehghantanha

Ahmadzadeh

et al. 2020

IEEE Trans. Emerg. Topics Comput.

130

View full text Add to dashboard Cite

Abstract-Emergence of crypto-ransomware has significantly changed the cyber threat landscape. A crypto ransomware removes data custodian access by encrypting valuable data on victims' computers and requests a ransom payment to reinstantiate custodian access by decrypting data. Timely detection of ransomware very much depends on how quickly and accurately system logs can be mined to hunt abnormalities and stop the evil. In this paper we first setup an environment to collect activity logs of 517 Locky ransomware samples, 535 Cerber ransomware samples and 572 samples of TeslaCrypt ransomware. We utilize Sequential Pattern Mining to find Maximal Frequent Patterns (MFP) of activities within different ransomware families as candidate features for classification using J48, Random Forest, Bagging and MLP algorithms. We could achieve 99% accuracy in detecting ransomware instances from goodware samples and 96.5% accuracy in detecting family of a given ransomware sample. Our results indicate usefulness and practicality of applying pattern mining techniques in detection of good features for ransomware hunting. Moreover, we showed existence of distinctive frequent patterns within different ransomware families which can be used for identification of a ransomware sample family for building intelligence about threat actors and threat profile of a given target.

show abstract

“…It focuses on the observation of three elements, namely, I/O data buffer entropy, access patterns and file system activities [1]. Moreover, some others are type-specific solutions that deal with only one type, such as cryptoransomware [21][22][23][24][25]. For example, Scaife presented an earlywarning detection system that alerts users during suspicious file activities [21].…”

Section: Background and Related Workmentioning

confidence: 99%

Automatically Traceback RDP‐Based Targeted Ransomware Attacks

Wang

Liu

Qiu

et al. 2018

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

While various ransomware defense systems have been proposed to deal with traditional randomly-spread ransomware attacks (based on their unique high-noisy behaviors at hosts and on networks), none of them considered ransomware attacks precisely aiming at specific hosts, e.g., using the common Remote Desktop Protocol (RDP). To address this problem, we propose a systematic method to fight such specifically targeted ransomware by trapping attackers via a network deception environment and then using traceback techniques to identify attack sources. In particular, we developed various monitors in the proposed deception environment to gather traceable clues about attackers, and we further design an analysis system that automatically extracts and analyze the collected clues. Our evaluations show that the proposed method can trap the adversary in the deception environment and significantly improve the efficiency of clue analysis. Furthermore, it also helps us trace back RDP-based ransomware attackers and ransomware makers in the practical applications.

show abstract

2entFOX: A framework for high survivable ransomwares detection

Cited by 46 publications

References 3 publications

A Roadmap for Improving the Impact of Anti-ransomware Research

A Roadmap for Improving the Impact of Anti-ransomware Research

Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence

Automatically Traceback RDP‐Based Targeted Ransomware Attacks

Contact Info

Product

Resources

About