Intrusion and ransomware detection system

El-Kosairy, Ahmed; Azer, Marianne A.

doi:10.1109/cais.2018.8471688

Cited by 24 publications

(21 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, shared folders with other devices, a web server, a fake memory partition, a file and e-mail or pictures as tokens. These traps were trialled against six types of ransomware, including CryptoWall, which was run 50 times on the device and for which a 100% detection rate was achieved [21]. In other words, these solutions are based on the creation of a sample that is not used by the network or its clients, and thus any attempt to reach it can reasonably be considered suspicious.…”

Section: Problem Statementmentioning

confidence: 99%

“…In fact, the honeypot approach may be an effective and straightforward solution to implement, whether at the network level using systems to act as traps, as suggested in [21], or at the level of devices, as suggested in [20], by using files to act as traps. The effectiveness and privilege of this approach lies in its ease of implementation and its ability to detect unknown threats.…”

Section: Problem Statementmentioning

confidence: 99%

See 1 more Smart Citation

SDN-Based Detection of Self-Propagating Ransomware: The Case of BadRabbit

Al-Otaibi

2021

IEEE Access

View full text Add to dashboard Cite

In the last decade, many ransomware attacks had the ability to spread within local networks or even outside them. At the same time, software defined networking (SDN) has provided a major boost to networks by transferring intelligence from network devices to a programmable logically centralised controller. The latter can be programmed to be compatible with the requirements of a wide range of networks and environments in a straightforward manner. This has motivated researchers to design SDNbased security solutions against threats targeting traditional networks and systems. This paper investigates the use of SDN to detect and mitigate the risk of self-propagating ransomware. The infamous BadRabbit ransomware has been used for the proof of concept. To achieve this, an extensive analysis of BadRabbit was performed to identify its characteristics and understand its behaviour at both the infected device level and at the network level. As a result, several unique artifacts were extracted from BadRabbit, which could facilitate its detection. These artifacts were relied upon to design an SDN-based intrusion detection and prevention system. Our system comprises five modules, namely deep packet inspection, ARP scanning detection, packet header inspection, honeypot, and SMB checker. The first two modules have been inspired by other works and have been included for comparison with the existing solutions. Three other modules rely on novel SDN-based methods for ransomware detection. We have also evaluated the efficiency and the performance of our system in terms of detection time, CPU utilisation, as well as TCP and ping latency. Finally, the proposed approach has also been tested for other ransomware families, such as WannaCry and NotPetya. Our experimental results show that the system is effective in terms of detecting self-propagating ransomware and outperforms other proposed approaches. INDEX TERMS Self-propagating ransomware, intrusion detection and prevention, SDN security, BadRabbit detection.

show abstract

Section: Problem Statementmentioning

confidence: 99%

Section: Problem Statementmentioning

confidence: 99%

SDN-Based Detection of Self-Propagating Ransomware: The Case of BadRabbit

Al-Otaibi

2021

IEEE Access

View full text Add to dashboard Cite

show abstract

“…• Two types of decoy files exist Low and High Interaction. Low interaction decoy files contain arbitrary data to detect ransomware's actions on the documents, whereas high interaction decoy files contain false information to confuse the attacker and lead him to further deception mechanisms implemented on the system [16]. The latter is used in the use case since Doxware tackles the content of files.…”

Section: Honeypot Key Elementsmentioning

confidence: 99%

Watch out! Doxware on the way…

Moussaileb

Navas

Cuppens

2020

Journal of Information Security and Applications

View full text Add to dashboard Cite

Malware remains the number one threat for individuals, enterprises, and governments. Malware's aftermath can cause irreversible casualties if the requirements of the attackers are not met in time. Security researchers' primary objective is protecting the assets that a person/company possesses. They are in a constant battle in this cyberwar facing attackers' malicious intent. To compete in this arms race against security breaches, we propose an insight into plausible attacks, especially Doxware (also called leakware). We present a quantification model that explores the Windows file system in search of valuable data. It is based on the Term Frequency-Inverse Document Frequency (TF-IDF) solution provided in the literature for information retrieval. The highest-ranked files will be then exfiltrated over the Internet to the attacker's server. Then, we studied possible countermeasures including deceptionbased techniques. Amongst the existent ones, we implemented and tested one based on honeypot files and folders to protect users' assets. We conclude by presenting future perspectives in this area with the possible counter-countermeasures that can be used by an attacker to bypass current detection mechanisms. Our approach delivers an observation of the evolution of malware throughout the last years. It enables users to prevent their sensitive information from being exposed to potential risks.

show abstract

“…Gatecrashers ought to be kept from such maltreatments of assets, and their malicious undertakings counterattacked. Among the least difficult strategies for holding intruders back from compromising servers and associations is the usage of standard security controls, similar to Interruption Anticipation Frameworks (IPS), firewalls, and against contaminations [16].…”

Section: Introductionmentioning

confidence: 99%

Ransomware: A Survey on Various Attacks and Defense Mechanisms

Gomathi¹,

Kumari²

2021

Proceedings of the First International Conference on Combinatorial and Optimization, ICCAP 2021, December 7-8 2021, Chennai, In

View full text Add to dashboard Cite

This paper examines various attacks and the techniques used in ransomware. Ransomware is a form of malicious software (malware) which make an alarm of revealing or denying access to the set of data or computer system, generally by encrypting them, waits till a ransom is paid by victim to the attacker. Ransomware attacks are all around normal nowadays. Cyber offenders attack an organization or a business or an individual those who come from all progress. Besides, a big part of the victims who pay the payment are probably going to experience the ill effects of rehash ransomware attacks, particularly in case it isn't cleaned from the framework. Ransomware was otherwise called "cryptoviral extortion," It is utilized to distinguish the weakness of the objective framework where there is the chance of malware attacks. Cryptowall-a ransomware attacker utilizes the methods ahead of time to penetrate PCs without knowing the person in question. The pernicious programming enters the PC by means of spam messages. Attackers have evolved progressively more innovative over time to time, demanding upgrades that are extremely impossible to track, which aids cybercriminals stay anonymous. In this paper, we look at the overall outline of various attacks and talked about the crypto-ware malware methodologies.

show abstract

Intrusion and ransomware detection system

Cited by 24 publications

References 6 publications

SDN-Based Detection of Self-Propagating Ransomware: The Case of BadRabbit

SDN-Based Detection of Self-Propagating Ransomware: The Case of BadRabbit

Watch out! Doxware on the way…

Ransomware: A Survey on Various Attacks and Defense Mechanisms

Contact Info

Product

Resources

About