Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence

Homayoun, Sajad; Dehghantanha, Ali; Ahmadzadeh, Marzieh; Hashemi, Sattar; Khayami, Raouf

doi:10.1109/tetc.2017.2756908

Cited by 118 publications

(83 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moreover, the time constraint is also due to the encryption process involved in the ransomware infection that could also encrypt the collected information. The Wireshark and Process Monitor executables are launched on Windows OS 7 32 bits as in [21]. Each one of them has an independent task for collecting the following information: Wireshark collects the information about network activity whereas Process Monitor gathers the whole system activity (including network information).…”

Section: Data Collectionmentioning

confidence: 99%

Ransomware Network Traffic Analysis for Pre-encryption Alert

Moussaileb

Cuppens

Lanet³

et al. 2020

Foundations and Practice of Security

View full text Add to dashboard Cite

Cyber Security researchers are in an ongoing battle against ransomware attacks. Some exploits begin with social engineering methods to install payloads on victims' computers, followed by a communication with command and control servers for data exchange. To scale down these attacks, scientists should shed light on the danger of those rising intrusions to prevent permanent data loss. To join this arm race against malware, we propose in this paper an analysis of various ransomware families based on the collected system and network logs from a computer. We delve into malicious network traffic generated by these samples to perform a packet level detection. Our goal is to reconstruct ransomware's full activity to check if its network communication is distinguishable from benign traffic. Then, we examine if the first packet sent occurs before data's encryption to alert the administrators or afterwards. We aim to define the first occurrence of the alert raised by malicious network traffic and where it takes place in a ransomware workflow. Logs collected are available at http://serveur2.seres.rennes.telecom-bretagne.eu/data/RansomwareData/.

show abstract

Section: Data Collectionmentioning

confidence: 99%

Ransomware Network Traffic Analysis for Pre-encryption Alert

Moussaileb

Cuppens

Lanet³

et al. 2020

Foundations and Practice of Security

View full text Add to dashboard Cite

show abstract

“…Identification of ransomware families is indeed a valuable research angle, as demonstrated by several other papers. Homayoun et al (2017) used Sequential Pattern Mining to detect best features that can be used to distinguish ransomware applications from benign applications. They focussed on three ransomware families (Locky, Cerber and TeslaCrypt) and were able to identify a given ransomware family with a 96.5% accuracy within 10 s of the ransomware's execution.…”

Section: Tools and Strategies For Analysing Ransomwarementioning

confidence: 99%

Ransomware deployment methods and analysis: views from a predictive model and human responses

Hull

John²,

Arief

2019

Crime Sci

View full text Add to dashboard Cite

Ransomware incidents have increased dramatically in the past few years. The number of ransomware variants is also increasing, which means signature and heuristic-based detection techniques are becoming harder to achieve, due to the ever changing pattern of ransomware attack vectors. Therefore, in order to combat ransomware, we need a better understanding on how ransomware is being deployed, its characteristics, as well as how potential victims may react to ransomware incidents. This paper aims to address this challenge by carrying out an investigation on 18 families of ransomware, leading to a model for categorising ransomware behavioural characteristics, which can then be used to improve detection and handling of ransomware incidents. The categorisation was done in respect to the stages of ransomware deployment methods with a predictive model we developed called Randep. The stages are fingerprint, propagate, communicate, map, encrypt, lock, delete and threaten. Analysing the samples gathered for the predictive model provided an insight into the stages and timeline of ransomware execution. Furthermore, we carried out a study on how potential victims (individuals, as well as IT support staff at universities and SMEs) detect that ransomware was being deployed on their machine, what steps they took to investigate the incident, and how they responded to the attack. Both quantitative and qualitative data were collected through questionnaires and in-depth interviews. The results shed an interesting light into the most common attack methods, the most targeted operating systems and the infection symptoms, as well as recommended defence mechanisms. This information can be used in the future to create behavioural patterns for improved ransomware detection and response. which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

show abstract

“…The outcomes have shown the improvement over the security performance in SDS systems. Dodangeh and Jahangir [2] have developed a new scheme to satisfy the security in WBAN. Two mutual authentication and key exchange protocols were proposed to deal with the overall network architecture in WBAN circumstances.…”

Section: Related Workmentioning

confidence: 99%

Trusted Detection of Ransom ware using Machine Learning Algorithms

2019

IJITEE

View full text Add to dashboard Cite

Nowadays, the Computer Networks and the internet are increased. Lots of information is accessed and allowed to the users to share the information to the Internet. One of the major issues with internet was different types of attack. Ransomware is a one kind of attack or it is malicious software that threatens to publish the victim's data. A variety of threats is the main target for the effective network security and avoids them from spreading or entering to the networks the network security on computer essential for computer networks. Ransom ware is a critical threat in network security since each day the raising of ransomware gets abundant. The major problem by the researchers is the prediction of ransomware. This paper planned to carry out a review on the different method to detect ransomware. Ransomware detection is very much helpful on minimizing the workload of analyst and for determining the variation in hidden Ransomware samples. Using machine learning algorithms Ransomware detected efficiently and trustfully.

show abstract

Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence

Cited by 118 publications

References 40 publications

Ransomware Network Traffic Analysis for Pre-encryption Alert

Ransomware Network Traffic Analysis for Pre-encryption Alert

Ransomware deployment methods and analysis: views from a predictive model and human responses

Trusted Detection of Ransom ware using Machine Learning Algorithms

Contact Info

Product

Resources

About