Ransomware detection and mitigation using software-defined networking: The case of WannaCry

Akbanov, Maxat; Vassilakis, Vassilios G.; Logothetis, Michael D.

doi:10.1016/j.compeleceng.2019.03.012

Cited by 72 publications

(55 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Since the Software Defined Networking (SDN) solutions are now a de-facto standard, the presence of a controller with a networkwide view can be a promising feature for blocking the malicious network traffic. Several research attempts have already been made to investigate this topic: for instance, the authors of [196] presented an SDN system which dynamically modifies the network structure when malware activity is discovered, and there are also a few studies focused on the ransomware [197], [198], [199], botnets [200] as well as zero-day attacks [201] detection. However, much more research is needed.…”

Section: Attack Trends and Research Directionsmentioning

confidence: 99%

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

Caviglione

Choraś

Corona³

et al. 2021

IEEE Access

View full text Add to dashboard Cite

Section: Attack Trends and Research Directionsmentioning

confidence: 99%

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

Caviglione

Choraś

Corona³

et al. 2021

IEEE Access

View full text Add to dashboard Cite

“…When it comes to ransomware with worm-spreading capabilities, researchers have studied two related families: WannaCry and ExPetr. For WannaCry [16], the suggestion is to use two applications. The first uses a dynamic IP blacklist to detect WannaCry's communication with its C&C, which prevents the victim's device from being encrypted.…”

Section: B Sdn-based Ransomware Detectionmentioning

confidence: 99%

“…That is, [13]- [15] propose approaches to detect ransomware communications with the C&C, in order, for example, to prevent a victim's device from being encrypted. On the other hand, approaches proposed in [16], [17] attempt to detect ransomwares' attempts to spread within a network. Our results of the BadRabbit ransomware analysis given later in Section IV indicate that a system infected with the BadRabbit ransomware does not make attempts to commu- nicate with third parties, as it depends on generating an encryption key using Microsoft libraries and then encrypting this key with a public key in a form of behaviour similar to that of ExPetr [17].…”

Section: Problem Statementmentioning

confidence: 99%

“…The aim of our work is to detect attempts to spread ransomware at the network level rather than to prevent device encryption, which has already been addressed in previous works. Solutions presented in [16], [17] may result in high numbers of false positives by blocking an unnecessary high number of legitimate users. Moreover, they are essentially dependent on the network not needing the SMB service.…”

Section: Problem Statementmentioning

confidence: 99%

See 1 more Smart Citation

SDN-Based Detection of Self-Propagating Ransomware: The Case of BadRabbit

Al-Otaibi

2021

IEEE Access

Self Cite

View full text Add to dashboard Cite

In the last decade, many ransomware attacks had the ability to spread within local networks or even outside them. At the same time, software defined networking (SDN) has provided a major boost to networks by transferring intelligence from network devices to a programmable logically centralised controller. The latter can be programmed to be compatible with the requirements of a wide range of networks and environments in a straightforward manner. This has motivated researchers to design SDNbased security solutions against threats targeting traditional networks and systems. This paper investigates the use of SDN to detect and mitigate the risk of self-propagating ransomware. The infamous BadRabbit ransomware has been used for the proof of concept. To achieve this, an extensive analysis of BadRabbit was performed to identify its characteristics and understand its behaviour at both the infected device level and at the network level. As a result, several unique artifacts were extracted from BadRabbit, which could facilitate its detection. These artifacts were relied upon to design an SDN-based intrusion detection and prevention system. Our system comprises five modules, namely deep packet inspection, ARP scanning detection, packet header inspection, honeypot, and SMB checker. The first two modules have been inspired by other works and have been included for comparison with the existing solutions. Three other modules rely on novel SDN-based methods for ransomware detection. We have also evaluated the efficiency and the performance of our system in terms of detection time, CPU utilisation, as well as TCP and ping latency. Finally, the proposed approach has also been tested for other ransomware families, such as WannaCry and NotPetya. Our experimental results show that the system is effective in terms of detecting self-propagating ransomware and outperforms other proposed approaches. INDEX TERMS Self-propagating ransomware, intrusion detection and prevention, SDN security, BadRabbit detection.

show abstract

“…Currently, the popular use of machine learning in many sectors has inspired malware researcher to use the approach as ransomware detection system that helps to increase detection rates [5]. Furthermore, the increases of attacks from new ransomware families shows that attackers improving themselves with numerous cunning and sophisticated features such as encryption mechanisms or propagation of worm [6]. Hence, the motivation of this research is to study anomaly behavior of ransomware and analyze the behavior based on ransomware distinct features.…”

Section: Ransomware At Glancementioning

confidence: 99%

Ransomware Behavior Attack Construction via Graph Theory Approach

Rosli¹,

Abdullah²,

Yassin³

et al. 2020

IJACSA

View full text Add to dashboard Cite

Ransomware has becoming a current trend of cyberattack where its reputation among malware that cause a massive amount recovery in terms of cost and time for ransomware victims. Previous studies and solutions have showed that when it comes to malware detection, malware behavior need to be prioritized and analyzed in order to recognize malware attack pattern. Although the current state-of-art solutions and frameworks used dynamic analysis approach such as machine learning that provide more impact rather than static approach, but there is not any approachable way in representing the analysis especially a detection that relies on malware behavior. Therefore, this paper proposed a graph theory approach which is analysis of the ransomware behavior that can be visualized into graph-based pattern. An experiment has been conducted with ten ransomware samples for malware analysis and verified using VirusTotal. Then, file system among features were selected in the experiment as a medium to understand the behavior of ransomware using data capturing tools. After that, the result of the analysis was visualized in a graph pattern based on Neo4j which is graph database tool. By using graph as a base, the discussion has been made to recognize each type of ransomware that acts differently in the file system and analyze which node that have the most impact during analysis part.

show abstract

Ransomware detection and mitigation using software-defined networking: The case of WannaCry

Cited by 72 publications

References 18 publications

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

SDN-Based Detection of Self-Propagating Ransomware: The Case of BadRabbit

Ransomware Behavior Attack Construction via Graph Theory Approach

Contact Info

Product

Resources

About