nach oben

Journal of Computer Virology and Hacking Techniques

Erschienen in:

04.05.2021 | Original Paper

Signature-less ransomware detection and mitigation

verfasst von: Yash Shashikant Joshi, Harsh Mahajan, Sumedh Nitin Joshi, Kshitij Pradeep Gupta, Aarti Amod Agarkar

Erschienen in: Journal of Computer Virology and Hacking Techniques | Ausgabe 4/2021

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Ransomware is a challenging threat that encrypts a user's files until some ransom is paid by the victim. This type of malware is a profitable business for attackers, generating millions of dollars annually. Several approaches based on signature matching have been proposed to detect ransomware intrusions but they fail to detect ransomware whose signature is unknown. We try to detect ransomware's behaviour with the help of a mini-filter driver using a signature-less detection method. The proposed technique combines the working of Shannon’s entropy and fuzzy hash to provide better results in detecting ransomware. Not only this technique has been practically tested but has been successful in detecting over 95% of the tested ransomware attacks on windows operating systems.

Vorheriger Artikel Data augmentation and transfer learning to classify malware images in a deep learning context

Nächster Artikel Android malware classification using convolutional neural network and LSTM

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Poriye, A.M., Kumar, V.: Ransomware detection and prevention. Int. J. Comput. Sci. Eng. 6(5), 900–905 (2018). https://doi.org/10.26438/ijcse/v6i5.900905CrossRef

Luo, X., Liao, Q.: Awareness education as the key to ransomware prevention. Inf. Syst. Secur. (2007). https://doi.org/10.1080/10658980701576412CrossRef

Gorman, G.O., McDonald, G.: Ransomware : a growing menace. Symantec (2012).

Monika, Zavarsky, P., Lindskog, D.: Experimental analysis of ransomware on windows and android platforms: evolution and characterization. Procedia Comput. Sci. 94, 465–472 (2016). https://doi.org/10.1016/j.procs.2016.08.072

Kumar, S., Spafford, E.H.: A generic virus scanner in C++. In: Proceedings - Annual Computer Security Applications Conference, ACSAC (1992). https://doi.org/10.1109/CSAC.1992.228218.

Traynor, P., Chien, M., Weaver, S., Hicks, B., McDaniel, P.: Noninvasive methods for host certification. ACM Trans. Inf. Syst. Secur. (2008). https://doi.org/10.1145/1341731.1341737CrossRef

Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Proceedings - Annual Computer Security Applications Conference, ACSAC (2007). https://doi.org/10.1109/ACSAC.2007.21.

Dekel, K., Mizrachi, L., Zaikin, R., Vanunu, O.: Method and system for mitigating the effects of ransomware (2018).

Moore, C.: Detecting ransomware with honeypot techniques. In: Proceedings of 2016 Cybersecurity Cyberforensics Conference. CCC 2016, pp. 77–81 (2016). https://doi.org/10.1109/CCC.2016.14.

10.

Lance Spitzner, Honeypots: Tracking Hackers. 2002.

11.

Mohammed, M., Rehman, H.U.: Honeypots and routers: collecting internet attacks (2016).

12.

Gonzalez, D., Hayajneh, T.: Detection and prevention of crypto-ransomware. In: 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference, UEMCON 2017, pp. 472–478 (2017). https://doi.org/10.1109/UEMCON.2017.8249052

13.

Scaife, N., Carter, H., Traynor, P., Butler, K.R.B.: CryptoLock (and Drop It): stopping ransomware attacks on user data. In: Proceedings - International Conference on Distributed Computing Systems, pp. 303–312 (2016). https://doi.org/10.1109/ICDCS.2016.46.

14.

Hosfelt, D.D.: Automated detection and classification of cryptographic algorithms in binary programs through machine learning. 2015, [Online]. Available: http://arxiv.org/%0Aabs/1503.01186.

15.

Bottazzi, G., Italiano, G.F., Spera, D.: Preventing ransomware attacks through file system filter drivers. In: Proceedings of the Second Italian Conference on Cyber Security (ITASEC18), At Milan (2018).

16.

Rajaram, R., Castellani, B., Wilson, A.N.: Advancing Shannon entropy for measuring diversity in systems. Complexity (2014). https://doi.org/10.1155/2017/8715605CrossRefMATH

17.

Kornblum, J.: Identifying almost identical files using context triggered piecewise hashing. Digit. Investig. 3(Supplement), 91–97 (2006). https://doi.org/10.1016/j.diin.2006.06.015CrossRef

18.

Roussev, V.: Data fingerprinting with similarity digests. IFIP Adv. Inform. Commun. Technol. (2010). https://doi.org/10.1007/978-3-642-15506-2_15CrossRef

19.

Sarantinos, N., Benzaïd, C., Arabiat, O., Al-Nemrat, A.: Forensic malware analysis: the value of fuzzy hashing algorithms in identifying similarities. In: Proceedings - 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 10th IEEE International Conference on Big Data Science and Engineering and 14th IEEE International Symposium on Parallel and Distributed Proce, 2016. https://doi.org/10.1109/TrustCom.2016.0274.

20.

Roussev, V.: An evaluation of forensic similarity hashes. Digit. Investig. (2011). https://doi.org/10.1016/j.diin.2011.05.005CrossRef

21.

Naik, N., Jenkins, P., Savage, N., Yang, L., Naik, K., Song, J.: Augmented YARA rules fused with fuzzy hashing in ransomware triaging. IEEE Symp. Ser. Comput. Intell. (SSCI) 2019, 625–632 (2019). https://doi.org/10.1109/SSCI44817.2019.9002773CrossRef

22.

Naik, N., Jenkins, P., Savage, N.: A ransomware detection method using fuzzy hashing for mitigating the risk of occlusion of information systems. In: ISSE 2019 - 5th IEEE International Symposium on Systems Engineering, Proceedings (2019). https://doi.org/10.1109/ISSE46696.2019.8984540.

23.

Kim, H., Hollasch, L.W., Coulter, D., Matt: Load order groups and altitudes for filter drivers (2017). https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/load-order-groups-and-altitudes-for-minifilter-drivers.

24.

Hollasch, L.W., Coulter, D., Marshall, D.: IRP_MJ_CREATE (IFS) - Windows drivers | Microsoft Docs (2017). https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/irp-mj-create#:~:text=TheI%2FO Manager sends, or volume is being opened.

25.

Hollasch, L.W., Coulter, D., Kim, A., MacMichael, D.: IRP_MJ_WRITE (IFS) - Windows drivers|Microsoft Docs (2017). https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/irp-mj-write.

26.

Hudek, T., Graff, E., Sherer, T.: IRP_MJ_CLOSE - Windows drivers | Microsoft Docs (2017). https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/irp-mj-close.

27.

Lyda, R., Hamrock, J.: Using entropy analysis to find encrypted and packed malware. IEEE Secur. Priv. (2007). https://doi.org/10.1109/MSP.2007.48CrossRef

28.

Paul, C.B.: Entropy-based file type identification and partitioning (2017).

29.

Mansfield-Devine, S.: Ransomware: taking businesses hostage. Netw. Secur. (2016). https://doi.org/10.1016/S1353-4858(16)30096-4CrossRef

30.

Russinovich, M.: Sysinternals suite. Microsoft (2018).

Titel: Signature-less ransomware detection and mitigation
verfasst von: Yash Shashikant Joshi
Harsh Mahajan
Sumedh Nitin Joshi
Kshitij Pradeep Gupta
Aarti Amod Agarkar
Publikationsdatum: 04.05.2021
Verlag: Springer Paris
Erschienen in: Journal of Computer Virology and Hacking Techniques / Ausgabe 4/2021
Elektronische ISSN: 2263-8733
DOI: https://doi.org/10.1007/s11416-021-00384-0

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 4/2021

Understanding Linux kernel vulnerabilities

Malware detection and classification using community detection and social network analysis

Data augmentation and transfer learning to classify malware images in a deep learning context

A novel method for malware detection based on hardware events using deep neural networks

Android malware classification using convolutional neural network and LSTM

Premium Partner