A 0-Day Aware Crypto-Ransomware Early Behavioral Detection Framework

  • Bander Ali Saleh Al-rimy
  • Mohd Aizaini Maarof
  • Syed Zainuddin Mohd Shaid
Conference paper
Part of the Lecture Notes on Data Engineering and Communications Technologies book series (LNDECT, volume 5)

Abstract

Crypto-ransomware exploits cryptography to hijack personal files and documents and hold them to ransom. Exploiting this technological leap, crypto-ransomware targets a wide range of systems and platforms. Although many users, whether individuals or organizations, practice proactive security procedures such as regular backups, advanced crypto-ransomware can bypass these countermeasures, leaving valuable data exposed to this extortion attack. Because its damage is irreversible, thwarting crypto-ransomware is challenging. Although several studies have tackled the crypto-ransomware detection problem, most of them approached it from a generic malware perspective. Such an approach has proven ineffective given the unique characteristics that distinguish this attack, which require discovery before encryption takes place. To this end, this paper puts forward an efficient and effective framework for building crypto-ransomware early detection models that protect users, whether individuals or organizations, from being victimized by such an attack.

Keywords

Crypto-ransomware, Locker-ransomware, Malware, Bitcoin, Cybercurrency, Cryptography, Scareware, Early detection

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Bander Ali Saleh Al-rimy (1)
  • Mohd Aizaini Maarof (1)
  • Syed Zainuddin Mohd Shaid (1)
  1. Faculty of Computing, Universiti Teknologi Malaysia (UTM), Johor Bahru, Malaysia