
Automated Ransomware Behavior Analysis: Pattern Extraction and Early Detection

  • Conference paper
  • Science of Cyber Security (SciSec 2019)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11933)

Abstract

Security operation centers (SOCs) typically use a variety of tools to collect large volumes of host logs for intrusion detection and forensics. Our experience, supported by recent user studies of SOC operators, indicates that operators spend considerable time (e.g., hundreds of man-hours) investigating logs in search of adversarial actions. Similarly, once novel insights are gained (e.g., through internal investigation or shared indicators), reconfiguring tools to adapt detectors to future similar attacks is commonplace. This paper presents an automated malware pattern-extraction and early-detection tool, testing three machine learning approaches: TF-IDF (term frequency–inverse document frequency), Fisher's LDA (linear discriminant analysis) and ET (extra trees / extremely randomized trees). The tool (1) analyzes freshly discovered malware samples in sandboxes and generates dynamic analysis reports (host logs); (2) automatically extracts the sequence of events induced by the malware, given a large volume of ambient (un-attacked) host logs and relatively few logs from hosts infected with potentially polymorphic malware; (3) ranks the most discriminating features (unique patterns) of the malware and detects malicious activity from the learned behavior; and (4) allows operators to visualize the discriminating features and their correlations to facilitate malware forensics. To validate the accuracy and efficiency of our tool, we design three experiments and test seven ransomware families (WannaCry, DBGer, Cerber, Defray, GandCrab, Locky, and nRansom). The experimental results show that TF-IDF is the best of the three methods at identifying discriminating features, and ET is the most time-efficient and robust approach.
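Steps (2) and (3) of the abstract, feature ranking over ambient versus infected host logs and detection from the learned weights, as an added example that is not the paper's code. Each host log is modelled as a document of API-call event names; TF-IDF weights are computed over a handful of constructed ambient and sandbox-infected logs (the event names and the logs themselves are constructed for illustration, not Cuckoo output); events are ranked by the gap between their mean weight in infected and in ambient logs; and the positive weights are reused as a simple linear detector for unseen hosts. The scoring formula, the name-based tie-break and the midpoint threshold are assumptions of this example, not the paper's method, and the paper's ET classifier is not reproduced here.

```python
"""
TF-IDF ranking of discriminating host-log events, plus a linear detector
built from the ranked weights.  Constructed illustration, not the paper's
code: event names and logs below are made up, not sandbox output.
"""
import math
from collections import Counter

# Constructed sample logs: four clean ("ambient") hosts and two hosts that
# ran a ransomware-like sample in a sandbox.  Token names are assumptions.
AMBIENT = [
    ["NtOpenFile", "NtReadFile", "NtClose", "RegOpenKeyExW", "NtQueryValueKey", "NtClose"],
    ["NtCreateFile", "NtWriteFile", "NtClose", "NtOpenFile", "NtReadFile", "NtClose"],
    ["RegOpenKeyExW", "RegQueryValueExW", "NtClose", "NtOpenFile", "NtReadFile", "NtClose"],
    ["NtOpenFile", "NtReadFile", "NtReadFile", "NtClose", "LdrLoadDll", "NtClose"],
]
INFECTED = [
    ["NtQueryDirectoryFile", "NtOpenFile", "NtReadFile", "CryptEncrypt", "NtWriteFile",
     "MoveFileWithProgressW", "NtQueryDirectoryFile", "NtOpenFile", "NtReadFile",
     "CryptEncrypt", "NtWriteFile", "MoveFileWithProgressW", "CreateProcessInternalW"],
    ["CryptGenKey", "NtQueryDirectoryFile", "NtOpenFile", "NtReadFile", "CryptEncrypt",
     "NtWriteFile", "DeleteFileW", "NtQueryDirectoryFile", "NtOpenFile", "CryptEncrypt",
     "NtWriteFile", "DeleteFileW"],
]


def tf(doc):
    """Term frequency of each event in one host log: count / log length."""
    n = len(doc)
    return {t: c / n for t, c in Counter(doc).items()}


def idf(docs):
    """Inverse document frequency over all host logs: log(N / df)."""
    n = len(docs)
    df = Counter(t for d in docs for t in set(d))
    return {t: math.log(n / k) for t, k in df.items()}


def tfidf(doc, idf_table):
    """TF-IDF vector of one log; events unseen at training time get weight 0."""
    return {t: w * idf_table.get(t, 0.0) for t, w in tf(doc).items()}


def rank_discriminating_events(ambient, infected):
    """Score each event as mean TF-IDF over infected logs minus mean over
    ambient logs.  Events peculiar to infected hosts float to the top, events
    common on clean hosts go negative.  Ties are broken by name (assumption)
    so the ranking is deterministic."""
    idf_table = idf(ambient + infected)
    amb = [tfidf(d, idf_table) for d in ambient]
    inf = [tfidf(d, idf_table) for d in infected]
    scores = {}
    for t in idf_table:
        m_inf = sum(v.get(t, 0.0) for v in inf) / len(inf)
        m_amb = sum(v.get(t, 0.0) for v in amb) / len(amb)
        scores[t] = m_inf - m_amb
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def build_detector(ambient, infected):
    """Linear detector: host score = sum(tfidf * positive discriminating
    weight).  The threshold is placed midway between the highest ambient and
    the lowest infected training score (assumption), so training hosts are
    separated with some margin.  Returns (is_infected, host_score, threshold)."""
    idf_table = idf(ambient + infected)
    weights = {t: s for t, s in rank_discriminating_events(ambient, infected) if s > 0}

    def host_score(doc):
        return sum(w * weights.get(t, 0.0) for t, w in tfidf(doc, idf_table).items())

    max_amb = max(host_score(d) for d in ambient)
    min_inf = min(host_score(d) for d in infected)
    threshold = (max_amb + min_inf) / 2

    def is_infected(doc):
        return host_score(doc) > threshold

    return is_infected, host_score, threshold


if __name__ == "__main__":
    for event, score in rank_discriminating_events(AMBIENT, INFECTED)[:5]:
        print(f"{score:+.4f}  {event}")
    is_infected, host_score, threshold = build_detector(AMBIENT, INFECTED)
    new_host = ["NtQueryDirectoryFile", "NtOpenFile", "NtReadFile", "CryptEncrypt",
                "NtWriteFile", "NtQueryDirectoryFile", "CryptEncrypt", "NtWriteFile"]
    print(f"threshold={threshold:.4f} score={host_score(new_host):.4f} "
          f"infected={is_infected(new_host)}")
```

Two practical caveats follow from the scoring rule. An event that is present on every host (here NtOpenFile) gets an IDF of zero and can never become a feature, however often ransomware calls it, so the ranking rewards rarity as much as maliciousness; and the ambient logs must come from the same software baseline as the infected hosts, otherwise benign-but-rare events on the sandbox image (an installer, a backup agent) will be ranked as malware behavior.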

This manuscript has been authored by UT-Battelle, LLC, under contract DE-AC05-00OR22725 with the US Department of Energy (DOE). The US government retains and the publisher, by accepting the article for publication, acknowledges that the US government retains a nonexclusive, paid-up, irrevocable, worldwide license to publish or reproduce the published form of this manuscript, or allow others to do so, for US government purposes. DOE will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).



Acknowledgements

Special thanks to the reviewers that helped polish this document, including Michael Iannacone. Research sponsored by the Laboratory Directed Research and Development Program of Oak Ridge National Laboratory, managed by UT-Battelle, LLC, for the U.S. Department of Energy, and by the National Science Foundation under Grant No. 1812599. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.

Author information

Corresponding author: Qian Chen.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Chen, Q., Islam, S.R., Haswell, H., Bridges, R.A. (2019). Automated Ransomware Behavior Analysis: Pattern Extraction and Early Detection. In: Liu, F., Xu, J., Xu, S., Yung, M. (eds) Science of Cyber Security. SciSec 2019. Lecture Notes in Computer Science, vol 11933. Springer, Cham. https://doi.org/10.1007/978-3-030-34637-9_15

  • DOI: https://doi.org/10.1007/978-3-030-34637-9_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-34636-2

  • Online ISBN: 978-3-030-34637-9

  • eBook Packages: Computer Science (R0)