Abstract
Security operation centers (SOCs) typically use a variety of tools to collect large volumes of host logs for detection and forensics of intrusions. Our experience, supported by recent user studies on SOC operators, indicates that operators spend considerable time (e.g., hundreds of man hours) on investigations into logs seeking adversarial actions. Similarly, reconfiguration of tools to adapt detectors for future similar attacks is commonplace upon gaining novel insights (e.g., through internal investigation or shared indicators). This paper presents an automated malware pattern-extraction and early detection tool, testing three machine learning approaches: TF-IDF (term frequency–inverse document frequency), Fisher’s LDA (linear discriminant analysis) and ET (extra trees/extremely randomized trees), that can (1) analyze freshly discovered malware samples in sandboxes and generate dynamic analysis reports (host logs); (2) automatically extract the sequence of events induced by malware given a large volume of ambient (un-attacked) host logs and the relatively few logs from hosts that are infected with potentially polymorphic malware; (3) rank the most discriminating features (unique patterns) of malware and detect malicious activity from the learned behavior; and (4) allow operators to visualize the discriminating features and their correlations to facilitate malware forensic efforts. To validate the accuracy and efficiency of our tool, we design three experiments and test seven ransomware attacks (i.e., WannaCry, DBGer, Cerber, Defray, GandCrab, Locky, and nRansom). The experimental results show that TF-IDF is the best of the three methods to identify discriminating features, and ET is the most time-efficient and robust approach.
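The abstract's steps (2) and (3) treat each host log as a document of event tokens, weight the tokens with TF-IDF, and rank the tokens that separate the few infected logs from the many ambient ones. The following Python example, added here and not taken from the paper or its tool, works that idea through on constructed sandbox-style event logs: it computes smoothed TF-IDF, scores each token by its mean TF-IDF in infected logs minus its mean in ambient logs (that difference-of-means score and the ambient-derived threshold are this example's assumptions about how to operationalize the ranking, not the paper's stated formulas), and then uses the top-ranked tokens as a signature to flag a new log. The event names and logs are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample host logs (not real sandbox output). Each log is the ordered
# list of event tokens a sandbox recorded for one host; "ambient" hosts are
# uninfected, "infected" hosts ran a ransomware-like sample.
AMBIENT_LOGS = [
    ["NtCreateFile", "NtReadFile", "NtClose", "RegQueryValue", "NtCreateFile", "NtReadFile", "NtClose"],
    ["NtCreateFile", "NtWriteFile", "NtClose", "RegQueryValue", "CreateProcess:explorer.exe"],
    ["RegQueryValue", "NtCreateFile", "NtReadFile", "NtReadFile", "NtClose", "NtClose"],
    ["NtCreateFile", "NtReadFile", "NtWriteFile", "NtClose", "RegQueryValue", "RegQueryValue"],
    ["NtCreateFile", "NtClose", "CreateProcess:explorer.exe", "NtReadFile", "NtClose"],
]
INFECTED_LOGS = [
    ["NtCreateFile", "NtReadFile", "CryptEncrypt", "NtWriteFile", "DeleteFile", "CryptEncrypt",
     "NtWriteFile", "DeleteFile", "RegSetValue:Run", "CreateProcess:vssadmin.exe"],
    ["RegQueryValue", "NtCreateFile", "CryptEncrypt", "NtWriteFile", "DeleteFile",
     "CreateProcess:vssadmin.exe", "CryptEncrypt", "NtWriteFile", "NtClose"],
]

# Constructed held-out logs: a clean host and a variant of the malware with a
# different event order and mix (standing in for a polymorphic sample).
NEW_AMBIENT_LOG = ["NtCreateFile", "NtReadFile", "NtReadFile", "NtClose", "RegQueryValue", "NtWriteFile"]
NEW_INFECTED_LOG = ["NtCreateFile", "CryptEncrypt", "NtWriteFile", "DeleteFile", "NtClose",
                    "CryptEncrypt", "NtWriteFile", "NtClose"]


def term_frequencies(log):
    """Fraction of the log's events that each token accounts for."""
    if not log:
        return {}
    counts = Counter(log)
    return {token: c / len(log) for token, c in counts.items()}


def inverse_document_frequencies(logs):
    """Smoothed IDF over all logs: rare tokens get higher weight, tokens present
    in every log still get a small positive weight instead of zero."""
    n = len(logs)
    df = Counter()
    for log in logs:
        df.update(set(log))
    return {token: math.log((1 + n) / (1 + d)) + 1.0 for token, d in df.items()}


def tfidf_vectors(logs, idf):
    return [{t: tf * idf[t] for t, tf in term_frequencies(log).items()} for log in logs]


def rank_discriminating_features(ambient_logs, infected_logs):
    """Score each token by mean TF-IDF in infected logs minus mean TF-IDF in
    ambient logs, so tokens that the malware adds rank high and tokens that
    are merely common background activity rank low or negative."""
    idf = inverse_document_frequencies(ambient_logs + infected_logs)
    ambient_vecs = tfidf_vectors(ambient_logs, idf)
    infected_vecs = tfidf_vectors(infected_logs, idf)
    scores = {}
    for token in idf:
        mean_inf = sum(v.get(token, 0.0) for v in infected_vecs) / len(infected_vecs)
        mean_amb = sum(v.get(token, 0.0) for v in ambient_vecs) / len(ambient_vecs)
        scores[token] = mean_inf - mean_amb
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return ranked, idf


def score_log(log, signature, idf):
    """Weighted TF-IDF mass of a log over the signature tokens only."""
    tf = term_frequencies(log)
    return sum(weight * tf.get(token, 0.0) * idf[token] for token, weight in signature.items())


def build_detector(ambient_logs, infected_logs, top_k=4):
    """Signature = the top_k positively discriminating tokens; threshold = the
    highest score any ambient training log reaches, so clean training hosts
    are never flagged."""
    ranked, idf = rank_discriminating_features(ambient_logs, infected_logs)
    signature = {token: score for token, score in ranked[:top_k] if score > 0}
    threshold = max(score_log(log, signature, idf) for log in ambient_logs)
    return signature, threshold, idf


def is_malicious(log, detector):
    signature, threshold, idf = detector
    return score_log(log, signature, idf) > threshold


if __name__ == "__main__":
    ranked, _ = rank_discriminating_features(AMBIENT_LOGS, INFECTED_LOGS)
    for token, score in ranked[:5]:
        print(f"{score:+.3f}  {token}")
    detector = build_detector(AMBIENT_LOGS, INFECTED_LOGS)
    print("held-out ambient flagged:", is_malicious(NEW_AMBIENT_LOG, detector))
    print("held-out infected flagged:", is_malicious(NEW_INFECTED_LOG, detector))
```

On these constructed logs the encryption and shadow-copy-deletion tokens rise to the top of the ranking while ordinary file reads score negative, and the held-out infected variant is flagged even though its event order differs from the training samples. The threshold choice (maximum ambient score) trades false positives for sensitivity; with a real ambient corpus one would inspect the ambient score distribution rather than take its maximum.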
This manuscript has been authored by UT-Battelle, LLC, under contract DE-AC05-00OR22725 with the US Department of Energy (DOE). The US government retains and the publisher, by accepting the article for publication, acknowledges that the US government retains a nonexclusive, paid-up, irrevocable, worldwide license to publish or reproduce the published form of this manuscript, or allow others to do so, for US government purposes. DOE will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).
Acknowledgements
Special thanks to the reviewers who helped polish this document, including Michael Iannacone. Research sponsored by the Laboratory Directed Research and Development Program of Oak Ridge National Laboratory, managed by UT-Battelle, LLC, for the U.S. Department of Energy, and by the National Science Foundation under Grant No. 1812599. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.
© 2019 Springer Nature Switzerland AG
Cite this paper
Chen, Q., Islam, S.R., Haswell, H., Bridges, R.A. (2019). Automated Ransomware Behavior Analysis: Pattern Extraction and Early Detection. In: Liu, F., Xu, J., Xu, S., Yung, M. (eds) Science of Cyber Security. SciSec 2019. Lecture Notes in Computer Science(), vol 11933. Springer, Cham. https://doi.org/10.1007/978-3-030-34637-9_15
DOI: https://doi.org/10.1007/978-3-030-34637-9_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34636-2
Online ISBN: 978-3-030-34637-9
eBook Packages: Computer Science (R0)