Automated behavioral analysis of malware: A case study of WannaCry ransomware

Qian Chen, Robert A. Bridges

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

163 Scopus citations

Abstract

Ransomware, a class of self-propagating malware that uses encryption to hold the victims' data ransom, has emerged in recent years as one of the most dangerous cyber threats, with widespread damage; e.g., the zero-day ransomware WannaCry caused world-wide catastrophe, from knocking U.K. National Health Service hospitals offline to shutting down a Honda Motor Company in Japan [1]. Our close collaboration with security operations of large enterprises reveals that defense against ransomware relies on tedious analysis of high-volume system logs from the first few infections. Sandbox analysis of freshly captured malware is also commonplace in operations. We introduce a method to identify and rank the most discriminating ransomware features from a set of ambient (non-attack) system logs and at least one log stream containing both ambient and ransomware behavior. These ranked features reveal a set of malware actions that are produced automatically from system logs, and can help automate tedious manual analysis. We test our approach using WannaCry and two polymorphic samples by producing logs with Cuckoo Sandbox during both ambient and ambient-plus-ransomware executions. Our goal is to extract the features of the malware from the logs with only the knowledge that malware was present. We compare outputs with a detailed analysis of WannaCry, allowing validation of the algorithm's feature extraction, and provide an analysis of the method's robustness to variations of input data: changing the quality/quantity of ambient data and testing polymorphic ransomware. Most notably, our patterns are accurate and unwavering when generated from polymorphic WannaCry copies, on which 63 (of 63 tested) antivirus (AV) products fail.
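The abstract describes comparing ambient logs against a log stream known to also contain ransomware activity and ranking the features that separate the two. The script below is an added illustration of that comparison and is not the paper's code: the events are constructed, simplified records rather than real Cuckoo Sandbox output, the ".enc" suffix and the process name "sample.exe" are made up for the example, and the scoring rule (a smoothed rate ratio weighted by the mixed-stream rate, in the style of a per-feature KL-divergence term) is an assumption made here, not the authors' algorithm.

```python
"""Rank log features that separate a malware-containing log stream from
ambient (benign) activity.

Added illustration of the comparison described in the abstract. Inputs are
constructed, simplified records, not Cuckoo Sandbox output, and the scoring rule
is an assumption made here, not the paper's algorithm.
"""
import math
from collections import Counter

# Constructed ambient events: (process, API call, target path or registry key).
AMBIENT_LOGS = [
    ("explorer.exe", "NtCreateFile", "C:\\Users\\alice\\report.docx"),
    ("winword.exe", "NtWriteFile", "C:\\Users\\alice\\report.docx"),
    ("chrome.exe", "NtCreateFile", "C:\\Users\\alice\\Downloads\\cat.jpg"),
    ("svchost.exe", "RegQueryValueExW", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"),
    ("explorer.exe", "NtCreateFile", "C:\\Users\\alice\\notes.txt"),
    ("notepad.exe", "NtWriteFile", "C:\\Users\\alice\\notes.txt"),
    ("chrome.exe", "NtCreateFile", "C:\\Users\\alice\\Downloads\\cat.jpg"),
    ("svchost.exe", "NtCreateFile", "C:\\Windows\\Temp\\log.tmp"),
]

# Constructed mixed stream: the same kind of ambient activity plus a hypothetical
# sample ("sample.exe") that writes a copy of each user file under a made-up
# ".enc" suffix and deletes the original. Only "malware was present" is assumed
# known; the process name is deliberately not used as a feature.
MIXED_LOGS = [
    ("explorer.exe", "NtCreateFile", "C:\\Users\\alice\\report.docx"),
    ("chrome.exe", "NtCreateFile", "C:\\Users\\alice\\Downloads\\cat.jpg"),
    ("svchost.exe", "RegQueryValueExW", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"),
    ("sample.exe", "NtCreateFile", "C:\\Users\\alice\\report.docx.enc"),
    ("sample.exe", "NtWriteFile", "C:\\Users\\alice\\report.docx.enc"),
    ("sample.exe", "NtDeleteFile", "C:\\Users\\alice\\report.docx"),
    ("sample.exe", "NtCreateFile", "C:\\Users\\alice\\notes.txt.enc"),
    ("sample.exe", "NtWriteFile", "C:\\Users\\alice\\notes.txt.enc"),
    ("sample.exe", "NtDeleteFile", "C:\\Users\\alice\\notes.txt"),
    ("sample.exe", "NtCreateFile", "C:\\Users\\alice\\Downloads\\cat.jpg.enc"),
    ("sample.exe", "NtWriteFile", "C:\\Users\\alice\\Downloads\\cat.jpg.enc"),
    ("sample.exe", "NtDeleteFile", "C:\\Users\\alice\\Downloads\\cat.jpg"),
    ("notepad.exe", "NtWriteFile", "C:\\Users\\alice\\notes.txt"),
]


def extract_features(events):
    """Turn each event into coarse behavioural features: the API call alone and
    the API call paired with the target's file extension (when it has one)."""
    feats = []
    for _proc, api, target in events:
        feats.append(("api", api))
        name = target.rsplit("\\", 1)[-1]
        if "." in name:
            feats.append(("api+ext", api, name.rsplit(".", 1)[1].lower()))
    return feats


def rank_features(ambient, mixed, alpha=0.5):
    """Score every feature by rate_mixed * ln(rate_mixed / rate_ambient), with
    add-alpha smoothing so that features absent from one side still get a
    finite score. Features that occur more often per event in the mixed stream
    score positive; ambient-only or ambient-dominated features score negative."""
    ambient_counts = Counter(extract_features(ambient))
    mixed_counts = Counter(extract_features(mixed))
    n_ambient, n_mixed = len(ambient), len(mixed)
    scores = {}
    for feat in set(ambient_counts) | set(mixed_counts):
        rate_a = (ambient_counts[feat] + alpha) / (n_ambient + alpha)
        rate_m = (mixed_counts[feat] + alpha) / (n_mixed + alpha)
        scores[feat] = rate_m * math.log(rate_m / rate_a)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def top_features(ambient, mixed, k=5):
    """Return the k highest-scoring features: the candidate malware pattern."""
    return rank_features(ambient, mixed)[:k]


if __name__ == "__main__":
    for feat, score in top_features(AMBIENT_LOGS, MIXED_LOGS):
        print(f"{score:+.3f}  {feat}")
```

On these inputs the three features never seen in ambient logs (deleting files, and creating or writing files with the made-up ".enc" extension) tie for the top positions, while the routine NtCreateFile calls that dominate the ambient logs score negative. The smoothing constant alpha is what keeps the ranking stable when the ambient set is small or noisy, which is the kind of input variation the abstract says the method was tested against.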

Original language: English
Title of host publication: Proceedings - 16th IEEE International Conference on Machine Learning and Applications, ICMLA 2017
Editors: Xuewen Chen, Bo Luo, Feng Luo, Vasile Palade, M. Arif Wani
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 454-460
Number of pages: 7
ISBN (Electronic): 9781538614174
DOIs
State: Published - 2017
Event: 16th IEEE International Conference on Machine Learning and Applications, ICMLA 2017 - Cancun, Mexico
Duration: Dec 18 2017 to Dec 21 2017

Publication series

Name: Proceedings - 16th IEEE International Conference on Machine Learning and Applications, ICMLA 2017
Volume: 2017-December

Conference

Conference: 16th IEEE International Conference on Machine Learning and Applications, ICMLA 2017
Country/Territory: Mexico
City: Cancun
Period: 12/18/17 to 12/21/17

Funding

The authors wish to thank Laurence Nichols III, Maria McClelland, Mark Pleszkoch, Mike Iannacone, Sarah Powers and the anonymous reviewers for helping us formulate, complete, and polish this work. This material is based on research sponsored by the following: Laboratory Directed Research and Development Program of Oak Ridge National Laboratory, managed by UT-Battelle, LLC, for the U.S. Department of Energy, contract DE-AC05-00OR22725, DOE IJC3 Cyber R&D Effort, and the National Science Foundation under Grant No. 1700391. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation. This manuscript has been authored by UT-Battelle, LLC under Contract No. DE-AC05-00OR22725 with the U.S. Department of Energy. The United States Government retains and the publisher, by accepting the article for publication, acknowledges that the United States Government retains a non-exclusive, paid-up, irrevocable, world-wide license to publish or reproduce the published form of this manuscript, or allow others to do so, for United States Government purposes.
The Department of Energy will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan)
