Automated behavioral analysis of malware: A case study of wannacry ransomware

Qian Chen, Robert A. Bridges

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

152 Scopus citations

Abstract

Ransomware, a class of self-propagating malware that uses encryption to hold the victims' data ransom, has emerged in recent years as one of the most dangerous cyber threats, with widespread damage; e.g., zero-day ransomware WannaCry has caused world-wide catastrophe, from knocking U.K. National Health Service hospitals offline to shutting down a Honda Motor Company in Japan [1]. Our close collaboration with security operations of large enterprises reveals that defense against ransomware relies on tedious analysis from high-volume systems logs of the first few infections. Sandbox analysis of freshly captured malware is also commonplace in operation. We introduce a method to identify and rank the most discriminating ransomware features from a set of ambient (non-attack) system logs and at least one log stream containing both ambient and ransomware behavior. These ranked features reveal a set of malware actions that are produced automatically from system logs, and can help automate tedious manual analysis. We test our approach using WannaCry and two polymorphic samples by producing logs with Cuckoo Sandbox during both ambient, and ambient plus ransomware executions. Our goal is to extract the features of the malware from the logs with only knowledge that malware was present. We compare outputs with a detailed analysis of WannaCry allowing validation of the algorithm's feature extraction and provide analysis of the method's robustness to variations of input data-changing quality/quantity of ambient data and testing polymorphic ransomware. Most notably, our patterns are accurate and unwavering when generated from polymorphic WannaCry copies, on which 63 (of 63 tested) antivirus (AV) products fail.

Original languageEnglish
Title of host publicationProceedings - 16th IEEE International Conference on Machine Learning and Applications, ICMLA 2017
EditorsXuewen Chen, Bo Luo, Feng Luo, Vasile Palade, M. Arif Wani
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages454-460
Number of pages7
ISBN (Electronic)9781538614174
DOIs
StatePublished - 2017
Event16th IEEE International Conference on Machine Learning and Applications, ICMLA 2017 - Cancun, Mexico
Duration: Dec 18 2017Dec 21 2017

Publication series

NameProceedings - 16th IEEE International Conference on Machine Learning and Applications, ICMLA 2017
Volume2017-December

Conference

Conference16th IEEE International Conference on Machine Learning and Applications, ICMLA 2017
Country/TerritoryMexico
CityCancun
Period12/18/1712/21/17

Funding

This manuscript has been authored by UT-Battelle,LLC under Contract No. DE-AC05-00OR22725with the U.S. Department of Energy. The United States Government retains and the publisher, by accepting the article for publication, acknowledges that the United States Government retains a non-exclusive, paid-up, irrevocable, world-wide license to publish or reproduce the published form of this manuscript, or allow others to do so, for United States Government purposes. The Department of Energy will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan)

FundersFunder number
Science Foundation
U. S. Department of Energy
UT-Battelle
U.S. Department of Energy
Directorate for Education and Human Resources1700391
Oak Ridge National Laboratory

    Fingerprint

    Dive into the research topics of 'Automated behavioral analysis of malware: A case study of wannacry ransomware'. Together they form a unique fingerprint.

    Cite this