Automated Ransomware Behavior Analysis: Pattern Extraction and Early Detection

Qian Chen, Sheikh Rabiul Islam, Henry Haswell, Robert A. Bridges

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

26 Scopus citations

Abstract

Security operation centers (SOCs) typically use a variety of tools to collect large volumes of host logs for detection and forensics of intrusions. Our experience, supported by recent user studies on SOC operators, indicates that operators spend ample time (e.g., hundreds of man hours) on investigations into logs seeking adversarial actions. Similarly, reconfiguration of tools to adapt detectors for future similar attacks is commonplace upon gaining novel insights (e.g., through internal investigation or shared indicators). This paper presents an automated malware pattern-extraction and early detection tool, testing three machine learning approaches: TF-IDF (term frequency–inverse document frequency), Fisher's LDA (linear discriminant analysis) and ET (extra trees/extremely randomized trees). The tool can (1) analyze freshly discovered malware samples in sandboxes and generate dynamic analysis reports (host logs); (2) automatically extract the sequence of events induced by malware, given a large volume of ambient (un-attacked) host logs and the relatively few logs from hosts that are infected with potentially polymorphic malware; (3) rank the most discriminating features (unique patterns) of malware and, from the learned behavior, detect malicious activity; and (4) allow operators to visualize the discriminating features and their correlations to facilitate malware forensic efforts. To validate the accuracy and efficiency of our tool, we design three experiments and test seven ransomware attacks (i.e., WannaCry, DBGer, Cerber, Defray, GandCrab, Locky, and nRansom). The experimental results show that TF-IDF is the best of the three methods to identify discriminating features, and ET is the most time-efficient and robust approach.
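As an added illustration of step (3), not code from the paper: a from-scratch TF-IDF ranking over constructed sandbox host logs. Each host's log is one document, file names are abstracted to their extension so polymorphic samples share tokens, and every event token is scored by its mean TF-IDF in infected logs minus its mean in ambient logs; the event names, hosts and sample logs are all invented.

```python
import math
from collections import Counter

# Constructed sandbox host logs (not the paper's data): one string per host,
# one event per line. Ambient hosts are un-attacked; infected hosts ran a sample.
AMBIENT_LOGS = [
    "process_start explorer.exe\nfile_read report.docx\nfile_write report.docx\nnet_connect 10.0.0.5:443",
    "process_start outlook.exe\nfile_read inbox.pst\nnet_connect 10.0.0.7:993\nfile_write inbox.pst",
    "process_start chrome.exe\nnet_connect 10.0.0.9:443\nfile_write cache.bin\nfile_read cache.bin",
    "process_start word.exe\nfile_read notes.docx\nfile_write notes.docx\nprocess_exit word.exe",
]
INFECTED_LOGS = [
    "process_start sample.exe\nfile_read report.docx\nfile_write report.docx.locked\nfile_delete report.docx\n"
    "file_read notes.docx\nfile_write notes.docx.locked\nfile_delete notes.docx\nfile_write README_DECRYPT.txt",
    "process_start sample.exe\nfile_read inbox.pst\nfile_write inbox.pst.locked\nfile_delete inbox.pst\n"
    "file_write README_DECRYPT.txt\nnet_connect 10.0.0.5:443",
]

def tokenize(log):
    """Abstract each event line so polymorphic file names do not fragment the
    feature space: file ops keep the extension, network events keep the port."""
    tokens = []
    for line in log.splitlines():
        verb, _, arg = line.partition(" ")
        if verb.startswith("file_"):
            arg = arg.rsplit(".", 1)[-1]
        elif verb == "net_connect":
            arg = arg.rsplit(":", 1)[-1]
        tokens.append(f"{verb}:{arg}")
    return tokens

def tfidf(docs):
    """Per-document TF-IDF dicts; idf = ln(N / df) computed over all docs."""
    n = len(docs)
    df = Counter(term for doc in docs for term in set(doc))
    return [{t: (c / len(doc)) * math.log(n / df[t]) for t, c in Counter(doc).items()}
            for doc in docs]

def rank_features(ambient_logs, infected_logs):
    """Score each token by mean TF-IDF over infected logs minus mean over ambient
    logs; the top of the ranking is the most discriminating malware pattern."""
    docs = [tokenize(log) for log in ambient_logs + infected_logs]
    vecs = tfidf(docs)
    amb, inf = vecs[:len(ambient_logs)], vecs[len(ambient_logs):]
    mean = lambda group, t: sum(v.get(t, 0.0) for v in group) / len(group)
    scores = {t: mean(inf, t) - mean(amb, t) for v in vecs for t in v}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
```

With the constructed logs, the mass write of a new ".locked" extension ranks first, while events that ambient hosts also produce (port 443 connections, normal process starts) score at or below zero.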

Original language: English
Title of host publication: Science of Cyber Security - 2nd International Conference, SciSec 2019, Revised Selected Papers
Editors: Feng Liu, Jia Xu, Shouhuai Xu, Moti Yung
Publisher: Springer
Pages: 199-214
Number of pages: 16
ISBN (Print): 9783030346362
DOIs
State: Published - 2019
Event: 2nd International Conference on Science of Cyber Security, SciSec 2019 - Nanjing, China
Duration: Aug 9 2019 to Aug 11 2019

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 11933 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 2nd International Conference on Science of Cyber Security, SciSec 2019
Country/Territory: China
City: Nanjing
Period: 08/9/19 to 08/11/19

Funding

Acknowledgements. Special thanks to the reviewers that helped polish this document, including Michael Iannacone. Research sponsored by the Laboratory Directed Research and Development Program of Oak Ridge National Laboratory, managed by UT-Battelle, LLC, for the U.S. Department of Energy, and by the National Science Foundation under Grant No. 1812599. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.

Funders (funder number):
- National Science Foundation
- U.S. Department of Energy
- Directorate for Education and Human Resources (1812599)
- Oak Ridge National Laboratory
