Ransomware detection based on V-detector negative selection algorithm

Lu, Tianliang; Zhang, Lu; Wang, Shunye; Gong, Qi

doi:10.1109/spac.2017.8304335

Cited by 18 publications

(12 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• The read and write frequency is commonly used by these tools to detect the malware [29], [30]. Every ransomware must read and write the files to encrypt them, which they can do slowly to avoid being detected by these tools.…”

Section: History and Classification Of Ransomwarementioning

confidence: 99%

“…We do not offer this information yet; however, only four tools base their detection exclusively on these parameters. Most tools that analyse system function calls or the cryptographic primitives combine them with other parameters, like file extensions [5], I/O operations [7], [30], [37], and data access information [48].…”

Section: Possible Uses For the Data In The Repositorymentioning

confidence: 99%

See 1 more Smart Citation

Open Repository for the Evaluation of Ransomware Detection Tools

Berrueta

Morató²,

Magaña

et al. 2020

IEEE Access

View full text Add to dashboard Cite

Crypto-ransomware is a type of malware that encrypts user files, deletes the original data, and asks for ransom to recover the hijacked documents. Several articles have presented detection techniques for this type of malware; these techniques are applied before the ransomware encrypts files or during its action in an infected host. The evaluation of these proposals has always been accomplished using sets of ransomware samples that are prepared locally for the research article, without making the data available. Different studies use different sets of samples and different evaluation metrics, resulting in insufficient comparability. In this paper, we describe a public data repository containing the file access operations of more than 70 ransomware samples during the encryption of a large network shared directory. These data have already been used successfully in the evaluation of a network-based ransomware detection algorithm. Now, we are making these data available to the community and describing their details, how they were captured, and how they can be used in the evaluation and comparison of the results of most ransomware detection techniques. INDEX TERMSRansomware, open repository, traffic analysis. EDUARDO BERRUETA was graduated in telecommunication engineering from the Public University of Navarre (UPNA), Spain, in 2016. He received the M.Sc. degree in telecommunication engineering from UPNA, in 2018, where he is currently pursuing the Ph.D. degree with the Telecommunications, Networks and Services Research Group. Previously, he attended the University of Turin for completing his thesis on software defined networking. In 2016, he held a Scholarship at the Automatics and Computing Department. In 2017 and 2018, he was a Research Assistant with the Telecommunications, Networks and Services Research Group, UPNA. DANIEL MORATO received the M.Sc. degree in telecommunication engineering and the Ph.D. degree from the Public University of Navarre, Spain. In 2002, he was a Visiting Postdoctoral Fellow with the Electrical Engineering and Computer Sciences Department, University of California at Berkeley, Berkeley. Since 2006, he has been working at the Public University of Navarre. He is currently an Associate Professor with the Department of Electrical, Electronic and Communications Engineering. In 2014, he became a member of the Institute of Smart Cities. His research interests include high-speed networks, the performance and traffic analysis of Internet services, and network monitoring. EDUARDO MAGAÑA received the M.Sc. and Ph.D. degrees in telecommunications engineering from the

show abstract

Section: History and Classification Of Ransomwarementioning

confidence: 99%

Section: Possible Uses For the Data In The Repositorymentioning

confidence: 99%

Open Repository for the Evaluation of Ransomware Detection Tools

Berrueta

Morató²,

Magaña

et al. 2020

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Furthermore, one of the most important challenges is to provide enhanced mechanisms to predict ransomware attacks before they happens and then apply countermeasures. On one hand, there are several articles that show novel detection and prediction methods [7,13,14,18]. On the other hand, some prevention mechanisms are presented in order to established some principles and suggestions to avoid a ransomware attack or loss of information [22,23,28,30].…”

Section: Current Researchmentioning

confidence: 99%

“…Part of the current research analyzes the behavior of API calls. For example, Lu et al [18] proposed a ransomware detection method based on V-detector negative selection algorithm combined with a mutation optimizer. This proposal takes into account three main features: API function calls (crypto, processes, services), behavioral expressions (network, registers and directory operations), and memory.…”

Section: Detection and Predictionmentioning

confidence: 99%

A Survey on Situational Awareness of Ransomware Attacks—Detection and Prevention Parameters

et al. 2019

View full text Add to dashboard Cite

In recent years, cybercrime activities have grown significantly, compromising device security and jeopardizing the normal activities of enterprises. The profits obtained through intimidation and the limitations for tracking down the illegal transactions have created a lucrative business based on the hijacking of users’ files. In this context, ransomware takes advantage of cryptography to compromise the user information or deny access to the operating system. Then, the attacker extorts the victim to pay a ransom in order to regain access, recover the data, or keep the information private. Nowadays, the adoption of Situational Awareness (SA) and cognitive approaches can facilitate the rapid identification of ransomware threats. SA allows knowing what is happening in compromised devices and network communications through monitoring, aggregation, correlation, and analysis tasks. The current literature provides some parameters that are monitored and analyzed in order to prevent these kinds of attacks at an early stage. However, there is no complete list of them. To the best of our knowledge, this paper is the first proposal that summarizes the parameters evaluated in this research field and considers the SA concept. Furthermore, there are several articles that tackle ransomware problems. However, there are few surveys that summarize the current situation in the area, not only regarding its evolution but also its issues and future challenges. This survey also provides a classification of ransomware articles based on detection and prevention approaches.

show abstract

“…There have been several proposals for the detection of ransomware [9] [10] [11]. Most of them require the malware to take destructive actions before an alarm can be raised [12], [13], which implies the loss of some files.…”

Section: Introductionmentioning

confidence: 99%

Ransomware Encrypted Your Files but You Restored Them from Network Traffic

Berrueta

Morató

Magaña

et al. 2018

2018 2nd Cyber Security in Networking Conference (CSNet)

View full text Add to dashboard Cite

In a scenario where user files are stored in a network shared volume, a single computer infected by ransomware could encrypt the whole set of shared files, with a large impact on user productivity. On the other hand, medium and large companies maintain hardware or software probes that monitor the traffic in critical network links, in order to evaluate service performance, detect security breaches, account for network or service usage, etc. In this paper we suggest using the monitoring capabilities in one of these tools in order to keep a trace of the traffic between the users and the file server. Once the ransomware is detected, the lost files can be recovered from the traffic trace. This includes any user modifications posterior to the last snapshot of periodic backups. The paper explains the problems faced by the monitoring tool, which is neither the client nor the server of the file sharing operations. It also describes the data structures in order to process the actions of users that could be simultaneously working on the same file. A proof of concept software implementation was capable of successfully recovering the files encrypted by 18 different ransomware families.

show abstract

Ransomware detection based on V-detector negative selection algorithm

Cited by 18 publications

References 8 publications

Open Repository for the Evaluation of Ransomware Detection Tools

Open Repository for the Evaluation of Ransomware Detection Tools

A Survey on Situational Awareness of Ransomware Attacks—Detection and Prevention Parameters

Ransomware Encrypted Your Files but You Restored Them from Network Traffic

Contact Info

Product

Resources

About