Software-Defined Networking-based Crypto Ransomware Detection Using HTTP Traffic Characteristics


📝 Abstract

Ransomware is currently the key threat for individual as well as corporate Internet users. Especially dangerous is crypto ransomware, which encrypts important user data so that it can only be recovered once a ransom has been paid. Devising efficient and effective countermeasures is therefore a rising necessity. In this paper we present a novel Software-Defined Networking (SDN) based detection approach that utilizes characteristics of ransomware communication. Based on the observation of the network communication of two crypto ransomware families, namely CryptoWall and Locky, we conclude that analysis of the sequence of HTTP messages and their respective content sizes is enough to detect such threats. We show the feasibility of our approach by designing and evaluating a proof-of-concept SDN-based detection system. Experimental results confirm that the proposed approach is feasible and efficient.

📄 Content

Software-Defined Networking-based Crypto Ransomware Detection Using HTTP Traffic Characteristics

Krzysztof Cabaj (1), Marcin Gregorczyk (2) and Wojciech Mazurczyk (2)
(1) Warsaw University of Technology, Institute of Computer Science, Warsaw, Poland
(2) Warsaw University of Technology, Institute of Telecommunications, Warsaw, Poland
email: kcabaj@ii.pw.edu.pl, {M.Gregorczyk, wmazurczyk}@tele.pw.edu.pl

Abstract — Ransomware is currently the key threat for individual as well as corporate Internet users. Especially dangerous is crypto ransomware, which encrypts important user data so that it can only be recovered once a ransom has been paid. Devising efficient and effective countermeasures is therefore a rising necessity. In this paper we present a novel Software-Defined Networking (SDN) based detection approach that utilizes characteristics of ransomware communication. Based on the observation of the network communication of two crypto ransomware families, namely CryptoWall and Locky, we conclude that analysis of the sequence of HTTP messages and their respective content sizes is enough to detect such threats. We show the feasibility of our approach by designing and evaluating a proof-of-concept SDN-based detection system. Experimental results confirm that the proposed approach is feasible and efficient.
Keywords: ransomware, malware, software-defined networking, network security
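The abstract's central claim is that the order of a host's HTTP messages and their body sizes are enough to separate the ransomware's C&C exchange from ordinary browsing. The Go program below is an added illustration of what such a detector looks like; it is not code from the paper or from its proof-of-concept system. Each message is reduced to (host, direction, method, body size), a signature is an ordered list of size windows, and one cursor per host advances through the signature as messages arrive. The signature's steps and size windows, the host addresses and the message records are constructed placeholders for this example; the sequences the authors measured for CryptoWall and Locky are not reproduced on this page.

```go
package main

import "fmt"

// HTTPRecord is one HTTP message as a monitor on the SDN controller could
// report it. Dir is "req" (host -> server) or "resp" (server -> host);
// Method is empty for responses; Size is the body length in bytes.
type HTTPRecord struct {
	Host, Dir, Method string
	Size              int
}

// Step is one signature element: direction, method (ignored for responses)
// and an inclusive window on the body size.
type Step struct {
	Dir, Method      string
	MinSize, MaxSize int
}

func (s Step) matches(r HTTPRecord) bool {
	if r.Dir != s.Dir || r.Size < s.MinSize || r.Size > s.MaxSize {
		return false
	}
	return s.Dir == "resp" || r.Method == s.Method
}

// Signature is the ordered steps a host's HTTP stream must contain. MaxGap
// bounds the unrelated messages allowed between consecutive steps; without
// it a loose size window would eventually match any busy host.
type Signature struct {
	Steps  []Step
	MaxGap int
}

// KeyRequestSignature is a placeholder shaped like the C&C key request the
// paper describes (POST, response carrying the public key, confirming POST).
// Its size windows are assumptions for this example, not values from the paper.
var KeyRequestSignature = Signature{MaxGap: 3, Steps: []Step{
	{Dir: "req", Method: "POST", MinSize: 100, MaxSize: 400},
	{Dir: "resp", MinSize: 300, MaxSize: 1200},
	{Dir: "req", Method: "POST", MinSize: 100, MaxSize: 400},
}}

// cursor is one host's progress: next step index and messages since the last step.
type cursor struct{ step, gap int }

// advance feeds one message to a cursor and reports whether the signature
// completed. Non-matching messages are tolerated up to MaxGap, since the
// infected host keeps browsing while the malware talks to its C&C.
func (sig Signature) advance(c cursor, r HTTPRecord) (cursor, bool) {
	if !sig.Steps[c.step].matches(r) {
		if c.step == 0 {
			return c, false
		}
		if c.gap++; c.gap <= sig.MaxGap {
			return c, false
		}
		// Gap exceeded: restart, letting r count as a candidate first step.
		return sig.advance(cursor{}, r)
	}
	c.step, c.gap = c.step+1, 0
	return c, c.step == len(sig.Steps)
}

// MatchHosts walks the messages in arrival order with one cursor per host and
// maps each matching host to the index of the record that completed the match.
func MatchHosts(recs []HTTPRecord, sig Signature) map[string]int {
	cur, matched := map[string]cursor{}, map[string]int{}
	for i, r := range recs {
		if _, done := matched[r.Host]; done {
			continue
		}
		c, done := sig.advance(cur[r.Host], r)
		cur[r.Host] = c
		if done {
			matched[r.Host] = i
		}
	}
	return matched
}

// SampleRecords is constructed input: 10.0.0.7 carries the exchange
// interleaved with ordinary browsing, 10.0.0.5 only browses.
var SampleRecords = []HTTPRecord{
	{"10.0.0.7", "req", "POST", 256},
	{"10.0.0.5", "req", "POST", 150},
	{"10.0.0.7", "req", "GET", 0},
	{"10.0.0.7", "resp", "", 4096},
	{"10.0.0.7", "resp", "", 720},
	{"10.0.0.5", "resp", "", 200},
	{"10.0.0.7", "req", "POST", 300},
	{"10.0.0.5", "resp", "", 900},
}

func main() {
	for host, at := range MatchHosts(SampleRecords, KeyRequestSignature) {
		fmt.Printf("%s: key-request signature completed at record %d\n", host, at)
	}
}
```

In an SDN deployment the controller would receive such records from a monitoring application and, on a match, install a drop or redirect flow rule for the matching host; that enforcement step is not shown here. The MaxGap bound is the part worth tuning in practice: with only a size-window sequence and no gap limit, a long-lived browsing session will sooner or later produce the pattern by chance.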

Introduction

The year 2016 has been named by the mass media "the year of ransomware", and this type of threat is currently considered by the security community and law enforcement agencies (see e.g. Europol's recent "2016 Internet Organized Crime Threat Assessment" report [7]) a key threat to Internet users. Ransomware is malicious software designed for direct revenue generation: after infection it holds the victim's machine or the user's critical data "hostage" until a payment is made. Ransomware developers constantly improve their "products", making it harder to design and develop effective and long-lasting countermeasures. The growing number of devices expected to be connected to the Internet, e.g. under the Internet of Things (IoT) paradigm, makes it a perfect environment for ransomware to spread in the foreseeable future [9]. The ransomware plague is by now so widespread that crime-as-a-service tools are available on the dark web (such as the TOX ransomware-construction kit [8]) which allow even inexperienced cybercriminals to create their own customized malware and to manage infections and profits.

There are two main types of modern ransomware: locker and crypto. The infection happens in a similar way for both kinds: a user machine is compromised through one of various attack vectors, e.g. drive-by download, malvertising, phishing, spam or other forms of social engineering. What comes after the infection, however, differs. Locker ransomware denies the user access to the infected machine, but typically leaves the underlying system and files untouched. Crypto ransomware, on the other hand, is a kind of data locker that prevents the user from accessing her/his vital files or data (documents, pictures, videos, etc.) by means of encryption; the attacked files are useless until a ransom is paid and the decryption key is obtained. Once the machine is locked or the data is encrypted, the victim is presented with an extortion message. In many cases paying the ransom to the cybercriminal is the only way to regain access to the machine or data. The requested ransom varies but is typically in the range US $300 to $700, and the favored payment currency is Bitcoin [9]. It must be emphasized that not only individual users are currently targeted but also companies and institutions such as hospitals and law enforcement agencies. Effective and efficient solutions to counter ransomware infections are clearly desirable.

Although the first cases of crypto ransomware have been known for more than 10 years (e.g. Trojan.Gpcoder), it must be emphasized that the recent plague of this type of malware is related to the improved design of the cybercriminals' "products". The main difference now is that crypto ransomware has moved from custom or symmetric-key encryption to asymmetric-key cryptography (Fig. 1). In this case, when a machine is infected, it contacts the C&C (Command & Control) server through multiple proxy servers (typically legitimate but hacked machines) to request a public encryption key. At the C&C a matching public-private key pair is generated for each infection and the public key is returned to the compromised host (the private key never leaves the C&C server). The public key is then used to securely transfer a session key, which in turn encrypts the chosen files deemed most important to the user. It is worth noting that if correctly implemented, asymmetric cry
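The per-infection key flow described above, modelled in Go as an added example (this is illustration code written for this page, not code from the paper and not the implementation of CryptoWall, Locky or any other family). The C&C side generates a fresh RSA key pair per infection ID and hands out only the public key; the infected side draws a random session key, encrypts the data with it, wraps the session key to the public key and keeps no copy. The assumptions are RSA-2048 with OAEP for the wrap, AES-256-GCM as the session cipher, an in-memory byte string standing in for a file, and the infection ID "infection-0001"; all of these are choices for the example, not details from the paper. The point for a defender is the last two calls: decryption with any guessed key fails, and recovery succeeds only once the party holding the private key unwraps the session key, which is why the key request on the wire is the observable a network-side detector can target.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// CommandAndControl models the attacker side: one RSA key pair per
// infection, of which only the public half ever leaves the server.
type CommandAndControl struct {
	keys map[string]*rsa.PrivateKey
}

func NewCommandAndControl() *CommandAndControl {
	return &CommandAndControl{keys: map[string]*rsa.PrivateKey{}}
}

// RequestPublicKey answers the request the infected host sends right
// after infection (relayed through proxies in the real scheme): a
// fresh key pair per infection, of which only the public key is returned.
func (c *CommandAndControl) RequestPublicKey(infectionID string) (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	c.keys[infectionID] = priv
	return &priv.PublicKey, nil
}

// UnwrapSessionKey is what the ransom buys: only the retained private
// key can open the wrapped session key.
func (c *CommandAndControl) UnwrapSessionKey(infectionID string, wrapped []byte) ([]byte, error) {
	priv, ok := c.keys[infectionID]
	if !ok {
		return nil, fmt.Errorf("no key pair for infection %q", infectionID)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// EncryptedFile is what remains on the victim's disk: ciphertext, GCM nonce and the wrapped session key.
type EncryptedFile struct {
	Nonce, Ciphertext, WrappedKey []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile runs on the infected host: a random 256-bit session key
// encrypts the data with AES-GCM and is itself wrapped with RSA-OAEP.
// The plain session key is never stored, so the host cannot undo this.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{nonce, aead.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// DecryptFile succeeds only with the exact session key: GCM's tag
// check rejects any other key instead of returning garbage.
func DecryptFile(sessionKey []byte, f *EncryptedFile) ([]byte, error) {
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, f.Nonce, f.Ciphertext, nil)
}

func main() {
	cc := NewCommandAndControl()
	pub, _ := cc.RequestPublicKey("infection-0001")
	f, _ := EncryptFile(pub, []byte("constructed sample document"))
	_, err := DecryptFile(make([]byte, 32), f) // a guessed key
	fmt.Println("recovery without the C&C private key:", err)
	key, _ := cc.UnwrapSessionKey("infection-0001", f.WrappedKey)
	pt, _ := DecryptFile(key, f)
	fmt.Println("recovery after the C&C unwraps the key:", string(pt))
}
```

Nothing that remains on the host (ciphertext, nonce, wrapped key, public key) is sufficient to recover the session key, which is the property that makes a correctly implemented scheme resistant to offline recovery and moves the defender's opportunity to the network exchange in which the public key is requested.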
