Machine Learning-Based Detection of Ransomware Using SDN

Greg Cusack, Oliver Michel, Eric Keller
DOI: 10.1145/3180465.3180467 (https://doi.org/10.1145/3180465.3180467)
Published in: Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization
Publication date: 2018-03-14
Citations: 71

Abstract

The growth of malware poses a major threat to internet users, governments, and businesses around the world. One of the major types of malware, ransomware, encrypts a user's sensitive information and only returns the original files to the user after a ransom is paid. As malware developers shift the delivery of their product from HTTP to HTTPS to protect themselves from payload inspection, we can no longer rely on deep packet inspection to extract features for malware identification. Toward this goal, we propose a solution leveraging a recent trend in networking hardware, namely programmable forwarding engines (PFEs). PFEs allow collection of per-packet network monitoring data at high rates. We use this data to monitor the network traffic between an infected computer and the command and control (C&C) server. We extract high-level flow features from this traffic and use them for ransomware classification. We write a stream processor and use a random forest binary classifier to utilize these rich flow records in fingerprinting malicious network activity without the requirement of deep packet inspection. Our classification model achieves a detection rate in excess of 0.86, while maintaining a false negative rate under 0.11. Our results suggest that a flow-based fingerprinting method is feasible and accurate enough to catch ransomware before encryption.