TY - GEN
T1 - A ransomware detection method using fuzzy hashing for mitigating the risk of occlusion of information systems
AU - Naik, Nitin
AU - Jenkins, Paul
AU - Savage, Nick
N1 - Publisher Copyright:
© 2019 IEEE.
PY - 2019/10/3
Y1 - 2019/10/3
N2 - Today, a significant threat to organisational information systems is ransomware, which can completely occlude an information system by denying access to its data. To reduce the exposure to and damage from ransomware attacks, organisations are obliged to address the threat of ransomware explicitly, alongside their general malware prevention strategy. In attempting to prevent the escalation of ransomware attacks, it is important to account for their polymorphic behaviour and the proliferation of endless new versions. However, many ransomware samples share similarities because they are created by the same threat actors or groups. A particular threat actor or group often reuses the same practices or codebase to produce numerous versions of its ransomware. Because of these common traits and shared codebase, it is likely that new or unknown ransomware variants can be detected by comparison with their originating or existing samples. Therefore, this paper presents a detection method for ransomware employing a similarity-preserving hashing technique called fuzzy hashing. The method is applied to a collected corpus of WannaCry (WannaCryptor) ransomware using three fuzzy hashing methods, SSDEEP, SDHASH and mvHASH-B, to evaluate the similarity detection success rate of each. Moreover, the fuzzy similarity scores are used to cluster the collected ransomware corpus, and the clustering results are compared to determine the relative accuracy of the selected fuzzy hashing methods.
AB - Today, a significant threat to organisational information systems is ransomware, which can completely occlude an information system by denying access to its data. To reduce the exposure to and damage from ransomware attacks, organisations are obliged to address the threat of ransomware explicitly, alongside their general malware prevention strategy. In attempting to prevent the escalation of ransomware attacks, it is important to account for their polymorphic behaviour and the proliferation of endless new versions. However, many ransomware samples share similarities because they are created by the same threat actors or groups. A particular threat actor or group often reuses the same practices or codebase to produce numerous versions of its ransomware. Because of these common traits and shared codebase, it is likely that new or unknown ransomware variants can be detected by comparison with their originating or existing samples. Therefore, this paper presents a detection method for ransomware employing a similarity-preserving hashing technique called fuzzy hashing. The method is applied to a collected corpus of WannaCry (WannaCryptor) ransomware using three fuzzy hashing methods, SSDEEP, SDHASH and mvHASH-B, to evaluate the similarity detection success rate of each. Moreover, the fuzzy similarity scores are used to cluster the collected ransomware corpus, and the clustering results are compared to determine the relative accuracy of the selected fuzzy hashing methods.
KW - Fuzzy Hashing
KW - K-Means Clustering
KW - Ransomware
KW - SDHASH
KW - SSDEEP
KW - Similarity Preserving Hashing
KW - WannaCry
KW - WannaCryptor
KW - mvHASH-B
UR - http://www.scopus.com/inward/record.url?scp=85080931618&partnerID=8YFLogxK
U2 - 10.1109/ISSE46696.2019.8984540
DO - 10.1109/ISSE46696.2019.8984540
M3 - Conference contribution
AN - SCOPUS:85080931618
T3 - ISSE 2019 - 5th IEEE International Symposium on Systems Engineering, Proceedings
BT - ISSE 2019 - 5th IEEE International Symposium on Systems Engineering, Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 5th Annual IEEE International Symposium on Systems Engineering, ISSE 2019
Y2 - 1 October 2019 through 3 October 2019
ER -
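The abstract describes detecting new variants by comparing similarity-preserving (fuzzy) hashes against known samples and then clustering the corpus by score. The Python below is an added illustration of that idea, not the authors' code and not the real SSDEEP, SDHASH or mvHASH-B implementations: a simplified context-triggered piecewise hash in the style of ssdeep (7-byte rolling window, FNV piece hash, block size derived from the input length, edit-distance scoring guarded by ssdeep's common-substring check), run over constructed random byte strings that stand in for an original sample, a patched variant and an unrelated file. The block-size rule, seeds, sample sizes, the 50 threshold and the greedy grouping are illustrative assumptions; the paper itself clusters with k-means.

```python
"""Simplified ssdeep-style CTPH for illustration only: not the paper's code, not real ssdeep."""
import random

WINDOW = 7                 # rolling-hash window length, as in ssdeep
MIN_BLOCKSIZE = 3
SPAMSUM_LENGTH = 64        # target signature length used to choose the block size
FNV_PRIME = 0x01000193
FNV_INIT = 0x28021967
MASK32 = 0xFFFFFFFF
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


class RollingHash:
    """Value depends only on the last WINDOW bytes, so boundaries resynchronise 7 bytes after any edit."""
    def __init__(self):
        self.window = [0] * WINDOW
        self.h1 = self.h2 = self.h3 = 0
        self.n = 0

    def update(self, c):
        self.h2 = (self.h2 - self.h1 + WINDOW * c) & MASK32               # weighted sum of window
        self.h1 = (self.h1 + c - self.window[self.n % WINDOW]) & MASK32   # plain sum of window
        self.window[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ c) & MASK32                           # shift-xor of window
        return (self.h1 + self.h2 + self.h3) & MASK32


def blocksize_for(length):
    """Smallest 3*2^k block size whose expected signature fits in SPAMSUM_LENGTH characters."""
    bs = MIN_BLOCKSIZE
    while bs * SPAMSUM_LENGTH < length:
        bs *= 2
    return bs


def fuzzy_hash(data, blocksize=None):
    """Return 'blocksize:signature'; a piece ends wherever the rolling hash hits the trigger value."""
    bs = blocksize or blocksize_for(len(data))
    roll, piece, sig = RollingHash(), FNV_INIT, []
    for c in data:
        piece = ((piece * FNV_PRIME) & MASK32) ^ c      # FNV-style hash of the current piece
        if roll.update(c) % bs == bs - 1:               # content-defined boundary
            sig.append(B64[piece & 63])
            piece = FNV_INIT
    if piece != FNV_INIT:                               # flush the trailing partial piece
        sig.append(B64[piece & 63])
    return f"{bs}:{''.join(sig)}"


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def has_common_substring(a, b, n=WINDOW):
    """ssdeep scores 0 when the signatures share no 7-char run; this suppresses chance matches."""
    subs = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in subs for i in range(len(b) - n + 1))


def compare(sig_a, sig_b):
    """Similarity 0..100 from the edit distance of two signatures (simplified ssdeep scoring)."""
    bs_a, s_a = sig_a.split(":", 1)
    bs_b, s_b = sig_b.split(":", 1)
    if bs_a != bs_b or not has_common_substring(s_a, s_b):   # real ssdeep also tries 2x block size
        return 0
    return max(0, 100 - (100 * levenshtein(s_a, s_b)) // (len(s_a) + len(s_b)))


def cluster(corpus, threshold=50):
    """Greedy grouping: join the first group with any member scoring >= threshold (assumed, not k-means)."""
    sigs = {name: fuzzy_hash(blob) for name, blob in corpus.items()}
    groups = []
    for name, sig in sigs.items():
        for members in groups:
            if any(compare(sig, sigs[m]) >= threshold for m in members):
                members.append(name)
                break
        else:
            groups.append([name])
    return groups


def make_corpus():
    """Constructed stand-in samples (seeded random bytes, not malware): original, variant, unrelated."""
    rng = random.Random(2019)
    original = bytes(rng.getrandbits(8) for _ in range(4000))
    patched = bytes(rng.getrandbits(8) for _ in range(200))     # 200 bytes rewritten in the middle
    inserted = bytes(rng.getrandbits(8) for _ in range(50))     # 50 bytes inserted further on
    variant = original[:1500] + patched + original[1700:3000] + inserted + original[3000:]
    unrelated = bytes(random.Random(1337).getrandbits(8) for _ in range(4000))
    return {"original": original, "variant": variant, "unrelated": unrelated}


if __name__ == "__main__":
    corpus = make_corpus()
    sigs = {k: fuzzy_hash(v) for k, v in corpus.items()}
    for k, s in sigs.items():
        print(f"{k:>9}: {s}")
    print("original vs variant  :", compare(sigs["original"], sigs["variant"]))
    print("original vs unrelated:", compare(sigs["original"], sigs["unrelated"]))
    print("clusters:", cluster(corpus))
```

The variant keeps a high score because content-defined boundaries realign within one window after each edit, so only the pieces touching the rewritten and inserted regions change; the unrelated file scores 0 because the common-substring guard rejects it even though random signatures of equal length would otherwise sit at a misleadingly non-zero edit-distance score. Two caveats a practitioner should keep in mind: real ssdeep also compares at the neighbouring block size and caps signature length, and any fuzzy hash over the raw file is defeated when the whole sample is packed or encrypted, which is why such comparisons are usually run over unpacked or in-memory images.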