Day 2 : Machine Learning approach for detecting Ransomware

“Wannacry is the Stuxnet of Ransomware” 
― James Scott, Senior Fellow, Institute for Critical Infrastructure Technology

Stuxnet is a computer virus that almost started WW3. It exploited security holes that system developers were unaware of. These holes are known as zero days. This computer virus would remian dormant without the specific target. It was looking to shut down the centrifuges that spin nuclear material at Iran's enrichment facilities.

To know more about stuxnet, find below some useful resources
1. https://www.csoonline.com/article/3218104/malware/what-is-stuxnet-who-created-it-and-how-does-it-work.html is an interesting read
2. https://youtu.be/7g0pi4J8auQ is an interesting watch

Wannacry targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It took advantage of installing backdoors onto infected systems. It propagated through EternalBlue, an exploit in older Windows systems. More information about Wannacry will be detailed out in the next post.

The primary focus of this post is to understand key points from the paper cited below.
Cusack, Greg, Oliver Michel, and Eric Keller. "Machine Learning-Based Detection of Ransomware Using SDN." In Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, pp. 1-6. ACM, 2018.

The recent trend has seen malware developers shift from HTTP to HTTPS to make deep packet inspection difficult, hence protecting themselves from payload inspection. So we need a solution that can leverage other features of network to identify ransomware. In order to extract features, we build a programmable forwarding engine that allows collection of per-packet, network monitoring data at high rates. Network traffic between an infected computer and the command and control (C&C) server is monitored. A stream processor is written which feeds data into  random forest, a binary classifier that utilizes these rich flow records in fingerprinting malicious, network activity without the requirement of deep packet inspection.

The architecture of the system and the results obtained have been detailed out as Paper 3 in https://docs.google.com/document/d/18km6eA_VHNL9qBiHXbjvbWFOWoSMeryeXvSD3xOhabk/edit?usp=sharing

Resource to the presentation of the paper by the authors https://pdfs.semanticscholar.org/1a3d/edd9dfb77922fa680a914434e7af162dc1e5.pdf


Comments

  1. Ram P RustagiJanuary 29, 2019 at 9:21 PM

    It is also possible that some systems may still access things even though SSL certificate mismatch occurs. Would you like to consider terminating the HTTPS Connection, present a different certificate (which will have name mismatch) assuming client continues with name mismatch and still carry out DPI

    ReplyDelete

Post a Comment

Popular posts from this blog

Day 12: Master Slave SDN Controller Architecture

In the previous post, I was struggling to figure out why all controllers can install flows in all switches irrespective of the code. Well, today the mystery is getting resolved. I found this book that explains beautifully the various roles that a controller can play. The three roles are: Equal : this happens by default all the equal controllers in a network that are connected to the switch can add and delete flows from it Slave: it has a read-only limitation to the switch openflow tables Master: very similar to the switch, but only 1 master can be connected to the switch at that point of time, and no other flows can intercept the communication between switch and master. I highly recommend you go through the above link to get a better picture. Since the default role of any controller is "Equal", we couldn't really differentiate between the three controller flows yesterday. But one good news from this is that we don't really need extensive coding to assi...
Read more

Day 1: Understanding Ransomware and how to detect them?

Image
To start this journey, let’s begin at the basics and learn about what ransomwares are, what is the meaning of a ransomware attack, how have other people detected it so far? By learning the above, we will be in a position to analyze any ransomware attack and devise methods to detect, mitigate and prevent them. Definition: Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. To continue understanding and addressing the threats posed by ransomware, let us dig a little deeper. As the definition specifies, ransomware is a type of malicious software. Now, what is a malicious software? Definition: Malware (= Malicious + Software) is a software which is specifically designed to disrupt, damage, or gain authorized access to a computer system. These malwares (or simply dangerous content that can corrupt your system), can enter your system from various s...
Read more

Day 50: Tcpreplay and tcpliveplay approach

Today we shall be exploring how to copy and redirect the OpenFlow packets to more than one controller from the load balancer. The load balancer is anyway sending the OpenFlow packets to one of the slave controllers - c1 or c2. The packets sent to these two controllers needs to be sent to master controller so the master controller can update the new flows added by c1 or c2 on the switches. This ensures synchronization between controllers. There are two implementation methods to achieve the same: Copy all packets generated from the load balancer to the controller side. Only the packets having destination IP address of c1 and c2 can be redirected to the master controller. Thus we can prevent the packets which already are reaching the master controller to be sent as duplicates Copy and redirect packets from the slave controllers - c1 and c2. We need not take care of duplicate packets reaching master controller. This will reduce the time taken to redirect packets. Since the second a...
Read more