Machine Learning-Based Detection of Ransomware Using SDN

Abstract

The growth of malware poses a major threat to internet users, governments, and businesses around the world. One of the major types of malware, ransomware, encrypts a user's sensitive information and only returns the original files to the user after a ransom is paid. As malware developers shift the delivery of their product from HTTP to HTTPS to protect themselves from payload inspection, we can no longer rely on deep packet inspection to extract features for malware identification. Toward this goal, we propose a solution leveraging a recent trend in networking hardware, namely programmable forwarding engines (PFEs). PFEs allow collection of per-packet network monitoring data at high rates. We use this data to monitor the network traffic between an infected computer and the command and control (C&C) server. We extract high-level flow features from this traffic and use them for ransomware classification. We write a stream processor and use a random forest binary classifier that utilizes these rich flow records to fingerprint malicious network activity without requiring deep packet inspection. Our classification model achieves a detection rate in excess of 0.86, while maintaining a false negative rate under 0.11. Our results suggest that a flow-based fingerprinting method is feasible and accurate enough to catch ransomware before encryption.
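An added example, not from the paper: the stream-processor step of the pipeline described above, aggregating per-packet telemetry of the kind a PFE exports into bidirectional flow records with DPI-free features (bytes per direction, inter-arrival statistics, flag counts) that a random forest could consume. The record fields, the feature set and the sample packets are constructed assumptions; the paper's own feature list is not given on this page.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    """Assumed per-packet record as a PFE might export it (no payload)."""
    ts: float          # arrival time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    length: int        # bytes on the wire
    syn: bool = False
    fin: bool = False


def flow_key(p: Packet):
    # Bidirectional key: both directions of a connection map to one flow.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def flow_features(packets):
    """Group packets into flows and compute header-only features per flow."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        flows[flow_key(p)].append(p)
    out = {}
    for key, pkts in flows.items():
        initiator = pkts[0].src                 # first sender = client side
        fwd_bytes = sum(p.length for p in pkts if p.src == initiator)
        rev_bytes = sum(p.length for p in pkts if p.src != initiator)
        gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
        out[key] = {
            "duration": pkts[-1].ts - pkts[0].ts,
            "pkts": len(pkts),
            "fwd_bytes": fwd_bytes,
            "rev_bytes": rev_bytes,
            "bytes_ratio": rev_bytes / fwd_bytes if fwd_bytes else 0.0,
            "mean_len": mean(p.length for p in pkts),
            "iat_mean": mean(gaps) if gaps else 0.0,
            "iat_std": pstdev(gaps) if len(gaps) > 1 else 0.0,
            "syn": sum(p.syn for p in pkts),   # handshake / scan indicator
            "fin": sum(p.fin for p in pkts),
        }
    return out


# Constructed sample: one TLS-looking session from a host to a server.
SAMPLE = [
    Packet(0.00, "10.0.0.5", "203.0.113.9", 51000, 443, 60, syn=True),
    Packet(0.05, "203.0.113.9", "10.0.0.5", 443, 51000, 60, syn=True),
    Packet(0.10, "10.0.0.5", "203.0.113.9", 51000, 443, 200),
    Packet(0.40, "203.0.113.9", "10.0.0.5", 443, 51000, 1400),
    Packet(0.60, "203.0.113.9", "10.0.0.5", 443, 51000, 1400),
    Packet(1.00, "10.0.0.5", "203.0.113.9", 51000, 443, 60, fin=True),
]
```

Each dictionary in the result is one feature vector; in the paper's setting these vectors, labelled from known-benign and known-ransomware captures, are what the random forest is trained on.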

Authors
  • Cusack, Greg
  • Michel, Oliver
  • Keller, Eric
Shortfacts
Category: Paper in Conference Proceedings or in Workshop Proceedings (Paper)
Event Title: 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization
Divisions: Communication Technologies
Subjects: Computer security; Artificial intelligence; Applied computer science
Event Location: Tempe, AZ, USA
Event Type: Workshop
Event Dates: March 2018
Date: March 2018