Publication: Ransomware early detection by the analysis of file sharing traffic
Abstract
Crypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in order to obtain the decryption key. This type of malware has become a serious threat for most enterprises. In those cases where the infected computer has access to documents in network shared volumes, a single host can lock access to documents across several departments in the company. We propose an algorithm that can detect ransomware action and prevent further activity over shared documents. The algorithm is based on the analysis of passively monitored traffic by a network probe. 19 different ransomware families were used for testing the algorithm in action. The results show that it can detect ransomware activity in less than 20 s, before more than 10 files are lost. Recovery of even those files was also possible because their content was stored in the traffic monitored by the network probe. Several days of traffic from real corporate networks were used to validate a low rate of false alarms. This paper also offers analytical models for the probability of early detection and the probability of false alarms for an arbitrarily large population of users.
© 2018 The Authors. This is an open access article under the CC BY license
Documents in Academica-e are protected by copyright with all rights reserved, unless otherwise indicated.