Ransomware early detection by the analysis of file sharing traffic
Fecha
2018Autor
Versión
Acceso abierto / Sarbide irekia
Tipo
Artículo / Artikulua
Versión
Versión publicada / Argitaratu den bertsioa
Impacto
|
10.1016/j.jnca.2018.09.013
Resumen
Crypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in order to obtain the decryption key. This type of malware has become a serious threat for most enterprises. In those cases where the infected computer has access to documents in network shared volumes, a single host can lock access to documents across several departments in the company ...
[++]
Crypto ransomware is a type of malware that locks access to user files by encrypting them and demands a ransom in order to obtain the decryption key. This type of malware has become a serious threat for most enterprises. In those cases where the infected computer has access to documents in network shared volumes, a single host can lock access to documents across several departments in the company. We propose an algorithm that can detect ransomware action and prevent further activity over shared documents. The algorithm is based on the analysis of passively monitored traffic by a network probe. 19 different ransomware families were used for testing the algorithm in action. The results show that it can detect ransomware activity in less than 20 s, before more than 10 files are lost. Recovery of even those files was also possible because their content was stored in the traffic monitored by the network probe. Several days of traffic from real corporate networks were used to validate a low rate of false alarms. This paper offers also analytical models for the probability of early detection and the probability of false alarms for an arbitrarily large population of users. [--]
Materias
Malware detection,
Traffic analysis,
Network security,
Ransomware
Editor
Elsevier
Publicado en
Journal of Network and Computer Applications, 124 (2018) 14–32
Departamento
Universidad Pública de Navarra. Departamento de Ingeniería Eléctrica, Electrónica y de Comunicación /
Nafarroako Unibertsitate Publikoa. Ingeniaritza Elektrikoa, Elektronikoa eta Telekomunikazio Ingeniaritza Saila /
Universidad Pública de Navarra/Nafarroako Unibertsitate Publikoa. Institute of Smart Cities - ISC
Versión del editor
Entidades Financiadoras
This work was supported by Spanish MINECO through project PIT (TEC2015-69417-C2-2-R).