Visible to the public Machine Learning-Based Detection of Ransomware Using SDN

TitleMachine Learning-Based Detection of Ransomware Using SDN
Publication TypeConference Paper
Year of Publication2018
AuthorsCusack, Greg, Michel, Oliver, Keller, Eric
Conference NameProceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization
Conference LocationNew York, NY, USA
ISBN Number978-1-4503-5635-0
Keywordscomposability, machine learning, Malware, Metrics, programmable forwarding engines, pubcrawl, ransomware, Resiliency, software-defined networking, stream processing
AbstractThe growth of malware poses a major threat to internet users, governments, and businesses around the world. One of the major types of malware, ransomware, encrypts a user's sensitive information and only returns the original files to the user after a ransom is paid. As malware developers shift the delivery of their product from HTTP to HTTPS to protect themselves from payload inspection, we can no longer rely on deep packet inspection to extract features for malware identification. Toward this goal, we propose a solution leveraging a recent trend in networking hardware, that is programmable forwarding engines (PFEs). PFEs allow collection of per-packet, network monitoring data at high rates. We use this data to monitor the network traffic between an infected computer and the command and control (C&C) server. We extract high-level flow features from this traffic and use this data for ransomware classification. We write a stream processor and use a random forest, binary classifier to utilizes these rich flow records in fingerprinting malicious, network activity without the requirement of deep packet inspection. Our classification model achieves a detection rate in excess of 0.86, while maintaining a false negative rate under 0.11. Our results suggest that a flow-based fingerprinting method is feasible and accurate enough to catch ransomware before encryption.
Citation Keycusack_machine_2018