Title

運用網路封包分析與機器學習之勒索病毒偵測技術

Parallel Title (English)

Ransomware Detection Technique by using Network Packet Analysis and Machine Learning

Authors

蔡文淙(Wen-Tsung Tsai);林韶如(Shao-Ru Lin);劉得民(Te-Min Liu);周兆龍(Chao-Lung Chou)

Keywords

Ransomware ; Dynamic Analysis ; Network Packet ; Machine Learning

Journal

資訊安全通訊 (Communications of the CCISA)

Volume/Issue (Publication Date)

Vol. 28, No. 4 (2022/11/01)

Pages

36 - 57

Language

Traditional Chinese

Chinese Abstract (translated)

In recent years, security incidents in which enterprises and government agencies are attacked by ransomware have increasingly appeared in the news and on security websites. Attackers penetrate users' computers through intrusion techniques, or even social engineering, and run ransomware that encrypts the documents on those computers; a victim who urgently needs the files back, to avoid halting the organization's operations or suffering personal losses, may pay the ransom by the method the attacker specifies. To limit the damage, the first priority at the moment of such an attack is to gain response time, so a dynamic-analysis approach that detects a ransomware attack in real time is needed. Based on the specific anomalous behaviour that ransomware produces when it launches an attack in a network environment, this study proposes two indicators, the ransom-file packet count and the abnormal packet count, to detect whether a computer inside the same local network is under ransomware attack, and applies machine learning algorithms, namely decision trees, sequential minimal optimization (SMO) and simple logistic regression, to classify different ransomware families from the values of the two indicators. Over 600 experimental runs, the average accuracy reached 99.25% or above, demonstrating that the proposed method effectively detects and classifies ransomware.

English Abstract

In recent years, information security incidents in which enterprises and government agencies are attacked by ransomware have increasingly appeared in the news. Hackers penetrate users' computers through social engineering or other intrusion methods and encrypt their files with ransomware. If the victim is eager to restore the files, to avoid stagnation of the organization's operations and damage to personal interests, the ransom may be paid by the method specified by the hacker. To reduce damage, gaining response time is the primary goal when under such an attack. Therefore, a real-time dynamic analysis method is required to detect ransomware attacks. Based on the abnormal behaviors of ransomware attacks in the network environment, this research proposes two indicators, the ransom file (RF) count and the abnormal packet (AP) count, to detect whether computers are under ransomware attack, and uses machine learning algorithms such as decision tree, sequential minimal optimization (SMO) and simple logistic regression to classify different ransomware families according to the two indicators. After 600 rounds of experiments, the results show an average classification accuracy of 99.25%, indicating that the proposed method can effectively detect and classify ransomware.

Subject classification: Basic and Applied Sciences > Information Science