
WannaLaugh: A Configurable Ransomware Emulator -- Learning to Mimic Malicious Storage Traces (2403.07540v2)

Published 12 Mar 2024 in cs.CR and cs.AI

Abstract: Ransomware, a fearsome and rapidly evolving cybersecurity threat, continues to inflict severe consequences on individuals and organizations worldwide. Traditional detection methods, which rely on static signatures and application behavioral patterns, are challenged by the dynamic nature of these threats. This paper introduces three primary contributions to address this challenge. First, we introduce a ransomware emulator. This tool is designed to safely mimic ransomware attacks without causing actual harm or spreading malware, making it a unique solution for studying ransomware behavior. Second, we demonstrate how we use this emulator to create storage I/O traces. These traces are then used to train machine-learning models. Our results show that these models are effective in detecting ransomware, highlighting the practical application of our emulator in developing responsible cybersecurity tools. Third, we show how our emulator can be used to mimic the I/O behavior of existing ransomware, thereby enabling safe trace collection. Both the emulator and its application represent significant steps forward in ransomware detection in the era of machine-learning-driven cybersecurity.
