Exploration of Clustering Overlaps in a Ransomware


EXPLORATION OF CLUSTERING OVERLAPS IN A RANSOMWARE NETWORK BASED ON LINK STRUCTURES AND CONTENT RELEVANCE
(Exploration of temporal events and the formation of cluster overlap in a ransomware network)

BERNARD CHUKWUEMEKA OGAZI-ONYEMAECHI
PhD, MEng, MSc, BSc

Doctor of Philosophy (PhD)
SCHOOL OF COMPUTING, SCIENCE AND ENGINEERING
UNIVERSITY OF SALFORD

A Thesis Submitted in Partial Fulfilment of the Requirements for the Degree of Doctor of Philosophy
MARCH 2019

Contents

EXPLORATION OF CLUSTERING OVERLAPS IN A RANSOMWARE NETWORK BASED ON LINK STRUCTURES AND CONTENT RELEVANCE
Contents
List of figures
List of Appendices
Acknowledgments
Dedication
Declaration
Abstract

CHAPTER 1
GENERAL INTRODUCTION
  1.0 Introduction
  1.1 The Motivation for this Investigation
  1.2 Problem Statement
  1.3 Research Aim and Objectives
    1) To explore and identify the topology (structure) and Cluster (Nodes) of Ransom-ware Community (Family) Networks to develop an understanding of the patterns exhibited by developing ransomware attacks (threats).
    2) To detect Ransomware Cluster Network overlaps (hubs) and outliers.
    3) To explore the use of machine learning approaches to identify, detect and analyse the key parameters affecting cluster evolution in Ransomware Networks.
    4) To compare different network key performance parameters to identify the active cluster overlap for the real-time detection and termination of Ransom-ware (Network) threats.
    5) To identify the most impactful parameters (links and contents) to consider when analysing a Ransomware Network for the detection of Ransomware threat.
    6) To make recommendations on the key characteristics of developing threats for future approaches to control ransomware threats.
  1.4 Objectives of the Investigation
    1. To analyse link structures of ransomware networks and their effects on cluster overlaps and distribution of threats
    2. To analyse content relevance in cluster formation and spread of ransomware threat
    3. To develop an understanding for a real-time detection of overlaps to identify active nodes to remove to dislodge ransom-ware threats
  1.5 Research Contributions
  1.6 Research Limitations and Scope
  1.7 Structure of Thesis

CHAPTER 2
  2.0 Background of the Study
  2.1 Malware Evolution and Timeline
  2.2 Economic Impact of Malware Attacks
  2.3 How Do Industries Control Ransom-ware threats
  2.4 Clustering Overlap and Machine Learning Approach to the Control of Ransomware
  2.5 Summary of Literature Review

CHAPTER 3
BACKGROUND OF E-SECURITY THREATS AND ATTACKS AND RESEARCH METHODOLOGY
  3.0 Background of E-security Threats and Attacks
  3.1 Methodology

CHAPTER 4
DESIGN AND IMPLEMENTATION
  4.0 Introduction
  4.1 Ransom-ware Data Collection and Processing
  4.2 Supervised Machine Learning Approach
  4.2 Cluster Graphing to show different Communities (sub-cluster) of Ransomware Network
  4.3 Detection of Ransomware Cluster Network Overlap (Hubs) and Outliers using Machine Learning Algorithms
  4.4 Implications of Removing the Active Cluster Overlap Node in Validation Analysis of the Ransomware Threat
  4.5 Summary

CHAPTER 5
ANALYSIS AND GRAPHICAL PRESENTATION OF TIME SERIES RESULTS
  5.0 Introduction
  5.1 Time Series of Ransomware Data
    5.1.1 Decomposition of Time Series
    5.1.2 Time Series Similarity Measures
    5.1.3 Implications of the Components of the Time Series on the Development of Ransomware Threats
    5.1.4 Summary

CHAPTER 6
DISCUSSION OF RESULTS AND SUMMARY
  6.0 Introduction
  6.1 Visualizing and Exploring the Topology of Ransomware Network
  6.2 Visualizing and Exploring Overlapping Clusters to Identify Active Cluster to Dislodge Ransomware Threat.
  6.3 The Profiling and Tracking of Active Cluster Overlap Using Intensity Maps
  6.4 The Profiling and Tracking of Active Cluster Overlap Using the Objects (Variables) Counts
  6.5 Summary of Key Findings

CHAPTER 7
SUMMARY, CONCLUSION,
Recommended publications
  • A the Hacker
    A The Hacker Madame Curie once said “En science, nous devons nous intéresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practical jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  • Undergraduate Report
    UNDERGRADUATE REPORT Attack Evolution: Identifying Attack Evolution Characteristics to Predict Future Attacks by MaryTheresa Monahan-Pendergast Advisor: UG 2006-6 INSTITUTE FOR SYSTEMS RESEARCH ISR develops, applies and teaches advanced methodologies of design and analysis to solve complex, hierarchical, heterogeneous and dynamic problems of engineering technology and systems for industry and government. ISR is a permanent institute of the University of Maryland, within the Glenn L. Martin Institute of Technology/A. James Clark School of Engineering. It is a National Science Foundation Engineering Research Center. Web site http://www.isr.umd.edu
    MaryTheresa Monahan-Pendergast, Dr. Michel Cukier, Dr. Linda C. Schmidt, Dr. Paige Smith, Institute of Systems Research, University of Maryland
    ABSTRACT Several approaches can be considered to predict the evolution of computer security attacks, such as statistical approaches and “Red Teams.” This research proposes a third and completely novel approach for predicting the evolution of an attack threat. Our goal is to move from the destructive nature and malicious intent associated with an attack to the root of what an attack creation is: having successfully solved a complex problem. By approaching attacks from the perspective of the creator, we will chart the way in which attacks are developed over time and attempt to extract evolutionary patterns. These patterns will eventually
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles: A Journey to Infamy. Trend Micro, Incorporated. Rik Ferguson, Senior Security Advisor. A Trend Micro White Paper | November 2010
    CONTENTS
      A Prelude to Evolution
      The Botnet Saga Begins
      The Birth of Organized Crime
      The Security War Rages On
      Lost in the White Noise
      Where Do We Go from Here?
      References
    The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section.
  • Computer Security CS 426 Lecture 15
    Computer Security CS 426 Lecture 15: Malwares (CS426 Fall 2010/Lecture 15)
    Trapdoor • Secret entry point into a system – Specific user identifier or password that circumvents normal security procedures. • Commonly used by developers – Could be included in a compiler.
    Logic Bomb • Embedded in legitimate programs • Activated when specified conditions met – E.g., presence/absence of some file; particular date/time or particular user • When triggered, typically damages system – Modify/delete files/disks
    Example of Logic Bomb • In 1982, the Trans-Siberian Pipeline incident occurred. A KGB operative was to steal the plans for a sophisticated control system and its software from a Canadian firm, for use on their Siberian pipeline. The CIA was tipped off by documents in the Farewell Dossier and had the company insert a logic bomb in the program for sabotage purposes. This eventually resulted in "the most monumental non-nuclear explosion and fire ever seen from space".
    Trojan Horse • Program with an overt (expected) and covert effect – Appears normal/expected – Covert effect violates security policy • User tricked into executing Trojan horse – Expects (and sees) overt behavior – Covert effect performed with user’s authorization
    Example: Attacker: Place the following file as /homes/victim/ls
        cp /bin/sh /tmp/.xxsh
        chmod u+s,o+x /tmp/.xxsh
        rm ./ls
        ls $*
    • Victim: ls
    Virus • Self-replicating
  • The Most Common Blunder People Make When the Topic of a Computer Virus Arises Is to Refer to a Worm Or Trojan Horse As a Virus
    Trojan And Email Forging 1) Introduction To Trojan&viruses: A Trojan horse, or Trojan, in computing is a generally non-self-replicating type of malware program containing malicious code that, when executed, carries out actions determined by the nature of the Trojan, typically causing loss or theft of data, and possible system harm. The term is derived from the story of the wooden horse used to trick defenders of Troy into taking concealed warriors into their city in ancient Anatolia, because computer Trojans often employ a form of social engineering, presenting themselves as routine, useful, or interesting in order to persuade victims to install them on their computers.[1][2][3][4][5] A Trojan often acts as a backdoor, contacting a controller which can then have unauthorized access to the affected computer.[6] While Trojans and backdoors are not easily detectable by themselves, computers may appear to run slower due to heavy processor or network usage. Malicious programs are classified as Trojans if they do not attempt to inject themselves into other files (computer virus) or otherwise propagate themselves (worm).[7] A computer may host a Trojan via a malicious program a user is duped into executing (often an e-mail attachment disguised to be unsuspicious, e.g., a routine form to be filled in) or by drive-by download. The Difference Between a Computer Virus, Worm and Trojan Horse The most common blunder people make when the topic of a computer virus arises is to refer to a worm or Trojan horse as a virus. One common mistake that people make when the topic of a computer virus arises is to refer to a worm or Trojan horse as a virus.
  • Strategies of Computer Worms
    CHAPTER 9 Strategies of Computer Worms “Worm: n., A self-replicating program able to propagate itself across network, typically having a detrimental effect.” —Concise Oxford English Dictionary, Revised Tenth Edition
    9.1 Introduction This chapter discusses the generic (or at least “typical”) structure of advanced computer worms and the common strategies that computer worms use to invade new target systems. Computer worms primarily replicate on networks, but they represent a subclass of computer viruses. Interestingly enough, even in security research communities, many people imply that computer worms are dramatically different from computer viruses. In fact, even within CARO (Computer Antivirus Researchers Organization), researchers do not share a common view about what exactly can be classified as a “worm.” We wish to share a common view, but well, at least a few of us agree that all computer worms are ultimately viruses. Let me explain. The network-oriented infection strategy is indeed a primary difference between viruses and computer worms. Moreover, worms usually do not need to infect files but propagate as standalone programs. Additionally, several worms can take control of remote systems without any help from the users, usually exploiting a vulnerability or set of vulnerabilities. These usual characteristics of computer worms, however, do not always hold. Table 9.1 shows several well-known threats. Table
  • Tangled Web : Tales of Digital Crime from the Shadows of Cyberspace
    TANGLED WEB: Tales of Digital Crime from the Shadows of Cyberspace. RICHARD POWER. A Division of Macmillan USA, 201 West 103rd Street, Indianapolis, Indiana 46290
    Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace. Copyright 2000 by Que Corporation. All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein. International Standard Book Number: 0-7897-2443-x. Library of Congress Catalog Card Number: 00-106209. Printed in the United States of America. First Printing: September 2000. 02 01 00 4 3 2
    Trademarks: All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Que Corporation cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
    Warning and Disclaimer: Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
    Associate Publisher: Tracy Dunkelberger. Acquisitions Editor: Kathryn Purdum. Development Editor: Hugh Vandivier. Managing Editor: Thomas Hayes. Project Editor: Tonya Simpson. Copy Editor: Michael Dietsch. Indexer: Erika Millen. Proofreader: Benjamin Berg. Team Coordinator: Vicki Harding. Design Manager: Sandra Schroeder. Cover Designer
  • The Norman Book on Computer Viruses Ii Z the Norman Book on Computer Viruses
    The Norman Book on Computer Viruses. Norman ASA is not liable for any other form of loss or damage arising from use of the documentation or from errors or deficiencies therein, including but not limited to loss of earnings. In particular, and without the limitations imposed by the licensing agreement with regard to any special use or purpose, Norman ASA will in no event be liable for loss of profits or other commercial damage including but not limited to incidental or consequential damages. The information in this document as well as the functionality of the software is subject to change without notice. No part of this documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or information storage and retrieval systems, for any purpose other than the purchaser's personal use, without the explicit written permission of Norman ASA. Contributors to The Norman Book on Viruses: Snorre Fagerland, Sylvia Moon, Kenneth Walls, Carl Bretteville. Edited by Camilla Jaquet and Yngve Ness. The Norman logo is a registered trademark of Norman ASA. Names of products mentioned in this documentation are either trademarks or registered trademarks of their respective owners. They are mentioned for identification purposes only. Norman documentation is Copyright © 1990-2002 Norman ASA. All rights reserved. October 2001
    Norman Offices
    Norman Data Defense Systems Pty Ltd, 6 Sarton Road, Clayton, Victoria, 3168 Australia. Tel: +61 3 9562 7655 Fax: +61 3 9562 9663 E-mail: [email protected] Web: http://www.norman.com.au
    Norman Data Defense Systems A/S, Dronningensgade 23, DK-5000 Odense C, Denmark Tel.
  • UTTARAKHAND OPEN UNIVERSITY Teen Pani Bypass Road, Near Transport Nagar, Haldwani -263139 Phone No- 05946 - 261122, 261123 Toll Free No
    CYBER CRIMES AND CONSUMER PROTECTION IN CYBERSPACE CYL-104
    CYL-104 Cyber Crimes And Consumer Protection in Cyber Space. School of Law, UTTARAKHAND OPEN UNIVERSITY, Teen Pani Bypass Road, Near Transport Nagar, Haldwani -263139. Phone No- 05946 - 261122, 261123. Toll Free No. 18001804025. Fax No.- 05946-264232, Email- [email protected], http://uou.ac.in
    BOARD OF STUDIES
      Professor Girija Prasad Pande, Director, School of Law, Uttarakhand Open University, Haldwani, Nainital.
      Professor J.S. Bisht, Faculty of Law, S.S. Jeena Campus, Almora, Kumaun University, Nainital, Uttarakhand.
      Professor B.P. Maithani, Former RTI Advisor, Government of Uttarakhand
      Mr. Deepankur Joshi, Coordinator School of Law, Uttarakhand Open University, Haldwani, (Nainital).
    UNIT WRITING (unit writers and units)
      [1] Dr. Razit Sharma, Assistant Professor, Law College, Uttaranchal University, Dehradun Uttarakhand: Units 1, 2, 3, 4
      [2] Ms. Sapna Agarwal, Advocate High Court of Uttarakhand, Nainital: Units 5, 6, 7
      [3] Mr. Rajeev Bhatt, Advocate High Court of Uttarakhand, Ex. RTI Advisor Kumaun University Nainital, Ex. Assistant Professor Unity Law College Rudrapur: Units 8, 9, 10
      [4] Dr. Sushim Shukla, Assistant Professor, Law College, Uttaranchal University, Dehradun Uttarakhand: Units 11, 12, 13
    EDITOR Mr. Deepankur Joshi, Coordinator, School of Law, Uttarakhand Open University, Haldwani, (Nainital)
    Copyright © Uttarakhand Open University, Haldwani, Nainital. Edition- 2018, Pre Publication copy for Limited Circulation. ISBN- Publication- Directorate of Studies and Publication, Uttarakhand Open University, Haldwani, Nainital. E- Mail: [email protected]
    POST GRADUATE DIPLOMA IN CYBER LAW CYL- 104 CYBERCRIMES AND CONSUMER PROTECTION IN CYBER SPACE INDEX S.
  • Trojan White Paper
    Trojan White Paper. Aelphaeis Mangarae [Igniteds.NET]. May 5th 2006. http://igniteds.net irc.EFnet.org #d-u © Copyright Igniteds Security Community 2006. Igniteds Security Group - Igniteds.NET
    Contents
      [Introduction]
      [What Is A Trojan?]
      [Anti-Virus Solutions] - Introduction - How Do AV’s Detect Trojans? - What Is Heuristic Analysis? - What Is A File Packer/Compressor? - Norton Anti-Virus (Symantec) - McAfee Anti-Virus (Network Associates) - Kaspersky Anti-Virus (Kaspersky Labs) - NOD32 (ESET) - Bit Defender - Panda Anti-Virus (Panda Software)
      [Trojans] - Back Orifice XP - Bifrost - CIA - Lithium - MoSucker - Net Devil - Nuclear RAT - Optix Pro - Poison Ivy - SubSeven - Tequila Bandita - Theef
      [The Scene] - The Trojan Coder - The Script Kiddie
      [Trojan Removal] - Detecting A Trojan - General Removal
      [Methods Of Infection] - IRC - P2P - Instant Messaging - Web Pages - Software Vulnerabilities - Social Engineering
      [Trojan Technologies] - Rootkit Technology - Polymorphism - Firewall Bypass - Reverse Connection
      [Security Tools] - Zone Alarm - Agnitum Outpost Firewall - PsList - PsKill - Registry Commander - X-Netstat
      [About The Author]
      [Greetz To]
    [Introduction] Many home users are kept in the dark about Trojans, what they are exactly, and the force behind them. The Trojan scene is quite an interesting one, one which I will document in this text, in order to give readers a better understanding of Trojans and the people that create and use them. After all, there is more to Trojans than just the Trojans themselves. I will also detail in this text the technologies the latest Trojans incorporate in order to make themselves more stealthy and/or harder to remove. The general purpose of this text is to educate the reader about Trojans, so they can help protect themselves against them, and in the event of infection they may remove them and try to prevent them from doing any further damage.
  • Chapter 3: Viruses, Worms, and Blended Threats
    Chapter 3: Viruses, Worms, and Blended Threats
      Evolution of Viruses and Countermeasures
        The Early Days of Viruses
        Beyond Annoyance: The Proliferation of Destructive Viruses
          Wiping Out Hard Drives—CIH Virus
          Virus Programming for the Masses 1: Macro Viruses
          Virus Programming for the Masses 2: Virus Generators
        Evolving Threats, Evolving Countermeasures
          Detecting Viruses
          Radical Evolution—Polymorphic and Metamorphic Viruses
          Detecting Complex Viruses
          State of Virus Detection
        Trends in Virus Evolution
      Worms and Vulnerabilities
  • Content Agnostic Malware Detection in Networks
    Content Agnostic Malware Detection in Networks. Dissertation for the award of the doctoral degree in mathematics and natural sciences "Doctor rerum naturalium" of the Georg-August-Universität Göttingen, submitted by Florian Tegeler from Osnabrück. Göttingen 2012. Referee: Professor Dr. Xiaoming Fu. Co-referee: Professor Dr. Christopher Kruegel. Date of the oral examination: 08 May 2012.
    Abstract Bots are the root cause of many security problems on the Internet - they send spam, steal information from infected machines, and perform distributed denial of service attacks. Given their security impact, it is not surprising that a large number of techniques have been proposed that aim to detect and mitigate bots, both network-based and host-based approaches. Detecting bots at the network-level has a number of advantages over host-based solutions, as it allows for the efficient analysis of a large number of hosts without the need for any end point installation. Currently, network-based botnet detection techniques often target the command and control traffic between the bots and their botmaster. Moreover, a significant majority of these techniques are based on the analysis of packet payloads. The proposed approaches range from simple pattern matching against signatures to structural analysis of command and control communication. Unfortunately, deep packet inspection is rendered increasingly ineffective as malware authors start to use obfuscated or encrypted command and control connections. This thesis presents BotFinder, a novel system that can detect individual, malware-infected hosts in a network, based solely on the statistical patterns of the network traffic they generate, without relying on content analysis. BotFinder uses machine learning techniques to identify the key features of command and control communications, based on observing traffic that bots produce in a controlled environment.