Exploration of Clustering Overlaps in a Ransomware

EXPLORATION OF CLUSTERING OVERLAPS IN A RANSOMWARE NETWORK BASED ON LINK STRUCTURES AND CONTENT RELEVANCE
(Exploration of temporal events and the formation of cluster overlap in a ransomware network)

BERNARD CHUKWUEMEKA OGAZI-ONYEMAECHI
PhD, MEng, MSc, BSc

Doctor of Philosophy (PhD)
SCHOOL OF COMPUTING, SCIENCE AND ENGINEERING
UNIVERSITY OF SALFORD

A Thesis Submitted in Partial Fulfilment of the Requirements for the Degree of Doctor of Philosophy
MARCH 2019

Contents

Contents
List of figures
List of Appendices
Acknowledgments
Dedication
Declaration
Abstract

CHAPTER 1: GENERAL INTRODUCTION
1.0 Introduction
1.1 The Motivation for this Investigation
1.2 Problem Statement
1.3 Research Aim and Objectives
    1) To explore and identify the topology (structure) and Cluster (Nodes) of Ransomware Community (Family) Networks to develop an understanding of the patterns exhibited by developing ransomware attacks (threats).
    2) To detect Ransomware Cluster Network overlaps (hubs) and outliers.
    3) To explore the use of machine learning approaches to identify, detect and analyse the key parameters affecting cluster evolution in Ransomware Networks.
    4) To compare different network key performance parameters to identify the active cluster overlap for the real-time detection and termination of Ransomware (Network) threats.
    5) To identify the most impactful parameters (links and contents) to consider when analysing a Ransomware Network for the detection of Ransomware threat.
    6) To make recommendations on the key characteristics of developing threats for future approaches to control ransomware threats.
1.4 Objectives of the Investigation
    1. To analyse link structures of ransomware networks and their effects on cluster overlaps and distribution of threats
    2. To analyse content relevance in cluster formation and spread of ransomware threat
    3. To develop an understanding for a real-time detection of overlaps to identify active nodes to remove to dislodge ransomware threats
1.5 Research Contributions
1.6 Research Limitations and Scope
1.7 Structure of Thesis

CHAPTER 2
2.0 Background of the Study
2.1 Malware Evolution and Timeline
2.2 Economic Impact of Malware Attacks
2.3 How Do Industries Control Ransomware Threats
2.4 Clustering Overlap and Machine Learning Approach to the Control of Ransomware
2.5 Summary of Literature Review

CHAPTER 3: BACKGROUND OF E-SECURITY THREATS AND ATTACKS AND RESEARCH METHODOLOGY
3.0 Background of E-security Threats and Attacks
3.1 Methodology

CHAPTER 4: DESIGN AND IMPLEMENTATION
4.0 Introduction
4.1 Ransomware Data Collection and Processing
4.2 Supervised Machine Learning Approach
4.2 Cluster Graphing to Show Different Communities (Sub-clusters) of Ransomware Network
4.3 Detection of Ransomware Cluster Network Overlap (Hubs) and Outliers Using Machine Learning Algorithms
4.4 Implications of Removing the Active Cluster Overlap Node in Validation Analysis of the Ransomware Threat
4.5 Summary

CHAPTER 5: ANALYSIS AND GRAPHICAL PRESENTATION OF TIME SERIES RESULTS
5.0 Introduction
5.1 Time Series of Ransomware Data
    5.1.1 Decomposition of Time Series
    5.1.2 Time Series Similarity Measures
    5.1.3 Implications of the Components of the Time Series on the Development of Ransomware Threats
    5.1.4 Summary

CHAPTER 6: DISCUSSION OF RESULTS AND SUMMARY
6.0 Introduction
6.1 Visualizing and Exploring the Topology of Ransomware Network
6.2 Visualizing and Exploring Overlapping Clusters to Identify Active Cluster to Dislodge Ransomware Threat
6.3 The Profiling and Tracking of Active Cluster Overlap Using Intensity Maps
6.4 The Profiling and Tracking of Active Cluster Overlap Using the Objects (Variables) Counts
6.5 Summary of Key Findings

CHAPTER 7: SUMMARY, CONCLUSION,

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    235 Page
