Lockout-Tagout Ransomware:  A Detection Method for Ransomware using Fuzzy Hashing and Clustering

Nitin Naik; Paul Jenkins; Jonathan Gillett; Haralambos Mouratidis; Kshirasagar Naik; Jingping Song

doi:10.1109/SSCI44817.2019.9003148

Lockout-Tagout Ransomware: A Detection Method for Ransomware using Fuzzy Hashing and Clustering

Nitin Naik, Paul Jenkins, Jonathan Gillett, Haralambos Mouratidis, Kshirasagar Naik, Jingping Song

College of Engineering and Physical Sciences

Research output: Chapter in Book/Published conference output › Conference publication

Abstract

Ransomware attacks are a prevalent cybersecurity threat to every user and enterprise today. This is attributed to their polymorphic behaviour and dispersion of inexhaustible versions due to the same ransomware family or threat actor. A certain ransomware family or threat actor repeatedly utilises nearly the same style or codebase to create a vast number of ransomware versions. Therefore, it is essential for users and enterprises to keep well-informed about this threat landscape and adopt proactive prevention strategies to minimise its spread and affects. This requires a technique to detect ransomware samples to determine the similarity and link with the known ransomware family or threat actor. Therefore, this paper presents a detection method for ransomware by employing a combination of a similarity preserving hashing method called fuzzy hashing and a clustering method. This detection method is applied on the collected WannaCry/WannaCryptor ransomware samples utilising a range of fuzzy hashing and clustering methods. The clustering results of various clustering methods are evaluated through the use of the internal evaluation indexes to determine the accuracy and consistency of their clustering results, thus the effective combination of fuzzy hashing and clustering method as applied to the particular ransomware corpus. The proposed detection method is a static analysis method, which requires fewer computational overheads and performs rapid comparative analysis with respect to other static analysis methods.

Original language	English
Title of host publication	2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019
Publisher	IEEE
Pages	641-648
Number of pages	8
ISBN (Electronic)	9781728124858
ISBN (Print)	978-1-7281-2486-5
DOIs	https://doi.org/10.1109/SSCI44817.2019.9003148
Publication status	Published - 20 Feb 2020
Event	2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019 - Xiamen, China Duration: 6 Dec 2019 → 9 Dec 2019

Publication series

Name	2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019

Conference

Conference	2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019
Country/Territory	China
City	Xiamen
Period	6/12/19 → 9/12/19

Bibliographical note

© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Keywords

agnes
clara
clustering
diana
fuzzy hashing
k-means
pam
ransomware
sdhash
similarity preserving hashing
ssdeep
wannacry
wannacryptor

Access to Document

10.1109/SSCI44817.2019.9003148

SSCI-19-Ransomware-Detection-FuzzyHashing-Clustering-DrNaik
© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Accepted author manuscript, 621 KB

Cite this

Naik, N., Jenkins, P., Gillett, J., Mouratidis, H., Naik, K., & Song, J. (2020). Lockout-Tagout Ransomware: A Detection Method for Ransomware using Fuzzy Hashing and Clustering. In 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019 (pp. 641-648). Article 9003148 (2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019). IEEE. https://doi.org/10.1109/SSCI44817.2019.9003148

@inproceedings{c8ef7ebc497141fd8d4cca0fc72d61dc,

title = "Lockout-Tagout Ransomware: A Detection Method for Ransomware using Fuzzy Hashing and Clustering",

abstract = "Ransomware attacks are a prevalent cybersecurity threat to every user and enterprise today. This is attributed to their polymorphic behaviour and dispersion of inexhaustible versions due to the same ransomware family or threat actor. A certain ransomware family or threat actor repeatedly utilises nearly the same style or codebase to create a vast number of ransomware versions. Therefore, it is essential for users and enterprises to keep well-informed about this threat landscape and adopt proactive prevention strategies to minimise its spread and affects. This requires a technique to detect ransomware samples to determine the similarity and link with the known ransomware family or threat actor. Therefore, this paper presents a detection method for ransomware by employing a combination of a similarity preserving hashing method called fuzzy hashing and a clustering method. This detection method is applied on the collected WannaCry/WannaCryptor ransomware samples utilising a range of fuzzy hashing and clustering methods. The clustering results of various clustering methods are evaluated through the use of the internal evaluation indexes to determine the accuracy and consistency of their clustering results, thus the effective combination of fuzzy hashing and clustering method as applied to the particular ransomware corpus. The proposed detection method is a static analysis method, which requires fewer computational overheads and performs rapid comparative analysis with respect to other static analysis methods.",

keywords = "agnes, clara, clustering, diana, fuzzy hashing, k-means, pam, ransomware, sdhash, similarity preserving hashing, ssdeep, wannacry, wannacryptor",

author = "Nitin Naik and Paul Jenkins and Jonathan Gillett and Haralambos Mouratidis and Kshirasagar Naik and Jingping Song",

note = "{\textcopyright} 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.; 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019 ; Conference date: 06-12-2019 Through 09-12-2019",

year = "2020",

month = feb,

day = "20",

doi = "10.1109/SSCI44817.2019.9003148",

language = "English",

isbn = "978-1-7281-2486-5",

series = "2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019",

publisher = "IEEE",

pages = "641--648",

booktitle = "2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019",

address = "United States",

}

Naik, N, Jenkins, P, Gillett, J, Mouratidis, H, Naik, K & Song, J 2020, Lockout-Tagout Ransomware: A Detection Method for Ransomware using Fuzzy Hashing and Clustering. in 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019., 9003148, 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019, IEEE, pp. 641-648, 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019, Xiamen, China, 6/12/19. https://doi.org/10.1109/SSCI44817.2019.9003148

Lockout-Tagout Ransomware: A Detection Method for Ransomware using Fuzzy Hashing and Clustering. / Naik, Nitin; Jenkins, Paul; Gillett, Jonathan et al.
2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019. IEEE, 2020. p. 641-648 9003148 (2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019).

Research output: Chapter in Book/Published conference output › Conference publication

TY - GEN

T1 - Lockout-Tagout Ransomware

T2 - 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019

AU - Naik, Nitin

AU - Jenkins, Paul

AU - Gillett, Jonathan

AU - Mouratidis, Haralambos

AU - Naik, Kshirasagar

AU - Song, Jingping

N1 - © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

PY - 2020/2/20

Y1 - 2020/2/20

N2 - Ransomware attacks are a prevalent cybersecurity threat to every user and enterprise today. This is attributed to their polymorphic behaviour and dispersion of inexhaustible versions due to the same ransomware family or threat actor. A certain ransomware family or threat actor repeatedly utilises nearly the same style or codebase to create a vast number of ransomware versions. Therefore, it is essential for users and enterprises to keep well-informed about this threat landscape and adopt proactive prevention strategies to minimise its spread and affects. This requires a technique to detect ransomware samples to determine the similarity and link with the known ransomware family or threat actor. Therefore, this paper presents a detection method for ransomware by employing a combination of a similarity preserving hashing method called fuzzy hashing and a clustering method. This detection method is applied on the collected WannaCry/WannaCryptor ransomware samples utilising a range of fuzzy hashing and clustering methods. The clustering results of various clustering methods are evaluated through the use of the internal evaluation indexes to determine the accuracy and consistency of their clustering results, thus the effective combination of fuzzy hashing and clustering method as applied to the particular ransomware corpus. The proposed detection method is a static analysis method, which requires fewer computational overheads and performs rapid comparative analysis with respect to other static analysis methods.

AB - Ransomware attacks are a prevalent cybersecurity threat to every user and enterprise today. This is attributed to their polymorphic behaviour and dispersion of inexhaustible versions due to the same ransomware family or threat actor. A certain ransomware family or threat actor repeatedly utilises nearly the same style or codebase to create a vast number of ransomware versions. Therefore, it is essential for users and enterprises to keep well-informed about this threat landscape and adopt proactive prevention strategies to minimise its spread and affects. This requires a technique to detect ransomware samples to determine the similarity and link with the known ransomware family or threat actor. Therefore, this paper presents a detection method for ransomware by employing a combination of a similarity preserving hashing method called fuzzy hashing and a clustering method. This detection method is applied on the collected WannaCry/WannaCryptor ransomware samples utilising a range of fuzzy hashing and clustering methods. The clustering results of various clustering methods are evaluated through the use of the internal evaluation indexes to determine the accuracy and consistency of their clustering results, thus the effective combination of fuzzy hashing and clustering method as applied to the particular ransomware corpus. The proposed detection method is a static analysis method, which requires fewer computational overheads and performs rapid comparative analysis with respect to other static analysis methods.

KW - agnes

KW - clara

KW - clustering

KW - diana

KW - fuzzy hashing

KW - k-means

KW - pam

KW - ransomware

KW - sdhash

KW - similarity preserving hashing

KW - ssdeep

KW - wannacry

KW - wannacryptor

UR - http://www.scopus.com/inward/record.url?scp=85080878755&partnerID=8YFLogxK

UR - https://ieeexplore.ieee.org/document/9003148

U2 - 10.1109/SSCI44817.2019.9003148

DO - 10.1109/SSCI44817.2019.9003148

M3 - Conference publication

AN - SCOPUS:85080878755

SN - 978-1-7281-2486-5

T3 - 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019

SP - 641

EP - 648

BT - 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019

PB - IEEE

Y2 - 6 December 2019 through 9 December 2019

ER -