
    The Evolution of Embedding Metadata in Blockchain Transactions

    The use of blockchains is growing every day, and their utility has greatly expanded from sending and receiving crypto-coins to smart contracts and decentralized autonomous organizations. Modern blockchains underpin a variety of applications, from designing a global identity to improving satellite connectivity. In our research we look at the ability of blockchains to store metadata in an increasing volume of transactions and with an evolving focus of utilization. We further show that basic approaches to improving blockchain privacy also rely on embedding metadata. This paper identifies and classifies real-life blockchain transactions embedding metadata of a number of major protocols running essentially over the bitcoin blockchain. The empirical analysis presents the evolution of metadata utilization in recent years, and the discussion suggests steps towards preventing criminal use. Metadata are relevant to any blockchain, and our analysis considers primarily bitcoin as a case study. The paper concludes that, simultaneously with both the expanding legitimate utilization of embedded metadata and the expanding blockchain functionality, applied research on improving anonymity and security must also attempt to protect against blockchain abuse.
    Comment: 9 pages, 6 figures, 1 table, 2018 International Joint Conference on Neural Networks

    Zero-Day Aware Decision Fusion-Based Model for Crypto-Ransomware Early Detection

    Crypto-ransomware employs cryptography to lock users' personal files and demands a ransom to release them. By utilizing several technological utilities, such as cyber-currency and cloud-based development platforms, crypto-ransomware has gained high popularity among adversaries. Motivated by monetary revenue, crypto-ransomware developers continuously produce many variants of such malicious programs to evade detection. Consequently, the rate of novel crypto-ransomware attacks is continuously increasing. As such, it is imperative for detection solutions to be able to discover these novel attacks, also called zero-day attacks. While anomaly detection-based solutions are able to deal with this problem, they suffer from a high rate of false alarms. Thus, this paper puts forward a detection model that combines anomaly-based with behavioral detection approaches. In this model, two types of detection estimators were built. The first type is an ensemble of behavioral-based classifiers, whereas the second type is an anomaly-based estimator. The decisions of both types of estimators were combined using a fusion technique. The proposed model is able to detect novel attacks while maintaining a low false alarm rate. By applying the proposed model, the detection rate was increased from 96% to 99%, and the false positive rate was as low as 2.4%.

    Ransomware: Current Trend, Challenges, and Research Directions

    Ransomware attacks have become a global phenomenon, with the primary aim of making monetary gains through illicit means. The attacks started through e-mails and have expanded through spamming and phishing. Ransomware encrypts targets' files and displays notifications requesting payment before the data can be unlocked. The ransom demand is usually in the form of a virtual currency, bitcoin, because it is difficult to track. In this paper, we give a brief overview of the current trend, challenges, and research progress in the bid to find lasting solutions to the menace of ransomware, which currently challenges computer and network security and data privacy.

    A pseudo feedback-based annotated TF-IDF technique for dynamic crypto-ransomware pre-encryption boundary delineation and features extraction

    The cryptography employed against user files makes the effect of crypto-ransomware attacks irreversible even after detection and removal. Thus, detecting such attacks early, i.e., during the pre-encryption phase before the encryption takes place, is necessary. Existing crypto-ransomware early detection solutions use a fixed time-based thresholding approach to determine the pre-encryption phase boundaries. However, the fixed time thresholding approach implies that all samples start the encryption at the same time. Such an assumption does not necessarily hold for all samples, as the time for the main sabotage to start varies among different crypto-ransomware families due to the obfuscation techniques employed by the malware to change its attack strategies and evade detection, which generates different attack behaviors. Additionally, the lack of sufficient data at the early phases of the attack adversely affects the ability of feature extraction techniques in early detection models to perceive the characteristics of the attacks, which, consequently, decreases the detection accuracy. Therefore, this paper proposes a Dynamic Pre-encryption Boundary Delineation and Feature Extraction (DPBD-FE) scheme that determines the boundary of the pre-encryption phase, from which the features are extracted and selected more accurately. Unlike the fixed thresholding employed by the extant works, DPBD-FE tracks the pre-encryption phase for each instance individually, based on the first occurrence of any cryptography-related APIs. Then, an annotated Term Frequency-Inverse Document Frequency (aTF-IDF) technique was utilized to extract the features from runtime data generated during the pre-encryption phase of crypto-ransomware attacks. The aTF-IDF overcomes the challenge of insufficient attack patterns during the early phases of the attack lifecycle. The experimental evaluation shows that DPBD-FE was able to determine the pre-encryption boundaries and extract the features related to this phase more accurately compared to related works.

    Analysis of encryption schemes in modern ransomware

    In the past few years, ransomware activity has increased. As new variants and families of ransomware are developed, security systems have to keep up. A well-designed encryption system is at the heart of ransomware, and even a small mistake in the algorithm can break it. This paper analyzes 10 ransomware samples from various families. The goal of the analysis is to describe the encryption schemes used in current ransomware. This includes key generation and storage, symmetric and asymmetric ciphers, and their chosen implementation.

    Ransomware behavioural analysis on windows platforms

    Ransomware infections have grown exponentially in the recent past, causing major disruption in operations across a range of industries, including government. Through this research, we present an analysis of 14 strains of ransomware that infect Windows platforms, and we compare the Windows Application Programming Interface (API) calls made by ransomware processes with baselines of normal operating system behaviour. The study identifies and reports salient features of ransomware as reflected in the frequencies of API calls.

    A cyber-kill-chain based taxonomy of crypto-ransomware features

    In spite of being just a few years old, ransomware is quickly becoming a serious threat to our digital infrastructures, data and services. The majority of ransomware families request a ransom payment to restore a custodian's access or to decrypt data which were encrypted by the ransomware earlier. Although the ransomware attack strategy seems to be simple, security specialists rank ransomware as a sophisticated attack vector with many variations and families. The wide range of features available in different families and versions of ransomware further complicates their detection and analysis. Though the existing body of research provides significant discussion of ransomware details and capabilities, the whole body of research is fragmented. Therefore, a ransomware feature taxonomy would advance cyber defenders' understanding of the risks associated with ransomware. In this paper we provide, to the best of our knowledge, the first scientific taxonomy of ransomware features, aligned with the Lockheed Martin Cyber Kill Chain (CKC) model. CKC is a well-established model in industry that describes the stages of cyber intrusion attempts. To ease the challenge of applying our taxonomy in the real world, we also provide the corresponding ransomware defence taxonomy, aligned with the Courses of Action matrix (an intelligence-driven defence model). We believe that this research study is of high value for the cyber security research community, as it provides researchers with a means of assessing the vulnerabilities and attack vectors towards the intended victims.

    Ransomware Malware Detection Based on API Calls Using N-gram and TF-IDF Feature Extraction Methods

    Ransomware is currently the most feared malware threat because of its ability to encrypt data; in addition, the continually rising number of ransomware attacks causes substantial losses. Handling these attacks is becoming increasingly difficult because ransomware variants keep evolving. A system is needed that can detect ransomware, even the newest ransomware variants. Through this research we build a system that can detect ransomware and normalware using machine learning methods, making use of API call data from ransomware and normalware. In this research we only perform binary classification for all detected ransomware variants. The feature extraction process is first performed with the N-gram and TF-IDF methods on the API calls to form the feature subset used in the model training process. The detection model is built by training on API call data from several ransomware variants. The model is tested both against ransomware variants it was previously trained on and against ransomware variants outside the training data. The model training process searches for common features in the API call data of the various ransomware variants in the training data; these common features are then used to detect other ransomware variants outside the training data. The results show that the average accuracy of the model on ransomware variants in the training data is 94%, with a highest error rate of 10%. The ransomware detection results for variants outside the training data show an average accuracy of 83%, with a highest error rate of 30%. Thus, the model built in this research can be used to detect ransomware even as ransomware variants continue to evolve.

    Preventing Ransomware Attacks Through File System Filter Drivers

    Over the last years, ransomware attacks have been spreading widely over the Internet, indiscriminately targeting home users as well as corporations and public agencies. Several approaches have been proposed in the literature to analyze and detect ransomware intrusions, ranging from combined heuristics, behavior analysis, sandbox-based solutions and machine learning techniques to function call monitoring. Our approach differs from the above by shifting the focus from removing the problem to mitigating damages, to ensure data availability despite malware attacks. The aim is not to detect new ransomware samples, but simply to protect the integrity and availability of private data. In other words, we interfere with ransomware's usual behavior, intercepting I/O request packets and denying operations on users' valuable data.