Warfare against digital extortions: Machine learning to secure your systems

Publish Date: Wednesday, May 11, 2022

A ransomware attack, like any attack on an organization's computer systems, is a game of hide and seek between attacker and defender. Every time the defender builds better protection, the attacker breaks it with a better attack.

For the defender, the game is asymmetric. The attacker needs to succeed only once, anywhere in the organization's scattered systems. The defender needs to succeed every time, everywhere, 24x7. Protecting systems is an endless job that demands continuous learning, so the obvious way forward is to build systems that learn on their own, using machine learning algorithms.

Turn the digital war into a security campaign. Merely applying reactive tactics against ransomware leaves organizations chasing the extortionist. What is needed is a long-term strategy, with continuous focus, to win the war against ransomware: dedicated resources, planning and funding for a sustained security program that protects systems against digital extortion.

Ransomware, malware and their siblings are nothing but programs that sit on your system, sometimes for months, work in the background without your knowledge, and try to damage, steal or lock important data. This paper discusses the important aspects of ransomware and practical ways to armor systems against it with machine learning algorithms.

Know your enemy: What is ransomware and what does it look like?

Segment your forces for the war: General Framework for analyzing any binaries

The following methods are typically used to analyze a binary for a potential ransomware threat.

  1. Static methods
    1. Structural analysis
    2. Static code analysis
  2. Dynamic methods
    1. Behavioral analysis
    2. Debugging
    3. Dynamic instrumentation

Machine learning in Behavioral Analysis of Binary Files

Analysis of ransomware network behavior shows a recurring pattern: upon infection, the ransomware issues a DNS query to resolve its command-and-control (C&C) server, then contacts that server, typically over HTTP, to fetch a configuration file and further instructions on how to behave. DNS queries and HTTP requests are therefore the most important signals when analyzing ransomware network traffic.

The behavior of a binary can be captured and a baseline profile built for it, either from log analysis or by monitoring the system calls it makes. The destinations of its network connections, the HTTP requests it issues, the files and directories it accesses, and how often it accesses them can form the set of features monitored per binary. Profiles are built by observing these features over a period of time. An unsupervised anomaly detection algorithm such as isolation forest can then flag a binary whose behavior departs from the baseline and raise an alert.
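The two passages above, put into working code as an added example (it is not the talk's code): a constructed event log of DNS queries, HTTP requests and file accesses is profiled per binary into the four features named in the text, and a compact pure-Python isolation forest ranks the binaries by how easily they are isolated. The log format, the binary names (`app0.exe` ... `app19.exe`, `invoice.exe`), the feature set and the forest parameters are all assumptions for illustration.

```python
"""Behavioral profiling of binaries scored with an isolation forest.

Added example, not the talk's code. The event log, binary names and the
four-feature profile are constructed; the isolation forest is a compact
pure-Python version of the standard algorithm (random feature, random
split, average path length).
"""
import math
import random
from collections import defaultdict


def make_events(seed=1):
    """Constructed event log of (binary, kind, target) tuples.

    Twenty benign binaries each talk to a few hosts and touch a few files
    in one or two directories. 'invoice.exe' (assumed name) queries many
    DNS names, fetches a configuration file over HTTP, and then sweeps
    files across many user directories, the pattern described above.
    """
    rng = random.Random(seed)
    events = []
    for i in range(20):
        name = f"app{i}.exe"
        for j in range(rng.randint(1, 3)):
            events.append((name, "dns", f"svc{j}.vendor{i}.example"))
            events.append((name, "http", f"http://svc{j}.vendor{i}.example/api"))
        for j in range(rng.randint(2, 5)):
            events.append((name, "file", f"C:/ProgramData/App{i}/d{j % 2}/f{j}.dat"))
    for _ in range(60):  # DGA-style lookups to find the C&C server
        events.append(("invoice.exe", "dns", f"{rng.randrange(10**8):x}.example"))
    events.append(("invoice.exe", "http", "http://config.example/cfg.bin"))
    for j in range(80):  # file sweep across many directories
        events.append(("invoice.exe", "file",
                       f"C:/Users/alice/Documents/dir{j % 40}/doc{j}.docx"))
    return events


def build_features(events):
    """Profile each binary as (distinct DNS names, HTTP requests,
    distinct directories touched, total file operations)."""
    dns, http = defaultdict(set), defaultdict(int)
    dirs, files = defaultdict(set), defaultdict(int)
    for name, kind, target in events:
        if kind == "dns":
            dns[name].add(target)
        elif kind == "http":
            http[name] += 1
        elif kind == "file":
            dirs[name].add(target.rsplit("/", 1)[0])
            files[name] += 1
    names = set(dns) | set(http) | set(dirs)
    return {n: (len(dns[n]), http[n], len(dirs[n]), files[n]) for n in names}


def _c(n):
    """Average unsuccessful-BST-search path length; normalizes scores."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


def _grow(rows, rng, depth, max_depth):
    """Recursively isolate rows with random axis-aligned splits."""
    if depth >= max_depth or len(rows) <= 1:
        return ("leaf", len(rows))
    feat = rng.randrange(len(rows[0]))
    lo, hi = min(r[feat] for r in rows), max(r[feat] for r in rows)
    if lo == hi:
        return ("leaf", len(rows))
    split = rng.uniform(lo, hi)
    left = [r for r in rows if r[feat] < split]
    right = [r for r in rows if r[feat] >= split]
    return ("node", feat, split, _grow(left, rng, depth + 1, max_depth),
            _grow(right, rng, depth + 1, max_depth))


def _path_length(tree, row, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, feat, split, left, right = tree
    return _path_length(left if row[feat] < split else right, row, depth + 1)


class IsolationForest:
    """Unsupervised outlier scorer: a short average path means anomalous."""

    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size = n_trees, sample_size
        self.rng, self.trees, self.n = random.Random(seed), [], 0

    def fit(self, rows):
        self.n = min(self.sample_size, len(rows))
        max_depth = math.ceil(math.log2(self.n)) if self.n > 1 else 0
        self.trees = [_grow(self.rng.sample(rows, self.n), self.rng, 0, max_depth)
                      for _ in range(self.n_trees)]
        return self

    def score(self, row):
        """Anomaly score in (0, 1]; values near 1 mean easily isolated."""
        avg = sum(_path_length(t, row) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / (_c(self.n) or 1.0))


def rank_binaries(events, n_trees=100, seed=0):
    """Return [(binary, score)] sorted most anomalous first."""
    profiles = build_features(events)
    forest = IsolationForest(n_trees=n_trees, seed=seed).fit(list(profiles.values()))
    return sorted(((n, forest.score(f)) for n, f in profiles.items()),
                  key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_binaries(make_events())[:3]:
        print(f"{name:14s} {score:.3f}")
```

In production the feature vectors come from real telemetry (DNS and proxy logs, syscall traces or EDR events) rather than a constructed list, and the forest is fitted on a baseline window before scoring new observations; a score close to 1 means the binary's profile was separated from the rest in one or two random cuts, which is exactly the "many distinct destinations, many directories touched" signature the text describes.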
