
Monday, April 1, 2019

Detecting Ransomware using Software Defined Networking

Abstract

Ransomware is a major weapon for cyber-extortion. Traditional signature-based detection no longer holds good against modern, sophisticated malware that employs encryption techniques and social engineering. This paper investigates the use of Software Defined Networking (SDN) to detect the illicit communication between infected PCs (ransomware) and their controller, known as the Command and Control (CC) server. SDN provides unique opportunities to detect malicious DNS requests (associated with malware) and, where possible, block ransomware control requests, thereby preventing the ransomware from triggering. In this article we look closely at detection in commercial or business scenarios, where the data handled are frequently much more sensitive and may lead to monetary loss.

Index Terms: Ransomware, cyber-extortion, signature-based detection, Software Defined Networking.

Cyber-extortion malware can be traced back three decades [1]. It all started with the malware named PC CYBORG, which was delivered through floppy disks. Reports of modern malware known as ransomware started in early 2005. Since then ransomware has developed into a more sophisticated method of attack to extort money from people as well as companies. Ransomware can make a huge impact on businesses, especially if it strikes mission-critical systems. The attacker forces the companies to pay out money in the form of bitcoins, which can be anonymous and not so easily traceable. If they refuse to pay, the attackers threaten to destroy the data. This is a productive business model for cyber criminals, as companies and people tend to pay out to retrieve their data [2]. It is estimated that pay-outs to ransomware were close to $1 billion a year as per IBM for 2016 [3]. This covers only the known pay-outs; it crosses $1 bn if all the pay-outs are considered.
The anonymity of the attacker and the victim's need to recover their data make it one of the most popular attacks to extort money, especially from major tech companies and targeted businessmen. Ransomware is not specific to a single OS platform. In the past few years, ransomware has been developed for different platforms like Linux and macOS, and the popular one emerging nowadays is for Android.

In general, the working of modern ransomware is as follows. First, a user machine is infected using various attack vectors, for example clicking on malvertisements, downloads from non-trusted sites, phishing, spam, etc. Second, the victim's system or the stored data is encrypted (locked), based on the type of ransomware. Modern versions of ransomware can encrypt storage drives such as cloud storage, Dropbox, and shared network devices. As a result, multiple systems on the network can get compromised by a single infection. Figure 1 shows the general working of symmetric and asymmetric crypto ransomware.

Fig. 1. (left) Symmetric and (right) asymmetric crypto ransomware.

As ransomware evolves, some well-known malware families have come into business, such as CryptoLocker, CryptoWall, TeslaCrypt and Locky, which have been widely used and updated. Detecting this ransomware before the payload activates and starts encrypting is very difficult [4]. Figure 2 shows that only half of anti-virus scanners provide protection against new malware, even several days after a new attack has been circulated.

Fig. 2. Time to detect new malware by antivirus vendors.

A recent study shows that ransomware is becoming successful as the prices are tailored to a company's or country's ability to pay [5]. If the ransom isn't paid before the expiry of the ransom note, the ransom normally doubles. This instils the fear of losing the files or paying more.
This makes the company or the individual feel it is easier and less expensive to pay the ransom and get back the files rather than reporting it and trying to find a solution. This makes it essential to come up with mitigation techniques to stop this from continuing.

Ransomware developers are continuously improving their product, which makes it hard to develop long-lasting countermeasures. With the enormous number of devices getting connected to the internet, like the Internet of Things, ransomware is being developed for multiple kinds of devices.

The most common method of detecting ransomware, in fact any malware, is signature-based detection. Hence most experts advise keeping antivirus scanners up to date [6]. But as we have seen earlier, not many vendors give out updates that regularly. Also, with the use of encryption techniques and social engineering, it easily evades the defences in firewalls and email spam filters. Hence detecting the entry of ransomware into a system or network is becoming much more difficult.

One more commonly used method of detection is identifying file extensions. For example, many families use extensions like .locky, etc. But this can be masked by encryption techniques.

Microsoft advises that the best way to tackle ransomware is to have a tested, reliable backup to escape the effects of the ransomware [7]. Although this is one of the best methods, creating and maintaining backups for huge organisations can be really expensive and time consuming.

Now let us take a look at a few of the current implementations to detect ransomware in commercial or business networks, as they are the major victims because of the data they hold. The most widely used method is implementing products which use User Behaviour Analytics (like Varonis or DatAdvantage).
This works on a baseline of normal activity, and if there is any other abnormal activity, an alert is sent to the administrator. The major disadvantage of this is that any legitimate activity not covered by the normal-behaviour baseline was also reported, which led to a lot of false positives.

Another method used was to detect malicious activity by monitoring changes in File Server Resource Manager (FSRM), a function built into Windows Servers. By using canaries, the writing of unauthorised files can be blocked. This helped in developing PowerShell scripts to block unauthorised user access.

Most of the currently used techniques work reasonably well with symmetric crypto ransomware. They tend to be less efficient with asymmetric crypto ransomware. In this article we look at one of the basic steps that can be taken to mitigate ransomware with the use of Software Defined Networking (SDN). This method is mostly useful in companies or a small network with a system administrator to monitor the network traffic.

The proposed method is based on findings from analysing the CryptoWall ransomware [8]. But it can be applied to other types of crypto-ransomware, such as Locky, TeslaCrypt, etc., which communicate with Command and Control (CC) servers. The primary intention of this method is to cut off the connection between the victim and the CC systems. Without a connection to the CC, the encryption process is not going to be initiated, thus saving the victim's system.

With Intrusion Detection/Prevention Systems (IDPS) or firewalls, which are commonly used to filter and detect malicious data, it is very hard to give a timely response to such threats, as there is a lot of data to handle because of the number of devices connected to the internet nowadays.

In this article we take a look at two SDN-based mitigation concepts. We can call them SDN1 and SDN2.
Both of them rely on dynamic blacklisting of proxy servers used for connecting to the CC server. However, for this method to be efficient, it is necessary to have an up-to-date list of all the malicious proxy servers that were previously identified.

In this mitigation system, it is necessary to develop an SDN application to cooperate with the SDN controller. The controller provides all the data necessary for analysis. After a threat is detected, the network can be configured to block all the malicious activity and capture suspicious traffic for investigation. This will also help in recovering the symmetric key if the ransomware uses symmetric encryption.

The functionality of SDN1 is a simple switch. The switch forces all DNS traffic to be forwarded to the SDN controller for inspection. All the responses are compared and evaluated against the database that contains the list of malicious proxy servers. If the domain name extracted from the DNS response is found in the database, the response is discarded or blocked so that it cannot reach the proxy server. This eliminates the encryption process on the victim's system. An alert is sent to the system administrator about this issue for further investigation.

The potential drawback of SDN1 is the time taken. DNS traffic from both legitimate and malicious hosts is delayed, as each response is checked against the blacklisted-domain database. SDN2 improves the performance of SDN1 while addressing this issue. As most of the DNS responses received are legitimate, SDN2 introduces a custom flow. This forwards all DNS responses to the intended receiving system, and only a copy of each response is sent to the SDN controller. While the DNS responses are being processed, the controller compares the domains with the ones available in the database.
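The SDN1 and SDN2 inspection logic just described, as an added example in Python that is not part of this article or of the CryptoWall study it summarises: it parses a DNS response in wire format, extracts the queried domain and the resolved addresses, checks the domain (and its parent domains) against a blacklist of proxy servers, and returns either the SDN1 decision (hold the response at the controller and drop it on a hit) or the SDN2 decision (the response has already been forwarded, so install drop flows between the victim IP and every resolved proxy address). The blacklist entries, the DNS messages, the victim address and all function names are constructed for the example and do not come from the article or the study.

```python
"""Added example: a minimal model of the SDN1 / SDN2 DNS-inspection logic.

Not part of the article or of the CryptoWall study it summarises. The
blacklist, the DNS messages and the victim address below are constructed
for the example; the function names are this example's own.
"""
import struct

# Constructed stand-in for the database of known malicious proxy domains.
BLACKLISTED_PROXIES = {"proxy-example.invalid"}


def is_blacklisted(name):
    """True if the name or any of its parent domains is in the blacklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLACKLISTED_PROXIES
               for i in range(len(labels)))


def _read_name(msg, offset):
    """Decode a DNS name (RFC 1035 labels, with compression pointers).

    Returns (dotted name, offset just past the name in the original stream).
    """
    labels = []
    end = None                               # position after the name before any jump
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:                      # root label terminates the name
            if end is None:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns_response(msg):
    """Return (question name, list of A-record IPv4 strings) from a response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset = 12                              # skip the 12-byte header
    qname = None
    for _ in range(qdcount):
        name, offset = _read_name(msg, offset)
        qname = qname or name
        offset += 4                          # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:     # A record
            ips.append(".".join(str(b) for b in rdata))
    return qname, ips


def sdn1_decide(msg):
    """SDN1: the controller holds every DNS response; blacklisted ones are dropped."""
    name, _ips = parse_dns_response(msg)
    hit = is_blacklisted(name)
    return {"action": "drop_response" if hit else "forward_response",
            "domain": name, "alert": hit}


def sdn2_decide(msg, victim_ip):
    """SDN2: the switch already forwarded the response; on a hit, return the
    drop flows to install between the victim and each resolved proxy address."""
    name, ips = parse_dns_response(msg)
    if not is_blacklisted(name):
        return []
    flows = []
    for ip in ips:
        flows.append({"match": {"src": victim_ip, "dst": ip}, "action": "drop"})
        flows.append({"match": {"src": ip, "dst": victim_ip}, "action": "drop"})
    return flows


def build_response(name, ips, txid=0x1234):
    """Build a minimal DNS A-record response (constructed test input only)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answers


if __name__ == "__main__":
    victim = "192.0.2.10"
    for host in ("cdn.proxy-example.invalid", "example.com"):
        msg = build_response(host, ["198.51.100.7"])
        print(host, sdn1_decide(msg)["action"], sdn2_decide(msg, victim))
```

In a real controller application the message bytes would come from the packet-in event carrying the DNS response, the victim address from the IP header of that packet, and the flow dictionaries would be translated into the controller's flow-mod API; the suffix match in is_blacklisted also catches subdomains of a listed proxy, which a plain set lookup would miss.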
If a blacklisted server is found, the victim IP is extracted, all the traffic between the CC server and the victim IP is dropped, and an alert is sent to the system administrator. The pictorial representation of both SDN1 and SDN2 is shown in Figure 3.

Fig. 3. SDN-based operations, SDN1 and SDN2. Example testbed of the SDN network.

The major advantage of SDN-based detection techniques is that they can be used to detect both symmetric and asymmetric ransomware. As mentioned earlier, without the connection between the victim and the CC server, the infected host will not be able to retrieve the public key and hence will not be able to start the encryption process.

As we have seen earlier, this method requires a database that contains all the currently known and used malicious proxy servers. This is the major disadvantage of the method. Currently the developers of this method have a database of about 70,000 malicious domains. But this won't be sufficient, as attackers will be looking for new domains to evade detection. Also, the methods have to be checked frequently and loopholes need to be fixed, as attackers would seek to exploit any loopholes if found.

Research is also taking place to detect ransomware using honeypot techniques. SDN can be included in the honeypots to further enhance the effectiveness of detection. Alongside SDN, companies will have to develop an Incident Response team [6]. This team should make plans to tackle issues according to the importance of the systems, and also be given training to be equipped with the necessary steps to take in case of an attack which slipped past the SDN controller.

In case of an attack, steps should be taken to contain the ransomware to just the affected system so that it doesn't spread to any other system on the network. It is also important to take a backup of all the necessary and sensitive files in a secure and tested location.
This helps in restoring work quickly in case of an unforeseen attack on a critical system. Also, one of the most important developments in ransomware is that it is now not just delivered as a Trojan; it is being developed in a way that it can replicate its code onto removable devices and network drives.

This makes it important to teach and train employees and staff about the dangers of ransomware and the methods by which it can be brought into the network, like spam emails and social engineering [9]. Also, companies should discourage the policy of bring your own device (BYOD). Staff being more alert about malware makes it very difficult to launch any attack.

As we are looking to develop methods to detect and prevent ransomware, a new type of ransomware is emerging that threatens to release all the data online, instead of destroying it, if the ransom is not paid before the ransom note expires. This makes it all the more necessary to develop more sophisticated methods of detection to prevent ransomware attacks. Also, as this is an SDN-based security application, further research can be undertaken to broaden the spectrum of detection and mitigation to other types of malware and attacks like DDoS attacks.

To efficiently fight ransomware, it is important to break the business model of the ransomware developers. With reduced income, the ransomware developers will have to shut down their proxy servers, which in turn helps in faster detection of newer developers.

The best protection is to prevent infection. This may be tough to achieve, and hence in this article we have taken a look at two types of SDN-based security application that can be used to improve protection against ransomware.
These rely on an up-to-date database of malicious proxy servers which needs to be updated constantly, but once a threat is detected, the application works efficiently. We have also discussed that it is achievable to break the connection between the victim and the CC server, with the help of an SDN application, to make the encryption impossible. Furthermore, we have seen that it is necessary for companies to actively invest time and money in training people to develop a sense of security at the workplace to reduce attacks. We have also discussed that this SDN-based application need not be limited to detecting ransomware. It can be further developed to detect and prevent other malware, detect attacks based on network traffic characteristics, or detect malware based on patterns.

References

[1] N. Hampton and Z. A. Baig, "Ransomware: Emergence of the cyber-extortion menace," in Australian Information Security Management, Perth, 2015.
[2] Chris Moore, "Detecting Ransomware with Honeypot techniques," 2016 Cybersecurity and Cyberforensics Conference.
[3] "Ransomware becomes most popular form of attack as payouts approach $1bn a year," Networksecuritynewsletter.com, January 2017.
[4] Cisco, "Cisco 2015 Midyear Security Report," Cisco, San Jose, 2015.
[5] Cath Everett, "Ransomware: to pay or not to pay?" Computer Fraud and Security, April 2016.
[6] Ross Brewer, LogRhythm, "Ransomware attacks: detection, prevention and cure."
[7] D. Mauser and K. Cenerelli, "Microsoft Protection Center: Security Tips to Protect Against Ransomware," 6 April 2016.
[8] Krzysztof Cabaj and Wojciech Mazurczyk, "Using Software-Defined Networking for Ransomware Mitigation: The Case of CryptoWall," Network Forensics and Surveillance for Emerging Networks.
[9] Marc Sollars, "Risk-based security: staff can play the defining role in securing assets," Networksecuritynewsletter.com.
