cs.CR · Nov 24, 2016

Software-Defined Networking-based Crypto Ransomware Detection Using HTTP Traffic Characteristics

arXiv:1611.08294v1 · 172 citations
Originality: Incremental advance
AI Analysis

This paper addresses the threat of crypto ransomware to individual and corporate Internet users, but it is an incremental advance because it builds on existing SDN and traffic-analysis methods rather than introducing a new detection principle.

The paper tackles the problem of detecting crypto ransomware from HTTP traffic characteristics. It proposes a Software-Defined Networking (SDN)-based approach that matches the sequence of HTTP messages between a host and a server, together with the content sizes of those messages, against patterns observed for known ransomware families; experimental results on a proof-of-concept system confirm its feasibility and efficiency.

Ransomware is currently the key threat for individual as well as corporate Internet users. Especially dangerous is crypto ransomware that encrypts important user data, and it is only possible to recover it once a ransom has been paid. Therefore, devising efficient and effective countermeasures is a rising necessity. In this paper we present a novel Software-Defined Networking (SDN) based detection approach that utilizes characteristics of ransomware communication. Based on the observation of network communication of two crypto ransomware families, namely CryptoWall and Locky, we conclude that analysis of the HTTP messages' sequences and their respective content sizes is enough to detect such threats. We show the feasibility of our approach by designing and evaluating the proof-of-concept SDN-based detection system. Experimental results confirm that the proposed approach is feasible and efficient.
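To make the detection idea concrete, here is an added Python sketch of a sequence-and-size matcher of the kind the abstract describes. It is example code written for this page, not the authors' proof-of-concept, and everything in it is an assumption: the `family-A` signature, its byte ranges, the 30-second window, the sample traffic and the abstract `drop_rule` output are all constructed for illustration and are not the paper's measured CryptoWall or Locky values. The detector keeps a short per-(client, server) history of HTTP messages, looks for the signature as an in-order subsequence of that history (so unrelated requests to the same server may be interleaved), and emits one alert per pair that an SDN controller could turn into a blocking flow rule.

```python
"""Per-client matching of HTTP message sequences and content sizes.

Example code for this page, not the paper's implementation. The signature
values, window and sample traffic below are hypothetical.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HttpMsg:
    ts: float        # capture time in seconds
    client: str      # internal host that opened the connection
    server: str      # external HTTP server
    direction: str   # "req" (client -> server) or "resp" (server -> client)
    method: str      # request method, "" for responses
    size: int        # Content-Length in bytes


@dataclass(frozen=True)
class Step:
    direction: str
    method: str      # only checked for requests
    lo: int          # inclusive size bounds in bytes
    hi: int

    def matches(self, m: HttpMsg) -> bool:
        if m.direction != self.direction:
            return False
        if self.direction == "req" and m.method != self.method:
            return False
        return self.lo <= m.size <= self.hi


# Hypothetical signature constructed for this example (not the paper's data):
# a small check-in, a short answer, a larger upload, a larger encrypted reply.
SIGNATURES: Dict[str, List[Step]] = {
    "family-A": [
        Step("req", "POST", 100, 140),
        Step("resp", "", 60, 90),
        Step("req", "POST", 280, 320),
        Step("resp", "", 300, 380),
    ],
}


@dataclass(frozen=True)
class Alert:
    client: str
    server: str
    signature: str
    first_ts: float
    last_ts: float


def _ordered_match(hist: Deque[HttpMsg], steps: List[Step]) -> Optional[Tuple[float, float]]:
    """Greedy in-order subsequence match; returns (first_ts, last_ts) or None."""
    i, first = 0, None
    for m in hist:
        if steps[i].matches(m):
            first = m.ts if first is None else first
            i += 1
            if i == len(steps):
                return (first, m.ts)
    return None


class SequenceDetector:
    def __init__(self, signatures=SIGNATURES, window_s: float = 30.0, max_msgs: int = 64):
        self.signatures = signatures
        self.window_s = window_s  # messages older than this are forgotten
        self.history: Dict[Tuple[str, str], Deque[HttpMsg]] = defaultdict(
            lambda: deque(maxlen=max_msgs))
        self.alerted = set()      # (client, server, signature) already reported

    def observe(self, m: HttpMsg) -> Optional[Alert]:
        key = (m.client, m.server)
        hist = self.history[key]
        hist.append(m)
        while hist and m.ts - hist[0].ts > self.window_s:
            hist.popleft()
        for name, steps in self.signatures.items():
            span = _ordered_match(hist, steps)
            if span is not None and (key, name) not in self.alerted:
                self.alerted.add((key, name))
                return Alert(m.client, m.server, name, span[0], span[1])
        return None


def drop_rule(alert: Alert) -> dict:
    """Abstract flow rule a controller would install; not any specific SDN API."""
    return {"match": {"nw_src": alert.client, "nw_dst": alert.server, "tp_dst": 80},
            "action": "drop", "reason": alert.signature}


def run(messages: List[HttpMsg]) -> List[Alert]:
    det = SequenceDetector()
    alerts = []
    for m in sorted(messages, key=lambda x: x.ts):   # replay in arrival order
        a = det.observe(m)
        if a is not None:
            alerts.append(a)
    return alerts


# Constructed sample traffic (three internal hosts, two external servers).
SAMPLE = [
    # 10.0.0.5: matches family-A within the window, with an unrelated GET interleaved
    HttpMsg(0.0, "10.0.0.5", "203.0.113.9", "req", "POST", 120),
    HttpMsg(0.4, "10.0.0.5", "203.0.113.9", "resp", "", 72),
    HttpMsg(1.0, "10.0.0.5", "203.0.113.9", "req", "GET", 0),
    HttpMsg(1.3, "10.0.0.5", "203.0.113.9", "resp", "", 5120),
    HttpMsg(2.0, "10.0.0.5", "203.0.113.9", "req", "POST", 300),
    HttpMsg(2.6, "10.0.0.5", "203.0.113.9", "resp", "", 350),
    # 10.0.0.7: ordinary browsing, sizes outside every signature range
    HttpMsg(0.5, "10.0.0.7", "198.51.100.4", "req", "GET", 0),
    HttpMsg(0.9, "10.0.0.7", "198.51.100.4", "resp", "", 40210),
    HttpMsg(3.0, "10.0.0.7", "198.51.100.4", "req", "POST", 1500),
    HttpMsg(3.2, "10.0.0.7", "198.51.100.4", "resp", "", 210),
    # 10.0.0.9: same sizes as family-A but 90 s apart, so the window evicts the first steps
    HttpMsg(0.0, "10.0.0.9", "203.0.113.9", "req", "POST", 120),
    HttpMsg(0.5, "10.0.0.9", "203.0.113.9", "resp", "", 72),
    HttpMsg(90.0, "10.0.0.9", "203.0.113.9", "req", "POST", 300),
    HttpMsg(90.5, "10.0.0.9", "203.0.113.9", "resp", "", 350),
]

if __name__ == "__main__":
    for a in run(SAMPLE):
        print(a, drop_rule(a))
```

Two practitioner caveats that the abstract leaves implicit: the size ranges are specific to a family and even to a version of its C2 protocol, so they have to be re-measured whenever the malware changes, and the whole scheme needs plaintext HTTP, since TLS hides methods and Content-Length and leaves only coarser TCP-level sizes to work with.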
