Real-Time Ransomware Infection Detection System Based on Social Big Data Mining

Real-Time Ransomware Propagation Detection System Based on Social Big Data Mining (Korean title)

  • 김미희 (Department of Computer Engineering (Computer Systems Research Institute), Hankyong National University);
  • 윤준혁 (Department of Computer Engineering, Hankyong National University)
  • Received : 2018.05.14
  • Accepted : 2018.07.26
  • Published : 2018.10.31

Abstract

Ransomware, malicious software that encrypts files and demands a ransom, is becoming more threatening with its rapid propagation and growing sophistication. Rapid detection and risk analysis are required, but real-time analysis and reporting are lacking. In this paper, we propose a ransomware infection detection system that uses social big data mining technology to enable real-time analysis. The system analyzes the Twitter stream in real time and crawls tweets containing ransomware-related keywords. It also extracts ransomware-related keywords by crawling news servers through a news feed parser, and extracts news or statistical data from the servers of security companies or search engines. The collected data is analyzed by data mining algorithms. By comparing the number of related tweets, Google Trends (statistical information), and articles related to the WannaCry and Locky ransomware infections that spread in 2017, we show that our system can detect ransomware infection using tweets. Moreover, the performance of the proposed system is shown through entropy and chi-square analysis.

Ransomware, malicious software that encrypts files and demands a ransom, is becoming more threatening through its rapid propagation and growing sophistication. Rapid detection and risk analysis are therefore required, but real-time analysis and reporting remain inadequate. In this paper we propose a ransomware propagation detection system that uses social big data mining technology to enable real-time analysis. The system analyzes the Twitter stream in real time and crawls tweets containing ransomware-related keywords. It also crawls news servers through a news feed parser to extract ransomware-related keywords, and extracts news or statistical data from security vendors' servers or search engines. The collected data is analyzed with data mining algorithms to estimate the degree of ransomware infection. By comparing the number of related tweets, Google Trends (statistical information) and related articles during the WannaCry and Locky ransomware infection waves of 2017, we show that the proposed system can detect ransomware infection using tweets, and we show the performance of the proposed system through entropy and chi-square analysis.
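As an added illustration (not the paper's code), the following Python sketches the tweet-side analysis the abstract describes: count ransomware keyword hits in a crawled tweet window, measure the entropy of the keyword distribution, and flag a window whose chi-square statistic against a quiet baseline exceeds a threshold. The keyword list, the constructed sample tweets and the add-one smoothing are assumptions; the paper's own keyword set and thresholds are not given on this page.

```python
import math
import re
from collections import Counter

# Keyword set the crawler filters the Twitter stream on (assumed; the paper's own list is not on this page).
KEYWORDS = ("wannacry", "locky", "ransomware", "ykcol")
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b")

# Constructed sample tweets as (day, text): days 0-1 are a quiet baseline, day 2 an outbreak, day 3 quiet again.
TWEETS = [
    (0, "Patched my servers today, nothing new"),
    (0, "Ransomware reminder: keep offline backups"),
    (1, "Weekly security digest: Locky returns as .ykcol"),
    (1, "Coffee and logs"),
    (2, "WannaCry is spreading over SMB, patch your file servers now"),
    (2, "Our hospital network hit by wannacry, files encrypted"),
    (2, "wannacry ransomware outbreak across 100 countries"),
    (2, "Another wannacry report from the UK"),
    (3, "Locky spam mail still circulating"),
]


def keyword_counts(tweets, days):
    """Count keyword hits in the tweets of the given days (case-insensitive, whole words)."""
    counts = Counter()
    for day, text in tweets:
        if day in days:
            counts.update(KEYWORD_RE.findall(text.lower()))
    return counts


def entropy(counts):
    """Shannon entropy (bits) of the keyword distribution; a low value means one keyword dominates the window."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c) if total else 0.0


def chi_square(observed, baseline):
    """Pearson chi-square of the observed keyword distribution against the baseline distribution.
    Add-one smoothing over KEYWORDS keeps expected counts non-zero for keywords unseen in the baseline."""
    smoothed = {k: baseline.get(k, 0) + 1 for k in KEYWORDS}
    base_total = sum(smoothed.values())
    obs_total = sum(observed.get(k, 0) for k in KEYWORDS)
    if obs_total == 0:
        return 0.0  # an empty window carries no evidence of change
    return sum((observed.get(k, 0) - obs_total * smoothed[k] / base_total) ** 2
               / (obs_total * smoothed[k] / base_total) for k in KEYWORDS)


# 7.815 is the chi-square critical value for 3 degrees of freedom (len(KEYWORDS) - 1) at alpha = 0.05.
def alert_days(tweets, baseline_days, test_days, threshold=7.815):
    """Return the test days whose keyword distribution deviates significantly from the baseline."""
    baseline = keyword_counts(tweets, baseline_days)
    return [d for d in test_days if chi_square(keyword_counts(tweets, (d,)), baseline) > threshold]
```

With the constructed data, day 2 (a WannaCry-dominated window with low entropy) is flagged while day 3 is not; with so few counts the chi-square figures are illustrative only, and a real deployment would work on much larger windows.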
