Extraction and Taxonomy of Ransomware Features for Proactive Detection and Prevention

  • Yoon-Cheol Hwang (Talmage Liberal Arts and Convergence College, Hannam University)
  • Received : 2023.07.14
  • Accepted : 2023.09.20
  • Published : 2023.09.28

Abstract

Recently, the damage caused by ransomware has risen sharply across all sectors of society, including individuals, businesses, and nations. Ransomware is malicious software that infiltrates a user's computer system, encrypts important files, and demands a ransom in exchange for restoring access to them. Because its attack techniques are diverse and sophisticated, ransomware is harder to detect than other types of malware, and its impact is significant, so accurate detection and mitigation methods are critically needed. To detect ransomware precisely, the inference engine of a detection system must possess knowledge of ransomware features. In this paper, we propose a model that extracts and classifies the characteristics of ransomware for accurate detection: it computes the similarity of the extracted characteristics, reduces their dimension, groups the reduced characteristics, and classifies the characteristics of ransomware into attack tools, inflow paths, installation files, command and control, executable files, acquisition rights, circumvention techniques, collected information, leakage techniques, and state changes of the target system. The classified characteristics were applied to existing ransomware to validate the classification, and if an inference engine trained with this classification scheme is later installed in a detection system, most newly emerging and variant ransomware can be detected.
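The pipeline the abstract outlines (extract features, measure their similarity, reduce the dimension by grouping similar features, arrange the result by feature class) as an added Python sketch; this is not the paper's code, and the similarity measure (Jaccard similarity over the set of samples in which a feature was observed), the merge threshold, the sample set and the feature-to-class mapping are all assumptions made here for illustration.

```python
from itertools import combinations

# Constructed, illustrative sample set (not from the paper): which observed
# features each hypothetical ransomware sample exhibited.
SAMPLES = {
    "sample_A": {"phishing_attachment", "macro_dropper", "vssadmin_delete_shadows",
                 "tor_c2", "file_encryption", "ransom_note"},
    "sample_B": {"phishing_attachment", "macro_dropper", "wmic_delete_shadows",
                 "tor_c2", "file_encryption", "ransom_note"},
    "sample_C": {"exposed_rdp", "credential_dump", "vssadmin_delete_shadows",
                 "https_c2", "file_encryption", "data_exfil"},
    "sample_D": {"exposed_rdp", "credential_dump", "wmic_delete_shadows",
                 "https_c2", "file_encryption", "data_exfil", "ransom_note"},
}

# Assumed mapping of each feature onto one of the paper's ten feature classes.
TAXONOMY = {
    "phishing_attachment": "inflow path", "exposed_rdp": "inflow path",
    "macro_dropper": "installation file", "credential_dump": "acquisition rights",
    "tor_c2": "command and control", "https_c2": "command and control",
    "data_exfil": "leakage technique",
    "vssadmin_delete_shadows": "state change", "wmic_delete_shadows": "state change",
    "file_encryption": "state change", "ransom_note": "state change",
}

def jaccard(a, b):
    """Jaccard similarity of two sets (0.0 when both are empty)."""
    return len(a & b) / len(a | b) if a or b else 0.0

def reduce_features(samples, threshold=0.6):
    """Merge same-class features whose sample profiles are >= threshold similar.
    Each merged group is one reduced feature; returns {class: [frozenset, ...]}."""
    feats = sorted(set().union(*samples.values()))
    # Profile of a feature = the set of samples in which it was observed.
    profiles = {f: {s for s, fs in samples.items() if f in fs} for f in feats}
    group_of = {f: {f} for f in feats}              # feature -> its current group
    for f, g in combinations(feats, 2):
        if TAXONOMY[f] != TAXONOMY[g] or group_of[f] is group_of[g]:
            continue
        if jaccard(profiles[f], profiles[g]) >= threshold:
            merged = group_of[f] | group_of[g]
            for h in merged:                        # transitive: repoint members
                group_of[h] = merged
    grouped = {}
    for grp in {id(s): s for s in group_of.values()}.values():
        grouped.setdefault(TAXONOMY[next(iter(grp))], []).append(frozenset(grp))
    return {c: sorted(gs, key=sorted) for c, gs in sorted(grouped.items())}

def reduced_dimension(samples, threshold=0.6):  # feature count after reduction
    return sum(len(gs) for gs in reduce_features(samples, threshold).values())
```

With the constructed data the eleven raw features reduce to nine at the default threshold (three co-occurring state-change features collapse into one), and lowering the threshold merges more aggressively; the threshold is the knob that trades reduction against lost discrimination.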

Acknowledgement

This work was supported by 2022 Hannam University Research Fund.
