Software-Defined Networking-based Crypto Ransomware Detection Using HTTP Traffic Characteristics
Krzysztof Cabaj, Marcin Gregorczyk, Wojciech Mazurczyk

TL;DR
This paper proposes an SDN-based method for detecting crypto ransomware by analyzing HTTP traffic patterns, specifically message sequences and content sizes, demonstrating its feasibility and efficiency through experiments.
Contribution
Introduces a novel SDN-based ransomware detection approach utilizing HTTP traffic characteristics, with a proof-of-concept implementation and experimental validation.
Findings
Detection based on HTTP message sequences and sizes is effective.
The proposed system is feasible and efficient.
Experimental results confirm detection capability.
Abstract
Ransomware is currently the key threat for individual as well as corporate Internet users. Especially dangerous is crypto ransomware, which encrypts important user data that can only be recovered once a ransom has been paid. Therefore, devising efficient and effective countermeasures is a rising necessity. In this paper we present a novel Software-Defined Networking (SDN) based detection approach that utilizes characteristics of ransomware communication. Based on the observation of the network communication of two crypto ransomware families, namely CryptoWall and Locky, we conclude that analysis of the sequences of HTTP messages and their respective content sizes is enough to detect such threats. We show the feasibility of our approach by designing and evaluating a proof-of-concept SDN-based detection system. Experimental results confirm that the proposed approach is feasible and…
