Toward A Network-Assisted Approach for Effective Ransomware Detection

TL;DR

This paper introduces a Network-Assisted Approach (NAA) combining local and network-level detection methods to identify ransomware infections effectively, validated through Docker-based simulations in different network environments.

Contribution

The paper presents a novel NAA framework integrating local and network detection techniques for ransomware, with experimental validation in simulated network scenarios.

Findings

Network-level detection is effective in WAN and LAN environments.

Docker simulations demonstrate high detection accuracy.

Hybrid approach improves ransomware identification reliability.

Abstract

Ransomware is a kind of malware using cryptographic mechanisms to prevent victims from normal use of their computers. As a result, victims lose the access to their files and desktops unless they pay the ransom to the attackers. By the end of 2019, ransomware attack had caused more than 10 billion dollars of financial loss to enterprises and individuals. In this work, we propose Network-Assisted Approach (NAA), which contains effective local detection and network-level detection mechanisms, to help users determine whether a machine has been infected by ransomware. To evaluate its performance, we built 100 containers in Docker to simulate network scenarios. A hybrid ransomware sample which is close to real-world ransomware is deployed on stimulative infected machines. The experiment results show that our network-level detection mechanisms are separately applicable to WAN and LAN environments for ransomware detection.