Alotaibi, Fahad and Vasilakis, Vasileios (orcid.org/0000-0003-4902-8226) (2021) SDN-Based Detection of Self-Propagating Ransomware: The Case of BadRabbit. IEEE Access, pp. 28039-28058. ISSN 2169-3536
Abstract
In the last decade, many ransomware attacks have had the ability to spread within local networks or even beyond them. At the same time, software-defined networking (SDN) has provided a major boost to networks by transferring intelligence from network devices to a programmable, logically centralised controller. The latter can be programmed in a straightforward manner to meet the requirements of a wide range of networks and environments. This has motivated researchers to design SDN-based security solutions against threats targeting traditional networks and systems. This article investigates the use of SDN to detect and mitigate the risk of self-propagating ransomware. The infamous BadRabbit ransomware has been used for the proof of concept. To achieve this, an extensive analysis of BadRabbit was performed to identify its characteristics and understand its behaviour at both the infected-device level and the network level. As a result, several unique artifacts were extracted from BadRabbit that could facilitate its detection. These artifacts were relied upon to design an SDN-based intrusion detection and prevention system. Our system comprises five modules, namely deep packet inspection, ARP scanning detection, packet header inspection, honeypot, and SMB checker. The first two modules have been inspired by other works and have been included for comparison with the existing solutions. The other three modules rely on novel SDN-based methods for ransomware detection. We have also evaluated the efficiency and the performance of our system in terms of detection time, CPU utilisation, and TCP and ping latency. Finally, the proposed approach has also been tested against other ransomware families, such as WannaCry and NotPetya. Our experimental results show that the system is effective in detecting self-propagating ransomware and outperforms other proposed approaches.
Metadata
| Field | Value |
|---|---|
| Item Type | Article |
| Authors/Creators | Alotaibi, Fahad; Vasilakis, Vasileios |
| Keywords | Ransomware; SDN; Intrusion detection and prevention system |
| Dates | 2021 |
| Institution | The University of York |
| Academic Units | The University of York > Faculty of Sciences (York) > Computer Science (York) |
| Depositing User | Pure (York) |
| Date Deposited | 17 Mar 2021 09:20 |
| Last Modified | 16 Oct 2024 17:25 |
| Published Version | https://doi.org/10.1109/ACCESS.2021.3058897 |
| Status | Published |
| Refereed | Yes |
| Identification Number | 10.1109/ACCESS.2021.3058897 |
| Open Archives Initiative ID (OAI ID) | oai:eprints.whiterose.ac.uk:172267 |
Download
Filename: 09352796.pdf
Description: SDN-Based Detection of Self-Propagating Ransomware: The Case of BadRabbit
Licence: CC-BY 2.5