
Ransomware Attack Detection Based On Antivirus Signature And Network Intrusion Detection

Posted on: 2019-06-04
Degree: Master
Type: Thesis
Country: China
Candidate: ALVIAN BASTIAN
GTID: 2518306470994009
Subject: Information and Communication Engineering

Abstract/Summary:
Cybercrime cannot be separated from the development of malware. In the Internet Security Threat Report, crime that exploits malware has become the ultimate crime. One of the most widely spreading kinds of malware is ransomware. Ransomware has increased year by year since 2013 and peaked in 2016 at 1,271 detections for one day in 2017. Some ransomware, such as WannaCry, Petya/NotPetya, and Badrabbit, spreads through computer networks. By using the MS17-010 exploit, this ransomware takes advantage of an SMB vulnerability and spreads faster to other computers, which makes ransomware attacks more dangerous for users' computers. Some security staff rely on security tools such as antivirus. However, antivirus needs updates, and antivirus companies take a long time to provide the latest update. To solve this problem, this research proposes an antivirus signature based on the DLL files and API calls of ransomware files. To detect ransomware traffic on a computer network, this research proposes network intrusion detection. Detecting files with an antivirus signature and detecting traffic with network intrusion detection therefore has high theoretical value and practical significance.

Some antivirus products use signatures based on MD5 and hexdump: malware files are gathered and analyzed one by one, and their MD5 and hexdump are extracted. This system is effective for known malware with similar MD5 and hexdump. However, some malware of the same type has a different MD5 and hexdump. To solve this problem, this research improves the detection of ransomware files by basing it on their DLL files and functional API calls. The portable executable (PE) header, DLL files, and functional API calls are extracted to analyze the characteristics of ransomware files. The experiment showed that detecting ransomware files based on DLL files and functional API calls with machine learning gives a better result than detecting files based on MD5 and hexdump. The precision of ransomware file detection in this experiment is 94%.

Ransomware is able to spread over a computer network by exploiting an SMB vulnerability. Some research analyzes only botnets and other malware. To the best of our knowledge, work that analyzes ransomware and detects it on computer networks is limited, although some countries have already felt the effects of this ransomware. To solve this problem, this research presents a network intrusion detection system for detecting ransomware traffic, which analyzes ransomware behavior, classifies traffic with machine learning, and creates rules for detecting ransomware. The experimental results showed successful detection of ransomware traffic and improved the detection object and method research for network intrusion detection systems. The precision of ransomware traffic detection using machine learning is 99%.

Given the rapid development of ransomware, this research proposes two detection systems. The first detects ransomware files using an antivirus signature, and the second detects ransomware traffic using a network intrusion detection system. Experimental results show that the system can detect ransomware files and traffic and improves the method for detecting them.
Keywords/Search Tags: Ransomware, Antivirus, Intrusion Detection System, Machine Learning, Malware