Our Publications
Here you can find our publications.
2020
Moussaileb, Routa; Cuppens, Nora; Lanet, Jean Louis; Le Bouder, Hélène
Ransomware Network Traffic Analysis for Pre-encryption Alert (Journal Article)
In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12056 LNCS, pp. 20–38, 2020, ISSN: 16113349.
Tags: Machine learning, Network traffic, Ransomware
@article{Moussaileb2020,
title = {Ransomware Network Traffic Analysis for Pre-encryption Alert},
author = {Routa Moussaileb and Nora Cuppens and Jean Louis Lanet and H\'{e}l\`{e}ne Le Bouder},
doi = {10.1007/978-3-030-45371-8_2},
issn = {16113349},
year = {2020},
date = {2020-01-01},
journal = {Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)},
volume = {12056 LNCS},
pages = {20--38},
abstract = {Cyber Security researchers are in an ongoing battle against ransomware attacks. Some exploits begin with social engineering methods to install payloads on victims' computers, followed by a communication with command and control servers for data exchange. To scale down these attacks, scientists should shed light on the danger of those rising intrusions to prevent permanent data loss. To join this arm race against malware, we propose in this paper an analysis of various ransomware families based on the collected system and network logs from a computer. We delve into malicious network traffic generated by these samples to perform a packet level detection. Our goal is to reconstruct ransomware's full activity to check if its network communication is distinguishable from benign traffic. Then, we examine if the first packet sent occurs before data's encryption to alert the administrators or afterwards. We aim to define the first occurrence of the alert raised by malicious network traffic and where it takes place in a ransomware workflow. Logs collected are available at http://serveur2.seres.rennes.telecom-bretagne.eu/data/RansomwareData/.},
keywords = {Machine learning, Network traffic, Ransomware},
pubstate = {published},
tppubtype = {article}
}