Cyberthreat Hunting - Part 2: Tracking Ransomware Threat Actors Using Fuzzy Hashing and Fuzzy C-Means Clustering
| Field | Value |
|---|---|
| Title | Cyberthreat Hunting - Part 2: Tracking Ransomware Threat Actors Using Fuzzy Hashing and Fuzzy C-Means Clustering |
| Publication Type | Conference Paper |
| Year of Publication | 2019 |
| Authors | Naik, Nitin; Jenkins, Paul; Savage, Nick; Yang, Longzhi |
| Conference Name | 2019 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE) |
| Date Published | June 2019 |
| Publisher | IEEE |
| ISBN Number | 978-1-5386-1728-1 |
| Keywords | attack surfaces, c-means clustering, Cerber, cluster ransomware samples, clustering methods, clustering techniques, composability, Context-Triggered Piecewise Hashing, cryptography, CryptoWall, CTPH, cyberthreat hunting, efficient fuzzy analysis approach, FCM, FCM clustering results, fuzzy c-means clustering, Fuzzy Cryptography, Fuzzy Hashing, fuzzy hashing methods, fuzzy set theory, fuzzy similarity scores, fuzzy techniques, Indexes, Locky, malicious code writing, Measurement, Metrics, pattern clustering, privacy, pubcrawl, ransomware, ransomware threat actor, Resiliency, Scalability, SDHASH, signature based defense, Similarity Preserving, SSDEEP, successful attack vectors, threat actors, threat vectors, Triaging, unknown ransomware, unlimited polymorphic samples, WannaCry, WannaCryptor, Writing |
| Abstract | Threat actors are constantly seeking new attack surfaces, with ransomware being one of the most successful attack vectors used for financial gain. This has been achieved through the dispersion of unlimited polymorphic samples of ransomware whilst those responsible evade detection and hide their identity. Nonetheless, every ransomware threat actor adopts some similar style or uses some common patterns in their malicious code writing, which can be significant evidence contributing to their identification. The first step in attempting to identify the source of the attack is to cluster a large number of ransomware samples based on very little or no information about the samples, so that their traits and signatures can be analysed and identified. Therefore, this paper proposes an efficient fuzzy analysis approach to cluster ransomware samples based on the combination of two fuzzy techniques: fuzzy hashing and fuzzy c-means (FCM) clustering. Unlike other clustering techniques, FCM can directly utilise the similarity scores generated by a fuzzy hashing method and cluster them into similar groups without requiring additional transformational steps to obtain distances among objects for clustering. Thus, it reduces the computational overhead by reusing the fuzzy similarity scores obtained at the time of initial triaging, when a sample is checked against known ransomware. The performance of the proposed fuzzy method is compared against k-means clustering, and the two fuzzy hashing methods SSDEEP and SDHASH are evaluated based on their FCM clustering results to understand how the similarity score affects the clustering results. |
| URL | https://ieeexplore.ieee.org/document/8858825 |
| DOI | 10.1109/FUZZ-IEEE.2019.8858825 |
| Citation Key | naik_cyberthreat_2019 |