Title | Comparing Ransomware using TLSH and @DisCo Analysis Frameworks |
Publication Type | Conference Paper |
Year of Publication | 2021 |
Authors | Cooley, Rafer, Cutshaw, Michael, Wolf, Shaya, Foster, Rita, Haile, Jed, Borowczak, Mike |
Conference Name | 2021 IEEE International Conference on Big Data (Big Data) |
Date Published | December |
Keywords | Big Data, Conferences, Feeds, Fuzzy Cryptography, Intermediate Representation, Locality-Sensitive Hash, Metrics, pubcrawl, ransomware, resilience, Resiliency, Scalability, threat indicators |
Abstract | Modern malware indicators used by today's leading threat feeds are easily bypassed and are generated through opaque methods, leaving cyber defenders with weak detection capabilities. Static hash-based algorithms such as MD5 or SHA generate indicators that are rendered obsolete by modifying a single byte of the source file. Conversely, fuzzy hash-based algorithms such as SSDEEP and TLSH are more robust to alterations of the source information; however, these methods often rely on context boundaries that are hard to define or are not based on meaningful information. In previous work, a custom binary analysis tool called @DisCo was created. In this study, four current ransomware campaigns were analyzed using TLSH fuzzy hashing and the @DisCo tool. While TLSH works at the binary level of the entire program, @DisCo works at an intermediate function level. The results from each analysis method were compared to validate one against the other and to introduce a narrative for combining these types of methods to create stronger indicators of compromise. |
DOI | 10.1109/BigData52589.2021.9671573 |
Citation Key | cooley_comparing_2021 |