
The Automation Model of Ransomware Analysis and Detection Pattern

A Study on an Automation Model for Ransomware Analysis and Detection Patterns

  • Lee, Hoo-Ki (Department of IT Policy and Management, Soongsil University) ;
  • Seong, Jong-Hyuk (Department of Information Security Systems, Kyonggi University) ;
  • Kim, Yu-Cheon (Department of Information Security, Dongguk University) ;
  • Kim, Jong-Bae (Graduate School of Software, Soongsil University) ;
  • Gim, Gwang-Yong (Dept. of Business Administration, Soongsil University)
  • Received : 2017.04.14
  • Accepted : 2017.05.19
  • Published : 2017.08.31

Abstract

Ransomware now in wide circulation has moved beyond the original attack method of simply encrypting files and demanding money. It is becoming more intelligent and sophisticated through the spread of new strains and variants, targeted distribution using social-engineering attacks, malvertising that distributes large quantities of ransomware by hacking advertising servers, and RaaS (Ransomware-as-a-Service). In particular, it makes attackers hard to track by bypassing security solutions, making parameter checking impossible through file encryption, and combining targeted ransomware attacks with APT (Advanced Persistent Threat) techniques. Various detection techniques have been developed to remove the threat of ransomware, but responding to new and variant ransomware remains very difficult. Accordingly, this paper examines how signature-based detection patterns are produced and the problems involved, and presents an automation model for ransomware detection patterns that enables a more active response to ransomware. This study is expected to be applicable in various forms at enterprise or public security control centers.

Recently, widely distributed ransomware has moved beyond the existing attack method of simply encrypting files and demanding money, and is becoming more advanced and intelligent through the distribution of new strains and variants, targeted distribution using social-engineering attack methods, malvertising-style distribution that spreads ransomware in large quantities by hacking advertising servers, and RaaS. In particular, it bypasses security solutions, makes parameter verification impossible through file encryption, and makes tracing the attacker difficult through targeted ransomware attacks combined with APT attacks. To escape such ransomware threats, various detection techniques are being developed, but it is hard to respond to newly emerging ransomware. Accordingly, this paper examines the production of signature-based detection patterns and their problems, and presents an automation model for ransomware infection detection patterns that carries out the series of steps automatically, in order to respond more actively to ransomware. This model is expected to have various applications in enterprise or public security control centers.

Cited by

  1. An Efficient Decoy File Placement Method for Ransomware Detection, vol. 8, no. 1, 2019, https://doi.org/10.30693/smj.2019.8.1.27