A Grammar-Based Behavioral Distance Measure between Ransomware Variants

ABSTRACT

Effective detection, recognition, and mitigation of ransomware require a way to characterize different variants and estimate their similarity to one another. Unlike other malware, ransomware deliberately discloses itself and interacts explicitly with the victim. The resulting behavioral trace offers a richer characterization than the simple code signatures used to detect other forms of malware, but it is also more complex and harder to characterize. Exploiting this trace both defensively and forensically requires a distance measure between pairs of attacks. We develop such a measure based on a representation of the attack behavior in a context-free grammar. We motivate this approach, summarize the grammar we have developed, present a series of increasingly refined grammatical distance measures, and illustrate their performance on actual attacks.

Dr. H. Van Dyke Parunak is a Senior Research Scientist at Parallax Advanced Research. He has extensive research experience in chaos and complex systems, AI, distributed computing, and human interfaces, with special expertise in swarm intelligence and stigmergic reasoning, gained over three decades of research for DARPA, IARPA, and ONR. Most recently, he developed the SCAMP (Social Causality using Agents with Multiple Perspectives) causal language and simulator, which is being used by a government client to model integrated multi-domain scenarios (including maneuver warfare, electromagnetic operations, and social dynamics).
License: CC-3.0