A Grammar-Based Behavioral Distance Measure Between Ransomware Variants
| Field | Value |
|---|---|
| Published in | IEEE Transactions on Computational Social Systems, 2022-02, Vol. 9 (1), pp. 8-17 |
| Format | Article |
| Language | English |
| Summary | Effective attribution of ransomware attacks requires a way to characterize different variants and estimate their similarity to one another. Unlike other malware, ransomware deliberately discloses itself and interacts explicitly with the victim. This characteristic invites the application of insights from social systems. The resulting behavioral trace offers a richer characterization than the simple code signatures used to detect other forms of malware, but it is also more complex and harder to characterize. Exploiting this trace forensically requires a distance measure between pairs of attacks. In the Ransomware Analysis as Dialogue for Attribution and Reconnaissance (RADAR) project, we developed such a measure based on a representation of the attack behavior in a context-free grammar. We motivate this approach by insights from behavioral linguistics, summarize the grammar we have developed, present a series of increasingly refined grammatical distance measures, and illustrate their performance on actual attacks. We then suggest applications of our distance measure to other problems of social modeling. |
| ISSN | 2329-924X, 2373-7476 |
| DOI | 10.1109/TCSS.2021.3060972 |