Ransomware detection and mitigation using software-defined networking: the case of WannaCry

Maxat Akbanov, Vasileios Vasilakis, Michael Logothetis

Research output: Contribution to journal, Article, peer-reviewed

Abstract

Modern ransomware families implement sophisticated encryption and propagation schemes, reducing the chance of recovering the data almost to zero. We investigate the use of software-defined networking (SDN) to detect and mitigate advanced ransomware threats. We present our ransomware analysis results and the SDN-based security framework we developed. The infamous WannaCry ransomware was used for the proof of concept. Based on the obtained results, we design an SDN detection and mitigation framework and develop a solution based on OpenFlow. The developed solution detects suspicious activities through network traffic monitoring and blocks infected hosts in real time by adding flow table entries to OpenFlow switches. Finally, our experiments with multiple samples of WannaCry show that the developed mechanism is in all cases able to promptly detect the infected machines and prevent WannaCry from spreading.
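The abstract describes a controller that watches traffic and pushes flow entries to quarantine infected hosts. The following is an added example, not the authors' code, of how such a controller application can be structured: it consumes parsed OpenFlow packet-in events, flags a host that opens TCP/445 connections (SMB, the port WannaCry's EternalBlue propagation targets) to many distinct peers within a short window, and returns the OpenFlow 1.3 flow entry that drops all frames from that host at the switch. The scan heuristic, the threshold and window values, the PacketIn layout and the plain-dict flow-mod are assumptions of this example rather than the paper's design; the packet trace is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

SMB_PORT = 445   # WannaCry spreads over SMBv1 (EternalBlue) on TCP/445
TCP = 6
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class PacketIn:
    """Header fields a controller parses from an OpenFlow packet-in.

    Assumed layout for this example; a real controller (Ryu, ONOS, ...) hands
    you the raw frame plus switch metadata and you parse these yourself.
    """
    ts: float
    dpid: int
    in_port: int
    eth_src: str
    ipv4_src: str
    ipv4_dst: str
    ip_proto: int
    tcp_dst: Optional[int] = None
    tcp_flags: int = 0


def quarantine_flow_mod(dpid: int, eth_src: str, priority: int = 1000) -> dict:
    """Flow entry that drops every frame from eth_src on switch dpid.

    In OpenFlow 1.3 an entry with an empty instruction list has no output
    action, so matching packets are dropped by the switch itself. The priority
    must exceed the installed forwarding rules (assumed here to be below 1000).
    Keys mirror OFPT_FLOW_MOD fields; this is a plain dict, not a library object.
    """
    return {
        "dpid": dpid,
        "command": "OFPFC_ADD",
        "table_id": 0,
        "priority": priority,
        "idle_timeout": 0,   # 0 = permanent: stays until an operator removes it
        "hard_timeout": 0,
        "match": {"eth_src": eth_src},   # MAC match also stops ARP and IP changes
        "instructions": [],
    }


class SmbScanDetector:
    """Flags a host that opens SMB connections to many distinct peers quickly.

    Heuristic assumed for this example: a normal client talks to a few file
    servers; a WannaCry-infected host SYN-scans its subnet on TCP/445.
    Caveat: a scan slower than `threshold` peers per `window` seconds,
    or propagation over an already-open SMB session, does not trip it.
    """

    def __init__(self, threshold: int = 10, window: float = 5.0):
        self.threshold = threshold
        self.window = window
        self._hist = defaultdict(deque)   # ipv4_src -> deque of (ts, ipv4_dst)
        self.blocked = {}                 # ipv4_src -> eth_src

    def observe(self, pkt: PacketIn) -> list:
        """Return the flow-mods the controller should push after this packet-in."""
        if pkt.ipv4_src in self.blocked:
            return []
        is_syn = bool(pkt.tcp_flags & SYN) and not (pkt.tcp_flags & ACK)
        if pkt.ip_proto != TCP or pkt.tcp_dst != SMB_PORT or not is_syn:
            return []
        hist = self._hist[pkt.ipv4_src]
        hist.append((pkt.ts, pkt.ipv4_dst))
        while hist and hist[0][0] < pkt.ts - self.window:   # drop stale entries
            hist.popleft()
        if len({dst for _, dst in hist}) >= self.threshold:
            self.blocked[pkt.ipv4_src] = pkt.eth_src
            return [quarantine_flow_mod(pkt.dpid, pkt.eth_src)]
        return []


def constructed_trace() -> list:
    """Constructed packet-ins: a benign client and one host sweeping the subnet."""
    pkts = []
    for i in range(12):   # 10.0.0.5 reopens sessions to a single file server
        pkts.append(PacketIn(i * 5.0, 1, 5, "00:00:00:00:00:05", "10.0.0.5",
                             "10.0.0.100", TCP, SMB_PORT, SYN))
    for i in range(1, 31):   # 10.0.0.200 SYN-scans 10.0.0.1-30 within a second
        pkts.append(PacketIn(30.0 + i * 0.02, 1, 7, "00:00:00:00:02:00",
                             "10.0.0.200", f"10.0.0.{i}", TCP, SMB_PORT, SYN))
    return sorted(pkts, key=lambda p: p.ts)


def run(trace, detector=None):
    """Feed a trace through the detector; return it with the flow-mods issued."""
    detector = detector or SmbScanDetector()
    flow_mods = []
    for pkt in trace:
        flow_mods.extend(detector.observe(pkt))
    return detector, flow_mods


if __name__ == "__main__":
    det, mods = run(constructed_trace())
    print("quarantined:", det.blocked)
    print("flow-mods:", mods)
```

In a live deployment the returned dict would be translated into the controller library's flow-mod object and sent to the switch identified by `dpid`; because the entry matches on the source MAC with no actions, the infected host loses all connectivity through that switch, which is the quarantine behaviour the abstract describes rather than a port-445-only block.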
Original language: English
Pages (from-to): 111-121
Number of pages: 11
Journal: Computers & Electrical Engineering
Volume: 76
Issue number: June 2019
Early online date: 21 Mar 2019
DOIs:
Publication status: Published - Jun 2019

Bibliographical note

© 2019 Elsevier Ltd. This is an author-produced version of the published paper. Uploaded in accordance with the publisher’s self-archiving policy.

Keywords

  • WannaCry
  • Ransomware
  • Software-defined networking
  • OpenFlow
  • Malware analysis
