Skip to main content
SpringerLink
Log in

A Learning Methodology for Line-Rate Ransomware Mitigation with P4 Switches

  • Conference paper
  • First Online:
Network and System Security (NSS 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13787))

Included in the following conference series:

  • 1085 Accesses

Abstract

Ransomware is currently the leading malware threat propagating throughout today’s networks and is the preeminent attack vector for adversaries aiming to extort a broad array of targets for financial gain. The de facto strategies for combating such maliciousness have long been host-based; however, these strategies are often inconsistently deployed and are typically not supported by devices with more modest computational capacity, such as the Internet of Things (IoT) domain. As a result, host-based techniques often do not scale well. Alternatively, network Intrusion Detection and Prevention Systems (IDSs/IPSs) mitigate this issue to some extent by offering a degree of network-level protection, but they too ultimately suffer the same scalability pitfall, as their performance degrades substantially amid higher traffic rates. Moreover, IDSs and IPSs are heavily reliant upon deep packet inspection, which adversaries easily circumvent with encryption. In response to such issues, we present a novel in-network methodology for integrating Random Forests (RFs) into programmable switches for traffic classification tasks, which we leverage to perform line-rate ransomware detection and mitigation. In turn, the Tbps packet processing capability of programmable switches seamlessly allows the proposed methodology to scale to even the busiest networks. Our methodology functions solely on network traffic features that are invariant to encryption. Additionally, our network-based approach can also be instrumented as a secondary defense strategy to host-based approaches that lack full network coverage. The proposed methodology was implemented on an Intel Tofino hardware switch and was shown to fit comfortably within the device’s resource bounds, with room to spare for other essential switch-based applications. In addition, the methodology was empirically evaluated using a number of the most prominent ransomware strains, demonstrating that it is capable of performing both binary or multiclass ransomware traffic classification with a precision and recall of over 0.99. Furthermore, this performance was obtained with as little as three packets from a compromised source. Indeed, such prompt detection can enable the mitigation of both ransomware propagation and the encryption of a victim’s files.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. p4lang/behavioral-model, November 2019. https://github.com/p4lang/behavioral-model

  2. Akbanov, M., Vassilakis, V.G., Logothetis, M.D.: Ransomware detection and mitigation using software-defined networking: the case of wannacry. Comput. Electr. Eng. 76, 111–121 (2019)

    Article  Google Scholar 

  3. Alotaibi, F.M., Vassilakis, V.G.: Sdn-based detection of self-propagating ransomware: the case of badrabbit. IEEE Access 9, 28039–28058 (2021)

    Article  Google Scholar 

  4. AlSabeh, A., Khoury, J., Kfoury, E., Crichigno, J., Bou-Harb, E.: A survey on security applications of p4 programmable switches and a stride-based vulnerability assessment. Comput. Netw. 207, 108800 (2022)

    Article  Google Scholar 

  5. AlSabeh, A., Safa, H., Bou-Harb, E., Crichigno, J.: Exploiting ransomware paranoia for execution prevention. In: ICC 2020–2020 IEEE International Conference on Communications (ICC), pp. 1–6. IEEE (2020)

    Google Scholar 

  6. Barradas, D., Santos, N., Rodrigues, L., Signorello, S., Ramos, F.M., Madeira, A.: Flowlens: enabling efficient flow classification for ML-based network security applications. In: Proceedings of the 28th Network and Distributed System Security Symposium, San Diego, CA, USA (2021)

    Google Scholar 

  7. Bitner, J.R., Ehrlich, G., Reingold, E.M.: Efficient generation of the binary reflected gray code and its applications. Commun. ACM 19(9), 517–521 (1976)

    Article  MathSciNet  MATH  Google Scholar 

  8. Bosshart, P., et al.: P4: programming protocol-independent packet processors. ACM SIGCOMM Comput. Commun. Rev. 44(3), 87–95 (2014)

    Article  Google Scholar 

  9. Bou-Harb, E.: A brief survey of security approaches for cyber-physical systems. In: 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS), pp. 1–5. IEEE (2016)

    Google Scholar 

  10. Bou-Harb, E., Debbabi, M., Assi, C.: A statistical approach for fingerprinting probing activities. In: 2013 International Conference on Availability, Reliability and Security, pp. 21–30. IEEE (2013)

    Google Scholar 

  11. Bou-Harb, E., Debbabi, M., Assi, C.: A systematic approach for detecting and clustering distributed cyber scanning. Comput. Netw. 57(18), 3826–3839 (2013)

    Article  Google Scholar 

  12. Bou-Harb, E., Debbabi, M., Assi, C.: Behavioral analytics for inferring large-scale orchestrated probing events. In: 2014 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 506–511. IEEE (2014)

    Google Scholar 

  13. Bou-Harb, E., Debbabi, M., Assi, C.: Big data behavioral analytics meet graph theory: on effective botnet takedowns. IEEE Network 31(1), 18–26 (2016)

    Article  Google Scholar 

  14. Bou-Harb, E., Debbabi, M., Assi, C.: A novel cyber security capability: inferring internet-scale infections by correlating malware and probing activities. Comput. Netw. 94, 327–343 (2016)

    Article  Google Scholar 

  15. Bou-Harb, E., Lakhdari, N.E., Binsalleeh, H., Debbabi, M.: Multidimensional investigation of source port 0 probing. Digit. Investig. 11, S114–S123 (2014)

    Article  Google Scholar 

  16. Busse-Grawitz, C., Meier, R., Dietmüller, A., Bühler, T., Vanbever, L.: pforest: In-network inference with random forests. arXiv preprint arXiv:1909.05680 (2019)

  17. Cabaj, K., Gregorczyk, M., Mazurczyk, W.: Software-defined networking-based crypto ransomware detection using http traffic characteristics. Comput. Electr. Eng. 66, 353–368 (2018)

    Article  Google Scholar 

  18. Cabaj, K., Mazurczyk, W.: Using software-defined networking for ransomware mitigation: the case of cryptowall. IEEE Network 30(6), 14–20 (2016)

    Article  Google Scholar 

  19. Chen, X., Kim, H., Aman, J.M., Chang, W., Lee, M., Rexford, J.: Measuring TCP round-trip time in the data plane. In: Proceedings of the Workshop on Secure Programmable Network Infrastructure, pp. 35–41 (2020)

    Google Scholar 

  20. Chernikova, A., et al.: Cyber network resilience against self-propagating malware attacks. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) ESORICS 2022. LNCS, vol. 13554, pp. 531–550. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-17140-6_26

  21. Cusack, G., Michel, O., Keller, E.: Machine learning-based detection of ransomware using SDN. In: Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, pp. 1–6 (2018)

    Google Scholar 

  22. Friday, K., Bou-Harb, E., Crichigno, J., Scanlon, M., Beebe, N.: On offloading network forensic analytics to programmable data plane switches. Book Series: World Scientific Series in Digital Forensics and Cybersecurity (2021)

    Google Scholar 

  23. Friday, K., Kfoury, E., Bou-Harb, E., Crichigno, J.: Towards a unified in-network DDoS detection and mitigation strategy. In: 2020 6th IEEE Conference on Network Softwarization (NetSoft), pp. 218–226. IEEE (2020)

    Google Scholar 

  24. Friday, K., Kfoury, E., Bou-Harb, E., Crichigno, J.: Inc: In-network classification of botnet propagation at line rate. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds.) ESORICS 2022. LNCE, vol. 13554, pp. 551–569. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-17140-6_27

  25. Gutterman, C., et al.: Requet: real-time QOE detection for encrypted YouTube traffic. In: Proceedings of the 10th ACM Multimedia Systems Conference, pp. 48–59 (2019)

    Google Scholar 

  26. Humayun, M., Jhanjhi, N., Alsayat, A., Ponnusamy, V.: Internet of things and ransomware: evolution, mitigation and prevention. Egyptian Inform. J. 22(1), 105–117 (2021)

    Article  Google Scholar 

  27. Intel: Intel Tofin Series Programmable Ethernet Switch ASIC. https://www.intel.com/content/www/us/en/products/network-io/programmable-ethernet-switch/tofino-series/tofino.html

  28. Intel: Intelő tofino 3 intelligent fabric processor brief. https://www.intel.com/content/www/us/en/products/network-io/programmable-ethernet-switch/tofino-3-brief.html

  29. Jareth: How ransomware spreads: 9 most common infection methods and how to stop them, December 2019. https://blog.emsisoft.com/en/35083/how-ransomware-spreads-9-most-common-infection-methods-and-how-to-stop-them/

  30. of Justice, T.U.S.D.: How to protect your networks from ransomware, March 2022. https://www.justice.gov/criminal-ccips/file/872771/download

  31. Kapoor, A., Gupta, A., Gupta, R., Tanwar, S., Sharma, G., Davidson, I.E.: Ransomware detection, avoidance, and mitigation scheme: a review and future directions. Sustainability 14(1), 8 (2021)

    Article  Google Scholar 

  32. Keshet, Y.: Prevent automated propagation of ransomware attacks, June 2021. https://www.silverfort.com/blog/prevent-automated-propagation-of-ransomware-attacks/

  33. Kfoury, E.F., Crichigno, J., Bou-Harb, E.: An exhaustive survey on p4 programmable data plane switches: taxonomy, applications, challenges, and future trends. IEEE Access 9, 87094–87155 (2021)

    Article  Google Scholar 

  34. Kovar, R.: Ransomware encrypts nearly 100,000 files in under 45 minutes, March 2022. https://www.splunk.com/en_us/blog/security/ransomware-encrypts-nearly-100-000-files-in-under-45-minutes.html

  35. Largent, W.: Ransomware: Past, present, and future, September 2022. https://blog.talosintelligence.com/ransomware-history-past-prologue/

  36. Lee, J.H., Singh, K.: Switchtree: in-network computing and traffic analyses with random forests. Neural Comput. Appl. 1–12 (2020)

    Google Scholar 

  37. Maurya, A., Kumar, N., Agrawal, A., Khan, R.: Ransomware: evolution, target and safety measures. Int. J. Comput. Sci. Eng. 6(1), 80–85 (2018)

    Google Scholar 

  38. McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., Shenker, S., Turner, J.: Openflow: enabling innovation in campus networks. ACM SIGCOMM Comput. Commun. Rev. 38(2), 69–74 (2008)

    Article  Google Scholar 

  39. Moreira, C.M., Kaddoum, G., Bou-Harb, E.: Cross-layer authentication protocol design for ultra-dense 5g hetnets. In: 2018 IEEE International Conference on Communications (ICC), pp. 1–7. IEEE (2018)

    Google Scholar 

  40. NetSecResearch, June 2022. https://github.com/NetSecResearch/InNetworkRansomwareDetection

  41. Paganini, P.: Self-propagating ransomware spreading in the wild, May 2016. https://securityaffairs.co/wordpress/47890/malware/self-propagating-ransomware.html

  42. Pour, M.S., et al.: On data-driven curation, learning, and analysis for inferring evolving internet-of-things (IoT) botnets in the wild. Comput. Secur. 91, 101707 (2020)

    Article  Google Scholar 

  43. Pour, M.S., et al.: Data-driven curation, learning and analysis for inferring evolving IoT botnets in the wild. In: Proceedings of the 14th International Conference on Availability, Reliability and Security, pp. 1–10 (2019)

    Google Scholar 

  44. Rahbarinia, B., Perdisci, R., Lanzi, A., Li, K.: Peerrush: mining for unwanted p2p traffic. J. Inf. Secur. Appl. 19(3), 194–208 (2014)

    Google Scholar 

  45. Robertson, J., Turton, W.: Colonial hackers stole data thursday ahead of shutdown, May 2021. https://www.bloomberg.com/news/articles/2021-05-09/colonial-hackers-stole-data-thursday-ahead-of-pipeline-shutdown

  46. Rouka, E., Birkinshaw, C., Vassilakis, V.G.: SDN-based malware detection and mitigation: The case of expetr ransomware. In: 2020 IEEE International Conference on Informatics, IoT, and Enabling Technologies (ICIoT), pp. 150–155. IEEE (2020)

    Google Scholar 

  47. Sandbox, T., January 2022. https://hatching.io/triage/

  48. Seals, T.: Ryuk ransomware: now with worming self-propagation, March 2021. https://threatpost.com/ryuk-ransomware-worming-self-propagation/164412/

  49. Shen, M., Liu, Y., Zhu, L., Xu, K., Du, X., Guizani, N.: Optimizing feature selection for efficient encrypted traffic classification: a systematic approach. IEEE Network 34(4), 20–27 (2020)

    Article  Google Scholar 

  50. SonicWall, October 2021. https://www.sonicwall.com/news/sonicwall-the-year-of-ransomware-continues-with-unprecedented-late-summer-surge/

  51. Stratosphere: Stratosphere laboratory datasets (2015). https://www.stratosphereips.org/datasets-overview. Accessed 13 Mar 2020

  52. Tandon, A., Nayyar, A.: A comprehensive survey on ransomware attack: a growing havoc cyberthreat. Data Management, Analytics and Innovation, pp. 403–420 (2019)

    Google Scholar 

  53. Wheelus, C., Bou-Harb, E., Zhu, X.: Tackling class imbalance in cyber security datasets. In: 2018 IEEE International Conference on Information Reuse and Integration (IRI), pp. 229–232. IEEE (2018)

    Google Scholar 

  54. Xiong, Z., Zilberman, N.: Do switches dream of machine learning? toward in-network classification. In: Proceedings of the 18th ACM Workshop on Hot Topics in Networks, pp. 25–33 (2019)

    Google Scholar 

  55. Yaqoob, I., et al.: The rise of ransomware and emerging security challenges in the internet of things. Comput. Networks 129, 444–458 (2017)

    Article  Google Scholar 

  56. Zahra, S.R., Chishti, M.A.: Ransomware and internet of things: a new security nightmare. In: 2019 9th International Conference on Cloud Computing, Data Science & Engineering (confluence), pp. 551–555. IEEE (2019)

    Google Scholar 

  57. Zheng, C., Zilberman, N.: Planter: seeding trees within switches. In: Proceedings of the SIGCOMM 2021 Poster and Demo Sessions, pp. 12–14 (2021)

    Google Scholar 

Download references

Acknowledgements

This material is based on research funded by the National Science Foundation (NSF) grant #2104273.

Author information

Authors and Affiliations

  1. The Cyber Center for Security and Analytics, The University of Texas at San Antonio, San Antonio, USA

    Kurt Friday & Elias Bou-Harb

  2. Integrated Information Technology, The University of South Carolina, Columbia, USA

    Jorge Crichigno

Authors
  1. Kurt Friday
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Elias Bou-Harb
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jorge Crichigno
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Kurt Friday .

Editor information

Editors and Affiliations

  1. Monash University, Clayton, VIC, Australia

    Xingliang Yuan

  2. The University of Queensland, Queensland, QLD, Australia

    Guangdong Bai

  3. University of Malaga, Málaga, Spain

    Cristina Alcaraz

  4. Concordia University, Montreal, QC, Canada

    Suryadipta Majumdar

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Friday, K., Bou-Harb, E., Crichigno, J. (2022). A Learning Methodology for Line-Rate Ransomware Mitigation with P4 Switches. In: Yuan, X., Bai, G., Alcaraz, C., Majumdar, S. (eds) Network and System Security. NSS 2022. Lecture Notes in Computer Science, vol 13787. Springer, Cham. https://doi.org/10.1007/978-3-031-23020-2_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-23020-2_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-23019-6

  • Online ISBN: 978-3-031-23020-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation