A Grammar-Based Behavioral Distance Measure Between Ransomware Variants

Published: 01 Jan 2022, Last Modified: 10 Oct 2024. IEEE Trans. Comput. Soc. Syst. 2022. License: CC BY-SA 4.0
Abstract: Effective attribution of ransomware attacks requires a way to characterize different variants and estimate their similarity to one another. Unlike other malware, ransomware deliberately discloses itself and interacts explicitly with the victim. This characteristic invites the application of insights from social systems. The resulting behavioral trace offers a richer characterization than the simple code signatures used to detect other forms of malware, but it is also more complex and harder to characterize. Exploiting this trace forensically requires a distance measure between pairs of attacks. In the Ransomware Analysis as Dialogue for Attribution and Reconnaissance (RADAR) project, we developed such a measure based on a representation of the attack behavior in a context-free grammar. We motivate this approach with insights from behavioral linguistics, summarize the grammar we have developed, present a series of increasingly refined grammatical distance measures, and illustrate their performance on actual attacks. We then suggest applications of our distance measure to other problems of social modeling.