Abstract

Cybercrime has recently become an important research topic in cybersecurity, and ransomware is one of its main categories. The WannaCry ransomware outbreak of 2017 was one of the largest ransomware attacks in history, posing a serious threat to the data of individual users and enterprises. Although the inner workings of WannaCry have since been analysed thoroughly and numerous detection and defense methods have been proposed, each of the existing methods has shortcomings. We therefore propose a comprehensive, rule-based detection approach for WannaCry, which we name the Comprehensive WannaCry Detection Rules (CWDR). Through an analysis of how WannaCry operates, we extract traffic features that are easily distinguishable from normal traffic during an attack. Based on these features, we design a set of rules that detects the WannaCry attack process at all eight of its stages through network traffic monitoring. Finally, we instantiate the rule set in Suricata and benchmark it against the ET Open rule set and the Snort rule set. In the basic experiment, the false negative rates of the CWDR, ET Open and Snort rule sets are 0%, 25% and 50% respectively; in the evasion experiment they are 12.5%, 75% and 62.5%. The results show that the CWDR rule set detects the WannaCry attack process more precisely than the existing rule sets.
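The abstract does not reproduce the CWDR rules themselves. As an added illustration (not the authors' rule set, and not a claim about which of the eight stages they cover), the following Suricata rules key on two well-documented WannaCry traffic features: the DNS lookup and HTTP request for the hard-coded kill-switch domain that the malware issues before encrypting, and the burst of SMB connection attempts to TCP/445 during lateral propagation. The sid values, the scan threshold (30 SYNs in 60 seconds) and the use of the $HOME_NET variable are illustrative assumptions.

```suricata
# Illustrative Suricata rules (Suricata 5+ sticky-buffer syntax); not the CWDR rule set.

# Stage: kill-switch check. WannaCry resolves and then performs an HTTP GET to its
# kill-switch domain before it starts encrypting. Either lookup is a high-confidence
# indicator on a network where that domain is not otherwise expected.
alert dns $HOME_NET any -> any any (msg:"WannaCry kill-switch domain DNS query"; \
    dns.query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"; nocase; \
    classtype:trojan-activity; sid:9000001; rev:1;)

alert http $HOME_NET any -> any any (msg:"WannaCry kill-switch domain HTTP request"; \
    http.host; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"; nocase; \
    classtype:trojan-activity; sid:9000002; rev:1;)

# Stage: SMB propagation scan. An infected host opens many TCP/445 connections to
# other hosts in a short time. Threshold values (30 SYNs per source in 60 s) are an
# assumption; tune them against the baseline SMB activity of the monitored network.
alert tcp $HOME_NET any -> any 445 (msg:"Possible WannaCry SMB propagation scan (TCP/445 SYN burst)"; \
    flags:S; threshold:type both, track by_src, count 30, seconds 60; \
    classtype:attempted-recon; sid:9000003; rev:1;)
```

Two caveats follow from how these rules are built. The kill-switch rules fire only if the infected host actually attempts the lookup, so a host with no DNS path, or a sample whose kill-switch check has been patched out, passes silently. The scan rule is a rate threshold, which is exactly what a slowed-down propagation scan is designed to stay under; this is the kind of evasion the abstract's evasion experiment measures, and it is why content- and protocol-level features at other stages matter more than any single volumetric rule.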
