Skip to content

bsrdgms/BOMRa

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
README.md
README.md
 
 

Repository files navigation

BOMRa

The Behavioral Model for Ransomware (BOMRa), designed using semantic web techniques, is capable of representing the comprehensive behavioral activity of ransomware along with the malicious intent behind the attack. The model portrays the system-level operations performed in the victim machine to achieve a malicious objective. The research work proposed demonstrates the systematization of malware activity specifically for ransomware. The method proposes a domain ontology that is engineered using a "middle-out" approach.

In BOMRa, the ransomware behavior information is formally represented as malicious Tactic, Behavior, and Windows Artifact. In this, the concept Tactic represents the high-level actions adopted by the ransomware to attain its malicious objectives, which also covers adversarial techniques and sub-techniques. The abstract conceptual activities that take place on a system when ransomware executes on the victim machine are aggregated and formally represented using the concept Behavior. The actual system-level operations carried out by the ransomware when it performs the abstract activities are represented using the concept Windows Artifact. Also, the proposed model is designed to be consistent and interoperable with other publicly available standard cybersecurity knowledge bases.

Concept Class Expression
Tactic Things that are (adoptedBy some Ransomware) and (implementedBy some Behavior) and (accomplishes some MaliciousObjective)
Behavior Things that (implements some Tactic) and (calls some WindowsAPI or executes some WindowsCommand or processes some WindowsRegistry) and (performedBy some Ransomware) and (detectedBy some Pattern)
Windows Artifact Things that are (usedBy some Behavior)
Ransomware Things that are (DigitalArtifacts) and (adopts some Tactic) and (performs some Behavior) and (achieves some MaliciousObjective) and (triggers some Pattern)
Pattern Things that are (triggeredBy some Ransomware) and (detects some Behavior)
--- ---

The proposed ontology is qualitatively evaluated to ensure its relevance and robustness. The efficacy and effectiveness of the proposed methodology is qualitatively evaluated based on its performance against a set of competency questions (CQs).

Competency Questions

The CQs detailed in this section are designed based on the challenges faced by state-of-the-art malware research identified through literature reviews and the limitations of existing cyber security adversarial knowledge bases. BOMRa is designed to provide solutions for all the competency questions that aim to address some of the limitations of the current ransomware research. The competence of the proposed method, however, is not limited to following questions.

CQ1: Which are all the ransomware samples that perform a particular system-level operation?

This CQ challenges the ability of Knowledge Base to identify and retrieve distinct ransomware samples that perform a particular system-level operation. For instance, the BOMRa can answer questions such as, “Which ransomware samples perform file deletion operations using DeleteFileW?”. In BOMRa, semantic equivalence is defined between entities that perform a fundamentally similar operation. All the DeleteFile APIs such as NtDeleteFile, DeleteFileA, DeleteFileW, or ZwDeleteFile Windows APIs are defined as semantically equivalent in BOMRa using appropriate axioms. This reduces the need to manually track and list all Windows API calls that may be used to delete a file from the Installable File System. The following SPARQL query snippet demonstrates the aforesaid logic.

PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
PREFIX owl: <http://www.w3.org/2002/07/owl#>
PREFIX bomra: <http://research.amrita.edu/bsr/ontologies/2022/ransomware-behavioural-ontology/#>

SELECT DISTINCT ?ransomware
WHERE{
  ?ransomware a bomra:Ransomware .
  ?equiv_classes a owl:equivalentClass bomra:DeleteFileW .
  ?api_calls a ?equiv_classes .
  ?ransomware bomra:calls ?api_calls
}
ORDER BY ASC(?ransomware)

The query listed in Fig. 8 is used to infer a solution for CQ1. The query initially identifies the entities that are defined as equivalent to DeleteFileW in BOMRa. It subsequently searches the Knowledge Base to identify and list distinct samples that call one of the four Windows APIs that are used for file deletion operation.

CQ2: Which all ransomware samples perform a particular behavior?

This CQ challenges the ability of Knowledge Base to process abstract behavioral information of ransomware. For instance, the BOMRa can answer questions such as, “Which all ransomware samples exhibit file encryption behavior?”. In BOMRa, the concept File Encryption abstracts all system-level operations that can perform cryptographic encryption of files existing on the system. Also, the relationship ‘exhibits’ maps all ransomware samples that exhibit a particular abstract behavior. The SPARQL query mentioned in subsequent code snippet searches the Knowledge Base to list distinct samples that exhibit file encryption operation.

PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
PREFIX owl: <http://www.w3.org/2002/07/owl#>
PREFIX bomra: <http://research.amrita.edu/bsr/ontologies/2022/ransomware-behavioural-ontology/#>

SELECT DISTINCT ?ransomware
WHERE{
  ?ransomware a bomra:Ransomware .
  ?behavior_1 a bomra:FileDecryption .
  ?ransomware bomra:exhibits ?behavior_1
}
ORDER BY ASC(?ransomware)

CQ3: Which all ransomware samples adopt a particular adversarial strategy?

The Knowledge Base is capable of inferring ransomware samples that adopt a particular adversarial tactic. An adversary performs a sequence of operations to achieve a malicious motive. BOMRa consists of predefined relationships between adversarial tactics, abstract behaviors, and actual system-level operations.

For instance, the BOMRa can answer questions such as, “Which ransomware samples adopt an adversarial strategy for Code Execution Forestallment?”. In BOMRa, the concept Code Execution Forestallment defines the adversarial tactic commonly adopted to evade detection. The Knowledge System initially perceives all distinct techniques that are defined under Code Execution Forestallment. Then, it infers the sequence of system-level operations associated with each of these techniques using the property chains mentioned in Section III (F). The Knowledge System then applies the inferred knowledge to identify and list distinct ransomware samples that adopt Code Execution Forestallment technique. The corresponding query is illustrated by following SPARQL query snippet.

PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
PREFIX owl: <http://www.w3.org/2002/07/owl#>
PREFIX bomra: <http://research.amrita.edu/bsr/ontologies/2022/ransomware-behavioural-ontology/#>

SELECT DISTINCT ?ransomware
WHERE{
  ?ransomware rdf:type bomra:Ransomware .
  ?equiv_classes rdf:type bomra:CodeExecutionForestallment .
  ?ransomware bomra:adopts ?technique
}
ORDER BY ASC(?ransomware)

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published