Ransomware detection and mitigation using SDN: the case of BadRabbit

Abstract

Ransomware is a relatively new, illegal business model used by criminals for the purpose of extortion. This model has recently achieved notable success due to people's increasing dependence on technology and the development of anonymisation techniques. Many organisations have been affected by various types of malicious software, resulting in large financial and reputational losses. Moreover, in the last decade, many ransomware attacks have had the ability to spread within a local network or even beyond it. At the same time, software-defined networking (SDN) has provided a major boost to networks by transferring intelligence from network devices to a programmable, logically centralised controller. The controller can be programmed in a straightforward manner to meet the requirements of a wide range of networks and environments. This has motivated researchers to design SDN-based security solutions against threats targeting traditional networks and systems. This paper investigates the use of SDN to detect and mitigate the risk of self-propagating ransomware. The infamous BadRabbit ransomware has been used for the proof of concept. To achieve this, an extensive analysis of BadRabbit was performed to identify its characteristics and understand its behaviour at both the infected-device level and the network level. As a result, several unique artifacts were extracted from BadRabbit that could facilitate its detection. These artifacts were relied upon to design an SDN-based intrusion detection and prevention system. Our system comprises five modules, namely deep packet inspection, packet header inspection, honeypot, ARP scanning detection, and SMB checker. We have also evaluated the efficiency and performance of our system in terms of detection time, CPU utilisation, and TCP and ping latency. Our experimental results show that the system is effective at detecting self-propagating ransomware such as BadRabbit and NotPetya.

Copyright owned by the Saudi Digital Library (SDL) © 2025