Exploration of clustering overlaps in a ransomware network based on link structures and content relevance

Abstract

The advancement in technology makes it easy and effective to transmit and spread ransomware to different devices. The result is increased ransomware threats to different sectors of the World Economy. The reason for the spread of these threats is that Ransomware developers are trying to increase their revenue by infecting victims of specific (industry) sectors of the world economy with targeted ransomware to breach their security and steal valuable data. To counter these threats, industries employ different security measures to prevent ransomware-related losses, yet losses continue to occur because of the ever-changing dynamics of ransomware. Consequently, industries are continuously, searching for effective measures to control ransomware attacks. Forensic and security experts and law enforcement operatives also have limitations in the control of such security threats.

The study of cluster analysis in none ransomware domains (e.g. complex social networks links and contents) has proved invaluable for the detection of cluster hubs, authorities, and communities in complex social networks. This has helped in targeted marketing activities and in the detection, identification, and prediction of terrorist and criminal hubs (gangs) within a network. That ransomware distribution and spread have similar complex network configuration to the social network, application of cluster analysis on the ransomware becomes a possible area of interest in the fight against ransomware threats. Compared to the social network, ransomware structure comprises of a set of links and contents, whose nodes (vertices) represent ransomware families, IP Addresses, URLs, Host, Registrar, ASNs, Countries, status or other entities embedded in the distribution. Real-time Active Cluster Overlap Profiling and Tracking (ACOPT) of ransomware network overlapping cluster trends presents an opportunity to prevent a successful attack. The study reveals there is active threat when the network events activity peaks at 53.53% with a prior gradual increase from 10.19% through 27.38%. The threat happens when the number of overlapping clusters reaches the highest maximum threshold preceded by the lowest minimum threshold. At the onset of threat, the clustering elements and the percentage values between the active cluster node and terminal cluster node are equal (29.11%); and the difference between them and the highest percentage cluster node (41.77%) is -12.11% and 12.11%. In addition, the onset is characterized when the percentages of the cluster intensity of the active cluster node and terminal cluster node reaches respective values of 31.03% and 24.89% and the difference between them and the cluster node with the highest value (44.08%) becomes equal to -13.05% and 14.19%. The active threat therefore, occurs when the active cluster node and terminal cluster node records respective 27.38% and 39.29% in the number of clustering objects, while other cluster nodes record equal values of 11.11%. The active overlapping cluster, therefore, is identified to be the cluster that has the most regular, consistent and closely distributed number of clustering objects, measures of centrality and intensity values in all the cumulative periods of the time series of the ransomware network.

Therefore, the present investigation by exploring temporal events and overlapping cluster formation in a Ransomware network identified an active cluster-overlap, which could be removed to timely dislodge potential Ransomware threat. The active cluster-overlap was tracked through cluster profiling in a time-series and periodic network clustering analysis of Ransomware Network to establish pattern consistency. The consistency tracking and validation were achieved using the key performance parameters of the network, cluster intensities, and the frequencies of clustering objects. The removal of the active Cluster Overlap (node 1) was proved effective in dislodging the ransomware network and controlling threat before it attacks. Hence, the study proposes a real-time Exploratory Machine-learning Cluster Overlap System (EMCOS) for links and contents cluster analysis in a complex ransom-ware network as a tool to control threat.