Hermes Ransomware v2.1 Action Monitoring using Next Generation Security Operation Center (NGSOC) Complex Correlation Rules

Yau Ti Dun (1), Mohd Faizal Ab Razak (2), Mohamad Fadli Zolkipli (3), Tan Fui Bee (4), Ahmad Firdaus (5)
(1) Faculty of Computing, Universiti Malaysia Pahang, Pahang, 26600, Malaysia
(2) Faculty of Computing, Universiti Malaysia Pahang, Pahang, 26600, Malaysia
(3) School of Computing, UUM College Arts & Sciences, Universiti Utara Malaysia, 06010, Kedah, Malaysia
(4) Faculty of Computing, Universiti Malaysia Pahang, Pahang, 26600, Malaysia
(5) Faculty of Computing, Universiti Malaysia Pahang, Pahang, 26600, Malaysia
How to cite (IJASEIT):
Dun, Yau Ti, et al. “Hermes Ransomware v2.1 Action Monitoring Using Next Generation Security Operation Center (NGSOC) Complex Correlation Rules”. International Journal on Advanced Science, Engineering and Information Technology, vol. 12, no. 3, May 2022, pp. 1287-92, doi:10.18517/ijaseit.12.3.15329.
In today's threat environment, which changes at a rapid pace, a new malware sample is identified in less than every five seconds. Much of this malware activity, carried out as part of cybercrime, can infect a system and disrupt it. Cybercrime is a rapidly growing field that allows cyber criminals to engage in a wide range of damaging activities; hacking, scams, child pornography, and identity theft are all examples. Victims may be single entities or groups of persons targeted for harm. These factors make cybercrime and malware more hazardous and damaging, and they create the need to construct Next Generation Security Operation Centers (NGSOCs). A SOC consists of the human resources, processes, and technology designed to deal with security events derived from Security Incident Event Management (SIEM) log analysis. This research examines how NGSOCs respond to malicious activity. It develops a use case that detects the recent Hermes Ransomware v2.1 using complex correlation rules in the SIEM anomaly engine, with the aim of analyzing and detecting Hermes Ransomware v2.1. As a result, the NGSOC recognizes the initial stage of the malware's activity and halts traffic attempts to download the malware. By forwarding logs to the SIEM, the use case supports threat analysts in finding other Indicators of Compromise (IOC), helping organizations develop a systematic and more preemptive approach to ransomware detection.
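The abstract describes a SIEM correlation rule that ties a download attempt seen in network logs to later endpoint activity. The following added example (not the paper's rule, whose conditions the abstract does not state) sketches how such a multi-source rule replays proxy and endpoint log lines per host and emits an alert carrying the download URL as an IOC for analyst pivoting; the log format, hosts, URLs, thresholds and window are all constructed assumptions.

```python
"""Added illustration of a multi-source SIEM correlation rule (not the paper's
own rule): an executable fetch in a host's proxy log followed, within a window,
by a burst of renames to a ransomware-style extension. All values constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)          # constructed correlation window
RENAME_THRESHOLD = 3                    # constructed burst size
EXE_SUFFIXES = (".exe", ".dll", ".scr")

# Constructed log lines: "<ISO time> <source> <host> key=value ..."
SAMPLE_LOGS = [
    "2022-01-10T09:00:05 proxy ws-17 action=allowed url=http://203.0.113.9/update.exe",
    "2022-01-10T09:03:10 endpoint ws-17 action=rename path=C:/Users/a/doc1.docx.locked",
    "2022-01-10T09:03:11 endpoint ws-17 action=rename path=C:/Users/a/doc2.xlsx.locked",
    "2022-01-10T09:03:12 endpoint ws-17 action=rename path=C:/Users/a/doc3.pdf.locked",
    "2022-01-10T09:05:00 proxy ws-30 action=blocked url=http://203.0.113.9/update.exe",
    "2022-01-10T09:20:00 endpoint ws-22 action=rename path=C:/Users/b/notes.txt.bak",
]

def parse(line):
    """Split one log line into a dict with a datetime timestamp."""
    ts, src, host, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts), "src": src, "host": host, **fields}

def correlate(lines):
    """Replay events in time order; return one alert per correlated burst.
    Each alert carries the download URL as an IOC the analyst can pivot on."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    downloads = defaultdict(list)   # host -> [(ts, url)]
    renames = defaultdict(list)     # host -> [(ts, path)]
    alerts = []
    for e in events:
        h = e["host"]
        if e["src"] == "proxy" and e.get("url", "").lower().endswith(EXE_SUFFIXES):
            downloads[h].append((e["ts"], e["url"]))
        elif e["src"] == "endpoint" and e.get("action") == "rename":
            renames[h].append((e["ts"], e["path"]))
            recent = [p for t, p in renames[h] if e["ts"] - t <= WINDOW]
            prior_dl = [u for t, u in downloads[h] if e["ts"] - t <= WINDOW]
            if len(recent) >= RENAME_THRESHOLD and prior_dl:
                alerts.append({"host": h, "download_url": prior_dl[-1],
                               "renamed": recent})
                renames[h].clear()      # do not re-alert on the same burst
    return alerts
```

In the sample data only ws-17 fires: ws-30's download was blocked at the proxy with no follow-on activity, and ws-22 shows a lone rename with no preceding download.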

