Talos: a prototype Intrusion Detection and Prevention system for profiling ransomware behaviour

Ashley Charles Wood, Thaddeus Eze, Lee Speakman
University of Chester, Chester, United Kingdom
ashley.wood@chester.ac.uk
t.eze@chester.ac.uk
l.speakman@chester.ac.uk

Abstract: In this paper, we profile the behaviour and functionality of multiple recent variants of WannaCry and CrySiS/Dharma through static and dynamic malware analysis. We then analyse and detail the commonly occurring behavioural features of ransomware. These features are used to develop a prototype Intrusion Detection and Prevention System (IDPS) named Talos, which comprises several detection mechanisms/components. Benchmarking is then performed to test and validate the performance of the proposed Talos IDPS, and the results are discussed in detail. It is established that the Talos system can successfully detect all ransomware variants tested, in an average of 1.7 seconds, and instigate remedial action in a timely manner following first detection. The paper concludes with a summary of our main findings and a discussion of potential future work which may be carried out to allow the effective detection and prevention of ransomware on systems and networks.

Keywords: IDS, IPS, IDPS, Ransomware, WannaCry, CrySiS/Dharma

1. Introduction

1.1 Introduction

In our previous paper (Wood & Eze, 2020), we examined the way in which ransomware interacts with the system on infection to affect both data and system functionality. Our key finding was that it was possible to restore data and system functionality following ransomware infection. This paper builds on our previous work (Wood & Eze, 2020) and explores the prospect of profiling the behaviour of ransomware and developing an Intrusion Detection and Prevention System (IDPS) based exclusively on the commonly occurring system behaviours of ransomware.
Section two provides an overview of ransomware in recent times, section three summarises previous research in this area, section four summarises our behavioural analysis of WannaCry and CrySiS/Dharma, and section five outlines and details the proposed Talos system and its detection performance. Section six concludes the paper with a summary and discussion of this study's main findings, before drawing the paper to a close with an overview of areas requiring further work to advance the state of the art in IDPS technology.

1.2 Relevant terminologies

This paper refers to several acronyms and terminologies throughout; these are Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Intrusion Detection and Prevention Systems (IDPS) and Ransomware.

Firstly, Intrusion Detection Systems (IDS) automate the manual process of intrusion detection by monitoring networks and systems for malicious/suspicious activity in violation of established security policies. If such activity is identified, it is logged and alerts are sent to administrators (Azhagiri et al, 2015). Comparatively, Intrusion Prevention Systems (IPS) share the same capability as an IDS but additionally respond to and take remedial action when malicious activity is identified, before notifying administrators of the activity detected and the remedial action taken (Azhagiri et al, 2015). An Intrusion Detection and Prevention System (IDPS), as the name implies, combines the capabilities of both IDS and IPS to form a more robust system.

Ransomware refers to a type of malicious software which is designed to restrict access to a computer system and its data until a monetary fee is paid.

2. Background

As technology evolves to become more advanced and sophisticated, so have the attackers, who are continually designing and developing ever more destructive and imaginative means of breaching network and system security.
As society, the economy and critical infrastructure increasingly depend upon information technology (IT), cyberattacks are becoming increasingly attractive to attackers, with potentially disastrous consequences (Jang-Jaccard & Nepal, 2014). The COVID pandemic has exacerbated the growing issue of malware/ransomware attacks, due to organisations swiftly adapting business infrastructures, which has left multiple loopholes within