A proposed Crypto-Ransomware Early Detection(CRED) Model using an Integrated Deep Learning and Vector Space Model Approach

Alqahtani, Abdullah; Gazzan, Mazen; Sheldon, Frederick T.

doi:10.1109/ccwc47524.2020.9031182

Cited by 19 publications

(27 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This is the case of [38], where an ensemble-based detection model which incorporates two techniques (incremental bagging and enhanced semi-random subspace selection) is evaluated for ransomware detection. In [39,40], deep learning techniques are explored. In the first case, to extract the latent representation of a high dimension of collected data to identify malicious behaviours accurately.…”

Section: Related Workmentioning

confidence: 99%

Inhibiting crypto‐ransomware on windows platforms through a honeyfile‐based approach with R‐Locker

Gómez-Hernández

Sánchez-Fernández

García-Teodoro

2021

IET Information Security

View full text Add to dashboard Cite

After several years, crypto‐ransomware attacks still constitute a principal threat for individuals and organisations worldwide. Despite the fact that a number of solutions are deployed to fight against this plague, one main challenge is that of early reaction, as merely detecting its occurrence can be useless to avoid the pernicious effects of the malware. With this aim, the authors introduced in a previous work a novel anti‐ransomware tool for Unix platforms named R‐Locker. The proposal is supported on a honeyfile‐based approach, where ‘infinite’ trap files are disseminated around the target filesystem for early detection and to effectively block the ransomware action. The authors extend here the tool with three main new contributions. First, R‐Locker is migrated to Windows platforms, where specific differences exist regarding FIFO handling. Second, the global management of the honeyfiles around the target filesystem is now improved to maximise protection. Finally, blocking suspicious ransomware is (semi)automated through the dynamic use of white‐/black‐lists. As in the original work for Unix systems, the new Windows version of R‐Locker shows high effectivity and efficiency in thwarting ransomware action.

show abstract

Section: Related Workmentioning

confidence: 99%

Inhibiting crypto‐ransomware on windows platforms through a honeyfile‐based approach with R‐Locker

Gómez-Hernández

Sánchez-Fernández

García-Teodoro

2021

IET Information Security

View full text Add to dashboard Cite

show abstract

“…The experimental results showed a convergence performance of about 50%. CRED [13] used a process-and data-driven approach to detect cryptography algorithms. CRED built an early detection model using both data-and process-driven approaches based on the LSTM algorithm.…”

Section: Introductionmentioning

confidence: 99%

“…This allowed the ransomware to be identified before it started an encryption attack. As a result, the model proposed in [13] effectively protected personal and business data. RWguard [14] studied ransomware detection and experimented on samples from 14 widely known ransomware families.…”

Section: Introductionmentioning

confidence: 99%

Identifying Symmetric-Key Algorithms Using CNN in Intel Processor Trace

Yang

Park

2021

Electronics

View full text Add to dashboard Cite

Malware and ransomware are often encrypted to protect their own code, making it challenging to apply reverse engineering to analyze them. Recently, various studies have been underway to identify cryptography algorithms in malware or ransomware that use anti-reversing technology via deep-learning technology. In particular, CNNs (convolution neural networks) are deep-learning algorithms with superior performance, as compared to existing machine-learning algorithms in image classification. In the cases of malicious files to which anti-debugging techniques or anti-DBI (dynamic binary instrumentation) techniques are applied, if the traces are extracted using various debuggers or DBI, the traces are cut off due to these techniques. The IPT (Intel processor trace) has the advantage of extracting an accurate trace of a program by bypassing the anti-debugging or anti-DBI technique. This paper presents a novel method by which to identify the symmetric-key algorithms by applying a CNN to the traces extracted from the IPT. The IPT minimally interrupts software execution. First, the trace encrypted by the symmetric-key algorithms is extracted using the IPT. Then it is converted into an image to be an input into the CNN. The experiments were carried out with two different datasets. The first dataset contained traces extracted by different types of symmetric-key algorithms, and the training results were classified into nine classes with 100% accuracy. The second dataset contained traces that included the various bit sizes of the security keys and the block-cipher modes for each type of symmetric-key algorithm. Training results were classified into 36 classes with an accuracy of 70.55%. While previous studies have identified the types of encryption algorithms, this study employed a CNN to identify the number of key bits and the block-cipher modes as well.

show abstract

“…In these methods, a truncated API call sequence that focuses on the pre-encryption behavior of the ransomware is collected. The truncation length is either static for all samples based upon analysis duration or the number of steps [104,210,223], or dynamic based upon the occurrence of the first cryptographic API call [13,18,6]. A static length is limited because it assumes that all the ransomware variants start encryption at a specific time.…”

Section: Problem Statementmentioning

confidence: 99%

“…A static length is limited because it assumes that all the ransomware variants start encryption at a specific time. A dynamic length is also limited in that the first cryptographic API call may be related to the unpacking of binary hence misleading [18]. Such limitations need to be addressed for a concrete ransomware early detection solution.…”

Section: Problem Statementmentioning

confidence: 99%

Automating Behavior-based Ransomware Analysis, Detection, and Classification Using Machine Learning

Abbasi¹

View full text Add to dashboard Cite

Ransomware is malware that hijacks a victim's data using encryption and demands a ransom in exchange for the decryption key. Ransomware has gained prominence due to its attack vector and the irreversible nature of damage to data. Ransomware has indiscriminately attacked individuals and organizations worldwide, disrupting their businesses and services. The number of successful ransomware attacks across the globe highlights the inadequacy of existing ransomware defense. Static and dynamic analysis are two popular approaches to malware analysis. The former does not require execution of the malware binary, whereas the latter requires executing the binary in a controlled environment. Static analysis-based detection, e.g., signature-matching, is widely adopted by commercial antivirus solutions but can be thwarted by evasion techniques, e.g., polymorphism and code obfuscation, utilized in modern malware. Consequently, dynamic analysis-based or behavior-based detection approaches have gained popularity because malware behavior cannot be changed entirely across its variants. Both signature and behavior-based detection complement each other. Behavior-based ransomware detection comes with certain challenges and problems, such as data high-dimensionality that occurs because a process may execute thousands of API calls per second. Manual inspection of these API calls for feature engineering requires an expert and is a time-intensive task. Another problem with some existing ransomware detection models is the reliance on handcrafted malice scoring functions that assign scores to the processes describing their threat levels. Other challenges to ransomware detection research include the limited availability of ransomware data sets that can be used with Machine Learning (ML) methods and their reuse scope. The scope of reuse of available data sets is limited because of their format, e.g., sequential data may be used with recurrent neural networks but not with commonly used ML-based classification algorithms, and focus, e.g., network activity and filesystem activity. For the above-mentioned reasons, ransomware detection research is generally followed by ransomware analysis. However, to the best of our knowledge, not many of the existing ransomware behavior analysis studies discuss the challenges involved in the process. This thesis aims to automate the solutions to the problems related to ransomware behavior detection and classification using evolutionary computation methods, i.e., particle swarm optimization and genetic programming, and deep neural networks, i.e., long short-term memory. This thesis proposes a wrapper feature selection method to address the high dimensionality in ransomware behavior data. The proposed method utilizes particle swarm optimization to automatically select a suitable number of features from each feature group and therefore does not require expert input. This thesis further proposes an automated method of evolving malice scoring models for ransomware detection. The proposed method formulates the problem as a symbolic regression problem and solves it using genetic programming. Unlike existing methods, the proposed method does not require expert knowledge to design the model. Furthermore, this thesis proposes an automated behavior analysis framework for highlighting challenges associated with ransomware behavior analysis and solutions to these challenges. Finally, this thesis proposes a new representation of the API call sequences that combines the API call names and important call arguments. The proposed representation of the API call sequences helped improve ransomware early detection performance. All the methods proposed in this thesis either automate the existing manual solutions or achieve comparable or better performance compared to existing methods.

show abstract

A proposed Crypto-Ransomware Early Detection(CRED) Model using an Integrated Deep Learning and Vector Space Model Approach

Cited by 19 publications

References 22 publications

Inhibiting crypto‐ransomware on windows platforms through a honeyfile‐based approach with R‐Locker

Inhibiting crypto‐ransomware on windows platforms through a honeyfile‐based approach with R‐Locker

Identifying Symmetric-Key Algorithms Using CNN in Intel Processor Trace

Automating Behavior-based Ransomware Analysis, Detection, and Classification Using Machine Learning

Contact Info

Product

Resources

About