Minerva: A File-Based Ransomware Detector

Hitaj, Dorjan; Pagnotta, Giulio; Gaspari, Fabio De; Carli, Lorenzo De; Mancini, Luigi V.

doi:10.48550/arxiv.2301.11050

Cited by 3 publications

(3 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, it was an empirical study due to the use of static analysis. Minerva, a ransomware detection approach was presented in [39] which observes all the operation performed on a file during a specific time. This work was limited as it can raise false alarms by focusing on the encryption of files that could be encrypted by benign programs.…”

Section: A Early Detection Of Ransomware Attacksmentioning

confidence: 99%

Addressing Behavioral Drift in Ransomware Early Detection Through Weighted Generative Adversarial Networks

Urooj,

Al-Rimy,

Zainal

et al. 2024

IEEE Access

View full text Add to dashboard Cite

Crypto-ransomware attacks pose a significant cyber threat due to the irreversible effect of encryption employed to deny access to the data on the victim's device. Existing state-of-the-art solutions are developed based on two assumptions: the availability of sufficient data to perform detection during the preencryption phase, and that ransomware behavior is static and does not change over time. However, such assumptions do not hold as data collected during the pre-encryption phase of the ransomware attack are limited and does not contain sufficient patterns needed to identify the attack. Additionally, the evasion techniques like polymorphism and metamorphism used by ransomware lead to behavioral drift that could defeat those solutions. Therefore, this paper addresses these two issues by proposing a weighted Generative Adversarial Networks (wGANs) technique. Firstly, the proposed wGAN was used to generate synthetic data that imitate the behavior of ransomware and simulate the evolution of the attacks. Then, the mutual information was used to estimate the significance of features for different timeframes, thereby helping the detection model to handle the behavioral drift in emerging ransomware variants. Experimental evaluation demonstrates that the proposed wGAN is more robust against behavioral drift compared to the state-of-theart solutions. The wGAN achieved higher accuracy and lower false alarm rates.

show abstract

Section: A Early Detection Of Ransomware Attacksmentioning

confidence: 99%

Addressing Behavioral Drift in Ransomware Early Detection Through Weighted Generative Adversarial Networks

Urooj,

Al-Rimy,

Zainal

et al. 2024

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Furthermore, the use of cryptographic algorithms and reinforcement learning has been proposed as a means to enhance ransomware detection and defense mechanisms [ 22 , 23 ]. In response to the increasing sophistication of ransomware attacks, researchers have introduced innovative approaches such as file-based ransomware detectors and self-configurable prevention techniques for the Internet of Medical Things (IoMT) [ 24 , 25 ]. Additionally, the development of early-stage detection systems based on pre-attack internal API calls has been explored as a means to mitigate ransomware attacks [ 26 ].…”

Section: Introductionmentioning

confidence: 99%

eMIFS: A Normalized Hyperbolic Ransomware Deterrence Model Yielding Greater Accuracy and Overall Performance

Alqahtani,

Sheldon

2024

Sensors

View full text Add to dashboard Cite

Early detection of ransomware attacks is critical for minimizing the potential damage caused by these malicious attacks. Feature selection plays a significant role in the development of an efficient and accurate ransomware early detection model. In this paper, we propose an enhanced Mutual Information Feature Selection (eMIFS) technique that incorporates a normalized hyperbolic function for ransomware early detection models. The normalized hyperbolic function is utilized to address the challenge of perceiving common characteristics among features, particularly when there are insufficient attack patterns contained in the dataset. The Term Frequency–Inverse Document Frequency (TF–IDF) was used to represent the features in numerical form, making it ready for the feature selection and modeling. By integrating the normalized hyperbolic function, we improve the estimation of redundancy coefficients and effectively adapt the MIFS technique for early ransomware detection, i.e., before encryption takes place. Our proposed method, eMIFS, involves evaluating candidate features individually using the hyperbolic tangent function (tanh), which provides a suitable representation of the features’ relevance and redundancy. Our approach enhances the performance of existing MIFS techniques by considering the individual characteristics of features rather than relying solely on their collective properties. The experimental evaluation of the eMIFS method demonstrates its efficacy in detecting ransomware attacks at an early stage, providing a more robust and accurate ransomware detection model compared to traditional MIFS techniques. Moreover, our results indicate that the integration of the normalized hyperbolic function significantly improves the feature selection process and ultimately enhances ransomware early detection performance.

show abstract

“…Additionally, there has been an exploration into employing dynamic analysis, decoy-based security, and process monitoring to improve ransomware detection [32][33][34]. The creation of smart and adaptable detection systems, alongside the use of performance counters and detectors that focus on file-based ransomware, is indicative of the complex nature of these detection solutions [35][36][37]. Furthermore, the adoption of AI-driven hybrid methods and layered profiling with machine learning has been pivotal in enhancing ransomware-detection processes [38].…”

Section: Introductionmentioning

confidence: 99%

An Incremental Mutual Information-Selection Technique for Early Ransomware Detection

Gazzan,

Sheldon

2024

Information

View full text Add to dashboard Cite

Ransomware attacks have emerged as a significant threat to critical data and systems, extending beyond traditional computers to mobile and IoT/Cyber–Physical Systems. This study addresses the need to detect early ransomware behavior when only limited data are available. A major step for training such a detection model is choosing a set of relevant and non-redundant features, which is challenging when data are scarce. Therefore, this paper proposes an incremental mutual information-selection technique as a method for selecting the relevant features at the early stages of ransomware attacks. It introduces an adaptive feature-selection technique that processes data in smaller, manageable batches. This approach lessens the computational load and enhances the system’s ability to quickly adapt to new data arrival, making it particularly suitable for ongoing attacks during the initial phases of the attack. The experimental results emphasize the importance of the proposed technique in estimating feature significance in limited data scenarios. Such results underscore the significance of the incremental approach as a proactive measure in addressing the escalating challenges posed by ransomware.

show abstract

Minerva: A File-Based Ransomware Detector

Cited by 3 publications

References 26 publications

Addressing Behavioral Drift in Ransomware Early Detection Through Weighted Generative Adversarial Networks

Addressing Behavioral Drift in Ransomware Early Detection Through Weighted Generative Adversarial Networks

eMIFS: A Normalized Hyperbolic Ransomware Deterrence Model Yielding Greater Accuracy and Overall Performance

An Incremental Mutual Information-Selection Technique for Early Ransomware Detection

Contact Info

Product

Resources

About