A Proposed Crypto-Ransomware Early Detection (CRED) Model Using an Integrated Deep Learning and Vector Space Model Approach

Crypto-ransomware is a malware category that targets user-related files, encrypts them, and holds them to ransom. Because the effect of a crypto-ransomware attack is irreversible, it must be detected early, before the files are encrypted. Several works have proposed detecting such attacks in the pre-encryption phase, before encryption takes place, but their main limitation is how they define the boundaries of that phase: they delineate the pre-encryption boundary by tracking the first call of any cryptography-related Application Programming Interface (API). Relying on the first cryptography-related API call is not accurate, however, because these APIs may serve other (normal) tasks performed by the crypto-ransomware, such as unpacking and/or decrypting a metamorphic payload, before the malicious activity starts. In that case, the collected pre-encryption data lack many relevant pre-encryption attack patterns that occur after the mistakenly identified boundary. Such data insufficiency degrades the accuracy of the detection model and increases the rate of false alarms. To overcome these limitations, this paper proposes an early detection model (CRED) that determines the pre-encryption boundaries, and collects the data belonging to this phase, more accurately. Unlike the existing research, the CRED model employs both data-centric and process-centric detection approaches to combine I/O Request Packet (IRP) and API data. These data are then used to train a deep learning-based model. The CRED model will be evaluated on a benchmark dataset collected by executing real-world crypto-ransomware samples downloaded from a widely used repository. The performance of the detection model will be validated using k-fold cross-validation and compared against the models proposed in existing works.
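The boundary problem described above, as an added illustration that is not code from the paper: a constructed trace of API calls and IRP events in which the sample first uses CryptDecrypt to unpack its own payload, so the first-crypto-API rule cuts the pre-encryption window to nothing. The second rule (end the phase at the first IRP write to a user file after CryptEncrypt) is an assumed, simplified data-centric heuristic for contrast, not the CRED model's method.

```python
# Added example, not the paper's code: shows how delimiting the pre-encryption
# phase at the first crypto API call truncates the data. The write-based rule
# below is a simplified illustration (an assumption), NOT the CRED model.
from dataclasses import dataclass

CRYPTO_APIS = {"CryptAcquireContext", "CryptImportKey", "CryptDecrypt",
               "CryptGenKey", "CryptEncrypt"}
USER_FILE_EXT = (".docx", ".xlsx", ".jpg", ".pdf")

@dataclass
class Event:
    kind: str         # "api" = API call, "irp" = file-system I/O request packet
    name: str         # API name or IRP major function (e.g. IRP_MJ_WRITE)
    target: str = ""  # file path for IRP events

# Constructed trace: the sample first decrypts its packed payload (a benign use
# of crypto APIs), enumerates user files, and only then encrypts them.
TRACE = [
    Event("api", "CryptAcquireContext"),
    Event("api", "CryptImportKey"),
    Event("api", "CryptDecrypt"),        # unpacking, not the attack
    Event("api", "VirtualAlloc"),
    Event("api", "FindFirstFileW"),      # relevant pre-encryption patterns that
    Event("api", "FindNextFileW"),       #   the first-crypto-API rule discards
    Event("irp", "IRP_MJ_CREATE", "C:\\Users\\a\\report.docx"),
    Event("irp", "IRP_MJ_READ", "C:\\Users\\a\\report.docx"),
    Event("api", "CryptGenKey"),
    Event("api", "CryptEncrypt"),
    Event("irp", "IRP_MJ_WRITE", "C:\\Users\\a\\report.docx"),  # damage starts
]

def boundary_first_crypto_api(trace):
    """Prior-work boundary: index of the first cryptography-related API call."""
    for i, ev in enumerate(trace):
        if ev.kind == "api" and ev.name in CRYPTO_APIS:
            return i
    return len(trace)

def boundary_first_encrypted_write(trace):
    """Illustrative data-centric rule (assumption): the phase ends at the first
    IRP write to a user file that follows a CryptEncrypt call."""
    seen_encrypt = False
    for i, ev in enumerate(trace):
        if ev.kind == "api" and ev.name == "CryptEncrypt":
            seen_encrypt = True
        elif (seen_encrypt and ev.kind == "irp" and ev.name == "IRP_MJ_WRITE"
              and ev.target.lower().endswith(USER_FILE_EXT)):
            return i
    return len(trace)
```

Slicing `TRACE[:boundary]` gives the events a detector would get to train on: the first rule yields an empty window, the second keeps the file-enumeration and key-generation patterns.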
