Volume 18, Issue 3 (12-2021)   JSDP 2021, 18(3): 29-44
Darabian H, Hashemi S, Homayoon S, Bagherifard K. Detecting Ransomware and Identifying their Families Using Sequence Mining in Dynamic Analysis. JSDP 2021; 18(3): 29-44
URL: http://jsdp.rcisp.ac.ir/article-1-1003-en.html
Shiraz University
Abstract:
Crypto-ransomware is now regarded as one of the most serious threats in cybersecurity. It removes access to data by encrypting valuable files and demands a ransom payment in exchange for decryption. The number of crypto-ransomware variants grows rapidly every year, so ransomware must be distinguished both from goodware and from other ransomware families in order to protect users' machines. Most published work identifies ransomware from file-system and process behaviour, which depends on how quickly and accurately system logs can be collected and mined for anomalies. Because the damage done by a ransomware attack is often irreparable, timely detection matters: this paper focuses on early detection of ransomware samples by analysing the behavioural logs of programs executing on the operating system, before the malicious program has destroyed all of the victim's files. Sequential pattern mining is used to find maximal sequential patterns of activity within different ransomware families, and these patterns serve as candidate features for classification. First, we built a test environment to execute samples and collect their activity logs, covering 572 TeslaCrypt, 535 Cerber and 517 Locky samples; the testbed can be reused in other projects that require automated execution of malware. We then extracted features from the output of the sequence-mining step and used them to train a classifier. The resulting accuracy of 99% in separating ransomware from benign samples and 96.5% in identifying the family of a given ransomware sample demonstrates the usefulness and practicality of the proposed method.
Type of Study: Applicable | Subject: Paper
Received: 2019/04/28 | Accepted: 2020/08/18 | Published: 2022/01/20 | ePublished: 2022/01/20
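The pipeline the abstract describes, as an added illustration that is not the paper's own code: toy API-call traces (constructed here, not the paper's dataset) are mined per family for maximal sequential patterns with a level-wise, GSP-style search; each maximal pattern becomes a binary presence feature; and a held-out trace is scored against every family's pattern set. The family names follow the abstract, but the event names, the min_support of 1.0 and the 0.5 decision threshold are assumptions chosen to keep the example small.

```python
"""Sequential pattern mining over sandbox API-call traces, then classification by
pattern presence. Added illustration; not the paper's implementation."""
from typing import Dict, Iterable, List, Sequence, Set, Tuple

Pattern = Tuple[str, ...]
Trace = List[str]

# Constructed toy traces (NOT the paper's 1,624-sample dataset): one ordered list
# of API calls per executed sample, as a sandbox would log them.
TRACES: Dict[str, List[Trace]] = {
    "teslacrypt": [
        ["FindFirstFile", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFile", "FindNextFile"],
        ["FindFirstFile", "GetFileSize", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFile"],
        ["FindFirstFile", "ReadFile", "CryptEncrypt", "WriteFile", "SetFileAttributes", "DeleteFile"],
    ],
    "cerber": [
        ["RegSetValue", "GetVolumeInformation", "ReadFile", "CryptEncrypt", "WriteFile", "MoveFile"],
        ["RegSetValue", "GetVolumeInformation", "ReadFile", "CryptEncrypt", "WriteFile", "MoveFile", "ShellExecute"],
        ["GetVolumeInformation", "RegSetValue", "ReadFile", "CryptEncrypt", "WriteFile", "MoveFile"],
    ],
    "locky": [
        ["InternetOpen", "HttpSendRequest", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFile"],
        ["InternetOpen", "HttpSendRequest", "CryptGenKey", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFile"],
        ["InternetOpen", "HttpSendRequest", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFile", "ShellExecute"],
    ],
    "benign": [
        ["CreateFile", "ReadFile", "CloseHandle"],
        ["CreateFile", "ReadFile", "WriteFile", "CloseHandle"],
        ["RegQueryValue", "CreateFile", "WriteFile", "CloseHandle"],
    ],
}
RANSOMWARE_FAMILIES = ("teslacrypt", "cerber", "locky")

# Constructed, previously unseen trace with noise events around the core behaviour.
HELD_OUT: Trace = ["RegQueryValue", "FindFirstFile", "GetFileSize", "ReadFile",
                   "CryptEncrypt", "WriteFile", "DeleteFile"]


def is_subsequence(pattern: Sequence[str], trace: Sequence[str]) -> bool:
    """True if the events of `pattern` occur in `trace` in that order, gaps allowed."""
    it = iter(trace)
    return all(any(event == wanted for event in it) for wanted in pattern)


def support(pattern: Pattern, traces: Sequence[Trace]) -> float:
    """Fraction of traces that contain the pattern as a subsequence."""
    return sum(is_subsequence(pattern, t) for t in traces) / len(traces)


def mine_frequent(traces: Sequence[Trace], min_support: float, max_len: int = 8) -> Dict[Pattern, float]:
    """Level-wise search: a k-pattern is only grown from a frequent (k-1)-prefix,
    since support can never increase when a pattern gets longer."""
    events = sorted({e for t in traces for e in t})
    frequent: Dict[Pattern, float] = {}
    level: List[Pattern] = [(e,) for e in events]
    while level and len(level[0]) <= max_len:
        kept: List[Pattern] = []
        for cand in level:
            s = support(cand, traces)
            if s >= min_support:
                frequent[cand] = s
                kept.append(cand)
        level = [p + (e,) for p in kept for e in events]
    return frequent


def maximal(frequent: Iterable[Pattern]) -> Set[Pattern]:
    """Keep only patterns that are not a subsequence of a longer frequent pattern."""
    pats = list(frequent)
    return {p for p in pats if not any(q != p and is_subsequence(p, q) for q in pats)}


def mine_family_patterns(traces_by_family: Dict[str, List[Trace]], families: Sequence[str],
                         min_support: float = 1.0) -> Dict[str, Set[Pattern]]:
    """Mine maximal patterns separately inside each ransomware family."""
    return {f: maximal(mine_frequent(traces_by_family[f], min_support)) for f in families}


def feature_vector(trace: Trace, patterns: Sequence[Pattern]) -> List[int]:
    """Binary presence features, one per mined pattern, for a downstream classifier."""
    return [int(is_subsequence(p, trace)) for p in patterns]


def classify(trace: Trace, family_patterns: Dict[str, Set[Pattern]], threshold: float = 0.5) -> str:
    """Score a trace by the fraction of each family's patterns it exhibits; anything
    below the threshold for every family is treated as benign."""
    scores = {f: (sum(is_subsequence(p, trace) for p in pats) / len(pats)) if pats else 0.0
              for f, pats in family_patterns.items()}
    best, score = max(scores.items(), key=lambda kv: kv[1])
    return best if score >= threshold else "benign"


if __name__ == "__main__":
    fam = mine_family_patterns(TRACES, RANSOMWARE_FAMILIES)
    for name, pats in fam.items():
        print(name, sorted(pats))
    print("held-out trace ->", classify(HELD_OUT, fam))
```

With these toy traces the miner recovers one maximal pattern for TeslaCrypt, two for Cerber (the registry write and the volume query appear in both orders, so neither ordering reaches full support) and one for Locky, and every benign trace scores zero. A support threshold of 1.0 only works on noiseless data; real sandbox logs need a lower threshold and a proper learner over the feature vectors. One caveat that matters for early detection: patterns that end in destructive calls such as DeleteFile can only fire after the damage has started, so patterns built from the events that precede mass encryption are the ones worth keeping.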


Rights and permissions
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.