A Ransomware Early Detection Model based on an Enhanced Joint Mutual Information Feature Selection Method
Received: 17 February 2024 | Revised: 4 March 2024 and 21 March 2024 | Accepted: 24 March 2024 | Online: 16 July 2024
Corresponding author: Bander Ali Saleh Al-rimy
Abstract
Crypto ransomware attacks pose a significant threat by encrypting users' data and demanding ransom payments, causing permanent data loss if not detected and mitigated before encryption occurs. The existing studies have faced challenges in the pre-encryption phase due to elusive attack patterns, insufficient data, and the lack of comprehensive information, often confusing the current detection techniques. Selecting appropriate features that effectively indicate an impending ransomware attack is a critical challenge. This research addresses this challenge by introducing an Enhanced Joint Mutual Information (EJMI) method that effectively assigns weights and ranks features based on their relevance while conducting contextual data analysis. The EJMI method employs a dual ranking system—TF for crypto APIs and TF-IDF for non-crypto APIs—to enhance the detection process and select the most significant features for training various Machine Learning (ML) classifiers. Furthermore, grid search is utilized for optimal classifier parameterization, aiming to detect ransomware efficiently and accurately in its pre-encryption phase. The proposed EJMI method has demonstrated a 4% improvement in detection accuracy compared to previous methods, highlighting its effectiveness in identifying and preventing crypto-ransomware attacks before data encryption occurs.
Keywords:
Ransomware, Early detection, Macine learning, Feature selectionDownloads
References
Y. A. Ahmed, B. Kocer, and B. A. S. Al-rimy, "Automated Analysis Approach for the Detection of High Survivable Ransomware," KSII Transactions on Internet and Information Systems, vol. 14, no. 5, pp. 2236–2258, May 2020.
H. Oz, A. Aris, A. Levi, and A. S. Uluagac, "A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions," ACM Computing Surveys, vol. 54, no. 11s, Jan. 2022, Art. no. 238.
Y. A. Ahmed, B. Koçer, S. Huda, B. A. Saleh Al-rimy, and M. M. Hassan, "A system call refinement-based enhanced Minimum Redundancy Maximum Relevance method for ransomware early detection," Journal of Network and Computer Applications, vol. 167, Oct. 2020, Art. no. 102753.
B. A. S. Al-rimy, M. A. Maarof, and S. Z. M. Shaid, "Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions," Computers & Security, vol. 74, pp. 144–166, May 2018.
A. Alqahtani and F. T. Sheldon, "Temporal Data Correlation Providing Enhanced Dynamic Crypto-Ransomware Pre-Encryption Boundary Delineation," Sensors, vol. 23, no. 9, Jan. 2023, Art. no. 4355.
M. Almousa, S. Basavaraju, and M. Anwar, "API-Based Ransomware Detection Using Machine Learning-Based Threat Detection Models," in 18th International Conference on Privacy, Security and Trust, Auckland, New Zealand, Dec. 2021, pp. 1–7.
A. M. A. Assaggaf, B. A. Al-Rimy, N. L. Ismail, and A. Al-Nahari, "Development of Graph-Based Knowledge on Ransomware Attacks Using Twitter Data," in The International Conference on Data Science and Emerging Technologies, Dec. 2022, pp. 168–183.
S. H. Kok, A. Abdullah, and N. Jhanjhi, "Early detection of crypto-ransomware using pre-encryption detection algorithm," Journal of King Saud University - Computer and Information Sciences, vol. 34, no. 5, pp. 1984–1999, May 2022.
B. A. S. Al-rimy et al., "Redundancy Coefficient Gradual Up-weighting-based Mutual Information Feature Selection technique for Crypto-ransomware early detection," Future Generation Computer Systems, vol. 115, pp. 641–658, Feb. 2021.
A. Al-Marghilani, "Comprehensive Analysis of IoT Malware Evasion Techniques," Engineering, Technology & Applied Science Research, vol. 11, no. 4, pp. 7495–7500, Aug. 2021.
J. Kumar and G. Ranganathan, "Malware Attack Detection in Large Scale Networks using the Ensemble Deep Restricted Boltzmann Machine," Engineering, Technology & Applied Science Research, vol. 13, no. 5, pp. 11773–11778, Oct. 2023.
A. Continella et al., "ShieldFS: A Self-healing, Ransomware-aware Filesystem," in 32nd Annual Conference on Computer Security Applications, Los Angeles, CA, USA, Dec. 2016, pp. 336–347.
N. Scaife, H. Carter, P. Traynor, and K. R. B. Butler, "CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data," in 36th International Conference on Distributed Computing Systems, Nara, Japan, Jun. 2016, pp. 303–312.
E. Kolodenker, W. Koch, G. Stringhini, and M. Egele, "PayBreak: Defense Against Cryptographic Ransomware," in ACM on Asia Conference on Computer and Communications Security, Abu Dhabi, United Arab Emirates, Apr. 2017, pp. 599–611.
K. Aldriwish, "A Deep Learning Approach for Malware and Software Piracy Threat Detection," Engineering, Technology & Applied Science Research, vol. 11, no. 6, pp. 7757–7762, Dec. 2021.
D. W. Fernando, N. Komninos, and T. Chen, "A Study on the Evolution of Ransomware Detection Using Machine Learning and Deep Learning Techniques," IoT, vol. 1, no. 2, pp. 551–604, Dec. 2020.
U. Urooj, B. A. S. Al-rimy, A. Zainal, F. A. Ghaleb, and M. A. Rassam, "Ransomware Detection Using the Dynamic Analysis and Machine Learning: A Survey and Research Directions," Applied Sciences, vol. 12, no. 1, Jan. 2022, Art. no. 172.
U. Urooj, M. A. B. Maarof, and B. A. S. Al-rimy, "A proposed Adaptive Pre-Encryption Crypto-Ransomware Early Detection Model," in 3rd International Cyber Resilience Conference, Langkawi Island, Malaysia, Jan. 2021, pp. 1–6.
S. Homayoun, A. Dehghantanha, M. Ahmadzadeh, S. Hashemi, and R. Khayami, "Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence," IEEE Transactions on Emerging Topics in Computing, vol. 8, no. 2, pp. 341–351, Apr. 2020.
D. Sgandurra, L. Munoz-Gonzalez, R. Mohsen, and E. C. Lupu, "Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection." arXiv, Sep. 10, 2016.
B. A. S. Al-Rimy et al., "A Pseudo Feedback-Based Annotated TF-IDF Technique for Dynamic Crypto-Ransomware Pre-Encryption Boundary Delineation and Features Extraction," IEEE Access, vol. 8, pp. 140586–140598, 2020.
G. Cusack, O. Michel, and E. Keller, "Machine Learning-Based Detection of Ransomware Using SDN," in ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, Tempe, AZ, USA, Mar. 2018, pp. 1–6.
K. C. Roy and Q. Chen, "DeepRan: Attention-based BiLSTM and CRF for Ransomware Early Detection and Classification," Information Systems Frontiers, vol. 23, no. 2, pp. 299–315, Apr. 2021.
B. A. S. Al-rimy, M. A. Maarof, and S. Z. M. Shaid, "Crypto-ransomware early detection model using novel incremental bagging with enhanced semi-random subspace selection," Future Generation Computer Systems, vol. 101, pp. 476–491, Dec. 2019.
P. M. Anand, P. V. S. Charan, and S. K. Shukla, "HiPeR-Early Detection of a Ransomware Attack using Hardware Performance Counters," Digital Threats: Research and Practice, vol. 4, no. 3, 2023, Art. no. 43.
U. Urooj, B. A. S. Al-Rimy, A. B. Zainal, F. Saeed, A. Abdelmaboud, and W. Nagmeldin, "Addressing Behavioral Drift in Ransomware Early Detection Through Weighted Generative Adversarial Networks," IEEE Access, vol. 12, pp. 3910–3925, 2024.
M. Gazzan and F. T. Sheldon, "An Enhanced Minimax Loss Function Technique in Generative Adversarial Network for Ransomware Behavior Prediction," Future Internet, vol. 15, no. 10, Oct. 2023, Art. no. 318.
P. Roemsri, S. Puangpontip, and R. Hewett, "On Detecting Crypto Ransomware Attacks: Can Simple Strategies be Effective?," in 6th International Conference on Information and Computer Technologies, Raleigh, NC, USA, Mar. 2023, pp. 138–143.
S. Zhang, T. Du, P. Shi, X. Su, and Y. Han, "Early Detection and Defense Countermeasure Inference of Ransomware based on API Sequence," International Journal of Advanced Computer Science and Applications, vol. 14, no. 10, pp. 632–641, Jan. 2023.
Q. Kang and Y. Gu, "Enhancing Ransomware Detection: A Windows API Min Max Relevance Refinement Approach." Nov. 16, 2023.
M. Bennasar, Y. Hicks, and R. Setchi, "Feature selection using Joint Mutual Information Maximisation," Expert Systems with Applications, vol. 42, no. 22, pp. 8520–8532, Dec. 2015.
A. Hashemi, M. B. Dowlatshahi, and H. Nazamabadi-pour, "Minimum redundancy maximum relevance ensemble feature selection: A bi-objective Pareto-based approach," Journal of Soft Computing and Information Technology, vol. 12, no. 1, pp. 20–28, 2023.
B. P. Joshi, N. Joshi, S. Oli, A. Rayal, A. Kumar, and A. Singh, "MIFS Ordered Weighted Operators method for renewable-energy-source-selection," in 2nd International Conference on Industrial Electronics: Developments & Applications, Imphal, India, Sep. 2023, pp. 248–253.
Downloads
How to Cite
License
Copyright (c) 2024 Tasnem Magdi Hassin Mohamed, Bander Ali Saleh Al-rimy, Sultan Ahmed Almalki
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain the copyright and grant the journal the right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) after its publication in ETASR with an acknowledgement of its initial publication in this journal.
