Sajad Homayoun scite author profile

Abstract-Emergence of crypto-ransomware has significantly changed the cyber threat landscape. A crypto ransomware removes data custodian access by encrypting valuable data on victims' computers and requests a ransom payment to reinstantiate custodian access by decrypting data. Timely detection of ransomware very much depends on how quickly and accurately system logs can be mined to hunt abnormalities and stop the evil. In this paper we first setup an environment to collect activity logs of 517 Locky ransomware samples, 535 Cerber ransomware samples and 572 samples of TeslaCrypt ransomware. We utilize Sequential Pattern Mining to find Maximal Frequent Patterns (MFP) of activities within different ransomware families as candidate features for classification using J48, Random Forest, Bagging and MLP algorithms. We could achieve 99% accuracy in detecting ransomware instances from goodware samples and 96.5% accuracy in detecting family of a given ransomware sample. Our results indicate usefulness and practicality of applying pattern mining techniques in detection of good features for ransomware hunting. Moreover, we showed existence of distinctive frequent patterns within different ransomware families which can be used for identification of a ransomware sample family for building intelligence about threat actors and threat profile of a given target.

show abstract

DRTHIS: Deep ransomware threat hunting and intelligence system at the fog layer

Homayoun

Dehghantanha

Ahmadzadeh

et al. 2019

Future Generation Computer Systems

120

View full text Add to dashboard Cite

Ransomware, a malware designed to encrypt data for ransom payments, is a threat to fog layer nodes as such nodes typically contain considerably amount of sensitive data. The capability to efficiently hunt abnormalities relating to ransomware activities is crucial in timely detection of ransomware. In this paper, we present our Deep Ransomware Threat Hunting and Intelligence System (DRTHIS) to distinguish ransomware from goodware and identify their families. Specifically, DRTHIS utilizes Long Short-Term Memory (LSTM) and Convolutional Neural Network (CNN), two deep learning techniques, for classification using the softmax algorithm. We then use 220 Locky, 220 Cerber and 220 TeslaCrypt ransomware samples, and 219 goodware samples, to train DRTHIS. Findings from our evaluations demonstrate that the proposed system achieves an F-measure of 99.6% with a true positive rate of 97.2% in the classification of ransomware instances. Additionally, we demonstrate that DRTHIS is capable of detecting previously unseen ransomware samples from new ransomware families in a timely and accurate manner using ransomware from the CryptoWall, TorrentLocker and Sage families. The findings show that 99% of CryptoWall samples, 75% of TorrentLocker samples and 92% of Sage samples are correctly classified.

show abstract

Detecting Cryptomining Malware: a Deep Learning Approach for Static and Dynamic Analysis

et al. 2020

View full text Add to dashboard Cite

BoTShark: A Deep Learning Approach for Botnet Traffic Detection

Homayoun

Ahmadzadeh

Hashemi

et al. 2018

View full text Add to dashboard Cite

An opcode‐based technique for polymorphic Internet of Things malware detection

Darabian

Dehghantanha

Hashemi

et al. 2019

Concurrency and Computation

View full text Add to dashboard Cite

The increasing popularity of Internet of Things (IoT) devices makes them an attractive target for malware authors. In this paper, we use sequential pattern mining technique to detect most frequent opcode sequences of malicious IoT applications. Detected maximal frequent patterns (MFP) of opcode sequences can be used to differentiate malicious from benign IoT applications.We then evaluate the suitability of MFPs as a classification feature for K nearest neighbors (KNN), support vector machines (SVM), multilayer perceptron (MLP), AdaBoost, decision tree, and random forest classifier. Specifically, we achieve an accuracy rate of 99% in the detection of unseen IoT malware. We also demonstrate the utility of our approach in detecting polymorphed IoT malware samples.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Sajad Homayoun

Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence

DRTHIS: Deep ransomware threat hunting and intelligence system at the fog layer

Detecting Cryptomining Malware: a Deep Learning Approach for Static and Dynamic Analysis

BoTShark: A Deep Learning Approach for Botnet Traffic Detection

An opcode‐based technique for polymorphic Internet of Things malware detection

Contact Info

Product

Resources

About