A system call refinement-based enhanced Minimum Redundancy Maximum Relevance method for ransomware early detection

Ahmed, Yunis Ali; Koçer, Barış; Huda, Shamsul; Al‐rimy, Bander Ali Saleh; Hassan, Mohammad Mehedi

doi:10.1016/j.jnca.2020.102753

Cited by 87 publications

(74 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Via API Call Behavior: One of the main behavioral features obtained from dynamic analysis of ransomware is API calls. In this context, the works [8,15,17,34,49,122,166,182,203] used API calls as features to build ML classiiers to detect ransomware in PCs/workstations. Some of the studies used API calls as features and built SVM classiiers [182], Long-Short Term Memory (LSTM) classiiers [122], Recurrent Neural Network (RNN) classiiers [7], and Restricted Boltzmann Machine classiiers [166].…”

Section: Ransomware Detection For Pcs/worktationsmentioning

confidence: 99%

“…In addition to the reviewed studies building various classiiers using API calls, some researchers focused more on inding the most signiicant API call features. Ahmed et al [8] proposed a new iltering method in the feature selection process to ind the most appropriate API call n-grams for ransomware detection. They tested the performance of various ML classiiers.…”

Section: Ransomware Detection For Pcs/worktationsmentioning

confidence: 99%

See 1 more Smart Citation

A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions

et al. 2022

View full text Add to dashboard Cite

In recent years, ransomware has been one of the most notorious malware targeting end-users, governments, and business organizations. It has become a very profitable business for cybercriminals with revenues of millions of dollars, and a very serious threat to organizations with financial loss of billions of dollars. Numerous studies were proposed to address the ransomware threat, including surveys that cover certain aspects of ransomware research. However, no study exists in the literature that gives the complete picture on ransomware and ransomware defense research with respect to the diversity of targeted platforms. Since ransomware is already prevalent in PCs/workstations/desktops/laptops, is becoming more prevalent in mobile devices, and has already hit IoT/CPS recently, and will likely grow further in the IoT/CPS domain very soon, understanding ransomware and analyzing defense mechanisms with respect to target platforms is becoming more imperative. In order to fill this gap and motivate further research, in this paper, we present a comprehensive survey on ransomware and ransomware defense research with respect to PCs/workstations, mobile devices, and IoT/CPS platforms. Specifically, covering 137 studies over the period of 1990-2020, we give a detailed overview of ransomware evolution, comprehensively analyze the key building blocks of ransomware, present a taxonomy of notable ransomware families, and provide an extensive overview of ransomware defense research (i.e., analysis, detection, and recovery) with respect to platforms of PCs/workstations, mobile devices, and IoT/CPS. Moreover, we derive an extensive list of open issues for future ransomware research. We believe this survey will motivate further research by giving a complete picture on state-of-the-art ransomware research.

show abstract

Section: Ransomware Detection For Pcs/worktationsmentioning

confidence: 99%

Section: Ransomware Detection For Pcs/worktationsmentioning

confidence: 99%

A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions

et al. 2022

View full text Add to dashboard Cite

show abstract

“…Data-centric identification aims to track the sources being affected rather than the malicious operation causing the attack [19]. Data-centric crypto ransomware identification techniques [4][5][6][7][8][9] have been explored in several studies. To identify anomalous modifications, most of these solutions offered rely on analyzing user-related documents on a continual basis.…”

Section: Data Centric-based Approachesmentioning

confidence: 99%

“…The efforts of security professionals and researches have converged to fight ransomware attacks [5,6]. They work side-by-side to detect, prevent, and mitigate such attacks and their potential effect.…”

Section: Introductionmentioning

confidence: 99%

A Survey of Crypto Ransomware Attack Detection Methodologies: An Evolving Outlook

Alqahtani

Sheldon

2022

Sensors

View full text Add to dashboard Cite

Recently, ransomware attacks have been among the major threats that target a wide range of Internet and mobile users throughout the world, especially critical cyber physical systems. Due to its unique characteristics, ransomware has attracted the attention of security professionals and researchers toward achieving safer and higher assurance systems that can effectively detect and prevent such attacks. The state-of-the-art crypto ransomware early detection models rely on specific data acquired during the runtime of an attack’s lifecycle. However, the evasive mechanisms that these attacks employ to avoid detection often nullify the solutions that are currently in place. More effort is needed to keep up with an attacks’ momentum to take the current security defenses to the next level. This survey is devoted to exploring and analyzing the state-of-the-art in ransomware attack detection toward facilitating the research community that endeavors to disrupt this very critical and escalating ransomware problem. The focus is on crypto ransomware as the most prevalent, destructive, and challenging variation. The approaches and open issues pertaining to ransomware detection modeling are reviewed to establish recommendations for future research directions and scope.

show abstract

“…These methods change the binary of the malware, and thus its hash, but leave its behavior unmodified. Behavioralbased malware detection has been extensively studied in the literature [13,15]. Machine learning techniques were used to train a model based on features collected from dynamic analysis.…”

Section: Introductionmentioning

confidence: 99%

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

et al. 2021

View full text Add to dashboard Cite

Malware variants are the major emerging threats that face cybersecurity due to the potential damage to computer systems. Many solutions have been proposed for detecting malware variants. However, accurate detection is challenging due to the constantly evolving nature of the malware variants that cause concept drift. Existing malware detection solutions assume that the mapping learned from historical malware features will be valid for new and future malware. The relationship between input features and the class label has been considered stationary, which doesn't hold for the ever-evolving nature of malware variants. Malware features change dynamically due to code obfuscations, mutations, and the modification made by malware authors to change the features' distribution and thus evade the detection rendering the detection model obsolete and ineffective. This study presents an Adaptive behavioral-based Incremental Batch Learning Malware Variants Detection model using concept drift detection and sequential deep learning (AIBL-MVD) to accommodate the new malware variants. Malware behavior were extracted using dynamic analysis by running the malware files in a sandbox environment and collecting their Application Programming Interface (API) traces. According to the malware first-time appearance, the malware samples were sorted to capture the malware variants' change characteristics. The base classifier was then trained based on a subset of historical malware samples using a sequential deep learning model. The new malware samples were mixed with a subset of old data and gradually introduced to the learning model in an adaptive batch size incremental learning manner to address the catastrophic forgetting dilemma of the incremental learning. The statistical process control technique has been used to detect the concept drift as indication for incrementally updating the model as well as reducing the frequency of model updates. Results from extensive experiments show that the proposed model is superior in terms of detection rate and the efficiency compared with the static model, periodic retraining approaches, and the fixed batch size incremental learning approach. The model maintains an average of 99.41% detection accuracy of new and variants malware with a low updating frequency of 1.35 times per month.

show abstract

A system call refinement-based enhanced Minimum Redundancy Maximum Relevance method for ransomware early detection

Cited by 87 publications

References 20 publications

A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions

A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions

A Survey of Crypto Ransomware Attack Detection Methodologies: An Evolving Outlook

An Adaptive Behavioral-Based Incremental Batch Learning Malware Variants Detection Model Using Concept Drift Detection and Sequential Deep Learning

Contact Info

Product

Resources

About