Two-Stage Ransomware Detection Using Dynamic Analysis and Machine Learning Techniques

Hwang, Jinsoo; Kim, Jeankyung; Lee, Seung Hwan; Kim, Ki-Chang

doi:10.1007/s11277-020-07166-9

Cited by 110 publications

(72 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Hwang et al [20] have proposed a two-stage mixed ransomware detection model using the Markov model and Random Forest. They leveraged the Windows API call sequence pattern to build a Markov model, then used the Random Forest machine learning model to train the remaining data.…”

Section: Literature Reviewmentioning

confidence: 99%

Analysis of Crypto-Ransomware Using ML-Based Multi-Level Profiling

Poudyal¹,

Dasgupta

2021

IEEE Access

View full text Add to dashboard Cite

Crypto-ransomware is the most prevalent form of modern malware, has affected various industries, demanding a significant amount of ransom. Mainly, small businesses, healthcare, education, and government sectors have been under continuous attacks by these adversaries. Various static and dynamic analysis techniques exist, but these methods become less efficient as the malware writers continuously trick the defenders. Numerous research of ransomware with AI techniques often lack the behavioral analysis and its correlation mapping. In this work, we developed an AI-powered hybrid approach overcoming the recent challenges to detect ransomware. Specifically, we proposed a deep inspection approach for multi-level profiling of crypto-ransomware, which captures the distinct features at Dynamic link library, function call, and assembly levels. We showed how the code segments correlate at these levels for studied samples. Our hybrid multi-level analysis approach includes advanced static and dynamic methods and a novel strategy of analyzing behavioral chains with AI techniques. Moreover, association rule mining, natural language processing techniques, and machine learning classifiers are integrated for building ransomware validation and detection model. We experimented with crypto-ransomware samples (collected from VirusTotal). One of the machine learning algorithms achieved the highest accuracy of 99.72% and a false positive rate of 0.003 with two class datasets. The result exhibited that multi-level profiling can better detect ransomware samples with higher accuracy. The multi-level feature sequence can be extracted from most of the applications running in the different operating systems; therefore, we believe that our method can detect ransomware for devices on multiple platforms. We designed a prototype, AIRaD (AI-based Ransomware Detection) tool, which will allow researchers and the defenders to visualize the analysis with proper interpretation.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Analysis of Crypto-Ransomware Using ML-Based Multi-Level Profiling

Poudyal¹,

Dasgupta

2021

IEEE Access

View full text Add to dashboard Cite

show abstract

“…In [3] Hwang et al combined a Markov model with random forest model to build two-stage mixed ransomware detection model. The Markov model is used to capture the characteristics of ransomware with the Windows API call sequence pattern that obtained by a dynamic analysis.…”

Section: Related Researchmentioning

confidence: 99%

“…They are based on certain features extracted from a dynamic analysis or static analysis, such as API sequences, opcode strings of files, file entropy levels, and/or change in system files. The use of the API function call sequence to detect and classify ransomware types had been applied in many practical studies, such as in [1], [2], [3], [4], showing promising results. However, the fundamental problem of detection methods based on static analysis is weak detection when attackers use code obfuscation methods or zero-day attacks.…”

Section: Introductionmentioning

confidence: 99%

LightGBM-based Ransomware Detection using API Call Sequences

Nguyen¹,

Lee²

2021

IJACSA

View full text Add to dashboard Cite

“…This research uses a two-staged approach to detecting ransomware [24]. The authors acknowledge the increasing diversity in ransomware and the difficulty in detecting ransomware.…”

Section: Two Stage Ransomware Detectionmentioning

confidence: 99%

“…For example, one algorithm would handle behavioural data, another would handle hardware, and a third algorithm would handle the network data. The use of multiple algorithms is present in [24,25] where the systems use a Markov Chain and Decision tree, and a Naïve Bayes and Decision Tree hybrid, respectively. The most suitable machine learning or deep learning approaches would have to be selected and aggregated to take decisions from all three components and then decided whether a sample is a ransomware or not.…”

Section: New Directions/ransomware Evolutionmentioning

confidence: 99%

A Study on the Evolution of Ransomware Detection Using Machine Learning and Deep Learning Techniques

Fernando

Komninos

2020

IoT

View full text Add to dashboard Cite

This survey investigates the contributions of research into the detection of ransomware malware using machine learning and deep learning algorithms. The main motivations for this study are the destructive nature of ransomware, the difficulty of reversing a ransomware infection, and how important it is to detect it before infecting a system. Machine learning is coming to the forefront of combatting ransomware, so we attempted to identify weaknesses in machine learning approaches and how they can be strengthened. The threat posed by ransomware is exceptionally high, with new variants and families continually being found on the internet and dark web. Recovering from ransomware infections is difficult, given the nature of the encryption schemes used by them. The increase in the use of artificial intelligence also coincides with this boom in ransomware. The exploration into machine learning and deep learning approaches when it comes to detecting ransomware poses high interest because machine learning and deep learning can detect zero-day threats. These techniques can generate predictive models that can learn the behaviour of ransomware and use this knowledge to detect variants and families which have not yet been seen. In this survey, we review prominent research studies which all showcase a machine learning or deep learning approach when detecting ransomware malware. These studies were chosen based on the number of citations they had by other research. We carried out experiments to investigate how the discussed research studies are impacted by malware evolution. We also explored the new directions of ransomware and how we expect it to evolve in the coming years, such as expansion into IoT (Internet of Things), with IoT being integrated more into infrastructures and into homes.

show abstract

Two-Stage Ransomware Detection Using Dynamic Analysis and Machine Learning Techniques

Cited by 110 publications

References 9 publications

Analysis of Crypto-Ransomware Using ML-Based Multi-Level Profiling

Analysis of Crypto-Ransomware Using ML-Based Multi-Level Profiling

LightGBM-based Ransomware Detection using API Call Sequences

A Study on the Evolution of Ransomware Detection Using Machine Learning and Deep Learning Techniques

Contact Info

Product

Resources

About