Abstract
Detecting ransomware is harder than detecting general malware because the number of ransomware variants with distinct signatures keeps growing, which leaves traditional signature-based detection powerless against it. Current ransomware detection techniques usually build a complex model that incorporates various behavioral traits, including suspicious file activities, API call patterns or frequencies, registry keys, file extensions, etc. In this paper, we build a two-stage mixed ransomware detection model that combines a Markov model and a Random Forest model. First, we focus on Windows API call sequence patterns and build a Markov model to capture the characteristics of ransomware. Next, we apply a Random Forest machine learning model to the remaining data in order to control both the false positive rate (FPR) and the false negative rate (FNR). With this two-stage mixed detection method we achieve an overall accuracy of 97.3% with 4.8% FPR and 1.5% FNR.
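The first stage described above, as an added illustration that is not the paper's code: a first-order Markov chain over Windows API call names is fitted separately on ransomware and benign traces, a new trace is scored by its per-transition log-likelihood ratio, and only confident scores are decided; everything inside the margin is marked "undecided" for the second-stage classifier. The traces, the add-one smoothing, the `margin` value and all function names are assumptions made for this example.

```python
import math
from collections import defaultdict

# Constructed toy API-call traces (labelled); not data from the paper.
RANSOM_TRACES = [
    ["FindFirstFile", "CryptEncrypt", "WriteFile", "DeleteFile",
     "FindNextFile", "CryptEncrypt", "WriteFile", "DeleteFile"],
    ["CryptAcquireContext", "CryptGenKey", "FindFirstFile",
     "CryptEncrypt", "WriteFile", "DeleteFile"],
]
BENIGN_TRACES = [
    ["CreateFile", "ReadFile", "CloseHandle",
     "CreateFile", "ReadFile", "CloseHandle"],
    ["RegOpenKey", "RegQueryValue", "RegCloseKey",
     "CreateFile", "ReadFile", "CloseHandle"],
]

class MarkovModel:
    """First-order Markov chain over API call names with add-one smoothing
    (smoothing is an assumption so unseen transitions never yield log(0))."""
    def __init__(self, traces, vocab):
        self.vocab_size = len(vocab)
        self.counts = defaultdict(lambda: defaultdict(int))
        for trace in traces:
            for prev, nxt in zip(trace, trace[1:]):
                self.counts[prev][nxt] += 1

    def log_prob(self, trace):
        total = 0.0
        for prev, nxt in zip(trace, trace[1:]):
            row = self.counts[prev]
            total += math.log((row.get(nxt, 0) + 1) /
                              (sum(row.values()) + self.vocab_size))
        return total

def build_models(ransom, benign):
    vocab = {call for trace in ransom + benign for call in trace}
    return MarkovModel(ransom, vocab), MarkovModel(benign, vocab)

def stage_one(trace, m_ransom, m_benign, margin=0.5):
    """Per-transition log-likelihood ratio; decide only outside the margin,
    otherwise defer the trace to the second-stage (Random Forest) classifier."""
    n = max(len(trace) - 1, 1)
    llr = (m_ransom.log_prob(trace) - m_benign.log_prob(trace)) / n
    if llr > margin:
        return "ransomware", llr
    if llr < -margin:
        return "benign", llr
    return "undecided", llr
```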
Acknowledgements
This work was supported by Inha University and a National Research Foundation of Korea grant funded by the Korean Government (NRF-2017R1E1A1A03070865).
Hwang, J., Kim, J., Lee, S. et al. Two-Stage Ransomware Detection Using Dynamic Analysis and Machine Learning Techniques. Wireless Pers Commun 112, 2597–2609 (2020). https://doi.org/10.1007/s11277-020-07166-9
DOI: https://doi.org/10.1007/s11277-020-07166-9