
Two-Stage Ransomware Detection Using Dynamic Analysis and Machine Learning Techniques

Wireless Personal Communications

Abstract

Detecting ransomware is harder than detecting general malware because the number of ransomware variants with distinct signatures keeps growing, which leaves traditional signature-based detection techniques powerless against it. Current ransomware detection techniques usually build a complex model that incorporates various behavioral traits, such as suspicious file activities, API call patterns or frequencies, registry keys, and file extensions. In this paper, we build a two-stage mixed ransomware detection model that combines a Markov model and a Random Forest model. First, we focus on Windows API call sequence patterns and build a Markov model to capture the characteristics of ransomware. Next, we apply a Random Forest machine learning model to the remaining data in order to control both the false positive rate (FPR) and the false negative rate (FNR). With this two-stage mixed detection method we achieve an overall accuracy of 97.3% with a 4.8% FPR and a 1.5% FNR.
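The first stage of the scheme described above, as an added example that is not the paper's code: a first-order Markov chain over Windows API call names is trained per class, each trace is scored by its mean per-transition log-likelihood ratio, and only confident verdicts are issued, with ambiguous traces routed to the Random Forest stage. The toy traces, the API names in them, the Laplace smoothing constant and the ±0.3 decision thresholds are all assumptions made for this illustration.

```python
from math import log

RANSOMWARE_TRACES = [  # constructed toy traces, not the paper's dataset
    ["FindFirstFileW", "CreateFileW", "ReadFile", "CryptEncrypt", "WriteFile", "MoveFileW",
     "FindNextFileW", "CreateFileW", "ReadFile", "CryptEncrypt", "WriteFile", "MoveFileW"],
    ["CryptAcquireContextW", "CryptGenKey", "FindFirstFileW", "CreateFileW", "ReadFile",
     "CryptEncrypt", "WriteFile", "DeleteFileW", "FindNextFileW"],
]
BENIGN_TRACES = [
    ["CreateFileW", "ReadFile", "ReadFile", "CloseHandle", "RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey"],
    ["CreateFileW", "WriteFile", "WriteFile", "CloseHandle", "CreateProcessW", "WaitForSingleObject"],
]


class MarkovApiModel:  # first-order Markov chain over API names, Laplace-smoothed
    def __init__(self, traces, vocab_size, alpha=1.0):
        self.vocab_size, self.alpha = vocab_size, alpha
        self.counts = {}  # counts[prev][nxt] = observed prev -> nxt transitions
        for trace in traces:
            seq = ["<s>"] + trace  # "<s>" is a synthetic start state
            for prev, nxt in zip(seq, seq[1:]):
                row = self.counts.setdefault(prev, {})
                row[nxt] = row.get(nxt, 0) + 1

    def log_likelihood(self, trace):
        # Sum of log P(nxt | prev); transitions never seen in training keep smoothed mass.
        seq, total = ["<s>"] + trace, 0.0
        for prev, nxt in zip(seq, seq[1:]):
            row = self.counts.get(prev, {})
            total += log((row.get(nxt, 0) + self.alpha) / (sum(row.values()) + self.alpha * self.vocab_size))
        return total


class Stage1Router:  # stage 1 of the two-stage scheme: confident verdict or defer to stage 2
    def __init__(self, ransom_traces, benign_traces, high=0.3, low=-0.3):
        vocab = {api for t in ransom_traces + benign_traces for api in t}
        self.ransom = MarkovApiModel(ransom_traces, len(vocab))
        self.benign = MarkovApiModel(benign_traces, len(vocab))
        self.high, self.low = high, low  # assumed thresholds; tune them on validation data

    def score(self, trace):
        # Mean per-transition log-likelihood ratio; positive favours ransomware.
        diff = self.ransom.log_likelihood(trace) - self.benign.log_likelihood(trace)
        return diff / max(len(trace), 1)

    def classify(self, trace):
        s = self.score(trace)
        if s >= self.high:
            return "ransomware"
        if s <= self.low:
            return "benign"
        return "stage2"  # ambiguous: forward to the Random Forest on behavioural features
```

Normalising by the number of transitions keeps the thresholds independent of trace length, so a short benign trace is not pushed toward a verdict merely because it has fewer transitions to accumulate evidence.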



Acknowledgements

This work was supported by Inha University and a National Research Foundation of Korea grant funded by the Korean Government (NRF-2017R1E1A1A03070865).

Corresponding author

Correspondence to Kichang Kim.


Cite this article

Hwang, J., Kim, J., Lee, S. et al. Two-Stage Ransomware Detection Using Dynamic Analysis and Machine Learning Techniques. Wireless Pers Commun 112, 2597–2609 (2020). https://doi.org/10.1007/s11277-020-07166-9
