DRTHIS: Deep ransomware threat hunting and intelligence system at the fog layer
Introduction
Ransomware is a recent threat that has affected a number of industries and countries [1], and is reportedly the fastest growing malware type [[2], [3]]. Today’s ransomware is a sophisticated threat affecting users all around the world. The first wave of ‘misleading’ applications appeared in 2005. Specifically, performance enhancement tools or fake spyware removal tools (e.g. RegistryCare, PerformanceOptimizer and SpySherriff), designed mainly to target Windows computers and their users, claimed that there was a critical performance/security issue in the victim’s computer and recommended that the user buy an additional program to eliminate the problem. Since then, a more disruptive form of extortion has emerged, which disables access to and control of the computer by locking it up so that it cannot be used. There has been a more recent shift to ransomware, where data in the infected computers are encrypted for ransom.
In the literature, there are two main types of ransomware, namely: Locker and Crypto ransomware. Lockers deny users’ access without generally making any changes to the data stored on the system, while crypto-ransomware encrypts all or selected data based on predefined file formats (e.g. *.pdf and *.doc) using a (strong) cryptography algorithm such as AES or RSA [4]. After the victim’s data have been encrypted, the victim is presented with the ransom payment instructions in order to obtain a decryption key and recover their data.
Unsurprisingly, ransomware has attracted the attention of security researchers and practitioners. For example, ransomwaretracker.abuse.ch tracks major ransomware families, such as Locky, Cerber, TeslaCrypt, CryptoWall, TorrentLocker and Sage. Locky ransomware is usually distributed via phishing e-mails that contain Microsoft Office Word documents with embedded malicious macros, which subsequently download the ransomware [5]. Cerber ransomware is often distributed via exploit kits [6], and is capable of encrypting the victim’s data without connecting to a command and control (C2 or C&C) server. TeslaCrypt is another major ransomware family, which is distributed using exploit kits and is capable of encrypting all user contents including network mapped drives [7]. CryptoWall ransomware first appeared in 2014 [7], and is widely distributed using web exploit kits, phishing emails, and corrupted attachments (e.g. PDF files). TorrentLocker ransomware is distributed via emails that attempt to deceive victims into downloading the ransomware, purporting to be shipping notifications, driving violations, or other corporate/government correspondence. Sage is a more recent ransomware, which is distributed via Microsoft Office documents and is capable of encrypting user data without the need to contact a C2 server.
With the popularity of Internet of Things (IoT) devices in our society (e.g. smart homes and smart cities), such devices can also be targeted by ransomware attackers [[8], [9]]. Increasingly, IoT devices are also being placed at the edge/fog layer [[10], [11], [12]]. The naive solution of encrypting the fog layer of an IoT network (also known as data historian nodes) would affect data collection from IoT devices (e.g. sensors deployed in the field), as well as degrading the quality of the architecture due to the exacting computational requirements.
While user training may minimize the success rate of ransomware attack campaigns [[13], [14], [15]], such solutions are not likely to work for fog layer nodes, since these nodes are not in direct contact with end users. Existing ransomware detection approaches include signature-based and behavior-based detection techniques. A detection system may consider static features (e.g. entropy of bytes, Program Executable (PE) imports, and ASCII printable strings) to identify malware, while a system with dynamic analysis usually focuses on the application’s Windows API calls [[16], [17]] or network behavior [18]. Although static features can be useful for characterizing malware samples, attackers can easily obfuscate the malware code to complicate static analysis. Also, most ransomware behavior detection solutions rely on filesystem [[19], [20], [21]] and registry events [22] to identify malicious behavior.
The use of machine learning to facilitate ransomware detection is becoming popular, for example in static analysis [23], dynamic analysis [[16], [17]] or hybrid analysis [24] of malware and normal applications. However, using deep learning algorithms to detect ransomware applications appears to be an understudied topic, despite its potential to extract useful features based on ransomware activities that will facilitate the detection of ransomware, including previously unseen ransomware.
Since system calls are of great importance in tracing events for determining malware behavior [17], in this paper we focus on detecting ransomware samples and characterizing their families by analyzing the sequence of actions taken by an application. We implement a many-to-one classifier that takes the sequences of actions performed by goodware and ransomware samples as its inputs, in order to determine whether a sample is ransomware and to predict its family accurately. We use Long Short-Term Memory (LSTM) and Convolutional Neural Network (CNN) models in our proposed Deep Ransomware Threat Hunting and Intelligence System (DRTHIS).
We implement the proposed system using Python 2.7 and Python 3.5, as well as Keras 2.0.5, which provides fast experimentation with its high-level neural networks API. Keras [25] can run on top of TensorFlow, CNTK and Theano to make programming easier for deep learning researchers and developers. We use a Multilayer Perceptron (MLP) with three layers (input, hidden and output) in our comparative analysis. We set the number of input neurons equal to the padded length of the sequences, so that one sequence at a time is fed to the network. We also ensure that the number of hidden neurons is not more than twice the number of input neurons [26]. We then train and evaluate the performance of our proposed system using a dataset of 220 Locky samples, 220 Cerber samples, 220 TeslaCrypt samples, as well as benign samples from our previous research [27], augmented by 99 CryptoWall samples, 28 TorrentLocker samples and 77 Sage samples. To avoid overfitting, we use Dropout [28] as a regularization technique to prevent complex co-adaptations on the training data [29]. Dropout ignores randomly selected neurons during training in the forward pass. In other words, the dropped-out neurons are temporarily removed from the forward pass, and no weight updates are applied to them on the backward pass.
We perform 10-fold cross validation to evaluate the proposed system, and use True Positive (TP), False Positive (FP), True Negative (TN), and False Negative (FN) counts [[30], [31]] to derive the evaluation metrics. TP is the number of samples correctly identified as the positive label, and FP is the number of negative samples incorrectly classified as positive. TN denotes the number of correctly rejected samples, while FN is the number of incorrectly rejected samples. Precision reflects the positive predictive value: TP divided by the total of TP and FP predicted by the classifier, as shown in Eq. (1). Recall is the rate of positive samples that are correctly identified: TP divided by the total of TP and FN, as described in Eq. (2). F-measure considers both Precision and Recall of the test set as their harmonic mean, as shown in Eq. (3).
Although the Area Under the Curve (AUC) measures how well a parameter can be used to distinguish between two classes, there is no explicit formula to compute AUC [32]. The Matthews Correlation Coefficient (MCC) [33] was first introduced to assess the performance of prediction in bioinformatics, and provides a measure of quality for comparing different classifiers [34]. The possible values of MCC range from -1 to +1, where +1 indicates perfect prediction. In binary classifiers with total disagreement, the MCC value will be -1, while a value of 0 indicates random classification. MCC is also robust to imbalanced data [32]. While Precision, Recall or F-measure values for random guessing would be higher than 0.5, the MCC value would be around 0 for random guessing. Therefore, to ensure that our classifiers are far from random classifiers, we compute MCC values for each classifier. These values can be computed using Eq. (4).
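The metrics described above, as an added example that is not part of the paper: Precision, Recall, F-measure and MCC computed from a confusion matrix, together with a check of the claim that a degenerate classifier on an imbalanced set can score well on the first three while its MCC stays at 0. The label lists are constructed for the demonstration; the zero-denominator convention for MCC is the usual one and is an assumption about Eq. (4), whose body is not reproduced on this page.

```python
# Added example (not from the paper): the evaluation metrics described in the
# text, computed from TP/FP/TN/FN, plus a demonstration that an always-positive
# classifier on imbalanced data gets high Precision/Recall/F-measure and MCC 0.
from math import sqrt


def confusion_matrix(y_true, y_pred, positive=1):
    """Count TP, FP, TN, FN for one positive label (here ransomware = 1)."""
    tp = fp = tn = fn = 0
    for t, p in zip(y_true, y_pred):
        if p == positive:
            if t == positive:
                tp += 1
            else:
                fp += 1
        elif t == positive:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def precision(tp, fp):
    return tp / (tp + fp) if tp + fp else 0.0      # Eq. (1)


def recall(tp, fn):
    return tp / (tp + fn) if tp + fn else 0.0      # Eq. (2)


def f_measure(tp, fp, fn):
    p, r = precision(tp, fp), recall(tp, fn)
    return 2 * p * r / (p + r) if p + r else 0.0   # Eq. (3), harmonic mean


def mcc(tp, fp, tn, fn):
    """Matthews Correlation Coefficient, Eq. (4). Assumed convention: when any
    marginal count is zero the denominator vanishes and MCC is reported as 0."""
    denom = sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return (tp * tn - fp * fn) / denom if denom else 0.0


def evaluate(y_true, y_pred):
    tp, fp, tn, fn = confusion_matrix(y_true, y_pred)
    return {"precision": precision(tp, fp), "recall": recall(tp, fn),
            "f_measure": f_measure(tp, fp, fn), "mcc": mcc(tp, fp, tn, fn)}


# Constructed labels: 70 ransomware (1) and 30 goodware (0) samples.
Y_TRUE = [1] * 70 + [0] * 30
# A classifier that flags every sample as ransomware: no TN and no FN.
ALWAYS_POSITIVE = [1] * 100
# A competent classifier: misses 5 ransomware samples and flags 3 goodware.
GOOD = [1] * 65 + [0] * 5 + [1] * 3 + [0] * 27

if __name__ == "__main__":
    print(evaluate(Y_TRUE, ALWAYS_POSITIVE))   # F-measure ~0.82, MCC 0.0
    print(evaluate(Y_TRUE, GOOD))              # MCC ~0.81
```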
The remainder of this paper is structured as follows. In Section 2, we review related research in ransomware detection. Section 3 presents our proposed DRTHIS. Section 4 describes how DRTHIS trains the best binary classifier for threat hunting, and Section 5 describes the training of the one-class classifiers as well as the deep feature extractor for threat intelligence. Section 6 presents the findings of the evaluation. Finally, we conclude the paper in Section 7.
Related work
In recent years, ransomware has attracted the attention of information security researchers and practitioners, given its popularity with cybercriminals [[35], [36]].
Most ransomware detection solutions rely on the dynamic behavior of applications such as registry changes [22], and filesystem activities [[19], [20], [21]] to identify malicious applications. A study using 1359 ransomware samples revealed that the majority of ransomware samples are making similar API calls and similar filesystem
Proposed Deep Ransomware Threat Hunting and Intelligence System (DRTHIS)
The proposed DRTHIS utilizes a binary classifier, a Deep Feature Extractor (DFE) and One Class Classifiers (OCCs) to hunt ransomware samples and identify their families based on the application’s sequence of activities (see also Fig. 1).
When a user launches an application, the system records all events executed within the first ten seconds of application execution, and transforms the captured sequence to determine whether the given sample is ransomware or not. This stage is
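The capture-and-transform stage just described, as an added example rather than the paper's own code: an event trace is cut to the first ten seconds, mapped to integer ids, and padded or truncated to a fixed length that equals the number of input neurons. The traces, the event names and the padded length of 12 are all constructed for the demonstration; the paper does not state its padded length.

```python
# Added example (not the paper's code): the capture-and-transform stage that
# turns an event trace into the fixed-length integer sequence a many-to-one
# classifier consumes. Assumptions: events are (seconds since launch, name)
# pairs, only the first ten seconds are kept, and every sequence is padded or
# truncated to PADDED_LEN, which equals the number of input neurons.

WINDOW_SECONDS = 10.0   # observation window stated in the paper
PADDED_LEN = 12         # assumed padded length (= input neurons) for the demo
PAD_ID = 0              # reserved id for padding positions
UNKNOWN_ID = 1          # reserved id for events not seen during training


def window_events(trace, window=WINDOW_SECONDS):
    """Keep the names of events recorded within the first `window` seconds."""
    return [name for t, name in trace if t < window]


def build_vocabulary(traces):
    """Map each event name seen in the training traces to a stable integer id;
    ids 0 and 1 are reserved for padding and unknown events."""
    names = sorted({name for tr in traces for name in window_events(tr)})
    return {name: i + 2 for i, name in enumerate(names)}


def encode(trace, vocab, length=PADDED_LEN):
    """Convert one trace to ids and pad/truncate it to exactly `length`.
    Events unseen in training map to UNKNOWN_ID rather than raising KeyError."""
    ids = [vocab.get(name, UNKNOWN_ID) for name in window_events(trace)]
    ids = ids[:length]                             # truncate long traces
    return ids + [PAD_ID] * (length - len(ids))    # right-pad short ones


# Constructed traces, not real samples: (seconds since launch, event name).
GOODWARE_TRACE = [(0.1, "CreateFile"), (0.3, "ReadFile"), (1.2, "RegQueryValue"),
                  (2.0, "CloseHandle"), (15.0, "WriteFile")]  # 15.0 s: outside window
RANSOM_TRACE = [(0.2, "CreateFile"), (0.5, "CryptAcquireContext"), (0.6, "CryptGenKey")]
# A read/encrypt/write/delete loop over five files: 3 + 4*5 = 23 events,
# more than PADDED_LEN, so encode() truncates it.
for _i in range(5):
    _t = 1.0 + _i
    RANSOM_TRACE += [(_t, "ReadFile"), (_t + 0.1, "CryptEncrypt"),
                     (_t + 0.2, "WriteFile"), (_t + 0.3, "DeleteFile")]
UNSEEN_TRACE = [(0.4, "NtSetInformationFile"), (0.8, "WriteFile")]

VOCAB = build_vocabulary([GOODWARE_TRACE, RANSOM_TRACE])

if __name__ == "__main__":
    for tr in (GOODWARE_TRACE, RANSOM_TRACE, UNSEEN_TRACE):
        print(encode(tr, VOCAB))
```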
Threat hunting
We apply the LSTM and CNN methods introduced in Fig. 6 and Fig. 7 to train the final binary classifiers for detecting (hunting) ransomware samples. We create the dataset by combining both and to train our models for the binary classification of ransomware and goodware. It is worth noting that we have a separate dataset for evaluating our final model, which does not contribute to the ranking and embedding processes.
At first, we train our LSTM
Threat intelligence
Unlike threat hunting, which separates ransomware from goodware, the deep learning task of threat intelligence trains a Softmax classifier to separate samples from 4 class labels of. In fact, the objective of the deep learning task is to create an optimal classifier for identifying known families, while the DFE extracts features from a trained LSTM into a vector before feeding it to Softmax for the final classification (as shown in Fig. 6). We will use the same
Evaluation and discussion
We evaluate the performance of DRTHIS using both ransomware samples from new ransomware families and benign applications.
Table 6 presents the classification result after applying DRTHIS on,, and. In the table, the New column represents samples that do not belong to any known family (ransomware belonging to new families), while samples detected in more than one family are counted in the Conflict column. Only two Cerber samples encounter conflicts after
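The family-assignment step behind the New and Conflict columns, as an added example and not the paper's code: each known family has a one-class classifier, a sample that no OCC accepts is reported as New, and a sample accepted by more than one OCC is reported as Conflict. The OCCs below are stand-ins built from a centroid and a distance threshold in a constructed 2-D feature space (the paper's OCCs are trained on DFE output), and the sample vectors are constructed.

```python
# Added example (not the paper's code): the family-assignment step of the
# threat-intelligence stage, producing the per-family / New / Conflict counts
# that Table 6 reports. Assumption: each family's one-class classifier (OCC) is
# a callable that returns True when it accepts a deep-feature vector; the OCCs
# below are stand-ins built from a centroid and a distance threshold, not the
# paper's trained models, and the feature vectors are constructed.
from math import sqrt

FAMILIES = ("Locky", "Cerber", "TeslaCrypt", "CryptoWall")   # known families


def make_occ(centroid, radius):
    """Stand-in OCC: accept vectors within `radius` of the family centroid."""
    def accepts(vec):
        return sqrt(sum((a - b) ** 2 for a, b in zip(vec, centroid))) <= radius
    return accepts


def assign_family(vec, occs):
    """Classify one feature vector. Returns (label, accepting_families), where
    label is a family name, 'New' (no OCC accepts, i.e. an unknown family) or
    'Conflict' (more than one OCC accepts)."""
    hits = [fam for fam, occ in occs.items() if occ(vec)]
    if not hits:
        return "New", hits
    if len(hits) > 1:
        return "Conflict", hits
    return hits[0], hits


def tabulate(samples, occs):
    """Build a Table 6 style matrix: one row per true family, with a count for
    each known family plus the New and Conflict columns."""
    cols = list(FAMILIES) + ["New", "Conflict"]
    table = {}
    for true_family, vec in samples:
        row = table.setdefault(true_family, {c: 0 for c in cols})
        label, _ = assign_family(vec, occs)
        row[label] += 1
    return table


# Constructed 2-D feature space: the Locky and Cerber regions are wide enough
# to overlap, so a vector between them is accepted by both (a Conflict).
OCCS = {
    "Locky": make_occ((0.0, 0.0), 2.2),
    "Cerber": make_occ((4.0, 0.0), 2.2),
    "TeslaCrypt": make_occ((0.0, 4.0), 1.0),
    "CryptoWall": make_occ((4.0, 4.0), 1.0),
}
SAMPLES = [
    ("Locky", (0.2, 0.1)), ("Locky", (0.5, -0.3)),
    ("Cerber", (3.8, 0.2)), ("Cerber", (2.0, 0.0)),      # second one: Conflict
    ("TeslaCrypt", (0.1, 3.9)), ("CryptoWall", (4.2, 4.3)),
    ("Sage", (2.0, 2.0)),   # family with no OCC: should be reported as New
]

if __name__ == "__main__":
    for family, row in tabulate(SAMPLES, OCCS).items():
        print(family, row)
```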
Conclusion and future work
Fog computing will be increasingly commonplace, and as fog nodes gain more computational and storage capabilities (e.g. due to advances in technologies), they will become a more attractive target for ransomware (and other cyber exploitation).
In this paper, we presented DRTHIS, which is designed to detect ransomware and identify its family within the first ten seconds of an application’s execution. In other words, the proposed system can be deployed on the fog layer to serve as
Acknowledgments
The authors thank the editor and the anonymous reviewers for their constructive feedback, and ransomwaretracker.abuse.ch and virustotal.com for their support of this research. This work is partially supported by the European Council International Incoming Fellowship, United Kingdom (FP7-PEOPLE-2013-IIF) grant number 625402, and the Cloud Technology Endowed Professorship. The information and views in this paper are those of the authors and do not necessarily reflect the official opinion of their
References (53)
- et al., Internet of Things security and forensics: Challenges and opportunities, Future Gener. Comput. Syst. (2018)
- et al., A foggy research future: Advances and future opportunities in fog computing research, Future Gener. Comput. Syst. (2018)
- et al., MAGMA network behavior classifier for malware traffic, Comput. Netw. (2016)
- Comparison of the predicted and observed secondary structure of T4 phage lysozyme, Biochim. Biophys. Acta (1975)
- et al., Improving sentiment analysis via sentence type classification using BiLSTM-CRF and CNN, Expert Syst. Appl. (2017)
- et al., LSTM network: A deep learning approach for short-term traffic forecast, IET Intell. Transp. Syst. (2017)
- EUROPOL, The internet organised crime threat assessment (IOCTA), 2016, ...
- Threat Landscape Report 2016: 15 Top Cyber-Threats And Trends (2017)
- The Reign of Ransomware (2016)
- The Evolution of Ransomware
- The Current State of Ransomware
- Detecting crypto-ransomware in IoT networks based on energy consumption footprint, J. Ambient Intell. Humaniz. Comput.
- Vehicular fog computing: Architecture, use case, and security and forensic challenges, IEEE Commun. Mag.
- Awareness education as the key to ransomware prevention, Inf. Syst. Secur.
- Education and prevention relationships on security incidents for home computers, J. Comput. Inf. Syst.
- Analysis of protective behavior and security incidents for home computers, J. Comput. Inf. Syst.
- DL4MD: A deep learning framework for intelligent malware detection
- Deep learning for classification of malware system call sequences
- Cutting the Gordian knot: A look under the hood of ransomware attacks
- Unveil: A large-scale, automated approach to detecting ransomware
- Detecting ransomware with honeypot techniques
- 2entFOX: A framework for high survivable ransomwares detection
Sajad Homayoun has been a Ph.D. candidate in Computer Networks at Shiraz University of Technology since 2013. He also has a master’s degree in Information Technology from K. N. Toosi University of Technology (Khajeh Nasir Toosi) of Tehran and a bachelor’s degree in Computer Software. He has been in charge of the security laboratory (SecLab) at Shiraz University of Technology since 2014. His research interests are Cyber Security, Machine Learning Applications in Computer Security and Computer Networks.
Ali Dehghantanha is the director of Security of Advanced Systems (SoAS) lab in the School of Computer Science, University of Guelph (UofG), Ontario, Canada. He has served for more than a decade in a variety of industrial and academic positions with leading players in Cyber-Security and Artificial Intelligence. Prior to joining UofG, he has served as a Senior Lecturer in the University of Sheffield, UK and as an EU Marie-Curie International Incoming Fellow at the University of Salford, UK. His main research interests are malware analysis and digital forensics, IoT security and application of AI in the Cyber Security.
Marzieh Ahmadzadeh holds a Ph.D. in Computer Science and an MSc in Information Technology, both received from the University of Nottingham, UK, and a first class BSc in Software Engineering received from Isfahan University, Iran. Since September 2006, she has been an assistant professor at the School of Computer Engineering and IT, Shiraz University of Technology, where she has supervised more than 20 MSc students whose research areas are mostly applied data mining. Her work experience also includes being a research assistant at the University of Nottingham and a full stack software engineer for 3 years. Her research interests include Data Mining, Data Security, HCI and Computer Science Education.
Sattar Hashemi received the PhD degree in computer science from Iran University of Science and Technology in conjunction with Monash University, Australia, in 2008. Following academic appointments at Shiraz University, he is currently an associate professor at Electrical and Computer Engineering School, Shiraz University, Shiraz, Iran. His research interests include machine learning, data mining, social networks, data stream mining, game theory, and adversarial learning.
Raouf Khayami is Dean of the Information Technology and Computer Engineering department of Shiraz University of Technology. He earned his Ph.D. in Computer Engineering from Shiraz University in 2009. His research interests include data mining, business intelligence, and enterprise architecture.
Kim-Kwang Raymond Choo received the Ph.D. in Information Security from Queensland University of Technology, Australia. He currently holds the Cloud Technology Endowed Professorship at The University of Texas at San Antonio, and has an adjunct appointment at the University of South Australia. In 2016, he was named the Cybersecurity Educator of the Year - APAC (Cybersecurity Excellence Awards are produced in cooperation with the Information Security Community on LinkedIn), and in 2015 he and his team won the Digital Forensics Research Challenge organized by Germany’s University of Erlangen–Nuremberg. He is the recipient of the 2018 UTSA College of Business Col. Jean Piccione and Lt. Col. Philip Piccione Endowed Research Award for Tenured Faculty, ESORICS 2015 Best Paper Award, 2014 Highly Commended Award by the Australia New Zealand Policing Advisory Agency, Fulbright Scholarship in 2009, 2008 Australia Day Achievement Medallion, and British Computer Society’s Wilkes Award in 2008. He is also a Fellow of the Australian Computer Society, and an IEEE Senior Member.
David Ellis Newton received his PhD from Salford University in 1989. He is currently a Senior Lecturer within Computer Science and Software Engineering in the School of Computing, Science and Engineering at Salford University in the UK. He played a major role in researching for and liaising with European partners in an externally funded European RACE project on the development of digital High-Definition Television. Over the past two decades, he has built up an extensive network of industrial and academic contacts both in the UK and Europe. He has a broad range of interests across the Computer Science domain and has contributed to or organised various conferences, Intensive Programmes of Study and Knowledge Transfer Partnerships with industry in diverse areas including E-Discovery, the Internet of Things, Big Data, Information Security, Cyber Security, e-learning techniques and mobile development. He currently teaches Programming to first year Honours degree students in Computer Science and Software Engineering, and Data Structures & Algorithms to second year students from the same courses. In the recent past, he has also taught modules on Software Quality to final year Computer Science students, and he regularly takes on Final Year projects as well as MSc projects.