Hardlife Ngirande,Martin Muduva,Ronald Chiwariro,Austin Makate

DOI: https://doi.org/10.22214/ijraset.2024.57885

2024-01-31

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: Ransomware is a malicious code designed to encrypt and lock personal data such as documents and photos, in order to create opportunity for extorting money from the victims. Android operating systems are particularly targeted due to their large market share. Previous studies have primarily relied on signature-based detection methods, which require sufficient data samples and labelled signatures. However, modern ransomware utilizes obfuscation techniques that make it challenging to analyse using static methods. This project proposes a hybrid analysis approach for Android ransomware, employing the SVM algorithm for detection. The novelty lies in the limited exploration of SVM algorithms for ransomware analysis. The dataset used in the study was obtained from CICA and Mal 2017. Static features, including permissions, intents, encoding methods, and API calls were used, along with dynamic features such as network activities and system calls. The SVM model achieved good performance, with 81% accuracy and 90% precision using static features, and 100% accuracy with dynamic features

Michael C. Grace,Yajin Zhou,Qiang Zhang,Shihong Zou,Xuxian Jiang

DOI: https://doi.org/10.1145/2307636.2307663

2012-01-01

Abstract:ABSTRACTSmartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide in the sheer number of other normal apps, which makes their detection challenging. Existing mobile anti-virus software are inadequate in their reactive nature by relying on known malware samples for signature extraction. In this paper, we propose a proactive scheme to spot zero-day Android malware. Without relying on malware samples and their signatures, our scheme is motivated to assess potential security risks posed by these untrusted apps. Specifically, we have developed an automated system called RiskRanker to scalably analyze whether a particular app exhibits dangerous behavior (e.g., launching a root exploit or sending background SMS messages). The output is then used to produce a prioritized list of reduced apps that merit further investigation. When applied to examine 118,318 total apps collected from various Android markets over September and October 2011, our system takes less than four days to process all of them and effectively reports 3281 risky apps. Among these reported apps, we successfully uncovered 718 malware samples (in 29 families) and 322 of them are zero-day (in 11 families). These results demonstrate the efficacy and scalability of RiskRanker to police Android markets of all stripes.

K. R. Kalphana,S. Aanjankumar,M. Surya,M. S. Ramadevi,K. R. Ramela,T Anitha,N. Nagaprasad,Ramaswamy Krishnaraj

DOI: https://doi.org/10.1038/s41598-024-70544-x

IF: 4.6

2024-09-29

Scientific Reports

Abstract:In recent times, the number of malware on Android mobile phones has been growing, and a new kind of malware is Android ransomware. This research aims to address the emerging concerns about Android ransomware in the mobile sector. Previous studies highlight that the number of new Android ransomware is increasing annually, which poses a huge threat to the privacy of mobile phone users for sensitive data. Various existing techniques are active to detect ransomware and secure the data in the mobile cloud. However, these approaches lack accuracy and detection performance with insecure storage. To resolve this and enhance the security level, the proposed model is presented. This manuscript provides both recognition algorithms based on the deep learning model and secured storage of detected data in the cloud with a secret key to safeguard sensitive user information using the hybrid cryptographic model. Initially, the input APK files and data are preprocessed to extract features. The collection of optimal features is carried out using the Squirrel search optimization process. After that, the Deep Learning-based model, adaptive deep saliency The AlexNet classifier is presented to detect and classify data as malicious or normal. The detected data, which is not malicious, is stored on a cloud server. For secured storage of data in the cloud, a hybrid cryptographic model such as hybrid homomorphic Elliptic Curve Cryptography and Blowfish is employed, which includes key computation and key generation processes. The cryptographic scheme includes encryption and decryption of data, after which the application response is found to attain a decrypted result upon user request. The performance is carried out for both the Deep Learning-based model and the hybrid cryptography-based security model, and the results obtained are 99.89% accuracy in detecting malware compared with traditional models. The effectiveness of the proposed system over other models such as GNN is 94.76%, CNN is 95.76%, and Random Forest is 96%.

multidisciplinary sciences

Amnah Albin Ahmed,Afrah Shaahid,Fatima Alnasser,Shahad Alfaddagh,Shadha Binagag,Deemah Alqahtani

DOI: https://doi.org/10.3390/s24010189

2023-12-28

Abstract:In today's digitalized era, the usage of Android devices is being extensively witnessed in various sectors. Cybercriminals inevitably adapt to new security technologies and utilize these platforms to exploit vulnerabilities for nefarious purposes, such as stealing users' sensitive and personal data. This may result in financial losses, discredit, ransomware, or the spreading of infectious malware and other catastrophic cyber-attacks. Due to the fact that ransomware encrypts user data and requests a ransom payment in exchange for the decryption key, it is one of the most devastating types of malicious software. The implications of ransomware attacks can range from a loss of essential data to a disruption of business operations and significant monetary damage. Artificial intelligence (AI)-based techniques, namely machine learning (ML), have proven to be notable in the detection of Android ransomware attacks. However, ensemble models and deep learning (DL) models have not been sufficiently explored. Therefore, in this study, we utilized ML- and DL-based techniques to build efficient, precise, and robust models for binary classification. A publicly available dataset from Kaggle consisting of 392,035 records with benign traffic and 10 different types of Android ransomware attacks was used to train and test the models. Two experiments were carried out. In experiment 1, all the features of the dataset were used. In experiment 2, only the best 19 features were used. The deployed models included a decision tree (DT), support vector machine (SVM), k-nearest neighbor (KNN), ensemble of (DT, SVM, and KNN), feedforward neural network (FNN), and tabular attention network (TabNet). Overall, the experiments yielded excellent results. DT outperformed the others, with an accuracy of 97.24%, precision of 98.50%, and F1-score of 98.45%. Whereas, in terms of the highest recall, SVM achieved 100%. The acquired results were thoroughly discussed, in addition to addressing limitations and exploring potential directions for future work.

José A. Gómez-Hernández,Pedro García-Teodoro

DOI: https://doi.org/10.3390/s24092679

IF: 3.9

2024-04-24

Sensors

Abstract:Given the high relevance and impact of ransomware in companies, organizations, and individuals around the world, coupled with the widespread adoption of mobile and IoT-related devices for both personal and professional use, the development of effective and efficient ransomware mitigation schemes is a necessity nowadays. Although a number of proposals are available in the literature in this line, most of them rely on machine-learning schemes that usually involve high computational cost and resource consumption. Since current personal devices are small and limited in capacities and resources, the mentioned schemes are generally not feasible and usable in practical environments. Based on a honeyfile detection solution previously introduced by the authors for Linux and Window OSs, this paper presents a ransomware detection tool for Android platforms where the use of trap files is combined with a reactive monitoring scheme, with three main characteristics: (i) the trap files are properly deployed around the target file system, (ii) the FileObserver service is used to early alert events that access the traps following certain suspicious sequences, and (iii) the experimental results show high performance of the solution in terms of detection accuracy and efficiency.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Hashida Haidros Rahima Manzil,S. Manohar Naik

DOI: https://doi.org/10.1007/s11416-023-00495-w

2023-08-23

Journal of Computer Virology and Hacking Techniques

Abstract:Ransomware is a serious cyberthreat for Android users, with devastating consequences for its victims. By locking or encrypting the targeted device, victims are often left unable to access their data, with attackers demanding payment in bitcoins in exchange for decryption. These attacks can occur across various sectors, including government, business, and health systems. Therefore, effective measures to mitigate this threat are critical. This paper proposes a novel hamming distance-based feature selection technique for detecting Android ransomware through static analysis. The detection approach involves four phases: feature extraction, binary feature vector generation, feature selection, and classification. A Python tool is used to automatically extract static features from Android applications, which are then processed for feature vector generation and selection. The effectiveness of the proposed technique is evaluated using various experiments, including machine learning and deep learning techniques. In addition, this article outlines a threat scenario of ransomware on the Android platform. The proposed system achieves a maximum detection accuracy of 99% with Random Forest and Decision Tree classifiers, surpassing state-of-the-art studies. Overall, the proposed technique offers an efficient solution for detecting Android ransomware, which could help prevent future attacks and reduce the impact of this serious cyberthreat.

Ibrahim R. Alzahrani,Randa Allafi

DOI: https://doi.org/10.3934/math.2024331

2024-01-01

AIMS Mathematics

Abstract:With the widespread use of Internet, Internet of Things (IoT) devices have exponentially increased. These devices become vulnerable to malware attacks with the enormous amount of data on IoT devices; as a result, malware detection becomes a major problem in IoT devices. A reliable and effective mechanism is essential for malware detection. In recent years, research workers have developed various techniques for the complex detection of malware, but accurate detection continues to be a problem. Ransomware attacks pose major security risks to corporate and personal information and data. The owners of computer-based resources can be influenced by monetary losses, reputational damage, and privacy and verification violations due to successful assaults of ransomware. Therefore, there is a need to swiftly and accurately detect the ransomware. With this motivation, the study designs an Ebola optimization search algorithm for enhanced deep learning-based ransomware detection (EBSAEDL-RD) technique in IoT security. The purpose of the EBSAEDL-RD method is to recognize and classify the ransomware to achieve security in the IoT platform. To accomplish this, the EBSAEDL-RD technique employs min-max normalization to scale the input data into a useful format. Also, the EBSAEDL-RD technique makes use of the EBSA technique to select an optimum set of features. Meanwhile, the classification of ransomware takes place using the bidirectional gated recurrent unit (BiGRU) model. Then, the sparrow search algorithm (SSA) can be applied for optimum hyperparameter selection of the BiGRU model. The wide-ranging experiments of the EBSAEDL-RD approach are performed on benchmark data. The obtained results highlighted that the EBSAEDL-RD algorithm reaches better performance over other models on IoT security.

mathematics, applied

Ashwag Albakri,Fatimah Alhayan,Nazik Alturki,Saahirabanu Ahamed,Shermin Shamsudheen

DOI: https://doi.org/10.3390/app13042172

2023-02-08

Applied Sciences

Abstract:Since the development of information systems during the last decade, cybersecurity has become a critical concern for many groups, organizations, and institutions. Malware applications are among the commonly used tools and tactics for perpetrating a cyberattack on Android devices, and it is becoming a challenging task to develop novel ways of identifying them. There are various malware detection models available to strengthen the Android operating system against such attacks. These malware detectors categorize the target applications based on the patterns that exist in the features present in the Android applications. As the analytics data continue to grow, they negatively affect the Android defense mechanisms. Since large numbers of unwanted features create a performance bottleneck for the detection mechanism, feature selection techniques are found to be beneficial. This work presents a Rock Hyrax Swarm Optimization with deep learning-based Android malware detection (RHSODL-AMD) model. The technique presented includes finding the Application Programming Interfaces (API) calls and the most significant permissions, which results in effective discrimination between the good ware and malware applications. Therefore, an RHSO based feature subset selection (RHSO-FS) technique is derived to improve the classification results. In addition, the Adamax optimizer with attention recurrent autoencoder (ARAE) model is employed for Android malware detection. The experimental validation of the RHSODL-AMD technique on the Andro-AutoPsy dataset exhibits its promising performance, with a maximum accuracy of 99.05%.

materials science, multidisciplinary,engineering,chemistry,physics, applied

Christopher Jun Wen Chew,Vimal Kumar,Panos Patros,Robi Malik

DOI: https://doi.org/10.1007/s10207-024-00819-x

2024-03-04

International Journal of Information Security

Abstract:Ransomware, particularly crypto ransomware, has emerged as the go-to malware for threat actors aiming to compromise data on Android devices as well as in general. In this paper, we present a ransomware detection technique based on behaviours observed in the system calls performed by the malware. We first describe our repeatable and extensible methodology for extracting the system call log and patterns. We then identify and present some common high-level system call behavioural patterns exhibited by crypto ransomware, and evaluate these patterns. We further describe the implementation of a streaming implementation that utilises regular expressions for modelling malware behaviours and finite state machines for detecting crypto ransomware behaviours in real time. The success of our proof of concept evaluation allows us to envision our proposed technique applied as part of a self-protection system on Android phones against malware.

computer science, information systems, theory & methods, software engineering

Malak Aljabri,Fahd Alhaidari,Aminah Albuainain,Samiyah Alrashidi,Jana Alansari,Wasmiyah Alqahtani,Jana Alshaya

DOI: https://doi.org/10.1016/j.eij.2024.100445

IF: 4.195

2024-01-31

Egyptian Informatics Journal

Abstract:Ransomware attacks have escalated recently and are affecting essential infrastructure and enterprises across the globe. Unfortunately, ransomware uses sophisticated encryption techniques to encrypt important files on the targeted machine and then demands payment to decrypt the data. Artificial intelligent techniques including machine learning have been increasingly applied in the field of cybersecurity and greatly contributed to detecting and preventing different kinds of attacks However, the number of studies that applied machine learning to detect ransomware are still limited by the obfuscation of malware, the lack of setting up a proper analysis environment, the accuracy of models, and the high false-positive rate. Thus, it is crucial to develop effective ransomware detection based on machine learning techniques. This study aims to build a robust machine-learning model that can recognize unknown samples using memory dumps to detect ransomware with high accuracy and minimal false positives providing an extensive analysis of how memory traces can assist in the detection of ransomware. This goal was achieved by building a new dataset composed of recent ransomware group attack samples like Revil, Lockbit, and BlackCat, as well as a number of benign samples, including office applications, Windows applications, and compression applications, which were dynamically analyzed within an enhanced cuckoo sandbox to ensure the most reliable results. Then, a set of machine learning models were developed, and a comparative performance analysis was conducted. Among the various models evaluated, XGBoost was the best-performing model, using only 47 features out of 58. It achieved 97.85% accuracy with a 2% false positive rate.

computer science, information systems, artificial intelligence

Abdulrahman Alzahrani,Ali Alshehri,Hani Alshahrani,Huirong Fu

DOI: https://doi.org/10.48550/arXiv.2005.05571

2020-05-12

Abstract:Malware proliferation and sophistication have drastically increased and evolved continuously. Recent indiscriminate ransomware victimizations have imposed critical needs of effective detection techniques to prevent damages. Therefore, ransomware has drawn attention among cyberspace researchers. This paper contributes a comprehensive overview of ransomware attacks and summarizes existing detection and prevention techniques in both Windows and Android platforms. Moreover, it highlights the strengths and shortcomings of those techniques and provides a comparison between them. Furthermore, it gives recommendations to users and system administrators.

Computers and Society,Cryptography and Security

Rajif Agung Yunmar,Sri Suning Kusumawardani,Widyawan,Fadi Mohsen

DOI: https://doi.org/10.1109/access.2024.3377658

IF: 3.9

2024-03-27

IEEE Access

Abstract:Over the last decade, numerous research efforts have been dedicated to countering malicious mobile applications. Given its market share, Android OS has been the primary target for most of these apps. Researchers have devised numerous solutions to protect Android devices and their users, categorizing them into static and dynamic approaches. Each of these approaches has its own advantages and disadvantages. The hybrid approach aims to combine the benefits of both. This study closely examines the hybrid solutions proposed between 2012 and 2023, highlighting their strengths and limitations. The objective of this study is to provide a comprehensive review of existing research on Android malware detection using a hybrid approach. Our review identifies several issues related to hybrid detection approaches, including datasets, feature utilization and selection, working environments, detection order mechanisms, integrity of the detection step, detection algorithms, and the use of automated input generation. Key findings of this study include: (i) the majority of studies have not adequately addressed on-device detection and have overlooked the importance of system usability, (ii) many studies rely on outdated datasets that do not accurately represent the current threat landscape, (iii) there is a need for a methodology to detect zero-day attacks, and (iv) most research has not paid attention to the impact of automated input generation on malware behavior and code coverage. We also discuss some open issues and future directions that will help substantiate the hybrid approach study.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yahye Abukar Ahmed,Shamsul Huda,Bander Ali Saleh Al-rimy,Nouf Alharbi,Faisal Saeed,Fuad A. Ghaleb,Ismail Mohamed Ali

DOI: https://doi.org/10.3390/su14031231

IF: 3.9

2022-01-21

Sustainability

Abstract:Ransomware attacks against Industrial Internet of Things (IIoT) have catastrophic consequences not only to the targeted infrastructure, but also the services provided to the public. By encrypting the operational data, the ransomware attacks can disrupt the normal operations, which represents a serious problem for industrial systems. Ransomware employs several avoidance techniques, such as packing, obfuscation, noise insertion, irrelevant and redundant system call injection, to deceive the security measures and make both static and dynamic analysis more difficult. In this paper, a Weighted minimum Redundancy maximum Relevance (WmRmR) technique was proposed for better feature significance estimation in the data captured during the early stages of ransomware attacks. The technique combines an enhanced mRMR (EmRmR) with the Term Frequency-Inverse Document Frequency (TF-IDF) so that it can filter out the runtime noisy behavior based on the weights calculated by the TF-IDF. The proposed technique has the capability to assess whether a feature in the relevant set is important or not. It has low-dimensional complexity and a smaller number of evaluations compared to the original mRmR method. The TF-IDF was used to evaluate the weights of the features generated by the EmRmR algorithm. Then, an inclusive entropy-based refinement method was used to decrease the size of the extracted data by identifying the system calls with strong behavioral indication. After extensive experimentation, the proposed technique has shown to be effective for ransomware early detection with low-complexity and few false-positive rates. To evaluate the proposed technique, we compared it with existing behavioral detection methods.

environmental sciences,environmental studies,green & sustainable science & technology

Jaehyuk Lee,Jinseo Yun,Kyungroul Lee

DOI: https://doi.org/10.3390/electronics13061030

IF: 2.9

2024-03-10

Electronics

Abstract:Ransomware, which emerged in 1989, has evolved to the present in numerous variants and new forms. For this reason, serious damage caused by ransomware has occurred not only within our country but around the world, and, according to the analysis of ransomware trends, ransomware poses an ongoing and significant threat, with major damage expected to continue to occur in the future. To address this problem, various approaches to detect ransomware have been explored, with a recent focus on file entropy estimation methods. These methods exploit the characteristic increase in file entropy that is caused by ransomware encryption. In response, a method was developed to neutralize entropy-based ransomware detection technology by manipulating entropy using encoding methods from the attacker's perspective. Consequently, from the defender's standpoint, countermeasures are essential to minimize the damage caused by ransomware. Therefore, this article proposes a methodology that utilizes diverse machine learning models such as K-Nearest Neighbors (KNN), logistic regression, decision tree, random forest, gradient boosting, support vector machine (SVM), and multi-layer perception (MLP) to detect files infected with ransomware. The experimental results demonstrate empirically that files infected with ransomware can be detected with approximately 98% accuracy, and the results of this research are expected to provide valuable information for developing countermeasures against various ransomware detection technologies.

engineering, electrical & electronic,computer science, information systems,physics, applied

Hasan Alkahtani,Theyazn H. H. Aldhyani

DOI: https://doi.org/10.3390/s22062268

IF: 3.9

2022-03-15

Sensors

Abstract:With the rapid expansion of the use of smartphone devices, malicious attacks against Android mobile devices have increased. The Android system adopted a wide range of sensitive applications such as banking applications; therefore, it is becoming the target of malware that exploits the vulnerabilities of the security system. A few studies proposed models for the detection of mobile malware. Nevertheless, improvements are required to achieve maximum efficiency and performance. Hence, we implemented machine learning and deep learning approaches to detect Android-directed malicious attacks. The support vector machine (SVM), k-nearest neighbors (KNN), linear discriminant analysis (LDA), long short-term memory (LSTM), convolution neural network-long short-term memory (CNN-LSTM), and autoencoder algorithms were applied to identify malware in mobile environments. The cybersecurity system was tested with two Android mobile benchmark datasets. The correlation was calculated to find the high-percentage significant features of these systems in the protection against attacks. The machine learning and deep learning algorithms successfully detected the malware on Android applications. The SVM algorithm achieved the highest accuracy (100%) using the CICAndMal2017 dataset. The LSTM model also achieved a high percentage accuracy (99.40%) using the Drebin dataset. Additionally, by calculating the mean error, mean square error, root mean square error, and Pearson correlation, we found a strong relationship between the predicted values and the target values in the validation phase. The correlation coefficient for the SVM method was R2 = 100% using the CICAndMal2017 dataset, and LSTM achieved R2 = 97.39% in the Drebin dataset. Our results were compared with existing security systems, showing that the SVM, LSTM, and CNN-LSTM algorithms are of high efficiency in the detection of malware in the Android environment.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Caio C. Moreira,Davi C. Moreira,Claudomiro Sales

DOI: https://doi.org/10.1016/j.jisa.2024.103716

IF: 4.96

2024-02-10

Journal of Information Security and Applications

Abstract:This study presents a comprehensive static analysis method that combines multiple structural features extracted from Windows executable files. The method employs an ensemble soft voting model that comprises three machine learning techniques: Logistic Regression (LR), Random Forest (RF), and eXtreme Gradient Boosting (XGB). Our proposed model aims to identify newly emerged ransomware families by analyzing header fields, imported Dynamic-link Libraries (DLLs), function calls, and entropy of sections. To assess the method's efficacy in detecting zero-day ransomware families, we created a dataset consisting of 2675 binary samples. The training set consisted of 1023 samples from 25 relevant ransomware families and 1134 benign applications (goodware) samples. The testing set comprised 385 samples from 15 recent ransomware families and 133 goodware samples. The results for the Detection of New Ransomware Families (DNRF) demonstrated weighted averages of 97.53% accuracy, 96.36% precision, 97.52% recall, and 96.41% F-measure. In addition, the scanning and prediction showed an average of 0.37 s. These results showed the model's adaptability to the ever-changing ransomware landscape while maintaining reasonable testing times, making it applicable as an additional security layer in antivirus protection systems on low-resource hardware devices. Furthermore, we used the SHapley Additive exPlanations (SHAP) interpretation method to establish trust and gain insights into the decision-making process of the proposed model. Our method offers significant advantages and can assist developers of ransomware detection systems in creating more resilient, dependable, and real-time solutions.

computer science, information systems

Narendra Singh,Somanath Tripathy

DOI: https://doi.org/10.1016/j.cose.2024.103819

IF: 5.105

2024-03-29

Computers & Security

Abstract:Ransomware attacks disrupt and disable systems, demanding a ransom from the victim to restore functionality. Most of the state-of-the-art approaches focus on analyzing their behaviour at the post-infection, to identify ransomware and therefore, fails to detect at the early stage. This work proposes a ransomware detection mechanism named Weapon , to identify the threat at the pre-operational stage in Android system. Weapon extracts the key features from the behavioural characteristics (permissions and API calls) of the APK file and generates semantic features. Consequently, the MITRE ATT&CK framework is used to correlate with the semantic features to detect ransomware before its operational stage efficiently. The experimental results demonstrate that our approach could successfully identify 89.82% ransomware samples at the pre-operational stage.

computer science, information systems

Emad T Elkabbash,Reham R Mostafa,Sherif I Barakat

DOI: https://doi.org/10.1371/journal.pone.0260232

IF: 3.7

2021-11-19

PLoS ONE

Abstract:Smartphone usage is nearly ubiquitous worldwide, and Android provides the leading open-source operating system, retaining the most significant market share and active user population of all open-source operating systems. Hence, malicious actors target the Android operating system to capitalize on this consumer reliance and vulnerabilities present in the system. Hackers often use confidential user data to exploit users for advertising, extortion, and theft. Notably, most Android malware detection tools depend on conventional machine-learning algorithms; hence, they lose the benefits of metaheuristic optimization. Here, we introduce a novel detection system based on optimizing the random vector functional link (RVFL) using the artificial Jellyfish Search (JS) optimizer following dimensional reduction of Android application features. JS is used to determine the optimal configurations of RVFL to improve classification performance. RVFL+JS minimizes the runtime of the execution of the optimized models with the best performance metrics, based on a dataset consisting of 11,598 multi-class applications and 471 static and dynamic features.

Abdullah Alqahtani,Frederick T Sheldon

DOI: https://doi.org/10.3390/s22051837

2022-02-25

Abstract:Recently, ransomware attacks have been among the major threats that target a wide range of Internet and mobile users throughout the world, especially critical cyber physical systems. Due to its unique characteristics, ransomware has attracted the attention of security professionals and researchers toward achieving safer and higher assurance systems that can effectively detect and prevent such attacks. The state-of-the-art crypto ransomware early detection models rely on specific data acquired during the runtime of an attack's lifecycle. However, the evasive mechanisms that these attacks employ to avoid detection often nullify the solutions that are currently in place. More effort is needed to keep up with an attacks' momentum to take the current security defenses to the next level. This survey is devoted to exploring and analyzing the state-of-the-art in ransomware attack detection toward facilitating the research community that endeavors to disrupt this very critical and escalating ransomware problem. The focus is on crypto ransomware as the most prevalent, destructive, and challenging variation. The approaches and open issues pertaining to ransomware detection modeling are reviewed to establish recommendations for future research directions and scope.

Augusto Parisot,Raphael C. S. Machado,L. Bento

DOI: https://doi.org/10.1109/MetroInd4.0IoT61288.2024.10584155

2024-05-29

Abstract:With the significant rise in ransomware attacks in recent years, these malwares have emerged as one of the top threats to global cybersecurity. This article introduces a dynamic methodology for ransomware classification, leveraging the advanced analysis capabilities of the Cuckoo Sandbox combined with widely used machine learning techniques. We constructed three novel datasets focusing on API calls, network interactions, and string information extracted from malware samples, applying the TF-IDF technique for essential feature extraction. The efficacy of six machine learning (ML) classification algorithms is evaluated, with the Random Forest and Support Vector Machine models standing out for their exceptional robustness and adaptability across various preprocessing scenarios.

Computer Science