Prevention of Crypto-Ransomware Using a Pre-Encryption Detection Algorithm-Reference-Cited by-同舟云学术

Prevention of Crypto-Ransomware Using a Pre-Encryption Detection Algorithm

Published:2019-11-01 Issue:4 Volume:8 Page:79
ISSN:2073-431X
Container-title:Computers
language:en
Short-container-title:Computers

Author:

Kok S.^ORCID,Abdullah Azween^ORCID,Jhanjhi NZ^ORCID,Supramaniam Mahadevan^ORCID

Abstract

Ransomware is a relatively new type of intrusion attack, and is made with the objective of extorting a ransom from its victim. There are several types of ransomware attacks, but the present paper focuses only upon the crypto-ransomware, because it makes data unrecoverable once the victim’s files have been encrypted. Therefore, in this research, it was proposed that machine learning is used to detect crypto-ransomware before it starts its encryption function, or at the pre-encryption stage. Successful detection at this stage is crucial to enable the attack to be stopped from achieving its objective. Once the victim was aware of the presence of crypto-ransomware, valuable data and files can be backed up to another location, and then an attempt can be made to clean the ransomware with minimum risk. Therefore we proposed a pre-encryption detection algorithm (PEDA) that consisted of two phases. In, PEDA-Phase-I, a Windows application programming interface (API) generated by a suspicious program would be captured and analyzed using the learning algorithm (LA). The LA can determine whether the suspicious program was a crypto-ransomware or not, through API pattern recognition. This approach was used to ensure the most comprehensive detection of both known and unknown crypto-ransomware, but it may have a high false positive rate (FPR). If the prediction was a crypto-ransomware, PEDA would generate a signature of the suspicious program, and store it in the signature repository, which was in Phase-II. In PEDA-Phase-II, the signature repository allows the detection of crypto-ransomware at a much earlier stage, which was at the pre-execution stage through the signature matching method. This method can only detect known crypto-ransomware, and although very rigid, it was accurate and fast. The two phases in PEDA formed two layers of early detection for crypto-ransomware to ensure zero files lost to the user. However in this research, we focused upon Phase-I, which was the LA. Based on our results, the LA had the lowest FPR of 1.56% compared to Naive Bayes (NB), Random Forest (RF), Ensemble (NB and RF) and EldeRan (a machine learning approach to analyze and classify ransomware). Low FPR indicates that LA has a low probability of predicting goodware wrongly.

Publisher

MDPI AG

Subject

Computer Networks and Communications,Human-Computer Interaction

Link

https://www.mdpi.com/2073-431X/8/4/79/pdf

Reference35 articles.

1. A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage Control;Tailor;Int. J. Res. Sci. Innov.,2017

2. A review of latest wannacry ransomware: Actions and preventions;Askarifar;J. Eng. Sci. Technol.,2018

3. A Survey of Malware Detection Techniques;Mathur,2007

4. A Short Review for Ransomware: Pros and Cons;Shakir,2018

Cited by 68 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Trends and challenges in research into the human aspects of ransomware: a systematic mapping study;Information & Computer Security;2024-07-05

2. Ransomware Detection Model Based on Adaptive Graph Neural Network Learning;Applied Sciences;2024-05-27

3. Malware Detection using Machine Learning;International Journal of Innovative Science and Research Technology (IJISRT);2024-05-07

4. An Empirical Study of Data Disruption by Ransomware Attacks;Proceedings of the IEEE/ACM 46th International Conference on Software Engineering;2024-04-12

5. Ransomware early detection: A survey;Computer Networks;2024-02