Dynamic Ransomware Detection for Windows Platform Using Machine Learning Classifiers

Abstract

In this world of growing technological advancements, ransomware attacks are also on the rise. This threat often affects the finance of individuals, organizations, and financial sectors. In order to effectively detect and block these ransomware threats, the dynamic analysis strategy was proposed and carried out as the approach of this research. This paper aims to detect ransomware attacks with dynamic analysis and classify the attacks using various machine learning classifiers namely: Random Forest, Naïve Bayes, J48, Decision Table and Hoeffding Tree. The TON IoT Datasets from the University of New South Wales' (UNSW) were used to capture ransomware attack features on Windows 7. During the experiment, a testbed was configured with numerous virtual Windows 7 machines and a single attacker host to carry out the ransomware attack. A total of 77 classification features are selected based on the changes before and after the attack. Random Forest and J48 classifiers outperformed other classifiers with the highest accuracy results of 99.74%. The confusion matrix highlights that both Random Forest and J48 classifiers are able to accurately classify the ransomware attacks with the AUC value of 0.997 respectively.  Our experimental result also suggests that dynamic analysis with machine learning classifier is an effective solution to detect ransomware with the accuracy percentage exceeds 98%.