Zero-day Ransomware Attack Detection using Deep Contractive Autoencoder and Voting based Ensemble Classifier

Applied Intelligence

Abstract

Ransomware attacks are hazardous cyber-attacks that use cryptographic methods to hold victims' data until the ransom is paid. Zero-day ransomware attacks try to exploit new vulnerabilities and are considered a severe threat to existing security solutions and internet resources. In the case of zero-day attacks, training data is not available before the attack takes place. Therefore, we exploit Zero-shot Learning (ZSL), which can deal with unseen classes more effectively than traditional machine learning techniques. ZSL is a two-stage process comprising Attribute Learning (AL) and an Inference Stage (IS). In this regard, this work presents a new Deep Contractive Autoencoder based Attribute Learning (DCAE-ZSL) technique as well as an IS method based on a Heterogeneous Voting Ensemble (DCAE-ZSL-HVE). In the proposed DCAE-ZSL approach, a Contractive Autoencoder (CAE) is employed to extract core features of known and unknown ransomware. The regularization term of the CAE penalizes the classifier's sensitivity to small dissimilarities in the latent space. In the IS, four combination rules are used to obtain the final prediction: Global Majority (GM), Local Majority (LM), Cumulative Vote-against based Global Majority (CVAGM), and Cumulative Vote-for based Global Majority (CVFGM). It is empirically shown that, in comparison to conventional machine learning techniques, models trained on the contractive embedding show reasonable performance against zero-day attacks. Furthermore, exploiting these core features through the proposed voting based ensemble (DCAE-ZSL-HVE) yields a significant improvement in detecting zero-day attacks (recall = 0.95) and in reducing False Negatives (FN = 6).
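The contractive regularization the abstract relies on is the squared Frobenius norm of the encoder's Jacobian (Rifai et al., 2011), which penalizes how strongly the latent code reacts to small input changes. The following is an added illustration, not the paper's code: a single-layer sigmoid encoder with tied-weight decoder, the penalty in closed form, a finite-difference check, and the first-order bound the penalty places on latent drift under a small perturbation; the weights, the sample vector and the perturbation are constructed at random.

```python
import numpy as np

# Added example, not the paper's code: a one-hidden-layer sigmoid encoder with a
# tied-weight decoder and the contractive penalty ||J_f(x)||_F^2 of Rifai et al. (2011).
def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))
def encode(x, W, b):
    """Latent code h = sigmoid(W x + b); W has shape (latent, input)."""
    return sigmoid(W @ x + b)
def decode(h, W, b_out):
    """Tied-weight decoder: reconstruct x from h using W transposed."""
    return sigmoid(W.T @ h + b_out)

def contractive_penalty(x, W, b):
    """||J_f(x)||_F^2. For a sigmoid encoder J = diag(h(1-h)) W, so the
    squared Frobenius norm is sum_j (h_j(1-h_j))^2 * sum_i W_ji^2."""
    h = encode(x, W, b)
    dh = h * (1.0 - h)
    return float(np.sum(dh ** 2 * np.sum(W ** 2, axis=1)))

def jacobian_fd(x, W, b, eps=1e-6):
    """Central-difference Jacobian of the encoder, used only as a check."""
    J = np.zeros((W.shape[0], x.shape[0]))
    for i in range(x.shape[0]):
        e = np.zeros_like(x)
        e[i] = eps
        J[:, i] = (encode(x + e, W, b) - encode(x - e, W, b)) / (2 * eps)
    return J
def penalty_error(x, W, b):
    """Gap between the closed form and the finite-difference Frobenius norm."""
    return abs(float(np.sum(jacobian_fd(x, W, b) ** 2)) - contractive_penalty(x, W, b))

def latent_shift(x, d, W, b):
    """Distance the code moves under perturbation d; first-order bound is sqrt(penalty)*||d||."""
    return float(np.linalg.norm(encode(x + d, W, b) - encode(x, W, b)))

def cae_loss(x, W, b, b_out, lam):
    """Squared reconstruction error plus lam times the contractive penalty."""
    x_hat = decode(encode(x, W, b), W, b_out)
    return float(np.sum((x - x_hat) ** 2)) + lam * contractive_penalty(x, W, b)

# Constructed parameters and sample: 6 input features, 4 latent units.
rng = np.random.default_rng(0)
W = rng.normal(scale=0.5, size=(4, 6))
b = rng.normal(scale=0.1, size=4)
b_out = rng.normal(scale=0.1, size=6)
x = rng.normal(size=6)
d = 1e-3 * rng.normal(size=6)  # small perturbation of the sample
```

Increasing `lam` trades reconstruction fidelity for a flatter encoder, which is the property the abstract credits for the embedding's robustness to small dissimilarities between known and unseen ransomware samples.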

Data Availability

All the datasets used in this work are publicly available, whereas datasets that are generated during simulations are available from the corresponding author on reasonable request.

Acknowledgements

The authors would like to thank the Pattern Recognition Lab at the Pakistan Institute of Engineering and Applied Sciences for providing them with a healthy research environment and computational facilities.

Corresponding author

Correspondence to Asifullah Khan.

Ethics declarations

Conflicts of interest

Authors declare no conflict of interest.

Cite this article

Zahoora, U., Rajarajan, M., Pan, Z. et al. Zero-day Ransomware Attack Detection using Deep Contractive Autoencoder and Voting based Ensemble Classifier. Appl Intell 52, 13941–13960 (2022). https://doi.org/10.1007/s10489-022-03244-6
