Abstract
Ransomware attacks are hazardous cyber-attacks that use cryptographic methods to hold victims' data hostage until a ransom is paid. Zero-day ransomware attacks exploit previously unknown vulnerabilities and are considered a severe threat to existing security solutions and internet resources. In the case of zero-day attacks, no training data is available before the attack takes place. Therefore, we exploit Zero-shot Learning (ZSL), which can deal with unseen classes more effectively than traditional machine learning techniques. ZSL is a two-stage process comprising Attribute Learning (AL) and an Inference Stage (IS). This work presents a new Deep Contractive Autoencoder based Attribute Learning (DCAE-ZSL) technique together with an IS method based on a Heterogeneous Voting Ensemble (DCAE-ZSL-HVE). In the proposed DCAE-ZSL approach, a Contractive Autoencoder (CAE) is employed to extract core features of known and unknown ransomware. The regularization term of the CAE penalizes the encoder's sensitivity to small dissimilarities in the input, so that nearby inputs map to nearby points in the latent space. In the IS, four combination rules, Global Majority (GM), Local Majority (LM), Cumulative Vote-against based Global Majority (CVAGM) and Cumulative Vote-for based Global Majority (CVFGM), are used to obtain the final prediction. It is empirically shown that, compared to conventional machine learning techniques, models trained on the contractive embedding show reasonable performance against zero-day attacks. Furthermore, exploiting these core features through the proposed voting based ensemble (DCAE-ZSL-HVE) yields a significant improvement in detecting zero-day attacks (recall = 0.95) and in reducing False Negatives (FN = 6).
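The contractive regularization term mentioned above is the squared Frobenius norm of the encoder Jacobian, which for a sigmoid encoder has the closed form given by Rifai et al. (2011). The following Python snippet is an added illustration, not code from the paper or its authors: it assumes a single-layer sigmoid encoder with tied decoder weights, computes the contractive penalty analytically, cross-checks it against a finite-difference Jacobian, and measures how far the latent code moves for a small input perturbation. The feature vector, weights and biases are constructed sample values, not the paper's data.

```python
import math

# Constructed sample input: 4 normalised behavioural features of one sample,
# a 3x4 encoder weight matrix, and encoder/decoder biases. Illustrative only.
SAMPLE_X = [0.8, 0.1, 0.55, 0.3]
SAMPLE_W = [[0.9, -0.4, 0.2, 0.7],
            [-0.3, 0.5, 0.8, -0.6],
            [0.1, 0.2, -0.7, 0.4]]
SAMPLE_B = [0.05, -0.1, 0.0]          # encoder bias (one per hidden unit)
SAMPLE_C = [0.0, 0.0, 0.0, 0.0]       # decoder bias (one per input feature)


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def encode(x, W, b):
    """Hidden code h_j = s(sum_i W_ji x_i + b_j) for a sigmoid encoder."""
    return [sigmoid(sum(w * xi for w, xi in zip(row, x)) + bj)
            for row, bj in zip(W, b)]


def decode(h, W, c):
    """Tied-weight decoder: r_i = s(sum_j W_ji h_j + c_i)."""
    return [sigmoid(sum(W[j][i] * h[j] for j in range(len(h))) + c[i])
            for i in range(len(c))]


def contractive_penalty(x, W, b):
    """Closed-form ||dh/dx||_F^2 for a sigmoid encoder (Rifai et al. 2011):
    each Jacobian entry is h_j(1-h_j) W_ji, so the squared norm is
    sum_j (h_j(1-h_j))^2 * sum_i W_ji^2."""
    h = encode(x, W, b)
    return sum((hj * (1.0 - hj)) ** 2 * sum(w * w for w in row)
               for hj, row in zip(h, W))


def numeric_jacobian_penalty(x, W, b, eps=1e-6):
    """Central finite-difference estimate of ||dh/dx||_F^2, used to verify
    the closed form above."""
    total = 0.0
    for i in range(len(x)):
        xp, xm = list(x), list(x)
        xp[i] += eps
        xm[i] -= eps
        hp, hm = encode(xp, W, b), encode(xm, W, b)
        total += sum(((a - m) / (2.0 * eps)) ** 2 for a, m in zip(hp, hm))
    return total


def cae_loss(x, W, b, c, lam):
    """CAE objective: reconstruction error + lam * contractive penalty.
    Returns (total, reconstruction, penalty)."""
    h = encode(x, W, b)
    r = decode(h, W, c)
    recon = sum((ri - xi) ** 2 for ri, xi in zip(r, x))
    pen = contractive_penalty(x, W, b)
    return recon + lam * pen, recon, pen


def latent_shift(x, W, b, delta):
    """||h(x + delta) - h(x)|| / ||delta||: how strongly a small input
    change is amplified in the latent space (bounded by ||J||_F)."""
    h0 = encode(x, W, b)
    h1 = encode([xi + di for xi, di in zip(x, delta)], W, b)
    num = math.sqrt(sum((a - o) ** 2 for a, o in zip(h1, h0)))
    den = math.sqrt(sum(d * d for d in delta))
    return num / den


if __name__ == "__main__":
    total, recon, pen = cae_loss(SAMPLE_X, SAMPLE_W, SAMPLE_B, SAMPLE_C, 0.1)
    print("reconstruction error:", recon)
    print("contractive penalty  :", pen)
    print("finite-difference    :", numeric_jacobian_penalty(SAMPLE_X, SAMPLE_W, SAMPLE_B))
    print("latent shift ratio   :", latent_shift(SAMPLE_X, SAMPLE_W, SAMPLE_B, [1e-4, 0, -1e-4, 0]))
```

Training would minimise `cae_loss` over all samples; a larger `lam` drives the Jacobian norm down, which is what makes the learned embedding insensitive to small feature perturbations and therefore usable as a shared representation for seen and unseen ransomware classes.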
Data Availability
All the datasets used in this work are publicly available, whereas datasets that are generated during simulations are available from the corresponding author on reasonable request.
Acknowledgements
The authors would like to thank the Pattern Recognition Lab at the Pakistan Institute of Engineering and Applied Sciences for providing them with a healthy research environment and computational facilities.
Ethics declarations
Conflicts of interest
The authors declare no conflict of interest.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Cite this article
Zahoora, U., Rajarajan, M., Pan, Z. et al. Zero-day Ransomware Attack Detection using Deep Contractive Autoencoder and Voting based Ensemble Classifier. Appl Intell 52, 13941–13960 (2022). https://doi.org/10.1007/s10489-022-03244-6