An effective ransomware detection approach in a cloud environment using volatile memory features

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Cloud computing has become one of the most preferred solutions for enterprises to implement and extend various enterprise applications. The importance of virtual servers in cloud computing makes them a lucrative target for attackers. Current security mechanisms can be circumvented by malware present on the same machine. This paper presents an approach for reliable ransomware detection on an enterprise's private cloud. It captures the volatile memory state of virtual machines and extracts a valuable set of RAM, file system and network features after execution of benign and malicious samples. Feature selection and machine learning techniques are then applied to these extracted features to determine the effectiveness of the proposed feature set. The proposed methodology is evaluated in four extensive experiments, and the results show that it can differentiate between benign and ransomware samples. The Random Forest classifier performed best in all experiment setups in comparison to all other classifiers. The proposed methodology can effectively serve as a basis for detecting infection in enterprise virtual machines.
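The pipeline the abstract describes (per-snapshot feature vectors taken from a VM's memory state, a feature-selection step, then a tree-ensemble classifier) is sketched below as an added example. It is not the paper's code: the feature names are hypothetical stand-ins for the kind of RAM, file-system and network counts a memory image could yield, the ten snapshots are constructed, and the ensemble of bagged decision stumps is a pure-Python stand-in for a Random Forest so the example runs without scikit-learn. Feature selection uses information gain over a single-threshold split, which is one common filter criterion and is assumed here, not taken from the paper.

```python
"""Toy memory-feature ransomware classifier: rank features by information gain,
then vote over bagged decision stumps (a minimal Random Forest stand-in)."""
import math
import random
from collections import Counter

# Hypothetical feature names; the paper does not list its features on this page.
FEATURES = ["proc_count", "net_conns", "open_handles", "new_ext_files"]

# Constructed sample data: one row per VM snapshot captured after a sample ran.
# Label 1 = ransomware, 0 = benign.
SAMPLES = [
    ({"proc_count": 41, "net_conns": 3, "open_handles": 180, "new_ext_files": 0}, 0),
    ({"proc_count": 43, "net_conns": 5, "open_handles": 210, "new_ext_files": 0}, 0),
    ({"proc_count": 40, "net_conns": 2, "open_handles": 150, "new_ext_files": 1}, 0),
    ({"proc_count": 44, "net_conns": 4, "open_handles": 240, "new_ext_files": 0}, 0),
    ({"proc_count": 42, "net_conns": 9, "open_handles": 200, "new_ext_files": 2}, 0),
    ({"proc_count": 45, "net_conns": 9, "open_handles": 900, "new_ext_files": 350}, 1),
    ({"proc_count": 47, "net_conns": 12, "open_handles": 1200, "new_ext_files": 420}, 1),
    ({"proc_count": 44, "net_conns": 8, "open_handles": 850, "new_ext_files": 300}, 1),
    ({"proc_count": 46, "net_conns": 15, "open_handles": 1100, "new_ext_files": 510}, 1),
    ({"proc_count": 43, "net_conns": 7, "open_handles": 780, "new_ext_files": 280}, 1),
]


def entropy(labels):
    """Shannon entropy (bits) of a label list; 0 for an empty or pure list."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values()) if n else 0.0


def information_gain(rows, feature):
    """Best single-threshold split on `feature`; returns (gain, threshold)."""
    labels = [y for _, y in rows]
    base = entropy(labels)
    vals = sorted({r[feature] for r, _ in rows})
    best = (0.0, vals[0])
    for lo, hi in zip(vals, vals[1:]):
        t = (lo + hi) / 2  # candidate thresholds sit between observed values
        left = [y for r, y in rows if r[feature] <= t]
        right = [y for r, y in rows if r[feature] > t]
        gain = base - (len(left) * entropy(left) + len(right) * entropy(right)) / len(rows)
        if gain > best[0]:
            best = (gain, t)
    return best


def rank_features(rows, features=FEATURES):
    """Feature-selection step: features ordered by information gain, best first."""
    return sorted(features, key=lambda f: information_gain(rows, f)[0], reverse=True)


class Stump:
    """One-level decision tree: predict by comparing a single feature to a threshold."""

    def __init__(self, feature, threshold, left_label, right_label):
        self.feature, self.threshold = feature, threshold
        self.left_label, self.right_label = left_label, right_label

    def predict(self, row):
        return self.left_label if row[self.feature] <= self.threshold else self.right_label


def fit_stump(rows, features):
    """Pick the feature/threshold with the highest gain among `features`."""
    best_f, best_gain, best_t = None, -1.0, None
    for f in features:
        gain, t = information_gain(rows, f)
        if gain > best_gain:
            best_f, best_gain, best_t = f, gain, t
    left = [y for r, y in rows if r[best_f] <= best_t]
    right = [y for r, y in rows if r[best_f] > best_t]
    majority = lambda ls: Counter(ls).most_common(1)[0][0] if ls else 0
    return Stump(best_f, best_t, majority(left), majority(right))


def fit_forest(rows, n_trees=25, n_feats=2, seed=7):
    """Bagging + random feature subsets per tree, the two ingredients of a Random Forest."""
    rng = random.Random(seed)
    forest = []
    for _ in range(n_trees):
        boot = [rng.choice(rows) for _ in rows]          # bootstrap resample
        feats = rng.sample(FEATURES, n_feats)            # random feature subset
        forest.append(fit_stump(boot, feats))
    return forest


def predict(forest, row):
    """Majority vote across all stumps."""
    return Counter(s.predict(row) for s in forest).most_common(1)[0][0]


def accuracy(forest, rows):
    return sum(predict(forest, r) == y for r, y in rows) / len(rows)


if __name__ == "__main__":
    print("feature ranking:", rank_features(SAMPLES))
    forest = fit_forest(SAMPLES)
    print("training accuracy:", accuracy(forest, SAMPLES))
    unseen = {"proc_count": 46, "net_conns": 11, "open_handles": 1000, "new_ext_files": 390}
    print("unseen snapshot ->", "ransomware" if predict(forest, unseen) else "benign")
```

On the constructed data the file-system and handle-count features separate the classes cleanly and rank first, while the process count, which barely moves when ransomware runs, ranks last; that is the kind of signal the feature-selection step is meant to surface before training. Real memory images would feed the same structure with features pulled from a forensic framework, and the evaluation would use held-out snapshots rather than training accuracy.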




Author information

Corresponding author: Prachi.


Cite this article

Prachi, Kumar, S. An effective ransomware detection approach in a cloud environment using volatile memory features. J Comput Virol Hack Tech 18, 407–424 (2022). https://doi.org/10.1007/s11416-022-00425-2
