Abstract
Cloud computing has become one of the most preferred solutions for enterprises to implement and extend various enterprise applications. The importance of virtual servers in cloud computing makes them a lucrative target for attackers. Current security mechanisms can be circumvented by malware present on the same machine. This paper presents an approach for reliable ransomware detection on an enterprise's private cloud. It captures the volatile memory state of virtual machines and extracts a valuable set of RAM, file system and network features after the execution of benign and malicious samples. Feature selection and machine learning techniques are then applied to these extracted features to determine the effectiveness of the proposed feature set. The proposed methodology is evaluated in four extensive experiments, and the results show that it can differentiate between benign and ransomware samples. The Random Forest classifier performed best in all experimental setups in comparison to all other classifiers. The proposed methodology can effectively serve as a basis for detecting infection in enterprise virtual machines.
Cite this article
Prachi, Kumar, S. An effective ransomware detection approach in a cloud environment using volatile memory features. J Comput Virol Hack Tech 18, 407–424 (2022). https://doi.org/10.1007/s11416-022-00425-2