Classifying Ransomware Using Machine Learning Algorithms

  • Samuel Egunjobi
  • Simon Parkinson
  • Andrew Crampton
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11872)


Ransomware is a continuing threat, and it has resulted in a battle between the development and the detection of new techniques. Detection and mitigation systems have been developed and are in wide-scale use; however, their reactive nature has resulted in a continuing process of evolution and updating. This is largely because detection mechanisms can often be circumvented by introducing changes in the malicious code and its behaviour. In this paper, we demonstrate a classification technique that integrates both static and dynamic features to increase the accuracy of detection and classification of ransomware. We train supervised machine learning algorithms using a test set and use a confusion matrix to observe accuracy, enabling a systematic comparison of each algorithm. In this work, supervised algorithms such as the Naïve Bayes algorithm achieved an accuracy of 96% on the test set, SVM 99.5%, random forest 99.5%, and 96%. We also use Youden’s index to determine sensitivity and specificity.


Ransomware, Malware, Machine Learning



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Department of Computer Science, School of Computing and Engineering, University of Huddersfield, Queensgate, UK