Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection

  • Omar M. K. Alhawi
  • James Baldwin
  • Ali Dehghantanha (email author)
Part of the Advances in Information Security book series (ADIS, volume 70)


Abstract

Ransomware has become a significant global threat: the ransomware-as-a-service model makes it easy to obtain and deploy, and the potential for high revenues creates a viable criminal business model. Individuals, private companies, and public service providers (e.g. healthcare or utility companies) can all become victims of ransomware attacks and consequently suffer severe disruption and financial loss. Although machine learning algorithms are already being used to detect ransomware, variants are being developed specifically to evade detection by dynamic machine learning techniques. In this paper we introduce NetConverse, a machine learning evaluation study for consistent detection of Windows ransomware network traffic. Using a dataset created from conversation-based network traffic features, we achieved a True Positive Rate (TPR) of 97.1% with the Decision Tree (J48) classifier.


Keywords

Ransomware, Malware detection, Machine learning, Network traffic, Intrusion detection



Acknowledgements

We should acknowledge and thank Virus Total for graciously providing us with a private API key for use during our research to prepare the dataset. The authors would like to thank Mr. Ali Feizollah for his assistance with the feature extraction process. This work is partially supported by the European Council 268 International Incoming Fellowship (FP7-PEOPLE-2013-IIF) grant.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Omar M. K. Alhawi (1)
  • James Baldwin (1)
  • Ali Dehghantanha (2), email author

  1. School of Computing, Science and Engineering, University of Salford, Manchester, UK
  2. Department of Computer Science, University of Sheffield, Sheffield, UK
