Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection
Ransomware has become a significant global threat: the ransomware-as-a-service model makes it easy to obtain and deploy, and the potential for high revenues creates a viable criminal business model. Individuals, private companies and public service providers (e.g. healthcare or utility companies) can all become victims of ransomware attacks and consequently suffer severe disruption and financial loss. Although machine learning algorithms are already being used to detect ransomware, variants are being developed specifically to evade detection by dynamic machine learning techniques. In this paper we introduce NetConverse, a machine learning evaluation study for consistent detection of Windows ransomware network traffic. Using a dataset created from conversation-based network traffic features, we achieved a True Positive Rate (TPR) of 97.1% using the Decision Tree (J48) classifier.
Keywords: Ransomware; Malware detection; Machine learning; Network traffic; Intrusion detection
We should acknowledge and thank Virus Total for graciously providing us with a private API key for use during our research to prepare the dataset. The authors would like to thank Mr. Ali Feizollah for his assistance with the feature extraction process. This work is partially supported by the European Council 268 International Incoming Fellowship (FP7-PEOPLE-2013-IIF) grant.
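The abstract describes building the dataset from conversation-based network traffic features before training the J48 classifier. The following is an added illustration of that preprocessing step, not code from the paper: it groups unidirectional flow records into bidirectional host-pair conversations and emits one feature row per conversation. The flow record format, the 60-second idle timeout and the particular features (duration, flow count, packets and bytes per direction) are assumptions; the paper does not list its feature set here.

```python
from collections import defaultdict, namedtuple
# One unidirectional flow record (constructed format, not the paper's dataset).
Flow = namedtuple("Flow", "src dst proto start end packets bytes")

def conversation_key(flow):
    """Bidirectional key: traffic in both directions between two hosts shares one conversation."""
    a, b = sorted([flow.src, flow.dst])
    return (a, b, flow.proto)

def build_conversations(flows, gap=60.0):
    """Group flows into conversations per host pair and protocol. A new conversation
    starts when the idle time since the previous flow exceeds `gap` seconds (assumed value)."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[conversation_key(f)].append(f)
    convs = []
    for key, fs in by_key.items():
        fs.sort(key=lambda f: f.start)
        current = [fs[0]]
        for f in fs[1:]:
            if f.start - max(x.end for x in current) > gap:
                convs.append((key, current))
                current = [f]
            else:
                current.append(f)
        convs.append((key, current))
    return convs

def conversation_features(key, fs):
    """Feature vector for one conversation: duration, flow count, volume in each direction."""
    a, b, proto = key
    fwd = [f for f in fs if f.src == a]
    rev = [f for f in fs if f.src == b]
    duration = max(f.end for f in fs) - min(f.start for f in fs)
    return {"hosts": (a, b), "proto": proto, "duration": duration, "flows": len(fs),
            "pkts_ab": sum(f.packets for f in fwd), "pkts_ba": sum(f.packets for f in rev),
            "bytes_ab": sum(f.bytes for f in fwd), "bytes_ba": sum(f.bytes for f in rev)}

# Constructed sample: 10.0.0.5 polls 203.0.113.7 repeatedly, then once more after a long gap.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", "tcp", 0.0, 1.0, 6, 900),
    Flow("203.0.113.7", "10.0.0.5", "tcp", 0.0, 1.0, 5, 4200),
    Flow("10.0.0.5", "203.0.113.7", "tcp", 30.0, 31.0, 6, 900),
    Flow("10.0.0.5", "203.0.113.7", "tcp", 500.0, 501.0, 4, 600),
    Flow("10.0.0.5", "192.0.2.10", "udp", 2.0, 2.1, 1, 80),
]

def dataset(flows=SAMPLE_FLOWS):
    """Rows ready to be labelled (ransomware / benign) and fed to a classifier such as J48."""
    return [conversation_features(k, fs) for k, fs in build_conversations(flows)]
```

Each row would then be labelled from the capture it came from and written out (for example as a Weka ARFF file) for classifier evaluation.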