An Incremental Mutual Information-Selection Technique for Early Ransomware Detection
Abstract
:1. Introduction
- An incremental mutual information-selection (IMIS) technique was developed to adaptively reassess the relevancy of selected features dynamically when new data arrives.
- The IMIS was integrated into a DBN-based ransomware-detection model for better detection accuracy.
- An extensive experimental evaluation of the IMIS was conducted and compared with the existing methods to measure the improvement achieved.
2. Related Works
3. Methodology
3.1. Incremental Mutual Information Selection (IMIS)
3.1.1. Correlation Coefficient Calculation
3.1.2. Adjusting the Weighting Factor
3.1.3. Formulating the Adjustment Function
3.2. Integration of Incremental Mutual Information Selection (IMIS) into a DBN-Based Ransomware-Detection Model
Algorithm 1: Incremental Mutual Information Selection (IMIS) |
Input: |
Data_Batches: Stream of data batches from devices |
Target_Class: The class variable for intrusion detection (e.g., normal or attack) |
Alpha: Weighting factor for balancing historical and new data (initially set) |
Threshold: Threshold for significant change in mutual information |
Output: |
Selected_Features: Set of features selected for intrusion detection |
Procedure IMIS(Data_Batches, Target_Class, Alpha, Threshold): |
Initialize Historical_MI as an empty dictionary |
Initialize Selected_Features as an empty set |
for each Batch in Data_Batches: |
Current_MI = CalculateMutualInformation(Batch, Target_Class) |
Historical_MI = UpdateFeatureRelevance(Historical_MI, Current_MI, Alpha) |
Selected_Features = SelectAndUpdateFeatures(Historical_MI, Selected_Features, Threshold) |
Yield Selected_Features |
Procedure CalculateMutualInformation(Batch, Target_Class): |
return {Feature: ComputeMutualInformation(Feature, Target_Class) for Feature in Batch} |
Procedure UpdateFeatureRelevance(Historical_MI, Current_MI, Alpha): |
return {Feature: Alpha ×Historical_MI.get(Feature, 0) + (1 - Alpha) ×MI for Feature, MI in Current_MI.items()} |
Procedure SelectAndUpdateFeatures(Historical_MI, Selected_Features, Threshold): |
return {Feature for Feature, MI in Historical_MI.items() if MI > Threshold or Feature in Selected_Features} |
3.3. Training the IMIS-DBN Ransomware-Detection Model
4. Results and Discussion
5. Conclusions
Author Contributions
Funding
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Neprash, H.T.; McGlave, C.C.; Cross, D.A.; Virnig, B.A.; Puskarich, M.A.; Huling, J.D.; Rozenshtein, A.Z.; Nikpay, S.S. Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016–2021. JAMA Health Forum 2022, 3, e224873. [Google Scholar] [CrossRef]
- Wang, Z.; Liu, C.; Qiu, J.; Tian, Z.; Cui, X.; Su, S. Automatically Traceback RDP-Based Targeted Ransomware Attacks. Wirel. Commun. Mob. Comput. 2018, 2018, 7943586. [Google Scholar] [CrossRef]
- Aboaoja, F.A.; Zainal, A.; Ghaleb, F.A.; Al-rimy, B.A.S. Toward an ensemble behavioral-based early evasive malware detection framework. In Proceeding of the 2021 International Conference on Data Science and Its Applications (ICoDSA), Bandung, Indonesia, 6–7 October 2021; IEEE: New York, NY, USA, 2021; pp. 181–186. [Google Scholar]
- Oz, H.; Aris, A.; Levi, A.; Uluagac, A.S. A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions. ACM Comput. Surv. 2022, 54, 1–37. [Google Scholar] [CrossRef]
- Razaulla, S.; Fachkha, C.; Markarian, C.; Gawanmeh, A.; Mansoor, W.; Fung, B.C.M.; Assi, C. The Age of Ransomware: A Survey on the Evolution, Taxonomy, and Research Directions. IEEE Access 2023, 11, 40698–40723. [Google Scholar] [CrossRef]
- Gazzan, M.; Alqahtani, A.; Sheldon, F.T. Key Factors Influencing the Rise of Current Ransomware Attacks on Industrial Control Systems. In Proceedings of the 2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 27–30 January 2021; IEEE: New York, NY, USA, 2021; pp. 1417–1422. [Google Scholar]
- Benmalek, M. Ransomware on cyber-physical systems: Taxonomies, case studies, security gaps, and open challenges. Internet Things Cyber-Phys. Syst. 2024, 4, 186–202. [Google Scholar] [CrossRef]
- Urooj, U.; Maarof, M.A.B.; Al-rimy, B.A.S. A proposed Adaptive Pre-Encryption Crypto-Ransomware Early Detection Model. In Proceedings of the 2021 3rd International Cyber Resilience Conference (CRC), Langkawi Island, Malaysia, 29–31 January 2021; IEEE: New York, NY, USA, 2021; pp. 1–6. [Google Scholar]
- Eliando, E.; Purnomo, Y. LockBit 2.0 Ransomware: Analysis of infection, persistence, prevention mechanism. CogITo Smart J. 2022, 8, 232–243. [Google Scholar] [CrossRef]
- Gazzan, M.; Sheldon, F.T. An enhanced minimax loss function technique in generative adversarial network for ransomware behavior prediction. Futur. Internet 2023, 15, 318. [Google Scholar] [CrossRef]
- Almashhadani, A.O.; Kaiiali, M.; Sezer, S.; O’Kane, P. A Multi-Classifier Network-Based Crypto Ransomware Detection System: A Case Study of Locky Ransomware. IEEE Access 2019, 7, 47053–47067. [Google Scholar] [CrossRef]
- Al-Rimy, B.A.S.; Maarof, M.A.; Alazab, M.; Alsolami, F.; Shaid, S.Z.M.; Ghaleb, F.A.; Al-Hadhrami, T.; Ali, A.M. A Pseudo Feedback-Based Annotated TF-IDF Technique for Dynamic Crypto-Ransomware Pre-Encryption Boundary Delineation and Features Extraction. IEEE Access 2020, 8, 140586–140598. [Google Scholar] [CrossRef]
- Dini, P.; Elhanashi, A.; Begni, A.; Saponara, S.; Zheng, Q.; Gasmi, K. Overview on Intrusion Detection Systems Design Exploiting Machine Learning for Networking Cybersecurity. Appl. Sci. 2023, 13, 7507. [Google Scholar] [CrossRef]
- Zimba, A.; Wang, Z.; Simukonda, L. Towards Data Resilience: The Analytical Case of Crypto Ransomware Data Recovery Techniques. Int. J. Inf. Technol. Comput. Sci. 2018, 10, 40–51. [Google Scholar] [CrossRef]
- Al-Rimy, B.A.S.; Maarof, M.A.; Alazab, M.; Shaid, S.Z.M.; Ghaleb, F.A.; Almalawi, A.; Ali, A.M.; Al-Hadhrami, T. Redundancy coefficient gradual up-weighting-based mutual information feature selection technique for crypto-ransomware early detection. Futur. Gener. Comput. Syst. 2021, 115, 641–658. [Google Scholar] [CrossRef]
- Kumar, P.; Ramlie, H.R.E.B.H. Anatomy of Ransomware: Attack Stages, Patterns and Handling Techniques. In Proceedings of the International Conference on Computational Intelligence in Information System, Bandar Seri Begawan, Brunei Darussalam, 25–27 January 2021. [Google Scholar] [CrossRef]
- Al-Dwairi, M.; Shatnawi, A.S.; Al-Khaleel, O.; Al-Duwairi, B. Ransomware-Resilient Self-Healing XML Documents. Futur. Internet 2022, 14, 115. [Google Scholar] [CrossRef]
- Gazzan, M.; Sheldon, F.T. Opportunities for Early Detection and Prediction of Ransomware Attacks against Industrial Control Systems. Futur. Internet 2023, 15, 144. [Google Scholar] [CrossRef]
- Garmehi, M. Risks, Limitations and the Need for Additional Measures Against Ransomware in the Health Information Technology Infrastructure. J. North Khorasan Univ. Med. Sci. 2022, 14, 79–85. [Google Scholar] [CrossRef]
- Tzachor, A.; Devare, M.; King, B.; Avin, S.; Héigeartaigh, S. Responsible artificial intelligence in agriculture requires systemic understanding of risks and externalities. Nat. Mach. Intell. 2022, 4, 104–109. [Google Scholar] [CrossRef]
- Ali, A.; Al-Rimy, B.A.S.; Almazroi, A.A.; Alsubaei, F.S.; Almazroi, A.A.; Saeed, F. Securing secrets in cyber-physical systems: A cutting-edge privacy approach with consortium blockchain. Sensors 2023, 23, 7162. [Google Scholar] [CrossRef]
- Beaman, C.; Barkworth, A.; Akande, T.D.; Hakak, S.; Khan, M.K. Ransomware: Recent advances, analysis, challenges and future research directions. Comput. Secur. 2021, 111, 102490. [Google Scholar] [CrossRef]
- Dargahi, T.; Dehghantanha, A.; Bahrami, P.N.; Conti, M.; Bianchi, G.; Benedetto, L. A Cyber-Kill-Chain based taxonomy of crypto-ransomware features. J. Comput. Virol. Hacking Tech. 2019, 15, 277–305. [Google Scholar] [CrossRef]
- Szücs, V.; Arányi, G.; Dávid, Á. Introduction of the ARDS—Anti-Ransomware Defense System Model—Based on the Systematic Review of Worldwide Ransomware Attacks. Appl. Sci. 2021, 11, 6070. [Google Scholar] [CrossRef]
- Ahmed, Y.A.; Huda, S.; Al-Rimy, B.A.S.; Alharbi, N.; Saeed, F.; Ghaleb, F.A.; Ali, I.M. A Weighted Minimum Redundancy Maximum Relevance Technique for Ransomware Early Detection in Industrial IoT. Sustainability 2022, 14, 1231. [Google Scholar] [CrossRef]
- Homayoun, S.; Dehghantanha, A.; Ahmadzadeh, M.; Hashemi, S.; Khayami, R. Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence. IEEE Trans. Emerg. Top. Comput. 2017, 8, 341–351. [Google Scholar] [CrossRef]
- Homayoun, S.; Dehghantanha, A.; Ahmadzadeh, M.; Hashemi, S.; Khayami, R.; Choo, K.-K.R.; Newton, D.E. DRTHIS: Deep ransomware threat hunting and intelligence system at the fog layer. Futur. Gener. Comput. Syst. 2018, 90, 94–104. [Google Scholar] [CrossRef]
- Tariq, U.; Ullah, I.; Uddin, M.Y.; Kwon, S.J. An Effective Self-Configurable Ransomware Prevention Technique for IoMT. Sensors 2022, 22, 8516. [Google Scholar] [CrossRef]
- Naik, N.; Jenkins, P.; Gillett, J.; Mouratidis, H.; Naik, K.; Song, J. Lockout-Tagout Ransomware: A Detection Method for Ransomware Using Fuzzy Hashing and Clustering. In Proceedings of the IEEE Symposium Series on Computational Intelligence (SSCI), Xiamen, China, 6–9 December 2019. [Google Scholar] [CrossRef]
- Lee, K.; Lee, S.-Y.; Yim, K. Machine Learning Based File Entropy Analysis for Ransomware Detection in Backup Systems. IEEE Access 2019, 7, 110205. [Google Scholar] [CrossRef]
- Bae, S.I.; Bin Lee, G.; Im, E.G. Ransomware detection using machine learning algorithms. Concurr. Comput. Pract. Exp. 2019, 32, e5422. [Google Scholar] [CrossRef]
- Jaya, M.I.; Razak, M.F.A. Dynamic Ransomware Detection for Windows Platform Using Machine Learning Classifiers. JOIV Int. J. Informatics Vis. 2022, 6, 469–474. [Google Scholar] [CrossRef]
- Genç, Z.A.; Lenzini, G.; Sgandurra, D. On Deception-Based Protection against Cryptographic Ransomware. In Proceedings of the DIMVA 2019: Detection of Intrusions and Malware, and Vulnerability Assessment, Gothenburg, Sweden, 19–20 June 2019. [Google Scholar] [CrossRef]
- Song, S.; Kim, B.; Lee, S. The Effective Ransomware Prevention Technique Using Process Monitoring on Android Platform. Mob. Inf. Syst. 2016, 2016, 2946735. [Google Scholar] [CrossRef]
- Fernández Maimó, L.; Huertas Celdrán, A.; Perales Gómez, Á.L.; García Clemente, F.J.; Weimer, J.; Lee, I. Intelligent and Dynamic Ransomware Spread Detection and Mitigation in Integrated Clinical Environments. Sensors 2019, 19, 1114. [Google Scholar] [CrossRef]
- Alam, M.; Sinha, S.; Bhattacharya, S.; Dutta, S.; Mukhopadhyay, D.; Chattopadhyay, A. RAPPER: Ransomware Prevention via Performance Counters. arXiv 2020, arXiv:2004.01712. [Google Scholar]
- Hitaj, D.; Pagnotta, G.; Gaspari, F.D.; Carli, L.D.; Mancini, L.V. Minerva: A File-Based Ransomware Detector. arXiv 2023, arXiv:2301.11050. [Google Scholar]
- Poudyal, S.; Dasgupta, D. Analysis of Crypto-Ransomware Using ML-Based Multi-Level Profiling. IEEE Access 2021, 9, 122532–122547. [Google Scholar] [CrossRef]
- Scalas, M.; Maiorca, D.; Mercaldo, F.; Visaggio, C.A.; Martinelli, F.; Giacinto, G. On the effectiveness of system API-related information for Android ransomware detection. Comput. Secur. 2019, 86, 168–182. [Google Scholar] [CrossRef]
- Urooj, U.; Al-Rimy, B.A.S.; Zainal, A.B.; Saeed, F.; Abdelmaboud, A.; Nagmeldin, W. Addressing Behavioral Drift in Ransomware Early Detection Through Weighted Generative Adversarial Networks. IEEE Access 2024, 12, 3910–3925. [Google Scholar] [CrossRef]
- Lee, K.; Lee, J.; Lee, S.-Y.; Yim, K. Effective Ransomware Detection Using Entropy Estimation of Files for Cloud Services. Sensors 2023, 23, 3023. [Google Scholar] [CrossRef]
- Alsaif, S.A. Machine Learning-Based Ransomware Classification of Bitcoin Transactions. Appl. Comput. Intell. Soft Comput. 2023, 2023, 6274260. [Google Scholar] [CrossRef]
- Rhode, M.; Burnap, P.; Jones, K. Early-stage malware prediction using recurrent neural networks. Comput. Secur. 2018, 77, 578–594. [Google Scholar] [CrossRef]
- Alqahtani, A.; Sheldon, F.T. A Survey of Crypto Ransomware Attack Detection Methodologies: An Evolving Outlook. Sensors 2022, 22, 1837. [Google Scholar] [CrossRef]
- Liu, Y.; Li, J.; Liu, B.; Gao, X.; Liu, X. Malware detection method based on image analysis and generative adversarial networks. Concurr. Comput. Pract. Exp. 2022, 34, e7170. [Google Scholar] [CrossRef]
- Wang, Z.; Wang, W.; Yang, Y.; Han, Z.; Xu, D.; Su, C. CNN- and GAN-based classification of malicious code families: A code visualization approach. Int. J. Intell. Syst. 2022, 37, 12472–12489. [Google Scholar] [CrossRef]
- Catal, C.; Gunduz, H.; Ozcan, A. Malware Detection Based on Graph Attention Networks for Intelligent Transportation Systems. Electronics 2021, 10, 2534. [Google Scholar] [CrossRef]
- He, K.; Zhang, X.; Ren, S.; Sun, J. Deep residual learning for image recognition. In Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR), Las Vegas, NV, USA, 27–30 June 2016. [Google Scholar] [CrossRef]
- Javaheri, D.; Lalbakhsh, P.; Hosseinzadeh, M. A Novel Method for Detecting Future Generations of Targeted and Metamorphic Malware Based on Genetic Algorithm. IEEE Access 2021, 9, 69951–69970. [Google Scholar] [CrossRef]
- Jang, S.; Li, S.; Sung, Y. Generative Adversarial Network for Global Image-Based Local Image to Improve Malware Classification Using Convolutional Neural Network. Appl. Sci. 2020, 10, 7585. [Google Scholar] [CrossRef]
- Smith, D.; Khorsandroo, S.; Roy, K. Leveraging Feature Selection to Improve the Accuracy for Malware Detection. Preprint 2023. [Google Scholar] [CrossRef]
- Alsoghyer, S.; Almomani, I. Ransomware Detection System for Android Applications. Electronics 2019, 8, 868. [Google Scholar] [CrossRef]
- Lall, S.; Ray, S.; Bandyopadhyay, S. Generating Realistic Cell Samples for Gene Selection in scRNA-seq Data: A Novel Generative Framework. bioRxiv 2021. [Google Scholar] [CrossRef]
- Liu, Q.; Liang, T.; Dinavahi, V. Deep Learning for Hardware-Based Real-Time Fault Detection and Localization of All Electric Ship MVDC Power System. IEEE Open J. Ind. Appl. 2020, 1, 194–204. [Google Scholar] [CrossRef]
- Wang, S.; Zhao, C.; Huang, L.; Li, Y.; Li, R. Current status, application, and challenges of the interpretability of generative adversarial network models. Comput. Intell. 2022, 39, 283–314. [Google Scholar] [CrossRef]
- Bijitha, C.V.; Sukumaran, R.; Nath, H.V. A Survey on Ransomware Detection Techniques. In Proceedings of the SKM 2019: Secure Knowledge Management in Artificial Intelligence Era, Goa, India, 21–22 December 2020. [Google Scholar] [CrossRef]
- Sgandurra, D.; Muñoz-González, L.; Mohsen, R.; Lupu, E. Automated Dynamic Analysis of Ransomware: Benefits, Limitations and Use for Detection. arXiv 2016, arXiv:1609.03020. [Google Scholar]
- Chakkaravarthy, S.S.; Sangeetha, D.; Cruz, M.V.; Vaidehi, V.; Raman, B. Design of Intrusion Detection Honeypot Using Social Leopard Algorithm to Detect IoT Ransomware Attacks. IEEE Access 2020, 8, 169944–169956. [Google Scholar] [CrossRef]
- Abbasi, M.S. Automating Behavior-Based Ransomware Analysis, Detection, and Classification Using Machine Learning. Ph.D. Thesis, Victoria University of Wellington, Wellington, New Zealand, 2023. [Google Scholar] [CrossRef]
- Kim, G.; Kim, S.; Kang, S.; Kim, J. A method for decrypting data infected with Hive ransomware. J. Inf. Secur. Appl. 2022, 71, 103387. [Google Scholar] [CrossRef]
- Chen, Q.; Islam, S.R.; Haswell, H.; Bridges, R.A. Automated Ransomware Behavior Analysis: Pattern Extraction and Early Detection. In Proceedings of the SciSec 2019: Science of Cyber Security, Nanjing, China, 9–11 August 2019. [Google Scholar] [CrossRef]
- Ahmed, Y.A.; Koçer, B.; Huda, S.; Al-Rimy, B.A.S.; Hassan, M.M. A system call refinement-based enhanced Minimum Redundancy Maximum Relevance method for ransomware early detection. J. Netw. Comput. Appl. 2020, 167, 102753. [Google Scholar] [CrossRef]
- Gavel, S.; Raghuvanshi, A.S.; Tiwari, S. Maximum correlation based mutual information scheme for intrusion detection in the data networks. Expert Syst. Appl. 2021, 189, 116089. [Google Scholar] [CrossRef]
- Yuan, G.; Lu, L.; Zhou, X. Feature selection using a sinusoidal sequence combined with mutual information. Eng. Appl. Artif. Intell. 2023, 126, 107168. [Google Scholar] [CrossRef]
Proposed | RCGU | EMRMR | MIFS | JMI | |
---|---|---|---|---|---|
Percall (s) | 0.01 | 0.054 | 0.063 | 0.03 | 0.07 |
Tottime (min) | 3.5 | 10.8 | 12.6 | 6 | 14 |
Training time (min) | 19 | 33 | 37 | 28 | 24 |
Type | Features | Rank |
---|---|---|
Crypto APIs | CryptEncrypt | 1 |
CryptGenKey | 3 | |
CryptDestroyKey | 6 | |
BCryptGenRandom | 9 | |
File access APIs | CreateFile | 2 |
FindFirstFileEXA | 5 | |
FindNextFileA | 8 | |
DeleteFile | 10 | |
Network APIs | WinHttpConnect | 4 |
WinHttpOpenRequest | 7 |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Gazzan, M.; Sheldon, F.T. An Incremental Mutual Information-Selection Technique for Early Ransomware Detection. Information 2024, 15, 194. https://doi.org/10.3390/info15040194
Gazzan M, Sheldon FT. An Incremental Mutual Information-Selection Technique for Early Ransomware Detection. Information. 2024; 15(4):194. https://doi.org/10.3390/info15040194
Chicago/Turabian StyleGazzan, Mazen, and Frederick T. Sheldon. 2024. "An Incremental Mutual Information-Selection Technique for Early Ransomware Detection" Information 15, no. 4: 194. https://doi.org/10.3390/info15040194
APA StyleGazzan, M., & Sheldon, F. T. (2024). An Incremental Mutual Information-Selection Technique for Early Ransomware Detection. Information, 15(4), 194. https://doi.org/10.3390/info15040194