Bitlis Eren Üniversitesi Fen Bilimleri Dergisi 2147-3129 2147-3188 Bitlis Eren University 10.17798/bitlisfen.1038966 Engineering Mühendislik Ransomware Detection in Cyber Security Domain Ransomware Detection in Cyber Security Domain https://orcid.org/0000-0003-0737-1966 Aslan Ömer BANDIRMA ONYEDİ EYLÜL ÜNİVERSİTESİ, BANDIRMA MESLEK YÜKSEKOKULU 06 30 2022 11 2 508 518 12 20 2021 03 28 2022 Copyright © 2012, Bitlis Eren Üniversitesi Fen Bilimleri Dergisi 2012 Bitlis Eren Üniversitesi Fen Bilimleri Dergisi

In recent years, ransomware has become highly profitable cyber attacks. This is because, everyday there are several new devices attending to computer networks before testing their security strength. In addition, it is easy to launch ransomware attacks by using Ransomware-as-a-Service. This paper proposed a new method that creates the ransomware specific features by using ransomware behaviors which are performed on file, registry, and network resources. The weights are assigned to the behaviors based upon where the actions are performed. The most feasible features are selected based on the assigned weights as well as Information Gain. The selected features are classified by using ML classifiers including J48 (C4.5), RF (Random Forest), AdaBoost (Adaptive Boosting), SLR (Simple Logistic Regression), KNN (K-Nearest Neighbors), BN (Bayesian Network), and SMO (Sequential Minimal Optimization). The experiments are performed on several ransomware variants as well as benign samples. The test results show that our proposed method is feasible and effective. The DR, FPR, f-measure, and accuracy are measured as 100%, 1.4%, 99.4%, 99.38%, respectively.

In recent years, ransomware has become highly profitable cyber attacks. This is because, everyday there are several new devices attending to computer networks before testing their security strength. In addition, it is easy to launch ransomware attacks by using Ransomware-as-a-Service. This paper proposed a new method that creates the ransomware specific features by using ransomware behaviors which are performed on file, registry, and network resources. The weights are assigned to the behaviors based upon where the actions are performed. The most feasible features are selected based on the assigned weights as well as Information Gain. The selected features are classified by using ML classifiers including J48 (C4.5), RF (Random Forest), AdaBoost (Adaptive Boosting), SLR (Simple Logistic Regression), KNN (K-Nearest Neighbors), BN (Bayesian Network), and SMO (Sequential Minimal Optimization). The experiments are performed on several ransomware variants as well as benign samples. The test results show that our proposed method is feasible and effective. The DR, FPR, f-measure, and accuracy are measured as 100%, 1.4%, 99.4%, 99.38%, respectively.

 Cyber security Ransomware detection Behavior-based detection Machine learning Cyber security ransomware ransomware detection behavior-based detection [1] D. Nieuwenhuizen, “A behavioural-based approach to ransomware detection,” MWR Labs Whitepaper, 2017. [2] Associated Press, "The Latest: UN warns cybercrime on rise during pandemic," 2020. [3] Sophos Report, "The State of Ransomware 2021," 2021. [4] Cognyte CTI Research Group, "Ransomware Attack Statistics 2021 – Growth & Analysis," 2021. [5] S. Morgan, "Global Ransomware Damage Costs Predicted To Reach $20 Billion (USD) By 2021," Cybercrime Magazine, 2019. [6] Ö. Aslan and R. Samet, "Investigation of possibilities to detect malware using existing Tools," in 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications (AICCSA) (pp. 1277-1284), 2017. [7] J. P. Tailor and A.D. Patel, "A comprehensive survey: ransomware attacks prevention, monitoring and damage control," Int. J. Res. Sci. Innov, vol. 15, pp. 116-121, 2017. [8] R. Brewer, "Ransomware attacks: detection, prevention and cure," Network Security, vol. 9, no. 5-9, 2016. [9] D. Sgandurra, L. Muñoz-González, R. Mohsen and E. C. Lupu, "Automated dynamic analysis of ransomware: Benefits, limitations and use for detection," arXiv preprint arXiv:1609.03020, 2016. [10] Ö. Aslan, R. Samet and Ö. Ö. Tanrıöver, "Using a Subtractive Center Behavioral Model to Detect Malware," Security and Communication Networks, 2020. [11] R. Vinayakumar, K.P. Soman, K.S. Velan and S. Ganorkar, “Evaluating shallow and deep networks for ransomware detection and classification,” in 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 259-265, 2017. [12] K. Cabaj, M. Gregorczyk and W. Mazurczyk, "Software-defined networking-based crypto ransomware detection using HTTP traffic characteristics," Computers and Electrical Engineering, vol. 66, pp. 353-368, 2018. [13] A. O. Almashhadani, M. Kaiiali, S. Sezer and P. O’Kane, "A multi-classifier network-based crypto ransomware detection system: A case study of locky ransomware," IEEE Access, vol. 7, pp. 47053-47067, 2019. [14] S. I. Bae, G. B. Lee and E. G. Im, "Ransomware detection using machine learning algorithms," Concurrency and Computation: Practice and Experience, vol. 32, no. 18, e5422, 2020. [15] Ö. Aslan and R. Samet, "A comprehensive review on malware detection approaches," IEEE Access,vol. 8, pp. 6249-6271, 2020. [16] C. Beaman, A. Barkworth, T. D. Akande, S. Hakak and M. K. Khan, "Ransomware: Recent advances, analysis, challenges and future research directions," Computers and Security, vol. 111, pp. 102490, 2021. [17] Malware downloading website, https://malshare.com/, accessible in 2021. [18] Malware downloading website, https://thezoo.morirt.com/, accessible in 2021. [19] Malware downloading website, http://www.tekdefense.com/, accessible in 2021. [20] Malware downloading website, https://virusshare.com/, accessible in 2021.