Research Article

Android Ransomware Detection System using Feature Selection with Bootstrap Aggregating MARS

Year 2024, Volume 4, Issue 1, 38 - 45, 31.12.2024
https://doi.org/10.57020/ject.1528965

Abstract

Android ransomware has become one of the most dangerous types of attack in recent years due to the increasing use of the Android operating system. Ransomware generally works by encrypting the files on the victim's device and then demanding money in exchange for the decryption password. Machine learning techniques are increasingly used for Android ransomware detection and analysis. In this study, Bootstrap Aggregating based Multivariate Adaptive Regression Splines (Bagging MARS) is used for feature selection in Android ransomware detection for the first time. A feature matrix with 134 permissions and API calls in total was reduced to 34 features by the proposed Bagging MARS feature selection technique. Among the classification techniques, Multi-Layer Perceptron (MLP) produced the best accuracy, 90.268%. Additionally, the proposed feature selection method yielded more successful results than the filter, wrapper, and embedded methods used. Thus, this method, used here for the first time to detect the common features of Android ransomware, will enable future Android ransomware detection systems to work faster and with a higher success rate.

There are 42 citations in total.

Details

Primary Language: English
Subjects: Information Security Management, System and Network Security, Data Security and Protection
Journal Section: Research Articles
Authors:

Kerem Gencer (ORCID: 0000-0002-2914-1056)

Fatih Basciftci (ORCID: 0000-0003-1679-7416)

Early Pub Date: September 18, 2024
Publication Date: December 31, 2024
Submission Date: August 6, 2024
Acceptance Date: September 4, 2024
Published in Issue: Year 2024

Cite

APA Gencer, K., & Basciftci, F. (2024). Android Ransomware Detection System using Feature Selection with Bootstrap Aggregating MARS. Journal of Emerging Computer Technologies, 4(1), 38-45. https://doi.org/10.57020/ject.1528965
Journal of Emerging Computer Technologies is indexed and abstracted by Index Copernicus, ROAD, Academia.edu, Google Scholar, Asos Index, Academic Resource Index (Researchbib), OpenAIRE, IAD, Cosmos, EuroPub, Academindex

Publisher
Izmir Academy Association