Prevention of Crypto-Ransomware Using a Pre-Encryption Detection Algorithm
Main Authors: | S. H. Kok, Azween Abdullah, NZ Jhanjhi, Mahadevan Supramaniam |
---|---|
Format: | Article |
Language: | English |
Published: | MDPI AG, 2019-11-01 |
Series: | Computers |
Subjects: | crypto; encryption; machine learning; ransomware; intrusion detection |
Online Access: | https://www.mdpi.com/2073-431X/8/4/79 |
_version_ | 1811307708783001600 |
---|---|
author | S. H. Kok Azween Abdullah NZ Jhanjhi Mahadevan Supramaniam |
collection | DOAJ |
description | Ransomware is a relatively new type of intrusion attack, and is made with the objective of extorting a ransom from its victim. There are several types of ransomware attacks, but the present paper focuses only upon the crypto-ransomware, because it makes data unrecoverable once the victim’s files have been encrypted. Therefore, in this research, it was proposed that machine learning is used to detect crypto-ransomware before it starts its encryption function, or at the pre-encryption stage. Successful detection at this stage is crucial to enable the attack to be stopped from achieving its objective. Once the victim is aware of the presence of crypto-ransomware, valuable data and files can be backed up to another location, and then an attempt can be made to clean the ransomware with minimum risk. Therefore, we proposed a pre-encryption detection algorithm (PEDA) that consisted of two phases. In PEDA-Phase-I, the Windows application programming interface (API) calls generated by a suspicious program would be captured and analyzed using the learning algorithm (LA). The LA can determine whether the suspicious program was a crypto-ransomware or not, through API pattern recognition. This approach was used to ensure the most comprehensive detection of both known and unknown crypto-ransomware, but it may have a high false positive rate (FPR). If the prediction was a crypto-ransomware, PEDA would generate a signature of the suspicious program, and store it in the signature repository, which was in Phase-II. In PEDA-Phase-II, the signature repository allows the detection of crypto-ransomware at a much earlier stage, which was at the pre-execution stage, through the signature matching method. This method can only detect known crypto-ransomware, and although very rigid, it was accurate and fast. The two phases in PEDA formed two layers of early detection for crypto-ransomware to ensure zero files lost to the user. However, in this research, we focused upon Phase-I, which was the LA. Based on our results, the LA had the lowest FPR of 1.56% compared to Naive Bayes (NB), Random Forest (RF), Ensemble (NB and RF) and EldeRan (a machine learning approach to analyze and classify ransomware). A low FPR indicates that the LA has a low probability of wrongly predicting goodware as ransomware. |
first_indexed | 2024-04-13T09:09:07Z |
id | doaj.art-7b98d9d7387e499f8bd6718b4361c316 |
institution | Directory Open Access Journal |
issn | 2073-431X |
last_indexed | 2024-04-13T09:09:07Z |
spelling | Computers, vol. 8, no. 4, article 79; DOI 10.3390/computers8040079. Author affiliations: S. H. Kok, Azween Abdullah and NZ Jhanjhi, School of Computer and IT (SoCIT), Taylor’s University, Subang Jaya 47500, Selangor, Malaysia; Mahadevan Supramaniam, Research and Innovation Management Center, SEGi University, Petaling Jaya 47810, Selangor, Malaysia. |
title | Prevention of Crypto-Ransomware Using a Pre-Encryption Detection Algorithm |
topic | crypto encryption machine learning ransomware intrusion detection |