TY - JOUR
T1 - A ransomware early detection model based on an enhanced joint mutual information feature selection method
AU - Hassin Mohamed, Tasnem Magdi
AU - Saleh Al-Rimy, Bander Ali
AU - Almalki, Sultan Ahmed
N1 - Publisher Copyright:
© by the authors.
PY - 2024/8/1
Y1 - 2024/8/1
AB - Crypto ransomware attacks pose a significant threat by encrypting users' data and demanding ransom payments, causing permanent data loss if not detected and mitigated before encryption occurs. The existing studies have faced challenges in the pre-encryption phase due to elusive attack patterns, insufficient data, and the lack of comprehensive information, often confusing the current detection techniques. Selecting appropriate features that effectively indicate an impending ransomware attack is a critical challenge. This research addresses this challenge by introducing an Enhanced Joint Mutual Information (EJMI) method that effectively assigns weights and ranks features based on their relevance while conducting contextual data analysis. The EJMI method employs a dual ranking system—TF for crypto APIs and TF-IDF for non-crypto APIs—to enhance the detection process and select the most significant features for training various Machine Learning (ML) classifiers. Furthermore, grid search is utilized for optimal classifier parameterization, aiming to detect ransomware efficiently and accurately in its pre-encryption phase. The proposed EJMI method has demonstrated a 4% improvement in detection accuracy compared to previous methods, highlighting its effectiveness in identifying and preventing crypto-ransomware attacks before data encryption occurs.
KW - early detection
KW - feature selection
KW - machine learning
KW - ransomware
UR - http://www.scopus.com/inward/record.url?scp=85202994536&partnerID=8YFLogxK
U2 - 10.48084/etasr.7092
DO - 10.48084/etasr.7092
M3 - Article
AN - SCOPUS:85202994536
SN - 2241-4487
VL - 14
SP - 15400
EP - 15407
JO - Engineering, Technology and Applied Science Research
JF - Engineering, Technology and Applied Science Research
IS - 4
ER -