A ransomware early detection model based on an enhanced joint mutual information feature selection method

Tasnem Magdi Hassin Mohamed, Bander Ali Saleh Al-Rimy*, Sultan Ahmed Almalki

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

1 Downloads (Pure)

Abstract

Crypto ransomware attacks pose a significant threat by encrypting users' data and demanding ransom payments, causing permanent data loss if not detected and mitigated before encryption occurs. The existing studies have faced challenges in the pre-encryption phase due to elusive attack patterns, insufficient data, and the lack of comprehensive information, often confusing the current detection techniques. Selecting appropriate features that effectively indicate an impending ransomware attack is a critical challenge. This research addresses this challenge by introducing an Enhanced Joint Mutual Information (EJMI) method that effectively assigns weights and ranks features based on their relevance while conducting contextual data analysis. The EJMI method employs a dual ranking system—TF for crypto APIs and TF-IDF for non-crypto APIs—to enhance the detection process and select the most significant features for training various Machine Learning (ML) classifiers. Furthermore, grid search is utilized for optimal classifier parameterization, aiming to detect ransomware efficiently and accurately in its pre-encryption phase. The proposed EJMI method has demonstrated a 4% improvement in detection accuracy compared to previous methods, highlighting its effectiveness in identifying and preventing crypto-ransomware attacks before data encryption occurs.

Original languageEnglish
Pages (from-to)15400-15407
Number of pages8
JournalEngineering, Technology and Applied Science Research
Volume14
Issue number4
Early online date16 Jul 2024
DOIs
Publication statusPublished - 1 Aug 2024

Keywords

  • early detection
  • feature selection
  • machine learning
  • ransomware

Fingerprint

Dive into the research topics of 'A ransomware early detection model based on an enhanced joint mutual information feature selection method'. Together they form a unique fingerprint.

Cite this