TY - JOUR
T1 - A system call refinement-based enhanced Minimum Redundancy Maximum Relevance method for ransomware early detection
AU - Ahmed, Yahye Abukar
AU - Koçer, Barış
AU - Huda, Shamsul
AU - Saleh Al-rimy, Bander Ali
AU - Hassan, Mohammad Mehedi
N1 - Publisher Copyright:
© 2020 Elsevier Ltd
PY - 2020/10/1
Y1 - 2020/10/1
N2 - Ransomware is a special type of malicious software that encrypts the user's assets and makes them unavailable to the user until a ransom is paid to the ransomware author. Such attacks have become one of the most widespread forms of malware and pose a serious threat to both individuals and business organizations. Against this destructive malicious program, dynamic analysis is the most popular approach for detecting such an attack. The majority of dynamic analysis relies on system calls, as these provide the interface through which programs request services from the operating system. However, the redundant and irrelevant system calls that ransomware authors inject into the actual execution flow of suspicious binaries generate a highly noisy behavioural sequence that adversely impacts the detection performance of anti-ransomware tools. To this end, we propose a non-signature-based detection approach based on effective Windows API call sequences using supervised machine learning techniques. To achieve this objective, we propose an Enhanced Maximum-Relevance and Minimum-Redundancy (EmRmR) filter method to remove the noisy features and select the most relevant subset of features to characterize the real behaviour of the ransomware. Unlike the original mRmR, EmRmR avoids the unnecessary computations intrinsic in the original mRmR algorithm and requires only a small number of evaluations. In addition, this work introduces a refinement process that reduces the size of a program's call traces by removing those Windows API calls that are not strong indicators of the critical behaviour of the ransomware. After extensive experimental evaluation and comparison with existing behaviour-based detection approaches, the proposed method has been shown to be effective at discriminating the behaviour of ransomware, achieving high detection accuracy with a low false-positive rate.
AB - Ransomware is a special type of malicious software that encrypts the user's assets and makes them unavailable to the user until a ransom is paid to the ransomware author. Such attacks have become one of the most widespread forms of malware and pose a serious threat to both individuals and business organizations. Against this destructive malicious program, dynamic analysis is the most popular approach for detecting such an attack. The majority of dynamic analysis relies on system calls, as these provide the interface through which programs request services from the operating system. However, the redundant and irrelevant system calls that ransomware authors inject into the actual execution flow of suspicious binaries generate a highly noisy behavioural sequence that adversely impacts the detection performance of anti-ransomware tools. To this end, we propose a non-signature-based detection approach based on effective Windows API call sequences using supervised machine learning techniques. To achieve this objective, we propose an Enhanced Maximum-Relevance and Minimum-Redundancy (EmRmR) filter method to remove the noisy features and select the most relevant subset of features to characterize the real behaviour of the ransomware. Unlike the original mRmR, EmRmR avoids the unnecessary computations intrinsic in the original mRmR algorithm and requires only a small number of evaluations. In addition, this work introduces a refinement process that reduces the size of a program's call traces by removing those Windows API calls that are not strong indicators of the critical behaviour of the ransomware. After extensive experimental evaluation and comparison with existing behaviour-based detection approaches, the proposed method has been shown to be effective at discriminating the behaviour of ransomware, achieving high detection accuracy with a low false-positive rate.
KW - Maximum relevance and minimum redundancy
KW - N-Grams
KW - Ransomware
KW - Refinement
KW - System call
UR - http://www.scopus.com/inward/record.url?scp=85087381714&partnerID=8YFLogxK
U2 - 10.1016/j.jnca.2020.102753
DO - 10.1016/j.jnca.2020.102753
M3 - Article
AN - SCOPUS:85087381714
SN - 1084-8045
VL - 167
JO - Journal of Network and Computer Applications
JF - Journal of Network and Computer Applications
M1 - 102753
ER -