TY - JOUR
T1 - A weighted minimum redundancy maximum relevance technique for ransomware early detection in industrial IoT
AU - Ahmed, Yahye Abukar
AU - Huda, Shamsul
AU - Al-Rimy, Bander Ali Saleh
AU - Alharbi, Nouf
AU - Saeed, Faisal
AU - Ghaleb, Fuad A.
AU - Ali, Ismail Mohamed
N1 - Publisher Copyright:
© 2022 by the authors. Licensee MDPI, Basel, Switzerland.
PY - 2022/2/1
Y1 - 2022/2/1
N2 - Ransomware attacks against Industrial Internet of Things (IIoT) have catastrophic consequences not only to the targeted infrastructure, but also the services provided to the public. By encrypting the operational data, the ransomware attacks can disrupt the normal operations, which represents a serious problem for industrial systems. Ransomware employs several avoidance techniques, such as packing, obfuscation, noise insertion, irrelevant and redundant system call injection, to deceive the security measures and make both static and dynamic analysis more difficult. In this paper, a Weighted minimum Redundancy maximum Relevance (WmRmR) technique was proposed for better feature significance estimation in the data captured during the early stages of ransomware attacks. The technique combines an enhanced mRMR (EmRmR) with the Term Frequency-Inverse Document Frequency (TF-IDF) so that it can filter out the runtime noisy behavior based on the weights calculated by the TF-IDF. The proposed technique has the capability to assess whether a feature in the relevant set is important or not. It has low-dimensional complexity and a smaller number of evaluations compared to the original mRmR method. The TF-IDF was used to evaluate the weights of the features generated by the EmRmR algorithm. Then, an inclusive entropy-based refinement method was used to decrease the size of the extracted data by identifying the system calls with strong behavioral indication. After extensive experimentation, the proposed technique has been shown to be effective for ransomware early detection with low-complexity and few false-positive rates. To evaluate the proposed technique, we compared it with existing behavioral detection methods.
AB - Ransomware attacks against Industrial Internet of Things (IIoT) have catastrophic consequences not only to the targeted infrastructure, but also the services provided to the public. By encrypting the operational data, the ransomware attacks can disrupt the normal operations, which represents a serious problem for industrial systems. Ransomware employs several avoidance techniques, such as packing, obfuscation, noise insertion, irrelevant and redundant system call injection, to deceive the security measures and make both static and dynamic analysis more difficult. In this paper, a Weighted minimum Redundancy maximum Relevance (WmRmR) technique was proposed for better feature significance estimation in the data captured during the early stages of ransomware attacks. The technique combines an enhanced mRMR (EmRmR) with the Term Frequency-Inverse Document Frequency (TF-IDF) so that it can filter out the runtime noisy behavior based on the weights calculated by the TF-IDF. The proposed technique has the capability to assess whether a feature in the relevant set is important or not. It has low-dimensional complexity and a smaller number of evaluations compared to the original mRmR method. The TF-IDF was used to evaluate the weights of the features generated by the EmRmR algorithm. Then, an inclusive entropy-based refinement method was used to decrease the size of the extracted data by identifying the system calls with strong behavioral indication. After extensive experimentation, the proposed technique has been shown to be effective for ransomware early detection with low-complexity and few false-positive rates. To evaluate the proposed technique, we compared it with existing behavioral detection methods.
KW - Crypto-ransomware
KW - Enhanced maximum Relevance and minimum Redundancy
KW - Industrial Internet of Things
KW - Supervised approach
KW - TF-IDF
UR - http://www.scopus.com/inward/record.url?scp=85123114310&partnerID=8YFLogxK
U2 - 10.3390/su14031231
DO - 10.3390/su14031231
M3 - Article
AN - SCOPUS:85123114310
SN - 2071-1050
VL - 14
JO - Sustainability (Switzerland)
JF - Sustainability (Switzerland)
IS - 3
M1 - 1231
ER -