TY - JOUR
T1 - Addressing behavioral drift in ransomware early detection through weighted generative adversarial networks
AU - Urooj, Umara
AU - Al-Rimy, Bander Ali Saleh
AU - Zainal, Anazida Binti
AU - Saeed, Faisal
AU - Abdelmaboud, Abdelzahir
AU - Nagmeldin, Wamda
N1 - Publisher Copyright:
© 2013 IEEE.
PY - 2024/9/8
Y1 - 2024/9/8
N2 - Crypto-ransomware attacks pose a significant cyber threat due to the irreversible effect of the encryption employed to deny access to the data on the victim's device. Existing state-of-the-art solutions are developed based on two assumptions: that sufficient data is available to perform detection during the pre-encryption phase, and that ransomware behavior is static and does not change over time. However, such assumptions do not hold, as the data collected during the pre-encryption phase of a ransomware attack is limited and does not contain sufficient patterns to identify the attack. Additionally, evasion techniques such as polymorphism and metamorphism used by ransomware lead to behavioral drift that could defeat those solutions. Therefore, this paper addresses these two issues by proposing a weighted Generative Adversarial Network (wGAN) technique. Firstly, the proposed wGAN was used to generate synthetic data that imitate the behavior of ransomware and simulate the evolution of the attacks. Then, mutual information was used to estimate the significance of features for different timeframes, thereby helping the detection model to handle the behavioral drift in emerging ransomware variants. Experimental evaluation demonstrates that the proposed wGAN is more robust against behavioral drift than the state-of-the-art solutions. The wGAN achieved higher accuracy and a lower false alarm rate of 97% and 0.0088 respectively.
AB - Crypto-ransomware attacks pose a significant cyber threat due to the irreversible effect of the encryption employed to deny access to the data on the victim's device. Existing state-of-the-art solutions are developed based on two assumptions: that sufficient data is available to perform detection during the pre-encryption phase, and that ransomware behavior is static and does not change over time. However, such assumptions do not hold, as the data collected during the pre-encryption phase of a ransomware attack is limited and does not contain sufficient patterns to identify the attack. Additionally, evasion techniques such as polymorphism and metamorphism used by ransomware lead to behavioral drift that could defeat those solutions. Therefore, this paper addresses these two issues by proposing a weighted Generative Adversarial Network (wGAN) technique. Firstly, the proposed wGAN was used to generate synthetic data that imitate the behavior of ransomware and simulate the evolution of the attacks. Then, mutual information was used to estimate the significance of features for different timeframes, thereby helping the detection model to handle the behavioral drift in emerging ransomware variants. Experimental evaluation demonstrates that the proposed wGAN is more robust against behavioral drift than the state-of-the-art solutions. The wGAN achieved higher accuracy and a lower false alarm rate of 97% and 0.0088 respectively.
KW - Adaptive
KW - crypto-ransomware
KW - early detection
KW - generative adversarial networks
KW - metamorphic
KW - polymorphic
KW - ransomware
KW - ransomware prediction
UR - http://www.scopus.com/inward/record.url?scp=85181567208&partnerID=8YFLogxK
U2 - 10.1109/ACCESS.2023.3348451
DO - 10.1109/ACCESS.2023.3348451
M3 - Article
AN - SCOPUS:85181567208
SN - 2169-3536
VL - 12
SP - 3910
EP - 3925
JO - IEEE Access
JF - IEEE Access
ER -