Addressing behavioral drift in ransomware early detection through weighted generative adversarial networks

Umara Urooj*, Bander Ali Saleh Al-Rimy*, Anazida Binti Zainal, Faisal Saeed, Abdelzahir Abdelmaboud, Wamda Nagmeldin

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

Abstract

Crypto-ransomware attacks pose a significant cyber threat because the encryption used to deny access to the data on the victim's device is irreversible. Existing state-of-the-art solutions are built on two assumptions: that sufficient data is available to perform detection during the pre-encryption phase, and that ransomware behavior is static and does not change over time. Neither assumption holds: the data collected during the pre-encryption phase of a ransomware attack is limited and does not contain enough patterns to identify the attack, and the evasion techniques used by ransomware, such as polymorphism and metamorphism, cause behavioral drift that can defeat those solutions. This paper addresses both issues by proposing a weighted Generative Adversarial Networks (wGAN) technique. First, the proposed wGAN is used to generate synthetic data that imitates the behavior of ransomware and simulates the evolution of the attacks. Then, mutual information is used to estimate the significance of features for different timeframes, which helps the detection model handle the behavioral drift in emerging ransomware variants. Experimental evaluation shows that the proposed wGAN is more robust against behavioral drift than the state-of-the-art solutions, achieving higher accuracy and a lower false alarm rate: 97% and 0.0088 respectively.

Original language: English
Pages (from-to): 3910-3925
Number of pages: 16
Journal: IEEE Access
Volume: 12
Early online date: 29 Dec 2023
DOIs
Publication status: Published - 8 Sept 2024

Keywords

  • Adaptive
  • crypto-ransomware
  • early detection
  • generative adversarial networks
  • metamorphic
  • polymorphic
  • ransomware
  • ransomware prediction