Crypto-ransomware early detection model using novel incremental bagging with enhanced semi-random subspace selection

Bander Ali Saleh Al-rimy*, Mohd Aizaini Maarof, Syed Zainudeen Mohd Shaid

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

Abstract

The irreversible effect is what characterizes crypto-ransomware and distinguishes it from traditional malware. That is, even after neutralizing the attack, the targeted files remain encrypted and cannot be accessed without the decryption key. Thus, it is imperative to detect such a threat early, i.e. in the initial phases before the encryption takes place. However, the lack of sufficient information in initial phases of the attack is the main challenge to early detection, leading to low detection accuracy and a high rate of false alarms. This is due to the way that the existing solutions have been designed based on, which assumes the availability of complete information about the behavior of such attacks at detection time. Nevertheless, this does not hold for early detection that takes place while the attack is underway, and data are not fully available. To address such limitations, this paper proposes two novel techniques; incremental bagging (iBagging) and enhanced semi-random subspace selection (ESRS), and incorporates them into an ensemble-based detection model. The proposed iBagging was firstly used to build incremental subsets in a way that reflects the progression of crypto-ransomware behavior during its different attack phases. ESRS was then used to build optimal, noise-free and diverse features subspaces, by which, a pool of classifiers was trained. Finally, a grid search was employed to select the best combination of base classifiers. Majority voting was utilized for the final decision. The experimental evaluation of the proposed techniques and model was conducted and compared with the existing crypto-ransomware early detection solutions. The results demonstrate that the proposed techniques and model overcame the data limitation in the early phases of the attacks and achieved higher detection accuracy than existing solutions.

Original languageEnglish
Pages (from-to)476-491
Number of pages16
JournalFuture Generation Computer Systems
Volume101
Early online date1 Jul 2019
DOIs
Publication statusPublished - 1 Dec 2019

Keywords

  • Bitcoin
  • Crypto-ransomware
  • Cryptography
  • Early detection
  • Ensemble learning
  • IoT
  • Malware
  • Ransomware

Fingerprint

Dive into the research topics of 'Crypto-ransomware early detection model using novel incremental bagging with enhanced semi-random subspace selection'. Together they form a unique fingerprint.

Cite this