TY - JOUR
T1 - Zero-day aware decision fusion-based model for crypto-ransomware early detection
AU - Al-rimy, Bander Ali Saleh
AU - Maarof, Mohd Aizaini
AU - Prasetyo, Yuli Adam
AU - Shaid, Syed Zainudeen Mohd
AU - Ariffin, Aswami Fadillah Mohd
N1 - Publisher Copyright:
© Penerbit UTHM.
PY - 2018/11/25
Y1 - 2018/11/25
N2 - Crypto-ransomware employs cryptography to lock users' personal files and demands a ransom to release them. By utilizing several technological utilities such as cyber-currency and cloud-based development platforms, crypto-ransomware has gained high popularity among adversaries. Motivated by the monetary revenue, crypto-ransomware developers continuously produce many variants of such malicious programs to evade detection. Consequently, the rate of novel crypto-ransomware attacks is continuously increasing. As such, it is imperative for detection solutions to be able to discover these novel attacks, also called zero-day attacks. While anomaly detection-based solutions are able to deal with this problem, they suffer from a high rate of false alarms. Thus, this paper puts forward a detection model that combines anomaly-based with behavioral detection approaches. In this model, two types of detection estimators were built. The first type is an ensemble of behavioral-based classifiers, whereas the second type is an anomaly-based estimator. The decisions of both types of estimators were combined using a fusion technique. The proposed model is able to detect novel attacks while maintaining a low false alarm rate. By applying the proposed model, the detection rate was increased from 96% to 99% and the false positive rate was as low as 2.4%.
AB - Crypto-ransomware employs cryptography to lock users' personal files and demands a ransom to release them. By utilizing several technological utilities such as cyber-currency and cloud-based development platforms, crypto-ransomware has gained high popularity among adversaries. Motivated by the monetary revenue, crypto-ransomware developers continuously produce many variants of such malicious programs to evade detection. Consequently, the rate of novel crypto-ransomware attacks is continuously increasing. As such, it is imperative for detection solutions to be able to discover these novel attacks, also called zero-day attacks. While anomaly detection-based solutions are able to deal with this problem, they suffer from a high rate of false alarms. Thus, this paper puts forward a detection model that combines anomaly-based with behavioral detection approaches. In this model, two types of detection estimators were built. The first type is an ensemble of behavioral-based classifiers, whereas the second type is an anomaly-based estimator. The decisions of both types of estimators were combined using a fusion technique. The proposed model is able to detect novel attacks while maintaining a low false alarm rate. By applying the proposed model, the detection rate was increased from 96% to 99% and the false positive rate was as low as 2.4%.
KW - Anomaly detection
KW - Crypto-ransomware
KW - Cryptography
KW - Ensemble learning
KW - Malware
UR - http://www.scopus.com/inward/record.url?scp=85059324054&partnerID=8YFLogxK
U2 - 10.30880/ijie.2018.10.06.011
DO - 10.30880/ijie.2018.10.06.011
M3 - Article
AN - SCOPUS:85059324054
SN - 2229-838X
VL - 10
SP - 82
EP - 88
JO - International Journal of Integrated Engineering
JF - International Journal of Integrated Engineering
IS - 6
ER -