Abstract
Ransomware has become a significant global threat: the ransomware-as-a-service model makes it easy to obtain and deploy, and the potential for high revenues creates a viable criminal business model. Individuals, private companies and public service providers (e.g. healthcare or utility companies) can all become victims of ransomware attacks and consequently suffer severe disruption and financial loss. Although machine learning algorithms are already used to detect ransomware, variants are being developed specifically to evade detection by dynamic machine learning techniques. In this paper we introduce NetConverse, a machine learning evaluation study for consistent detection of Windows ransomware network traffic. Using a dataset built from conversation-based network traffic features, we achieved a True Positive Rate (TPR) of 97.1% with the Decision Tree (J48) classifier.
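The abstract describes two ideas in one sentence: grouping packets into bidirectional "conversations" and deriving per-conversation features, then scoring a decision tree by its True Positive Rate. The script below is an added illustration of that pipeline and is not the chapter's code or dataset: it buckets packets by unordered endpoint pair and protocol, computes a small constructed feature set (packet count, bytes, duration, mean inter-arrival gap, direction ratio), learns a CART-style binary tree (a stand-in for Weka's J48, not J48 itself), and reports TPR on held-out conversations. The hosts, packet values and labels are all constructed sample data.

```python
"""Conversation-based traffic features, a small decision tree, and TPR.

Added example; the feature names, hosts and packets are constructed
assumptions, not the chapter's dataset or classifier.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass
class Packet:
    ts: float      # seconds
    src: str
    dst: str
    proto: str
    length: int    # bytes on the wire


def conversation_key(p):
    """Direction-agnostic key so both halves of a dialogue share one bucket."""
    return (tuple(sorted((p.src, p.dst))), p.proto)


def extract_features(packets):
    """Return {conversation_key: feature dict} for a list of packets."""
    convs = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        convs[conversation_key(p)].append(p)
    feats = {}
    for key, pk in convs.items():
        first = key[0][0]  # lexicographically first endpoint
        gaps = [b.ts - a.ts for a, b in zip(pk, pk[1:])]
        feats[key] = {
            "n_packets": len(pk),
            "total_bytes": sum(p.length for p in pk),
            "duration": pk[-1].ts - pk[0].ts,
            "mean_gap": mean(gaps) if gaps else 0.0,
            "dir_ratio": sum(1 for p in pk if p.src == first) / len(pk),
        }
    return feats


def gini(labels):
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)


def best_split(rows, labels):
    """Exhaustive (feature, threshold) search minimising weighted Gini."""
    best = (None, None, gini(labels))
    for f in rows[0]:
        for t in sorted({r[f] for r in rows}):
            left = [l for r, l in zip(rows, labels) if r[f] <= t]
            right = [l for r, l in zip(rows, labels) if r[f] > t]
            if not left or not right:
                continue
            g = (len(left) * gini(left) + len(right) * gini(right)) / len(labels)
            if g < best[2]:
                best = (f, t, g)
    return best


def build_tree(rows, labels, depth=0, max_depth=3):
    majority = int(2 * sum(labels) >= len(labels))
    if depth == max_depth or gini(labels) == 0.0:
        return {"leaf": majority}
    f, t, _ = best_split(rows, labels)
    if f is None:
        return {"leaf": majority}
    li = [i for i, r in enumerate(rows) if r[f] <= t]
    ri = [i for i, r in enumerate(rows) if r[f] > t]
    return {"feature": f, "threshold": t,
            "left": build_tree([rows[i] for i in li], [labels[i] for i in li], depth + 1, max_depth),
            "right": build_tree([rows[i] for i in ri], [labels[i] for i in ri], depth + 1, max_depth)}


def predict(tree, row):
    while "leaf" not in tree:
        tree = tree["left"] if row[tree["feature"]] <= tree["threshold"] else tree["right"]
    return tree["leaf"]


def true_positive_rate(tree, rows, labels):
    """TPR = TP / (TP + FN): share of label-1 conversations the tree flags."""
    positives = [r for r, l in zip(rows, labels) if l == 1]
    return sum(predict(tree, r) for r in positives) / len(positives) if positives else 0.0


def make_conversation(a, b, proto, n, gap, size, t0=0.0):
    """Constructed packets: n packets alternating a->b and b->a."""
    return [Packet(t0 + i * gap, a if i % 2 == 0 else b, b if i % 2 == 0 else a, proto, size)
            for i in range(n)]


def build_dataset(hosts, peer, label, n, gap, size):
    """Constructed labelled conversations, one per host, with small variation."""
    packets = []
    for i, h in enumerate(hosts):
        packets += make_conversation(h, peer, "tcp", n + i, gap, size + 10 * i, t0=1000.0 * i)
    rows = list(extract_features(packets).values())
    return rows, [label] * len(rows)


def demo():
    """Train on constructed conversations; return the tree and held-out TPR."""
    r1, l1 = build_dataset([f"10.0.0.{i}" for i in range(1, 7)], "198.51.100.9", 1, 40, 0.5, 200)
    r0, l0 = build_dataset([f"10.0.1.{i}" for i in range(1, 7)], "198.51.100.9", 0, 8, 5.0, 900)
    tree = build_tree(r1 + r0, l1 + l0)
    t1, m1 = build_dataset(["10.0.2.1", "10.0.2.2"], "203.0.113.5", 1, 35, 0.7, 180)
    t0, m0 = build_dataset(["10.0.3.1", "10.0.3.2"], "203.0.113.5", 0, 10, 4.0, 800)
    return tree, true_positive_rate(tree, t1 + t0, m1 + m0)


if __name__ == "__main__":
    tree, tpr = demo()
    print("root split:", tree.get("feature"), "<=", tree.get("threshold"))
    print(f"held-out TPR: {tpr:.3f}")
```

The direction-agnostic key is the point of "conversation-based" features: a unidirectional flow record sees each side of a dialogue separately, whereas one conversation row captures request/response structure (here, the direction ratio and inter-arrival gaps). On real captures the TPR should always be measured on conversations from samples that were not used for training, as the held-out set does above; the 97.1% figure in the abstract is the chapter's own result on its dataset, not something this toy reproduces.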
Acknowledgments
We gratefully acknowledge VirusTotal for providing us with a private API key for use during our research to prepare the dataset. The authors would like to thank Mr. Ali Feizollah for his assistance with the feature extraction process. This work is partially supported by the European Council 268 International Incoming Fellowship (FP7-PEOPLE-2013-IIF) grant.
© 2018 Springer International Publishing AG, part of Springer Nature
Alhawi, O.M.K., Baldwin, J., Dehghantanha, A. (2018). Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection. In: Dehghantanha, A., Conti, M., Dargahi, T. (eds) Cyber Threat Intelligence. Advances in Information Security, vol 70. Springer, Cham. https://doi.org/10.1007/978-3-319-73951-9_5
DOI: https://doi.org/10.1007/978-3-319-73951-9_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-73950-2
Online ISBN: 978-3-319-73951-9
eBook Packages: Computer Science (R0)