Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection

Chapter in: Cyber Threat Intelligence

Part of the book series: Advances in Information Security ((ADIS,volume 70))

Abstract

Ransomware has become a significant global threat: the ransomware-as-a-service model makes it easy to obtain and deploy, and the potential for high revenues creates a viable criminal business model. Individuals, private companies and public service providers (e.g. healthcare or utility companies) can all become victims of ransomware attacks and consequently suffer severe disruption and financial loss. Although machine learning algorithms are already being used to detect ransomware, variants are being developed specifically to evade detection by dynamic machine learning techniques. In this paper we introduce NetConverse, a machine learning evaluation study for consistent detection of Windows ransomware network traffic. Using a dataset created from conversation-based network traffic features, we achieved a True Positive Rate (TPR) of 97.1% with the Decision Tree (J48) classifier.

Acknowledgments

We should acknowledge and thank Virus Total for graciously providing us with a private API key for use during our research to prepare the dataset. The authors would like to thank Mr. Ali Feizollah for his assistance with the feature extraction process. This work is partially supported by the European Council 268 International Incoming Fellowship (FP7-PEOPLE-2013-IIF) grant.

Corresponding author

Correspondence to Ali Dehghantanha.

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

Cite this chapter

Alhawi, O.M.K., Baldwin, J., Dehghantanha, A. (2018). Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection. In: Dehghantanha, A., Conti, M., Dargahi, T. (eds) Cyber Threat Intelligence. Advances in Information Security, vol 70. Springer, Cham. https://doi.org/10.1007/978-3-319-73951-9_5

  • DOI: https://doi.org/10.1007/978-3-319-73951-9_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-73950-2

  • Online ISBN: 978-3-319-73951-9
