Conference Paper
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

Ransomware has become a serious and concrete threat for mobile platforms and in particular for Android. In this paper, we propose R-PackDroid, a machine learning system for the detection of Android ransomware. Differently from previous works, we leverage information extracted from system API packages, which allows us to characterize applications without specific knowledge of user-defined content such as the application language or strings. Results attained on very recent data show that it is possible to detect Android ransomware and to distinguish it from generic malware with very high accuracy. Moreover, we used R-PackDroid to flag applications that were detected as ransomware with very low confidence by the VirusTotal service. In this way, we were able to correctly distinguish true ransomware from false positives, thus providing valuable help for the analysis of these malicious applications.


... The first technique consists of defining a learning-based system whose structure is inspired by other popular detection systems (Daniel et al., 2014; Chen et al., 2016; Maiorca et al., 2017). In particular, the proposed system performs the following steps: (i) it takes as an input an Android application and extracts its cryptographic API usage with the pipeline described in Section 2.2; (ii) it encodes these statistics into a vector of features; (iii) it trains a machine-learning classifier to predict a benign/malicious label. ...
... The third approach consists of taking a well-established malware classifier for Android as a baseline and measuring its performance when enhanced with features related exclusively to cryptographic API. To this end, we chose R-PackDroid (Maiorca et al., 2017), an available learning-based classifier (trained on random forests) based on static features, and we expand its feature set by adding the cryptographic features described above. There are multiple reasons for which this system was chosen as a baseline: (i) it was initially designed to detect ransomware; (ii) it harvests a relatively small number of features; (iii) it features a high detection rate (the original paper documents over 97% F1 score). ...
... We trained a random forest model based only on cryptography-related features described in Section 2.4 and compared its performance to R-PackDroid. To obtain a valid comparison, we replicated the experimental setup of the original R-PackDroid paper (Maiorca et al., 2017), taking 10 thousand applications divided 50:50 into benign/malicious, and split 50:50 into training/test set. Our classifier achieved 62.4% F1 score on the malicious samples (see also Table 4), showing that cryptographic information is discriminant enough to separate malicious from benign samples. ...
... There are a few works [3], [5], [8], [10], [12], [15], [17]-[20] that classify Android malware into malware families. Mostly, the machine learning based Android malware detection tools utilize either static features ([3], [4], [7], [12], [19]) or dynamic features ([7]-[9]). Some machine learning based malware analysis tools (like EC2 [17]) use both types of features, i.e., static and dynamic. ...
... All the above work utilizes API call information in some form, whereas we use API package information to identify Android malware families. R-PackDroid [7] is the most closely related work that utilizes API package information to characterize and detect Mobile Ransomware. However, in later work [28], authors have again shifted their focus on API call information. ...
Conference Paper
With the increased popularity and wide adoption as a mobile OS platform, Android has been a major target for malware authors. Due to unprecedented rapid growth in the number, variants, and diversity of malware, detecting malware on the Android platform has become challenging. Beyond the detection of a malware, classifying the family the malware belongs to helps security analysts to reuse malware removal techniques that are known to work for that family of malware. It takes manual analysis if a malware belongs to an unknown family. Therefore, classifying malware into the exact family is important. This paper presents a technique and tool named MAPFam that applies machine learning on static features from the Manifest file and API packages to classify an Android malware into its family. This work is premised on a starting hypothesis that features extracted from API packages rather than from API calls lead to more precise classification. Our experiments indeed show that API package based models provide ~1.63X more accurate classification compared to an API call based method. Our machine learning based malware family classification system uses API packages, requested permissions, and other features from the Manifest files. The proposed family classification system achieves accuracy and average precision above 97% for the top 60 malware families by using only 81 features with 97.55% of model reliability rate (Kappa score). The experimental results also show that MAPFam can perfectly identify 36 malware families.
... All these security solutions employ different strategies based on the analysis of the application through static analysis [3][4][5], dynamic analysis [6][7][8], or a combination of them. Additionally, such information is often employed by machine learning algorithms to carry out an accurate detection of known and previously unseen attacks [9][10][11][12][13]. However, machine learning algorithms are vulnerable to well-crafted attacks. ...
... Generally, the features used for the classification of patterns are gathered using static or dynamic analysis. [12,21]. We now briefly describe the work by Maiorca et al. [12], which is the basis of the setting considered in this paper. ...
... [12,21]. We now briefly describe the work by Maiorca et al. [12], which is the basis of the setting considered in this paper. The authors proposed a system designed for the detection of Android ransomware attacks. ...
Article
Full-text available
Due to its popularity, the Android operating system is a critical target for malware attacks. Multiple security efforts have been made on the design of malware detection systems to identify potentially harmful applications. In this sense, machine learning-based systems, leveraging both static and dynamic analysis, have been increasingly adopted to discriminate between legitimate and malicious samples due to their capability of identifying novel variants of malware samples. At the same time, attackers have been developing several techniques to evade such systems, such as the generation of evasive apps, i.e., carefully-perturbed samples that can be classified as legitimate by the classifiers. Previous work has shown the vulnerability of detection systems to evasion attacks, including those designed for Android malware detection. However, most works neglected to bring the evasive attacks onto the so-called problem space, i.e., by generating concrete Android adversarial samples, which requires preserving the app’s semantics and being realistic for human expert analysis. In this work, we aim to understand the feasibility of generating adversarial samples specifically through the injection of system API calls, which are typical discriminating characteristics for malware detectors. We perform our analysis on a state-of-the-art ransomware detector that employs the occurrence of system API calls as features of its machine learning algorithm. In particular, we discuss the constraints that are necessary to generate real samples, and we use techniques inherited from interpretability to assess the impact of specific API calls to evasion. We assess the vulnerability of such a detector against mimicry and random noise attacks. Finally, we propose a basic implementation to generate concrete and working adversarial samples. The attained results suggest that injecting system API calls could be a viable strategy for attackers to generate concrete adversarial samples. However, we point out the low suitability of mimicry attacks and the necessity to build more sophisticated evasion attacks.
... Maiorca et al. statically analyze the Dalvik bytecode to extract API packages found. Using API packages reduces the number of features needed for classification [39]. APIs contained in the invoke-type instructions are checked to see if they belong to system packages. ...
... Many techniques have been proposed to this end, especially monitoring/tracking user activity or sensitive information like Scandroid, TaintDroid [28,30] and others [50,73,122]. However, current literature is not abundant with mobile ransomware journals or papers, as stated in [32,39]. Even in the latest survey released in 2020 about ransomware in Windows and Android platforms, only six papers were mentioned related to mobile ransomware [21]. ...
... Approaches / Tested Detection/Protection Mechanism / Static / Dynamic / Solution: [39] API Calls (Static: ✓, Dynamic: X, Solution: ✓) Random forest applied to the occurrences of system API packages in the Android apps to classify the executables as ransomware, malware, or trusted. [18] API Calls (Static: X, Dynamic: ✓, Solution: ✓) Random forest, J48, and Naive Bayes are applied to fifty-two collected system calls to detect ransomware samples. ...
Article
Ransomware remains an alarming threat in the 21st century. It has evolved from being a simple scare tactic into a complex malware capable of evasion. Formerly, end-users were targeted via mass infection campaigns. Nevertheless, in recent years, the attackers have focused on targeted attacks, since the latter are profitable and can induce severe damage. A vast number of detection mechanisms have been proposed in the literature. We provide a systematic review of ransomware countermeasures starting from its deployment on the victim machine until the ransom payment via cryptocurrency. We define four stages of this malware attack: Delivery, Deployment, Destruction, and Dealing. Then, we assign the corresponding countermeasures for each phase of the attack and cluster them by the techniques used. Finally, we propose a roadmap for researchers to fill the gaps found in the literature in ransomware’s battle.
... Maiorca et al. statically analyze the Dalvik bytecode to extract API packages found. Using API packages reduces the number of features needed for classification [236]. APIs contained in the invoke-type instructions are checked to see if they belong to system packages. ...
... Approaches / Tested Detection/Protection Mechanism / Static / Dynamic / Solution: [236] API Calls X Random forest applied to the occurrences of system API packages in the Android apps to classify the executables as ransomware, malware, or trusted. [237] API Calls X Random forest, J48, and naïve Bayes are applied to fifty-two collected system calls to detect ransomware samples. ...
... Many techniques have been proposed to this end, especially monitoring/tracking user activity or sensitive information like Scandroid, TaintDroid [172,240] and others [241][242][243]. However, current literature is not abundant with mobile ransomware journals or papers, as stated in [236,238]. Even in the latest survey released in 2020 about ransomware in Windows and Android platforms, only six papers were mentioned related to mobile ransomware [244]. ...
Thesis
Ransomware remains the number one cyberthreat for individuals, enterprises, and governments. Malware’s aftermath can cause irreversible casualties if the requirements of the attackers are not met in time. This thesis targets Windows ransomware. It affects users’ data and undermines many public services. Four stages of this malware attack are defined: delivery, deployment, destruction, and dealing. The corresponding countermeasures are assigned to each phase of the attack and clustered according to the techniques used. This thesis presents three contributions. The first detection mechanism is located in the file system layer. It is based on the system traversal that is sufficient to highlight the malicious behavior. This thesis proposes also an analysis of the network traffic. It is generated by collected ransomware samples to perform a packet-level detection. A study of the ransom notes is made to define where it takes place in a ransomware workflow. The last contribution provides an insight into plausible attacks, especially Doxware. A quantification model that explores the Windows file system in search of valuable data is presented. It is based on the term frequency-inverse document frequency solution provided in the literature for information retrieval. Honeypot techniques are also used to protect the sensitive files of the users. Finally, this thesis provides future perspectives granting a better roadmap for researchers.
... However, the difficulty to deal with time-variant ransomware can become a bottleneck because of the escalating flow of ransomware versions that vary in their tricking exploitations, intrusion traits, and the type of platforms they have infected [6][7][8][9]. Furthermore, the existing detection tools still have direct impacts on the processing time, classification accuracies, searching for the minimum set of distinctive traits, employing an inappropriate number of static clues and dynamic actions, and then the overall performance of the detection engines [9][10][11][12][13][14][15]. For example, the detection tools of file system analysis, search for executable files, recognize ransomware infections through examining particular function calls like APIs (Application Program Interface), specific inserted codes, dynamic interactions of some apps, and some elementary settings of smartphone system [10][11][12]. ...
... For example, the detection tools of file system analysis search for executable files, recognize ransomware infections through examining particular function calls like APIs (Application Program Interface), specific inserted codes, dynamic interactions of some apps, and some elementary settings of the smartphone system [10][11][12]. Whereas the detection tools of machine learning aided analysis identify suspicious activities and apps as ransomware by encountering the values of a combination of static clues and dynamic actions that are mentioned above [13][14][15][16][17][18]. ...
... They deploy these values (i.e. ransomware infection vectors) as the input in their machine learning procedures [13][14][15][16][17][18]. ...
... Machine learning has numerous applications in classifying malware, ransomware, and benign programs [22]. R-PackDroid, an Android based ransomware detection system, was presented in [57]. This system performed the static analysis by analyzing the Dalvik bytecode. ...
... In [57], an Android based ransomware detection system named R-PackDroid was presented. This system ran the static analysis using RF, a supervised machine learning classifier, to categorize the applications into ransomware, generic malware and trusted by using the system API packages. ...
... Victims are threatened with the loss of their mobile data, sharing of personal information, and browsing history to their contact lists. Android.Lockdroid.E is one of the examples of mobile ransomware [57,86]. ...
Article
Full-text available
Ransomware is an ill-famed malware that has received recognition because of its lethal and irrevocable effects on its victims. The irreparable loss caused due to ransomware requires the timely detection of these attacks. Several studies including surveys and reviews are conducted on the evolution, taxonomy, trends, threats, and countermeasures of ransomware. Some of these studies were specifically dedicated to IoT and android platforms. However, there is not a single study in the available literature that addresses the significance of dynamic analysis for the ransomware detection studies for all the targeted platforms. This study also provides the information about the datasets collection from its sources, which were utilized in the ransomware detection studies of the diverse platforms. This study is also distinct in terms of providing a survey about the ransomware detection studies utilizing machine learning, deep learning, and blend of both techniques while capitalizing on the advantages of dynamic analysis for the ransomware detection. The presented work considers the ransomware detection studies conducted from 2019 to 2021. This study provides an ample list of future directions which will pave the way for future research.
... The existing literature on Android ransomware (Ferrante et al., 2017;Gharib and Ghorbani, 2017;Maiorca et al., 2017;Saracino et al., 2016;Scalas et al., 2019;Su et al., 2018) employs supervised machine learning techniques and lacks extraction of significant features such as intents which switch the user from one app to another app, text displayed on users screen in the native language, strings in images, and encoding methods misused by malicious apps to display text in native languages. ...
... Saracino et al. (2016) analyzed permissions and system calls; while Mercaldo et al. (2016) analyzed Java Bytecode to show the behavior of Android ransomware. Maiorca et al. (2017) analyzed Dalvik bytecode to monitor invoke-type instructions to detect Android ransomware. Gharib and Ghorbani (2017) analyzed text, images of logos, permissions, system and Application Programming Interface (API) call sequence; while Ferrante et al. (2017) analyzed n-grams opcodes (n = 2), memory, system calls, network traffic logs, and CPU usage for the detection of Android ransomware. ...
... If an app wants to access an API, then an alert will be generated for the users to either permit or refuse the access. But overclaiming of permission is the most drastic issue in Android.
Tool (reference), year: features; learning type; method
(Song et al., 2016), 2016: processor, memory; Others; Process Monitoring
Madam (Saracino et al., 2016), 2016: permissions, system calls; Supervised; K-Nearest Neighbors
R-inside out (Mercaldo et al., 2016), 2016: Java Bytecode; Others; CWNC model
R-PackDroid (Maiorca et al., 2017), 2017: invoke-type instructions; Supervised; RF
DNA-Droid (Gharib and Ghorbani, 2017), 2017: text, images, API, permissions; Supervised; NB, RF, SVM, AdaBoost, DNN
Extinguish-ransom (Ferrante et al., 2017), 2017: memory, system calls, logs; Supervised; DT, NB, LR
RansomProber (Chen et al., 2017), 2018: widgets, activities; Others; User Interface
Locker (Su et al., 2018), 2018: text, commands, permissions; Supervised; LR, RF, DT, SVM, Ensemble Learning
API-based (Scalas et al., 2019), 2019: API; Supervised; RF
GPU-based (Sharma et al., 2020a), 2020 ...
Article
Ransomware attacks are not only limited to Personal Computers but are increasing rapidly to target smart-phones as well. The attackers target smart-phone devices to steal users’ personal information for monetary purposes. However, Android is the most widely used mobile operating system with the largest market share in the world that makes it a primary target for cyber-criminals to attack. The existing research towards the detection of Android ransomware lacks significant features and works with supervised machine learning techniques. But there are several restrictions in supervised machine learning techniques such as these techniques heavily rely on anti-virus vendors to provide explicit labels and the given sample can be wrongly classified if the training set does not include related examples and/or if the labels are incorrect. Moreover, it may not detect unknown ransomware samples in real-time situations due to the absence of historical targets in the real world. In this work, an attempt is made for an in-depth investigation of Android ransomware with reverse engineering and forensic analysis to extract static features. Furthermore, a novel RansomDroid framework on clustering based unsupervised machine learning techniques is proposed to address the issues such as mislabeling of historical targets and detecting unforeseen Android ransomware. To the best of our knowledge, performing unsupervised machine learning techniques for the detection of Android ransomware is still an open area of research that has not been explored by the researchers yet. The proposed RansomDroid framework employs a Gaussian Mixture Model that has a flexible and probabilistic approach to model the dataset. RansomDroid framework utilizes feature selection and dimensionality reduction to further improve the performance of the model. The experimental results show that the proposed RansomDroid framework detects Android ransomware with an accuracy of 98.08% in 44 ms.
... We trained a random forest model based only on cryptography-related features described in Section 2.4 and compared its performance to R-PackDroid. To obtain a valid comparison, we replicated the experimental setup of the original R-PackDroid paper (Maiorca et al., 2017), taking 10 thousand applications divided 50:50 into benign/malicious, and split 50:50 into training/test set. Our classifier achieved 62.4% F1 score on the malicious samples (see also Table 4). ... significantly better than our system, our classifier was able to correctly identify 88/180 malicious samples that were misclassified as benign by R-PackDroid (with all 211 features). ...
Preprint
Full-text available
Cryptography has been extensively used in Android applications to guarantee secure communications, conceal critical data from reverse engineering, or ensure mobile users' privacy. Various system-based and third-party libraries for Android provide cryptographic functionalities, and previous works mainly explored the misuse of cryptographic API in benign applications. However, the role of cryptographic API has not yet been explored in Android malware. This paper performs a comprehensive, longitudinal analysis of cryptographic API in Android malware. In particular, we analyzed 603,937 Android applications (half of them malicious, half benign) released between 2012 and 2020, gathering more than 1 million cryptographic API expressions. Our results reveal intriguing trends and insights on how and why cryptography is employed in Android malware. For instance, we point out the widespread use of weak hash functions and the late transition from insecure DES to AES. Additionally, we show that cryptography-related characteristics can help to improve the performance of learning-based systems in detecting malicious applications.
... Android malware detection classifies Android apps into two classes benign and malware. However, some papers detect Android Ransomware (Andronio, Zanero & Maggi, 2015;Maiorca et al., 2017) considering three classes benign, malware, and ransomware. Hence, we briefly explain the evaluation measures of ML classification. ...
... Until today, many static analysis researchers depend on permissions (Arora, Peddoju & Conti, 2019; Dharmalingam & Palanisamy, 2021; Li et al., 2018; Şahin et al., 2021); however, many are relying on API calls (Alazab et al., 2020; Jung et al., 2018; Maiorca et al., 2017; Mirzaei et al., 2019; Pektaş & Acarman, 2020; Tiwari & Shukla, 2018; Zhang et al., 2020; Zhang, Breitinger & Baggili, 2016; Zou et al., 2021) and deep code analysis and other types of features as discussed earlier in the Android evasion detection frameworks section. Many of the examined studies ignored the evaluation of evasion techniques. ...
Article
Full-text available
The various application markets are facing an exponential growth of Android malware. Every day, thousands of new Android malware applications emerge. Android malware hackers adopt reverse engineering and repackage benign applications with their malicious code. Therefore, Android applications developers tend to use state-of-the-art obfuscation techniques to mitigate the risk of application plagiarism. The malware authors adopt the obfuscation and transformation techniques to defeat the anti-malware detections, which this paper refers to as evasions. Malware authors use obfuscation techniques to generate new malware variants from the same malicious code. The concern of encountering difficulties in malware reverse engineering motivates researchers to secure the source code of benign Android applications using evasion techniques. This study reviews the state-of-the-art evasion tools and techniques. The study criticizes the existing research gap of detection in the latest Android malware detection frameworks and challenges the classification performance against various evasion techniques. The study concludes the research gaps in evaluating the current Android malware detection framework robustness against state-of-the-art evasion techniques. The study concludes the recent Android malware detection-related issues and lessons learned which require researchers’ attention in the future.
... Chen et al. [21] converted app opcodes to an image-like structure in order to perform data augmentation through a Generative Adversarial Network (GAN), while the works by Mahindru et al. focused on assessing effective feature selection, mainly considering the usage of APIs and permissions as features [44,45]. Moreover, different works in the literature target specific types of attacks, such as botnets [33] or ransomware samples [17,47,57]. ...
... An interesting aspect to underline is that most of the feature sets used in previous work-the earliest as well as the newest ones-include information from Android APIs [1,4,19,38,45,47,48,57]. According to Zhang et al. [67], although Android malware evolves over time, many semantics are still the same or similar, and can be caught by identifying the relations between the different APIs. ...
Article
Full-text available
While machine-learning algorithms have demonstrated a strong ability in detecting Android malware, they can be evaded by sparse evasion attacks crafted by injecting a small set of fake components, e.g., permissions and system calls, without compromising intrusive functionality. Previous work has shown that, to improve robustness against such attacks, learning algorithms should avoid overemphasizing few discriminant features, providing instead decisions that rely upon a large subset of components. In this work, we investigate whether gradient-based attribution methods, used to explain classifiers’ decisions by identifying the most relevant features, can be used to help identify and select more robust algorithms. To this end, we propose to exploit two different metrics that represent the evenness of explanations, and a new compact security measure called Adversarial Robustness Metric. Our experiments conducted on two different datasets and five classification algorithms for Android malware detection show that a strong connection exists between the uniformity of explanations and adversarial robustness. In particular, we found that popular techniques like Gradient*Input and Integrated Gradients are strongly correlated to security when applied to both linear and nonlinear detectors, while more elementary explanation techniques like the simple Gradient do not provide reliable information about the robustness of such classifiers.
... Maiorca et al. [14] extracted the Dalvik bytecode feature present in the dex files. They analyzed invoke-type instructions which belonged to system Application Program Interface (API) packages. ...
... This section compares the accuracy of the best machine learning model (i.e., ensemble learning RF model) of the proposed framework with the existing frameworks to detect Android ransomware. Figure 8 shows that the proposed framework achieved the best accuracy (99.67%) to detect Android locker and crypto ransomware as compared to the existing System-call-based [1], DNA-DROID [12], API-based [21], and R-PackDroid [14] frameworks. Figure 8. ...
Article
With the latest developments in technology, the usage of smartphones to fulfill day-to-day requirements has increased. Android-based smartphones occupy the largest market share among mobile operating systems. Hackers are continuously keeping an eye on Android-based smartphones by creating malicious apps housed with ransomware functionality for monetary purposes. Hackers lock the screen and/or encrypt the documents of the victim’s Android based smartphones after performing ransomware attacks. Thus, in this paper, a framework has been proposed in which we (1) utilize novel features of Android ransomware, (2) reduce the dimensionality of the features, (3) employ an ensemble learning model to detect Android ransomware, and (4) perform a comparative analysis to calculate the computational time required by machine learning models to detect Android ransomware. Our proposed framework can efficiently detect both locker and crypto ransomware. The experimental results reveal that the proposed framework detects Android ransomware by achieving an accuracy of 99.67% with the Random Forest ensemble model. After reducing the dimensionality of the features with the principal component analysis technique, the Logistic Regression model took the least time to execute on the Graphics Processing Unit (GPU) and Central Processing Unit (CPU), in 41 milliseconds and 50 milliseconds respectively.
... Here, this paper discusses these research directions and issues which can assist in developing the efficiency and effectiveness of ransomware recognition and prevention solutions [44]. Some existing software tools for detecting, analyzing and predicting ransomware are briefly illustrated in Table 2. [45], [46], [50], [51] Classification SVM, LR, RF, Bayesian Belief Network, NB. ...
... [52], [49], [46], [50] Similarity measurement Structural similarity (SSIM), Cosine similarity. ...
Preprint
Full-text available
Internet of Things (IoT) is being considered as the growth engine for industrial revolution 4.0. The combination of IoT, cloud computing and healthcare can contribute in ensuring well-being of people. One important challenge of IoT network is maintaining privacy and to overcome security threats. This paper provides a systematic review of the security aspects of IoT. Firstly, the application of IoT in industrial and medical service scenarios are described, and the security threats are discussed for the different layers of IoT healthcare architecture. Secondly, different types of existing malware including spyware, viruses, worms, keyloggers, and trojan horses are described in the context of IoT. Thirdly, some of the recent malware attacks such as Mirai, echobot and reaper are discussed. Next, a comparative discussion is presented on the effectiveness of different machine learning algorithms in mitigating the security threats. It is found that the k-nearest neighbor (kNN) machine learning algorithm exhibits excellent accuracy in detecting malware. This paper also reviews different tools for ransomware detection, classification and analysis. Finally, a discussion is presented on the existing security issues, open challenges and possible future scopes in ensuring IoT security.
... Maiorca et al. [17] extracted the Dalvik bytecode feature present in the dex files. They analyzed invoke-type instructions which belonged to system Application Program Interface (API) packages. ...
... This section compares the accuracy of the best machine learning model in the proposed framework with the existing frameworks to detect Android ransomware. Fig. 4. shows that the proposed framework achieved the best accuracy (99.59%) to detect Android locker and crypto ransomware as compared to the existing DNA-Droid [18], API-based [21], and R-PackDroid [17] frameworks. This paper proposed a framework to classify Android ransomware and benign apps by using supervised machine learning models. ...
... They didn't provide any ransomware examples in the training phase, and their framework identifies anomalies that deviate from learned behaviour. Maiorca et al. [36] proposed R-PackDroid for the Android operating system. ...
... Researchers focused on process anomaly detection to enhance their detection rate. The technique discussed in the paper uses Windows API calls [22,36,39], I/O request packet (IRP) logs, file system operations, the set of operations performed per file extension, directory operations, dropped files, registry key operations, and strings [14,22,23,24,26] for detection. For file system activity detection, researchers recorded folder listing, files written, files renamed, files read, write entropy, and file type coverage [24]. The various researchers recorded IRP open, IRP write, and IRP create for IRP logs [23]. ...
Chapter
Full-text available
Ransomware is a program used by an attacker or hacker that locks or encrypts target files or data. The user or the owner of the data cannot access these without the explicit assistance of the attacker. After locking or encrypting, the attacker demands a ransom, generally in the form of cryptocurrencies, to permit the user to regain access to the locked data. However, there is no guarantee that the user can access the seized data again even after the ransom has been paid. Researchers have proposed various tools and techniques to protect and fight against ransomware. Existing tools and methods are not sufficient to detect ransomware early because several new ransomware variants are being introduced every day. Machine learning techniques are used efficiently in various applications like ransomware detection, spam detection, text classification, pattern recognition, etc. Further, deep learning, a subfield of machine learning, eliminates the burden of re-engineering the features for the new types of malware or network attacks that may arise. In this paper, several machine learning-based detection techniques against ransomware are reviewed.
... R-PackDroid [103] is a machine learning approach designed to detect Android ransomware based on extracted API package information. This static detection system is used to label inspected applications as one of three classes: ransomware, malware, or trusted app. ...
... Also, this system was not tested against obfuscated applications. Therefore, it uses the VirusTotal service to confirm its classification results and reduce its false positive rate [103]. ...
Preprint
Full-text available
Malware proliferation and sophistication have drastically increased and evolved continuously. Recent indiscriminate ransomware victimizations have imposed critical needs for effective detection techniques to prevent damages. Therefore, ransomware has drawn attention among cyberspace researchers. This paper contributes a comprehensive overview of ransomware attacks and summarizes existing detection and prevention techniques on both Windows and Android platforms. Moreover, it highlights the strengths and shortcomings of those techniques and provides a comparison between them. Furthermore, it gives recommendations to users and system administrators.
... Here, this paper discusses these research directions and issues which can assist to develop the efficiency and effectiveness of ransomware recognition and prevention solutions [44]. Some existing software tools for detecting, analyzing and predicting ransomware are briefly illustrated in Table 2. (Table 2 rows: [45], [46], [50], [51]: Classification: SVM, LR, RF, Bayesian Belief Network, NB; [52], [49], [46], [50]: Similarity measurement: Structural similarity (SSIM), Cosine similarity.) ...
Article
Full-text available
The Internet of Things (IoT) is being considered as the growth engine for industrial revolution 4.0. The combination of IoT, cloud computing and healthcare can contribute to ensuring the well-being of people. One important challenge of IoT networks is maintaining privacy and overcoming security threats. This paper provides a systematic review of the security aspects of IoT. Firstly, the applications of IoT in industrial and medical service scenarios are described, and the security threats are discussed for the different layers of the IoT healthcare architecture. Secondly, different types of existing malware including spyware, viruses, worms, keyloggers, and trojan horses are described in the context of IoT. Thirdly, some of the recent malware attacks such as Mirai, echobot and reaper are discussed. Next, a comparative discussion is presented on the effectiveness of different machine learning algorithms in mitigating the security threats. It is found that the k-nearest neighbor (kNN) machine learning algorithm exhibits excellent accuracy in detecting malware. This paper also reviews different tools for ransomware detection, classification and analysis. Finally, a discussion is presented on the existing security issues, open challenges and possible future scopes in ensuring IoT security.
... In dynamic or behaviour analysis, the malware binary is executed in a controlled environment to learn its behaviour in terms of the operations it performs with the operating system and the machine's other resources. Anti-malware evasion techniques such as code obfuscation and polymorphism utilized by ransomware developers make signature-based ransomware detection ineffective [19,21]. To complement the static detection process, behaviour-based detection (dynamic analysis based) approaches are used. ...
... It can be further observed that for binary classification, the proposed method selected most of the features from the API group, which is in line with existing literature since many authors have used API calls in connection with ransomware detection, e.g., [19,21,30]. Similarly, for multi-class classification, the proposed method selected the largest number of features from the STR group. ...
Chapter
Ransomware has emerged as a grave cyber threat. Many of the existing ransomware detection and classification models use datasets created through dynamic or behaviour analysis of ransomware, hence known as behaviour-based detection models. A big challenge in automated behaviour-based ransomware detection and classification is high-dimensional data with numerous features distributed into various groups. Feature selection algorithms usually help to deal with high dimensionality for improving classification performance. In connection with ransomware detection and classification, the majority of the feature selection methods used in the existing literature ignore the varying importance of the various feature groups within a ransomware behaviour analysis dataset. For ransomware detection and classification, we propose a two-stage feature selection method that considers the varying importance of each of the feature groups in the dataset. The proposed method utilizes particle swarm optimization, a wrapper-based feature selection algorithm, for selection of the optimal number of features from each feature group to produce better classification performance. Although the proposed method shows comparable performance for binary classification, it performs significantly better for multi-class classification than the existing feature selection methods used for this purpose.
... Some studies detect Android ransomware with a dynamic approach [28], a hybrid approach [29] [30], and the Random Forest classification technique [31]. ...
Article
Full-text available
The ransomware detection reports from cyber-security companies signal a high threat to the security of Android devices. The study used machine learning approaches, particularly the classifiers Decision Tree, Random Forest, Gradient Boosting Decision Trees, and AdaBoost, to detect ransomware malware. The study used a dataset from HelDroid with known ransomware features; the dataset was transformed and fed to the classifier models. Using the 5-attribute dataset fed to the classifiers, the models generate a high average accuracy rate of 98.05%, on both the training and test sets. For the Naive Bayes classifiers, the mean cross-validation accuracy on Gaussian and Bernoulli is 97.6%, while on Multinomial it is 81.6%. Feeding the binarized 229-attribute dataset, Decision Tree generates 99.08% accuracy, while the three Naive Bayes classifiers return 100% overfit results.
... R-PackDroid [57]: The authors collected Android ransomware samples from the HelDroid and VirusTotal datasets to perform static analysis on dex files. They used ApkTool to convert dex files into Dalvik bytecode to analyze invoke-type instructions. ...
Article
Smart-phones have become a necessity for users due to their abundance of services such as global positioning system, Wi-Fi, voice/video calls, SMS, camera, and so forth. They contain personal information of users including photos, documents, messages, and videos. Android-based smart-phones enriched with many applications (commonly known as apps) fascinate users to use this ubiquitous technology to its full extent. With an open architecture and 73% of market share, Android is the most popular mobile operating system (OS) among developers. At the same time, the increasing popularity of Android OS woos attackers or cyber-criminals to exploit its vulnerabilities. The attackers write malicious code to harm the device and grab users' sensitive information. For example, ransomware (a form of malware) demands ransom from victims to liberate the seized material for illegal financial gain. The existing survey papers cover the analysis and detection of generic Android malware. The focus of this survey paper is to present an in-depth threat scenario of Android ransomware. This article not only provides a comprehensive survey on analysis and detection methods for Android ransomware since its beginning (2015) till date (2020); but also presents observations and suggestions for researchers and practitioners to carry out further research.
... Maiorca et al. [11] extract the API packages to detect Android ransomware by a static method, and build a model named R-PackDroid based on this. This model does not rely on prior knowledge of ransomware encryption, but only depends on the API packages and their calling frequency in the application; its detection accuracy is higher than HelDroid, but its anti-aliasing ability is poor and the false alarm rate is high. ...
Article
Full-text available
With the popularity of smart devices such as smartphones and pads, the threat of Android ransomware is becoming increasingly serious. Compared with other malicious software, ransomware is widely favoured by hackers because restoration is hard and the benefits are obtained directly, which also brings serious spiritual and property damage to users. To protect our smart devices from ransomware and reduce threats and losses, researchers conduct a lot of research on Android ransomware and propose many practical detection schemes. This paper first summarizes the characteristics of Android ransomware, then summarizes the existing research work on detecting and safeguarding against ransomware on the Android platform and makes a comprehensive analysis and comparison of them. Finally, it points out the remaining problems of these solutions, puts forward corresponding suggestions and proposes future research directions.
... Researchers focused on process anomaly detection to enhance their detection rate. The technique discussed in the paper uses Windows API calls [21,22,23], I/O request packet (IRP) logs, file system operations, the set of operations performed per file extension, directory operations, dropped files, registry key operations, and strings [24,25,26,27,28] for detection. Researchers recorded artefacts like folder listing, files written, files renamed, files read, write entropy, and file type coverage as file system activities [27]. ...
Preprint
Full-text available
The current pandemic situation has increased cyber-attacks drastically worldwide. The attackers are heavily using malware like trojans, spyware, rootkits, worms, and ransomware. Ransomware is the most notorious malware, yet we do not have any defensive mechanism to prevent or detect a zero-day attack. Most defensive products in the industry rely on either signature-based mechanisms or traffic-based anomaly detection. Therefore, researchers are adopting machine learning and deep learning to develop behaviour-based mechanisms for detecting malware. Though we have some hybrid mechanisms that perform static and dynamic analysis of executables for detection, we do not have any foolproof detection proof of concept which can be used to develop a foolproof product specific to ransomware. In this work, we have developed a proof of concept for ransomware detection using machine learning models. We have done a detailed analysis and compared the efficiency of several machine learning models like decision tree, random forest, KNN, SVM, XGBoost and Logistic Regression. We obtained 98.21% accuracy and evaluated various metrics like precision, recall, TP, TN, FP, and FN.
... Moreover, being open, this system is very attractive to malware writers; for these reasons it represents the primary target of cybercriminals, who are able to develop malicious code to attack users and their information [4,5]. Moreover, ransomware is also becoming a serious threat in the Android environment [6,7]. ...
Article
Full-text available
The Android platform is currently targeted by malicious writers, continuously focused on the development of new types of attacks to extract sensitive and private information from our mobile devices. In this landscape, one recent trend is represented by the collusion attack. In a nutshell, this attack requires that two or more applications are installed to perpetrate the malicious behaviour, which is split across more than one application: for this reason anti-malware tools are not able to detect this attack, considering that they analyze just one application at a time and that a single colluding application does not exhibit any malicious action. In this paper an approach exploiting model checking is proposed to automatically detect whether two applications exhibit the ability to perform a collusion through the SharedPreferences communication mechanism. We formulate a series of temporal logic formulae to detect the collusion attack from a model obtained by automatically selecting the classes that are candidates for the collusion, obtained by two heuristics we propose. Experimental results demonstrate that the proposed approach is promising in collusion application detection: as a matter of fact, an accuracy equal to 0.99 is obtained by evaluating 993 Android applications.
... In Kadiyala et al. (2020), only four hardware performance aspects were considered. Maiorca et al. (2017) proposed a supervised machine learning-based procedure, R-PackDroid, to detect Android ransomware, which is a light-weight technique and does not require prior knowledge of ransomware's encryption mechanisms. However, the R-PackDroid technique uses fully encrypted code-files and is unable to analyze the applications that load the code at run-time. ...
Article
Full-text available
Due to the expeditious inclination of online services usage, the incidents of ransomware proliferation being reported are on the rise. Ransomware is a more hazardous threat than other malware as the victim of ransomware cannot regain access to the hijacked device until some form of compensation is paid. In the literature, several dynamic analysis techniques have been employed for the detection of malware including ransomware; however, to the best of our knowledge, hardware execution profile for ransomware analysis has not been investigated for this purpose, as of today. In this study, we show that the true execution picture obtained via a hardware execution profile is beneficial to identify the obfuscated ransomware too. We evaluate the features obtained from hardware performance counters to classify malicious applications into ransomware and non-ransomware categories using several machine learning algorithms such as Random Forest, Decision Tree, Gradient Boosting, and Extreme Gradient Boosting. The employed data set comprises 80 ransomware and 80 non-ransomware applications, which are collected using the VirusShare platform. The results revealed that extracted hardware features play a substantial part in the identification and detection of ransomware with F-measure score of 0.97 achieved by Random Forest and Extreme Gradient Boosting.
... The paper aims to contribute to this research field by proposing some prediction models to increase the reliability of credit risk assessments in support of bank CRM. Our data mining techniques, i.e., supervised machine learning algorithms (Mercaldo et al., 2016; Maiorca et al., 2017; Martinelli et al., 2017b; Martinelli et al., 2017a), are exploited to reduce the percentage of unsafe borrowers. In detail, our aim is to investigate the adoption of these techniques to develop more advanced credit risk measurement to tackle the problem of estimating the PD on loan repayments. ...
... Machine Learning-Based Detection Via Structural Features: In terms of the ML-based ransomware detection systems for mobile devices using structural features, researchers used API packages [20,122], API packages, classes, and methods [154], permissions [21], opcodes in native instruction formats [111], grey-scale images of mobile application source codes [98], and structural entropy of mobile applications [59] to build and evaluate various ML classifiers. ...
Preprint
Full-text available
In recent years, ransomware has been one of the most notorious malware targeting end users, governments, and business organizations. It has become a very profitable business for cybercriminals with revenues of millions of dollars, and a very serious threat to organizations with financial loss of billions of dollars. Numerous studies were proposed to address the ransomware threat, including surveys that cover certain aspects of ransomware research. However, no study exists in the literature that gives the complete picture on ransomware and ransomware defense research with respect to the diversity of targeted platforms. Since ransomware is already prevalent in PCs/workstations/desktops/laptops, is becoming more prevalent in mobile devices, and has already hit IoT/CPS recently, and will likely grow further in the IoT/CPS domain very soon, understanding ransomware and analyzing defense mechanisms with respect to target platforms is becoming more imperative. In order to fill this gap and motivate further research, in this paper, we present a comprehensive survey on ransomware and ransomware defense research with respect to PCs/workstations, mobile devices, and IoT/CPS platforms. Specifically, covering 137 studies over the period of 1990-2020, we give a detailed overview of ransomware evolution, comprehensively analyze the key building blocks of ransomware, present a taxonomy of notable ransomware families, and provide an extensive overview of ransomware defense research (i.e., analysis, detection, and recovery) with respect to platforms of PCs/workstations, mobile devices, and IoT/CPS. Moreover, we derive an extensive list of open issues for future ransomware research. We believe this survey will motivate further research by giving a complete picture on state-of-the-art ransomware research.
... The authors in [33] evaluated the performance metrics for various detectors by utilizing the CICAndMal2017 dataset. The authors in [34] mentioned the chance of detecting ransomware from the system API packages of Android apps and proposed "R-PackDroid", which classified ransomware apps with high accuracy. The existing work can be classified into three categories: (1) Application program interface (API) call based Android malware detection, (2) intent-based Android malware detection, and (3) permission-based Android malware detection. ...
Article
Android smartphones are being utilized by a vast majority of users for everyday planning, data exchanges, correspondences, social interaction, business execution, bank transactions, and almost in each walk of everyday lives. With the expansion of human reliance on smartphone technology, cyberattacks against these devices have surged exponentially. Smartphone applications use permissions to utilize various functionalities of the smartphone that can be maneuvered to launch an attack or inject malware by hackers. Existing studies present various approaches to detect Android malware but lack early detection and identification. Accordingly, there is a dire need to craft an efficient mechanism for malicious applications’ detection before they exploit the data. In this paper, a novel approach DeepAMD to defend against real-world Android malware using deep Artificial Neural Network (ANN) has been adopted including an efficiency comparison of DeepAMD with conventional machine learning classifiers and state-of-the-art studies based on performance measures such as accuracy, recall, f-score, and precision. As per the experimental analysis, DeepAMD outperforms other approaches in detecting and identifying malware attacks on both Static as well as Dynamic layers. On the Static layer, DeepAMD achieves the highest accuracy of 93.4% for malware classification, 92.5% for malware category classification, and 90% for malware family classification. On the Dynamic layer, DeepAMD achieves the highest accuracy of 80.3% for malware category classification and 59% for malware family classification in comparison with the state-of-the-art techniques.
... The extracted features were combined to form a new vector used to train a deep neural network (DNN) classifier. The proposed model was compared with other models including random forest [61], decision trees [59], logistic regression (LR), support vector machine (SVM) [62], and DNN [63] and it was found that it achieves the best performance as measured by the detection rate (DR) and the false negative rate (FNR). ...
Article
Full-text available
In today's Industrial Internet of Things (IIoT) environment, where different systems interact with the physical world, the state proposed by the Industry 4.0 standards can lead to escalating vulnerabilities, especially when these systems receive data streams from multiple intermediaries, requiring multilevel security approaches, in addition to link encryption. At the same time taking into account the heterogeneity of the systems included in the IIoT ecosystem and the non-institutionalized interoperability in terms of hardware and software, serious issues arise as to how to secure these systems. In this framework, given that the protection of industrial equipment is a requirement inextricably linked to technological developments and the use of the IoT, it is important to identify the major vulnerabilities and the associated risks and threats and to suggest the most appropriate countermeasures. In this context, this study provides a description of the attacks against IIoT systems, as well as a thorough analysis of the solutions for these attacks, as they have been proposed in the most recent literature.
... It can also detect multiple variants of ransomware. Reference [11] built a static model called R-PackDroid that was a lightweight solution implemented on the user's device itself. Its functionality was to extract and analyze the application packages from the apk files. ...
Article
Full-text available
Ransomware is a special malware designed to extort money in return for unlocking the device and personal data files. Smartphone users store their personal as well as official data on these devices. Ransomware attackers found it bewitching for their financial benefits. The financial losses due to ransomware attacks are increasing rapidly. Recent studies witness that out of 87% reported cyber-attacks, 41% are due to ransomware attacks. The inability of application-signature-based solutions to detect unknown malware has inspired many researchers to build automated classification models using machine learning algorithms. Advanced malware is capable of delaying malicious actions on sensing the emulated environment and hence posing a challenge to dynamic monitoring of applications also. Existing hybrid approaches utilize a variety of features combination for detection and analysis. The rapidly changing nature and distribution strategies are possible reasons behind the deteriorated performance of primitive ransomware detection techniques. The limitations of existing studies include ambiguity in selecting the features set. Increasing the feature set may lead to freedom of adept attackers against learning algorithms. In this work, we intend to propose a hybrid approach to identify and mitigate Android ransomware. This study employs a novel dominant feature selection algorithm to extract the dominant feature set. The experimental results show that our proposed model can differentiate between clean and ransomware with improved precision. Our proposed hybrid solution confirms an accuracy of 99.85% with zero false positives while considering 60 prominent features. Further, it also justifies the feature selection algorithm used. The comparison of the proposed method with the existing frameworks indicates its better performance.
... Ransomware takes over the victim's device, and blocks or encrypts the data, therefore, preventing the victim from using the device. The victim can get back to using the device or its data only if ransom is paid [4]. Ransomware made history in 2020 as it contributed to the first reported death related to a cyber-attack, when a German hospital was attacked by ransomware, causing a lock out of their systems and preventing treatment of patients. ...
... The experiments were run on an Intel(R) Xeon(R) CPU E5-2683 v4 2.1 GHz with 64 GB RAM with GeForce RTX 2080 TI GPU. The dataset for the experiments consisted of ∼73K benign apps from the Google Play Market [1] (obtained from Androzoo [85]) and ∼6K malicious apps from the Drebin dataset [86], [4], [5], [87], [88], [89], [90]. To account for variations in the dataset, a 5-fold CV was used. ...
Preprint
Full-text available
Android malware is a continuously expanding threat to billions of mobile users around the globe. Detection systems are updated constantly to address these threats. However, a backlash takes the form of evasion attacks, in which an adversary changes malicious samples such that those samples will be misclassified as benign. This paper fully inspects a well-known Android malware detection system, MaMaDroid, which analyzes the control flow graph of the application. Changes to the portion of benign samples in the train set and models are considered to see their effect on the classifier. The changes in the ratio between benign and malicious samples have a clear effect on each one of the models, resulting in a decrease of more than 40% in their detection rate. Moreover, adopted ML models are implemented as well, including 5-NN, Decision Tree, and Adaboost. Exploration of the six models reveals a typical behavior in different cases, of tree-based models and distance-based models. Moreover, three novel attacks that manipulate the CFG and their detection rates are described for each one of the targeted models. The attacks decrease the detection rate of most of the models to 0%, with regards to different ratios of benign to malicious apps. As a result, a new version of MaMaDroid is engineered. This model fuses the CFG of the app and static analysis of features of the app. This improved model is proved to be robust against evasion attacks targeting both CFG-based models and static analysis models, achieving a detection rate of more than 90% against each one of the attacks.
... Ransomware takes over the victim's device, and blocks or encrypts the data, therefore, preventing the victim from using the device. The victim can get back to using the device or its data only if ransom is paid [4]. Ransomware made history in 2020 as it contributed to the first reported death related to a cyber-attack, when a German hospital was attacked by ransomware, causing a lock out of their systems and preventing treatment of patients. ...
Research
Full-text available
Every day, there is great growth of the Internet and of smart devices connected to the network. Additionally, there is an increasing amount of malware that attacks networks, devices, systems and applications. One of the biggest threats and newest attacks in cybersecurity is Ransom Software (Ransomware). Although there is a lot of research on detecting malware using machine learning (ML), only a few works focus on ML-based ransomware detection, especially attacks targeting smartphone operating systems (e.g., Android) and applications. In this research, a new system was proposed to protect smartphones from malicious applications through monitoring network traffic. Six ML methods (Random Forest (RF), k-Nearest Neighbors (k-NN), Multi-Layer Perceptron (MLP), Decision Tree (DT), Logistic Regression (LR), and eXtreme Gradient Boosting (XGB)) are applied to the CICAndMal2017 dataset, which consists of benign and various kinds of Android malware samples. 603288 benign and ransomware samples were extracted from this collection. Ransomware samples were collected from 10 different families. Several types of feature selection techniques have been used on the dataset. Finally, seven performance metrics were used to determine the best feature selection and ML classifiers for ransomware detection. The experiment results imply that DT and XGB outperform other classifiers with best detection accuracy at more than 99.30% and 99.20% for DT and XGB respectively.
... Machine Learning-Based Detection Via Structural Features: In terms of the ML-based ransomware detection systems for mobile devices using structural features, researchers used API packages [19,126], classes, and methods [159], permissions [20], opcodes in native instruction formats [115], grey-scale images of mobile application source codes [95], and structural entropy of mobile applications [56] to build and evaluate various ML classifiers. ...
Article
Full-text available
In recent years, ransomware has been one of the most notorious malware targeting end-users, governments, and business organizations. It has become a very profitable business for cybercriminals with revenues of millions of dollars, and a very serious threat to organizations with financial loss of billions of dollars. Numerous studies were proposed to address the ransomware threat, including surveys that cover certain aspects of ransomware research. However, no study exists in the literature that gives the complete picture on ransomware and ransomware defense research with respect to the diversity of targeted platforms. Since ransomware is already prevalent in PCs/workstations/desktops/laptops, is becoming more prevalent in mobile devices, and has already hit IoT/CPS recently, and will likely grow further in the IoT/CPS domain very soon, understanding ransomware and analyzing defense mechanisms with respect to target platforms is becoming more imperative. In order to fill this gap and motivate further research, in this paper, we present a comprehensive survey on ransomware and ransomware defense research with respect to PCs/workstations, mobile devices, and IoT/CPS platforms. Specifically, covering 137 studies over the period of 1990-2020, we give a detailed overview of ransomware evolution, comprehensively analyze the key building blocks of ransomware, present a taxonomy of notable ransomware families, and provide an extensive overview of ransomware defense research (i.e., analysis, detection, and recovery) with respect to platforms of PCs/workstations, mobile devices, and IoT/CPS. Moreover, we derive an extensive list of open issues for future ransomware research. We believe this survey will motivate further research by giving a complete picture on state-of-the-art ransomware research.
... Few authors have tried to present solutions for mobile malware detection [2,6,15]. They attempt to identify applications that encrypt data without consent of the user. ...
Article
Cloud computing has become one of the most preferred solutions for enterprises to implement and extend various enterprise applications. The importance of virtual servers in cloud computing makes them a lucrative target among attackers. Current security mechanisms can be circumvented by malware present on the same machine. This paper presents an approach for reliable ransomware detection on an enterprise’s private cloud. It captures the volatile memory state of virtual machines and extracts a valuable set of RAM, file system and network features after execution of benign and malicious samples. Further, feature selection and machine learning techniques are applied to these extracted features for determining the effectiveness of the proposed set of features. The proposed methodology is evaluated in four extensive experiments and results depict that it can differentiate between benign and ransomware samples. Random Forest classifier performed best in all experiment setups in comparison to all other classifiers. The proposed methodology can effectively serve as a basis for detecting infection in enterprise virtual machines.
... Intent-filters are used by each of the application components to register itself to obtain the Intents. • API calls [139] [140] API calls are used by the application to work with the device in order to accomplish the core functionalities. • Network addresses [141] [142] [143] Network addresses can be used to access the URLs and IP addresses used by the application. ...
Article
Smartphone usage has become ubiquitous in modern life, serving as a double-edged sword with opportunities and challenges in it. Along with the benefits, smartphones also have high exposure to malware. Malware has progressively penetrated, thereby causing more turbulence. Malware authors have become increasingly sophisticated and are able to evade detection by anti-malware engines. This has led to a constant arms race between malware authors and malware defenders. This survey converges on Android malware and covers a walkthrough of the various obfuscation attacks deployed during the malware analysis phase along with the myriad of adversarial attacks operated at the malware detection phase. The review also unscrambles the difficulties currently faced in deploying an on-device, lightweight malware detector. It sheds a spotlight for researchers to perceive the current state-of-the-art techniques available to fend off malware, along with suggestions on possible future directions.
Article
Ransomware is malware that encrypts the victim’s data and demands a ransom for a decryption key. The increasing number of ransomware families and their variants renders the existing signature-based anti-ransomware techniques useless; thus, behavior-based detection techniques have gained popularity. A difficulty in behavior-based ransomware detection is that hundreds of thousands of system calls are obtained as analysis output, making the manual investigation and selection of ransomware-specific features infeasible. Moreover, manual investigation of the analysis output requires domain experts, who are expensive to hire and unavailable in some cases. Machine learning methods have shown success in a wide range of scientific domains to automate and address the problem of feature selection and extraction from noisy and high-dimensional data. However, automated feature selection is under-explored in malware detection. This study proposes an automated feature selection method that utilizes particle swarm optimization for behavior-based ransomware detection and classification. The proposed method considers the significance of various feature groups of the data in ransomware detection and classification and performs feature selection based on groups’ significance. The experimental results show that, in most cases, the proposed method achieves comparable or significantly better performance than other state-of-the-art methods used in this study for benchmarking. In addition, this article presents an in-depth analysis of the significance of various features groups and the features selected by the proposed method in ransomware detection and classification.
Book
This book includes high quality research papers presented at the International Conference on Communication, Computing and Electronics Systems 2021, held at the PPG Institute of Technology, Coimbatore, India, on 28-29 October 2021. The volume focuses mainly on the research trends in cloud computing, mobile computing, artificial intelligence and advanced electronics systems. The topics covered are automation, VLSI, embedded systems, optical communication, RF communication, microwave engineering, artificial intelligence, deep learning, pattern recognition, communication networks, Internet of Things, cyber-physical systems, and healthcare informatics.
Chapter
Over the years, there has been a significant increase in cyber security risks and vulnerabilities, with one of the most severe threats being ransomware attacks. Ransomware, a variant of malware, encrypts files and data, often locks computer systems, and retains the decryption key until victims pay a ransom. The current method of ransomware mitigation is the analysis and classification of the ransomware and its variants to propose solutions for detection and prevention. This mitigation approach omits technology users as part of the solution, especially given their role in falling prey to ransomware by means of social engineering attack vectors. The purpose of this qualitative study was to highlight current and emerging ransomware vectors, and to identify cyber security awareness and education solutions that can be applied to mitigate socially engineered ransomware attacks. A semi-structured interview with executives and managers from several financial, technology, construction, transportation, education, and health industries revealed the lack of current awareness and training approaches to mitigate against socially engineered ransomware attacks. This study recommends some specific cybersecurity training and awareness approaches to consider in order to enable technology users to resist and mitigate against ransomware attacks.
Article
Ransomware has presented itself as one of the most critical computer threats in the past few years. Along with the increase of user’s data on portable devices, ransomware has also vastly targeted smartphones. In this paper, we present RansomCare, a data-centric detection and mitigation method against smartphone crypto-ransomware. RansomCare can detect and neutralize crypto-ransomware in real-time on smartphones employing dynamic and lightweight static analysis. It is capable of recovering user’s lost files while preserving data privacy, thanks to its backup before modification or deletion. Our solution mainly relies on the structure of the user’s data and data entropy for the detection of crypto-ransomware. We assessed RansomCare on two datasets of recent smartphone crypto-ransomware and performed experiments to evaluate its detection time, accuracy, and performance overhead. We also compared our work with some state-of-the-art commercial and academic solutions. The results reveal that RansomCare is capable of fast detection of crypto-ransomware on smartphones with high accuracy and zero data loss.
Article
Traditional non-semantic file systems are not sufficient in protecting file systems against attacks, either caused by ransomware attacks or software-related defects. Furthermore, outbreaks of new malware often cannot provide a large quantity of training samples for machine-learning-based approaches to counter malware campaigns. The malware defense system should aim to achieve the best balance between early detection and detection accuracy. In this paper, we present a situation-aware access control framework to work with existing file systems as a stackable add-on. Our framework enables the access control decision making to be deferred when required, to observe the consequence of such an access request to the file system and to roll back changes if required. As an application against ransomware attacks, it can be applied to preserve file content integrity, by enforcing that all binary files written to the file system have consistent internal file structures with the declared file types, and rolling back changes that violate such constraints. We envision our access control framework to complement existing operating system access control frameworks, to significantly reduce the dimension of data required for machine learning, and to build extra resilience into the operating systems against damages caused by either malware or software defects. We demonstrate the practicality of our framework through a prototype testing, capturing relevant ransomware situations. The experimental results along with a large ransomware dataset show that our framework can be effectively applied in practice.
Article
The detection mechanism provided by current antimalware is the so-called signature-based one, requiring that a threat must be widespread to be recognised by the antimalware. Even if a malware is rightly recognized, by applying even trivial obfuscation techniques it is really easy to bypass the antimalware detection mechanism. In this paper we propose a method to detect if an Android application is obfuscated with the call indirection obfuscation technique by exploiting formal equivalence checking. In the experimental analysis we show the effectiveness of the proposed approach for call indirection obfuscation technique detection, by exploiting two obfuscation tools.
Article
Zero-day malware samples pose a considerable danger to users as implicitly there are no documented defences for previously unseen, newly encountered behaviour. Malware detection therefore relies on past knowledge to attempt to deal with zero-days. Often such insight is provided by a human expert hand-crafting and pre-categorising certain features as malicious. However, tightly coupled feature-engineering based on previous domain knowledge risks not being effective when faced with a new threat. In this work we decouple this human expertise, instead encapsulating knowledge inside a deep learning neural net with no prior understanding of malicious characteristics. Raw input features consist of low-level opcodes, app permissions and proprietary Android API package usage. Our method makes three main contributions. Firstly, a novel multi-view deep learning Android malware detector with no specialist malware domain insight used to select, rank or hand-craft input features. Secondly, a comprehensive zero-day scenario evaluation using the Drebin and AMD benchmarks, with our model achieving weighted average detection rates of 91% and 81% respectively, an improvement of up to 57% over the state-of-the-art. Thirdly, a 77% reduction in false positives on average compared to the state-of-the-art, with excellent F1 scores of 0.9928 and 0.9963 for the general detection task again on the Drebin and AMD benchmark datasets respectively.
Article
Ransomware attacks are often catastrophic, yet existing reactive and preventative measures could only partially mitigate ransomware damage, often not in a timely manner, and often cannot prevent the novel attack vectors. Many of them were program-centric or data-centric and did not take into consideration user intention or consent. In this paper, we advocate for a dynamic approach of detecting ransomware-like behaviors by proposing a user-centric access control framework, which collects security indicators from the Operating System (OS) to deduct security metrics, compute security indicators and estimate security positions, to dynamically make access control assessments on file access requests. To demonstrate its applicability, we effectuated the principles of User-Driven Access Control (UDAC) for user intention (the goal of a user operation) and Content-Based Isolation (CBI) for user consent (the acceptance of the consequence of a user operation), and developed a proof-of-concept prototype on Windows desktop platforms. It collected information that could reveal the application identity, behavior and the OS environmental factor, before assessing whether an access request to the file system violated the principles of UDAC or CBI. Our prototype was able to raise early warnings on both attacks by real and simulated ransomware of novel vectors.
Conference Paper
Crypto-ransomware is a common type of malware that exploits software vulnerabilities of Internet accessible servers, end-user computers, and mobile devices. In this paper, the behavior of crypto-ransomware is empirically analyzed. We performed dynamic analysis of the ransomware in a virtual environment, and the behavior of the malware is represented using the data flow modeling approach. Modification of registry values and system call functions by the malware were within the scope of the analysis. The outcome of the empirical study provides a number of indicators that can be considered when assessing the effectiveness of solutions designed to prevent and detect crypto-ransomware.
Preprint
Android malware is one of the most dangerous threats on the internet, and it's been on the rise for several years. Despite significant efforts in detecting and classifying Android malware from innocuous Android applications, there is still a long way to go. As a result, there is a need to provide a basic understanding of the behavior displayed by the most common Android malware categories and families. Each Android malware family and category has a distinct objective. As a result, it has impacted every corporate area, including healthcare, banking, transportation, government, and e-commerce. In this paper, we presented two machine-learning approaches for Dynamic Analysis of Android Malware: one for detecting and identifying Android Malware Categories and the other for detecting and identifying Android Malware Families, which was accomplished by analyzing a massive malware dataset with 14 prominent malware categories and 180 prominent malware families of the CCCS-CIC-AndMal2020 dataset on Dynamic Layers. Our approach achieves more than 96% accuracy in Android Malware Category detection and more than 99% accuracy in Android Malware Family detection. Our approach provides a method for high-accuracy Dynamic Analysis of Android Malware while also shortening the time required to analyze smartphone malware.
Article
In today's Industrial IoT (IIoT) environment, where different systems interact with the physical world, the state proposed by the Industry 4.0 standards can lead to escalating vulnerabilities, especially when these systems receive data streams from multiple intermediaries, requiring multilevel security approaches in addition to link encryption. At the same time, taking into account the heterogeneity of the systems included in the IIoT ecosystem and the non-institutionalized interoperability in terms of hardware and software, serious issues arise as to how to secure these systems. In this framework, given that the protection of industrial equipment is a requirement inextricably linked to technological developments and the use of the IoT, it is important to identify the major vulnerabilities, the associated risks and threats, and to suggest the most appropriate countermeasures. In this context, this study provides a description of the attacks against IIoT systems, as well as a thorough analysis of the solutions against these attacks, as they have been proposed in the most recent literature.
Chapter
Machine learning is currently successfully used for addressing several cybersecurity detection and classification tasks. Typically, such detectors are modeled through complex learning algorithms employing a wide variety of features. Although these settings allow achieving considerable performances, gaining insights on the learned knowledge turns out to be a hard task. To address this issue, research efforts on the interpretability of machine learning approaches to cybersecurity tasks are currently rising. In particular, relying on explanations could improve prevention and detection capabilities, since they could help human experts to find out the distinctive features that truly characterize malware attacks. In this perspective, Android ransomware represents a serious threat. Leveraging state-of-the-art explanation techniques, we present a first approach that enables the identification of the most influential discriminative features for ransomware characterization. We propose strategies to adopt explanation techniques appropriately and describe ransomware families and their evolution over time. Reported results suggest that our proposal can help cyber threat intelligence teams in the early detection of new ransomware families, and could be applicable to other malware detection systems through the identification of their distinctive features.
Conference Paper
Although Machine Learning (ML) based approaches have shown promise for Android malware detection, a set of critical challenges remain unaddressed. Some of those challenges arise in relation to proper evaluation of the detection approach while others are related to the design decisions of the same. In this paper, we systematically study the impact of these challenges as a set of research questions (i.e., hypotheses). We design an experimentation framework where we can reliably vary several parameters while evaluating ML-based Android malware detection approaches. The results from the experiments are then used to answer the research questions. Meanwhile, we also demonstrate the impact of some challenges on some existing ML-based approaches. The large (market-scale) dataset (benign and malicious apps) we use in the above experiments represents the real-world Android app security analysis scale. We envision this study to encourage the practice of employing a better evaluation strategy and better designs of future ML-based approaches for Android malware detection.
Conference Paper
Due to its popularity and open-source nature, Android is the mobile platform that has been targeted the most by malware that aim to steal personal information or to control the users' devices. More specifically, mobile botnets are malware that allow an attacker to remotely control the victims' devices through different channels like HTTP, thus creating malicious networks of bots. In this paper, we show how it is possible to effectively group mobile botnet families by analyzing the HTTP traffic they generate. To do so, we create malware clusters by looking at specific statistical information that is related to the HTTP traffic. This approach also allows us to extract signatures with which it is possible to precisely detect new malware that belong to the clustered families. Contrarily to x86 malware, we show that using fine-grained HTTP structural features does not increase detection performances. Finally, we point out how the HTTP information flow among mobile bots contains more information when compared to the one generated by desktop ones, allowing for a more precise detection of mobile threats.
Conference Paper
Malicious applications pose a threat to the security of the Android platform. The growing amount and diversity of these applications render conventional defenses largely ineffective and thus Android smartphones often remain unprotected from novel malware. In this paper, we propose DREBIN, a lightweight method for detection of Android malware that enables identifying malicious applications directly on the smartphone. As the limited resources impede monitoring applications at run-time, DREBIN performs a broad static analysis, gathering as many features of an application as possible. These features are embedded in a joint vector space, such that typical patterns indicative for malware can be automatically identified and used for explaining the decisions of our method. In an evaluation with 123,453 applications and 5,560 malware samples DREBIN outperforms several related approaches and detects 94% of the malware with few false alarms, where the explanations provided for each detection reveal relevant properties of the detected malware. On five popular smartphones, the method requires 10 seconds for an analysis on average, rendering it suitable for checking downloaded applications directly on the device.
Article
The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year's effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.
Conference Paper
The recent past has shown that Android smartphones became the most popular target for malware authors. Malware families offer a variety of features that allow, among others, to steal arbitrary data and to cause significant monetary losses. These circumstances led to the development of many different analysis methods that are aimed to assess the absence of potential harm or malicious behavior in mobile apps. In return, malware authors devised more sophisticated methods to write mobile malware that attempt to thwart such analyses. In this work, we briefly describe the assumptions analysis tools rely on to detect malicious content and behavior. We then present results of a new obfuscation framework that aims to break such assumptions, thus modifying Android apps to avoid them being analyzed by the targeted systems. We use our framework to evaluate the robustness of static and dynamic analysis systems for Android apps against such transformations.
Article
Smartphones are becoming more and more popular and, as a consequence, malware writers are increasingly engaged to develop new threats and propagate them through official and third-party markets. In addition to the propagation vectors, malware is also quickly evolving the techniques adopted for infecting victims and hiding their malicious nature from antimalware scanning. From SMS Trojans to legitimate applications repacked with malicious payload, from AES encrypted root exploits to the dynamic loading of a payload retrieved from a remote server: malicious code is becoming harder and harder to detect.
Conference Paper
In ransomware attacks, the actual target is the human, as opposed to the classic attacks that abuse the infected devices (e.g., botnet renting, information stealing). Mobile devices are by no means immune to ransomware attacks. However, there is little research work on this matter and only traditional protections are available. Even state-of-the-art mobile malware detection approaches are ineffective against ransomware apps because of the subtle attack scheme. As a consequence, the ample attack surface formed by the billion mobile devices is left unprotected. First, in this work we summarize the results of our analysis of the existing mobile ransomware families, describing their common characteristics. Second, we present HelDroid, a fast, efficient and fully automated approach that recognizes known and unknown scareware and ransomware samples from goodware. Our approach is based on detecting the “building blocks” that are typically needed to implement a mobile ransomware application. Specifically, HelDroid detects, in a generic way, if an app is attempting to lock or encrypt the device without the user’s consent, and if ransom requests are displayed on the screen. Our technique works without requiring that a sample of a certain family is available beforehand. We implemented HelDroid and tested it on real-world Android ransomware samples. On a large dataset comprising hundreds of thousands of APKs including goodware, malware, scareware, and ransomware, HelDroid exhibited nearly zero false positives and the capability of recognizing unknown ransomware samples.
Article
In order to effectively evade anti-malware solutions, Android malware authors are progressively resorting to automatic obfuscation strategies. Recent works have shown, on small-scale experiments, the possibility of evading anti-malware engines by applying simple obfuscation transformations on previously detected malware samples. In this paper, we provide a large-scale experiment in which the detection performances of a high number of anti-malware solutions are tested against two different sets of malware samples that have been obfuscated according to different strategies. Moreover, we show that anti-malware engines search for possible malicious content inside assets and entry-point classes. We also provide a temporal analysis of the detection performances of anti-malware engines to verify if their resilience has improved since 2013. Finally, we show how, by manipulating the area of the Android executable that contains the strings used by the application, it is possible to deceive anti-malware engines so that they will identify legitimate samples as malware. On one hand, the attained results show that anti-malware systems have improved their resilience against trivial obfuscation techniques. On the other hand, more complex changes to the application executable have proved to be still effective against detection. Thus, we claim that a deeper static (or dynamic) analysis of the application is needed to improve the robustness of such systems.
Conference Paper
Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long term effectiveness of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats and its increasing complexity has resulted in vulnerabilities that are being exploited by malware. This paper advocates a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This model enables identification of malicious and unwanted software by multiple, heterogeneous detection engines in parallel, a technique we term 'N-version protection'. This approach provides several important benefits including better detection of malicious software, enhanced forensics capabilities, retrospective detection, and improved deployability and management. To explore this idea we construct and deploy a production quality in-cloud antivirus system called CloudAV. CloudAV includes a lightweight, cross-platform host agent and a network service with ten antivirus engines and two behavioral detection engines. We evaluate the performance, scalability, and efficacy of the system using data from a real-world deployment lasting more than six months and a database of 7220 malware samples covering a one year period. Using this dataset we find that CloudAV provides 35% better detection coverage against recent threats compared to a single antivirus engine and a 98% detection rate across the full dataset. We show that the average length of time to detect new threats by an antivirus engine is 48 days and that retrospective detection can greatly minimize the impact of this delay. Finally, we relate two case studies demonstrating how the forensics capabilities of CloudAV were used by operators during the deployment.