Conference Paper
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

Ransomware has become a serious and concrete threat for mobile platforms and in particular for Android. In this paper, we propose R-PackDroid, a machine learning system for the detection of Android ransomware. Differently from previous works, we leverage information extracted from system API packages, which allows characterizing applications without specific knowledge of user-defined content such as the application language or strings. Results attained on very recent data show that it is possible to detect Android ransomware and to distinguish it from generic malware with very high accuracy. Moreover, we used R-PackDroid to flag applications that were detected as ransomware with very low confidence by the VirusTotal service. In this way, we were able to correctly distinguish true ransomware from false positives, thus providing valuable help for the analysis of these malicious applications.
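As an added illustration of the feature extraction the abstract describes (this is code written for this page, not the authors' implementation), the Python below turns a list of Dalvik method references into a fixed-length count vector over system API packages. It assumes the APK has already been disassembled into smali-style method references (as apktool or baksmali produce), uses an illustrative subset of system packages rather than the full android.jar package list, and runs on two hand-constructed samples. The side-by-side with per-call counting shows the trade-off that the citing work further down this page argues about: package-level features are blind to renamed or obfuscated user code, but two samples that differ only in which methods of a package they call look identical.

```python
"""Added example, not the authors' code: package-level API features as described in
the abstract (system API packages rather than individual API calls or user strings).

Assumptions: the APK has already been disassembled into smali method references such
as Landroid/app/admin/DevicePolicyManager;->lockNow()V; SYSTEM_PACKAGES is an
illustrative subset of the real feature space; all sample references are constructed.
"""
import re
from collections import Counter

# Smali method reference: L<package>/<Class>;-><method>(<args>)<ret>
_METHOD_REF = re.compile(r"^L([A-Za-z0-9_/$]+);->([A-Za-z0-9_<>$]+)\(")

# Illustrative subset of Android/Java system API packages. In a real deployment this
# list comes from the android.jar of the target API level; anything outside it is
# treated as user-defined code and ignored, which is the point of the approach.
SYSTEM_PACKAGES = [
    "android.app", "android.app.admin", "android.content", "android.os",
    "android.telephony", "android.view", "android.widget", "android.net",
    "java.io", "java.lang", "java.net", "java.security", "java.util", "javax.crypto",
]


def method_ref_to_package(ref):
    """'Landroid/view/WindowManager;->addView(...)V' -> 'android.view' (None if unparsable)."""
    m = _METHOD_REF.match(ref.strip())
    if not m:
        return None
    pkg_parts = m.group(1).split("/")[:-1]  # drop the class name, keep the package path
    return ".".join(pkg_parts) or None


def resolve_system_package(pkg):
    """Map a package to the longest matching system package, or None if user-defined.

    Longest match matters: android.app.admin must not be folded into android.app,
    while android.telephony.gsm (not listed) still counts towards android.telephony.
    """
    if pkg is None:
        return None
    best = None
    for sp in SYSTEM_PACKAGES:
        if (pkg == sp or pkg.startswith(sp + ".")) and (best is None or len(sp) > len(best)):
            best = sp
    return best


def package_features(method_refs):
    """Return (vector, ignored): vector[i] counts invocations into SYSTEM_PACKAGES[i];
    ignored counts references to user-defined (often obfuscated) code."""
    counts = Counter()
    ignored = 0
    for ref in method_refs:
        sp = resolve_system_package(method_ref_to_package(ref))
        if sp is None:
            ignored += 1
            continue
        counts[sp] += 1
    return [counts[sp] for sp in SYSTEM_PACKAGES], ignored


def call_features(method_refs):
    """Finer-grained alternative for comparison: count individual system API methods."""
    counts = Counter()
    for ref in method_refs:
        m = _METHOD_REF.match(ref.strip())
        if m and resolve_system_package(method_ref_to_package(ref)) is not None:
            counts[m.group(1).replace("/", ".") + "->" + m.group(2)] += 1
    return counts


def same_package_profile(refs_a, refs_b):
    """True when two samples are indistinguishable at package level."""
    return package_features(refs_a)[0] == package_features(refs_b)[0]


# Constructed method references for a hypothetical locker-style sample ...
LOCKER_A = [
    "Landroid/app/admin/DevicePolicyManager;->lockNow()V",
    "Landroid/app/admin/DevicePolicyManager;->resetPassword(Ljava/lang/String;I)Z",
    "Landroid/view/WindowManager;->addView(Landroid/view/View;Landroid/view/ViewGroup$LayoutParams;)V",
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    "Lcom/a/b/c;->a()V",                    # obfuscated user code: carries no signal
    "Lcom/a/b/d;->b(Ljava/lang/String;)V",
]
# ... and a variant that swaps one admin call for another and renames its own classes.
LOCKER_B = [
    "Landroid/app/admin/DevicePolicyManager;->lockNow()V",
    "Landroid/app/admin/DevicePolicyManager;->wipeData(I)V",
    "Landroid/view/WindowManager;->addView(Landroid/view/View;Landroid/view/ViewGroup$LayoutParams;)V",
    "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    "Lxyz/q/w/e;->r()V",
    "Lxyz/q/w/t;->y(Ljava/lang/String;)V",
    "Lxyz/q/w/t;->u()V",
]

if __name__ == "__main__":
    vec, ignored = package_features(LOCKER_A)
    print({p: c for p, c in zip(SYSTEM_PACKAGES, vec) if c}, "ignored:", ignored)
    print("same package profile:", same_package_profile(LOCKER_A, LOCKER_B))
    print("same call profile:", call_features(LOCKER_A) == call_features(LOCKER_B))
```

The vector is what one would feed to a random forest as the paper does; the classifier itself is not reproduced here. Note that the package whitelist should be built from the SDK rather than by prefix: bundled libraries such as android.support.* ship inside the APK and are not system API, so a naive "starts with android." rule would count developer-controlled code as a system feature.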


... However, ransomware does have some common properties that can allow the detection tools to reveal them. In the Android environment, ransomware has been found to have some common behavior and features, as follows [9][10]. ...
... According to experimental results, they claimed that the proposed method can be the correct way to develop commercial solutions that successfully detect ransomware and prevent their effects. Maiorca et al. (2017) [10] utilized the information extracted from API packets that enabled characterizing applications without any special information regarding user-defined content such as the application language. Results obtained from the data showed that it is possible to detect Android ransomware and distinguish them from malicious software in general with a very high accuracy. ...
Article
Full-text available
Android ransomware has become one of the most dangerous types of attack that have occurred recently due to the increasing use of the Android operating system. Generally, ransomware is based on the idea of encrypting the files in the victim’s device and then demanding money to provide the decryption password. Machine learning techniques are increasingly used for Android ransomware detection and analysis. In this study, Android ransomware is detected using Bootstrap Aggregating based Multivariate Adaptive Regression Splines (Bagging MARS) for the first time in feature selection. A feature matrix with 134 permissions and API calls in total was reduced to 34 features via the proposed Bagging MARS feature selection technique. Multi-Layer Perceptron (MLP), one of the classification techniques, produced the best accuracy with 90.268%. Additionally, the proposed feature selection method yielded more successful results compared to the filter, wrapper, and embedded methods used. Thus, this method, which was used for the first time to detect the common features of Android Ransomware, will enable the next Android Ransomware detection systems to work faster and with a higher success rate.
... The first technique consists of defining a learning-based system whose structure is inspired by other popular detection systems (Daniel et al., 2014; Chen et al., 2016; Maiorca et al., 2017). In particular, the proposed system performs the following steps: (i) it takes as an input an Android application and extracts its cryptographic API usage with the pipeline described in Section 2.2; (ii) it encodes these statistics into a vector of features; (iii) it trains a machine-learning classifier to predict a benign/malicious label. ...
... The third approach consists of taking a well-established malware classifier for Android as a baseline and measuring its performance when enhanced with features related exclusively to cryptographic API. To this end, we chose R-PackDroid (Maiorca et al., 2017), an available learning-based classifier (trained on random forests) based on static features, and we expand its feature set by adding the cryptographic features described above. There are multiple reasons for which this system was chosen as a baseline: (i) It was initially designed to detect ransomware; (ii) It harvests a relatively small number of features; (iii) It features a high detection rate (the original paper documents over 97% F1 score). ...
... We trained a random forest model based only on cryptography-related features described in Section 2.4 and compared its performance to R-PackDroid. To obtain a valid comparison, we replicated the experimental setup of the original R-PackDroid paper (Maiorca et al., 2017), taking 10 thousand applications divided 50:50 into benign/malicious, and split 50:50 into training/test set. Our classifier achieved 62.4% F1 score on the malicious samples (see also Table 4), showing that cryptographic information is discriminant enough to separate malicious from benign samples. ...
Chapter
Cryptography allows for guaranteeing secure communications, concealing critical data from reverse engineering, or ensuring mobile users’ privacy. Android malware developers extensively leveraged cryptographic libraries to obfuscate and hide malicious behavior. Various system-based and third-party libraries provide cryptographic functionalities for Android, and their use and misuse by application developers have already been documented. This paper analyzes the use of cryptographic APIs in Android malware by comparing them to benign Android applications. In particular, Android applications released between 2012 and 2020 have been analyzed, and more than 1 million cryptographic API expressions have been gathered. We created a processing pipeline to produce a report to reveal trends and insights on how and why cryptography is employed in Android malware. Results showed that the usage of cryptographic APIs in malware differs from that made in benign applications. The different patterns in the use of cryptographic APIs in malware and benign applications have been further analyzed through the explanations of Android malware detectors based on machine learning approaches, showing how crypto-related features can improve detection performances. We observed that the transition to more robust cryptographic techniques is slower in Android malware than in benign applications.
... The first technique consists of defining a learning-based system whose structure is inspired by other popular detection systems (Daniel et al., 2014; Chen et al., 2016; Maiorca et al., 2017). In particular, the proposed system performs the following steps: (i) it takes as an input an Android application and extracts its cryptographic API usage with the pipeline described in Section 2.2; (ii) it encodes these statistics into a vector of features; (iii) it trains a machine-learning classifier to predict a benign/malicious label. ...
... The third approach consists of taking a well-established malware classifier for Android as a baseline and measuring its performance when enhanced with features related exclusively to cryptographic API. To this end, we chose R-PackDroid (Maiorca et al., 2017), an available learning-based classifier (trained on random forests) based on static features, and we expand its feature set by adding the cryptographic features described above. There are multiple reasons for which this system was chosen as a baseline: (i) It was initially designed to detect ransomware; (ii) It harvests a relatively small number of features; (iii) It features a high detection rate (the original paper documents over 97% F1 score). ...
... We trained a random forest model based only on cryptography-related features described in Section 2.4 and compared its performance to R-PackDroid. To obtain a valid comparison, we replicated the experimental setup of the original R-PackDroid paper (Maiorca et al., 2017), taking 10 thousand applications divided 50:50 into benign/malicious, and split 50:50 into training/test set. Our classifier achieved 62.4% F1 score on the malicious samples (see also Table 4), showing that cryptographic information is discriminant enough to separate malicious from benign samples. Although R-PackDroid performed significantly better than our system, our classifier was able to correctly identify 88/180 malicious samples that were misclassified as benign by R-PackDroid (with all 211 features). ...
Preprint
Full-text available
Cryptography has been extensively used in Android applications to guarantee secure communications, conceal critical data from reverse engineering, or ensure mobile users' privacy. Various system-based and third-party libraries for Android provide cryptographic functionalities, and previous works mainly explored the misuse of cryptographic API in benign applications. However, the role of cryptographic API has not yet been explored in Android malware. This paper performs a comprehensive, longitudinal analysis of cryptographic API in Android malware. In particular, we analyzed 603,937 Android applications (half of them malicious, half benign) released between 2012 and 2020, gathering more than 1 million cryptographic API expressions. Our results reveal intriguing trends and insights on how and why cryptography is employed in Android malware. For instance, we point out the widespread use of weak hash functions and the late transition from insecure DES to AES. Additionally, we show that cryptography-related characteristics can help to improve the performance of learning-based systems in detecting malicious applications.
... Ransomware is malware that extorts money (ransom) by holding hostage a victim's data, usually through encryption [1][2][3][4][5][6]. Cybercriminals collect the ransom as crypto-currency, mainly Bitcoins, to hide their identity [7]. ...
... All of the three selected registry keys associated with the write operation have been marked as indicative of ransomware by Hybrid Analysis (a free online malware analysis tool that uses Falcon sandbox for automated analysis of submitted files). The format of these three keys is given as HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\e7136b33-a421-11e5-b597-806d6172696f, which is common among the three keys but with a difference of the number at the end of the key. The 19 registry keys associated with the read operation come from three hives, i.e., HKLM\SOFTWARE, HKLM\SYSTEM, and HKCU\Software. ...
... The features (with maximum frequency of selection) from other groups include tmp from the DROP group (this group contains extensions of the dropped files), tmp from FILES_EXT (for opening a file with extension ''.tmp''), and C:\Documents and Settings\MyUser\Local Settings\Start Menu and C:\Documents and Settings\MyUser\Local Settings\Temp from the FILES group. ...
Article
Ransomware is malware that encrypts the victim’s data and demands a ransom for a decryption key. The increasing number of ransomware families and their variants renders the existing signature-based anti-ransomware techniques useless; thus, behavior-based detection techniques have gained popularity. A difficulty in behavior-based ransomware detection is that hundreds of thousands of system calls are obtained as analysis output, making the manual investigation and selection of ransomware-specific features infeasible. Moreover, manual investigation of the analysis output requires domain experts, who are expensive to hire and unavailable in some cases. Machine learning methods have shown success in a wide range of scientific domains to automate and address the problem of feature selection and extraction from noisy and high-dimensional data. However, automated feature selection is under-explored in malware detection. This study proposes an automated feature selection method that utilizes particle swarm optimization for behavior-based ransomware detection and classification. The proposed method considers the significance of various feature groups of the data in ransomware detection and classification and performs feature selection based on groups’ significance. The experimental results show that, in most cases, the proposed method achieves comparable or significantly better performance than other state-of-the-art methods used in this study for benchmarking. In addition, this article presents an in-depth analysis of the significance of various features groups and the features selected by the proposed method in ransomware detection and classification.
... There are few [3], [5], [8], [10], [12], [15], [17]-[20] that classify an Android malware into malware families. Mostly, the machine learning based Android malware detection tools utilize either static features ([3], [4], [7], [12], [19]) or dynamic features ([7]-[9]). Some machine learning based malware analysis tools (like EC2 [17]) use both types of features, i.e., static and dynamic. ...
... All the above work utilizes API call information in some form, whereas we use API package information to identify Android malware families. R-PackDroid [7] is the most closely related work that utilizes API package information to characterize and detect mobile ransomware. However, in later work [28], the authors have again shifted their focus to API call information. ...
Conference Paper
With the increased popularity and wide adoption as a mobile OS platform, Android has been a major target for malware authors. Due to the unprecedented rapid growth in the number, variants, and diversity of malware, detecting malware on the Android platform has become challenging. Beyond the detection of a malware, classifying the family the malware belongs to helps security analysts to reuse malware removal techniques that are known to work for that family of malware. It takes manual analysis if a malware belongs to an unknown family. Therefore, classifying malware into the exact family is important. This paper presents a technique and tool named MAPFam that applies machine learning on static features from the Manifest file and API packages to classify an Android malware into its family. This work is premised on a starting hypothesis that features extracted from API packages rather than API calls lead to more precise classification. Our experiments indeed show that API package based models provide ~1.63X more accurate classification compared to an API call based method. Our machine learning based malware family classification system uses API packages, requested permissions, and other features from the Manifest files. The proposed family classification system achieves accuracy and average precision above 97% for the top 60 malware families by using only 81 features with a 97.55% model reliability rate (Kappa score). The experimental results also show that MAPFam can perfectly identify 36 malware families.
... Machine learning has numerous applications in classifying malware, ransomware, and benign programs [22]. R-PackDroid, an Android-based ransomware detection system, was presented in [57]. This system performed the static analysis by analyzing the Dalvik bytecode. ...
... In [57], an Android-based ransomware detection system was presented, named R-PackDroid. This system ran the static analysis using RF, a supervised machine learning classifier, to categorize the applications into ransomware, generic malware and trusted by using the system API packages. ...
... Victims are threatened with the loss of their mobile data and with the sharing of personal information and browsing history with their contact lists. Android.Lockdroid.E is one example of mobile ransomware [57,86]. ...
Article
Full-text available
Ransomware is an ill-famed malware that has received recognition because of its lethal and irrevocable effects on its victims. The irreparable loss caused by ransomware requires the timely detection of these attacks. Several studies including surveys and reviews have been conducted on the evolution, taxonomy, trends, threats, and countermeasures of ransomware. Some of these studies were specifically dedicated to IoT and Android platforms. However, there is not a single study in the available literature that addresses the significance of dynamic analysis for the ransomware detection studies for all the targeted platforms. This study also provides information about the collection of datasets from their sources, which were utilized in the ransomware detection studies of the diverse platforms. This study is also distinct in terms of providing a survey about the ransomware detection studies utilizing machine learning, deep learning, and a blend of both techniques while capitalizing on the advantages of dynamic analysis for ransomware detection. The presented work considers the ransomware detection studies conducted from 2019 to 2021. This study provides an ample list of future directions which will pave the way for future research.
... However, the difficulty of dealing with time-variant ransomware can become a bottleneck because of the escalating flow of ransomware versions that vary in their tricking exploitations, intrusion traits, and the type of platforms they have infected [6][7][8][9]. Furthermore, the existing detection tools still have direct impacts on the processing time, classification accuracies, searching for the minimum set of distinctive traits, employing an inappropriate number of static clues and dynamic actions, and then the overall performance of the detection engines [9][10][11][12][13][14][15]. For example, the detection tools of file system analysis search for executable files, recognize ransomware infections through examining particular function calls like APIs (Application Program Interface), specific inserted codes, dynamic interactions of some apps, and some elementary settings of the smartphone system [10][11][12]. ...
... Whereas the detection tools of machine learning aided analysis identify suspicious activities and apps as ransomware by encountering the values of a combination of static clues and dynamic actions that are mentioned above [13][14][15][16][17][18]. They deploy these values (i.e., ransomware infection vectors) as the input in their machine learning procedures [13][14][15][16][17][18]. ...
... Algorithm | Resolved issue | Data set | Performance metrics
[186] Fuzzy pattern tree | malware | Kaggle and Vx-Heaven | 97.0427% and 88.76% accuracies
[187] LSTM | malware | UNSW-NB15 | 70% accuracy
[188] Fuzzy set theory and a new loss function | malware | Drebin [189] and AndroZoo [190] | 9% F1-score improvement
[191] Fuzzy clustering | malware | Custom data sets created from VirusShare, Kaggle, and RansomwareTracker | VirusShare: 94.66%, Kaggle: 97.56%, RansomwareTracker: 94.26% accuracies
[192] Theoretical analysis | malware | NA | NA
[193] J48 | ransomware | VirusTotal | 97.1% detection rate
[194] kNN | | |
[196] Random forest | ransomware | ransomware and malware-trusted | 97.817% average F1-score of five splits
[197] Logistic regression | ransomware | created from VirusShare website | 96.3% detection rate and 99.5% ROC curve
[198] DNN | | |
Guizani and Ghafoor [187] have presented a software-based framework that adopts NFV technology to resist malware diffusion in heterogeneous IoT environments. To deploy a precise countermeasure, the authors deployed a deep learning-based IDS to detect a broad range of malware promptly. ...
... Maiorca et al. [196] have introduced an Android ransomware attack detector using the random forest ensemble method. The proposed technique differs from previous methods, in that it utilizes extracted features from API packages to categorize applications, without needing to be familiar with user-defined content (e.g., strings) and the language used to write the application. ...
Preprint
Full-text available
The Industrial Internet of Things (IIoT) paradigm is a key research area derived from the Internet of Things (IoT). The emergence of IIoT has enabled a revolution in manufacturing and production, through the employment of various embedded sensing devices connected with each other by an IoT network, along with a collection of enabling technologies such as artificial intelligence (AI) and edge/fog computing. One of the unrivaled characteristics of IIoT is the inter-connectivity provided to industries; however, this characteristic might open the door for cyber-criminals to launch various attacks. In fact, one of the major challenges hindering the prevalent adoption of the IIoT paradigm is IoT security. Inevitably, an increasing number of research proposals have been introduced over the last decade to overcome these security concerns. To obtain an overview of this research area, conducting a literature survey of the published research is necessary, eliciting the various security requirements and their considerations. This paper provides a literature survey of IIoT security, focused on the period from 2017 to 2023. We identify IIoT security threats and classify them into three categories, based on the IIoT layer they exploit to launch these attacks. Additionally, we characterize the security requirements that these attacks violate. Finally, we highlight how emerging technologies, such as AI and edge/fog computing, can be adopted to address security concerns and enhance IIoT security.
... Android malware detection classifies Android apps into two classes, benign and malware. However, some papers detect Android ransomware (Andronio, Zanero & Maggi, 2015; Maiorca et al., 2017) considering three classes: benign, malware, and ransomware. Hence, we briefly explain the evaluation measures of ML classification. ...
... Until today, many static analysis researchers depend on permissions (Arora, Peddoju & Conti, 2019; Dharmalingam & Palanisamy, 2021; Li et al., 2018; Şahin et al., 2021); however, many are relying on API calls (Alazab et al., 2020; Jung et al., 2018; Maiorca et al., 2017; Mirzaei et al., 2019; Pektaş & Acarman, 2020; Tiwari & Shukla, 2018; Zhang et al., 2020; Zhang, Breitinger & Baggili, 2016; Zou et al., 2021) and deep code analysis and other types of features as discussed earlier in the Android evasion detection frameworks section. Many of the examined studies ignored the evaluation of evasion techniques. ...
Article
Full-text available
The various application markets are facing an exponential growth of Android malware. Every day, thousands of new Android malware applications emerge. Android malware hackers adopt reverse engineering and repackage benign applications with their malicious code. Therefore, Android applications developers tend to use state-of-the-art obfuscation techniques to mitigate the risk of application plagiarism. The malware authors adopt the obfuscation and transformation techniques to defeat the anti-malware detections, which this paper refers to as evasions. Malware authors use obfuscation techniques to generate new malware variants from the same malicious code. The concern of encountering difficulties in malware reverse engineering motivates researchers to secure the source code of benign Android applications using evasion techniques. This study reviews the state-of-the-art evasion tools and techniques. The study criticizes the existing research gap of detection in the latest Android malware detection frameworks and challenges the classification performance against various evasion techniques. The study concludes the research gaps in evaluating the current Android malware detection framework robustness against state-of-the-art evasion techniques. The study concludes the recent Android malware detection-related issues and lessons learned which require researchers’ attention in the future.
... They didn't provide any ransomware examples in the training phase, and their framework identifies anomalies that deviate from the learned behaviour. - Maiorca et al. [36] proposed R-PackDroid for the Android operating system. ...
... Researchers focused on process anomaly detection to enhance their detection rate. The techniques discussed in the paper use Windows API calls [22,36,39], I/O request packet (IRP) logs, file system operations, the set of operations performed per file extension, directory operations, dropped files, registry key operations, and strings [14,22,23,24,26] for detection. For file system activity detection, researchers recorded folder listing, files written, files renamed, files read, write entropy, and file type coverage [24]. The various researchers recorded IRP open, IRP write, and IRP create for IRP logs [23]. ...
Chapter
Full-text available
Ransomware is a program used by an attacker or hacker that locks or encrypts target files or data. The user or the owner of the data cannot access these without the explicit assistance of the attacker. After locking or encrypting, the attacker demands a ransom, generally in the form of cryptocurrencies, to permit the user to regain access to the locked data. However, there is no guarantee that the user can access the seized data again even after the ransom has been paid. Researchers have proposed various tools and techniques to protect and fight against ransomware. Existing tools and methods are not sufficient to detect ransomware early because several new ransomware variants are being introduced every day. Machine learning techniques are used efficiently in various applications like ransomware detection, spam detection, text classification, pattern recognition, etc. Further, deep learning, a subfield of machine learning, eliminates the burden of re-engineering the features for the new types of malware or network attacks that may arise. In this paper, several machine learning-based detection techniques against ransomware are reviewed.
... Chen et al. [21] converted app opcodes to an image-like structure in order to perform data augmentation through a Generative Adversarial Network (GAN), while the works by Mahindru et al. focused on assessing effective feature selection, mainly considering the usage of APIs and permissions as features [44,45]. Moreover, different works in the literature target specific types of attacks, such as botnets [33] or ransomware samples [17,47,57]. ...
... An interesting aspect to underline is that most of the feature sets used in previous work-the earliest as well as the newest ones-include information from Android APIs [1,4,19,38,45,47,48,57]. According to Zhang et al. [67], although Android malware evolves over time, many semantics are still the same or similar, and can be caught by identifying the relations between the different APIs. ...
Article
Full-text available
While machine-learning algorithms have demonstrated a strong ability in detecting Android malware, they can be evaded by sparse evasion attacks crafted by injecting a small set of fake components, e.g., permissions and system calls, without compromising intrusive functionality. Previous work has shown that, to improve robustness against such attacks, learning algorithms should avoid overemphasizing few discriminant features, providing instead decisions that rely upon a large subset of components. In this work, we investigate whether gradient-based attribution methods, used to explain classifiers’ decisions by identifying the most relevant features, can be used to help identify and select more robust algorithms. To this end, we propose to exploit two different metrics that represent the evenness of explanations, and a new compact security measure called Adversarial Robustness Metric. Our experiments conducted on two different datasets and five classification algorithms for Android malware detection show that a strong connection exists between the uniformity of explanations and adversarial robustness. In particular, we found that popular techniques like Gradient*Input and Integrated Gradients are strongly correlated to security when applied to both linear and nonlinear detectors, while more elementary explanation techniques like the simple Gradient do not provide reliable information about the robustness of such classifiers.
... This subsection compares the accuracy of the approach proposed in this paper to various static and dynamic methods from relevant literature as referenced in Sect. 2. The results ... R-PackDroid (Maiorca et al. 2017) is another static method. The best reported result is based on cross validation with 440 ransomware samples from HelDroid (Andronio et al. 2015). ...
Article
Full-text available
This paper proposes a finite-state machine based approach to recognise crypto ransomware based on their behaviour. Malicious and benign Android applications are executed to capture the system calls they generate, which are then filtered and tokenised and converted to finite-state machines. The finite-state machines are simplified using supervisor reduction, which generalises the behavioural patterns and produces compact classification models. The classification models can be implemented in a lightweight monitoring system to detect malicious behaviour of running applications quickly. An extensive set of cross validation experiments is carried out to demonstrate the viability of the approach, which show that ransomware can be classified accurately with an F1 score of up to 93.8%.
... Many have attempted to observe Android malware or ransomware, such as Maiorca et al. [44], who discuss an Android ransomware approach that observed an Android application's bytecode to determine whether the application was ransomware. This work was further extended by incorporating system API-related information to improve the efficacy of the proposed approach [55]. ...
Article
Full-text available
Ransomware, particularly crypto ransomware, has emerged as the go-to malware for threat actors aiming to compromise data on Android devices as well as in general. In this paper, we present a ransomware detection technique based on behaviours observed in the system calls performed by the malware. We first describe our repeatable and extensible methodology for extracting the system call log and patterns. We then identify and present some common high-level system call behavioural patterns exhibited by crypto ransomware, and evaluate these patterns. We further describe the implementation of a streaming implementation that utilises regular expressions for modelling malware behaviours and finite state machines for detecting crypto ransomware behaviours in real time. The success of our proof of concept evaluation allows us to envision our proposed technique applied as part of a self-protection system on Android phones against malware.
... Ransomware is examined by static malware analysis without executing the actual binary files. This technique utilizes static data such as file header information, hashes, and URLs, which can be fed to open-source analysis tools such as VirusTotal [22]. Although static malware analysis methods are simple to detect and implement for known ransomware, they are mainly ineffective against highly sophisticated ransomware attacks. ...
Article
Full-text available
Ransomware attacks are currently one of cybersecurity's greatest and most alluring threats. Antivirus software is frequently ineffective against zero-day malware and ransomware attacks; consequently, significant network infections could result in substantial data loss. Such attacks are also becoming more dynamic and capable of altering their signatures, resulting in a race to the bottom regarding weaponry. Cryptographic ransomware exploits crypto-viral extortion techniques. The malware encrypts the victim's data and demands payment in exchange. The attacker would release the data decryption key after accepting payment. After data encryption, the user has two options: pay the ransom or lose the data. Cryptographic ransomware causes damage that is nearly impossible to undo. Detection at an early stage of a ransomware attack's lifecycle is vital for preventing unintended consequences for the victim. Most ransomware detection technologies concentrate on detection during encryption and post-attack stages. Due to the absence of early behaviour signs, it is challenging to detect ransomware before it begins the unwanted process of mass file encryption. This study examines the relationship between API call patterns and their nature to determine whether they constitute early ransomware behaviour. The purpose of this paper is to determine whether this technique can be used to detect the presence of ransomware activity on a Windows endpoint at an early stage. 582 ransomware samples that consist of ten ransomware families and 942 benign software samples were analysed. This study proposed RENTAKA, a novel framework for the early detection of cryptographic ransomware. It makes use of characteristics acquired from ransomware behaviour and machine learning. This study presented an algorithm to generate a ransomware pre-encryption dataset. This study, which includes six machine-learning models, gives satisfactory results in detecting cryptographic ransomware.
The features used in this research were among the 232 features identified in Windows API calls. Five standard machine learning classifiers were employed in this experiment: Naive Bayes, k-nearest neighbours (kNN), Support Vector Machines (SVM), Random Forest, and J48. In our tests, SVM fared the best, with an accuracy rate of 93.8% and an area under the curve (AUC) of 0.979. The results indicate that we can distinguish ransomware from benign applications with low false-positive and false-negative rates.
... The suggested methodology demonstrated high tracking efficiency and good detection precision for ransomware attacks. To minimize data dimensions and provide accurate activity visualizations, a hybrid detection model that combines classical auto-encoding (CAE) [70] and variational auto-encoding (VAE) DL approaches [71] was also suggested. A deep neural network (DNN) classifier was trained using a new vector created from extracted characteristics. ...
Article
Full-text available
The Industrial Internet of Things (IIoT) ecosystem faces increased risks and vulnerabilities due to adopting Industry 4.0 standards. Integrating data from various places and converging several systems have heightened the need for robust security measures beyond fundamental connection encryption. However, it is difficult to provide adequate security due to the IIoT ecosystem’s distributed hardware and software. The most effective countermeasures must be suggested together with the crucial vulnerabilities, linked threats, and hazards in order to protect industrial equipment and ensure the secure functioning of IIoT systems. This paper presents a thorough analysis of events that target IIoT systems to alleviate such concerns. It also offers a comprehensive analysis of the responses that have been advanced in the most recent research. This article examines several kinds of attacks and the possible consequences to understand the security landscape in the IIoT area. Additionally, we aim to encourage the development of effective defenses that will lessen the hazards detected and secure the privacy, accessibility, and reliability of IIoT systems. It is important to note that we examine the issues and solutions related to IIoT security using the most recent findings from research and the literature on this subject. This study organizes and evaluates recent research to provide significant insight into the present security situation in IIoT systems. Ultimately, we provide outlines for future research and projects in this field.
... It has been observed from the literature work that most of the techniques [84] can either only observe System/API calls [86,87,89], file operations [88], processor usage [83], or registry activities [90]. Some of the studies are based on static analysis [82] whereas other proposed techniques mainly focus on dynamic analysis for classification. ...
Article
Full-text available
Smart Autonomous Vehicles (AVSs) are networks of Cyber-Physical Systems (CPSs) in which they wirelessly communicate with other CPSs sub-systems (e.g., smart-vehicles and smart-devices) to efficiently and securely plan safe travel. Due to unreliable wireless communication among them, such vehicles are an easy target of malware attacks that may compromise vehicles’ autonomy, increase inter-vehicle communication latency, and drain vehicles’ power. Such compromises may result in traffic congestion, threaten the safety of passengers, and can result in financial loss. Therefore, real-time detection of such attacks is key to the safe smart transportation and Intelligent Transport Systems (ITSs). Current approaches either employ static analysis or dynamic analysis techniques to detect such attacks. However, these approaches may not detect malware in real-time because of zero-day attacks and huge computational resources. Therefore, we introduce a hybrid approach that combines the strength of both analyses to efficiently detect malware for the privacy of smart-cities.
... Maiorca et al. [208] introduced an Android ransomware attack detector using the random forest ensemble method. The proposed technique differs from previous methods, in that it utilizes extracted features from API packages to categorize applications, without needing to be familiar with user-defined content (e.g., strings) and the language used to write the application. ...
Article
Full-text available
The Industrial Internet of Things (IIoT) paradigm is a key research area derived from the Internet of Things (IoT). The emergence of IIoT has enabled a revolution in manufacturing and production, through the employment of various embedded sensing devices connected by an IoT network, along with a collection of enabling technologies, such as artificial intelligence (AI) and edge/fog computing. One of the unrivaled characteristics of IIoT is the inter-connectivity provided to industries; however, this characteristic might open the door for cyber-criminals to launch various attacks. In fact, one of the major challenges hindering the prevalent adoption of the IIoT paradigm is IoT security. Inevitably, there has been an increase in research proposals over the last decade to overcome these security concerns. To obtain an overview of this research area, conducting a literature survey of the published research is necessary, eliciting the various security requirements and their considerations. This paper provides a literature survey of IIoT security, focused on the period from 2017 to 2023. We identify IIoT security threats and classify them into three categories, based on the IIoT layer they exploit to launch these attacks. Additionally, we characterize the security requirements that these attacks violate. Finally, we highlight how emerging technologies, such as AI and edge/fog computing, can be adopted to address security concerns and enhance IIoT security.
... Malware applications were collected and processed by following the workflow depicted in Figure 4. Phone scam applications were shared with us by the Korea Internet Security Agency (KISA) and the security researcher Min-chang Jang, who has reported the collection of samples in a previous work [28]. In turn, banking and ransomware samples were obtained from the following datasets: CIC-AndMal2017 [38], CICMalDroid 2020 [39] and R-PackDroid [40]. In addition, we searched for the hash of other samples in security reports (e.g., available on Malpedia [41]) and downloaded the corresponding APK files from Koodous, a popular web repository of APK files. ...
Article
Full-text available
Android has been a constant target of cybercriminals that try to attack one of the most used operating systems, commonly using malicious applications (denominated malware) that, once installed on a device, can harm users in several ways. In this context, we propose an approach to detect Android malware consisting of a set of specific-type detectors in which each one performs a multi-stage analysis, based on rules and machine learning techniques, in different phases of the application cycle (before and after its installation). Our approach differs from state-of-the-art solutions by being non-invasive, since it leverages a process to obtain applications’ features that does not infringe licenses and terms of use of applications. In addition, according to experiments performed on a real Android smartphone, our proposal presents the following additional advantages over state-of-the-art solutions: a more efficient process to classify applications that is three times faster and requires ten times less CPU usage in some cases (saving device energy); and a better detection performance, with higher balanced accuracy, nine times less false positive cases, and ten times less false negative cases.
... Event-based approaches for ransomware detection have their limitations, as event-based techniques need prior information about the encryption used by ransomware (Maiorca, Mercaldo, Giacinto, Visaggio, & Martinelli, 2017). Similarly, event-based techniques are not enough to detect ransomware because sometimes the events may not occur, but the ransomware has already done its damage. ...
Article
Full-text available
Ransomware is a destructive type of malware that encrypts the user's valuable data or locks the screen of the user's device, causing massive economic losses to users. Signature-based ransomware detection models struggle to detect zero-day ransomware, raising questions about their suitability for protecting users' files against such attacks. In this study, we propose a model that extracts eighteen useful feature vectors from the ransomware dataset. It performs classification on ransomware datasets. We utilize API call series to represent behavior-based features of ransomware. To validate the effectiveness of Random Forest, we tested 78556 ransomware and goodware files. Compared to Naive Bayes and Support Vector Machine, the testing accuracy of the proposed method is 99.57%. In the future, we will use deep learning to detect ransomware and its types at an early stage.
... The authors showed that the latter can detect ransomware in the initial stages before infection occurs, with a high precision rate and a 1.5% false negative rate. Maiorca et al. [35] proposed R-PackDroid, which is a system dedicated to detecting Android ransomware via machine learning. In fact, this system leverages API packages to achieve its goal with high accuracy. ...
Article
Full-text available
The proliferation of ransomware has become a significant threat to cybersecurity in recent years, causing significant financial, reputational, and operational damage to individuals and organizations. This paper aims to provide a comprehensive overview of the evolution of ransomware, its taxonomy, and its state-of-the-art research contributions. We begin by tracing the origins of ransomware and its evolution over time, highlighting the key milestones and major trends. Next, we propose a taxonomy of ransomware that categorizes different types of ransomware based on their characteristics and behavior. Subsequently, we review the existing research over several years in regard to detection, prevention, mitigation, and prediction techniques. Our extensive analysis, based on more than 150 references, has revealed that significant research, specifically 72.8%, has focused on detecting ransomware. However, a lack of emphasis has been placed on predicting ransomware. Additionally, of the studies focused on ransomware detection, a significant portion, 70%, have utilized Machine Learning methods. We further discuss the challenges found such as the ones related to obtaining ransomware datasets. In addition, our study uncovers a range of shortcomings in research pertaining to real-time protection and identifying zero-day ransomware. Adversarial machine learning exploitation has been identified as an under-researched area in the field. This survey is a constructive roadmap for researchers interested in ransomware research matters.
... Organizational readiness provides cybercriminals with a wealth of opportunities to exploit their targets. Therefore, in order to prevent any effort at ransomware invasion, organisations must employ the appropriate resources, build strategic plans for incident response, educate their workforce, and enforce laws and regulations that guarantee network security [15]. It has been determined that drive-by downloads account for more than 60% of ransomware attacks on victims' computers. ...
Article
Full-text available
With the changing dynamics of technology, attacking strategies are always evolving. Consequently, to defend against these evolving threats, individuals and organisations must deploy the highest levels of security in their devices and infrastructure. When it comes to discovering security holes in computer systems, ransomware is one kind of attack that never ceases to astound. Attacks using ransomware are becoming commonplace worldwide, and their main goal is to make money illegally. Emails were used to launch the attack, and spamming and phishing were then used to spread it. Files on targets are encrypted by ransomware, which also displays warnings demanding payment before the data can be decrypted. Cybercriminals are now making millions of dollars a year from it, and corporations are facing a very significant threat that might result in billions of dollars in losses. Many studies, including surveys that cover certain parts of ransomware research, were suggested to combat the ransomware problem. In this literature the author provides a comprehensive overview of ransomware and ransomware defence research with regard to the variety of platforms that it targets. Understanding ransomware and examining defence mechanisms with regard to target platforms is becoming more crucial because ransomware is already common in PCs, workstations, desktops, and laptops, is becoming more common in mobile devices, has already affected IoT/CPS, and will likely spread further in the IoT/CPS domain very soon. It is imperative to find a solution for ransomware in cloud environments since more and more applications are being hosted in these environments. Software as a service is very popular because of its ease of use and low price, so in all such applications security is a major concern.
The results of our investigations illustrate the operation of ransomware in a manner familiar to both academics and those with experience in the field, including practitioners and those who have dealt with the threat firsthand. To conclude our study, we developed a minimal proof-of-concept approach to risk assessment using information provided by the target entity.
... API dependency [21] and Android's evaluations and effectiveness, the researchers proposed various techniques such as DroidSIFT [22]. Maiorca et al. [23] proposed a scheme that detects ransomware by extracting information from API packages using the R-PackDroid method. R-PackDroid accurately categorized apps without knowing their content (language or strings). ...
Article
Android is the most popular mobile operating system, making it the main target of malware attacks. Machine learning-based attack detection techniques have recently emerged as promising methods that rely heavily on particular features to classify malware. Despite machine learning-based malware detectors having hundreds of features, attackers can use feature-related expertise to generate malware variants to avoid detection. Therefore, the Android security team must constantly develop novel features to detect suspicious attacks. This paper proposes a novel malware detection method called Droid-MCFG that combines the Android features of manifest and Control Flow Graph (CFG). First, reverse engineering tools are used to mine manifest files and Java source codes from Android Package Kit (APK). Second, to represent Android apps with elevated features, we develop a feature selection method that retrieves API calls and API sequences from CFGs. The API calls and manifest information are then combined to produce digital fingerprints of Android app actions. Third, a transfer learning approach based on word2vec is developed to extract trained features from digital fingerprints. To thoroughly analyze the novel features, the word2vec is fine-tuned with random, static, and dynamic strategies. Finally, the multi-head Temporal Convolutional Network (TCN) is designed to identify malware based on fine-tuned features. The TCN employs causal convolutions and dilations due to its temporality and broad receptive fields, making it very responsive to API-call sequences and malware activities in the manifest file. The proposed method achieves a classification accuracy of 96.24% using the CICInvesAndMal2019 dataset.
... It has been observed from the literature work that most of the techniques [31] can either only observe System/API calls [33], [34], [39], file operations [35], processor usage [30], or registry activities [40]. Some of the studies are based on static analysis [29] whereas other proposed techniques mainly focus on dynamic analysis for classification. ...
Preprint
Full-text available
Smart autonomous vehicles (AVs) are networks of cyber physical systems (CPS) in which they wirelessly communicate with other CPS sub-systems (e.g., smart-vehicles and smart-devices) to efficiently and securely plan safe travel. Due to unreliable wireless communication among them, such vehicles are an easy target of malware attacks that may compromise vehicles’ autonomy, increase inter-vehicle communication latency, and drain vehicles’ power. Such compromises may result in traffic congestion, threaten the safety of passengers, and can result in financial loss. Therefore, real-time detection of such attacks is key to the safe smart transportation and Intelligent Transport Systems (ITS). Current approaches either employ static analysis or dynamic analysis techniques to detect such attacks. However, these approaches may not detect malware in real-time because of zero-day attacks and huge computational resources. Therefore, we introduce a hybrid approach that combines the strength of both analyses to efficiently detect malware for the privacy of smart-cities.
... Several research studies have been conducted to detect, prevent and classify ransomware families based on static and dynamic analysis, each of which considers different aspects to circumvent such incursions (Ahmed et al., 2020; Akbanov et al., 2019; Al-rimy et al., 2019; Andronio et al., 2015; Chen & Bridges, 2017; Cimitile et al., 2018; Continella et al., 2016; Gómez-Hernández et al., 2018; Hampton et al., 2018; Homayoun et al., 2017; Maiorca et al., 2017; Mehnaz et al., 2018; Morato et al., 2018; Scalas et al., 2019; Xiaofeng et al., 2019; Xu et al., 2017; Zhang et al., 2019). However, despite the high importance of this cyber resource hijacking, no common knowledge base of extortionate malware, especially ransomware, is available. ...
Article
With the COVID-19 pandemic and the growing influence of the Internet in critical sectors of industry and society, cyberattacks have not only not declined, but have risen sharply. In the meantime, ransomware is at the forefront of the most devastating threats that have launched the lucrative illegal business. Due to the proliferation and variety of ransomware forays, there is a need for a new theory of categories. The intricacy and multiplicity of components involved in digital extortions entails the construction of a knowledge representation system that is able to organize large volumes of information from heterogeneous sources in a formal structured format and infer new knowledge from it. This paper suggests and develops a dedicated ontology of digital blackmails, called Rantology, with a particular focus on ransomware assaults. The logic coded in this ontology makes it possible to assess the maliciousness of programs based on various factors, including called API functions and their behaviors. The proposed framework can be used to facilitate interoperability between cybersecurity experts and knowledge-based systems, and identify sensitive points for surveillance. The evaluation results based on several criteria confirm the adequacy of the suggested ontology in terms of clarity, modularity, consistency, coverage and inheritance richness.
... Ransomware takes over the victim's device, and blocks or encrypts the data, therefore, preventing the victim from using the device. The victim can get back to using the device or its data only if ransom is paid [4]. Ransomware made history in 2020 as it contributed to the first reported death related to a cyber-attack, when a German hospital was attacked by ransomware, causing a lock out of their systems and preventing treatment of patients. ...
Research
Full-text available
Every day, there is great growth of the Internet and smart devices connected to the network. Additionally, there is an increasing amount of malware that attacks networks, devices, systems and applications. One of the biggest threats and newest attacks in cybersecurity is Ransom Software (Ransomware). Although there is a lot of research on detecting malware using machine learning (ML), only a few focus on ML-based ransomware detection, especially attacks targeting smartphone operating systems (e.g., Android) and applications. In this research, a new system was proposed to protect smartphones from malicious applications through monitoring network traffic. Six ML methods (Random Forest (RF), k-Nearest Neighbors (k-NN), Multi-Layer Perceptron (MLP), Decision tree (DT), Logistic Regression (LR), and eXtreme Gradient Boosting (XGB)) are applied to the CICAndMal2017 dataset, which consists of benign and various kinds of Android malware samples. 603288 benign and ransomware samples were extracted from this collection. Ransomware samples were collected from 10 different families. Several types of feature selection techniques have been used on the dataset. Finally, seven performance metrics were used to determine the best feature selection and ML classifiers for ransomware detection. The experiment results imply that DT and XGB outperform other classifiers with the best detection accuracy at more than 99.30% and 99.20% for DT and XGB respectively.
... Researchers focused on process anomaly detection to enhance their detection rate. The technique discussed in the paper uses Windows API calls [21,22,23], I/O request Packets (IRP) logs, File system operations, set of operations performed per file extension, directories operations, dropped files, registry key operation, strings [24,25,26,27,28] for detection. Researchers recorded artefacts like folder listing, Files written, Files Renamed, files read, write entropy, and file type coverage as file system activities [27]. ...
Preprint
Full-text available
The current pandemic situation has increased cyber-attacks drastically worldwide. The attackers are heavily using malware like trojans, spyware, rootkits, worms and ransomware. Ransomware is the most notorious malware, yet we do not have any defensive mechanism to prevent or detect a zero-day attack. Most defensive products in the industry rely on either signature-based mechanisms or traffic-based anomaly detection. Therefore, researchers are adopting machine learning and deep learning to develop a behaviour-based mechanism for detecting malware. Though we have some hybrid mechanisms that perform static and dynamic analysis of executables for detection, we do not have any foolproof detection proof of concept which can be used to develop a foolproof product specific to ransomware. In this work, we have developed a proof of concept for ransomware detection using machine learning models. We have done detailed analysis and compared efficiency between several machine learning models like decision tree, random forest, KNN, SVM, XGBoost and Logistic Regression. We obtained 98.21% accuracy and evaluated various metrics like precision, recall, TP, TN, FP, and FN.
... Few authors have tried to present solutions for mobile malware detection [2,6,15]. They attempt to identify applications that encrypt data without consent of the user. ...
Article
Full-text available
Cloud computing has become one of the most preferred solutions for enterprises to implement and extend various enterprise applications. The importance of virtual servers in cloud computing makes them a lucrative target among attackers. Current security mechanisms can be circumvented by malware present on the same machine. This paper presents an approach for reliable ransomware detection on an enterprise’s private cloud. It captures the volatile memory state of virtual machines and extracts a valuable set of RAM, file system and network features after execution of benign and malicious samples. Further, feature selection and machine learning techniques are applied to these extracted features for determining the effectiveness of the proposed set of features. The proposed methodology is evaluated in four extensive experiments and the results show that it can differentiate between benign and ransomware samples. The Random Forest classifier performed best in all experiment setups in comparison to all other classifiers. The proposed methodology can effectively serve as a basis for detecting infection in enterprise virtual machines.
... The experiments were run on an Intel(R) Xeon(R) CPU E5-2683 v4 2.1 GHz with 64 GB RAM with GeForce RTX 2080 TI GPU. The dataset for the experiments consisted of ∼73K benign apps from the Google Play Market [1] (obtained from Androzoo [85]) and ∼6K malicious apps from the Drebin dataset [86], [4], [5], [87], [88], [89], [90]. To account for variations in the dataset, a 5-fold CV was used. ...
Preprint
Full-text available
Android malware is a continuously expanding threat to billions of mobile users around the globe. Detection systems are updated constantly to address these threats. However, a backlash takes the form of evasion attacks, in which an adversary changes malicious samples such that those samples will be misclassified as benign. This paper fully inspects a well-known Android malware detection system, MaMaDroid, which analyzes the control flow graph of the application. Changes to the portion of benign samples in the train set and models are considered to see their effect on the classifier. The changes in the ratio between benign and malicious samples have a clear effect on each one of the models, resulting in a decrease of more than 40% in their detection rate. Moreover, adopted ML models are implemented as well, including 5-NN, Decision Tree, and Adaboost. Exploration of the six models reveals a typical behavior in different cases, of tree-based models and distance-based models. Moreover, three novel attacks that manipulate the CFG and their detection rates are described for each one of the targeted models. The attacks decrease the detection rate of most of the models to 0%, with regard to different ratios of benign to malicious apps. As a result, a new version of MaMaDroid is engineered. This model fuses the CFG of the app and static analysis of features of the app. This improved model is proved to be robust against evasion attacks targeting both CFG-based models and static analysis models, achieving a detection rate of more than 90% against each one of the attacks.
... Machine Learning-Based Detection Via Structural Features: In terms of the ML-based ransomware detection systems for mobile devices using structural features, researchers used API packages [19,126], classes, and methods [159], permissions [20], opcodes in native instruction formats [115], grey-scale images of mobile application source codes [95], and structural entropy of mobile applications [56] to build and evaluate various ML classifiers. ...
Article
Full-text available
In recent years, ransomware has been one of the most notorious malware targeting end-users, governments, and business organizations. It has become a very profitable business for cybercriminals with revenues of millions of dollars, and a very serious threat to organizations with financial loss of billions of dollars. Numerous studies were proposed to address the ransomware threat, including surveys that cover certain aspects of ransomware research. However, no study exists in the literature that gives the complete picture on ransomware and ransomware defense research with respect to the diversity of targeted platforms. Since ransomware is already prevalent in PCs/workstations/desktops/laptops, is becoming more prevalent in mobile devices, and has already hit IoT/CPS recently, and will likely grow further in the IoT/CPS domain very soon, understanding ransomware and analyzing defense mechanisms with respect to target platforms is becoming more imperative. In order to fill this gap and motivate further research, in this paper, we present a comprehensive survey on ransomware and ransomware defense research with respect to PCs/workstations, mobile devices, and IoT/CPS platforms. Specifically, covering 137 studies over the period of 1990-2020, we give a detailed overview of ransomware evolution, comprehensively analyze the key building blocks of ransomware, present a taxonomy of notable ransomware families, and provide an extensive overview of ransomware defense research (i.e., analysis, detection, and recovery) with respect to platforms of PCs/workstations, mobile devices, and IoT/CPS. Moreover, we derive an extensive list of open issues for future ransomware research. We believe this survey will motivate further research by giving a complete picture on state-of-the-art ransomware research.
... Ransomware takes over the victim's device, and blocks or encrypts the data, therefore, preventing the victim from using the device. The victim can get back to using the device or its data only if ransom is paid [4]. Ransomware made history in 2020 as it contributed to the first reported death related to a cyber-attack, when a German hospital was attacked by ransomware, causing a lock out of their systems and preventing treatment of patients. ...
... It can also detect multiple variants of ransomware. Reference [11] built a static model called R-PackDroid that was a lightweight solution and was implemented on the users' device itself. Its functionality was to extract and analyze the application packages from the apk files. ...
Article
Full-text available
Ransomware is a special malware designed to extort money in return for unlocking the device and personal data files. Smartphone users store their personal as well as official data on these devices. Ransomware attackers found it bewitching for their financial benefits. The financial losses due to ransomware attacks are increasing rapidly. Recent studies witness that out of 87% reported cyber-attacks, 41% are due to ransomware attacks. The inability of application-signature-based solutions to detect unknown malware has inspired many researchers to build automated classification models using machine learning algorithms. Advanced malware is capable of delaying malicious actions on sensing the emulated environment and hence also poses a challenge to dynamic monitoring of applications. Existing hybrid approaches utilize a variety of feature combinations for detection and analysis. The rapidly changing nature and distribution strategies are possible reasons behind the deteriorated performance of primitive ransomware detection techniques. The limitations of existing studies include ambiguity in selecting the feature set. Increasing the feature set may lead to freedom of adept attackers against learning algorithms. In this work, we intend to propose a hybrid approach to identify and mitigate Android ransomware. This study employs a novel dominant feature selection algorithm to extract the dominant feature set. The experimental results show that our proposed model can differentiate between clean and ransomware with improved precision. Our proposed hybrid solution confirms an accuracy of 99.85% with zero false positives while considering 60 prominent features. Further, it also justifies the feature selection algorithm used. The comparison of the proposed method with the existing frameworks indicates its better performance.
Article
Due to the complexity and diversity of Industrial Internet of Things (IIoT) systems, which include heterogeneous devices, legacy and new connectivity protocols and systems, and distributed networks, sophisticated attacks like ransomware will likely target these systems in the near future. Researchers have focused on studying and addressing ransomware attacks against various platforms in recent years. However, to the best of our knowledge, no existing study investigates the new trends of ransomware tactics and techniques and provides a comprehensive analysis of ransomware attacks and their detection techniques for IIoT systems. Therefore, this paper investigates this attack and its associated detection techniques in IIoT systems in various aspects, including recent ransomware tactics, types, infected operating systems, and platforms. Specifically, we initially discuss the evolution of the IIoT system and its common architecture. Then, we provide an in-depth examination of the development of ransomware attacks and their constituent blocks, outline recent tactics and types of ransomware, and provide an extensive overview of the latest research on detection models. We also summarize numerous significant issues that have yet to be addressed and require further research. We conclude that offensive and defensive research is urgently needed to protect IIoT against ransomware attacks.
Research
Full-text available
Network Packet Sniffing
Chapter
This chapter investigates the potential of deep learning architectures for Android malware detection, specifically convolutional neural networks (CNNs) using natural language processing (NLP) concepts. The proposed solution is based on static analysis of raw opcode sequences from disassembled programs and other complementary features such as API calls and permissions, with features indicative of malware automatically learned by the network. This removes the need for hand-engineered malware features while performing classification. Using the Drebin and AMD benchmark datasets, the benefits of this multi-view architecture to combine multiple feature sources are demonstrated in our findings. We conclude that the use of deep learning architectures enables state-of-the-art results in automatic malware detection, while reducing the dependency on feature engineering and domain expertise. Using multi-view compared to single-view architectures improves performance through exposure to simultaneous sources of information, learning a more effective set of features. The model achieves state-of-the-art detection performance in a challenging zero-day scenario, reducing false positives by 77% in relative terms on average, an important metric for potential real-world deployment.
Chapter
As the threat landscape continues to evolve, users are becoming less aware, ignorant, or negligent, putting their confidential data at risk. Users easily fall prey to socially engineered ransomware attacks that encrypt and lock a computer or mobile device, holding it hostage unless a ransom is paid. The cryptoware encrypts data securely, making it almost impossible for anyone except the hacker to unlock the device. This research conducts a systematic review to identify methods for executing socially engineered ransomware attacks. Using a CRI framework, 122 studies were synthesized from 3209 research articles highlighting gaps in identifying and analyzing attack vectors, as well as the need for a holistic approach to ransomware with behavioural control as part of the solution. Human vulnerability was found to be a critical point of entry for miscreants seeking to spread ransomware. This review will be useful in developing control models that will educate organisations and security professionals to focus on adopting human-centered solutions to effectively counter ransomware attacks.
Article
Security plays an extremely important role for users in terms of digital India, the Internet, and the IoT era. Every user is now getting access to data and moving towards digitization in today's world. Due to the transfer of information everywhere in the organization due to processing vast amounts of knowledge, it faces numerous cyber-malware problems. Various sectors are adopting more technology to improve communications and infrastructure, and the cyber threat to these networks is growing in parallel. Cyber-malware and its class is ransomware. When it spreads, it locks the machine and encrypts it. Its impact performs various functions, such as confidential data theft, data misuse, and unauthorized access. The goal of this paper is to explore methods to counter ransomware attacks. This paper provides an understanding of cyber malware, why cyber malware is chosen as ransomware, and the attack process of cyber malware.
Article
The use of smartphone devices in healthcare has increased manifold due to their widespread use and ease of integration with Internet of Things (IoT) based medical devices. In healthcare, either in in-home observation or in a hospital scenario, the medical sensors use certain local communication devices to share the measured vital signs with a fog/cloud-based medical system. The large user community of Android devices has also brought some serious challenges, such as potential malicious attacks. For the past few years, ransomware attacks on healthcare have been increasing dramatically, posing several challenges. Therefore, an effective ransomware detection mechanism is needed to protect critical assets such as healthcare data, patients' private data, etc. In this work, a novel hybrid ransomware detection method is proposed that analyzes image data, text, and application code to extract plain or encrypted threat text. Threatening text is a potential tool and could be one of the most effective features for ransomware detection. Our proposed hybrid approach utilizes both static and dynamic analysis and uses multiple machine learning classifier models. The proposed approach also provides a family classification of ransomware. Experimental results show that the proposed approach achieves up to 94% accuracy and fewer false negatives.
Book
This book includes high quality research papers presented at the International Conference on Communication, Computing and Electronics Systems 2021, held at the PPG Institute of Technology, Coimbatore, India, on 28-29 October 2021. The volume focuses mainly on the research trends in cloud computing, mobile computing, artificial intelligence and advanced electronics systems. The topics covered are automation, VLSI, embedded systems, optical communication, RF communication, microwave engineering, artificial intelligence, deep learning, pattern recognition, communication networks, Internet of Things, cyber-physical systems, and healthcare informatics.
Chapter
The usage of Android smartphones is rapidly increasing. The users are unaware of the malware activities which may target their mobile phones. This paper focuses on a particular kind of malware named ransomware that turned out to be a massive security threat to end-users, large organizations, and enterprises. In recent times, locker ransomware has been playing major havoc in Android families. Locker ransomware blackmails victims for ransom by compulsorily locking the devices. We propose a model based on dynamic analysis to detect the locker ransomware variants using foreground analysis.
Keywords: Ransomware detection; Android; Dynamic analysis; Foreground analysis; Locker ransomware
Article
Full-text available
Android ransomware is one of the most threatening attacks that is increasing at an alarming rate. Ransomware attacks usually target Android users by either locking their devices or encrypting their data files and then requesting them to pay money to unlock the devices or recover the files back. Existing solutions for detecting ransomware mainly use static analysis. However, limited approaches apply dynamic analysis specifically for ransomware detection. Furthermore, the performance of these approaches is either poor or often fails in the presence of code obfuscation techniques or benign applications that use cryptography methods for their APIs usage. Additionally, most of them are unable to detect ransomware attacks at early stages. Therefore, this paper proposes a hybrid detection system that effectively utilizes both static and dynamic analyses to detect ransomware with high accuracy. For the static analysis, the proposed hybrid system considered more than 70 state-of-the-art antivirus engines. For the dynamic analysis, this research explored the existing dynamic tools and conducted an in-depth comparative study to find the proper tool to integrate it in detecting ransomware whenever needed. To evaluate the performance of the proposed hybrid system, we analyzed statically and dynamically over one hundred ransomware samples. These samples originated from 10 different ransomware families. The experiments’ results revealed that static analysis achieved almost half of the detection accuracy—ranging around 40–55%, compared to the dynamic analysis, which reached a 100% accuracy rate. Moreover, this research reports some of the high API classes, methods, and permissions used in these ransomware apps. Finally, some case studies are highlighted, including failed running apps and crypto-ransomware patterns.
Conference Paper
Full-text available
Although Machine Learning (ML) based approaches have shown promise for Android malware detection, a set of critical challenges remain unaddressed. Some of those challenges arise in relation to proper evaluation of the detection approach while others are related to the design decisions of the same. In this paper, we systematically study the impact of these challenges as a set of research questions (i.e., hypotheses). We design an experimentation framework where we can reliably vary several parameters while evaluating ML-based Android malware detection approaches. The results from the experiments are then used to answer the research questions. Meanwhile, we also demonstrate the impact of some challenges on some existing ML-based approaches. The large (market-scale) dataset (benign and malicious apps) we use in the above experiments represents the real-world Android app security analysis scale. We envision this study to encourage the practice of employing a better evaluation strategy and better designs of future ML-based approaches for Android malware detection.
Conference Paper
Full-text available
Due to its popularity and open-source nature, Android is the mobile platform that has been targeted the most by malware that aims to steal personal information or to control the users' devices. More specifically, mobile botnets are malware that allow an attacker to remotely control the victims' devices through different channels like HTTP, thus creating malicious networks of bots. In this paper, we show how it is possible to effectively group mobile botnet families by analyzing the HTTP traffic they generate. To do so, we create malware clusters by looking at specific statistical information that is related to the HTTP traffic. This approach also allows us to extract signatures with which it is possible to precisely detect new malware that belongs to the clustered families. Contrarily to x86 malware, we show that using fine-grained HTTP structural features does not increase detection performance. Finally, we point out how the HTTP information flow among mobile bots contains more information when compared to the one generated by desktop ones, allowing for a more precise detection of mobile threats.
Conference Paper
Full-text available
Malicious applications pose a threat to the security of the Android platform. The growing amount and diversity of these applications render conventional defenses largely ineffective and thus Android smartphones often remain unprotected from novel malware. In this paper, we propose DREBIN, a lightweight method for detection of Android malware that enables identifying malicious applications directly on the smartphone. As the limited resources impede monitoring applications at run-time, DREBIN performs a broad static analysis, gathering as many features of an application as possible. These features are embedded in a joint vector space, such that typical patterns indicative for malware can be automatically identified and used for explaining the decisions of our method. In an evaluation with 123,453 applications and 5,560 malware samples DREBIN outperforms several related approaches and detects 94% of the malware with few false alarms, where the explanations provided for each detection reveal relevant properties of the detected malware. On five popular smartphones, the method requires 10 seconds for an analysis on average, rendering it suitable for checking downloaded applications directly on the device.
Article
Full-text available
The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.
Conference Paper
The recent past has shown that Android smartphones became the most popular target for malware authors. Malware families offer a variety of features that allow, among others, to steal arbitrary data and to cause significant monetary losses. These circumstances led to the development of many different analysis methods that are aimed to assess the absence of potential harm or malicious behavior in mobile apps. In return, malware authors devised more sophisticated methods to write mobile malware that attempt to thwart such analyses. In this work, we briefly describe the assumptions analysis tools rely on to detect malicious content and behavior. We then present results of a new obfuscation framework that aims to break such assumptions, thus modifying Android apps to avoid them being analyzed by the targeted systems. We use our framework to evaluate the robustness of static and dynamic analysis systems for Android apps against such transformations.
Article
Smartphones are becoming more and more popular and, as a consequence, malware writers are increasingly engaged in developing new threats and propagating them through official and third-party markets. In addition to the propagation vectors, malware is also quickly evolving the techniques adopted for infecting victims and hiding its malicious nature from antimalware scanning. From SMS Trojans to legitimate applications repacked with malicious payload, from AES encrypted root exploits to the dynamic loading of a payload retrieved from a remote server: malicious code is becoming harder and harder to detect.
Conference Paper
In ransomware attacks, the actual target is the human, as opposed to the classic attacks that abuse the infected devices (e.g., botnet renting, information stealing). Mobile devices are by no means immune to ransomware attacks. However, there is little research work on this matter and only traditional protections are available. Even state-of-the-art mobile malware detection approaches are ineffective against ransomware apps because of the subtle attack scheme. As a consequence, the ample attack surface formed by the billion mobile devices is left unprotected. First, in this work we summarize the results of our analysis of the existing mobile ransomware families, describing their common characteristics. Second, we present HelDroid, a fast, efficient and fully automated approach that recognizes known and unknown scareware and ransomware samples from goodware. Our approach is based on detecting the “building blocks” that are typically needed to implement a mobile ransomware application. Specifically, HelDroid detects, in a generic way, if an app is attempting to lock or encrypt the device without the user’s consent, and if ransom requests are displayed on the screen. Our technique works without requiring that a sample of a certain family is available beforehand. We implemented HelDroid and tested it on real-world Android ransomware samples. On a large dataset comprising hundreds of thousands of APKs including goodware, malware, scareware, and ransomware, HelDroid exhibited nearly zero false positives and the capability of recognizing unknown ransomware samples.
Article
In order to effectively evade anti-malware solutions, Android malware authors are progressively resorting to automatic obfuscation strategies. Recent works have shown, on small-scale experiments, the possibility of evading anti-malware engines by applying simple obfuscation transformations on previously detected malware samples. In this paper, we provide a large-scale experiment in which the detection performances of a high number of anti-malware solutions are tested against two different sets of malware samples that have been obfuscated according to different strategies. Moreover, we show that anti-malware engines search for possible malicious content inside assets and entry-point classes. We also provide a temporal analysis of the detection performances of anti-malware engines to verify if their resilience has improved since 2013. Finally, we show how, by manipulating the area of the Android executable that contains the strings used by the application, it is possible to deceive anti-malware engines so that they will identify legitimate samples as malware. On one hand, the attained results show that anti-malware systems have improved their resilience against trivial obfuscation techniques. On the other hand, more complex changes to the application executable have proved to be still effective against detection. Thus, we claim that a deeper static (or dynamic) analysis of the application is needed to improve the robustness of such systems.
Conference Paper
Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long term effectiveness of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats and its increasing complexity has resulted in vulnerabilities that are being exploited by malware. This paper advocates a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This model enables identification of malicious and unwanted software by multiple, heterogeneous detection engines in parallel, a technique we term 'N-version protection'. This approach provides several important benefits including better detection of malicious software, enhanced forensics capabilities, retrospective detection, and improved deployability and management. To explore this idea we construct and deploy a production quality in-cloud antivirus system called CloudAV. CloudAV includes a lightweight, cross-platform host agent and a network service with ten antivirus engines and two behavioral detection engines. We evaluate the performance, scalability, and efficacy of the system using data from a real-world deployment lasting more than six months and a database of 7220 malware samples covering a one year period. Using this dataset we find that CloudAV provides 35% better detection coverage against recent threats compared to a single antivirus engine and a 98% detection rate across the full dataset. We show that the average length of time to detect new threats by an antivirus engine is 48 days and that retrospective detection can greatly minimize the impact of this delay. Finally, we relate two case studies demonstrating how the forensics capabilities of CloudAV were used by operators during the deployment.