Conference Paper

Abstract

Ransomware has become a serious and concrete threat for mobile platforms and in particular for Android. In this paper, we propose R-PackDroid, a machine learning system for the detection of Android ransomware. Differently from previous works, we leverage information extracted from system API packages, which allow us to characterize applications without specific knowledge of user-defined content such as the application language or strings. Results attained on very recent data show that it is possible to detect Android ransomware and to distinguish it from generic malware with very high accuracy. Moreover, we used R-PackDroid to flag applications that were detected as ransomware with very low confidence by the VirusTotal service. In this way, we were able to correctly distinguish true ransomware from false positives, thus providing valuable help for the analysis of these malicious applications.
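The package-level feature extraction the abstract describes (and which the citing works summarize as checking the APIs found in invoke-type Dalvik instructions against the system packages) is illustrated below as an added example; it is not code from the R-PackDroid authors. The smali fragments and the short list of system packages are constructed for the demo, and the point it makes is the abstract's own: renaming user-defined classes or changing on-screen strings leaves the feature vector untouched.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed subset of Android system API packages. The real system uses the
# full list of framework packages; this short list is an assumption for the demo.
SYSTEM_PACKAGES: List[str] = [
    "android.app",
    "android.app.admin",
    "android.content",
    "android.os",
    "android.telephony",
    "android.view",
    "android.webkit",
    "java.io",
    "java.lang",
    "javax.crypto",
]
SYSTEM_INDEX = {pkg: i for i, pkg in enumerate(SYSTEM_PACKAGES)}

# Dalvik invoke-* instruction in smali form, e.g.
#   invoke-virtual {v0, v1}, Landroid/telephony/SmsManager;->sendTextMessage(...)V
# Group 1 captures the declaring class descriptor without the leading 'L'.
INVOKE_RE = re.compile(
    r"^\s*invoke-(?:virtual|direct|static|interface|super)(?:/range)?\s+"
    r"\{[^}]*\},\s*L([^;]+);->"
)


def package_of(class_desc: str) -> str:
    """'android/app/admin/DevicePolicyManager' -> 'android.app.admin'."""
    return ".".join(class_desc.split("/")[:-1])


def system_package(class_desc: str) -> Optional[str]:
    """Return the system package a class belongs to, or None for user-defined
    code, which the package-level feature set deliberately ignores."""
    pkg = package_of(class_desc)
    return pkg if pkg in SYSTEM_INDEX else None


def package_counts(smali: str) -> Dict[str, int]:
    """Count invoke targets per system package over a smali listing."""
    counts: Counter = Counter()
    for line in smali.splitlines():
        m = INVOKE_RE.match(line)
        if m is None:
            continue  # not an invoke-type instruction
        pkg = system_package(m.group(1))
        if pkg is not None:
            counts[pkg] += 1
    return dict(counts)


def feature_vector(smali: str) -> List[int]:
    """Fixed-order occurrence vector over SYSTEM_PACKAGES: the classifier input."""
    counts = package_counts(smali)
    return [counts.get(pkg, 0) for pkg in SYSTEM_PACKAGES]


# Constructed smali fragments (not real samples). APP_B is APP_A with the
# user-defined class renamed and the on-screen string translated, the kind of
# change a repackaged or localized variant would introduce.
APP_A = """\
.method public onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    const-string v0, "Your device has been locked"
    invoke-static {}, Lcom/example/locker/Note;->build()Ljava/lang/String;
    invoke-virtual {p0, v0}, Landroid/app/Activity;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    invoke-virtual {v1, v2}, Landroid/app/admin/DevicePolicyManager;->isAdminActive(Landroid/content/ComponentName;)Z
    invoke-virtual {v1}, Landroid/app/admin/DevicePolicyManager;->lockNow()V
    invoke-interface {v3, v4, v5}, Landroid/view/WindowManager;->addView(Landroid/view/View;Landroid/view/ViewGroup$LayoutParams;)V
    invoke-virtual {v6, v0}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    return-void
.end method
"""
APP_B = (
    APP_A.replace("Lcom/example/locker/Note;->build", "La/b/c;->d")
         .replace("Your device has been locked", "Ihr Gerat wurde gesperrt")
)

if __name__ == "__main__":
    for name, smali in (("APP_A", APP_A), ("APP_B", APP_B)):
        print(name, feature_vector(smali), package_counts(smali))
```

Only the invoke targets that resolve to a listed system package contribute; the call into `com.example.locker` (and its renamed twin `a.b`) is dropped, so both fragments yield the same vector.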


... The first technique consists of defining a learning-based system whose structure is inspired by other popular detection systems (Daniel et al., 2014; Chen et al., 2016; Maiorca et al., 2017). In particular, the proposed system performs the following steps: (i) it takes as an input an Android application and extracts its cryptographic API usage with the pipeline described in Section 2.2; (ii) it encodes these statistics into a vector of features; (iii) it trains a machine-learning classifier to predict a benign/malicious label. ...
... The third approach consists of taking a well-established malware classifier for Android as a baseline and measuring its performance when enhanced with features related exclusively to cryptographic API. To this end, we chose R-PackDroid (Maiorca et al., 2017), an available learning-based classifier (trained on random forests) based on static features, and we expand its feature set by adding the cryptographic features described above. There are multiple reasons for which this system was chosen as a baseline: (i) It was initially designed to detect ransomware; (ii) It harvests a relatively small number of features; (iii) It features a high detection rate (the original paper documents over 97% F1 score). ...
... We trained a random forest model based only on cryptography-related features described in Section 2.4 and compared its performance to R-PackDroid. To obtain a valid comparison, we replicated the experimental setup of the original R-PackDroid paper (Maiorca et al., 2017), taking 10 thousand applications divided 50:50 into benign/malicious, and split 50:50 into training/test set. Our classifier achieved 62.4% F1 score on the malicious samples (see also Table 4), showing that cryptographic information is discriminant enough to separate malicious from benign samples. ...
... We trained a random forest model based only on cryptography-related features described in Section 2.4 and compared its performance to R-PackDroid. To obtain a valid comparison, we replicated the experimental setup of the original R-PackDroid paper (Maiorca et al., 2017), taking 10 thousand applications divided 50:50 into benign/malicious, and split 50:50 into training/test set. Our classifier achieved 62.4% F1 score on the malicious samples (see also nificantly better than our system, our classifier was able to correctly identify 88/180 malicious samples that were misclassified as benign by R-PackDroid (with all 211 features). ...
Preprint
Full-text available
Cryptography has been extensively used in Android applications to guarantee secure communications, conceal critical data from reverse engineering, or ensure mobile users' privacy. Various system-based and third-party libraries for Android provide cryptographic functionalities, and previous works mainly explored the misuse of cryptographic API in benign applications. However, the role of cryptographic API has not yet been explored in Android malware. This paper performs a comprehensive, longitudinal analysis of cryptographic API in Android malware. In particular, we analyzed $603\,937$ Android applications (half of them malicious, half benign) released between $2012$ and $2020$, gathering more than 1 million cryptographic API expressions. Our results reveal intriguing trends and insights on how and why cryptography is employed in Android malware. For instance, we point out the widespread use of weak hash functions and the late transition from insecure DES to AES. Additionally, we show that cryptography-related characteristics can help to improve the performance of learning-based systems in detecting malicious applications.
... Ransomware is malware that extorts money (ransom) by holding hostage a victim's data, usually through encryption [1][2][3][4][5][6]. Cybercriminals collect the ransom as crypto-currency, mainly Bitcoins, to hide their identity [7]. ...
... All of the three selected registry keys associated with the write operation have been marked as indicative of ransomware by Hybrid Analysis (a free online malware analysis tool that uses Falcon sandbox for automated analysis of submitted files). The format of these three keys is given as HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\e7136b33-a421-11e5-b597-806d6172696f, which is common among the three keys but with a difference of the number at the end of the key. The 19 registry keys associated with the read operation come from three hives, i.e., HKLM\SOFTWARE, HKLM\SYSTEM, and HKCU\Software. ...
... The features (with maximum frequency of selection) from other groups include tmp from the DROP group (this group contains the extensions of the dropped files), tmp from FILES_EXT (for opening a file with extension ''.tmp''), and C:\Documents and Settings\MyUser\Local Settings\Start Menu and C:\Documents and Settings\MyUser\Local Settings\Temp from the FILES group. ...
Article
Ransomware is malware that encrypts the victim's data and demands a ransom for a decryption key. The increasing number of ransomware families and their variants renders the existing signature-based anti-ransomware techniques useless; thus, behavior-based detection techniques have gained popularity. A difficulty in behavior-based ransomware detection is that hundreds of thousands of system calls are obtained as analysis output, making the manual investigation and selection of ransomware-specific features infeasible. Moreover, manual investigation of the analysis output requires domain experts, who are expensive to hire and unavailable in some cases. Machine learning methods have shown success in a wide range of scientific domains to automate and address the problem of feature selection and extraction from noisy and high-dimensional data. However, automated feature selection is under-explored in malware detection. This study proposes an automated feature selection method that utilizes particle swarm optimization for behavior-based ransomware detection and classification. The proposed method considers the significance of various feature groups of the data in ransomware detection and classification and performs feature selection based on the groups' significance. The experimental results show that, in most cases, the proposed method achieves comparable or significantly better performance than other state-of-the-art methods used in this study for benchmarking. In addition, this article presents an in-depth analysis of the significance of various feature groups and the features selected by the proposed method in ransomware detection and classification.
... There are few [3], [5], [8], [10], [12], [15], [17]-[20] that classify an Android malware into malware families. Mostly, the machine learning based Android malware detection tools utilize either static features ([3], [4], [7], [12], [19]) or dynamic features ([7]-[9]). Some machine learning based malware analysis tools (like EC2 [17]) use both types of features, i.e., static and dynamic. ...
... All the above work utilizes API call information in some form, whereas we use API package information to identify Android malware families. R-PackDroid [7] is the most closely related work that utilizes API package information to characterize and detect Mobile Ransomware. However, in later work [28], authors have again shifted their focus on API call information. ...
Conference Paper
With the increased popularity and wide adoption as a mobile OS platform, Android has been a major target for malware authors. Due to unprecedented rapid growth in the number, variants, and diversity of malware, detecting malware on the Android platform has become challenging. Beyond the detection of a malware, classifying the family the malware belongs to helps security analysts to reuse malware removal techniques that are known to work for that family of malware. It takes manual analysis if a malware belongs to an unknown family. Therefore, classifying malware into the exact family is important. This paper presents a technique and tool named MAPFam that applies machine learning on static features from the Manifest file and API packages to classify an Android malware into its family. This work is premised on a starting hypothesis that features extracted from API packages rather than from API calls lead to more precise classification. Our experiments indeed show that API package based models provide ~1.63X more accurate classification compared to an API call based method. Our machine learning based malware family classification system uses API packages, requested permissions, and other features from the Manifest files. The proposed family classification system achieves accuracy and average precision above 97% for the top 60 malware families by using only 81 features with a 97.55% model reliability rate (Kappa score). The experimental results also show that MAPFam can perfectly identify 36 malware families.
... Machine learning has numerous applications in classifying malware, ransomware, and benign programs [22]. R-PackDroid, an Android-based ransomware detection system, was presented in [57]. This system performed the static analysis by analyzing the Dalvik bytecode. ...
... In [57], an Android-based ransomware detection system was presented, named R-PackDroid. This system ran the static analysis using RF, a supervised machine learning classifier, to categorize the applications into ransomware, generic malware and trusted by using the system API packages. ...
... Victims are threatened with the loss of their mobile data, sharing of personal information, and browsing history to their contact lists. Android.Lockdroid.E is one of the examples of mobile ransomware [57,86]. ...
Article
Full-text available
Ransomware is an ill-famed malware that has received recognition because of its lethal and irrevocable effects on its victims. The irreparable loss caused due to ransomware requires the timely detection of these attacks. Several studies including surveys and reviews are conducted on the evolution, taxonomy, trends, threats, and countermeasures of ransomware. Some of these studies were specifically dedicated to IoT and android platforms. However, there is not a single study in the available literature that addresses the significance of dynamic analysis for the ransomware detection studies for all the targeted platforms. This study also provides the information about the datasets collection from its sources, which were utilized in the ransomware detection studies of the diverse platforms. This study is also distinct in terms of providing a survey about the ransomware detection studies utilizing machine learning, deep learning, and blend of both techniques while capitalizing on the advantages of dynamic analysis for the ransomware detection. The presented work considers the ransomware detection studies conducted from 2019 to 2021. This study provides an ample list of future directions which will pave the way for future research.
... However, the difficulty to deal with time-variant ransomware can become a bottleneck because of the escalating flow of ransomware versions that vary in their tricking exploitations, intrusion traits, and the type of platforms they have infected [6][7][8][9]. Furthermore, the existing detection tools still have direct impacts on the processing time, classification accuracies, searching for the minimum set of distinctive traits, employing an inappropriate number of static clues and dynamic actions, and then the overall performance of the detection engines [9][10][11][12][13][14][15]. For example, the detection tools of file system analysis search for executable files and recognize ransomware infections through examining particular function calls like APIs (Application Program Interface), specific inserted codes, dynamic interactions of some apps, and some elementary settings of the smartphone system [10][11][12]. Whereas the detection tools of machine learning aided analysis identify suspicious activities and apps as ransomware by encountering the values of a combination of static clues and dynamic actions that are mentioned above [13][14][15][16][17][18]. They deploy these values (i.e. ransomware infection vectors) as the input in their machine learning procedures [13][14][15][16][17][18]. ...
... Maiorca et al. statically analyze the Dalvik bytecode to extract API packages found. Using API packages reduces the number of features needed for classification [236]. APIs contained in the invoke-type instructions are checked to see if they belong to system packages. ...
... Approaches Tested Detection/Protection Mechanism Static Dynamic Solution [236] API Calls X Random forest applied to the occurrences of system API packages in the Android apps to classify the executables as ransomware, malware, or trusted. [237] API Calls X Random forest, J48, and naïve bayes are applied to fifty-two collected system calls to detect ransomware samples. ...
... Many techniques have been proposed to this end, especially monitoring/tracking user activity or sensitive information like Scandroid, TaintDroid [172,240] and others [241][242][243]. However, current literature is not abundant with mobile ransomware journals or papers, as stated in [236,238]. Even in the latest survey released in 2020 about ransomware in Windows and Android platforms, only six papers were mentioned related to mobile ransomware [244]. ...
Thesis
Ransomware remains the number one cyberthreat for individuals, enterprises, and governments. Malware’s aftermath can cause irreversible casualties if the requirements of the attackers are not met in time. This thesis targets Windows ransomware. It affects users’ data and undermines many public services. Four stages of this malware attack are defined: delivery, deployment, destruction, and dealing. The corresponding countermeasures are assigned to each phase of the attack and clustered according to the techniques used. This thesis presents three contributions. The first detection mechanism is located in the file system layer. It is based on the system traversal that is sufficient to highlight the malicious behavior. This thesis proposes also an analysis of the network traffic. It is generated by collected ransomware samples to perform a packet-level detection. A study of the ransom notes is made to define where it takes place in a ransomware workflow. The last contribution provides an insight into plausible attacks, especially Doxware. A quantification model that explores the Windows file system in search of valuable data is presented. It is based on the term frequency-inverse document frequency solution provided in the literature for information retrieval. Honeypot techniques are also used to protect the sensitive files of the users. Finally, this thesis provides future perspectives granting a better roadmap for researchers.
... (Table 5): Static Analysis, also known as Static Code Analysis, is the method to examine the source code or compiled executable files to search for the presence of malware, before the executable files are executed [73,115]. Many studies ([10,13,15,16,39,45,48,73,74,79,98,107,127,138,154,155]) performed static analysis for ransomware detection, and all claimed satisfactory detection results. However, those studies performing static analysis suffered from one or more of the following issues: (1) not all ransomware variants have the actual executable files present in the file system available for static analysis; (2) static analysis does not take into consideration the runtime variables, such as the parameters of API calls; (3) some assumed that future ransomware variants would all bear high similarity to existing ones, and did not consider encrypted, encoded, or dynamically loaded malicious code; (4) analyses of APIs or bytecodes are often highly platform-specific, limiting their generalizability; and (5) ransomware could insert other benign code between malicious codes to obscure prominent static features. ...
... The peak of the number of anti-ransomware proposals around 2018 (as seen in Figure 1) corresponded to the sudden surge in research interest in machine learning, and its subsequent application on available ransomware datasets (either self-constructed or shared). A significant proportion of those ML-based proposals (e.g., [4,7,9,10,15,16,20,21,44,45,57,60,65,74,79,86,95,98,99,110,112,127,129,141,154,155,157]) were purely outcome-oriented and did not specify the malicious features found by their ML algorithms among ransomware samples, whereas a few other ML-based proposals (e.g., [13,48,51,63,78,94,124,131,132,144,146,158]) specified the malicious features they detected or concluded, but did not analyze whether there had been a causal relationship between each feature they considered malicious and the actual ransomware attack mechanism. Relying on ML to make the decision of ransomware classification without further analysis or verification of the results presented by ML can cause several issues: the ML algorithms can pick up features irrelevant to ransomware attacks, can overfit to the training samples, and do not adequately contribute to the theoretical understanding of ransomware attack mechanisms. ...
... Doing so enables other researchers to better understand the ransomware attack mechanisms, and to examine whether the features selected are appropriate and justified. While many studies (e.g., [1-3, 8, 11, 12, 14, 17, 22, 23, 28, 32, 34-40, 43, 47, 50, 52, 55, 56, 58, 61, 62, 64, 68-70, 72, 73, 75, 80, 81, 83, 87, 90-93, 101, 102, 105, 107, 108, 111, 113, 114, 117-119, 125, 126, 130, 133, 136, 138, 142, 143, 145, 147-151]) both disclosed the malicious features of ransomware they found and justified their selection, some studies (e.g., [13,48,51,63,71,78,85,94,124,131,132,134,139,144,146,158]) only disclosed ransomware malicious features they selected without justification, and others (e.g., [4,5,7,9,10,15,16,18,20,21,26,44,45,57,60,65,74,79,84,86,95,98,99,110,112,127,129,141,154,155,157]) did not discuss ransomware malicious features at all. Ransomware malicious features are by design, and ransomware developers can implement different features in different attack vectors or patterns. ...
Article
Full-text available
Although ransomware has been around since the early days of personal computers, its sophistication and aggression have increased substantially over the years. Ransomware, as a type of malware to extort ransom payments from victims, has evolved to deliver payloads in different attack vectors and on multiple platforms, creating repeated disruptions and financial loss to many victims. Many studies have performed ransomware analysis and/or presented detection, defense or prevention techniques for ransomware. However, because the ransomware landscape has evolved aggressively, many of those studies have become less relevant or even outdated. Previous surveys on anti-ransomware studies have compared the methods and results of the studies they surveyed, but none of those surveys has attempted to critique the internal or external validity of those studies. In this survey, we first examined the up-to-date concept of ransomware, and listed the inadequacies in current ransomware research. We then proposed a set of unified metrics to evaluate published studies on ransomware mitigation, and applied the metrics to 118 such studies to comprehensively compare and contrast their pros and cons, with the attempt to evaluate their relative strengths and weaknesses. Finally, we forecast the future trends of ransomware evolution, and proposed future research directions.
... Maiorca et al. statically analyze the Dalvik bytecode to extract API packages found. Using API packages reduces the number of features needed for classification [39]. APIs contained in the invoke-type instructions are checked to see if they belong to system packages. ...
... Many techniques have been proposed to this end, especially monitoring/tracking user activity or sensitive information like Scandroid, TaintDroid [28,30] and others [50,73,122]. However, current literature is not abundant with mobile ransomware journals or papers, as stated in [32,39]. Even in the latest survey released in 2020 about ransomware in Windows and Android platforms, only six papers were mentioned related to mobile ransomware [21]. ...
... Approaches Tested Detection/Protection Mechanism Static Dynamic Solution [39] API Calls ✓ X ✓ Random forest applied to the occurrences of system API packages in the Android apps to classify the executables as ransomware, malware, or trusted. [18] API Calls X ✓ ✓ Random forest, J48, and Naive Bayes are applied to fifty-two collected system calls to detect ransomware samples. ...
Article
Ransomware remains an alarming threat in the 21st century. It has evolved from being a simple scare tactic into a complex malware capable of evasion. Formerly, end-users were targeted via mass infection campaigns. Nevertheless, in recent years, the attackers have focused on targeted attacks, since the latter are profitable and can induce severe damage. A vast number of detection mechanisms have been proposed in the literature. We provide a systematic review of ransomware countermeasures starting from its deployment on the victim machine until the ransom payment via cryptocurrency. We define four stages of this malware attack: Delivery, Deployment, Destruction, and Dealing. Then, we assign the corresponding countermeasures for each phase of the attack and cluster them by the techniques used. Finally, we propose a roadmap for researchers to fill the gaps found in the literature in ransomware’s battle.
... Algorithm; Resolved issue; Data set; Performance metrics:
[186] Fuzzy pattern tree; malware; Kaggle and Vx-Heaven; 97.0427% and 88.76% accuracies
[187] LSTM; malware; UNSW-NB15; 70% accuracy
[188] Fuzzy set theory and a new loss function; malware; Drebin [189] and AndroZoo [190]; 9% F1-score improvement
[191] Fuzzy clustering; malware; Custom data sets created from VirusShare, Kaggle, and RansomwareTracker; VirusShare: 94.66%, Kaggle: 97.56%, RansomwareTracker: 94.26% accuracies
[192] Theoretical analysis; malware; NA; NA
[193] J48; ransomware; VirusTotal; 97.1% detection rate
[194] kNN
[196] Random forest; ransomware; ransomware and malware-trusted; 97.817% average F1-score of five splits
[197] Logistic regression; ransomware; created from VirusShare website; 96.3% detection rate and 99.5% ROC curve
[198] DNN
Guizani and Ghafoor [187] have presented a software-based framework that adopts NFV technology to resist malware diffusion in heterogeneous IoT environments. To deploy a precise countermeasure, the authors deployed a deep learning-based IDS to detect a broad range of malware promptly. ...
... Maiorca et al. [196] have introduced an Android ransomware attack detector using the random forest ensemble method. The proposed technique differs from previous methods, in that it utilizes extracted features from API packages to categorize applications, without needing to be familiar with user-defined content (e.g., strings) and the language used to write the application. ...
Preprint
Full-text available
The Industrial Internet of Things (IIoT) paradigm is a key research area derived from the Internet of Things (IoT). The emergence of IIoT has enabled a revolution in manufacturing and production, through the employment of various embedded sensing devices connected with each other by an IoT network, along with a collection of enabling technologies such as artificial intelligence (AI) and edge/fog computing. One of the unrivaled characteristics of IIoT is the inter-connectivity provided to industries; however, this characteristic might open the door for cyber-criminals to launch various attacks. In fact, one of the major challenges hindering the prevalent adoption of the IIoT paradigm is IoT security. Inevitably, an increasing number of research proposals have been introduced over the last decade to overcome these security concerns. To obtain an overview of this research area, conducting a literature survey of the published research is necessary, eliciting the various security requirements and their considerations. This paper provides a literature survey of IIoT security, focused on the period from 2017 to 2023. We identify IIoT security threats and classify them into three categories, based on the IIoT layer they exploit to launch these attacks. Additionally, we characterize the security requirements that these attacks violate. Finally, we highlight how emerging technologies, such as AI and edge/fog computing, can be adopted to address security concerns and enhance IIoT security.
... Android malware detection classifies Android apps into two classes, benign and malware. However, some papers detect Android Ransomware (Andronio, Zanero & Maggi, 2015; Maiorca et al., 2017) considering three classes: benign, malware, and ransomware. Hence, we briefly explain the evaluation measures of ML classification. ...
... Until today, many static analysis researchers depend on permissions (Arora, Peddoju & Conti, 2019; Dharmalingam & Palanisamy, 2021; Li et al., 2018; Şahin et al., 2021); however, many are relying on API calls (Alazab et al., 2020; Jung et al., 2018; Maiorca et al., 2017; Mirzaei et al., 2019; Pektaş & Acarman, 2020; Tiwari & Shukla, 2018; Zhang et al., 2020; Zhang, Breitinger & Baggili, 2016; Zou et al., 2021) and deep code analysis and other types of features as discussed earlier in the Android evasion detection frameworks section. Many of the examined studies ignored the evasion techniques evaluation. ...
Article
Full-text available
The various application markets are facing an exponential growth of Android malware. Every day, thousands of new Android malware applications emerge. Android malware hackers adopt reverse engineering and repackage benign applications with their malicious code. Therefore, Android applications developers tend to use state-of-the-art obfuscation techniques to mitigate the risk of application plagiarism. The malware authors adopt the obfuscation and transformation techniques to defeat the anti-malware detections, which this paper refers to as evasions. Malware authors use obfuscation techniques to generate new malware variants from the same malicious code. The concern of encountering difficulties in malware reverse engineering motivates researchers to secure the source code of benign Android applications using evasion techniques. This study reviews the state-of-the-art evasion tools and techniques. The study criticizes the existing research gap of detection in the latest Android malware detection frameworks and challenges the classification performance against various evasion techniques. The study concludes the research gaps in evaluating the current Android malware detection framework robustness against state-of-the-art evasion techniques. The study concludes the recent Android malware detection-related issues and lessons learned which require researchers’ attention in the future.
... They didn't provide any ransomware examples in the training phase and their framework identifies anomalies that deviate from learned behaviour. Maiorca et al. [36] proposed R-PackDroid for the Android operating system. ...
... Researchers focused on process anomaly detection to enhance their detection rate. The technique discussed in the paper uses Windows API calls [22,36,39], I/O request Packets (IRP) logs, file system operations, the set of operations performed per file extension, directory operations, dropped files, registry key operations, and strings [14,22,23,24,26] for detection. For file system activity detection, researchers recorded folder listing, files written, files renamed, files read, write entropy, and file type coverage [24]. The various researchers recorded IRP open, IRP write, and IRP create for IRP logs [23]. ...
Chapter
Full-text available
Ransomware is a program used by an attacker or hacker that locks or encrypts target files or data. The user or the owner of the data cannot access these without the explicit assistance of the attacker. After locking or encrypting, the attacker demands a ransom, generally in the form of cryptocurrencies, to permit the user to regain access to the locked data. However, there is no guarantee that the user can access the seized data again even after the ransom has been paid. Researchers have proposed various tools and techniques to protect and fight against ransomware. Existing tools and methods are not sufficient to detect ransomware early because several new ransomware variants are being introduced every day. Machine learning techniques are used efficiently in various applications like ransomware detection, spam detection, text classification, pattern recognition, etc. Further, deep learning, a subfield of machine learning, eliminates the burden of re-engineering the features for the new types of malware or network attacks that may arise. In this paper, several machine learning-based detection techniques against ransomware are reviewed.
... Chen et al. [21] converted app opcodes to an image-like structure in order to perform data augmentation through a Generative Adversarial Network (GAN), while the works by Mahindru et al. focused on assessing effective feature selection, mainly considering the usage of APIs and permissions as features [44,45]. Moreover, different works in the literature target specific types of attacks, such as botnets [33] or ransomware samples [17,47,57]. ...
... An interesting aspect to underline is that most of the feature sets used in previous work, the earliest as well as the newest ones, include information from Android APIs [1,4,19,38,45,47,48,57]. According to Zhang et al. [67], although Android malware evolves over time, many semantics are still the same or similar, and can be caught by identifying the relations between the different APIs. ...
Article
Full-text available
While machine-learning algorithms have demonstrated a strong ability in detecting Android malware, they can be evaded by sparse evasion attacks crafted by injecting a small set of fake components, e.g., permissions and system calls, without compromising intrusive functionality. Previous work has shown that, to improve robustness against such attacks, learning algorithms should avoid overemphasizing few discriminant features, providing instead decisions that rely upon a large subset of components. In this work, we investigate whether gradient-based attribution methods, used to explain classifiers’ decisions by identifying the most relevant features, can be used to help identify and select more robust algorithms. To this end, we propose to exploit two different metrics that represent the evenness of explanations, and a new compact security measure called Adversarial Robustness Metric. Our experiments conducted on two different datasets and five classification algorithms for Android malware detection show that a strong connection exists between the uniformity of explanations and adversarial robustness. In particular, we found that popular techniques like Gradient*Input and Integrated Gradients are strongly correlated to security when applied to both linear and nonlinear detectors, while more elementary explanation techniques like the simple Gradient do not provide reliable information about the robustness of such classifiers.
... Other studies chose to detect ransomware via different approaches. In Scaife et al. (2016), Genç et al. (2018), Genç et al. (2019), Kolodenker et al. (2017), Maiorca et al. (2017), Palisse et al. (2016), it was proposed to perform API analysis on ransomware during its execution, but ransomware could obscure its API calling patterns. API analysis will not be effective for fileless ransomware attacks via command scripts or virtual machines. ...
... In Moore (2016), it was proposed to set up honeypot files to detect ransomware, but ransomware may not always attack honeypot files before other user files. In Genç et al. (2018), Kolodenker et al. (2017), Palisse et al. (2016), the usage of Windows OS encryption libraries was monitored, but those implementations were Windows-specific, and not all ransomware variants relied on the OS encryption libraries. In Medhat et al. (2018), static analysis was applied on ransomware samples, but static analysis can only detect known ransomware features, and may not be effective on newer ransomware variants or fileless ransomware attacks. ...
[Fragment of a comparison table from the citing paper, interleaved with the text above by extraction; column headers and the marks in each column are not recoverable. Rows: (category not recoverable) Continella et al., 2016; Kharraz and Kirda, 2017; Mehnaz et al., 2018 | API Analysis: Genç et al., 2018; Kolodenker et al., 2017; Maiorca et al., 2017; Palisse et al., 2016; Scaife et al., 2016 | Behavioral Analysis: Ahmadian and Shahriari, 2016; Homayoun et al., 2017; Kharraz et al., 2015; Park et al., 2019; Sgandurra et al., 2016 | Network Activities: Ahmadian et al., 2015; Bortolameotti et al., 2017; Cabaj et al., 2018; Morato et al., 2018; Wang et al., 2018 | Sandboxing: (truncated)]
Article
Ransomware attacks are often catastrophic, yet existing reactive and preventative measures could only partially mitigate ransomware damage, often not in a timely manner, and often cannot prevent the novel attack vectors. Many of them were program-centric or data-centric and did not take into consideration user intention or consent. In this paper, we advocate for a dynamic approach of detecting ransomware-like behaviors by proposing a user-centric access control framework, which collects security indicators from the Operating System (OS) to deduct security metrics, compute security indicators and estimate security positions, to dynamically make access control assessments on file access requests. To demonstrate its applicability, we effectuated the principles of User-Driven Access Control (UDAC) for user intention (the goal of a user operation) and Content-Based Isolation (CBI) for user consent (the acceptance of the consequence of a user operation), and developed a proof-of-concept prototype on Windows desktop platforms. It collected information that could reveal the application identity, behavior and the OS environmental factor, before assessing whether an access request to the file system violated the principles of UDAC or CBI. Our prototype was able to raise early warnings on both attacks by real and simulated ransomware of novel vectors.
... Maiorca et al. [14] extracted the Dalvik bytecode features present in the dex files. They analyzed invoke-type instructions which belonged to system Application Program Interface (API) packages. ...
... This section compares the accuracy of the best machine learning model (i.e., ensemble learning RF model) of the proposed framework with the existing frameworks to detect Android ransomware. Figure 8 shows that the proposed framework achieved the best accuracy (99.67%) to detect Android locker and crypto ransomware as compared to the existing System-call-based [1], DNA-DROID [12], API-based [21], and R-PackDroid [14] frameworks. ...
Article
Full-text available
With the latest developments in technology, the usage of smartphones to fulfill day-to-day requirements has increased. Android-based smartphones occupy the largest market share among mobile operating systems. Hackers are continuously keeping an eye on Android-based smartphones by creating malicious apps housed with ransomware functionality for monetary purposes. Hackers lock the screen and/or encrypt the documents of the victim’s Android-based smartphone after performing ransomware attacks. Thus, in this paper, a framework has been proposed in which we (1) utilize novel features of Android ransomware, (2) reduce the dimensionality of the features, (3) employ an ensemble learning model to detect Android ransomware, and (4) perform a comparative analysis to calculate the computational time required by machine learning models to detect Android ransomware. Our proposed framework can efficiently detect both locker and crypto ransomware. The experimental results reveal that the proposed framework detects Android ransomware by achieving an accuracy of 99.67% with the Random Forest ensemble model. After reducing the dimensionality of the features with the principal component analysis technique, the Logistic Regression model took the least time to execute on the Graphics Processing Unit (GPU) and Central Processing Unit (CPU), in 41 milliseconds and 50 milliseconds respectively.
... Maiorca et al. [208] introduced an Android ransomware attack detector using the random forest ensemble method. The proposed technique differs from previous methods, in that it utilizes extracted features from API packages to categorize applications, without needing to be familiar with user-defined content (e.g., strings) and the language used to write the application. ...
Article
Full-text available
The Industrial Internet of Things (IIoT) paradigm is a key research area derived from the Internet of Things (IoT). The emergence of IIoT has enabled a revolution in manufacturing and production, through the employment of various embedded sensing devices connected by an IoT network, along with a collection of enabling technologies, such as artificial intelligence (AI) and edge/fog computing. One of the unrivaled characteristics of IIoT is the inter-connectivity provided to industries; however, this characteristic might open the door for cyber-criminals to launch various attacks. In fact, one of the major challenges hindering the prevalent adoption of the IIoT paradigm is IoT security. Inevitably, there has been an inevitable increase in research proposals over the last decade to overcome these security concerns. To obtain an overview of this research area, conducting a literature survey of the published research is necessary, eliciting the various security requirements and their considerations. This paper provides a literature survey of IIoT security, focused on the period from 2017 to 2023. We identify IIoT security threats and classify them into three categories, based on the IIoT layer they exploit to launch these attacks. Additionally, we characterize the security requirements that these attacks violate. Finally, we highlight how emerging technologies, such as AI and edge/fog computing, can be adopted to address security concerns and enhance IIoT security.
... Malware applications were collected and processed by following the workflow depicted in Figure 4. Phone scam applications were shared with us by the Korea Internet Security Agency (KISA) and the security researcher Min-chang Jang, who has reported the collection of samples in a previous work [28]. In turn, banking and ransomware samples were obtained from the following datasets: CIC-AndMal2017 [38], CICMalDroid 2020 [39] and R-PackDroid [40]. In addition, we searched for the hash of other samples in security reports (e.g., available on Malpedia [41]) and downloaded the corresponding APK files from Koodous, a popular web repository of APK files. ...
Article
Full-text available
Android has been a constant target of cybercriminals that try to attack one of the most used operating systems, commonly using malicious applications (denominated malware) that, once installed on a device, can harm users in several ways. In this context, we propose an approach to detect Android malware consisting of a set of specific-type detectors in which each one performs a multi-stage analysis, based on rules and machine learning techniques, in different phases of the application cycle (before and after its installation). Our approach differs from state-of-the-art solutions by being non-invasive, since it leverages a process to obtain applications’ features that does not infringe licenses and terms of use of applications. In addition, according to experiments performed on a real Android smartphone, our proposal presents the following additional advantages over state-of-the-art solutions: a more efficient process to classify applications that is three times faster and requires ten times less CPU usage in some cases (saving device energy); and a better detection performance, with higher balanced accuracy, nine times fewer false positive cases, and ten times fewer false negative cases.
... Event-based approaches for ransomware detection have their limitations, as event-based techniques need prior information on the encryption used by ransomware (Maiorca, Mercaldo, Giacinto, Visaggio, & Martinelli, 2017). Similarly, event-based techniques are not enough to detect ransomware because sometimes the events may not occur, yet the ransomware has already done its damage. ...
Article
Full-text available
Ransomware is a destructive type of malware that encrypts the user's valuable data or locks the screen of the user's device, causing massive economic losses to users. Signature-based ransomware detection models struggle to detect zero-day ransomware, questioning their suitability for protecting users' files against such attacks. In this study, we propose a model that extracts eighteen useful feature vectors from the ransomware dataset. It performs classification on ransomware datasets. We utilize API call series to represent behavior-based features of ransomware. To validate the effectiveness of Random Forest, we tested 78556 ransomware and goodware files. Compared to Naive Bayes and Support Vector Machine, the testing accuracy of the proposed method is 99.57%. In the future, we will use deep learning to detect ransomware and its types at an early stage.
... The authors showed that the latter can detect ransomware in the initial stages before infection occurs, with a high precision rate and a 1.5% false negative rate. Maiorca et al. [35] proposed R-PackDroid, which is a system dedicated to detecting Android ransomware via machine learning. In fact, this system leverages API packages to achieve its goal with high accuracy. ...
Article
Full-text available
The proliferation of ransomware has become a significant threat to cybersecurity in recent years, causing significant financial, reputational, and operational damage to individuals and organizations. This paper aims to provide a comprehensive overview of the evolution of ransomware, its taxonomy, and its state-of-the-art research contributions. We begin by tracing the origins of ransomware and its evolution over time, highlighting the key milestones and major trends. Next, we propose a taxonomy of ransomware that categorizes different types of ransomware based on their characteristics and behavior. Subsequently, we review the existing research over several years in regard to detection, prevention, mitigation, and prediction techniques. Our extensive analysis, based on more than 150 references, has revealed that significant research, specifically 72.8%, has focused on detecting ransomware. However, a lack of emphasis has been placed on predicting ransomware. Additionally, of the studies focused on ransomware detection, a significant portion, 70%, have utilized Machine Learning methods. We further discuss the challenges found such as the ones related to obtaining ransomware datasets. In addition, our study uncovers a range of shortcomings in research pertaining to real-time protection and identifying zero-day ransomware. Adversarial machine learning exploitation has been identified as an under-researched area in the field. This survey is a constructive roadmap for researchers interested in ransomware research matters.
... Organizational readiness provides cybercriminals with a wealth of opportunities to exploit their targets. Therefore, in order to prevent any effort at ransomware invasion, organisations must employ the appropriate resources, build strategic plans for incident response, educate their workforce, and enforce laws and regulations that guarantee network security [15]. It has been determined that drive-by downloads account for more than 60% of ransomware attacks on victims' computers. ...
Article
Full-text available
With the changing dynamics of technology, attacking strategies are always evolving. Consequently, to defend against these evolving threats, individuals and organisations must deploy the highest levels of security in their devices and infrastructure. When it comes to discovering security holes in computer systems, ransomware is one kind of attack that never ceases to astound. Attacks using ransomware are becoming commonplace worldwide, and their main goal is to make money illegally. Emails were used to launch the attack, and spamming and phishing were then used to spread it. Files on targets are encrypted by ransomware, which also displays warnings demanding payment before the data can be decrypted. Cybercriminals are now making millions of dollars a year from it, and corporations are facing a very significant threat that might result in billions of dollars in losses. Many studies, including surveys that cover certain parts of ransomware research, were suggested to combat the ransomware problem. In this literature the author provides a comprehensive overview of ransomware and ransomware defence research with regard to the variety of platforms that it targets. Understanding ransomware and examining defence mechanisms with regard to target platforms is becoming more crucial because ransomware is already common in PCs, workstations, desktops, and laptops, is becoming more common in mobile devices, has already affected IoT/CPS, and will likely spread further in the IoT/CPS domain very soon. It is imperative to find a solution for ransomware in cloud environments since more and more applications are being hosted in these environments. Software as a service is very popular because of its ease of use and cheap price, so in all such applications security is a major concern.
The results of our investigations illustrate the operation of ransomware in a manner familiar to both academics and those with experience in the field, including practitioners and those who have dealt with the threat firsthand. To conclude our study, we developed a minimal proof-of-concept approach to risk assessment using information provided by the target entity.
... API dependency [21] and Android's evaluations and effectiveness, the researchers proposed various techniques such as DroidSIFT [22]. Maiorca et al. [23] proposed a scheme that detects ransomware by extracting information from API packages, using the R-PackDroid method. R-PackDroid accurately categorized apps without knowing their content (language or strings). ...
Article
Android is the most popular mobile operating system, making it the main target of malware attacks. Machine learning-based attack detection techniques have recently emerged as promising methods that rely heavily on particular features to classify malware. Despite machine learning-based malware detectors having hundreds of features, attackers can use feature-related expertise to generate malware variants to avoid detection. Therefore, the Android security team must constantly develop novel features to detect suspicious attacks. This paper proposes a novel malware detection method called Droid-MCFG that combines the Android features of manifest and Control Flow Graph (CFG). First, reverse engineering tools are used to mine manifest files and Java source codes from Android Package Kit (APK). Second, to represent Android apps with elevated features, we develop a feature selection method that retrieves API calls and API sequences from CFGs. The API calls and manifest information are then combined to produce digital fingerprints of Android app actions. Third, a transfer learning approach based on word2vec is developed to extract trained features from digital fingerprints. To thoroughly analyze the novel features, the word2vec is fine-tuned with random, static, and dynamic strategies. Finally, the multi-head Temporal Convolutional Network (TCN) is designed to identify malware based on fine-tuned features. The TCN employs causal convolutions and dilations due to its temporality and broad receptive fields, making it very responsive to API-call sequences and malware activities in the manifest file. The proposed method achieves a classification accuracy of 96.24% using the CICInvesAndMal2019 dataset.
... It has been observed from the literature work that most of the techniques [31] can either only observe System/API calls [33], [34], [39], file operations [35], processor usage [30], or registry activities [40]. Some of the studies are based on static analysis [29] whereas other proposed techniques mainly focus on dynamic analysis for classification. ...
Preprint
Full-text available
Smart autonomous vehicles (AVs) are networks of cyber physical systems (CPS) in which they wirelessly communicate with other CPS sub-systems (e.g., smart-vehicles and smart-devices) to efficiently and securely plan safe travel. Due to unreliable wireless communication among them, such vehicles are an easy target of malware attacks that may compromise vehicles’ autonomy, increase inter-vehicle communication latency, and drain vehicles’ power. Such compromises may result in traffic congestion, threaten the safety of passengers, and can result in financial loss. Therefore, real-time detection of such attacks is key to safe smart transportation and Intelligent Transport Systems (ITS). Current approaches either employ static analysis or dynamic analysis techniques to detect such attacks. However, these approaches may not detect malware in real-time because of zero-day attacks and huge computational resources. Therefore, we introduce a hybrid approach that combines the strength of both analyses to efficiently detect malware for the privacy of smart-cities.
... Several research studies have been conducted to detect, prevent and classify ransomware families based on static and dynamic analysis, each of which considers different aspects to circumvent such incursions (Ahmed et al., 2020;Akbanov et al., 2019;Al-rimy et al., 2019;Andronio et al., 2015;Chen & Bridges, 2017;Cimitile et al., 2018;Continella et al., 2016;Gómez-Hernández et al., 2018;Hampton et al., 2018;Homayoun et al., 2017;Maiorca et al., 2017;Mehnaz et al., 2018;Morato et al., 2018;Scalas et al., 2019;Xiaofeng et al., 2019;Xu et al., 2017;Zhang et al., 2019). However, despite the high importance of this cyber resource hijacking, no common knowledge base of extortionate malware, especially ransomware, is available. ...
Article
With the COVID-19 pandemic and the growing influence of the Internet in critical sectors of industry and society, cyberattacks have not only not declined, but have risen sharply. In the meantime, ransomware is at the forefront of the most devastating threats that have launched the lucrative illegal business. Due to the proliferation and variety of ransomware forays, there is a need for a new theory of categories. The intricacy and multiplicity of components involved in digital extortions entails the construction of a knowledge representation system that is able to organize large volumes of information from heterogeneous sources in a formal structured format and infer new knowledge from it. This paper suggests and develops a dedicated ontology of digital blackmails, called Rantology, with a particular focus on ransomware assaults. The logic coded in this ontology allows to assess the maliciousness of programs based on various factors, including called API functions and their behaviors. The proposed framework can be used to facilitate interoperability between cybersecurity experts and knowledge-based systems, and identify sensitive points for surveillance. The evaluation results based on several criteria confirm the adequacy of the suggested ontology in terms of clarity, modularity, consistency, coverage and inheritance richness.
... Ransomware takes over the victim's device, and blocks or encrypts the data, therefore, preventing the victim from using the device. The victim can get back to using the device or its data only if ransom is paid [4]. Ransomware made history in 2020 as it contributed to the first reported death related to a cyber-attack, when a German hospital was attacked by ransomware, causing a lock out of their systems and preventing treatment of patients. ...
Research
Full-text available
Every day, there is great growth of the Internet and smart devices connected to the network. Additionally, there is an increasing number of malware samples that attack networks, devices, systems and applications. One of the biggest threats and newest attacks in cybersecurity is Ransom Software (Ransomware). Although there is a lot of research on detecting malware using machine learning (ML), only a few focus on ML-based ransomware detection, especially attacks targeting smartphone operating systems (e.g., Android) and applications. In this research, a new system was proposed to protect smartphones from malicious applications through monitoring network traffic. Six ML methods (Random Forest (RF), k-Nearest Neighbors (k-NN), Multi-Layer Perceptron (MLP), Decision Tree (DT), Logistic Regression (LR), and eXtreme Gradient Boosting (XGB)) are applied to the CICAndMal2017 dataset, which consists of benign and various kinds of Android malware samples. 603288 benign and ransomware samples were extracted from this collection. Ransomware samples were collected from 10 different families. Several types of feature selection techniques have been used on the dataset. Finally, seven performance metrics were used to determine the best feature selection and ML classifiers for ransomware detection. The experiment results imply that DT and XGB outperform other classifiers, with the best detection accuracy of more than 99.30% and 99.20% for DT and XGB respectively.
... Researchers focused on process anomaly detection to enhance their detection rate. The technique discussed in the paper uses Windows API calls [21,22,23], I/O Request Packet (IRP) logs, file system operations, the set of operations performed per file extension, directory operations, dropped files, registry key operations, and strings [24,25,26,27,28] for detection. Researchers recorded artefacts like folder listing, files written, files renamed, files read, write entropy, and file type coverage as file system activities [27]. ...
Preprint
Full-text available
The current pandemic situation has increased cyber-attacks drastically worldwide. The attackers are using malware like trojans, spyware, rootkits, worms, and ransomware heavily. Ransomware is the most notorious malware, yet we do not have any defensive mechanism to prevent or detect a zero-day attack. Most defensive products in the industry rely on either signature-based mechanisms or traffic-based anomaly detection. Therefore, researchers are adopting machine learning and deep learning to develop a behaviour-based mechanism for detecting malware. Though we have some hybrid mechanisms that perform static and dynamic analysis of executables for detection, we do not have any foolproof detection proof of concept which can be used to develop a foolproof product specific to ransomware. In this work, we have developed a proof of concept for ransomware detection using machine learning models. We have done a detailed analysis and compared efficiency between several machine learning models like decision tree, random forest, KNN, SVM, XGBoost and Logistic Regression. We obtained 98.21% accuracy and evaluated various metrics like precision, recall, TP, TN, FP, and FN.
... Few authors have tried to present solutions for mobile malware detection [2,6,15]. They attempt to identify applications that encrypt data without consent of the user. ...
Article
Full-text available
Cloud computing has become one of the most preferred solutions for enterprises to implement and extend various enterprise applications. The importance of virtual servers in cloud computing makes them a lucrative target among attackers. Current security mechanisms can be circumvented by malware present on the same machine. This paper presents an approach for reliable ransomware detection on an enterprise’s private cloud. It captures the volatile memory state of virtual machines and extracts a valuable set of RAM, file system and network features after execution of benign and malicious samples. Further, feature selection and machine learning techniques are applied to these extracted features for determining the effectiveness of the proposed set of features. The proposed methodology is evaluated in four extensive experiments and the results depict that it can differentiate between benign and ransomware samples. The Random Forest classifier performed best in all experiment setups in comparison to all other classifiers. The proposed methodology can effectively serve as a basis for detecting infection in enterprise virtual machines.
... The experiments were run on an Intel(R) Xeon(R) CPU E5-2683 v4 2.1 GHz with 64 GB RAM with GeForce RTX 2080 TI GPU. The dataset for the experiments consisted of ∼73K benign apps from the Google Play Market [1] (obtained from Androzoo [85]) and ∼6K malicious apps from the Drebin dataset [86], [4], [5], [87], [88], [89], [90]. To account for variations in the dataset, a 5-fold CV was used. ...
Preprint
Full-text available
Android malware is a continuously expanding threat to billions of mobile users around the globe. Detection systems are updated constantly to address these threats. However, a backlash takes the form of evasion attacks, in which an adversary changes malicious samples such that those samples will be misclassified as benign. This paper fully inspects a well-known Android malware detection system, MaMaDroid, which analyzes the control flow graph of the application. Changes to the portion of benign samples in the train set and to the models are considered to see their effect on the classifier. The changes in the ratio between benign and malicious samples have a clear effect on each one of the models, resulting in a decrease of more than 40% in their detection rate. Moreover, additional ML models are implemented as well, including 5-NN, Decision Tree and Adaboost. Exploration of the six models reveals a typical behavior in different cases for tree-based models and distance-based models. Moreover, three novel attacks that manipulate the CFG and their detection rates are described for each one of the targeted models. The attacks decrease the detection rate of most of the models to 0%, with regard to different ratios of benign to malicious apps. As a result, a new version of MaMaDroid is engineered. This model fuses the CFG of the app and static analysis of features of the app. This improved model is proved to be robust against evasion attacks targeting both CFG-based models and static analysis models, achieving a detection rate of more than 90% against each one of the attacks.
... Machine Learning-Based Detection Via Structural Features: In terms of the ML-based ransomware detection systems for mobile devices using structural features, researchers used API packages [19,126], classes, and methods [159], permissions [20], opcodes in native instruction formats [115], grey-scale images of mobile application source codes [95], and structural entropy of mobile applications [56] to build and evaluate various ML classifiers. ...
Article
Full-text available
In recent years, ransomware has been one of the most notorious malware targeting end-users, governments, and business organizations. It has become a very profitable business for cybercriminals with revenues of millions of dollars, and a very serious threat to organizations with financial loss of billions of dollars. Numerous studies were proposed to address the ransomware threat, including surveys that cover certain aspects of ransomware research. However, no study exists in the literature that gives the complete picture on ransomware and ransomware defense research with respect to the diversity of targeted platforms. Since ransomware is already prevalent in PCs/workstations/desktops/laptops, is becoming more prevalent in mobile devices, and has already hit IoT/CPS recently, and will likely grow further in the IoT/CPS domain very soon, understanding ransomware and analyzing defense mechanisms with respect to target platforms is becoming more imperative. In order to fill this gap and motivate further research, in this paper, we present a comprehensive survey on ransomware and ransomware defense research with respect to PCs/workstations, mobile devices, and IoT/CPS platforms. Specifically, covering 137 studies over the period of 1990-2020, we give a detailed overview of ransomware evolution, comprehensively analyze the key building blocks of ransomware, present a taxonomy of notable ransomware families, and provide an extensive overview of ransomware defense research (i.e., analysis, detection, and recovery) with respect to platforms of PCs/workstations, mobile devices, and IoT/CPS. Moreover, we derive an extensive list of open issues for future ransomware research. We believe this survey will motivate further research by giving a complete picture on state-of-the-art ransomware research.
... Ransomware takes over the victim's device and blocks or encrypts the data, thereby preventing the victim from using the device. The victim can get back to using the device or its data only if the ransom is paid [4]. Ransomware made history in 2020 as it contributed to the first reported death related to a cyber-attack, when a German hospital was attacked by ransomware, causing a lockout of its systems and preventing treatment of patients. ...
... It can also detect multiple variants of ransomware. Reference [11] built a static model called R-PackDroid, which was a lightweight solution implemented on the user's device itself. Its functionality was to extract and analyze the application packages from the apk files. ...
Article
Full-text available
Ransomware is a special malware designed to extort money in return for unlocking the device and personal data files. Smartphone users store their personal as well as official data on these devices. Ransomware attackers found it bewitching for their financial benefits. The financial losses due to ransomware attacks are increasing rapidly. Recent studies witness that, out of 87% of reported cyber-attacks, 41% are due to ransomware attacks. The inability of application-signature-based solutions to detect unknown malware has inspired many researchers to build automated classification models using machine learning algorithms. Advanced malware is capable of delaying malicious actions on sensing an emulated environment, hence posing a challenge to dynamic monitoring of applications as well. Existing hybrid approaches utilize a variety of feature combinations for detection and analysis. The rapidly changing nature and distribution strategies are possible reasons behind the deteriorated performance of primitive ransomware detection techniques. The limitations of existing studies include ambiguity in selecting the feature set. Increasing the feature set may give adept attackers freedom against learning algorithms. In this work, we intend to propose a hybrid approach to identify and mitigate Android ransomware. This study employs a novel dominant feature selection algorithm to extract the dominant feature set. The experimental results show that our proposed model can differentiate between clean and ransomware applications with improved precision. Our proposed hybrid solution confirms an accuracy of 99.85% with zero false positives while considering 60 prominent features. Further, it also justifies the feature selection algorithm used. The comparison of the proposed method with the existing frameworks indicates its better performance.
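The citing works above describe R-PackDroid as a lightweight static model that characterises an app by the API packages it uses, so that ransom-note language and obfuscated class names do not enter the features. The script below is an added illustration of that idea, not code from R-PackDroid or from any paper listed on this page. It assumes (hypothetically) that the input is the list of Dalvik method references a disassembler such as baksmali or androguard prints for classes.dex; it maps each reference to its owner package, keeps only Android/Java API packages, builds a frequency vector over a small hand-picked package vocabulary, and classifies it. The samples, the 13-package vocabulary and the nearest-centroid classifier are constructed stand-ins for the paper's dataset, full API package list and random forest.

```python
"""Characterising an Android app by the system API packages it calls.

Added illustration, not code from R-PackDroid or any paper on this page.
Input is assumed (hypothetically) to be the Dalvik method references that a
disassembler such as baksmali or androguard lists for classes.dex, e.g.
"Landroid/app/admin/DevicePolicyManager;->lockNow()V".  Only references into
Android/Java API packages become features; user-defined or obfuscated classes
and all strings (ransom notes in any language) are ignored.  The samples and
the nearest-centroid classifier are a constructed stand-in for the paper's
dataset and random forest.
"""
from collections import Counter
import math
import re

SYSTEM_PREFIXES = ("android.", "java.", "javax.", "dalvik.")  # API namespaces
PACKAGES = [  # feature columns: hand-picked subset of API packages (assumption)
    "android.app", "android.app.admin", "android.content", "android.os",
    "android.telephony", "android.view", "android.widget", "android.net",
    "java.io", "java.lang", "java.util", "javax.crypto", "java.security",
]
_METHOD_REF = re.compile(r"^L([^;]+);->")  # owner class of "Lpkg/Cls;->m(args)ret"


def package_of(method_ref):
    """Package of the method's owner class, or None if that class is not a
    system API class (user code, obfuscated names such as La/a/a;)."""
    m = _METHOD_REF.match(method_ref)
    if not m:
        return None
    cls = m.group(1).replace("/", ".")
    pkg = cls.rsplit(".", 1)[0]  # drop the class name; Outer$Inner stays in one package
    return pkg if pkg.startswith(SYSTEM_PREFIXES) else None


def feature_vector(method_refs):
    """Relative frequency of each PACKAGES entry among the app's API calls."""
    counts = Counter(p for p in map(package_of, method_refs) if p)
    total = sum(counts[p] for p in PACKAGES) or 1
    return [counts[p] / total for p in PACKAGES]


# Constructed training set (not real apps): references typical of each class.
TRAINING = {
    "benign": [
        ["Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V",
         "Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V",
         "Landroid/view/View;->findViewById(I)Landroid/view/View;",
         "Ljava/util/ArrayList;->add(Ljava/lang/Object;)Z",
         "Landroid/content/Intent;->putExtra(Ljava/lang/String;Ljava/lang/String;)Landroid/content/Intent;"],
        ["Landroid/app/Activity;->setContentView(I)V",
         "Landroid/widget/ListView;->setAdapter(Landroid/widget/ListAdapter;)V",
         "Landroid/view/LayoutInflater;->inflate(ILandroid/view/ViewGroup;)Landroid/view/View;",
         "Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;",
         "Ljava/util/HashMap;->get(Ljava/lang/Object;)Ljava/lang/Object;"],
    ],
    "malware": [  # SMS-trojan style
        ["Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;",
         "Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V",
         "Landroid/content/BroadcastReceiver;->abortBroadcast()V",
         "Landroid/os/Handler;->postDelayed(Ljava/lang/Runnable;J)Z",
         "Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;"],
        ["Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
         "Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;",
         "Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo;",
         "Landroid/os/SystemClock;->sleep(J)V",
         "Landroid/app/Service;->onStartCommand(Landroid/content/Intent;II)I",
         "La/b/c;->d()V"],  # obfuscated app class: contributes nothing
    ],
    "ransomware": [  # locker / crypto style
        ["Landroid/app/admin/DevicePolicyManager;->lockNow()V",
         "Landroid/app/admin/DevicePolicyManager;->resetPassword(Ljava/lang/String;I)Z",
         "Landroid/view/WindowManager;->addView(Landroid/view/View;Landroid/view/ViewGroup$LayoutParams;)V",
         "Ljavax/crypto/Cipher;->doFinal([B)[B",
         "Ljava/io/FileOutputStream;->write([B)V",
         "Lru/locker/Main;->showNote()V"],  # the ransom note is a string, never a feature
        ["Landroid/app/admin/DevicePolicyManager;->isAdminActive(Landroid/content/ComponentName;)Z",
         "Landroid/view/WindowManager$LayoutParams;-><init>(IIIII)V",
         "Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;",
         "Ljavax/crypto/Cipher;->init(ILjava/security/Key;)V",
         "Ljava/security/SecureRandom;->nextBytes([B)V"],
    ],
}


def fit(samples):
    """One centroid per label (stand-in for the paper's random forest)."""
    centroids = {}
    for label, apps in samples.items():
        vecs = [feature_vector(app) for app in apps]
        centroids[label] = [sum(col) / len(vecs) for col in zip(*vecs)]
    return centroids


MODEL = fit(TRAINING)


def classify(method_refs, model=MODEL):
    """Label an app's method references as benign, malware or ransomware."""
    v = feature_vector(method_refs)
    return min(model, key=lambda label: math.dist(v, model[label]))
```

Because only the owner package of each call survives, renaming classes, repackaging the app or translating the ransom note leaves the vector unchanged, which is the property the package-level approach buys. The corresponding blind spot is that static extraction only sees references present in the dex: APIs reached through reflection or through a payload loaded at run time, as the obfuscation and dynamic-loading works cited on this page describe, never appear in the counts, so a practitioner treats heavy use of java.lang.reflect or dalvik.system class loaders as a signal in its own right or pairs the static features with dynamic analysis.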
Research
Full-text available
Network Packet Sniffing
Chapter
This chapter investigates the potential of deep learning architectures for Android malware detection, specifically convolutional neural networks (CNNs) using natural language processing (NLP) concepts. The proposed solution is based on static analysis of raw opcode sequences from disassembled programs and other complementary features such as API calls and permissions, with features indicative of malware automatically learned by the network. This removes the need for hand-engineered malware features while performing classification. Using the Drebin and AMD benchmark datasets, the benefits of this multi-view architecture to combine multiple feature sources are demonstrated in our findings. We conclude that the use of deep learning architectures enables state-of-the-art results in automatic malware detection, while reducing the dependency on feature engineering and domain expertise. Using multi-view compared to single-view architectures improves performance through exposure to simultaneous sources of information, learning a more effective set of features. The model achieves state-of-the-art detection performance in a challenging zero-day scenario, reducing false positives by 77% in relative terms on average, an important metric for potential real-world deployment.
Chapter
As the threat landscape continues to evolve, users are becoming less aware, ignorant, or negligent, putting their confidential data at risk. Users easily fall prey to socially engineered ransomware attacks that encrypt and lock a computer or mobile device, holding it hostage unless a ransom is paid. The cryptoware encrypts data securely, making it almost impossible for anyone except the hacker to unlock the device. This research conducts a systematic review to identify methods for executing socially engineered ransomware attacks. Using a CRI framework, 122 studies were synthesized from 3209 research articles highlighting gaps in identifying and analyzing attack vectors, as well as the need for a holistic approach to ransomware with behavioural control as part of the solution. Human vulnerability was found to be a critical point of entry for miscreants seeking to spread ransomware. This review will be useful in developing control models that will educate organisations and security professionals to focus on adopting human-centered solutions to effectively counter ransomware attacks.
Article
Security plays an extremely important role for users in the era of Digital India, the Internet and the IoT. Every user is now getting access to data and moving towards digitization in today's world. Because information is transferred everywhere in the organization and vast amounts of knowledge are processed, it faces numerous cyber-malware problems. Various sectors are adopting more technology to improve communications and infrastructure, and the cyber threat to these networks is growing in parallel. Ransomware is one class of cyber-malware; when it spreads, it locks the machine and encrypts it. Its impact takes various forms, such as confidential data theft, data misuse and unauthorized access. The goal of this paper is to explore methods to counter ransomware attacks. This paper provides an understanding of cyber-malware, why cyber-malware is chosen as ransomware, and the attack process of cyber-malware.
Article
The use of smartphone devices in healthcare has increased manifold due to their widespread use and ease of integration with Internet of Things (IoT) based medical devices. In healthcare, either in in-home observation or in a hospital scenario, the medical sensors use certain local communication devices to share the measured vital signs with a fog/cloud-based medical system. The large user community of Android devices has also brought some serious challenges, such as potential malicious attacks. For the past few years, ransomware attacks on healthcare have been increasing dramatically, posing several challenges. Therefore, an effective ransomware detection mechanism is needed to protect critical assets such as healthcare data, patients' private data, etc. In this work, a novel hybrid ransomware detection method is proposed that analyzes image data, text and application code to extract plain or encrypted threat text. Threatening text is a potential tool and could be one of the most effective features for ransomware detection. Our proposed hybrid approach utilizes both static and dynamic analysis and uses multiple machine-learning classifier models. The proposed approach also provides a family classification of ransomware. Experimental results show that the proposed approach achieves up to 94% accuracy and fewer false negatives.
Book
This book includes high quality research papers presented at the International Conference on Communication, Computing and Electronics Systems 2021, held at the PPG Institute of Technology, Coimbatore, India, on 28-29 October 2021. The volume focuses mainly on the research trends in cloud computing, mobile computing, artificial intelligence and advanced electronics systems. The topics covered are automation, VLSI, embedded systems, optical communication, RF communication, microwave engineering, artificial intelligence, deep learning, pattern recognition, communication networks, Internet of Things, cyber-physical systems, and healthcare informatics.
Chapter
The usage of Android smartphones is rapidly increasing. Users are unaware of the malware activities which may target their mobile phones. This paper focuses on a particular kind of malware named ransomware that has turned out to be a massive security threat to end-users, large organizations and enterprises. In recent times, locker ransomware has been wreaking havoc in Android families. Locker ransomware blackmails victims for ransom by forcibly locking their devices. We propose a model based on dynamic analysis to detect locker ransomware variants using foreground analysis.
Keywords: Ransomware detection; Android; Dynamic analysis; Foreground analysis; Locker ransomware
Article
The detection mechanism provided by current antimalware is the so-called signature-based one, requiring that a threat be widespread before it is recognised by the antimalware. Even if a malware is correctly recognized, by applying even trivial obfuscation techniques it is really easy to bypass the antimalware detection mechanism. In this paper we propose a method to detect whether an Android application is obfuscated with the call indirection obfuscation technique by exploiting formal equivalence checking. In the experimental analysis we show the effectiveness of the proposed approach for call indirection obfuscation detection, using two obfuscation tools.
Article
Ransomware is a growing concern in business and government because it causes immediate financial damage or loss of important data. There is a way to detect and block ransomware in advance, but evolved ransomware can still attack while avoiding detection. Another alternative is to back up the original data. However, existing backup solutions can be under the control of ransomware, and backup copies can be destroyed by ransomware. Moreover, backup methods incur storage and performance overhead. In this paper, we propose AMOEBA, a device-level backup solution that does not require additional storage for backup. AMOEBA is armed with (i) a hardware accelerator to run content-based detection algorithms for ransomware detection at high speed and (ii) a fine-grained backup control mechanism to minimize space overhead for data backup. For evaluation, we not only implemented AMOEBA using the Microsoft SSD simulator, but also prototyped it on the OpenSSD platform. Our extensive evaluations with real ransomware workloads show that AMOEBA has high ransomware detection accuracy with negligible performance overhead.
Preprint
Full-text available
Android malware is one of the most dangerous threats on the internet, and it has been on the rise for several years. Despite significant efforts in detecting and classifying Android malware and distinguishing it from innocuous Android applications, there is still a long way to go. As a result, there is a need to provide a basic understanding of the behavior displayed by the most common Android malware categories and families. Each Android malware family and category has a distinct objective. As a result, it has impacted every corporate area, including healthcare, banking, transportation, government and e-commerce. In this paper, we present two machine-learning approaches for dynamic analysis of Android malware: one for detecting and identifying Android malware categories and the other for detecting and identifying Android malware families, which was accomplished by analyzing a massive malware dataset with 14 prominent malware categories and 180 prominent malware families of the CCCS-CIC-AndMal2020 dataset on dynamic layers. Our approach achieves more than 96% accuracy in Android malware category detection and more than 99% accuracy in Android malware family detection. Our approach provides a method for high-accuracy dynamic analysis of Android malware while also shortening the time required to analyze smartphone malware.
Conference Paper
Full-text available
Although Machine Learning (ML) based approaches have shown promise for Android malware detection, a set of critical challenges remain unaddressed. Some of those challenges arise in relation to proper evaluation of the detection approach while others are related to the design decisions of the same. In this paper, we systematically study the impact of these challenges as a set of research questions (i.e., hypotheses). We design an experimentation framework where we can reliably vary several parameters while evaluating ML-based Android malware detection approaches. The results from the experiments are then used to answer the research questions. Meanwhile, we also demonstrate the impact of some challenges on some existing ML-based approaches. The large (market-scale) dataset (benign and malicious apps) we use in the above experiments represents the real-world Android app security analysis scale. We envision this study to encourage the practice of employing a better evaluation strategy and better designs of future ML-based approaches for Android malware detection.
Conference Paper
Full-text available
Due to its popularity and open-source nature, Android is the mobile platform that has been targeted the most by malware that aims to steal personal information or to control the users' devices. More specifically, mobile botnets are malware that allow an attacker to remotely control the victims' devices through different channels like HTTP, thus creating malicious networks of bots. In this paper, we show how it is possible to effectively group mobile botnet families by analyzing the HTTP traffic they generate. To do so, we create malware clusters by looking at specific statistical information related to the HTTP traffic. This approach also allows us to extract signatures with which it is possible to precisely detect new malware that belongs to the clustered families. Contrary to x86 malware, we show that using fine-grained HTTP structural features does not increase detection performance. Finally, we point out how the HTTP information flow among mobile bots contains more information when compared to the one generated by desktop ones, allowing for a more precise detection of mobile threats.
Conference Paper
Full-text available
Malicious applications pose a threat to the security of the Android platform. The growing amount and diversity of these applications render conventional defenses largely ineffective and thus Android smartphones often remain unprotected from novel malware. In this paper, we propose DREBIN, a lightweight method for detection of Android malware that enables identifying malicious applications directly on the smartphone. As the limited resources impede monitoring applications at run-time, DREBIN performs a broad static analysis, gathering as many features of an application as possible. These features are embedded in a joint vector space, such that typical patterns indicative for malware can be automatically identified and used for explaining the decisions of our method. In an evaluation with 123,453 applications and 5,560 malware samples DREBIN outperforms several related approaches and detects 94% of the malware with few false alarms, where the explanations provided for each detection reveal relevant properties of the detected malware. On five popular smartphones, the method requires 10 seconds for an analysis on average, rendering it suitable for checking downloaded applications directly on the device.
Article
Full-text available
The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.
Conference Paper
The recent past has shown that Android smartphones have become the most popular target for malware authors. Malware families offer a variety of features that allow, among others, to steal arbitrary data and to cause significant monetary losses. These circumstances led to the development of many different analysis methods aimed at assessing the absence of potential harm or malicious behavior in mobile apps. In return, malware authors devised more sophisticated methods to write mobile malware that attempts to thwart such analyses. In this work, we briefly describe the assumptions analysis tools rely on to detect malicious content and behavior. We then present results of a new obfuscation framework that aims to break such assumptions, thus modifying Android apps to avoid them being analyzed by the targeted systems. We use our framework to evaluate the robustness of static and dynamic analysis systems for Android apps against such transformations.
Article
Smartphones are becoming more and more popular and, as a consequence, malware writers are increasingly engaged in developing new threats and propagating them through official and third-party markets. In addition to the propagation vectors, malware is also quickly evolving the techniques adopted for infecting victims and hiding its malicious nature from antimalware scanning. From SMS Trojans to legitimate applications repackaged with a malicious payload, from AES-encrypted root exploits to the dynamic loading of a payload retrieved from a remote server: malicious code is becoming harder and harder to detect.
Conference Paper
In ransomware attacks, the actual target is the human, as opposed to the classic attacks that abuse the infected devices (e.g., botnet renting, information stealing). Mobile devices are by no means immune to ransomware attacks. However, there is little research work on this matter and only traditional protections are available. Even state-of-the-art mobile malware detection approaches are ineffective against ransomware apps because of the subtle attack scheme. As a consequence, the ample attack surface formed by the billion mobile devices is left unprotected. First, in this work we summarize the results of our analysis of the existing mobile ransomware families, describing their common characteristics. Second, we present HelDroid, a fast, efficient and fully automated approach that recognizes known and unknown scareware and ransomware samples from goodware. Our approach is based on detecting the “building blocks” that are typically needed to implement a mobile ransomware application. Specifically, HelDroid detects, in a generic way, if an app is attempting to lock or encrypt the device without the user’s consent, and if ransom requests are displayed on the screen. Our technique works without requiring that a sample of a certain family is available beforehand. We implemented HelDroid and tested it on real-world Android ransomware samples. On a large dataset comprising hundreds of thousands of APKs including goodware, malware, scareware, and ransomware, HelDroid exhibited nearly zero false positives and the capability of recognizing unknown ransomware samples.
Article
In order to effectively evade anti-malware solutions, Android malware authors are progressively resorting to automatic obfuscation strategies. Recent works have shown, on small-scale experiments, the possibility of evading anti-malware engines by applying simple obfuscation transformations on previously detected malware samples. In this paper, we provide a large-scale experiment in which the detection performances of a high number of anti-malware solutions are tested against two different sets of malware samples that have been obfuscated according to different strategies. Moreover, we show that anti-malware engines search for possible malicious content inside assets and entry-point classes. We also provide a temporal analysis of the detection performances of anti-malware engines to verify if their resilience has improved since 2013. Finally, we show how, by manipulating the area of the Android executable that contains the strings used by the application, it is possible to deceive anti-malware engines so that they will identify legitimate samples as malware. On one hand, the attained results show that anti-malware systems have improved their resilience against trivial obfuscation techniques. On the other hand, more complex changes to the application executable have proved to be still effective against detection. Thus, we claim that a deeper static (or dynamic) analysis of the application is needed to improve the robustness of such systems.
Conference Paper
Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long term effectiveness of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats and its increasing complexity has resulted in vulnerabilities that are being exploited by malware. This paper advocates a new model for malware detection on end hosts based on providing antivirus as an in-cloud network service. This model enables identification of malicious and unwanted software by multiple, heterogeneous detection engines in parallel, a technique we term 'N-version protection'. This approach provides several important benefits including better detection of malicious software, enhanced forensics capabilities, retrospective detection, and improved deployability and management. To explore this idea we construct and deploy a production quality in-cloud antivirus system called CloudAV. CloudAV includes a lightweight, cross-platform host agent and a network service with ten antivirus engines and two behavioral detection engines. We evaluate the performance, scalability, and efficacy of the system using data from a real-world deployment lasting more than six months and a database of 7220 malware samples covering a one year period. Using this dataset we find that CloudAV provides 35% better detection coverage against recent threats compared to a single antivirus engine and a 98% detection rate across the full dataset. We show that the average length of time to detect new threats by an antivirus engine is 48 days and that retrospective detection can greatly minimize the impact of this delay. Finally, we relate two case studies demonstrating how the forensics capabilities of CloudAV were used by operators during the deployment.