Understanding Ransomware Actions Through Behavioral Feature Analysis

Authors

DOI:

https://doi.org/10.14209/jcis.2022.7

Abstract

Crypto ransomware attacks have substantially increased in recent years, and owing to their highly profitable  nature, this growth will evidently escalate in the future. To better understand this malware and help developers of ransomware detection systems build more robust and reliable solutions, this study investigates ransomware actions during the destruction phase through behavioral feature analysis. We used a dataset with 1524 samples and 30 967 features representing the actions conducted using 582 types of ransomware and 942 good applications (goodware). Six representative and widely used classification algorithms were applied as auxiliary tools to investigate the behavior of these attacks: Naive Bayes (NB), K-Nearest Neighbors (KNN), Logistic Regression (LR), Random Forest (RF), Stochastic Gradient Descent (SGD), and Support Vector Machine (SVM). We achieved an accuracy of 98.48%, balanced accuracy of 98.35%, precision of 98.17%, recall of 97.82%, F-measure of 97.98%, and ROC AUC of 99.87% by using RF for 462 features of the resultant dataset. We propose a new criterion to determine the feature group relevance and a method to distinguish the features that are most related to ransomware and goodware. Our main conclusions are as follows: Application Programming Interface (API) calls are the most relevant feature group, achieving alone a balanced accuracy of 96.49%; native encryption Windows APIs are not crucial for ransomware classification; and the most significant features of ransomware tend to involve handling the thread/process, physical memory operation, and communication, whereas goodware features are more likely to indicate virtual memory, files, directories, and resource operations.

Downloads

Download data is not yet available.

Author Biographies

Caio Carvalho Moreira, Federal University of Pará (UFPA)

caio.png

Caio Carvalho Moreira received the M.Sc. degree in electrical engineering from the Federal University of Pará (UFPA), Belém, Pará, Brazil, in 2013. He served as a Computer System Analyst at the Brazilian Air Force from 2013 to 2017. He is currently a Ph.D. student in the Electrical Engineering Graduate Program at UFPA. His contemporary research addresses machine learning techniques applied to network and system security, specifically, ransomware detection.

Claudomiro de Souza de Sales, Jr., Federal University of Pará (UFPA)

claudomiro.png

Claudomiro de Souza de Sales, Jr. received the Ph.D. in electrical engineering from the Federal University of Pará (UFPA), Belém, Pará, Brazil, in 2009. Since 2010, he has been with UFPA, where he is currently with the Computer Science Department and Electrical Engineering and Computer Science Graduate Programs. He is involved in developing new dimension reduction and data visualization techniques, applying machine learning algorithms for ransomware detection and bioinformatics, and developing new metaheuristics and variants for PSO and genetic algorithms.

Davi Carvalho Moreira, Federal University of Pará (UFPA)

davi.png

Davi Carvalho Moreira received the Ph.D. in electrical engineering from the Federal University of Pará (UFPA), Belém, Pará, Brazil, in 2021. Since 2005, he has been with the Electrical Center of North Brazil, Tucuruí, Pará, Brazil, where he is currently with the HPP Tucuruí in the Electrical Maintenance Department. He has experience in the operation of hydroelectric plants, maintenance planning, equipment design/specifications, and maintenance of generators, transformers, and gas insulated substations.

Downloads

Published

2022-03-10

How to Cite

Moreira, C. C., Sales, Jr., C. de S. de, & Moreira, D. C. (2022). Understanding Ransomware Actions Through Behavioral Feature Analysis. Journal of Communication and Information Systems, 37(1), 61–76. https://doi.org/10.14209/jcis.2022.7

Issue

Vol. 37 No. 1 (2022)

Section

Regular Papers

License

Authors who publish in this journal agree to the following terms:

  1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a CC BY-NC 4.0 (Attribution-NonCommercial 4.0 International) that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.
  2. Authors can enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgment of its initial publication in this journal.
  3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) before and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).

___________

Received 2021-10-22
Accepted 2022-03-07
Published 2022-03-10