Addressing Behavioral Drift in Ransomware Early Detection Through Weighted Generative Adversarial Networks

Umara Urooj; Bander Ali Saleh Al-Rimy; Anazida Binti Zainal; Faisal Saeed; Abdelzahir Abdelmaboud; Wamda Nagmeldin

doi:10.1109/ACCESS.2023.3348451

IEEE Access (Jan 2024)

Addressing Behavioral Drift in Ransomware Early Detection Through Weighted Generative Adversarial Networks

Umara Urooj,
Bander Ali Saleh Al-Rimy,
Anazida Binti Zainal,
Faisal Saeed,
Abdelzahir Abdelmaboud,
Wamda Nagmeldin

Affiliations

Umara Urooj: ORCiD; Department of Computer Science, Faculty of Computing, Universiti Teknologi Malaysia, Johor Bahru, Johor, Malaysia
Bander Ali Saleh Al-Rimy: ORCiD; Department of Computer Science, Faculty of Computing, Universiti Teknologi Malaysia, Johor Bahru, Johor, Malaysia
Anazida Binti Zainal: Department of Computer Science, Faculty of Computing, Universiti Teknologi Malaysia, Johor Bahru, Johor, Malaysia
Faisal Saeed: ORCiD; DAAI Research Group, School of Computing and Digital Technology, College of Computing and Digital Technology, Birmingham City University, Birmingham, U.K
Abdelzahir Abdelmaboud: ORCiD; Department of Information Systems, King Khalid University, Muhayil, Saudi Arabia
Wamda Nagmeldin: Department of Information Systems, College of Computer Engineering and Sciences, Prince Sattam bin Abdulaziz University, Al-Kharj, Saudi Arabia

DOI: https://doi.org/10.1109/ACCESS.2023.3348451
Journal volume & issue: Vol. 12
pp. 3910 – 3925

Abstract

Read online

Crypto-ransomware attacks pose a significant cyber threat due to the irreversible effect of encryption employed to deny access to the data on the victim’s device. Existing state-of-the-art solutions are developed based on two assumptions: the availability of sufficient data to perform detection during the pre-encryption phase, and that ransomware behavior is static and does not change over time. However, such assumptions do not hold as data collected during the pre-encryption phase of the ransomware attack are limited and does not contain sufficient patterns needed to identify the attack. Additionally, the evasion techniques like polymorphism and metamorphism used by ransomware lead to behavioral drift that could defeat those solutions. Therefore, this paper addresses these two issues by proposing a weighted Generative Adversarial Networks (wGANs) technique. Firstly, the proposed wGAN was used to generate synthetic data that imitate the behavior of ransomware and simulate the evolution of the attacks. Then, the mutual information was used to estimate the significance of features for different timeframes, thereby helping the detection model to handle the behavioral drift in emerging ransomware variants. Experimental evaluation demonstrates that the proposed wGAN is more robust against behavioral drift compared to the state-of-the-art solutions. The wGAN achieved higher accuracy and lower false alarm rates of 97% and 0.0088 respectively.

Published in IEEE Access

ISSN: 2169-3536 (Online)
Publisher: IEEE
Country of publisher: United States
LCC subjects: Technology: Electrical engineering. Electronics. Nuclear engineering
Website: https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=6287639

About the journal

Abstract

Keywords