IEEE Access (Jan 2024)

Addressing Behavioral Drift in Ransomware Early Detection Through Weighted Generative Adversarial Networks

  • Umara Urooj,
  • Bander Ali Saleh Al-Rimy,
  • Anazida Binti Zainal,
  • Faisal Saeed,
  • Abdelzahir Abdelmaboud,
  • Wamda Nagmeldin

DOI
https://doi.org/10.1109/ACCESS.2023.3348451
Journal volume & issue
Vol. 12
pp. 3910 – 3925

Abstract

Crypto-ransomware attacks pose a significant cyber threat due to the irreversible effect of the encryption employed to deny access to the data on the victim's device. Existing state-of-the-art solutions are developed based on two assumptions: that sufficient data are available to perform detection during the pre-encryption phase, and that ransomware behavior is static and does not change over time. However, such assumptions do not hold, as the data collected during the pre-encryption phase of a ransomware attack are limited and do not contain sufficient patterns needed to identify the attack. Additionally, evasion techniques such as polymorphism and metamorphism used by ransomware lead to behavioral drift that could defeat those solutions. Therefore, this paper addresses these two issues by proposing a weighted Generative Adversarial Networks (wGANs) technique. Firstly, the proposed wGAN was used to generate synthetic data that imitate the behavior of ransomware and simulate the evolution of the attacks. Then, mutual information was used to estimate the significance of features for different timeframes, thereby helping the detection model to handle the behavioral drift in emerging ransomware variants. Experimental evaluation demonstrates that the proposed wGAN is more robust against behavioral drift compared to the state-of-the-art solutions. The wGAN achieved higher accuracy and lower false alarm rates of 97% and 0.0088, respectively.

Keywords