Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic
Date
2022
Author
Version
Open access
Type
Article
Version
Published version
Project identifier
10.1016/j.eswa.2022.118299
Abstract
Ransomware is considered a significant threat for home users and enterprises. In corporate scenarios, users'
computers usually store only system and program files, while all the documents are accessed from shared
servers. In these scenarios, one crypto-ransomware-infected host is capable of locking the access to all shared
files it has access to, which can be the whole set of files from a workgroup of users. We propose a tool
to detect and block crypto-ransomware activity based on file-sharing traffic analysis. The tool monitors the
traffic exchanged between the clients and the file servers and, using machine learning techniques, it searches
for patterns in the traffic that betray ransomware actions while reading and overwriting files. This is the
first proposal designed to work not only for clear-text protocols but also for encrypted file-sharing protocols.
We extract features from network traffic that describe the activity of opening, closing, and modifying files. The
features allow the differentiation between ransomware activity and high activity from benign applications. We
train and test the detection model using a large set of more than 70 ransomware binaries from 33 different
strains and more than 2,400 h of 'not infected' traffic from real users. The results reveal that the proposed
tool can detect all ransomware binaries described, including those not used in the training phase. This paper
provides a validation of the algorithm by studying the false positive rate and the amount of information from
user files that the ransomware could encrypt before being detected.
Subjects
Crypto-ransomware, File-sharing traffic, Network security
Publisher
Elsevier
Published in
Expert Systems with Applications 209 (2022) 118299
Department
Universidad Pública de Navarra. Departamento de Ingeniería Eléctrica, Electrónica y de Comunicación /
Nafarroako Unibertsitate Publikoa. Ingeniaritza Elektrikoa, Elektronikoa eta Telekomunikazio Ingeniaritza Saila
Publisher's version
Funding entities
This work was supported by the Spanish Ministry of Science and Innovation through project PID2019-104451RB-C22/AEI/10.13039/501100011033. Open access funding provided by Universidad Pública de Navarra.