Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic

Date

2022

Director

Publisher

Elsevier
Acceso abierto / Sarbide irekia
Artículo / Artikulua
Versión publicada / Argitaratu den bertsioa

Project identifier

AEI/Plan Estatal de Investigación Científica y Técnica y de Innovación 2017-2020/PID2019-104451RB-C22/ES/ recolecta
Impacto
No disponible en Scopus

Abstract

Ransomware is considered as a significant threat for home users and enterprises. In corporate scenarios, users’ computers usually store only system and program files, while all the documents are accessed from shared servers. In these scenarios, one crypto-ransomware infected host is capable of locking the access to all shared files it has access to, which can be the whole set of files from a workgroup of users. We propose a tool to detect and block crypto-ransomware activity based on file-sharing traffic analysis. The tool monitors the traffic exchanged between the clients and the file servers and using machine learning techniques it searches for patterns in the traffic that betray ransomware actions while reading and overwriting files. This is the first proposal designed to work not only for clear text protocols but also for encrypted file-sharing protocols. We extract features from network traffic that describe the activity opening, closing, and modifying files. The features allow the differentiation between ransomware activity and high activity from benign applications. We train and test the detection model using a large set of more than 70 ransomware binaries from 33 different strains and more than 2,400 h of ‘not infected’ traffic from real users. The results reveal that the proposed tool can detect all ransomware binaries described, including those not used in the training phase. This paper provides a validation of the algorithm by studying the false positive rate and the amount of information from user files that the ransomware could encrypt before being detected

Description

Keywords

Crypto-ransomware, File-sharing traffic, Network security

Department

Ingeniería Eléctrica, Electrónica y de Comunicación / Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren

Faculty/School

Degree

Doctorate program

item.page.cita

Berrueta, E., Morato, D., Magaña, E., & Izal, M. (2022). Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic. Expert Systems with Applications, 209, 118299. https://doi.org/10.1016/j.eswa.2022.118299

item.page.rights

© 2022 The Author(s). This is an open access article under the CC BY license

Licencia

Los documentos de Academica-e están protegidos por derechos de autor con todos los derechos reservados, a no ser que se indique lo contrario.