Publication:
Crypto-ransomware detection using machine learning models in file-sharing network scenarios with encrypted traffic

Consultable a partir de

Date

2022

Director

Publisher

Elsevier
Acceso abierto / Sarbide irekia
Artículo / Artikulua
Versión publicada / Argitaratu den bertsioa

Project identifier

AEI/Plan Estatal de Investigación Científica y Técnica y de Innovación 2017-2020/PID2019-104451RB-C22/ES/recolecta

Abstract

Ransomware is considered as a significant threat for home users and enterprises. In corporate scenarios, users’ computers usually store only system and program files, while all the documents are accessed from shared servers. In these scenarios, one crypto-ransomware infected host is capable of locking the access to all shared files it has access to, which can be the whole set of files from a workgroup of users. We propose a tool to detect and block crypto-ransomware activity based on file-sharing traffic analysis. The tool monitors the traffic exchanged between the clients and the file servers and using machine learning techniques it searches for patterns in the traffic that betray ransomware actions while reading and overwriting files. This is the first proposal designed to work not only for clear text protocols but also for encrypted file-sharing protocols. We extract features from network traffic that describe the activity opening, closing, and modifying files. The features allow the differentiation between ransomware activity and high activity from benign applications. We train and test the detection model using a large set of more than 70 ransomware binaries from 33 different strains and more than 2,400 h of ‘not infected’ traffic from real users. The results reveal that the proposed tool can detect all ransomware binaries described, including those not used in the training phase. This paper provides a validation of the algorithm by studying the false positive rate and the amount of information from user files that the ransomware could encrypt before being detected

Keywords

Crypto-ransomware, File-sharing traffic, Network security

Department

Ingeniería Eléctrica, Electrónica y de Comunicación / Ingeniaritza Elektrikoa, Elektronikoaren eta Telekomunikazio Ingeniaritzaren

Faculty/School

Degree

Doctorate program

Editor version

Funding entities

This work was supported by Spanish Ministry of Science and Innovation through project PID2019-104451RB-C22/AEI/10.13039/ 501100011033. Open access funding provided by Universidad Pública de Navarra.

© 2022 The Author(s). This is an open access article under the CC BY license

Los documentos de Academica-e están protegidos por derechos de autor con todos los derechos reservados, a no ser que se indique lo contrario.